Diffstat (limited to 'src/kadmin')
-rw-r--r--src/kadmin/cli/kadmin.M22
-rw-r--r--src/kadmin/cli/kadmin.c127
-rw-r--r--src/kadmin/cli/kadmin.h3
-rw-r--r--src/kadmin/cli/kadmin_ct.ct9
-rw-r--r--src/kadmin/server/kadm_rpc_svc.c12
-rw-r--r--src/kadmin/server/ovsec_kadmd.c4
-rw-r--r--src/kadmin/server/server_stubs.c112
7 files changed, 288 insertions, 1 deletions
diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M
index f847c8235d..4dd10e6d33 100644
--- a/src/kadmin/cli/kadmin.M
+++ b/src/kadmin/cli/kadmin.M
@@ -672,6 +672,28 @@ kadmin:
.RE
.fi
.TP
+\fBget_strings\fP \fIprincipal\fP
+displays string attributes on
+.IR principal .
+String attributes are used to supply per-principal configuration to
+some KDC plugin modules. Alias
+.BR getstrs .
+.fi
+.TP
+\fBset_string\fP \fIprincipal\fP \fIkey\fP \fIvalue\fP
+sets a string attribute on
+.IR principal .
+Alias
+.BR setstr .
+.fi
+.TP
+\fBdel_string\fP \fIprincipal\fP \fIkey\fP
+deletes a string attribute from
+.IR principal .
+Alias
+.BR delstr .
+.fi
+.TP
\fBadd_policy\fP [\fIoptions\fP] \fIpolicy\fP
adds the named policy to the policy database. Requires the
.I add
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index baaac0bab3..539091f846 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -1898,3 +1898,130 @@ cleanup:
free(canon);
return;
}
+
+void
+kadmin_getstrings(int argc, char *argv[])
+{
+ kadm5_ret_t retval;
+ char *pname, *canon = NULL;
+ krb5_principal princ = NULL;
+ krb5_string_attr *strings = NULL;
+ int count, i;
+
+ if (argc != 2) {
+ fprintf(stderr, _("usage: get_strings principal\n"));
+ return;
+ }
+ pname = argv[1];
+
+ retval = kadmin_parse_name(pname, &princ);
+ if (retval) {
+ com_err("get_strings", retval, _("while parsing principal"));
+ return;
+ }
+
+ retval = krb5_unparse_name(context, princ, &canon);
+ if (retval) {
+ com_err("get_strings", retval, _("while canonicalizing principal"));
+ goto cleanup;
+ }
+
+ retval = kadm5_get_strings(handle, princ, &strings, &count);
+ if (retval) {
+ com_err("get_strings", retval,
+ _("while getting attributes for principal \"%s\""), canon);
+ goto cleanup;
+ }
+
+ if (count == 0)
+ printf(_("(No string attributes.)\n"));
+ for (i = 0; i < count; i++)
+ printf("%s: %s\n", strings[i].key, strings[i].value);
+ kadm5_free_strings(handle, strings, count);
+
+cleanup:
+ krb5_free_principal(context, princ);
+ free(canon);
+ return;
+}
+
+void
+kadmin_setstring(int argc, char *argv[])
+{
+ kadm5_ret_t retval;
+ char *pname, *canon = NULL, *key, *value;
+ krb5_principal princ = NULL;
+
+ if (argc != 4) {
+ fprintf(stderr, _("usage: set_string principal key value\n"));
+ return;
+ }
+ pname = argv[1];
+ key = argv[2];
+ value = argv[3];
+
+ retval = kadmin_parse_name(pname, &princ);
+ if (retval) {
+ com_err("set_string", retval, _("while parsing principal"));
+ return;
+ }
+
+ retval = krb5_unparse_name(context, princ, &canon);
+ if (retval) {
+ com_err("set_string", retval, _("while canonicalizing principal"));
+ goto cleanup;
+ }
+
+ retval = kadm5_set_string(handle, princ, key, value);
+ if (retval) {
+ com_err("set_string", retval,
+ _("while setting attribute on principal \"%s\""), canon);
+ goto cleanup;
+ }
+
+ printf(_("Attribute set for principal \"%s\".\n"), canon);
+cleanup:
+ krb5_free_principal(context, princ);
+ free(canon);
+ return;
+}
+
+void
+kadmin_delstring(int argc, char *argv[])
+{
+ kadm5_ret_t retval;
+ char *pname, *canon = NULL, *key;
+ krb5_principal princ = NULL;
+
+ if (argc != 3) {
+ fprintf(stderr, _("usage: del_string principal key\n"));
+ return;
+ }
+ pname = argv[1];
+ key = argv[2];
+
+ retval = kadmin_parse_name(pname, &princ);
+ if (retval) {
+ com_err("delstring", retval, _("while parsing principal"));
+ return;
+ }
+
+ retval = krb5_unparse_name(context, princ, &canon);
+ if (retval) {
+ com_err("del_string", retval, _("while canonicalizing principal"));
+ goto cleanup;
+ }
+
+ retval = kadm5_set_string(handle, princ, key, NULL);
+ if (retval) {
+ com_err("del_string", retval,
+ _("while deleting attribute from principal \"%s\""), canon);
+ goto cleanup;
+ }
+
+ printf(_("Attribute removed from principal \"%s\".\n"), canon);
+cleanup:
+ krb5_free_principal(context, princ);
+ free(canon);
+ return;
+}
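Review bot: The com_err "whoami" label in kadmin_delstring is inconsistent: the parse-failure branch reports `com_err("delstring", retval, _("while parsing principal"));` while the other two errors in the same function and the usage message use "del_string", so the three new commands will not be greppable under one name in logs or scripts. Change it to `com_err("del_string", retval, _("while parsing principal"));` to match the rest of the function and its siblings kadmin_getstrings/kadmin_setstring. The three context lines at the top of the hunk belong to a function whose body starts outside the hunk.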
diff --git a/src/kadmin/cli/kadmin.h b/src/kadmin/cli/kadmin.h
index 6d87040359..7afa0c9283 100644
--- a/src/kadmin/cli/kadmin.h
+++ b/src/kadmin/cli/kadmin.h
@@ -53,6 +53,9 @@ extern void kadmin_getprivs(int argc, char *argv[]);
extern void kadmin_keytab_add(int argc, char *argv[]);
extern void kadmin_keytab_remove(int argc, char *argv[]);
extern void kadmin_purgekeys(int argc, char *argv[]);
+extern void kadmin_getstrings(int argc, char *argv[]);
+extern void kadmin_setstring(int argc, char *argv[]);
+extern void kadmin_delstring(int argc, char *argv[]);
#include "autoconf.h"
diff --git a/src/kadmin/cli/kadmin_ct.ct b/src/kadmin/cli/kadmin_ct.ct
index 86ac96e708..705e41840e 100644
--- a/src/kadmin/cli/kadmin_ct.ct
+++ b/src/kadmin/cli/kadmin_ct.ct
@@ -80,6 +80,15 @@ request kadmin_unlock, "Release exclusive database lock",
request kadmin_purgekeys, "Purge previously retained old keys from a principal",
purgekeys;
+request kadmin_getstrings, "Show string attributes on a principal",
+ get_strings, getstrs;
+
+request kadmin_setstring, "Set a string attribute on a principal",
+ set_string, setstr;
+
+request kadmin_delstring, "Delete a string attribute on a principal",
+ del_string, delstr;
+
# list_requests is generic -- unrelated to Kerberos
request ss_list_requests, "List available requests.",
list_requests, lr, "?";
diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c
index a9bccf5999..a75bdb89d3 100644
--- a/src/kadmin/server/kadm_rpc_svc.c
+++ b/src/kadmin/server/kadm_rpc_svc.c
@@ -213,6 +213,18 @@ void kadm_1(rqstp, transp)
local = (char *(*)()) purgekeys_2_svc;
break;
+ case GET_STRINGS:
+ xdr_argument = xdr_gstrings_arg;
+ xdr_result = xdr_gstrings_ret;
+ local = (char *(*)()) get_strings_2_svc;
+ break;
+
+ case SET_STRING:
+ xdr_argument = xdr_sstring_arg;
+ xdr_result = xdr_generic_ret;
+ local = (char *(*)()) set_string_2_svc;
+ break;
+
default:
krb5_klog_syslog(LOG_ERR, "Invalid KADM5 procedure number: %s, %d",
inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
index 63d1787cbc..f38f209f14 100644
--- a/src/kadmin/server/ovsec_kadmd.c
+++ b/src/kadmin/server/ovsec_kadmd.c
@@ -746,7 +746,9 @@ void log_badverf(gss_name_t client_name, gss_name_t server_name,
{19, "CHPASS_PRINCIPAL3"},
{20, "CHRAND_PRINCIPAL3"},
{21, "SETKEY_PRINCIPAL3"},
- {22, "PURGEKEYS"}
+ {22, "PURGEKEYS"},
+ {23, "GET_STRINGS"},
+ {24, "SET_STRING"}
};
#define NPROCNAMES (sizeof (proc_names) / sizeof (struct procnames))
OM_uint32 minor;
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index 6a2ed75511..8dbe756d69 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -1604,6 +1604,118 @@ exit_func:
return &ret;
}
+gstrings_ret *
+get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
+{
+ static gstrings_ret ret;
+ char *prime_arg;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+
+ xdr_free(xdr_gstrings_ret, &ret);
+
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+ goto exit_func;
+
+ if ((ret.code = check_handle((void *)handle)))
+ goto exit_func;
+
+ ret.api_version = handle->api_version;
+
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
+ }
+ if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
+ }
+
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+ rqst2name(rqstp),
+ ACL_LIST, NULL, NULL)) {
+ ret.code = KADM5_AUTH_LIST;
+ log_unauth("kadm5_get_strings", prime_arg,
+ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_get_strings((void *)handle, arg->princ, &ret.strings,
+ &ret.count);
+ if (ret.code != 0)
+ errmsg = krb5_get_error_message(handle->context, ret.code);
+
+ log_done("kadm5_get_strings", prime_arg, errmsg,
+ &client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+exit_func:
+ free_server_handle(handle);
+ return &ret;
+}
+
+generic_ret *
+set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
+{
+ static generic_ret ret;
+ char *prime_arg;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
+
+ xdr_free(xdr_generic_ret, &ret);
+
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+ goto exit_func;
+
+ if ((ret.code = check_handle((void *)handle)))
+ goto exit_func;
+
+ ret.api_version = handle->api_version;
+
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
+ }
+ if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
+ }
+
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+ rqst2name(rqstp),
+ ACL_LIST, NULL, NULL)) {
+ ret.code = KADM5_AUTH_LIST;
+ log_unauth("kadm5_mod_strings", prime_arg,
+ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_set_string((void *)handle, arg->princ, arg->key,
+ arg->value);
+ if (ret.code != 0)
+ errmsg = krb5_get_error_message(handle->context, ret.code);
+
+ log_done("kadm5_mod_strings", prime_arg, errmsg,
+ &client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
+ }
+ free(prime_arg);
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+exit_func:
+ free_server_handle(handle);
+ return &ret;
+}
+
generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
{
static generic_ret ret;
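Review bot: set_string_2_svc authorizes a write operation with the read ACL: it calls kadm5int_acl_check with ACL_LIST and a NULL target principal and reports KADM5_AUTH_LIST, mirroring get_strings_2_svc even though it modifies the principal entry (and string attributes feed per-principal KDC plugin configuration, per the kadmin.M text in this commit). A client holding only list privilege could therefore set or delete attributes on any principal, and target-pattern restrictions in the ACL file are never consulted because the principal argument is NULL. The check should be `ACL_MODIFY, arg->princ, NULL)) {` with `ret.code = KADM5_AUTH_MODIFY;`, matching how the other modifying stubs in this file are gated; get_strings_2_svc should likewise pass `arg->princ` so per-target ACL entries apply to reads. The log labels `"kadm5_mod_strings"` also do not name the API actually called (kadm5_set_string), which makes the audit trail harder to correlate; consider `"kadm5_set_string"`.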