summaryrefslogtreecommitdiffstats
path: root/src/lib/kadm5/alt_prof.c
Commit message (Collapse)AuthorAgeFilesLines
* Make salt defaulting work for keysaltsTom Yu2014-01-061-2/+2
| | | | | | | | | | Make krb5_string_to_keysalts() default to only ":" as a key:salt separator character. Change most of its callers to pass NULL so they get the default separators. Adapted from a patch proposed by Jon Looney. ticket: 884
* Modernize k5bufGreg Hudson2013-02-141-6/+6
| | | | | | Rename the krb5int_buf_ family of functions to use the k5_ prefix for brevity. Reformat some k5buf implementation code to match current practices.
* Get rid of krb5_read_realm_paramsGreg Hudson2013-01-161-143/+0
| | | | | | | Read realm parameters directly from the profile in the KDC's init_realm(), getting rid of the intermediate krb5_realm_params structure. Then get rid of krb5_realm_params and krb5_read_realm_params, since nothing else uses it.
* Remove unused krb5_realm_params fieldsGreg Hudson2013-01-151-59/+1
| | | | | | | krb5_realm_params is only consumed by the KDC (everything else uses kadm5_config_params), so only needs to contain fields used by the KDC. Get rid of everything else. Also get rid of realm_profile, which is read in by KDC code but never used (and was never set anyway).
* Clean up style of alt_prof.cGreg Hudson2013-01-121-417/+354
| | | | | | Get rid of K&R-style function headers, format code and comments consistently according to current conventions, rename some variables using idiomatic names, and de-indent some nested control blocks.
* Simplify KDC host referral codeGreg Hudson2013-01-111-46/+11
| | | | | | | | | | | Remove some unnecessary optimizations to reduce code complexity. Get rid of krb5_match_config_pattern in favor of a simpler helper function in do_tgs_req_c. Get rid of KRB5_CONF_ASTERISK and just use "*" instead. Use a helper function to combine [kdcdefaults] and realm subsection values of variables, and don't bother adding leading and trailing spaces. Consistently use the names "hostbased" and "no_referral" to refer to variable values (with a "realm_" prefix for structures which currently use it).
* Remove MAX_ULOGENTRIESNicolas Williams2012-10-051-3/+1
| | | | | | | | | | | If a master KDC uses only a 64-bit libkadm5srv then there is no reason to impose any limit on ulog size: the practical maximum will be given by the filesystem and available storage space. Even when using a 32-bit libkadm5srv the maximum practical ulog size will be found easily enough when mmap() fails. ticket: 7368
* Improve kpropd behavior in iprop modeNicolas Williams2012-10-051-0/+4
| | | | | | | | | | | | | | | | | | | | | | - Make kpropd in iprop mode fork a child to listen for kprops from the master. The child writes progress and outcome reports to the parent for each kprop. This fixes a race between asking for a full resync and setting up a listener socket for it. - Add runonce (-t) for kpropd do_standalone() too. - Add a new iprop parameter: iprop_resync_timeout. kpropd will keep asking for incremental updates while waiting for a full resync to finish, and will re-request a full resync if kadmind continues to indicate that one is needed after this timeout passes since the previous full resync was requested. - Allow polling intervals less than 10 seconds. [ghudson@mit.edu: split out debug output changes; note polling interval change in commit message] ticket: 7373
* Add control over session key enctype negotiationNicolas Williams2012-06-061-0/+6
| | | | | | | | | | | | | | | | | | | Adds a principal string attribute named "session_enctypes" which can specify what enctypes the principal supports for session keys. (For what it's worth, this actually allows one to list des-cbc-md5 as a supported session key enctype, though obviously this hardly matters now.) Add a [realms] section parameter for specifying whether to assume that principals (which lack the session_enctypes attribute) support des-cbc-crc for session keys. This allows those who still need to use allow_weak_crypto=true, for whatever reason, to start reducing the number of tickets issued with des-cbc-crc session keys to clients which still give des-cbc-crc preference in their default_tgs_enctypes list. [ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored test script; documented session_enctypes attribute]
* Remove admin_keytab references in code and docsGreg Hudson2012-03-041-12/+0
| | | | | | | | | The admin keytab hasn't been needed or used by kadmind since 1.4 (except possibly by legacy admin daemons which we no longer ship). Eliminate remaining references to it in code, test cases, and documentation. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25729 dc483132-0cff-0310-8789-dd5450dbe970
* isspace should only get unsigned-char values or EOFKen Raeburn2011-07-011-2/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25010 dc483132-0cff-0310-8789-dd5450dbe970
* Use AI_ADDRCONFIG for more efficient getaddrinfoGreg Hudson2011-06-231-1/+1
| | | | | | | | | | | | | | | Add AI_ADDRCONFIG to the hint flags for every invocation of getaddrinfo which wasn't already using it. This is often the default behavior when no hints are specified, but we tend to specify hints a lot, so we have to say it ourselves. AI_ADDRCONFIG causes AAAA lookups to be skipped if the system has no public IPv6 interface addresses, usually saving a couple of DNS queries per getaddrinfo call and allowing DNS caching to be much more effective without the need for negative caching. ticket: 6923 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24978 dc483132-0cff-0310-8789-dd5450dbe970
* Mark up strings for translationGreg Hudson2011-06-101-3/+3
| | | | | | ticket: 6918 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust most C source files to match the new standards for copyrightGreg Hudson2011-03-091-6/+2
| | | | | | and license comments. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970
* Implement restrict_anonymous_to_tgt realm flagGreg Hudson2010-12-011-0/+6
| | | | | | | | | | | | | Implement a new realm flag to reject ticket requests from anonymous principals to any principal other than the local TGT. Allows FAST to be deployed using anonymous tickets as armor in realms where the set of authenticatable users must be constrained. ticket: 6829 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24547 dc483132-0cff-0310-8789-dd5450dbe970
* Make kadmin work over IPv6Greg Hudson2010-06-261-5/+11
| | | | | | | | | | | | | | | | | | | | | | | | Make gssrpc work over IPv6 TCP sockets provided that the client creates and connects/binds the sockets and doesn't query their addresses or use bindresvport(). Make kadmin work within those constraints and handle IPv6. Specific changes: * Make svctcp_create() able to extract the port from an IPv6 socket, using a new helper function getport(). * Make clnttcp_create() handle a null raddr value if *sockp is set. * Make kadm5_get_service_name() use getaddrinfo() to canonicalize the admin server name. * Make libkadm5clnt's init_any() responsible for connecting its socket using a new helper function connect_to_server(), which uses getaddrinfo instead of gethostbyname. Pass a null address to clnttcp_create(). * Make libapputil's net-server.c set up IPv6 as well as IPv4 listener ports for RPC connections. * Adjust the error code expected in a libkadm5 unit test. ticket: 6746 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24147 dc483132-0cff-0310-8789-dd5450dbe970
* When parsing a KDC or admin server string, allow the name or addressGreg Hudson2010-05-181-7/+32
| | | | | | | | | to be enclosed in brackets so that IPv6 addresses can be represented. (IPv6 addresses contain colons, which look like port separators.) ticket: 6562 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24055 dc483132-0cff-0310-8789-dd5450dbe970
* Improve the error message from kadmin when hostname resolution failsGreg Hudson2010-05-181-1/+5
| | | | | | | for the admin server. (The extended message won't be displayed by kadmin currently; that's a separate issue.) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24054 dc483132-0cff-0310-8789-dd5450dbe970
* Remove some unused fields from kadm5_config_params. Bump the clientGreg Hudson2010-05-041-4/+0
| | | | | | and server sonames. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23969 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate the unused realm_dbname field from krb5_realm_paramsGreg Hudson2010-05-041-5/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23968 dc483132-0cff-0310-8789-dd5450dbe970
* make mark-cstyleTom Yu2009-10-311-199/+197
| | | | | | make reindent git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
* Use macros for config parametersZhanna Tsitkov2009-02-041-38/+38
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21879 dc483132-0cff-0310-8789-dd5450dbe970
* Remove unnecessary pointer casts in args to free,memcpy,memset,memchr except ↵Ken Raeburn2009-02-021-3/+3
| | | | | | unicode, windows code git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21875 dc483132-0cff-0310-8789-dd5450dbe970
* Default allow_weak_crypto=true for now. Default supported_enctypes toTom Yu2009-01-311-1/+1
| | | | | | | | | exclude single-DES enctypes. ticket: 6353 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21851 dc483132-0cff-0310-8789-dd5450dbe970
* Changed the name match_config_pattern to krb5_match_config_pattern. Check ↵Zhanna Tsitkov2009-01-301-3/+3
| | | | | | strdup return code. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21838 dc483132-0cff-0310-8789-dd5450dbe970
* Introduced match_config_pattern function to find a pattern in the config ↵Zhanna Tsitkov2009-01-291-24/+44
| | | | | | value strings git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21828 dc483132-0cff-0310-8789-dd5450dbe970
* Start to phase out krb5_xfree macro, which just casts its argument toKen Raeburn2009-01-281-18/+18
| | | | | | | | | | | char* and calls free. Replace most uses, outside of the LDAP KDB plugin, which doesn't build on my test system of the moment because of version dependencies. Add one explicit cast to make the change warning-neutral (under gcc 4.0.1 on Mac OS X 10.5.6). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21812 dc483132-0cff-0310-8789-dd5450dbe970
* "Coding practices" related fixesZhanna Tsitkov2009-01-271-534/+534
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21808 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate the need for the domain_realm mapping table on the client side by ↵Zhanna Tsitkov2009-01-231-1/+80
| | | | | | implementing minimal referral support in the KDC git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21792 dc483132-0cff-0310-8789-dd5450dbe970
* Signed/unsigned fixes and remove unused variableEzra Peisach2008-12-291-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21635 dc483132-0cff-0310-8789-dd5450dbe970
* Use profile_free_list as appropriate. Fix memory leaksKen Raeburn2008-11-241-20/+21
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21180 dc483132-0cff-0310-8789-dd5450dbe970
* Rename krb5int_buf_cstr to krb5int_buf_data, since k5bufs can be usedGreg Hudson2008-11-051-1/+1
| | | | | | | | | | | for binary data as well as C string data. The buffer will always have a null byte at krb5int_buf_len bytes regardless of whether it contains C string data. ticket: 6200 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21003 dc483132-0cff-0310-8789-dd5450dbe970
* Use the k5buf module instead of strcpy/strcat in several placesGreg Hudson2008-10-301-26/+12
| | | | | | | ticket: 6200 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20941 dc483132-0cff-0310-8789-dd5450dbe970
* a stash file is not a keytabWill Fiveash2008-08-151-0/+5
| | | | | | | | | Note, this is the commit for the associated Krb Consortium project: Projects/Masterkey Keytab Stash ticket: 194 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20661 dc483132-0cff-0310-8789-dd5450dbe970
* Merge from branch sun-ipropKen Raeburn2008-06-241-2/+61
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20465 dc483132-0cff-0310-8789-dd5450dbe970
* Factor out repeated code for looking up string, port, or deltat config paramsKen Raeburn2008-06-111-150/+144
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20395 dc483132-0cff-0310-8789-dd5450dbe970
* Get rid of handling of set-but-unused kadm5_config_params.admin_dbnameKen Raeburn2008-06-101-12/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20383 dc483132-0cff-0310-8789-dd5450dbe970
* Get rid of handling of set-but-unused kadm5_config_params.admin_lockfileKen Raeburn2008-06-101-8/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20381 dc483132-0cff-0310-8789-dd5450dbe970
* Don't check for NULL before calling free or krb5_xfreeKen Raeburn2008-06-091-43/+21
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20379 dc483132-0cff-0310-8789-dd5450dbe970
* After malloc/realloc/calloc failures, return ENOMEM explicitly insteadKen Raeburn2008-04-301-2/+2
| | | | | | | of reading it from errno. This may make static analysis tools less confused about when we return zero vs nonzero values. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20312 dc483132-0cff-0310-8789-dd5450dbe970
* Avoid use of unchecked sprintf in libraries. Use asprintf if theKen Raeburn2007-07-121-12/+9
| | | | | | | output buffer is allocated according to the size of data to be written, or snprintf otherwise. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19703 dc483132-0cff-0310-8789-dd5450dbe970
* * lib/kadm5/alt_prof.c (kadm5_get_config_params): Replace filename andKen Raeburn2006-05-161-46/+61
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | envvar arguments with a flag indicating whether KDC config data should be used. Prototype and all callers changed. (krb5_read_realm_params): Delete config file and env var arguments. Prototype and all callers changed. * lib/kadm5/admin.h (KADM5_CONFIG_PROFILE): Commented out. (struct _kadm5_config_params): Delete field PROFILE. * lib/kadm5/alt_prof.c (kadm5_get_config_params): Don't look at it. (kadm5_free_config_params): Don't free it. * kadmin/testing/tcl/util.t: Remove profile data from config params. * kadmin/testing/util/tcl_kadm5.c (config_mask_flags): Deleted KADM5_CONFIG_PROFILE entry. (parse_config_params): Changed to require 20 parameters instead of 21. * lib/kadm5/unit-test/api.2/init-v2.exp (test100): Deleted. * lib/kadm5/alt_prof.c (krb5_aprof_init): Fetch the list of config files from the library and add the caller-indicated config file to the front of the list. * lib/kadm5/clnt/client_init.c (kadm5_init_krb5_context): New function. * lib/kadm5/clnt/libkadm5clnt.exports: Export it. * lib/kadm5/srv/server_init.c: Include k5-int.h, osconf.h, gssapiP_krb5.h. (kadm5_init_krb5_context): New function. * lib/kadm5/srv/libkadm5srv.exports: Export it. * lib/kadm5/srv/Makefile.in (LOCAL_INCLUDES): Add gssapi directories. * lib/kadm5/admin.h (kadm5_init_krb5_context): Declare it. * kadmin/dbutil/kdb5_destroy.c (kdb5_destroy): Call kadm5_init_krb5_context instead of krb5_init_context. * kadmin/dbutil/dump.c (load_db): Likewise. * kadmin/dbutil/kdb5_util.c (main): Likewise. * kadmin/dbutil/kadm5_create.c (kadm5_create): Likewise. * kadmin/dbutil/kdb5_stash.c (kdb5_stash): Likewise. * kadmin/dbutil/loadv4.c (load_v4db): Likewise. * kadmin/server/ovsec_kadmd.c (main): Likewise. * kadmin/cli/kadmin.c (kadmin_startup): Likewise. * kadmin/testing/util/tcl_ovsec_kadm.c (tcl_ovsec_kadm_init): Likewise. * lib/kadm5/unit-test/lock-test.c (main): Likewise. * lib/kadm5/unit-test/handle-test.c (main): Likewise. * lib/kadm5/unit-test/randkey-test.c (main): Likewise. * lib/kadm5/unit-test/setkey-test.c (main): Likewise. * lib/kadm5/chpass_util.c (_kadm5_chpass_principal_util): Likewise. * lib/kadm5/kadm_rpc_xdr.c (xdr_krb5_principal): Likewise. * lib/krb5/os/init_os_ctx.c (add_kdc_config_file): New function. (os_init_paths): Add new argument KDC; call add_kdc_config_file if true. * lib/krb5/krb/init_ctx.c (krb5int_init_context_kdc): New function. (init_common): Add new argument KDC, passed to krb5_os_init_context. * lib/krb5/libkrb5.exports: Export krb5int_init_context_kdc. * k5-int.h (krb5_os_init_context): Update decl. * lib/kadm5/srv/server_init.c (kadm5_init): Call krb5int_init_context_kdc. * krb524/krb524d.c (main): Likewise. * lib/kadm5/unit-test/api.2/init-v2.exp: Don't run test 154 for error for $KRB5_KDC_PROFILE file not present. * lib/krb5/os/init_os_ctx.c (os_get_default_config_files): Rewrite KLL test so as not to confuse Emacs indentation support. * lib/gssapi/krb5/init_sec_context.c (kg_kdc_flag_mutex, kdc_flag): New variables. (krb5_gss_init_context, krb5_gss_use_kdc_context): New functions. * lib/gssapi/krb5/gssapiP_krb5.h (kg_kdc_flag_mutex): Declare. (krb5_gss_init_context, krb5_gss_use_kdc_context): Declare. (krb5_init_context): Define as macro to invoke krb5_gss_init_context for now. * lib/gssapi/gss_libinit.c (gssint_lib_init): Initialize the mutex. (gssint_lib_fini): Destroy it. * lib/gssapi/libgssapi_krb5.exports: Export krb5_gss_use_kdc_context. * lib/kadm5/srv/server_init.c (kadm5_init): Don't complain if the config files specify an admin server, since we now look at krb5.conf as well. * lib/kadm5/unit-test/api.2/init-v2.exp: Delete test test114 for bad server params. * plugins/kdb/db2/adb_openclose.c (osa_adb_init_db): Use krb5int_init_context_kdc instead of krb5_init_context. * kdc/rtest.c (main): Likewise. * kdc/fakeka.c (main): Likewise. * kdc/main.c (main, init_realm): Likewise. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18009 dc483132-0cff-0310-8789-dd5450dbe970
* * alt_prof.c (kadm5_get_admin_service_name): Fix call toTom Yu2004-06-241-3/+10
| | | | | | kadm5_get_config_params(). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16509 dc483132-0cff-0310-8789-dd5450dbe970
* This commit merges the RPCSEC_GSS integration branch onto the trunk.Tom Yu2004-06-161-0/+34
| | | | | | | | | | | | | | | | | | | Remaining work includes: * Default to using kadmin/fqdn for SEAM compatibility * Namespace cleanups and other API tweaks -- this API is not stable yet * Fix lib/rpc/unit-test testsuite to test RPCSEC_GSS in addition to AUTH_GSSAPI Additional work will be tracked in separate tickets. This merge is bracketed between the tags "tlyu-umich-rpc-merge-pre" and "tlyu-umich-rpc-merge-post". ticket: 2578 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16467 dc483132-0cff-0310-8789-dd5450dbe970
* Drop default_kdc_enctypes and all related codeTom Yu2003-06-031-21/+2
| | | | | | | | | ticket: 1553 target_version: 1.3 status: open tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15544 dc483132-0cff-0310-8789-dd5450dbe970
* * alt_prof.c (kadm5_get_config_params): Change default max_life to one dayKen Raeburn2003-05-311-1/+1
| | | | | | | ticket: 1190 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15539 dc483132-0cff-0310-8789-dd5450dbe970
* AES shouldn't be in KDC default enctype listKen Raeburn2003-05-131-1/+1
| | | | | | | | | | | Until all services including GSS-based ones can support AES, we don't want it in the default supported enctypes list on the KDC. ticket: new tags: pullup target_version: 1.3 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15428 dc483132-0cff-0310-8789-dd5450dbe970
* * alt_prof.c (kadm5_get_config_params): Add aes256 to the default supportedKen Raeburn2003-04-191-1/+1
| | | | | | | | | enctypes list. ticket: 1418 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15362 dc483132-0cff-0310-8789-dd5450dbe970
* Support reading a list of TCP port numbers from the KDC config file; defaultKen Raeburn2002-09-181-1/+6
| | | | | | to none for now. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14878 dc483132-0cff-0310-8789-dd5450dbe970
* * alt_prof.c (krb5_aprof_get_boolean): Return krb5_boolean *Ezra Peisach2001-11-051-1/+1
| | | | | | instead of int *. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13938 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2026-02-06 17:18:43 +0000