authorSam Hartman <hartmans@mit.edu>2009-01-03 23:19:42 +0000
committerSam Hartman <hartmans@mit.edu>2009-01-03 23:19:42 +0000
commit0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d (patch)
tree2049c9c2cb135fe36b14c0a171711259258d18ec /src/clients
parentff0a6514c9f4230938c29922d69cbd4e83691adf (diff)
Merge mskrb-integ onto trunk
The mskrb-integ branch includes support for the following projects: Projects/Aliases * Projects/PAC and principal APIs * Projects/AEAD encryption API * Projects/GSSAPI DCE * Projects/RFC 3244 In addition, it includes support for enctype negotiation, and a variety of GSS-API extensions. In the KDC it includes support for protocol transition, constrained delegation and a new authorization data interface. The old authorization data interface is also supported. This commit merges the mskrb-integ branch on to the trunk. Additional review and testing is required. Merge commit 'mskrb-integ' into trunk ticket: new status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21690 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/clients')
-rw-r--r--src/clients/kinit/kinit.c51
-rw-r--r--src/clients/kvno/kvno.c20
2 files changed, 51 insertions, 20 deletions
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index 58ebec132..e2a0f089b 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -122,6 +122,9 @@ struct k_opts
int num_pa_opts;
krb5_gic_opt_pa_data *pa_opts;
+
+ int canonicalize;
+ int enterprise;
};
struct k5_data
@@ -145,6 +148,8 @@ struct option long_options[] = {
{ "forwardable", 0, NULL, 'f' },
{ "proxiable", 0, NULL, 'p' },
{ "noaddresses", 0, NULL, 'A' },
+ { "canonicalize", 0, NULL, 'C' },
+ { "enterprise", 0, NULL, 'E' },
{ NULL, 0, NULL, 0 }
};
@@ -159,15 +164,19 @@ usage()
#define USAGE_BREAK "\n\t"
#ifdef GETOPT_LONG
-#define USAGE_LONG_FORWARDABLE " | --forwardable | --noforwardable"
-#define USAGE_LONG_PROXIABLE " | --proxiable | --noproxiable"
-#define USAGE_LONG_ADDRESSES " | --addresses | --noaddresses"
+#define USAGE_LONG_FORWARDABLE " | --forwardable | --noforwardable"
+#define USAGE_LONG_PROXIABLE " | --proxiable | --noproxiable"
+#define USAGE_LONG_ADDRESSES " | --addresses | --noaddresses"
+#define USAGE_LONG_CANONICALIZE " | --canonicalize"
+#define USAGE_LONG_ENTERPRISE " | --enterprise"
#define USAGE_BREAK_LONG USAGE_BREAK
#else
-#define USAGE_LONG_FORWARDABLE ""
-#define USAGE_LONG_PROXIABLE ""
-#define USAGE_LONG_ADDRESSES ""
-#define USAGE_BREAK_LONG ""
+#define USAGE_LONG_FORWARDABLE ""
+#define USAGE_LONG_PROXIABLE ""
+#define USAGE_LONG_ADDRESSES ""
+#define USAGE_LONG_CANONICALIZE ""
+#define USAGE_LONG_ENTERPRISE ""
+#define USAGE_BREAK_LONG ""
#endif
fprintf(stderr, "Usage: %s [-V] "
@@ -179,6 +188,10 @@ usage()
"[-p | -P" USAGE_LONG_PROXIABLE "] "
USAGE_BREAK_LONG
"[-a | -A" USAGE_LONG_ADDRESSES "] "
+ USAGE_BREAK_LONG
+ "[-C" USAGE_LONG_CANONICALIZE "] "
+ USAGE_BREAK
+ "[-E" USAGE_LONG_ENTERPRISE "] "
USAGE_BREAK
"[-v] [-R] "
"[-k [-t keytab_file]] "
@@ -202,6 +215,8 @@ usage()
fprintf(stderr, "\t-A do not include addresses\n");
fprintf(stderr, "\t-v validate\n");
fprintf(stderr, "\t-R renew\n");
+ fprintf(stderr, "\t-C canonicalize\n");
+ fprintf(stderr, "\t-E client is enterprise principal name\n");
fprintf(stderr, "\t-k use keytab\n");
fprintf(stderr, "\t-t filename of keytab to use\n");
fprintf(stderr, "\t-c Kerberos 5 cache name\n");
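Review bot: The new help line `"\t-C canonicalize\n"` does not say what is canonicalized, or that the credential cache can end up under a different principal than the one typed. A later hunk passes `my_creds.client` to `krb5_cc_initialize` when this option is set, so the name stored in the cache comes from the KDC reply. I would spell that out, for example `fprintf(stderr, "\t-C canonicalize client name (cache principal may differ from the requested name)\n");`. The usage() body starts and ends outside this hunk.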
@@ -263,7 +278,7 @@ parse_options(argc, argv, opts)
int errflg = 0;
int i;
- while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:vX:"))
+ while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:vX:CE"))
!= -1) {
switch (i) {
case 'V':
@@ -355,6 +370,12 @@ parse_options(argc, argv, opts)
errflg++;
}
break;
+ case 'C':
+ opts->canonicalize = 1;
+ break;
+ case 'E':
+ opts->enterprise = 1;
+ break;
case '4':
fprintf(stderr, "Kerberos 4 is no longer supported\n");
exit(3);
@@ -403,6 +424,7 @@ k5_begin(opts, k5)
struct k5_data* k5;
{
krb5_error_code code = 0;
+ int flags = opts->enterprise ? KRB5_PRINCIPAL_PARSE_ENTERPRISE : 0;
code = krb5_init_context(&k5->ctx);
if (code) {
@@ -430,8 +452,8 @@ k5_begin(opts, k5)
if (opts->principal_name)
{
/* Use specified name */
- if ((code = krb5_parse_name(k5->ctx, opts->principal_name,
- &k5->me))) {
+ if ((code = krb5_parse_name_flags(k5->ctx, opts->principal_name,
+ flags, &k5->me))) {
com_err(progname, code, "when parsing name %s",
opts->principal_name);
return 0;
@@ -461,8 +483,8 @@ k5_begin(opts, k5)
fprintf(stderr, "Unable to identify user\n");
return 0;
}
- if ((code = krb5_parse_name(k5->ctx, name,
- &k5->me)))
+ if ((code = krb5_parse_name_flags(k5->ctx, name,
+ flags, &k5->me)))
{
com_err(progname, code, "when parsing name %s",
name);
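Review bot: `flags` is also passed here, where `name` is the fallback identity derived from the local user rather than something typed on the command line. With `-E` and no principal argument, the OS login name would therefore be parsed as an enterprise principal, which is probably not what the option is meant for. If that is not intended, pass `0` in this call and keep `flags` for the `opts->principal_name` branch, or reject `-E` without a principal in parse_options. The code that obtains `name` is outside this hunk, so this should be confirmed against the full k5_begin body.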
@@ -549,6 +571,8 @@ k5_kinit(opts, k5)
krb5_get_init_creds_opt_set_proxiable(options, 1);
if (opts->not_proxiable)
krb5_get_init_creds_opt_set_proxiable(options, 0);
+ if (opts->canonicalize)
+ krb5_get_init_creds_opt_set_canonicalize(options, 1);
if (opts->addresses)
{
krb5_address **addresses = NULL;
@@ -631,7 +655,8 @@ k5_kinit(opts, k5)
goto cleanup;
}
- code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me);
+ code = krb5_cc_initialize(k5->ctx, k5->cc,
+ opts->canonicalize ? my_creds.client : k5->me);
if (code) {
com_err(progname, code, "when initializing cache %s",
opts->k5_cache_name?opts->k5_cache_name:"");
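Review bot: The principal used to initialize the cache is chosen from `opts->canonicalize` alone, so a run with `-E` but without `-C` still initializes the cache with `k5->me`, which is then the enterprise-form name. If the library or KDC returns a canonical client for enterprise requests (not visible in this diff), the cache's default principal would not match the client of the stored credentials. Consider `(opts->canonicalize || opts->enterprise) ? my_creds.client : k5->me`, or have `-E` set `opts->canonicalize` in parse_options so that the `krb5_get_init_creds_opt_set_canonicalize` call in the earlier k5_kinit hunk is made as well. Since the KDC reply now decides the cache identity, it would also help to report the name when `krb5_principal_compare(k5->ctx, k5->me, my_creds.client)` is false. `my_creds` is filled in outside this hunk, and the k5_kinit body extends past it on both sides.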
diff --git a/src/clients/kvno/kvno.c b/src/clients/kvno/kvno.c
index c6e6477f1..d6c24f42b 100644
--- a/src/clients/kvno/kvno.c
+++ b/src/clients/kvno/kvno.c
@@ -39,7 +39,7 @@ static char *prog;
static void xusage()
{
- fprintf(stderr, "usage: %s [-c ccache] [-e etype] [-k keytab] [-S sname] service1 service2 ...\n",
+ fprintf(stderr, "usage: %s [-C] [-c ccache] [-e etype] [-k keytab] [-S sname] service1 service2 ...\n",
prog);
exit(1);
}
@@ -48,7 +48,7 @@ int quiet = 0;
static void do_v5_kvno (int argc, char *argv[],
char *ccachestr, char *etypestr, char *keytab_name,
- char *sname);
+ char *sname, int canon);
#include <com_err.h>
static void extended_com_err_fn (const char *, errcode_t, const char *,
@@ -59,14 +59,19 @@ int main(int argc, char *argv[])
int option;
char *etypestr = NULL, *ccachestr = NULL, *keytab_name = NULL;
char *sname = NULL;
+ int canon = 0;
+
set_com_err_hook (extended_com_err_fn);
prog = strrchr(argv[0], '/');
prog = prog ? (prog + 1) : argv[0];
- while ((option = getopt(argc, argv, "c:e:hk:qS:")) != -1) {
+ while ((option = getopt(argc, argv, "Cc:e:hk:qS:")) != -1) {
switch (option) {
+ case 'C':
+ canon = 1;
+ break;
case 'c':
ccachestr = optarg;
break;
@@ -94,8 +99,8 @@ int main(int argc, char *argv[])
if ((argc - optind) < 1)
xusage();
- do_v5_kvno(argc - optind, argv + optind,
- ccachestr, etypestr, keytab_name, sname);
+ do_v5_kvno(argc - optind, argv + optind,
+ ccachestr, etypestr, keytab_name, sname, canon);
return 0;
}
@@ -114,7 +119,7 @@ static void extended_com_err_fn (const char *myprog, errcode_t code,
static void do_v5_kvno (int count, char *names[],
char * ccachestr, char *etypestr, char *keytab_name,
- char *sname)
+ char *sname, int canon)
{
krb5_error_code ret;
int i, errors;
@@ -197,7 +202,8 @@ static void do_v5_kvno (int count, char *names[],
in_creds.keyblock.enctype = etype;
- ret = krb5_get_credentials(context, 0, ccache, &in_creds, &out_creds);
+ ret = krb5_get_credentials(context, canon ? KRB5_GC_CANONICALIZE : 0,
+ ccache, &in_creds, &out_creds);
krb5_free_principal(context, in_creds.server);