author | Jeffrey Altman <jaltman@secure-endpoints.com> | 2000-03-24 22:02:59 +0000 |
---|---|---|
committer | Jeffrey Altman <jaltman@secure-endpoints.com> | 2000-03-24 22:02:59 +0000 |
commit | f4376f4d0b68a4fd8285ad5aa44bee148f646491 (patch) | |
tree | cd3e5b794bc5aa2fb5743db6ab29d742bf030b99 /src/lib/krb5/os | |
parent | 97971c69b9389be08b7e9ffb742ca35f3706b3af (diff) | |
download | krb5-f4376f4d0b68a4fd8285ad5aa44bee148f646491.tar.gz krb5-f4376f4d0b68a4fd8285ad5aa44bee148f646491.tar.xz krb5-f4376f4d0b68a4fd8285ad5aa44bee148f646491.zip |
jaltman@columbia.edu Mar 24, 2000:
In 1.0.6, the code was altered to provide a fallback mechanism to
try the "master" KDCs in case the normal KDCs did not have the
most up-to-date password information. The original implementation
had significant conflicts with the use of DNS SRV records. In
addition, it often performed a lot of unneeded work.
The new code still performs a fallback to the "master" kdc but
only does the computation of the "master kdc list" if we are
in fact going to attempt to use a master.
For DNS SRV we introduce a new _kerberos-master.<proto>.<REALM>
record to list the master kdc's and the priorities to be used
when contacting a master. This allows for a multi-tiered implementation.
---
The other change is local to krb/get_in_tkt.c. In preparation for
adding public krb5_appdefault_boolean and krb5_appdefault_string
functions, the static functions by that name in get_in_tkt.c are
renamed to krb5_libdefault_xxxxx since they currently access the
[libdefault] section of the code.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12137 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5/os')
-rw-r--r-- | src/lib/krb5/os/changepw.c | 23 | ||||
-rw-r--r-- | src/lib/krb5/os/locate_kdc.c | 151 | ||||
-rw-r--r-- | src/lib/krb5/os/os-proto.h | 3 | ||||
-rw-r--r-- | src/lib/krb5/os/sendto_kdc.c | 27 | ||||
-rw-r--r-- | src/lib/krb5/os/t_std_conf.c | 4 |
5 files changed, 65 insertions, 143 deletions
diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
index 6ed95bce7..597351619 100644
--- a/src/lib/krb5/os/changepw.c
+++ b/src/lib/krb5/os/changepw.c
@@ -53,31 +53,24 @@
 */
 static krb5_error_code
-krb5_locate_kpasswd(context, realm, addr_pp, naddrs, master_index, nmasters)
+krb5_locate_kpasswd(context, realm, addr_pp, naddrs)
 krb5_context context;
 const krb5_data *realm;
 struct sockaddr **addr_pp;
 int *naddrs;
- int *master_index;
- int *nmasters;
 {
 krb5_error_code code;
 int i;
-#ifdef KRB5_DNS_LOOKUP
- struct sockaddr *admin_addr_p, *kdc_addr_p;
- int nadmin_addrs, nkdc_addrs;
- int j;
-#endif /* KRB5_DNS_LOOKUP */
 /*
 * We always try the local file first
 */
- code = krb5_locate_srv_conf(context, realm, "kpasswd_server", addr_pp, naddrs,
- master_index, nmasters);
+ code = krb5_locate_srv_conf( context, realm, "kpasswd_server",
+ addr_pp, naddrs, 0);
 if (code) {
- code = krb5_locate_srv_conf(context, realm, "admin_server", addr_pp, naddrs,
- master_index, nmasters);
+ code = krb5_locate_srv_conf( context, realm, "admin_server",
+ addr_pp, naddrs, 0);
 if ( !code ) {
 /* success with admin_server but now we need to change the port */
 /* number to use DEFAULT_KPASSWD_PORT. */
@@ -108,10 +101,6 @@ krb5_locate_kpasswd(context, realm, addr_pp, naddrs, master_index, nmasters)
 }
 }
 }
- if ( !code && master_index && nmasters ) {
- *master_index = 1;
- *nmasters = *naddrs;
- }
 }
 }
 #endif /* KRB5_DNS_LOOKUP */
@@ -158,7 +147,7 @@ krb5_change_password(context, creds, newpw, result_code,
 if (code = krb5_locate_kpasswd(context, krb5_princ_realm(context, creds->client),
- &addr_p, &naddr_p,NULL,NULL))
+ &addr_p, &naddr_p))
 goto cleanup;
 /* this is really obscure. s1 is used for all communications. it
diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c
index fcdfa03f2..1139fb338 100644
--- a/src/lib/krb5/os/locate_kdc.c
+++ b/src/lib/krb5/os/locate_kdc.c
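Review bot: The trailing `0` in the two rewritten `krb5_locate_srv_conf` calls is a bare literal; a reader of changepw.c has to open locate_kdc.c to learn it is the new `get_masters` flag, under which every configured host is returned rather than only the admin_server matches. A comment on the first call, `/* get_masters == 0: use the kpasswd/admin server list as configured */`, or a named constant shared by both calls, would make that visible at the call site. The error from the kpasswd_server lookup is overwritten by the admin_server attempt, so only the second error reaches the caller; that is pre-existing but deserves a sentence in the same comment. krb5_locate_kpasswd continues beyond this hunk.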
@@ -85,14 +85,13 @@ _krb5_use_dns(context)
 */
 krb5_error_code
-krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, master_index, nmasters)
+krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, get_masters)
 krb5_context context;
 const krb5_data *realm;
 const char * name;
 struct sockaddr **addr_pp;
 int *naddrs;
- int *master_index;
- int *nmasters;
+ int get_masters;
 {
 const char *realm_srv_names[4];
 char **masterlist, **hostlist, *host, *port, *cp;
@@ -162,10 +161,7 @@ krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, master_index, nmaste
 return 0;
 }
- if (master_index) {
- *master_index = 0;
- *nmasters = 0;
-
+ if (get_masters) {
 realm_srv_names[0] = "realms";
 realm_srv_names[1] = host;
 realm_srv_names[2] = "admin_server";
@@ -209,8 +205,10 @@ krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, master_index, nmaste
 addr_p = (struct sockaddr *)malloc (sizeof (struct sockaddr) * count);
 if (addr_p == NULL) {
- profile_free_list(hostlist);
- profile_free_list(masterlist);
+ if ( hostlist )
+ profile_free_list(hostlist);
+ if ( masterlist )
+ profile_free_list(masterlist);
 return ENOMEM;
 }
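Review bot: With `get_masters` false the block that populates `masterlist` is now skipped entirely, and the `if ( masterlist ) profile_free_list(masterlist)` guards added in the next hunk only protect the skip path if the pointer is NULL at that point; the declaration `char **masterlist, **hostlist, *host, *port, *cp;` in the first hunk carries no initializer and I can't see an assignment before `if (get_masters)` in the lines shown. If nothing earlier sets it, initialize at declaration, `char **masterlist = NULL, **hostlist, *host, *port, *cp;`, so the non-master path never tests or frees an indeterminate pointer. A one-line comment on the branch, `/* masterlist is only needed when filtering to master KDCs */`, would also explain why the lookup is conditional. The function's body continues outside the hunk.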
@@ -239,52 +237,54 @@ krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, master_index, nmaste
 if (masterlist) {
 for (j=0; masterlist[j]; j++) {
 if (strcasecmp(hostlist[i], masterlist[j]) == 0) {
- *master_index = out;
 ismaster = 1;
 }
 }
 }
- switch (hp->h_addrtype) {
-
+ if ( !get_masters || ismaster ) {
+ switch (hp->h_addrtype) {
 #ifdef HAVE_NETINET_IN_H
- case AF_INET:
- for (j=0; hp->h_addr_list[j]; j++) {
- sin_p = (struct sockaddr_in *) &addr_p[out++];
- memset ((char *)sin_p, 0, sizeof(struct sockaddr));
- sin_p->sin_family = hp->h_addrtype;
- sin_p->sin_port = port ? htons(atoi(port)) : udpport;
- memcpy((char *)&sin_p->sin_addr,
- (char *)hp->h_addr_list[j],
- sizeof(struct in_addr));
- if (out+1 >= count) {
- count += 5;
- addr_p = (struct sockaddr *)
- realloc ((char *)addr_p,
- sizeof(struct sockaddr) * count);
- if (addr_p == NULL) {
- profile_free_list(hostlist);
- profile_free_list(masterlist);
- return ENOMEM;
+ case AF_INET:
+ for (j=0; hp->h_addr_list[j]; j++) {
+ sin_p = (struct sockaddr_in *) &addr_p[out++];
+ memset ((char *)sin_p, 0, sizeof(struct sockaddr));
+ sin_p->sin_family = hp->h_addrtype;
+ sin_p->sin_port = port ? 
htons(atoi(port)) : udpport;
+ memcpy((char *)&sin_p->sin_addr,
+ (char *)hp->h_addr_list[j],
+ sizeof(struct in_addr));
+ if (out+1 >= count) {
+ count += 5;
+ addr_p = (struct sockaddr *)
+ realloc ((char *)addr_p,
+ sizeof(struct sockaddr) * count);
+ if (addr_p == NULL) {
+ if ( hostlist )
+ profile_free_list(hostlist);
+ if ( masterlist )
+ profile_free_list(masterlist);
+ return ENOMEM;
+ }
 }
- }
- if (sec_udpport && !port) {
- addr_p[out] = addr_p[out-1];
- sin_p = (struct sockaddr_in *) &addr_p[out++];
- sin_p->sin_port = sec_udpport;
- }
- }
- break;
+ if (sec_udpport && !port) {
+ addr_p[out] = addr_p[out-1];
+ sin_p = (struct sockaddr_in *) &addr_p[out++];
+ sin_p->sin_port = sec_udpport;
+ }
+ }
+ break;
 #endif
- default:
- break;
- }
- if (ismaster)
- *nmasters = out - *master_index;
+ default:
+ break;
+ }
+ }
 }
- profile_free_list(hostlist);
- profile_free_list(masterlist);
+ if ( hostlist )
+ profile_free_list(hostlist);
+ if ( masterlist )
+ profile_free_list(masterlist);
 if (out == 0) { /* Couldn't resolve any KDC names */
 free (addr_p);
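Review bot: The `realloc` in the AF_INET branch still assigns its result straight to `addr_p`, so when it fails the previous buffer and every address already collected in it are leaked before `return ENOMEM`; the commit rewrote these lines and kept the pattern. Keep the result in a temporary, `struct sockaddr *tmp = (struct sockaddr *) realloc((char *)addr_p, sizeof(struct sockaddr) * count);` then `if (tmp == NULL) { free(addr_p); ... return ENOMEM; }` with `addr_p = tmp;` on success. Separately, the new `if ( !get_masters || ismaster )` guard skips only the address copy; the name lookup that produced `hp` appears to run before it (outside this hunk), so the per-host resolution cost the commit message wants to avoid is presumably still paid for hosts that are then discarded, and a comment at the guard saying the host is resolved but dropped would at least make that explicit. The enclosing loop and function start before this hunk.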
@@ -564,78 +564,29 @@ krb5_locate_srv_dns(realm, service, protocol, addr_pp, naddrs)
 */
 krb5_error_code
-krb5_locate_kdc(context, realm, addr_pp, naddrs, master_index, nmasters)
+krb5_locate_kdc(context, realm, addr_pp, naddrs, get_masters)
 krb5_context context;
 const krb5_data *realm;
 struct sockaddr **addr_pp;
 int *naddrs;
- int *master_index;
- int *nmasters;
+ int get_masters;
 {
 krb5_error_code code;
-#ifdef KRB5_DNS_LOOKUP
- struct sockaddr *admin_addr_p, *kdc_addr_p;
- int nadmin_addrs, nkdc_addrs;
- int i,j;
-#endif /* KRB5_DNS_LOOKUP */
 /*
 * We always try the local file first
 */
 code = krb5_locate_srv_conf(context, realm, "kdc", addr_pp, naddrs,
- master_index, nmasters);
+ get_masters);
 #ifdef KRB5_DNS_LOOKUP
 if (code) {
 int use_dns = _krb5_use_dns(context);
 if ( use_dns ) {
- code = krb5_locate_srv_dns(realm, "_kerberos", "_udp",
- addr_pp, naddrs);
- if ( master_index && nmasters ) {
-
- code = krb5_locate_srv_dns(realm, "_kerberos-adm", "_tcp",
- &admin_addr_p, &nadmin_addrs);
- if ( code ) {
- free(*addr_pp);
- *addr_pp = NULL;
- *naddrs = 0;
- return(code);
- }
-
- kdc_addr_p = *addr_pp;
- nkdc_addrs = *naddrs;
-
- *naddrs = 0;
- *addr_pp = (struct sockaddr *) malloc(sizeof(*kdc_addr_p));
- if ( *addr_pp == NULL ) {
- free(kdc_addr_p);
- free(admin_addr_p);
- return ENOMEM;
- }
-
- for ( i=0; i<nkdc_addrs; i++ ) {
- for ( j=0 ; j<nadmin_addrs; j++) {
- if ( !memcmp(&kdc_addr_p[i].sa_data[2],&admin_addr_p[j].sa_data[2],4) ) {
- memcpy(&(*addr_pp)[(*naddrs)],&kdc_addr_p[i],
- sizeof(struct sockaddr));
- (*naddrs)++;
- break;
- }
- }
- }
-
- free(kdc_addr_p);
- free(admin_addr_p);
-
- if ( *naddrs == 0 ) {
- free(*addr_pp);
- *addr_pp = NULL;
- return KRB5_REALM_CANT_RESOLVE;
- }
- *master_index = 1;
- *nmasters = *naddrs;
- }
+ code = krb5_locate_srv_dns(realm,
+ get_masters ? "_kerberos-master" : "_kerberos",
+ "_udp", addr_pp, naddrs);
 }
 }
 #endif /* KRB5_DNS_LOOKUP */
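Review bot: The new `get_masters` parameter and the `_kerberos-master` SRV name it selects are undocumented at the function, and the behaviour differs from the old code in a way callers must know: the DNS path is only reached when the config lookup failed, and with `get_masters` set the `_kerberos-master` answer is used as-is, with no intersection against the `_kerberos` list and no fallback to the ordinary KDCs when the record is absent. A comment above `krb5_locate_kdc` along the lines of `/* get_masters: return only master KDCs (admin_server matches from the config, else the _kerberos-master SRV record); an empty result appears to be reported as an error rather than a fallback to the full list */` would capture that, hedged as written since the DNS helper's empty-result handling is outside this hunk. Like the existing `_kerberos` lookup, the list comes from DNS and is a routing hint only, so the comment should also say that KDC reply authenticity still rests on the Kerberos exchange itself. The function's tail is outside the hunk.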
diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
index fed7a81db..a6b67f15e 100644
--- a/src/lib/krb5/os/os-proto.h
+++ b/src/lib/krb5/os/os-proto.h
@@ -36,8 +36,7 @@ krb5_error_code krb5_locate_kdc
 const krb5_data *,
 struct sockaddr **,
 int *,
- int *,
- int *));
+ int));
 #endif
 #ifdef HAVE_NETINET_IN_H
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 01b797e70..241ffbcbd 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -60,16 +60,16 @@ extern int krb5_skdc_timeout_shift;
 extern int krb5_skdc_timeout_1;
 krb5_error_code
-krb5_sendto_kdc (context, message, realm, reply, master)
+krb5_sendto_kdc (context, message, realm, reply, use_master)
 krb5_context context;
 const krb5_data * message;
 const krb5_data * realm;
 krb5_data * reply;
- int *master;
+ int use_master;
 {
 register int timeout, host, i;
 struct sockaddr *addr;
- int naddr, master_index, nmasters;
+ int naddr;
 int sent, nready;
 krb5_error_code retval;
 SOCKET *socklist;
@@ -81,14 +81,10 @@ krb5_sendto_kdc (context, message, realm, reply, master)
 * find KDC location(s) for realm
 */
- if (retval = krb5_locate_kdc (context, realm, &addr, &naddr,
- master?&master_index:NULL,
- master?&nmasters:NULL))
+ if (retval = krb5_locate_kdc(context, realm, &addr, &naddr, use_master))
 return retval;
 if (naddr == 0)
- return KRB5_REALM_UNKNOWN;
- if (master && (*master == 1) && (nmasters == 0))
- return KRB5_KDC_UNREACH;
+ return (use_master ? KRB5_KDC_UNREACH : KRB5_REALM_UNKNOWN);
 socklist = (SOCKET *)malloc(naddr * sizeof(SOCKET));
 if (socklist == NULL) {
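Review bot: The `krb5_locate_kdc` prototype now ends in a bare `int` with nothing saying what the flag means, and since the header is where most callers look, `int /* get_masters */));` or a one-line comment above the declaration would help. Only this prototype is updated in the hunk, yet `krb5_locate_srv_conf` and `krb5_sendto_kdc` change signature in the same commit; I can't see where those are declared, so confirm every declaration of them now matches the six-argument and `int use_master` forms, otherwise a caller built against a stale prototype would pass a pointer where an int is expected and the compiler would not complain in K&R-style code.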
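Review bot: `krb5_sendto_kdc` changes from an in/out `int *master` to a plain `int use_master`, which drops the out-value that told the caller whether a master actually answered; any caller that branched on `*master` after the call (the commit message points at get_in_tkt.c, outside this diffstat) must be reworked in the same commit, so confirm that is done. On the rewritten line, `if (retval = krb5_locate_kdc(context, realm, &addr, &naddr, use_master))` keeps the assignment-in-condition form; `if ((retval = krb5_locate_kdc(context, realm, &addr, &naddr, use_master)) != 0)` reads clearer and avoids the usual compiler warning. The `naddr == 0` early return leaves `addr` unfreed if `krb5_locate_kdc` can return success with an allocated but empty list; from the locate_kdc.c hunk it frees `addr_p` when `out == 0`, so this looks unreachable, but a comment saying so, `/* locate_kdc frees the list and fails when it is empty; naddr == 0 here means a zero-length success from another source */`, would save the next reader the same check. The function continues beyond the hunk.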
@@ -128,12 +124,6 @@ krb5_sendto_kdc (context, message, realm, reply, master)
 timeout <<= krb5_skdc_timeout_shift) {
 sent = 0;
 for (host = 0; host < naddr; host++) {
- /* if a master kdc is required, skip the non-master kdc's */
-
- if (master && (*master == 1) &&
- ((host < master_index) || (host >= (master_index+nmasters))))
- continue;
-
 /* send to the host, wait timeout seconds for a response,
 then move on. */
 /* cache some sockets for each host */
@@ -210,13 +200,6 @@ krb5_sendto_kdc (context, message, realm, reply, master)
 reply->length = cc;
 retval = 0;
-
- /* if the caller asked to be informed if it
- got a master kdc, tell it */
- if (master)
- *master = ((host >= master_index) &&
- (host < (master_index+nmasters)));
-
 goto out;
 } else if (nready == 0) {
 /* timeout */
diff --git a/src/lib/krb5/os/t_std_conf.c b/src/lib/krb5/os/t_std_conf.c
index 0846b1c22..a95c67ad5 100644
--- a/src/lib/krb5/os/t_std_conf.c
+++ b/src/lib/krb5/os/t_std_conf.c
@@ -110,14 +110,14 @@ void test_locate_kdc(ctx, realm)
 struct sockaddr *addrs;
 struct sockaddr_in *sin;
 int i, naddrs;
- int master_index, nmasters;
+ int get_masters=0;
 krb5_data rlm;
 krb5_error_code retval;
 rlm.data = realm;
 rlm.length = strlen(realm);
 retval = krb5_locate_kdc(ctx, &rlm, &addrs, &naddrs,
- &master_index, &nmasters);
+ get_masters);
 if (retval) {
 com_err("krb5_get_krbhst", retval, 0);
 return; |
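Review bot: The updated test only exercises the `get_masters=0` path, so the master-only selection added to `krb5_locate_srv_conf` and the `_kerberos-master` SRV lookup are not covered at all; a second `krb5_locate_kdc` call with `get_masters = 1` against the same realm, checked the same way this function already checks the first result, would exercise the path the commit actually adds. Minor style point on the same line: `int get_masters = 0;` matches the spacing of the surrounding declarations better than `int get_masters=0;`. test_locate_kdc continues beyond this hunk.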