authorChris Provenzano <proven@mit.edu>1995-12-12 06:18:53 +0000
committerChris Provenzano <proven@mit.edu>1995-12-12 06:18:53 +0000
commitff48bbd4d3238d881488b303548047eb7c0498a7 (patch)
treef3a8c4cb4fb9c5fdcfdb3537eba309cd49fd99f0 /src
parent104e46ea3bef5416eca66a04409ff16d2726e59e (diff)
* extern.h: Added a krb5_keytab to the realm context. The keytab
should be associated with a krb5_db_context which will make having a krb5_context unnecessary in the realm context. * kdc_util.c kdc_process_tgs_req(): Use the realm keytab instead of faking up a user-to-user key to pass to krb5_rd_req_decode(). * main.c: Added code to use the new database keytab routines. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7200 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/kdc/ChangeLog10
-rw-r--r--src/kdc/extern.h5
-rw-r--r--src/kdc/kdc_util.c31
-rw-r--r--src/kdc/main.c18
4 files changed, 50 insertions, 14 deletions
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index 85a23b32b..04db8f3c1 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,13 @@
+
+Tue Dec 12 01:10:34 1995 Chris Provenzano (proven@mit.edu)
+
+ * extern.h: Added a krb5_keytab to the realm context. The keytab
+ should be associated with a krb5_db_context which will
+ make having a krb5_context unnecessary in the realm context.
+ * kdc_util.c kdc_process_tgs_req(): Use the realm keytab instead
+ of faking up a user-to-user key to pass to krb5_rd_req_decode().
+ * main.c: Added code to use the new database keytab routines.
+
Mon Dec 11 16:58:31 1995 Chris Provenzano (proven@mit.edu)
* kdc_preauth.c return_padata(): Initialize local variable "size"
diff --git a/src/kdc/extern.h b/src/kdc/extern.h
index 7ea95b8fc..313f20e11 100644
--- a/src/kdc/extern.h
+++ b/src/kdc/extern.h
@@ -31,7 +31,12 @@ typedef struct __kdc_realm_data {
* General Kerberos per-realm data.
*/
char * realm_name; /* Realm name */
+/* XXX the real context should go away once the db_context is done.
+ * The db_context is then associated with the realm keytab using
+ * krb5_ktkdb_resolv(). There should be nothing in the context which
+ * cannot span multiple realms -- proven */
krb5_context realm_context; /* Context to be used for realm */
+ krb5_keytab realm_keytab; /* keytab to be used for this realm */
char * realm_profile; /* Profile file for this realm */
/*
* Database per-realm data.
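Review bot: The comment added above `realm_context` names `krb5_ktkdb_resolv()`, but the call this commit adds in main.c is `krb5_ktkdb_resolve()`. The comment added above kdc_get_server_key() in kdc_util.c has the same problem: it refers to `krb5_rd_req_decode()` while the code calls `krb5_rd_req_decoded()`. Spelling both names as the code does lets a search for the function find these notes. The new field would also benefit from saying who releases it, for example `/* keytab for this realm; closed in finish_realm() */`. The struct continues outside the hunk.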
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index c76f6fb18..4e427ab6b 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -212,20 +212,25 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey)
kdc_rcache)))
goto cleanup_auth_context;
+/*
if ((retval = kdc_get_server_key(apreq->ticket, &key, &kvno)))
goto cleanup_auth_context;
+*/
/*
* XXX This is currently wrong but to fix it will require making a
* new keytab for groveling over the kdb.
*/
+/*
retval = krb5_auth_con_setuseruserkey(kdc_context, auth_context, key);
krb5_free_keyblock(kdc_context, key);
if (retval)
goto cleanup_auth_context;
+*/
if ((retval = krb5_rd_req_decoded(kdc_context, &auth_context, apreq,
- apreq->ticket->server, NULL,
+ apreq->ticket->server,
+ kdc_active_realm->realm_keytab,
NULL, ticket))) {
/*
* I'm not so sure that this is right, but it's better than nothing
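Review bot: The kdc_get_server_key() and krb5_auth_con_setuseruserkey() calls are wrapped in `/* ... */` instead of being deleted, and the XXX comment left between them ("This is currently wrong but to fix it will require making a new keytab ...") still describes the problem this change resolves. A reader auditing how the TGS ticket key is selected cannot tell which path is live. I would delete both dead blocks and replace the XXX text with something like `/* Decrypt the ticket with the key the realm keytab holds for apreq->ticket->server. */`. The locals `key` and `kvno` are presumably unused afterwards, but their declarations are outside the hunk.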
@@ -239,23 +244,17 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey)
(retval == KRB5_RC_IO_UNKNOWN)) {
(void) krb5_rc_close(kdc_context, kdc_rcache);
kdc_rcache = (krb5_rcache) NULL;
- if (!(retval = kdc_initialize_rcache(kdc_context,
- (char *) NULL))) {
- if ((retval = krb5_auth_con_setrcache(kdc_context,
- auth_context,
+ if (!(retval = kdc_initialize_rcache(kdc_context, (char *) NULL))) {
+ if ((retval = krb5_auth_con_setrcache(kdc_context, auth_context,
kdc_rcache)) ||
- (retval = krb5_rd_req_decoded(kdc_context,
- &auth_context,
- apreq,
- apreq->ticket->server,
- NULL,
- NULL,
- ticket))
+ (retval = krb5_rd_req_decoded(kdc_context, &auth_context,
+ apreq, apreq->ticket->server,
+ kdc_active_realm->realm_keytab,
+ NULL, ticket))
)
goto cleanup_auth_context;
}
- }
- else
+ } else
goto cleanup_auth_context;
}
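Review bot: In the retry branch, a failure of `kdc_initialize_rcache()` leaves `retval` non-zero but reaches no `goto`, because the inner `if (!(retval = ...))` body is skipped and the `else goto cleanup_auth_context;` belongs to the outer replay-cache-error test. As far as the hunk shows, control then falls out of the error block and continues as if the AP-REQ had been decoded, with `kdc_rcache` set to NULL. The commit reformats these lines but keeps that shape. Bailing out first closes the gap: `if ((retval = kdc_initialize_rcache(kdc_context, (char *) NULL))) goto cleanup_auth_context;`, followed by the setrcache and second `krb5_rd_req_decoded()` calls unconditionally. The enclosing `if` starts in the previous hunk and the code after the closing brace is outside this one.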
@@ -317,6 +316,10 @@ cleanup:
return retval;
}
+/* XXX This function should no longer be necessary.
+ * The KDC should take the keytab associated with the realm and pass that to
+ * the krb5_rd_req_decode(). --proven
+ */
krb5_error_code
kdc_get_server_key(ticket, key, kvno)
krb5_ticket * ticket;
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 49f2a89ed..68e6886dc 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -36,6 +36,7 @@
#include "kdc_util.h"
#include "extern.h"
#include "kdc5_err.h"
+#include "kdb_dbc.h"
#ifdef KRB5_USE_INET
#include <netinet/in.h>
#endif
@@ -257,6 +258,8 @@ finish_realm(rdp)
free(rdp->realm_ports);
if (rdp->realm_kstypes)
free(rdp->realm_kstypes);
+ if (rdp->realm_keytab)
+ krb5_kt_close(rdp->realm_context, rdp->realm_keytab);
if (rdp->realm_context) {
if (rdp->realm_mprinc)
krb5_free_principal(rdp->realm_context, rdp->realm_mprinc);
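Review bot: The added `krb5_kt_close(rdp->realm_context, rdp->realm_keytab);` runs before the `if (rdp->realm_context)` test on the next line. On any path where the context is NULL but the keytab field is not, the close is handed a NULL context. Moving the two added lines inside the `if (rdp->realm_context) {` block, ahead of whatever releases the context, keeps the teardown order safe. The check also relies on `rdp` having been zeroed before init_realm() can fail, which the hunk does not show; otherwise `realm_keytab` is read uninitialized here. finish_realm's body continues outside the hunk.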
@@ -296,6 +299,7 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname,
char *def_ports;
krb5_boolean def_manual;
{
+ krb5_db_context db_context;
krb5_error_code kret;
krb5_boolean manual;
krb5_db_entry db_entry;
@@ -528,6 +532,20 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname,
goto whoops;
}
+/* Set master encblock with db_context */
+if ((kret = krb5_dbm_db_set_mkey(rdp->realm_context, &db_context,
+ &rdp->realm_encblock))) {
+com_err(progname, kret, "while setting master key for realm %s", realm);
+goto whoops;
+}
+
+/* Set up the keytab */
+if (kret = krb5_ktkdb_resolve(rdp->realm_context, &db_context,
+ &rdp->realm_keytab)) {
+com_err(progname, kret, "while resolving kdb keytab for realm %s", realm);
+goto whoops;
+}
+
/* Preformat the TGS name */
if ((kret = krb5_build_principal(rdp->realm_context,
&rdp->realm_tgsprinc,
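Review bot: `db_context` is a stack local of init_realm(), declared in the previous hunk, and the only lines this commit adds that touch it are these two calls. It therefore reaches `krb5_dbm_db_set_mkey()` without being initialized, and its address is then given to `krb5_ktkdb_resolve()` for a keytab that is stored in `rdp->realm_keytab` and outlives the function. If the keytab keeps that pointer, as the extern.h comment about associating the db_context with the realm keytab suggests, every later ticket decryption through `kdc_active_realm->realm_keytab` would read a dead stack frame. The db_context should live as long as the keytab, for instance as a new member of the realm data that is zeroed before use and released in finish_realm(). Separately, the second condition lacks the doubled parentheses used on the first: `if ((kret = krb5_ktkdb_resolve(rdp->realm_context, &db_context, &rdp->realm_keytab))) {`.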