diff options
Diffstat (limited to 'src/kadmin')
-rw-r--r-- | src/kadmin/cli/ChangeLog | 5 | ||||
-rw-r--r-- | src/kadmin/cli/kadmin.c | 5 | ||||
-rw-r--r-- | src/kadmin/dbutil/ChangeLog | 5 | ||||
-rw-r--r-- | src/kadmin/dbutil/kadm5_create.c | 24 | ||||
-rw-r--r-- | src/kadmin/server/ChangeLog | 25 | ||||
-rw-r--r-- | src/kadmin/server/kadm_rpc_svc.c | 110 | ||||
-rw-r--r-- | src/kadmin/server/misc.h | 2 | ||||
-rw-r--r-- | src/kadmin/server/ovsec_kadmd.c | 42 | ||||
-rw-r--r-- | src/kadmin/server/server_stubs.c | 75 |
9 files changed, 243 insertions, 50 deletions
diff --git a/src/kadmin/cli/ChangeLog b/src/kadmin/cli/ChangeLog index 8de05c350..4bfa42652 100644 --- a/src/kadmin/cli/ChangeLog +++ b/src/kadmin/cli/ChangeLog @@ -1,3 +1,8 @@ +2004-06-15 Tom Yu <tlyu@mit.edu> + + * kadmin.c (kadmin_startup): Add option to force old AUTH_GSSAPI + flavor. + 2004-05-31 Ezra Peisach <epeisach@mit.edu> * kadmin.h, keytab.c: Remove inclusion of k5-int.h. diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c index 7ca0898d8..3eef8529b 100644 --- a/src/kadmin/cli/kadmin.c +++ b/src/kadmin/cli/kadmin.c @@ -192,7 +192,7 @@ char *kadmin_startup(argc, argv) exit(1); } - while ((optchar = getopt(argc, argv, "r:p:kq:w:d:s:mc:t:e:")) != EOF) { + while ((optchar = getopt(argc, argv, "r:p:kq:w:d:s:mc:t:e:O")) != EOF) { switch (optchar) { case 'r': def_realm = optarg; @@ -240,6 +240,9 @@ char *kadmin_startup(argc, argv) } params.mask |= KADM5_CONFIG_ENCTYPES; break; + case 'O': + params.mask |= KADM5_CONFIG_OLD_AUTH_GSSAPI; + break; default: usage(); } diff --git a/src/kadmin/dbutil/ChangeLog b/src/kadmin/dbutil/ChangeLog index 711302500..6dee87865 100644 --- a/src/kadmin/dbutil/ChangeLog +++ b/src/kadmin/dbutil/ChangeLog @@ -1,3 +1,8 @@ +2004-06-15 Tom Yu <tlyu@mit.edu> + + * kadm5_create.c (add_admin_princs): Create kadmin/fqdn + principal. + 2003-04-23 Ken Raeburn <raeburn@mit.edu> * kdb5_destroy.c, kdb5_stash.c: Don't declare errno. diff --git a/src/kadmin/dbutil/kadm5_create.c b/src/kadmin/dbutil/kadm5_create.c index d9aa60d68..9ed6459e0 100644 --- a/src/kadmin/dbutil/kadm5_create.c +++ b/src/kadmin/dbutil/kadm5_create.c @@ -173,7 +173,29 @@ static char *build_name_with_realm(char *name, char *realm) static int add_admin_princs(void *handle, krb5_context context, char *realm) { krb5_error_code ret = 0; - + char service_name[MAXHOSTNAMELEN + 8]; + char localname[MAXHOSTNAMELEN]; + struct hostent *hp; + + if (gethostname(localname, MAXHOSTNAMELEN)) { + ret = errno; + perror("gethostname"); + goto clean_and_exit; + } + hp = gethostbyname(localname); + if (hp == NULL) { + ret = errno; + perror("gethostbyname"); + goto clean_and_exit; + } + sprintf(service_name, "kadmin/%s", hp->h_name); + + if ((ret = add_admin_princ(handle, context, + service_name, realm, + KRB5_KDB_DISALLOW_TGT_BASED, + ADMIN_LIFETIME))) + goto clean_and_exit; + if ((ret = add_admin_princ(handle, context, KADM5_ADMIN_SERVICE, realm, KRB5_KDB_DISALLOW_TGT_BASED, diff --git a/src/kadmin/server/ChangeLog b/src/kadmin/server/ChangeLog index 223548ad2..9b70eecf9 100644 --- a/src/kadmin/server/ChangeLog +++ b/src/kadmin/server/ChangeLog @@ -1,3 +1,28 @@ +2004-06-15 Tom Yu <tlyu@mit.edu> + + * kadm_rpc_svc.c (check_rpcsec_auth, gss_to_krb5_name): New + functions to check service name for RPCSEC_GSS. + (kadm_1): Add service name check for RPCSEC_GSS. + + * ovsec_kadmd.c (main): Setup logging calllbacks for RPCSEC_GSS. + Use GSS_C_N_NAME for acceptor name for RPCSEC_GSS. + (log_badverf): Handle null client and server names. + + * server_stubs.c (rqst2name): New function to return appropriate + gss_name_t for a given auth flavor (RPCSEC_GSS and AUTH_GSSAPI use + different field names). + +2004-05-27 Tom Yu <tlyu@mit.edu> + + * kadm_rpc_svc.c (kadm_1): Allow RPCSEC_GSS; remove + AUTH_GSSAPI_COMPAT. + + * misc.h (kadm_1): Conditionalize prototype on SVC_GETARGS rather + than on an inclusion-protection macro. + + * ovsec_kadmd.c (main): Add preliminary support for RPCSEC_GSS. + (do_schpw, kadm_svc_run): Update some names. + 2004-03-20 Ken Raeburn <raeburn@mit.edu> * ovsec_kadmd.c (main): Use any handy krb5 context to register diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c index 54048df81..d2139a69c 100644 --- a/src/kadmin/server/kadm_rpc_svc.c +++ b/src/kadmin/server/kadm_rpc_svc.c @@ -5,6 +5,7 @@ #include <stdio.h> #include <gssrpc/rpc.h> +#include <gssapi/gssapi_krb5.h> /* for gss_nt_krb5_name */ #include <syslog.h> #ifdef HAVE_MEMORY_H #include <memory.h> @@ -17,7 +18,15 @@ #include <arpa/inet.h> #endif #include "misc.h" +#include "kadm5/server_internal.h" +extern void *global_server_handle; + +static int check_rpcsec_auth(struct svc_req *); +static int gss_to_krb5_name(struct svc_req *, krb5_context, gss_name_t, krb5_principal *, gss_buffer_t); + +void log_badauth(OM_uint32 major, OM_uint32 minor, + struct sockaddr_in *addr, char *data); /* * Function: kadm_1 * @@ -63,8 +72,8 @@ void kadm_1(rqstp, transp) char *(*local)(); if (rqstp->rq_cred.oa_flavor != AUTH_GSSAPI && - rqstp->rq_cred.oa_flavor != AUTH_GSSAPI_COMPAT) { - krb5_klog_syslog(LOG_ERR, "Authentication attempt failed: %s, invalid " + !check_rpcsec_auth(rqstp)) { + krb5_klog_syslog(LOG_ERR, "Authentication attempt failed: %s, " "RPC authentication flavor %d", inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), rqstp->rq_cred.oa_flavor); @@ -227,3 +236,100 @@ void kadm_1(rqstp, transp) } return; } + +static int +check_rpcsec_auth(struct svc_req *rqstp) +{ + gss_ctx_id_t ctx; + krb5_context kctx; + OM_uint32 maj_stat, min_stat; + gss_name_t name; + krb5_principal princ; + int ret, success; + krb5_data *c1, *c2, *realm; + gss_buffer_desc gss_str; + kadm5_server_handle_t handle; + + success = 0; + handle = (kadm5_server_handle_t)global_server_handle; + + if (rqstp->rq_cred.oa_flavor != RPCSEC_GSS) + return 0; + + ctx = rqstp->rq_svccred; + + maj_stat = gss_inquire_context(&min_stat, ctx, NULL, &name, + NULL, NULL, NULL, NULL, NULL); + if (maj_stat != GSS_S_COMPLETE) { + krb5_klog_syslog(LOG_ERR, "check_rpcsec_auth: " + "failed inquire_context, stat=%u", maj_stat); + log_badauth(maj_stat, min_stat, + &rqstp->rq_xprt->xp_raddr, NULL); + goto fail_name; + } + + kctx = handle->context; + ret = gss_to_krb5_name(rqstp, kctx, name, &princ, &gss_str); + if (ret == 0) + goto fail_name; + + /* + * Since we accept with GSS_C_NO_NAME, the client can authenticate + * against the entire kdb. Therefore, ensure that the service + * name is something reasonable. + */ + if (krb5_princ_size(kctx, princ) != 2) + goto fail_princ; + + c1 = krb5_princ_component(kctx, princ, 0); + c2 = krb5_princ_component(kctx, princ, 1); + realm = krb5_princ_realm(kctx, princ); + if (strncmp(handle->params.realm, realm->data, realm->length) == 0 + && strncmp("kadmin", c1->data, c1->length) == 0) { + + if (strncmp("history", c2->data, c2->length) == 0) + goto fail_princ; + else + success = 1; + } + +fail_princ: + if (!success) { + krb5_klog_syslog(LOG_ERR, "bad service principal %.*s", + gss_str.length, gss_str.value); + } + gss_release_buffer(&min_stat, &gss_str); + krb5_free_principal(kctx, princ); +fail_name: + gss_release_name(&min_stat, &name); + return success; +} + +static int +gss_to_krb5_name(struct svc_req *rqstp, krb5_context ctx, gss_name_t gss_name, + krb5_principal *princ, gss_buffer_t gss_str) +{ + OM_uint32 status, minor_stat; + gss_OID gss_type; + char *str; + int success; + + status = gss_display_name(&minor_stat, gss_name, gss_str, &gss_type); + if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name)) { + krb5_klog_syslog(LOG_ERR, + "gss_to_krb5_name: " + "failed display_name status %d", status); + log_badauth(status, minor_stat, + &rqstp->rq_xprt->xp_raddr, NULL); + return 0; + } + str = malloc(gss_str->length +1); + if (str == NULL) + return 0; + *str = '\0'; + + strncat(str, gss_str->value, gss_str->length); + success = (krb5_parse_name(ctx, str, princ) == 0); + free(str); + return success; +} diff --git a/src/kadmin/server/misc.h b/src/kadmin/server/misc.h index a57a7b1d9..e50725593 100644 --- a/src/kadmin/server/misc.h +++ b/src/kadmin/server/misc.h @@ -34,6 +34,6 @@ krb5_error_code process_chpw_request(krb5_context context, struct sockaddr_in *sockin, krb5_data *req, krb5_data *rep); -#ifdef __SVC_HEADER__ +#ifdef SVC_GETARGS void kadm_1(struct svc_req *, SVCXPRT *); #endif diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c index b642c8927..e7e995d18 100644 --- a/src/kadmin/server/ovsec_kadmd.c +++ b/src/kadmin/server/ovsec_kadmd.c @@ -41,7 +41,6 @@ #include <unistd.h> #include <netinet/in.h> #include <arpa/inet.h> /* inet_ntoa */ -#include <netdb.h> #include <gssrpc/rpc.h> #include <gssapi/gssapi.h> #include "gssapiP_krb5.h" /* for kg_get_context */ @@ -86,6 +85,7 @@ static struct sigaction s_action; #define TIMEOUT 15 gss_name_t gss_changepw_name = NULL, gss_oldchangepw_name = NULL; +gss_name_t gss_kadmin_name = NULL; void *global_server_handle; /* @@ -210,7 +210,9 @@ int main(int argc, char *argv[]) gss_buffer_desc gssbuf; gss_OID nt_krb5_name_oid; kadm5_config_params params; - + + setvbuf(stderr, NULL, _IONBF, 0); + /* This is OID value the Krb5_Name NameType */ gssbuf.value = "{1 2 840 113554 1 2 2 1}"; gssbuf.length = strlen(gssbuf.value); @@ -538,15 +540,15 @@ kterr: * Try to acquire creds for the old OV services as well as the * new names, but if that fails just fall back on the new names. */ - if (_svcauth_gssapi_set_names(names, 4) == TRUE) + if (svcauth_gssapi_set_names(names, 4) == TRUE) oldnames++; - if (!oldnames && _svcauth_gssapi_set_names(names, 2) == FALSE) { + if (!oldnames && svcauth_gssapi_set_names(names, 2) == FALSE) { krb5_klog_syslog(LOG_ERR, "Cannot set GSS-API authentication names (keytab not present?), " "failing."); fprintf(stderr, "%s: Cannot set GSS-API authentication names.\n", whoami); - _svcauth_gssapi_unset_names(); + svcauth_gssapi_unset_names(); kadm5_destroy(global_server_handle); krb5_klog_close(context); exit(1); @@ -564,16 +566,26 @@ kterr: &gss_oldchangepw_name); } - _svcauth_gssapi_set_log_badauth_func(log_badauth, NULL); - _svcauth_gssapi_set_log_badverf_func(log_badverf, NULL); - _svcauth_gssapi_set_log_miscerr_func(log_miscerr, NULL); + svcauth_gssapi_set_log_badauth_func(log_badauth, NULL); + svcauth_gssapi_set_log_badverf_func(log_badverf, NULL); + svcauth_gssapi_set_log_miscerr_func(log_miscerr, NULL); + + svcauth_gss_set_log_badauth_func(log_badauth, NULL); + svcauth_gss_set_log_badverf_func(log_badverf, NULL); + svcauth_gss_set_log_miscerr_func(log_miscerr, NULL); + if (svcauth_gss_set_svc_name(GSS_C_NO_NAME) != TRUE) { + fprintf(stderr, "%s: Cannot initialize RPCSEC_GSS service name.\n", + whoami); + exit(1); + } + if ((ret = acl_init(context, 0, params.acl_file))) { krb5_klog_syslog(LOG_ERR, "Cannot initialize acl file: %s", error_message(ret)); fprintf(stderr, "%s: Cannot initialize acl file: %s\n", whoami, error_message(ret)); - _svcauth_gssapi_unset_names(); + svcauth_gssapi_unset_names(); kadm5_destroy(global_server_handle); krb5_klog_close(context); exit(1); @@ -584,7 +596,7 @@ kterr: krb5_klog_syslog(LOG_ERR, "Cannot detach from tty: %s", error_message(ret)); fprintf(stderr, "%s: Cannot detach from tty: %s\n", whoami, error_message(ret)); - _svcauth_gssapi_unset_names(); + svcauth_gssapi_unset_names(); kadm5_destroy(global_server_handle); krb5_klog_close(context); exit(1); @@ -596,7 +608,7 @@ kterr: krb5_klog_syslog(LOG_INFO, "finished, exiting"); /* Clean up memory, etc */ - _svcauth_gssapi_unset_names(); + svcauth_gssapi_unset_names(); kadm5_destroy(global_server_handle); close(s); acl_finish(context, 0); @@ -670,7 +682,7 @@ void kadm_svc_run(params) kadm5_config_params *params; { fd_set rfd; - int sz = _gssrpc_rpc_dtablesize(); + int sz = gssrpc__rpc_dtablesize(); struct timeval timeout; while(signal_request_exit == 0) { @@ -942,6 +954,10 @@ void log_badverf(gss_name_t client_name, gss_name_t server_name, (void) gss_display_name(&minor, client_name, &client, &gss_type); (void) gss_display_name(&minor, server_name, &server, &gss_type); + if (client.value == NULL) + client.value = "(null)"; + if (server.value == NULL) + server.value = "(null)"; a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); proc = msg->rm_call.cb_proc; @@ -1114,7 +1130,7 @@ void do_schpw(int s1, kadm5_config_params *params) error_message(errno)); fprintf(stderr, "Cannot create connecting socket: %s", error_message(errno)); - _svcauth_gssapi_unset_names(); + svcauth_gssapi_unset_names(); kadm5_destroy(global_server_handle); krb5_klog_close(context); exit(1); diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c index d087e0d3d..62e5daac7 100644 --- a/src/kadmin/server/server_stubs.c +++ b/src/kadmin/server/server_stubs.c @@ -15,8 +15,6 @@ #include <krb5/adm_proto.h> /* krb5_klog_syslog */ #include "misc.h" -#define xdr_free gssrpc_xdr_free /* XXX kludge */ - #define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s" #define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s" @@ -38,6 +36,8 @@ static int gss_name_to_string(gss_name_t gss_name, gss_buffer_desc *str); static gss_name_t acceptor_name(gss_ctx_id_t context); +static gss_name_t rqst2name(struct svc_req *rqstp); + static int cmp_gss_names(gss_name_t n1, gss_name_t n2) { OM_uint32 emaj, emin; @@ -115,8 +115,8 @@ static kadm5_ret_t new_server_handle(krb5_ui_4 api_version, *handle = *(kadm5_server_handle_t)global_server_handle; handle->api_version = api_version; - - if (! gss_to_krb5_name(handle, rqstp->rq_clntcred, + + if (! gss_to_krb5_name(handle, rqst2name(rqstp), &handle->current_caller)) { free(handle); return KADM5_FAILURE; @@ -165,7 +165,7 @@ int setup_gss_names(struct svc_req *rqstp, OM_uint32 maj_stat, min_stat; gss_name_t server_gss_name; - if (gss_name_to_string(rqstp->rq_clntcred, client_name) != 0) + if (gss_name_to_string(rqst2name(rqstp), client_name) != 0) return -1; maj_stat = gss_inquire_context(&min_stat, rqstp->rq_svccred, NULL, &server_gss_name, NULL, NULL, NULL, @@ -269,7 +269,7 @@ create_principal_1_svc(cprinc_arg *arg, struct svc_req *rqstp) } if (CHANGEPW_SERVICE(rqstp) - || !acl_check(handle->context, rqstp->rq_clntcred, ACL_ADD, + || !acl_check(handle->context, rqst2name(rqstp), ACL_ADD, arg->rec.principal, &rp) || acl_impose_restrictions(handle->context, &arg->rec, &arg->mask, rp)) { @@ -326,7 +326,7 @@ create_principal3_1_svc(cprinc3_arg *arg, struct svc_req *rqstp) } if (CHANGEPW_SERVICE(rqstp) - || !acl_check(handle->context, rqstp->rq_clntcred, ACL_ADD, + || !acl_check(handle->context, rqst2name(rqstp), ACL_ADD, arg->rec.principal, &rp) || acl_impose_restrictions(handle->context, &arg->rec, &arg->mask, rp)) { @@ -385,7 +385,7 @@ delete_principal_1_svc(dprinc_arg *arg, struct svc_req *rqstp) } if (CHANGEPW_SERVICE(rqstp) - || !acl_check(handle->context, rqstp->rq_clntcred, ACL_DELETE, + || !acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, arg->princ, NULL)) { ret.code = KADM5_AUTH_DELETE; krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal", @@ -436,7 +436,7 @@ modify_principal_1_svc(mprinc_arg *arg, struct svc_req *rqstp) } if (CHANGEPW_SERVICE(rqstp) - || !acl_check(handle->context, rqstp->rq_clntcred, ACL_MODIFY, + || !acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY, arg->rec.principal, &rp) || acl_impose_restrictions(handle->context, &arg->rec, &arg->mask, rp)) { @@ -496,11 +496,11 @@ rename_principal_1_svc(rprinc_arg *arg, struct svc_req *rqstp) ret.code = KADM5_OK; if (! CHANGEPW_SERVICE(rqstp)) { - if (!acl_check(handle->context, rqstp->rq_clntcred, + if (!acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, arg->src, NULL)) ret.code = KADM5_AUTH_DELETE; /* any restrictions at all on the ADD kills the RENAME */ - if (!acl_check(handle->context, rqstp->rq_clntcred, + if (!acl_check(handle->context, rqst2name(rqstp), ACL_ADD, arg->dest, &rp) || rp) { if (ret.code == KADM5_AUTH_DELETE) ret.code = KADM5_AUTH_INSUFFICIENT; @@ -565,9 +565,9 @@ get_principal_1_svc(gprinc_arg *arg, struct svc_req *rqstp) return &ret; } - if (! cmp_gss_krb5_name(handle, rqstp->rq_clntcred, arg->princ) && + if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) && (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context, - rqstp->rq_clntcred, + rqst2name(rqstp), ACL_INQUIRE, arg->princ, NULL))) { @@ -633,7 +633,7 @@ get_princs_1_svc(gprincs_arg *arg, struct svc_req *rqstp) prime_arg = "*"; if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context, - rqstp->rq_clntcred, + rqst2name(rqstp), ACL_LIST, NULL, NULL)) { @@ -688,11 +688,11 @@ chpass_principal_1_svc(chpass_arg *arg, struct svc_req *rqstp) return &ret; } - if (cmp_gss_krb5_name(handle, rqstp->rq_clntcred, arg->princ)) { + if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ, FALSE, 0, NULL, arg->pass); } else if (!(CHANGEPW_SERVICE(rqstp)) && - acl_check(handle->context, rqstp->rq_clntcred, + acl_check(handle->context, rqst2name(rqstp), ACL_CHANGEPW, arg->princ, NULL)) { ret.code = kadm5_chpass_principal((void *)handle, arg->princ, arg->pass); @@ -749,14 +749,14 @@ chpass_principal3_1_svc(chpass3_arg *arg, struct svc_req *rqstp) return &ret; } - if (cmp_gss_krb5_name(handle, rqstp->rq_clntcred, arg->princ)) { + if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ, arg->keepold, arg->n_ks_tuple, arg->ks_tuple, arg->pass); } else if (!(CHANGEPW_SERVICE(rqstp)) && - acl_check(handle->context, rqstp->rq_clntcred, + acl_check(handle->context, rqst2name(rqstp), ACL_CHANGEPW, arg->princ, NULL)) { ret.code = kadm5_chpass_principal_3((void *)handle, arg->princ, arg->keepold, @@ -817,7 +817,7 @@ setv4key_principal_1_svc(setv4key_arg *arg, struct svc_req *rqstp) } if (!(CHANGEPW_SERVICE(rqstp)) && - acl_check(handle->context, rqstp->rq_clntcred, + acl_check(handle->context, rqst2name(rqstp), ACL_SETKEY, arg->princ, NULL)) { ret.code = kadm5_setv4key_principal((void *)handle, arg->princ, arg->keyblock); @@ -875,7 +875,7 @@ setkey_principal_1_svc(setkey_arg *arg, struct svc_req *rqstp) } if (!(CHANGEPW_SERVICE(rqstp)) && - acl_check(handle->context, rqstp->rq_clntcred, + acl_check(handle->context, rqst2name(rqstp), ACL_SETKEY, arg->princ, NULL)) { ret.code = kadm5_setkey_principal((void *)handle, arg->princ, arg->keyblocks, arg->n_keys); @@ -933,7 +933,7 @@ setkey_principal3_1_svc(setkey3_arg *arg, struct svc_req *rqstp) } if (!(CHANGEPW_SERVICE(rqstp)) && - acl_check(handle->context, rqstp->rq_clntcred, + acl_check(handle->context, rqst2name(rqstp), ACL_SETKEY, arg->princ, NULL)) { ret.code = kadm5_setkey_principal_3((void *)handle, arg->princ, arg->keepold, @@ -999,11 +999,11 @@ chrand_principal_1_svc(chrand_arg *arg, struct svc_req *rqstp) return &ret; } - if (cmp_gss_krb5_name(handle, rqstp->rq_clntcred, arg->princ)) { + if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ, FALSE, 0, NULL, &k, &nkeys); } else if (!(CHANGEPW_SERVICE(rqstp)) && - acl_check(handle->context, rqstp->rq_clntcred, + acl_check(handle->context, rqst2name(rqstp), ACL_CHANGEPW, arg->princ, NULL)) { ret.code = kadm5_randkey_principal((void *)handle, arg->princ, &k, &nkeys); @@ -1075,14 +1075,14 @@ chrand_principal3_1_svc(chrand3_arg *arg, struct svc_req *rqstp) return &ret; } - if (cmp_gss_krb5_name(handle, rqstp->rq_clntcred, arg->princ)) { + if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ, arg->keepold, arg->n_ks_tuple, arg->ks_tuple, &k, &nkeys); } else if (!(CHANGEPW_SERVICE(rqstp)) && - acl_check(handle->context, rqstp->rq_clntcred, + acl_check(handle->context, rqst2name(rqstp), ACL_CHANGEPW, arg->princ, NULL)) { ret.code = kadm5_randkey_principal_3((void *)handle, arg->princ, arg->keepold, @@ -1149,7 +1149,7 @@ create_policy_1_svc(cpol_arg *arg, struct svc_req *rqstp) prime_arg = arg->rec.policy; if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context, - rqstp->rq_clntcred, + rqst2name(rqstp), ACL_ADD, NULL, NULL)) { ret.code = KADM5_AUTH_ADD; krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy", @@ -1200,7 +1200,7 @@ delete_policy_1_svc(dpol_arg *arg, struct svc_req *rqstp) prime_arg = arg->name; if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context, - rqstp->rq_clntcred, + rqst2name(rqstp), ACL_DELETE, NULL, NULL)) { krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy", prime_arg, client_name.value, service_name.value, @@ -1249,7 +1249,7 @@ modify_policy_1_svc(mpol_arg *arg, struct svc_req *rqstp) prime_arg = arg->rec.policy; if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context, - rqstp->rq_clntcred, + rqst2name(rqstp), ACL_MODIFY, NULL, NULL)) { krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy", prime_arg, client_name.value, service_name.value, @@ -1306,7 +1306,7 @@ get_policy_1_svc(gpol_arg *arg, struct svc_req *rqstp) ret.code = KADM5_AUTH_GET; if (!CHANGEPW_SERVICE(rqstp) && acl_check(handle->context, - rqstp->rq_clntcred, + rqst2name(rqstp), ACL_INQUIRE, NULL, NULL)) ret.code = KADM5_OK; else { @@ -1385,7 +1385,7 @@ get_pols_1_svc(gpols_arg *arg, struct svc_req *rqstp) prime_arg = "*"; if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context, - rqstp->rq_clntcred, + rqst2name(rqstp), ACL_LIST, NULL, NULL)) { ret.code = KADM5_AUTH_LIST; krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies", @@ -1466,15 +1466,26 @@ generic_ret *init_1_svc(krb5_ui_4 *arg, struct svc_req *rqstp) return &ret; } - krb5_klog_syslog(LOG_NOTICE, LOG_DONE, + krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d", (ret.api_version == KADM5_API_VERSION_1 ? "kadm5_init (V1)" : "kadm5_init"), client_name.value, (ret.code == 0) ? "success" : error_message(ret.code), client_name.value, service_name.value, - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), + rqstp->rq_cred.oa_flavor); gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); return(&ret); } + +static gss_name_t +rqst2name(struct svc_req *rqstp) +{ + + if (rqstp->rq_cred.oa_flavor == RPCSEC_GSS) + return rqstp->rq_clntname; + else + return rqstp->rq_clntcred; +} |