From 57d0b4b300e43722ae9f080fbf132edeb3834323 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Tue, 9 Jul 2013 10:58:49 -0400
Subject: Add kadmin support for principals without keys

Add kadmin support for "addprinc -nokey", which creates a principal with no keys, and "purgekeys -all", which deletes all keys from a principal. The KDC was modified by #7630 to support principals without keys.

ticket: 7679 (new)
---
 src/lib/kadm5/admin.h | 1 +
 src/lib/kadm5/srv/svr_principal.c | 11 ++++++++---
 2 files changed, 9 insertions(+), 3 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
index 189ca45cf..8f377f804 100644
--- a/src/lib/kadm5/admin.h
+++ b/src/lib/kadm5/admin.h
@@ -110,6 +110,7 @@ typedef long kadm5_ret_t;
 #define KADM5_RANDKEY_USED 0x100000
 #endif
 #define KADM5_LOAD 0x200000
+#define KADM5_NOKEY 0x400000
 /* all but KEY_DATA, TL_DATA, LOAD */
 #define KADM5_PRINCIPAL_NORMAL_MASK 0x41ffff
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 2bb871166..d6035b0e3 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -385,8 +385,10 @@ kadm5_create_principal_3(void *server_handle,
 if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) ||
 (mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) ||
 (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
- (mask & KADM5_KEY_DATA) || (mask & KADM5_LAST_SUCCESS) ||
- (mask & KADM5_LAST_FAILED) || (mask & KADM5_FAIL_AUTH_COUNT))
+ (mask & KADM5_LAST_SUCCESS) || (mask & KADM5_LAST_FAILED) ||
+ (mask & KADM5_FAIL_AUTH_COUNT))
+ return KADM5_BAD_MASK;
+ if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0)
 return KADM5_BAD_MASK;
 if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
 return KADM5_BAD_MASK;
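Review bot: The new `KADM5_NOKEY` bit (0x400000) is already set in `KADM5_PRINCIPAL_NORMAL_MASK` (0x41ffff) two lines below it, while that mask's comment still reads "all but KEY_DATA, TL_DATA, LOAD". Any caller that passes the normal mask therefore now carries the no-key flag too; whether a code path exists where that changes behaviour is not visible in this diff, which is limited to src/lib. If the overlap is unintended the flag value or the mask needs to change. Otherwise the define should get a short comment saying which operations honour it, and the mask comment should mention that NOKEY is included.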
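Review bot: The added test `entry->n_key_data != 0` dereferences `entry` in the middle of the mask validation, and no NULL check on `entry` is visible above it in this hunk. If the function's null-entry guard sits after these mask checks, a create request with `KADM5_KEY_DATA` set and a null entry would fault inside the admin server instead of returning an error. Confirm the guard runs first or move it ahead of this line, e.g. `if (entry == NULL) return EINVAL;` with whatever code the function already uses for that case. A comment such as `/* KEY_DATA with zero keys requests a principal without keys */` would also document the new meaning of the flag; the rest of the function lies outside the hunk.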
@@ -515,7 +517,10 @@ kadm5_create_principal_3(void *server_handle,
 if (ret)
 goto cleanup;
- if (password) {
+ if (mask & KADM5_KEY_DATA) {
+ /* The client requested no keys for this principal. */
+ assert(entry->n_key_data == 0);
+ } else if (password) {
 ret = krb5_dbe_cpw(handle->context, act_mkey, new_ks_tuple,
 new_n_ks_tuple, password,
 (mask & KADM5_KVNO)?entry->kvno:1,
--
cgit
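Review bot: In the new `if (mask & KADM5_KEY_DATA)` branch a non-NULL `password` is silently ignored, because the `else if (password)` arm is skipped; a caller that sends both gets a keyless principal and a success code. If that combination is not meant to be valid, reject it next to the other mask checks at the top of the function, e.g. `if ((mask & KADM5_KEY_DATA) && password != NULL) return KADM5_BAD_MASK;`. The `assert()` restates a condition already validated on entry; it vanishes under NDEBUG and otherwise aborts the calling process, so it should be labelled as an internal invariant in the comment or replaced by an error return through `cleanup`. The function continues outside the hunk, so any earlier use of `password` (for example policy checks) is not visible here.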