
heimdal 0.1d patches: verbose hprop -K, kaserver switch, keytab fallback



Okay, as promised, here's some patches against 0.1d.

* hprop -K (kaserver.DB0 conversion) reports the failing principal in failed
  conversions.  (My original patches also reported every principal being
  dumped, but I decided I didn't need that any more; 0.0u didn't report
  failing principals at all, just the fact that the conversion failed.)

* If KASERVER is defined (--enable-kaserver configure flag), kdc accepts a
  new flag -K / --enable-kaserver (and the corresponding krb5.conf option,
  "enable-kaserver" in the [kdc] section).  (Note that this defaults off,
  instead of on as in an unpatched kdc, which always listened on udp/7004
  and answered kaserver requests.)
  The main reason for this option is so that heimdal's KDC can be run in
  parallel with an existing kaserver in order to transfer the kaserver.DB0
  before shutting down the kaserver and bringing up kdc as a kaserver.

* 0.1d uses only the first enctype in the list of default enctypes (this is
  des3-cbc-sha1 by default) when building the PA-ENC-TIMESTAMP pre-auth
  data, so a keytab that lacks a key of that type never matches.  This patch
  makes add_padata() iterate over the list of default enctypes instead,
  stopping at the first one for which the key lookup does not return
  KRB5_KT_NOTFOUND.

diff -ur heimdal-0.1d-dist/kdc/config.c heimdal-0.1d/kdc/config.c
--- heimdal-0.1d-dist/kdc/config.c	Mon Mar  8 05:50:57 1999
+++ heimdal-0.1d/kdc/config.c	Sat Apr 17 12:48:24 1999
@@ -60,6 +60,9 @@
 #ifdef KRB4
 char *v4_realm;
 #endif
+#ifdef KASERVER
+krb5_boolean enable_kaserver = -1;
+#endif
 
 static int help_flag;
 static int version_flag;
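Review bot: `krb5_boolean enable_kaserver = -1;` uses a third value in a type whose name promises two, and nothing at the definition says why; a reader who sees `if (enable_kaserver)` elsewhere has to go find the `== -1` test in the config parser. Add a comment at the definition, e.g. `/* -1: not given on the command line; resolved from krb5.conf, defaults off */`, and mention that arg_flag sets it to a plain 1 so the sentinel is only ever observed when -K was not passed.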
@@ -92,6 +95,12 @@
 	"realm to serve v4-requests for"
     },
 #endif
+#ifdef KASERVER
+    {
+	"enable-kaserver", 'K', arg_flag,   &enable_kaserver,
+	"turn on kaserver support"
+    },
+#endif
     {	"ports",	'P', 	arg_string, &port_str,
 	"ports to listen to" 
     },
@@ -202,6 +211,11 @@
 	if(p)
 	    v4_realm = strdup(p);
     }
+#endif
+#ifdef KASERVER
+    if (enable_kaserver == -1)
+	enable_kaserver = krb5_config_get_bool(context, cf, "kdc",
+					       "enable-kaserver", NULL);
 #endif
 
     encode_as_rep_as_tgs_rep = krb5_config_get_bool(context, cf, "kdc", 
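Review bot: The "defaults off" behaviour described in the mail rests on `krb5_config_get_bool` returning FALSE when `[kdc] enable-kaserver` is absent, which is presumably the case but is not stated anywhere in the new code; since this is the switch that decides whether an extra unauthenticated UDP service is exposed, a comment at the lookup such as `/* not given on the command line: take krb5.conf, absent means off */` would make the fail-closed intent explicit. The `== -1` test also means a command-line `-K` can never be overridden by the config file, which is fine but worth saying in the same comment. The enclosing function starts before this hunk.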
diff -ur heimdal-0.1d-dist/kdc/connect.c heimdal-0.1d/kdc/connect.c
--- heimdal-0.1d-dist/kdc/connect.c	Thu Apr  1 13:25:54 1999
+++ heimdal-0.1d/kdc/connect.c	Sat Apr 17 12:51:43 1999
@@ -97,7 +97,8 @@
     if(enable_http)
 	add_port(family, "http", "tcp");
 #ifdef KASERVER
-    add_port(family, "7004", "udp");
+    if (enable_kaserver)
+        add_port(family, "7004", "udp");
 #endif
 }
 
@@ -298,7 +299,7 @@
     }
 #endif
 #ifdef KASERVER
-    else {
+    else if (enable_kaserver) {
 	ret = do_kaserver (buf, len, reply, from, (struct sockaddr_in*)addr);
 	return ret;
     }
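Review bot: With `else if (enable_kaserver)` the request now falls through the whole if-chain when kaserver support is off, and what happens after that is outside the hunk; the old `else` guaranteed `ret` was assigned on this path, so confirm that the code following the chain either returns a defined value or discards the packet rather than leaving `ret` unset. Since the udp/7004 port is no longer opened when the switch is off, the only traffic reaching this branch would be non-v5/v4 data on the normal KDC ports, which should be dropped silently; a short comment saying so, e.g. `/* kaserver disabled: unrecognised request is dropped below */`, would document the intent. The enclosing function begins before this hunk.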
diff -ur heimdal-0.1d-dist/kdc/hprop.c heimdal-0.1d/kdc/hprop.c
--- heimdal-0.1d-dist/kdc/hprop.c	Mon Mar  8 05:51:08 1999
+++ heimdal-0.1d/kdc/hprop.c	Sat Apr 17 13:04:43 1999
@@ -271,7 +271,7 @@
     ret = krb5_425_conv_principal(pd->context, ent->name, ent->instance, realm,
 				  &hdb.principal);
     if(ret) {
-	krb5_warn(pd->context, ret, "krb5_425_conv_principal");
+	krb5_warn(pd->context, ret, "%s.%s@%s", ent->name, ent->instance, realm);
 	return 0;
     }
     hdb.kvno = ntohl(ent->kvno);
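Review bot: The new warning drops the name of the failing call, so the operator now sees which principal failed but not which step; keeping both is cheap: `krb5_warn(pd->context, ret, "krb5_425_conv_principal %s.%s@%s", ent->name, ent->instance, realm);`. Also, if `ent->name` and `ent->instance` are fixed-width fields read straight from kaserver.DB0 rather than guaranteed NUL-terminated strings, `%s` relies on the same assumption `krb5_425_conv_principal` already makes, so this is not a new risk, but a `%.*s` with the field width would make the log path safe regardless. The enclosing function starts before this hunk.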
@@ -320,6 +320,10 @@
     hdb.flags.renewable = 1;
     hdb.flags.proxiable = 1;
     hdb.flags.postdate = 1;
+    /* XXX - AFS 3.4a creates krbtgt.REALMOFCELL as NOTGS+NOSEAL */
+    if (strcmp(ent->name, "krbtgt") == 0 &&
+	(flags & (KAFNOTGS|KAFNOSEAL)) == (KAFNOTGS|KAFNOSEAL))
+	flags &= ~KAFNOTGS;
     hdb.flags.client = (flags & KAFNOTGS) == 0;
     hdb.flags.server = (flags & KAFNOSEAL) == 0;
 
diff -ur heimdal-0.1d-dist/kdc/kdc_locl.h heimdal-0.1d/kdc/kdc_locl.h
--- heimdal-0.1d-dist/kdc/kdc_locl.h	Mon Mar 29 14:01:40 1999
+++ heimdal-0.1d/kdc/kdc_locl.h	Sat Apr 17 13:06:10 1999
@@ -63,6 +63,9 @@
 #ifdef KRB4
 extern char *v4_realm;
 #endif
+#ifdef KASERVER
+extern krb5_boolean enable_kaserver;
+#endif
 
 extern struct timeval now;
 #define kdc_time (now.tv_sec)
diff -ur heimdal-0.1d-dist/lib/krb5/get_in_tkt.c heimdal-0.1d/lib/krb5/get_in_tkt.c
--- heimdal-0.1d-dist/lib/krb5/get_in_tkt.c	Thu Apr  1 13:25:20 1999
+++ heimdal-0.1d/lib/krb5/get_in_tkt.c	Sat Apr 17 12:22:45 1999
@@ -352,20 +352,33 @@
 	   krb5_principal client,
 	   krb5_key_proc key_proc,
 	   krb5_const_pointer keyseed,
-	   krb5_enctype enctype, 
+	   krb5_enctype *enctypes, 
+	   unsigned netypes,
 	   krb5_salt *salt)
 {
     krb5_error_code ret;
     PA_DATA *pa2;
     krb5_keyblock *key;
     krb5_salt salt2;
+    krb5_enctype *ep;
     
     if(salt == NULL) {
 	/* default to standard salt */
 	ret = krb5_get_pw_salt (context, client, &salt2);
 	salt = &salt2;
     }
-    ret = (*key_proc)(context, enctype, *salt, keyseed, &key);
+    if (!enctypes) {
+	enctypes = context->etypes; /* XXX */
+	netypes = 0;
+	for (ep = enctypes; *ep != ETYPE_NULL; ep++)
+	    netypes++;
+    }
+    while (netypes--) {
+	ret = (*key_proc)(context, *enctypes, *salt, keyseed, &key);
+	if (ret != KRB5_KT_NOTFOUND)
+	    break;
+	enctypes++;
+    }
     if(salt == &salt2)
 	krb5_free_salt(context, salt2);
     if (ret)
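Review bot: If `netypes` is 0 on entry (an empty `req_body.etype` list, or `context->etypes` that starts with ETYPE_NULL) the `while (netypes--)` body never runs, so `ret` is either uninitialized or still holds the unchecked result of `krb5_get_pw_salt`, and `key` is uninitialized when the `if (ret)` test falls through to the `make_pa_enc_timestamp` call below; initialize before the loop, `ret = KRB5_PROG_ETYPE_NOSUPP; key = NULL;`, so the no-candidate case is reported as an error instead of read as garbage. The fallback `for (ep = enctypes; *ep != ETYPE_NULL; ep++)` also dereferences `context->etypes` without a NULL check, which is safe only if the context always carries a list. Note that the loop stops on any error other than KRB5_KT_NOTFOUND, so a password key_proc that never returns that code still uses only the first enctype, which matches the stated "keytab fallback" scope but is worth a comment on the `if (ret != KRB5_KT_NOTFOUND)` line. The function continues past the end of this hunk.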
@@ -374,7 +387,7 @@
     if(pa2 == NULL)
 	return ENOMEM;
     md->val = pa2;
-    ret = make_pa_enc_timestamp(context, &md->val[md->len], enctype, key);
+    ret = make_pa_enc_timestamp(context, &md->val[md->len], *enctypes, key);
     krb5_free_keyblock (context, key);
     if(ret)
 	return ret;
@@ -397,7 +410,6 @@
 {
     krb5_error_code ret;
     krb5_salt salt;
-    krb5_enctype etype;
 
     memset(a, 0, sizeof(*a));
 
@@ -452,8 +464,6 @@
     if (ret)
 	goto fail;
 
-    etype = a->req_body.etype.val[0]; /* XXX */
-
     a->req_body.addresses = malloc(sizeof(*a->req_body.addresses));
     if (a->req_body.addresses == NULL) {
 	ret = ENOMEM;
@@ -504,7 +514,7 @@
 			    krb5_data_zero(&salt.saltvalue);
 		    add_padata(context, a->padata, creds->client, 
 			       key_proc, keyseed, 
-			       preauth->val[i].info.val[j].etype,
+			       &preauth->val[i].info.val[j].etype, 1,
 			       sp);
 		}
 	    }
@@ -524,13 +534,15 @@
 
 	/* make a v5 salted pa-data */
 	add_padata(context, a->padata, creds->client, 
-		   key_proc, keyseed, etype, NULL);
+		   key_proc, keyseed, a->req_body.etype.val,
+		   a->req_body.etype.len, NULL);
 	
 	/* make a v4 salted pa-data */
 	salt.salttype = KRB5_PW_SALT;
 	krb5_data_zero(&salt.saltvalue);
 	add_padata(context, a->padata, creds->client, 
-		   key_proc, keyseed, etype, &salt);
+		   key_proc, keyseed, a->req_body.etype.val,
+		   a->req_body.etype.len, &salt);
     } else {
 	ret = KRB5_PREAUTH_BAD_TYPE;
 	goto fail;
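Review bot: Both changed calls pass `a->req_body.etype.len` and discard add_padata's return value, so when no enctype in the request list matches the keytab (every lookup returns KRB5_KT_NOTFOUND) or when the list is empty, the AS-REQ goes out without PA-ENC-TIMESTAMP and the failure only surfaces as a preauth error from the KDC. The old code discarded the return as well, so this is not a regression, but now that the lookup can legitimately fail across the whole list, `ret = add_padata(...); if (ret) goto fail;` would give the caller a local diagnosis instead of a remote one. The enclosing function continues after this hunk.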

-- 
brandon s. allbery	[os/2][linux][solaris][japh]	 allbery@kf8nh.apk.net
system administrator	     [WAY too many hats]	   allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering			 KF8NH
     We are Linux. Resistance is an indication that you missed the point.