
heimdal 0.1g patch: hprop --kaspecials



This patch adds a flag --kaspecials to hprop to allow KASPECIAL keys to be
dumped.  This allows the complete contents of an AFS kaserver.db0 to be
transferred to a heimdal KDC, after which the kdc process can be restarted
with kaserver emulation to take the place of an AFS kaserver.

It's necessary because kaserver stores cross-realm tickets with KASPECIAL set
(except when created with kaserver versions later than 3.3a; this is a bug,
as kaserver doesn't handle cross-realm tickets properly if they're not
KASPECIAL).  The current behavior of hprop omits the cross-realm tickets,
which is a serious problem in environments such as ours where cross-realm
authentication is very common (virtually everyone aklog's between at least
two of ANDREW.CMU.EDU, CS.CMU.EDU, and ECE.CMU.EDU).

With this patch I can bring up heimdal's kdc as a kaserver replacement in
under 5 minutes, most of which time is spent sanity-checking.

BTW, I'm planning to write up the process of setting up heimdal as a kaserver 
replacement for inclusion in heimdal.info (or, if preferred, as a separate
info file).

diff -ur heimdal-0.1g-dist/kdc/hprop.c heimdal-0.1g/kdc/hprop.c
--- heimdal-0.1g-dist/kdc/hprop.c	Mon May  3 13:18:49 1999
+++ heimdal-0.1g/kdc/hprop.c	Thu Jun 17 12:02:41 1999
@@ -49,6 +49,9 @@
 static int verbose_flag;
 static int encrypt_flag;
 static int decrypt_flag;
+#ifdef KASERVER_DB
+static int kaspecials_flag;
+#endif
 static EncryptionKey mkey5;
 static krb5_data msched5;
 
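Review bot: kaspecials_flag is declared only under #ifdef KASERVER_DB, but the hunk at -265 reads it with no guard visible in the diff; unless that function is itself compiled only under KASERVER_DB (not shown here), a build without KASERVER_DB fails on an undeclared identifier. Either confirm the use site is guarded too, or declare the flag unconditionally next to verbose_flag, encrypt_flag and decrypt_flag, which are not guarded.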
@@ -265,7 +268,7 @@
     int32_t flags = ntohl(ent->flags);
     krb5_error_code ret;
     hdb_entry hdb;
-    if((flags & KAFNORMAL) == 0) /* remove special entries */
+    if(!kaspecials_flag && (flags & KAFNORMAL) == 0) /* remove special entri
es */
 	return 0;
     memset(&hdb, 0, sizeof(hdb));
     ret = krb5_425_conv_principal(pd->context, ent->name, ent->instance, rea
lm,
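Review bot: the comment `/* remove special entries */` on the changed line no longer describes the behaviour, since with the flag set the non-KAFNORMAL entries are kept; reword it, e.g. `/* skip special entries unless --kaspecials */`. Note also that the new condition admits every entry lacking KAFNORMAL, not only the cross-realm entries the cover note is about, so any other special entries in kaserver.db0 are propagated as well; that is worth stating in the help text or the planned write-up, because the operator is copying keys that the heimdal kdc will then serve.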
@@ -379,6 +382,7 @@
 #ifdef KASERVER_DB
     { "ka-db",	  'K',  arg_flag, &ka_db, "use kaserver database" },
     { "cell",	  'c',  arg_string, &afs_cell, "name of AFS cell" },
+    { "kaspecials", 'S', arg_flag,   &kaspecials_flag, "dump KASPECIAL keys" 
},
 #endif
     { "keytab",   'k',	arg_string, &ktname, "keytab to use for authentication", "keytab" },
     { "decrypt",  'D',  arg_flag,   &decrypt_flag,   "decrypt keys" },
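Review bot: the short option 'S' should be checked against the rest of the arg table, which this hunk does not show (only 'K', 'c', 'k' and 'D' are visible); a duplicate short option in the getarg table would silently shadow one of them. The new entry also needs a matching addition to the hprop manual page and usage text, since the hunk only touches the option table.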

-- 
brandon s. allbery	[os/2][linux][solaris][japh]	 allbery@kf8nh.apk.net
system administrator	     [WAY too many hats]	   allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering			 KF8NH
     We are Linux. Resistance is an indication that you missed the point.