[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

heimdal 0.1g patch: hprop --kaspecials

This patch adds a flag --kaspecials to hprop to allow KASPECIAL keys to be
dumped.  This allows the complete contents of an AFS kaserver.db0 to be
transferred to a heimdal KDC, after which the kdc process can be restarted
with kaserver emulation to take the place of an AFS kaserver.

It's necessary because kaserver stores cross-realm tickets with KASPECIAL set
(except when created with kaserver versions later than 3.3a; this is a bug,
as kaserver doesn't handle cross-realm tickets properly if they're not
KASPECIAL).  The current behavior of hprop omits the cross-realm tickets,
which is a serious problem in environments such as ours where cross-realm
authentication is very common (virtually everyone aklog's between at least

With this patch I can bring up heimdal's kdc as a kaserver replacement in
under 5 minutes, most of which time is spent sanity-checking.

BTW, I'm planning to write up the process of setting up heimdal as a kaserver 
replacement for inclusion in heimdal.info (or, if preferred, as a separate
info file).

diff -ur heimdal-0.1g-dist/kdc/hprop.c heimdal-0.1g/kdc/hprop.c
--- heimdal-0.1g-dist/kdc/hprop.c	Mon May  3 13:18:49 1999
+++ heimdal-0.1g/kdc/hprop.c	Thu Jun 17 12:02:41 1999
@@ -49,6 +49,9 @@
 static int verbose_flag;
 static int encrypt_flag;
 static int decrypt_flag;
+static int kaspecials_flag;
 static EncryptionKey mkey5;
 static krb5_data msched5;
@@ -265,7 +268,7 @@
     int32_t flags = ntohl(ent->flags);
     krb5_error_code ret;
     hdb_entry hdb;
-    if((flags & KAFNORMAL) == 0) /* remove special entries */
+    if(!kaspecials_flag && (flags & KAFNORMAL) == 0) /* remove special entri
es */
 	return 0;
     memset(&hdb, 0, sizeof(hdb));
     ret = krb5_425_conv_principal(pd->context, ent->name, ent->instance, rea
@@ -379,6 +382,7 @@
     { "ka-db",	  'K',  arg_flag, &ka_db, "use kaserver database" },
     { "cell",	  'c',  arg_string, &afs_cell, "name of AFS cell" },
+    { "kaspecials", 'S', arg_flag,   &kaspecials_flag, "dump KASPECIAL keys" 
     { "keytab",   'k',	arg_string, &ktname, "keytab to use for authentication", "keytab" },
     { "decrypt",  'D',  arg_flag,   &decrypt_flag,   "decrypt keys" },

brandon s. allbery	[os/2][linux][solaris][japh]	 allbery@kf8nh.apk.net
system administrator	     [WAY too many hats]	   allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering			 KF8NH
     We are Linux. Resistance is an indication that you missed the point.