Udiff ovsec_kadmd.c
--- /net/etna.eng/build7/semery/mit2/webrev/usr/src/cmd/krb5/kadmin/server/ovsec_kadmd.c- Wed Sep 8 16:59:54 2004
+++ ovsec_kadmd.c Wed Sep 8 13:41:36 2004
@@ -1,11 +1,11 @@
/*
* Copyright 2004 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "@(#)ovsec_kadmd.c 1.9 04/09/08 SMI"
+#pragma ident "@(#)ovsec_kadmd.c 1.8 04/05/24 SMI"
/*
* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
*
* Openvision retains the copyright to derivative works of
@@ -52,11 +52,14 @@
#include <string.h>
#include <gssapi_krb5.h>
#include <libintl.h>
#include <locale.h>
#include <sys/resource.h>
+#include <kdb/kdb_log.h>
+#include <rpc/rpcsec_gss.h>
+
#ifndef FD_SETSIZE
#define FD_SETSIZE 256
#endif
#ifndef MAX
@@ -65,11 +68,11 @@
static int signal_request_exit = 0;
static int schpw;
kadm5_config_params chgpw_params;
void kadm_svc_run(void);
-void setup_signal_handlers();
+void setup_signal_handlers(iprop_role iproprole);
void sig_exit(int);
void sig_pipe(int);
#ifdef POSIX_SIGNALS
static struct sigaction s_action;
@@ -98,10 +101,15 @@
* it also restricts us to linking against the Kv5 GSS-API library.
* Since this is *k*admind, that shouldn't be a problem.
*/
extern char *krb5_overridekeyname;
+extern void krb5_iprop_prog_1();
+extern kadm5_ret_t kiprop_get_adm_host_srv_name(
+ krb5_context,
+ const char *,
+ char **);
/*
* Function: usage
*
* Purpose: print out the server usage message
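Review bot: `extern void krb5_iprop_prog_1();` is a non-prototype declaration, so the compiler cannot check the dispatcher's signature when it is later handed to svc_create() in main(). The sibling dispatcher in this file is declared with a full prototype, `void kadm_1(struct svc_req *, SVCXPRT *);`, and the IProp dispatcher presumably has the same shape, so `extern void krb5_iprop_prog_1(struct svc_req *, SVCXPRT *);` would keep the two consistent and type-checked. If the generated rpcgen header already declares it, including that header instead would be preferable to a hand-written extern.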
@@ -173,18 +181,20 @@
static krb5_context context; /* XXX yuck. the signal handlers need this */
in_port_t l_port = 0; /* global local port num, for BSM audits */
+int nofork = 0; /* global; don't fork (debug mode) */
+
int
main(int argc, char *argv[])
{
void kadm_1(struct svc_req *, SVCXPRT *);
SVCXPRT *transp;
extern char *optarg;
extern int optind, opterr;
- int ret, rlen, nofork, oldnames = 0;
+ int ret, rlen, oldnames = 0;
OM_uint32 OMret, major_status, minor_status;
char *whoami;
FILE *acl_file;
gss_buffer_desc in_buf;
struct servent *srv;
@@ -202,12 +212,15 @@
struct opthdr *opt;
char reqbuf[128];
int *ip;
struct rlimit rl;
+ char *kiprop_name = NULL; /* IProp svc name */
+ kdb_log_context *log_ctx;
kadm5_server_handle_t handle;
krb5_context ctx;
+
kadm5_config_params params;
auth_gssapi_name names[6];
gss_buffer_desc gssbuf;
gss_OID nt_krb5_name_oid;
@@ -544,10 +557,16 @@
gettext("Cannot register RPC service, failing."));
krb5_klog_close(context);
exit(1);
}
+ /*
+ * XXX krb5_defkeyname is an internal library global and should go
+ * away
+ */
+ krb5_overridekeyname = params.admin_keytab;
+
(void) kadm5_get_adm_host_srv_name(context,
params.realm, &names[0].name);
(void) kadm5_get_cpw_host_srv_name(context,
params.realm, &names[1].name);
names[2].name = KADM5_ADMIN_SERVICE_P;
@@ -566,15 +585,10 @@
"GSS-API authentication.\n"),
whoami);
krb5_klog_close(context);
exit(1);
}
- /*
- * XXX krb5_defkeyname is an internal library global and should go
- * away
- */
- krb5_overridekeyname = params.admin_keytab;
/*
* Try to acquire creds for the old OV services as well as the new
* names, but if that fails just fall back on the new names.
*/
@@ -642,13 +656,101 @@
exit(1);
}
handle = global_server_handle;
ctx = handle->context;
+ if (params.iprop_enabled == TRUE)
+ ulog_set_role(ctx, IPROP_MASTER);
+ else
+ ulog_set_role(ctx, IPROP_NULL);
+ log_ctx = ctx->kdblog_context;
+
+ if (log_ctx && (log_ctx->iproprole == IPROP_MASTER)) {
+ /*
+ * IProp is enabled, so let's map in the update log
+ * and setup the service.
+ */
+ if (ret = ulog_map(ctx, ¶ms, FKADMIND)) {
+ fprintf(stderr,
+ gettext("%s: %s while mapping update log "
+ "(`%s.ulog')\n"), whoami, error_message(ret),
+ params.dbname);
+ krb5_klog_syslog(LOG_ERR,
+ gettext("%s while mapping update log "
+ "(`%s.ulog')"), error_message(ret),
+ params.dbname);
+ krb5_klog_close(ctx);
+ exit(1);
+ }
+
+
+ if (nofork)
+ fprintf(stderr,
+ "%s: create IPROP svc (PROG=%d, VERS=%d)\n",
+ whoami, KRB5_IPROP_PROG, KRB5_IPROP_VERS);
+
+ if (!svc_create(krb5_iprop_prog_1,
+ KRB5_IPROP_PROG, KRB5_IPROP_VERS,
+ "circuit_v")) {
+ fprintf(stderr,
+ gettext("%s: Cannot create IProp RPC service (PROG=%d, VERS=%d)\n"),
+ whoami,
+ KRB5_IPROP_PROG, KRB5_IPROP_VERS);
+ krb5_klog_syslog(LOG_ERR,
+ gettext("Cannot create IProp RPC service (PROG=%d, VERS=%d), failing."),
+ KRB5_IPROP_PROG, KRB5_IPROP_VERS);
+ krb5_klog_close(ctx);
+ exit(1);
+ }
+
+ if (ret = kiprop_get_adm_host_srv_name(ctx,
+ params.realm,
+ &kiprop_name)) {
+ krb5_klog_syslog(LOG_ERR,
+ gettext("%s while getting IProp svc name, failing"),
+ error_message(ret));
+ fprintf(stderr,
+ gettext("%s: %s while getting IProp svc name, failing\n"),
+ whoami, error_message(ret));
+ krb5_klog_close(ctx);
+ exit(1);
+ }
+
+ if (!rpc_gss_set_svc_name(kiprop_name, "kerberos_v5", 0,
+ KRB5_IPROP_PROG, KRB5_IPROP_VERS)) {
+ rpc_gss_error_t err;
+ (void) rpc_gss_get_error(&err);
+
+ krb5_klog_syslog(LOG_ERR,
+ gettext("Unable to set RPCSEC_GSS service name (`%s'), failing."),
+ kiprop_name ? kiprop_name : "<null>");
+
+ fprintf(stderr,
+ gettext("%s: Unable to set RPCSEC_GSS service name (`%s'), failing.\n"),
+ whoami,
+ kiprop_name ? kiprop_name : "<null>");
+
+ if (nofork) {
+ fprintf(stderr,
+ "%s: set svc name (rpcsec err=%d, sys err=%d)\n",
+ whoami,
+ err.rpc_gss_error,
+ err.system_error);
+ }
+
+ exit(1);
+ }
+ free(kiprop_name);
+ }
+
+ setup_signal_handlers(log_ctx->iproprole);
krb5_klog_syslog(LOG_INFO, gettext("starting"));
+ if (nofork)
+ fprintf(stderr, "%s: starting...\n", whoami);
+
/*
* We now call our own customized async event processing
* function kadm_svc_run(), as opposed to svc_run() earlier,
* since this enables kadmind to also listen-to/process
* non-RPCSEC_GSS based change-pwd requests apart from the
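Review bot: `setup_signal_handlers(log_ctx->iproprole)` dereferences log_ctx unconditionally, although the block just above it guards on `log_ctx &&`, so when `ctx->kdblog_context` is NULL (the case that guard exists for) kadmind dies with a null-pointer dereference at startup. Pass the role defensively, `setup_signal_handlers(log_ctx ? log_ctx->iproprole : IPROP_NULL);`, which also makes the non-IProp path explicit. The `rpc_gss_set_svc_name` failure branch additionally calls `exit(1)` without `krb5_klog_close(ctx)`, unlike the three neighbouring failure branches; adding the same close before that exit keeps the shutdown paths uniform. (`¶ms` on the ulog_map line is presumably `&params` mangled in rendering.) main() continues outside the hunk.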
@@ -737,15 +839,23 @@
/*
* Function: setup_signal_handlers
*
* Purpose: Setup signal handling functions with System V's signal().
*/
-void setup_signal_handlers() {
+void setup_signal_handlers(iprop_role iproprole) {
signal(SIGINT, sig_exit);
signal(SIGTERM, sig_exit);
signal(SIGQUIT, sig_exit);
signal(SIGPIPE, sig_pipe);
+
+ /*
+ * IProp will fork for a full-resync, we don't want to
+ * wait on it and we don't want the living dead procs either.
+ */
+ if (iproprole == IPROP_MASTER)
+ (void) signal(SIGCHLD, SIG_IGN);
+
return;
}
/*
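Review bot: The header comment above setup_signal_handlers still describes only "signal handling functions with System V's signal()" and does not document the new `iproprole` parameter or the behavioural difference it introduces. I would extend the comment with `* Arguments: iproprole — when IPROP_MASTER, SIGCHLD is set to SIG_IGN so the` / `* children forked for a full resync are reaped without a wait() here.` so a caller can see why the role is needed. Ignoring SIGCHLD is process-wide, so the comment should also make clear that no other code in kadmind may rely on collecting child exit status once IProp is the master.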