1 /*
2 * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 *
5 * $Header: /cvs/krbdev/krb5/src/lib/kadm5/clnt/client_init.c,v 1.13.2.2 2000/05/09 13:17:14 raeburn Exp $
6 */
7
8 #pragma ident "@(#)client_init.c 1.16 04/09/08 SMI"
9
10 /*
11 * Copyright (C) 1998 by the FundsXpress, INC.
12 *
13 * All rights reserved.
14 *
15 * Export of this software from the United States of America may require
16 * a specific license from the United States Government. It is the
17 * responsibility of any person or organization contemplating export to
18 * obtain such a license before exporting.
19 *
20 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
21 * distribute this software and its documentation for any purpose and
22 * without fee is hereby granted, provided that the above copyright
23 * notice appear in all copies and that both that copyright notice and
24 * this permission notice appear in supporting documentation, and that
25 * the name of FundsXpress. not be used in advertising or publicity pertaining
26 * to distribution of the software without specific, written prior
27 * permission. FundsXpress makes no representations about the suitability of
28 * this software for any purpose. It is provided "as is" without express
46 #include <string.h>
47 #include <com_err.h>
48 #include <sys/types.h>
49 #include <sys/socket.h>
50 #include <netinet/in.h>
51 #include <krb5.h>
52 #include <k5-int.h> /* for KRB5_ADM_DEFAULT_PORT */
53 #ifdef __STDC__
54 #include <stdlib.h>
55 #endif
56 #include <libintl.h>
57
58 #include <syslog.h>
59 #include <gssapi/gssapi.h>
60 #include <gssapi_krb5.h>
61 #include <gssapiP_krb5.h>
62 #include <kadm5/kadm_rpc.h>
63 #include <rpc/clnt.h>
64 #include <kadm5/admin.h>
65 #include "client_internal.h"
66
67 #define ADM_CCACHE "/tmp/ovsec_adm.XXXXXX"
68
69 /* connection timeout to kadmind in seconds */
70 #define KADMIND_CONNECT_TIMEOUT 25
71
72 int _kadm5_check_handle();
73
74 enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS };
75
76 static kadm5_ret_t _kadm5_init_any(char *client_name,
77 enum init_type init_type,
78 char *pass,
79 krb5_ccache ccache_in,
80 char *service_name,
81 kadm5_config_params *params,
82 krb5_ui_4 struct_version,
83 krb5_ui_4 api_version,
84 void **server_handle);
85
287 * Open an RPCSEC_GSS connection and
288 * get a client handle to use for future RPCSEC calls.
289 *
290 * This function is only used when changing passwords and
291 * the kpasswd_protocol is RPCSEC_GSS
292 */
293 static int
294 _kadm5_initialize_rpcsec_gss_handle(kadm5_server_handle_t handle,
295 char *client_name,
296 char *service_name)
297 {
298 struct netbuf netaddr;
299 struct hostent *hp;
300 int fd;
301 struct sockaddr_in addr;
302 struct sockaddr_in *sin;
303 struct netconfig *nconf;
304 int code = 0;
305 generic_ret *r;
306 char *ccname_orig;
307 char mech[] = "kerberos_v5";
308 gss_OID mech_oid;
309 gss_OID_set_desc oid_set;
310 gss_name_t gss_client;
311 gss_buffer_desc input_name;
312 gss_cred_id_t gss_client_creds = GSS_C_NO_CREDENTIAL;
313 rpc_gss_options_req_t options_req;
314 rpc_gss_options_ret_t options_ret;
315 rpc_gss_service_t service = rpc_gss_svc_privacy;
316 OM_uint32 gssstat, minor_stat;
317 void *handlep;
318 enum clnt_stat rpc_err_code;
319
320 hp = gethostbyname(handle->params.admin_server);
321 if (hp == (struct hostent *)NULL) {
322 code = KADM5_BAD_SERVER_NAME;
323 ADMIN_LOGO(LOG_ERR, dgettext(TEXT_DOMAIN,
324 "bad server name\n"));
325 goto cleanup;
326 }
366 if (fd == -1) {
367 syslog(LOG_ERR, dgettext(TEXT_DOMAIN,
368 "unable to open connection to ADMIN server "
369 "(t_error %i)"), t_errno);
370 code = KADM5_RPC_ERROR;
371 goto error;
372 }
373
374 #ifdef DEBUG
375 printf("fd: %d, KADM: %d, KADMVERS %d\n", fd, KADM, KADMVERS);
376 printf("nconf: nc_netid: %s, nc_semantics: %d, nc_flag: %d, "
377 "nc_protofmly: %s\n",
378 nconf->nc_netid, nconf->nc_semantics, nconf->nc_flag,
379 nconf->nc_protofmly);
380 printf("nc_proto: %s, nc_device: %s, nc_nlookups: %d, nc_used: %d\n",
381 nconf->nc_proto, nconf->nc_device, nconf->nc_nlookups,
382 nconf->nc_unused);
383 printf("netaddr: maxlen %d, buf: %s, len: %d\n", netaddr.maxlen,
384 netaddr.buf, netaddr.len);
385 #endif
386 /* tell clnt_tli_create that given fd is already connected */
387 handle->clnt = clnt_tli_create(fd, nconf, NULL, KADM, KADMVERS, 0, 0);
388 if (handle->clnt == NULL) {
389 syslog(LOG_ERR, dgettext(TEXT_DOMAIN,
390 "clnt_tli_create failed\n"));
391 code = KADM5_RPC_ERROR;
392 (void) close(fd);
393 goto error;
394 }
395 /*
396 * The rpc-handle was created on an fd opened and connected
397 * by us, so we have to explicitly tell rpc to close it.
398 */
399 if (clnt_control(handle->clnt, CLSET_FD_CLOSE, NULL) != TRUE) {
400 clnt_pcreateerror("ERROR:");
401 syslog(LOG_ERR, dgettext(TEXT_DOMAIN,
402 "clnt_control failed to set CLSET_FD_CLOSE"));
403 code = KADM5_RPC_ERROR;
404 (void) close(fd);
405 goto error;
406 }
407
475 &options_ret);
476 #endif /* ! INIT_TEST */
477
478 if (ccname_orig) {
479 (void) krb5_setenv("KRB5CCNAME", ccname_orig, 1);
480 free(ccname_orig);
481 } else
482 (void) krb5_unsetenv("KRB5CCNAME");
483
484
485 if (handle->clnt->cl_auth == NULL) {
486 code = KADM5_GSS_ERROR;
487 display_status(dgettext(TEXT_DOMAIN,
488 "rpc_gss_seccreate failed\n"),
489 options_ret.major_status,
490 options_ret.minor_status,
491 mech);
492 goto error;
493 }
494
495 r = init_1(&handle->api_version, handle->clnt, &rpc_err_code);
496 if (r == NULL) {
497 ADMIN_LOGO(LOG_ERR, dgettext(TEXT_DOMAIN,
498 "error during admin api initialization\n"));
499
500 if (rpc_err_code == RPC_CANTENCODEARGS) {
501 ADMIN_LOGO(LOG_ERR, dgettext(TEXT_DOMAIN,
502 "encryption needed to encode RPC data may not be "
503 "installed/configured on this system"));
504 code = KADM5_RPC_ERROR_CANTENCODEARGS;
505 } else if (rpc_err_code == RPC_CANTDECODEARGS) {
506 ADMIN_LOGO(LOG_ERR, dgettext(TEXT_DOMAIN,
507 "encryption needed to decode RPC data may not be "
508 "installed/configured on the server"));
509 code = KADM5_RPC_ERROR_CANTDECODEARGS;
510 } else
511 code = KADM5_RPC_ERROR;
512
513 goto error;
514
917 handle->magic_number = 0;
918 free(handle);
919
920 return (code);
921 }
922
923 /*ARGSUSED*/
924 kadm5_ret_t
925 kadm5_flush(void *server_handle)
926 {
927 return (KADM5_OK);
928 }
929
930 int
931 _kadm5_check_handle(void *handle)
932 {
933 CHECK_HANDLE(handle);
934 return (0);
935 }
936
1 /*
2 * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 *
5 * $Header: /cvs/krbdev/krb5/src/lib/kadm5/clnt/client_init.c,v 1.13.2.2 2000/05/09 13:17:14 raeburn Exp $
6 */
7
8 #pragma ident "@(#)client_init.c 1.15 04/05/04 SMI"
9
10 /*
11 * Copyright (C) 1998 by the FundsXpress, INC.
12 *
13 * All rights reserved.
14 *
15 * Export of this software from the United States of America may require
16 * a specific license from the United States Government. It is the
17 * responsibility of any person or organization contemplating export to
18 * obtain such a license before exporting.
19 *
20 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
21 * distribute this software and its documentation for any purpose and
22 * without fee is hereby granted, provided that the above copyright
23 * notice appear in all copies and that both that copyright notice and
24 * this permission notice appear in supporting documentation, and that
25 * the name of FundsXpress. not be used in advertising or publicity pertaining
26 * to distribution of the software without specific, written prior
27 * permission. FundsXpress makes no representations about the suitability of
28 * this software for any purpose. It is provided "as is" without express
46 #include <string.h>
47 #include <com_err.h>
48 #include <sys/types.h>
49 #include <sys/socket.h>
50 #include <netinet/in.h>
51 #include <krb5.h>
52 #include <k5-int.h> /* for KRB5_ADM_DEFAULT_PORT */
53 #ifdef __STDC__
54 #include <stdlib.h>
55 #endif
56 #include <libintl.h>
57
58 #include <syslog.h>
59 #include <gssapi/gssapi.h>
60 #include <gssapi_krb5.h>
61 #include <gssapiP_krb5.h>
62 #include <kadm5/kadm_rpc.h>
63 #include <rpc/clnt.h>
64 #include <kadm5/admin.h>
65 #include "client_internal.h"
66 #include <iprop_hdr.h>
67 #include "iprop.h"
68
69 #define ADM_CCACHE "/tmp/ovsec_adm.XXXXXX"
70
71 /* connection timeout to kadmind in seconds */
72 #define KADMIND_CONNECT_TIMEOUT 25
73
74 int _kadm5_check_handle();
75
76 enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS };
77
78 static kadm5_ret_t _kadm5_init_any(char *client_name,
79 enum init_type init_type,
80 char *pass,
81 krb5_ccache ccache_in,
82 char *service_name,
83 kadm5_config_params *params,
84 krb5_ui_4 struct_version,
85 krb5_ui_4 api_version,
86 void **server_handle);
87
289 * Open an RPCSEC_GSS connection and
290 * get a client handle to use for future RPCSEC calls.
291 *
292 * This function is only used when changing passwords and
293 * the kpasswd_protocol is RPCSEC_GSS
294 */
295 static int
296 _kadm5_initialize_rpcsec_gss_handle(kadm5_server_handle_t handle,
297 char *client_name,
298 char *service_name)
299 {
300 struct netbuf netaddr;
301 struct hostent *hp;
302 int fd;
303 struct sockaddr_in addr;
304 struct sockaddr_in *sin;
305 struct netconfig *nconf;
306 int code = 0;
307 generic_ret *r;
308 char *ccname_orig;
309 char *iprop_svc;
310 boolean_t iprop_enable = B_FALSE;
311 char mech[] = "kerberos_v5";
312 gss_OID mech_oid;
313 gss_OID_set_desc oid_set;
314 gss_name_t gss_client;
315 gss_buffer_desc input_name;
316 gss_cred_id_t gss_client_creds = GSS_C_NO_CREDENTIAL;
317 rpc_gss_options_req_t options_req;
318 rpc_gss_options_ret_t options_ret;
319 rpc_gss_service_t service = rpc_gss_svc_privacy;
320 OM_uint32 gssstat, minor_stat;
321 void *handlep;
322 enum clnt_stat rpc_err_code;
323
324 hp = gethostbyname(handle->params.admin_server);
325 if (hp == (struct hostent *)NULL) {
326 code = KADM5_BAD_SERVER_NAME;
327 ADMIN_LOGO(LOG_ERR, dgettext(TEXT_DOMAIN,
328 "bad server name\n"));
329 goto cleanup;
330 }
370 if (fd == -1) {
371 syslog(LOG_ERR, dgettext(TEXT_DOMAIN,
372 "unable to open connection to ADMIN server "
373 "(t_error %i)"), t_errno);
374 code = KADM5_RPC_ERROR;
375 goto error;
376 }
377
378 #ifdef DEBUG
379 printf("fd: %d, KADM: %d, KADMVERS %d\n", fd, KADM, KADMVERS);
380 printf("nconf: nc_netid: %s, nc_semantics: %d, nc_flag: %d, "
381 "nc_protofmly: %s\n",
382 nconf->nc_netid, nconf->nc_semantics, nconf->nc_flag,
383 nconf->nc_protofmly);
384 printf("nc_proto: %s, nc_device: %s, nc_nlookups: %d, nc_used: %d\n",
385 nconf->nc_proto, nconf->nc_device, nconf->nc_nlookups,
386 nconf->nc_unused);
387 printf("netaddr: maxlen %d, buf: %s, len: %d\n", netaddr.maxlen,
388 netaddr.buf, netaddr.len);
389 #endif
390 /*
391 * Tell clnt_tli_create that given fd is already connected
392 *
393 * If the service_name and client_name are iprop-centric,
394 * we need to clnt_tli_create to the appropriate RPC prog
395 */
396 iprop_svc = strdup(KIPROP_SVC_NAME);
397 if (iprop_svc == NULL)
398 return (ENOMEM);
399
400 if ((strstr(service_name, iprop_svc) != NULL) &&
401 (strstr(client_name, iprop_svc) != NULL)) {
402 iprop_enable = B_TRUE;
403 handle->clnt = clnt_tli_create(fd, nconf, NULL,
404 KRB5_IPROP_PROG, KRB5_IPROP_VERS, 0, 0);
405 }
406 else
407 handle->clnt = clnt_tli_create(fd, nconf, NULL,
408 KADM, KADMVERS, 0, 0);
409
410 if (iprop_svc)
411 free(iprop_svc);
412
413 if (handle->clnt == NULL) {
414 syslog(LOG_ERR, dgettext(TEXT_DOMAIN,
415 "clnt_tli_create failed\n"));
416 code = KADM5_RPC_ERROR;
417 (void) close(fd);
418 goto error;
419 }
420 /*
421 * The rpc-handle was created on an fd opened and connected
422 * by us, so we have to explicitly tell rpc to close it.
423 */
424 if (clnt_control(handle->clnt, CLSET_FD_CLOSE, NULL) != TRUE) {
425 clnt_pcreateerror("ERROR:");
426 syslog(LOG_ERR, dgettext(TEXT_DOMAIN,
427 "clnt_control failed to set CLSET_FD_CLOSE"));
428 code = KADM5_RPC_ERROR;
429 (void) close(fd);
430 goto error;
431 }
432
500 &options_ret);
501 #endif /* ! INIT_TEST */
502
503 if (ccname_orig) {
504 (void) krb5_setenv("KRB5CCNAME", ccname_orig, 1);
505 free(ccname_orig);
506 } else
507 (void) krb5_unsetenv("KRB5CCNAME");
508
509
510 if (handle->clnt->cl_auth == NULL) {
511 code = KADM5_GSS_ERROR;
512 display_status(dgettext(TEXT_DOMAIN,
513 "rpc_gss_seccreate failed\n"),
514 options_ret.major_status,
515 options_ret.minor_status,
516 mech);
517 goto error;
518 }
519
520 /*
521 * Bypass the remainder of the code and return straightaway
522 * if the gss service requested is kiprop
523 */
524 if (iprop_enable == B_TRUE) {
525 code = 0;
526 goto cleanup;
527 }
528
529 r = init_1(&handle->api_version, handle->clnt, &rpc_err_code);
530 if (r == NULL) {
531 ADMIN_LOGO(LOG_ERR, dgettext(TEXT_DOMAIN,
532 "error during admin api initialization\n"));
533
534 if (rpc_err_code == RPC_CANTENCODEARGS) {
535 ADMIN_LOGO(LOG_ERR, dgettext(TEXT_DOMAIN,
536 "encryption needed to encode RPC data may not be "
537 "installed/configured on this system"));
538 code = KADM5_RPC_ERROR_CANTENCODEARGS;
539 } else if (rpc_err_code == RPC_CANTDECODEARGS) {
540 ADMIN_LOGO(LOG_ERR, dgettext(TEXT_DOMAIN,
541 "encryption needed to decode RPC data may not be "
542 "installed/configured on the server"));
543 code = KADM5_RPC_ERROR_CANTDECODEARGS;
544 } else
545 code = KADM5_RPC_ERROR;
546
547 goto error;
548
951 handle->magic_number = 0;
952 free(handle);
953
954 return (code);
955 }
956
957 /*ARGSUSED*/
958 kadm5_ret_t
959 kadm5_flush(void *server_handle)
960 {
961 return (KADM5_OK);
962 }
963
964 int
965 _kadm5_check_handle(void *handle)
966 {
967 CHECK_HANDLE(handle);
968 return (0);
969 }
970
971 /*
972 * Stub function for kadmin. It was created to eliminate the dependency on
973 * libkdb's ulog functions. The srv equivalent makes the actual calls.
974 */
975 krb5_error_code
976 kadm5_init_iprop(void *handle)
977 {
978 return (0);
979 }