1 /*
2 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
3 */
4
5
6 /*
7 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
8 *
9 * Openvision retains the copyright to derivative works of
10 * this source code. Do *NOT* create a derivative of this
11 * source code before consulting with your legal department.
12 * Do *NOT* integrate *ANY* of this source code into another
13 * product before consulting with your legal department.
14 *
15 * For further information, read the top-level Openvision
16 * copyright which is contained in the top-level MIT Kerberos
17 * copyright.
18 *
19 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
20 *
21 */
22
23
24 /*
25 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
26 *
27 */
28
29 #include <kadm5/admin.h>
30 #include <gssapi/gssapi.h>
31 #include <gssapi_krb5.h> /* for gss_nt_krb5_name */
32 #include <kadm5/kadm_rpc.h>
33 #include <kadm5/server_internal.h>
34 #include <kadm5/srv/server_acl.h>
35 #include <security/pam_appl.h>
36
37 #include <syslog.h>
38 #include <arpa/inet.h> /* inet_ntoa */
39 #include <krb5/adm_proto.h> /* krb5_klog_syslog */
40 #include <libintl.h>
41 #include <krb5.h>
42 #include "misc.h"
43
44 #define LOG_UNAUTH gettext("Unauthorized request: %s, %s, " \
45 "client=%s, service=%s, addr=%s")
46 #define LOG_DONE gettext("Request: %s, %s, %s, client=%s, " \
47 "service=%s, addr=%s")
48
49 extern gss_name_t gss_changepw_name;
50 extern gss_name_t gss_oldchangepw_name;
51 extern void * global_server_handle;
52 extern short l_port;
53
54 char buf[33];
55
56 #define CHANGEPW_SERVICE(rqstp) \
57 (cmp_gss_names_rel_1(acceptor_name(rqstp), gss_changepw_name) |\
58 (gss_oldchangepw_name && \
59 cmp_gss_names_rel_1(acceptor_name(rqstp), \
60 gss_oldchangepw_name)))
61
62
63 static int gss_to_krb5_name(kadm5_server_handle_t handle,
64 gss_name_t gss_name, krb5_principal *princ);
65
66 static int gss_name_to_string(gss_name_t gss_name, gss_buffer_desc *str);
67
68 static gss_name_t acceptor_name(struct svc_req * rqstp);
69
70 kadm5_ret_t
71 kadm5_get_priv(void *server_handle,
72 long *privs, gss_name_t clnt);
73
74 gss_name_t
get_clnt_name(struct svc_req * rqstp)75 get_clnt_name(struct svc_req * rqstp)
76 {
77 OM_uint32 maj_stat, min_stat;
78 gss_name_t name;
79 rpc_gss_rawcred_t *raw_cred;
80 void *cookie;
81 gss_buffer_desc name_buff;
82
83 rpc_gss_getcred(rqstp, &raw_cred, NULL, &cookie);
84 name_buff.value = raw_cred->client_principal->name;
85 name_buff.length = raw_cred->client_principal->len;
86 maj_stat = gss_import_name(&min_stat, &name_buff,
87 (gss_OID) GSS_C_NT_EXPORT_NAME, &name);
88 if (maj_stat != GSS_S_COMPLETE) {
89 return (NULL);
90 }
91 return (name);
92 }
93
94 char *
client_addr(struct svc_req * req,char * buf)95 client_addr(struct svc_req * req, char *buf)
96 {
97 struct sockaddr *ca;
98 u_char *b;
99 char *frontspace = " ";
100
101 /*
102 * Convert the caller's IP address to a dotted string
103 */
104 ca = (struct sockaddr *)
105 svc_getrpccaller(req->rq_xprt)->buf;
106
107 if (ca->sa_family == AF_INET) {
108 b = (u_char *) & ((struct sockaddr_in *) ca)->sin_addr;
109 (void) sprintf(buf, "%s(%d.%d.%d.%d) ", frontspace,
110 b[0] & 0xFF, b[1] & 0xFF, b[2] & 0xFF, b[3] & 0xFF);
111 } else {
112 /*
113 * No IP address to print. If there was a host name
114 * printed, then we print a space.
115 */
116 (void) sprintf(buf, frontspace);
117 }
118
119 return (buf);
120 }
121
cmp_gss_names(gss_name_t n1,gss_name_t n2)122 static int cmp_gss_names(gss_name_t n1, gss_name_t n2)
123 {
124 OM_uint32 emaj, emin;
125 int equal;
126
127 if (GSS_ERROR(emaj = gss_compare_name(&emin, n1, n2, &equal)))
128 return(0);
129
130 return(equal);
131 }
132
133 /* Does a comparison of the names and then releases the first entity */
134 /* For use above in CHANGEPW_SERVICE */
cmp_gss_names_rel_1(gss_name_t n1,gss_name_t n2)135 static int cmp_gss_names_rel_1(gss_name_t n1, gss_name_t n2)
136 {
137 OM_uint32 min_stat;
138 int ret;
139
140 ret = cmp_gss_names(n1, n2);
141 if (n1) (void) gss_release_name(&min_stat, &n1);
142 return ret;
143 }
144
145 /*
146 * Function check_handle
147 *
148 * Purpose: Check a server handle and return a com_err code if it is
149 * invalid or 0 if it is valid.
150 *
151 * Arguments:
152 *
153 * handle The server handle.
154 */
155
check_handle(void * handle)156 static int check_handle(void *handle)
157 {
158 CHECK_HANDLE(handle);
159 return 0;
160 }
161
162 /*
163 * Function: new_server_handle
164 *
165 * Purpose: Constructs a server handle suitable for passing into the
166 * server library API functions, by folding the client's API version
167 * and calling principal into the server handle returned by
168 * kadm5_init.
169 *
170 * Arguments:
171 * api_version (input) The API version specified by the client
172 * rqstp (input) The RPC request
173 * handle (output) The returned handle
174 * <return value> (output) An error code, or 0 if no error occurred
175 *
176 * Effects:
177 * Returns a pointer to allocated storage containing the server
178 * handle. If an error occurs, then no allocated storage is
179 * returned, and the return value of the function will be a
180 * non-zero com_err code.
181 *
182 * The allocated storage for the handle should be freed with
183 * free_server_handle (see below) when it is no longer needed.
184 */
185
new_server_handle(krb5_ui_4 api_version,struct svc_req * rqstp,kadm5_server_handle_t * out_handle)186 static kadm5_ret_t new_server_handle(krb5_ui_4 api_version,
187 struct svc_req *rqstp,
188 kadm5_server_handle_t
189 *out_handle)
190 {
191 kadm5_server_handle_t handle;
192 gss_name_t name;
193 OM_uint32 min_stat;
194
195 if (! (handle = (kadm5_server_handle_t)
196 malloc(sizeof(*handle))))
197 return ENOMEM;
198
199 *handle = *(kadm5_server_handle_t)global_server_handle;
200 handle->api_version = api_version;
201
202 if (!(name = get_clnt_name(rqstp))) {
203 free(handle);
204 return KADM5_FAILURE;
205 }
206 if (! gss_to_krb5_name(handle, name, &handle->current_caller)) {
207 free(handle);
208 gss_release_name(&min_stat, &name);
209 return KADM5_FAILURE;
210 }
211 gss_release_name(&min_stat, &name);
212
213 *out_handle = handle;
214 return 0;
215 }
216
217 /*
218 * Function: free_server_handle
219 *
220 * Purpose: Free handle memory allocated by new_server_handle
221 *
222 * Arguments:
223 * handle (input/output) The handle to free
224 */
free_server_handle(kadm5_server_handle_t handle)225 static void free_server_handle(kadm5_server_handle_t handle)
226 {
227 krb5_free_principal(handle->context, handle->current_caller);
228 free(handle);
229 }
230
231 /*
232 * Function: setup_gss_names
233 *
234 * Purpose: Create printable representations of the client and server
235 * names.
236 *
237 * Arguments:
238 * rqstp (r) the RPC request
239 * client_name (w) pointer to client_name string
240 * server_name (w) pointer to server_name string
241 *
242 * Effects:
243 *
244 * Unparses the client and server names into client_name and
245 * server_name, both of which must be freed by the caller. Returns 0
246 * on success and -1 on failure. On failure client_name and server_name
247 * will point to null.
248 */
249 /* SUNW14resync */
setup_gss_names(struct svc_req * rqstp,char ** client_name,char ** server_name)250 int setup_gss_names(struct svc_req *rqstp,
251 char **client_name, char **server_name)
252 {
253 OM_uint32 maj_stat, min_stat;
254 rpc_gss_rawcred_t *raw_cred;
255 gss_buffer_desc name_buf;
256 char *tmp, *val;
257 size_t len;
258 gss_name_t name;
259
260 *client_name = NULL;
261
262 rpc_gss_getcred(rqstp, &raw_cred, NULL, NULL);
263
264 /* Return a copy of the service principal from the raw_cred */
265 *server_name = strdup(raw_cred->svc_principal);
266
267 if (*server_name == NULL)
268 return (-1);
269
270 if (!(name = get_clnt_name(rqstp))) {
271 free(*server_name);
272 *server_name = NULL;
273 return (-1);
274 }
275 maj_stat = gss_display_name(&min_stat, name, &name_buf, NULL);
276 if (maj_stat != GSS_S_COMPLETE) {
277 free(*server_name);
278 gss_release_name(&min_stat, &name);
279 *server_name = NULL;
280 return (-1);
281 }
282 gss_release_name(&min_stat, &name);
283
284 /*
285 * Allocate space to copy the client principal. We allocate an
286 * extra byte to make the string null terminated if we need to.
287 */
288
289 val = name_buf.value;
290 len = name_buf.length + (val[name_buf.length - 1] != '\0');
291
292 /* len is the length including the null terminating byte. */
293
294 tmp = malloc(len);
295 if (tmp) {
296 memcpy(tmp, val, len - 1);
297 tmp[len - 1] = '\0';
298 } else {
299 free(*server_name);
300 *server_name = NULL;
301 }
302
303 /* Were done with the GSS buffer */
304 (void) gss_release_buffer(&min_stat, &name_buf);
305
306 *client_name = tmp;
307
308 return (tmp ? 0 : -1);
309 }
310
acceptor_name(struct svc_req * rqstp)311 static gss_name_t acceptor_name(struct svc_req * rqstp)
312 {
313 OM_uint32 maj_stat, min_stat;
314 gss_name_t name;
315 rpc_gss_rawcred_t *raw_cred;
316 void *cookie;
317 gss_buffer_desc name_buff;
318
319 rpc_gss_getcred(rqstp, &raw_cred, NULL, &cookie);
320 name_buff.value = raw_cred->svc_principal;
321 name_buff.length = strlen(raw_cred->svc_principal);
322 maj_stat = gss_import_name(&min_stat, &name_buff,
323 (gss_OID) gss_nt_krb5_name, &name);
324 if (maj_stat != GSS_S_COMPLETE) {
325 gss_release_buffer(&min_stat, &name_buff);
326 return (NULL);
327 }
328 maj_stat = gss_display_name(&min_stat, name, &name_buff, NULL);
329 if (maj_stat != GSS_S_COMPLETE) {
330 gss_release_buffer(&min_stat, &name_buff);
331 return (NULL);
332 }
333 gss_release_buffer(&min_stat, &name_buff);
334
335 return name;
336 }
337
cmp_gss_krb5_name(kadm5_server_handle_t handle,gss_name_t gss_name,krb5_principal princ)338 static int cmp_gss_krb5_name(kadm5_server_handle_t handle,
339 gss_name_t gss_name, krb5_principal princ)
340 {
341 krb5_principal princ2;
342 int status;
343
344 if (! gss_to_krb5_name(handle, gss_name, &princ2))
345 return 0;
346 status = krb5_principal_compare(handle->context, princ, princ2);
347 krb5_free_principal(handle->context, princ2);
348 return status;
349 }
350
351
352 /*
353 * This routine primarily validates the username and password
354 * of the principal to be created, if a prior acl check for
355 * the 'u' privilege succeeds. Validation is done using
356 * the PAM `k5migrate' service. k5migrate normally stacks
357 * pam_unix_auth.so and pam_unix_account.so in its auth and
358 * account stacks respectively.
359 *
360 * Returns 1 (true), if validation is successful,
361 * else returns 0 (false).
362 */
verify_pam_pw(char * userdata,char * pwd)363 int verify_pam_pw(char *userdata, char *pwd) {
364 pam_handle_t *pamh;
365 int err = 0;
366 int result = 1;
367 char *user = NULL;
368 char *ptr = NULL;
369
370 ptr = strchr(userdata, '@');
371 if (ptr != NULL) {
372 user = (char *)malloc(ptr - userdata + 1);
373 (void) strlcpy(user, userdata, (ptr - userdata) + 1);
374 } else {
375 user = (char *)strdup(userdata);
376 }
377
378 err = pam_start("k5migrate", user, NULL, &pamh);
379 if (err != PAM_SUCCESS) {
380 syslog(LOG_ERR, "verify_pam_pw: pam_start() failed, %s\n",
381 pam_strerror(pamh, err));
382 if (user)
383 free(user);
384 return (0);
385 }
386 if (user)
387 free(user);
388
389 err = pam_set_item(pamh, PAM_AUTHTOK, (void *)pwd);
390 if (err != PAM_SUCCESS) {
391 syslog(LOG_ERR, "verify_pam_pw: pam_set_item() failed, %s\n",
392 pam_strerror(pamh, err));
393 (void) pam_end(pamh, err);
394 return (0);
395 }
396
397 err = pam_authenticate(pamh, PAM_SILENT);
398 if (err != PAM_SUCCESS) {
399 syslog(LOG_ERR, "verify_pam_pw: pam_authenticate() "
400 "failed, %s\n", pam_strerror(pamh, err));
401 (void) pam_end(pamh, err);
402 return (0);
403 }
404
405 err = pam_acct_mgmt(pamh, PAM_SILENT);
406 if (err != PAM_SUCCESS) {
407 syslog(LOG_ERR, "verify_pam_pw: pam_acct_mgmt() failed, %s\n",
408 pam_strerror(pamh, err));
409 (void) pam_end(pamh, err);
410 return (0);
411 }
412
413 (void) pam_end(pamh, PAM_SUCCESS);
414 return (result);
415 }
416
gss_to_krb5_name(kadm5_server_handle_t handle,gss_name_t gss_name,krb5_principal * princ)417 static int gss_to_krb5_name(kadm5_server_handle_t handle,
418 gss_name_t gss_name, krb5_principal *princ)
419 {
420 OM_uint32 status, minor_stat;
421 gss_buffer_desc gss_str;
422 gss_OID gss_type;
423 int success;
424
425 status = gss_display_name(&minor_stat, gss_name, &gss_str, &gss_type);
426 if ((status != GSS_S_COMPLETE) || (!g_OID_equal(gss_type, gss_nt_krb5_name)))
427 return 0;
428 success = (krb5_parse_name(handle->context, gss_str.value, princ) == 0);
429 gss_release_buffer(&minor_stat, &gss_str);
430 return success;
431 }
432
433 static int
gss_name_to_string(gss_name_t gss_name,gss_buffer_desc * str)434 gss_name_to_string(gss_name_t gss_name, gss_buffer_desc *str)
435 {
436 OM_uint32 status, minor_stat;
437 gss_OID gss_type;
438
439 status = gss_display_name(&minor_stat, gss_name, str, &gss_type);
440 if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name))
441 return 1;
442 return 0;
443 }
444
445 static int
log_unauth(char * op,char * target,char * client,char * server,char * addr)446 log_unauth(
447 char *op,
448 char *target,
449 char *client,
450 char *server,
451 char *addr)
452 {
453 size_t tlen, clen, slen;
454 char *tdots, *cdots, *sdots;
455
456 tlen = strlen(target);
457 trunc_name(&tlen, &tdots);
458 clen = strlen(client);
459 trunc_name(&clen, &cdots);
460 slen = strlen(server);
461 trunc_name(&slen, &sdots);
462
463 return krb5_klog_syslog(LOG_NOTICE,
464 "Unauthorized request: %s, %.*s%s, "
465 "client=%.*s%s, service=%.*s%s, addr=%s",
466 op, tlen, target, tdots,
467 clen, client, cdots,
468 slen, server, sdots,
469 addr);
470 }
471
472 static int
log_done(char * op,char * target,const char * errmsg,char * client,char * server,char * addr)473 log_done(
474 char *op,
475 char *target,
476 const char *errmsg,
477 char *client,
478 char *server,
479 char *addr)
480 {
481 size_t tlen, clen, slen;
482 char *tdots, *cdots, *sdots;
483
484 tlen = strlen(target);
485 trunc_name(&tlen, &tdots);
486 clen = strlen(client);
487 trunc_name(&clen, &cdots);
488 slen = strlen(server);
489 trunc_name(&slen, &sdots);
490
491 return krb5_klog_syslog(LOG_NOTICE,
492 "Request: %s, %.*s%s, %s, "
493 "client=%.*s%s, service=%.*s%s, addr=%s",
494 op, tlen, target, tdots, errmsg,
495 clen, client, cdots,
496 slen, server, sdots,
497 addr);
498 }
499
500 generic_ret *
create_principal_2_svc(cprinc_arg * arg,struct svc_req * rqstp)501 create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
502 {
503 static generic_ret ret;
504 char *prime_arg = NULL;
505 char *client_name = NULL, *service_name = NULL;
506 int policy_migrate = 0;
507
508 OM_uint32 minor_stat;
509 kadm5_server_handle_t handle;
510 kadm5_ret_t retval;
511 restriction_t *rp;
512 const char *errmsg = NULL;
513 gss_name_t name = NULL;
514
515 xdr_free(xdr_generic_ret, (char *) &ret);
516
517 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
518 return &ret;
519
520 if ((ret.code = check_handle((void *)handle)))
521 goto error;
522 ret.api_version = handle->api_version;
523
524 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
525 ret.code = KADM5_FAILURE;
526 goto error;
527 }
528 if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
529 ret.code = KADM5_BAD_PRINCIPAL;
530 goto error;
531 }
532 if (!(name = get_clnt_name(rqstp))) {
533 ret.code = KADM5_FAILURE;
534 goto error;
535 }
536
537 if (kadm5int_acl_check(handle->context, name, ACL_MIGRATE,
538 arg->rec.principal, &rp) &&
539 verify_pam_pw(prime_arg, arg->passwd)) {
540 policy_migrate = 1;
541 }
542
543 if (CHANGEPW_SERVICE(rqstp)
544 || (!kadm5int_acl_check(handle->context, name, ACL_ADD,
545 arg->rec.principal, &rp) &&
546 !(policy_migrate))
547 || kadm5int_acl_impose_restrictions(handle->context,
548 &arg->rec, &arg->mask, rp)) {
549 ret.code = KADM5_AUTH_ADD;
550
551 audit_kadmind_unauth(rqstp->rq_xprt, l_port,
552 "kadm5_create_principal",
553 prime_arg, client_name);
554 log_unauth("kadm5_create_principal", prime_arg,
555 client_name, service_name, client_addr(rqstp, buf));
556 } else {
557 ret.code = kadm5_create_principal((void *)handle,
558 &arg->rec, arg->mask,
559 arg->passwd);
560 /* Solaris Kerberos */
561 if( ret.code != 0 )
562 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
563
564 audit_kadmind_auth(rqstp->rq_xprt, l_port,
565 "kadm5_create_principal",
566 prime_arg, client_name, ret.code);
567 log_done("kadm5_create_principal", prime_arg,
568 errmsg ? errmsg : "success",
569 client_name, service_name, client_addr(rqstp, buf));
570
571 if (errmsg != NULL)
572 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
573
574 if (policy_migrate && (ret.code == 0)) {
575 arg->rec.policy = strdup("default");
576 if ((arg->mask & KADM5_PW_EXPIRATION)) {
577 arg->mask = 0;
578 arg->mask |= KADM5_POLICY;
579 arg->mask |= KADM5_PW_EXPIRATION;
580 } else {
581 arg->mask = 0;
582 arg->mask |= KADM5_POLICY;
583 }
584
585 retval = kadm5_modify_principal((void *)handle,
586 &arg->rec, arg->mask);
587 log_done("kadm5_modify_principal",
588 prime_arg, ((retval == 0) ? "success" :
589 error_message(retval)), client_name,
590 service_name, client_addr(rqstp, buf));
591 }
592 }
593
594 error:
595 if (name)
596 gss_release_name(&minor_stat, &name);
597 free_server_handle(handle);
598 if (prime_arg)
599 free(prime_arg);
600 if (client_name)
601 free(client_name);
602 if (service_name)
603 free(service_name);
604 return (&ret);
605 }
606
607 generic_ret *
create_principal3_2_svc(cprinc3_arg * arg,struct svc_req * rqstp)608 create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
609 {
610 static generic_ret ret;
611 char *prime_arg = NULL;
612 char *client_name = NULL, *service_name = NULL;
613 int policy_migrate = 0;
614
615 OM_uint32 minor_stat;
616 kadm5_server_handle_t handle;
617 kadm5_ret_t retval;
618 restriction_t *rp;
619 const char *errmsg = NULL;
620 gss_name_t name = NULL;
621
622 xdr_free(xdr_generic_ret, (char *) &ret);
623
624 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
625 return &ret;
626
627 if ((ret.code = check_handle((void *)handle)))
628 goto error;
629 ret.api_version = handle->api_version;
630
631 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
632 ret.code = KADM5_FAILURE;
633 goto error;
634 }
635 if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
636 ret.code = KADM5_BAD_PRINCIPAL;
637 goto error;
638 }
639 if (!(name = get_clnt_name(rqstp))) {
640 ret.code = KADM5_FAILURE;
641 goto error;
642 }
643
644 if (kadm5int_acl_check(handle->context, name, ACL_MIGRATE,
645 arg->rec.principal, &rp) &&
646 verify_pam_pw(prime_arg, arg->passwd)) {
647 policy_migrate = 1;
648 }
649
650 if (CHANGEPW_SERVICE(rqstp)
651 || (!kadm5int_acl_check(handle->context, name, ACL_ADD,
652 arg->rec.principal, &rp) &&
653 !(policy_migrate))
654 || kadm5int_acl_impose_restrictions(handle->context,
655 &arg->rec, &arg->mask, rp)) {
656 ret.code = KADM5_AUTH_ADD;
657 log_unauth("kadm5_create_principal", prime_arg,
658 client_name, service_name, client_addr(rqstp, buf));
659 } else {
660 ret.code = kadm5_create_principal_3((void *)handle,
661 &arg->rec, arg->mask,
662 arg->n_ks_tuple,
663 arg->ks_tuple,
664 arg->passwd);
665 /* Solaris Kerberos */
666 if( ret.code != 0 )
667 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
668
669 log_done("kadm5_create_principal", prime_arg,
670 errmsg ? errmsg : "success",
671 client_name, service_name, client_addr(rqstp, buf));
672
673 if (errmsg != NULL)
674 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
675
676 if (policy_migrate && (ret.code == 0)) {
677 arg->rec.policy = strdup("default");
678 if ((arg->mask & KADM5_PW_EXPIRATION)) {
679 arg->mask = 0;
680 arg->mask |= KADM5_POLICY;
681 arg->mask |= KADM5_PW_EXPIRATION;
682 } else {
683 arg->mask = 0;
684 arg->mask |= KADM5_POLICY;
685 }
686
687 retval = kadm5_modify_principal((void *)handle,
688 &arg->rec, arg->mask);
689 log_done("kadm5_modify_principal", prime_arg,
690 ((retval == 0) ? "success" : error_message(retval)),
691 client_name, service_name, client_addr(rqstp, buf));
692 }
693 }
694
695 error:
696 if (name)
697 gss_release_name(&minor_stat, &name);
698 free_server_handle(handle);
699 if (client_name)
700 free(client_name);
701 if (service_name)
702 free(service_name);
703 if (prime_arg)
704 free(prime_arg);
705 return &ret;
706 }
707
708 generic_ret *
delete_principal_2_svc(dprinc_arg * arg,struct svc_req * rqstp)709 delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp)
710 {
711 static generic_ret ret;
712 char *prime_arg = NULL;
713 char *client_name = NULL, *service_name = NULL;
714 OM_uint32 min_stat;
715 kadm5_server_handle_t handle;
716 const char *errmsg = NULL;
717
718 gss_name_t name = NULL;
719
720
721 xdr_free(xdr_generic_ret, (char *) &ret);
722
723 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
724 return &ret;
725
726 if ((ret.code = check_handle((void *)handle)))
727 goto error;
728 ret.api_version = handle->api_version;
729
730 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
731 ret.code = KADM5_FAILURE;
732 goto error;
733 }
734 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
735 ret.code = KADM5_BAD_PRINCIPAL;
736 goto error;
737 }
738 if (!(name = get_clnt_name(rqstp))) {
739 ret.code = KADM5_FAILURE;
740 goto error;
741 }
742
743 if (CHANGEPW_SERVICE(rqstp)
744 || !kadm5int_acl_check(handle->context, name, ACL_DELETE,
745 arg->princ, NULL)) {
746 ret.code = KADM5_AUTH_DELETE;
747
748 audit_kadmind_unauth(rqstp->rq_xprt, l_port,
749 "kadm5_delete_principal",
750 prime_arg, client_name);
751 log_unauth("kadm5_delete_principal", prime_arg, client_name,
752 service_name, client_addr(rqstp, buf));
753 } else {
754 ret.code = kadm5_delete_principal((void *)handle, arg->princ);
755 /* Solaris Kerberos */
756 if( ret.code != 0 )
757 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
758
759 audit_kadmind_auth(rqstp->rq_xprt, l_port,
760 "kadm5_delete_principal",
761 prime_arg, client_name, ret.code);
762 log_done("kadm5_delete_principal", prime_arg,
763 errmsg ? errmsg : "success",
764 client_name, service_name, client_addr(rqstp, buf));
765
766 if (errmsg != NULL)
767 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
768
769 }
770
771 error:
772 if (name)
773 gss_release_name(&min_stat, &name);
774 if (prime_arg)
775 free(prime_arg);
776 free_server_handle(handle);
777 if (client_name)
778 free(client_name);
779 if (service_name)
780 free(service_name);
781 return &ret;
782 }
783
784 generic_ret *
modify_principal_2_svc(mprinc_arg * arg,struct svc_req * rqstp)785 modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp)
786 {
787 static generic_ret ret;
788 char *prime_arg = NULL;
789 char *client_name = NULL, *service_name = NULL;
790 OM_uint32 min_stat;
791 kadm5_server_handle_t handle;
792 restriction_t *rp;
793 gss_name_t name = NULL;
794 const char *errmsg = NULL;
795
796 xdr_free(xdr_generic_ret, (char *) &ret);
797
798 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
799 return &ret;
800
801 if ((ret.code = check_handle((void *)handle)))
802 goto error;
803 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
804 ret.code = KADM5_FAILURE;
805 goto error;
806 }
807 if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
808 ret.code = KADM5_BAD_PRINCIPAL;
809 goto error;
810 }
811 if (!(name = get_clnt_name(rqstp))) {
812 ret.code = KADM5_FAILURE;
813 goto error;
814 }
815
816 if (CHANGEPW_SERVICE(rqstp)
817 || !kadm5int_acl_check(handle->context, name, ACL_MODIFY,
818 arg->rec.principal, &rp)
819 || kadm5int_acl_impose_restrictions(handle->context,
820 &arg->rec, &arg->mask, rp)) {
821 ret.code = KADM5_AUTH_MODIFY;
822
823 audit_kadmind_unauth(rqstp->rq_xprt, l_port,
824 "kadm5_modify_principal",
825 prime_arg, client_name);
826 log_unauth("kadm5_modify_principal", prime_arg, client_name,
827 service_name, client_addr(rqstp, buf));
828 } else {
829 ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
830 arg->mask);
831 /* Solaris Kerberos */
832 if( ret.code != 0 )
833 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
834
835 audit_kadmind_auth(rqstp->rq_xprt, l_port,
836 "kadm5_modify_principal",
837 prime_arg, client_name, ret.code);
838 log_done("kadm5_modify_principal", prime_arg,
839 errmsg ? errmsg : "success",
840 client_name, service_name, client_addr(rqstp, buf));
841
842 if (errmsg != NULL)
843 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
844 }
845
846 error:
847 if (name)
848 gss_release_name(&min_stat, &name);
849 free_server_handle(handle);
850 if (prime_arg)
851 free(prime_arg);
852 if (client_name)
853 free(client_name);
854 if (service_name)
855 free(service_name);
856 return &ret;
857 }
858
859 generic_ret *
rename_principal_2_svc(rprinc_arg * arg,struct svc_req * rqstp)860 rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
861 {
862 static generic_ret ret;
863 char *prime_arg1 = NULL, *prime_arg2 = NULL;
864 char prime_arg[BUFSIZ];
865 char *client_name = NULL, *service_name = NULL;
866 OM_uint32 min_stat;
867 kadm5_server_handle_t handle;
868 restriction_t *rp;
869 const char *errmsg = NULL;
870 gss_name_t name = NULL;
871 size_t tlen1, tlen2, clen, slen;
872 char *tdots1, *tdots2, *cdots, *sdots;
873
874 xdr_free(xdr_generic_ret, (char *) &ret);
875
876 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
877 return &ret;
878
879 if ((ret.code = check_handle((void *)handle)))
880 goto error;
881 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
882 ret.code = KADM5_FAILURE;
883 goto error;
884 }
885 if (krb5_unparse_name(handle->context, arg->src, &prime_arg1) ||
886 krb5_unparse_name(handle->context, arg->dest, &prime_arg2)) {
887 ret.code = KADM5_BAD_PRINCIPAL;
888 goto error;
889 }
890 tlen1 = strlen(prime_arg1);
891 trunc_name(&tlen1, &tdots1);
892 tlen2 = strlen(prime_arg2);
893 trunc_name(&tlen2, &tdots2);
894 clen = strlen(client_name);
895 trunc_name(&clen, &cdots);
896 slen = strlen(service_name);
897 trunc_name(&slen, &sdots);
898
899 (void) snprintf(prime_arg, sizeof (prime_arg), "%.*s%s to %.*s*s",
900 tlen1, prime_arg1, tdots1,
901 tlen2, prime_arg2, tdots2);
902 ret.code = KADM5_OK;
903
904 if (!(name = get_clnt_name(rqstp))) {
905 ret.code = KADM5_FAILURE;
906 goto error;
907 }
908
909 if (! CHANGEPW_SERVICE(rqstp)) {
910 if (!kadm5int_acl_check(handle->context, name,
911 ACL_DELETE, arg->src, NULL))
912 ret.code = KADM5_AUTH_DELETE;
913 /* any restrictions at all on the ADD kills the RENAME */
914 if (!kadm5int_acl_check(handle->context, name,
915 ACL_ADD, arg->dest, &rp)) {
916 if (ret.code == KADM5_AUTH_DELETE)
917 ret.code = KADM5_AUTH_INSUFFICIENT;
918 else
919 ret.code = KADM5_AUTH_ADD;
920 }
921 } else
922 ret.code = KADM5_AUTH_INSUFFICIENT;
923 if (ret.code != KADM5_OK) {
924
925 audit_kadmind_unauth(rqstp->rq_xprt, l_port,
926 "kadm5_rename_principal",
927 prime_arg, client_name);
928 krb5_klog_syslog(LOG_NOTICE,
929 "Unauthorized request: kadm5_rename_principal, "
930 "%.*s%s to %.*s%s, "
931 "client=%.*s%s, service=%.*s%s, addr=%s",
932 tlen1, prime_arg1, tdots1,
933 tlen2, prime_arg2, tdots2,
934 clen, client_name, cdots,
935 slen, service_name, sdots,
936 client_addr(rqstp, buf));
937 } else {
938 ret.code = kadm5_rename_principal((void *)handle, arg->src,
939 arg->dest);
940 /* Solaris Kerberos */
941 if( ret.code != 0 )
942 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
943
944 audit_kadmind_auth(rqstp->rq_xprt, l_port,
945 "kadm5_rename_principal",
946 prime_arg, client_name, ret.code);
947 krb5_klog_syslog(LOG_NOTICE,
948 "Request: kadm5_rename_principal, "
949 "%.*s%s to %.*s%s, %s, "
950 "client=%.*s%s, service=%.*s%s, addr=%s",
951 tlen1, prime_arg1, tdots1,
952 tlen2, prime_arg2, tdots2,
953 errmsg ? errmsg : "success",
954 clen, client_name, cdots,
955 slen, service_name, sdots,
956 client_addr(rqstp, buf));
957
958 if (errmsg != NULL)
959 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
960 }
961
962 error:
963 if (name)
964 gss_release_name(&min_stat, &name);
965 free_server_handle(handle);
966 if (prime_arg1)
967 free(prime_arg1);
968 if (prime_arg2)
969 free(prime_arg2);
970 if (client_name)
971 free(client_name);
972 if (service_name)
973 free(service_name);
974 return &ret;
975 }
976
977 gprinc_ret *
get_principal_2_svc(gprinc_arg * arg,struct svc_req * rqstp)978 get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
979 {
980 static gprinc_ret ret;
981 kadm5_principal_ent_t_v1 e;
982 char *prime_arg = NULL, *funcname;
983 char *client_name = NULL, *service_name = NULL;
984 OM_uint32 min_stat;
985 kadm5_server_handle_t handle;
986 const char *errmsg = NULL;
987 gss_name_t name = NULL;
988
989 xdr_free(xdr_gprinc_ret, (char *) &ret);
990
991 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
992 return &ret;
993
994 if ((ret.code = check_handle((void *)handle)))
995 goto error;
996 ret.api_version = handle->api_version;
997
998 funcname = handle->api_version == KADM5_API_VERSION_1 ?
999 "kadm5_get_principal (V1)" : "kadm5_get_principal";
1000
1001 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1002 ret.code = KADM5_FAILURE;
1003 goto error;
1004 }
1005 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
1006 ret.code = KADM5_BAD_PRINCIPAL;
1007 goto error;
1008 }
1009 if (!(name = get_clnt_name(rqstp))) {
1010 ret.code = KADM5_FAILURE;
1011 goto error;
1012 }
1013
1014 if (! cmp_gss_krb5_name(handle, name, arg->princ) &&
1015 (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
1016 name,
1017 ACL_INQUIRE,
1018 arg->princ,
1019 NULL))) {
1020 ret.code = KADM5_AUTH_GET;
1021
1022 audit_kadmind_unauth(rqstp->rq_xprt, l_port,
1023 funcname,
1024 prime_arg, client_name);
1025 log_unauth(funcname, prime_arg, client_name, service_name,
1026 client_addr(rqstp, buf));
1027 } else {
1028 if (handle->api_version == KADM5_API_VERSION_1) {
1029 ret.code = kadm5_get_principal_v1((void *)handle,
1030 arg->princ, &e);
1031 if(ret.code == KADM5_OK) {
1032 memcpy(&ret.rec, e, sizeof(kadm5_principal_ent_rec_v1));
1033 free(e);
1034 }
1035 } else {
1036 ret.code = kadm5_get_principal((void *)handle,
1037 arg->princ, &ret.rec,
1038 arg->mask);
1039 }
1040
1041 /* Solaris Kerberos */
1042 if( ret.code != 0 )
1043 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
1044
1045 audit_kadmind_auth(rqstp->rq_xprt, l_port,
1046 funcname,
1047 prime_arg, client_name, ret.code);
1048 log_done(funcname, prime_arg, errmsg ? errmsg : "success",
1049 client_name, service_name, client_addr(rqstp, buf));
1050
1051 if (errmsg != NULL)
1052 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
1053 }
1054
1055 error:
1056 if (name)
1057 gss_release_name(&min_stat, &name);
1058 free_server_handle(handle);
1059 if (prime_arg)
1060 free(prime_arg);
1061 if (client_name)
1062 free(client_name);
1063 if (service_name)
1064 free(service_name);
1065 return &ret;
1066 }
1067
1068 gprincs_ret *
get_princs_2_svc(gprincs_arg * arg,struct svc_req * rqstp)1069 get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
1070 {
1071 static gprincs_ret ret;
1072 char *prime_arg = NULL;
1073 char *client_name = NULL, *service_name = NULL;
1074 OM_uint32 min_stat;
1075 kadm5_server_handle_t handle;
1076 gss_name_t name = NULL;
1077 const char *errmsg = NULL;
1078
1079 xdr_free(xdr_gprincs_ret, (char *) &ret);
1080
1081 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1082 return &ret;
1083
1084 if ((ret.code = check_handle((void *)handle)))
1085 goto error;
1086 ret.api_version = handle->api_version;
1087
1088 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1089 ret.code = KADM5_FAILURE;
1090 goto error;
1091 }
1092 prime_arg = arg->exp;
1093 if (prime_arg == NULL)
1094 prime_arg = "*";
1095
1096 if (!(name = get_clnt_name(rqstp))) {
1097 ret.code = KADM5_FAILURE;
1098 goto error;
1099 }
1100
1101 if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
1102 name,
1103 ACL_LIST,
1104 NULL,
1105 NULL)) {
1106 ret.code = KADM5_AUTH_LIST;
1107
1108 audit_kadmind_unauth(rqstp->rq_xprt, l_port,
1109 "kadm5_get_principals",
1110 prime_arg, client_name);
1111 log_unauth("kadm5_get_principals", prime_arg, client_name,
1112 service_name, client_addr(rqstp, buf));
1113 } else {
1114 ret.code = kadm5_get_principals((void *)handle,
1115 arg->exp, &ret.princs,
1116 &ret.count);
1117 /* Solaris Kerberos */
1118 if( ret.code != 0 )
1119 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
1120
1121 audit_kadmind_auth(rqstp->rq_xprt, l_port,
1122 "kadm5_get_principals",
1123 prime_arg, client_name, ret.code);
1124 log_done("kadm5_get_principals", prime_arg,
1125 errmsg ? errmsg : "success",
1126 client_name, service_name, client_addr(rqstp, buf));
1127
1128 if (errmsg != NULL)
1129 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
1130 }
1131
1132 error:
1133 if (name)
1134 gss_release_name(&min_stat, &name);
1135 free_server_handle(handle);
1136 if (client_name)
1137 free(client_name);
1138 if (service_name)
1139 free(service_name);
1140 return (&ret);
1141 }
1142
1143 generic_ret *
chpass_principal_2_svc(chpass_arg * arg,struct svc_req * rqstp)1144 chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp)
1145 {
1146 static generic_ret ret;
1147 char *prime_arg = NULL;
1148 char *client_name = NULL, *service_name = NULL;
1149 OM_uint32 min_stat;
1150 kadm5_server_handle_t handle;
1151 const char *errmsg = NULL;
1152 gss_name_t name = NULL;
1153
1154 xdr_free(xdr_generic_ret, (char *) &ret);
1155
1156 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1157 return &ret;
1158
1159 if ((ret.code = check_handle((void *)handle)))
1160 goto error;
1161 ret.api_version = handle->api_version;
1162
1163 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1164 ret.code = KADM5_FAILURE;
1165 goto error;
1166 }
1167 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
1168 ret.code = KADM5_BAD_PRINCIPAL;
1169 goto error;
1170 }
1171 if (!(name = get_clnt_name(rqstp))) {
1172 ret.code = KADM5_FAILURE;
1173 goto error;
1174 }
1175
1176 if (cmp_gss_krb5_name(handle, name, arg->princ)) {
1177 ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ,
1178 FALSE, 0, NULL, arg->pass);
1179 } else if (!(CHANGEPW_SERVICE(rqstp)) &&
1180 kadm5int_acl_check(handle->context, name,
1181 ACL_CHANGEPW, arg->princ, NULL)) {
1182 ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
1183 arg->pass);
1184 } else {
1185 audit_kadmind_unauth(rqstp->rq_xprt, l_port,
1186 "kadm5_chpass_principal",
1187 prime_arg, client_name);
1188 log_unauth("kadm5_chpass_principal", prime_arg, client_name,
1189 service_name, client_addr(rqstp, buf));
1190 ret.code = KADM5_AUTH_CHANGEPW;
1191 }
1192
1193 if(ret.code != KADM5_AUTH_CHANGEPW) {
1194 /* Solaris Kerberos */
1195 if( ret.code != 0 )
1196 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
1197
1198 audit_kadmind_auth(rqstp->rq_xprt, l_port,
1199 "kadm5_chpass_principal",
1200 prime_arg, client_name, ret.code);
1201 log_done("kadm5_chpass_principal", prime_arg,
1202 errmsg ? errmsg : "success",
1203 client_name, service_name, client_addr(rqstp, buf));
1204
1205 if (errmsg != NULL)
1206 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
1207 }
1208
1209 error:
1210 if (name)
1211 gss_release_name(&min_stat, &name);
1212 free_server_handle(handle);
1213 if (prime_arg)
1214 free(prime_arg);
1215 if (client_name)
1216 free(client_name);
1217 if (service_name)
1218 free(service_name);
1219 return (&ret);
1220 }
1221
1222 generic_ret *
chpass_principal3_2_svc(chpass3_arg * arg,struct svc_req * rqstp)1223 chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp)
1224 {
1225 static generic_ret ret;
1226 char *prime_arg = NULL;
1227 char *client_name = NULL,
1228 *service_name = NULL;
1229 OM_uint32 min_stat;
1230 kadm5_server_handle_t handle;
1231 const char *errmsg = NULL;
1232 gss_name_t name = NULL;
1233
1234 xdr_free(xdr_generic_ret, (char *) &ret);
1235
1236 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1237 return &ret;
1238
1239 if ((ret.code = check_handle((void *)handle)))
1240 goto error;
1241 ret.api_version = handle->api_version;
1242
1243 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1244 ret.code = KADM5_FAILURE;
1245 goto error;
1246 }
1247 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
1248 ret.code = KADM5_BAD_PRINCIPAL;
1249 goto error;
1250 }
1251 if (!(name = get_clnt_name(rqstp))) {
1252 ret.code = KADM5_FAILURE;
1253 goto error;
1254 }
1255
1256 if (cmp_gss_krb5_name(handle, name, arg->princ)) {
1257 ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ,
1258 arg->keepold,
1259 arg->n_ks_tuple,
1260 arg->ks_tuple,
1261 arg->pass);
1262 } else if (!(CHANGEPW_SERVICE(rqstp)) &&
1263 kadm5int_acl_check(handle->context, name,
1264 ACL_CHANGEPW, arg->princ, NULL)) {
1265 ret.code = kadm5_chpass_principal_3((void *)handle, arg->princ,
1266 arg->keepold,
1267 arg->n_ks_tuple,
1268 arg->ks_tuple,
1269 arg->pass);
1270 } else {
1271 log_unauth("kadm5_chpass_principal", prime_arg,
1272 client_name, service_name, client_addr(rqstp, buf));
1273 ret.code = KADM5_AUTH_CHANGEPW;
1274 }
1275
1276 if(ret.code != KADM5_AUTH_CHANGEPW) {
1277 /* Solaris Kerberos */
1278 if( ret.code != 0 )
1279 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
1280
1281 log_done("kadm5_chpass_principal", prime_arg,
1282 errmsg ? errmsg : "success",
1283 client_name, service_name, client_addr(rqstp, buf));
1284
1285 if (errmsg != NULL)
1286 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
1287 }
1288
1289 error:
1290 if (name)
1291 gss_release_name(&min_stat, &name);
1292 free_server_handle(handle);
1293 if (client_name)
1294 free(client_name);
1295 if (service_name)
1296 free(service_name);
1297 if (prime_arg)
1298 free(prime_arg);
1299 return (&ret);
1300 }
1301
1302 #ifdef SUNWOFF
1303 generic_ret *
setv4key_principal_2_svc(setv4key_arg * arg,struct svc_req * rqstp)1304 setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp)
1305 {
1306 static generic_ret ret;
1307 char *prime_arg = NULL;
1308 char *client_name = NULL,
1309 *service_name = NULL;
1310 OM_uint32 min_stat;
1311 kadm5_server_handle_t handle;
1312 const char *errmsg = NULL;
1313 gss_name_t name = NULL;
1314
1315 xdr_free(xdr_generic_ret, (char *) &ret);
1316
1317 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1318 return &ret;
1319
1320 if ((ret.code = check_handle((void *)handle)))
1321 goto error;
1322 ret.api_version = handle->api_version;
1323
1324 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1325 ret.code = KADM5_FAILURE;
1326 goto error;
1327 }
1328 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
1329 ret.code = KADM5_BAD_PRINCIPAL;
1330 goto error;
1331 }
1332 if (!(name = get_clnt_name(rqstp))) {
1333 ret.code = KADM5_FAILURE;
1334 goto error;
1335 }
1336
1337 if (!(CHANGEPW_SERVICE(rqstp)) &&
1338 kadm5int_acl_check(handle->context, name,
1339 ACL_SETKEY, arg->princ, NULL)) {
1340 ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
1341 arg->keyblock);
1342 } else {
1343 log_unauth("kadm5_setv4key_principal", prime_arg,
1344 client_name, service_name, client_addr(rqstp, buf));
1345 ret.code = KADM5_AUTH_SETKEY;
1346 }
1347
1348 if(ret.code != KADM5_AUTH_SETKEY) {
1349 /* Solaris Kerberos */
1350 if( ret.code != 0 )
1351 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
1352
1353 log_done("kadm5_setv4key_principal", prime_arg,
1354 errmsg ? errmsg : "success",
1355 client_name, service_name, client_addr(rqstp, buf));
1356
1357 if (errmsg != NULL)
1358 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
1359 }
1360
1361 error:
1362 if (name)
1363 gss_release_name(&min_stat, &name);
1364 free_server_handle(handle);
1365 if (client_name)
1366 free(client_name);
1367 if (service_name)
1368 free(service_name);
1369 if (prime_arg)
1370 free(prime_arg);
1371 return (&ret);
1372 }
1373 #endif
1374
1375 generic_ret *
setkey_principal_2_svc(setkey_arg * arg,struct svc_req * rqstp)1376 setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp)
1377 {
1378 static generic_ret ret;
1379 char *prime_arg;
1380 char *client_name,
1381 *service_name;
1382 OM_uint32 min_stat;
1383 kadm5_server_handle_t handle;
1384 const char *errmsg = NULL;
1385 gss_name_t name;
1386
1387 xdr_free(xdr_generic_ret, (char *) &ret);
1388
1389 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1390 return &ret;
1391
1392 if ((ret.code = check_handle((void *)handle)))
1393 goto error;
1394 ret.api_version = handle->api_version;
1395
1396 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1397 ret.code = KADM5_FAILURE;
1398 goto error;
1399 }
1400 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
1401 ret.code = KADM5_BAD_PRINCIPAL;
1402 goto error;
1403 }
1404 if (!(name = get_clnt_name(rqstp))) {
1405 ret.code = KADM5_FAILURE;
1406 goto error;
1407 }
1408
1409 if (!(CHANGEPW_SERVICE(rqstp)) &&
1410 kadm5int_acl_check(handle->context, name, ACL_SETKEY, arg->princ, NULL)) {
1411 ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
1412 arg->keyblocks, arg->n_keys);
1413 } else {
1414 log_unauth("kadm5_setkey_principal", prime_arg,
1415 client_name, service_name, client_addr(rqstp, buf));
1416 ret.code = KADM5_AUTH_SETKEY;
1417 }
1418
1419 if(ret.code != KADM5_AUTH_SETKEY) {
1420 /* Solaris Kerberos */
1421 if( ret.code != 0 )
1422 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
1423
1424 log_done("kadm5_setkey_principal", prime_arg,
1425 errmsg ? errmsg : "success",
1426 client_name, service_name, client_addr(rqstp, buf));
1427
1428 if (errmsg != NULL)
1429 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
1430 }
1431
1432 error:
1433 if (name)
1434 gss_release_name(&min_stat, &name);
1435 free_server_handle(handle);
1436 if (client_name)
1437 free(client_name);
1438 if (service_name)
1439 free(service_name);
1440 if (prime_arg)
1441 free(prime_arg);
1442 return (&ret);
1443 }
1444
1445 generic_ret *
setkey_principal3_2_svc(setkey3_arg * arg,struct svc_req * rqstp)1446 setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp)
1447 {
1448 static generic_ret ret;
1449 char *prime_arg = NULL;
1450 char *client_name = NULL,
1451 *service_name = NULL;
1452 OM_uint32 min_stat;
1453 kadm5_server_handle_t handle;
1454 const char *errmsg = NULL;
1455 gss_name_t name = NULL;
1456
1457 xdr_free(xdr_generic_ret, (char *) &ret);
1458
1459 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1460 return &ret;
1461
1462 if ((ret.code = check_handle((void *)handle)))
1463 goto error;
1464 ret.api_version = handle->api_version;
1465
1466 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1467 ret.code = KADM5_FAILURE;
1468 goto error;
1469 }
1470 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
1471 ret.code = KADM5_BAD_PRINCIPAL;
1472 goto error;
1473 }
1474 if (!(name = get_clnt_name(rqstp))) {
1475 ret.code = KADM5_FAILURE;
1476 goto error;
1477 }
1478
1479 if (!(CHANGEPW_SERVICE(rqstp)) &&
1480 kadm5int_acl_check(handle->context, name,
1481 ACL_SETKEY, arg->princ, NULL)) {
1482 ret.code = kadm5_setkey_principal_3((void *)handle, arg->princ,
1483 arg->keepold,
1484 arg->n_ks_tuple,
1485 arg->ks_tuple,
1486 arg->keyblocks, arg->n_keys);
1487 } else {
1488 log_unauth("kadm5_setkey_principal", prime_arg,
1489 client_name, service_name, client_addr(rqstp, buf));
1490 ret.code = KADM5_AUTH_SETKEY;
1491 }
1492
1493 if(ret.code != KADM5_AUTH_SETKEY) {
1494 /* Solaris Kerberos */
1495 if( ret.code != 0 )
1496 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
1497
1498 log_done("kadm5_setkey_principal", prime_arg,
1499 errmsg ? errmsg : "success",
1500 client_name, service_name, client_addr(rqstp, buf));
1501
1502 if (errmsg != NULL)
1503 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
1504 }
1505
1506 error:
1507 if (name)
1508 gss_release_name(&min_stat, &name);
1509 free_server_handle(handle);
1510 if (client_name)
1511 free(client_name);
1512 if (service_name)
1513 free(service_name);
1514 if (prime_arg)
1515 free(prime_arg);
1516 return &ret;
1517 }
1518
1519 chrand_ret *
chrand_principal_2_svc(chrand_arg * arg,struct svc_req * rqstp)1520 chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
1521 {
1522 static chrand_ret ret;
1523 krb5_keyblock *k;
1524 int nkeys;
1525 char *prime_arg = NULL, *funcname;
1526 char *client_name = NULL, *service_name = NULL;
1527 OM_uint32 min_stat;
1528 kadm5_server_handle_t handle;
1529 const char *errmsg = NULL;
1530 gss_name_t name = NULL;
1531
1532 xdr_free(xdr_chrand_ret, (char *) &ret);
1533
1534 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1535 return &ret;
1536
1537 if ((ret.code = check_handle((void *)handle)))
1538 goto error;
1539
1540 ret.api_version = handle->api_version;
1541
1542 funcname = handle->api_version == KADM5_API_VERSION_1 ?
1543 "kadm5_randkey_principal (V1)" : "kadm5_randkey_principal";
1544
1545 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1546 ret.code = KADM5_FAILURE;
1547 goto error;
1548 }
1549 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
1550 ret.code = KADM5_BAD_PRINCIPAL;
1551 goto error;
1552 }
1553 if (!(name = get_clnt_name(rqstp))) {
1554 ret.code = KADM5_FAILURE;
1555 goto error;
1556 }
1557
1558 if (cmp_gss_krb5_name(handle, name, arg->princ)) {
1559 ret.code = randkey_principal_wrapper((void *)handle, arg->princ, &k,
1560 &nkeys);
1561 } else if (!(CHANGEPW_SERVICE(rqstp)) &&
1562 kadm5int_acl_check(handle->context, name,
1563 ACL_CHANGEPW, arg->princ, NULL)) {
1564 ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
1565 &k, &nkeys);
1566 } else {
1567 audit_kadmind_unauth(rqstp->rq_xprt, l_port,
1568 funcname, prime_arg, client_name);
1569 log_unauth(funcname, prime_arg,
1570 client_name, service_name, client_addr(rqstp, buf));
1571 ret.code = KADM5_AUTH_CHANGEPW;
1572 }
1573
1574 if(ret.code == KADM5_OK) {
1575 if (handle->api_version == KADM5_API_VERSION_1) {
1576 krb5_copy_keyblock_contents(handle->context, k, &ret.key);
1577 krb5_free_keyblock(handle->context, k);
1578 } else {
1579 ret.keys = k;
1580 ret.n_keys = nkeys;
1581 }
1582 }
1583
1584 if(ret.code != KADM5_AUTH_CHANGEPW) {
1585 /* Solaris Kerberos */
1586 if( ret.code != 0 )
1587 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
1588
1589 audit_kadmind_auth(rqstp->rq_xprt, l_port,
1590 funcname, prime_arg, client_name, ret.code);
1591 log_done(funcname, prime_arg, errmsg ? errmsg : "success",
1592 client_name, service_name, client_addr(rqstp, buf));
1593
1594 if (errmsg != NULL)
1595 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
1596 }
1597
1598 error:
1599 if (name)
1600 gss_release_name(&min_stat, &name);
1601 free_server_handle(handle);
1602 if (prime_arg)
1603 free(prime_arg);
1604 if (client_name)
1605 free(client_name);
1606 if (service_name)
1607 free(service_name);
1608 return &ret;
1609 }
1610
1611 chrand_ret *
chrand_principal3_2_svc(chrand3_arg * arg,struct svc_req * rqstp)1612 chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp)
1613 {
1614 static chrand_ret ret;
1615 krb5_keyblock *k;
1616 int nkeys;
1617 char *prime_arg = NULL, *funcname;
1618 char *client_name = NULL,
1619 *service_name = NULL;
1620 OM_uint32 min_stat;
1621 kadm5_server_handle_t handle;
1622 const char *errmsg = NULL;
1623 gss_name_t name = NULL;
1624
1625 xdr_free(xdr_chrand_ret, (char *) &ret);
1626
1627 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1628 return &ret;
1629
1630 if ((ret.code = check_handle((void *)handle)))
1631 goto error;
1632 ret.api_version = handle->api_version;
1633
1634 funcname = handle->api_version == KADM5_API_VERSION_1 ?
1635 "kadm5_randkey_principal (V1)" : "kadm5_randkey_principal";
1636
1637 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1638 ret.code = KADM5_FAILURE;
1639 goto error;
1640 }
1641 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
1642 ret.code = KADM5_BAD_PRINCIPAL;
1643 goto error;
1644 }
1645 if (!(name = get_clnt_name(rqstp))) {
1646 ret.code = KADM5_FAILURE;
1647 goto error;
1648 }
1649
1650 if (cmp_gss_krb5_name(handle, name, arg->princ)) {
1651 ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ,
1652 arg->keepold,
1653 arg->n_ks_tuple,
1654 arg->ks_tuple,
1655 &k, &nkeys);
1656 } else if (!(CHANGEPW_SERVICE(rqstp)) &&
1657 kadm5int_acl_check(handle->context, name,
1658 ACL_CHANGEPW, arg->princ, NULL)) {
1659 ret.code = kadm5_randkey_principal_3((void *)handle, arg->princ,
1660 arg->keepold,
1661 arg->n_ks_tuple,
1662 arg->ks_tuple,
1663 &k, &nkeys);
1664 } else {
1665 log_unauth(funcname, prime_arg,
1666 client_name, service_name, client_addr(rqstp, buf));
1667 ret.code = KADM5_AUTH_CHANGEPW;
1668 }
1669
1670 if(ret.code == KADM5_OK) {
1671 if (handle->api_version == KADM5_API_VERSION_1) {
1672 krb5_copy_keyblock_contents(handle->context, k, &ret.key);
1673 krb5_free_keyblock(handle->context, k);
1674 } else {
1675 ret.keys = k;
1676 ret.n_keys = nkeys;
1677 }
1678 }
1679
1680 if(ret.code != KADM5_AUTH_CHANGEPW) {
1681 /* Solaris Kerberos */
1682 if( ret.code != 0 )
1683 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
1684
1685 log_done(funcname, prime_arg, errmsg ? errmsg : "success",
1686 client_name, service_name, client_addr(rqstp, buf));
1687
1688 if (errmsg != NULL)
1689 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
1690 }
1691
1692 error:
1693 if (name)
1694 gss_release_name(&min_stat, &name);
1695 free_server_handle(handle);
1696 if (client_name)
1697 free(client_name);
1698 if (service_name)
1699 free(service_name);
1700 if (prime_arg)
1701 free(prime_arg);
1702 return (&ret);
1703 }
1704
1705 generic_ret *
create_policy_2_svc(cpol_arg * arg,struct svc_req * rqstp)1706 create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp)
1707 {
1708 static generic_ret ret;
1709 char *prime_arg = NULL;
1710 char *client_name = NULL, *service_name = NULL;
1711 OM_uint32 min_stat;
1712 kadm5_server_handle_t handle;
1713 const char *errmsg = NULL;
1714 gss_name_t name = NULL;
1715
1716 xdr_free(xdr_generic_ret, (char *) &ret);
1717
1718 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1719 return &ret;
1720
1721 if ((ret.code = check_handle((void *)handle)))
1722 goto error;
1723
1724 ret.api_version = handle->api_version;
1725
1726 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1727 ret.code = KADM5_FAILURE;
1728 goto error;
1729 }
1730 prime_arg = arg->rec.policy;
1731
1732 if (!(name = get_clnt_name(rqstp))) {
1733 ret.code = KADM5_FAILURE;
1734 goto error;
1735 }
1736
1737 if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
1738 name,
1739 ACL_ADD, NULL, NULL)) {
1740 ret.code = KADM5_AUTH_ADD;
1741
1742 audit_kadmind_unauth(rqstp->rq_xprt, l_port,
1743 "kadm5_create_policy",
1744 prime_arg, client_name);
1745 log_unauth("kadm5_create_policy", prime_arg,
1746 client_name, service_name, client_addr(rqstp, buf));
1747
1748 } else {
1749 ret.code = kadm5_create_policy((void *)handle, &arg->rec,
1750 arg->mask);
1751 /* Solaris Kerberos */
1752 if( ret.code != 0 )
1753 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
1754
1755 audit_kadmind_auth(rqstp->rq_xprt, l_port,
1756 "kadm5_create_policy",
1757 prime_arg, client_name, ret.code);
1758 log_done("kadm5_create_policy",
1759 ((prime_arg == NULL) ? "(null)" : prime_arg),
1760 errmsg ? errmsg : "success",
1761 client_name, service_name, client_addr(rqstp, buf));
1762
1763 if (errmsg != NULL)
1764 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
1765 }
1766
1767 error:
1768 if (name)
1769 gss_release_name(&min_stat, &name);
1770 free_server_handle(handle);
1771 if (client_name)
1772 free(client_name);
1773 if (service_name)
1774 free(service_name);
1775 return &ret;
1776 }
1777
1778 generic_ret *
delete_policy_2_svc(dpol_arg * arg,struct svc_req * rqstp)1779 delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp)
1780 {
1781 static generic_ret ret;
1782 char *prime_arg = NULL;
1783 char *client_name = NULL, *service_name = NULL;
1784 OM_uint32 min_stat;
1785 kadm5_server_handle_t handle;
1786 const char *errmsg = NULL;
1787 gss_name_t name = NULL;
1788
1789 xdr_free(xdr_generic_ret, (char *) &ret);
1790
1791 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1792 return &ret;
1793
1794 if ((ret.code = check_handle((void *)handle)))
1795 goto error;
1796 ret.api_version = handle->api_version;
1797
1798 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1799 ret.code = KADM5_FAILURE;
1800 goto error;
1801 }
1802 prime_arg = arg->name;
1803
1804 if (!(name = get_clnt_name(rqstp))) {
1805 ret.code = KADM5_FAILURE;
1806 goto error;
1807 }
1808
1809 if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
1810 name,
1811 ACL_DELETE, NULL, NULL)) {
1812
1813 audit_kadmind_unauth(rqstp->rq_xprt, l_port,
1814 "kadm5_delete_policy",
1815 prime_arg, client_name);
1816 log_unauth("kadm5_delete_policy", prime_arg,
1817 client_name, service_name, client_addr(rqstp, buf));
1818 ret.code = KADM5_AUTH_DELETE;
1819 } else {
1820 ret.code = kadm5_delete_policy((void *)handle, arg->name);
1821 /* Solaris Kerberos */
1822 if( ret.code != 0 )
1823 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
1824
1825 audit_kadmind_auth(rqstp->rq_xprt, l_port,
1826 "kadm5_delete_policy",
1827 prime_arg, client_name, ret.code);
1828 log_done("kadm5_delete_policy",
1829 ((prime_arg == NULL) ? "(null)" : prime_arg),
1830 errmsg ? errmsg : "success",
1831 client_name, service_name, client_addr(rqstp, buf));
1832
1833 if (errmsg != NULL)
1834 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
1835 }
1836
1837 error:
1838 if (name)
1839 gss_release_name(&min_stat, &name);
1840 free_server_handle(handle);
1841 if (client_name)
1842 free(client_name);
1843 if (service_name)
1844 free(service_name);
1845 return &ret;
1846 }
1847
1848 generic_ret *
modify_policy_2_svc(mpol_arg * arg,struct svc_req * rqstp)1849 modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp)
1850 {
1851 static generic_ret ret;
1852 char *prime_arg = NULL;
1853 char *client_name = NULL, *service_name = NULL;
1854 OM_uint32 min_stat;
1855 kadm5_server_handle_t handle;
1856 const char *errmsg = NULL;
1857 gss_name_t name = NULL;
1858
1859 xdr_free(xdr_generic_ret, (char *) &ret);
1860
1861 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1862 return &ret;
1863
1864 if ((ret.code = check_handle((void *)handle)))
1865 goto error;
1866 ret.api_version = handle->api_version;
1867
1868 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1869 ret.code = KADM5_FAILURE;
1870 goto error;
1871 }
1872 prime_arg = arg->rec.policy;
1873
1874 if (!(name = get_clnt_name(rqstp))) {
1875 ret.code = KADM5_FAILURE;
1876 goto error;
1877 }
1878
1879 if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
1880 name,
1881 ACL_MODIFY, NULL, NULL)) {
1882
1883 audit_kadmind_unauth(rqstp->rq_xprt, l_port,
1884 "kadm5_modify_policy",
1885 prime_arg, client_name);
1886 log_unauth("kadm5_modify_policy", prime_arg,
1887 client_name, service_name, client_addr(rqstp, buf));
1888 ret.code = KADM5_AUTH_MODIFY;
1889 } else {
1890 ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
1891 arg->mask);
1892 /* Solaris Kerberos */
1893 if( ret.code != 0 )
1894 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
1895
1896 audit_kadmind_auth(rqstp->rq_xprt, l_port,
1897 "kadm5_modify_policy",
1898 prime_arg, client_name, ret.code);
1899 log_done("kadm5_modify_policy",
1900 ((prime_arg == NULL) ? "(null)" : prime_arg),
1901 errmsg ? errmsg : "success",
1902 client_name, service_name, client_addr(rqstp, buf));
1903
1904 if (errmsg != NULL)
1905 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
1906 }
1907
1908 error:
1909 if (name)
1910 gss_release_name(&min_stat, &name);
1911 free_server_handle(handle);
1912 if (client_name)
1913 free(client_name);
1914 if (service_name)
1915 free(service_name);
1916 return (&ret);
1917 }
1918
1919 gpol_ret *
get_policy_2_svc(gpol_arg * arg,struct svc_req * rqstp)1920 get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp)
1921 {
1922 static gpol_ret ret;
1923 kadm5_ret_t ret2;
1924 char *prime_arg = NULL, *funcname;
1925 char *client_name = NULL, *service_name = NULL;
1926 OM_uint32 min_stat;
1927 kadm5_policy_ent_t e;
1928 kadm5_principal_ent_rec caller_ent;
1929 krb5_principal caller;
1930 kadm5_server_handle_t handle;
1931 const char *errmsg = NULL;
1932 gss_name_t name = NULL;
1933
1934 xdr_free(xdr_gpol_ret, (char *) &ret);
1935
1936 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1937 return &ret;
1938
1939 if ((ret.code = check_handle((void *) handle)))
1940 goto error;
1941
1942 ret.api_version = handle->api_version;
1943
1944 funcname = handle->api_version == KADM5_API_VERSION_1 ?
1945 "kadm5_get_policy (V1)" : "kadm5_get_policy";
1946
1947 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1948 ret.code = KADM5_FAILURE;
1949 goto error;
1950 }
1951 prime_arg = arg->name;
1952 ret.code = KADM5_AUTH_GET;
1953
1954 if (!(name = get_clnt_name(rqstp))) {
1955 ret.code = KADM5_FAILURE;
1956 goto error;
1957 }
1958
1959 if (!CHANGEPW_SERVICE(rqstp) && kadm5int_acl_check(handle->context,
1960 name,
1961 ACL_INQUIRE, NULL, NULL))
1962 ret.code = KADM5_OK;
1963 else {
1964 ret.code = kadm5_get_principal(handle->lhandle,
1965 handle->current_caller,
1966 &caller_ent,
1967 KADM5_PRINCIPAL_NORMAL_MASK);
1968 if (ret.code == KADM5_OK) {
1969 if (caller_ent.aux_attributes & KADM5_POLICY &&
1970 strcmp(caller_ent.policy, arg->name) == 0) {
1971 ret.code = KADM5_OK;
1972 } else ret.code = KADM5_AUTH_GET;
1973 ret2 = kadm5_free_principal_ent(handle->lhandle,
1974 &caller_ent);
1975 ret.code = ret.code ? ret.code : ret2;
1976 }
1977 }
1978
1979 if (ret.code == KADM5_OK) {
1980 if (handle->api_version == KADM5_API_VERSION_1) {
1981 ret.code = kadm5_get_policy_v1((void *)handle, arg->name, &e);
1982 if(ret.code == KADM5_OK) {
1983 memcpy(&ret.rec, e, sizeof(kadm5_policy_ent_rec));
1984 free(e);
1985 }
1986 } else {
1987 ret.code = kadm5_get_policy((void *)handle, arg->name,
1988 &ret.rec);
1989 }
1990
1991 /* Solaris Kerberos */
1992 if( ret.code != 0 )
1993 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
1994
1995 audit_kadmind_auth(rqstp->rq_xprt, l_port,
1996 funcname, prime_arg, client_name, ret.code);
1997 log_done(funcname,
1998 ((prime_arg == NULL) ? "(null)" : prime_arg),
1999 errmsg ? errmsg : "success",
2000 client_name, service_name, client_addr(rqstp, buf));
2001
2002 if (errmsg != NULL)
2003 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
2004
2005 } else {
2006 audit_kadmind_unauth(rqstp->rq_xprt, l_port,
2007 funcname, prime_arg, client_name);
2008 log_unauth(funcname, prime_arg,
2009 client_name, service_name, client_addr(rqstp, buf));
2010 }
2011
2012 error:
2013 if (name)
2014 gss_release_name(&min_stat, &name);
2015 free_server_handle(handle);
2016 if (client_name)
2017 free(client_name);
2018 if (service_name)
2019 free(service_name);
2020 return (&ret);
2021
2022 }
2023
2024 gpols_ret *
get_pols_2_svc(gpols_arg * arg,struct svc_req * rqstp)2025 get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp)
2026 {
2027 static gpols_ret ret;
2028 char *prime_arg = NULL;
2029 char *client_name = NULL, *service_name = NULL;
2030 OM_uint32 min_stat;
2031 kadm5_server_handle_t handle;
2032 const char *errmsg = NULL;
2033 gss_name_t name = NULL;
2034
2035 xdr_free(xdr_gpols_ret, (char *) &ret);
2036
2037 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
2038 return &ret;
2039
2040 if ((ret.code = check_handle((void *)handle)))
2041 goto error;
2042
2043 ret.api_version = handle->api_version;
2044
2045 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
2046 ret.code = KADM5_FAILURE;
2047 goto error;
2048 }
2049 prime_arg = arg->exp;
2050 if (prime_arg == NULL)
2051 prime_arg = "*";
2052
2053 if (!(name = get_clnt_name(rqstp))) {
2054 ret.code = KADM5_FAILURE;
2055 goto error;
2056 }
2057
2058 if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
2059 name,
2060 ACL_LIST, NULL, NULL)) {
2061 ret.code = KADM5_AUTH_LIST;
2062
2063 audit_kadmind_unauth(rqstp->rq_xprt, l_port,
2064 "kadm5_get_policies",
2065 prime_arg, client_name);
2066 log_unauth("kadm5_get_policies", prime_arg,
2067 client_name, service_name, client_addr(rqstp, buf));
2068 } else {
2069 ret.code = kadm5_get_policies((void *)handle,
2070 arg->exp, &ret.pols,
2071 &ret.count);
2072 /* Solaris Kerberos */
2073 if( ret.code != 0 )
2074 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
2075
2076 audit_kadmind_auth(rqstp->rq_xprt, l_port,
2077 "kadm5_get_policies",
2078 prime_arg, client_name, ret.code);
2079 log_done("kadm5_get_policies", prime_arg,
2080 errmsg ? errmsg : "success",
2081 client_name, service_name, client_addr(rqstp, buf));
2082
2083 if (errmsg != NULL)
2084 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
2085 }
2086
2087 error:
2088 if (name)
2089 gss_release_name(&min_stat, &name);
2090 free_server_handle(handle);
2091 if (client_name)
2092 free(client_name);
2093 if (service_name)
2094 free(service_name);
2095 return (&ret);
2096 }
2097
get_privs_2_svc(krb5_ui_4 * arg,struct svc_req * rqstp)2098 getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
2099 {
2100 static getprivs_ret ret;
2101 char *client_name = NULL, *service_name = NULL;
2102 OM_uint32 min_stat;
2103 kadm5_server_handle_t handle;
2104 const char *errmsg = NULL;
2105 gss_name_t name = NULL;
2106
2107 xdr_free(xdr_getprivs_ret, (char *) &ret);
2108
2109 if ((ret.code = new_server_handle(*arg, rqstp, &handle)))
2110 return &ret;
2111
2112 if ((ret.code = check_handle((void *)handle)))
2113 goto error;
2114
2115 ret.api_version = handle->api_version;
2116
2117 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
2118 ret.code = KADM5_FAILURE;
2119 goto error;
2120 }
2121 if (!(name = get_clnt_name(rqstp))) {
2122 ret.code = KADM5_FAILURE;
2123 goto error;
2124 }
2125
2126 ret.code = __kadm5_get_priv((void *) handle, &ret.privs, name);
2127 /* Solaris Kerberos */
2128 if( ret.code != 0 )
2129 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
2130
2131 audit_kadmind_auth(rqstp->rq_xprt, l_port,
2132 "kadm5_get_privs", NULL, client_name,
2133 ret.code);
2134 log_done("kadm5_get_privs", client_name,
2135 errmsg ? errmsg : "success",
2136 client_name, service_name, client_addr(rqstp, buf));
2137
2138 if (errmsg != NULL)
2139 krb5_free_error_message(handle ? handle->context : NULL, errmsg);
2140
2141 error:
2142 if (name)
2143 gss_release_name(&min_stat, &name);
2144 free_server_handle(handle);
2145 if (client_name)
2146 free(client_name);
2147 if (service_name)
2148 free(service_name);
2149 return (&ret);
2150 }
2151
init_2_svc(krb5_ui_4 * arg,struct svc_req * rqstp)2152 generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
2153 {
2154 static generic_ret ret;
2155 char *client_name, *service_name;
2156 kadm5_server_handle_t handle;
2157 const char *errmsg = NULL;
2158 size_t clen, slen;
2159 char *cdots, *sdots;
2160
2161 xdr_free(xdr_generic_ret, (char *) &ret);
2162
2163 if ((ret.code = new_server_handle(*arg, rqstp, &handle)))
2164 return &ret;
2165 if (! (ret.code = check_handle((void *)handle))) {
2166 ret.api_version = handle->api_version;
2167 }
2168
2169 free_server_handle(handle);
2170
2171 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
2172 ret.code = KADM5_FAILURE;
2173 return &ret;
2174 }
2175
2176 /* Solaris Kerberos */
2177 if (ret.code != 0)
2178 errmsg = krb5_get_error_message(NULL, ret.code);
2179
2180 audit_kadmind_auth(rqstp->rq_xprt, l_port,
2181 (ret.api_version == KADM5_API_VERSION_1 ?
2182 "kadm5_init (V1)" : "kadm5_init"),
2183 NULL, client_name, ret.code);
2184
2185 clen = strlen(client_name);
2186 trunc_name(&clen, &cdots);
2187 slen = strlen(service_name);
2188 trunc_name(&slen, &sdots);
2189 krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, "
2190 "client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d",
2191 (ret.api_version == KADM5_API_VERSION_1 ?
2192 "kadm5_init (V1)" : "kadm5_init"),
2193 clen, client_name, cdots,
2194 errmsg ? errmsg : "success",
2195 clen, client_name, cdots,
2196 slen, service_name, sdots,
2197 client_addr(rqstp, buf),
2198 rqstp->rq_cred.oa_flavor);
2199 if (errmsg != NULL)
2200 krb5_free_error_message(NULL, errmsg);
2201 free(client_name);
2202 free(service_name);
2203
2204 return (&ret);
2205 }
2206