1.\" Copyright (c) 1998 - 2006 Kungliga Tekniska H�gskolan 2.\" (Royal Institute of Technology, Stockholm, Sweden). 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 16.\" 3. Neither the name of the Institute nor the names of its contributors 17.\" may be used to endorse or promote products derived from this software 18.\" without specific prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30.\" SUCH DAMAGE. 31.\" 32.\" $Id: kafs.3 17380 2006-05-01 07:01:18Z lha $ 33.\" 34.Dd May 1, 2006 35.Os HEIMDAL 36.Dt KAFS 3 37.Sh NAME 38.Nm k_hasafs , 39.Nm k_hasafs_recheck , 40.Nm k_pioctl , 41.Nm k_unlog , 42.Nm k_setpag , 43.Nm k_afs_cell_of_file , 44.Nm kafs_set_verbose , 45.Nm kafs_settoken_rxkad , 46.Nm kafs_settoken , 47.Nm krb_afslog , 48.Nm krb_afslog_uid , 49.Nm kafs_settoken5 , 50.Nm krb5_afslog , 51.Nm krb5_afslog_uid 52.Nd AFS library 53.Sh LIBRARY 54AFS cache manager access library (libkafs, -lkafs) 55.Sh SYNOPSIS 56.In kafs.h 57.Ft int 58.Fn k_afs_cell_of_file "const char *path" "char *cell" "int len" 59.Ft int 60.Fn k_hasafs "void" 61.Ft int 62.Fn k_hasafs_recheck "void" 63.Ft int 64.Fn k_pioctl "char *a_path" "int o_opcode" "struct ViceIoctl *a_paramsP" "int a_followSymlinks" 65.Ft int 66.Fn k_setpag "void" 67.Ft int 68.Fn k_unlog "void" 69.Ft void 70.Fn kafs_set_verbose "void (*func)(void *, const char *, int)" "void *" 71.Ft int 72.Fn kafs_settoken_rxkad "const char *cell" "struct ClearToken *token" "void *ticket" "size_t ticket_len" 73.Ft int 74.Fn kafs_settoken "const char *cell" "uid_t uid" "CREDENTIALS *c" 75.Fn krb_afslog "char *cell" "char *realm" 76.Ft int 77.Fn krb_afslog_uid "char *cell" "char *realm" "uid_t uid" 78.Ft krb5_error_code 79.Fn krb5_afslog_uid "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm" "uid_t uid" 80.Ft int 81.Fn kafs_settoken5 "const char *cell" "uid_t uid" "krb5_creds *c" 82.Ft krb5_error_code 83.Fn krb5_afslog "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm" 84.Sh DESCRIPTION 85.Fn k_hasafs 86initializes some library internal structures, and tests for the 87presence of AFS in the kernel, none of the other functions should be 88called before 89.Fn k_hasafs 90is called, or if it fails. 91.Pp 92.Fn k_hasafs_recheck 93forces a recheck if a AFS client has started since last time 94.Fn k_hasafs 95or 96.Fn k_hasafs_recheck 97was called. 98.Pp 99.Fn kafs_set_verbose 100set a log function that will be called each time the kafs library does 101something important so that the application using libkafs can output 102verbose logging. 103Calling the function 104.Fa kafs_set_verbose 105with the function argument set to 106.Dv NULL 107will stop libkafs from calling the logging function (if set). 108.Pp 109.Fn kafs_settoken_rxkad 110set 111.Li rxkad 112with the 113.Fa token 114and 115.Fa ticket 116(that have the length 117.Fa ticket_len ) 118for a given 119.Fa cell . 120.Pp 121.Fn kafs_settoken 122and 123.Fn kafs_settoken5 124work the same way as 125.Fn kafs_settoken_rxkad 126but internally converts the Kerberos 4 or 5 credential to a afs 127cleartoken and ticket. 128.Pp 129.Fn krb_afslog , 130and 131.Fn krb_afslog_uid 132obtains new tokens (and possibly tickets) for the specified 133.Fa cell 134and 135.Fa realm . 136If 137.Fa cell 138is 139.Dv NULL , 140the local cell is used. If 141.Fa realm 142is 143.Dv NULL , 144the function tries to guess what realm to use. Unless you have some good knowledge of what cell or realm to use, you should pass 145.Dv NULL . 146.Fn krb_afslog 147will use the real user-id for the 148.Dv ViceId 149field in the token, 150.Fn krb_afslog_uid 151will use 152.Fa uid . 153.Pp 154.Fn krb5_afslog , 155and 156.Fn krb5_afslog_uid 157are the Kerberos 5 equivalents of 158.Fn krb_afslog , 159and 160.Fn krb_afslog_uid . 161.Pp 162.Fn krb5_afslog , 163.Fn kafs_settoken5 164can be configured to behave differently via a 165.Nm krb5_appdefault 166option 167.Li afs-use-524 168in 169.Pa krb5.conf . 170Possible values for 171.Li afs-use-524 172are: 173.Bl -tag -width local 174.It yes 175use the 524 server in the realm to convert the ticket 176.It no 177use the Kerberos 5 ticket directly, can be used with if the afs cell 178support 2b token. 179.It local, 2b 180convert the Kerberos 5 credential to a 2b token locally (the same work 181as a 2b 524 server should have done). 182.El 183.Pp 184Example: 185.Pp 186.Bd -literal 187[appdefaults] 188 SU.SE = { afs-use-524 = local } 189 PDC.KTH.SE = { afs-use-524 = yes } 190 afs-use-524 = yes 191.Ed 192.Pp 193libkafs will use the 194.Li libkafs 195as application name when running the 196.Nm krb5_appdefault 197function call. 198.Pp 199The (uppercased) cell name is used as the realm to the 200.Nm krb5_appdefault function. 201.Pp 202.\" The extra arguments are the ubiquitous context, and the cache id where 203.\" to store any obtained tickets. Since AFS servers normally can't handle 204.\" Kerberos 5 tickets directly, these functions will first obtain version 205.\" 5 tickets for the requested cells, and then convert them to version 4 206.\" tickets, that can be stashed in the kernel. To convert tickets the 207.\" .Fn krb524_convert_creds_kdc 208.\" function will be used. 209.\" .Pp 210.Fn k_afs_cell_of_file 211will in 212.Fa cell 213return the cell of a specified file, no more than 214.Fa len 215characters is put in 216.Fa cell . 217.Pp 218.Fn k_pioctl 219does a 220.Fn pioctl 221system call with the specified arguments. This function is equivalent to 222.Fn lpioctl . 223.Pp 224.Fn k_setpag 225initializes a new PAG. 226.Pp 227.Fn k_unlog 228removes destroys all tokens in the current PAG. 229.Sh RETURN VALUES 230.Fn k_hasafs 231returns 1 if AFS is present in the kernel, 0 otherwise. 232.Fn krb_afslog 233and 234.Fn krb_afslog_uid 235returns 0 on success, or a Kerberos error number on failure. 236.Fn k_afs_cell_of_file , 237.Fn k_pioctl , 238.Fn k_setpag , 239and 240.Fn k_unlog 241all return the value of the underlaying system call, 0 on success. 242.Sh ENVIRONMENT 243The following environment variable affect the mode of operation of 244.Nm kafs : 245.Bl -tag -width AFS_SYSCALL 246.It Ev AFS_SYSCALL 247Normally, 248.Nm kafs 249will try to figure out the correct system call(s) that are used by AFS 250by itself. If it does not manage to do that, or does it incorrectly, 251you can set this variable to the system call number or list of system 252call numbers that should be used. 253.El 254.Sh EXAMPLES 255The following code from 256.Nm login 257will obtain a new PAG and tokens for the local cell and the cell of 258the users home directory. 259.Bd -literal 260if (k_hasafs()) { 261 char cell[64]; 262 k_setpag(); 263 if(k_afs_cell_of_file(pwd->pw_dir, cell, sizeof(cell)) == 0) 264 krb_afslog(cell, NULL); 265 krb_afslog(NULL, NULL); 266} 267.Ed 268.Sh ERRORS 269If any of these functions (apart from 270.Fn k_hasafs ) 271is called without AFS being present in the kernel, the process will 272usually (depending on the operating system) receive a SIGSYS signal. 273.Sh SEE ALSO 274.Xr krb5_appdefault 3 , 275.Xr krb5.conf 5 276.Rs 277.%A Transarc Corporation 278.%J AFS-3 Programmer's Reference 279.%T File Server/Cache Manager Interface 280.%D 1991 281.Re 282.Sh BUGS 283.Ev AFS_SYSCALL 284has no effect under AIX. 285