/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
 *
 * $Source$
 */

/*
 * Copyright (C) 1998 by the FundsXpress, INC.
 *
 * All rights reserved.
 *
 * Export of this software from the United States of America may require
 * a specific license from the United States Government.  It is the
 * responsibility of any person or organization contemplating export to
 * obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of FundsXpress. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission.  FundsXpress makes no representations about the suitability of
 * this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
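 */

#include <k5-int.h>
#include <ctype.h>
#include <kdb.h>
#include <kadm5/admin.h>
#include <adm_proto.h>

#include "fake-addrinfo.h"


#include <krb5.h>
#include <kdb.h>
#include "kdb5_util.h"

static int add_admin_princ(void *handle, krb5_context context,
                           char *name, char *realm, int attrs, int lifetime);
static int add_admin_princs(void *handle, krb5_context context, char *realm);

#define ERR 1
#define OK 0

/* Max lifetimes handed to kadm5_create_principal; parenthesized so the
 * expressions stay intact wherever the macros are expanded. */
#define ADMIN_LIFETIME (60*60*3)     /* 3 hours */
#define CHANGEPW_LIFETIME (60*5)     /* 5 minutes */

/*
 * Function: kadm5_create
 *
 * Purpose: create admin principals in KDC database
 *
 * Arguments: params (r) configuration parameters to use
 *
 * Returns: 0 on success, 1 if the configuration cannot be read, otherwise
 * the status returned by kadm5_create_magic_princs.
 *
 * Effects: Creates KADM5_ADMIN_SERVICE and KADM5_CHANGEPW_SERVICE
 * principals in the KDC database and sets their attributes
 * appropriately.
 */
int kadm5_create(kadm5_config_params *params)
{
    int retval;
    kadm5_config_params lparams;

    /*
     * The lock file has to exist before calling kadm5_init, but
     * params->admin_lockfile may not be set yet...
     * (No lock file is touched in this function; the resolved parameters
     * are simply passed on to kadm5_create_magic_princs.)
     */
    retval = kadm5_get_config_params(util_context, 1, params, &lparams);
    if (retval) {
        com_err(progname, retval, _("while looking up the Kerberos "
                                    "configuration"));
        return 1;
    }

    retval = kadm5_create_magic_princs(&lparams, util_context);

    /* lparams was filled in by kadm5_get_config_params and must be released
     * whether or not principal creation succeeded. */
    kadm5_free_config_params(util_context, &lparams);

    return retval;
}

/*
 * Function: kadm5_create_magic_princs
 *
 * Purpose: initialize the kadm5 interface for the realm named in params
 * and create the admin service principals through it.
 *
 * Arguments: params  (r) resolved configuration parameters; params->realm
 *                        is the realm the principals are created in
 *            context (r) krb5 context
 *
 * Returns: 0 on success, or the error from krb5_klog_init, kadm5_init or
 * add_admin_princs.
 *
 * Effects: Logging is initialized as "admin_server" and closed again on
 * every return path after that point, including kadm5_init failure.
 */
int kadm5_create_magic_princs(kadm5_config_params *params,
                              krb5_context context)
{
    int retval;
    void *handle = NULL;

    retval = krb5_klog_init(context, "admin_server", progname, 0);
    if (retval)
        return retval;
    retval = kadm5_init(context, progname, NULL, NULL, params,
                        KADM5_STRUCT_VERSION,
                        KADM5_API_VERSION_4,
                        db5util_db_args,
                        &handle);
    if (retval) {
        com_err(progname, retval, _("while initializing the Kerberos admin "
                                    "interface"));
        /* Previously returned here without releasing the logging state
         * set up by krb5_klog_init above. */
        goto cleanup;
    }

    retval = add_admin_princs(handle, context, params->realm);

    kadm5_destroy(handle);

cleanup:
    krb5_klog_close(context);

    return retval;
}

/*
 * Function: add_admin_princs
 *
 * Purpose: create the admin service principals
 *
 * Arguments:
 *
 *      handle  (r) kadm5 server handle returned by kadm5_init
 *      context (r) krb5 context
 *      realm   (r) realm name appended to each principal name
 *      <return value> (output) status, OK for success, ERR for serious error
 *
 * Requires:
 *
 * Effects:
 *
 *      add_admin_princs creates KADM5_ADMIN_SERVICE and
 *      KADM5_CHANGEPW_SERVICE, in that order, and stops at the first one
 *      that cannot be created.  A principal that already exists
 *      (KADM5_DUP) is not an error, so the attributes of an existing
 *      entry are neither checked nor corrected here.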
 */
static int add_admin_princs(void *handle, krb5_context context, char *realm)
{
    /* The two service principals, attempted in this order; the second is
     * only tried when the first succeeded (or already existed). */
    static const struct {
        char *name;
        int attrs;
        int lifetime;
    } services[] = {
        { KADM5_ADMIN_SERVICE,
          KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_LOCKDOWN_KEYS,
          ADMIN_LIFETIME },
        { KADM5_CHANGEPW_SERVICE,
          KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE |
          KRB5_KDB_LOCKDOWN_KEYS,
          CHANGEPW_LIFETIME },
    };
    size_t i;
    int status = OK;

    for (i = 0; i < sizeof(services) / sizeof(services[0]); i++) {
        status = add_admin_princ(handle, context, services[i].name, realm,
                                 services[i].attrs, services[i].lifetime);
        if (status != OK)
            break;
    }

    return status;
}

/*
 * Function: add_admin_princ
 *
 * Arguments:
 *
 *      handle   (r) kadm5 server handle returned by kadm5_init
 *      context  (r) krb5 context used to parse and free the principal
 *      name     (r) principal name, without realm
 *      realm    (r) realm name appended to name
 *      attrs    (r) principal's attributes (KRB5_KDB_* flags)
 *      lifetime (r) principal's max life, or 0 to leave it unset
 *
 * Returns:
 *
 *      OK on success, or when the principal already exists (KADM5_DUP)
 *      ERR on serious errors
 *
 * Effects:
 *
 *      Creates name@realm with attributes attrs and, when lifetime is
 *      non-zero, a max life of lifetime.  A principal that already
 *      exists is left untouched; its attributes are not compared
 *      against attrs.
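 */

/* Defined static to match the prototype at the top of the file. */
static int add_admin_princ(void *handle, krb5_context context,
                           char *name, char *realm, int attrs, int lifetime)
{
    char *fullname = NULL;
    krb5_error_code ret;
    kadm5_principal_ent_rec ent;
    long flags;
    int fret = ERR;

    /* ent.principal starts out NULL so the cleanup free is always safe. */
    memset(&ent, 0, sizeof(ent));

    if (asprintf(&fullname, "%s@%s", name, realm) < 0) {
        /* On failure asprintf leaves the pointer unspecified; reset it so
         * the free() in cleanup sees NULL rather than garbage. */
        fullname = NULL;
        com_err(progname, ENOMEM, _("while appending realm to principal"));
        goto cleanup;
    }
    ret = krb5_parse_name(context, fullname, &ent.principal);
    if (ret) {
        com_err(progname, ret, _("while parsing admin principal name"));
        goto cleanup;
    }
    ent.max_life = lifetime;
    ent.attributes = attrs;

    /* Only ask kadm5 to set the max life when the caller supplied one. */
    flags = KADM5_PRINCIPAL | KADM5_ATTRIBUTES;
    if (lifetime)
        flags |= KADM5_MAX_LIFE;
    ret = kadm5_create_principal(handle, &ent, flags, NULL);
    /* An already existing principal is accepted as-is; its attributes are
     * not compared with attrs here. */
    if (ret && ret != KADM5_DUP) {
        com_err(progname, ret, _("while creating principal %s"), fullname);
        goto cleanup;
    }

    fret = OK;
cleanup:
    krb5_free_principal(context, ent.principal);
    free(fullname);
    return fret;
}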