xref: /titanic_41/usr/src/cmd/krb5/kadmin/cli/kadmin.c (revision 9e26e16f703d2dfcc0689de957c21efcb72473e6)
1 /*
2  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #pragma ident	"%Z%%M%	%I%	%E% SMI"
7 
8 /*
9  * Copyright 1994 by the Massachusetts Institute of Technology.
10  * All Rights Reserved.
11  *
12  * Export of this software from the United States of America may
13  *   require a specific license from the United States Government.
14  *   It is the responsibility of any person or organization contemplating
15  *   export to obtain such a license before exporting.
16  *
17  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
18  * distribute this software and its documentation for any purpose and
19  * without fee is hereby granted, provided that the above copyright
20  * notice appear in all copies and that both that copyright notice and
21  * this permission notice appear in supporting documentation, and that
22  * the name of M.I.T. not be used in advertising or publicity pertaining
23  * to distribution of the software without specific, written prior
24  * permission.  Furthermore if you modify this software you must label
25  * your software as modified software and not distribute it in such a
26  * fashion that it might be confused with the original M.I.T. software.
27  * M.I.T. makes no representations about the suitability of
28  * this software for any purpose.  It is provided "as is" without express
29  * or implied warranty.
30  *
31  * kadmin.c: base functions for a kadmin command line interface using
32  * the OVSecure library
33  */
34 
35 #include <krb5.h>
36 #include <kadm5/admin.h>
37 #include <krb5/adm_proto.h>
38 #include <stdio.h>
39 #include <string.h>
40 #include <sys/types.h>
41 #include <math.h>
42 #include <unistd.h>
43 #include <pwd.h>
44 /* #include <sys/timeb.h> */
45 #include <time.h>
46 #include <libintl.h>
47 
48 /*
49  * Solaris:  the following are needed for paging
50  */
51 #include <signal.h>
52 #include <sys/wait.h>
53 
54 /* command name when called "locally" (i.e. non-networked client ) */
55 #define KADMIN_LOCAL_NAME "kadmin.local"
56 
57 /* functions defined in remote/local specific files */
58 extern void usage(const char *);
59 
60 /* special struct to convert flag names for principals
61    to actual krb5_flags for a principal */
62 struct pflag {
63     char *flagname;		/* name of flag as typed to CLI */
64     int flaglen;		/* length of string (not counting -,+) */
65     krb5_flags theflag;		/* actual principal flag to set/clear */
66     int set;			/* 0 means clear, 1 means set (on '-') */
67 };
68 
69 static struct pflag flags[] = {
70 {"allow_postdated",	15,	KRB5_KDB_DISALLOW_POSTDATED,	1},
71 {"allow_forwardable",	17,	KRB5_KDB_DISALLOW_FORWARDABLE,	1},
72 {"allow_tgs_req",	13,	KRB5_KDB_DISALLOW_TGT_BASED,	1},
73 {"allow_renewable",	15,	KRB5_KDB_DISALLOW_RENEWABLE,	1},
74 {"allow_proxiable",	15,	KRB5_KDB_DISALLOW_PROXIABLE,	1},
75 {"allow_dup_skey",	14,	KRB5_KDB_DISALLOW_DUP_SKEY,	1},
76 {"allow_tix",		9,	KRB5_KDB_DISALLOW_ALL_TIX,	1},
77 {"requires_preauth",	16,	KRB5_KDB_REQUIRES_PRE_AUTH,	0},
78 {"requires_hwauth",	15,	KRB5_KDB_REQUIRES_HW_AUTH,	0},
79 {"needchange",		10,	KRB5_KDB_REQUIRES_PWCHANGE,	0},
80 {"allow_svr",		9,	KRB5_KDB_DISALLOW_SVR,		1},
81 {"password_changing_service",	25,	KRB5_KDB_PWCHANGE_SERVICE,	0 },
82 {"support_desmd5",	14,	KRB5_KDB_SUPPORT_DESMD5,	0 }
83 };
84 
85 static char *prflags[] = {
86     "DISALLOW_POSTDATED",	/* 0x00000001 */
87     "DISALLOW_FORWARDABLE",	/* 0x00000002 */
88     "DISALLOW_TGT_BASED",	/* 0x00000004 */
89     "DISALLOW_RENEWABLE",	/* 0x00000008 */
90     "DISALLOW_PROXIABLE",	/* 0x00000010 */
91     "DISALLOW_DUP_SKEY",	/* 0x00000020 */
92     "DISALLOW_ALL_TIX",		/* 0x00000040 */
93     "REQUIRES_PRE_AUTH",	/* 0x00000080 */
94     "REQUIRES_HW_AUTH",		/* 0x00000100 */
95     "REQUIRES_PWCHANGE",	/* 0x00000200 */
96     "UNKNOWN_0x00000400",	/* 0x00000400 */
97     "UNKNOWN_0x00000800",	/* 0x00000800 */
98     "DISALLOW_SVR",		/* 0x00001000 */
99     "PWCHANGE_SERVICE",		/* 0x00002000 */
100     "SUPPORT_DESMD5",		/* 0x00004000 */
101     "NEW_PRINC",		/* 0x00008000 */
102 };
103 
104 char *getenv();
105 int exit_status = 0;
106 char *def_realm = NULL;
107 char *whoami = NULL;
108 
109 void *handle = NULL;
110 krb5_context context;
111 char *ccache_name = NULL;
112 
113 int locked = 0;
114 static char *strdur(duration)
115     time_t duration;
116 {
117     static char out[50];
118     int neg, days, hours, minutes, seconds;
119 
120     if (duration < 0) {
121 	duration *= -1;
122 	neg = 1;
123     } else
124 	neg = 0;
125     days = duration / (24 * 3600);
126     duration %= 24 * 3600;
127     hours = duration / 3600;
128     duration %= 3600;
129     minutes = duration / 60;
130     duration %= 60;
131     seconds = duration;
132     snprintf(out, sizeof (out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
133 	    days, days == 1 ? gettext("day") : gettext("days"),
134 	    hours, minutes, seconds);
135     return out;
136 }
137 
138 static char *strdate(when)
139     krb5_timestamp when;
140 {
141     struct tm *tm;
142     static char out[40];
143 
144     time_t lcltim = when;
145     tm = localtime(&lcltim);
146     strftime(out, sizeof(out), gettext("%a %b %d %H:%M:%S %Z %Y"), tm);
147     return out;
148 }
149 
150 /* this is a wrapper to go around krb5_parse_principal so we can set
151    the default realm up properly */
152 static krb5_error_code
153 kadmin_parse_name(name, principal)
154     char *name;
155     krb5_principal *principal;
156 {
157     char *cp, *fullname;
158     krb5_error_code retval;
159 
160     if (name == NULL)
161 	return (EINVAL);
162 
163     /* assumes def_realm is initialized! */
164     fullname = (char *)malloc(strlen(name) + 1 + strlen(def_realm) + 1);
165     if (fullname == NULL)
166 	return ENOMEM;
167     strcpy(fullname, name);
168     cp = strchr(fullname, '@');
169     while (cp) {
170 	if (cp - fullname && *(cp - 1) != '\\')
171 	    break;
172 	else
173 	    cp = strchr(cp + 1, '@');
174     }
175     if (cp == NULL) {
176 	strcat(fullname, "@");
177 	strcat(fullname, def_realm);
178     }
179     retval = krb5_parse_name(context, fullname, principal);
180     free(fullname);
181     return retval;
182 }
183 
184 char *kadmin_startup(argc, argv)
185     int argc;
186     char *argv[];
187 {
188     extern char *optarg;
189     char *princstr = NULL, *keytab_name = NULL, *query = NULL;
190     char *password = NULL;
191     char *luser, *canon, *cp;
192     int optchar, freeprinc = 0, use_keytab = 0;
193     struct passwd *pw;
194     kadm5_ret_t retval;
195     krb5_ccache cc;
196     krb5_principal princ;
197     kadm5_config_params params;
198     char *svcname = NULL;
199 
200     memset((char *) &params, 0, sizeof(params));
201 
202     retval = krb5_init_context(&context);
203     if (retval) {
204 	 com_err(whoami, retval,
205 		gettext("while initializing krb5 library"));
206 	 exit(1);
207     }
208 
209     while ((optchar = getopt(argc, argv, "r:p:kq:w:d:s:mc:t:e:O")) != EOF) {
210 	switch (optchar) {
211 	case 'r':
212 	    def_realm = optarg;
213 	    break;
214 	case 'p':
215 	    princstr = optarg;
216 	    break;
217         case 'c':
218 	    ccache_name = optarg;
219 	    break;
220         case 'k':
221 	    use_keytab++;
222 	    break;
223        case 't':
224 	    keytab_name = optarg;
225 	    break;
226         case 'w':
227 	    password = optarg;
228 	    break;
229 	case 'q':
230 	    query = optarg;
231 	    break;
232         case 'd':
233 	    params.dbname = optarg;
234 	    params.mask |= KADM5_CONFIG_DBNAME;
235 	    break;
236         case 's':
237 	    params.admin_server = optarg;
238 	    params.mask |= KADM5_CONFIG_ADMIN_SERVER;
239 	    break;
240         case 'm':
241 	    params.mkey_from_kbd = 1;
242 	    params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
243 	    break;
244         case 'e':
245 	    retval = krb5_string_to_keysalts(optarg,
246 					     ", \t",
247 					     ":.-",
248 					     0,
249 					     &params.keysalts,
250 					     &params.num_keysalts);
251 	    if (retval) {
252 		 com_err(whoami, retval,
253 			gettext("while parsing keysalts %s"), optarg);
254 		 exit(1);
255 	    }
256 	    params.mask |= KADM5_CONFIG_ENCTYPES;
257 	    break;
258 	case 'O':	/* Undocumented option for testing only */
259 		svcname = KADM5_ADMIN_SERVICE_P;
260 	    break;
261 	default:
262 	    usage(whoami);
263 	}
264     }
265     if ((ccache_name && use_keytab) ||
266 	(keytab_name && !use_keytab))
267 	 usage(whoami);
268 
269     if (def_realm == NULL && krb5_get_default_realm(context, &def_realm)) {
270 	if (freeprinc)
271 	    free(princstr);
272 	fprintf(stderr,
273 		gettext("%s: unable to get default realm\n"), whoami);
274 	exit(1);
275     }
276 
277     params.mask |= KADM5_CONFIG_REALM;
278     params.realm = def_realm;
279 
280     if (svcname == NULL) {
281 	if (kadm5_get_adm_host_srv_name(context,
282 			       def_realm, &svcname)) {
283 		fprintf(stderr,
284 			gettext("%s: unable to get host based "
285 				"service name for realm %s\n"),
286 			whoami, def_realm);
287 		if (freeprinc)
288 			free(princstr);
289 		exit(1);
290 	}
291     }
292 
293     /*
294      * Set cc to an open credentials cache, either specified by the -c
295      * argument or the default.
296      */
297     if (ccache_name == NULL) {
298 	 if ((retval = krb5_cc_default(context, &cc))) {
299 	      com_err(whoami, retval,
300 				gettext("while opening default "
301 					"credentials cache"));
302 	      exit(1);
303 	 }
304     } else {
305 	 if ((retval = krb5_cc_resolve(context, ccache_name, &cc))) {
306 	      com_err(whoami, retval,
307 			gettext("while opening credentials cache %s"),
308 			ccache_name);
309 	      exit(1);
310 	 }
311     }
312 
313     /*
314      * If no principal name is specified: If a ccache was specified
315      * and its primary principal name can be read, it is used, else if
316      * a keytab was specified, the principal name is host/hostname,
317      * otherwise append "/admin" to the primary name of the default
318      * ccache, $USER, or pw_name.
319      *
320      * Gee, 100+ lines to figure out the client principal name.  This
321      * should be compressed...
322      */
323 
324     if (princstr == NULL) {
325 	if (ccache_name != NULL &&
326 	    !krb5_cc_get_principal(context, cc, &princ)) {
327 	     if ((retval = krb5_unparse_name(context, princ, &princstr))) {
328 		  com_err(whoami, retval,
329 			gettext("while canonicalizing principal name"));
330 		  krb5_free_principal(context, princ);
331 		  exit(1);
332 	     }
333 	     krb5_free_principal(context, princ);
334 	     freeprinc++;
335 	} else if (use_keytab != 0) {
336 	     if ((retval = krb5_sname_to_principal(context, NULL,
337 						   "host",
338 						   KRB5_NT_SRV_HST,
339 						   &princ))) {
340 		  com_err(whoami, retval,
341 			gettext("creating host service principal"));
342 		  exit(1);
343 	     }
344 	     if ((retval = krb5_unparse_name(context, princ, &princstr))) {
345 	          com_err(whoami, retval,
346 			gettext("while canonicalizing "
347 				"principal name"));
348 		  krb5_free_principal(context, princ);
349 		  exit(1);
350 	     }
351 	     krb5_free_principal(context, princ);
352 	     freeprinc++;
353 	} else if (!krb5_cc_get_principal(context, cc, &princ)) {
354 	    char *realm = NULL;
355 	    if (krb5_unparse_name(context, princ, &canon)) {
356 		fprintf(stderr,
357 			gettext("%s: unable to canonicalize "
358 				"principal\n"), whoami);
359 		krb5_free_principal(context, princ);
360 		exit(1);
361 	    }
362 	    /* strip out realm of principal if it's there */
363 	    realm = strchr(canon, '@');
364 	    while (realm) {
365 		if (realm - canon && *(realm - 1) != '\\')
366 		    break;
367 		else
368 		    realm = strchr(realm + 1, '@');
369 	    }
370 	    if (realm)
371 		*realm++ = '\0';
372 	    cp = strchr(canon, '/');
373 	    while (cp) {
374 		if (cp - canon && *(cp - 1) != '\\')
375 		    break;
376 		else
377 		    cp = strchr(cp + 1, '/');
378 	    }
379 	    if (cp != NULL)
380 		*cp = '\0';
381 	    princstr = (char*)malloc(strlen(canon) + 6 /* "/admin" */ +
382 				     (realm ? 1 + strlen(realm) : 0) + 1);
383 	    if (princstr == NULL) {
384 		fprintf(stderr,
385 			gettext("%s: out of memory\n"),
386 			whoami);
387 		exit(1);
388 	    }
389 	    strcpy(princstr, canon);
390 	    strcat(princstr, "/admin");
391 	    if (realm) {
392 		strcat(princstr, "@");
393 		strcat(princstr, realm);
394 	    }
395 	    free(canon);
396 	    krb5_free_principal(context, princ);
397 	    freeprinc++;
398 	} else if ((luser = getenv("USER"))) {
399 	    princstr = (char *) malloc(strlen(luser) + 7 /* "/admin@" */
400 			      + strlen(def_realm) + 1);
401 	    if (princstr == NULL) {
402 		fprintf(stderr,
403 			gettext("%s: out of memory\n"),
404 			whoami);
405 		exit(1);
406 	    }
407 	    strcpy(princstr, luser);
408 	    strcat(princstr, "/admin");
409 	    strcat(princstr, "@");
410 	    strcat(princstr, def_realm);
411 	    freeprinc++;
412 	} else if ((pw = getpwuid(getuid()))) {
413 	    princstr = (char *) malloc(strlen(pw->pw_name) + 7 /* "/admin@" */
414 			      + strlen(def_realm) + 1);
415 	    if (princstr == NULL) {
416 		fprintf(stderr,
417 			gettext("%s: out of memory\n"),
418 			whoami);
419 		exit(1);
420 	    }
421 	    strcpy(princstr, pw->pw_name);
422 	    strcat(princstr, "/admin@");
423 	    strcat(princstr, def_realm);
424 	    freeprinc++;
425 	} else {
426 	    fprintf(stderr,
427 			gettext("%s: unable to figure out "
428 				"a principal name\n"),
429 		    whoami);
430 	    exit(1);
431 	}
432     }
433 
434     retval = krb5_klog_init(context, "admin_server", whoami, 0);
435     if (retval) {
436 	com_err(whoami, retval, "while setting up logging");
437 	exit(1);
438     }
439 
440     /*
441      * Initialize the kadm5 connection.  If we were given a ccache,
442      * use it.  Otherwise, use/prompt for the password.
443      */
444     if (ccache_name) {
445 	 printf(gettext(
446 		"Authenticating as principal %s with existing credentials.\n"),
447 		princstr);
448 	 retval = kadm5_init_with_creds(princstr, cc,
449 					svcname,
450 					&params,
451 					KADM5_STRUCT_VERSION,
452 					KADM5_API_VERSION_2,
453 					&handle);
454     } else if (use_keytab) {
455 	 if (keytab_name)
456 	     printf(gettext("Authenticating as principal %s with keytab %s.\n"),
457 		    princstr, keytab_name);
458 	 else
459 	     printf(gettext(
460 		    "Authenticating as principal %s with default keytab.\n"),
461 		    princstr);
462 	 retval = kadm5_init_with_skey(princstr, keytab_name,
463 				       svcname,
464 				       &params,
465 				       KADM5_STRUCT_VERSION,
466 				       KADM5_API_VERSION_2,
467 				       &handle);
468     } else {
469 	 printf(gettext("Authenticating as principal %s with password.\n"),
470 		princstr);
471 	 retval = kadm5_init_with_password(princstr, password,
472 					   svcname,
473 					   &params,
474 					   KADM5_STRUCT_VERSION,
475 					   KADM5_API_VERSION_2,
476 					   &handle);
477     }
478     if (retval) {
479 	    if (retval == KADM5_RPC_ERROR_CANTENCODEARGS ||
480 		retval == KADM5_RPC_ERROR_CANTDECODEARGS) {
481 		    com_err(whoami, KADM5_RPC_ERROR,
482 			gettext("while initializing %s interface"), whoami);
483 
484 		    /* privacy-enabled mech probably not installed/configed */
485 		    com_err(whoami, retval, gettext("."), whoami);
486 	    } else {
487 		    com_err(whoami, retval,
488 			gettext("while initializing %s interface"), whoami);
489 	if (retval == KADM5_BAD_CLIENT_PARAMS ||
490 	    retval == KADM5_BAD_SERVER_PARAMS)
491 		usage(whoami);
492 	}
493 	exit(1);
494     }
495     if (freeprinc)
496 	free(princstr);
497 
498     if ((retval = krb5_cc_close(context, cc))) {
499 	 com_err(whoami, retval, gettext("while closing ccache %s"),
500 		 ccache_name);
501 	 exit(1);
502     }
503 
504     /* register the WRFILE keytab type and set it as the default */
505     {
506 	 /* XXX krb5_defkeyname is an internal library global and
507             should go away */
508 	 extern char *krb5_defkeyname;
509 	 krb5_defkeyname = DEFAULT_KEYTAB;
510     }
511 
512     if ((retval = kadm5_init_iprop(handle)) != 0) {
513 	com_err(whoami, retval, gettext("while mapping update log"));
514 	exit(1);
515     }
516 
517     /* Solaris kerberos: fix memory leak */
518     if (svcname)
519 	free(svcname);
520 
521     return query;
522 }
523 
524 int quit()
525 {
526     kadm5_ret_t retval;
527 
528     if (locked) {
529 	retval = kadm5_unlock(handle);
530 	if (retval) {
531 	    com_err("quit", retval, gettext("while unlocking locked database"));
532 	    return 1;
533 	}
534 	locked = 0;
535     }
536 
537      kadm5_destroy(handle);
538      if (ccache_name != NULL) {
539 	  fprintf(stderr,
540 			gettext("\n\a\a\aAdministration credentials "
541 				"NOT DESTROYED.\n"));
542      }
543 
544      /* insert more random cleanup here */
545      krb5_klog_close(context);
546      krb5_free_context(context);
547      context = NULL;
548      return 0;
549 }
550 
551 void kadmin_lock(argc, argv)
552     int argc;
553     char *argv[];
554 {
555     kadm5_ret_t retval;
556 
557     if (locked)
558 	return;
559     retval = kadm5_lock(handle);
560     if (retval) {
561 	com_err("lock", retval, "");
562 	return;
563     }
564     locked = 1;
565 }
566 
567 void kadmin_unlock(argc, argv)
568     int argc;
569     char *argv[];
570 {
571     kadm5_ret_t retval;
572 
573     if (!locked)
574 	return;
575     retval = kadm5_unlock(handle);
576     if (retval) {
577 	com_err("unlock", retval, "");
578 	return;
579     }
580     locked = 0;
581 }
582 
583 void kadmin_delprinc(argc, argv)
584     int argc;
585     char *argv[];
586 {
587     kadm5_ret_t retval;
588     krb5_principal princ;
589     char *canon;
590     char reply[32];
591 
592     if (! (argc == 2 ||
593 	   (argc == 3 && !strcmp("-force", argv[1])))) {
594 	fprintf(stderr, "%s: delete_principal [-force] %s\n",
595 			gettext("usage"), gettext("principal"));
596 	return;
597     }
598     retval = kadmin_parse_name(argv[argc - 1], &princ);
599     if (retval) {
600 	com_err("delete_principal", retval,
601 			gettext("while parsing principal name"));
602 	return;
603     }
604     retval = krb5_unparse_name(context, princ, &canon);
605     if (retval) {
606 	com_err("delete_principal", retval,
607 			gettext("while canonicalizing principal"));
608 	krb5_free_principal(context, princ);
609 	return;
610     }
611     if (argc == 2) {
612 	printf(gettext("Are you sure you want to delete "
613 			    "the principal \"%s\"? (yes/no): "), canon);
614 	fgets(reply, sizeof (reply), stdin);
615 		if (strncmp(gettext("yes\n"), reply, sizeof (reply)) &&
616 			strncmp(gettext("y\n"), reply, sizeof (reply)) &&
617 			strncmp(gettext("Y\n"), reply, sizeof (reply))) {
618 			fprintf(stderr,
619 				gettext("Principal \"%s\" not deleted\n"),
620 				canon);
621 	    free(canon);
622 	    krb5_free_principal(context, princ);
623 	    return;
624 	}
625     }
626     retval = kadm5_delete_principal(handle, princ);
627     krb5_free_principal(context, princ);
628     if (retval) {
629 	com_err("delete_principal", retval,
630 			gettext("while deleting principal \"%s\""), canon);
631 	free(canon);
632 	return;
633     }
634     printf(gettext("Principal \"%s\" deleted.\n"), canon);
635 	printf(gettext("Make sure that you have removed this principal "
636 			"from all ACLs before reusing.\n"));
637     free(canon);
638     return;
639 }
640 
641 void kadmin_cpw(argc, argv)
642     int argc;
643     char *argv[];
644 {
645     kadm5_ret_t retval;
646     static char newpw[1024];
647     static char prompt1[1024], prompt2[1024];
648     char *canon;
649     char *pwarg = NULL;
650     int n_ks_tuple = 0, randkey = 0;
651     krb5_boolean keepold = FALSE;
652     krb5_key_salt_tuple *ks_tuple = NULL;
653     krb5_principal princ;
654     int local_kadmin = 0;
655 
656     local_kadmin = (strcmp(whoami, KADMIN_LOCAL_NAME) == 0);
657 
658     if (argc < 2) {
659 	 goto usage;
660     }
661     for (argv++, argc--; argc > 1; argc--, argv++) {
662 	if (!strcmp("-pw", *argv)) {
663 	    argc--;
664 	    if (argc < 1) {
665 		fprintf(stderr, "change_password: %s",
666 			gettext("missing password arg\n"));
667 		goto usage;
668 	    }
669 	    pwarg = *++argv;
670 	    continue;
671 	}
672 	if (!strcmp("-randkey", *argv)) {
673 	    randkey++;
674 	    continue;
675 	}
676 	if (!strcmp("-keepold", *argv)) {
677 	    keepold = TRUE;
678 	    continue;
679 	}
680 	if (!strcmp("-e", *argv)) {
681 	    argc--;
682 	    if (argc < 1) {
683 		fprintf(stderr, "change_password: %s",
684 			gettext("missing keysaltlist arg\n"));
685 		goto usage;
686 	    }
687 	    retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0,
688 					     &ks_tuple, &n_ks_tuple);
689 	    if (retval) {
690 		com_err("change_password", retval,
691 			gettext("while parsing keysalts %s"), *argv);
692 		return;
693 	    }
694 	    continue;
695 	}
696 	goto usage;
697     }
698     retval = kadmin_parse_name(*argv, &princ);
699     if (retval) {
700 	com_err("change_password", retval,
701 		gettext("while parsing principal name"));
702 	if (ks_tuple != NULL)
703 	    free(ks_tuple);
704 	goto usage;
705     }
706     retval = krb5_unparse_name(context, princ, &canon);
707     if (retval) {
708 		com_err("change_password", retval,
709 			gettext("while canonicalizing principal"));
710 	krb5_free_principal(context, princ);
711 	if (ks_tuple != NULL)
712 	    free(ks_tuple);
713 	return;
714     }
715     if (pwarg != NULL) {
716 	if (keepold || ks_tuple != NULL) {
717 	    retval = kadm5_chpass_principal_3(handle, princ, keepold,
718 					      n_ks_tuple, ks_tuple, pwarg);
719 	    if (ks_tuple != NULL)
720 		free(ks_tuple);
721 	} else {
722 	    retval = kadm5_chpass_principal(handle, princ, pwarg);
723 	}
724 	krb5_free_principal(context, princ);
725 	if (retval) {
726 	    com_err("change_password", retval,
727 				gettext("while changing password for \"%s\"."),
728 				canon);
729 	    free(canon);
730 	    return;
731 	}
732 		printf(gettext("Password for \"%s\" changed.\n"), canon);
733 	free(canon);
734 	return;
735     } else if (randkey) {
736 	if (keepold || ks_tuple != NULL || local_kadmin) {
737 	    retval = kadm5_randkey_principal_3(handle, princ, keepold,
738 					       n_ks_tuple, ks_tuple,
739 					       NULL, NULL);
740 	    if (ks_tuple != NULL)
741 		free(ks_tuple);
742 	} else {
743 	    retval = kadm5_randkey_principal(handle, princ, NULL, NULL);
744 	}
745 	krb5_free_principal(context, princ);
746 	if (retval) {
747 	    com_err("change_password", retval,
748 				gettext("while randomizing key for \"%s\"."),
749 				canon);
750 	    free(canon);
751 	    return;
752 	}
753 	printf(gettext("Key for \"%s\" randomized.\n"), canon);
754 	free(canon);
755 	return;
756     } else if (argc == 1) {
757 	unsigned int i = sizeof (newpw) - 1;
758 
759 		snprintf(prompt1, sizeof (prompt1),
760 			gettext("Enter password for principal \"%.900s\""),
761 			*argv);
762 		snprintf(prompt2, sizeof (prompt2),
763 			gettext("Re-enter password for principal \"%.900s\""),
764 			*argv);
765 	retval = krb5_read_password(context, prompt1, prompt2,
766 				    newpw, &i);
767 	if (retval) {
768 	    com_err("change_password", retval,
769 				gettext("while reading password for \"%s\"."),
770 				canon);
771 	    free(canon);
772 	    if (ks_tuple != NULL)
773 		free(ks_tuple);
774 	    krb5_free_principal(context, princ);
775 	    return;
776 	}
777 	if (keepold || ks_tuple != NULL) {
778 	    retval = kadm5_chpass_principal_3(handle, princ, keepold,
779 					      n_ks_tuple, ks_tuple,
780 					      newpw);
781 	    if (ks_tuple != NULL)
782 		free(ks_tuple);
783 	} else {
784 	    retval = kadm5_chpass_principal(handle, princ, newpw);
785 	}
786 	krb5_free_principal(context, princ);
787 	memset(newpw, 0, sizeof (newpw));
788 	if (retval) {
789 	    com_err("change_password", retval,
790 				gettext("while changing password for \"%s\"."),
791 				canon);
792 	    free(canon);
793 	    return;
794 	}
795 		printf(gettext("Password for \"%s\" changed.\n"), canon);
796 	free(canon);
797 	return;
798    } else {
799 	free(canon);
800 	krb5_free_principal(context, princ);
801    usage:
802 	if (ks_tuple != NULL)
803 	    free(ks_tuple);
804 		fprintf(stderr, "%s: change_password [-randkey] [-keepold] "
805 			"[-e keysaltlist] [-pw password] %s\n",
806 			gettext("usage"), gettext("principal"));
807 	return;
808    }
809 }
810 
811 static int
812 kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey,
813 			ks_tuple, n_ks_tuple, caller)
814     int argc;
815     char *argv[];
816     kadm5_principal_ent_t oprinc;
817     long *mask;
818     char **pass;
819     int *randkey;
820     krb5_key_salt_tuple **ks_tuple;
821     int *n_ks_tuple;
822     char *caller;
823 {
824     int i, j, attrib_set;
825     time_t date;
826     time_t now;
827     krb5_error_code retval;
828 
829     *mask = 0;
830     *pass = NULL;
831     *n_ks_tuple = 0;
832     *ks_tuple = NULL;
833     time(&now);
834     *randkey = 0;
835     for (i = 1; i < argc - 1; i++) {
836 	attrib_set = 0;
837 	if (strlen(argv[i]) == 7 &&
838 		    strcmp("-expire", argv[i]) == 0) {
839 	    if (++i > argc - 2)
840 		return -1;
841 	    else {
842 		date = get_date(argv[i]);
843  		if (date == (time_t)-1) {
844 		     fprintf(stderr,
845 						gettext("Invalid date "
846 							"specification "
847 							"\"%s\".\n"),
848 			     argv[i]);
849 		     return -1;
850  		}
851 		oprinc->princ_expire_time = date;
852 		*mask |= KADM5_PRINC_EXPIRE_TIME;
853 		continue;
854 	    }
855 	}
856 	if (strlen(argv[i]) == 9 &&
857 	    !strcmp("-pwexpire", argv[i])) {
858 	    if (++i > argc - 2)
859 		return -1;
860 	    else {
861 		date = get_date(argv[i]);
862  		if (date == (time_t)-1) {
863 		     fprintf(stderr,
864 						gettext("Invalid date "
865 							"specification "
866 							"\"%s\".\n"),
867 			     argv[i]);
868 		     return -1;
869  		}
870 		oprinc->pw_expiration = date;
871 		*mask |= KADM5_PW_EXPIRATION;
872 		continue;
873 	    }
874 	}
875 	if (strlen(argv[i]) == 8 &&
876 	    !strcmp("-maxlife", argv[i])) {
877 	    if (++i > argc - 2)
878 		return -1;
879 	    else {
880 		date = get_date(argv[i]);
881  		if (date == (time_t)-1) {
882 					fprintf(stderr,
883 						gettext("Invalid date "
884 							"specification "
885 							"\"%s\".\n"),
886 			     argv[i]);
887 		     return -1;
888  		}
889 				if (date <= now) {
890 					fprintf(stderr,
891 						gettext("Date specified is "
892 							"in the past "
893 							"\"%s\".\n"),
894 						argv[i]);
895 					return (-1);
896 				}
897 		oprinc->max_life = date - now;
898 		*mask |= KADM5_MAX_LIFE;
899 		continue;
900 	    }
901 	}
902 	if (strlen(argv[i]) == 13 &&
903 	    !strcmp("-maxrenewlife", argv[i])) {
904 	    if (++i > argc - 2)
905 		return -1;
906 	    else {
907 		date = get_date(argv[i]);
908  		if (date == (time_t)-1) {
909 					fprintf(stderr,
910 						gettext("Invalid date "
911 							"specification "
912 							"\"%s\".\n"),
913 			     argv[i]);
914 		     return -1;
915  		}
916 				if (date <= now) {
917 					fprintf(stderr,
918 						gettext("Date specified is "
919 							"in the past "
920 							"\"%s\".\n"),
921 						argv[i]);
922 					return (-1);
923 				}
924 		oprinc->max_renewable_life = date - now;
925 		*mask |= KADM5_MAX_RLIFE;
926 		continue;
927 	    }
928 	}
929 	if (strlen(argv[i]) == 5 &&
930 	    !strcmp("-kvno", argv[i])) {
931 	    if (++i > argc - 2)
932 		return -1;
933 	    else {
934 		oprinc->kvno = atoi(argv[i]);
935 		*mask |= KADM5_KVNO;
936 		continue;
937 	    }
938 	}
939 	if (strlen(argv[i]) == 7 &&
940 	    !strcmp("-policy", argv[i])) {
941 	    if (++i > argc - 2)
942 		return -1;
943 	    else {
944 		oprinc->policy = argv[i];
945 		*mask |= KADM5_POLICY;
946 		continue;
947 	    }
948 	}
949 	if (strlen(argv[i]) == 12 &&
950 	    !strcmp("-clearpolicy", argv[i])) {
951 	    oprinc->policy = NULL;
952 	    *mask |= KADM5_POLICY_CLR;
953 	    continue;
954 	}
955 	if (strlen(argv[i]) == 3 &&
956 	    !strcmp("-pw", argv[i])) {
957 	    if (++i > argc - 2)
958 		return -1;
959 	    else {
960 		*pass = argv[i];
961 		continue;
962 	    }
963 	}
964 	if (strlen(argv[i]) == 8 &&
965 	    !strcmp("-randkey", argv[i])) {
966 	    ++*randkey;
967 	    continue;
968 	}
969 	if (!strcmp("-e", argv[i])) {
970 	    if (++i > argc - 2)
971 		return -1;
972 	    else {
973 		retval = krb5_string_to_keysalts(argv[i], ", \t", ":.-", 0,
974 						 ks_tuple, n_ks_tuple);
975 		if (retval) {
976 		    com_err(caller, retval,
977 			    gettext("while parsing keysalts %s"), argv[i]);
978 		    return -1;
979 		}
980 	    }
981 	    continue;
982 	}
983 	for (j = 0; j < sizeof (flags) / sizeof (struct pflag); j++) {
984 	    if (strlen(argv[i]) == flags[j].flaglen + 1 &&
985 		!strcmp(flags[j].flagname,
986 			&argv[i][1] /* strip off leading + or - */)) {
987 		if ((flags[j].set && argv[i][0] == '-') ||
988 		    (!flags[j].set && argv[i][0] == '+')) {
989 		    oprinc->attributes |= flags[j].theflag;
990 		    *mask |= KADM5_ATTRIBUTES;
991 		    attrib_set++;
992 		    break;
993 		} else if ((flags[j].set && argv[i][0] == '+') ||
994 			   (!flags[j].set && argv[i][0] == '-')) {
995 		    oprinc->attributes &= ~flags[j].theflag;
996 		    *mask |= KADM5_ATTRIBUTES;
997 		    attrib_set++;
998 		    break;
999 		} else {
1000 		    return -1;
1001 		}
1002 	    }
1003 	}
1004 	if (!attrib_set)
1005 	    return -1;		/* nothing was parsed */
1006     }
1007     if (i != argc - 1) {
1008 	return -1;
1009     }
1010     retval = kadmin_parse_name(argv[i], &oprinc->principal);
1011     if (retval) {
1012 	com_err(caller, retval, gettext("while parsing principal"));
1013 	return -1;
1014     }
1015     return 0;
1016 }
1017 
1018 static void
1019 kadmin_addprinc_usage(func)
1020    char *func;
1021 {
1022 	fprintf(stderr, "%s: %s %s\n", gettext("usage"), func,
1023 		gettext("[options] principal"));
1024 	fprintf(stderr, gettext("\toptions are:\n"));
1025 	fprintf(stderr, "\t\t[-expire expdate] [-pwexpire pwexpdate] "
1026 		"[-maxlife maxtixlife]\n\t\t[-kvno kvno] [-policy policy] "
1027 		"[-randkey] [-pw password]\n\t\t[-maxrenewlife maxrenewlife] "
1028 		"[-e keysaltlist] [{+|-}attribute]\n");
1029 	fprintf(stderr, gettext("\tattributes are:\n"));
1030      fprintf(stderr, "%s%s%s",
1031 		"\t\tallow_postdated allow_forwardable allow_tgs_req "
1032 		"allow_renewable\n",
1033 		"\t\tallow_proxiable allow_dup_skey allow_tix "
1034 		"requires_preauth\n",
1035 		"\t\trequires_hwauth needchange allow_svr "
1036 		"password_changing_service\n");
1037 }
1038 
1039 static void
1040 kadmin_modprinc_usage(func)
1041    char *func;
1042 {
1043 	fprintf(stderr, "%s: %s %s\n", gettext("usage"), func,
1044 		gettext("[options] principal"));
1045 	fprintf(stderr, gettext("\toptions are:\n"));
1046 	fprintf(stderr, "\t\t[-expire expdate] [-pwexpire pwexpdate] "
1047 		"[-maxlife maxtixlife]\n\t\t[-kvno kvno] [-policy policy] "
1048 		"[-clearpolicy]\n\t\t[-maxrenewlife maxrenewlife] "
1049 		"[{+|-}attribute]\n");
1050 	fprintf(stderr, gettext("\tattributes are:\n"));
1051      fprintf(stderr, "%s%s%s",
1052 		"\t\tallow_postdated allow_forwardable allow_tgs_req "
1053 		"allow_renewable\n",
1054 		"\t\tallow_proxiable allow_dup_skey allow_tix "
1055 		"requires_preauth\n",
1056 		"\t\trequires_hwauth needchange allow_svr "
1057 		"password_changing_service\n");
1058 }
1059 
1060 void kadmin_addprinc(argc, argv)
1061     int argc;
1062     char *argv[];
1063 {
1064     kadm5_principal_ent_rec princ, dprinc;
1065     kadm5_policy_ent_rec defpol;
1066     long mask;
1067     int randkey = 0, i;
1068     int n_ks_tuple;
1069     krb5_key_salt_tuple *ks_tuple;
1070     char *pass, *canon;
1071     krb5_error_code retval;
1072     static char newpw[1024], dummybuf[256];
1073     static char prompt1[1024], prompt2[1024];
1074     int local_kadmin = 0;
1075 
1076     local_kadmin = (strcmp(whoami, KADMIN_LOCAL_NAME) == 0);
1077 
1078     if (dummybuf[0] == 0) {
1079 	 for (i = 0; i < 256; i++)
1080 	      dummybuf[i] = (i+1) % 256;
1081     }
1082 
1083     /* Zero all fields in request structure */
1084     memset(&princ, 0, sizeof(princ));
1085     memset(&dprinc, 0, sizeof(dprinc));
1086 
1087     princ.attributes = dprinc.attributes = 0;
1088     if (kadmin_parse_princ_args(argc, argv,
1089 				&princ, &mask, &pass, &randkey,
1090 				&ks_tuple, &n_ks_tuple,
1091 				"add_principal")) {
1092 	 kadmin_addprinc_usage("add_principal");
1093 	 return;
1094     }
1095 
1096     retval = krb5_unparse_name(context, princ.principal, &canon);
1097     if (retval) {
1098 	com_err("add_principal", retval,
1099 		gettext("while canonicalizing principal"));
1100 	krb5_free_principal(context, princ.principal);
1101 	if (ks_tuple != NULL)
1102 	    free(ks_tuple);
1103 	return;
1104     }
1105 
1106     /*
1107      * If -policy was not specified, and -clearpolicy was not
1108      * specified, and the policy "default" exists, assign it.  If
1109      * -clearpolicy was specified, then KADM5_POLICY_CLR should be
1110      * unset, since it is never valid for kadm5_create_principal.
1111      */
1112     if ((! (mask & KADM5_POLICY)) &&
1113 	(! (mask & KADM5_POLICY_CLR))) {
1114 	 if (! kadm5_get_policy(handle, "default", &defpol)) {
1115 	      fprintf(stderr,
1116 		gettext(
1117 		"NOTICE: no policy specified for %s; assigning \"default\"\n"),
1118 		    canon);
1119 	      princ.policy = "default";
1120 	      mask |= KADM5_POLICY;
1121 	      (void) kadm5_free_policy_ent(handle, &defpol);
1122 	 } else
1123 	      fprintf(stderr, gettext("WARNING: no policy specified "
1124 			"for %s; defaulting to no policy\n"),
1125 		      canon);
1126     }
1127     mask &= ~KADM5_POLICY_CLR;
1128 
1129     /*
1130      * Set 'notix' for randkey principals and also for principals which have
1131      * specified flag options on the cmdline. This is because we want to apply
1132      * generic flag settings from 'default_principal_flags' first (during
1133      * principal creation), followed by a kadm5_modify_principal() which
1134      * correctly applies the cli flag options. So, we do *not* want any tix
1135      * issued in the interim.
1136      */
1137     if (randkey || (mask & KADM5_ATTRIBUTES))
1138 	princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
1139 
1140     if (randkey) {
1141 	mask |= KADM5_ATTRIBUTES;
1142 	pass = dummybuf;
1143     } else if (pass == NULL) {
1144 	unsigned int sz = sizeof (newpw) - 1;
1145 	snprintf(prompt1, sizeof (prompt1),
1146 		gettext("Enter password for principal \"%.900s\""),
1147 		canon);
1148 	snprintf(prompt2, sizeof (prompt1),
1149 		gettext("Re-enter password for principal \"%.900s\""),
1150 		canon);
1151 	retval = krb5_read_password(context, prompt1, prompt2,
1152 				    newpw, &sz);
1153 	if (retval) {
1154 	    com_err("add_principal", retval,
1155 		gettext("while reading password for \"%s\"."), canon);
1156 	    free(canon);
1157 	    krb5_free_principal(context, princ.principal);
1158 	    return;
1159 	}
1160 	pass = newpw;
1161     }
1162     mask |= KADM5_PRINCIPAL;
1163 
1164     /*
1165      * If the client being used is local, always use the new
1166      * API so we get the full set of enctype support.
1167      */
1168     if (ks_tuple != NULL || local_kadmin) {
1169 	retval = kadm5_create_principal_3(handle, &princ, mask,
1170 					  n_ks_tuple, ks_tuple, pass);
1171     } else {
1172 	retval = kadm5_create_principal(handle, &princ, mask, pass);
1173     }
1174     if (retval) {
1175 	com_err("add_principal", retval,
1176 		gettext("while creating \"%s\"."), canon);
1177 	krb5_free_principal(context, princ.principal);
1178 	free(canon);
1179 	if (ks_tuple != NULL)
1180 	    free(ks_tuple);
1181 	return;
1182     }
1183     if (randkey) {		/* more special stuff for -randkey */
1184 	if (ks_tuple != NULL || local_kadmin) {
1185 	    retval = kadm5_randkey_principal_3(handle, princ.principal,
1186 					       FALSE,
1187 					       n_ks_tuple, ks_tuple,
1188 					       NULL, NULL);
1189 	} else {
1190 	    retval = kadm5_randkey_principal(handle, princ.principal,
1191 					     NULL, NULL);
1192 	}
1193 	if (retval) {
1194 	    com_err("add_principal", retval,
1195 		gettext("while randomizing key for \"%s\"."), canon);
1196 	    krb5_free_principal(context, princ.principal);
1197 	    free(canon);
1198 	    if (ks_tuple != NULL)
1199 		free(ks_tuple);
1200 	    return;
1201 	}
1202     }
1203 
1204     /*
1205      * We now retrieve the intersection set of the generic flag settings and
1206      * the ones specified on the cli & re-parse the princ args, just to make
1207      * sure we account for conflicts between 'default_principal_flags' and
1208      * the cmdline flag args. While we are here, also clear 'notix'.
1209      */
1210     if (randkey || (mask & KADM5_ATTRIBUTES)) {
1211 	retval = kadm5_get_principal(handle, princ.principal, &dprinc,
1212 			KADM5_PRINCIPAL_NORMAL_MASK);
1213         if (retval == 0) {
1214 	    if (dprinc.attributes != 0)
1215 		princ.attributes = dprinc.attributes;
1216 	} else {
1217 	    com_err("add_principal", retval,
1218 		gettext("while doing a get_principal on \"%s\"."), canon);
1219 	    printf(gettext("\nWarning: Principal \"%s\" could have incomplete "
1220 		"flag settings, as a result of a failed get_principal.\n"
1221 		"Check the 'default_principal_flags' setting in kdc.conf(4).\n"
1222 		"If there is a mismatch, use modprinc in kadmin(1M) to rectify "
1223 		"the same.\n\n"), canon);
1224 	}
1225 
1226 	(void) kadmin_parse_princ_args(argc, argv, &princ, &mask, &pass,
1227 			&randkey, &ks_tuple, &n_ks_tuple, "add_principal");
1228 
1229 	princ.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX;
1230 	mask = KADM5_ATTRIBUTES;
1231 	retval = kadm5_modify_principal(handle, &princ, mask);
1232 	if (retval) {
1233 	    com_err("add_principal", retval,
1234 		gettext("while doing a modify_principal to restore flag "
1235 			"settings for \"%s\"."), canon);
1236 	    krb5_free_principal(context, princ.principal);
1237 	    free(canon);
1238 	    if (ks_tuple != NULL)
1239 		free(ks_tuple);
1240 	    return;
1241 	}
1242     }
1243     krb5_free_principal(context, princ.principal);
1244 	printf(gettext("Principal \"%s\" created.\n"), canon);
1245     if (ks_tuple != NULL)
1246 	free(ks_tuple);
1247     free(canon);
1248 }
1249 
1250 void kadmin_modprinc(argc, argv)
1251     int argc;
1252     char *argv[];
1253 {
1254     kadm5_principal_ent_rec princ, oldprinc;
1255     krb5_principal kprinc;
1256     long mask;
1257     krb5_error_code retval;
1258     char *pass, *canon;
1259     int randkey = 0;
1260     int n_ks_tuple = 0;
1261     krb5_key_salt_tuple *ks_tuple;
1262 
1263     if (argc < 2) {
1264 	 kadmin_modprinc_usage("modify_principal");
1265 	 return;
1266     }
1267 
1268     memset(&oldprinc, 0, sizeof(oldprinc));
1269     memset(&princ, 0, sizeof(princ));
1270 
1271     retval = kadmin_parse_name(argv[argc - 1], &kprinc);
1272     if (retval) {
1273 	com_err("modify_principal", retval,
1274 			gettext("while parsing principal"));
1275 	return;
1276     }
1277     retval = krb5_unparse_name(context, kprinc, &canon);
1278     if (retval) {
1279 	com_err("modify_principal", retval,
1280 			gettext("while canonicalizing principal"));
1281 	krb5_free_principal(context, kprinc);
1282 	return;
1283     }
1284     retval = kadm5_get_principal(handle, kprinc, &oldprinc,
1285 				 KADM5_PRINCIPAL_NORMAL_MASK);
1286     krb5_free_principal(context, kprinc);
1287     if (retval) {
1288 	com_err("modify_principal", retval,
1289 			gettext("while getting \"%s\"."), canon);
1290 	free(canon);
1291 	return;
1292     }
1293     princ.attributes = oldprinc.attributes;
1294     kadm5_free_principal_ent(handle, &oldprinc);
1295     retval = kadmin_parse_princ_args(argc, argv,
1296 				     &princ, &mask,
1297 				     &pass, &randkey,
1298 				     &ks_tuple, &n_ks_tuple,
1299 				     "modify_principal");
1300     if (ks_tuple != NULL) {
1301 	free(ks_tuple);
1302 	kadmin_modprinc_usage("modify_principal");
1303 	free(canon);
1304 	return;
1305     }
1306     if (retval) {
1307 	kadmin_modprinc_usage("modify_principal");
1308 	free(canon);
1309 	return;
1310     }
1311     if (randkey) {
1312 		fprintf(stderr, "modify_principal: -randkey %s ",
1313 			gettext("not allowed\n"));
1314 	krb5_free_principal(context, princ.principal);
1315 	free(canon);
1316 	return;
1317     }
1318     if (pass) {
1319 	fprintf(stderr,
1320 		"modify_principal: -pw %s change_password\n",
1321 		gettext("not allowed; use"));
1322 	krb5_free_principal(context, princ.principal);
1323 	free(canon);
1324 	return;
1325     }
1326     retval = kadm5_modify_principal(handle, &princ, mask);
1327     krb5_free_principal(context, princ.principal);
1328     if (retval) {
1329 	com_err("modify_principal", retval,
1330 			gettext("while modifying \"%s\"."), canon);
1331 	free(canon);
1332 	return;
1333     }
1334 	printf(gettext("Principal \"%s\" modified.\n"), canon);
1335     free(canon);
1336 }
1337 
1338 void kadmin_getprinc(argc, argv)
1339     int argc;
1340     char *argv[];
1341 {
1342     kadm5_principal_ent_rec dprinc;
1343     krb5_principal princ;
1344     krb5_error_code retval;
1345     char *canon, *modcanon;
1346     int i;
1347 
1348     if (! (argc == 2 ||
1349 	   (argc == 3 && !strcmp("-terse", argv[1])))) {
1350 		fprintf(stderr, "%s: get_principal [-terse] %s\n",
1351 			gettext("usage"), gettext("principal"));
1352 	return;
1353     }
1354 
1355 
1356     memset(&dprinc, 0, sizeof(dprinc));
1357     memset(&princ, 0, sizeof(princ));
1358 
1359     retval = kadmin_parse_name(argv[argc - 1], &princ);
1360     if (retval) {
1361 	com_err("get_principal", retval,
1362 			gettext("while parsing principal"));
1363 	return;
1364     }
1365     retval = krb5_unparse_name(context, princ, &canon);
1366     if (retval) {
1367 	com_err("get_principal", retval,
1368 			gettext("while canonicalizing principal"));
1369 	krb5_free_principal(context, princ);
1370 	return;
1371     }
1372     retval = kadm5_get_principal(handle, princ, &dprinc,
1373 				 KADM5_PRINCIPAL_NORMAL_MASK | KADM5_KEY_DATA);
1374     krb5_free_principal(context, princ);
1375     if (retval) {
1376 	com_err("get_principal", retval,
1377 			gettext("while retrieving \"%s\"."), canon);
1378 	free(canon);
1379 	return;
1380     }
1381     retval = krb5_unparse_name(context, dprinc.mod_name, &modcanon);
1382     if (retval) {
1383 	com_err("get_principal", retval,
1384 			gettext("while unparsing modname"));
1385 	kadm5_free_principal_ent(handle, &dprinc);
1386 	free(canon);
1387 	return;
1388     }
1389     if (argc == 2) {
1390 		printf(gettext("Principal: %s\n"), canon);
1391 		printf(gettext("Expiration date: %s\n"),
1392 		    dprinc.princ_expire_time ?
1393 		    strdate(dprinc.princ_expire_time) :
1394 		    gettext("[never]"));
1395 		printf(gettext("Last password change: %s\n"),
1396 		    dprinc.last_pwd_change ?
1397 		    strdate(dprinc.last_pwd_change) :
1398 		    gettext("[never]"));
1399 		printf(gettext("Password expiration date: %s\n"),
1400 	       dprinc.pw_expiration ?
1401 		    strdate(dprinc.pw_expiration) : gettext("[none]"));
1402 		printf(gettext("Maximum ticket life: %s\n"),
1403 		    strdur(dprinc.max_life));
1404 		printf(gettext("Maximum renewable life: %s\n"),
1405 		    strdur(dprinc.max_renewable_life));
1406 		printf(gettext("Last modified: %s (%s)\n"),
1407 		    strdate(dprinc.mod_date), modcanon);
1408 		printf(gettext("Last successful authentication: %s\n"),
1409 	       dprinc.last_success ? strdate(dprinc.last_success) :
1410 		    gettext("[never]"));
1411 		printf(gettext("Last failed authentication: %s\n"),
1412 	       dprinc.last_failed ? strdate(dprinc.last_failed) :
1413 		    gettext("[never]"));
1414 		printf(gettext("Failed password attempts: %d\n"),
1415 	       dprinc.fail_auth_count);
1416 		printf(gettext("Number of keys: %d\n"), dprinc.n_key_data);
1417 	for (i = 0; i < dprinc.n_key_data; i++) {
1418 	     krb5_key_data *key_data = &dprinc.key_data[i];
1419 	     char enctype[BUFSIZ], salttype[BUFSIZ];
1420 
1421 	     if (krb5_enctype_to_string(key_data->key_data_type[0],
1422 					enctype, sizeof(enctype)))
1423 				snprintf(enctype, sizeof (enctype),
1424 					gettext("<Encryption type 0x%x>"),
1425 			  key_data->key_data_type[0]);
1426 			printf(gettext("Key: vno %d, %s, "),
1427 			    key_data->key_data_kvno, enctype);
1428 	     if (key_data->key_data_ver > 1) {
1429 				if (krb5_salttype_to_string(
1430 					key_data->key_data_type[1],
1431 					      salttype, sizeof(salttype)))
1432 					snprintf(salttype, sizeof (salttype),
1433 						gettext("<Salt type 0x%x>"),
1434 			       key_data->key_data_type[1]);
1435 		  printf("%s\n", salttype);
1436 	     } else
1437 				printf(gettext("no salt\n"));
1438 	}
1439 
1440 		printf(gettext("Attributes:"));
1441 	for (i = 0; i < sizeof (prflags) / sizeof (char *); i++) {
1442 	    if (dprinc.attributes & (krb5_flags) 1 << i)
1443 		printf(" %s", prflags[i]);
1444 	}
1445 	printf("\n");
1446 		printf(gettext("Policy: %s\n"),
1447 		    dprinc.policy ? dprinc.policy : gettext("[none]"));
1448     } else {
1449 	printf("\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"\t%d\t%d\t%d\t%d\t\"%s\""
1450 	       "\t%d\t%d\t%d\t%d\t%d",
1451 	       canon, dprinc.princ_expire_time, dprinc.last_pwd_change,
1452 	       dprinc.pw_expiration, dprinc.max_life, modcanon,
1453 	       dprinc.mod_date, dprinc.attributes, dprinc.kvno,
1454 	       dprinc.mkvno, dprinc.policy ?
1455 		    dprinc.policy : gettext("[none]"),
1456 	       dprinc.max_renewable_life, dprinc.last_success,
1457 	       dprinc.last_failed, dprinc.fail_auth_count,
1458 	       dprinc.n_key_data);
1459 	for (i = 0; i < dprinc.n_key_data; i++)
1460 	     printf("\t%d\t%d\t%d\t%d",
1461 		    dprinc.key_data[i].key_data_ver,
1462 		    dprinc.key_data[i].key_data_kvno,
1463 		    dprinc.key_data[i].key_data_type[0],
1464 		    dprinc.key_data[i].key_data_type[1]);
1465 	printf("\n");
1466    }
1467     free(modcanon);
1468     kadm5_free_principal_ent(handle, &dprinc);
1469     free(canon);
1470 }
1471 
1472 void kadmin_getprincs(argc, argv)
1473     int argc;
1474     char *argv[];
1475 {
1476     krb5_error_code retval;
1477     char *expr, **names;
1478     int i, count;
1479 
1480 	FILE *output;
1481 	int fd;
1482 	struct sigaction nsig, osig;
1483 	sigset_t nmask, omask;
1484 	int waitb;
1485 
1486     expr = NULL;
1487     if (! (argc == 1 || (argc == 2 && (expr = argv[1])))) {
1488 		fprintf(stderr, "%s: get_principals %s\n",
1489 			gettext("usage"), gettext("[expression]"));
1490 	return;
1491     }
1492     retval = kadm5_get_principals(handle, expr, &names, &count);
1493     if (retval) {
1494 	com_err("get_principals", retval,
1495 			gettext("while retrieving list."));
1496 	return;
1497     }
1498 
1499 	/*
1500 	 * Solaris:  the following code is used for paging
1501 	 */
1502 
1503 	sigemptyset(&nmask);
1504 	sigaddset(&nmask, SIGINT);
1505 	sigprocmask(SIG_BLOCK, &nmask, &omask);
1506 
1507 	nsig.sa_handler = SIG_IGN;
1508 	sigemptyset(&nsig.sa_mask);
1509 	nsig.sa_flags = 0;
1510 	sigaction(SIGINT, &nsig, &osig);
1511 
1512 	fd = ss_pager_create();
1513 	output = fdopen(fd, "w");
1514 
1515 	sigprocmask(SIG_SETMASK, &omask, (sigset_t *)0);
1516 
1517     for (i = 0; i < count; i++)
1518 	 fprintf(output, "%s\n", names[i]);
1519 
1520 	fclose(output);
1521 
1522 	wait(&waitb);
1523 
1524     kadm5_free_name_list(handle, names, count);
1525 }
1526 
1527 static int
1528 kadmin_parse_policy_args(argc, argv, policy, mask, caller)
1529     int argc;
1530     char *argv[];
1531     kadm5_policy_ent_t policy;
1532     long *mask;
1533     char *caller;
1534 {
1535     int i;
1536     time_t now;
1537     time_t date;
1538 
1539     time(&now);
1540     *mask = 0;
1541     for (i = 1; i < argc - 1; i++) {
1542 	if (strlen(argv[i]) == 8 &&
1543 	    !strcmp(argv[i], "-maxlife")) {
1544 	    if (++i > argc -2)
1545 		return -1;
1546 	    else {
1547 		date = get_date(argv[i]);
1548  		if (date == (time_t)-1) {
1549 					fprintf(stderr,
1550 						gettext("Invalid date "
1551 							"specification "
1552 							"\"%s\".\n"),
1553 			     argv[i]);
1554 		     return -1;
1555  		}
1556 				if (date <= now) {
1557 					fprintf(stderr,
1558 						gettext("Date specified is "
1559 							"in the past "
1560 							"\"%s\".\n"),
1561 						argv[i]);
1562 					return (-1);
1563 				}
1564 		policy->pw_max_life = date - now;
1565 		*mask |= KADM5_PW_MAX_LIFE;
1566 		continue;
1567 	    }
1568 	} else if (strlen(argv[i]) == 8 &&
1569 		   !strcmp(argv[i], "-minlife")) {
1570 	    if (++i > argc - 2)
1571 		return -1;
1572 	    else {
1573 		date = get_date(argv[i]);
1574  		if (date == (time_t)-1) {
1575 					fprintf(stderr,
1576 						gettext("Invalid date "
1577 							"specification "
1578 							"\"%s\".\n"),
1579 			     argv[i]);
1580 		     return -1;
1581  		}
1582 				if (date <= now) {
1583 					fprintf(stderr,
1584 						gettext("Date specified is "
1585 							"in the past "
1586 							"\"%s\".\n"),
1587 						argv[i]);
1588 					return (-1);
1589 				}
1590 		policy->pw_min_life = date - now;
1591 		*mask |= KADM5_PW_MIN_LIFE;
1592 		continue;
1593 	    }
1594 	} else if (strlen(argv[i]) == 10 &&
1595 	    !strcmp(argv[i], "-minlength")) {
1596 	    if (++i > argc - 2)
1597 		return -1;
1598 	    else {
1599 		policy->pw_min_length = atoi(argv[i]);
1600 		*mask |= KADM5_PW_MIN_LENGTH;
1601 		continue;
1602 	    }
1603 	} else if (strlen(argv[i]) == 11 &&
1604 		   !strcmp(argv[i], "-minclasses")) {
1605 	    if (++i > argc - 2)
1606 		return -1;
1607 	    else {
1608 		policy->pw_min_classes = atoi(argv[i]);
1609 		*mask |= KADM5_PW_MIN_CLASSES;
1610 		continue;
1611 	    }
1612 	} else if (strlen(argv[i]) == 8 &&
1613 		   !strcmp(argv[i], "-history")) {
1614 	    if (++i > argc - 2)
1615 		return -1;
1616 	    else {
1617 		policy->pw_history_num = atoi(argv[i]);
1618 		*mask |= KADM5_PW_HISTORY_NUM;
1619 		continue;
1620 	    }
1621 	} else
1622 	    return -1;
1623     }
1624     if (i != argc -1) {
1625 	fprintf(stderr, gettext("%s: parser lost count!\n"), caller);
1626 	return -1;
1627     } else
1628 	return 0;
1629 }
1630 
1631 static void
1632 kadmin_addmodpol_usage(func)
1633    char *func;
1634 {
1635 	fprintf(stderr, "%s: %s %s\n", gettext("usage"), func,
1636 		gettext("[options] policy"));
1637 	fprintf(stderr, gettext("\toptions are:\n"));
1638 	fprintf(stderr, "\t\t[-maxlife time] [-minlife time] "
1639 		"[-minlength length]\n\t\t[-minclasses number] "
1640 		"[-history number]\n");
1641 }
1642 
1643 void kadmin_addpol(argc, argv)
1644     int argc;
1645     char *argv[];
1646 {
1647     krb5_error_code retval;
1648     long mask;
1649     kadm5_policy_ent_rec policy;
1650 
1651     memset(&policy, 0, sizeof(policy));
1652     if (kadmin_parse_policy_args(argc, argv, &policy, &mask, "add_policy")) {
1653 	 kadmin_addmodpol_usage("add_policy");
1654 	 return;
1655     } else {
1656 	policy.policy = argv[argc - 1];
1657 	mask |= KADM5_POLICY;
1658 	retval = kadm5_create_policy(handle, &policy, mask);
1659 	if (retval) {
1660 			com_err("add_policy", retval,
1661 				gettext("while creating policy \"%s\"."),
1662 		    policy.policy);
1663 	    return;
1664 	}
1665     }
1666     return;
1667 }
1668 
1669 void kadmin_modpol(argc, argv)
1670     int argc;
1671     char *argv[];
1672 {
1673     krb5_error_code retval;
1674     long mask;
1675     kadm5_policy_ent_rec policy;
1676 
1677     memset(&policy, 0, sizeof(policy));
1678     if (kadmin_parse_policy_args(argc, argv, &policy, &mask,
1679 				 "modify_policy")) {
1680 	kadmin_addmodpol_usage("modify_policy");
1681 	return;
1682     } else {
1683 	policy.policy = argv[argc - 1];
1684 	retval = kadm5_modify_policy(handle, &policy, mask);
1685 	if (retval) {
1686 			com_err("modify_policy", retval,
1687 				gettext("while modifying policy \"%s\"."),
1688 		    policy.policy);
1689 	    return;
1690 	}
1691     }
1692     return;
1693 }
1694 
1695 void kadmin_delpol(argc, argv)
1696     int argc;
1697     char *argv[];
1698 {
1699     krb5_error_code retval;
1700     char reply[32];
1701 
1702     if (! (argc == 2 ||
1703 	   (argc == 3 && !strcmp("-force", argv[1])))) {
1704 	fprintf(stderr, "%s: delete_policy [-force] %s\n",
1705 			gettext("usage"), gettext("policy"));
1706 	return;
1707     }
1708     if (argc == 2) {
1709 		printf(gettext("Are you sure you want to delete the policy "
1710 			    "\"%s\"? (yes/no): "), argv[1]);
1711 	fgets(reply, sizeof (reply), stdin);
1712 		if (strncmp(gettext("yes\n"), reply, sizeof (reply)) &&
1713 			strncmp(gettext("y\n"), reply, sizeof (reply)) &&
1714 			strncmp(gettext("Y\n"), reply, sizeof (reply))
1715 			) {
1716 			fprintf(stderr,
1717 				gettext("Policy \"%s\" not deleted.\n"),
1718 				argv[1]);
1719 	    return;
1720 	}
1721     }
1722     retval = kadm5_delete_policy(handle, argv[argc - 1]);
1723     if (retval) {
1724 		com_err("delete_policy:", retval,
1725 			gettext("while deleting policy \"%s\""),
1726 		argv[argc - 1]);
1727 	return;
1728     }
1729     return;
1730 }
1731 
1732 void kadmin_getpol(argc, argv)
1733     int argc;
1734     char *argv[];
1735 {
1736     krb5_error_code retval;
1737     kadm5_policy_ent_rec policy;
1738 
1739     if (! (argc == 2 ||
1740 	   (argc == 3 && !strcmp("-terse", argv[1])))) {
1741 		fprintf(stderr, "%s: get_policy [-terse] %s\n",
1742 			gettext("usage"), gettext("policy"));
1743 	return;
1744     }
1745     retval = kadm5_get_policy(handle, argv[argc - 1], &policy);
1746     if (retval) {
1747 		com_err("get_policy", retval,
1748 			gettext("while retrieving policy \"%s\"."),
1749 		argv[argc - 1]);
1750 	return;
1751     }
1752     if (argc == 2) {
1753 		printf(gettext("Policy: %s\n"), policy.policy);
1754 		printf(gettext("Maximum password life: %ld\n"),
1755 		    policy.pw_max_life);
1756 		printf(gettext("Minimum password life: %ld\n"),
1757 		    policy.pw_min_life);
1758 		printf(gettext("Minimum password length: %ld\n"),
1759 		    policy.pw_min_length);
1760 		printf(gettext("Minimum number of password "
1761 			    "character classes: %ld\n"),
1762 	       policy.pw_min_classes);
1763 		printf(gettext("Number of old keys kept: %ld\n"),
1764 		    policy.pw_history_num);
1765 		printf(gettext("Reference count: %ld\n"), policy.policy_refcnt);
1766     } else {
1767 	printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\n",
1768 	       policy.policy, policy.pw_max_life, policy.pw_min_life,
1769 	       policy.pw_min_length, policy.pw_min_classes,
1770 	       policy.pw_history_num, policy.policy_refcnt);
1771     }
1772     kadm5_free_policy_ent(handle, &policy);
1773     return;
1774 }
1775 
1776 void kadmin_getpols(argc, argv)
1777     int argc;
1778     char *argv[];
1779 {
1780     krb5_error_code retval;
1781     char *expr, **names;
1782     int i, count;
1783 
1784     expr = NULL;
1785     if (! (argc == 1 || (argc == 2 && (expr = argv[1])))) {
1786 	fprintf(stderr, "%s: get_policies %s\n",
1787 			gettext("usage"), gettext("[expression]\n"));
1788 	return;
1789     }
1790     retval = kadm5_get_policies(handle, expr, &names, &count);
1791     if (retval) {
1792 	com_err("get_policies", retval,
1793 			gettext("while retrieving list."));
1794 	return;
1795     }
1796     for (i = 0; i < count; i++)
1797 	 printf("%s\n", names[i]);
1798     kadm5_free_name_list(handle, names, count);
1799 }
1800 
1801