1 /* 2 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 #pragma ident "%Z%%M% %I% %E% SMI" 7 /* 8 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved. 9 * 10 * $Id: kadm5_create.c,v 1.6 1998/10/30 02:52:37 marc Exp $ 11 * $Source: /cvs/krbdev/krb5/src/kadmin/dbutil/kadm5_create.c,v $ 12 */ 13 14 /* 15 * Copyright (C) 1998 by the FundsXpress, INC. 16 * 17 * All rights reserved. 18 * 19 * Export of this software from the United States of America may require 20 * a specific license from the United States Government. It is the 21 * responsibility of any person or organization contemplating export to 22 * obtain such a license before exporting. 23 * 24 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 25 * distribute this software and its documentation for any purpose and 26 * without fee is hereby granted, provided that the above copyright 27 * notice appear in all copies and that both that copyright notice and 28 * this permission notice appear in supporting documentation, and that 29 * the name of FundsXpress. not be used in advertising or publicity pertaining 30 * to distribution of the software without specific, written prior 31 * permission. FundsXpress makes no representations about the suitability of 32 * this software for any purpose. It is provided "as is" without express 33 * or implied warranty. 34 * 35 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 36 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 37 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
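 */

#if !defined(lint) && !defined(__CODECENTER__)
static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/dbutil/kadm5_create.c,v 1.6 1998/10/30 02:52:37 marc Exp $";
#endif

#include "string_table.h"

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <kadm5/adb.h>
#include <kadm5/admin.h>

#include <krb5.h>
#include <krb5/kdb.h>
#include <libintl.h>

/*
 * Forward declarations.  kadm5_create() and kadm5_create_magic_princs()
 * call functions that are defined further down in this file; declaring
 * them here avoids implicit (int-returning, unchecked) declarations.
 */
int
kadm5_create_magic_princs(kadm5_config_params *params, krb5_context context);
int
add_admin_princs(void *handle, krb5_context context, char *realm);
char *
build_name_with_realm(char *name, char *realm);
int
add_admin_old_princ(void *handle, krb5_context context,
    char *name, char *realm, int attrs, int lifetime);
int
add_admin_sname_princ(void *handle, krb5_context context,
    char *sname, int attrs, int lifetime);
int
add_admin_princ(void *handle, krb5_context context,
    krb5_principal principal, int attrs, int lifetime);

#define	KADM5_ERR	1
#define	KADM5_OK	0

/* Maximum ticket lifetimes given to the service principals, in seconds. */
#define	ADMIN_LIFETIME		(60*60*3)	/* 3 hours */
#define	CHANGEPW_LIFETIME	(60*5)		/* 5 minutes */

extern char *progname;

/*
 * Function: kadm5_create
 *
 * Purpose: create admin principals in KDC database
 *
 * Arguments: params (r) configuration parameters to use
 *
 * Returns:
 *
 *	0 on success.  KADM5_ERR (1) if the krb5 context, the configuration
 *	parameters or the policy database could not be set up; otherwise the
 *	status returned by kadm5_create_magic_princs().
 *
 * Effects: Creates the KADM5_CHANGEPW_SERVICE principal and the host-based
 *	admin, changepw and kiprop service principals in the KDC database
 *	and sets their attributes appropriately (the kadmin/admin principal
 *	is deliberately skipped on Solaris, see add_admin_princs()).
 *	Exits the process if no krb5 context can be created.
 */
int
kadm5_create(kadm5_config_params *params)
{
	int retval;
	krb5_context context;
	kadm5_config_params lparams;

	if ((retval = krb5_init_context(&context))) {
		com_err(progname, retval, gettext(str_INITING_KCONTEXT));
		exit(KADM5_ERR);
	}

	/*
	 * Zeroed up front so that kadm5_free_config_params() on the early
	 * error exits below only sees NULL (never uninitialised) pointers.
	 */
	(void) memset(&lparams, 0, sizeof (lparams));

	/*
	 * The lock file has to exist before calling kadm5_init, but
	 * params->admin_lockfile may not be set yet...
	 */
	if ((retval = kadm5_get_config_params(context, NULL, NULL,
	    params, &lparams))) {
		com_err(progname, retval, gettext(str_INITING_KCONTEXT));
		retval = KADM5_ERR;
		goto cleanup;
	}
	if ((retval = osa_adb_create_policy_db(&lparams))) {
		com_err(progname, retval, gettext(str_CREATING_POLICY_DB));
		retval = KADM5_ERR;
		goto cleanup;
	}

	retval = kadm5_create_magic_princs(&lparams, context);

cleanup:
	/* Single exit so the context and lparams are released on every path. */
	kadm5_free_config_params(context, &lparams);
	krb5_free_context(context);

	return (retval);
}

/*
 * Function: kadm5_create_magic_princs
 *
 * Purpose: open a kadm5 handle on the database described by params and
 *	create the admin service principals through it.
 *
 * Arguments:
 *
 *	params  (r) configuration parameters (realm, database locations, ...)
 *	context (r) krb5 context; passed through to the principal helpers
 *
 * Returns:
 *
 *	The kadm5_init() error code if the handle cannot be opened,
 *	otherwise the status of add_admin_princs() (0 or KADM5_ERR).
 *
 * Note: context is taken by value (krb5_context).  The earlier
 *	"krb5_context *" prototype matched neither the caller, which passes
 *	a krb5_context, nor add_admin_princs(), which expects one; the two
 *	mismatches only cancelled out because the pointer value was passed
 *	straight through.
 */
int
kadm5_create_magic_princs(kadm5_config_params *params, krb5_context context)
{
	int retval;
	void *handle;

	if ((retval = kadm5_init(progname, NULL, NULL, params,
	    KADM5_STRUCT_VERSION, KADM5_API_VERSION_2, &handle))) {
		com_err(progname, retval, gettext(str_INITING_KCONTEXT));
		return (retval);
	}
	retval = add_admin_princs(handle, context, params->realm);

	kadm5_destroy(handle);

	return (retval);
}

/*
 * Function: build_name_with_realm
 *
 * Purpose: concatenate a name and a realm to form a krb5 name
 *
 * Arguments:
 *
 *	name	(input) the name
 *	realm	(input) the realm
 *
 * Returns:
 *
 *	pointer to name@realm, in allocated memory, or NULL if it
 *	cannot be allocated.  The caller owns and must free the result.
 *
 * Requires: both strings are null-terminated
 */
char *
build_name_with_realm(char *name, char *realm)
{
	size_t len;
	char *n;

	/* name, '@', realm and the terminating NUL */
	len = strlen(name) + strlen(realm) + 2;
	n = malloc(len);
	if (n == NULL)
		return (NULL);
	(void) snprintf(n, len, "%s@%s", name, realm);
	return (n);
}

/*
 * Function: add_admin_princs
 *
 * Purpose: create admin principals
 *
 * Arguments:
 *
 *	handle	(input) kadm5 handle to create the principals through
 *	context	(input) krb5 context
 *	realm	(input) realm used for the non host-based principal
 *	<return value> (output) status, 0 for success, KADM5_ERR for
 *		serious error
 *
 * Effects:
 *
 *	add_admin_princs creates KADM5_CHANGEPW_SERVICE in realm, and the
 *	host-based KADM5_ADMIN_HOST_SERVICE, KADM5_CHANGEPW_HOST_SERVICE and
 *	KADM5_KIPROP_HOST_SERVICE principals for the local host, all with
 *	KRB5_KDB_DISALLOW_TGT_BASED and (for the changepw ones)
 *	KRB5_KDB_PWCHANGE_SERVICE.  A principal that already exists is left
 *	untouched and does not count as an error (see add_admin_princ()).
 *	Creation stops at the first failure.
 */
int
add_admin_princs(void *handle, krb5_context context, char *realm)
{
	krb5_error_code ret = 0;

	/*
	 * Solaris Kerberos:
	 * The kadmin/admin principal is unused on Solaris. This principal is used
	 * in AUTH_GSSAPI but Solaris doesn't support AUTH_GSSAPI. RPCSEC_GSS can only
	 * be used with host-based principals.
	 *
	 */

#if 0
	if ((ret = add_admin_old_princ(handle, context,
	    KADM5_ADMIN_SERVICE, realm,
	    KRB5_KDB_DISALLOW_TGT_BASED,
	    ADMIN_LIFETIME)))
		goto clean_and_exit;
#endif

	if ((ret = add_admin_old_princ(handle, context,
	    KADM5_CHANGEPW_SERVICE, realm,
	    KRB5_KDB_DISALLOW_TGT_BASED |
	    KRB5_KDB_PWCHANGE_SERVICE,
	    CHANGEPW_LIFETIME)))
		goto clean_and_exit;

	if ((ret = add_admin_sname_princ(handle, context,
	    KADM5_ADMIN_HOST_SERVICE,
	    KRB5_KDB_DISALLOW_TGT_BASED,
	    ADMIN_LIFETIME)))
		goto clean_and_exit;

	if ((ret = add_admin_sname_princ(handle, context,
	    KADM5_CHANGEPW_HOST_SERVICE,
	    KRB5_KDB_DISALLOW_TGT_BASED |
	    KRB5_KDB_PWCHANGE_SERVICE,
	    ADMIN_LIFETIME)))
		goto clean_and_exit;

	if ((ret = add_admin_sname_princ(handle, context,
	    KADM5_KIPROP_HOST_SERVICE,
	    KRB5_KDB_DISALLOW_TGT_BASED,
	    ADMIN_LIFETIME)))
		goto clean_and_exit;

clean_and_exit:

	return (ret);
}

/*
 * Function: add_admin_princ
 *
 * Arguments:
 *
 *	handle		(r) kadm5 handle
 *	context		(r) krb5 context
 *	principal	(r) kerberos principal to add; ownership passes to
 *			    this function, which frees it on every path
 *	attrs		(r) principal's attributes
 *	lifetime	(r) principal's max life, or 0
 *
 * Returns:
 *
 *	KADM5_OK on success, or if the principal already exists
 *	KADM5_ERR on serious errors
 *
 * Effects:
 *
 *	If the principal already exists (KADM5_DUP) it is left exactly as
 *	it is -- neither its key nor its attributes are checked or changed
 *	-- and KADM5_OK is returned.  Otherwise the principal is created
 *	with attributes attrs and max life of lifetime (if not zero) and
 *	given a random key.
 */

int
add_admin_princ(void *handle, krb5_context context,
    krb5_principal principal, int attrs, int lifetime)
{
	char *fullname = NULL;
	krb5_error_code ret;
	int status = KADM5_ERR;
	kadm5_principal_ent_rec ent;

	(void) memset(&ent, 0, sizeof (ent));
	ent.principal = principal;

	if ((ret = krb5_unparse_name(context, principal, &fullname))) {
		com_err(progname, ret,
		    gettext("while unparsing principal name"));
		goto cleanup;
	}

	ent.max_life = lifetime;
	/*
	 * kadm5_create_principal() needs a password and "to-be-random" is a
	 * fixed, well-known placeholder, so the entry is created with
	 * KRB5_KDB_DISALLOW_ALL_TIX; the real (random) key and the requested
	 * attributes are only applied once the entry exists.  This is
	 * evidently meant to leave no window in which a ticket could be
	 * obtained with the placeholder password.
	 */
	ent.attributes = attrs | KRB5_KDB_DISALLOW_ALL_TIX;

	ret = kadm5_create_principal(handle, &ent,
	    (KADM5_PRINCIPAL | KADM5_MAX_LIFE | KADM5_ATTRIBUTES),
	    "to-be-random");
	if (ret == KADM5_DUP) {
		/* Already present: leave it alone, not an error. */
		status = KADM5_OK;
		goto cleanup;
	}
	if (ret) {
		com_err(progname, ret, gettext(str_PUT_PRINC), fullname);
		goto cleanup;
	}

	/* only randomize key if we created the principal */
	if ((ret = kadm5_randkey_principal(handle, ent.principal,
	    NULL, NULL))) {
		com_err(progname, ret, gettext(str_RANDOM_KEY), fullname);
		goto cleanup;
	}

	/* Key is random now; drop DISALLOW_ALL_TIX by storing the real attrs. */
	ent.attributes = attrs;
	if ((ret = kadm5_modify_principal(handle, &ent, KADM5_ATTRIBUTES))) {
		com_err(progname, ret, gettext(str_PUT_PRINC), fullname);
		goto cleanup;
	}
	status = KADM5_OK;

cleanup:
	krb5_free_principal(context, ent.principal);
	free(fullname);
	return (status);
}

/*
 * Function: add_admin_old_princ
 *
 * Purpose: create the principal name@realm via add_admin_princ()
 *
 * Arguments:
 *
 *	handle		(r) kadm5 handle
 *	context		(r) krb5 context
 *	name		(r) principal name (component part)
 *	realm		(r) realm to append
 *	attrs		(r) principal's attributes
 *	lifetime	(r) principal's max life, or 0
 *
 * Returns: KADM5_OK or KADM5_ERR (see add_admin_princ()); KADM5_ERR if
 *	the name cannot be built or parsed.
 */
int
add_admin_old_princ(void *handle, krb5_context context,
    char *name, char *realm, int attrs, int lifetime)
{
	char *fullname;
	krb5_error_code ret;
	krb5_principal principal;

	fullname = build_name_with_realm(name, realm);
	if (fullname == NULL) {
		com_err(progname, ENOMEM,
		    gettext("while building principal name for %s"), name);
		return (KADM5_ERR);
	}
	ret = krb5_parse_name(context, fullname, &principal);
	/* the parsed principal holds its own copy; the string is done with */
	free(fullname);
	if (ret) {
		com_err(progname, ret, gettext(str_PARSE_NAME));
		return (KADM5_ERR);
	}

	/* add_admin_princ() takes ownership of principal. */
	return (add_admin_princ(handle, context, principal, attrs, lifetime));
}

/*
 * Function: add_admin_sname_princ
 *
 * Purpose: create the host-based service principal sname/<host> via
 *	add_admin_princ()
 *
 * Arguments:
 *
 *	handle		(r) kadm5 handle
 *	context		(r) krb5 context
 *	sname		(r) service name, e.g. KADM5_ADMIN_HOST_SERVICE
 *	attrs		(r) principal's attributes
 *	lifetime	(r) principal's max life, or 0
 *
 * Returns: KADM5_OK or KADM5_ERR (see add_admin_princ()); KADM5_ERR if
 *	the host-based name cannot be formed.
 *
 * Note: the hostname argument to krb5_sname_to_principal() is NULL, so
 *	the library picks the host (the local one) and the realm itself.
 */
int
add_admin_sname_princ(void *handle, krb5_context context,
    char *sname, int attrs, int lifetime)
{
	krb5_error_code ret;
	krb5_principal principal;

	if ((ret = krb5_sname_to_principal(context, NULL, sname,
	    KRB5_NT_SRV_HST, &principal))) {
		com_err(progname, ret,
		    gettext("Could not get host based "
		    "service name for %s principal\n"), sname);
		return (KADM5_ERR);
	}
	/* add_admin_princ() takes ownership of principal. */
	return (add_admin_princ(handle, context, principal, attrs, lifetime));
}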