xref: /titanic_51/usr/src/cmd/krb5/kadmin/dbutil/kadm5_create.c (revision 0c44d0008f52b6a42b9c01d3b344661217520a68)
1 /*
2  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #pragma ident	"%Z%%M%	%I%	%E% SMI"
7 /*
8  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
9  *
10  * $Id: kadm5_create.c,v 1.6 1998/10/30 02:52:37 marc Exp $
11  * $Source: /cvs/krbdev/krb5/src/kadmin/dbutil/kadm5_create.c,v $
12  */
13 
14 /*
15  * Copyright (C) 1998 by the FundsXpress, INC.
16  *
17  * All rights reserved.
18  *
19  * Export of this software from the United States of America may require
20  * a specific license from the United States Government.  It is the
21  * responsibility of any person or organization contemplating export to
22  * obtain such a license before exporting.
23  *
24  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
25  * distribute this software and its documentation for any purpose and
26  * without fee is hereby granted, provided that the above copyright
27  * notice appear in all copies and that both that copyright notice and
28  * this permission notice appear in supporting documentation, and that
29  * the name of FundsXpress. not be used in advertising or publicity pertaining
30  * to distribution of the software without specific, written prior
31  * permission.  FundsXpress makes no representations about the suitability of
32  * this software for any purpose.  It is provided "as is" without express
33  * or implied warranty.
34  *
35  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
36  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
37  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
38  */
39 
40 #if !defined(lint) && !defined(__CODECENTER__)
41 static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/dbutil/kadm5_create.c,v 1.6 1998/10/30 02:52:37 marc Exp $";
42 #endif
43 
44 #include "string_table.h"
45 
46 #include <stdio.h>
47 #include <stdlib.h>
48 #include <string.h>
49 #include <kadm5/adb.h>
50 #include <kadm5/admin.h>
51 
52 #include <krb5.h>
53 #include <krb5/kdb.h>
54 #include <libintl.h>
55 
56 int
57 add_admin_old_princ(void *handle, krb5_context context,
58 		    char *name, char *realm, int attrs, int lifetime);
59 int
60 add_admin_sname_princ(void *handle, krb5_context context,
61     char *sname, int attrs, int lifetime);
62 int
63 add_admin_princ(void *handle, krb5_context context,
64     krb5_principal principal, int attrs, int lifetime);
65 
66 #define	KADM5_ERR 1
67 #define	KADM5_OK 0
68 
69 #define ADMIN_LIFETIME 60*60*3 /* 3 hours */
70 #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
71 
72 extern char *progname;
73 
74 /*
75  * Function: kadm5_create
76  *
77  * Purpose: create admin principals in KDC database
78  *
79  * Arguments:	params	(r) configuration parameters to use
80  *
81  * Effects:  Creates KADM5_ADMIN_SERVICE and KADM5_CHANGEPW_SERVICE
82  * principals in the KDC database and sets their attributes
83  * appropriately.
84  */
85 int
86 kadm5_create(kadm5_config_params * params)
87 {
88      int retval;
89      void *handle;
90      krb5_context context;
91      FILE *f;
92 
93      kadm5_config_params lparams;
94 
95      if (retval = krb5_init_context(&context))
96 	exit(KADM5_ERR);
97 
98      (void) memset(&lparams, 0, sizeof (kadm5_config_params));
99 
100      /*
101       * The lock file has to exist before calling kadm5_init, but
102       * params->admin_lockfile may not be set yet...
103       */
104      if (retval = kadm5_get_config_params(context, NULL, NULL,
105 		params, &lparams)) {
106 	com_err(progname, retval, gettext(str_INITING_KCONTEXT));
107 	return (1);
108      }
109      if (retval = osa_adb_create_policy_db(&lparams)) {
110 	com_err(progname, retval, gettext(str_CREATING_POLICY_DB));
111 	return (1);
112      }
113 
114      retval = kadm5_create_magic_princs(&lparams, context);
115 
116      kadm5_free_config_params(context, &lparams);
117      krb5_free_context(context);
118 
119      return (retval);
120 }
121 
122 int
123 kadm5_create_magic_princs(kadm5_config_params * params,
124 			      krb5_context *context)
125 {
126      int retval;
127      void *handle;
128 
129      if ((retval = kadm5_init(progname, NULL, NULL, params,
130 			      KADM5_STRUCT_VERSION,
131 			      KADM5_API_VERSION_2,
132 			      &handle))) {
133 	com_err(progname, retval, gettext(str_INITING_KCONTEXT));
134 	return (retval);
135      }
136      retval = add_admin_princs(handle, context, params->realm);
137 
138      kadm5_destroy(handle);
139 
140      return (retval);
141 }
142 
143 /*
144  * Function: build_name_with_realm
145  *
146  * Purpose: concatenate a name and a realm to form a krb5 name
147  *
148  * Arguments:
149  *
150  * 	name	(input) the name
151  * 	realm	(input) the realm
152  *
153  * Returns:
154  *
155  * 	pointer to name@realm, in allocated memory, or NULL if it
156  * 	cannot be allocated
157  *
158  * Requires: both strings are null-terminated
159  */
160 char *
161 build_name_with_realm(char *name, char *realm)
162 {
163      char *n;
164 
165      n = (char *) malloc(strlen(name) + strlen(realm) + 2);
166      sprintf(n, "%s@%s", name, realm);
167      return (n);
168 }
169 
170 /*
171  * Function: add_admin_princs
172  *
173  * Purpose: create admin principals
174  *
175  * Arguments:
176  *
177  * 	rseed		(input) random seed
178  * 	realm		(input) realm, or NULL for default realm
179  *      <return value>  (output) status, 0 for success, 1 for serious error
180  *
181  * Requires:
182  *
183  * Effects:
184  *
185  * add_admin_princs creates KADM5_ADMIN_SERVICE,
186  * KADM5_CHANGEPW_SERVICE.  If any of these exist a message is
187  * printed.  If any of these existing principal do not have the proper
188  * attributes, a warning message is printed.
189  */
190 int
191 add_admin_princs(void *handle, krb5_context context, char *realm)
192 {
193   krb5_error_code ret = 0;
194 
195 /*
196  * Solaris Kerberos:
197  * The kadmin/admin principal is unused on Solaris. This principal is used
198  * in AUTH_GSSAPI but Solaris doesn't support AUTH_GSSAPI. RPCSEC_GSS can only
199  * be used with host-based principals.
200  *
201  */
202 
203 #if 0
204   if ((ret = add_admin_old_princ(handle, context,
205   		     KADM5_ADMIN_SERVICE, realm,
206   		     KRB5_KDB_DISALLOW_TGT_BASED,
207   		     ADMIN_LIFETIME)))
208      goto clean_and_exit;
209 #endif
210 
211 	if ((ret = add_admin_old_princ(handle, context,
212 			     KADM5_CHANGEPW_SERVICE, realm,
213 			     KRB5_KDB_DISALLOW_TGT_BASED |
214 			     KRB5_KDB_PWCHANGE_SERVICE,
215 			     CHANGEPW_LIFETIME)))
216        goto clean_and_exit;
217 
218 	if ((ret = add_admin_sname_princ(handle, context,
219 		    KADM5_ADMIN_HOST_SERVICE,
220 		    KRB5_KDB_DISALLOW_TGT_BASED,
221 		    ADMIN_LIFETIME)))
222 		goto clean_and_exit;
223 
224 	if ((ret = add_admin_sname_princ(handle, context,
225 		    KADM5_CHANGEPW_HOST_SERVICE,
226 		    KRB5_KDB_DISALLOW_TGT_BASED |
227 		    KRB5_KDB_PWCHANGE_SERVICE,
228 		    ADMIN_LIFETIME)))
229 		goto clean_and_exit;
230 
231 	if ((ret = add_admin_sname_princ(handle, context,
232 		    KADM5_KIPROP_HOST_SERVICE,
233 		    KRB5_KDB_DISALLOW_TGT_BASED,
234 		    ADMIN_LIFETIME)))
235 		goto clean_and_exit;
236 
237 clean_and_exit:
238 
239 	return (ret);
240 }
241 
242 /*
243  * Function: add_admin_princ
244  *
245  * Arguments:
246  *
247  * 	creator		(r) principal to use as "mod_by"
248  * 	rseed		(r) seed for random key generator
249  *	principal	(r) kerberos principal to add
250  * 	attrs		(r) principal's attributes
251  * 	lifetime	(r) principal's max life, or 0
252  * 	not_unique	(r) error message for multiple entries, never used
253  * 	exists		(r) warning message for principal exists
254  * 	wrong_attrs	(r) warning message for wrong attributes
255  *
256  * Returns:
257  *
258  * 	KADM5_OK on success
259  * 	KADM5_ERR on serious errors
260  *
261  * Effects:
262  *
263  * If the principal is not unique, not_unique is printed (but this
264  * never happens).  If the principal exists, then exists is printed
265  * and if the principals attributes != attrs, wrong_attrs is printed.
266  * Otherwise, the principal is created with mod_by creator and
267  * attributes attrs and max life of lifetime (if not zero).
268  */
269 
270 int
271 add_admin_princ(void *handle, krb5_context context,
272     krb5_principal principal, int attrs, int lifetime)
273 {
274      char *fullname;
275      krb5_error_code ret;
276      kadm5_principal_ent_rec ent;
277 
278      memset(&ent, 0, sizeof(ent));
279 
280 	if (krb5_unparse_name(context, principal, &fullname))
281 		return (KADM5_ERR);
282 
283      ent.principal = principal;
284      ent.max_life = lifetime;
285      ent.attributes = attrs | KRB5_KDB_DISALLOW_ALL_TIX;
286 
287      if (ret = kadm5_create_principal(handle, &ent,
288 					   (KADM5_PRINCIPAL |
289 					    KADM5_MAX_LIFE |
290 					    KADM5_ATTRIBUTES),
291 					   "to-be-random")) {
292 	  if (ret != KADM5_DUP) {
293 		com_err(progname, ret,
294 			gettext(str_PUT_PRINC), fullname);
295 	       krb5_free_principal(context, ent.principal);
296 	       free(fullname);
297 		return (KADM5_ERR);
298 	  }
299      } else {
300 	  /* only randomize key if we created the principal */
301 	ret = kadm5_randkey_principal(handle, ent.principal, NULL, NULL);
302 	if (ret) {
303 		com_err(progname, ret,
304 			gettext(str_RANDOM_KEY), fullname);
305 		krb5_free_principal(context, ent.principal);
306 		free(fullname);
307 		return (KADM5_ERR);
308 	}
309 	ent.attributes = attrs;
310 	ret = kadm5_modify_principal(handle, &ent, KADM5_ATTRIBUTES);
311 	if (ret) {
312 		com_err(progname, ret,
313 			gettext(str_PUT_PRINC), fullname);
314 		krb5_free_principal(context, ent.principal);
315 		free(fullname);
316 		return (KADM5_ERR);
317 	}
318     }
319 
320     krb5_free_principal(context, ent.principal);
321     free(fullname);
322 
323     return (KADM5_OK);
324 }
325 
326 int
327 add_admin_old_princ(void *handle, krb5_context context,
328     char *name, char *realm, int attrs, int lifetime)
329 {
330 	char *fullname;
331 	krb5_error_code ret;
332 	krb5_principal principal;
333 
334 	fullname = build_name_with_realm(name, realm);
335 	if (ret = krb5_parse_name(context, fullname, &principal)) {
336 		com_err(progname, ret, gettext(str_PARSE_NAME));
337 		return (KADM5_ERR);
338 	}
339 
340 	return (add_admin_princ(handle, context, principal, attrs, lifetime));
341 }
342 
343 int
344 add_admin_sname_princ(void *handle, krb5_context context,
345 	     char *sname, int attrs, int lifetime)
346 {
347 	krb5_error_code ret;
348 	krb5_principal principal;
349 
350 	if (ret = krb5_sname_to_principal(context, NULL, sname,
351 					  KRB5_NT_SRV_HST, &principal)) {
352 		com_err(progname, ret,
353 			gettext("Could not get host based "
354 				"service name for %s principal\n"), sname);
355 		return (KADM5_ERR);
356 	}
357 	return (add_admin_princ(handle, context, principal, attrs, lifetime));
358 }
359 
360 
361 
362