/*
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 * Openvision retains the copyright to derivative works of
 * this source code.  Do *NOT* create a derivative of this
 * source code before consulting with your legal department.
 * Do *NOT* integrate *ANY* of this source code into another
 * product before consulting with your legal department.
 *
 * For further information, read the top-level Openvision
 * copyright which is contained in the top-level MIT Kerberos
 * copyright.
 *
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 */


/*
 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
 *
 * $Header$
 */

#if !defined(lint) && !defined(__CODECENTER__)
static char *rcsid = "$Header$";
#endif

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "k5-int.h"
#include <kadm5/admin.h>
#include "server_internal.h"

extern caddr_t xdralloc_getdata(XDR *xdrs);
extern void xdralloc_create(XDR *xdrs, enum xdr_op op);

krb5_principal master_princ;
krb5_db_entry master_db;

krb5_principal hist_princ;
krb5_keyblock hist_key;
krb5_db_entry hist_db;
krb5_kvno hist_kvno;

/* much of this code is stolen from the kdc.  there should be some
   library code to deal with this.
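 */

/*
 * Function: kdb_init_master
 *
 * Purpose: Locates the master key principal of a realm and loads the
 * master key into handle->master_keyblock.
 *
 * Arguments:
 *
 *      handle          (r) kadm5 api server handle
 *      r               (r) realm whose master key to load, or NULL to
 *                          use the default realm from the context
 *      from_keyboard   (r) nonzero to let krb5_db_fetch_mkey obtain the
 *                          key interactively; zero to use
 *                          handle->params.stash_file
 *
 * Effects: sets the global master_princ and handle->master_keyblock.
 * The fetched key is verified against the database; when verification
 * fails the database is closed with krb5_db_fini before returning.
 *
 * Returns: 0 on success, otherwise a krb5 error code.
 */
krb5_error_code kdb_init_master(kadm5_server_handle_t handle,
                                char *r, int from_keyboard)
{
    krb5_error_code ret = 0;
    char *realm;
    /* Normalize the int flag to the krb5_boolean the fetch call takes. */
    krb5_boolean from_kbd = from_keyboard ? TRUE : FALSE;

    if (r == NULL) {
        /* realm is allocated here and owned by us until done. */
        if ((ret = krb5_get_default_realm(handle->context, &realm)))
            return ret;
    } else {
        realm = r;
    }

    if ((ret = krb5_db_setup_mkey_name(handle->context,
                                       handle->params.mkey_name,
                                       realm, NULL, &master_princ)))
        goto done;
    /* Solaris Kerberos */
#if 0
    master_keyblock.enctype = handle->params.enctype;
#endif

    /* Solaris Kerberos */
    ret = krb5_db_fetch_mkey(handle->context, master_princ,
                             handle->params.enctype, from_kbd,
                             FALSE /* only prompt once */,
                             handle->params.stash_file,
                             NULL /* I'm not sure about this,
                                     but it's what the kdc does --marc */,
                             &handle->master_keyblock);
    if (ret)
        goto done;

    /* Solaris Kerberos */
    ret = krb5_db_verify_master_key(handle->context, master_princ,
                                    &handle->master_keyblock);
    if (ret) {
        /* A key that does not verify is unusable: close the database.
           Fall through to done so that a default realm obtained above
           is released instead of leaked on this path.
           NOTE(review): handle->master_keyblock still holds the
           unverified key material here; callers presumably discard the
           handle — confirm. */
        krb5_db_fini(handle->context);
    }

done:
    if (r == NULL)
        free(realm);

    return(ret);
}

/*
 * Function: kdb_init_hist
 *
 * Purpose: Initializes the global history variables.
 *
 * Arguments:
 *
 *      handle          (r) kadm5 api server handle
 *      r               (r) realm of history principal to use, or NULL
 *
 * Effects: This function sets the value of the following global
 * variables:
 *
 *      hist_princ      krb5_principal holding the history principal
 *      hist_db         krb5_db_entry of the history principal
 *      hist_key        krb5_keyblock holding the history principal's key
 *      hist_encblock   krb5_encrypt_block holding the processed hist_key
 *                      (stale: no such global is declared in this file)
 *      hist_kvno       the version number of the history key
 *
 * If the history principal does not already exist, this function
 * attempts to create it with kadm5_create_principal.  WARNING!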
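 * If the history principal is deleted and this function is executed
 * (by kadmind, or kadmin.local, or anything else with permission),
 * the principal will be assigned a new random key and all existing
 * password history information will become useless.
 *
 * Returns: 0 on success; ENOMEM if the principal name cannot be
 * allocated; otherwise a krb5 or kadm5 error code.
 */
krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r)
{
    krb5_error_code ret = 0;
    char *realm;
    char *hist_name = NULL;     /* NULL until allocated; free(NULL) is fine */
    size_t name_len;
    krb5_key_data *key_data;
    krb5_key_salt_tuple ks[1];

    if (r == NULL) {
        /* realm is allocated here and released at done. */
        if ((ret = krb5_get_default_realm(handle->context, &realm)))
            return ret;
    } else {
        realm = r;
    }

    /* "<history principal>@<realm>": the two extra bytes are '@' and NUL. */
    name_len = strlen(KADM5_HIST_PRINCIPAL) + strlen(realm) + 2;
    hist_name = malloc(name_len);
    if (hist_name == NULL) {
        /* Report the failure; falling through with ret == 0 would
           claim success while leaving hist_princ unset. */
        ret = ENOMEM;
        goto done;
    }
    (void) snprintf(hist_name, name_len, "%s@%s", KADM5_HIST_PRINCIPAL,
                    realm);

    if ((ret = krb5_parse_name(handle->context, hist_name, &hist_princ)))
        goto done;

    if ((ret = kdb_get_entry(handle, hist_princ, &hist_db, NULL))) {
        kadm5_principal_ent_rec ent;

        /* Only "no such principal" is recoverable here. */
        if (ret != KADM5_UNK_PRINC)
            goto done;

        /* try to create the principal */

        memset(&ent, 0, sizeof(ent));

        ent.principal = hist_princ;
        ent.max_life = KRB5_KDB_DISALLOW_ALL_TIX;
        ent.attributes = 0;

        /* this uses hist_kvno.  So we set it to 2, which will be the
           correct value once the principal is created and randomized.
           Of course, it doesn't make sense to keep a history for the
           history principal, anyway. */

        hist_kvno = 2;
        ks[0].ks_enctype = handle->params.enctype;
        ks[0].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
        ret = kadm5_create_principal_3(handle, &ent,
                                       (KADM5_PRINCIPAL | KADM5_MAX_LIFE |
                                        KADM5_ATTRIBUTES),
                                       1, ks,
                                       "to-be-random");
        if (ret)
            goto done;

        /* this won't let us randomize the hist_princ.  So we cheat:
           hide the global for the duration of the randkey call. */

        hist_princ = NULL;

        ret = kadm5_randkey_principal_3(handle, ent.principal, 0, 1, ks,
                                        NULL, NULL);

        hist_princ = ent.principal;

        if (ret)
            goto done;

        /* now read the newly-created kdb record out of the
           database. */

        if ((ret = kdb_get_entry(handle, hist_princ, &hist_db, NULL)))
            goto done;

    }

    ret = krb5_dbe_find_enctype(handle->context, &hist_db,
                                handle->params.enctype, -1, -1, &key_data);
    if (ret)
        goto done;

    /* Solaris Kerberos */
    /* Decrypt the history key under the master key into the global
       hist_key; nothing in this file clears it afterwards. */
    ret = krb5_dbekd_decrypt_key_data(handle->context,
                                      &handle->master_keyblock, key_data,
                                      &hist_key, NULL);
    if (ret)
        goto done;

    hist_kvno = key_data->key_data_kvno;

done:
    free(hist_name);
    if (r == NULL)
        free(realm);
    return ret;
}

/*
 * Function: kdb_get_entry
 *
 * Purpose: Gets an entry from the kerberos database and breaks
 * it out into a krb5_db_entry and an osa_princ_ent_t.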
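 *
 * Arguments:
 *
 *      handle          (r) the server_handle
 *      principal       (r) the principal to get
 *      kdb             (w) krb5_db_entry to fill in
 *      adb             (w) osa_princ_ent_rec to fill in, or NULL to skip
 *                          the admin data entirely
 *
 * when the caller is done with kdb and adb, kdb_free_entry must be
 * called to release them.  The adb record is filled in with the
 * contents of the KRB5_TL_KADM_DATA record; if that record doesn't
 * exist, an empty but valid adb record is returned.
 *
 * Returns: 0 on success.  KADM5_UNK_PRINC if the principal is not in
 * the database, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE if the lookup matched
 * more than one entry, KADM5_XDR_FAILURE if the stored admin data does
 * not decode, or the error from the underlying database call.  On any
 * error kdb has already been released and must not be passed to
 * kdb_free_entry.
 */
krb5_error_code
kdb_get_entry(kadm5_server_handle_t handle,
              krb5_principal principal, krb5_db_entry *kdb,
              osa_princ_ent_rec *adb)
{
    krb5_error_code ret;
    int nprincs;
    krb5_boolean more;
    krb5_tl_data tl_data;
    XDR xdrs;

    ret = krb5_db_get_principal(handle->context, principal, kdb, &nprincs,
                                &more);
    if (ret)
        return(ret);

    /* Exactly one match is required; anything else is released here. */
    if (more) {
        krb5_db_free_principal(handle->context, kdb, nprincs);
        return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
    } else if (nprincs != 1) {
        krb5_db_free_principal(handle->context, kdb, nprincs);
        return(KADM5_UNK_PRINC);
    }

    if (adb) {
        memset(adb, 0, sizeof(*adb));

        tl_data.tl_data_type = KRB5_TL_KADM_DATA;
        /*
         * XXX Currently, lookup_tl_data always returns zero; it sets
         * tl_data->tl_data_length to zero if the type isn't found.
         * This should be fixed...
         */
        ret = krb5_dbe_lookup_tl_data(handle->context, kdb, &tl_data);
        if (ret) {
            /* Release the entry so a failing call never hands the
               caller a kdb it would have to free itself. */
            krb5_db_free_principal(handle->context, kdb, 1);
            return(ret);
        }
        if (tl_data.tl_data_length == 0) {
            /* there's no admin data.  this can happen, if the admin
               server is put into production after some principals
               are created.  In this case, return valid admin
               data (which is all zeros with the hist_kvno filled
               in), and when the entry is written, the admin
               data will get stored correctly. */

            adb->admin_history_kvno = hist_kvno;

            return(0);
        }

        /* Solaris Kerberos */
        xdrmem_create(&xdrs, (caddr_t)tl_data.tl_data_contents,
                      tl_data.tl_data_length, XDR_DECODE);
        if (!xdr_osa_princ_ent_rec(&xdrs, adb)) {
            xdr_destroy(&xdrs);
            krb5_db_free_principal(handle->context, kdb, 1);
            return(KADM5_XDR_FAILURE);
        }
        xdr_destroy(&xdrs);
    }

    return(0);
}

/*
 * Function: kdb_free_entry
 *
 * Purpose: frees the resources allocated by kdb_get_entry
 *
 * Arguments:
 *
 *      handle          (r) the server_handle
 *      kdb             (r) krb5_db_entry filled in by kdb_get_entry,
 *                          or NULL
 *      adb             (r) osa_princ_ent_rec filled in by kdb_get_entry,
 *                          or NULL
 *
 * Each non-NULL argument has its contents released; the structures
 * themselves belong to the caller.  Call this once per successful
 * kdb_get_entry when the caller is done with kdb and adb.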
 */

krb5_error_code
kdb_free_entry(kadm5_server_handle_t handle,
               krb5_db_entry *kdb, osa_princ_ent_rec *adb)
{
    XDR xdrs;

    /* kdb_get_entry always fetches exactly one entry, hence the 1. */
    if (kdb != NULL)
        krb5_db_free_principal(handle->context, kdb, 1);

    if (adb == NULL)
        return(0);

    /* An XDR_FREE pass over the record releases everything the decoder
       allocated; the stream itself carries no buffer. */
    xdrmem_create(&xdrs, NULL, 0, XDR_FREE);
    (void) xdr_osa_princ_ent_rec(&xdrs, adb);
    xdr_destroy(&xdrs);

    return(0);
}

/*
 * Function: kdb_put_entry
 *
 * Purpose: Stores the osa_princ_ent_t and krb5_db_entry into the
 * database.
 *
 * Arguments:
 *
 *      handle          (r) the server_handle
 *      kdb             (r/w) the krb5_db_entry to store
 *      adb             (r) the osa_princ_db_ent to store
 *
 * Effects:
 *
 * The last modifier field of the kdb is set to the caller at now.
 * adb is encoded with xdr_osa_princ_ent_rec and stored in kdb as
 * KRB5_TL_KADM_DATA.  kdb is then written to the database.
 */
krb5_error_code
kdb_put_entry(kadm5_server_handle_t handle,
              krb5_db_entry *kdb, osa_princ_ent_rec *adb)
{
    krb5_error_code ret;
    krb5_int32 now;
    XDR xdrs;
    krb5_tl_data tl_data;
    int one = 1;

    /* Stamp the entry with the acting caller and the current time
       first; this is what gives the record its modification audit
       trail (handle->current_caller). */
    ret = krb5_timeofday(handle->context, &now);
    if (ret != 0)
        return(ret);

    ret = krb5_dbe_update_mod_princ_data(handle->context, kdb, now,
                                         handle->current_caller);
    if (ret != 0)
        return(ret);

    /* Encode adb into a buffer owned by the xdralloc stream. */
    xdralloc_create(&xdrs, XDR_ENCODE);
    if (!xdr_osa_princ_ent_rec(&xdrs, adb)) {
        xdr_destroy(&xdrs);
        return(KADM5_XDR_FAILURE);
    }

    tl_data.tl_data_type = KRB5_TL_KADM_DATA;
    /* NOTE(review): xdr_getpos() yields an unsigned int; if
       tl_data_length is a narrower field a very large encoding would
       be silently truncated — confirm the field width. */
    tl_data.tl_data_length = xdr_getpos(&xdrs);
    /* Solaris Kerberos */
    tl_data.tl_data_contents = (unsigned char *) xdralloc_getdata(&xdrs);

    ret = krb5_dbe_update_tl_data(handle->context, kdb, &tl_data);

    /* The stream is destroyed only after update_tl_data has consumed
       tl_data_contents, which the stream owns. */
    xdr_destroy(&xdrs);

    if (ret != 0)
        return(ret);

    return krb5_db_put_principal(handle->context, kdb, &one);
}

/*
 * Function: kdb_delete_entry
 *
 * Purpose: Removes a single principal from the database.
 *
 * Arguments:
 *
 *      handle          (r) the server_handle
 *      name            (r) the principal to delete
 *
 * Returns: whatever krb5_db_delete_principal returns.
 */
krb5_error_code
kdb_delete_entry(kadm5_server_handle_t handle, krb5_principal name)
{
    int one = 1;

    return krb5_db_delete_principal(handle->context, name, &one);
}

/* Carries the caller's callback and cookie through krb5_db_iterate. */
typedef struct _iter_data {
    void (*func)(void *, krb5_principal);
    void *data;
} iter_data;

static krb5_error_code
kdb_iter_func(krb5_pointer data, krb5_db_entry *kdb)
{
    /* Adapter: krb5_db_iterate hands us the whole entry, the caller's
       callback only wants the principal. */
    iter_data *ctx = (iter_data *) data;

    ctx->func(ctx->data, kdb->princ);

    return(0);
}

/*
 * Function: kdb_iter_entry
 *
 * Purpose: Invokes iter_fct(data, principal) for every database entry
 * selected by match_entry.
 *
 * Arguments:
 *
 *      handle          (r) the server_handle
 *      match_entry     (r) selection string passed to krb5_db_iterate
 *      iter_fct        (r) callback receiving data and each principal
 *      data            (r) opaque cookie handed back to iter_fct
 *
 * Returns: the result of krb5_db_iterate.
 */
krb5_error_code
kdb_iter_entry(kadm5_server_handle_t handle, char *match_entry,
               void (*iter_fct)(void *, krb5_principal), void *data)
{
    iter_data id = { iter_fct, data };

    /* Solaris Kerberos: added support for db_args */
    return krb5_db_iterate(handle->context, match_entry, kdb_iter_func,
                           &id, NULL);
}
