hdb: Move virtual principals into HDB layer
This is a large commit that adds several features: - Revamps and moves virtual host-based service principal functionality from kdc/ to lib/hdb/ so that it may be automatically visible to lib/kadm5/, as well as kadmin(1)/kadmind(8) and ktutil(1). The changes are backwards-incompatible. - Completes support for documenting a service principal's supported enctypes in its HDB entry independently of its long-term keys. This will reduce HDB bloat by not requiring that service principals have more long-term keys than they need just to document the service's supported enctypes. - Adds support for storing krb5.conf content in principals' HDB entries. This may eventually be used for causing Heimdal KDC services to reconfigure primary/secondary roles automatically by discovering the configured primary in an HDB entry for the realm. For now this will be used to help reduce the amount of configuration needed by clients of an upcoming HTTP binding of the kadmin service.
This commit is contained in:
Nicolas Williams
@@ -124,13 +124,29 @@ fetch_acl (kadm5_server_context *context,
|
||||
if (princ != NULL) {
|
||||
krb5_principal pattern_princ;
|
||||
krb5_boolean match;
|
||||
const char *c0 = krb5_principal_get_comp_string(context->context,
|
||||
princ, 0);
|
||||
const char *pat_c0;
|
||||
|
||||
ret = krb5_parse_name (context->context, p, &pattern_princ);
|
||||
ret = krb5_parse_name(context->context, p, &pattern_princ);
|
||||
if (ret)
|
||||
break;
|
||||
match = krb5_principal_match (context->context,
|
||||
princ, pattern_princ);
|
||||
krb5_free_principal (context->context, pattern_princ);
|
||||
pat_c0 = krb5_principal_get_comp_string(context->context,
|
||||
pattern_princ, 0);
|
||||
match = krb5_principal_match(context->context,
|
||||
princ, pattern_princ);
|
||||
|
||||
/*
|
||||
* If `princ' is a WELLKNOWN name, then require the WELLKNOWN label
|
||||
* be matched exactly.
|
||||
*
|
||||
* FIXME: We could do something similar for krbtgt and kadmin other
|
||||
* principal types.
|
||||
*/
|
||||
if (match && c0 && strcmp(c0, "WELLKNOWN") == 0 &&
|
||||
(!pat_c0 || strcmp(pat_c0, "WELLKNOWN") != 0))
|
||||
match = FALSE;
|
||||
krb5_free_principal(context->context, pattern_princ);
|
||||
if (match) {
|
||||
*ret_flags = flags;
|
||||
break;
|
||||
|
||||
@@ -73,6 +73,9 @@
|
||||
#define KRB5_KDB_TRUSTED_FOR_DELEGATION 0x00020000
|
||||
#define KRB5_KDB_ALLOW_KERBEROS4 0x00040000
|
||||
#define KRB5_KDB_ALLOW_DIGEST 0x00080000
|
||||
#define KRB5_KDB_MATERIALIZE 0x00100000
|
||||
#define KRB5_KDB_VIRTUAL_KEYS 0x00200000
|
||||
#define KRB5_KDB_VIRTUAL 0x00400000
|
||||
|
||||
#define KADM5_PRINCIPAL 0x000001U
|
||||
#define KADM5_PRINC_EXPIRE_TIME 0x000002U
|
||||
@@ -141,6 +144,9 @@ typedef struct _krb5_tl_data {
|
||||
#define KRB5_TL_ALIASES 0x000a
|
||||
#define KRB5_TL_HIST_KVNO_DIFF_CLNT 0x000b
|
||||
#define KRB5_TL_HIST_KVNO_DIFF_SVC 0x000c
|
||||
#define KRB5_TL_ETYPES 0x000d
|
||||
#define KRB5_TL_KEY_ROTATION 0x000e
|
||||
#define KRB5_TL_KRB5_CONFIG 0x000f
|
||||
|
||||
typedef struct _kadm5_principal_ent_t {
|
||||
krb5_principal principal;
|
||||
|
||||
@@ -147,7 +147,8 @@ change(void *server_handle,
|
||||
goto out;
|
||||
|
||||
ret = context->db->hdb_fetch_kvno(context->context, context->db, princ,
|
||||
HDB_F_DECRYPT|HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent);
|
||||
HDB_F_DECRYPT|HDB_F_GET_ANY|HDB_F_ADMIN_DATA,
|
||||
0, &ent);
|
||||
if (ret)
|
||||
goto out2;
|
||||
|
||||
@@ -381,8 +382,8 @@ kadm5_s_chpass_principal_with_key(void *server_handle,
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
ret = context->db->hdb_fetch_kvno(context->context, context->db, princ, 0,
|
||||
HDB_F_GET_ANY|HDB_F_ADMIN_DATA, &ent);
|
||||
ret = context->db->hdb_fetch_kvno(context->context, context->db, princ,
|
||||
HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent);
|
||||
if (ret == HDB_ERR_NOENTRY)
|
||||
goto out2;
|
||||
|
||||
|
||||
@@ -54,6 +54,12 @@ kadm5_c_create_principal(void *server_handle,
|
||||
* We should get around to implementing this... At the moment, the
|
||||
* the server side API is implemented but the wire protocol has not
|
||||
* been updated.
|
||||
*
|
||||
* Well, we have the etypes extension, which the kadmin ank command now
|
||||
* adds, but that doesn't include salt types. We could, perhaps, make it
|
||||
* so if the password is "" or NULL, we send the etypes but not the salt
|
||||
* type, and then have the server side create random keys of just the
|
||||
* etypes.
|
||||
*/
|
||||
if (n_ks_tuple > 0)
|
||||
return KADM5_KS_TUPLE_NOSUPP;
|
||||
|
||||
@@ -207,7 +207,12 @@ kadm5_s_create_principal_with_key(void *server_handle,
|
||||
if (ret)
|
||||
goto out2;
|
||||
|
||||
/* This logs the change for iprop and writes to the HDB */
|
||||
/*
|
||||
* This logs the change for iprop and writes to the HDB.
|
||||
*
|
||||
* Creation of would-be virtual principals w/o the materialize flag will be
|
||||
* rejected in kadm5_log_create().
|
||||
*/
|
||||
ret = kadm5_log_create(context, &ent.entry);
|
||||
|
||||
(void) create_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT,
|
||||
@@ -238,8 +243,31 @@ kadm5_s_create_principal(void *server_handle,
|
||||
kadm5_ret_t ret;
|
||||
hdb_entry_ex ent;
|
||||
kadm5_server_context *context = server_handle;
|
||||
int use_pw = 1;
|
||||
|
||||
if (_kadm5_enforce_pwqual_on_admin_set_p(context)) {
|
||||
if ((mask & KADM5_ATTRIBUTES) &&
|
||||
(princ->attributes & (KRB5_KDB_VIRTUAL_KEYS | KRB5_KDB_VIRTUAL)) &&
|
||||
!(princ->attributes & KRB5_KDB_MATERIALIZE)) {
|
||||
ret = KADM5_DUP; /* XXX */
|
||||
goto out;
|
||||
}
|
||||
if ((mask & KADM5_ATTRIBUTES) &&
|
||||
(princ->attributes & KRB5_KDB_VIRTUAL_KEYS) &&
|
||||
(princ->attributes & KRB5_KDB_VIRTUAL)) {
|
||||
ret = KADM5_DUP; /* XXX */
|
||||
goto out;
|
||||
}
|
||||
|
||||
if ((mask & KADM5_ATTRIBUTES) &&
|
||||
(princ->attributes & KRB5_KDB_VIRTUAL) &&
|
||||
(princ->attributes & KRB5_KDB_MATERIALIZE))
|
||||
princ->attributes &= ~(KRB5_KDB_MATERIALIZE | KRB5_KDB_VIRTUAL);
|
||||
|
||||
if (password[0] == '\0' && (mask & KADM5_KEY_DATA) && princ->n_key_data &&
|
||||
!kadm5_all_keys_are_bogus(princ->n_key_data, princ->key_data))
|
||||
use_pw = 0;
|
||||
|
||||
if (use_pw && _kadm5_enforce_pwqual_on_admin_set_p(context)) {
|
||||
krb5_data pwd_data;
|
||||
const char *pwd_reason;
|
||||
|
||||
@@ -265,13 +293,22 @@ kadm5_s_create_principal(void *server_handle,
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = create_principal(context, princ, mask, &ent,
|
||||
KADM5_PRINCIPAL,
|
||||
KADM5_LAST_PWD_CHANGE | KADM5_MOD_TIME
|
||||
| KADM5_MOD_NAME | KADM5_MKVNO
|
||||
| KADM5_AUX_ATTRIBUTES | KADM5_KEY_DATA
|
||||
| KADM5_POLICY_CLR | KADM5_LAST_SUCCESS
|
||||
| KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT);
|
||||
if (use_pw)
|
||||
ret = create_principal(context, princ, mask, &ent,
|
||||
KADM5_PRINCIPAL,
|
||||
KADM5_LAST_PWD_CHANGE | KADM5_MOD_TIME
|
||||
| KADM5_MOD_NAME | KADM5_MKVNO
|
||||
| KADM5_AUX_ATTRIBUTES | KADM5_KEY_DATA
|
||||
| KADM5_POLICY_CLR | KADM5_LAST_SUCCESS
|
||||
| KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT);
|
||||
else
|
||||
ret = create_principal(context, princ, mask, &ent,
|
||||
KADM5_PRINCIPAL | KADM5_KEY_DATA,
|
||||
KADM5_LAST_PWD_CHANGE | KADM5_MOD_TIME
|
||||
| KADM5_MOD_NAME | KADM5_MKVNO
|
||||
| KADM5_AUX_ATTRIBUTES
|
||||
| KADM5_POLICY_CLR | KADM5_LAST_SUCCESS
|
||||
| KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
@@ -289,9 +326,11 @@ kadm5_s_create_principal(void *server_handle,
|
||||
|
||||
free_Keys(&ent.entry.keys);
|
||||
|
||||
ret = _kadm5_set_keys(context, &ent.entry, n_ks_tuple, ks_tuple, password);
|
||||
if (ret)
|
||||
goto out2;
|
||||
if (use_pw) {
|
||||
ret = _kadm5_set_keys(context, &ent.entry, n_ks_tuple, ks_tuple, password);
|
||||
if (ret)
|
||||
goto out2;
|
||||
}
|
||||
|
||||
ret = hdb_seal_keys(context->context, context->db, &ent.entry);
|
||||
if (ret)
|
||||
|
||||
@@ -108,7 +108,8 @@ kadm5_s_delete_principal(void *server_handle, krb5_principal princ)
|
||||
goto out;
|
||||
|
||||
ret = context->db->hdb_fetch_kvno(context->context, context->db, princ,
|
||||
HDB_F_DECRYPT|HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent);
|
||||
HDB_F_DECRYPT|HDB_F_GET_ANY|HDB_F_ADMIN_DATA,
|
||||
0, &ent);
|
||||
if (ret == HDB_ERR_NOENTRY)
|
||||
goto out2;
|
||||
if (ent.entry.flags.immutable) {
|
||||
|
||||
@@ -60,6 +60,9 @@ attr_to_flags(unsigned attr, HDBFlags *flags)
|
||||
flags->trusted_for_delegation = !!(attr & KRB5_KDB_TRUSTED_FOR_DELEGATION);
|
||||
flags->allow_kerberos4 = !!(attr & KRB5_KDB_ALLOW_KERBEROS4);
|
||||
flags->allow_digest = !!(attr & KRB5_KDB_ALLOW_DIGEST);
|
||||
flags->materialize = !!(attr & KRB5_KDB_MATERIALIZE);
|
||||
flags->virtual_keys = !!(attr & KRB5_KDB_VIRTUAL_KEYS);
|
||||
flags->virtual = !!(attr & KRB5_KDB_VIRTUAL);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -95,6 +98,25 @@ perform_tl_data(krb5_context context,
|
||||
|
||||
ret = hdb_entry_set_pw_change_time(context, &ent->entry, t);
|
||||
|
||||
} else if (tl_data->tl_data_type == KRB5_TL_KEY_ROTATION) {
|
||||
HDB_Ext_KeyRotation *prev_kr = 0;
|
||||
HDB_extension *prev_ext;
|
||||
HDB_extension ext;
|
||||
|
||||
ext.mandatory = 0;
|
||||
ext.data.element = choice_HDB_extension_data_key_rotation;
|
||||
prev_ext = hdb_find_extension(&ent->entry, ext.data.element);
|
||||
if (prev_ext)
|
||||
prev_kr = &prev_ext->data.u.key_rotation;
|
||||
ret = decode_HDB_Ext_KeyRotation(tl_data->tl_data_contents,
|
||||
tl_data->tl_data_length,
|
||||
&ext.data.u.key_rotation, NULL);
|
||||
if (ret == 0)
|
||||
ret = hdb_validate_key_rotations(context, prev_kr,
|
||||
&ext.data.u.key_rotation);
|
||||
if (ret == 0)
|
||||
ret = hdb_replace_extension(context, &ent->entry, &ext);
|
||||
free_HDB_extension(&ext);
|
||||
} else if (tl_data->tl_data_type == KRB5_TL_EXTENSION) {
|
||||
HDB_extension ext;
|
||||
|
||||
@@ -105,8 +127,34 @@ perform_tl_data(krb5_context context,
|
||||
if (ret)
|
||||
return KADM5_BAD_TL_TYPE;
|
||||
|
||||
ret = hdb_replace_extension(context, &ent->entry, &ext);
|
||||
if (ext.data.element == choice_HDB_extension_data_key_rotation) {
|
||||
HDB_extension *prev_ext = hdb_find_extension(&ent->entry,
|
||||
ext.data.element);
|
||||
HDB_Ext_KeyRotation *prev_kr = 0;
|
||||
|
||||
if (prev_ext)
|
||||
prev_kr = &prev_ext->data.u.key_rotation;
|
||||
ret = hdb_validate_key_rotations(context, prev_kr,
|
||||
&ext.data.u.key_rotation);
|
||||
}
|
||||
if (ret)
|
||||
ret = KADM5_BAD_TL_TYPE; /* XXX Need new error code */
|
||||
if (ret == 0)
|
||||
ret = hdb_replace_extension(context, &ent->entry, &ext);
|
||||
free_HDB_extension(&ext);
|
||||
} else if (tl_data->tl_data_type == KRB5_TL_ETYPES) {
|
||||
if (!ent->entry.etypes &&
|
||||
(ent->entry.etypes = calloc(1,
|
||||
sizeof(ent->entry.etypes[0]))) == NULL)
|
||||
ret = krb5_enomem(context);
|
||||
if (ent->entry.etypes)
|
||||
free_HDB_EncTypeList(ent->entry.etypes);
|
||||
if (ret == 0)
|
||||
ret = decode_HDB_EncTypeList(tl_data->tl_data_contents,
|
||||
tl_data->tl_data_length,
|
||||
ent->entry.etypes, NULL);
|
||||
if (ret)
|
||||
return KADM5_BAD_TL_TYPE;
|
||||
} else {
|
||||
return KADM5_BAD_TL_TYPE;
|
||||
}
|
||||
|
||||
@@ -123,6 +123,10 @@ kadm5_s_get_principal(void *server_handle,
|
||||
kadm5_server_context *context = server_handle;
|
||||
kadm5_ret_t ret;
|
||||
hdb_entry_ex ent;
|
||||
unsigned int flags = HDB_F_GET_ANY | HDB_F_ADMIN_DATA;
|
||||
|
||||
if ((mask & KADM5_KEY_DATA) || (mask & KADM5_KVNO))
|
||||
flags |= HDB_F_ALL_KVNOS | HDB_F_DECRYPT;
|
||||
|
||||
memset(&ent, 0, sizeof(ent));
|
||||
memset(out, 0, sizeof(*out));
|
||||
@@ -144,9 +148,9 @@ kadm5_s_get_principal(void *server_handle,
|
||||
* For now we won't attempt to recover the log.
|
||||
*/
|
||||
|
||||
ret = context->db->hdb_fetch_kvno(context->context, context->db, princ,
|
||||
HDB_F_DECRYPT|HDB_F_ALL_KVNOS|
|
||||
HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent);
|
||||
ret = hdb_fetch_kvno(context->context, context->db, princ,
|
||||
HDB_F_DECRYPT|HDB_F_ALL_KVNOS|
|
||||
HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, 0, 0, &ent);
|
||||
|
||||
if (!context->keep_open)
|
||||
context->db->hdb_close(context->context, context->db);
|
||||
@@ -179,6 +183,8 @@ kadm5_s_get_principal(void *server_handle,
|
||||
out->attributes |= ent.entry.flags.trusted_for_delegation ? KRB5_KDB_TRUSTED_FOR_DELEGATION : 0;
|
||||
out->attributes |= ent.entry.flags.allow_kerberos4 ? KRB5_KDB_ALLOW_KERBEROS4 : 0;
|
||||
out->attributes |= ent.entry.flags.allow_digest ? KRB5_KDB_ALLOW_DIGEST : 0;
|
||||
out->attributes |= ent.entry.flags.virtual_keys ? KRB5_KDB_VIRTUAL_KEYS : 0;
|
||||
out->attributes |= ent.entry.flags.virtual ? KRB5_KDB_VIRTUAL : 0;
|
||||
}
|
||||
if(mask & KADM5_MAX_LIFE) {
|
||||
if(ent.entry.max_life)
|
||||
@@ -295,6 +301,22 @@ kadm5_s_get_principal(void *server_handle,
|
||||
time_t last_pw_expire;
|
||||
const HDB_Ext_PKINIT_acl *acl;
|
||||
const HDB_Ext_Aliases *aliases;
|
||||
const HDB_Ext_KeyRotation *kr;
|
||||
heim_octet_string krb5_config;
|
||||
|
||||
if (ent.entry.etypes) {
|
||||
krb5_data buf;
|
||||
size_t len;
|
||||
|
||||
ASN1_MALLOC_ENCODE(HDB_EncTypeList, buf.data, buf.length,
|
||||
ent.entry.etypes, &len, ret);
|
||||
if (ret == 0) {
|
||||
ret = add_tl_data(out, KRB5_TL_ETYPES, buf.data, buf.length);
|
||||
free(buf.data);
|
||||
}
|
||||
if (ret)
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = hdb_entry_get_pw_change_time(&ent.entry, &last_pw_expire);
|
||||
if (ret == 0 && last_pw_expire) {
|
||||
@@ -302,6 +324,12 @@ kadm5_s_get_principal(void *server_handle,
|
||||
_krb5_put_int(buf, last_pw_expire, sizeof(buf));
|
||||
ret = add_tl_data(out, KRB5_TL_LAST_PWD_CHANGE, buf, sizeof(buf));
|
||||
}
|
||||
if (ret == 0)
|
||||
ret = hdb_entry_get_krb5_config(&ent.entry, &krb5_config);
|
||||
if (ret == 0 && krb5_config.length) {
|
||||
ret = add_tl_data(out, KRB5_TL_KRB5_CONFIG, krb5_config.data,
|
||||
krb5_config.length);
|
||||
}
|
||||
if (ret)
|
||||
goto out;
|
||||
/*
|
||||
@@ -311,6 +339,7 @@ kadm5_s_get_principal(void *server_handle,
|
||||
if (mask & KADM5_KEY_DATA) {
|
||||
heim_utf8_string pw;
|
||||
|
||||
/* XXX But not if the client doesn't have ext-keys */
|
||||
ret = hdb_entry_get_password(context->context,
|
||||
context->db, &ent.entry, &pw);
|
||||
if (ret == 0) {
|
||||
@@ -359,6 +388,26 @@ kadm5_s_get_principal(void *server_handle,
|
||||
}
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
ret = hdb_entry_get_key_rotation(context->context, &ent.entry, &kr);
|
||||
if (ret == 0 && kr) {
|
||||
krb5_data buf;
|
||||
size_t len;
|
||||
|
||||
ASN1_MALLOC_ENCODE(HDB_Ext_KeyRotation, buf.data, buf.length,
|
||||
kr, &len, ret);
|
||||
if (ret)
|
||||
goto out;
|
||||
if (len != buf.length)
|
||||
krb5_abortx(context->context,
|
||||
"internal ASN.1 encoder error");
|
||||
ret = add_tl_data(out, KRB5_TL_KEY_ROTATION, buf.data, buf.length);
|
||||
free(buf.data);
|
||||
if (ret)
|
||||
goto out;
|
||||
}
|
||||
if (ret)
|
||||
goto out;
|
||||
}
|
||||
|
||||
out:
|
||||
|
||||
@@ -940,13 +940,31 @@ kadm5_log_create(kadm5_server_context *context, hdb_entry *entry)
|
||||
krb5_ssize_t bytes;
|
||||
kadm5_ret_t ret;
|
||||
krb5_data value;
|
||||
hdb_entry_ex ent;
|
||||
hdb_entry_ex ent, existing;
|
||||
kadm5_log_context *log_context = &context->log_context;
|
||||
|
||||
memset(&ent, 0, sizeof(ent));
|
||||
ent.ctx = 0;
|
||||
ent.free_entry = 0;
|
||||
ent.entry = *entry;
|
||||
existing = ent;
|
||||
|
||||
/*
|
||||
* Do not allow creation of concrete entries within namespaces unless
|
||||
* explicitly requested.
|
||||
*/
|
||||
ret = hdb_fetch_kvno(context->context, context->db, entry->principal, 0,
|
||||
0, 0, 0, &existing);
|
||||
if (ret != 0 && ret != HDB_ERR_NOENTRY)
|
||||
return ret;
|
||||
if (ret == 0 && !ent.entry.flags.materialize &&
|
||||
(existing.entry.flags.virtual || existing.entry.flags.virtual_keys)) {
|
||||
hdb_free_entry(context->context, &existing);
|
||||
return HDB_ERR_EXISTS;
|
||||
}
|
||||
if (ret == 0)
|
||||
hdb_free_entry(context->context, &existing);
|
||||
ent.entry.flags.materialize = 0; /* Clear in stored entry */
|
||||
|
||||
/*
|
||||
* If we're not logging then we can't recover-to-perform, so just
|
||||
@@ -1406,6 +1424,7 @@ kadm5_log_replay_modify(kadm5_server_context *context,
|
||||
return ret;
|
||||
|
||||
memset(&ent, 0, sizeof(ent));
|
||||
/* NOTE: We do not use hdb_fetch_kvno() here */
|
||||
ret = context->db->hdb_fetch_kvno(context->context, context->db,
|
||||
log_ent.entry.principal,
|
||||
HDB_F_DECRYPT|HDB_F_ALL_KVNOS|
|
||||
@@ -1547,25 +1566,43 @@ kadm5_log_replay_modify(kadm5_server_context *context,
|
||||
}
|
||||
}
|
||||
}
|
||||
if ((mask & KADM5_TL_DATA) && log_ent.entry.etypes) {
|
||||
if (ent.entry.etypes)
|
||||
free_HDB_EncTypeList(ent.entry.etypes);
|
||||
free(ent.entry.etypes);
|
||||
ent.entry.etypes = calloc(1, sizeof(*ent.entry.etypes));
|
||||
if (ent.entry.etypes == NULL)
|
||||
ret = ENOMEM;
|
||||
if (ret == 0)
|
||||
ret = copy_HDB_EncTypeList(log_ent.entry.etypes, ent.entry.etypes);
|
||||
if (ret) {
|
||||
ret = krb5_enomem(context->context);
|
||||
free(ent.entry.etypes);
|
||||
ent.entry.etypes = NULL;
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
if ((mask & KADM5_TL_DATA) && log_ent.entry.extensions) {
|
||||
HDB_extensions *es = ent.entry.extensions;
|
||||
if (ent.entry.extensions) {
|
||||
free_HDB_extensions(ent.entry.extensions);
|
||||
free(ent.entry.extensions);
|
||||
ent.entry.extensions = NULL;
|
||||
}
|
||||
|
||||
ent.entry.extensions = calloc(1, sizeof(*ent.entry.extensions));
|
||||
if (ent.entry.extensions == NULL)
|
||||
goto out;
|
||||
ret = ENOMEM;
|
||||
|
||||
ret = copy_HDB_extensions(log_ent.entry.extensions,
|
||||
ent.entry.extensions);
|
||||
if (ret == 0)
|
||||
ret = copy_HDB_extensions(log_ent.entry.extensions,
|
||||
ent.entry.extensions);
|
||||
if (ret) {
|
||||
krb5_set_error_message(context->context, ret, "out of memory");
|
||||
ret = krb5_enomem(context->context);
|
||||
free(ent.entry.extensions);
|
||||
ent.entry.extensions = es;
|
||||
ent.entry.extensions = NULL;
|
||||
goto out;
|
||||
}
|
||||
if (es) {
|
||||
free_HDB_extensions(es);
|
||||
free(es);
|
||||
}
|
||||
}
|
||||
ret = context->db->hdb_store(context->context, context->db,
|
||||
HDB_F_REPLACE, &ent);
|
||||
|
||||
@@ -117,8 +117,14 @@ modify_principal(void *server_handle,
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
/*
|
||||
* NOTE: We do not use hdb_fetch_kvno() here, which means we'll
|
||||
* automatically reject modifications of would-be virtual principals.
|
||||
*/
|
||||
ret = context->db->hdb_fetch_kvno(context->context, context->db,
|
||||
princ->principal, HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent);
|
||||
princ->principal,
|
||||
HDB_F_DECRYPT|HDB_F_GET_ANY|HDB_F_ADMIN_DATA,
|
||||
0, &ent);
|
||||
if (ret)
|
||||
goto out2;
|
||||
|
||||
@@ -126,6 +132,10 @@ modify_principal(void *server_handle,
|
||||
0, princ, mask);
|
||||
if (ret)
|
||||
goto out3;
|
||||
/*
|
||||
* XXX Make sure that _kadm5_setup_entry() checks that the time of last
|
||||
* change in `ent' matches the one in `princ'.
|
||||
*/
|
||||
ret = _kadm5_setup_entry(context, &ent, mask, princ, mask, NULL, 0);
|
||||
if (ret)
|
||||
goto out3;
|
||||
|
||||
@@ -109,8 +109,10 @@ kadm5_s_prune_principal(void *server_handle,
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
/* NOTE: We do not use hdb_fetch_kvno() here */
|
||||
ret = context->db->hdb_fetch_kvno(context->context, context->db, princ,
|
||||
HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent);
|
||||
HDB_F_DECRYPT|HDB_F_GET_ANY|HDB_F_ADMIN_DATA,
|
||||
0, &ent);
|
||||
if (ret)
|
||||
goto out2;
|
||||
|
||||
|
||||
@@ -117,8 +117,10 @@ kadm5_s_randkey_principal(void *server_handle,
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
/* NOTE: We do not use hdb_fetch_kvno() here (maybe we should) */
|
||||
ret = context->db->hdb_fetch_kvno(context->context, context->db, princ,
|
||||
HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent);
|
||||
HDB_F_DECRYPT|HDB_F_GET_ANY|HDB_F_ADMIN_DATA,
|
||||
0, &ent);
|
||||
if(ret)
|
||||
goto out2;
|
||||
|
||||
|
||||
@@ -114,8 +114,11 @@ kadm5_s_rename_principal(void *server_handle,
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
/* NOTE: We do not use hdb_fetch_kvno() here */
|
||||
ret = context->db->hdb_fetch_kvno(context->context, context->db,
|
||||
source, HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent);
|
||||
source,
|
||||
HDB_F_DECRYPT|HDB_F_GET_ANY|HDB_F_ADMIN_DATA,
|
||||
0, &ent);
|
||||
if (ret)
|
||||
goto out2;
|
||||
oldname = ent.entry.principal;
|
||||
|
||||
@@ -132,8 +132,10 @@ kadm5_s_setkey_principal_3(void *server_handle,
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* NOTE: We do not use hdb_fetch_kvno() here (maybe we should?) */
|
||||
ret = context->db->hdb_fetch_kvno(context->context, context->db, princ,
|
||||
HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent);
|
||||
HDB_F_DECRYPT|HDB_F_GET_ANY|HDB_F_ADMIN_DATA,
|
||||
0, &ent);
|
||||
if (ret) {
|
||||
(void) kadm5_log_end(context);
|
||||
if (!context->keep_open)
|
||||
|
||||
Reference in New Issue
Block a user