WIP
This commit is contained in:
@@ -68,6 +68,12 @@ do_ext_keytab(krb5_principal principal, void *data)
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
/* Debug: record which principal was fetched and some context */
|
||||
krb5_warnx(context, "do_ext_keytab: fetched principal %s mask=0x%x n_key_data=%d",
|
||||
unparsed ? unparsed : "<unparsed>",
|
||||
mask,
|
||||
(int)princ.n_key_data);
|
||||
|
||||
if (!e->random_key_flag) {
|
||||
if (princ.n_key_data == 0) {
|
||||
krb5_warnx(context, "principal has no keys, or user lacks "
|
||||
@@ -111,6 +117,13 @@ do_ext_keytab(krb5_principal principal, void *data)
|
||||
keys[i].keyblock.keyvalue.data = kd->key_data_contents[0];
|
||||
keys[i].timestamp = time(NULL);
|
||||
n_k++;
|
||||
|
||||
/* Debug: log each key extracted (kvno/enctype) for the principal */
|
||||
krb5_warnx(context, "do_ext_keytab: principal=%s key_index=%zu kvno=%d enctype=%d",
|
||||
unparsed ? unparsed : "<unparsed>",
|
||||
i,
|
||||
keys[i].vno,
|
||||
keys[i].keyblock.keytype);
|
||||
}
|
||||
} else if (e->random_key_flag) {
|
||||
ret = kadm5_randkey_principal_3(e->kadm_handle, principal, e->keep,
|
||||
@@ -208,6 +221,10 @@ ext_keytab(struct ext_keytab_options *opt, int argc, char **argv)
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* Debug: record ext_keytab invocation details */
|
||||
krb5_warnx(context, "ext_keytab: invoking foreach_principal for %zu principals, enctypes=%s",
|
||||
(size_t)argc, enctypes ? enctypes : "<none>");
|
||||
|
||||
for(i = 0; i < argc; i++) {
|
||||
ret = foreach_principal(argv[i], do_ext_keytab, "ext", &data);
|
||||
if (ret)
|
||||
|
||||
+69
-4
@@ -488,12 +488,71 @@ do_get_entry(krb5_principal principal, void *data)
|
||||
e->upto--;
|
||||
|
||||
memset(&princ, 0, sizeof(princ));
|
||||
ret = kadm5_get_principal(e->kadm_handle, principal,
|
||||
&princ,
|
||||
e->mask | e->extra_mask);
|
||||
|
||||
/* Loud tracing: record which principal we are about to request from kadmind.
|
||||
*
|
||||
* Guard the unparse call: don't call into unparse with a NULL principal
|
||||
* and only use the unparsed string if the call succeeds.
|
||||
*/
|
||||
{
|
||||
char *want = NULL;
|
||||
if (principal != NULL && krb5_unparse_name(context, principal, &want) == 0 && want != NULL) {
|
||||
krb5_warnx(context, "kadmin:get: do_get_entry: requesting principal lookup for %s (mask=0x%x extra_mask=0x%x) (pid=%d)",
|
||||
want, e->mask, e->extra_mask, (int)getpid());
|
||||
} else {
|
||||
krb5_warnx(context, "kadmin:get: do_get_entry: requesting principal lookup for <unparsed> (mask=0x%x extra_mask=0x%x) (pid=%d)",
|
||||
e->mask, e->extra_mask, (int)getpid());
|
||||
}
|
||||
free(want);
|
||||
}
|
||||
|
||||
/* Always request the principal field so we can safely unparse/format
|
||||
* the returned entry. Some callers request only TL_DATA (eg aliases),
|
||||
* and the kadm5 backend may return successful results without filling
|
||||
* the principal pointer which leads to crashes when we try to use it.
|
||||
*/
|
||||
{
|
||||
uint32_t want_mask = e->mask | e->extra_mask | KADM5_PRINCIPAL;
|
||||
ret = kadm5_get_principal(e->kadm_handle, principal,
|
||||
&princ,
|
||||
want_mask);
|
||||
}
|
||||
|
||||
if (ret == 0) {
|
||||
/* Success: log the fact we received a principal record and some basic info */
|
||||
{
|
||||
char *got = NULL;
|
||||
if (krb5_unparse_name(context, princ.principal, &got) == 0) {
|
||||
krb5_warnx(context, "kadmin:get: do_get_entry: kadm5_get_principal succeeded: principal=%s kvno=%d n_key_data=%d (pid=%d)",
|
||||
got ? got : "<unparsed>",
|
||||
princ.kvno,
|
||||
princ.n_key_data,
|
||||
(int)getpid());
|
||||
} else {
|
||||
krb5_warnx(context, "kadmin:get: do_get_entry: kadm5_get_principal succeeded: <unparsed principal> kvno=%d n_key_data=%d (pid=%d)",
|
||||
princ.kvno, princ.n_key_data, (int)getpid());
|
||||
}
|
||||
free(got);
|
||||
}
|
||||
|
||||
(e->format)(e, &princ);
|
||||
kadm5_free_principal_ent(e->kadm_handle, &princ);
|
||||
} else {
|
||||
/* Failure: log explicit error so we can trace failing lookups.
|
||||
*
|
||||
* Guard the unparse call similarly to above.
|
||||
*/
|
||||
{
|
||||
char *want2 = NULL;
|
||||
if (principal != NULL && krb5_unparse_name(context, principal, &want2) == 0 && want2 != NULL) {
|
||||
krb5_warn(context, ret, "kadmin:get: do_get_entry: kadm5_get_principal(%s) failed (pid=%d)",
|
||||
want2, (int)getpid());
|
||||
} else {
|
||||
krb5_warn(context, ret, "kadmin:get: do_get_entry: kadm5_get_principal(<unparsed>) failed (pid=%d)",
|
||||
(int)getpid());
|
||||
}
|
||||
free(want2);
|
||||
}
|
||||
}
|
||||
|
||||
e->n++;
|
||||
@@ -627,8 +686,14 @@ getit(struct get_options *opt, const char *name, int argc, char **argv)
|
||||
return 0;
|
||||
}
|
||||
|
||||
for(i = 0; i < argc; i++)
|
||||
for(i = 0; i < argc; i++) {
|
||||
/* Loud tracing: announce each foreach_principal invocation */
|
||||
krb5_warnx(context, "kadmin:get: getit: invoking foreach_principal for arg[%d]=%s (call %d of %d) (pid=%d)",
|
||||
i, argv[i] ? argv[i] : "<null>", i+1, argc, (int)getpid());
|
||||
ret = foreach_principal(argv[i], do_get_entry, name, &data);
|
||||
if (ret)
|
||||
krb5_warn(context, ret, "kadmin:get: getit: foreach_principal(%s) returned error", argv[i] ? argv[i] : "<null>");
|
||||
}
|
||||
|
||||
kadm5_destroy(data.kadm_handle);
|
||||
|
||||
|
||||
@@ -624,7 +624,31 @@ proc_get_principal(kadm5_server_context *contextp,
|
||||
if(ret)
|
||||
goto fail;
|
||||
|
||||
/* Loud tracing: log which client requested this GET and what principal is being looked up */
|
||||
{
|
||||
char *want = NULL;
|
||||
(void) krb5_unparse_name(contextp->context, princ, &want);
|
||||
krb5_warnx(contextp->context,
|
||||
"proc_get_principal: received GET request for principal=%s mask=0x%x (pid=%d ppid=%d uid=%d)",
|
||||
want ? want : "<unparsed>",
|
||||
mask,
|
||||
(int)getpid(),
|
||||
(int)getppid(),
|
||||
(int)getuid());
|
||||
free(want);
|
||||
}
|
||||
|
||||
ret = kadm5_get_principal(contextp, princ, &ent, mask);
|
||||
if (ret) {
|
||||
/* Extra log to make failures obvious at the call site */
|
||||
char *want2 = NULL;
|
||||
(void) krb5_unparse_name(contextp->context, princ, &want2);
|
||||
krb5_warn(contextp->context, ret,
|
||||
"proc_get_principal: kadm5_get_principal failed for principal=%s (pid=%d)",
|
||||
want2 ? want2 : "<unparsed>",
|
||||
(int)getpid());
|
||||
free(want2);
|
||||
}
|
||||
|
||||
fail:
|
||||
krb5_warn(contextp->context, ret, "get principal principal");
|
||||
|
||||
@@ -226,6 +226,8 @@ kadmind_dispatch_int(void *kadm_handlep, krb5_boolean initial,
|
||||
ret_sp = krb5_store_int32(rsp, KADM5_FAILURE);
|
||||
goto fail;
|
||||
}
|
||||
/* Debug: record which client and numeric command we received */
|
||||
krb5_warnx(contextp->context, "kadmind_dispatch: received request from client=%s cmd=%d", client, cmd);
|
||||
|
||||
switch(cmd){
|
||||
case kadm_nop:{
|
||||
@@ -268,6 +270,8 @@ kadmind_dispatch_int(void *kadm_handlep, krb5_boolean initial,
|
||||
mask |= KADM5_PRINCIPAL;
|
||||
krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
|
||||
krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
|
||||
/* Debug: include mask/keys_ok context so we can correlate admin requests to keytab lookups */
|
||||
krb5_warnx(contextp->context, "kadmind_dispatch: GET invoked by %s for %s (mask=0x%x, keys_ok=%d)", client, name, mask, keys_ok);
|
||||
|
||||
/* If the caller doesn't have KADM5_PRIV_GET, we're done. */
|
||||
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_GET, princ);
|
||||
@@ -307,6 +311,7 @@ kadmind_dispatch_int(void *kadm_handlep, krb5_boolean initial,
|
||||
}
|
||||
}
|
||||
|
||||
krb5_warnx(contextp->context, "kadmind_dispatch: calling kadm5_get_principal for %s (mask=0x%x, keys_ok=%d)", name, mask, keys_ok);
|
||||
ret = kadm5_get_principal(kadm_handlep, princ, &ent, mask);
|
||||
ret_sp = krb5_store_int32(rsp, ret);
|
||||
if (ret == 0) {
|
||||
|
||||
Reference in New Issue
Block a user