diff --git a/kadmin/kadmin.1 b/kadmin/kadmin.1
index 221c34844..09381a6b3 100644
--- a/kadmin/kadmin.1
+++ b/kadmin/kadmin.1
@@ -336,10 +336,14 @@ Possible attributes are:
 .Li new-princ ,
 .Li support-desmd5 ,
 .Li pwchange-service ,
+.Li disallow-client ,
 .Li disallow-svr ,
 .Li requires-pw-change ,
 .Li requires-hw-auth ,
 .Li requires-pre-auth ,
+.Li allow-digest ,
+.Li trusted-for-delegation ,
+.Li ok-as-delegate ,
 .Li disallow-all-tix ,
 .Li disallow-dup-skey ,
 .Li disallow-proxiable ,
diff --git a/kadmin/util.c b/kadmin/util.c
index 13d2be73c..0e494e8bd 100644
--- a/kadmin/util.c
+++ b/kadmin/util.c
@@ -54,6 +54,7 @@ struct units kdb_attrs[] = {
     { "new-princ", KRB5_KDB_NEW_PRINC },
     { "support-desmd5", KRB5_KDB_SUPPORT_DESMD5 },
     { "pwchange-service", KRB5_KDB_PWCHANGE_SERVICE },
+    { "disallow-client", KRB5_KDB_DISALLOW_CLIENT },
     { "disallow-svr", KRB5_KDB_DISALLOW_SVR },
     { "requires-pw-change", KRB5_KDB_REQUIRES_PWCHANGE },
     { "requires-hw-auth", KRB5_KDB_REQUIRES_HW_AUTH },
diff --git a/lib/kadm5/admin.h b/lib/kadm5/admin.h
index 3aa4ed863..d466130ed 100644
--- a/lib/kadm5/admin.h
+++ b/lib/kadm5/admin.h
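Review bot: The man-page hunk in this same commit advertises `allow-digest`, `trusted-for-delegation` and `ok-as-delegate` as accepted attribute names, yet this hunk adds only `disallow-client` to `kdb_attrs`, and none of those three appear in the visible part of the table. If they are not already entries further down (the array continues outside the hunk), `kadmin modify --attributes=+ok-as-delegate` would reject a name the manual now documents, so please confirm against the full table. A short comment on the new entry would also help, since this bit has no MIT counterpart: `{ "disallow-client", KRB5_KDB_DISALLOW_CLIENT }, /* Heimdal-only bit, see admin.h */`.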
@@ -69,13 +69,30 @@
 #define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
 #define KRB5_KDB_SUPPORT_DESMD5 0x00004000
 #define KRB5_KDB_NEW_PRINC 0x00008000
-#define KRB5_KDB_OK_AS_DELEGATE 0x00010000
-#define KRB5_KDB_TRUSTED_FOR_DELEGATION 0x00020000
-#define KRB5_KDB_ALLOW_KERBEROS4 0x00040000
-#define KRB5_KDB_ALLOW_DIGEST 0x00080000
-#define KRB5_KDB_MATERIALIZE 0x00100000
-#define KRB5_KDB_VIRTUAL_KEYS 0x00200000
-#define KRB5_KDB_VIRTUAL 0x00400000
+#define KRB5_KDB_OK_AS_DELEGATE 0x00010000 /* 0x00100000 in MIT */
+#define KRB5_KDB_TRUSTED_FOR_DELEGATION 0x00020000 /* MIT has as 0x00200000 */
+#define KRB5_KDB_ALLOW_KERBEROS4 0x00040000 /* MIT doesn't have this; XXX remove */
+#define KRB5_KDB_ALLOW_DIGEST 0x00080000 /* MIT doesn't have this */
+#define KRB5_KDB_MATERIALIZE 0x00100000 /* MIT doesn't have this */
+#define KRB5_KDB_VIRTUAL_KEYS 0x00200000 /* MIT doesn't have this */
+#define KRB5_KDB_VIRTUAL 0x00400000 /* MIT doesn't have this */
+#define KRB5_KDB_DISALLOW_CLIENT 0x00800000 /* MIT doesn't have this */
+
+/*
+ * MIT has:
+ *
+ * - Same as our KRB5_KDB_TRUSTED_FOR_DELEGATION:
+ *
+ * #define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000 // S4U2Self OK
+ *
+ * - Misc:
+ *
+ * #define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x00400000 // Don't lookup / add
+ * // authz data
+ * #define KRB5_KDB_LOCKDOWN_KEYS 0x00800000 // Don't allow
+ * // deletion of princ
+ */
+
 
 #define KADM5_PRINCIPAL 0x000001U
 #define KADM5_PRINC_EXPIRE_TIME 0x000002U
diff --git a/lib/kadm5/ent_setup.c b/lib/kadm5/ent_setup.c
index 6fafe07e9..cd9ddfb41 100644
--- a/lib/kadm5/ent_setup.c
+++ b/lib/kadm5/ent_setup.c
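Review bot: `KRB5_KDB_DISALLOW_CLIENT` takes 0x00800000, which the comment block added right below assigns to MIT's `KRB5_KDB_LOCKDOWN_KEYS`, and by the same table 0x00100000, 0x00200000 and 0x00400000 mean MATERIALIZE, VIRTUAL_KEYS and VIRTUAL here but OK_AS_DELEGATE, OK_TO_AUTH_AS_DELEGATE and NO_AUTH_DATA_REQUIRED in MIT. The header now records the per-bit differences but never states the consequence: a kadm5 `attributes` word is not interchangeable between the two implementations, so a mask that originated from MIT-built tooling or an MIT-format dump and reached `attr_to_flags` would have its high bits silently reinterpreted (whether such a path exists is not visible in this diff). I would add, above the first divergent define, `/* Bits 0x00010000 and above are Heimdal assignments that COLLIDE with MIT's; an attributes word must be translated, never passed through, when crossing implementations. */`. The `XXX remove` left on `KRB5_KDB_ALLOW_KERBEROS4` should either be acted on or become a tracked TODO rather than ship in the public header.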
@@ -55,7 +55,7 @@ attr_to_flags(unsigned attr, HDBFlags *flags)
     /* HW_AUTH */
     flags->server = !(attr & KRB5_KDB_DISALLOW_SVR);
     flags->change_pw = !!(attr & KRB5_KDB_PWCHANGE_SERVICE);
-    flags->client = 1; /* XXX */
+    flags->client = !(attr & KRB5_KDB_DISALLOW_CLIENT);
     flags->ok_as_delegate = !!(attr & KRB5_KDB_OK_AS_DELEGATE);
     flags->trusted_for_delegation = !!(attr & KRB5_KDB_TRUSTED_FOR_DELEGATION);
     flags->allow_kerberos4 = !!(attr & KRB5_KDB_ALLOW_KERBEROS4);
@@ -162,10 +162,10 @@ perform_tl_data(krb5_context context,
 }
 
 static void
-default_flags(hdb_entry_ex *ent, int server)
+default_flags(hdb_entry_ex *ent)
 {
     ent->entry.flags.client = 1;
-    ent->entry.flags.server = !!server;
+    ent->entry.flags.server = 1;
     ent->entry.flags.forwardable = 1;
     ent->entry.flags.proxiable = 1;
     ent->entry.flags.renewable = 1;
@@ -209,7 +209,7 @@ _kadm5_setup_entry(kadm5_server_context *context,
             attr_to_flags(def->attributes, &ent->entry.flags);
             ent->entry.flags.invalid = 0;
         } else {
-            default_flags(ent, 1);
+            default_flags(ent);
         }
     }
 
diff --git a/lib/kadm5/get_s.c b/lib/kadm5/get_s.c
index 5dbdd30fe..f4a9835bd 100644
--- a/lib/kadm5/get_s.c
+++ b/lib/kadm5/get_s.c
@@ -176,6 +176,7 @@ kadm5_s_get_principal(void *server_handle,
     out->attributes |= ent.entry.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0;
     out->attributes |= ent.entry.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0;
     out->attributes |= ent.entry.flags.require_pwchange ? KRB5_KDB_REQUIRES_PWCHANGE : 0;
+    out->attributes |= ent.entry.flags.client ? 0 : KRB5_KDB_DISALLOW_CLIENT;
     out->attributes |= ent.entry.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR;
     out->attributes |= ent.entry.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0;
     out->attributes |= ent.entry.flags.ok_as_delegate ? KRB5_KDB_OK_AS_DELEGATE : 0;
diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in
index 192ee6fdf..7007c6dde 100644
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
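Review bot: `default_flags` now hard-codes both `client = 1` and `server = 1` with nothing saying these are the flags an entry gets when the caller supplies no `KADM5_ATTRIBUTES`, and that a client-only or service-only principal can therefore only be produced by passing `disallow-svr` or the new `disallow-client` explicitly through `attr_to_flags`. Behaviour is unchanged as far as this diff shows, since the dropped `server` parameter was only ever passed as 1 by the caller in the third hunk, but the function should carry a header comment such as `/* Flags for a new entry when the caller gives no KADM5_ATTRIBUTES: usable as both client and service, forwardable, proxiable and renewable; a restricted entry needs explicit attributes (see attr_to_flags). */`. On the first hunk, `flags->client = !(attr & KRB5_KDB_DISALLOW_CLIENT)` is the fail-closed direction, matching `disallow-svr` just above it, and a cleared bit reproduces the old unconditional `client = 1`, so existing callers keep their behaviour. The body of `default_flags` continues past the end of its hunk.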
@@ -361,6 +361,7 @@ trap "kill -9 ${kdcpid} ${kpasswddpid}; echo signal killing kdc kpasswdd; exit 1
 ec=0
 
 echo "Getting client initial tickets with wrong password"; > messages.log
+${kadmin} modify --attributes=+disallow-client ${server} || exit 1
 ${kinit} --password-file=${objdir}/notfoopassword \
     foo@${R} 2>kinit-log.tmp && \
         { ec=1 ; eval "${testfailed}"; }
@@ -626,6 +627,8 @@ done
 ${kdestroy}
 
 echo "Getting server initial tickets"; > messages.log
+${kinit} --keytab=${keytab} ${server}@$R && { ec=1 ; eval "${testfailed}"; }
+${kadmin} modify --attributes=-disallow-client ${server} || exit 1
 ${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; }
 echo "Listing tickets"; > messages.log
 ${klist} | grep "Principal: ${server}" > /dev/null || \
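Review bot: The attribute is set on `${server}` here, but the test that follows exercises `foo` with a wrong password, so nothing in this hunk observes the change; the first assertion that `disallow-client` took effect is the negative `kinit` in the second hunk, roughly 260 lines later, and every intermediate test that uses `${server}` as a service runs with the bit set. That is presumably deliberate (the service role must keep working while the client role is denied), but the script should say so: `# ${server} stays disallow-client until the "server initial tickets" test below; it must still work as a service meanwhile`. The `|| exit 1` also bypasses the `${testfailed}` reporting the rest of the script uses and, given the EXIT trap shown in the hunk header, would report the failure as a signal kill; `|| { ec=1 ; eval "${testfailed}"; }` would be consistent.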
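Review bot: The new negative check `${kinit} --keytab=${keytab} ${server}@$R && { ec=1 ... }` passes whenever `kinit` fails for any reason — a missing keytab entry, a KDC that has died, a clock skew — not only because the KDC refused the principal as a client, so it cannot distinguish the feature working from the environment being broken. Capture stderr the way the wrong-password test does (`2>kinit-log.tmp`) and grep it, or grep `messages.log`, for the specific client-not-permitted error the KDC emits; the exact string has to be taken from the KDC's AS-REQ client check, which is not in this diff. The positive `kinit` after clearing the attribute does confirm the bit round-trips through `attr_to_flags`, which is good. As in the first hunk, the `|| exit 1` on `kadmin modify` bypasses `${testfailed}`.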