Any callback of kadm5_iter_principals() that wants to call other kadm5
functions (such as kadm5_get_principal()) needs to do so on a different
kadm5 handle than the one used for kadm5_iter_principals().
Now that we have a properly working API for listing principals in an
online way, and a server-side implementation of it, use it.
This should work with old and new servers, but it will only be online
and fast when talking to new servers.
(Old servers have a bug though that prevents LIST from working.)
This is a large commit that adds several features:
- Revamps and moves virtual host-based service principal functionality
from kdc/ to lib/hdb/ so that it may be automatically visible to
lib/kadm5/, as well as kadmin(1)/kadmind(8) and ktutil(1).
The changes are backwards-incompatible.
- Completes support for documenting a service principal's supported
enctypes in its HDB entry independently of its long-term keys. This
will reduce HDB bloat by not requiring that service principals have
more long-term keys than they need just to document the service's
supported enctypes.
- Adds support for storing krb5.conf content in principals' HDB
entries. This may eventually be used for causing Heimdal KDC
services to reconfigure primary/secondary roles automatically by
discovering the configured primary in an HDB entry for the realm.
For now this will be used to help reduce the amount of configuration
needed by clients of an upcoming HTTP binding of the kadmin service.
- Add --keepold/keepallold/pruneall options to various kadmin/ktutil
commands. Default behavior to "prune old keys".
- When setting keys for a service, we need to specify enctypes for it:
- Always use kadm5_randkey_principal_3() instead of the older
kadm5_randkey_principal().
- Add krb5_string_to_keysalts2(), like MIT's krb5_string_to_keysalts(),
but with a context, and simpler.
- Add --enctypes options to various kadmin/ktutil commands.
- Add [libdefaults] supported_enctypes param with enctype[:salttype]
list.
- Add [realms] realm supported_enctypes param with enctype[:salttype]
list.
Default to aes128-cts-hmac-sha1-96:normal.
We turn on a few extra warnings and fix the fallout that occurs
when building with --enable-developer. Note that we get different
warnings on different machines and so this will be a work in
progress. So far, we have built on NetBSD/amd64 5.99.64 (which
uses gcc 4.5.3) and Ubuntu 10.04.3 LTS (which uses gcc 4.4.3).
Notably, we fixed
1. a lot of missing structure initialisers,
2. unchecked return values for functions that glibc
marks as __attribute__((warn-unused-result)),
3. made minor modifications to slc and asn1_compile
which can generate code which generates warnings,
and
4. a few stragglers here and there.
We turned off the extended warnings for many programs in appl/ as
they are nearing the end of their useful lifetime, e.g. rsh, rcp,
popper, ftp and telnet.
Interestingly, glibc's strncmp() macro needed to be worked around
whereas the function calls did not.
We have not yet tried this on 32 bit platforms, so there will be
a few more warnings when we do.
It turns out that updates of kvno but not key data and vice-versa are
both, allowed and actually done (e.g, in kadmin's ank). Doing the right
thing in these cases turns out to be a bit tricky, but this commit ought
to do it.
Pass the function name into foreach_principal instead of the static
"get" string, so the correct function is reported in errors in
kadmin list.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
kadmin list and kadmin get -t used the same output display logic
as short output, which meant that they called kadm5_get_principal
for each principal. However, they then just threw that output
away since the terse format displays only the principal name.
For terse get output, instead use a separate set of functions that
just print the string version of the principal name and do not
retrieve additional information.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
When the principal is retrieved from the database via libkadm5srv, the
keys are always decrypted, so the reported mkvno is always 0. Rather
than returning 0 and implying that the key in the database is not
encrypted, report the mkvno as unknown for right now.
A better fix is required to either not decrypt the keys when retrieving
get information or to get the mkvno before keys are decrypted.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
that to implement printing of KADM5_TL_DATA options and fix a
dependency bug (keys needed principal to print the salting).
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15890 ec53bebd-3082-4978-b11e-865c3cabbd6b