X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fgssd%2Fkrb5_util.c;h=c43eb36254e33a766c0f5897c99fffc43fdbd1a0;hp=d29b8397445bb85fb2a4f6038645fd4e83a29cc2;hb=6e18539119224c930760ab801c24efe92b809a1e;hpb=a980156c122e975cc185a6c41ef705f166a5765f

diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index d29b839..c43eb36 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -131,7 +131,7 @@ static int select_krb5_ccache(const struct dirent *d);
 static int gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d);
 static int gssd_get_single_krb5_cred(krb5_context context, krb5_keytab kt,
 		struct gssd_k5_kt_princ *ple);
-static int gssd_have_realm_ple(krb5_data *realm);
+static int gssd_have_realm_ple(void *realm);
 static int gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt,
 		char *kt_name);
 
@@ -158,7 +158,7 @@ select_krb5_ccache(const struct dirent *d)
 }
 
 /*
- * Look in the GSSD_DEFAULT_CRED_DIR for files that look like they
+ * Look in the ccachedir for files that look like they
  * are Kerberos Credential Cache files for a given UID. Return
  * non-zero and the dirent pointer for the entry most likely to be
  * what we want. Otherwise, return zero and no dirent pointer.
@@ -178,8 +178,9 @@ gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d)
 	struct dirent *best_match_dir = NULL;
 	struct stat best_match_stat, tmp_stat;
 
+	memset(&best_match_stat, 0, sizeof(best_match_stat));
 	*d = NULL;
-	n = scandir(GSSD_DEFAULT_CRED_DIR, &namelist, select_krb5_ccache, 0);
+	n = scandir(ccachedir, &namelist, select_krb5_ccache, 0);
 	if (n < 0) {
 		perror("scandir looking for krb5 credentials caches");
 	}
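Review bot: The prototype now takes `void *realm`, which gives up the type checking the old `krb5_data *` provided, and nothing at the declaration says what a caller must pass. A comment on this prototype, and on the definition in the hunk at old line 416, should state the contract: `/* realm: krb5_data * when HAVE_KRB5 is defined, otherwise a NUL-terminated char * */`. The only caller visible, in the hunk at old line 472, passes `&kte.principal->realm` under both configurations, so the compiler can no longer catch a mismatch if either side changes.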
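Review bot: The directory searched on the `scandir` line is now the runtime variable `ccachedir`, but the failure message in the existing `perror` call does not name it, so an unreadable or misconfigured directory cannot be identified from the log. Replacing it with `printerr(0, "scandir looking for krb5 credentials caches in %s: %s\n", ccachedir, strerror(errno));` names the path and uses the file's own logging. Where `ccachedir` is set and whether it can still be NULL at this point is not visible in the hunk; if it can be, a check before `scandir` is needed as well.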
@@ -195,7 +196,7 @@ gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d)
 		if (strstr(namelist[i]->d_name, substring) ||
 		    !strcmp(namelist[i]->d_name, fullstring)) {
 			snprintf(statname, sizeof(statname),
-				 "%s/%s", GSSD_DEFAULT_CRED_DIR,
+				 "%s/%s", ccachedir,
 				 namelist[i]->d_name);
 			if (stat(statname, &tmp_stat)) {
 				printerr(0, "Error doing stat "
@@ -280,26 +281,29 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
 {
 	u_int maj_stat, min_stat;
 	gss_cred_id_t credh;
+	gss_OID_set_desc desired_mechs;
 	krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC };
 	int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
 
+	/* We only care about getting a krb5 cred */
+	desired_mechs.count = 1;
+	desired_mechs.elements = &krb5oid;
+
 	maj_stat = gss_acquire_cred(&min_stat, NULL, 0,
-				    GSS_C_NULL_OID_SET, GSS_C_INITIATE,
+				    &desired_mechs, GSS_C_INITIATE,
 				    &credh, NULL, NULL);
 	if (maj_stat != GSS_S_COMPLETE) {
-		printerr(0, "WARNING: error from gss_acquire_cred "
-			    "for user with uid %d (%s)\n",
-			 uid, error_message(min_stat));
+		pgsserr("gss_acquire_cred",
+			maj_stat, min_stat, &krb5oid);
 		return -1;
 	}
 
 	maj_stat = gss_set_allowable_enctypes(&min_stat, credh, &krb5oid,
 					     num_enctypes, &enctypes);
 	if (maj_stat != GSS_S_COMPLETE) {
-		printerr(0, "WARNING: error from gss_set_allowable_enctypes "
-			    "for user with uid %d (%s)\n",
-			 uid, error_message(min_stat));
+		pgsserr("gss_set_allowable_enctypes",
+			maj_stat, min_stat, &krb5oid);
 		return -1;
 	}
 	sec->cred = credh;
 
@@ -330,6 +334,7 @@ gssd_get_single_krb5_cred(krb5_context context,
 	char cc_name[BUFSIZ];
 	int code;
 	time_t now = time(0);
+	char *cache_type;
 
 	memset(&my_creds, 0, sizeof(my_creds));
 
@@ -355,7 +360,7 @@ gssd_get_single_krb5_cred(krb5_context context,
 	krb5_get_init_creds_opt_set_tkt_life(&options, 5*60);
 #endif
 	if ((code = krb5_get_init_creds_keytab(context, &my_creds, ple->princ,
-					       kt, 0, 0, &options))) {
+					       kt, 0, NULL, &options))) {
 		char *pname;
 		if ((krb5_unparse_name(context, ple->princ, &pname))) {
 			pname = NULL;
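Review bot: The `snprintf` into `statname` now formats a runtime-supplied `ccachedir`, and its return value is unchecked, so an over-long directory name silently truncates the path and the following `stat` then examines an unrelated file. Capture the length and treat truncation as a non-match: `int len = snprintf(statname, sizeof(statname), "%s/%s", ccachedir, namelist[i]->d_name);` followed by `if (len < 0 || (size_t)len >= sizeof(statname)) continue;` (the loop body continues outside the hunk, so check whether the entry must be freed before skipping). The same unchecked pattern with `ccachedir` appears in the hunk at old line 588 (`buf`) and with `cc_name` in the hunk at old line 372.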
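Review bot: When `gss_set_allowable_enctypes` fails, the function returns -1 while still holding the handle from the successful `gss_acquire_cred` above it, so `credh` leaks on every such failure; add `gss_release_cred(&min_stat, &credh);` before the second `return -1;`. Separately, the two `pgsserr` calls drop the `uid` that the removed messages printed, so `uid` appears to be unused in the function now (its closing brace is outside the hunk) and the log no longer says whose credential setup failed; a short `printerr(0, "... for uid %u\n", uid);` next to each `pgsserr` would keep that context and silence the unused-parameter warning.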
@@ -364,7 +369,11 @@ gssd_get_single_krb5_cred(krb5_context context,
 			 "principal '%s' from keytab '%s'\n",
 			 error_message(code), pname ? pname : "",
 			 kt_name);
+#ifdef HAVE_KRB5
 		if (pname) krb5_free_unparsed_name(context, pname);
+#else
+		if (pname) free(pname);
+#endif
 		goto out;
 	}
 
@@ -372,7 +381,12 @@ gssd_get_single_krb5_cred(krb5_context context,
 	 * Initialize cache file which we're going to be using
 	 */
 
-	snprintf(cc_name, sizeof(cc_name), "FILE:%s/%s%s_%s",
+	if (use_memcache)
+	    cache_type = "MEMORY";
+	else
+	    cache_type = "FILE";
+	snprintf(cc_name, sizeof(cc_name), "%s:%s/%s%s_%s",
+		cache_type,
 		GSSD_DEFAULT_CRED_DIR, GSSD_DEFAULT_CRED_PREFIX,
 		GSSD_DEFAULT_MACHINE_CRED_SUFFIX, ple->realm);
 	ple->endtime = my_creds.times.endtime;
@@ -416,13 +430,22 @@ gssd_get_single_krb5_cred(krb5_context context,
  *	1 => found ple for given realm
  */
 static int
-gssd_have_realm_ple(krb5_data *realm)
+gssd_have_realm_ple(void *r)
 {
 	struct gssd_k5_kt_princ *ple;
+#ifdef HAVE_KRB5
+	krb5_data *realm = (krb5_data *)r;
+#else
+	char *realm = (char *)r;
+#endif
 
 	for (ple = gssd_k5_kt_princ_list; ple; ple = ple->next) {
+#ifdef HAVE_KRB5
 		if ((realm->length == strlen(ple->realm)) &&
 		    (strncmp(realm->data, ple->realm, realm->length) == 0)) {
+#else
+		if (strcmp(realm, ple->realm) == 0) {
+#endif
 			return 1;
 		}
 	}
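Review bot: The `#ifdef HAVE_KRB5` / `krb5_free_unparsed_name` / `free` triple added here is repeated verbatim in the hunks at old lines 472, 490, 505 and 520, which is easy to get wrong the next time a free site is added. A single static helper that owns the conditional, called as `gssd_free_unparsed_name(context, pname)` at every site (keeping the `if (pname)` guard at this one), would leave one place to maintain. Which library each branch corresponds to is not stated on the page, so the helper's comment below is worded generically. `gssd_get_single_krb5_cred` starts and ends outside the hunk.
```c
/*
 * Release a name returned by krb5_unparse_name().  The two krb5
 * libraries this file builds against hand it back differently.
 */
static void
gssd_free_unparsed_name(krb5_context context, char *pname)
{
#ifdef HAVE_KRB5
	krb5_free_unparsed_name(context, pname);
#else
	free(pname);
#endif
}
```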
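Review bot: `cache_type` only ever points at the string literals `"MEMORY"` and `"FILE"`, so its declaration in the hunk at old line 330 should be `const char *cache_type;` to stop it being used as a writable pointer. Also, this new `snprintf` keeps the machine credential under the compile-time `GSSD_DEFAULT_CRED_DIR` while the user caches in the hunks at old lines 178 and 588 moved to the runtime `ccachedir`; if that split is intentional, a comment such as `/* machine creds stay in the compiled-in default dir, not ccachedir */` above the `if (use_memcache)` line would stop a reader treating it as an oversight.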
@@ -472,16 +495,27 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name)
 		}
 		printerr(2, "Processing keytab entry for principal '%s'\n",
 			 pname);
+#ifdef HAVE_KRB5
 		if ( (kte.principal->data[0].length == GSSD_SERVICE_NAME_LEN) &&
 		     (strncmp(kte.principal->data[0].data, GSSD_SERVICE_NAME,
 			      GSSD_SERVICE_NAME_LEN) == 0) &&
-		     (!gssd_have_realm_ple(&kte.principal->realm)) ) {
+#else
+		if ( (strlen(kte.principal->name.name_string.val[0]) == GSSD_SERVICE_NAME_LEN) &&
+		     (strncmp(kte.principal->name.name_string.val[0], GSSD_SERVICE_NAME,
+			      GSSD_SERVICE_NAME_LEN) == 0) &&
+
+#endif
+		     (!gssd_have_realm_ple((void *)&kte.principal->realm)) ) {
 			printerr(2, "We will use this entry (%s)\n", pname);
 			ple = malloc(sizeof(struct gssd_k5_kt_princ));
 			if (ple == NULL) {
 				printerr(0, "ERROR: could not allocate storage "
 					    "for principal list entry\n");
+#ifdef HAVE_KRB5
 				krb5_free_unparsed_name(context, pname);
+#else
+				free(pname);
+#endif
 				retval = ENOMEM;
 				goto out;
 			}
@@ -490,13 +524,21 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name)
 			ple->ccname = NULL;
 			ple->endtime = 0;
 			if ((ple->realm =
+#ifdef HAVE_KRB5
 				strndup(kte.principal->realm.data,
 					kte.principal->realm.length))
+#else
+				strdup(kte.principal->realm))
+#endif
 					== NULL) {
 				printerr(0, "ERROR: %s while copying realm to "
 					    "principal list entry\n",
 					 "not enough memory");
+#ifdef HAVE_KRB5
 				krb5_free_unparsed_name(context, pname);
+#else
+				free(pname);
+#endif
 				retval = ENOMEM;
 				goto out;
 			}
@@ -505,7 +547,11 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name)
 				printerr(0, "ERROR: %s while copying principal "
 					    "to principal list entry\n",
 					 error_message(code));
+#ifdef HAVE_KRB5
 				krb5_free_unparsed_name(context, pname);
+#else
+				free(pname);
+#endif
 				retval = code;
 				goto out;
 			}
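Review bot: The `(void *)` cast in the new `gssd_have_realm_ple((void *)&kte.principal->realm)` call is redundant in C, since any object pointer converts to `void *` implicitly, and it would mask the mismatch a compiler could report if the prototype is ever narrowed again; `(!gssd_have_realm_ple(&kte.principal->realm)) ) {` reads the same under both configurations. The non-`HAVE_KRB5` branch indexes `name_string.val[0]` without first checking that the principal has at least one component (the existing `data[0]` branch has the same gap), so a keytab entry with an empty name would presumably read past the array; a guard on the component count before the comparison is worth confirming against the library's struct definition. The stray empty `+` line inside the `#else` condition should also go.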
@@ -520,7 +566,11 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name)
 			printerr(2, "We will NOT use this entry (%s)\n",
 				 pname);
 		}
+#ifdef HAVE_KRB5
 		krb5_free_unparsed_name(context, pname);
+#else
+		free(pname);
+#endif
 	}
 
 	if ((code = krb5_kt_end_seq_get(context, kt, &cursor))) {
@@ -588,13 +638,12 @@ gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername)
 	memset(buf, 0, sizeof(buf));
 	if (gssd_find_existing_krb5_ccache(uid, &d)) {
 		snprintf(buf, sizeof(buf), "FILE:%s/%s",
-			 GSSD_DEFAULT_CRED_DIR, d->d_name);
+			 ccachedir, d->d_name);
 		free(d);
 	}
 	else
 		snprintf(buf, sizeof(buf), "FILE:%s/%s%u",
-			 GSSD_DEFAULT_CRED_DIR,
-			 GSSD_DEFAULT_CRED_PREFIX, uid);
+			 ccachedir, GSSD_DEFAULT_CRED_PREFIX, uid);
 	printerr(2, "using %s as credentials cache for client with "
 		    "uid %u for server %s\n", buf, uid, servername);
 	gssd_set_krb5_ccache_name(buf);