Mercurial > illumos > illumos-gate

changeset 12567:f6b7e92780d6

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
6954931 kclient(1M) should use new profile APIs, at least AD domain joins
author Shawn Emery <Shawn.Emery@Sun.COM>
date Mon, 07 Jun 2010 01:47:20 -0600
parents 8c45f76d0972
children 0f6ea478c2c7
files usr/src/cmd/krb5/kadmin/kclient/Makefile usr/src/cmd/krb5/kadmin/kclient/kclient.sh usr/src/cmd/krb5/kadmin/kclient/kconf.c usr/src/pkg/manifests/system-security-kerberos-5.mf
diffstat 4 files changed, 247 insertions(+), 34 deletions(-) [+]
line wrap: on
line diff
--- a/usr/src/cmd/krb5/kadmin/kclient/Makefile	Mon Jun 07 01:47:20 2010 -0600
+++ b/usr/src/cmd/krb5/kadmin/kclient/Makefile	Mon Jun 07 01:47:20 2010 -0600
@@ -18,17 +18,15 @@
 #
 # CDDL HEADER END
 #
-# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
-#
-# ident	"%Z%%M%	%I%	%E% SMI"
+# Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 #
 # Makefile for Kerberos client-install utility.
 #
 
 PROG=		ksetpw \
 		kdyndns \
-		ksmb
+		ksmb \
+		kconf
 
 SHFILES=	kclient
 SECFILES=	pam_krb5_first \
@@ -45,8 +43,9 @@
 KS_OBJS=	ksetpw.o
 KD_OBJS=	kdyndns.o
 KSMB_OBJS=	ksmb.o
+KC_OBJS=	kconf.o
 
-OBJS=		$(KS_OBJS) $(KD_OBJS) $(KSMB_OBJS)
+OBJS=		$(KS_OBJS) $(KD_OBJS) $(KSMB_OBJS) $(KC_OBJS)
 
 SSRCS=	kclient.sh
 SRCS=	$(OBJS:%.o=%.c)
@@ -64,10 +63,12 @@
 ksetpw:=	LDFLAGS += $(KRUNPATH)
 kdyndns:=	LDFLAGS += -R/usr/lib/smbsrv
 ksmb:=		LDFLAGS += -R/usr/lib/smbsrv
+kconf:=		LDFLAGS += $(KRUNPATH)
 
 KS_LDLIBS =	$(LDLIBS) $(KMECHLIB)
 KD_LDLIBS =	$(LDLIBS) -L$(ROOT)/usr/lib/smbsrv -lsmbns
 KSMB_LDLIBS =	$(LDLIBS) -L$(ROOT)/usr/lib/smbsrv -lsmb
+KC_LDLIBS =	$(LDLIBS) $(KMECHLIB)
 
 .KEEP_STATE:
 
@@ -87,6 +88,10 @@
 	$(LINK.c) $(KS_OBJS) -o $@ $(KS_LDLIBS)
 	$(POST_PROCESS)
 
+kconf:		$(KC_OBJS)
+	$(LINK.c) $(KC_OBJS) -o $@ $(KC_LDLIBS)
+	$(POST_PROCESS)
+
 $(KRB5SBIN):
 	$(INS.dir)
 
--- a/usr/src/cmd/krb5/kadmin/kclient/kclient.sh	Mon Jun 07 01:47:20 2010 -0600
+++ b/usr/src/cmd/krb5/kadmin/kclient/kclient.sh	Mon Jun 07 01:47:20 2010 -0600
@@ -19,8 +19,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
+# Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 #
 # This script is used to setup the Kerberos client by
 # supplying information about the Kerberos realm and kdc.
@@ -861,36 +860,27 @@
 }
 
 function write_ads_krb5conf {
+	typeset kdcs
+
 	printf "\n$(gettext "Setting up %s").\n\n" $KRB5_CONFIG_FILE
 
-	exec 3>$KRB5_CONFIG
-	if [[ $? -ne 0 ]]; then
-		printf "\n$(gettext "Can not write to %s, exiting").\n" $KRB5_CONFIG >&2
-		error_message
-	fi
-
-	printf "[libdefaults]\n" 1>&3
-	printf "\tdefault_realm = $realm\n" 1>&3
-	printf "\n[realms]\n" 1>&3
-	printf "\t$realm = {\n" 1>&3
 	for i in ${KDCs[@]}
 	do
 		[[ $i == +([0-9]) ]] && continue
-		printf "\t\tkdc = $i\n" 1>&3
+		if [[ -n $kdcs ]]
+		then
+			kdcs="$kdcs,$i"
+		else
+			kdcs=$i
+		fi
 	done
-	# Defining the same as admin_server.  This would cause auth failures
-	# if this was different.
-	printf "\n\t\tkpasswd_server = $KDC\n" 1>&3
-	printf "\n\t\tadmin_server = $KDC\n" 1>&3
-	printf "\t\tkpasswd_protocol = SET_CHANGE\n\t}\n" 1>&3
-	printf "\n[domain_realm]\n" 1>&3
-	printf "\t.$dom = $realm\n\n" 1>&3
-	printf "[logging]\n" 1>&3
-	printf "\tdefault = FILE:/var/krb5/kdc.log\n" 1>&3
-	printf "\tkdc = FILE:/var/krb5/kdc.log\n" 1>&3
-	printf "\tkdc_rotate = {\n\t\tperiod = 1d\n\t\tversions = 10\n\t}\n\n" 1>&3
-	printf "[appdefaults]\n" 1>&3
-	printf "\tkinit = {\n\t\trenewable = true\n\t\tforwardable = true\n\t}\n" 1>&3
+
+	$KCONF -f $KRB5_CONFIG -r $realm -k $kdcs -m $KDC -p SET_CHANGE -d .$dom
+
+	if [[ $? -ne 0 ]]; then
+		printf "\n$(gettext "Can not update %s, exiting").\n" $KRB5_CONFIG >&2
+		error_message
+	fi
 }
 
 function getForestName {
@@ -1576,6 +1566,7 @@
 KSETPW=/usr/lib/krb5/ksetpw;	check_bin $KSETPW
 KSMB=/usr/lib/krb5/ksmb;	check_bin $KSMB
 KDYNDNS=/usr/lib/krb5/kdyndns;	check_bin $KDYNDNS
+KCONF=/usr/lib/krb5/kconf;	check_bin $KCONF
 
 dns_lookup=no
 ask_fqdns=no
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/cmd/krb5/kadmin/kclient/kconf.c	Mon Jun 07 01:47:20 2010 -0600
@@ -0,0 +1,217 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <strings.h>
+#include <locale.h>
+#include <errno.h>
+#include <krb5.h>
+#include <profile.h>
+#include <com_err.h>
+
+struct profile_string_list {
+	char	**list;
+	int	num;
+	int	max;
+};
+
+/*
+ * From prof_get.c as the following four functions are private in mech_krb5.
+ */
+/*
+ * Initialize the string list abstraction.
+ */
+static errcode_t
+init_list(struct profile_string_list *list)
+{
+	list->num = 0;
+	list->max = 10;
+	list->list = malloc(list->max * sizeof (char *));
+	if (list->list == NULL)
+		return (ENOMEM);
+	list->list[0] = NULL;
+	return (0);
+}
+
+/*
+ * If re_list is non-NULL then pass the list header to the caller else free
+ * the previously allocated list.
+ */
+static void
+end_list(struct profile_string_list *list, char ***ret_list)
+{
+
+	if (list == NULL)
+		return;
+
+	if (ret_list) {
+		*ret_list = list->list;
+		return;
+	} else
+		profile_free_list(list->list);
+	list->num = list->max = 0;
+	list->list = NULL;
+}
+
+/*
+ * Add a string to the list.
+ */
+static errcode_t
+add_to_list(struct profile_string_list *list, const char *str)
+{
+	char 	*newstr, **newlist;
+	int	newmax;
+
+	if (list->num + 1 >= list->max) {
+		newmax = list->max + 10;
+		newlist = realloc(list->list, newmax * sizeof (char *));
+		if (newlist == NULL)
+			return (ENOMEM);
+		list->max = newmax;
+		list->list = newlist;
+	}
+	newstr = strdup(str);
+	if (newstr == NULL)
+		return (ENOMEM);
+
+	list->list[list->num++] = newstr;
+	list->list[list->num] = NULL;
+	return (0);
+}
+
+static void
+usage()
+{
+	(void) fprintf(stderr, gettext("kconf -f <file> -r <realm> "
+	    "-k <kdc[,kdc]> -m <master_kdc>\n -p <kpasswd_protocol> "
+	    "-d <domain>\n"));
+
+	exit(1);
+}
+
+int
+main(int argc, char **argv)
+{
+	profile_t	profile;
+	errcode_t	code;
+	char		c, *realm, *kdcs, *master, *domain, *token, *lasts;
+	char		*file, **ret_values = NULL;
+	boolean_t	set_change = FALSE;
+	struct profile_string_list values;
+
+	(void) setlocale(LC_ALL, "");
+
+#if !defined(TEXT_DOMAIN)
+#define	TEXT_DOMAIN "SYS_TEST"
+#endif /* TEXT_DOMAIN */
+
+	(void) textdomain(TEXT_DOMAIN);
+
+	/*
+	 * kconf -f <file> -r <realm> -k <kdc[,kdc]> -m <master_kdc>
+	 * -p <kpasswd_protocol> -d <domain>
+	 */
+	while ((c = getopt(argc, argv, "f:r:k:a:s:p:d:m:")) != -1) {
+		switch (c) {
+		case 'f':
+			file = optarg;
+			break;
+		case 'r':
+			realm = optarg;
+			break;
+		case 'k':
+			kdcs = optarg;
+			break;
+		case 'm':
+			master = optarg;
+			break;
+		case 'p':
+			if (strcmp(optarg, "SET_CHANGE") == 0)
+				set_change = TRUE;
+			break;
+		case 'd':
+			domain = optarg;
+			break;
+		default:
+			usage();
+			break;
+		}
+	}
+
+	code = __profile_init(file, &profile);
+	if (code != 0) {
+		fprintf(stderr, gettext("Wasn't able to initialize profile\n"));
+		exit(code);
+	}
+
+	if (code = init_list(&values)) {
+		fprintf(stderr, gettext("Can not initialize list %d\n"), code);
+		goto error;
+	}
+	token = strtok_r(kdcs, ",", &lasts);
+	do {
+		if (token != NULL) {
+			code = add_to_list(&values, token);
+			if (code != 0) {
+				fprintf(stderr, gettext("Can not add to list "
+				    "%d\n"), code);
+				goto error;
+			}
+		} else {
+			fprintf(stderr, gettext("Couldn't parse kdc list %d\n"),
+			    code);
+			goto error;
+		}
+	} while ((token = strtok_r(NULL, ",", &lasts)) != NULL);
+	end_list(&values, &ret_values);
+
+	code = __profile_add_realm(profile, realm, master, ret_values,
+	    set_change, TRUE);
+	if (code != 0) {
+		fprintf(stderr, gettext("Wasn't able to add realm "
+		    "information\n"));
+		goto error;
+	}
+
+	code = __profile_add_domain_mapping(profile, domain, realm);
+	if (code != 0) {
+		fprintf(stderr, gettext("Wasn't able to add domain mapping\n"));
+		goto error;
+	}
+
+error:
+	if (ret_values != NULL)
+		profile_free_list(ret_values);
+
+	/*
+	 * Release profile, which will subsequently flush new profile to file.
+	 * If this fails then at least free profile memory.
+	 */
+	if ((code =  __profile_release(profile)) != NULL)
+		__profile_abandon(profile);
+
+	return (code);
+}
--- a/usr/src/pkg/manifests/system-security-kerberos-5.mf	Mon Jun 07 01:47:20 2010 -0600
+++ b/usr/src/pkg/manifests/system-security-kerberos-5.mf	Mon Jun 07 01:47:20 2010 -0600
@@ -20,8 +20,7 @@
 #
 
 #
-# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
+# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
 #
 
 set name=pkg.fmri value=pkg:/system/security/kerberos-5@$(PKGVERS)
@@ -62,6 +61,7 @@
 file path=usr/lib/krb5/db2.so.1
 file path=usr/lib/krb5/gkadmin.jar mode=0444
 file path=usr/lib/krb5/kadmind mode=0500
+file path=usr/lib/krb5/kconf mode=0555
 file path=usr/lib/krb5/kdyndns mode=0555
 file path=usr/lib/krb5/kldap.so.1
 file path=usr/lib/krb5/klookup mode=0555