+Mon Nov 11 16:50:25 1996 Mark Eichin <eichin@cygnus.com>
+
+ * kadmin/dbutil dumpv4 expiration ("never") fixes
+ * kadmin/dbutil loadv4 stashfile, default fixes
+
+ Fri Sep 27 18:45:43 1996 Mark Eichin <eichin@cygnus.com>
+
+ * dump.c (read_string): fgetc doesn't return char.
+
+ Wed Sep 11 23:45:11 1996 Mark Eichin <eichin@cygnus.com>
+
+ * loadv4.c (enter_in_v5_db): set last_pwd_change from the
+ mod_time, not only the mod_princ_data.
+
+ Wed Sep 11 00:02:33 1996 Mark Eichin <eichin@cygnus.com>
+
+ * dumpv4.c (dump_v4_iterator): detect expiration time of "never"
+ and fill in a reasonable default (namely, the Cygnus 96q1 default
+ of 12/31/2009.)
+
+ * loadv4.c (v4_dump_find_default): New function. Scans a dumpfile
+ for a "default" entry, which was probably created at kdb_init time
+ and probably hasn't changed from either the MIT default of
+ 12/31/1999 or the Cygnus 96q1 default of 12/31/2009. Check for
+ either value, and replace it with 0, which is understood as
+ "never" in V5. If verbose is set (-v flag), log either the match
+ or the non-matching value.
+ (process_v4_dump): new argument default_exp_time, the value found
+ by v4_dump_find_default, actually performs the replacement of
+ matching entries.
+ (load_v4db): call v4_dump_find_default to get the default
+ expiration time.
+ * kdb5_util.M: document the above changes.
+
+ Sun Sep 8 01:02:47 1996 Mark W. Eichin <eichin@kitten.gen.ma.us>
+
+ * kdb5_util.c (usage): document load_v4 -s stashfile.
+ (main): fix typo in usage message.
+ * kdb5_util.M: document load_v4, including new options, removing
+ previously eliminated -f option.
+ * loadv4.c (load_v4db): support -s stashfile option.
+
Thu Nov 7 20:53:17 1996 Tom Yu <tlyu@mit.edu>
* configure.in: Remove spurious WITH_KRB4.
\fBdump_v4\fP [\fIfilename\fP]
Dumps the current database into the Kerberos 4 database dump format.
.TP
-\fBload_v4\fP [\fB\-t\fP] [\fB-n\fP] [\fB\-K\fP] [\fB-f\fP] \fIinputfile\fP
-Loads a Kerberos 4 database dump file.
+\fBload_v4\fP [\fB\-t\fP] [\fB-n\fP] [\fB\-K\fP] [\fB-s \fIstashfile\fP] \fIinputfile\fP
+Loads a Kerberos 4 database dump file. Options:
+.RS
+.TP
+.B \-K
+prompts for the V5 master key instead of using the stashed version.
+.TP
+.B \-n
+prompts for the V4 master key, instead of reading from the stash file.
+.TP
+.B \-s \fIstashfile
+gets the V4 master key out of \fIstashfile\fP instead of /.k
+.TP
+.B \-T
+creates a new \fIkrbtgt\fP instead of converting the V4 one. The V5 server
+will thus not recognize outstanding tickets, so this should be used
+with caution.
+.TP
+.B \-v
+lists each principal as it is converted or ignored.
+.TP
+.B \-t
+uses a temporary database, then moves that into place, instead of adding
+the keys to the current database.
+.PP
+Note: if the Kerberos 4 database had a default expiration date of 12/31/1999
+or 12/31/2009 (the compiled in defaults for older or newer Kerberos
+releases) then any entries which have the same expiration date will be
+converted to "never" expire in the version 5 database. If the default
+did not match either value, all expiration dates will be preserved.
+.PP
+Also, Kerberos 4 stored a single modification time for any change to a
+record; Version 5 stores a seperate modification time and last
+password change time. In practice, Version 4 "modifications" were
+always password changes. \fIload_v4\fP copies the value into both
+fields.
.SH SEE ALSO
kadmin(8)
static krb5_error_code enter_in_v5_db PROTOTYPE((krb5_context,
char *, Principal *));
static krb5_error_code process_v4_dump PROTOTYPE((krb5_context, char *,
- char *));
+ char *, long));
+static krb5_error_code v4_dump_find_default PROTOTYPE((krb5_context, char *,
+ char *, long *));
static krb5_error_code fixup_database PROTOTYPE((krb5_context, char *));
static int create_local_tgt = 0;
int persist, op_ind;
kadm5_config_params newparams;
extern kadm5_config_params global_params;
+ long exp_time = 0;
krb5_init_context(&context);
else if (!strcmp(argv[op_ind], "-n")) {
v4manual++;
}
+ else if (!strcmp(argv[op_ind], "-s")) {
+ if ((argc - op_ind) >= 1) {
+ v4_mkeyfile = argv[op_ind+1];
+ op_ind++;
+ } else {
+ usage();
+ }
+ }
else if ((argc - op_ind) >= 1) {
v4dumpfile = argv[op_ind];
op_ind++;
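Review bot: The new `-s` branch tests `(argc - op_ind) >= 1`, which is always true once `argv[op_ind]` is `"-s"`, so a trailing `-s` with no filename assigns `argv[argc]` (NULL) to `v4_mkeyfile` instead of reaching `usage()`. The test has to account for the extra argument being consumed: `if ((argc - op_ind) >= 2) {`. The positional branch below correctly keeps `>= 1` because it consumes `argv[op_ind]` itself. The enclosing option loop starts outside the hunk.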
return;
}
- retval = process_v4_dump(context, v4dumpfile, realm);
+ retval = v4_dump_find_default(context, v4dumpfile, realm, &exp_time);
+ if (retval) {
+ com_err(PROGNAME, retval, "warning: default entry not found");
+ }
+
+ retval = process_v4_dump(context, v4dumpfile, realm, exp_time);
putchar('\n');
if (retval)
com_err(PROGNAME, retval, "while translating entries to the database");
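Review bot: The message `"warning: default entry not found"` does not describe what `v4_dump_find_default` returns: scanning to EOF without a `default` entry yields 0 and prints nothing, while a nonzero `retval` means the dump could not be opened (`errno`) or a line did not parse (`KRB5_KDB_DB_CORRUPT`). Something like `com_err(PROGNAME, retval, "while scanning dump for default expiration");` tells the operator the right thing. On that path `exp_time` stays 0 and `process_v4_dump` is still called, so the same open/parse failure is presumably reported a second time by the call below; consider returning after the warning when `retval` is set.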
if (!retval)
retval = krb5_dbe_update_mod_princ_data(context, &entry,
mod_time, mod_princ);
+ if (!retval)
+ retval = krb5_dbe_update_last_pwd_change(context, &entry, mod_time);
+
if (retval) {
krb5_db_free_principal(context, &entry, 1);
krb5_free_principal(context, mod_princ);
}
static krb5_error_code
-process_v4_dump(context, dumpfile, realm)
+process_v4_dump(context, dumpfile, realm, default_exp_time)
krb5_context context;
char *dumpfile;
char *realm;
+long default_exp_time;
{
krb5_error_code retval;
FILE *input_file;
aprinc.kdc_key_ver = (unsigned char) temp2;
aprinc.key_version = (unsigned char) temp3;
aprinc.exp_date = time_explode(exp_date_str);
+ if (aprinc.exp_date == default_exp_time)
+ aprinc.exp_date = 0;
aprinc.mod_date = time_explode(mod_date_str);
if (aprinc.instance[0] == '*')
aprinc.instance[0] = '\0';
return retval;
}
+static krb5_error_code
+v4_dump_find_default(context, dumpfile, realm, exptime)
+krb5_context context;
+char *dumpfile;
+char *realm;
+long *exptime;
+{
+ krb5_error_code retval = 0;
+ FILE *input_file;
+ Principal aprinc;
+ char exp_date_str[50];
+ char mod_date_str[50];
+ int temp1, temp2, temp3;
+ long time_explode();
+ long foundtime, guess1, guess2;
+
+ /* kdb_init is usually the only thing to touch the time in the
+ default entry, and everything else just copies that time. If
+ the site hasn't changed it, we can assume that "never" is an
+ appropriate value for V5. There have been two values compiled
+ in, typically:
+
+ MIT V4 had the code
+ principal.exp_date = 946702799;
+ strncpy(principal.exp_date_txt, "12/31/99", DATE_SZ);
+
+ Cygnus CNS V4 had the code
+ principal.exp_date = 946702799+((365*10+3)*24*60*60);
+ strncpy(principal.exp_date_txt, "12/31/2009", DATE_SZ);
+
+ However, the dump files only store minutes -- so these values
+ are 59 seconds high.
+
+ Other values could be added later, but in practice these are
+ likely to be the only ones. */
+
+ guess1 = 946702799-59;
+ guess2 = 946702799+((365*10+3)*24*60*60);
+
+ input_file = fopen(dumpfile, "r");
+ if (!input_file)
+ return errno;
+
+ for (;;) { /* explicit break on eof from fscanf */
+ int nread;
+
+ memset((char *)&aprinc, 0, sizeof(aprinc));
+ nread = fscanf(input_file,
+ "%s %s %d %d %d %hd %x %x %s %s %s %s\n",
+ aprinc.name,
+ aprinc.instance,
+ &temp1,
+ &temp2,
+ &temp3,
+ &aprinc.attributes,
+ &aprinc.key_low,
+ &aprinc.key_high,
+ exp_date_str,
+ mod_date_str,
+ aprinc.mod_name,
+ aprinc.mod_instance);
+ if (nread != 12) {
+ retval = nread == EOF ? 0 : KRB5_KDB_DB_CORRUPT;
+ break;
+ }
+ if (!strcmp(aprinc.name, "default")
+ && !strcmp(aprinc.instance, "*")) {
+ foundtime = time_explode(exp_date_str);
+ if (foundtime == guess1 || foundtime == guess2)
+ *exptime = foundtime;
+ if (verbose) {
+ printf("\ndefault expiration found: ");
+ if (foundtime == guess1) {
+ printf("MIT or pre96q1 value (1999)");
+ } else if (foundtime == guess2) {
+ printf("Cygnus CNS post 96q1 value (2009)");
+ } else {
+ printf("non-default start time (%d,%s)",
+ foundtime, exp_date_str);
+ }
+ }
+ break;
+ }
+ }
+ (void) fclose(input_file);
+ return retval;
+}
+
static krb5_error_code fixup_database(context, realm)
krb5_context context;
char * realm;
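Review bot: In the verbose branch of `v4_dump_find_default`, `printf("non-default start time (%d,%s)", foundtime, exp_date_str)` passes a `long` for `%d`; it should be `%ld`. The `fscanf` at the top of the loop reads the `%s` fields into fixed-size buffers (`exp_date_str[50]`, `mod_date_str[50]`, and the `Principal` name/instance members whose sizes are not visible here) with no width limit, so an over-long token in a malformed dump writes past them; give every `%s` a width (`%49s` for the two date buffers, and the member size minus one for the others). Separately, the comment states that both compiled-in defaults are 59 seconds high because the dump only stores minutes, yet only `guess1` subtracts 59, so as written the 2009 value would presumably never match; `guess2 = 946702799+((365*10+3)*24*60*60)-59;` looks intended. The `realm` parameter and `temp1` are unused in the new function.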