the database. This facility can be enabled in the :ref:`kdc.conf(5)`
file with the **iprop_enable** option. Incremental propagation
requires the principal ``kiprop/MASTER\@REALM`` (where MASTER is the
-master KDC's canonical host name, and REALM the realm name) to be
-registered in the database.
+master KDC's canonical host name, and REALM the realm name). In
+release 1.13, this principal is automatically created and registered
+into the datebase.
OPTIONS
``kiprop/hostname`` (where *hostname* is the lowercase,
fully-qualified, canonical name for the host) registered in the
Kerberos database, and have keys for that principal stored in the
-default keytab file (|keytab|).
+default keytab file (|keytab|). In release 1.13, the
+``kiprop/hostname`` principal is created automatically for the master
+KDC, but it must still be created for slave KDCs.
On the master KDC side, the ``kiprop/hostname`` principal must be
listed in the kadmind ACL file :ref:`kadm5.acl(5)`, and given the
static int add_admin_princs(void *handle, krb5_context context, char *realm)
{
krb5_error_code ret = 0;
- char *service_name = 0, *p;
+ char *service_name = 0, *kiprop_name = 0, *p;
char localname[MAXHOSTNAMELEN];
struct addrinfo *ai, ai_hints;
int gai_error;
freeaddrinfo(ai);
goto clean_and_exit;
}
+ if (asprintf(&kiprop_name, "kiprop/%s", ai->ai_canonname) < 0) {
+ ret = ENOMEM;
+ fprintf(stderr, _("Out of memory\n"));
+ freeaddrinfo(ai);
+ goto clean_and_exit;
+ }
freeaddrinfo(ai);
if ((ret = add_admin_princ(handle, context,
CHANGEPW_LIFETIME)))
goto clean_and_exit;
+ ret = add_admin_princ(handle, context, kiprop_name, realm, 0, 0);
+
clean_and_exit:
free(service_name);
+ free(kiprop_name);
return ret;
}
char *fullname;
krb5_error_code ret;
kadm5_principal_ent_rec ent;
+ long flags;
memset(&ent, 0, sizeof(ent));
ent.max_life = lifetime;
ent.attributes = attrs;
- ret = kadm5_create_principal(handle, &ent,
- (KADM5_PRINCIPAL | KADM5_MAX_LIFE |
- KADM5_ATTRIBUTES), NULL);
+ flags = KADM5_PRINCIPAL | KADM5_ATTRIBUTES;
+ if (lifetime)
+ flags |= KADM5_MAX_LIFE;
+ ret = kadm5_create_principal(handle, &ent, flags, NULL);
if (ret && ret != KADM5_DUP) {
com_err(progname, ret, _("while creating principal %s"), fullname);
krb5_free_principal(context, ent.principal);
if (ret)
return ret;
+ /* Create kiprop/<hostname>. */
+ rblock.max_life = global_params.max_life;
+ rblock.flags = 0;
+ ret = create_hostbased_special(context, &rblock, mkey, "kiprop");
+ if (ret)
+ return ret;
+
/* Create kadmin/changepw. */
rblock.max_life = CHANGEPW_LIFETIME;
rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE;
}
# Add an incremental-propagation service.
- set test "kadmin.local ank kiprop/$hostname"
+ set test "kadmin.local ank krbtest/fast"
set body {
if $failall {
break
verbose "starting $test"
expect_after $def_exp_after
- expect "kadmin.local: "
- send "ank kiprop/$hostname@$REALMNAME\r"
- # It echos...
- expect "ank kiprop/$hostname@$REALMNAME\r"
- expect "Enter password for principal \"kiprop/$hostname@$REALMNAME\":"
- send "kiproppass$KEY\r"
- expect "Re-enter password for principal \"kiprop/$hostname@$REALMNAME\":"
- send "kiproppass$KEY\r"
- expect {
- "Principal \"kiprop/$hostname@$REALMNAME\" created" { }
- "Principal or policy already exists while creating*" { }
- }
expect "kadmin.local: "
send "ank +requires_preauth krbtest/fast@$REALMNAME\r"
expect "Enter password for principal \"krbtest/fast@$REALMNAME\":"
# Create the principal used to authenticate kpropd to kadmind.
kiprop_princ = 'kiprop/' + hostname
-realm.addprinc(kiprop_princ)
realm.extract_keytab(kiprop_princ, realm.keytab)
# Create the initial slave1 and slave2 databases.
projects / thirdparty / krb5.git / commitdiff
