unsigned int re_match_count;
unsigned int already_current;
unsigned int updated;
+ unsigned int dry_run : 1;
+ unsigned int verbose : 1;
#ifdef SOLARIS_REGEXPS
char *expbuf;
#endif
pname);
goto fail;
}
+ /* Line up "skip" and "update" messages for viewing. */
if (old_mkvno == new_mkvno) {
+ if (p->dry_run && p->verbose)
+ printf("would skip: %s\n", pname);
+ else if (p->verbose)
+ printf("skipping: %s\n", pname);
p->already_current++;
goto skip;
}
+ if (p->dry_run) {
+ if (p->verbose)
+ printf("would update: %s\n", pname);
+ p->updated++;
+ goto skip;
+ } else if (p->verbose)
+ printf("updating: %s\n", pname);
retval = master_key_convert (util_context, ent);
if (retval) {
com_err(progname, retval,
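Review bot: The dry-run messages do not line up, although the added comment says they should: "skipping: " and "updating: " are the same width, but "would skip: " is two characters shorter than "would update: ". Padding the shorter one, `printf("would skip:   %s\n", pname);`, keeps principal names in one column when an operator reviews `-n -v` output before a master key rollover. The `} else if (p->verbose)` that follows the braced dry-run block is unbraced; bracing it, `} else if (p->verbose) { printf("updating: %s\n", pname); }`, would avoid a later edit attaching a statement to the wrong branch just ahead of `master_key_convert`. The enclosing function starts and ends outside this hunk.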
char *regexp = NULL;
krb5_keyblock *tmp_keyblock = NULL;
- while ((optchar = getopt(argc, argv, "f")) != -1) {
+ while ((optchar = getopt(argc, argv, "fnv")) != -1) {
switch (optchar) {
case 'f':
force = 1;
break;
+ case 'n':
+ data.dry_run = 1;
+ break;
+ case 'v':
+ data.verbose = 1;
+ break;
case '?':
case ':':
default:
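Review bot: The new `dry_run` and `verbose` bitfields are assigned only in the `'n'` and `'v'` cases here, but they are read unconditionally later (`!data.dry_run`, `if (data.verbose)`, and `p->dry_run` in the iterator callback). The declaration of `data` is outside this hunk, so it is worth confirming that it is zero-initialized, for example with a `= { 0 }` initializer. Otherwise a run without `-n` could read an indeterminate `dry_run`, skip both the confirmation prompt and the re-encryption, and leave keys under the old master key. The usage text reached through the `'?'`/`default` cases is also not visible here and presumably needs `-n` and `-v` added.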
#ifdef BSD_REGEXPS
((msg = (char *) re_comp(regexp)) != NULL)
#endif
- )
- {
+ ) {
/* XXX syslog msg or regerr(regerrno) */
com_err(progname, 0, "error compiling converted regexp '%s'", regexp);
free(regexp);
new_master_keyblock = *tmp_keyblock;
if (!force &&
+ !data.dry_run &&
!are_you_sure("Re-encrypt all keys not using master key vno %u?",
new_mkvno)) {
printf("OK, doing nothing.\n");
exit_status++;
goto cleanup;
}
+ if (data.verbose) {
+ if (data.dry_run)
+ printf("Principals whose keys WOULD BE re-encrypted to master key vno %u:\n",
+ new_mkvno);
+ else
+ printf("Principals whose keys are being re-encrypted to master key vno %u if necessary:\n",
+ new_mkvno);
+ }
retval = krb5_db_iterate(util_context, name_pattern,
update_princ_encryption_1, &data);
exit_status++;
}
(void) krb5_db_fini(util_context);
- printf("%u principals processed: %u updated, %u already current\n",
- data.re_match_count, data.updated, data.already_current);
+ if (data.dry_run)
+ printf("%u principals processed: %u would be updated, %u already current\n",
+ data.re_match_count, data.updated, data.already_current);
+ else
+ printf("%u principals processed: %u updated, %u already current\n",
+ data.re_match_count, data.updated, data.already_current);
cleanup:
free(regexp);
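Review bot: The two summary `printf` calls differ only in the phrase "would be updated" versus "updated", so a later change to the counters or format must be made twice. A single call that selects the phrase keeps the argument list in one place: `printf("%u principals processed: %u %s, %u already current\n", data.re_match_count, data.updated, data.dry_run ? "would be updated" : "updated", data.already_current);`. The summary appears to be printed even after the error branch just above, so a dry-run count from an interrupted iteration may understate the work remaining.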
\fBlist_mkeys\fP
This option needs documentation.
.TP
-\fBupdate_princ_encryption\fP [\fB\-f\fP] [\fBprinc\-pattern\fP]
+\fBupdate_princ_encryption\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP] [\fBprinc\-pattern\fP]
Update all principal records (or only those matching the
.B princ\-pattern
glob pattern) to re-encrypt the key data using the latest version of
-the database master key, if they are encrypted using older versions.
+the database master key, if they are encrypted using older versions,
+and give a count at the end of the number of principals updated.
If the
.B \-f
option is not given, ask for confirmation before starting to make
-changes.
+changes. The
+.B \-v
+option causes each principal processed (each one matching the pattern)
+to be listed, and an indication given as to whether it needed updating
+or not.
+The
+.B \-n
+option causes the actions not to be taken, only the normal or verbose
+status messages displayed; this implies
+.B \-f
+since no database changes will be performed and thus there's little
+reason to seek confirmation.
.SH SEE ALSO
kadmin(8)