#include <kadm5/admin.h>
#include <kdb.h>
#include "server_internal.h"
-#ifdef USE_PASSWORD_SERVER
-#include <sys/wait.h>
-#include <signal.h>
-#endif
#include <krb5/kadm5_hook_plugin.h>
return(0);
}
-/* FIXME: don't use global variable for this */
-krb5_boolean use_password_server = 0;
-
-#ifdef USE_PASSWORD_SERVER
-static krb5_boolean
-kadm5_use_password_server (void)
-{
- return use_password_server;
-}
-#endif
-
-void kadm5_set_use_password_server (void);
-
-void
-kadm5_set_use_password_server (void)
-{
- use_password_server = 1;
-}
-
-#ifdef USE_PASSWORD_SERVER
-
-/*
- * kadm5_launch_task () runs a program (task_path) to synchronize the
- * Apple password server with the Kerberos database. Password server
- * programs can receive arguments on the command line (task_argv)
- * and a block of data via stdin (data_buffer).
- *
- * Because a failure to communicate with the tool results in the
- * password server falling out of sync with the database,
- * kadm5_launch_task() always fails if it can't talk to the tool.
- */
-
-static kadm5_ret_t
-kadm5_launch_task (krb5_context context,
- const char *task_path, char * const task_argv[],
- const char *buffer)
-{
- kadm5_ret_t ret;
- int data_pipe[2];
-
- ret = pipe (data_pipe);
- if (ret)
- ret = errno;
-
- if (!ret) {
- pid_t pid = fork ();
- if (pid == -1) {
- ret = errno;
- close (data_pipe[0]);
- close (data_pipe[1]);
- } else if (pid == 0) {
- /* The child: */
-
- if (dup2 (data_pipe[0], STDIN_FILENO) == -1)
- _exit (1);
-
- close (data_pipe[0]);
- close (data_pipe[1]);
-
- execv (task_path, task_argv);
-
- _exit (1); /* Fail if execv fails */
- } else {
- /* The parent: */
- int status;
-
- ret = 0;
-
- close (data_pipe[0]);
-
- /* Write out the buffer to the child, add \n */
- if (buffer) {
- if (krb5_net_write (context, data_pipe[1], buffer, strlen (buffer)) < 0
- || krb5_net_write (context, data_pipe[1], "\n", 1) < 0)
- {
- /* kill the child to make sure waitpid() won't hang later */
- ret = errno;
- kill (pid, SIGKILL);
- }
- }
- close (data_pipe[1]);
-
- waitpid (pid, &status, 0);
-
- if (!ret) {
- if (WIFEXITED (status)) {
- /* child read password and exited. Check the return value. */
- if ((WEXITSTATUS (status) != 0) && (WEXITSTATUS (status) != 252)) {
- ret = KRB5KDC_ERR_POLICY; /* password change rejected */
- }
- } else {
- /* child read password but crashed or was killed */
- ret = KRB5KRB_ERR_GENERIC; /* FIXME: better error */
- }
- }
- }
- }
-
- return ret;
-}
-
-#endif
-
kadm5_ret_t
kadm5_chpass_principal(void *server_handle,
krb5_principal principal, char *password)
kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
}
-#ifdef USE_PASSWORD_SERVER
- if (kadm5_use_password_server () &&
- (krb5_princ_size (handle->context, principal) == 1)) {
- krb5_data *princ = krb5_princ_component (handle->context, principal, 0);
- const char *path = "/usr/sbin/mkpassdb";
- char *argv[] = { "mkpassdb", "-setpassword", NULL, NULL };
- char *pstring = NULL;
-
- if (!ret) {
- pstring = malloc ((princ->length + 1) * sizeof (char));
- if (pstring == NULL) { ret = ENOMEM; }
- }
-
- if (!ret) {
- memcpy (pstring, princ->data, princ->length);
- pstring [princ->length] = '\0';
- argv[2] = pstring;
-
- ret = kadm5_launch_task (handle->context, path, argv, password);
- }
-
- if (pstring != NULL)
- free (pstring);
-
- if (ret)
- goto done;
- }
-#endif
-
ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now);
if (ret)
goto done;
projects / thirdparty / krb5.git / commitdiff
