static int add_admin_princs(void *handle, krb5_context context, char *realm)
{
krb5_error_code ret = 0;
- char *service_name = 0, *kiprop_name = 0, *canonhost = 0;
- char localname[MAXHOSTNAMELEN];
-
- if (gethostname(localname, MAXHOSTNAMELEN)) {
- ret = errno;
- perror("gethostname");
- goto clean_and_exit;
- }
- ret = krb5_expand_hostname(context, localname, &canonhost);
- if (ret) {
- com_err(progname, ret, _("while canonicalizing local hostname"));
- goto clean_and_exit;
- }
- if (asprintf(&service_name, "kadmin/%s", canonhost) < 0) {
- ret = ENOMEM;
- fprintf(stderr, _("Out of memory\n"));
- goto clean_and_exit;
- }
- if (asprintf(&kiprop_name, "kiprop/%s", canonhost) < 0) {
- ret = ENOMEM;
- fprintf(stderr, _("Out of memory\n"));
- goto clean_and_exit;
- }
-
- if ((ret = add_admin_princ(handle, context,
- service_name, realm,
- KRB5_KDB_DISALLOW_TGT_BASED |
- KRB5_KDB_LOCKDOWN_KEYS,
- ADMIN_LIFETIME)))
- goto clean_and_exit;
if ((ret = add_admin_princ(handle, context,
KADM5_ADMIN_SERVICE, realm,
KRB5_KDB_DISALLOW_TGT_BASED |
KRB5_KDB_LOCKDOWN_KEYS,
ADMIN_LIFETIME)))
- goto clean_and_exit;
-
- if ((ret = add_admin_princ(handle, context,
- KADM5_CHANGEPW_SERVICE, realm,
- KRB5_KDB_DISALLOW_TGT_BASED |
- KRB5_KDB_PWCHANGE_SERVICE |
- KRB5_KDB_LOCKDOWN_KEYS,
- CHANGEPW_LIFETIME)))
- goto clean_and_exit;
-
- ret = add_admin_princ(handle, context, kiprop_name, realm, 0, 0);
-
-clean_and_exit:
- krb5_free_string(context, canonhost);
- free(service_name);
- free(kiprop_name);
+ return ret;
- return ret;
+ return add_admin_princ(handle, context, KADM5_CHANGEPW_SERVICE, realm,
+ KRB5_KDB_DISALLOW_TGT_BASED |
+ KRB5_KDB_PWCHANGE_SERVICE | KRB5_KDB_LOCKDOWN_KEYS,
+ CHANGEPW_LIFETIME);
}
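Review bot: With the host-based principals gone, `krb5_error_code ret = 0;` at the top of the body is a dead initializer, since ret is assigned by the first add_admin_princ call before it is ever read; `krb5_error_code ret;` is enough. The function also lost its hostname lookup and cleanup label without gaining a comment saying what it creates now; a header such as `/* Create the kadmin/admin and kadmin/changepw service principals. kadmin/<hostname> and kiprop/<hostname> are no longer created at database creation time. */` would tell the next maintainer why the canonicalized hostname disappeared. Both remaining principals keep KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_LOCKDOWN_KEYS, so the lockdown posture of the principals this path still creates is unchanged.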
/*
}
-/* Create a special principal using one specified component and the
- * canonicalized local hostname. */
-static krb5_error_code
-create_hostbased_special(krb5_context context, struct realm_info *rinfo,
- krb5_keyblock *mkey, const char *comp1)
-{
- krb5_error_code ret;
- krb5_principal princ = NULL;
-
- ret = krb5_sname_to_principal(context, NULL, comp1, KRB5_NT_SRV_HST,
- &princ);
- if (ret)
- goto cleanup;
- ret = krb5_set_principal_realm(context, princ, global_params.realm);
- if (ret)
- goto cleanup;
- ret = kdb_ldap_create_principal(context, princ, TGT_KEY, rinfo, mkey);
-
-cleanup:
- krb5_free_principal(context, princ);
- return ret;
-}
-
/* Create all special principals for the realm. */
static krb5_error_code
create_special_princs(krb5_context context, krb5_principal master_princ,
if (ret)
return ret;
- /* Create kadmin/admin and kadmin/<hostname>. */
+ /* Create kadmin/admin. */
rblock.max_life = ADMIN_LIFETIME;
rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
ret = create_fixed_special(context, &rblock, mkey, "kadmin", "admin");
- if (ret)
- return ret;
- ret = create_hostbased_special(context, &rblock, mkey, "kadmin");
- if (ret)
- return ret;
-
- /* Create kiprop/<hostname>. */
- rblock.max_life = global_params.max_life;
- rblock.flags = 0;
- ret = create_hostbased_special(context, &rblock, mkey, "kiprop");
if (ret)
return ret;
return
}
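Review bot: The updated comment `/* Create kadmin/admin. */` records the kadmin change, but nothing in this hunk records that kiprop/<hostname> is no longer created either, which is the change an iprop deployment will notice first. A header note on create_special_princs such as `/* Create all special principals for the realm. Host-based kadmin/<hostname> and kiprop/<hostname> are no longer created here; add kiprop/<hostname> with kadmin when setting up kpropd. */` would document the new behaviour, and the kdb5_ldap_util create documentation should say the same if it still lists those principals (not visible in this diff). The body of create_special_princs appears cut between its signature and the `if (ret)` line and its tail is truncated, so only the visible lines were reviewed.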
- # test fallback to kadmin/admin
- if {![kadmin_delete_locked_down kadmin/$hostname] \
+ # test fallback to kadmin/hostname
+ if {![kadmin_add_rnd kadmin/$hostname] \
+ || ![kadmin_delete_locked_down kadmin/admin] \
|| ![kadmin_list] \
- || ![kadmin_add_rnd kadmin/$hostname -allow_tgs_req] \
+ || ![kadmin_add_rnd kadmin/admin -allow_tgs_req] \
|| ![kadmin_list]} {
return
}
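Review bot: The re-added kadmin/admin at `kadmin_add_rnd kadmin/admin -allow_tgs_req` is the principal every later step authenticates against, yet it is recreated without the key lockdown that the C side still applies to it (KRB5_KDB_LOCKDOWN_KEYS in the kdb5_util hunk of this commit); unless kadmin_add_rnd sets that attribute itself, the rest of the run exercises a less restricted kadmin/admin than a real database creation produces. If later steps depend on that posture, `-lockdown_keys` alongside `-allow_tgs_req` restores it, with the caveat that any subsequent deletion would then need the kadmin_delete_locked_down helper this file already uses for such principals. The new kadmin/$hostname entry on the first line of the condition is likewise created with default attributes. The enclosing proc starts outside the hunk.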
# Create the principal used to authenticate kpropd to kadmind.
kiprop_princ = 'kiprop/' + hostname
+ realm.addprinc(kiprop_princ)
realm.extract_keytab(kiprop_princ, realm.keytab)
# Create the initial replica databases.
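Review bot: The new `realm.addprinc(kiprop_princ)` line is unexplained: the comment above it reads as if kiprop/<hostname> is merely being named, and a reader will not know why the test now has to create a principal that database creation used to provide. Extend the comment to `# kdb5_util create no longer creates kiprop/<hostname>; create it here before extracting its key.` so the dependency on this commit's database-creation change is recorded. The same applies to the added `realm.addprinc(kadmin_hostname)` in the following hunk, where a one-line comment stating that kadmin/<hostname> must now be created explicitly would serve the same purpose.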
# Test authentication to kadmin/hostname.
mark('authentication to kadmin/hostname')
kadmin_hostname = 'kadmin/' + hostname
+realm.addprinc(kadmin_hostname)
realm.run([kadminl, 'delprinc', 'kadmin/admin'])
msgs = ('Getting initial credentials for user/admin@KRBTEST.COM',
'Setting initial creds service to kadmin/admin',