From 91596ae028cf458b61c03c13dee8c0b7039b8d76 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sat, 11 Jul 2020 21:47:08 -0400 Subject: [PATCH] Rename master_kdc and iprop_master_ulogsize Use "primary_kdc" and "iprop_ulogsize" as the preferred names of the two relations. Fall back to the old keys if the new ones are not set. ticket: 8921 --- doc/admin/conf_files/kdc_conf.rst | 9 +++++++-- doc/admin/conf_files/krb5_conf.rst | 8 ++++++-- src/include/k5-int.h | 2 ++ src/include/krb5/locate_plugin.h | 3 ++- src/lib/kadm5/alt_prof.c | 25 +++++++++++++------------ src/lib/krb5/krb/t_krb5.conf | 2 +- src/lib/krb5/os/locate_kdc.c | 17 +++++++++++------ src/util/profile/krb5.conf | 2 +- src/util/profile/profile.5 | 4 ++-- 9 files changed, 45 insertions(+), 27 deletions(-) diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst index 0ca3d86ef4..7b1b9fcd43 100644 --- a/doc/admin/conf_files/kdc_conf.rst +++ b/doc/admin/conf_files/kdc_conf.rst @@ -222,10 +222,15 @@ The following tags may be specified in a [realms] subsection: (Boolean value.) Specifies whether incremental database propagation is enabled. The default value is false. -**iprop_master_ulogsize** +**iprop_ulogsize** (Integer.) Specifies the maximum number of log entries to be retained for incremental propagation. The default value is 1000. - Prior to release 1.11, the maximum value was 2500. + Prior to release 1.11, the maximum value was 2500. New in release + 1.19. + +**iprop_master_ulogsize** + The name for **iprop_ulogsize** prior to release 1.19. Its value is + used as a fallback if **iprop_ulogsize** is not specified. **iprop_replica_poll** (Delta time string.) Specifies how often the replica KDC polls diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst index 9e831d4aa0..e4e2443edb 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst 
@@ -515,12 +515,16 @@ following tags may be specified in the realm's subsection: host will be tried. **master_kdc** + The name for **primary_kdc** prior to release 1.19. Its value is + used as a fallback if **primary_kdc** is not specified. + +**primary_kdc** Identifies the primary KDC(s). Currently, this tag is used in only one case: If an attempt to get credentials fails because of an invalid password, the client software will attempt to contact the primary KDC, in case the user's password has just been changed, and the updated database has not been propagated to the replica - servers yet. + servers yet. New in release 1.19. **v4_instance_convert** This subsection allows the administrator to configure exceptions @@ -1208,7 +1212,7 @@ Here is an example of a generic krb5.conf file:: kdc = kerberos-1.mit.edu kdc = kerberos-2.mit.edu admin_server = kerberos.mit.edu - master_kdc = kerberos.mit.edu + primary_kdc = kerberos.mit.edu } EXAMPLE.COM = { kdc = kerberos.example.com diff --git a/src/include/k5-int.h b/src/include/k5-int.h index f50cee71c3..b3e346991d 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -228,6 +228,7 @@ typedef unsigned char u_char; #define KRB5_CONF_IPROP_RESYNC_TIMEOUT "iprop_resync_timeout" #define KRB5_CONF_IPROP_REPLICA_POLL "iprop_replica_poll" #define KRB5_CONF_IPROP_SLAVE_POLL "iprop_slave_poll" +#define KRB5_CONF_IPROP_ULOGSIZE "iprop_ulogsize" #define KRB5_CONF_K5LOGIN_AUTHORITATIVE "k5login_authoritative" #define KRB5_CONF_K5LOGIN_DIRECTORY "k5login_directory" #define KRB5_CONF_KADMIND_LISTEN "kadmind_listen" @@ -280,6 +281,7 @@ typedef unsigned char u_char; #define KRB5_CONF_PLUGINS "plugins" #define KRB5_CONF_PLUGIN_BASE_DIR "plugin_base_dir" #define KRB5_CONF_PREFERRED_PREAUTH_TYPES "preferred_preauth_types" +#define KRB5_CONF_PRIMARY_KDC "primary_kdc" #define KRB5_CONF_PROXIABLE "proxiable" #define KRB5_CONF_QUALIFY_SHORTNAME "qualify_shortname" #define KRB5_CONF_RDNS "rdns" 
diff --git a/src/include/krb5/locate_plugin.h b/src/include/krb5/locate_plugin.h index d0e85494d7..7a872a159c 100644 --- a/src/include/krb5/locate_plugin.h +++ b/src/include/krb5/locate_plugin.h @@ -34,11 +34,12 @@ enum locate_service_type { locate_service_kdc = 1, - locate_service_master_kdc, + locate_service_primary_kdc, locate_service_kadmin, locate_service_krb524, locate_service_kpasswd }; +#define locate_service_master_kdc locate_service_primary_kdc typedef struct krb5plugin_service_locate_ftable { int minor_version; /* currently 0 */ diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c index 5531a10fb4..d166f0aba6 100644 --- a/src/lib/kadm5/alt_prof.c +++ b/src/lib/kadm5/alt_prof.c 
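Review bot: The added `#define locate_service_master_kdc locate_service_primary_kdc` after the enum carries no comment, so a reader of this public plugin header cannot tell whether the old name is still supported, merely tolerated, or slated for removal. Suggest placing `/* Deprecated alias of locate_service_primary_kdc, kept so out-of-tree locate plugins that still use the old name compile; new code should use the primary_kdc name. */` directly above the define. Because it is a macro rather than a second enumerator, debuggers and switch-coverage warnings will only ever show the primary_kdc spelling, which is presumably intended and worth stating in the same comment. The `krb5plugin_service_locate_ftable` typedef that begins at the end of this hunk continues outside it.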
@@ -784,24 +784,25 @@ krb5_error_code kadm5_get_config_params(krb5_context context, GET_DELTAT_PARAM(iprop_resync_timeout, KADM5_CONFIG_IPROP_RESYNC_TIMEOUT, KRB5_CONF_IPROP_RESYNC_TIMEOUT, 60 * 5); - hierarchy[2] = KRB5_CONF_IPROP_MASTER_ULOGSIZE; - - params.iprop_ulogsize = DEF_ULOGENTRIES; - params.mask |= KADM5_CONFIG_ULOG_SIZE; - if (params_in->mask & KADM5_CONFIG_ULOG_SIZE) { params.mask |= KADM5_CONFIG_ULOG_SIZE; params.iprop_ulogsize = params_in->iprop_ulogsize; } else { + params.iprop_ulogsize = 0; + hierarchy[2] = KRB5_CONF_IPROP_ULOGSIZE; if (aprofile != NULL && - !krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) { - if (ivalue <= 0) - params.iprop_ulogsize = DEF_ULOGENTRIES; - else - params.iprop_ulogsize = ivalue; - params.mask |= KADM5_CONFIG_ULOG_SIZE; - } + !krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue) && + ivalue > 0) + params.iprop_ulogsize = ivalue; + hierarchy[2] = KRB5_CONF_IPROP_MASTER_ULOGSIZE; + if (params.iprop_ulogsize == 0 && aprofile != NULL && + !krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue) && + ivalue > 0) + params.iprop_ulogsize = ivalue; + if (params.iprop_ulogsize == 0) + params.iprop_ulogsize = DEF_ULOGENTRIES; } + params.mask |= KADM5_CONFIG_ULOG_SIZE; GET_DELTAT_PARAM(iprop_poll_time, KADM5_CONFIG_POLL_TIME, KRB5_CONF_IPROP_REPLICA_POLL, -1); diff --git a/src/lib/krb5/krb/t_krb5.conf b/src/lib/krb5/krb/t_krb5.conf index a80b4ce2af..a851fbd38d 100644 --- a/src/lib/krb5/krb/t_krb5.conf +++ b/src/lib/krb5/krb/t_krb5.conf @@ -7,7 +7,7 @@ kdc = KERBEROS-2.MIT.EDU:88 kdc = KERBEROS.MIT.EDU kdc = KERBEROS-1.MIT.EDU - master_kdc = KERBEROS.MIT.EDU + primary_kdc = KERBEROS.MIT.EDU admin_server = KERBEROS.MIT.EDU default_domain = MIT.EDU v4_instance_convert = { diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c index 7036c748cd..edca5ac7eb 100644 --- a/src/lib/krb5/os/locate_kdc.c +++ b/src/lib/krb5/os/locate_kdc.c 
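Review bot: The fallback in the new `else` branch is wider than the documentation added in the same commit describes: an `iprop_ulogsize` that `krb5_aprof_get_int32` rejects or that fails the `ivalue > 0` test is silently skipped and the code moves on to `iprop_master_ulogsize` and then `DEF_ULOGENTRIES`, whereas kdc_conf.rst says the old key is used only when the new one "is not specified". Either reject a present-but-invalid value or document the lenient behaviour; at minimum add above the first `hierarchy[2] = KRB5_CONF_IPROP_ULOGSIZE;` a comment such as `/* Prefer iprop_ulogsize, then the pre-1.19 name iprop_master_ulogsize, then the default; a missing, unparseable or non-positive value in either key is skipped. */`. The two lookups differ only in the key name and would read more clearly as one small static helper called twice, though that is a matter of taste. kadm5_get_config_params starts and ends outside this hunk.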
@@ -246,6 +246,11 @@ locate_srv_conf_1(krb5_context context, const krb5_data *realm, realm_srv_names[2] = name; realm_srv_names[3] = 0; code = profile_get_values(context->profile, realm_srv_names, &hostlist); + if (code == PROF_NO_RELATION && strcmp(name, KRB5_CONF_PRIMARY_KDC) == 0) { + realm_srv_names[2] = KRB5_CONF_MASTER_KDC; + code = profile_get_values(context->profile, realm_srv_names, + &hostlist); + } if (code) { Tprintf("config file lookup failed: %s\n", error_message(code)); if (code == PROF_NO_SECTION || code == PROF_NO_RELATION) @@ -495,8 +500,8 @@ prof_locate_server(krb5_context context, const krb5_data *realm, kdc_ports: dflport = KRB5_DEFAULT_PORT; break; - case locate_service_master_kdc: - profname = KRB5_CONF_MASTER_KDC; + case locate_service_primary_kdc: + profname = KRB5_CONF_PRIMARY_KDC; goto kdc_ports; case locate_service_kadmin: profname = KRB5_CONF_ADMIN_SERVER; @@ -663,7 +668,7 @@ dns_locate_server_uri(krb5_context context, const krb5_data *realm, return 0; switch (svc) { - case locate_service_master_kdc: + case locate_service_primary_kdc: find_primary = TRUE; /* Fall through */ case locate_service_kdc: @@ -707,7 +712,7 @@ dns_locate_server_srv(krb5_context context, const krb5_data *realm, case locate_service_kdc: dnsname = "_kerberos"; break; - case locate_service_master_kdc: + case locate_service_primary_kdc: dnsname = "_kerberos-master"; break; case locate_service_kadmin: @@ -824,7 +829,7 @@ k5_locate_kdc(krb5_context context, const krb5_data *realm, { enum locate_service_type stype; - stype = get_primaries ? locate_service_master_kdc : locate_service_kdc; + stype = get_primaries ? locate_service_primary_kdc : locate_service_kdc; return k5_locate_server(context, realm, serverlist, stype, no_udp); } 
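Review bot: The new fallback in locate_srv_conf_1 has no comment explaining why a second `profile_get_values` with `KRB5_CONF_MASTER_KDC` is attempted, and it leaves `realm_srv_names[2]` pointing at the old key afterwards; if anything later in the function reuses that array (not visible in the hunk) it would now look up the wrong relation, so either restore `realm_srv_names[2] = name;` after the retry or confirm nothing reads it. Suggest `/* primary_kdc superseded master_kdc in 1.19; honor the old relation only when the new one is absent (PROF_NO_RELATION), not when the realm section itself is missing. */` above the added `if`. In dns_locate_server_srv the `"_kerberos-master"` SRV label is rightly left unchanged, presumably because it is what deployed DNS records carry; a one-line comment saying so would pre-empt a future rename pass. locate_srv_conf_1 continues outside the hunk.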
@@ -838,7 +843,7 @@ k5_kdc_is_primary(krb5_context context, const krb5_data *realm, if (server->primary != -1) return server->primary; - if (locate_server(context, realm, &list, locate_service_master_kdc, + if (locate_server(context, realm, &list, locate_service_primary_kdc, server->transport) != 0) return FALSE; found = server_list_contains(&list, server); diff --git a/src/util/profile/krb5.conf b/src/util/profile/krb5.conf index 7d38e9e532..de4de846a8 100644 --- a/src/util/profile/krb5.conf +++ b/src/util/profile/krb5.conf @@ -10,7 +10,7 @@ kdc = kerberos-1.mit.edu kdc = kerberos-2.mit.edu kdc = kerberos-3.mit.edu - master_kdc = kerberos.mit.edu + primary_kdc = kerberos.mit.edu admin_server = kerberos.mit.edu } MEDIA-LAB.MIT.EDU = { diff --git a/src/util/profile/profile.5 b/src/util/profile/profile.5 index 1b0748e611..3da6557058 100644 --- a/src/util/profile/profile.5 +++ b/src/util/profile/profile.5 @@ -27,7 +27,7 @@ An example profile file might look like this: kdc = kerberos.mit.edu kdc = kerberos-1.mit.edu kdc = kerberos-2.mit.edu - master_kdc = kerberos.mit.edu + primary_kdc = kerberos.mit.edu admin_server = kerberos.mit.edu } CYGNUS.COM = { @@ -66,7 +66,7 @@ sections have been marked as final: [realms] ATHENA.MIT.EDU = { kdc = kerberos.mit.edu - master_kdc = kerberos.mit.edu + primary_kdc = kerberos.mit.edu admin_server = kerberos.mit.edu }* -- 2.47.2