author | Tomas Kuthan <tkuthan@gmail.com> | 2014-05-28 15:24:20 +0200 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2014-08-21 18:09:12 -0400 |
commit | bfd301a2d167c36ee4d5b53d06ae65ba814fa2d8 (patch) | |
tree | af9a2792205511f8c622d567289aed056b125910 | |
parent | 7b0fd353be446c9f148ac5d870610413ce361c45 (diff) | |
kadm5_randkey_principal interop with Solaris KDC
When kadm5_randkey_principal is called on Solaris kadmind (as opposed
to kadm5_randkey_principal_3), the KDC assumes the peer is a Solaris 9
system, and only creates DES keys.
For better interoperability, always call kadm5_randkey_principal_3
first. If this procedure is not present on the remote server, fall
back to calling kadm5_randkey_principal if possible.
[ghudson@mit.edu: adjusted comments, argument wrapping, commit
message]
(cherry picked from commit e86e3baaa684a7e891ffe852d74095c1a8b630ba)
ticket: 7997
version_fixed: 1.13
status: resolved
-rw-r--r-- | src/kadmin/cli/kadmin.c | 33 | ||||
-rw-r--r-- | src/kadmin/cli/kadmin.h | 7 | ||||
-rw-r--r-- | src/kadmin/cli/keytab.c | 7 |
3 files changed, 31 insertions, 16 deletions
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index 1ce30ee..a81036c 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -220,16 +220,25 @@ create_princ(kadm5_principal_ent_rec *princ, long mask, int n_ks,
     return kadm5_create_principal(handle, princ, mask, pass);
 }
 
-/* Randomize a principal's password using the oldest appropriate kadm5 API. */
-static krb5_error_code
-randkey_princ(krb5_principal princ, krb5_boolean keepold, int n_ks,
-              krb5_key_salt_tuple *ks)
+/* Randomize a principal's password using the appropriate kadm5 API. */
+krb5_error_code
+randkey_princ(void *lhandle, krb5_principal princ, krb5_boolean keepold,
+              int n_ks, krb5_key_salt_tuple *ks, krb5_keyblock **key,
+              int *n_keys)
 {
-    if (keepold || ks) {
-        return kadm5_randkey_principal_3(handle, princ, keepold, n_ks, ks,
-                                         NULL, NULL);
-    } else
-        return kadm5_randkey_principal(handle, princ, NULL, NULL);
+    krb5_error_code ret;
+
+    /* Try the newer API first, because the Solaris kadmind only creates DES
+     * keys when the old API is used. */
+    ret = kadm5_randkey_principal_3(lhandle, princ, keepold, n_ks, ks, key,
+                                    n_keys);
+
+    /* Fall back to the old version if we get an error and aren't using any new
+     * parameters. */
+    if (ret == KADM5_RPC_ERROR && !keepold && ks == NULL)
+        ret = kadm5_randkey_principal(lhandle, princ, key, n_keys);
+
+    return ret;
 }
 
 static krb5_boolean
@@ -830,7 +839,8 @@ kadmin_cpw(int argc, char *argv[])
         }
         printf(_("Password for \"%s\" changed.\n"), canon);
     } else if (randkey) {
-        retval = randkey_princ(princ, keepold, n_ks_tuple, ks_tuple);
+        retval = randkey_princ(handle, princ, keepold, n_ks_tuple, ks_tuple,
+                               NULL, NULL);
         if (retval) {
             com_err("change_password", retval,
                     _("while randomizing key for \"%s\"."), canon);
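Review bot: The fallback in randkey_princ keys off `KADM5_RPC_ERROR` alone, and as far as the hunk shows that code does not distinguish "procedure not present on the server" from any other RPC-layer failure, so a transport error on the kadm5_randkey_principal_3 call is retried through kadm5_randkey_principal — a second, non-idempotent key change if the first request was applied server-side and only the reply was lost, and against a Solaris kadmind a silent downgrade to the DES-only keys the commit message is trying to avoid. The `!keepold && ks == NULL` guard correctly limits the retry to requests the old API can express, but the caller in keytab.c (hunk @@ -284) writes whatever keys come back into the keytab with no indication of which path produced them. I would widen the comment above the `if`: `/* Fall back to the old API on any RPC-layer failure (e.g. procedure not present on an older kadmind).  This retries a non-idempotent operation and, on a Solaris kadmind, may yield DES-only keys. */`, and document the outputs on the function comment: `/* key and n_keys may be NULL; otherwise they receive the newly generated keys (ownership presumably passes to the caller -- confirm against keytab.c). */`.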
@@ -1273,7 +1283,8 @@ kadmin_addprinc(int argc, char *argv[])
     }
     if (old_style_randkey) {
         /* Randomize the password and re-enable tickets. */
-        retval = randkey_princ(princ.principal, FALSE, n_ks_tuple, ks_tuple);
+        retval = randkey_princ(handle, princ.principal, FALSE, n_ks_tuple,
+                               ks_tuple, NULL, NULL);
         if (retval) {
             com_err("add_principal", retval,
                     _("while randomizing key for \"%s\"."), canon);
diff --git a/src/kadmin/cli/kadmin.h b/src/kadmin/cli/kadmin.h
index 7afa0c9..9cff390 100644
--- a/src/kadmin/cli/kadmin.h
+++ b/src/kadmin/cli/kadmin.h
@@ -57,6 +57,13 @@ extern void kadmin_getstrings(int argc, char *argv[]);
 extern void kadmin_setstring(int argc, char *argv[]);
 extern void kadmin_delstring(int argc, char *argv[]);
 
+#include <kdb.h>
+
+krb5_error_code
+randkey_princ(void *lhandle, krb5_principal princ, krb5_boolean keepold,
+              int n_ks, krb5_key_salt_tuple *ks, krb5_keyblock **key,
+              int *n_keys);
+
 #include "autoconf.h"
 
 #ifdef TIME_WITH_SYS_TIME
diff --git a/src/kadmin/cli/keytab.c b/src/kadmin/cli/keytab.c
index 6c0c92c..e260fbe 100644
--- a/src/kadmin/cli/keytab.c
+++ b/src/kadmin/cli/keytab.c
@@ -284,11 +284,8 @@ add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab,
         code = kadm5_get_principal_keys(handle, princ, &keys, &nkeys);
     else
 #endif
-    if (keepold || ks_tuple != NULL) {
-        code = kadm5_randkey_principal_3(lhandle, princ, keepold,
-                                         n_ks_tuple, ks_tuple, &keys, &nkeys);
-    } else
-        code = kadm5_randkey_principal(lhandle, princ, &keys, &nkeys);
+    code = randkey_princ(lhandle, princ, keepold, n_ks_tuple, ks_tuple,
+                         &keys, &nkeys);
     if (code != 0) {
         if (code == KADM5_UNK_PRINC) {
             fprintf(stderr, _("%s: Principal %s does not exist.\n"),
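Review bot: The new prototype in the kadmin.h hunk is declared without `extern` while every neighbouring declaration in the hunk uses it, and the `#include <kdb.h>` it depends on is placed between the function declarations and `#include "autoconf.h"` rather than with the header's other includes, which are outside the hunk. If autoconf.h is where the configure-time macros come from, pulling a system header in ahead of it is at least surprising and deserves a comment if intentional. I would write `extern krb5_error_code` for consistency and either move the include up with the others or annotate it: `/* kdb.h supplies krb5_key_salt_tuple; included before autoconf.h deliberately -- TODO confirm */`.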