/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
32885d593baf8bac788fa78885893a51b3ad0f28gtb
32885d593baf8bac788fa78885893a51b3ad0f28gtb#pragma ident "%Z%%M% %I% %E% SMI"
32885d593baf8bac788fa78885893a51b3ad0f28gtb
32885d593baf8bac788fa78885893a51b3ad0f28gtb
32885d593baf8bac788fa78885893a51b3ad0f28gtb#include <pwd.h>
32885d593baf8bac788fa78885893a51b3ad0f28gtb#include <locale.h>
32885d593baf8bac788fa78885893a51b3ad0f28gtb#include <syslog.h>
32885d593baf8bac788fa78885893a51b3ad0f28gtb#include <errno.h>
32885d593baf8bac788fa78885893a51b3ad0f28gtb#include <com_err.h>
32885d593baf8bac788fa78885893a51b3ad0f28gtb#include <k5-int.h>
32885d593baf8bac788fa78885893a51b3ad0f28gtb
/*
 * ktkt_warnd(1M) registration interface.  The first argument is the
 * unparsed client principal name; kwarn_add_warning() also takes the
 * credential end time that the warning daemon should track.  Both are
 * defined outside this file.
 */
extern uint_t kwarn_del_warning(char *client_name);
extern uint_t kwarn_add_warning(char *client_name, int endtime);
32885d593baf8bac788fa78885893a51b3ad0f28gtb
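/*
 * Store the forwarded creds in the user's local ccache and register
 * w/ktkt_warnd(1M).
 *
 * The cache is "FILE:/tmp/krb5cc_<uid>" for the local user's uid.  Before
 * any krb5 cache call the effective uid is switched to that user, so the
 * cache file in the shared /tmp directory is created with the user's
 * identity rather than with the privileges of the calling daemon; the
 * cleanup label switches it back on every path that reaches it (the two
 * early returns happen before the switch, so nothing needs restoring).
 *
 * Parameters:
 *   context    krb5 library context; also receives the extended error
 *              message for cache resolve/initialize/store failures
 *   creds      forwarded credentials to store; (*creds)->client is the
 *              principal registered with ktkt_warnd(1M) and
 *              (*creds)->times.endtime the expiry passed along with it
 *   ticket     ticket whose enc_part2->client becomes the cache's
 *              default principal
 *   lusername  local account name, looked up with getpwnam()
 *   ccache     out: the resolved cache handle, or NULL if resolution was
 *              never attempted or failed.  NOTE(review): on success the
 *              handle has already been passed to krb5_cc_close() by the
 *              time this returns, and after a failed initialize/store it
 *              is still open -- confirm callers treat it accordingly.
 *
 * Returns 0 on success, ENOENT if lusername is unknown, -1 if seteuid()
 * to the user failed, otherwise the krb5 error code of the failing call.
 * A ktkt_warnd(1M) registration failure is logged but not reported.
 */
krb5_error_code
store_forw_creds(krb5_context context,
    krb5_creds **creds,
    krb5_ticket *ticket,
    char *lusername,
    krb5_ccache *ccache)
{
	krb5_error_code retval;
	char ccname[MAXPATHLEN];
	struct passwd *pwd;
	uid_t saved_euid;
	char *client_name = NULL;

	*ccache = NULL;
	if ((pwd = getpwnam(lusername)) == NULL)
		return (ENOENT);

	/*
	 * Save the *effective* uid, since that is what cleanup restores;
	 * the real uid is not necessarily the same and is not what we
	 * change below.
	 */
	saved_euid = geteuid();
	if (seteuid(pwd->pw_uid) != 0)
		return (-1);

	/*
	 * Cast so the argument type matches the %ld directive regardless
	 * of how uid_t is defined; MAXPATHLEN is far larger than the
	 * longest possible result, so truncation cannot occur.
	 */
	(void) snprintf(ccname, sizeof (ccname), "FILE:/tmp/krb5cc_%ld",
	    (long)pwd->pw_uid);

	if ((retval = krb5_cc_resolve(context, ccname, ccache)) != 0) {
		krb5_set_error_message(context, retval,
		    gettext("failed to resolve cred cache %s"), ccname);
		goto cleanup;
	}

	if ((retval = krb5_cc_initialize(context, *ccache,
	    ticket->enc_part2->client)) != 0) {
		krb5_set_error_message(context, retval,
		    gettext("failed to initialize cred cache %s"), ccname);
		goto cleanup;
	}

	if ((retval = krb5_cc_store_cred(context, *ccache, *creds)) != 0) {
		krb5_set_error_message(context, retval,
		    gettext("failed to store cred in cache %s"), ccname);
		goto cleanup;
	}

	if ((retval = krb5_cc_close(context, *ccache)) != 0)
		goto cleanup;

	/* Register with ktkt_warnd(1M) */
	if ((retval = krb5_unparse_name(context, (*creds)->client,
	    &client_name)) != 0)
		goto cleanup;
	/* Drop any stale entry for this principal before adding the new one. */
	(void) kwarn_del_warning(client_name);
	if (kwarn_add_warning(client_name, (*creds)->times.endtime) != 0) {
		syslog(LOG_AUTH|LOG_NOTICE,
		    "store_forw_creds: kwarn_add_warning"
		    " failed: ktkt_warnd(1M) down? ");
	}

cleanup:
	/* free(NULL) is a no-op, so this is safe on every path. */
	free(client_name);
	client_name = NULL;
	/*
	 * Restore the privileges we started with.  A failure here has no
	 * useful recovery and retval already carries the outcome.
	 */
	(void) seteuid(saved_euid);

	return (retval);
}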