 * Copyright (c) 1998, 2012, Oracle and/or its affiliates. All rights reserved.
 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
 * Copyright (C) 1998 by the FundsXpress, INC.
 * All rights reserved.
 * Export of this software from the United States of America may require
 * a specific license from the United States Government. It is the
 * responsibility of any person or organization contemplating export to
 * obtain such a license before exporting.
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of FundsXpress. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. FundsXpress makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
/* connection timeout to kadmind in seconds */
/* Solaris Kerberos: don't need this */
#if 0
/* ************ Begin IFDEF'ed OUT ***************************** */
#endif /* ************** END IFDEF'ed OUT ***************************** */
	"error in gss_display_status"
	" called from <%s>\n"), m);
	"GSS-API error : %s\n"),
	"GSS-API error : %s\n"),
 * Function: display_status
 * Purpose: displays GSS-API messages
 * msg a string to be displayed with the message
 * maj_stat the GSS-API major status code
 * min_stat the GSS-API minor status code
 * mech kerberos mech
 * The GSS-API messages associated with maj_stat and min_stat are
 * displayed on stderr, each preceded by "GSS-API error <msg>: " and
 * followed by a newline.
 * Open an fd for the given address and connect asynchronously. Wait
 * KADMIND_CONNECT_TIMEOUT seconds or till it succeeds. If it succeeds
 * change fd to blocking and return it, else return -1.
	/* we'll open with O_NONBLOCK and avoid an fcntl */
	/* we can't connect unless fd is in IDLE state */
	/* setup connect parameters */
	/* we wait for KADMIND_CONNECT_TIMEOUT seconds from now */
	/* loop till success or timeout */
	/* we have either timed out or caught an error */
	/* make the fd blocking (synchronous) */
 * Open an RPCSEC_GSS connection and
 * get a client handle to use for future RPCSEC calls.
 * This function is only used when changing passwords and
 * the kpasswd_protocol is RPCSEC_GSS
	/* Solaris Kerberos */
	/* service name is service@host */
	printf(
	"addr: sin_port: %d, sin_family: %d, sin_zero %s\n",
	"cannot get any transport information"));
	/* Transform addr to netbuf */
	/* get an fd connected to the given address */
	"unable to open connection to ADMIN server "
	printf(
	"nconf: nc_netid: %s, nc_semantics: %d, nc_flag: %d, "
	"nc_protofmly: %s\n",
	printf(
	"nc_proto: %s, nc_device: %s, nc_nlookups: %d, nc_used: %d\n",
 * Tell clnt_tli_create that given fd is already connected
 * If the service_name and client_name are iprop-centric,
 * we need to clnt_tli_create to the appropriate RPC prog
	"clnt_tli_create failed\n"));
 * The rpc-handle was created on an fd opened and connected
 * by us, so we have to explicitly tell rpc to close it.
	"clnt_control failed to set CLSET_FD_CLOSE"));
	/* now that handle->clnt is set, we can check the handle */
 * The RPC connection is open; establish the GSS-API
 * authentication context.
	/* use the kadm5 cache */
#endif /* ! INIT_TEST */
	/* Solaris Kerberos */
	"rpc_gss_seccreate failed\n"),
 * Bypass the remainder of the code and return straightaway
 * if the gss service requested is kiprop
	/* Solaris Kerberos: 163 resync */
	/* Drop down to v2 wire protocol if server does not support v3 */
	/* Solaris Kerberos */
 * gss_client_creds is freed only when there is an error condition,
 * given that rpc_gss_seccreate() will assign the cred pointer to the
 * my_cred member in the auth handle's private data structure.
/* Solaris Kerberos: utility function used below */
 * Verify the version numbers before proceeding; we can't use
 * CHECK_HANDLE because not all fields are set yet.
	/* Solaris Kerberos */
 * Acquire relevant profile entries. In version 2, merge values
 * in params_in with values from profile, based on
 * In version 1, we've given a realm (which may be NULL) instead
 * of params_in. So use that realm, make params_in contain an
 * empty mask, and behave like version 2.
#if 0
/* Since KDC config params can now be put in krb5.conf, these
   could show up even when you're just using the remote kadmin
 * Acquire a service ticket for service_name@realm in the name of
 * client_name, using password pass (which could be NULL), and
 * create a ccache to store them in. If INIT_CREDS, use the
 * ccache we were provided instead.
	/* Assumption: all service names refer to the same fundamental service */
 * Client side multi-master support: loop through service names, stopping
 * either if rpcsec not being done (set-change protocol has its own logic
 * for dealing with multiple admin_servers) or a rpcsec gss handle is
 * successfully initialized with one of the admin servers specified listed
 * The 'service_name' is constructed by the caller
 * but it's done before the parameter which determines
 * the kpasswd_protocol is found. The servers that
 * a slightly different service principal than
 * the normal SEAM kadmind so construct the correct
 * name here and then forget it.
	/* Solaris Kerberos */
	/* XXX temporarily fix a bug in krb5_cc_get_type */
 * Get a ticket, use the method specified in init_type.
 * Save the original creds.server as krb5_get_init_creds*() always
 * sets the realm of the server to the client realm.
	/* Improved error messages */
	/* clean up for another go around */
 * If the server principal had an empty realm then store that in
 * the cred cache and not the server realm as returned by
 * krb5_get_init_creds_{keytab|password}(). This ensures that rpcsec_gss
 * will find the credential in the cred cache even if a "fallback"
 * method is being used to determine the realm.
 * If we got this far, save the creds in the cache.
 * If _kadm5_initialize_rpcsec_gss_handle() fails it will have
 * called krb5_gss_release_cred(). If the credential cache is a
 * MEMORY cred cache krb5_gss_release_cred() destroys the
 * cred cache data. Make sure that the cred-cache is closed
 * to prevent a double free in the "error" code.
	/* clean up for another go around */
	/* inited the rpcsec_gss handle, can stop looping now */
	/* if not initing the rpcsec_gss handle no reason to loop */
	} /* end for (i = 0; service_names[i] != NULL; i++) */
	/* wasn't able to setup a handle so bail */
 * Note that it is illegal for this code to execute if "handle"
 * has not been allocated and initialized. I.e., don't use "goto
 * error" before the block of code at the top of the function
 * that allocates and initializes "handle".
 * cred's server and client pointers could have been overwritten
 * by the krb5_get_init_* functions. If the addresses are different
 * before and after the calls then we must free the memory that
 * was allocated before the call.
 * Don't clean up the handle if the code is OK (code==0)
 * because it is returned to the caller in the 'server_handle'
 * krb5_cc_resolve() will resolve a ccache with the same data that
 * handle->my_cred points to. If the ccache is a MEMORY ccache then
 * gss_release_cred() will free that data (it doesn't do this when ccache
 * is a FILE ccache).
 * if'ed out to avoid the double free.
 * Since kadm5 doesn't use the default credentials we
 * must clean this up manually.
/* not supported on client */
/* not supported on client */
 * Stub function for kadmin. It was created to eliminate the dependency on
 * libkdb's ulog functions. The srv equivalent makes the actual calls.