/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
 * Copyright 1997,2006,2007-2009 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 */

/*
 * Copyright (C) 1998 by the FundsXpress, INC.
 * All rights reserved.
 *
 * Export of this software from the United States of America may require
 * a specific license from the United States Government. It is the
 * responsibility of any person or organization contemplating export to
 * obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of FundsXpress. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. FundsXpress makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */

/*
 * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
 */

/*
 * Extra error handling
 */

/*
 * There are two distinct locking protocols used. One is designed to
 * lock against processes (the admin_server, for one) which make
 * incremental changes to the database; the other is designed to lock
 * against utilities (kdb5_edit, kpropd, kdb5_convert) which replace the
 * entire database in one fell swoop.
 *
 * The first locking protocol is implemented using flock() in the
 * krb_dbl_lock() and krb_dbl_unlock routines.
 *
 * The second locking protocol is necessary because DBM "files" are
 * actually implemented as two separate files, and it is impossible to
 * atomically rename two files simultaneously. It assumes that the
 * database is replaced only very infrequently in comparison to the time
 * needed to do a database read operation.
 *
 * A third file is used as a "version" semaphore; the modification
 * time of this file is the "version number" of the database.
 */
/*
 * At the start of a read operation, the reader checks the version
 * number; at the end of the read operation, it checks again. If the
 * version number changed, or if the semaphore was nonexistent at
 * either time, the reader sleeps for a second to let things
 * stabilize, and then tries again; if it does not succeed after
 * KRB5_DBM_MAX_RETRY attempts, it gives up.
 *
 * On update, the semaphore file is deleted (if it exists) before any
 * update takes place; at the end of the update, it is replaced, with
 * a version number strictly greater than the version number which
 * existed at the start of the update.
 *
 * If the system crashes in the middle of an update, the semaphore
 * file is not automatically created on reboot; this is a feature, not
 * a bug, since the database may be inconsistent. Note that the
 * absence of a semaphore file does not prevent another _update_ from
 * taking place later. Database replacements take place automatically
 * only on slave servers; a crash in the middle of an update will be
 * fixed by the next slave propagation. A crash in the middle of an
 * update on the master would be somewhat more serious, but this would
 * likely be noticed by an administrator, who could fix the problem and
 * retry the operation.
 */

/*
 * Routines to deal with context.
 */

/*
 * Restore the default context.
 */

/*
 * Free any dynamically allocated memory. File descriptors and locks
 * are the caller's problem.
 */

/*
 * Clear the structure and reset the defaults.
 */

/*
 * Utility routine: generate name of database file.
 */

/*
 * initialization for data base routines.
 */
    /* Check for presence of our context, if not present, allocate one. */

    /*
     * should be opened read/write so that write locking can work with
     */

    /* Solaris Kerberos: Better error logging */
    /* Solaris Kerberos: Better error logging */
            gettext(
                "Failed to initialize db, \"%s\", lockfile, \"%s\" : "),
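The version-semaphore protocol described in the comment above, written out as an added example; this is not code from kdb_db2.c or from the MIT/Solaris Kerberos tree. It assumes a value of 5 for KRB5_DBM_MAX_RETRY (the page names the constant but not its value), makes the one-second sleep a parameter so the constructed scenarios can run with no delay, and uses a throwaway semaphore file under /tmp in place of the real database files. The reader accepts a result only when the semaphore existed with the same mtime before and after the read; the updater deletes the semaphore first and recreates it with a strictly greater version, leaving it absent if the update fails.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <utime.h>
#include <sys/stat.h>

/* The page names KRB5_DBM_MAX_RETRY but not its value; 5 is assumed here. */
#define KRB5_DBM_MAX_RETRY 5

/* Database version = mtime of the semaphore file. Returns -1 if it is absent. */
static int sem_version(const char *sem_path, time_t *version)
{
    struct stat st;
    if (stat(sem_path, &st) != 0)
        return -1;
    *version = st.st_mtime;
    return 0;
}

/* Create (or truncate) the semaphore and stamp it with an explicit version. */
static int sem_create(const char *sem_path, time_t version)
{
    FILE *f = fopen(sem_path, "w");
    if (f == NULL)
        return -1;
    fclose(f);
    struct utimbuf t = { version, version };   /* actime, modtime */
    return utime(sem_path, &t);
}

/* Reader: version must exist and be unchanged across read_fn(), else sleep
 * and retry; returns read_fn's result, or -1 after KRB5_DBM_MAX_RETRY tries. */
int db2_read_checked(const char *sem_path, int (*read_fn)(void *), void *arg,
                     unsigned sleep_seconds)
{
    for (int attempt = 0; attempt < KRB5_DBM_MAX_RETRY; attempt++) {
        time_t before, after;
        if (sem_version(sem_path, &before) == 0) {
            int rc = read_fn(arg);
            if (sem_version(sem_path, &after) == 0 && after == before)
                return rc;                     /* consistent snapshot */
        }
        if (sleep_seconds)
            sleep(sleep_seconds);              /* let the replacement finish */
    }
    return -1;
}

/* Updater: remove the semaphore, run update_fn(), recreate it with a version
 * strictly greater than the one seen at the start. On failure the semaphore
 * stays absent, flagging a possibly inconsistent database. */
int db2_update_checked(const char *sem_path, int (*update_fn)(void *),
                       void *arg, time_t *new_version)
{
    time_t start = 0;
    int had_sem = (sem_version(sem_path, &start) == 0);
    if (had_sem && unlink(sem_path) != 0)
        return -1;
    if (update_fn(arg) != 0)
        return -1;
    time_t now = time(NULL);
    time_t next = (had_sem && now <= start) ? start + 1 : now;
    if (sem_create(sem_path, next) != 0)
        return -1;
    *new_version = next;
    return 0;
}

/* ---- constructed scenarios; no real KDC database is touched ---- */
struct demo { char sem[64]; int reads; };

static void demo_init(struct demo *d)
{
    snprintf(d->sem, sizeof d->sem, "/tmp/kdb_db2_example_%ld.sem", (long)getpid());
    d->reads = 0;
    unlink(d->sem);
}

static int read_fn_ok(void *arg) { ((struct demo *)arg)->reads++; return 42; }
static int update_fn_ok(void *arg) { (void)arg; return 0; }

/* Simulates a database replacement landing mid-read by bumping the version. */
static int read_fn_racing(void *arg)
{
    struct demo *d = arg;
    time_t v = 0;
    d->reads++;
    sem_version(d->sem, &v);
    struct utimbuf t = { v + 60, v + 60 };
    utime(d->sem, &t);
    return 42;
}

/* Stable version across the read: the result is accepted on the first try. */
int demo_consistent_read(void)
{
    struct demo d; demo_init(&d);
    sem_create(d.sem, 1000000000);
    int rc = db2_read_checked(d.sem, read_fn_ok, &d, 0);
    unlink(d.sem);
    return rc;                                 /* 42 */
}

/* Version changes during every attempt: all KRB5_DBM_MAX_RETRY attempts fail. */
int demo_version_changed_mid_read(void)
{
    struct demo d; demo_init(&d);
    sem_create(d.sem, 1000000000);
    int rc = db2_read_checked(d.sem, read_fn_racing, &d, 0);
    unlink(d.sem);
    return rc == -1 && d.reads == KRB5_DBM_MAX_RETRY;
}

/* Old version is ahead of the clock, so the new one must be start + 1, not now. */
int demo_update_bumps_version(void)
{
    struct demo d; demo_init(&d);
    time_t old = time(NULL) + 3600, fresh = 0;
    sem_create(d.sem, old);
    int rc = db2_update_checked(d.sem, update_fn_ok, &d, &fresh);
    unlink(d.sem);
    return rc == 0 && fresh == old + 1;
}
```

The third scenario is the edge the comment insists on: the replacement version must be strictly greater than the one seen at the start of the update, so a wall clock that has not advanced past the old mtime cannot be used as-is.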
/*
 * gracefully shut down database--must be called by ANY program that does
 * a krb5_db2_db_init
 */
    /* free(dal_handle->db_context); */

/*
 * Set/Get the master key associated with the database
 */

/*
 * Set the "name" of the current database to some alternate value.
 *
 * Passing a null pointer as "name" will set back to the default.
 * If the alternate database doesn't exist, nothing is changed.
 */
    /* Check for presence of our context, if not present, allocate one. */
    /* Solaris Kerberos */

/*
 * Return the last modification time of the database.
 *
 * Think about using fstat.
 */

/*
 * Remove the semaphore file; indicates that database is currently
 *
 * This is only for use when moving the database out from underneath
 * the server (for example, during slave updates).
 */
    /* Solaris Kerberos: Better error logging */
                "access and modification times for \"%s\": "),
    /* Solaris Kerberos: Better error logging */
    /* No need to upgrade lock, just return */
    /* tried to exclusive-lock something we don't have */
    /* write access to */
    /* Solaris Kerberos: Better error logging */
    /* Solaris Kerberos: Better error logging */
    /* Solaris Kerberos: Better error logging */

/*
 * Create the database, assuming it's not there.
 */
    /* Solaris Kerberos: Better error logging */
    /* Solaris Kerberos: Better error logging */

/*
 * Destroy the database. Zeros out all of the files, just to be sure.
 */
    /* fstat() will probably not fail unless using a remote filesystem
     * (which is inappropriate for the kerberos database) so this check
     * is mostly paranoia. */

    /*
     * Stroll through the file, reading in BUFSIZ chunks. If everything
     * is zero, then we're done for that block, otherwise, zero the block.
     * We would like to just blast through everything, but some DB
     * implementations make holey files and writing data to the holes
     * causes actual blocks to be allocated which is no good, since
     * we're just about to unlink it anyways.
     */
    for (j = 0; j < nb; j++) {
        /* For signedness */

    /* ??? Is fsync really needed? I don't know of any non-networked
     * filesystem which will discard queued writes to disk if a file
     * is deleted after it is closed. --jfc */

/*
 * Since the destroy operation happens outside the init/fini bracket, we
 * have some tomfoolery to undergo here. If we're operating under no
 * database context, then we initialize with the default. If the caller
 * wishes a different context (e.g. different dispatch table), it's their
 * responsibility to call kdb5_db_set_dbops() before this call. That will
 * set up the right dispatch table values (e.g. name extensions).
 *
 * Not quite valid due to ripping out of dbops...
 */

/*
 * look up a principal in the data base.
 * returns number of entries found, and whether there were
 * more than requested.
 */
    /* XXX deal with wildcard lookups */

/*
 * Free stuff returned by krb5_db2_db_get_principal.
 */

/*
 * Stores the *"nentries" entry structures pointed to by "entries" in the
 *
 * *"nentries" is updated upon return to reflect the number of records
 * actually stored; the first *"nstored" records will have been stored in the
 * database (even if an error occurs).
 */
    /* DB2 does not support db_args DB arguments for principal */
    for (i = 0; i < n; i++) {
/*
 * delete a principal from the data base.
 * returns number of entries removed
 */
    /* Clear encrypted key contents */

    /* still try to unlock it again. That would be a bug. Fix
       when integrating the locking better. */

    /*
     * Solaris Kerberos: to be safe as the (*func) could close and reopen
     * the DB. Note that when resyncing with MIT 1.10 or later the call to
     * db->seq() should be replaced globally with db_ctx->db->seq().
     */

/* Solaris Kerberos - support for db_args / -rev / -recurse (not in 183) */
    /* right now, no cleanup required */
    /* ignore hash argument. Might have been passed from create */
    /* Solaris Kerberos: Better error logging */
    /* special case for db2. We might actually be looking at old type config file where database is specified as part of realm */
    /* Solaris Kerberos: Better error logging */
    /* Solaris Kerberos: Better error logging */
    /* Solaris Kerberos: Better error logging */
                "Unsupported argument \"%s\" for db2",
    /* Solaris Kerberos: Better error logging */
            gettext(
                "Kerberos database lock file %s~ exists, "
                "loading of database failed - error %d."),
    /* under given conf section */
    /* Special case for db2. We might actually be looking at
     * old type config file where database is specified as
    /* under given realm */
    /* Solaris Kerberos: Better error logging */
            gettext(
                "Kerberos database lock file %s~ exists, "
                "loading of database failed - error %d."),

    /* db2 has a problem of needing to close and open the database again. This removes that need */
    /* ignore hash argument. Might have been passed from create */
    /* special case for db2. We might actually be looking at old type config file where database is specified as part of realm */

/* policy functions */

/*
 * Merge non-replicated attributes from src into dst, setting
 * changed to non-zero if dst was changed.
 *
 * Non-replicated attributes are: last_success, last_failed,
 * fail_auth_count, and any negative TL data values.
 */

/*
 * Iteration callback merges non-replicated attributes from
 */
    /* look up the new principal in the old DB */
    /* principal may be newly created, so ignore */
    /* merge non-replicated attributes from the old entry in */
    /* if necessary, commit the modified new entry to the new DB */

/*
 * Merge non-replicated attributes (that is, lockout-related
 * attributes and negative TL data types) from the old database
 *
 * Note: src_db is locked on success.
 */

/*
 * Finish merge of non-replicated attributes by unlocking
 */

/* Retrieved from pre-DAL code base. */

/*
 * "Atomically" rename the database in a way that locks out read
 * access in the middle of the rename.
 *
 * Not perfect; if we crash in the middle of an update, we don't
 * necessarily know to complete the transaction the rename, but...
 *
 * Since the rename operation happens outside the init/fini bracket, we
 * have to go through the same stuff that we went through up in db_destroy.
 */

    /*
     * Create the database if it does not already exist; the
     * files must exist because krb5_db2_db_lock, called below,
     * will fail otherwise.
     */

    /*
     * Set the database to the target, so that other processes sharing
     * the target will stop their activity, and notice the new database.
     */
    /* XXX moved so that NRA merge works */

    /* Ugly brute force hack.
       Should be going through nice friendly helper routines for
       this, but it's a mess of jumbled so-called interfaces right
     */

/*
 * Similar to the ldap plugin.
 */