freebsd
GitHub Repository: freebsd/freebsd-src
Path: blob/main/crypto/krb5/src/kadmin/dbutil/kadm5_create.c
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
 *
 * $Source$
 */

/*
 * Copyright (C) 1998 by the FundsXpress, INC.
 *
 * All rights reserved.
 *
 * Export of this software from the United States of America may require
 * a specific license from the United States Government. It is the
 * responsibility of any person or organization contemplating export to
 * obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of FundsXpress. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. FundsXpress makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */
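#include <k5-int.h>
#include <ctype.h>
#include <kdb.h>
#include <kadm5/admin.h>
#include <adm_proto.h>

#include "fake-addrinfo.h"


#include <krb5.h>
/* kdb.h was already included above; the krb5 headers are guarded, so
 * this second include is a no-op and is kept only to avoid churn. */
#include <kdb.h>
#include "kdb5_util.h"

/* Both helpers are file-local; the definitions below pick up this
 * internal linkage. */
static int add_admin_princ(void *handle, krb5_context context,
                           char *name, char *realm, int attrs, int lifetime);
static int add_admin_princs(void *handle, krb5_context context, char *realm);

/* Status values returned by add_admin_princ / add_admin_princs. */
#define ERR 1
#define OK 0

/* Maximum ticket lifetimes (in seconds) assigned to the two service
 * principals. Parenthesized so the expressions stay intact if they are
 * ever combined with other operators. */
#define ADMIN_LIFETIME (60 * 60 * 3)    /* 3 hours */
#define CHANGEPW_LIFETIME (60 * 5)      /* 5 minutes */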
/*
 * Function: kadm5_create
 *
 * Purpose: create admin principals in KDC database
 *
 * Arguments: params (r) configuration parameters to use
 *
 * Returns: 1 if the configuration cannot be resolved, otherwise the
 * status returned by kadm5_create_magic_princs.
 *
 * Effects: Creates KADM5_ADMIN_SERVICE and KADM5_CHANGEPW_SERVICE
 * principals in the KDC database and sets their attributes
 * appropriately. The resolved configuration is always released before
 * returning.
 */
int kadm5_create(kadm5_config_params *params)
{
    kadm5_config_params resolved;
    int status;

    /*
     * kadm5_init needs the lock file to exist, but params->admin_lockfile
     * may still be unset at this point, so resolve the full configuration
     * (defaults included) first and hand that to the admin API.
     */
    status = kadm5_get_config_params(util_context, 1, params, &resolved);
    if (status != 0) {
        com_err(progname, status, _("while looking up the Kerberos "
                                    "configuration"));
        return 1;
    }

    status = kadm5_create_magic_princs(&resolved, util_context);
    kadm5_free_config_params(util_context, &resolved);
    return status;
}
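/*
 * Function: kadm5_create_magic_princs
 *
 * Purpose: create the admin service principals through the kadm5 API
 *
 * Arguments:
 *
 *      params  (r) configuration parameters; params->realm names the
 *                  realm the principals are created in
 *      context (r) Kerberos context
 *
 * Returns: 0 on success; the krb5_klog_init or kadm5_init error code
 * if setup fails; otherwise the status of add_admin_princs.
 *
 * Effects: opens the "admin_server" log, initializes a kadm5 handle
 * with db5util_db_args, creates KADM5_ADMIN_SERVICE and
 * KADM5_CHANGEPW_SERVICE via add_admin_princs, then destroys the
 * handle and closes the log. The log is closed on every path after it
 * was opened, including kadm5_init failure.
 */
int kadm5_create_magic_princs(kadm5_config_params *params,
                              krb5_context context)
{
    int retval;
    void *handle = NULL;

    retval = krb5_klog_init(context, "admin_server", progname, 0);
    if (retval)
        return retval;
    retval = kadm5_init(context, progname, NULL, NULL, params,
                        KADM5_STRUCT_VERSION, KADM5_API_VERSION_4,
                        db5util_db_args, &handle);
    if (retval) {
        com_err(progname, retval, _("while initializing the Kerberos admin "
                                    "interface"));
        /* The log was opened above; release it on this error path too
         * instead of leaking the klog state. */
        krb5_klog_close(context);
        return retval;
    }

    retval = add_admin_princs(handle, context, params->realm);

    kadm5_destroy(handle);
    krb5_klog_close(context);

    return retval;
}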
/*
 * Function: add_admin_princs
 *
 * Purpose: create admin principals
 *
 * Arguments:
 *
 *      handle          (r) kadm5 handle returned by kadm5_init
 *      context         (r) Kerberos context
 *      realm           (r) realm the principals are created in
 *      <return value>  (output) status, 0 for success, non-zero otherwise
 *
 * Effects:
 *
 *      Creates KADM5_ADMIN_SERVICE and then KADM5_CHANGEPW_SERVICE by
 *      calling add_admin_princ with the attribute set and max life each
 *      service needs. The first non-zero status stops the sequence and
 *      is returned, so the second principal is only attempted when the
 *      first call succeeded.
 */
static int add_admin_princs(void *handle, krb5_context context, char *realm)
{
    struct service_spec {
        char *name;
        int attrs;
        int lifetime;
    };
    /* One entry per service principal, in creation order. */
    struct service_spec services[] = {
        { KADM5_ADMIN_SERVICE,
          KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_LOCKDOWN_KEYS,
          ADMIN_LIFETIME },
        { KADM5_CHANGEPW_SERVICE,
          KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE |
          KRB5_KDB_LOCKDOWN_KEYS,
          CHANGEPW_LIFETIME },
    };
    krb5_error_code status = 0;
    size_t i;

    for (i = 0; i < sizeof(services) / sizeof(services[0]); i++) {
        status = add_admin_princ(handle, context, services[i].name, realm,
                                 services[i].attrs, services[i].lifetime);
        if (status != 0)
            break;
    }
    return status;
}
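/*
 * Function: add_admin_princ
 *
 * Arguments:
 *
 *      handle          (r) kadm5 handle returned by kadm5_init
 *      context         (r) Kerberos context
 *      name            (r) principal name, without realm
 *      realm           (r) realm name for principal, or NULL to let
 *                          krb5_parse_name apply the default realm
 *      attrs           (r) principal's attributes
 *      lifetime        (r) principal's max life, or 0 to leave it unset
 *
 * Returns:
 *
 *      OK on success, including when the principal already exists
 *      ERR on serious errors
 *
 * Effects:
 *
 *      The principal name@realm is created with attributes attrs and,
 *      when lifetime is non-zero, a max life of lifetime. A KADM5_DUP
 *      result from kadm5_create_principal is treated as success, so an
 *      existing principal is left untouched and no message is printed;
 *      any other error is reported with com_err and yields ERR.
 */
static int add_admin_princ(void *handle, krb5_context context,
                           char *name, char *realm, int attrs, int lifetime)
{
    char *fullname = NULL;
    krb5_error_code ret;
    kadm5_principal_ent_rec ent;
    long flags;
    int fret = ERR;

    memset(&ent, 0, sizeof(ent));

    /* Build the textual principal. With no realm, krb5_parse_name fills
     * in the context's default realm. asprintf leaves the output pointer
     * unspecified on failure, so reset it before the common cleanup. */
    if (realm != NULL) {
        if (asprintf(&fullname, "%s@%s", name, realm) < 0)
            fullname = NULL;
    } else {
        fullname = strdup(name);
    }
    if (fullname == NULL) {
        com_err(progname, ENOMEM, _("while appending realm to principal"));
        goto cleanup;
    }
    ret = krb5_parse_name(context, fullname, &ent.principal);
    if (ret) {
        com_err(progname, ret, _("while parsing admin principal name"));
        goto cleanup;
    }
    ent.max_life = lifetime;
    ent.attributes = attrs;

    /* Only ask kadm5 to apply max_life when a lifetime was requested. */
    flags = KADM5_PRINCIPAL | KADM5_ATTRIBUTES;
    if (lifetime)
        flags |= KADM5_MAX_LIFE;
    /* KADM5_DUP means the principal already exists; keep it as is. */
    ret = kadm5_create_principal(handle, &ent, flags, NULL);
    if (ret && ret != KADM5_DUP) {
        com_err(progname, ret, _("while creating principal %s"), fullname);
        goto cleanup;
    }

    fret = OK;
cleanup:
    krb5_free_principal(context, ent.principal);
    free(fullname);
    return fret;
}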