[krbdev.mit.edu #6323] kadmin: rename support
Zhanna Tsitkova via RT
rt-comment at krbdev.mit.edu
Mon Jan 12 09:52:04 EST 2009
diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin.c
--- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin.c 2009-01-08 19:22:46.000000000 -0800
+++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin.c 2009-01-08 13:14:43.000000000 -0800
@@ -650,6 +650,76 @@
return;
}
+void kadmin_renameprinc(argc, argv)
+ int argc;
+ char *argv[];
+{
+ kadm5_ret_t retval;
+ krb5_principal oprinc, nprinc;
+ char *ocanon, *ncanon;
+ char reply[5];
+
+ if (! (argc == 3 ||
+ (argc == 4 && !strcmp("-force", argv[1])))) {
+ fprintf(stderr, "usage: rename_principal [-force] old_principal new_principal\n");
+ return;
+ }
+ retval = kadmin_parse_name(argv[argc - 2], &oprinc);
+ if (retval) {
+ com_err("rename_principal", retval, "while parsing old principal name");
+ return;
+ }
+ retval = kadmin_parse_name(argv[argc - 1], &nprinc);
+ if (retval) {
+ com_err("rename_principal", retval, "while parsing new principal name");
+ krb5_free_principal(context, oprinc);
+ return;
+ }
+ retval = krb5_unparse_name(context, oprinc, &ocanon);
+ if (retval) {
+ com_err("rename_principal", retval,
+ "while canonicalizing old principal");
+ krb5_free_principal(context, nprinc);
+ krb5_free_principal(context, oprinc);
+ return;
+ }
+ retval = krb5_unparse_name(context, nprinc, &ncanon);
+ if (retval) {
+ com_err("rename_principal", retval,
+ "while canonicalizing new principal");
+ free(ocanon);
+ krb5_free_principal(context, nprinc);
+ krb5_free_principal(context, oprinc);
+ return;
+ }
+ if (argc == 3) {
+ printf("Are you sure you want to rename the principal \"%s\" to \"%s\"? (yes/no): ",
+ ocanon, ncanon);
+ fgets(reply, sizeof (reply), stdin);
+ if (strcmp("yes\n", reply)) {
+ fprintf(stderr, "Principal \"%s\" not renamed\n", ocanon);
+ free(ncanon);
+ free(ocanon);
+ krb5_free_principal(context, nprinc);
+ krb5_free_principal(context, oprinc);
+ return;
+ }
+ }
+ retval = kadm5_rename_principal(handle, oprinc, nprinc);
+ krb5_free_principal(context, nprinc);
+ krb5_free_principal(context, oprinc);
+ if (retval) {
+ com_err("rename_principal", retval,
+ "while renaming principal \"%s\" to \"%s\"", ocanon, ncanon); free(ncanon);
+ free(ocanon);
+ return;
+ }
+ printf("Principal \"%s\" renamed to \"%s\".\nMake sure that you have removed this principal from all ACLs before reusing.\n", ocanon, ncanon);
+ free(ncanon);
+ free(ocanon);
+ return;
+}
+
void kadmin_cpw(argc, argv)
int argc;
char *argv[];
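Review bot: The confirmation prompt ignores the return value of `fgets(reply, sizeof (reply), stdin);`, so on EOF or a read error `reply` is left uninitialized and the following `strcmp("yes\n", reply)` compares against indeterminate bytes. Treat a failed read as a refusal so the rename only proceeds on an explicit "yes": `if (fgets(reply, sizeof (reply), stdin) == NULL || strcmp("yes\n", reply)) {`. Separately, in the failure path after `kadm5_rename_principal` the `free(ncanon);` is appended to the same line as the `com_err` call's closing parenthesis; put it on its own line so the cleanup sequence reads like the other exit paths in this function.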
diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin_ct.ct Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin_ct.ct
--- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin_ct.ct 2009-01-08 19:22:46.000000000 -0800
+++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin_ct.ct 2009-01-08 13:14:43.000000000 -0800
@@ -35,6 +35,9 @@
request kadmin_modprinc, "Modify principal",
modify_principal, modprinc;
+request kadmin_renameprinc, "Rename principal",
+ rename_principal, renprinc;
+
request kadmin_cpw, "Change password",
change_password, cpw;
diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/dbutil/dump.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/dbutil/dump.c
--- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/dbutil/dump.c 2008-11-07 11:25:29.000000000 -0800
+++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/dbutil/dump.c 2009-01-08 18:44:12.000000000 -0800
@@ -47,6 +47,7 @@
*/
static int mkey_convert;
static krb5_keyblock new_master_keyblock;
+static krb5_principal new_master_princ = NULL;
static int backwards;
static int recursive;
@@ -1097,6 +1098,10 @@
else if (!strcmp(argv[aindex], "-new_mkey_file")) {
new_mkey_file = argv[++aindex];
mkey_convert = 1;
+ } else if (!strcmp(argv[aindex], "-new_mkey_principal")) {
+ kret = krb5_parse_name(util_context, argv[++aindex], &new_master_princ);
+ if (kret)
+ fprintf(stderr, "failed to parse new mkey principal: %s", argv[aindex]);
} else if (!strcmp(argv[aindex], "-rev"))
backwards = 1;
else if (!strcmp(argv[aindex], "-recurse"))
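Review bot: In the new `-new_mkey_principal` branch a `krb5_parse_name` failure is only reported, not acted on: `new_master_princ` stays NULL, the later default to `master_princ` is applied, and the master key conversion proceeds against a principal the operator did not ask for. Make the failure terminal, for example `if (kret) { fprintf(stderr, "failed to parse new mkey principal: %s\n", argv[aindex]); return; }` (the message is also missing its trailing newline; follow whatever exit-status convention the rest of this function uses, which is outside the hunk). The value is also read with `argv[++aindex]` without checking that an argument follows, so `-new_mkey_principal` given as the last option presumably hands a NULL to `krb5_parse_name`; the neighbouring `-new_mkey_file` branch shares the pattern but only stores the pointer, so a `aindex + 1 < argc` guard is needed here. The enclosing function starts and ends outside the hunk.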
@@ -1127,6 +1132,13 @@
}
/*
+ * Set new_master_princ if not set, use default master principal.
+ */
+
+ if (new_master_princ == NULL)
+ new_master_princ = master_princ;
+
+ /*
* If we're doing a master key conversion, set up for it.
*/
if (mkey_convert) {
@@ -1166,7 +1178,7 @@
else
kt_kvno = IGNORE_VNO;
- if ((retval = krb5_db_fetch_mkey(util_context, master_princ,
+ if ((retval = krb5_db_fetch_mkey(util_context, new_master_princ,
new_master_keyblock.enctype,
FALSE,
FALSE,
@@ -1179,7 +1191,7 @@
}
} else {
printf("Please enter new master key....\n");
- if ((retval = krb5_db_fetch_mkey(util_context, master_princ,
+ if ((retval = krb5_db_fetch_mkey(util_context, new_master_princ,
new_master_keyblock.enctype,
TRUE,
TRUE,
diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/kadm5/srv/svr_principal.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/kadm5/srv/svr_principal.c
--- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/kadm5/srv/svr_principal.c 2009-01-08 19:22:46.000000000 -0800
+++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/kadm5/srv/svr_principal.c 2009-01-08 13:14:43.000000000 -0800
@@ -677,16 +677,71 @@
if ((ret = kdb_get_entry(handle, source, &kdb, &adb)))
return ret;
- /* this is kinda gross, but unavoidable */
-
+ /* Transform salt types */
for (i=0; i<kdb.n_key_data; i++) {
- if ((kdb.key_data[i].key_data_ver == 1) ||
- (kdb.key_data[i].key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL)) {
+ krb5_int32 stype;
+ krb5_data sdata;
+ int added_salt = 0;
+
+ if (kdb.key_data[i].key_data_ver > 1)
+ stype = kdb.key_data[i].key_data_type[1];
+ else
+ stype = KRB5_KDB_SALTTYPE_NORMAL;
+
+ switch(stype) {
+ case KRB5_KDB_SALTTYPE_SPECIAL:
+ /* do nothing */
+ break;
+ case KRB5_KDB_SALTTYPE_NORMAL:
+ kdb.key_data[i].key_data_type[1] = KRB5_KDB_SALTTYPE_SPECIAL;
+ krb5_principal2salt(handle->context, kdb.princ, &sdata);
+ if (kdb.key_data[i].key_data_contents[1])
+ free(kdb.key_data[i].key_data_contents[1]);
+ kdb.key_data[i].key_data_contents[1] = sdata.data;
+ kdb.key_data[i].key_data_length[1] = sdata.length;
+ added_salt = 1;
+ break;
+ case KRB5_KDB_SALTTYPE_NOREALM:
+ kdb.key_data[i].key_data_type[1] = KRB5_KDB_SALTTYPE_SPECIAL;
+ krb5_principal2salt_norealm(handle->context, kdb.princ, &sdata);
+ if (kdb.key_data[i].key_data_contents[1])
+ free(kdb.key_data[i].key_data_contents[1]);
+ kdb.key_data[i].key_data_contents[1] = sdata.data;
+ kdb.key_data[i].key_data_length[1] = sdata.length;
+ added_salt = 1;
+ break;
+ case KRB5_KDB_SALTTYPE_ONLYREALM: {
+ unsigned char *p;
+ size_t len;
+
+ len = krb5_princ_realm(context, kdb.princ)->length;
+ p = malloc(len);
+ if (p == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ if (kdb.key_data[i].key_data_contents[1])
+ free(kdb.key_data[i].key_data_contents[1]);
+ memcpy(p, krb5_princ_realm(context, kdb.princ)->data, len);
+ kdb.key_data[i].key_data_contents[1] = p;
+ kdb.key_data[i].key_data_length[1] = len;
+ added_salt = 1;
+ break;
+ }
+ case KRB5_KDB_SALTTYPE_V4:
+ /* no do nothing, we assume v4 realm is not renamed */
+ break;
+ case KRB5_KDB_SALTTYPE_AFS3:
+ break;
+ /* FALLTHOUGH */
+ default:
ret = KADM5_NO_RENAME_SALT;
goto done;
}
+ if (added_salt && kdb.key_data[i].key_data_ver == 1)
+ kdb.key_data[i].key_data_ver = 2;
}
-
+
kadm5_free_principal(handle->context, kdb.princ);
ret = kadm5_copy_principal(handle->context, target, &kdb.princ);
if (ret) {
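Review bot: The `KRB5_KDB_SALTTYPE_NORMAL` and `KRB5_KDB_SALTTYPE_NOREALM` cases discard the return values of `krb5_principal2salt` and `krb5_principal2salt_norealm`; on failure `sdata` is indeterminate, yet it is stored into `key_data_contents[1]`/`key_data_length[1]` after the old salt has already been freed, leaving the renamed entry with a bogus salt. Check before touching the entry, e.g. `ret = krb5_principal2salt(handle->context, kdb.princ, &sdata);` followed by `if (ret) goto done;`, and the same for the `_norealm` call, keeping the free-then-assign after the check. Two smaller points: the `/* FALLTHOUGH */` comment sits after the AFS3 `break;`, so it documents a fall-through that does not happen and should be dropped or replaced by a comment stating why AFS3 salts need no rewrite; and the ONLYREALM case calls `krb5_princ_realm(context, ...)` while the surrounding new code consistently uses `handle->context`. The enclosing function starts and ends outside the hunk.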