2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 #include <afsconfig.h>
11 #include <afs/param.h>
16 #include <sys/types.h>
19 #include <WINNT/afsevent.h>
23 #include <netinet/in.h>
25 #include "kalog.h" /* for OpenLog() */
38 #include <rx/rxstat.h>
40 #include <rx/rx_globals.h>
41 #include <afs/cellconfig.h>
43 #include <afs/afsutil.h>
44 #include <afs/com_err.h>
45 #include <afs/audit.h>
49 #include "kauth_internal.h"
52 #include "kadatabase.h"
/* Server-wide state shared by the startup code in main() and the RPC
 * handlers implemented elsewhere in kaserver. */
struct kadstats dynamic_statistics;	/* zeroed and time/host-stamped by initialize_dstats() */
struct ubik_dbase *KA_dbase;		/* database handle filled in by ubik_ServerInit*() in main() */
afs_uint32 myHost = 0;			/* this server's own address, in the same byte order as
					 * sin_addr.s_addr (copied from hostent h_addr or set by
					 * ubik_ParseServerList()) */
afs_int32 verbose_track = 1;
afs_int32 krb4_cross = 0;		/* presumably switched on by -crossrealm; the assignment is
					 * not among the visible lines */
#define ADDRSPERSITE 16 /* Same global is in rx/rx_user.c */
afs_uint32 SHostAddrs[ADDRSPERSITE];	/* local interface addresses, from NetInfo/NetRestrict via
					 * parseNetFiles() or from rx_getAllAddr(); SHostAddrs[0]
					 * becomes the Rx bind address in main() */
struct afsconf_dir *KA_conf;		/* cell configuration opened from cellservdb; also the rock
					 * for the Ubik security procs and the superuser check in
					 * KA_rxstat_userok() */
int npwSums = KA_NPWSUMS;		/* needs to be variable sometime */
/* Older platforms without vfprintf(): map it onto _doprnt() (argument order
 * differs). The matching #endif is outside the visible lines. */
#if !defined(AFS_NT40_ENV) && !defined(AFS_LINUX20_ENV) && !defined(AFS_DARWIN_ENV) && !defined(AFS_XBSD_ENV)
#define vfprintf(stream,fmt,args) _doprnt(fmt,args,stream)
static int debugOutput;			/* bumped by -servers/-noauth/-fastkeys/-dbfixup in main() */
/* Authorization hook for the Rx statistics RPCs (installed with
 * rx_SetRxStatUserOk() in main()): only callers that afsconf_SuperUser()
 * recognizes as cell super-users, using the KA_conf configuration, may
 * manage RX statistics. Returns afsconf_SuperUser()'s verdict (non-zero
 * presumably meaning "allowed", per the rx userok convention). */
KA_rxstat_userok(struct rx_call *call)
    return afsconf_SuperUser(KA_conf, call, NULL);
/* Variadic error reporter: formats fmt with the caller's arguments (pvar,
 * set up by va_start outside the visible lines) onto stderr.
 * Security: fmt is passed straight to vfprintf(), so callers must only ever
 * pass a string literal or otherwise trusted format — attacker-influenced
 * text here would be a format-string vulnerability. */
es_Report(char *fmt, ...)
    vfprintf(stderr, fmt, pvar);
/* Reset the dynamic statistics block: clear every counter, record the
 * server start time and this host's address (myHost must already be set,
 * so call this only after the server list has been resolved). */
initialize_dstats(void)
    memset(&dynamic_statistics, 0, sizeof(dynamic_statistics));
    dynamic_statistics.start_time = time(0);
    dynamic_statistics.host = myHost;
/* Build the Ubik server list from the cell's CellServDB entry: resolve this
 * host's own address into *myHost, then copy every other server address from
 * cellinfo into serverList and terminate the list with a 0 entry.
 *
 * No length for serverList is passed; the caller's array must hold
 * cellinfo->numServers + 1 entries.
 *
 * NOTE(review): gethostname()'s return value is not checked; gethostbyname()
 * is obsolescent and not thread-safe; and the 4-byte memcpy assumes an
 * AF_INET hostent (h_addrtype/h_length are not verified). Only the host's
 * first address is compared below, so a multi-homed server that appears in
 * CellServDB under a different address would not be omitted. */
convert_cell_to_ubik(struct afsconf_cell *cellinfo, afs_uint32 *myHost,
                     afs_uint32 *serverList)
    gethostname(hostname, sizeof(hostname));
    th = gethostbyname(hostname);
        ViceLog(0, ("kaserver: couldn't get address of this host.\n"));
    memcpy(myHost, th->h_addr, sizeof(afs_uint32));
    for (i = 0; i < cellinfo->numServers; i++)
        if (cellinfo->hostAddr[i].sin_addr.s_addr != *myHost) {
            /* omit my host from serverList */
            *serverList++ = cellinfo->hostAddr[i].sin_addr.s_addr;
    *serverList = 0;		/* terminate list */
/* Key-lookup callback handed to rxkad_NewServerSecurityObject() in main() for
 * the Maintenance and rpcstats services: fetch the KA admin key
 * (KA_ADMIN_NAME.KA_ADMIN_INST) for the requested key version number via
 * ka_LookupKvno() and store it in *key. rock is unused. The first argument
 * (0) presumably means "no Ubik transaction"; see the note below. */
kvno_admin_key(void *rock, afs_int32 kvno, struct ktc_encryptionKey *key)
    return ka_LookupKvno(0, KA_ADMIN_NAME, KA_ADMIN_INST, kvno, key);
    /* We would like to start a Ubik transaction here to fill the key cache
     * when the lookup above fails, but that may deadlock given how Rx is
     * currently organized, so the plain lookup is all that is done. */
/* initFlags bits passed to init_kaprocs() (option names per the parser in main()):
 *   0x01 (-noauth)   Do not require authenticated connections. This trusts every
 *                    caller and is a debugging setting; it should not be used on a
 *                    production server.
 *   0x02             Do not check the bos NoAuth flag. (No visible command-line
 *                    option sets this bit.)
 *   0x04 (-fastkeys) Use fast key expiration to test the oldkey code.
 *   0x08 (-dbfixup)  Temporary flag allowing database inconsistency fixup.
147 #include "AFS_component_version_number.c"
/*
 * kaserver entry point: parse the command line, load the cell configuration,
 * bring up Ubik and the four Rx services (Authentication, TicketGranting,
 * Maintenance, rpcstats), initialize the KA procedures and the Kerberos-4 UDP
 * interface, then donate this thread to Rx and never return.
 *
 * NOTE(review): this listing elides lines; the fragments below are kept
 * verbatim and annotated in place, so control structure between them is not
 * always visible.
 */
main(int argc, char *argv[])
    char *whoami = argv[0];		/* program name for diagnostics */
    afs_uint32 serverList[MAXSERVERS];	/* 0-terminated Ubik peer list */
    struct afsconf_cell cellinfo;
    const char *cellservdb, *dbpath, *lclpath;
    char default_lclpath[AFSDIR_PATH_MAX];
    int level;			/* rxkad security level for Ubik's client connections;
				 * NOTE(review): its default assignment is not among the
				 * visible lines, the -crypt/-safe/-clear/-sorry branches
				 * below presumably set it */
    char clones[MAXHOSTSPERCELL];
    afs_uint32 host = ntohl(INADDR_ANY);	/* bind address; INADDR_ANY is 0, so ntohl() is a no-op.
						 * Replaced by SHostAddrs[0] further down (apparently
						 * under -rxbind) */
    char *auditFileName = NULL;	/* -auditlog target */
    struct rx_service *tservice;
    struct rx_securityClass *sca[1];	/* security classes for Authentication/TicketGranting */
    struct rx_securityClass *scm[3];	/* security classes for Maintenance/rpcstats */
    extern int rx_stackSize;
    /*
     * AIX only: by default only a partial core is generated on a crash, which
     * is rarely useful. Request a full dump (SA_FULLDUMP) so the user data
     * section is included, keeping the default disposition for SIGABRT and
     * SIGSEGV.
     */
    struct sigaction nsa;
    sigemptyset(&nsa.sa_mask);
    nsa.sa_handler = SIG_DFL;
    nsa.sa_flags = SA_FULLDUMP;
    sigaction(SIGABRT, &nsa, NULL);
    sigaction(SIGSEGV, &nsa, NULL);
    /* Usage text. Options are matched case-insensitively below (lcstring()),
     * which is why -noAuth here and "-noauth" in the parser both work. */
    printf("Usage: kaserver [-noAuth] [-database <dbpath>] "
           "[-auditlog <log path>] [-audit-interface <file|sysvmq>] "
           "[-rxbind] [-localfiles <lclpath>] [-minhours <n>] "
           "[-servers <serverlist>] [-crossrealm] "
           /*" [-enable_peer_stats] [-enable_process_stats] " */
    /* Windows builds (apparently): initialize winsock before any networking. */
    if (afs_winsockInit() < 0) {
        ReportErrorEventAlt(AFSEVT_SVR_WINSOCK_INIT_FAILED, 0, argv[0], 0);
        fprintf(stderr, "%s: Couldn't initialize winsock.\n", whoami);
    /* Initialize dirpaths; without the server paths nothing below can run. */
    if (!(initAFSDirPath() & AFSDIR_SERVER_PATHS_OK)) {
        ReportErrorEventAlt(AFSEVT_SVR_NO_INSTALL_DIR, 0, argv[0], 0);
        fprintf(stderr, "%s: Unable to obtain AFS server directory.\n",
    /* Defaults: cell config dir, Ubik database path, and the local-files path
     * (<server local dir>/<kadb file>), each overridable by an option below. */
    cellservdb = AFSDIR_SERVER_ETC_DIRPATH;
    dbpath = AFSDIR_SERVER_KADB_FILEPATH;
    strcompose(default_lclpath, AFSDIR_PATH_MAX, AFSDIR_SERVER_LOCAL_DIRPATH,
               "/", AFSDIR_KADB_FILE, NULL);
    lclpath = default_lclpath;
    /*
     * Command-line parsing. lcstring() presumably lower-cases argv[a] into arg.
     *
     * NOTE(review): every option that takes a value reads argv[++a] without
     * checking a + 1 < argc. argv[argc] is NULL, so "kaserver -auditlog" (value
     * missing) passes a NULL pointer on to osi_audit_file(); likewise
     * -audit-interface, -cellservdb and -minhours, where atoi(NULL) and the
     * printf("%s", interface) error path would be undefined behaviour. A
     * guard such as `if (a + 1 >= argc) goto usage;` before each read would
     * fix this, and strtol() with an end-pointer check would let -minhours
     * reject non-numeric input instead of silently using 0.
     */
    for (a = 1; a < argc; a++) {
        int arglen = strlen(argv[a]);
        lcstring(arg, argv[a], sizeof(arg));
/* IsArg() matches when the user's argument is a PREFIX of the option name
 * (strncmp over arglen), so abbreviations are accepted and the first matching
 * test in the chain wins: "-c", and even a bare "-", select -crypt because it
 * is the first IsArg() test, never reaching the help branch at the end. */
#define IsArg(a) (strncmp (arg,a, arglen) == 0)
        if (strcmp(arg, "-database") == 0) {
            /* only move lclpath along with dbpath if it is still the default */
            if (strcmp(lclpath, default_lclpath) == 0)
        else if (strncmp(arg, "-auditlog", arglen) == 0) {
            auditFileName = argv[++a];
        } else if (strncmp(arg, "-audit-interface", arglen) == 0) {
            char *interface = argv[++a];
            if (osi_audit_interface(interface)) {
                printf("Invalid audit interface '%s'\n", interface);
        } else if (strcmp(arg, "-localfiles") == 0)
        /* The next four are debugging/testing switches: each also bumps
         * debugOutput. -noauth (initFlags 0x01) disables caller authentication
         * for the whole server and must not be used in production. */
        else if (strcmp(arg, "-servers") == 0)
            debugOutput++, servers = 1;
        else if (strcmp(arg, "-noauth") == 0)
            debugOutput++, initFlags |= 1;
        else if (strcmp(arg, "-fastkeys") == 0)
            debugOutput++, initFlags |= 4;
        else if (strcmp(arg, "-dbfixup") == 0)
            debugOutput++, initFlags |= 8;
        else if (strcmp(arg, "-cellservdb") == 0) {
            cellservdb = argv[++a];
        /* Ubik connection security level (-crypt/-safe/-clear/-sorry) and the
         * remaining flags; the assignments they make are not in the visible
         * lines. */
        else if (IsArg("-crypt"))
        else if (IsArg("-safe"))
        else if (IsArg("-clear"))
        else if (IsArg("-sorry"))
        else if (IsArg("-debug"))
        else if (IsArg("-crossrealm"))
        else if (IsArg("-rxbind"))
        else if (IsArg("-minhours")) {
            MinHours = atoi(argv[++a]);
        } else if (IsArg("-enable_peer_stats")) {
            rx_enablePeerRPCStats();
        } else if (IsArg("-enable_process_stats")) {
            rx_enableProcessRPCStats();
        } else if (*arg == '-') {
            /* hack to support help flag: any unrecognized -option prints usage */
    /* Audit log and cell configuration. KA_conf is kept for the lifetime of
     * the server (superuser checks, Ubik security rocks). */
    osi_audit_file(auditFileName);
    if ((code = ka_CellConfig(cellservdb)))
    cell = ka_LocalCell();
    KA_conf = afsconf_Open(cellservdb);
        afs_com_err(whoami, code, "Failed getting cell info");
    /* Some platforms (NT and HP-UX, per the original note) lack dbm support,
     * so the server can only do text logging: open the AuthLog file and
     * redirect stdin and stdout to it. */
    OpenLog(AFSDIR_SERVER_KALOG_FILEPATH);
    /* Deprecation warning, to both stderr and the log. The URL refers to DES:
     * the KA protocol's own cryptography is DES-based, which is why migrating
     * to a Kerberos 5 KDC is advised. */
    fprintf(stderr, "%s: WARNING: kaserver is deprecated due to its weak security "
            "properties. Migrating to a Kerberos 5 KDC is advised. "
            "http://www.openafs.org/no-more-des.html\n", whoami);
    ViceLog(0, ("WARNING: kaserver is deprecated due to its weak security properties. "
                "Migrating to a Kerberos 5 KDC is advised. "
                "http://www.openafs.org/no-more-des.html\n"));
    /* Determine the Ubik peers: either from -servers on the command line
     * (ubik_ParseServerList, then rebuilt into cellinfo) or from the cell
     * database via convert_cell_to_ubik(). The branch structure is partly
     * elided here. */
    afsconf_GetExtendedCellInfo(KA_conf, cell, AFSCONF_KAUTHSERVICE,
    if ((code = ubik_ParseServerList(argc, argv, &myHost, serverList))) {
        afs_com_err(whoami, code, "Couldn't parse server list");
    cellinfo.hostAddr[0].sin_addr.s_addr = myHost;
    for (i = 1; i < MAXSERVERS; i++) {
        cellinfo.hostAddr[i].sin_addr.s_addr = serverList[i];
    cellinfo.numServers = i;
    code = convert_cell_to_ubik(&cellinfo, &myHost, serverList);
    ViceLog(0, ("Using server list from %s cell database.\n", cell));
    /* initialize ubik: pick the client-side security proc from level; only
     * rxkad_clear and rxkad_crypt are supported, anything else is logged as
     * unsupported. The server side always uses afsconf_ServerAuth and
     * afsconf_CheckAuth with KA_conf as the rock. */
    if (level == rxkad_clear)
        ubik_CRXSecurityProc = afsconf_ClientAuth;
    else if (level == rxkad_crypt)
        ubik_CRXSecurityProc = afsconf_ClientAuthSecure;
        ViceLog(0, ("Unsupported security level %d\n", level));
            ("Using level %s for Ubik connections.\n",
             (level == rxkad_crypt ? "crypt" : "clear")));
    ubik_CRXSecurityRock = (char *)KA_conf;
    ubik_SRXSecurityProc = afsconf_ServerAuth;
    ubik_SRXSecurityRock = (char *)KA_conf;
    ubik_CheckRXSecurityProc = afsconf_CheckAuth;
    ubik_CheckRXSecurityRock = (char *)KA_conf;
    /* Local addresses: honour NetInfo/NetRestrict when present, otherwise
     * enumerate all interfaces. SHostAddrs[0] then becomes the explicit bind
     * address for Rx (the surrounding -rxbind condition is elided). */
    if (AFSDIR_SERVER_NETRESTRICT_FILEPATH ||
        AFSDIR_SERVER_NETINFO_FILEPATH) {
        ccode = parseNetFiles(SHostAddrs, NULL, NULL,
                              ADDRSPERSITE, reason,
                              AFSDIR_SERVER_NETINFO_FILEPATH,
                              AFSDIR_SERVER_NETRESTRICT_FILEPATH);
    ccode = rx_getAllAddr(SHostAddrs, ADDRSPERSITE);
    host = SHostAddrs[0];
    rx_InitHost(host, htons(AFSCONF_KAUTHPORT));
    /* Start Ubik on the KA port, from the explicit server list or from
     * cellinfo (with clones). Either way KA_dbase receives the database. */
    ubik_ServerInit(myHost, htons(AFSCONF_KAUTHPORT), serverList,
    ubik_ServerInitByInfo(myHost, htons(AFSCONF_KAUTHPORT), &cellinfo,
                          clones, dbpath, &KA_dbase);
        afs_com_err(whoami, code, "Ubik init failed");
    /* The Authentication and TicketGranting services are registered with only
     * the rxnull security class: Rx itself provides neither authentication nor
     * encryption for them, so the KA protocol payloads are expected to carry
     * their own protection (the DES-based scheme the warning above refers to).
     * Both run single-threaded (min = max = 1 server proc). */
    sca[RX_SCINDEX_NULL] = rxnull_NewServerSecurityObject();
    /* Disable jumbograms */
    rx_NewServiceHost(host, 0, KA_AUTHENTICATION_SERVICE,
                      "AuthenticationService", sca, 1, KAA_ExecuteRequest);
    if (tservice == (struct rx_service *)0) {
        ViceLog(0, ("Could not create Authentication rx service\n"));
    rx_SetMinProcs(tservice, 1);
    rx_SetMaxProcs(tservice, 1);
    rx_NewServiceHost(host, 0, KA_TICKET_GRANTING_SERVICE, "TicketGrantingService",
                      sca, 1, KAT_ExecuteRequest);
    if (tservice == (struct rx_service *)0) {
        ViceLog(0, ("Could not create Ticket Granting rx service\n"));
    rx_SetMinProcs(tservice, 1);
    rx_SetMaxProcs(tservice, 1);
    /* Maintenance and rpcstats accept three security classes: rxnull (index
     * RX_SCINDEX_NULL), nothing at RX_SCINDEX_VAB, and rxkad in crypt mode
     * whose per-kvno server key comes from kvno_admin_key(). Because rxnull is
     * still in the list, Rx does not reject unauthenticated callers here;
     * authorization has to be enforced by the RPC handlers (not visible in
     * this file) and, for rpcstats, by KA_rxstat_userok() below. */
    scm[RX_SCINDEX_NULL] = sca[RX_SCINDEX_NULL];
    scm[RX_SCINDEX_VAB] = 0;
    scm[RX_SCINDEX_KAD] =
        rxkad_NewServerSecurityObject(rxkad_crypt, 0, kvno_admin_key, 0);
    rx_NewServiceHost(host, 0, KA_MAINTENANCE_SERVICE, "Maintenance", scm, 3,
    if (tservice == (struct rx_service *)0) {
        ViceLog(0, ("Could not create Maintenance rx service\n"));
    rx_SetMinProcs(tservice, 1);
    rx_SetMaxProcs(tservice, 1);
    rx_SetStackSize(tservice, 10000);	/* Maintenance RPCs need a larger stack than the default */
    rx_NewServiceHost(host, 0, RX_STATS_SERVICE_ID, "rpcstats", scm, 3,
                      RXSTATS_ExecuteRequest);
    if (tservice == (struct rx_service *)0) {
        ViceLog(0, ("Could not create rpc stats rx service\n"));
    rx_SetMinProcs(tservice, 2);
    rx_SetMaxProcs(tservice, 4);
    /* allow super users to manage RX statistics (see KA_rxstat_userok) */
    rx_SetRxStatUserOk(KA_rxstat_userok);
    rx_StartServer(0);		/* start handling req. of all types */
    /* KA procedure setup honours initFlags (-noauth/-fastkeys/-dbfixup). */
    if (init_kaprocs(lclpath, initFlags))
    /* The Kerberos-4 UDP interface is optional: on failure the server logs
     * the error and keeps running without UDP access. */
    if ((code = init_krb_udp())) {
            ("Failed to initialize UDP interface; code = %d.\n", code));
        ViceLog(0, ("Running without UDP access.\n"));
    ViceLog(0, ("Starting to process AuthServer requests\n"));
    rx_ServerProc(NULL);	/* donate this LWP to Rx; does not return */