2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 #include <afsconfig.h>
11 #include <afs/param.h>
17 #include <sys/types.h>
20 #include <WINNT/afsevent.h>
24 #include <netinet/in.h>
26 #include "kalog.h" /* for OpenLog() */
46 #include <rx/rx_globals.h>
47 #include <afs/cellconfig.h>
49 #include <afs/afsutil.h>
50 #include <afs/com_err.h>
58 struct kadstats dynamic_statistics;
59 struct ubik_dbase *KA_dbase;
61 afs_int32 verbose_track = 1;
62 afs_int32 krb4_cross = 0;
65 #define ADDRSPERSITE 16 /* Same global is in rx/rx_user.c */
66 afs_uint32 SHostAddrs[ADDRSPERSITE];
68 struct afsconf_dir *KA_conf; /* for getting cell info */
71 int npwSums = KA_NPWSUMS; /* needs to be variable sometime */
74 #if !defined(AFS_NT40_ENV) && !defined(AFS_LINUX20_ENV) && !defined(AFS_DARWIN_ENV) && !defined(AFS_XBSD_ENV)
76 #define vfprintf(stream,fmt,args) _doprnt(fmt,args,stream)
79 static int debugOutput;
81 /* check whether caller is authorized to manage RX statistics */
83 KA_rxstat_userok(call)
86 return afsconf_SuperUser(KA_conf, call, NULL);
90 es_Report(char *fmt, ...)
97 vfprintf(stderr, fmt, pvar);
105 memset(&dynamic_statistics, 0, sizeof(dynamic_statistics));
106 dynamic_statistics.start_time = time(0);
107 dynamic_statistics.host = myHost;
111 convert_cell_to_ubik(cellinfo, myHost, serverList)
112 struct afsconf_cell *cellinfo;
114 afs_int32 *serverList;
121 gethostname(hostname, sizeof(hostname));
122 th = gethostbyname(hostname);
124 ViceLog(0, ("kaserver: couldn't get address of this host.\n"));
127 memcpy(myHost, th->h_addr, sizeof(afs_int32));
129 for (i = 0; i < cellinfo->numServers; i++)
130 if (cellinfo->hostAddr[i].sin_addr.s_addr != *myHost) {
131 /* omit my host from serverList */
132 *serverList++ = cellinfo->hostAddr[i].sin_addr.s_addr;
134 *serverList = 0; /* terminate list */
139 kvno_admin_key(rock, kvno, key)
142 struct ktc_encryptionKey *key;
144 return ka_LookupKvno(0, KA_ADMIN_NAME, KA_ADMIN_INST, kvno, key);
146 /* we would like to start a Ubik transaction to fill the cache if that
147 * fails, but may deadlock as Rx is now organized. */
150 /* initFlags: 0x01 Do not require authenticated connections.
151 0x02 Do not check the bos NoAuth flag
152 0x04 Use fast key expiration to test oldkey code.
153 0x08 Temporary flag allowing database inconsistency fixup
156 #include "AFS_component_version_number.c"
163 char *whoami = argv[0];
164 afs_int32 serverList[MAXSERVERS];
165 struct afsconf_cell cellinfo;
167 const char *cellservdb, *dbpath, *lclpath;
170 char default_lclpath[AFSDIR_PATH_MAX];
173 int level; /* security level for Ubik */
175 char clones[MAXHOSTSPERCELL];
176 afs_uint32 host = ntohl(INADDR_ANY);
178 struct rx_service *tservice;
179 struct rx_securityClass *sca[1];
180 struct rx_securityClass *scm[3];
182 extern int afsconf_ClientAuthSecure();
183 extern int afsconf_ServerAuth();
184 extern int afsconf_CheckAuth();
186 extern int rx_stackSize;
187 extern int KAA_ExecuteRequest();
188 extern int KAT_ExecuteRequest();
189 extern int KAM_ExecuteRequest();
190 extern int RXSTATS_ExecuteRequest();
194 * The following signal action for AIX is necessary so that in case of a
195 * crash (i.e. core is generated) we can include the user's data section
196 * in the core dump. Unfortunately, by default, only a partial core is
197 * generated which, in many cases, isn't too useful.
199 struct sigaction nsa;
201 sigemptyset(&nsa.sa_mask);
202 nsa.sa_handler = SIG_DFL;
203 nsa.sa_flags = SA_FULLDUMP;
204 sigaction(SIGABRT, &nsa, NULL);
205 sigaction(SIGSEGV, &nsa, NULL);
211 printf("Usage: kaserver [-noAuth] [-fastKeys] [-database <dbpath>] "
212 "[-auditlog <log path>] [-rxbind] "
213 "[-localfiles <lclpath>] [-minhours <n>] [-servers <serverlist>] "
215 /*" [-enable_peer_stats] [-enable_process_stats] " */
220 /* initialize winsock */
221 if (afs_winsockInit() < 0) {
222 ReportErrorEventAlt(AFSEVT_SVR_WINSOCK_INIT_FAILED, 0, argv[0], 0);
223 fprintf(stderr, "%s: Couldn't initialize winsock.\n", whoami);
227 /* Initialize dirpaths */
228 if (!(initAFSDirPath() & AFSDIR_SERVER_PATHS_OK)) {
230 ReportErrorEventAlt(AFSEVT_SVR_NO_INSTALL_DIR, 0, argv[0], 0);
232 fprintf(stderr, "%s: Unable to obtain AFS server directory.\n",
237 cellservdb = AFSDIR_SERVER_ETC_DIRPATH;
238 dbpath = AFSDIR_SERVER_KADB_FILEPATH;
239 strcompose(default_lclpath, AFSDIR_PATH_MAX, AFSDIR_SERVER_LOCAL_DIRPATH,
240 "/", AFSDIR_KADB_FILE, NULL);
241 lclpath = default_lclpath;
247 for (a = 1; a < argc; a++) {
248 int arglen = strlen(argv[a]);
249 lcstring(arg, argv[a], sizeof(arg));
250 #define IsArg(a) (strncmp (arg,a, arglen) == 0)
252 if (strcmp(arg, "-database") == 0) {
254 if (strcmp(lclpath, default_lclpath) == 0)
257 else if (strncmp(arg, "-auditlog", arglen) == 0) {
260 char oldName[MAXPATHLEN];
261 char *fileName = argv[++a];
266 if ((lstat(fileName, &statbuf) == 0)
267 && (S_ISFIFO(statbuf.st_mode))) {
268 flags = O_WRONLY | O_NONBLOCK;
272 strcpy(oldName, fileName);
273 strcat(oldName, ".old");
274 renamefile(fileName, oldName);
275 flags = O_WRONLY | O_TRUNC | O_CREAT;
277 tempfd = open(fileName, flags, 0666);
279 auditout = fdopen(tempfd, "a");
281 osi_audit_file(auditout);
283 printf("Warning: auditlog %s not writable, ignored.\n", fileName);
285 printf("Warning: auditlog %s not writable, ignored.\n", fileName);
286 } else if (strcmp(arg, "-localfiles") == 0)
288 else if (strcmp(arg, "-servers") == 0)
289 debugOutput++, servers = 1;
290 else if (strcmp(arg, "-noauth") == 0)
291 debugOutput++, initFlags |= 1;
292 else if (strcmp(arg, "-fastkeys") == 0)
293 debugOutput++, initFlags |= 4;
294 else if (strcmp(arg, "-dbfixup") == 0)
295 debugOutput++, initFlags |= 8;
296 else if (strcmp(arg, "-cellservdb") == 0) {
297 cellservdb = argv[++a];
302 else if (IsArg("-crypt"))
304 else if (IsArg("-safe"))
306 else if (IsArg("-clear"))
308 else if (IsArg("-sorry"))
310 else if (IsArg("-debug"))
312 else if (IsArg("-crossrealm"))
314 else if (IsArg("-rxbind"))
316 else if (IsArg("-minhours")) {
317 MinHours = atoi(argv[++a]);
318 } else if (IsArg("-enable_peer_stats")) {
319 rx_enablePeerRPCStats();
320 } else if (IsArg("-enable_process_stats")) {
321 rx_enableProcessRPCStats();
322 } else if (*arg == '-') {
323 /* hack to support help flag */
327 if (code = ka_CellConfig(cellservdb))
329 cell = ka_LocalCell();
330 KA_conf = afsconf_Open(cellservdb);
334 afs_com_err(whoami, code, "Failed getting cell info");
340 /* NT & HPUX do not have dbm package support. So we can only do some
341 * text logging. So open the AuthLog file for logging and redirect
342 * stdin and stdout to it
344 OpenLog(AFSDIR_SERVER_KALOG_FILEPATH);
348 fprintf(stderr, "%s: WARNING: kaserver is deprecated due to its weak security "
349 "properties. Migrating to a Kerberos 5 KDC is advised. "
350 "http://www.openafs.org/no-more-des.html\n", whoami);
351 ViceLog(0, ("WARNING: kaserver is deprecated due to its weak security properties. "
352 "Migrating to a Kerberos 5 KDC is advised. "
353 "http://www.openafs.org/no-more-des.html\n"));
356 afsconf_GetExtendedCellInfo(KA_conf, cell, AFSCONF_KAUTHSERVICE,
359 if (code = ubik_ParseServerList(argc, argv, &myHost, serverList)) {
360 afs_com_err(whoami, code, "Couldn't parse server list");
363 cellinfo.hostAddr[0].sin_addr.s_addr = myHost;
364 for (i = 1; i < MAXSERVERS; i++) {
367 cellinfo.hostAddr[i].sin_addr.s_addr = serverList[i];
369 cellinfo.numServers = i;
371 code = convert_cell_to_ubik(&cellinfo, &myHost, serverList);
374 ViceLog(0, ("Using server list from %s cell database.\n", cell));
377 /* initialize ubik */
378 if (level == rxkad_clear)
379 ubik_CRXSecurityProc = afsconf_ClientAuth;
380 else if (level == rxkad_crypt)
381 ubik_CRXSecurityProc = afsconf_ClientAuthSecure;
383 ViceLog(0, ("Unsupported security level %d\n", level));
387 ("Using level %s for Ubik connections.\n",
388 (level == rxkad_crypt ? "crypt" : "clear")));
389 ubik_CRXSecurityRock = (char *)KA_conf;
390 ubik_SRXSecurityProc = afsconf_ServerAuth;
391 ubik_SRXSecurityRock = (char *)KA_conf;
392 ubik_CheckRXSecurityProc = afsconf_CheckAuth;
393 ubik_CheckRXSecurityRock = (char *)KA_conf;
400 if (AFSDIR_SERVER_NETRESTRICT_FILEPATH ||
401 AFSDIR_SERVER_NETINFO_FILEPATH) {
403 ccode = parseNetFiles(SHostAddrs, NULL, NULL,
404 ADDRSPERSITE, reason,
405 AFSDIR_SERVER_NETINFO_FILEPATH,
406 AFSDIR_SERVER_NETRESTRICT_FILEPATH);
410 ccode = rx_getAllAddr(SHostAddrs, ADDRSPERSITE);
413 host = SHostAddrs[0];
414 rx_InitHost(host, htons(AFSCONF_KAUTHPORT));
420 ubik_ServerInit(myHost, htons(AFSCONF_KAUTHPORT), serverList,
424 ubik_ServerInitByInfo(myHost, htons(AFSCONF_KAUTHPORT), &cellinfo,
425 &clones, dbpath, &KA_dbase);
428 afs_com_err(whoami, code, "Ubik init failed");
432 sca[RX_SCINDEX_NULL] = rxnull_NewServerSecurityObject();
434 /* Disable jumbograms */
438 rx_NewServiceHost(host, 0, KA_AUTHENTICATION_SERVICE,
439 "AuthenticationService", sca, 1, KAA_ExecuteRequest);
440 if (tservice == (struct rx_service *)0) {
441 ViceLog(0, ("Could not create Authentication rx service\n"));
444 rx_SetMinProcs(tservice, 1);
445 rx_SetMaxProcs(tservice, 1);
449 rx_NewServiceHost(host, 0, KA_TICKET_GRANTING_SERVICE, "TicketGrantingService",
450 sca, 1, KAT_ExecuteRequest);
451 if (tservice == (struct rx_service *)0) {
452 ViceLog(0, ("Could not create Ticket Granting rx service\n"));
455 rx_SetMinProcs(tservice, 1);
456 rx_SetMaxProcs(tservice, 1);
458 scm[RX_SCINDEX_NULL] = sca[RX_SCINDEX_NULL];
459 scm[RX_SCINDEX_VAB] = 0;
460 scm[RX_SCINDEX_KAD] =
461 rxkad_NewServerSecurityObject(rxkad_crypt, 0, kvno_admin_key, 0);
463 rx_NewServiceHost(host, 0, KA_MAINTENANCE_SERVICE, "Maintenance", scm, 3,
465 if (tservice == (struct rx_service *)0) {
466 ViceLog(0, ("Could not create Maintenance rx service\n"));
469 rx_SetMinProcs(tservice, 1);
470 rx_SetMaxProcs(tservice, 1);
471 rx_SetStackSize(tservice, 10000);
474 rx_NewServiceHost(host, 0, RX_STATS_SERVICE_ID, "rpcstats", scm, 3,
475 RXSTATS_ExecuteRequest);
476 if (tservice == (struct rx_service *)0) {
477 ViceLog(0, ("Could not create rpc stats rx service\n"));
480 rx_SetMinProcs(tservice, 2);
481 rx_SetMaxProcs(tservice, 4);
485 /* allow super users to manage RX statistics */
486 rx_SetRxStatUserOk(KA_rxstat_userok);
488 rx_StartServer(0); /* start handling req. of all types */
490 if (init_kaprocs(lclpath, initFlags))
493 if (code = init_krb_udp()) {
495 ("Failed to initialize UDP interface; code = %d.\n", code));
496 ViceLog(0, ("Running without UDP access.\n"));
499 ViceLog(0, ("Starting to process AuthServer requests\n"));
500 rx_ServerProc(); /* donate this LWP */