*/
#include <afsconfig.h>
-RCSID
- ("$Header$");
#include <stdio.h>
#include <string.h>
#include <afs/stds.h>
#include <krb5.h>
+#include <com_err.h>
#ifndef HAVE_KERBEROSV_HEIM_ERR_H
#include <afs/com_err.h>
#ifdef AFS_SUN5_ENV
#include <sys/ioccom.h>
#endif
+
+/* Prevent inclusion of des.h to avoid conflicts with des types */
+#define NO_DES_H_INCLUDE
+
#include <afs/auth.h>
#include <afs/cellconfig.h>
#include <afs/vice.h>
#endif
#if !defined(HAVE_KRB5_ENCRYPT_TKT_PART) && defined(HAVE_ENCODE_KRB5_ENC_TKT_PART) && defined(HAVE_KRB5_C_ENCRYPT)
+extern krb5_error_code encode_krb5_enc_tkt_part (const krb5_enc_tkt_part *rep, krb5_data **code);
+
krb5_error_code
krb5_encrypt_tkt_part(krb5_context context,
const krb5_keyblock *key,
static linked_list hostlist; /* List of host addresses */
static linked_list authedcells; /* List of cells already logged to */
+/* A com_error bodge. The idea here is that this routine lets us lookup
+ * things in the system com_err, if the AFS one just tells us the error
+ * is unknown
+ */
+
+void
+redirect_errors(const char *who, afs_int32 code, const char *fmt, va_list ap)
+{
+ if (who) {
+ fputs(who, stderr);
+ fputs(": ", stderr);
+ }
+ if (code) {
+ const char *str = afs_error_message(code);
+ if (strncmp(str, "unknown", strlen("unknown")) == 0) {
+ str = error_message(code);
+ }
+ fputs(str, stderr);
+ fputs(" ", stderr);
+ }
+ if (fmt) {
+ vfprintf(stderr, fmt, ap);
+ }
+ putc('\n', stderr);
+ fflush(stderr);
+}
+
/* ANL - CMU lifetime convert routine */
/* for K5.4.1 don't use this for now. Need to see if it is needed */
/* maybe needed in the krb524d module as well */
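Review bot: In `redirect_errors`, the result of `afs_error_message(code)` goes straight into `strncmp` and `fputs` with no NULL check, and the fallback to the system table depends on the AFS message text starting with the literal "unknown". Whether `afs_error_message` can return NULL is not visible here, but a guard such as `if (str == NULL || strncmp(str, "unknown", strlen("unknown")) == 0)` would keep the hook from faulting on an error path. A comment like `/* relies on afs_error_message() prefixing unmapped codes with "unknown" */` would record the coupling. The function appears to be installed only through `afs_set_com_err_hook` later in this file, so it could be `static void`. It also takes a `va_list`, and `<stdarg.h>` is not among the includes visible in this diff, so presumably it arrives through another header.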
struct afsconf_dir *configdir;
memset(local_cell, 0, sizeof(local_cell));
- memset((char *)cellconfig, 0, sizeof(*cellconfig));
+ memset(cellconfig, 0, sizeof(*cellconfig));
if (!(configdir = afsconf_Open(AFSDIR_CLIENT_ETC_DIRPATH))) {
fprintf(stderr,
retry = 1;
while(retry) {
-
+
+ /* This code tries principals in the following, much debated,
+ * order:
+ *
+ * If the realm is specified on the command line we do
+ * - afs/cell@COMMAND-LINE-REALM
+ * - afs@COMMAND-LINE-REALM
+ *
+ * Otherwise, we do
+ * - afs/cell@REALM-FROM-USERS-PRINCIPAL
+ * - afs/cell@krb5_get_host_realm(db-server)
+ * Then, if krb5_get_host_realm(db-server) is non-empty
+ * - afs@ krb5_get_host_realm(db-server)
+ * Otherwise
+ * - afs/cell@ upper-case-domain-of-db-server
+ * - afs@ upper-case-domain-of-db-server
+ *
+ * In all cases, the 'afs@' variant is only tried where the
+ * cell and the realm match case-insensitively.
+ */
+
/* Cell on command line - use that one */
if (realm && realm[0]) {
realm_of_cell = realm;
*/
if (! do524) {
+ char k4name[ANAME_SZ], k4inst[INST_SZ], k4realm[REALM_SZ];
+#ifdef HAVE_NO_KRB5_524
char *p;
int len;
+#endif
if (dflag)
printf("Using Kerberos V5 ticket natively\n");
+#ifndef HAVE_NO_KRB5_524
+ status = krb5_524_conv_principal (context, v5cred->client,
+ (char *) &k4name,
+ (char *) &k4inst,
+ (char *) &k4realm);
+ if (status) {
+ afs_com_err(progname, status, "while converting principal "
+ "to Kerberos V4 format");
+ return(AKLOG_KERBEROS);
+ }
+ strcpy (username, k4name);
+ if (k4inst[0]) {
+ strcat (username, ".");
+ strcat (username, k4inst);
+ }
+#else
len = min(get_princ_len(context, v5cred->client, 0),
- second_comp(context, v5cred->client) ?
- MAXKTCNAMELEN - 2 : MAXKTCNAMELEN - 1);
+ second_comp(context, v5cred->client) ?
+ MAXKTCNAMELEN - 2 : MAXKTCNAMELEN - 1);
strncpy(username, get_princ_str(context, v5cred->client, 0), len);
username[len] = '\0';
-
+
if (second_comp(context, v5cred->client)) {
- strcat(username, ".");
+ strcat(username, ".");
p = username + strlen(username);
len = min(get_princ_len(context, v5cred->client, 1),
MAXKTCNAMELEN - strlen(username) - 1);
strncpy(p, get_princ_str(context, v5cred->client, 1), len);
p[len] = '\0';
}
+#endif
memset(&atoken, 0, sizeof(atoken));
atoken.kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
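Review bot: The new `#ifndef HAVE_NO_KRB5_524` branch builds `username` with unbounded `strcpy`/`strcat`, whereas the `#else` branch just below clamps each component against `MAXKTCNAMELEN`. `k4name`, the dot and `k4inst` can together need up to `ANAME_SZ + INST_SZ` bytes, and `username` is declared outside this hunk, so it cannot be confirmed here that the result fits; the two build variants also now produce differently bounded names. A bounded write with a truncation check would make the limit explicit, e.g. `n = snprintf(username, sizeof(username), "%s%s%s", k4name, k4inst[0] ? "." : "", k4inst);` followed by `if (n < 0 || (size_t)n >= sizeof(username)) return(AKLOG_KERBEROS);`. This assumes `username` is an array in scope, and `n` would need declaring. The casts `(char *) &k4name` should be plain `k4name`, and the `k4name`/`k4inst`/`k4realm` declaration belongs inside the same `#ifndef` so the other build has no unused locals.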
strcpy(aclient.instance, "");
strncpy(aclient.cell, realm_of_user, MAXKTCREALMLEN - 1);
if ((status = ktc_SetToken(&aserver, &atoken, &aclient, 0))) {
- fprintf(stderr, "%s: unable to obtain tokens for cell %s "
- "(status: %d).\n", progname, cell_to_use, status);
+ afs_com_err(progname, status,
+ "while obtaining tokens for cell %s",
+ cell_to_use);
status = AKLOG_TOKEN;
}
write(2,"",0); /* dummy write */
#endif
if ((status = ktc_SetToken(&aserver, &atoken, &aclient, afssetpag))) {
- fprintf(stderr,
- "%s: unable to obtain tokens for cell %s (status: %d).\n",
- progname, cell_to_use, status);
+ afs_com_err(progname, status, "while obtaining tokens for cell %s",
+ cell_to_use);
status = AKLOG_TOKEN;
}
}
void aklog(int argc, char *argv[])
{
- krb5_context context;
+ krb5_context context;
int status = AKLOG_SUCCESS;
int i;
int somethingswrong = FALSE;
krb5_init_context(&context);
initialize_ktc_error_table ();
+ afs_set_com_err_hook(redirect_errors);
/* Initialize list of cells to which we have authenticated */
(void)ll_init(&authedcells);
? "/" : "", inst ? inst : "", realm);
}
- memset((char *)&increds, 0, sizeof(increds));
+ memset(&increds, 0, sizeof(increds));
/* ANL - instance may be ptr to a null string. Pass null then */
if ((r = krb5_build_principal(context, &increds.server,
strlen(realm), realm,