/*
* Copyright 2000, International Business Machines Corporation and others.
* All Rights Reserved.
- *
+ *
* This software has been released under the terms of the IBM Public
* License. For details, see the LICENSE file in the top-level source
* directory or online at http://www.openafs.org/dl/license10.html
#include <afsconfig.h>
#include <afs/param.h>
+#include <afs/stds.h>
+#include <roken.h>
+#include <afs/opr.h>
-#include <afs/stds.h>
-#include <sys/types.h>
#ifdef AFS_NT40_ENV
-#include <winsock2.h>
#include <WINNT/afsevent.h>
-#else
-#include <sys/file.h>
-#include <netdb.h>
-#include <netinet/in.h>
-#endif
-#include "kalog.h" /* for OpenLog() */
-#include <time.h>
-#include <stdio.h>
-#include <string.h>
-#ifdef HAVE_FCNTL_H
-#include <fcntl.h>
-#endif
-#ifdef AFS_AIX32_ENV
-#include <signal.h>
#endif
+
+
#include <lwp.h>
#include <rx/xdr.h>
#include <rx/rx.h>
#include <afs/com_err.h>
#include <afs/audit.h>
#include <ubik.h>
-#include <sys/stat.h>
+
+#include "kalog.h" /* for OpenLog() */
#include "kauth.h"
#include "kauth_internal.h"
#include "kautils.h"
struct kadstats dynamic_statistics;
struct ubik_dbase *KA_dbase;
-afs_int32 myHost = 0;
+afs_uint32 myHost = 0;
afs_int32 verbose_track = 1;
afs_int32 krb4_cross = 0;
afs_int32 rxBind = 0;
int MinHours = 0;
int npwSums = KA_NPWSUMS; /* needs to be variable sometime */
-#include <stdarg.h>
#if !defined(AFS_NT40_ENV) && !defined(AFS_LINUX20_ENV) && !defined(AFS_DARWIN_ENV) && !defined(AFS_XBSD_ENV)
#undef vfprintf
#define vfprintf(stream,fmt,args) _doprnt(fmt,args,stream)
return afsconf_SuperUser(KA_conf, call, NULL);
}
+/**
+ * Return true if this name is a member of the local realm.
+ */
+static int
+KA_IsLocalRealmMatch(void *rock, char *name, char *inst, char *cell)
+{
+ struct afsconf_dir *dir = (struct afsconf_dir *)rock;
+ afs_int32 islocal = 0; /* default to no */
+ int code;
+
+ code = afsconf_IsLocalRealmMatch(dir, &islocal, name, inst, cell);
+ if (code) {
+ ViceLog(0,
+ ("Failed local realm check; code=%d, name=%s, inst=%s, cell=%s\n",
+ code, name, inst, cell));
+ }
+ return islocal;
+}
+
afs_int32
es_Report(char *fmt, ...)
{
}
static int
-convert_cell_to_ubik(struct afsconf_cell *cellinfo, afs_int32 *myHost,
- afs_int32 *serverList)
+convert_cell_to_ubik(struct afsconf_cell *cellinfo, afs_uint32 *myHost,
+ afs_uint32 *serverList)
{
int i;
char hostname[64];
ViceLog(0, ("kaserver: couldn't get address of this host.\n"));
exit(1);
}
- memcpy(myHost, th->h_addr, sizeof(afs_int32));
+ memcpy(myHost, th->h_addr, sizeof(afs_uint32));
for (i = 0; i < cellinfo->numServers; i++)
if (cellinfo->hostAddr[i].sin_addr.s_addr != *myHost) {
{
afs_int32 code;
char *whoami = argv[0];
- afs_int32 serverList[MAXSERVERS];
+ afs_uint32 serverList[MAXSERVERS];
struct afsconf_cell cellinfo;
char *cell;
const char *cellservdb, *dbpath, *lclpath;
int a;
char arg[32];
- char default_lclpath[AFSDIR_PATH_MAX];
+ char *default_lclpath;
int servers;
int initFlags;
int level; /* security level for Ubik */
char clones[MAXHOSTSPERCELL];
afs_uint32 host = ntohl(INADDR_ANY);
char *auditFileName = NULL;
+ struct logOptions logopts;
struct rx_service *tservice;
struct rx_securityClass *sca[1];
#ifdef AFS_AIX32_ENV
/*
- * The following signal action for AIX is necessary so that in case of a
- * crash (i.e. core is generated) we can include the user's data section
+ * The following signal action for AIX is necessary so that in case of a
+ * crash (i.e. core is generated) we can include the user's data section
* in the core dump. Unfortunately, by default, only a partial core is
* generated which, in many cases, isn't too useful.
*/
#endif
osi_audit_init();
+ memset(&logopts, 0, sizeof(logopts));
+
if (argc == 0) {
usage:
- printf("Usage: kaserver [-noAuth] [-fastKeys] [-database <dbpath>] "
+ printf("Usage: kaserver [-noAuth] [-database <dbpath>] "
"[-auditlog <log path>] [-audit-interface <file|sysvmq>] "
"[-rxbind] [-localfiles <lclpath>] [-minhours <n>] "
"[-servers <serverlist>] [-crossrealm] "
- /*" [-enable_peer_stats] [-enable_process_stats] " */
+ "[-enable_peer_stats] [-enable_process_stats] "
"[-help]\n");
exit(1);
}
cellservdb = AFSDIR_SERVER_ETC_DIRPATH;
dbpath = AFSDIR_SERVER_KADB_FILEPATH;
- strcompose(default_lclpath, AFSDIR_PATH_MAX, AFSDIR_SERVER_LOCAL_DIRPATH,
- "/", AFSDIR_KADB_FILE, NULL);
+
+ if (asprintf(&default_lclpath, "%s/%s", AFSDIR_SERVER_LOCAL_DIRPATH,
+ AFSDIR_KADB_FILE) < 0) {
+ fprintf(stderr, "%s: No memory for default local dir path\n", argv[0]);
+ exit(2);
+ }
lclpath = default_lclpath;
debugOutput = 0;
printf("Invalid audit interface '%s'\n", interface);
exit(1);
}
-
+
} else if (strcmp(arg, "-localfiles") == 0)
lclpath = argv[++a];
else if (strcmp(arg, "-servers") == 0)
#else
/* NT & HPUX do not have dbm package support. So we can only do some
* text logging. So open the AuthLog file for logging and redirect
- * stdin and stdout to it
+ * stdin and stdout to it
*/
- OpenLog(AFSDIR_SERVER_KALOG_FILEPATH);
+ logopts.lopt_dest = logDest_file;
+ logopts.lopt_filename = AFSDIR_SERVER_KALOG_FILEPATH;
+ logopts.lopt_rotateOnOpen = 1;
+ logopts.lopt_rotateStyle = logRotate_old;
+
+ OpenLog(&logopts);
SetupLogSignals();
#endif
"Migrating to a Kerberos 5 KDC is advised. "
"http://www.openafs.org/no-more-des.html\n"));
- code =
- afsconf_GetExtendedCellInfo(KA_conf, cell, AFSCONF_KAUTHSERVICE,
- &cellinfo, &clones);
+ code = afsconf_GetExtendedCellInfo(KA_conf, cell, AFSCONF_KAUTHSERVICE,
+ &cellinfo, clones);
+ if (code) {
+ afs_com_err(whoami, code, "Couldn't read cell configuration");
+ exit(1);
+ }
+
if (servers) {
if ((code = ubik_ParseServerList(argc, argv, &myHost, serverList))) {
afs_com_err(whoami, code, "Couldn't parse server list");
for (i = 1; i < MAXSERVERS; i++) {
if (!serverList[i])
break;
+ if (i >= MAXHOSTSPERCELL) {
+ fprintf(stderr,
+ "Too many ubik servers specified on command line\n");
+ exit(1);
+ }
cellinfo.hostAddr[i].sin_addr.s_addr = serverList[i];
}
cellinfo.numServers = i;
ViceLog(0, ("Using server list from %s cell database.\n", cell));
}
+ /* initialize audit user check */
+ osi_audit_set_user_check(KA_conf, KA_IsLocalRealmMatch);
+
/* initialize ubik */
if (level == rxkad_clear)
- ubik_CRXSecurityProc = afsconf_ClientAuth;
+ ubik_SetClientSecurityProcs(afsconf_ClientAuth, afsconf_UpToDate,
+ KA_conf);
else if (level == rxkad_crypt)
- ubik_CRXSecurityProc = afsconf_ClientAuthSecure;
+ ubik_SetClientSecurityProcs(afsconf_ClientAuthSecure,
+ afsconf_UpToDate, KA_conf);
else {
ViceLog(0, ("Unsupported security level %d\n", level));
exit(5);
ViceLog(0,
("Using level %s for Ubik connections.\n",
(level == rxkad_crypt ? "crypt" : "clear")));
- ubik_CRXSecurityRock = (char *)KA_conf;
- ubik_SRXSecurityProc = afsconf_ServerAuth;
- ubik_SRXSecurityRock = (char *)KA_conf;
- ubik_CheckRXSecurityProc = afsconf_CheckAuth;
- ubik_CheckRXSecurityRock = (char *)KA_conf;
+
+ ubik_SetServerSecurityProcs(afsconf_BuildServerSecurityObjects,
+ afsconf_CheckAuth,
+ KA_conf);
ubik_nBuffers = 80;
if (rxBind) {
afs_int32 ccode;
- if (AFSDIR_SERVER_NETRESTRICT_FILEPATH ||
+ if (AFSDIR_SERVER_NETRESTRICT_FILEPATH ||
AFSDIR_SERVER_NETINFO_FILEPATH) {
char reason[1024];
- ccode = parseNetFiles(SHostAddrs, NULL, NULL,
- ADDRSPERSITE, reason,
- AFSDIR_SERVER_NETINFO_FILEPATH,
- AFSDIR_SERVER_NETRESTRICT_FILEPATH);
- } else
+ ccode = afsconf_ParseNetFiles(SHostAddrs, NULL, NULL,
+ ADDRSPERSITE, reason,
+ AFSDIR_SERVER_NETINFO_FILEPATH,
+ AFSDIR_SERVER_NETRESTRICT_FILEPATH);
+ } else
{
ccode = rx_getAllAddr(SHostAddrs, ADDRSPERSITE);
}
if (ccode == 1) {
host = SHostAddrs[0];
- rx_InitHost(host, htons(AFSCONF_KAUTHPORT));
}
}
+ code = rx_InitHost(host, htons(AFSCONF_KAUTHPORT));
+ if (code) {
+ afs_com_err(whoami, code, "rx init failed");
+ exit(2);
+ }
+
+ /* Disable jumbograms */
+ rx_SetNoJumbo();
+
if (servers)
code =
ubik_ServerInit(myHost, htons(AFSCONF_KAUTHPORT), serverList,
- (char *)dbpath, &KA_dbase);
+ dbpath, &KA_dbase);
else
code =
ubik_ServerInitByInfo(myHost, htons(AFSCONF_KAUTHPORT), &cellinfo,
- clones, (char *)dbpath, &KA_dbase);
+ clones, dbpath, &KA_dbase);
if (code) {
afs_com_err(whoami, code, "Ubik init failed");
exit(2);
}
- sca[RX_SCINDEX_NULL] = rxnull_NewServerSecurityObject();
-
- /* Disable jumbograms */
- rx_SetNoJumbo();
+ sca[RX_SECIDX_NULL] = rxnull_NewServerSecurityObject();
tservice =
- rx_NewServiceHost(host, 0, KA_AUTHENTICATION_SERVICE,
+ rx_NewServiceHost(host, 0, KA_AUTHENTICATION_SERVICE,
"AuthenticationService", sca, 1, KAA_ExecuteRequest);
if (tservice == (struct rx_service *)0) {
ViceLog(0, ("Could not create Authentication rx service\n"));
rx_SetMinProcs(tservice, 1);
rx_SetMaxProcs(tservice, 1);
-
+
tservice =
rx_NewServiceHost(host, 0, KA_TICKET_GRANTING_SERVICE, "TicketGrantingService",
sca, 1, KAT_ExecuteRequest);
rx_SetMinProcs(tservice, 1);
rx_SetMaxProcs(tservice, 1);
- scm[RX_SCINDEX_NULL] = sca[RX_SCINDEX_NULL];
- scm[RX_SCINDEX_VAB] = 0;
- scm[RX_SCINDEX_KAD] =
+ scm[RX_SECIDX_NULL] = sca[RX_SECIDX_NULL];
+ scm[RX_SECIDX_VAB] = 0;
+ scm[RX_SECIDX_KAD] =
rxkad_NewServerSecurityObject(rxkad_crypt, 0, kvno_admin_key, 0);
tservice =
rx_NewServiceHost(host, 0, KA_MAINTENANCE_SERVICE, "Maintenance", scm, 3,