#include <roken.h>
#include <afs/opr.h>
+#ifdef AFS_PTHREAD_ENV
+# include <opr/softsig.h>
+# include <afs/procmgmt_softsig.h> /* must come after softsig.h */
+#endif
#ifdef AFS_NT40_ENV
#include <WINNT/afsevent.h>
extern afs_int32 depthsg;
#endif
-char *pr_realmName;
-
int restricted = 0;
+int restrict_anonymous = 0;
int rxMaxMTU = -1;
int rxBind = 0;
int rxkadDisableDotCheck = 0;
return afsconf_SuperUser(prdir, call, NULL);
}
+/**
+ * Return true if this name is a member of the local realm.
+ */
+int
+pr_IsLocalRealmMatch(void *rock, char *name, char *inst, char *cell)
+{
+ struct afsconf_dir *dir = (struct afsconf_dir *)rock;
+ afs_int32 islocal = 0; /* default to no */
+ int code;
+
+ code = afsconf_IsLocalRealmMatch(dir, &islocal, name, inst, cell);
+ if (code) {
+ ViceLog(0, ("Failed local realm check; code=%d, name=%s, inst=%s, cell=%s\n",
+ code, name, inst, cell));
+ }
+ return islocal;
+}
+
+
enum optionsList {
OPT_database,
OPT_access,
OPT_groupdepth,
OPT_restricted,
+ OPT_restrict_anonymous,
OPT_auditlog,
OPT_auditiface,
OPT_config,
OPT_debug,
OPT_logfile,
OPT_threads,
+#ifdef HAVE_SYSLOG
OPT_syslog,
+#endif
OPT_peer,
OPT_process,
OPT_rxbind,
OPT_rxmaxmtu,
- OPT_dotted
+ OPT_dotted,
+ OPT_transarc_logs,
+ OPT_s2s_crypt
};
int
afs_int32 numClasses;
int lwps = 3;
char clones[MAXHOSTSPERCELL];
+ char hoststr[16];
afs_uint32 host = htonl(INADDR_ANY);
struct cmd_syndesc *opts;
struct cmd_item *list;
+ int s2s_rxgk = 0;
char *pr_dbaseName;
char *configDir;
- char *logFile;
+ struct logOptions logopts;
char *whoami = "ptserver";
char *auditFileName = NULL;
char *interface = NULL;
+ char *s2s_crypt_behavior = NULL;
#ifdef AFS_AIX32_ENV
/*
pr_dbaseName = strdup(AFSDIR_SERVER_PRDB_FILEPATH);
configDir = strdup(AFSDIR_SERVER_ETC_DIRPATH);
- logFile = strdup(AFSDIR_SERVER_PTLOG_FILEPATH);
+ memset(&logopts, 0, sizeof(logopts));
#if defined(SUPERGROUPS)
/* make sure the structures for database records are the same size */
cmd_DisableAbbreviations();
cmd_DisablePositionalCommands();
- opts = cmd_CreateSyntax(NULL, NULL, NULL, NULL);
+ opts = cmd_CreateSyntax(NULL, NULL, NULL, 0, NULL);
/* ptserver specific options */
cmd_AddParmAtOffset(opts, OPT_database, "-database", CMD_SINGLE,
CMD_OPTIONAL, "database file");
- cmd_AddParmAlias(opts, OPT_database, "db");
+ cmd_AddParmAlias(opts, OPT_database, "-db");
- cmd_AddParmAtOffset(opts, OPT_access, "-default_access", CMD_SINGLE,
+ cmd_AddParmAtOffset(opts, OPT_access, "-default_access", CMD_LIST,
CMD_OPTIONAL, "default access flags for new entries");
#if defined(SUPERGROUPS)
cmd_AddParmAtOffset(opts, OPT_groupdepth, "-groupdepth", CMD_SINGLE,
CMD_OPTIONAL, "max search depth for supergroups");
- cmd_AddParmAlias(opts, OPT_groupdepth, "depth");
+ cmd_AddParmAlias(opts, OPT_groupdepth, "-depth");
#endif
cmd_AddParmAtOffset(opts, OPT_restricted, "-restricted", CMD_FLAG,
CMD_OPTIONAL, "enable restricted mode");
+ cmd_AddParmAtOffset(opts, OPT_restrict_anonymous, "-restrict_anonymous",
+ CMD_FLAG, CMD_OPTIONAL, "enable restricted anonymous mode");
/* general server options */
cmd_AddParmAtOffset(opts, OPT_auditlog, "-auditlog", CMD_SINGLE,
CMD_OPTIONAL, "location of logfile");
cmd_AddParmAtOffset(opts, OPT_threads, "-p", CMD_SINGLE,
CMD_OPTIONAL, "number of threads");
-#if !defined(AFS_NT40_ENV)
+#ifdef HAVE_SYSLOG
cmd_AddParmAtOffset(opts, OPT_syslog, "-syslog", CMD_SINGLE_OR_FLAG,
CMD_OPTIONAL, "log to syslog");
#endif
+ cmd_AddParmAtOffset(opts, OPT_transarc_logs, "-transarc-logs", CMD_FLAG,
+ CMD_OPTIONAL, "enable Transarc style logging");
/* rx options */
cmd_AddParmAtOffset(opts, OPT_peer, "-enable_peer_stats", CMD_FLAG,
CMD_FLAG, CMD_OPTIONAL,
"permit Kerberos 5 principals with dots");
+ /* rxgk options */
+ cmd_AddParmAtOffset(opts, OPT_s2s_crypt, "-s2scrypt", CMD_SINGLE,
+ CMD_OPTIONAL,
+ "rxgk-crypt | never");
+
code = cmd_Parse(argc, argv, &opts);
+ if (code == CMD_HELP) {
+ PT_EXIT(0);
+ }
if (code)
PT_EXIT(1);
+ cmd_OptionAsString(opts, OPT_config, &configDir);
+
+ cmd_OpenConfigFile(AFSDIR_SERVER_CONFIG_FILE_FILEPATH);
+ cmd_SetCommandName("ptserver");
+
if (cmd_OptionAsList(opts, OPT_access, &list) == 0) {
prp_user_default = prp_access_mask(list->data);
if (list->next == NULL || list->next->data == NULL) {
#endif
cmd_OptionAsFlag(opts, OPT_restricted, &restricted);
+ cmd_OptionAsFlag(opts, OPT_restrict_anonymous, &restrict_anonymous);
/* general server options */
cmd_OptionAsString(opts, OPT_auditlog, &auditFileName);
free(interface);
}
- cmd_OptionAsString(opts, OPT_config, &configDir);
- cmd_OptionAsInt(opts, OPT_debug, &LogLevel);
cmd_OptionAsString(opts, OPT_database, &pr_dbaseName);
- cmd_OptionAsString(opts, OPT_logfile, &logFile);
if (cmd_OptionAsInt(opts, OPT_threads, &lwps) == 0) {
- if (lwps > 16) { /* maximum of 16 */
+ if (lwps > 64) { /* maximum of 64 */
printf("Warning: '-p %d' is too big; using %d instead\n",
- lwps, 16);
- lwps = 16;
+ lwps, 64);
+ lwps = 64;
} else if (lwps < 3) { /* minimum of 3 */
printf("Warning: '-p %d' is too small; using %d instead\n",
lwps, 3);
}
}
-#ifndef AFS_NT40_ENV
+#ifdef HAVE_SYSLOG
if (cmd_OptionPresent(opts, OPT_syslog)) {
- serverLogSyslog = 1;
- cmd_OptionAsInt(opts, OPT_syslog, &serverLogSyslogFacility);
- }
+ if (cmd_OptionPresent(opts, OPT_logfile)) {
+ fprintf(stderr, "Invalid options: -syslog and -logfile are exclusive.");
+ PT_EXIT(1);
+ }
+ if (cmd_OptionPresent(opts, OPT_transarc_logs)) {
+ fprintf(stderr, "Invalid options: -syslog and -transarc-logs are exclusive.");
+ PT_EXIT(1);
+ }
+ logopts.lopt_dest = logDest_syslog;
+ logopts.lopt_facility = LOG_DAEMON;
+ logopts.lopt_tag = "ptserver";
+ cmd_OptionAsInt(opts, OPT_syslog, &logopts.lopt_facility);
+ } else
#endif
+ {
+ logopts.lopt_dest = logDest_file;
+ if (cmd_OptionPresent(opts, OPT_transarc_logs)) {
+ logopts.lopt_rotateOnOpen = 1;
+ logopts.lopt_rotateStyle = logRotate_old;
+ }
+ if (cmd_OptionPresent(opts, OPT_logfile))
+ cmd_OptionAsString(opts, OPT_logfile, (char**)&logopts.lopt_filename);
+ else
+ logopts.lopt_filename = AFSDIR_SERVER_PTLOG_FILEPATH;
+ }
+ cmd_OptionAsInt(opts, OPT_debug, &logopts.lopt_logLevel);
/* rx options */
if (cmd_OptionPresent(opts, OPT_peer))
/* rxkad options */
cmd_OptionAsFlag(opts, OPT_dotted, &rxkadDisableDotCheck);
+ /* rxgk options */
+ if (cmd_OptionAsString(opts, OPT_s2s_crypt, &s2s_crypt_behavior) == 0) {
+ if (strcmp(s2s_crypt_behavior, "never") == 0) {
+ /* noop; this is the default */
+ } else if (strcmp(s2s_crypt_behavior, "rxgk-crypt") == 0) {
+ s2s_rxgk = 1;
+ } else {
+ fprintf(stderr, "Invalid argument for -s2scrypt: %s\n", s2s_crypt_behavior);
+ PT_EXIT(1);
+ }
+ free(s2s_crypt_behavior);
+ s2s_crypt_behavior = NULL;
+ }
+
cmd_FreeOptions(&opts);
if (auditFileName) {
osi_audit(PTS_StartEvent, 0, AUD_END);
}
-#ifndef AFS_NT40_ENV
- serverLogSyslogTag = "ptserver";
-#endif
- OpenLog(logFile); /* set up logging */
+ OpenLog(&logopts);
+#ifdef AFS_PTHREAD_ENV
+ opr_softsig_Init();
+ SetupLogSoftSignals();
+#else
SetupLogSignals();
+#endif
prdir = afsconf_Open(configDir);
if (!prdir) {
afs_com_err(whoami, code, "Couldn't get server list");
PT_EXIT(2);
}
- pr_realmName = info.name;
+
+ /* initialize audit user check */
+ osi_audit_set_user_check(prdir, pr_IsLocalRealmMatch);
/* initialize ubik */
- ubik_SetClientSecurityProcs(afsconf_ClientAuth, afsconf_UpToDate, prdir);
+ if (s2s_rxgk) {
+ ubik_SetClientSecurityProcs(afsconf_ClientAuthRXGKCrypt,
+ afsconf_UpToDate, prdir);
+ } else {
+ ubik_SetClientSecurityProcs(afsconf_ClientAuth, afsconf_UpToDate,
+ prdir);
+ }
ubik_SetServerSecurityProcs(afsconf_BuildServerSecurityObjects,
afsconf_CheckAuth, prdir);
if (AFSDIR_SERVER_NETRESTRICT_FILEPATH ||
AFSDIR_SERVER_NETINFO_FILEPATH) {
char reason[1024];
- ccode = parseNetFiles(SHostAddrs, NULL, NULL,
- ADDRSPERSITE, reason,
- AFSDIR_SERVER_NETINFO_FILEPATH,
- AFSDIR_SERVER_NETRESTRICT_FILEPATH);
+ ccode = afsconf_ParseNetFiles(SHostAddrs, NULL, NULL,
+ ADDRSPERSITE, reason,
+ AFSDIR_SERVER_NETINFO_FILEPATH,
+ AFSDIR_SERVER_NETRESTRICT_FILEPATH);
} else
{
ccode = rx_getAllAddr(SHostAddrs, ADDRSPERSITE);
}
if (ccode == 1) {
host = SHostAddrs[0];
- /* the following call is idempotent so if/when it gets called
- * again by the ubik init stuff, it doesn't really matter
- * -- klm
- */
- rx_InitHost(host, htons(AFSCONF_PROTPORT));
+ }
+ }
+
+ ViceLog(0, ("ptserver binding rx to %s:%d\n",
+ afs_inet_ntoa_r(host, hoststr), AFSCONF_PROTPORT));
+ code = rx_InitHost(host, htons(AFSCONF_PROTPORT));
+ if (code < 0) {
+ ViceLog(0, ("ptserver: Rx init failed: %d\n", code));
+ PT_EXIT(1);
+ }
+
+ /* Disable jumbograms */
+ rx_SetNoJumbo();
+
+ if (rxMaxMTU != -1) {
+ if (rx_SetMaxMTU(rxMaxMTU) != 0) {
+ printf("rxMaxMTU %d is invalid\n", rxMaxMTU);
+ PT_EXIT(1);
}
}
afs_com_err(whoami, code, "Ubik init failed");
PT_EXIT(2);
}
+
#if defined(SUPERGROUPS)
pt_hook_write();
#endif
afsconf_BuildServerSecurityObjects(prdir, &securityClasses, &numClasses);
- /* Disable jumbograms */
- rx_SetNoJumbo();
-
- if (rxMaxMTU != -1) {
- if (rx_SetMaxMTU(rxMaxMTU) != 0) {
- printf("rxMaxMTU %d is invalid\n", rxMaxMTU);
- PT_EXIT(1);
- }
- }
-
tservice =
rx_NewServiceHost(host, 0, PRSRV, "Protection Server", securityClasses,
numClasses, PR_ExecuteRequest);
rx_SetMinProcs(tservice, 2);
rx_SetMaxProcs(tservice, lwps);
if (rxkadDisableDotCheck) {
- rx_SetSecurityConfiguration(tservice, RXS_CONFIG_FLAGS,
- (void *)RXS_CONFIG_FLAGS_DISABLE_DOTCHECK);
+ code = rx_SetSecurityConfiguration(tservice, RXS_CONFIG_FLAGS,
+ (void *)RXS_CONFIG_FLAGS_DISABLE_DOTCHECK);
+ if (code) {
+ afs_com_err(whoami, code, "Failed to allow dotted principals");
+ PT_EXIT(3);
+ }
}
tservice =
"1.0",
#endif
"Starting AFS", FSLog);
+ if (afsconf_GetLatestKey(prdir, NULL, NULL) == 0) {
+ LogDesWarning();
+ }
rx_StartServer(1);
osi_audit(PTS_FinishEvent, -1, AUD_END);