2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 #include <afsconfig.h>
11 #include <afs/param.h>
18 #include <WINNT/afsevent.h>
25 #include <rx/rxstat.h>
27 #include <rx/rx_globals.h>
28 #include <afs/cellconfig.h>
30 #include <afs/afsutil.h>
31 #include <afs/com_err.h>
32 #include <afs/audit.h>
35 #include "kalog.h" /* for OpenLog() */
37 #include "kauth_internal.h"
40 #include "kadatabase.h"
43 struct kadstats dynamic_statistics;
44 struct ubik_dbase *KA_dbase;
45 afs_uint32 myHost = 0;
46 afs_int32 verbose_track = 1;
47 afs_int32 krb4_cross = 0;
50 #define ADDRSPERSITE 16 /* Same global is in rx/rx_user.c */
51 afs_uint32 SHostAddrs[ADDRSPERSITE];
53 struct afsconf_dir *KA_conf; /* for getting cell info */
56 int npwSums = KA_NPWSUMS; /* needs to be variable sometime */
58 #if !defined(AFS_NT40_ENV) && !defined(AFS_LINUX20_ENV) && !defined(AFS_DARWIN_ENV) && !defined(AFS_XBSD_ENV)
60 #define vfprintf(stream,fmt,args) _doprnt(fmt,args,stream)
63 static int debugOutput;
65 /* check whether caller is authorized to manage RX statistics */
67 KA_rxstat_userok(struct rx_call *call)
69 return afsconf_SuperUser(KA_conf, call, NULL);
73 * Return true if this name is a member of the local realm.
76 KA_IsLocalRealmMatch(void *rock, char *name, char *inst, char *cell)
78 struct afsconf_dir *dir = (struct afsconf_dir *)rock;
79 afs_int32 islocal = 0; /* default to no */
82 code = afsconf_IsLocalRealmMatch(dir, &islocal, name, inst, cell);
85 ("Failed local realm check; code=%d, name=%s, inst=%s, cell=%s\n",
86 code, name, inst, cell));
92 es_Report(char *fmt, ...)
99 vfprintf(stderr, fmt, pvar);
105 initialize_dstats(void)
107 memset(&dynamic_statistics, 0, sizeof(dynamic_statistics));
108 dynamic_statistics.start_time = time(0);
109 dynamic_statistics.host = myHost;
113 convert_cell_to_ubik(struct afsconf_cell *cellinfo, afs_uint32 *myHost,
114 afs_uint32 *serverList)
121 gethostname(hostname, sizeof(hostname));
122 th = gethostbyname(hostname);
124 ViceLog(0, ("kaserver: couldn't get address of this host.\n"));
127 memcpy(myHost, th->h_addr, sizeof(afs_uint32));
129 for (i = 0; i < cellinfo->numServers; i++)
130 if (cellinfo->hostAddr[i].sin_addr.s_addr != *myHost) {
131 /* omit my host from serverList */
132 *serverList++ = cellinfo->hostAddr[i].sin_addr.s_addr;
134 *serverList = 0; /* terminate list */
139 kvno_admin_key(void *rock, afs_int32 kvno, struct ktc_encryptionKey *key)
141 return ka_LookupKvno(0, KA_ADMIN_NAME, KA_ADMIN_INST, kvno, key);
143 /* we would like to start a Ubik transaction to fill the cache if that
144 * fails, but may deadlock as Rx is now organized. */
147 /* initFlags: 0x01 Do not require authenticated connections.
148 0x02 Do not check the bos NoAuth flag
149 0x04 Use fast key expiration to test oldkey code.
150 0x08 Temporary flag allowing database inconsistency fixup
153 #include "AFS_component_version_number.c"
156 main(int argc, char *argv[])
159 char *whoami = argv[0];
160 afs_uint32 serverList[MAXSERVERS];
161 struct afsconf_cell cellinfo;
163 const char *cellservdb, *dbpath, *lclpath;
166 char default_lclpath[AFSDIR_PATH_MAX];
169 int level; /* security level for Ubik */
171 char clones[MAXHOSTSPERCELL];
172 afs_uint32 host = ntohl(INADDR_ANY);
173 char *auditFileName = NULL;
175 struct rx_service *tservice;
176 struct rx_securityClass *sca[1];
177 struct rx_securityClass *scm[3];
179 extern int rx_stackSize;
183 * The following signal action for AIX is necessary so that in case of a
184 * crash (i.e. core is generated) we can include the user's data section
185 * in the core dump. Unfortunately, by default, only a partial core is
186 * generated which, in many cases, isn't too useful.
188 struct sigaction nsa;
190 sigemptyset(&nsa.sa_mask);
191 nsa.sa_handler = SIG_DFL;
192 nsa.sa_flags = SA_FULLDUMP;
193 sigaction(SIGABRT, &nsa, NULL);
194 sigaction(SIGSEGV, &nsa, NULL);
200 printf("Usage: kaserver [-noAuth] [-database <dbpath>] "
201 "[-auditlog <log path>] [-audit-interface <file|sysvmq>] "
202 "[-rxbind] [-localfiles <lclpath>] [-minhours <n>] "
203 "[-servers <serverlist>] [-crossrealm] "
204 /*" [-enable_peer_stats] [-enable_process_stats] " */
209 /* initialize winsock */
210 if (afs_winsockInit() < 0) {
211 ReportErrorEventAlt(AFSEVT_SVR_WINSOCK_INIT_FAILED, 0, argv[0], 0);
212 fprintf(stderr, "%s: Couldn't initialize winsock.\n", whoami);
216 /* Initialize dirpaths */
217 if (!(initAFSDirPath() & AFSDIR_SERVER_PATHS_OK)) {
219 ReportErrorEventAlt(AFSEVT_SVR_NO_INSTALL_DIR, 0, argv[0], 0);
221 fprintf(stderr, "%s: Unable to obtain AFS server directory.\n",
226 cellservdb = AFSDIR_SERVER_ETC_DIRPATH;
227 dbpath = AFSDIR_SERVER_KADB_FILEPATH;
228 strcompose(default_lclpath, AFSDIR_PATH_MAX, AFSDIR_SERVER_LOCAL_DIRPATH,
229 "/", AFSDIR_KADB_FILE, (char *)NULL);
230 lclpath = default_lclpath;
236 for (a = 1; a < argc; a++) {
237 int arglen = strlen(argv[a]);
238 lcstring(arg, argv[a], sizeof(arg));
239 #define IsArg(a) (strncmp (arg,a, arglen) == 0)
241 if (strcmp(arg, "-database") == 0) {
243 if (strcmp(lclpath, default_lclpath) == 0)
246 else if (strncmp(arg, "-auditlog", arglen) == 0) {
247 auditFileName = argv[++a];
249 } else if (strncmp(arg, "-audit-interface", arglen) == 0) {
250 char *interface = argv[++a];
252 if (osi_audit_interface(interface)) {
253 printf("Invalid audit interface '%s'\n", interface);
257 } else if (strcmp(arg, "-localfiles") == 0)
259 else if (strcmp(arg, "-servers") == 0)
260 debugOutput++, servers = 1;
261 else if (strcmp(arg, "-noauth") == 0)
262 debugOutput++, initFlags |= 1;
263 else if (strcmp(arg, "-fastkeys") == 0)
264 debugOutput++, initFlags |= 4;
265 else if (strcmp(arg, "-dbfixup") == 0)
266 debugOutput++, initFlags |= 8;
267 else if (strcmp(arg, "-cellservdb") == 0) {
268 cellservdb = argv[++a];
273 else if (IsArg("-crypt"))
275 else if (IsArg("-safe"))
277 else if (IsArg("-clear"))
279 else if (IsArg("-sorry"))
281 else if (IsArg("-debug"))
283 else if (IsArg("-crossrealm"))
285 else if (IsArg("-rxbind"))
287 else if (IsArg("-minhours")) {
288 MinHours = atoi(argv[++a]);
289 } else if (IsArg("-enable_peer_stats")) {
290 rx_enablePeerRPCStats();
291 } else if (IsArg("-enable_process_stats")) {
292 rx_enableProcessRPCStats();
293 } else if (*arg == '-') {
294 /* hack to support help flag */
300 osi_audit_file(auditFileName);
303 if ((code = ka_CellConfig(cellservdb)))
305 cell = ka_LocalCell();
306 KA_conf = afsconf_Open(cellservdb);
310 afs_com_err(whoami, code, "Failed getting cell info");
316 /* NT & HPUX do not have dbm package support. So we can only do some
317 * text logging. So open the AuthLog file for logging and redirect
318 * stdin and stdout to it
320 OpenLog(AFSDIR_SERVER_KALOG_FILEPATH);
324 fprintf(stderr, "%s: WARNING: kaserver is deprecated due to its weak security "
325 "properties. Migrating to a Kerberos 5 KDC is advised. "
326 "http://www.openafs.org/no-more-des.html\n", whoami);
327 ViceLog(0, ("WARNING: kaserver is deprecated due to its weak security properties. "
328 "Migrating to a Kerberos 5 KDC is advised. "
329 "http://www.openafs.org/no-more-des.html\n"));
332 afsconf_GetExtendedCellInfo(KA_conf, cell, AFSCONF_KAUTHSERVICE,
335 if ((code = ubik_ParseServerList(argc, argv, &myHost, serverList))) {
336 afs_com_err(whoami, code, "Couldn't parse server list");
339 cellinfo.hostAddr[0].sin_addr.s_addr = myHost;
340 for (i = 1; i < MAXSERVERS; i++) {
343 cellinfo.hostAddr[i].sin_addr.s_addr = serverList[i];
345 cellinfo.numServers = i;
347 code = convert_cell_to_ubik(&cellinfo, &myHost, serverList);
350 ViceLog(0, ("Using server list from %s cell database.\n", cell));
353 /* initialize audit user check */
354 osi_audit_set_user_check(KA_conf, KA_IsLocalRealmMatch);
356 /* initialize ubik */
357 if (level == rxkad_clear)
358 ubik_SetClientSecurityProcs(afsconf_ClientAuth, afsconf_UpToDate,
360 else if (level == rxkad_crypt)
361 ubik_SetClientSecurityProcs(afsconf_ClientAuthSecure,
362 afsconf_UpToDate, KA_conf);
364 ViceLog(0, ("Unsupported security level %d\n", level));
368 ("Using level %s for Ubik connections.\n",
369 (level == rxkad_crypt ? "crypt" : "clear")));
371 ubik_SetServerSecurityProcs(afsconf_BuildServerSecurityObjects,
379 if (AFSDIR_SERVER_NETRESTRICT_FILEPATH ||
380 AFSDIR_SERVER_NETINFO_FILEPATH) {
382 ccode = parseNetFiles(SHostAddrs, NULL, NULL,
383 ADDRSPERSITE, reason,
384 AFSDIR_SERVER_NETINFO_FILEPATH,
385 AFSDIR_SERVER_NETRESTRICT_FILEPATH);
388 ccode = rx_getAllAddr(SHostAddrs, ADDRSPERSITE);
391 host = SHostAddrs[0];
392 rx_InitHost(host, htons(AFSCONF_KAUTHPORT));
396 /* Disable jumbograms */
401 ubik_ServerInit(myHost, htons(AFSCONF_KAUTHPORT), serverList,
405 ubik_ServerInitByInfo(myHost, htons(AFSCONF_KAUTHPORT), &cellinfo,
406 clones, dbpath, &KA_dbase);
409 afs_com_err(whoami, code, "Ubik init failed");
413 sca[RX_SCINDEX_NULL] = rxnull_NewServerSecurityObject();
416 rx_NewServiceHost(host, 0, KA_AUTHENTICATION_SERVICE,
417 "AuthenticationService", sca, 1, KAA_ExecuteRequest);
418 if (tservice == (struct rx_service *)0) {
419 ViceLog(0, ("Could not create Authentication rx service\n"));
422 rx_SetMinProcs(tservice, 1);
423 rx_SetMaxProcs(tservice, 1);
427 rx_NewServiceHost(host, 0, KA_TICKET_GRANTING_SERVICE, "TicketGrantingService",
428 sca, 1, KAT_ExecuteRequest);
429 if (tservice == (struct rx_service *)0) {
430 ViceLog(0, ("Could not create Ticket Granting rx service\n"));
433 rx_SetMinProcs(tservice, 1);
434 rx_SetMaxProcs(tservice, 1);
436 scm[RX_SCINDEX_NULL] = sca[RX_SCINDEX_NULL];
437 scm[RX_SCINDEX_VAB] = 0;
438 scm[RX_SCINDEX_KAD] =
439 rxkad_NewServerSecurityObject(rxkad_crypt, 0, kvno_admin_key, 0);
441 rx_NewServiceHost(host, 0, KA_MAINTENANCE_SERVICE, "Maintenance", scm, 3,
443 if (tservice == (struct rx_service *)0) {
444 ViceLog(0, ("Could not create Maintenance rx service\n"));
447 rx_SetMinProcs(tservice, 1);
448 rx_SetMaxProcs(tservice, 1);
449 rx_SetStackSize(tservice, 10000);
452 rx_NewServiceHost(host, 0, RX_STATS_SERVICE_ID, "rpcstats", scm, 3,
453 RXSTATS_ExecuteRequest);
454 if (tservice == (struct rx_service *)0) {
455 ViceLog(0, ("Could not create rpc stats rx service\n"));
458 rx_SetMinProcs(tservice, 2);
459 rx_SetMaxProcs(tservice, 4);
463 /* allow super users to manage RX statistics */
464 rx_SetRxStatUserOk(KA_rxstat_userok);
466 rx_StartServer(0); /* start handling req. of all types */
468 if (init_kaprocs(lclpath, initFlags))
471 if ((code = init_krb_udp())) {
473 ("Failed to initialize UDP interface; code = %d.\n", code));
474 ViceLog(0, ("Running without UDP access.\n"));
477 ViceLog(0, ("Starting to process AuthServer requests\n"));
478 rx_ServerProc(NULL); /* donate this LWP */