2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 #include <afsconfig.h>
11 #include <afs/param.h>
17 #include <sys/types.h>
20 #include <WINNT/afsevent.h>
24 #include <netinet/in.h>
26 #include "kalog.h" /* for OpenLog() */
46 #include <rx/rx_globals.h>
47 #include <afs/cellconfig.h>
49 #include <afs/afsutil.h>
57 struct kadstats dynamic_statistics;
58 struct ubik_dbase *KA_dbase;
60 afs_int32 verbose_track = 1;
61 afs_int32 krb4_cross = 0;
64 #define ADDRSPERSITE 16 /* Same global is in rx/rx_user.c */
65 afs_uint32 SHostAddrs[ADDRSPERSITE];
67 struct afsconf_dir *KA_conf; /* for getting cell info */
70 int npwSums = KA_NPWSUMS; /* needs to be variable sometime */
73 #if !defined(AFS_NT40_ENV) && !defined(AFS_LINUX20_ENV) && !defined(AFS_DARWIN_ENV) && !defined(AFS_XBSD_ENV)
75 #define vfprintf(stream,fmt,args) _doprnt(fmt,args,stream)
78 static int debugOutput;
80 /* check whether caller is authorized to manage RX statistics */
82 KA_rxstat_userok(call)
85 return afsconf_SuperUser(KA_conf, call, NULL);
89 es_Report(char *fmt, ...)
96 vfprintf(stderr, fmt, pvar);
104 memset(&dynamic_statistics, 0, sizeof(dynamic_statistics));
105 dynamic_statistics.start_time = time(0);
106 dynamic_statistics.host = myHost;
110 convert_cell_to_ubik(cellinfo, myHost, serverList)
111 struct afsconf_cell *cellinfo;
113 afs_int32 *serverList;
120 gethostname(hostname, sizeof(hostname));
121 th = gethostbyname(hostname);
123 ViceLog(0, ("kaserver: couldn't get address of this host.\n"));
126 memcpy(myHost, th->h_addr, sizeof(afs_int32));
128 for (i = 0; i < cellinfo->numServers; i++)
129 if (cellinfo->hostAddr[i].sin_addr.s_addr != *myHost) {
130 /* omit my host from serverList */
131 *serverList++ = cellinfo->hostAddr[i].sin_addr.s_addr;
133 *serverList = 0; /* terminate list */
138 kvno_admin_key(rock, kvno, key)
141 struct ktc_encryptionKey *key;
143 return ka_LookupKvno(0, KA_ADMIN_NAME, KA_ADMIN_INST, kvno, key);
145 /* we would like to start a Ubik transaction to fill the cache if that
146 * fails, but may deadlock as Rx is now organized. */
149 /* initFlags: 0x01 Do not require authenticated connections.
150 0x02 Do not check the bos NoAuth flag
151 0x04 Use fast key expiration to test oldkey code.
152 0x08 Temporary flag allowing database inconsistency fixup
155 #include "AFS_component_version_number.c"
162 char *whoami = argv[0];
163 afs_int32 serverList[MAXSERVERS];
164 struct afsconf_cell cellinfo;
166 const char *cellservdb, *dbpath, *lclpath;
169 char default_lclpath[AFSDIR_PATH_MAX];
172 int level; /* security level for Ubik */
174 char clones[MAXHOSTSPERCELL];
175 afs_uint32 host = ntohl(INADDR_ANY);
177 struct rx_service *tservice;
178 struct rx_securityClass *sca[1];
179 struct rx_securityClass *scm[3];
181 extern int afsconf_ClientAuthSecure();
182 extern int afsconf_ServerAuth();
183 extern int afsconf_CheckAuth();
185 extern int rx_stackSize;
186 extern int KAA_ExecuteRequest();
187 extern int KAT_ExecuteRequest();
188 extern int KAM_ExecuteRequest();
189 extern int RXSTATS_ExecuteRequest();
193 * The following signal action for AIX is necessary so that in case of a
194 * crash (i.e. core is generated) we can include the user's data section
195 * in the core dump. Unfortunately, by default, only a partial core is
196 * generated which, in many cases, isn't too useful.
198 struct sigaction nsa;
200 sigemptyset(&nsa.sa_mask);
201 nsa.sa_handler = SIG_DFL;
202 nsa.sa_flags = SA_FULLDUMP;
203 sigaction(SIGABRT, &nsa, NULL);
204 sigaction(SIGSEGV, &nsa, NULL);
210 printf("Usage: kaserver [-noAuth] [-fastKeys] [-database <dbpath>] "
211 "[-auditlog <log path>] [-rxbind] "
212 "[-localfiles <lclpath>] [-minhours <n>] [-servers <serverlist>] "
214 /*" [-enable_peer_stats] [-enable_process_stats] " */
219 /* initialize winsock */
220 if (afs_winsockInit() < 0) {
221 ReportErrorEventAlt(AFSEVT_SVR_WINSOCK_INIT_FAILED, 0, argv[0], 0);
222 fprintf(stderr, "%s: Couldn't initialize winsock.\n", whoami);
226 /* Initialize dirpaths */
227 if (!(initAFSDirPath() & AFSDIR_SERVER_PATHS_OK)) {
229 ReportErrorEventAlt(AFSEVT_SVR_NO_INSTALL_DIR, 0, argv[0], 0);
231 fprintf(stderr, "%s: Unable to obtain AFS server directory.\n",
236 cellservdb = AFSDIR_SERVER_ETC_DIRPATH;
237 dbpath = AFSDIR_SERVER_KADB_FILEPATH;
238 strcompose(default_lclpath, AFSDIR_PATH_MAX, AFSDIR_SERVER_LOCAL_DIRPATH,
239 "/", AFSDIR_KADB_FILE, NULL);
240 lclpath = default_lclpath;
246 for (a = 1; a < argc; a++) {
247 int arglen = strlen(argv[a]);
248 lcstring(arg, argv[a], sizeof(arg));
249 #define IsArg(a) (strncmp (arg,a, arglen) == 0)
251 if (strcmp(arg, "-database") == 0) {
253 if (strcmp(lclpath, default_lclpath) == 0)
256 else if (strncmp(arg, "-auditlog", arglen) == 0) {
259 char oldName[MAXPATHLEN];
260 char *fileName = argv[++a];
265 if ((lstat(fileName, &statbuf) == 0)
266 && (S_ISFIFO(statbuf.st_mode))) {
267 flags = O_WRONLY | O_NONBLOCK;
271 strcpy(oldName, fileName);
272 strcat(oldName, ".old");
273 renamefile(fileName, oldName);
274 flags = O_WRONLY | O_TRUNC | O_CREAT;
276 tempfd = open(fileName, flags, 0666);
278 auditout = fdopen(tempfd, "a");
280 osi_audit_file(auditout);
282 printf("Warning: auditlog %s not writable, ignored.\n", fileName);
284 printf("Warning: auditlog %s not writable, ignored.\n", fileName);
285 } else if (strcmp(arg, "-localfiles") == 0)
287 else if (strcmp(arg, "-servers") == 0)
288 debugOutput++, servers = 1;
289 else if (strcmp(arg, "-noauth") == 0)
290 debugOutput++, initFlags |= 1;
291 else if (strcmp(arg, "-fastkeys") == 0)
292 debugOutput++, initFlags |= 4;
293 else if (strcmp(arg, "-dbfixup") == 0)
294 debugOutput++, initFlags |= 8;
295 else if (strcmp(arg, "-cellservdb") == 0) {
296 cellservdb = argv[++a];
301 else if (IsArg("-crypt"))
303 else if (IsArg("-safe"))
305 else if (IsArg("-clear"))
307 else if (IsArg("-sorry"))
309 else if (IsArg("-debug"))
311 else if (IsArg("-crossrealm"))
313 else if (IsArg("-rxbind"))
315 else if (IsArg("-minhours")) {
316 MinHours = atoi(argv[++a]);
317 } else if (IsArg("-enable_peer_stats")) {
318 rx_enablePeerRPCStats();
319 } else if (IsArg("-enable_process_stats")) {
320 rx_enableProcessRPCStats();
321 } else if (*arg == '-') {
322 /* hack to support help flag */
326 if (code = ka_CellConfig(cellservdb))
328 cell = ka_LocalCell();
329 KA_conf = afsconf_Open(cellservdb);
333 com_err(whoami, code, "Failed getting cell info");
339 /* NT & HPUX do not have dbm package support. So we can only do some
340 * text logging. So open the AuthLog file for logging and redirect
341 * stdin and stdout to it
343 OpenLog(AFSDIR_SERVER_KALOG_FILEPATH);
347 fprintf(stderr, "%s: WARNING: kaserver is deprecated due to its weak security "
348 "properties. Migrating to a Kerberos 5 KDC is advised. "
349 "http://www.openafs.org/no-more-des.html\n", whoami);
350 ViceLog(0, ("WARNING: kaserver is deprecated due to its weak security properties. "
351 "Migrating to a Kerberos 5 KDC is advised. "
352 "http://www.openafs.org/no-more-des.html\n"));
355 afsconf_GetExtendedCellInfo(KA_conf, cell, AFSCONF_KAUTHSERVICE,
358 if (code = ubik_ParseServerList(argc, argv, &myHost, serverList)) {
359 com_err(whoami, code, "Couldn't parse server list");
362 cellinfo.hostAddr[0].sin_addr.s_addr = myHost;
363 for (i = 1; i < MAXSERVERS; i++) {
366 cellinfo.hostAddr[i].sin_addr.s_addr = serverList[i];
368 cellinfo.numServers = i;
370 code = convert_cell_to_ubik(&cellinfo, &myHost, serverList);
373 ViceLog(0, ("Using server list from %s cell database.\n", cell));
376 /* initialize ubik */
377 if (level == rxkad_clear)
378 ubik_CRXSecurityProc = afsconf_ClientAuth;
379 else if (level == rxkad_crypt)
380 ubik_CRXSecurityProc = afsconf_ClientAuthSecure;
382 ViceLog(0, ("Unsupported security level %d\n", level));
386 ("Using level %s for Ubik connections.\n",
387 (level == rxkad_crypt ? "crypt" : "clear")));
388 ubik_CRXSecurityRock = (char *)KA_conf;
389 ubik_SRXSecurityProc = afsconf_ServerAuth;
390 ubik_SRXSecurityRock = (char *)KA_conf;
391 ubik_CheckRXSecurityProc = afsconf_CheckAuth;
392 ubik_CheckRXSecurityRock = (char *)KA_conf;
399 if (AFSDIR_SERVER_NETRESTRICT_FILEPATH ||
400 AFSDIR_SERVER_NETINFO_FILEPATH) {
402 ccode = parseNetFiles(SHostAddrs, NULL, NULL,
403 ADDRSPERSITE, reason,
404 AFSDIR_SERVER_NETINFO_FILEPATH,
405 AFSDIR_SERVER_NETRESTRICT_FILEPATH);
409 ccode = rx_getAllAddr(SHostAddrs, ADDRSPERSITE);
412 host = SHostAddrs[0];
413 rx_InitHost(host, htons(AFSCONF_KAUTHPORT));
419 ubik_ServerInit(myHost, htons(AFSCONF_KAUTHPORT), serverList,
423 ubik_ServerInitByInfo(myHost, htons(AFSCONF_KAUTHPORT), &cellinfo,
424 &clones, dbpath, &KA_dbase);
427 com_err(whoami, code, "Ubik init failed");
431 sca[RX_SCINDEX_NULL] = rxnull_NewServerSecurityObject();
433 /* Disable jumbograms */
437 rx_NewServiceHost(host, 0, KA_AUTHENTICATION_SERVICE,
438 "AuthenticationService", sca, 1, KAA_ExecuteRequest);
439 if (tservice == (struct rx_service *)0) {
440 ViceLog(0, ("Could not create Authentication rx service\n"));
443 rx_SetMinProcs(tservice, 1);
444 rx_SetMaxProcs(tservice, 1);
448 rx_NewServiceHost(host, 0, KA_TICKET_GRANTING_SERVICE, "TicketGrantingService",
449 sca, 1, KAT_ExecuteRequest);
450 if (tservice == (struct rx_service *)0) {
451 ViceLog(0, ("Could not create Ticket Granting rx service\n"));
454 rx_SetMinProcs(tservice, 1);
455 rx_SetMaxProcs(tservice, 1);
457 scm[RX_SCINDEX_NULL] = sca[RX_SCINDEX_NULL];
458 scm[RX_SCINDEX_VAB] = 0;
459 scm[RX_SCINDEX_KAD] =
460 rxkad_NewServerSecurityObject(rxkad_crypt, 0, kvno_admin_key, 0);
462 rx_NewServiceHost(host, 0, KA_MAINTENANCE_SERVICE, "Maintenance", scm, 3,
464 if (tservice == (struct rx_service *)0) {
465 ViceLog(0, ("Could not create Maintenance rx service\n"));
468 rx_SetMinProcs(tservice, 1);
469 rx_SetMaxProcs(tservice, 1);
470 rx_SetStackSize(tservice, 10000);
473 rx_NewServiceHost(host, 0, RX_STATS_SERVICE_ID, "rpcstats", scm, 3,
474 RXSTATS_ExecuteRequest);
475 if (tservice == (struct rx_service *)0) {
476 ViceLog(0, ("Could not create rpc stats rx service\n"));
479 rx_SetMinProcs(tservice, 2);
480 rx_SetMaxProcs(tservice, 4);
484 /* allow super users to manage RX statistics */
485 rx_SetRxStatUserOk(KA_rxstat_userok);
487 rx_StartServer(0); /* start handling req. of all types */
489 if (init_kaprocs(lclpath, initFlags))
492 if (code = init_krb_udp()) {
494 ("Failed to initialize UDP interface; code = %d.\n", code));
495 ViceLog(0, ("Running without UDP access.\n"));
498 ViceLog(0, ("Starting to process AuthServer requests\n"));
499 rx_ServerProc(); /* donate this LWP */