2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 #include <afsconfig.h>
11 #include <afs/param.h>
17 #include <sys/types.h>
20 #include <WINNT/afsevent.h>
24 #include <netinet/in.h>
26 #include "kalog.h" /* for OpenLog() */
40 #include <rx/rx_globals.h>
41 #include <afs/cellconfig.h>
43 #include <afs/afsutil.h>
44 #include <afs/com_err.h>
52 struct kadstats dynamic_statistics;
53 struct ubik_dbase *KA_dbase;
55 afs_int32 verbose_track = 1;
56 afs_int32 krb4_cross = 0;
59 #define ADDRSPERSITE 16 /* Same global is in rx/rx_user.c */
60 afs_uint32 SHostAddrs[ADDRSPERSITE];
62 struct afsconf_dir *KA_conf; /* for getting cell info */
65 int npwSums = KA_NPWSUMS; /* needs to be variable sometime */
68 #if !defined(AFS_NT40_ENV) && !defined(AFS_LINUX20_ENV) && !defined(AFS_DARWIN_ENV) && !defined(AFS_XBSD_ENV)
70 #define vfprintf(stream,fmt,args) _doprnt(fmt,args,stream)
73 static int debugOutput;
75 /* check whether caller is authorized to manage RX statistics */
77 KA_rxstat_userok(call)
80 return afsconf_SuperUser(KA_conf, call, NULL);
84 es_Report(char *fmt, ...)
91 vfprintf(stderr, fmt, pvar);
99 memset(&dynamic_statistics, 0, sizeof(dynamic_statistics));
100 dynamic_statistics.start_time = time(0);
101 dynamic_statistics.host = myHost;
105 convert_cell_to_ubik(cellinfo, myHost, serverList)
106 struct afsconf_cell *cellinfo;
108 afs_int32 *serverList;
115 gethostname(hostname, sizeof(hostname));
116 th = gethostbyname(hostname);
118 ViceLog(0, ("kaserver: couldn't get address of this host.\n"));
121 memcpy(myHost, th->h_addr, sizeof(afs_int32));
123 for (i = 0; i < cellinfo->numServers; i++)
124 if (cellinfo->hostAddr[i].sin_addr.s_addr != *myHost) {
125 /* omit my host from serverList */
126 *serverList++ = cellinfo->hostAddr[i].sin_addr.s_addr;
128 *serverList = 0; /* terminate list */
133 kvno_admin_key(rock, kvno, key)
136 struct ktc_encryptionKey *key;
138 return ka_LookupKvno(0, KA_ADMIN_NAME, KA_ADMIN_INST, kvno, key);
140 /* we would like to start a Ubik transaction to fill the cache if that
141 * fails, but may deadlock as Rx is now organized. */
144 /* initFlags: 0x01 Do not require authenticated connections.
145 0x02 Do not check the bos NoAuth flag
146 0x04 Use fast key expiration to test oldkey code.
147 0x08 Temporary flag allowing database inconsistency fixup
150 #include "AFS_component_version_number.c"
157 char *whoami = argv[0];
158 afs_int32 serverList[MAXSERVERS];
159 struct afsconf_cell cellinfo;
161 const char *cellservdb, *dbpath, *lclpath;
164 char default_lclpath[AFSDIR_PATH_MAX];
167 int level; /* security level for Ubik */
169 char clones[MAXHOSTSPERCELL];
170 afs_uint32 host = ntohl(INADDR_ANY);
172 struct rx_service *tservice;
173 struct rx_securityClass *sca[1];
174 struct rx_securityClass *scm[3];
176 extern int afsconf_ClientAuthSecure();
177 extern int afsconf_ServerAuth();
178 extern int afsconf_CheckAuth();
180 extern int rx_stackSize;
181 extern int KAA_ExecuteRequest();
182 extern int KAT_ExecuteRequest();
183 extern int KAM_ExecuteRequest();
184 extern int RXSTATS_ExecuteRequest();
188 * The following signal action for AIX is necessary so that in case of a
189 * crash (i.e. core is generated) we can include the user's data section
190 * in the core dump. Unfortunately, by default, only a partial core is
191 * generated which, in many cases, isn't too useful.
193 struct sigaction nsa;
195 sigemptyset(&nsa.sa_mask);
196 nsa.sa_handler = SIG_DFL;
197 nsa.sa_flags = SA_FULLDUMP;
198 sigaction(SIGABRT, &nsa, NULL);
199 sigaction(SIGSEGV, &nsa, NULL);
205 printf("Usage: kaserver [-noAuth] [-fastKeys] [-database <dbpath>] "
206 "[-auditlog <log path>] [-rxbind] "
207 "[-localfiles <lclpath>] [-minhours <n>] [-servers <serverlist>] "
209 /*" [-enable_peer_stats] [-enable_process_stats] " */
214 /* initialize winsock */
215 if (afs_winsockInit() < 0) {
216 ReportErrorEventAlt(AFSEVT_SVR_WINSOCK_INIT_FAILED, 0, argv[0], 0);
217 fprintf(stderr, "%s: Couldn't initialize winsock.\n", whoami);
221 /* Initialize dirpaths */
222 if (!(initAFSDirPath() & AFSDIR_SERVER_PATHS_OK)) {
224 ReportErrorEventAlt(AFSEVT_SVR_NO_INSTALL_DIR, 0, argv[0], 0);
226 fprintf(stderr, "%s: Unable to obtain AFS server directory.\n",
231 cellservdb = AFSDIR_SERVER_ETC_DIRPATH;
232 dbpath = AFSDIR_SERVER_KADB_FILEPATH;
233 strcompose(default_lclpath, AFSDIR_PATH_MAX, AFSDIR_SERVER_LOCAL_DIRPATH,
234 "/", AFSDIR_KADB_FILE, NULL);
235 lclpath = default_lclpath;
241 for (a = 1; a < argc; a++) {
242 int arglen = strlen(argv[a]);
243 lcstring(arg, argv[a], sizeof(arg));
244 #define IsArg(a) (strncmp (arg,a, arglen) == 0)
246 if (strcmp(arg, "-database") == 0) {
248 if (strcmp(lclpath, default_lclpath) == 0)
251 else if (strncmp(arg, "-auditlog", arglen) == 0) {
254 char oldName[MAXPATHLEN];
255 char *fileName = argv[++a];
260 if ((lstat(fileName, &statbuf) == 0)
261 && (S_ISFIFO(statbuf.st_mode))) {
262 flags = O_WRONLY | O_NONBLOCK;
266 strcpy(oldName, fileName);
267 strcat(oldName, ".old");
268 renamefile(fileName, oldName);
269 flags = O_WRONLY | O_TRUNC | O_CREAT;
271 tempfd = open(fileName, flags, 0666);
273 auditout = fdopen(tempfd, "a");
275 osi_audit_file(auditout);
277 printf("Warning: auditlog %s not writable, ignored.\n", fileName);
279 printf("Warning: auditlog %s not writable, ignored.\n", fileName);
280 } else if (strcmp(arg, "-localfiles") == 0)
282 else if (strcmp(arg, "-servers") == 0)
283 debugOutput++, servers = 1;
284 else if (strcmp(arg, "-noauth") == 0)
285 debugOutput++, initFlags |= 1;
286 else if (strcmp(arg, "-fastkeys") == 0)
287 debugOutput++, initFlags |= 4;
288 else if (strcmp(arg, "-dbfixup") == 0)
289 debugOutput++, initFlags |= 8;
290 else if (strcmp(arg, "-cellservdb") == 0) {
291 cellservdb = argv[++a];
296 else if (IsArg("-crypt"))
298 else if (IsArg("-safe"))
300 else if (IsArg("-clear"))
302 else if (IsArg("-sorry"))
304 else if (IsArg("-debug"))
306 else if (IsArg("-crossrealm"))
308 else if (IsArg("-rxbind"))
310 else if (IsArg("-minhours")) {
311 MinHours = atoi(argv[++a]);
312 } else if (IsArg("-enable_peer_stats")) {
313 rx_enablePeerRPCStats();
314 } else if (IsArg("-enable_process_stats")) {
315 rx_enableProcessRPCStats();
316 } else if (*arg == '-') {
317 /* hack to support help flag */
321 if (code = ka_CellConfig(cellservdb))
323 cell = ka_LocalCell();
324 KA_conf = afsconf_Open(cellservdb);
328 afs_com_err(whoami, code, "Failed getting cell info");
334 /* NT & HPUX do not have dbm package support. So we can only do some
335 * text logging. So open the AuthLog file for logging and redirect
336 * stdin and stdout to it
338 OpenLog(AFSDIR_SERVER_KALOG_FILEPATH);
342 fprintf(stderr, "%s: WARNING: kaserver is deprecated due to its weak security "
343 "properties. Migrating to a Kerberos 5 KDC is advised. "
344 "http://www.openafs.org/no-more-des.html\n", whoami);
345 ViceLog(0, ("WARNING: kaserver is deprecated due to its weak security properties. "
346 "Migrating to a Kerberos 5 KDC is advised. "
347 "http://www.openafs.org/no-more-des.html\n"));
350 afsconf_GetExtendedCellInfo(KA_conf, cell, AFSCONF_KAUTHSERVICE,
353 if (code = ubik_ParseServerList(argc, argv, &myHost, serverList)) {
354 afs_com_err(whoami, code, "Couldn't parse server list");
357 cellinfo.hostAddr[0].sin_addr.s_addr = myHost;
358 for (i = 1; i < MAXSERVERS; i++) {
361 cellinfo.hostAddr[i].sin_addr.s_addr = serverList[i];
363 cellinfo.numServers = i;
365 code = convert_cell_to_ubik(&cellinfo, &myHost, serverList);
368 ViceLog(0, ("Using server list from %s cell database.\n", cell));
371 /* initialize ubik */
372 if (level == rxkad_clear)
373 ubik_CRXSecurityProc = afsconf_ClientAuth;
374 else if (level == rxkad_crypt)
375 ubik_CRXSecurityProc = afsconf_ClientAuthSecure;
377 ViceLog(0, ("Unsupported security level %d\n", level));
381 ("Using level %s for Ubik connections.\n",
382 (level == rxkad_crypt ? "crypt" : "clear")));
383 ubik_CRXSecurityRock = (char *)KA_conf;
384 ubik_SRXSecurityProc = afsconf_ServerAuth;
385 ubik_SRXSecurityRock = (char *)KA_conf;
386 ubik_CheckRXSecurityProc = afsconf_CheckAuth;
387 ubik_CheckRXSecurityRock = (char *)KA_conf;
393 if (AFSDIR_SERVER_NETRESTRICT_FILEPATH ||
394 AFSDIR_SERVER_NETINFO_FILEPATH) {
396 ccode = parseNetFiles(SHostAddrs, NULL, NULL,
397 ADDRSPERSITE, reason,
398 AFSDIR_SERVER_NETINFO_FILEPATH,
399 AFSDIR_SERVER_NETRESTRICT_FILEPATH);
402 ccode = rx_getAllAddr(SHostAddrs, ADDRSPERSITE);
405 host = SHostAddrs[0];
406 rx_InitHost(host, htons(AFSCONF_KAUTHPORT));
412 ubik_ServerInit(myHost, htons(AFSCONF_KAUTHPORT), serverList,
416 ubik_ServerInitByInfo(myHost, htons(AFSCONF_KAUTHPORT), &cellinfo,
417 &clones, dbpath, &KA_dbase);
420 afs_com_err(whoami, code, "Ubik init failed");
424 sca[RX_SCINDEX_NULL] = rxnull_NewServerSecurityObject();
426 /* Disable jumbograms */
430 rx_NewServiceHost(host, 0, KA_AUTHENTICATION_SERVICE,
431 "AuthenticationService", sca, 1, KAA_ExecuteRequest);
432 if (tservice == (struct rx_service *)0) {
433 ViceLog(0, ("Could not create Authentication rx service\n"));
436 rx_SetMinProcs(tservice, 1);
437 rx_SetMaxProcs(tservice, 1);
441 rx_NewServiceHost(host, 0, KA_TICKET_GRANTING_SERVICE, "TicketGrantingService",
442 sca, 1, KAT_ExecuteRequest);
443 if (tservice == (struct rx_service *)0) {
444 ViceLog(0, ("Could not create Ticket Granting rx service\n"));
447 rx_SetMinProcs(tservice, 1);
448 rx_SetMaxProcs(tservice, 1);
450 scm[RX_SCINDEX_NULL] = sca[RX_SCINDEX_NULL];
451 scm[RX_SCINDEX_VAB] = 0;
452 scm[RX_SCINDEX_KAD] =
453 rxkad_NewServerSecurityObject(rxkad_crypt, 0, kvno_admin_key, 0);
455 rx_NewServiceHost(host, 0, KA_MAINTENANCE_SERVICE, "Maintenance", scm, 3,
457 if (tservice == (struct rx_service *)0) {
458 ViceLog(0, ("Could not create Maintenance rx service\n"));
461 rx_SetMinProcs(tservice, 1);
462 rx_SetMaxProcs(tservice, 1);
463 rx_SetStackSize(tservice, 10000);
466 rx_NewServiceHost(host, 0, RX_STATS_SERVICE_ID, "rpcstats", scm, 3,
467 RXSTATS_ExecuteRequest);
468 if (tservice == (struct rx_service *)0) {
469 ViceLog(0, ("Could not create rpc stats rx service\n"));
472 rx_SetMinProcs(tservice, 2);
473 rx_SetMaxProcs(tservice, 4);
477 /* allow super users to manage RX statistics */
478 rx_SetRxStatUserOk(KA_rxstat_userok);
480 rx_StartServer(0); /* start handling req. of all types */
482 if (init_kaprocs(lclpath, initFlags))
485 if (code = init_krb_udp()) {
487 ("Failed to initialize UDP interface; code = %d.\n", code));
488 ViceLog(0, ("Running without UDP access.\n"));
491 ViceLog(0, ("Starting to process AuthServer requests\n"));
492 rx_ServerProc(NULL); /* donate this LWP */