2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 #include <afsconfig.h>
11 #include <afs/param.h>
15 #include <sys/types.h>
18 #include <WINNT/afsevent.h>
22 #include <netinet/in.h>
24 #include "kalog.h" /* for OpenLog() */
37 #include <rx/rxstat.h>
39 #include <rx/rx_globals.h>
40 #include <afs/cellconfig.h>
42 #include <afs/afsutil.h>
43 #include <afs/com_err.h>
44 #include <afs/audit.h>
48 #include "kauth_internal.h"
51 #include "kadatabase.h"
54 struct kadstats dynamic_statistics;
55 struct ubik_dbase *KA_dbase;
56 afs_uint32 myHost = 0;
57 afs_int32 verbose_track = 1;
58 afs_int32 krb4_cross = 0;
61 #define ADDRSPERSITE 16 /* Same global is in rx/rx_user.c */
62 afs_uint32 SHostAddrs[ADDRSPERSITE];
64 struct afsconf_dir *KA_conf; /* for getting cell info */
67 int npwSums = KA_NPWSUMS; /* needs to be variable sometime */
70 #if !defined(AFS_NT40_ENV) && !defined(AFS_LINUX20_ENV) && !defined(AFS_DARWIN_ENV) && !defined(AFS_XBSD_ENV)
72 #define vfprintf(stream,fmt,args) _doprnt(fmt,args,stream)
75 static int debugOutput;
77 /* check whether caller is authorized to manage RX statistics */
79 KA_rxstat_userok(struct rx_call *call)
81 return afsconf_SuperUser(KA_conf, call, NULL);
85 es_Report(char *fmt, ...)
92 vfprintf(stderr, fmt, pvar);
98 initialize_dstats(void)
100 memset(&dynamic_statistics, 0, sizeof(dynamic_statistics));
101 dynamic_statistics.start_time = time(0);
102 dynamic_statistics.host = myHost;
106 convert_cell_to_ubik(struct afsconf_cell *cellinfo, afs_uint32 *myHost,
107 afs_uint32 *serverList)
114 gethostname(hostname, sizeof(hostname));
115 th = gethostbyname(hostname);
117 ViceLog(0, ("kaserver: couldn't get address of this host.\n"));
120 memcpy(myHost, th->h_addr, sizeof(afs_uint32));
122 for (i = 0; i < cellinfo->numServers; i++)
123 if (cellinfo->hostAddr[i].sin_addr.s_addr != *myHost) {
124 /* omit my host from serverList */
125 *serverList++ = cellinfo->hostAddr[i].sin_addr.s_addr;
127 *serverList = 0; /* terminate list */
132 kvno_admin_key(void *rock, afs_int32 kvno, struct ktc_encryptionKey *key)
134 return ka_LookupKvno(0, KA_ADMIN_NAME, KA_ADMIN_INST, kvno, key);
136 /* we would like to start a Ubik transaction to fill the cache if that
137 * fails, but may deadlock as Rx is now organized. */
140 /* initFlags: 0x01 Do not require authenticated connections.
141 0x02 Do not check the bos NoAuth flag
142 0x04 Use fast key expiration to test oldkey code.
143 0x08 Temporary flag allowing database inconsistency fixup
146 #include "AFS_component_version_number.c"
149 main(int argc, char *argv[])
152 char *whoami = argv[0];
153 afs_uint32 serverList[MAXSERVERS];
154 struct afsconf_cell cellinfo;
156 const char *cellservdb, *dbpath, *lclpath;
159 char default_lclpath[AFSDIR_PATH_MAX];
162 int level; /* security level for Ubik */
164 char clones[MAXHOSTSPERCELL];
165 afs_uint32 host = ntohl(INADDR_ANY);
166 char *auditFileName = NULL;
168 struct rx_service *tservice;
169 struct rx_securityClass *sca[1];
170 struct rx_securityClass *scm[3];
172 extern int rx_stackSize;
176 * The following signal action for AIX is necessary so that in case of a
177 * crash (i.e. core is generated) we can include the user's data section
178 * in the core dump. Unfortunately, by default, only a partial core is
179 * generated which, in many cases, isn't too useful.
181 struct sigaction nsa;
183 sigemptyset(&nsa.sa_mask);
184 nsa.sa_handler = SIG_DFL;
185 nsa.sa_flags = SA_FULLDUMP;
186 sigaction(SIGABRT, &nsa, NULL);
187 sigaction(SIGSEGV, &nsa, NULL);
193 printf("Usage: kaserver [-noAuth] [-database <dbpath>] "
194 "[-auditlog <log path>] [-audit-interface <file|sysvmq>] "
195 "[-rxbind] [-localfiles <lclpath>] [-minhours <n>] "
196 "[-servers <serverlist>] [-crossrealm] "
197 /*" [-enable_peer_stats] [-enable_process_stats] " */
202 /* initialize winsock */
203 if (afs_winsockInit() < 0) {
204 ReportErrorEventAlt(AFSEVT_SVR_WINSOCK_INIT_FAILED, 0, argv[0], 0);
205 fprintf(stderr, "%s: Couldn't initialize winsock.\n", whoami);
209 /* Initialize dirpaths */
210 if (!(initAFSDirPath() & AFSDIR_SERVER_PATHS_OK)) {
212 ReportErrorEventAlt(AFSEVT_SVR_NO_INSTALL_DIR, 0, argv[0], 0);
214 fprintf(stderr, "%s: Unable to obtain AFS server directory.\n",
219 cellservdb = AFSDIR_SERVER_ETC_DIRPATH;
220 dbpath = AFSDIR_SERVER_KADB_FILEPATH;
221 strcompose(default_lclpath, AFSDIR_PATH_MAX, AFSDIR_SERVER_LOCAL_DIRPATH,
222 "/", AFSDIR_KADB_FILE, NULL);
223 lclpath = default_lclpath;
229 for (a = 1; a < argc; a++) {
230 int arglen = strlen(argv[a]);
231 lcstring(arg, argv[a], sizeof(arg));
232 #define IsArg(a) (strncmp (arg,a, arglen) == 0)
234 if (strcmp(arg, "-database") == 0) {
236 if (strcmp(lclpath, default_lclpath) == 0)
239 else if (strncmp(arg, "-auditlog", arglen) == 0) {
240 auditFileName = argv[++a];
242 } else if (strncmp(arg, "-audit-interface", arglen) == 0) {
243 char *interface = argv[++a];
245 if (osi_audit_interface(interface)) {
246 printf("Invalid audit interface '%s'\n", interface);
250 } else if (strcmp(arg, "-localfiles") == 0)
252 else if (strcmp(arg, "-servers") == 0)
253 debugOutput++, servers = 1;
254 else if (strcmp(arg, "-noauth") == 0)
255 debugOutput++, initFlags |= 1;
256 else if (strcmp(arg, "-fastkeys") == 0)
257 debugOutput++, initFlags |= 4;
258 else if (strcmp(arg, "-dbfixup") == 0)
259 debugOutput++, initFlags |= 8;
260 else if (strcmp(arg, "-cellservdb") == 0) {
261 cellservdb = argv[++a];
266 else if (IsArg("-crypt"))
268 else if (IsArg("-safe"))
270 else if (IsArg("-clear"))
272 else if (IsArg("-sorry"))
274 else if (IsArg("-debug"))
276 else if (IsArg("-crossrealm"))
278 else if (IsArg("-rxbind"))
280 else if (IsArg("-minhours")) {
281 MinHours = atoi(argv[++a]);
282 } else if (IsArg("-enable_peer_stats")) {
283 rx_enablePeerRPCStats();
284 } else if (IsArg("-enable_process_stats")) {
285 rx_enableProcessRPCStats();
286 } else if (*arg == '-') {
287 /* hack to support help flag */
293 osi_audit_file(auditFileName);
296 if ((code = ka_CellConfig(cellservdb)))
298 cell = ka_LocalCell();
299 KA_conf = afsconf_Open(cellservdb);
303 afs_com_err(whoami, code, "Failed getting cell info");
309 /* NT & HPUX do not have dbm package support. So we can only do some
310 * text logging. So open the AuthLog file for logging and redirect
311 * stdin and stdout to it
313 OpenLog(AFSDIR_SERVER_KALOG_FILEPATH);
317 fprintf(stderr, "%s: WARNING: kaserver is deprecated due to its weak security "
318 "properties. Migrating to a Kerberos 5 KDC is advised. "
319 "http://www.openafs.org/no-more-des.html\n", whoami);
320 ViceLog(0, ("WARNING: kaserver is deprecated due to its weak security properties. "
321 "Migrating to a Kerberos 5 KDC is advised. "
322 "http://www.openafs.org/no-more-des.html\n"));
325 afsconf_GetExtendedCellInfo(KA_conf, cell, AFSCONF_KAUTHSERVICE,
328 if ((code = ubik_ParseServerList(argc, argv, &myHost, serverList))) {
329 afs_com_err(whoami, code, "Couldn't parse server list");
332 cellinfo.hostAddr[0].sin_addr.s_addr = myHost;
333 for (i = 1; i < MAXSERVERS; i++) {
336 cellinfo.hostAddr[i].sin_addr.s_addr = serverList[i];
338 cellinfo.numServers = i;
340 code = convert_cell_to_ubik(&cellinfo, &myHost, serverList);
343 ViceLog(0, ("Using server list from %s cell database.\n", cell));
346 /* initialize ubik */
347 if (level == rxkad_clear)
348 ubik_CRXSecurityProc = afsconf_ClientAuth;
349 else if (level == rxkad_crypt)
350 ubik_CRXSecurityProc = afsconf_ClientAuthSecure;
352 ViceLog(0, ("Unsupported security level %d\n", level));
356 ("Using level %s for Ubik connections.\n",
357 (level == rxkad_crypt ? "crypt" : "clear")));
358 ubik_CRXSecurityRock = (char *)KA_conf;
359 ubik_SRXSecurityProc = afsconf_ServerAuth;
360 ubik_SRXSecurityRock = (char *)KA_conf;
361 ubik_CheckRXSecurityProc = afsconf_CheckAuth;
362 ubik_CheckRXSecurityRock = (char *)KA_conf;
368 if (AFSDIR_SERVER_NETRESTRICT_FILEPATH ||
369 AFSDIR_SERVER_NETINFO_FILEPATH) {
371 ccode = parseNetFiles(SHostAddrs, NULL, NULL,
372 ADDRSPERSITE, reason,
373 AFSDIR_SERVER_NETINFO_FILEPATH,
374 AFSDIR_SERVER_NETRESTRICT_FILEPATH);
377 ccode = rx_getAllAddr(SHostAddrs, ADDRSPERSITE);
380 host = SHostAddrs[0];
381 rx_InitHost(host, htons(AFSCONF_KAUTHPORT));
387 ubik_ServerInit(myHost, htons(AFSCONF_KAUTHPORT), serverList,
391 ubik_ServerInitByInfo(myHost, htons(AFSCONF_KAUTHPORT), &cellinfo,
392 clones, dbpath, &KA_dbase);
395 afs_com_err(whoami, code, "Ubik init failed");
399 sca[RX_SCINDEX_NULL] = rxnull_NewServerSecurityObject();
401 /* Disable jumbograms */
405 rx_NewServiceHost(host, 0, KA_AUTHENTICATION_SERVICE,
406 "AuthenticationService", sca, 1, KAA_ExecuteRequest);
407 if (tservice == (struct rx_service *)0) {
408 ViceLog(0, ("Could not create Authentication rx service\n"));
411 rx_SetMinProcs(tservice, 1);
412 rx_SetMaxProcs(tservice, 1);
416 rx_NewServiceHost(host, 0, KA_TICKET_GRANTING_SERVICE, "TicketGrantingService",
417 sca, 1, KAT_ExecuteRequest);
418 if (tservice == (struct rx_service *)0) {
419 ViceLog(0, ("Could not create Ticket Granting rx service\n"));
422 rx_SetMinProcs(tservice, 1);
423 rx_SetMaxProcs(tservice, 1);
425 scm[RX_SCINDEX_NULL] = sca[RX_SCINDEX_NULL];
426 scm[RX_SCINDEX_VAB] = 0;
427 scm[RX_SCINDEX_KAD] =
428 rxkad_NewServerSecurityObject(rxkad_crypt, 0, kvno_admin_key, 0);
430 rx_NewServiceHost(host, 0, KA_MAINTENANCE_SERVICE, "Maintenance", scm, 3,
432 if (tservice == (struct rx_service *)0) {
433 ViceLog(0, ("Could not create Maintenance rx service\n"));
436 rx_SetMinProcs(tservice, 1);
437 rx_SetMaxProcs(tservice, 1);
438 rx_SetStackSize(tservice, 10000);
441 rx_NewServiceHost(host, 0, RX_STATS_SERVICE_ID, "rpcstats", scm, 3,
442 RXSTATS_ExecuteRequest);
443 if (tservice == (struct rx_service *)0) {
444 ViceLog(0, ("Could not create rpc stats rx service\n"));
447 rx_SetMinProcs(tservice, 2);
448 rx_SetMaxProcs(tservice, 4);
452 /* allow super users to manage RX statistics */
453 rx_SetRxStatUserOk(KA_rxstat_userok);
455 rx_StartServer(0); /* start handling req. of all types */
457 if (init_kaprocs(lclpath, initFlags))
460 if ((code = init_krb_udp())) {
462 ("Failed to initialize UDP interface; code = %d.\n", code));
463 ViceLog(0, ("Running without UDP access.\n"));
466 ViceLog(0, ("Starting to process AuthServer requests\n"));
467 rx_ServerProc(NULL); /* donate this LWP */