2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 #include <afsconfig.h>
11 #include <afs/param.h>
15 #include <sys/types.h>
18 #include <WINNT/afsevent.h>
22 #include <netinet/in.h>
24 #include "kalog.h" /* for OpenLog() */
37 #include <rx/rxstat.h>
39 #include <rx/rx_globals.h>
40 #include <afs/cellconfig.h>
42 #include <afs/afsutil.h>
43 #include <afs/com_err.h>
44 #include <afs/audit.h>
50 #include "kadatabase.h"
/* File-scope state shared by the kaserver modules.  Several declarations
 * in this region are not present in this listing. */
/* Runtime counters; zeroed and stamped by initialize_dstats() below. */
53 struct kadstats dynamic_statistics;
/* Ubik database handle, filled in by ubik_ServerInit*() in main(). */
54 struct ubik_dbase *KA_dbase;
56 afs_int32 verbose_track = 1;
57 afs_int32 krb4_cross = 0;
/* Addresses this host may listen on; filled by parseNetFiles() or
 * rx_getAllAddr() in main(), and only SHostAddrs[0] is used there. */
60 #define ADDRSPERSITE 16 /* Same global is in rx/rx_user.c */
61 afs_uint32 SHostAddrs[ADDRSPERSITE];
63 struct afsconf_dir *KA_conf; /* for getting cell info */
66 int npwSums = KA_NPWSUMS; /* needs to be variable sometime */
/* Platforms without a native vfprintf() get it via _doprnt(); the
 * matching #endif is outside the lines shown. */
69 #if !defined(AFS_NT40_ENV) && !defined(AFS_LINUX20_ENV) && !defined(AFS_DARWIN_ENV) && !defined(AFS_XBSD_ENV)
71 #define vfprintf(stream,fmt,args) _doprnt(fmt,args,stream)
/* Incremented by several command-line options in main(); no reader of it
 * is visible in this listing. */
74 static int debugOutput;
/* Check whether the caller of an RX-statistics management call is
 * authorized: only cell super-users, as determined by afsconf_SuperUser()
 * against KA_conf, are accepted.  Installed with rx_SetRxStatUserOk()
 * in main().  The return type line is not present in this listing. */
78 KA_rxstat_userok(struct rx_call *call)
80 return afsconf_SuperUser(KA_conf, call, NULL);
/* printf-style diagnostic writer: formats fmt with the variadic arguments
 * and writes the result to stderr.  fmt must be a trusted format string.
 * The va_start/va_end handling around pvar is outside the lines shown. */
84 es_Report(char *fmt, ...)
91 vfprintf(stderr, fmt, pvar);
/* Reset the dynamic statistics block, then record the server start time
 * and this host's address.  myHost is declared outside the lines shown
 * (main() passes its address to ubik_ParseServerList/convert_cell_to_ubik). */
97 initialize_dstats(void)
99 memset(&dynamic_statistics, 0, sizeof(dynamic_statistics));
100 dynamic_statistics.start_time = time(0);
101 dynamic_statistics.host = myHost;
/* Build the Ubik server list from the cell configuration.
 *
 * Resolves this host's name to an address, stores it in *myHost, and copies
 * every cell server address except our own into serverList, terminated by
 * a 0 entry.  The declarations, the error exit after a failed lookup and the
 * return value are partly outside the lines shown.
 *
 * NOTE(review): the gethostname() result is not checked, and only the first
 * address (th->h_addr, sizeof(afs_int32) bytes) is used; gethostbyname() is
 * also not reentrant. */
105 convert_cell_to_ubik(struct afsconf_cell *cellinfo, afs_int32 *myHost,
106 afs_int32 *serverList)
113 gethostname(hostname, sizeof(hostname));
114 th = gethostbyname(hostname);
116 ViceLog(0, ("kaserver: couldn't get address of this host.\n"));
119 memcpy(myHost, th->h_addr, sizeof(afs_int32));
121 for (i = 0; i < cellinfo->numServers; i++)
122 if (cellinfo->hostAddr[i].sin_addr.s_addr != *myHost) {
123 /* omit my host from serverList */
124 *serverList++ = cellinfo->hostAddr[i].sin_addr.s_addr;
126 *serverList = 0; /* terminate list */
/* rxkad server-side key callback used by the Maintenance and rpcstats
 * services in main(): returns, through *key, the admin principal's key for
 * key version kvno via ka_LookupKvno().  rock is unused. */
131 kvno_admin_key(void *rock, afs_int32 kvno, struct ktc_encryptionKey *key)
133 return ka_LookupKvno(0, KA_ADMIN_NAME, KA_ADMIN_INST, kvno, key);
135 /* We would like to start a Ubik transaction to fill the cache when that
136 * lookup fails, but doing so may deadlock with the way Rx is currently organized. */
139 /* initFlags: 0x01 Do not require authenticated connections.
140 0x02 Do not check the bos NoAuth flag
141 0x04 Use fast key expiration to test oldkey code.
142 0x08 Temporary flag allowing database inconsistency fixup
145 #include "AFS_component_version_number.c"
/*
 * kaserver entry point.
 *
 * Parses the command line, loads the cell configuration, initialises Ubik
 * and the four Rx services (authentication, ticket granting, maintenance,
 * rpc stats), then donates the calling thread to Rx via rx_ServerProc().
 * A number of lines of this function are absent from this listing; the
 * error-handling branches in particular are only partly visible.
 */
148 main(int argc, char *argv[])
151 char *whoami = argv[0];
152 afs_int32 serverList[MAXSERVERS];
153 struct afsconf_cell cellinfo;
155 const char *cellservdb, *dbpath, *lclpath;
158 char default_lclpath[AFSDIR_PATH_MAX];
161 int level; /* security level for Ubik */
163 char clones[MAXHOSTSPERCELL];
164 afs_uint32 host = ntohl(INADDR_ANY);
165 char *auditFileName = NULL;
167 struct rx_service *tservice;
/* sca: security classes for the two unauthenticated KA services;
 * scm: classes for the admin-facing services (null + rxkad). */
168 struct rx_securityClass *sca[1];
169 struct rx_securityClass *scm[3];
171 extern int rx_stackSize;
175 * The following signal action for AIX is necessary so that in case of a
176 * crash (i.e. core is generated) we can include the user's data section
177 * in the core dump. Unfortunately, by default, only a partial core is
178 * generated which, in many cases, isn't too useful.
180 struct sigaction nsa;
182 sigemptyset(&nsa.sa_mask);
183 nsa.sa_handler = SIG_DFL;
184 nsa.sa_flags = SA_FULLDUMP;
185 sigaction(SIGABRT, &nsa, NULL);
186 sigaction(SIGSEGV, &nsa, NULL);
/* NOTE(review): the usage text does not mention -cellservdb, -dbfixup or
 * the -crypt/-safe/-clear/-sorry/-debug options that the parser below
 * accepts. */
192 printf("Usage: kaserver [-noAuth] [-fastKeys] [-database <dbpath>] "
193 "[-auditlog <log path>] [-audit-interface <file|sysvmq>] "
194 "[-rxbind] [-localfiles <lclpath>] [-minhours <n>] "
195 "[-servers <serverlist>] [-crossrealm] "
196 /*" [-enable_peer_stats] [-enable_process_stats] " */
201 /* initialize winsock */
202 if (afs_winsockInit() < 0) {
203 ReportErrorEventAlt(AFSEVT_SVR_WINSOCK_INIT_FAILED, 0, argv[0], 0);
204 fprintf(stderr, "%s: Couldn't initialize winsock.\n", whoami);
208 /* Initialize dirpaths */
209 if (!(initAFSDirPath() & AFSDIR_SERVER_PATHS_OK)) {
211 ReportErrorEventAlt(AFSEVT_SVR_NO_INSTALL_DIR, 0, argv[0], 0);
213 fprintf(stderr, "%s: Unable to obtain AFS server directory.\n",
/* Default locations; -database, -localfiles and -cellservdb override them. */
218 cellservdb = AFSDIR_SERVER_ETC_DIRPATH;
219 dbpath = AFSDIR_SERVER_KADB_FILEPATH;
220 strcompose(default_lclpath, AFSDIR_PATH_MAX, AFSDIR_SERVER_LOCAL_DIRPATH,
221 "/", AFSDIR_KADB_FILE, NULL);
222 lclpath = default_lclpath;
/*
 * Option parsing.  The argument is lower-cased into arg first.  Exact-match
 * options use strcmp(); the strncmp()/IsArg() options are bounded by the
 * length of the argument as given, so an abbreviated flag matches the first
 * alternative tested (e.g. "-c" is taken as -crypt, never -clear or
 * -crossrealm).  Options that take a value read argv[++a] with no check
 * visible here that a value was supplied; a value-taking flag given last
 * on the command line reads argv[argc], which is NULL.
 */
228 for (a = 1; a < argc; a++) {
229 int arglen = strlen(argv[a]);
230 lcstring(arg, argv[a], sizeof(arg));
/* Prefix match bounded by the length of the argument actually given. */
231 #define IsArg(a) (strncmp (arg,a, arglen) == 0)
233 if (strcmp(arg, "-database") == 0) {
235 if (strcmp(lclpath, default_lclpath) == 0)
238 else if (strncmp(arg, "-auditlog", arglen) == 0) {
239 auditFileName = argv[++a];
241 } else if (strncmp(arg, "-audit-interface", arglen) == 0) {
242 char *interface = argv[++a];
244 if (osi_audit_interface(interface)) {
245 printf("Invalid audit interface '%s'\n", interface);
249 } else if (strcmp(arg, "-localfiles") == 0)
251 else if (strcmp(arg, "-servers") == 0)
252 debugOutput++, servers = 1;
/* initFlags bits are documented above main(): 1 = no auth required,
 * 4 = fast key expiration, 8 = database inconsistency fixup. */
253 else if (strcmp(arg, "-noauth") == 0)
254 debugOutput++, initFlags |= 1;
255 else if (strcmp(arg, "-fastkeys") == 0)
256 debugOutput++, initFlags |= 4;
257 else if (strcmp(arg, "-dbfixup") == 0)
258 debugOutput++, initFlags |= 8;
259 else if (strcmp(arg, "-cellservdb") == 0) {
260 cellservdb = argv[++a];
/* The bodies of the next five options (presumably setting level and the
 * debug/crossrealm/rxbind flags) are outside the lines shown. */
265 else if (IsArg("-crypt"))
267 else if (IsArg("-safe"))
269 else if (IsArg("-clear"))
271 else if (IsArg("-sorry"))
273 else if (IsArg("-debug"))
275 else if (IsArg("-crossrealm"))
277 else if (IsArg("-rxbind"))
279 else if (IsArg("-minhours")) {
/* atoi() reports no errors: a non-numeric value silently becomes 0. */
280 MinHours = atoi(argv[++a]);
281 } else if (IsArg("-enable_peer_stats")) {
282 rx_enablePeerRPCStats();
283 } else if (IsArg("-enable_process_stats")) {
284 rx_enableProcessRPCStats();
285 } else if (*arg == '-') {
286 /* hack to support help flag */
/* Called even when -auditlog was not given (auditFileName stays NULL);
 * presumably osi_audit_file() tolerates NULL — verify. */
292 osi_audit_file(auditFileName);
/* Cell configuration; the failure branches are only partly visible. */
295 if ((code = ka_CellConfig(cellservdb)))
297 cell = ka_LocalCell();
298 KA_conf = afsconf_Open(cellservdb);
302 afs_com_err(whoami, code, "Failed getting cell info");
308 /* NT and HPUX do not have dbm package support, so we can only do some
309 * text logging: open the AuthLog file for logging and redirect
310 * stdin and stdout to it.
312 OpenLog(AFSDIR_SERVER_KALOG_FILEPATH);
/* The deprecation warning goes to both stderr and the log. */
316 fprintf(stderr, "%s: WARNING: kaserver is deprecated due to its weak security "
317 "properties. Migrating to a Kerberos 5 KDC is advised. "
318 "http://www.openafs.org/no-more-des.html\n", whoami);
319 ViceLog(0, ("WARNING: kaserver is deprecated due to its weak security properties. "
320 "Migrating to a Kerberos 5 KDC is advised. "
321 "http://www.openafs.org/no-more-des.html\n"));
/* Server list: either parsed from -servers (ubik_ParseServerList), in
 * which case cellinfo is rebuilt from it, or derived from the cell
 * database via convert_cell_to_ubik().  The selecting conditions are
 * outside the lines shown. */
324 afsconf_GetExtendedCellInfo(KA_conf, cell, AFSCONF_KAUTHSERVICE,
327 if ((code = ubik_ParseServerList(argc, argv, &myHost, serverList))) {
328 afs_com_err(whoami, code, "Couldn't parse server list");
331 cellinfo.hostAddr[0].sin_addr.s_addr = myHost;
332 for (i = 1; i < MAXSERVERS; i++) {
335 cellinfo.hostAddr[i].sin_addr.s_addr = serverList[i];
337 cellinfo.numServers = i;
339 code = convert_cell_to_ubik(&cellinfo, &myHost, serverList);
342 ViceLog(0, ("Using server list from %s cell database.\n", cell));
345 /* initialize ubik */
/* Client-side security proc for Ubik's inter-server connections follows
 * the requested level: clear -> afsconf_ClientAuth, crypt ->
 * afsconf_ClientAuthSecure; any other value is rejected.  level is
 * presumably set by the -clear/-crypt options above. */
346 if (level == rxkad_clear)
347 ubik_CRXSecurityProc = afsconf_ClientAuth;
348 else if (level == rxkad_crypt)
349 ubik_CRXSecurityProc = afsconf_ClientAuthSecure;
351 ViceLog(0, ("Unsupported security level %d\n", level));
355 ("Using level %s for Ubik connections.\n",
356 (level == rxkad_crypt ? "crypt" : "clear")));
/* Server-side and check procs always run against the cell config. */
357 ubik_CRXSecurityRock = (char *)KA_conf;
358 ubik_SRXSecurityProc = afsconf_ServerAuth;
359 ubik_SRXSecurityRock = (char *)KA_conf;
360 ubik_CheckRXSecurityProc = afsconf_CheckAuth;
361 ubik_CheckRXSecurityRock = (char *)KA_conf;
/* Bound listen address (the enclosing condition, presumably the -rxbind
 * flag, is outside the lines shown): addresses come from NetInfo /
 * NetRestrict when either path is configured, else from rx_getAllAddr();
 * only the first entry is used. */
367 if (AFSDIR_SERVER_NETRESTRICT_FILEPATH ||
368 AFSDIR_SERVER_NETINFO_FILEPATH) {
370 ccode = parseNetFiles(SHostAddrs, NULL, NULL,
371 ADDRSPERSITE, reason,
372 AFSDIR_SERVER_NETINFO_FILEPATH,
373 AFSDIR_SERVER_NETRESTRICT_FILEPATH);
376 ccode = rx_getAllAddr(SHostAddrs, ADDRSPERSITE);
379 host = SHostAddrs[0];
380 rx_InitHost(host, htons(AFSCONF_KAUTHPORT));
/* Ubik init either from the explicit server list or from cellinfo;
 * the selecting condition is outside the lines shown. */
386 ubik_ServerInit(myHost, htons(AFSCONF_KAUTHPORT), serverList,
390 ubik_ServerInitByInfo(myHost, htons(AFSCONF_KAUTHPORT), &cellinfo,
391 clones, dbpath, &KA_dbase);
394 afs_com_err(whoami, code, "Ubik init failed");
/* The Authentication and TicketGranting services are created with only
 * the null security class (sca, one entry), i.e. no Rx-layer
 * authentication of the caller. */
398 sca[RX_SCINDEX_NULL] = rxnull_NewServerSecurityObject();
400 /* Disable jumbograms */
404 rx_NewServiceHost(host, 0, KA_AUTHENTICATION_SERVICE,
405 "AuthenticationService", sca, 1, KAA_ExecuteRequest);
406 if (tservice == (struct rx_service *)0) {
407 ViceLog(0, ("Could not create Authentication rx service\n"));
410 rx_SetMinProcs(tservice, 1);
411 rx_SetMaxProcs(tservice, 1);
415 rx_NewServiceHost(host, 0, KA_TICKET_GRANTING_SERVICE, "TicketGrantingService",
416 sca, 1, KAT_ExecuteRequest);
417 if (tservice == (struct rx_service *)0) {
418 ViceLog(0, ("Could not create Ticket Granting rx service\n"));
421 rx_SetMinProcs(tservice, 1);
422 rx_SetMaxProcs(tservice, 1);
/* Maintenance and rpcstats accept the null class plus rxkad at level
 * crypt, keyed through kvno_admin_key() (the admin principal's key);
 * the VAB slot is left empty. */
424 scm[RX_SCINDEX_NULL] = sca[RX_SCINDEX_NULL];
425 scm[RX_SCINDEX_VAB] = 0;
426 scm[RX_SCINDEX_KAD] =
427 rxkad_NewServerSecurityObject(rxkad_crypt, 0, kvno_admin_key, 0);
429 rx_NewServiceHost(host, 0, KA_MAINTENANCE_SERVICE, "Maintenance", scm, 3,
431 if (tservice == (struct rx_service *)0) {
432 ViceLog(0, ("Could not create Maintenance rx service\n"));
435 rx_SetMinProcs(tservice, 1);
436 rx_SetMaxProcs(tservice, 1);
/* Explicit stack size for the Maintenance service threads. */
437 rx_SetStackSize(tservice, 10000);
440 rx_NewServiceHost(host, 0, RX_STATS_SERVICE_ID, "rpcstats", scm, 3,
441 RXSTATS_ExecuteRequest);
442 if (tservice == (struct rx_service *)0) {
443 ViceLog(0, ("Could not create rpc stats rx service\n"));
/* Unlike the single-threaded KA services above, rpcstats runs 2-4 handlers. */
446 rx_SetMinProcs(tservice, 2);
447 rx_SetMaxProcs(tservice, 4);
451 /* allow super users to manage RX statistics */
452 rx_SetRxStatUserOk(KA_rxstat_userok);
454 rx_StartServer(0); /* start handling req. of all types */
/* Database/process initialisation; the failure action is outside the
 * lines shown. */
456 if (init_kaprocs(lclpath, initFlags))
/* A failed init_krb_udp() is non-fatal: the server continues without
 * the UDP interface. */
459 if ((code = init_krb_udp())) {
461 ("Failed to initialize UDP interface; code = %d.\n", code));
462 ViceLog(0, ("Running without UDP access.\n"));
465 ViceLog(0, ("Starting to process AuthServer requests\n"));
466 rx_ServerProc(NULL); /* donate this LWP */