1 Enable listing multiple realms in the server krb.conf file. Up to four
2 realms may be treated as local in that fashion for authorization
3 purposes (instead of the single realm supported without this patch).
5 This upstream patch is in the 1.5 series but not in 1.4. However, it
6 has been working in production at Stanford University for some time.
8 --- openafs.orig/src/audit/audit.c
9 +++ openafs/src/audit/audit.c
12 if ((clen = strlen(tcell))) {
13 #if defined(AFS_ATHENA_STDENV) || defined(AFS_KERBREALM_ENV)
14 - static char local_realm[AFS_REALM_SZ] = "";
15 - if (!local_realm[0]) {
16 - if (afs_krb_get_lrealm(local_realm, 0) != 0 /*KSUCCESS*/)
17 - strncpy(local_realm, "UNKNOWN.LOCAL.REALM", AFS_REALM_SZ);
18 + static char local_realms[AFS_NUM_LREALMS][AFS_REALM_SZ];
19 + static int num_lrealms = -1;
20 + int i, lrealm_match;
22 + if (num_lrealms == -1) {
23 + for (i=0; i<AFS_NUM_LREALMS; i++) {
24 + if (afs_krb_get_lrealm(local_realms[i], i) != 0 /*KSUCCESS*/)
29 + strncpy(local_realms[0], "UNKNOWN.LOCAL.REALM", AFS_REALM_SZ);
32 - if (strcasecmp(local_realm, tcell)) {
34 + /* Check to see if the ticket cell matches one of the local realms */
36 + for ( i=0;i<num_lrealms;i++ ) {
37 + if (!strcasecmp(local_realms[i], tcell)) {
42 + /* If yes, then make sure that the name is not present in
43 + * an exclusion list */
47 + snprintf(uname,sizeof(uname),"%s.%s@%s",name,inst,tcell);
49 + snprintf(uname,sizeof(uname),"%s@%s",name,tcell);
51 + if (afs_krb_exclusion(uname))
55 + if (!lrealm_match) {
56 if (strlen(vname) + 1 + clen >= sizeof(vname))
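Review bot: The realm-table load, match and exclusion lookup written inline here duplicates what this same patch factors into afs_is_foreign_ticket_name() in src/util/get_krbrlm.c, and src/auth/userok.c carries a third copy, while ptprocs.c and host.c already call the helper. Each copy keeps its own static `local_realms`/`num_lrealms` cache with the same `== -1` lazy initialisation, so the three can drift (this file falls back to "UNKNOWN.LOCAL.REALM", userok.c to `lcell`, the helper to its `localrealm` argument). Unless that difference in fallback is intended, replacing the block with `lrealm_match = !afs_is_foreign_ticket_name(name, inst, tcell, NULL);` leaves one implementation to audit, or a comment should say why audit.c needs its own. The enclosing function starts and ends outside the hunk, and the lines that set `num_lrealms` and `lrealm_match` are not shown, so the exact substitution has to be checked against them.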
59 --- openafs.orig/src/auth/userok.c
60 +++ openafs/src/auth/userok.c
64 static char lcell[MAXCELLCHARS] = "";
65 - static char lrealm[AFS_REALM_SZ] = "";
66 + static char lrealms[AFS_NUM_LREALMS][AFS_REALM_SZ];
67 + static int num_lrealms = -1;
68 + int lrealm_match = 0, i;
70 /* get auth details from server connection */
73 /* if running a krb environment, also get the local realm */
74 /* note - this assumes AFS_REALM_SZ <= MAXCELLCHARS */
75 /* just set it to lcell if it fails */
77 - if (afs_krb_get_lrealm(lrealm, 0) != 0) /* KSUCCESS */
78 - strncpy(lrealm, lcell, AFS_REALM_SZ);
79 + if (num_lrealms == -1) {
80 + for (i=0; i<AFS_NUM_LREALMS; i++) {
81 + if (afs_krb_get_lrealm(lrealms[i], i) != 0 /*KSUCCESS*/)
86 + strncpy(lrealms[0], lcell, AFS_REALM_SZ);
93 + /* See if the ticket cell matches one of the local realms */
95 + for ( i=0;i<num_lrealms;i++ ) {
96 + if (!strcasecmp(lrealms[i], tcell)) {
102 + /* If yes, then make sure that the name is not present in
103 + * an exclusion list */
104 + if (lrealm_match) {
106 + snprintf(uname,sizeof(uname),"%s.%s@%s",tname,tinst,tcell);
108 + snprintf(uname,sizeof(uname),"%s@%s",tname,tcell);
110 + if (afs_krb_exclusion(uname))
114 /* start with no uname and no authorization */
117 strcpy(uname, "<LocalAuth>");
120 - /* cell of connection matches local cell or krb4 realm */
121 - } else if (!strcasecmp(tcell, lcell) || !strcasecmp(tcell, lrealm)) {
122 + /* cell of connection matches local cell or one of the realms */
123 + } else if (!strcasecmp(tcell, lcell) || lrealm_match) {
124 if ((tmp = CompFindUser(adir, tname, ".", tinst, NULL))) {
132 /* cell of conn doesn't match local cell or realm */
134 if ((tmp = CompFindUser(adir, tname, ".", tinst, tcell))) {
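Review bot: `strncpy(lrealms[0], lcell, AFS_REALM_SZ)` leaves row 0 without a terminator when the local cell name is AFS_REALM_SZ characters or longer, and the comment above ("this assumes AFS_REALM_SZ <= MAXCELLCHARS") records exactly the case in which that happens; the later `strcasecmp(lrealms[i], tcell)` then runs on into `lrealms[1]`, which today happens to be zero-initialised but is an accident of layout rather than a guarantee. The original single-realm code had the same copy, but the array layout makes it worth closing now: add `lrealms[0][AFS_REALM_SZ - 1] = '\0';` after the copy. The same unterminated-copy pattern appears in audit.c, in afs_is_foreign_ticket_name in get_krbrlm.c (`localrealm` argument) and in host.c (`localcellname`, whose PR_MAXNAMELEN + 1 size is not visible here, so whether it can overflow there cannot be judged). The enclosing function begins before this hunk.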
135 --- openafs.orig/src/config/afs_sysnames.h
136 +++ openafs/src/config/afs_sysnames.h
138 #ifdef AFS_KERBREALM_ENV
139 #define AFS_REALM_SZ 64
141 +/* Specifies the number of equivalent local realm names */
142 +#define AFS_NUM_LREALMS 4
143 #endif /* __AFS_SYSNAMES_INCL_ENV_ */
144 --- openafs.orig/src/ptserver/ptprocs.c
145 +++ openafs/src/ptserver/ptprocs.c
147 extern afs_int32 Initdb();
148 extern int pr_noAuth;
149 extern afs_int32 initd;
150 +extern char *pr_realmName;
151 afs_int32 iNewEntry(), newEntry(), whereIsIt(), dumpEntry(), addToGroup(),
152 nameToID(), Delete(), removeFromGroup();
153 afs_int32 getCPS(), getCPS2(), getHostCPS(), listMax(), setMax(), listEntry();
155 if (exp < FT_ApproxTime())
158 - if (strlen(tcell)) {
159 - extern char *pr_realmName;
160 -#if defined(AFS_ATHENA_STDENV) || defined(AFS_KERBREALM_ENV)
161 - static char local_realm[AFS_REALM_SZ] = "";
162 - if (!local_realm[0]) {
163 - if (afs_krb_get_lrealm(local_realm, 0) != 0 /*KSUCCESS*/)
164 - strncpy(local_realm, pr_realmName, AFS_REALM_SZ);
168 -#if defined(AFS_ATHENA_STDENV) || defined(AFS_KERBREALM_ENV)
169 - strcasecmp(local_realm, tcell) &&
171 - strcasecmp(pr_realmName, tcell))
175 + foreign = afs_is_foreign_ticket_name(name,inst,tcell,pr_realmName);
177 strncpy(vname, name, sizeof(vname));
178 if (ilen = strlen(inst)) {
179 if (strlen(vname) + 1 + ilen >= sizeof(vname))
181 ABORT_WITH(tt, code);
183 for (i = 0; i < aname->namelist_len; i++) {
184 - code = NameToID(tt, aname->namelist_val[i], &aid->idlist_val[i]);
186 + char *nameinst, *cell;
188 + strncpy(vname, aname->namelist_val[i], sizeof(vname));
189 + vname[sizeof(vname)-1] ='\0';
192 + cell = strchr(vname, '@');
198 + if (cell && afs_is_foreign_ticket_name(nameinst,NULL,cell,pr_realmName))
199 + code = NameToID(tt, aname->namelist_val[i], &aid->idlist_val[i]);
201 + code = NameToID(tt, nameinst, &aid->idlist_val[i]);
203 if (code != PRSUCCESS)
204 aid->idlist_val[i] = ANONYMOUSID;
205 osi_audit(PTS_NmToIdEvent, code, AUD_STR,
206 @@ -2281,7 +2286,6 @@
208 #endif /* IP_WILDCARDS */
212 WhoIsThisWithName(acall, at, aid, aname)
213 struct rx_call *acall;
214 @@ -2309,11 +2313,12 @@
215 } else if (code == 2) { /* kad class */
218 - extern char *pr_realmName;
220 if ((code = rxkad_GetServerInfo(acall->conn, NULL, 0 /*was &exp */ ,
221 name, inst, tcell, NULL)))
225 strncpy(vname, name, sizeof(vname));
226 if ((ilen = strlen(inst))) {
227 if (strlen(vname) + 1 + ilen >= sizeof(vname))
228 @@ -2322,19 +2327,9 @@
231 if ((clen = strlen(tcell))) {
232 + int foreign = afs_is_foreign_ticket_name(name,inst,tcell,pr_realmName);
234 -#if defined(AFS_ATHENA_STDENV) || defined(AFS_KERBREALM_ENV)
235 - static char local_realm[AFS_REALM_SZ] = "";
236 - if (!local_realm[0]) {
237 - if (afs_krb_get_lrealm(local_realm, 0) != 0 /*KSUCCESS*/)
238 - strncpy(local_realm, pr_realmName, AFS_REALM_SZ);
242 -#if defined(AFS_ATHENA_STDENV) || defined(AFS_KERBREALM_ENV)
243 - strcasecmp(local_realm, tcell) &&
245 - strcasecmp(pr_realmName, tcell)) {
247 if (strlen(vname) + 1 + clen >= sizeof(vname))
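Review bot: In the NameToID loop the client-supplied name is copied into `vname` and cut at `sizeof(vname) - 1` before the `@` split, and the possibly truncated `nameinst` is what is then looked up; before this change the untouched `aname->namelist_val[i]` always went to NameToID. A name longer than `vname` that loses its `@cell` suffix, or is merely cut short, can therefore resolve to whatever shorter entry the prefix happens to name, which is a different ID from the one requested. Send over-long input down the existing untouched-name branch, e.g. `if (strlen(aname->namelist_val[i]) >= sizeof(vname) || (cell && afs_is_foreign_ticket_name(nameinst, NULL, cell, pr_realmName)))`, so that NameToID applies its own length rules to the original string. Note also that afs_is_foreign_ticket_name consults afs_krb_exclusion for local realms, and from the get_krbrlm.c hunk that appears to open and read krb.excl on every call, so one RPC with a long namelist does one file open per entry; whether the elided lines cache anything cannot be seen here. The RPC handler's entry and exit lie outside the hunk.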
250 --- openafs.orig/src/util/afsutil_prototypes.h
251 +++ openafs/src/util/afsutil_prototypes.h
255 extern int afs_krb_get_lrealm(char *r, int n);
257 +extern int afs_krb_exclusion(char *name);
258 +extern int afs_is_foreign_ticket_name(char *tname, char *tinst, char * tcell, char *localrealm);
260 extern struct hostent *hostutil_GetHostByName(register char *ahost);
261 extern char *hostutil_GetNameByINet(afs_uint32 addr);
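Review bot: The two new prototypes say nothing about their return conventions, yet every caller treats them as booleans (`if (afs_krb_exclusion(uname))`, `foreign = afs_is_foreign_ticket_name(...)`), and the meaning of a NULL `tinst` or `localrealm` is only discoverable from the .c file. Add a comment above each, e.g. `/* Returns non-zero when name is listed in the server krb.excl file. */` and `/* Returns non-zero when tname[.tinst]@tcell is not a local-realm principal; tinst and localrealm may be NULL. */`. As far as the visible bodies show, none of the string parameters is written through, so `const char *` would document that too, and the spacing in `char * tcell` should match the neighbouring declarations.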
262 --- openafs.orig/src/util/dirpath.c
263 +++ openafs/src/util/dirpath.c
265 pathp = dirPathArray[AFSDIR_SERVER_MIGRATELOG_FILEPATH_ID];
266 AFSDIR_SERVER_FILEPATH(pathp, AFSDIR_MIGR_DIR, AFSDIR_MIGRATE_LOGNAME);
268 + pathp = dirPathArray[AFSDIR_SERVER_KRB_EXCL_FILEPATH_ID];
269 + AFSDIR_SERVER_FILEPATH(pathp, AFSDIR_SERVER_ETC_DIR, AFSDIR_KRB_EXCL_FILE);
271 /* client file paths */
273 --- openafs.orig/src/util/dirpath.hin
274 +++ openafs/src/util/dirpath.hin
276 #define AFSDIR_BOSVR_FILE "bosserver"
277 #define AFSDIR_VOLSERLOG_FILE "VolserLog"
278 #define AFSDIR_AUDIT_FILE "Audit"
279 +#define AFSDIR_KRB_EXCL_FILE "krb.excl"
281 #define AFSDIR_ROOTVOL_FILE "RootVolume"
282 #define AFSDIR_HOSTDUMP_FILE "hosts.dump"
284 AFSDIR_SERVER_MIGRATELOG_FILEPATH_ID,
285 AFSDIR_SERVER_BIN_FILE_DIRPATH_ID,
286 AFSDIR_CLIENT_CELLALIAS_FILEPATH_ID,
287 + AFSDIR_SERVER_KRB_EXCL_FILEPATH_ID,
288 AFSDIR_PATHSTRING_MAX } afsdir_id_t;
290 /* getDirPath() returns a pointer to a string from an internal array of path strings
292 #define AFSDIR_SERVER_WEIGHTING_CONSTANTS_FILEPATH getDirPath(AFSDIR_SERVER_WEIGHTING_CONSTANTS_FILEPATH_ID)
293 #define AFSDIR_SERVER_THRESHOLD_CONSTANTS_FILEPATH getDirPath(AFSDIR_SERVER_THRESHOLD_CONSTANTS_FILEPATH_ID)
294 #define AFSDIR_SERVER_MIGRATELOG_FILEPATH getDirPath(AFSDIR_SERVER_MIGRATELOG_FILEPATH_ID)
295 +#define AFSDIR_SERVER_KRB_EXCL_FILEPATH getDirPath(AFSDIR_SERVER_KRB_EXCL_FILEPATH_ID)
297 /* client file paths */
298 #define AFSDIR_CLIENT_THISCELL_FILEPATH getDirPath(AFSDIR_CLIENT_THISCELL_FILEPATH_ID)
299 --- openafs.orig/src/util/dirpath_nt.h
300 +++ openafs/src/util/dirpath_nt.h
302 #define AFSDIR_BOSVR_FILE "bosserver"
303 #define AFSDIR_VOLSERLOG_FILE "VolserLog"
304 #define AFSDIR_AUDIT_FILE "Audit"
305 +#define AFSDIR_KRB_EXCL_FILE "krb.excl"
307 #define AFSDIR_ROOTVOL_FILE "RootVolume"
308 #define AFSDIR_HOSTDUMP_FILE "hosts.dump"
310 AFSDIR_SERVER_MIGRATELOG_FILEPATH_ID,
311 AFSDIR_SERVER_BIN_FILE_DIRPATH_ID,
312 AFSDIR_CLIENT_CELLALIAS_FILEPATH_ID,
313 + AFSDIR_SERVER_KRB_EXCL_FILEPATH_ID,
314 AFSDIR_PATHSTRING_MAX
318 #define AFSDIR_SERVER_WEIGHTING_CONSTANTS_FILEPATH getDirPath(AFSDIR_SERVER_WEIGHTING_CONSTANTS_FILEPATH_ID)
319 #define AFSDIR_SERVER_THRESHOLD_CONSTANTS_FILEPATH getDirPath(AFSDIR_SERVER_THRESHOLD_CONSTANTS_FILEPATH_ID)
320 #define AFSDIR_SERVER_MIGRATELOG_FILEPATH getDirPath(AFSDIR_SERVER_MIGRATELOG_FILEPATH_ID)
321 +#define AFSDIR_SERVER_KRB_EXCL_FILEPATH getDirPath(AFSDIR_SERVER_KRB_EXCL_FILEPATH_ID)
323 /* client file paths */
324 #define AFSDIR_CLIENT_THISCELL_FILEPATH getDirPath(AFSDIR_CLIENT_THISCELL_FILEPATH_ID)
325 --- openafs.orig/src/util/get_krbrlm.c
326 +++ openafs/src/util/get_krbrlm.c
329 #define KFAILURE (-1)
332 +parse_str(char *buffer, char *result, int size)
339 + while (*buffer && isspace(*buffer))
341 + while (*buffer && !isspace(*buffer)) {
342 + if (n < size - 1) {
343 + *result++=*buffer++;
357 afs_krb_get_lrealm(char *r, int n)
359 + char linebuf[2048];
360 + char tr[AFS_REALM_SZ] = "";
362 FILE *cnffile/*, *fopen()*/;
367 - return (KFAILURE); /* Temporary restriction */
370 if ((cnffile = fopen(AFSDIR_SERVER_KCONF_FILEPATH, "r")) == NULL) {
373 - if (fscanf(cnffile, "%s", r) != 1) {
374 - (void)fclose(cnffile);
376 + if (fgets(linebuf, sizeof(linebuf)-1, cnffile) == NULL) {
379 + linebuf[sizeof(linebuf)-1] = '\0';
380 + for (i=0, p=linebuf; i<=n && *p; i++) {
381 + p = parse_str(p, tr, AFS_REALM_SZ);
390 + (void)fclose(cnffile);
395 +afs_krb_exclusion(char * name)
397 + char linebuf[2048];
398 + char excl_name[256] = "";
399 + FILE *cnffile/*, *fopen()*/;
402 + if ((cnffile = fopen(AFSDIR_SERVER_KRB_EXCL_FILEPATH, "r")) == NULL)
406 + if (fgets(linebuf, sizeof(linebuf)-1, cnffile) == NULL) {
409 + linebuf[sizeof(linebuf)-1] = '\0';
410 + parse_str(linebuf, excl_name, sizeof(excl_name));
412 + if (!strcmp(name,excl_name)) {
419 (void)fclose(cnffile);
425 +afs_is_foreign_ticket_name(char *tname, char *tinst, char * tcell, char *localrealm)
429 + if (localrealm && strcasecmp(localrealm, tcell))
432 +#if defined(AFS_ATHENA_STDENV) || defined(AFS_KERBREALM_ENV)
434 + static char local_realms[AFS_NUM_LREALMS][AFS_REALM_SZ];
435 + static int num_lrealms = -1;
436 + int lrealm_match, i;
439 + if (num_lrealms == -1) {
440 + for (i=0; i<AFS_NUM_LREALMS; i++) {
441 + if (afs_krb_get_lrealm(local_realms[i], i) != 0 /*KSUCCESS*/)
445 + if (i==0 && localrealm) {
446 + strncpy(local_realms[0], localrealm, AFS_REALM_SZ);
453 + /* See if the ticket cell matches one of the local realms */
455 + for ( i=0;i<num_lrealms;i++ ) {
456 + if (!strcasecmp(local_realms[i], tcell)) {
462 + /* If yes, then make sure that the name is not present in
463 + * an exclusion list */
464 + if (lrealm_match) {
465 + if (tinst && tinst[0])
466 + snprintf(uname,sizeof(uname),"%s.%s@%s",tname,tinst,tcell);
468 + snprintf(uname,sizeof(uname),"%s@%s",tname,tcell);
470 + if (afs_krb_exclusion(uname))
474 + foreign = !lrealm_match;
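Review bot: afs_krb_exclusion matches the principal against krb.excl with `strcmp` on the whole `name@REALM` string, while the realm that made the principal local was matched in afs_is_foreign_ticket_name with `strcasecmp`; a ticket whose realm differs from the krb.excl entry only in case is therefore treated as local and still misses the exclusion it was listed for. Either compare the realm part case-insensitively as well, or note above afs_krb_exclusion that entries must carry the realm exactly as it appears in tickets, so the two tests agree. parse_str also hands a plain `char` to `isspace()`, which is undefined for negative values where `char` is signed; use `isspace((unsigned char)*buffer)` in both loops. The lines that terminate `result` in parse_str, that iterate over further lines of krb.excl, and that handle a realm index `n` beyond the tokens present on the krb.conf line are elided here and cannot be checked; in afs_krb_get_lrealm as shown, a line with fewer than `n + 1` tokens just ends the loop with `tr` holding whatever was parsed last.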
482 --- openafs.orig/src/util/test/dirpath_test.c
483 +++ openafs/src/util/test/dirpath_test.c
485 AFSDIR_SERVER_FILELOG_FILEPATH);
486 printf("AFSDIR_SERVER_AUDIT_FILEPATH = %s\n",
487 AFSDIR_SERVER_AUDIT_FILEPATH);
488 + printf("AFSDIR_SERVER_KRB_EXCL_FILEPATH = %s\n",
489 + AFSDIR_SERVER_KRB_EXCL_FILEPATH);
492 printf("AFSDIR_CLIENT_THISCELL_FILEPATH = %s\n",
493 --- openafs.orig/src/viced/host.c
494 +++ openafs/src/viced/host.c
495 @@ -1793,7 +1793,8 @@
498 static char localcellname[PR_MAXNAMELEN + 1];
499 -char local_realm[AFS_REALM_SZ] = "";
500 +char local_realms[AFS_NUM_LREALMS][AFS_REALM_SZ];
501 +int num_lrealms = -1;
505 @@ -1801,13 +1802,26 @@
507 memset(&nulluuid, 0, sizeof(afsUUID));
508 afsconf_GetLocalCell(confDir, localcellname, PR_MAXNAMELEN);
509 - if (!local_realm[0]) {
510 - if (afs_krb_get_lrealm(local_realm, 0) != 0 /*KSUCCESS*/) {
511 + if (num_lrealms == -1) {
513 + for (i=0; i<AFS_NUM_LREALMS; i++) {
514 + if (afs_krb_get_lrealm(local_realms[i], i) != 0 /*KSUCCESS*/)
520 ("afs_krb_get_lrealm failed, using %s.\n",
522 - strcpy(local_realm, localcellname);
523 + strncpy(local_realms[0], localcellname, AFS_REALM_SZ);
524 + num_lrealms = i =1;
529 + /* initialize the rest of the local realms to nullstring for debugging */
530 + for (; i<AFS_NUM_LREALMS; i++)
531 + local_realms[i][0] = '\0';
533 rxcon_ident_key = rx_KeyCreate((rx_destructor_t) free);
534 rxcon_client_key = rx_KeyCreate((rx_destructor_t) 0);
535 @@ -1837,11 +1851,10 @@
537 cnamelen = strlen(acell);
539 - if (strcasecmp(local_realm, acell)
540 - && strcasecmp(localcellname, acell)) {
541 + if (afs_is_foreign_ticket_name(aname, NULL, acell, localcellname)) {
543 - ("MapName: cell is foreign. cell=%s, localcell=%s, localrealm=%s\n",
544 - acell, localcellname, local_realm));
545 + ("MapName: cell is foreign. cell=%s, localcell=%s, localrealms={%s,%s,%s,%s}\n",
546 + acell, localcellname, local_realms[0],local_realms[1],local_realms[2],local_realms[3]));
547 if ((anamelen + cnamelen + 1) >= PR_MAXNAMELEN) {
549 ("MapName: Name too long, using AnonymousID for %s@%s\n",
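Review bot: MapName's foreign/local decision now comes from afs_is_foreign_ticket_name(aname, NULL, acell, localcellname), and that helper, as shown in the get_krbrlm.c hunk, fills its own static realm table from krb.conf plus the `localrealm` argument; the `local_realms`/`num_lrealms` globals this file defines and the initialisation hunk fills are no longer read for the decision, only printed in the debug line. As far as these hunks show, a realm supplied through viced's `-realm` option therefore lands in a table MapName never consults, and the "cell is foreign" message can list realms other than the ones that produced the verdict, which misleads anyone reading logs after an access denial. If the command-line realms are meant to count, the helper needs to accept the caller's table (or this file should keep its own comparison against `local_realms` beside the helper call), and a comment here should say which list is authoritative. The log line also hard-codes four `%s` conversions and indexes `local_realms[0..3]`, so it silently breaks if AFS_NUM_LREALMS changes; build the list in a loop or tie the two with a comment next to the define. Both functions touched here extend beyond the hunks shown.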
550 --- openafs.orig/src/viced/viced.c
551 +++ openafs/src/viced/viced.c
552 @@ -1077,7 +1077,8 @@
555 } else if (!strcmp(argv[i], "-realm")) {
556 - extern char local_realm[AFS_REALM_SZ];
557 + extern char local_realms[AFS_NUM_LREALMS][AFS_REALM_SZ];
558 + extern int num_lrealms;
559 if ((i + 1) >= argc) {
560 fprintf(stderr, "missing argument for -realm\n");
562 @@ -1088,7 +1089,15 @@
566 - strncpy(local_realm, argv[i], AFS_REALM_SZ);
567 + if (num_lrealms == -1)
569 + if (num_lrealms >= AFS_NUM_LREALMS) {
571 + ("a maximum of %d -realm arguments can be specified.\n",
575 + strncpy(local_realms[num_lrealms++], argv[i], AFS_REALM_SZ);
576 } else if (!strcmp(argv[i], "-udpsize")) {
577 if ((i + 1) >= argc) {
578 printf("You have to specify -udpsize <integer value>\n");