kfw-upds-20040422
authorJeffrey Altman <jaltman@mit.edu>
Fri, 23 Apr 2004 04:43:24 +0000 (04:43 +0000)
committerJeffrey Altman <jaltman@secure-endpoints.com>
Fri, 23 Apr 2004 04:43:24 +0000 (04:43 +0000)
(1) remove the tkt_lifetime table which is no longer used

(2) improve the handling of token to k5 principal mapping

(3) assign the REALM to the token client name if the realm of
    the cell does not match the realm of the user

src/WINNT/client_creds/afskfw.c

index 1603a37..d64df21 100644 (file)
@@ -797,7 +797,7 @@ KFW_AFS_find_principals_for_cell(krb5_context ctx, char * cell, char **principal
         next_map = next_map->next;
     }
 
-    if ( !principals )
+    if ( !principals || !count )
         return count;
 
     *principals = (char **) malloc(sizeof(char *) * count);
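Review bot: With the added `|| !count` guard, a zero count now returns before `*principals` is ever assigned, so the output pointer keeps whatever value the caller put there; a caller that frees `principals` unconditionally after the call must have initialised it to NULL. The renew hunk further down passes `&principals` to this function twice without resetting it between the calls, which is only safe under that assumption. Consider stating the contract at the guard: `/* count == 0: *principals is left untouched, nothing to free */`. The function begins outside this hunk.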
@@ -999,37 +999,40 @@ KFW_import_ccache_data(void)
              && strcmp(pNCi[i]->name,LSA_CCNAME) 
              ) {
             int found = 0;
-            krb5_ccache oldcc = 0;
             for ( j=0; pNCi[j]; j++ ) {
                 if (!strcmp(pNCi[j]->name,pNCi[i]->principal)) {
                     found = 1;
                     break;
                 }
             }
-            if (found)
-                continue;
-
-            if ( IsDebuggerPresent() )
-                OutputDebugString("copying ccache data to new ccache\n");
-
+            
             code = pkrb5_cc_resolve(ctx, pNCi[i]->principal, &cc);
             if (code) goto loop_cleanup;
-            code = pkrb5_parse_name(ctx, pNCi[i]->principal, &principal);
-            if (code) goto loop_cleanup;
-            code = pkrb5_cc_initialize(ctx, cc, principal);
-            if (code) goto loop_cleanup;
-            code = pkrb5_cc_resolve(ctx, pNCi[i]->name, &oldcc);
-            if (code) goto loop_cleanup;
-            code = pkrb5_cc_copy_creds(ctx,oldcc,cc);
-                       if (code) {
-                               code = pkrb5_cc_close(ctx,cc);
-                cc = 0;
+
+            if (!found) {
+                krb5_ccache oldcc = 0;
+
+                if ( IsDebuggerPresent() )
+                    OutputDebugString("copying ccache data to new ccache\n");
+
+                code = pkrb5_parse_name(ctx, pNCi[i]->principal, &principal);
+                if (code) goto loop_cleanup;
+                code = pkrb5_cc_initialize(ctx, cc, principal);
+                if (code) goto loop_cleanup;
+
+                code = pkrb5_cc_resolve(ctx, pNCi[i]->name, &oldcc);
+                if (code) goto loop_cleanup;
+                code = pkrb5_cc_copy_creds(ctx,oldcc,cc);
+                if (code) {
+                    code = pkrb5_cc_close(ctx,cc);
+                    cc = 0;
+                    code = pkrb5_cc_close(ctx,oldcc);
+                    cc = 0;
+                    KRB5_error(code, "krb5_cc_copy_creds", 0, NULL, NULL);
+                    continue;
+                }
                 code = pkrb5_cc_close(ctx,oldcc);
-                cc = 0;
-                               KRB5_error(code, "krb5_cc_copy_creds", 0, NULL, NULL);
-                               continue;
-                       }
-            code = pkrb5_cc_close(ctx,oldcc);
+            }
         } else {
             code = pkrb5_cc_resolve(ctx, pNCi[i]->name, &cc);
             if (code) goto loop_cleanup;
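Review bot: In the `if (code)` branch after `pkrb5_cc_copy_creds`, `code` is overwritten by the return values of the two `pkrb5_cc_close` calls before `KRB5_error(code, "krb5_cc_copy_creds", 0, NULL, NULL);` runs, so the error reported is the close status (normally 0) rather than the copy failure, and the same clobbered value is what the loop leaves in `code`. Move the `KRB5_error(...)` call above the two closes, or keep the copy result in a separate variable, and stop assigning the close results to `code`. The second `cc = 0;` after `pkrb5_cc_close(ctx,oldcc)` should read `oldcc = 0;` — as written it is a no-op and hides which handle was just closed. The enclosing loop of KFW_import_ccache_data continues outside this hunk.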
@@ -1129,11 +1132,13 @@ KFW_import_ccache_data(void)
             pkrb5_cc_close(ctx,cc);
             cc = 0;
         }
+        if (principal) {
+            pkrb5_free_principal(ctx,principal);
+            principal = 0;
+        }
     }
 
   cleanup:
-    if (principal)
-        pkrb5_free_principal(ctx,principal);
     if (ctx)
         pkrb5_free_context(ctx);
     if (pNCi)
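Review bot: `cleanup:` no longer frees `principal`, so any `goto cleanup` taken after `pkrb5_parse_name` succeeds and before the new per-iteration free would now leak the principal; the loop body, including whatever jumps to `cleanup` directly, is outside this hunk, so this is hedged on whether such a path exists. If one does, keeping `if (principal) pkrb5_free_principal(ctx,principal);` under `cleanup:` is harmless, because the in-loop free resets `principal = 0` on the normal path.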
@@ -1189,7 +1194,7 @@ KFW_AFS_get_cred(char * username,
         *realm = '\0';
         realm++;
     }
-    if ( !realm[0] )
+    if ( !realm || !realm[0] )
         realm = afs_realm_of_cell(&cellconfig);  // do not free
 
     if ( IsDebuggerPresent() ) {
@@ -1475,6 +1480,13 @@ KFW_AFS_renew_token_for_cell(char * cell)
     if (code) goto cleanup;
 
     count = KFW_AFS_find_principals_for_cell(ctx, cell, &principals, TRUE);
+    if ( count == 0 ) {
+        // We know we must have a credential somewhere since we are
+        // trying to renew a token
+
+        KFW_import_ccache_data();
+        count = KFW_AFS_find_principals_for_cell(ctx, cell, &principals, TRUE);
+    }
     if ( count > 0 ) {
         krb5_principal      princ = 0;
         krb5_principal      service = 0;
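Review bot: The comment `// We know we must have a credential somewhere since we are trying to renew a token` asserts a certainty the code does not have: if `KFW_import_ccache_data()` imports nothing, the second `KFW_AFS_find_principals_for_cell` call also returns 0 and the function simply skips the `count > 0` block, which is the right outcome but should be described as a best-effort retry. Suggested wording: `// No matching principal in the known ccaches; import any external ccache data (e.g. the LSA cache) and retry once before giving up.` The result of `KFW_import_ccache_data()` is discarded, so if it reports failure (its signature is outside this hunk) an import error is indistinguishable from an empty cache. The rest of KFW_AFS_renew_token_for_cell lies outside the hunk.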
@@ -2384,102 +2396,6 @@ KFW_AFS_unlog(void)
     return(0);
 }
 
-
-#define TKTLIFENUMFIXED 64
-#define TKTLIFEMINFIXED 0x80
-#define TKTLIFEMAXFIXED 0xBF
-#define TKTLIFENOEXPIRE 0xFF
-#define MAXTKTLIFETIME (30*24*3600)    /* 30 days */
-#ifndef NEVERDATE
-#define NEVERDATE ((unsigned long)0x7fffffffL)
-#endif
-
-static int no_long_lifetimes = 0;
-typedef unsigned long u_int32_t;
-
-static const int tkt_lifetimes[TKTLIFENUMFIXED] = {
-    38400,                             /* 10.67 hours, 0.44 days */ 
-    41055,                             /* 11.40 hours, 0.48 days */ 
-    43894,                             /* 12.19 hours, 0.51 days */ 
-    46929,                             /* 13.04 hours, 0.54 days */ 
-    50174,                             /* 13.94 hours, 0.58 days */ 
-    53643,                             /* 14.90 hours, 0.62 days */ 
-    57352,                             /* 15.93 hours, 0.66 days */ 
-    61318,                             /* 17.03 hours, 0.71 days */ 
-    65558,                             /* 18.21 hours, 0.76 days */ 
-    70091,                             /* 19.47 hours, 0.81 days */ 
-    74937,                             /* 20.82 hours, 0.87 days */ 
-    80119,                             /* 22.26 hours, 0.93 days */ 
-    85658,                             /* 23.79 hours, 0.99 days */ 
-    91581,                             /* 25.44 hours, 1.06 days */ 
-    97914,                             /* 27.20 hours, 1.13 days */ 
-    104684,                            /* 29.08 hours, 1.21 days */ 
-    111922,                            /* 31.09 hours, 1.30 days */ 
-    119661,                            /* 33.24 hours, 1.38 days */ 
-    127935,                            /* 35.54 hours, 1.48 days */ 
-    136781,                            /* 37.99 hours, 1.58 days */ 
-    146239,                            /* 40.62 hours, 1.69 days */ 
-    156350,                            /* 43.43 hours, 1.81 days */ 
-    167161,                            /* 46.43 hours, 1.93 days */ 
-    178720,                            /* 49.64 hours, 2.07 days */ 
-    191077,                            /* 53.08 hours, 2.21 days */ 
-    204289,                            /* 56.75 hours, 2.36 days */ 
-    218415,                            /* 60.67 hours, 2.53 days */ 
-    233517,                            /* 64.87 hours, 2.70 days */ 
-    249664,                            /* 69.35 hours, 2.89 days */ 
-    266926,                            /* 74.15 hours, 3.09 days */ 
-    285383,                            /* 79.27 hours, 3.30 days */ 
-    305116,                            /* 84.75 hours, 3.53 days */ 
-    326213,                            /* 90.61 hours, 3.78 days */ 
-    348769,                            /* 96.88 hours, 4.04 days */ 
-    372885,                            /* 103.58 hours, 4.32 days */ 
-    398668,                            /* 110.74 hours, 4.61 days */ 
-    426234,                            /* 118.40 hours, 4.93 days */ 
-    455705,                            /* 126.58 hours, 5.27 days */ 
-    487215,                            /* 135.34 hours, 5.64 days */ 
-    520904,                            /* 144.70 hours, 6.03 days */ 
-    556921,                            /* 154.70 hours, 6.45 days */ 
-    595430,                            /* 165.40 hours, 6.89 days */ 
-    636601,                            /* 176.83 hours, 7.37 days */ 
-    680618,                            /* 189.06 hours, 7.88 days */ 
-    727680,                            /* 202.13 hours, 8.42 days */ 
-    777995,                            /* 216.11 hours, 9.00 days */ 
-    831789,                            /* 231.05 hours, 9.63 days */ 
-    889303,                            /* 247.03 hours, 10.29 days */
-
-    950794,                            /* 264.11 hours, 11.00 days */
-
-    1016537,                           /* 282.37 hours, 11.77 days */
-
-    1086825,                           /* 301.90 hours, 12.58 days */
-
-    1161973,                           /* 322.77 hours, 13.45 days */
-
-    1242318,                           /* 345.09 hours, 14.38 days */
-
-    1328218,                           /* 368.95 hours, 15.37 days */
-
-    1420057,                           /* 394.46 hours, 16.44 days */
-
-    1518247,                           /* 421.74 hours, 17.57 days */
-
-    1623226,                           /* 450.90 hours, 18.79 days */
-
-    1735464,                           /* 482.07 hours, 20.09 days */
-
-    1855462,                           /* 515.41 hours, 21.48 days */
-
-    1983758,                           /* 551.04 hours, 22.96 days */
-
-    2120925,                           /* 589.15 hours, 24.55 days */
-
-    2267576,                           /* 629.88 hours, 26.25 days */
-
-    2424367,                           /* 673.44 hours, 28.06 days */
-
-    2592000};                          /* 720.00 hours, 30.00 days */
-
-
 int
 KFW_AFS_klog(
     krb5_context alt_ctx,
@@ -2800,16 +2716,27 @@ KFW_AFS_klog(
         aclient.name[len] = '\0';
 
         if ( k5creds->client->length > 1 ) {
-            len = min(k5creds->client->data[1].length,MAXKTCNAMELEN - 1);
-            strncpy(aclient.instance, k5creds->client->data[1].data, len);
-            aclient.instance[len] = '\0';
-        } else
-            aclient.instance[0] = '\0';
-        len = min(k5creds->client->realm.length,MAXKTCNAMELEN - 1);
-           for ( i=0; i<len; i++ ) {
-                       aclient.cell[i] = tolower(k5creds->client->realm.data[i]);
-               }
-        aclient.cell[len] = '\0';
+            char * p;
+            strcat(aclient.name, ".");
+            p = aclient.name + strlen(aclient.name);
+            len = min(k5creds->client->data[1].length,MAXKTCNAMELEN - strlen(aclient.name) - 1);
+            strncpy(p, k5creds->client->data[1].data, len);
+            p[len] = '\0';
+        }
+        aclient.instance[0] = '\0';
+
+        strcpy(aclient.cell, realm_of_cell);
+
+        len = min(k5creds->client->realm.length,strlen(realm_of_cell));
+        if ( strncmp(realm_of_cell, k5creds->client->realm.data, len) ) {
+            char * p;
+            strcat(aclient.name, "@");
+            p = aclient.name + strlen(aclient.name);
+            len = min(k5creds->client->realm.length,MAXKTCNAMELEN - strlen(aclient.name) - 1);
+            strncpy(p, k5creds->client->realm.data, len);
+            p[len] = '\0';
+        }
+
                aclient.smbname[0] = '\0';
 
         rc = pktc_SetToken(&aserver, &atoken, &aclient, 0);
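Review bot: `strcat(aclient.name, ".")` and the later `strcat(aclient.name, "@")` are not bounded: after `aclient.name[len] = '\0'` the name may already hold MAXKTCNAMELEN - 1 characters, the strcat then writes past the buffer, and `MAXKTCNAMELEN - strlen(aclient.name) - 1` wraps to a huge unsigned value so the following `strncpy` is unbounded as well (the second KFW_AFS_klog hunk below has the same unbounded-append pattern). `strcpy(aclient.cell, realm_of_cell)` is likewise unbounded, and the realm comparison with `len = min(...)` only checks the shorter prefix, so a realm that is a prefix of the other is treated as equal — the lengths must match too. The case-sensitive `strncmp` treats realms differing only in case as different; whether that is intended depends on how `realm_of_cell` is produced, which is outside this hunk. Truncating any part of the principal silently changes the identity the token is bound to, so rejecting an over-long name would be safer; the excerpt below keeps truncation to match the surrounding code. KFW_AFS_klog starts and ends outside the hunk.
```c
        aclient.name[len] = '\0';

        if ( k5creds->client->length > 1 ) {
            size_t used = strlen(aclient.name);
            /* room for '.', at least the terminator, then as much instance as fits */
            if ( used + 1 < MAXKTCNAMELEN ) {
                aclient.name[used++] = '.';
                len = min(k5creds->client->data[1].length, MAXKTCNAMELEN - used - 1);
                memcpy(aclient.name + used, k5creds->client->data[1].data, len);
                aclient.name[used + len] = '\0';
            }
        }
        aclient.instance[0] = '\0';

        /* realm_of_cell is not known to fit in aclient.cell: bound the copy */
        strncpy(aclient.cell, realm_of_cell, MAXKTCREALMLEN - 1);
        aclient.cell[MAXKTCREALMLEN - 1] = '\0';

        /* lengths must agree, otherwise a prefix match passes as equal */
        if ( k5creds->client->realm.length != strlen(realm_of_cell)
             || strncmp(realm_of_cell, k5creds->client->realm.data,
                        k5creds->client->realm.length) ) {
            size_t used = strlen(aclient.name);
            if ( used + 1 < MAXKTCNAMELEN ) {
                aclient.name[used++] = '@';
                len = min(k5creds->client->realm.length, MAXKTCNAMELEN - used - 1);
                memcpy(aclient.name + used, k5creds->client->realm.data, len);
                aclient.name[used + len] = '\0';
            }
        }

        /* … unchanged: aclient.smbname, pktc_SetToken call … */
```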
@@ -2907,8 +2834,22 @@ KFW_AFS_klog(
     // * we were comparing whether identical tokens already existed.
 
     strncpy(aclient.name, creds.pname, MAXKTCNAMELEN - 1);
-    strcpy(aclient.instance, creds.pinst);
-    strncpy(aclient.cell, creds.realm, MAXKTCREALMLEN - 1);
+    if (creds.pinst[0])
+    {
+        strncat(aclient.name, ".", MAXKTCNAMELEN - 1);
+        strncat(aclient.name, creds.pinst, MAXKTCNAMELEN - 1);
+    }
+    strcpy(aclient.instance, "");
+
+    if ( strcmp(realm_of_cell, creds.realm) ) 
+    {
+        char * p;
+        strncat(aclient.name, "@", MAXKTCNAMELEN - 1);
+        strncpy(aclient.name, creds.realm, MAXKTCREALMLEN - 1);
+    }
+    aclient.name[MAXKTCREALMLEN-1] = '\0';
+
+    strcpy(aclient.cell, CellName);
 
     if (rc = pktc_SetToken(&aserver, &atoken, &aclient, 0))
     {
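Review bot: In the realm branch, `strncpy(aclient.name, creds.realm, MAXKTCREALMLEN - 1);` overwrites `aclient.name` from its start instead of appending after the `"@"` just added, so the token client name becomes the bare realm (and the local `char * p` is never used); this must be an append, as in the earlier klog hunk. The `strncat(..., MAXKTCNAMELEN - 1)` calls bound the number of characters appended, not the buffer, and `aclient.name` is not guaranteed to be NUL-terminated after the `strncpy` at the top of the hunk, so these appends can run past the name buffer — the same unbounded-append problem as the hunk above. `aclient.name[MAXKTCREALMLEN-1] = '\0';` applies the realm-buffer size to the name buffer and should be `MAXKTCNAMELEN-1`, and `strcpy(aclient.cell, CellName)` is unbounded. KFW_AFS_klog starts and ends outside this hunk.
```c
    strncpy(aclient.name, creds.pname, MAXKTCNAMELEN - 1);
    aclient.name[MAXKTCNAMELEN - 1] = '\0';
    if (creds.pinst[0])
    {
        size_t used = strlen(aclient.name);
        /* strncat's bound counts characters appended, so compute the free space here */
        if ( used + 1 < MAXKTCNAMELEN ) {
            aclient.name[used] = '.';
            aclient.name[used + 1] = '\0';
            strncat(aclient.name, creds.pinst, MAXKTCNAMELEN - used - 2);
        }
    }
    strcpy(aclient.instance, "");

    if ( strcmp(realm_of_cell, creds.realm) )
    {
        size_t used = strlen(aclient.name);
        if ( used + 1 < MAXKTCNAMELEN ) {
            aclient.name[used] = '@';
            aclient.name[used + 1] = '\0';
            /* append (was strncpy, which replaced the whole name with the realm) */
            strncat(aclient.name, creds.realm, MAXKTCNAMELEN - used - 2);
        }
    }
    aclient.name[MAXKTCNAMELEN - 1] = '\0';

    strncpy(aclient.cell, CellName, MAXKTCREALMLEN - 1);
    aclient.cell[MAXKTCREALMLEN - 1] = '\0';

    /* … unchanged: pktc_SetToken call … */
```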