STABLE14-windows-force-krb524-20030921

Provide mechanisms to force the use of krb524 via afscreds, afslogon,
and aklog.  afslogon and afscreds rely on a new "Use524" registry value
(see registry.txt) and aklog has a new "-m" command line option.


(cherry picked from commit b400902339)
Jeffrey Altman 2004-09-22 07:03:19 +00:00 committed by Jeffrey Altman
parent 8996b91f97
commit 4044366199
4 changed files with 710 additions and 662 deletions


@ -1,4 +1,9 @@
Since 1.3.71:
* provide mechanisms to force the use of krb524d for Kerberos 5
ticket to AFS token conversion. For afslogon.dll and afscreds.exe
there is a new registry value "Use524" and for aklog.exe a new
command line parameter "-m".
* Fix the pattern matching algorithm to properly match patterns
ending with a '*'.


@ -628,6 +628,17 @@ Function: KFW_is_available()
Kerberos 4 implementation will be used instead. The current user value
is checked first; if it does not exist the local machine value is checked.
Value : Use524
Type : DWORD {0, 1}
Default : 0
Function: KFW_use_krb524()
When MIT Kerberos for Windows can be loaded, Kerberos 5 will be used
to obtain AFS credentials. By setting this value to 1, the Kerberos 5
tickets will be converted to Kerberos 4 tokens via a call to the krb524
daemon. The current user value is checked first; if it does not exist
the local machine value is checked.
Value : AfscredsShortcutParams
Type : REG_SZ
Default : "-A -M -N -Q"


@ -444,6 +444,31 @@ KFW_cleanup(void)
static char OpenAFSConfigKeyName[] = "SOFTWARE\\OpenAFS\\Client";
int
KFW_use_krb524(void)
{
HKEY parmKey;
DWORD code, len;
DWORD use524 = 0;
code = RegOpenKeyEx(HKEY_CURRENT_USER, OpenAFSConfigKeyName,
0, KEY_QUERY_VALUE, &parmKey);
if (code != ERROR_SUCCESS)
code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName,
0, KEY_QUERY_VALUE, &parmKey);
if (code == ERROR_SUCCESS) {
len = sizeof(use524);
code = RegQueryValueEx(parmKey, "Use524", NULL, NULL,
(BYTE *) &use524, &len);
if (code != ERROR_SUCCESS) {
use524 = 0;
}
RegCloseKey (parmKey);
}
return use524;
}
int
KFW_is_available(void)
{
@ -2761,7 +2786,8 @@ KFW_AFS_klog(
* No need to perform a krb524 translation which is
* commented out in the code below
*/
if (k5creds->ticket.length > MAXKTCTICKETLEN)
if (KFW_use_krb524() ||
k5creds->ticket.length > MAXKTCTICKETLEN)
goto try_krb524d;
memset(&aserver, '\0', sizeof(aserver));
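Review bot: KFW_use_krb524 in the first hunk only falls back to HKEY_LOCAL_MACHINE when the HKEY_CURRENT_USER key cannot be opened, so a user hive that already has SOFTWARE\OpenAFS\Client but no Use524 value returns 0 without ever reading the machine-wide setting, which contradicts the registry.txt text added in this same commit ("if it does not exist the local machine value is checked"). RegQueryValueEx is also called with a NULL type pointer and the returned length is never checked, so a REG_SZ or REG_BINARY value shorter than four bytes is accepted as if it were the DWORD. Querying each root in turn and accepting only a REG_DWORD of the expected size fixes both; the result is normalized to 0/1, which the only visible caller (the `KFW_use_krb524() ||` test in the second hunk) already treats as a boolean. The comment right above that call ("No need to perform a krb524 translation which is commented out in the code below") is now stale, since the new condition deliberately routes through krb524d; it should be reworded to say the translation is taken when Use524 is set or the ticket is too large.
```c
int
KFW_use_krb524(void)
{
    /* Per-user setting wins; fall back to the machine-wide value
     * whenever the user key or the Use524 value itself is absent. */
    HKEY roots[] = { HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE };
    HKEY parmKey;
    DWORD code, len, type;
    DWORD use524;
    int i;

    for (i = 0; i < 2; i++) {
        code = RegOpenKeyEx(roots[i], OpenAFSConfigKeyName,
                            0, KEY_QUERY_VALUE, &parmKey);
        if (code != ERROR_SUCCESS)
            continue;
        use524 = 0;
        len = sizeof(use524);
        code = RegQueryValueEx(parmKey, "Use524", NULL, &type,
                               (BYTE *) &use524, &len);
        RegCloseKey(parmKey);
        /* Only trust a well-formed REG_DWORD; anything else is ignored. */
        if (code == ERROR_SUCCESS && type == REG_DWORD && len == sizeof(use524))
            return use524 != 0;
    }
    return 0;
}
```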


@ -148,6 +148,7 @@ static int force = FALSE; /* Bash identical tokens? */
static linked_list authedcells; /* List of cells already logged to */
static int usev5 = TRUE; /* use kerberos 5? */
static int use524 = FALSE; /* use krb524? */
static krb5_ccache _krb425_ccache;
long GetLocalCell(struct afsconf_dir **pconfigdir, char *local_cell)
@ -626,11 +627,13 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
try_v5:
if (dflag)
printf("Getting v5 tickets: %s/%s@%s\n", name, instance, realm_of_cell);
status = get_v5cred(context, name, instance, realm_of_cell, NULL, &v5cred);
status = get_v5cred(context, name, instance, realm_of_cell,
use524 ? &c : NULL, &v5cred);
if (status == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
if (dflag)
printf("Getting v5 tickets: %s@%s\n", name, realm_of_cell);
status = get_v5cred(context, name, "", realm_of_cell, NULL, &v5cred);
status = get_v5cred(context, name, "", realm_of_cell,
use524 ? &c : NULL, &v5cred);
}
if ( status == KRB5KRB_AP_ERR_MSG_TYPE && retry ) {
retry = 0;
@ -673,7 +676,7 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
strncpy(aserver.instance, AFSINST, MAXKTCNAMELEN - 1);
strncpy(aserver.cell, cell_to_use, MAXKTCREALMLEN - 1);
if (usev5) {
if (usev5 && !use524) {
/* This code inserts the entire K5 ticket into the token
* No need to perform a krb524 translation which is
* commented out in the code below
@ -737,7 +740,7 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
}
else
{
if(usev5) {
if (usev5) {
if((status = get_v5_user_realm(context, realm_of_user)) != KSUCCESS) {
fprintf(stderr, "%s: Couldn't determine realm of user: %d\n",
progname, status);
@ -771,7 +774,7 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
strncpy(aclient.name, username, MAXKTCNAMELEN - 1);
strcpy(aclient.instance, "");
if (usev5) {
if (usev5 && !use524) {
int len = min(v5cred->client->realm.length,MAXKTCNAMELEN - 1);
strncpy(aclient.cell, v5cred->client->realm.data, len);
aclient.cell[len] = '\0';
@ -1046,7 +1049,7 @@ static void usage(void)
"[-d] [[-cell | -c] cell [-k krb_realm]] ",
"[[-p | -path] pathname]\n",
" [-noprdb] [-force]\n",
" [-5 | -4]\n"
" [-5 [-m]| -4]\n"
);
fprintf(stderr, " -d gives debugging information.\n");
fprintf(stderr, " krb_realm is the kerberos realm of a cell.\n");
@ -1055,6 +1058,7 @@ static void usage(void)
fprintf(stderr, " -noprdb means don't try to determine AFS ID.\n");
fprintf(stderr, " -5 or -4 selects whether to use Kerberos V or Kerberos IV.\n"
" (default is Kerberos V)\n");
fprintf(stderr, " -m means use krb524d to convert Kerberos V tickets.\n");
fprintf(stderr, " No commandline arguments means ");
fprintf(stderr, "authenticate to the local cell.\n");
fprintf(stderr, "\n");
@ -1111,6 +1115,8 @@ int main(int argc, char *argv[])
dflag++;
else if (strcmp(argv[i], "-5") == 0)
usev5++;
else if (strcmp(argv[i], "-m") == 0)
use524++;
else if (strcmp(argv[i], "-4") == 0)
usev5 = 0;
else if (strcmp(argv[i], "-noprdb") == 0)
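Review bot: The new `-m` option in main's argument loop (last hunk) is accepted alongside `-4`, but nothing consumes use524 on the Kerberos 4 path — both `usev5 && !use524` tests in auth_to_cell are skipped once usev5 is 0 — so `aklog -4 -m` silently ignores a flag the usage text advertises only as `-5 [-m]`. After the option loop, which continues past this hunk, I would reject the combination explicitly: `if (use524 && !usev5) { fprintf(stderr, "%s: -m is only meaningful with -5\n", progname); usage(); }` (usage() begins in the earlier hunk but its end is not visible, so confirm it exits). The usage line also lost a space and should read `" [-5 [-m] | -4]\n"`. Since the commit message and registry.txt both describe the effect as converting Kerberos 5 tickets into Kerberos 4 tokens, the help text would be clearer as `" -m means use krb524d to convert Kerberos V tickets to Kerberos IV tokens.\n"` so users understand they are opting into the older token format.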