kfw-upds-20040422

(1) remove the tkt_lifetime table which is no longer used (2) improve the handling of token to k5 principal mapping (3) assign the REALM to the token client name if the realm of the cell does not match the realm of the user
2025-01-18 23:10:58 +00:00 · 2004-04-23 04:43:24 +00:00 · 2004-04-23 04:43:24 +00:00 · a40db2ebc0
commit a40db2ebc0
parent 9374963fca
1 changed files with 75 additions and 134 deletions
--- a/src/WINNT/client_creds/afskfw.c
+++ b/src/WINNT/client_creds/afskfw.c
@ -797,7 +797,7 @@ KFW_AFS_find_principals_for_cell(krb5_context ctx, char * cell, char **principal
        next_map = next_map->next;
    }

-    if ( !principals )
+    if ( !principals || !count )
        return count;

    *principals = (char **) malloc(sizeof(char *) * count);
@ -999,37 +999,40 @@ KFW_import_ccache_data(void)
             && strcmp(pNCi[i]->name,LSA_CCNAME) 
             ) {
            int found = 0;
-            krb5_ccache oldcc = 0;
            for ( j=0; pNCi[j]; j++ ) {
                if (!strcmp(pNCi[j]->name,pNCi[i]->principal)) {
                    found = 1;
                    break;
                }
            }
-            if (found)
-                continue;
-
-            if ( IsDebuggerPresent() )
-                OutputDebugString("copying ccache data to new ccache\n");
-
+            
            code = pkrb5_cc_resolve(ctx, pNCi[i]->principal, &cc);
            if (code) goto loop_cleanup;
-            code = pkrb5_parse_name(ctx, pNCi[i]->principal, &principal);
-            if (code) goto loop_cleanup;
-            code = pkrb5_cc_initialize(ctx, cc, principal);
-            if (code) goto loop_cleanup;
-            code = pkrb5_cc_resolve(ctx, pNCi[i]->name, &oldcc);
-            if (code) goto loop_cleanup;
-            code = pkrb5_cc_copy_creds(ctx,oldcc,cc);
-			if (code) {
-				code = pkrb5_cc_close(ctx,cc);
-                cc = 0;
+
+            if (!found) {
+                krb5_ccache oldcc = 0;
+
+                if ( IsDebuggerPresent() )
+                    OutputDebugString("copying ccache data to new ccache\n");
+
+                code = pkrb5_parse_name(ctx, pNCi[i]->principal, &principal);
+                if (code) goto loop_cleanup;
+                code = pkrb5_cc_initialize(ctx, cc, principal);
+                if (code) goto loop_cleanup;
+
+                code = pkrb5_cc_resolve(ctx, pNCi[i]->name, &oldcc);
+                if (code) goto loop_cleanup;
+                code = pkrb5_cc_copy_creds(ctx,oldcc,cc);
+                if (code) {
+                    code = pkrb5_cc_close(ctx,cc);
+                    cc = 0;
+                    code = pkrb5_cc_close(ctx,oldcc);
+                    cc = 0;
+                    KRB5_error(code, "krb5_cc_copy_creds", 0, NULL, NULL);
+                    continue;
+                }
                code = pkrb5_cc_close(ctx,oldcc);
-                cc = 0;
-				KRB5_error(code, "krb5_cc_copy_creds", 0, NULL, NULL);
-				continue;
-			}
-            code = pkrb5_cc_close(ctx,oldcc);
+            }
        } else {
            code = pkrb5_cc_resolve(ctx, pNCi[i]->name, &cc);
            if (code) goto loop_cleanup;
@ -1129,11 +1132,13 @@ KFW_import_ccache_data(void)
            pkrb5_cc_close(ctx,cc);
            cc = 0;
        }
+        if (principal) {
+            pkrb5_free_principal(ctx,principal);
+            principal = 0;
+        }
    }

  cleanup:
-    if (principal)
-        pkrb5_free_principal(ctx,principal);
    if (ctx)
        pkrb5_free_context(ctx);
    if (pNCi)
@ -1189,7 +1194,7 @@ KFW_AFS_get_cred(char * username,
        *realm = '\0';
        realm++;
    }
-    if ( !realm[0] )
+    if ( !realm || !realm[0] )
        realm = afs_realm_of_cell(&cellconfig);  // do not free

    if ( IsDebuggerPresent() ) {
@ -1475,6 +1480,13 @@ KFW_AFS_renew_token_for_cell(char * cell)
    if (code) goto cleanup;

    count = KFW_AFS_find_principals_for_cell(ctx, cell, &principals, TRUE);
+    if ( count == 0 ) {
+        // We know we must have a credential somewhere since we are
+        // trying to renew a token
+
+        KFW_import_ccache_data();
+        count = KFW_AFS_find_principals_for_cell(ctx, cell, &principals, TRUE);
+    }
    if ( count > 0 ) {
        krb5_principal      princ = 0;
        krb5_principal      service = 0;
@ -2384,102 +2396,6 @@ KFW_AFS_unlog(void)
    return(0);
 }

-
-#define TKTLIFENUMFIXED 64
-#define TKTLIFEMINFIXED 0x80
-#define TKTLIFEMAXFIXED 0xBF
-#define TKTLIFENOEXPIRE 0xFF
-#define MAXTKTLIFETIME	(30*24*3600)	/* 30 days */
-#ifndef NEVERDATE
-#define NEVERDATE ((unsigned long)0x7fffffffL)
-#endif
-
-static int no_long_lifetimes = 0;
-typedef unsigned long u_int32_t;
-
-static const int tkt_lifetimes[TKTLIFENUMFIXED] = {
-    38400,				/* 10.67 hours, 0.44 days */ 
-    41055,				/* 11.40 hours, 0.48 days */ 
-    43894,				/* 12.19 hours, 0.51 days */ 
-    46929,				/* 13.04 hours, 0.54 days */ 
-    50174,				/* 13.94 hours, 0.58 days */ 
-    53643,				/* 14.90 hours, 0.62 days */ 
-    57352,				/* 15.93 hours, 0.66 days */ 
-    61318,				/* 17.03 hours, 0.71 days */ 
-    65558,				/* 18.21 hours, 0.76 days */ 
-    70091,				/* 19.47 hours, 0.81 days */ 
-    74937,				/* 20.82 hours, 0.87 days */ 
-    80119,				/* 22.26 hours, 0.93 days */ 
-    85658,				/* 23.79 hours, 0.99 days */ 
-    91581,				/* 25.44 hours, 1.06 days */ 
-    97914,				/* 27.20 hours, 1.13 days */ 
-    104684,				/* 29.08 hours, 1.21 days */ 
-    111922,				/* 31.09 hours, 1.30 days */ 
-    119661,				/* 33.24 hours, 1.38 days */ 
-    127935,				/* 35.54 hours, 1.48 days */ 
-    136781,				/* 37.99 hours, 1.58 days */ 
-    146239,				/* 40.62 hours, 1.69 days */ 
-    156350,				/* 43.43 hours, 1.81 days */ 
-    167161,				/* 46.43 hours, 1.93 days */ 
-    178720,				/* 49.64 hours, 2.07 days */ 
-    191077,				/* 53.08 hours, 2.21 days */ 
-    204289,				/* 56.75 hours, 2.36 days */ 
-    218415,				/* 60.67 hours, 2.53 days */ 
-    233517,				/* 64.87 hours, 2.70 days */ 
-    249664,				/* 69.35 hours, 2.89 days */ 
-    266926,				/* 74.15 hours, 3.09 days */ 
-    285383,				/* 79.27 hours, 3.30 days */ 
-    305116,				/* 84.75 hours, 3.53 days */ 
-    326213,				/* 90.61 hours, 3.78 days */ 
-    348769,				/* 96.88 hours, 4.04 days */ 
-    372885,				/* 103.58 hours, 4.32 days */ 
-    398668,				/* 110.74 hours, 4.61 days */ 
-    426234,				/* 118.40 hours, 4.93 days */ 
-    455705,				/* 126.58 hours, 5.27 days */ 
-    487215,				/* 135.34 hours, 5.64 days */ 
-    520904,				/* 144.70 hours, 6.03 days */ 
-    556921,				/* 154.70 hours, 6.45 days */ 
-    595430,				/* 165.40 hours, 6.89 days */ 
-    636601,				/* 176.83 hours, 7.37 days */ 
-    680618,				/* 189.06 hours, 7.88 days */ 
-    727680,				/* 202.13 hours, 8.42 days */ 
-    777995,				/* 216.11 hours, 9.00 days */ 
-    831789,				/* 231.05 hours, 9.63 days */ 
-    889303,				/* 247.03 hours, 10.29 days */
-
-    950794,				/* 264.11 hours, 11.00 days */
-
-    1016537,				/* 282.37 hours, 11.77 days */
-
-    1086825,				/* 301.90 hours, 12.58 days */
-
-    1161973,				/* 322.77 hours, 13.45 days */
-
-    1242318,				/* 345.09 hours, 14.38 days */
-
-    1328218,				/* 368.95 hours, 15.37 days */
-
-    1420057,				/* 394.46 hours, 16.44 days */
-
-    1518247,				/* 421.74 hours, 17.57 days */
-
-    1623226,				/* 450.90 hours, 18.79 days */
-
-    1735464,				/* 482.07 hours, 20.09 days */
-
-    1855462,				/* 515.41 hours, 21.48 days */
-
-    1983758,				/* 551.04 hours, 22.96 days */
-
-    2120925,				/* 589.15 hours, 24.55 days */
-
-    2267576,				/* 629.88 hours, 26.25 days */
-
-    2424367,				/* 673.44 hours, 28.06 days */
-
-    2592000};				/* 720.00 hours, 30.00 days */
-
-
 int
 KFW_AFS_klog(
    krb5_context alt_ctx,
@ -2800,16 +2716,27 @@ KFW_AFS_klog(
        aclient.name[len] = '\0';

        if ( k5creds->client->length > 1 ) {
-            len = min(k5creds->client->data[1].length,MAXKTCNAMELEN - 1);
-            strncpy(aclient.instance, k5creds->client->data[1].data, len);
-            aclient.instance[len] = '\0';
-        } else
-            aclient.instance[0] = '\0';
-        len = min(k5creds->client->realm.length,MAXKTCNAMELEN - 1);
-	    for ( i=0; i<len; i++ ) {
-			aclient.cell[i] = tolower(k5creds->client->realm.data[i]);
-		}
-        aclient.cell[len] = '\0';
+            char * p;
+            strcat(aclient.name, ".");
+            p = aclient.name + strlen(aclient.name);
+            len = min(k5creds->client->data[1].length,MAXKTCNAMELEN - strlen(aclient.name) - 1);
+            strncpy(p, k5creds->client->data[1].data, len);
+            p[len] = '\0';
+        }
+        aclient.instance[0] = '\0';
+
+        strcpy(aclient.cell, realm_of_cell);
+
+        len = min(k5creds->client->realm.length,strlen(realm_of_cell));
+        if ( strncmp(realm_of_cell, k5creds->client->realm.data, len) ) {
+            char * p;
+            strcat(aclient.name, "@");
+            p = aclient.name + strlen(aclient.name);
+            len = min(k5creds->client->realm.length,MAXKTCNAMELEN - strlen(aclient.name) - 1);
+            strncpy(p, k5creds->client->realm.data, len);
+            p[len] = '\0';
+        }
+
 		aclient.smbname[0] = '\0';

        rc = pktc_SetToken(&aserver, &atoken, &aclient, 0);
@ -2907,8 +2834,22 @@ KFW_AFS_klog(
    // * we were comparing whether identical tokens already existed.

    strncpy(aclient.name, creds.pname, MAXKTCNAMELEN - 1);
-    strcpy(aclient.instance, creds.pinst);
-    strncpy(aclient.cell, creds.realm, MAXKTCREALMLEN - 1);
+    if (creds.pinst[0])
+    {
+        strncat(aclient.name, ".", MAXKTCNAMELEN - 1);
+        strncat(aclient.name, creds.pinst, MAXKTCNAMELEN - 1);
+    }
+    strcpy(aclient.instance, "");
+
+    if ( strcmp(realm_of_cell, creds.realm) ) 
+    {
+        char * p;
+        strncat(aclient.name, "@", MAXKTCNAMELEN - 1);
+        strncpy(aclient.name, creds.realm, MAXKTCREALMLEN - 1);
+    }
+    aclient.name[MAXKTCREALMLEN-1] = '\0';
+
+    strcpy(aclient.cell, CellName);

    if (rc = pktc_SetToken(&aserver, &atoken, &aclient, 0))
    {