From a40db2ebc0490dfd63f02900fa2aa077a8276f6a Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Fri, 23 Apr 2004 04:43:24 +0000
Subject: [PATCH] kfw-upds-20040422 (1) remove the tkt_lifetime table which is no longer used (2) improve the handling of token to k5 principal mapping (3) assign the REALM to the token client name if the realm of the cell does not match the realm of the user
---
 src/WINNT/client_creds/afskfw.c | 209 ++++++++++++--------------------
 1 file changed, 75 insertions(+), 134 deletions(-)
diff --git a/src/WINNT/client_creds/afskfw.c b/src/WINNT/client_creds/afskfw.c
index 1603a37696..d64df2142c 100644
--- a/src/WINNT/client_creds/afskfw.c
+++ b/src/WINNT/client_creds/afskfw.c
@@ -797,7 +797,7 @@ KFW_AFS_find_principals_for_cell(krb5_context ctx, char * cell, char **principal
 next_map = next_map->next;
 }
- if ( !principals )
+ if ( !principals || !count )
 return count;
 *principals = (char **) malloc(sizeof(char *) * count);
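Review bot: The new early return on `!count` hands back 0 without writing through `*principals`, so a caller that initialises `principals` to anything but NULL and frees it on the zero path would free a stale pointer. Either make the contract explicit in code by adding `if ( principals ) *principals = NULL;` immediately above the guard, or state it next to the return: `/* 0 matches: *principals is left untouched and must not be freed */`. KFW_AFS_find_principals_for_cell begins before this hunk, so whether existing callers already zero `principals` is not visible here.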
@@ -999,37 +999,40 @@ KFW_import_ccache_data(void) && strcmp(pNCi[i]->name,LSA_CCNAME) ) { int found = 0; - krb5_ccache oldcc = 0; for ( j=0; pNCi[j]; j++ ) { if (!strcmp(pNCi[j]->name,pNCi[i]->principal)) { found = 1; break; } } - if (found) - continue; - - if ( IsDebuggerPresent() ) - OutputDebugString("copying ccache data to new ccache\n"); - + code = pkrb5_cc_resolve(ctx, pNCi[i]->principal, &cc); if (code) goto loop_cleanup; - code = pkrb5_parse_name(ctx, pNCi[i]->principal, &principal); - if (code) goto loop_cleanup; - code = pkrb5_cc_initialize(ctx, cc, principal); - if (code) goto loop_cleanup; - code = pkrb5_cc_resolve(ctx, pNCi[i]->name, &oldcc); - if (code) goto loop_cleanup; - code = pkrb5_cc_copy_creds(ctx,oldcc,cc); - if (code) { - code = pkrb5_cc_close(ctx,cc); - cc = 0; + + if (!found) { + krb5_ccache oldcc = 0; + + if ( IsDebuggerPresent() ) + OutputDebugString("copying ccache data to new ccache\n"); + + code = pkrb5_parse_name(ctx, pNCi[i]->principal, &principal); + if (code) goto loop_cleanup; + code = pkrb5_cc_initialize(ctx, cc, principal); + if (code) goto loop_cleanup; + + code = pkrb5_cc_resolve(ctx, pNCi[i]->name, &oldcc); + if (code) goto loop_cleanup; + code = pkrb5_cc_copy_creds(ctx,oldcc,cc); + if (code) { + code = pkrb5_cc_close(ctx,cc); + cc = 0; + code = pkrb5_cc_close(ctx,oldcc); + cc = 0; + KRB5_error(code, "krb5_cc_copy_creds", 0, NULL, NULL); + continue; + } code = pkrb5_cc_close(ctx,oldcc); - cc = 0; - KRB5_error(code, "krb5_cc_copy_creds", 0, NULL, NULL); - continue; - } - code = pkrb5_cc_close(ctx,oldcc); + } } else { code = pkrb5_cc_resolve(ctx, pNCi[i]->name, &cc); if (code) goto loop_cleanup; @@ -1129,11 +1132,13 @@ KFW_import_ccache_data(void) pkrb5_cc_close(ctx,cc); cc = 0; } + if (principal) { + pkrb5_free_principal(ctx,principal); + principal = 0; + } } cleanup: - if (principal) - pkrb5_free_principal(ctx,principal); if (ctx) pkrb5_free_context(ctx); if (pNCi) 
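Review bot: In the failure branch after `pkrb5_cc_copy_creds`, `code` is overwritten by the two `pkrb5_cc_close` calls before it reaches `KRB5_error(code, "krb5_cc_copy_creds", ...)`, so the error reported is the close status rather than the copy failure, and the second `cc = 0` after closing `oldcc` reads as if `oldcc = 0` was intended. The `continue` in that branch bypasses loop_cleanup, so the `principal` obtained from `pkrb5_parse_name` a few lines earlier is not released until the next iteration overwrites it. Save the copy error before closing and free the principal before continuing, as below. KFW_import_ccache_data and its for loop start before this hunk, so loop_cleanup itself is not visible here.
```c
            code = pkrb5_cc_copy_creds(ctx,oldcc,cc);
            if (code) {
                krb5_error_code copy_code = code;  /* report the copy failure, not the close status */
                pkrb5_cc_close(ctx,cc);
                cc = 0;
                pkrb5_cc_close(ctx,oldcc);
                oldcc = 0;
                KRB5_error(copy_code, "krb5_cc_copy_creds", 0, NULL, NULL);
                /* continue skips loop_cleanup, so release the principal here */
                pkrb5_free_principal(ctx,principal);
                principal = 0;
                continue;
            }
            /* … unchanged: close of oldcc, else branch … */
```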
@@ -1189,7 +1194,7 @@ KFW_AFS_get_cred(char * username, *realm = '\0'; realm++; } - if ( !realm[0] ) + if ( !realm || !realm[0] ) realm = afs_realm_of_cell(&cellconfig); // do not free if ( IsDebuggerPresent() ) { @@ -1475,6 +1480,13 @@ KFW_AFS_renew_token_for_cell(char * cell) if (code) goto cleanup; count = KFW_AFS_find_principals_for_cell(ctx, cell, &principals, TRUE); + if ( count == 0 ) { + // We know we must have a credential somewhere since we are + // trying to renew a token + + KFW_import_ccache_data(); + count = KFW_AFS_find_principals_for_cell(ctx, cell, &principals, TRUE); + } if ( count > 0 ) { krb5_principal princ = 0; krb5_principal service = 0; 
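Review bot: The retry calls KFW_AFS_find_principals_for_cell again with the same `principals` without freeing anything, which is only correct because that function returns 0 before it allocates; that coupling deserves a line, `// count == 0 means principals was never allocated, so the lookup can simply be repeated`. The new comment also overstates what the code knows: a renewal request does not guarantee a credential exists anywhere, and the `count > 0` test below is what actually decides, so `// No principal for this cell in the known caches yet; import the other ccaches and look again` describes the intent without the assumption. The result of KFW_import_ccache_data() is discarded (its return type is not visible here), so a failed import silently falls through to the second lookup. KFW_AFS_renew_token_for_cell continues outside this hunk.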
@@ -2384,102 +2396,6 @@ KFW_AFS_unlog(void)
 return(0);
 }
-
-#define TKTLIFENUMFIXED 64
-#define TKTLIFEMINFIXED 0x80
-#define TKTLIFEMAXFIXED 0xBF
-#define TKTLIFENOEXPIRE 0xFF
-#define MAXTKTLIFETIME (30*24*3600) /* 30 days */
-#ifndef NEVERDATE
-#define NEVERDATE ((unsigned long)0x7fffffffL)
-#endif
-
-static int no_long_lifetimes = 0;
-typedef unsigned long u_int32_t;
-
-static const int tkt_lifetimes[TKTLIFENUMFIXED] = {
- 38400, /* 10.67 hours, 0.44 days */
- 41055, /* 11.40 hours, 0.48 days */
- 43894, /* 12.19 hours, 0.51 days */
- 46929, /* 13.04 hours, 0.54 days */
- 50174, /* 13.94 hours, 0.58 days */
- 53643, /* 14.90 hours, 0.62 days */
- 57352, /* 15.93 hours, 0.66 days */
- 61318, /* 17.03 hours, 0.71 days */
- 65558, /* 18.21 hours, 0.76 days */
- 70091, /* 19.47 hours, 0.81 days */
- 74937, /* 20.82 hours, 0.87 days */
- 80119, /* 22.26 hours, 0.93 days */
- 85658, /* 23.79 hours, 0.99 days */
- 91581, /* 25.44 hours, 1.06 days */
- 97914, /* 27.20 hours, 1.13 days */
- 104684, /* 29.08 hours, 1.21 days */
- 111922, /* 31.09 hours, 1.30 days */
- 119661, /* 33.24 hours, 1.38 days */
- 127935, /* 35.54 hours, 1.48 days */
- 136781, /* 37.99 hours, 1.58 days */
- 146239, /* 40.62 hours, 1.69 days */
- 156350, /* 43.43 hours, 1.81 days */
- 167161, /* 46.43 hours, 1.93 days */
- 178720, /* 49.64 hours, 2.07 days */
- 191077, /* 53.08 hours, 2.21 days */
- 204289, /* 56.75 hours, 2.36 days */
- 218415, /* 60.67 hours, 2.53 days */
- 233517, /* 64.87 hours, 2.70 days */
- 249664, /* 69.35 hours, 2.89 days */
- 266926, /* 74.15 hours, 3.09 days */
- 285383, /* 79.27 hours, 3.30 days */
- 305116, /* 84.75 hours, 3.53 days */
- 326213, /* 90.61 hours, 3.78 days */
- 348769, /* 96.88 hours, 4.04 days */
- 372885, /* 103.58 hours, 4.32 days */
- 398668, /* 110.74 hours, 4.61 days */
- 426234, /* 118.40 hours, 4.93 days */
- 455705, /* 126.58 hours, 5.27 days */
- 487215, /* 135.34 hours, 5.64 days */
- 520904, /* 144.70 hours, 6.03 days */
- 556921, /* 154.70 hours, 6.45 days */
- 595430, /* 165.40 hours, 6.89 days */
- 636601, /* 176.83 hours, 7.37 days */
- 680618, /* 189.06 hours, 7.88 days */
- 727680, /* 202.13 hours, 8.42 days */
- 777995, /* 216.11 hours, 9.00 days */
- 831789, /* 231.05 hours, 9.63 days */
- 889303, /* 247.03 hours, 10.29 days */
-
- 950794, /* 264.11 hours, 11.00 days */
-
- 1016537, /* 282.37 hours, 11.77 days */
-
- 1086825, /* 301.90 hours, 12.58 days */
-
- 1161973, /* 322.77 hours, 13.45 days */
-
- 1242318, /* 345.09 hours, 14.38 days */
-
- 1328218, /* 368.95 hours, 15.37 days */
-
- 1420057, /* 394.46 hours, 16.44 days */
-
- 1518247, /* 421.74 hours, 17.57 days */
-
- 1623226, /* 450.90 hours, 18.79 days */
-
- 1735464, /* 482.07 hours, 20.09 days */
-
- 1855462, /* 515.41 hours, 21.48 days */
-
- 1983758, /* 551.04 hours, 22.96 days */
-
- 2120925, /* 589.15 hours, 24.55 days */
-
- 2267576, /* 629.88 hours, 26.25 days */
-
- 2424367, /* 673.44 hours, 28.06 days */
-
- 2592000}; /* 720.00 hours, 30.00 days */
-
-
 int
 KFW_AFS_klog(
 krb5_context alt_ctx,
@@ -2800,16 +2716,27 @@ KFW_AFS_klog( aclient.name[len] = '\0'; if ( k5creds->client->length > 1 ) { - len = min(k5creds->client->data[1].length,MAXKTCNAMELEN - 1); - strncpy(aclient.instance, k5creds->client->data[1].data, len); - aclient.instance[len] = '\0'; - } else - aclient.instance[0] = '\0'; - len = min(k5creds->client->realm.length,MAXKTCNAMELEN - 1); - for ( i=0; iclient->realm.data[i]); - } - aclient.cell[len] = '\0'; + char * p; + strcat(aclient.name, "."); + p = aclient.name + strlen(aclient.name); + len = min(k5creds->client->data[1].length,MAXKTCNAMELEN - strlen(aclient.name) - 1); + strncpy(p, k5creds->client->data[1].data, len); + p[len] = '\0'; + } + aclient.instance[0] = '\0'; + + strcpy(aclient.cell, realm_of_cell); + + len = min(k5creds->client->realm.length,strlen(realm_of_cell)); + if ( strncmp(realm_of_cell, k5creds->client->realm.data, len) ) { + char * p; + strcat(aclient.name, "@"); + p = aclient.name + strlen(aclient.name); + len = min(k5creds->client->realm.length,MAXKTCNAMELEN - strlen(aclient.name) - 1); + strncpy(p, k5creds->client->realm.data, len); + p[len] = '\0'; + } + aclient.smbname[0] = '\0'; rc = pktc_SetToken(&aserver, &atoken, &aclient, 0); @@ -2907,8 +2834,22 @@ KFW_AFS_klog( // * we were comparing whether identical tokens already existed. strncpy(aclient.name, creds.pname, MAXKTCNAMELEN - 1); - strcpy(aclient.instance, creds.pinst); - strncpy(aclient.cell, creds.realm, MAXKTCREALMLEN - 1); + if (creds.pinst[0]) + { + strncat(aclient.name, ".", MAXKTCNAMELEN - 1); + strncat(aclient.name, creds.pinst, MAXKTCNAMELEN - 1); + } + strcpy(aclient.instance, ""); + + if ( strcmp(realm_of_cell, creds.realm) ) + { + char * p; + strncat(aclient.name, "@", MAXKTCNAMELEN - 1); + strncpy(aclient.name, creds.realm, MAXKTCREALMLEN - 1); + } + aclient.name[MAXKTCREALMLEN-1] = '\0'; + + strcpy(aclient.cell, CellName); if (rc = pktc_SetToken(&aserver, &atoken, &aclient, 0)) {
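Review bot: `strcat(aclient.name, ".")` and `strcat(aclient.name, "@")` are unbounded: `aclient.name` was just filled to as many as MAXKTCNAMELEN - 1 characters, so the separator can land on the terminator slot, after which `MAXKTCNAMELEN - strlen(aclient.name) - 1` wraps in size_t arithmetic and the following strncpy has no effective bound. The realm test is also only a prefix comparison, since `strncmp` runs over `min(realm.length, strlen(realm_of_cell))`: a client realm that shares a leading prefix with the cell realm, or is a prefix of it, is treated as the same realm and that principal gets an unqualified token name as if it were local. Compare the lengths as well as the bytes, and check for room before each append, as below; `strcpy(aclient.cell, realm_of_cell)` presumably relies on afs_realm_of_cell() bounding its result to MAXKTCREALMLEN, which is worth a comment if so. KFW_AFS_klog continues outside this hunk on both sides.
```c
    if ( k5creds->client->length > 1 ) {
        size_t used = strlen(aclient.name);
        /* append ".instance" only if the separator, some payload and the terminator still fit */
        if ( used + 1 < MAXKTCNAMELEN - 1 ) {
            char * p = aclient.name + used;
            *p++ = '.';
            len = min(k5creds->client->data[1].length, MAXKTCNAMELEN - 1 - (used + 1));
            strncpy(p, k5creds->client->data[1].data, len);
            p[len] = '\0';
        }
    }
    aclient.instance[0] = '\0';

    strcpy(aclient.cell, realm_of_cell);   /* assumes afs_realm_of_cell() bounds this to MAXKTCREALMLEN -- confirm */

    /* the realms must match in full; a shared prefix is not the same realm */
    if ( k5creds->client->realm.length != strlen(realm_of_cell) ||
         strncmp(realm_of_cell, k5creds->client->realm.data, k5creds->client->realm.length) ) {
        size_t used = strlen(aclient.name);
        if ( used + 1 < MAXKTCNAMELEN - 1 ) {
            char * p = aclient.name + used;
            *p++ = '@';
            len = min(k5creds->client->realm.length, MAXKTCNAMELEN - 1 - (used + 1));
            strncpy(p, k5creds->client->realm.data, len);
            p[len] = '\0';
        }
    }
    /* … unchanged: aclient.smbname, pktc_SetToken call … */
```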
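Review bot: In the new `strcmp(realm_of_cell, creds.realm)` branch, `strncpy(aclient.name, creds.realm, MAXKTCREALMLEN - 1)` overwrites the name from its first byte instead of appending after the `@` just added, so the token client name becomes the bare realm and the user part is lost; `p` is declared there and never used. The `strncat(..., MAXKTCNAMELEN - 1)` calls are mis-sized as well, because strncat's count is the number of characters to append rather than the buffer size, so name plus instance can run past MAXKTCNAMELEN; and the final `aclient.name[MAXKTCREALMLEN-1] = '\0'` indexes a name buffer the hunk itself sizes by MAXKTCNAMELEN, which is an out-of-bounds write if the realm constant is the larger of the two. Bound each append by the room left in `aclient.name`, and copy CellName into `aclient.cell` with the same MAXKTCREALMLEN bound the removed line used, as below. KFW_AFS_klog continues outside this hunk, and whether `aclient` is zeroed earlier so the initial strncpy is always terminated is not visible here.
```c
    strncpy(aclient.name, creds.pname, MAXKTCNAMELEN - 1);
    aclient.name[MAXKTCNAMELEN - 1] = '\0';
    if (creds.pinst[0])
    {
        /* strncat's count is the room left in the buffer, not its size */
        strncat(aclient.name, ".", MAXKTCNAMELEN - 1 - strlen(aclient.name));
        strncat(aclient.name, creds.pinst, MAXKTCNAMELEN - 1 - strlen(aclient.name));
    }
    strcpy(aclient.instance, "");

    if ( strcmp(realm_of_cell, creds.realm) )
    {
        /* append "@REALM" after the name; do not overwrite it */
        strncat(aclient.name, "@", MAXKTCNAMELEN - 1 - strlen(aclient.name));
        strncat(aclient.name, creds.realm, MAXKTCNAMELEN - 1 - strlen(aclient.name));
    }

    strncpy(aclient.cell, CellName, MAXKTCREALMLEN - 1);
    aclient.cell[MAXKTCREALMLEN - 1] = '\0';
    /* … unchanged: pktc_SetToken call … */
```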