krb5-sync 2.4 (unreleased)
+ Drop support for MIT Kerberos versions prior to 1.9. All major
+ distributions are now shipping with a newer version of MIT Kerberos
+ than this, and supporting older versions requires supporting patches
+ and maintaining handicapped internal APIs. MIT Kerberos 1.9 and later
+ do not require patches to use this module. Patches for Heimdal are
+ still provided.
+
Add a new string krb5.conf option, ad_base_instance, which, if set,
changes the way that password synchronization is handled. When this
option is set, the password for the principal formed by appending that
Maintained by Russ Allbery <eagle@eyrie.org>
- Copyright 2006, 2007, 2010, 2011, 2012 The Board of Trustees of the
- Leland Stanford Junior University. Originally developed by Derrick
+ Copyright 2006, 2007, 2010, 2011, 2012, 2013 The Board of Trustees of
+ the Leland Stanford Junior University. Originally developed by Derrick
Brashear and Ken Hornstein of Sine Nomine Associates, on behalf of
Stanford University. This software is distributed under a BSD-style
license. Please see the section LICENSE below for more information.
Password changes are done via the Kerberos password change protocol, and
account status is updated via LDAP. It provides a plugin for the kadmin
libraries and supporting command-line utilities, as well as a patch for
- Heimdal and older versions of MIT Kerberos to add plugin support.
+ Heimdal to add plugin support.
DESCRIPTION
can be used to process failed synchronizations later, to test the
system, or to make manual changes as required.
- * Patches to Heimdal and to versions of MIT Kerberos prior to 1.9 to
- add a plugin system for password changes and account status updates.
- MIT Kerberos 1.9 and later do not require patching. These patches
- add hooks that are run prior to a password change, after a password
- change, and after a change to an account's flags. The code added by
- these patches to libkadm5srv is independent of what that plugin might
- do.
+ * Patches to Heimdal to add a plugin system for password changes and
+ account status updates. MIT Kerberos 1.9 and later do not require
+ patching, and earlier versions of MIT Kerberos are not supported.
+ These patches add hooks that are run before and after password
+ changes, principal creations, and changes to principals. The code
+ added by these patches to libkadm5srv is independent of what that
+ plugin might do.
The plugin and system are designed so that operations done in the hook
prior to the password change can abort the password change if they fail.
Currently, only one Active Directory realm is supported for updates.
- Be aware that, due to the structure of the MIT Kerberos libkadm5srv
- code, the patch for versions prior to 1.9 runs the pre-commit hook and
- hence password propagation to Active Directory before the password is
- checked for reuse. This means that the password may be changed in
- Active Directory but then rejected by the local KDC if it is present in
- the account's password history. If you remember only one password in
- the password history, this will be harmless, since it will only mean the
- Active Directory password will be reset to the existing password. If,
- however, you store multiple passwords in the password history, the
- passwords could end up being desynchronized. I believe this is fixed in
- MIT Kerberos 1.9.
-
REQUIREMENTS
The utilities provided in this package will work without any
modifications to your KDC or kadmind, but to use this entire system, you
will either need MIT Kerberos 1.9 or later or apply the patch in the
- patches directory to MIT Kerberos or Heimdal and rebuild. Due to how
- kadmind is constructed, the changes are actually in the libkadm5srv
- library, not the kadmind binary, so you'll need to install the modified
- libraries. It is my hope that eventually the hooks necessary to do this
- will be incorporated into the Heimdal distribution as well, and these
- tools will be modified to support the Heimdal interfaces, and then
- patching will not be necessary.
+ patches directory to Heimdal and rebuild. Due to how kadmind is
+ constructed, the changes are actually in the libkadm5srv library, not
+ the kadmind binary, so you'll need to install the modified libraries.
+ It is my hope that eventually the hooks necessary to do this will be
+ incorporated into the Heimdal distribution as well, and these tools will
+ be modified to support the Heimdal interfaces, and then patching will
+ not be necessary.
To build the account status update code, you will need OpenLDAP
installed. To authenticate to Active Directory, you will also need
INSTALLATION
- First, for Heimdal or versions of MIT Kerberos prior to 1.9, patch MIT
- Kerberos or Heimdal with the patch provided in the patches directory and
- install the new libkadm5srv or libkadm5srv_mit library. See
- patches/README for more information about the patch. If you're using a
- different version of MIT Kerberos or Heimdal, you may need to adjust the
- patch accordingly.
+ First, for Heimdal, patch Heimdal with one of the patches provided in
+ the patches directory and install the new libkadm5srv library. See
+ patches/README for more information about the patches. If you're using
+ a different version of MIT Kerberos or Heimdal, you may need to adjust
+ the patch accordingly.
Then, you can build and install the plugin and command-line utilities
with the standard commands:
The krb5-sync package as a whole is covered by the following copyright
statement and license:
- Copyright 2006, 2007, 2008, 2010, 2011, 2012
+ Copyright 2006, 2007, 2008, 2010, 2011, 2012, 2013
The Board of Trustees of the Leland Stanford Junior University
Permission is hereby granted, free of charge, to any person obtaining a
-The patches in this directory apply to MIT Kerberos and add to kadmind a
-plugin API for performing actions before and after a password change is
-committed to the KDC database and after a change is made to the attributes
-of a principal (specifically, a change to DISALLOW_ALL_TIX).
+The patches in this directory apply to Heimdal and add plugin support to
+the kadmin libraries for performing actions before and after a password
+change is committed to the KDC database and after a change is made to the
+attributes of a principal (specifically, a change to DISALLOW_ALL_TIX).
-No patch is required for MIT Kerberos 1.9 or later.
+No patch is required for MIT Kerberos 1.9 or later. MIT Kerberos prior to
+1.9 is not supported.
-Currently, there are three patches available:
+Currently, there is one patch available:
heimdal-1.3.1 Built against stock Heimdal 1.3.1
- mit-krb5-1.4.4 Built against stock MIT Kerberos 1.4.4
- mit-krb5-1.8.3 Built against stock MIT Kerberos 1.8.3
-
-After applying the patch, you will need to run src/util/reconf to
-regenerate the Autoconf files. With MIT Kerberos 1.4.4, you will need an
-older version of Autoconf (2.59 or earlier) or shared library fragments
-will not be handled properly.
More patches against other source trees may be provided in the future.
Please let me know if there is a specific version you wish to see a patch
for (and even better, let me know if you have a tested patch for a
different version).
-This patch adds to kadmind a configuration option which should be set in
-the local realm section of kdc.conf. That configuration option is in the
-form:
+This patch adds a hook_libraries configuration option to the [kadmin]
+section of krb5.conf (or kdc.conf if you use that file) that must be set
+to load the module. That configuration option is in the form:
- pwupdate_plugin = /usr/local/lib/kadmind/passwd_update.so
+ [kadmin]
+ hook_libraries = /usr/local/lib/krb5/plugins/kadm5_hook/krb5_sync.so
where the value is the full path to the plugin that you want to load. If
this option is not present, kadmind will not load a plugin and the changes
error message in syslog.
-Be aware that, due to the structure of the kadmind code, the pre-commit
-hook will be called before the password is checked for reuse. If the
-password is present in that account's password history, the password
-change may still be rejected by the local KDC after the pre-commit hook
-has been called. If you remember only one password in the password
-history, this will be harmless, since in this failure case the pre-commit
-hook would have propagated the existing password. If, however, you store
-multiple passwords in the password history, the pre-commit hook could
-change the password in another environment even though it wasn't
-successful in the local KDC. This is fixed in the code incorporated into
-MIT Kerberos 1.9 and later.
-
-
-Any plugin used with this patch must implement the following two
-interfaces:
-
-int pwupdate_init(krb5_context ctx, void **data)
-
- Initialize the plugin. Takes a Kerberos context from kadmind and a
- pointer to a pointer. Whatever value is stored in the second argument
- will then be passed to all the other plugin functions, so this
- interface can be used to load options and allocate any necessary
- internal state.
-
- Returns 0 on success, non-zero on failure. The numerical code
- returned on failure will be logged by kadmind, so it can be used for
- debugging (to track down just what is failing). If this function
- fails, it will abort kadmind startup.
-
-void pwupdate_close(void *data)
-
- Shut down the plugin. This function is responsible for freeing any
- memory or other resources allocated by pwupdate_init. It is passed
- the pointer that pwupdate_init stored in its second argument (like all
- of the other plugin functions).
-
-
-Finally, any plugin must implement one or more of the following
-interfaces. If it implemented none of them, it would do nothing and would
-therefore be pointless, so that is treated as an error. If the plugin
-does not implement one of these interfaces, the resulting portion of the
-kadmind patch will be deactivated and that hook will not be called.
-
-int pwupdate_precommit_password(void *data, krb5_principal principal,
- char *password, int pwlen, char *errstr, int errstrlen)
-
- Called immediately before a password change is committed to the KDC
- database. All necessary authentication and authorization has already
- been done. This function is called for any password change, including
- password changes of service principals, but is not called for key
- randomization (-randkey).
-
- The arguments passed in are the pointer set by the initialization
- function, the principal whose password is being changed, the new
- password, the length of the new password, a buffer into which error
- messages should be written, and the length of the buffer.
-
- This function should return 0 for success and non-zero for failure.
- On failure, some appropriate error message should be written into the
- errstr buffer (being careful to nul-terminate and not exceed errstrlen
- bytes including the terminating nul). The return code and the error
- message will be logged by kadmind but not passed back to the client.
-
- If this call fails (returns a non-zero status), the password change is
- aborted and is not changed in the local KDC database.
-
-int pwupdate_postcommit_password(void *data, krb5_principal principal,
- char *password, int pwlen, char *errstr, int errstrlen)
-
- Identical in arguments and meaning of return status to
- pwupdate_precommit_password, this function is called immediately after
- a password change is committed to the local KDC database. If this
- call fails (returns a non-zero status), the password change is *not*
- aborted and is *not* rolled back. The only effect of a non-zero
- status return is that kadmind will log the status code and error
- message.
-
-int pwupdate_postcommit_status(void *data, krb5_principal principal,
- int enabled, char *errstr, int errstrlen)
-
- Called immediately after a change to the DISALLOW_ALL_TIX attribute of
- a principal. This function is only called if the status changes, not
- if the attribute is being set to the same as its current value.
-
- The arguments passed in are the pointer set by the initialization
- function, the principal whose attributes are being changed, a flag
- that's set to 1 if DISALLOW_ALL_TIX was just cleared and set to 0 if
- DISALLOW_ALL_TIX was just set, a buffer into which error messages
- should be written, and the length of the buffer.
-
- This function should return 0 for success and non-zero for failure.
- On failure, some appropriate error message should be written into the
- errstr buffer (being careful to nul-terminate and not exceed errstrlen
- bytes including the terminating nul). The return code and the error
- message will be logged by kadmind but not passed back to the client.
-
- The only effect of failing (returning a non-zero status) is that
- kadmind will log an error with the return status and the error message
- from the errstr buffer. The change will not be aborted or rolled
- back.
+Any plugin used with this patch must expose a public struct named
+kadm5_hook. That struct must contain the following:
+
+ typedef struct kadm5_hook {
+ const char *name;
+ int version;
+ const char *vendor;
+
+ krb5_error_code (*init)(krb5_context, void **);
+ void (*fini)(krb5_context, void *);
+
+ krb5_error_code (*chpass)(krb5_context, void *, enum kadm5_hook_stage,
+ krb5_principal, const char *);
+ krb5_error_code (*create)(krb5_context, void *, enum kadm5_hook_stage,
+ kadm5_principal_ent_t, uint32_t mask,
+ const char *password);
+ krb5_error_code (*modify)(krb5_context, void *, enum kadm5_hook_stage,
+ kadm5_principal_ent_t, uint32_t mask);
+ } kadm5_hook;
+
+where enum kadm5_hook_stage is:
+
+ enum kadm5_hook_stage {
+ KADM5_HOOK_STAGE_PRECOMMIT,
+ KADM5_HOOK_STAGE_POSTCOMMIT
+ };
+
+init creates a hook context that is passed into all subsequent calls.
+chpass is called for password changes, create is called for principal
+creation (with the newly-created principal in the kadm5_principal_ent_t
+argument), and modify is called when a principal is modified.
+
+These functions should follow the normal Kerberos calling convention of
+returning 0 on success and a Kerberos error code on failure, setting the
+Kerberos error message in the provided context.
-----
-Copyright 2012
+Copyright 2012, 2013
The Board of Trustees of the Leland Stanford Junior University
Copying and distribution of this file, with or without modification, are
+++ /dev/null
-krb5-sync patch for stock MIT Kerberos 1.4.4.
-
-This patch may apply to earlier or later versions but may not and will
-require verification.
-
-Note that this patch modifies configure.in and hence will require running
-util/reconf from the src directory of the MIT Kerberos distribution before
-running configure and rebuilding.
-
-Written by Russ Allbery <eagle@eyrie.org>
-Based on code developed by Derrick Brashear and Ken Hornstein of Sine
- Nomine Associates, on behalf of Stanford University.
-
-Copyright 2006, 2007
- The Board of Trustees of the Leland Stanford Junior University
-
-See LICENSE for licensing terms.
-
-diff -ru krb5-1.4.4/src/lib/kadm5/admin.h krb5-1.4.4-patched/src/lib/kadm5/admin.h
---- krb5-1.4.4/src/lib/kadm5/admin.h 2005-11-28 16:01:49.000000000 -0800
-+++ krb5-1.4.4-patched/src/lib/kadm5/admin.h 2007-07-29 19:12:55.000000000 -0700
-@@ -227,6 +227,7 @@
- char * admin_keytab;
- char * acl_file;
- char * dict_file;
-+ char * pwupdate_plugin;
-
- int mkey_from_kbd;
- char * stash_file;
-diff -ru krb5-1.4.4/src/lib/kadm5/alt_prof.c krb5-1.4.4-patched/src/lib/kadm5/alt_prof.c
---- krb5-1.4.4/src/lib/kadm5/alt_prof.c 2004-06-24 13:08:30.000000000 -0700
-+++ krb5-1.4.4-patched/src/lib/kadm5/alt_prof.c 2007-07-29 19:12:55.000000000 -0700
-@@ -515,6 +515,16 @@
- params.dict_file = svalue;
- }
-
-+ /* Get the value for the pwsync plugin */
-+ hierarchy[2] = "pwupdate_plugin";
-+ if (aprofile &&
-+ !krb5_aprof_get_string(aprofile, hierarchy, TRUE,
-+ &svalue)) {
-+ params.pwupdate_plugin = svalue;
-+ } else {
-+ params.pwupdate_plugin = NULL;
-+ }
-+
- /* Get the value for the kadmind port */
- if (! (params.mask & KADM5_CONFIG_KADMIND_PORT)) {
- hierarchy[2] = "kadmind_port";
-Only in krb5-1.4.4-patched/src/lib/kadm5: alt_prof.c.orig
-diff -ru krb5-1.4.4/src/lib/kadm5/configure.in krb5-1.4.4-patched/src/lib/kadm5/configure.in
---- krb5-1.4.4/src/lib/kadm5/configure.in 2004-02-12 19:19:30.000000000 -0800
-+++ krb5-1.4.4-patched/src/lib/kadm5/configure.in 2007-07-29 19:12:55.000000000 -0700
-@@ -10,10 +10,12 @@
- AC_CHECK_PROG(RUNTEST,runtest,runtest)
- AC_CHECK_PROG(PERL,perl,perl)
- AC_CHECK_FUNCS(srand48 srand srandom)
-+AC_CHECK_LIB(dl, dlopen, DL_LIB=-ldl)
- AC_KRB5_TCL
- if test "$PERL" = perl -a "$RUNTEST" = runtest -a "$TCL_LIBS" != ""; then
- DO_TEST=ok
- fi
-+AC_SUBST(DL_LIB)
- AC_SUBST(DO_TEST)
- dnl
- KRB5_BUILD_LIBOBJS
-diff -ru krb5-1.4.4/src/lib/kadm5/server_internal.h krb5-1.4.4-patched/src/lib/kadm5/server_internal.h
---- krb5-1.4.4/src/lib/kadm5/server_internal.h 2005-11-28 16:01:49.000000000 -0800
-+++ krb5-1.4.4-patched/src/lib/kadm5/server_internal.h 2007-07-29 19:12:55.000000000 -0700
-@@ -62,6 +62,9 @@
- int find_word(const char *word);
- void destroy_dict(void);
-
-+int init_pwupdate(krb5_context, kadm5_config_params *);
-+void destroy_pwupdate(void);
-+
- /* XXX this ought to be in libkrb5.a, but isn't */
- kadm5_ret_t krb5_copy_key_data_contents(krb5_context context,
- krb5_key_data *from,
-diff -ru krb5-1.4.4/src/lib/kadm5/srv/Makefile.in krb5-1.4.4-patched/src/lib/kadm5/srv/Makefile.in
---- krb5-1.4.4/src/lib/kadm5/srv/Makefile.in 2005-11-28 16:23:12.000000000 -0800
-+++ krb5-1.4.4-patched/src/lib/kadm5/srv/Makefile.in 2007-07-29 19:12:55.000000000 -0700
-@@ -21,7 +21,7 @@
- $(TOPLIBD)/libk5crypto$(SHLIBEXT) \
- $(COM_ERR_DEPLIB)
- SHLIB_EXPLIBS = -lgssrpc -lgssapi_krb5 -lkdb5 $(KDB5_DB_LIB) \
-- -lkrb5 -lk5crypto -lcom_err @GEN_LIB@
-+ -lkrb5 -lk5crypto -lcom_err @GEN_LIB@ @DL_LIB@
- SHLIB_DIRS=-L$(TOPLIBD)
- SHLIB_RDIRS=$(KRB5_LIBDIR)
- RELDIR=kadm5/srv
-diff -ru krb5-1.4.4/src/lib/kadm5/srv/server_init.c krb5-1.4.4-patched/src/lib/kadm5/srv/server_init.c
---- krb5-1.4.4/src/lib/kadm5/srv/server_init.c 2005-11-28 16:01:49.000000000 -0800
-+++ krb5-1.4.4-patched/src/lib/kadm5/srv/server_init.c 2007-07-29 19:12:55.000000000 -0700
-@@ -272,6 +272,15 @@
- return ret;
- }
-
-+ ret = init_pwupdate(handle->context, &handle->params);
-+ if (ret) {
-+ krb5_db_fini(handle->context);
-+ krb5_free_principal(handle->context, handle->current_caller);
-+ krb5_free_context(handle->context);
-+ free(handle);
-+ return ret;
-+ }
-+
- ret = adb_policy_init(handle);
- if (ret) {
- krb5_db_fini(handle->context);
-@@ -294,6 +303,7 @@
- CHECK_HANDLE(server_handle);
-
- destroy_dict();
-+ destroy_pwupdate();
-
- adb_policy_close(handle);
- krb5_db_fini(handle->context);
-diff -ru krb5-1.4.4/src/lib/kadm5/srv/svr_principal.c krb5-1.4.4-patched/src/lib/kadm5/srv/svr_principal.c
---- krb5-1.4.4/src/lib/kadm5/srv/svr_principal.c 2005-11-28 16:01:49.000000000 -0800
-+++ krb5-1.4.4-patched/src/lib/kadm5/srv/svr_principal.c 2007-07-29 19:12:55.000000000 -0700
-@@ -23,6 +23,9 @@
- #include <sys/wait.h>
- #endif
-
-+#include <dlfcn.h>
-+#include <syslog.h>
-+
- extern krb5_principal master_princ;
- extern krb5_principal hist_princ;
- extern krb5_keyblock master_keyblock;
-@@ -35,6 +38,17 @@
- int n_key_data, krb5_key_data *key_data,
- krb5_keyblock **keyblocks, int *n_keys);
-
-+static void *update_handle = NULL;
-+static int (*d_pwupdate_init)(krb5_context, void **) = NULL;
-+static int (*d_pwupdate_precommit_password)(void *, krb5_principal, char *,
-+ int, char *, int) = NULL;
-+static int (*d_pwupdate_postcommit_password)(void *, krb5_principal, char *,
-+ int, char *, int) = NULL;
-+static int (*d_pwupdate_postcommit_status)(void *, krb5_principal, int,
-+ char *, int) = NULL;
-+static int (*d_pwupdate_close)(void *) = NULL;
-+static void *pwupdate_context = NULL;
-+
- /*
- * XXX Functions that ought to be in libkrb5.a, but aren't.
- */
-@@ -238,6 +252,25 @@
- return(ret);
- }
-
-+ /*
-+ * If we have a precommit password update entry point, call that now
-+ * before any database modifications.
-+ */
-+
-+ if (d_pwupdate_precommit_password) {
-+ char errstr[256];
-+
-+ ret = (*d_pwupdate_precommit_password)(pwupdate_context,
-+ entry->principal, password,
-+ strlen(password), errstr,
-+ sizeof(errstr));
-+ if (ret) {
-+ krb5_klog_syslog(LOG_ERR, "External password update failed: "
-+ "%s (%d)", errstr, ret);
-+ return ret;
-+ }
-+ }
-+
- if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now))) {
- krb5_dbe_free_contents(handle->context, &kdb);
- if (mask & KADM5_POLICY)
-@@ -328,6 +361,18 @@
- return(ret);
- }
-
-+ if (d_pwupdate_postcommit_password) {
-+ char errstr[256];
-+
-+ ret = (*d_pwupdate_postcommit_password)(pwupdate_context,
-+ entry->principal, password,
-+ strlen(password), errstr,
-+ sizeof(errstr));
-+ if (ret)
-+ krb5_klog_syslog(LOG_ERR, "WARNING: External password update "
-+ "failed: %s (%d)", errstr, ret);
-+ }
-+
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
-
-@@ -515,8 +560,22 @@
- KADM5_REF_COUNT)))))
- goto done;
-
-- if ((mask & KADM5_ATTRIBUTES))
-+ if ((mask & KADM5_ATTRIBUTES)) {
-+ if (d_pwupdate_postcommit_status
-+ && ((kdb.attributes & KRB5_KDB_DISALLOW_ALL_TIX) !=
-+ (entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX))) {
-+ char errstr[256];
-+ int enabled = (entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX) == 0;
-+
-+ ret = (*d_pwupdate_postcommit_status)(pwupdate_context,
-+ entry->principal, enabled,
-+ errstr, sizeof(errstr));
-+ if (ret)
-+ krb5_klog_syslog(LOG_ERR, "External status update failed: "
-+ "%s (%d)", errstr, ret);
-+ }
- kdb.attributes = entry->attributes;
-+ }
- if ((mask & KADM5_MAX_LIFE))
- kdb.max_life = entry->max_life;
- if ((mask & KADM5_PRINC_EXPIRE_TIME))
-@@ -1250,6 +1309,24 @@
- KADM5_POLICY, &pol, principal)))
- goto done;
-
-+ /*
-+ * If we have a precommit password update entry point, call that now
-+ * before any database modifications.
-+ */
-+
-+ if (d_pwupdate_precommit_password) {
-+ char errstr[256];
-+
-+ ret = (*d_pwupdate_precommit_password)(pwupdate_context, principal,
-+ password, strlen(password),
-+ errstr, sizeof(errstr));
-+ if (ret) {
-+ krb5_klog_syslog(LOG_ERR, "External password update failed: "
-+ "%s (%d)", errstr, ret);
-+ return ret;
-+ }
-+ }
-+
- ret = krb5_dbe_cpw(handle->context, &master_keyblock,
- n_ks_tuple?ks_tuple:handle->params.keysalts,
- n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
-@@ -1367,6 +1444,17 @@
- if ((ret = kdb_put_entry(handle, &kdb, &adb)))
- goto done;
-
-+ if (d_pwupdate_postcommit_password) {
-+ char errstr[256];
-+
-+ ret = (*d_pwupdate_postcommit_password)(pwupdate_context, principal,
-+ password, strlen(password),
-+ errstr, sizeof(errstr));
-+ if (ret)
-+ krb5_klog_syslog(LOG_ERR, "WARNING: External password update "
-+ "failed: %s (%d)", errstr, ret);
-+ }
-+
- ret = KADM5_OK;
- done:
- if (!hist_added && hist.key_data)
-@@ -1946,3 +2034,71 @@
-
- return KADM5_OK;
- }
-+
-+/*
-+ * Function: init_pwupdate
-+ *
-+ * Initialize the password update module (if we have one)
-+ *
-+ * Right now all we do is look for a module named "pwupdate.so" in the
-+ * same directory as the database. Later on this should be cleaned up.
-+ */
-+
-+int
-+init_pwupdate(krb5_context context, kadm5_config_params *params)
-+{
-+ int ret;
-+
-+ if (params->pwupdate_plugin) {
-+ update_handle = dlopen(params->pwupdate_plugin, RTLD_NOW);
-+
-+ if (! update_handle) {
-+ krb5_klog_syslog(LOG_ERR, "ERROR: Unable to load plugin "
-+ "\"%s\": %s", params->pwupdate_plugin,
-+ dlerror());
-+ return KADM5_FAILURE;
-+ }
-+
-+ d_pwupdate_init = dlsym(update_handle, "pwupdate_init");
-+ d_pwupdate_precommit_password = dlsym(update_handle,
-+ "pwupdate_precommit_password");
-+ d_pwupdate_postcommit_password = dlsym(update_handle,
-+ "pwupdate_postcommit_password");
-+ d_pwupdate_postcommit_status = dlsym(update_handle,
-+ "pwupdate_postcommit_status");
-+ d_pwupdate_close = dlsym(update_handle, "pwupdate_close");
-+
-+ if (d_pwupdate_init == NULL
-+ || d_pwupdate_close == NULL
-+ || (d_pwupdate_precommit_password == NULL &&
-+ d_pwupdate_postcommit_password == NULL &&
-+ d_pwupdate_postcommit_status == NULL)) {
-+ krb5_klog_syslog(LOG_ERR, "ERROR: Needed symbols missing in "
-+ "pwupdate plugin");
-+ dlclose(update_handle);
-+ update_handle = NULL;
-+ return KADM5_FAILURE;
-+ }
-+
-+ ret = (*d_pwupdate_init)(context, &pwupdate_context);
-+
-+ if (ret != 0) {
-+ krb5_klog_syslog(LOG_ERR, "ERROR: Password update plugin "
-+ "initialization failed with code %d", ret);
-+ dlclose(update_handle);
-+ update_handle = NULL;
-+ return KADM5_FAILURE;
-+ }
-+
-+ krb5_klog_syslog(LOG_INFO, "Password update plugin \"%s\" initialized",
-+ params->pwupdate_plugin);
-+ }
-+ return KADM5_OK;
-+}
-+
-+void
-+destroy_pwupdate(void)
-+{
-+ if (d_pwupdate_close)
-+ (*d_pwupdate_close)(pwupdate_context);
-+}
+++ /dev/null
-krb5-sync patch for stock MIT Kerberos 1.8.3.
-
-This patch may apply to earlier or later versions but may not and will
-require verification.
-
-Note that this patch modifies configure.in and hence will require running
-util/reconf from the src directory of the MIT Kerberos distribution before
-running configure and rebuilding.
-
-Written by Russ Allbery <eagle@eyrie.org>
-Ported to 1.8.3 by Sam Hartman <hartmans@debian.org>
-Based on code developed by Derrick Brashear and Ken Hornstein of Sine
- Nomine Associates, on behalf of Stanford University.
-
-Copyright 2006, 2007
- The Board of Trustees of the Leland Stanford Junior University
-
-See LICENSE for licensing terms.
-
-diff --git a/src/configure.in b/src/configure.in
-index e353065..269ed4c 100644
---- a/src/configure.in
-+++ b/src/configure.in
-@@ -1041,6 +1041,8 @@ else
- fi
- AC_SUBST(ldap_plugin_dir)
- AC_SUBST(LDAP)
-+AC_CHECK_LIB(dl, dlopen, DL_LIB=-ldl)
-+AC_SUBST(DL_LIB)
-
- # We really should look for and use python-config.
- PYTHON_LIB=
-diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
-index 8fad111..9016162 100644
---- a/src/lib/kadm5/admin.h
-+++ b/src/lib/kadm5/admin.h
-@@ -241,9 +241,9 @@ typedef struct _kadm5_config_params {
- specified in the database module section of the config
- file. */
- char * dbname;
-+ char * pwupdate_plugin;
-
- /* dummy fields to preserve abi for now */
-- char * admin_dbname_was_here;
- char * admin_lockfile_was_here;
-
- char * admin_keytab;
-diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
-index 7d28738..df460b3 100644
---- a/src/lib/kadm5/alt_prof.c
-+++ b/src/lib/kadm5/alt_prof.c
-@@ -619,7 +619,7 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config,
- GET_STRING_PARAM(dbname, KADM5_CONFIG_DBNAME, KRB5_CONF_DATABASE_NAME,
- DEFAULT_KDB_FILE);
-
-- params.admin_dbname_was_here = NULL;
-+ params.pwupdate_plugin = NULL;
- params.admin_lockfile_was_here = NULL;
- /* never set KADM5_CONFIG_ADBNAME, KADM5_CONFIG_ADB_LOCKFILE */
-
-@@ -640,7 +640,7 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config,
-
- /* Get the name of the dict file */
- GET_STRING_PARAM(dict_file, KADM5_CONFIG_DICT_FILE, KRB5_CONF_DICT_FILE, NULL);
--
-+ GET_STRING_PARAM(pwupdate_plugin, 0, "pwupdate_plugin", NULL);
- #define GET_PORT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \
- get_port_param(¶ms.FIELD, params_in->FIELD, \
- ¶ms.mask, params_in->mask, BIT, \
-diff --git a/src/lib/kadm5/server_internal.h b/src/lib/kadm5/server_internal.h
-index 3276b27..394cda1 100644
---- a/src/lib/kadm5/server_internal.h
-+++ b/src/lib/kadm5/server_internal.h
-@@ -94,6 +94,9 @@ int init_dict(kadm5_config_params *);
- int find_word(const char *word);
- void destroy_dict(void);
-
-+int init_pwupdate(krb5_context, kadm5_config_params *);
-+void destroy_pwupdate(void);
-+
- /* XXX this ought to be in libkrb5.a, but isn't */
- kadm5_ret_t krb5_copy_key_data_contents(krb5_context context,
- krb5_key_data *from,
-diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in
-index 9e8b26f..d5807c5 100644
---- a/src/lib/kadm5/srv/Makefile.in
-+++ b/src/lib/kadm5/srv/Makefile.in
-@@ -22,7 +22,7 @@ SHLIB_EXPDEPS=\
- $(TOPLIBD)/libk5crypto$(SHLIBEXT) \
- $(COM_ERR_DEPLIB) $(SUPPORT_LIBDEP)
- SHLIB_EXPLIBS = -lgssrpc -lgssapi_krb5 -lkdb5 $(KDB5_DB_LIB) \
-- -lkrb5 -lk5crypto $(SUPPORT_LIB) -lcom_err @GEN_LIB@
-+ -lkrb5 -lk5crypto $(SUPPORT_LIB) -lcom_err @GEN_LIB@ @DL_LIB@
- SHLIB_DIRS=-L$(TOPLIBD)
- SHLIB_RDIRS=$(KRB5_LIBDIR)
- RELDIR=kadm5/srv
-diff --git a/src/lib/kadm5/srv/server_init.c b/src/lib/kadm5/srv/server_init.c
-index 557ef0a..b96108e 100644
---- a/src/lib/kadm5/srv/server_init.c
-+++ b/src/lib/kadm5/srv/server_init.c
-@@ -326,6 +326,14 @@ kadm5_ret_t kadm5_init(krb5_context context, char *client_name, char *pass,
- return ret;
- }
-
-+ ret = init_pwupdate(handle->context, &handle->params);
-+ if (ret) {
-+ krb5_db_fini(handle->context);
-+ krb5_free_principal(handle->context, handle->current_caller);
-+ krb5_free_context(handle->context);
-+ free(handle);
-+ return ret;
-+ }
- *server_handle = (void *) handle;
-
- return KADM5_OK;
-@@ -338,6 +346,7 @@ kadm5_ret_t kadm5_destroy(void *server_handle)
- CHECK_HANDLE(server_handle);
-
- destroy_dict();
-+ destroy_pwupdate();
-
- adb_policy_close(handle);
- krb5_db_fini(handle->context);
-diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
-index 469a8e8..aaf71a0 100644
---- a/src/lib/kadm5/srv/svr_principal.c
-+++ b/src/lib/kadm5/srv/svr_principal.c
-@@ -31,6 +31,8 @@ static char *rcsid = "$Header$";
- #define VALGRIND_CHECK_DEFINED(LVALUE) ((void)0)
- #endif
-
-+#include <dlfcn.h>
-+#include <syslog.h>
- extern krb5_principal master_princ;
- extern krb5_principal hist_princ;
- extern krb5_keyblock master_keyblock;
-@@ -56,6 +58,7 @@ kadm5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_pr
- VALGRIND_CHECK_DEFINED(*inprinc);
- *tempprinc = *inprinc;
-
-+
- nelems = (int) krb5_princ_size(context, inprinc);
- tempprinc->data = krb5_db_alloc(context, NULL, nelems * sizeof(krb5_data));
- if (tempprinc->data == 0) {
-@@ -116,6 +119,17 @@ kadm5_free_principal(krb5_context context, krb5_principal val)
- krb5_db_free(context, val);
- }
-
-+static void *update_handle = NULL;
-+static int (*d_pwupdate_init)(krb5_context, void **) = NULL;
-+static int (*d_pwupdate_precommit_password)(void *, krb5_principal, char *,
-+ int, char *, int) = NULL;
-+static int (*d_pwupdate_postcommit_password)(void *, krb5_principal, char *,
-+ int, char *, int) = NULL;
-+static int (*d_pwupdate_postcommit_status)(void *, krb5_principal, int,
-+ char *, int) = NULL;
-+static int (*d_pwupdate_close)(void *) = NULL;
-+static void *pwupdate_context = NULL;
-+
- /*
- * XXX Functions that ought to be in libkrb5.a, but aren't.
- */
-@@ -354,6 +368,27 @@ kadm5_create_principal_3(void *server_handle,
- return(ret);
- }
-
-+ /*
-+ * If we have a precommit password update entry point, call that now
-+ * before any database modifications.
-+ */
-+
-+ if (d_pwupdate_precommit_password) {
-+ char errstr[256];
-+ size_t length;
-+
-+ length = (password == NULL) ? 0 : strlen(password);
-+ ret = (*d_pwupdate_precommit_password)(pwupdate_context,
-+ entry->principal, password,
-+ length, errstr,
-+ sizeof(errstr));
-+ if (ret) {
-+ krb5_klog_syslog(LOG_ERR, "External password update failed: "
-+ "%s (%d)", errstr, ret);
-+ return ret;
-+ }
-+ }
-+
- if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now))) {
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
-@@ -475,6 +508,20 @@ kadm5_create_principal_3(void *server_handle,
- return(ret);
- }
-
-+ if (d_pwupdate_postcommit_password) {
-+ char errstr[256];
-+ size_t length;
-+
-+ length = (password == NULL) ? 0 : strlen(password);
-+ ret = (*d_pwupdate_postcommit_password)(pwupdate_context,
-+ entry->principal, password,
-+ length, errstr,
-+ sizeof(errstr));
-+ if (ret)
-+ krb5_klog_syslog(LOG_ERR, "WARNING: External password update "
-+ "failed: %s (%d)", errstr, ret);
-+ }
-+
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
-
-@@ -666,8 +711,22 @@ kadm5_modify_principal(void *server_handle,
- KADM5_REF_COUNT)))))
- goto done;
-
-- if ((mask & KADM5_ATTRIBUTES))
-+ if ((mask & KADM5_ATTRIBUTES)) {
-+ if (d_pwupdate_postcommit_status
-+ && ((kdb.attributes & KRB5_KDB_DISALLOW_ALL_TIX) !=
-+ (entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX))) {
-+ char errstr[256];
-+ int enabled = (entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX) == 0;
-+
-+ ret = (*d_pwupdate_postcommit_status)(pwupdate_context,
-+ entry->principal, enabled,
-+ errstr, sizeof(errstr));
-+ if (ret)
-+ krb5_klog_syslog(LOG_ERR, "External status update failed: "
-+ "%s (%d)", errstr, ret);
-+ }
- kdb.attributes = entry->attributes;
-+ }
- if ((mask & KADM5_MAX_LIFE))
- kdb.max_life = entry->max_life;
- if ((mask & KADM5_PRINC_EXPIRE_TIME))
-@@ -1390,11 +1449,30 @@ kadm5_chpass_principal_3(void *server_handle,
- if (ret)
- goto done;
-
-+ /*
-+ * If we have a precommit password update entry point, call that now
-+ * before any database modifications.
-+ */
-+
-+ if (d_pwupdate_precommit_password) {
-+ char errstr[256];
-+
-+ ret = (*d_pwupdate_precommit_password)(pwupdate_context, principal,
-+ password, strlen(password),
-+ errstr, sizeof(errstr));
-+ if (ret) {
-+ krb5_klog_syslog(LOG_ERR, "External password update failed: "
-+ "%s (%d)", errstr, ret);
-+ goto done;
-+ }
-+ }
-+
- ret = krb5_dbe_cpw(handle->context, act_mkey,
- n_ks_tuple?ks_tuple:handle->params.keysalts,
- n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
- password, 0 /* increment kvno */,
- keepold, &kdb);
-+
- if (ret)
- goto done;
-
-@@ -1517,6 +1595,17 @@ kadm5_chpass_principal_3(void *server_handle,
- if ((ret = kdb_put_entry(handle, &kdb, &adb)))
- goto done;
-
-+ if (d_pwupdate_postcommit_password) {
-+ char errstr[256];
-+
-+ ret = (*d_pwupdate_postcommit_password)(pwupdate_context, principal,
-+ password, strlen(password),
-+ errstr, sizeof(errstr));
-+ if (ret)
-+ krb5_klog_syslog(LOG_ERR, "WARNING: External password update "
-+ "failed: %s (%d)", errstr, ret);
-+ }
-+
- ret = KADM5_OK;
- done:
- if (!hist_added && hist.key_data)
-@@ -1575,7 +1664,7 @@ kadm5_randkey_principal_3(void *server_handle,
- if (keepold)
- return KADM5_PROTECT_PRINCIPAL;
- ks_tuple = n_ks_tuple ? ks_tuple : handle->params.keysalts,
-- n_ks_tuple = 1;
-+ n_ks_tuple = 1;
- }
-
- if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
-@@ -2236,3 +2325,71 @@ kadm5_ret_t kadm5_decrypt_key(void *server_handle,
-
- return KADM5_OK;
- }
-+
-+/*
-+ * Function: init_pwupdate
-+ *
-+ * Initialize the password update module (if we have one)
-+ *
-+ * Right now all we do is look for a module named "pwupdate.so" in the
-+ * same directory as the database. Later on this should be cleaned up.
-+ */
-+
-+int
-+init_pwupdate(krb5_context context, kadm5_config_params *params)
-+{
-+ int ret;
-+
-+ if (params->pwupdate_plugin) {
-+ update_handle = dlopen(params->pwupdate_plugin, RTLD_NOW);
-+
-+ if (! update_handle) {
-+ krb5_klog_syslog(LOG_ERR, "ERROR: Unable to load plugin "
-+ "\"%s\": %s", params->pwupdate_plugin,
-+ dlerror());
-+ return KADM5_FAILURE;
-+ }
-+
-+ d_pwupdate_init = dlsym(update_handle, "pwupdate_init");
-+ d_pwupdate_precommit_password = dlsym(update_handle,
-+ "pwupdate_precommit_password");
-+ d_pwupdate_postcommit_password = dlsym(update_handle,
-+ "pwupdate_postcommit_password");
-+ d_pwupdate_postcommit_status = dlsym(update_handle,
-+ "pwupdate_postcommit_status");
-+ d_pwupdate_close = dlsym(update_handle, "pwupdate_close");
-+
-+ if (d_pwupdate_init == NULL
-+ || d_pwupdate_close == NULL
-+ || (d_pwupdate_precommit_password == NULL &&
-+ d_pwupdate_postcommit_password == NULL &&
-+ d_pwupdate_postcommit_status == NULL)) {
-+ krb5_klog_syslog(LOG_ERR, "ERROR: Needed symbols missing in "
-+ "pwupdate plugin");
-+ dlclose(update_handle);
-+ update_handle = NULL;
-+ return KADM5_FAILURE;
-+ }
-+
-+ ret = (*d_pwupdate_init)(context, &pwupdate_context);
-+
-+ if (ret != 0) {
-+ krb5_klog_syslog(LOG_ERR, "ERROR: Password update plugin "
-+ "initialization failed with code %d", ret);
-+ dlclose(update_handle);
-+ update_handle = NULL;
-+ return KADM5_FAILURE;
-+ }
-+
-+ krb5_klog_syslog(LOG_INFO, "Password update plugin \"%s\" initialized",
-+ params->pwupdate_plugin);
-+ }
-+ return KADM5_OK;
-+}
-+
-+void
-+destroy_pwupdate(void)
-+{
-+ if (d_pwupdate_close)
-+ (*d_pwupdate_close)(pwupdate_context);
-+}
BEGIN_DECLS
+/* Default to a hidden visibility for all internal functions. */
+#pragma GCC visibility push(hidden)
+
/* General public API. */
int pwupdate_init(krb5_context ctx, void **data);
void pwupdate_close(void *data);
int pwupdate_postcommit_status(void *data, krb5_principal principal,
int enabled, char *errstr, int errstrlen);
-/* Default to a hidden visibility for all internal functions. */
-#pragma GCC visibility push(hidden)
-
/* Password changing. */
int pwupdate_ad_change(struct plugin_config *config, krb5_context ctx,
krb5_principal principal, const char *password,
projects / kerberos / krb5-sync.git / commitdiff