1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
3 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
7 #include <k5-platform.h>
8 #include <gssapi/gssapi.h>
9 #include <gssapi/gssapi_krb5.h> /* for gss_nt_krb5_name */
11 #include <kadm5/admin.h>
12 #include <kadm5/kadm_rpc.h>
13 #include <kadm5/server_internal.h>
14 #include <kadm5/server_acl.h>
16 #include <arpa/inet.h> /* inet_ntoa */
17 #include <adm_proto.h> /* krb5_klog_syslog */
20 extern gss_name_t gss_changepw_name;
21 extern gss_name_t gss_oldchangepw_name;
22 extern void * global_server_handle;
24 #define CHANGEPW_SERVICE(rqstp) \
25 (cmp_gss_names_rel_1(acceptor_name(rqstp->rq_svccred), gss_changepw_name) | \
26 (gss_oldchangepw_name && \
27 cmp_gss_names_rel_1(acceptor_name(rqstp->rq_svccred), \
28 gss_oldchangepw_name)))
31 static int gss_to_krb5_name(kadm5_server_handle_t handle,
32 gss_name_t gss_name, krb5_principal *princ);
34 static int gss_name_to_string(gss_name_t gss_name, gss_buffer_desc *str);
36 static gss_name_t acceptor_name(gss_ctx_id_t context);
38 gss_name_t rqst2name(struct svc_req *rqstp);
40 static int cmp_gss_names(gss_name_t n1, gss_name_t n2)
45 if (GSS_ERROR(emaj = gss_compare_name(&emin, n1, n2, &equal)))
51 /* Does a comparison of the names and then releases the first entity */
52 /* For use above in CHANGEPW_SERVICE */
53 static int cmp_gss_names_rel_1(gss_name_t n1, gss_name_t n2)
58 ret = cmp_gss_names(n1, n2);
59 if (n1) (void) gss_release_name(&min_stat, &n1);
64 * Function check_handle
66 * Purpose: Check a server handle and return a com_err code if it is
67 * invalid or 0 if it is valid.
71 * handle The server handle.
74 static int check_handle(void *handle)
81 * Function: new_server_handle
83 * Purpose: Constructs a server handle suitable for passing into the
84 * server library API functions, by folding the client's API version
85 * and calling principal into the server handle returned by
89 * api_version (input) The API version specified by the client
90 * rqstp (input) The RPC request
91 * handle (output) The returned handle
92 * <return value> (output) An error code, or 0 if no error occurred
95 * Returns a pointer to allocated storage containing the server
96 * handle. If an error occurs, then no allocated storage is
97 * returned, and the return value of the function will be a
98 * non-zero com_err code.
100 * The allocated storage for the handle should be freed with
101 * free_server_handle (see below) when it is no longer needed.
104 static kadm5_ret_t new_server_handle(krb5_ui_4 api_version,
105 struct svc_req *rqstp,
106 kadm5_server_handle_t
109 kadm5_server_handle_t handle;
113 if (! (handle = (kadm5_server_handle_t)
114 malloc(sizeof(*handle))))
117 *handle = *(kadm5_server_handle_t)global_server_handle;
118 handle->api_version = api_version;
120 if (! gss_to_krb5_name(handle, rqst2name(rqstp),
121 &handle->current_caller)) {
123 return KADM5_FAILURE;
126 *out_handle = handle;
131 * Function: free_server_handle
133 * Purpose: Free handle memory allocated by new_server_handle
136 * handle (input/output) The handle to free
138 static void free_server_handle(kadm5_server_handle_t handle)
142 krb5_free_principal(handle->context, handle->current_caller);
147 * Function: setup_gss_names
149 * Purpose: Create printable representations of the client and server
153 * rqstp (r) the RPC request
154 * client_name (w) the gss_buffer_t for the client name
155 * server_name (w) the gss_buffer_t for the server name
159 * Unparses the client and server names into client_name and
160 * server_name, both of which must be freed by the caller. Returns 0
161 * on success and -1 on failure.
163 int setup_gss_names(struct svc_req *rqstp,
164 gss_buffer_desc *client_name,
165 gss_buffer_desc *server_name)
167 OM_uint32 maj_stat, min_stat;
168 gss_name_t server_gss_name;
170 if (gss_name_to_string(rqst2name(rqstp), client_name) != 0)
172 maj_stat = gss_inquire_context(&min_stat, rqstp->rq_svccred, NULL,
173 &server_gss_name, NULL, NULL, NULL,
175 if (maj_stat != GSS_S_COMPLETE) {
176 gss_release_buffer(&min_stat, client_name);
177 gss_release_name(&min_stat, &server_gss_name);
180 if (gss_name_to_string(server_gss_name, server_name) != 0) {
181 gss_release_buffer(&min_stat, client_name);
182 gss_release_name(&min_stat, &server_gss_name);
185 gss_release_name(&min_stat, &server_gss_name);
189 static gss_name_t acceptor_name(gss_ctx_id_t context)
191 OM_uint32 maj_stat, min_stat;
194 maj_stat = gss_inquire_context(&min_stat, context, NULL, &name,
195 NULL, NULL, NULL, NULL, NULL);
196 if (maj_stat != GSS_S_COMPLETE)
201 static int cmp_gss_krb5_name(kadm5_server_handle_t handle,
202 gss_name_t gss_name, krb5_principal princ)
204 krb5_principal princ2;
207 if (! gss_to_krb5_name(handle, gss_name, &princ2))
209 status = krb5_principal_compare(handle->context, princ, princ2);
210 krb5_free_principal(handle->context, princ2);
214 static int gss_to_krb5_name(kadm5_server_handle_t handle,
215 gss_name_t gss_name, krb5_principal *princ)
217 OM_uint32 status, minor_stat;
218 gss_buffer_desc gss_str;
222 status = gss_display_name(&minor_stat, gss_name, &gss_str, &gss_type);
223 if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name))
225 success = (krb5_parse_name(handle->context, gss_str.value, princ) == 0);
226 gss_release_buffer(&minor_stat, &gss_str);
231 gss_name_to_string(gss_name_t gss_name, gss_buffer_desc *str)
233 OM_uint32 status, minor_stat;
236 status = gss_display_name(&minor_stat, gss_name, str, &gss_type);
237 if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name))
248 struct svc_req *rqstp)
250 size_t tlen, clen, slen;
251 char *tdots, *cdots, *sdots;
253 tlen = strlen(target);
254 trunc_name(&tlen, &tdots);
255 clen = client->length;
256 trunc_name(&clen, &cdots);
257 slen = server->length;
258 trunc_name(&slen, &sdots);
260 /* okay to cast lengths to int because trunc_name limits max value */
261 return krb5_klog_syslog(LOG_NOTICE,
262 _("Unauthorized request: %s, %.*s%s, "
263 "client=%.*s%s, service=%.*s%s, addr=%s"),
264 op, (int)tlen, target, tdots,
265 (int)clen, (char *)client->value, cdots,
266 (int)slen, (char *)server->value, sdots,
267 inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
277 struct svc_req *rqstp)
279 size_t tlen, clen, slen;
280 char *tdots, *cdots, *sdots;
283 errmsg = _("success");
284 tlen = strlen(target);
285 trunc_name(&tlen, &tdots);
286 clen = client->length;
287 trunc_name(&clen, &cdots);
288 slen = server->length;
289 trunc_name(&slen, &sdots);
291 /* okay to cast lengths to int because trunc_name limits max value */
292 return krb5_klog_syslog(LOG_NOTICE,
293 _("Request: %s, %.*s%s, %s, "
294 "client=%.*s%s, service=%.*s%s, addr=%s"),
295 op, (int)tlen, target, tdots, errmsg,
296 (int)clen, (char *)client->value, cdots,
297 (int)slen, (char *)server->value, sdots,
298 inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
302 create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
304 static generic_ret ret;
306 gss_buffer_desc client_name, service_name;
307 OM_uint32 minor_stat;
308 kadm5_server_handle_t handle;
310 const char *errmsg = NULL;
312 xdr_free(xdr_generic_ret, &ret);
314 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
317 if ((ret.code = check_handle((void *)handle)))
320 ret.api_version = handle->api_version;
322 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
323 ret.code = KADM5_FAILURE;
326 if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
327 ret.code = KADM5_BAD_PRINCIPAL;
331 if (CHANGEPW_SERVICE(rqstp)
332 || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD,
333 arg->rec.principal, &rp)
334 || kadm5int_acl_impose_restrictions(handle->context,
335 &arg->rec, &arg->mask, rp)) {
336 ret.code = KADM5_AUTH_ADD;
337 log_unauth("kadm5_create_principal", prime_arg,
338 &client_name, &service_name, rqstp);
340 ret.code = kadm5_create_principal((void *)handle,
341 &arg->rec, arg->mask,
345 errmsg = krb5_get_error_message(handle->context, ret.code);
347 log_done("kadm5_create_principal", prime_arg, errmsg,
348 &client_name, &service_name, rqstp);
351 krb5_free_error_message(handle->context, errmsg);
354 gss_release_buffer(&minor_stat, &client_name);
355 gss_release_buffer(&minor_stat, &service_name);
358 free_server_handle(handle);
363 create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
365 static generic_ret ret;
367 gss_buffer_desc client_name, service_name;
368 OM_uint32 minor_stat;
369 kadm5_server_handle_t handle;
371 const char *errmsg = NULL;
373 xdr_free(xdr_generic_ret, &ret);
375 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
378 if ((ret.code = check_handle((void *)handle)))
381 ret.api_version = handle->api_version;
383 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
384 ret.code = KADM5_FAILURE;
387 if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
388 ret.code = KADM5_BAD_PRINCIPAL;
392 if (CHANGEPW_SERVICE(rqstp)
393 || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD,
394 arg->rec.principal, &rp)
395 || kadm5int_acl_impose_restrictions(handle->context,
396 &arg->rec, &arg->mask, rp)) {
397 ret.code = KADM5_AUTH_ADD;
398 log_unauth("kadm5_create_principal", prime_arg,
399 &client_name, &service_name, rqstp);
401 ret.code = kadm5_create_principal_3((void *)handle,
402 &arg->rec, arg->mask,
407 errmsg = krb5_get_error_message(handle->context, ret.code);
409 log_done("kadm5_create_principal", prime_arg, errmsg,
410 &client_name, &service_name, rqstp);
413 krb5_free_error_message(handle->context, errmsg);
416 gss_release_buffer(&minor_stat, &client_name);
417 gss_release_buffer(&minor_stat, &service_name);
420 free_server_handle(handle);
425 delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp)
427 static generic_ret ret;
429 gss_buffer_desc client_name,
431 OM_uint32 minor_stat;
432 kadm5_server_handle_t handle;
433 const char *errmsg = NULL;
435 xdr_free(xdr_generic_ret, &ret);
437 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
440 if ((ret.code = check_handle((void *)handle)))
443 ret.api_version = handle->api_version;
445 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
446 ret.code = KADM5_FAILURE;
449 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
450 ret.code = KADM5_BAD_PRINCIPAL;
454 if (CHANGEPW_SERVICE(rqstp)
455 || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
457 ret.code = KADM5_AUTH_DELETE;
458 log_unauth("kadm5_delete_principal", prime_arg,
459 &client_name, &service_name, rqstp);
461 ret.code = kadm5_delete_principal((void *)handle, arg->princ);
463 errmsg = krb5_get_error_message(handle->context, ret.code);
465 log_done("kadm5_delete_principal", prime_arg, errmsg,
466 &client_name, &service_name, rqstp);
469 krb5_free_error_message(handle->context, errmsg);
473 gss_release_buffer(&minor_stat, &client_name);
474 gss_release_buffer(&minor_stat, &service_name);
477 free_server_handle(handle);
482 modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp)
484 static generic_ret ret;
486 gss_buffer_desc client_name,
488 OM_uint32 minor_stat;
489 kadm5_server_handle_t handle;
491 const char *errmsg = NULL;
493 xdr_free(xdr_generic_ret, &ret);
495 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
498 if ((ret.code = check_handle((void *)handle)))
501 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
502 ret.code = KADM5_FAILURE;
505 if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
506 ret.code = KADM5_BAD_PRINCIPAL;
510 if (CHANGEPW_SERVICE(rqstp)
511 || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
512 arg->rec.principal, &rp)
513 || kadm5int_acl_impose_restrictions(handle->context,
514 &arg->rec, &arg->mask, rp)) {
515 ret.code = KADM5_AUTH_MODIFY;
516 log_unauth("kadm5_modify_principal", prime_arg,
517 &client_name, &service_name, rqstp);
519 ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
522 errmsg = krb5_get_error_message(handle->context, ret.code);
524 log_done("kadm5_modify_principal", prime_arg, errmsg,
525 &client_name, &service_name, rqstp);
528 krb5_free_error_message(handle->context, errmsg);
531 gss_release_buffer(&minor_stat, &client_name);
532 gss_release_buffer(&minor_stat, &service_name);
534 free_server_handle(handle);
539 rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
541 static generic_ret ret;
544 gss_buffer_desc client_name,
546 OM_uint32 minor_stat;
547 kadm5_server_handle_t handle;
549 const char *errmsg = NULL;
550 size_t tlen1, tlen2, clen, slen;
551 char *tdots1, *tdots2, *cdots, *sdots;
553 xdr_free(xdr_generic_ret, &ret);
555 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
558 if ((ret.code = check_handle((void *)handle)))
561 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
562 ret.code = KADM5_FAILURE;
565 if (krb5_unparse_name(handle->context, arg->src, &prime_arg1) ||
566 krb5_unparse_name(handle->context, arg->dest, &prime_arg2)) {
567 ret.code = KADM5_BAD_PRINCIPAL;
570 tlen1 = strlen(prime_arg1);
571 trunc_name(&tlen1, &tdots1);
572 tlen2 = strlen(prime_arg2);
573 trunc_name(&tlen2, &tdots2);
574 clen = client_name.length;
575 trunc_name(&clen, &cdots);
576 slen = service_name.length;
577 trunc_name(&slen, &sdots);
580 if (! CHANGEPW_SERVICE(rqstp)) {
581 if (!kadm5int_acl_check(handle->context, rqst2name(rqstp),
582 ACL_DELETE, arg->src, NULL))
583 ret.code = KADM5_AUTH_DELETE;
584 /* any restrictions at all on the ADD kills the RENAME */
585 if (!kadm5int_acl_check(handle->context, rqst2name(rqstp),
586 ACL_ADD, arg->dest, &rp) || rp) {
587 if (ret.code == KADM5_AUTH_DELETE)
588 ret.code = KADM5_AUTH_INSUFFICIENT;
590 ret.code = KADM5_AUTH_ADD;
593 ret.code = KADM5_AUTH_INSUFFICIENT;
594 if (ret.code != KADM5_OK) {
595 /* okay to cast lengths to int because trunc_name limits max value */
596 krb5_klog_syslog(LOG_NOTICE,
597 _("Unauthorized request: kadm5_rename_principal, "
599 "client=%.*s%s, service=%.*s%s, addr=%s"),
600 (int)tlen1, prime_arg1, tdots1,
601 (int)tlen2, prime_arg2, tdots2,
602 (int)clen, (char *)client_name.value, cdots,
603 (int)slen, (char *)service_name.value, sdots,
604 inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
606 ret.code = kadm5_rename_principal((void *)handle, arg->src,
609 errmsg = krb5_get_error_message(handle->context, ret.code);
611 /* okay to cast lengths to int because trunc_name limits max value */
612 krb5_klog_syslog(LOG_NOTICE,
613 _("Request: kadm5_rename_principal, "
614 "%.*s%s to %.*s%s, %s, "
615 "client=%.*s%s, service=%.*s%s, addr=%s"),
616 (int)tlen1, prime_arg1, tdots1,
617 (int)tlen2, prime_arg2, tdots2,
618 errmsg ? errmsg : _("success"),
619 (int)clen, (char *)client_name.value, cdots,
620 (int)slen, (char *)service_name.value, sdots,
621 inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
624 krb5_free_error_message(handle->context, errmsg);
629 gss_release_buffer(&minor_stat, &client_name);
630 gss_release_buffer(&minor_stat, &service_name);
632 free_server_handle(handle);
637 get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
639 static gprinc_ret ret;
640 char *prime_arg, *funcname;
641 gss_buffer_desc client_name,
643 OM_uint32 minor_stat;
644 kadm5_server_handle_t handle;
645 const char *errmsg = NULL;
647 xdr_free(xdr_gprinc_ret, &ret);
649 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
652 if ((ret.code = check_handle((void *)handle)))
655 ret.api_version = handle->api_version;
657 funcname = "kadm5_get_principal";
659 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
660 ret.code = KADM5_FAILURE;
663 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
664 ret.code = KADM5_BAD_PRINCIPAL;
668 if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) &&
669 (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
674 ret.code = KADM5_AUTH_GET;
675 log_unauth(funcname, prime_arg,
676 &client_name, &service_name, rqstp);
678 ret.code = kadm5_get_principal(handle, arg->princ, &ret.rec,
682 errmsg = krb5_get_error_message(handle->context, ret.code);
684 log_done(funcname, prime_arg, errmsg,
685 &client_name, &service_name, rqstp);
688 krb5_free_error_message(handle->context, errmsg);
691 gss_release_buffer(&minor_stat, &client_name);
692 gss_release_buffer(&minor_stat, &service_name);
694 free_server_handle(handle);
699 get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
701 static gprincs_ret ret;
703 gss_buffer_desc client_name,
705 OM_uint32 minor_stat;
706 kadm5_server_handle_t handle;
707 const char *errmsg = NULL;
709 xdr_free(xdr_gprincs_ret, &ret);
711 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
714 if ((ret.code = check_handle((void *)handle)))
717 ret.api_version = handle->api_version;
719 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
720 ret.code = KADM5_FAILURE;
723 prime_arg = arg->exp;
724 if (prime_arg == NULL)
727 if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
732 ret.code = KADM5_AUTH_LIST;
733 log_unauth("kadm5_get_principals", prime_arg,
734 &client_name, &service_name, rqstp);
736 ret.code = kadm5_get_principals((void *)handle,
737 arg->exp, &ret.princs,
740 errmsg = krb5_get_error_message(handle->context, ret.code);
742 log_done("kadm5_get_principals", prime_arg, errmsg,
743 &client_name, &service_name, rqstp);
746 krb5_free_error_message(handle->context, errmsg);
749 gss_release_buffer(&minor_stat, &client_name);
750 gss_release_buffer(&minor_stat, &service_name);
752 free_server_handle(handle);
757 chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp)
759 static generic_ret ret;
761 gss_buffer_desc client_name,
763 OM_uint32 minor_stat;
764 kadm5_server_handle_t handle;
765 const char *errmsg = NULL;
767 xdr_free(xdr_generic_ret, &ret);
769 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
772 if ((ret.code = check_handle((void *)handle)))
775 ret.api_version = handle->api_version;
777 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
778 ret.code = KADM5_FAILURE;
781 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
782 ret.code = KADM5_BAD_PRINCIPAL;
786 if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) {
787 ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ,
788 FALSE, 0, NULL, arg->pass);
789 } else if (!(CHANGEPW_SERVICE(rqstp)) &&
790 kadm5int_acl_check(handle->context, rqst2name(rqstp),
791 ACL_CHANGEPW, arg->princ, NULL)) {
792 ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
795 log_unauth("kadm5_chpass_principal", prime_arg,
796 &client_name, &service_name, rqstp);
797 ret.code = KADM5_AUTH_CHANGEPW;
800 if (ret.code != KADM5_AUTH_CHANGEPW) {
802 errmsg = krb5_get_error_message(handle->context, ret.code);
804 log_done("kadm5_chpass_principal", prime_arg, errmsg,
805 &client_name, &service_name, rqstp);
808 krb5_free_error_message(handle->context, errmsg);
812 gss_release_buffer(&minor_stat, &client_name);
813 gss_release_buffer(&minor_stat, &service_name);
815 free_server_handle(handle);
820 chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp)
822 static generic_ret ret;
824 gss_buffer_desc client_name,
826 OM_uint32 minor_stat;
827 kadm5_server_handle_t handle;
828 const char *errmsg = NULL;
830 xdr_free(xdr_generic_ret, &ret);
832 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
835 if ((ret.code = check_handle((void *)handle)))
838 ret.api_version = handle->api_version;
840 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
841 ret.code = KADM5_FAILURE;
844 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
845 ret.code = KADM5_BAD_PRINCIPAL;
849 if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) {
850 ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ,
855 } else if (!(CHANGEPW_SERVICE(rqstp)) &&
856 kadm5int_acl_check(handle->context, rqst2name(rqstp),
857 ACL_CHANGEPW, arg->princ, NULL)) {
858 ret.code = kadm5_chpass_principal_3((void *)handle, arg->princ,
864 log_unauth("kadm5_chpass_principal", prime_arg,
865 &client_name, &service_name, rqstp);
866 ret.code = KADM5_AUTH_CHANGEPW;
869 if(ret.code != KADM5_AUTH_CHANGEPW) {
871 errmsg = krb5_get_error_message(handle->context, ret.code);
873 log_done("kadm5_chpass_principal", prime_arg, errmsg,
874 &client_name, &service_name, rqstp);
877 krb5_free_error_message(handle->context, errmsg);
881 gss_release_buffer(&minor_stat, &client_name);
882 gss_release_buffer(&minor_stat, &service_name);
884 free_server_handle(handle);
889 setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp)
891 static generic_ret ret;
893 gss_buffer_desc client_name,
895 OM_uint32 minor_stat;
896 kadm5_server_handle_t handle;
897 const char *errmsg = NULL;
899 xdr_free(xdr_generic_ret, &ret);
901 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
904 if ((ret.code = check_handle((void *)handle)))
907 ret.api_version = handle->api_version;
909 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
910 ret.code = KADM5_FAILURE;
913 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
914 ret.code = KADM5_BAD_PRINCIPAL;
918 if (!(CHANGEPW_SERVICE(rqstp)) &&
919 kadm5int_acl_check(handle->context, rqst2name(rqstp),
920 ACL_SETKEY, arg->princ, NULL)) {
921 ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
924 log_unauth("kadm5_setv4key_principal", prime_arg,
925 &client_name, &service_name, rqstp);
926 ret.code = KADM5_AUTH_SETKEY;
929 if(ret.code != KADM5_AUTH_SETKEY) {
931 errmsg = krb5_get_error_message(handle->context, ret.code);
933 log_done("kadm5_setv4key_principal", prime_arg, errmsg,
934 &client_name, &service_name, rqstp);
937 krb5_free_error_message(handle->context, errmsg);
941 gss_release_buffer(&minor_stat, &client_name);
942 gss_release_buffer(&minor_stat, &service_name);
944 free_server_handle(handle);
949 setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp)
951 static generic_ret ret;
953 gss_buffer_desc client_name,
955 OM_uint32 minor_stat;
956 kadm5_server_handle_t handle;
957 const char *errmsg = NULL;
959 xdr_free(xdr_generic_ret, &ret);
961 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
964 if ((ret.code = check_handle((void *)handle)))
967 ret.api_version = handle->api_version;
969 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
970 ret.code = KADM5_FAILURE;
973 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
974 ret.code = KADM5_BAD_PRINCIPAL;
978 if (!(CHANGEPW_SERVICE(rqstp)) &&
979 kadm5int_acl_check(handle->context, rqst2name(rqstp),
980 ACL_SETKEY, arg->princ, NULL)) {
981 ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
982 arg->keyblocks, arg->n_keys);
984 log_unauth("kadm5_setkey_principal", prime_arg,
985 &client_name, &service_name, rqstp);
986 ret.code = KADM5_AUTH_SETKEY;
989 if(ret.code != KADM5_AUTH_SETKEY) {
991 errmsg = krb5_get_error_message(handle->context, ret.code);
993 log_done("kadm5_setkey_principal", prime_arg, errmsg,
994 &client_name, &service_name, rqstp);
997 krb5_free_error_message(handle->context, errmsg);
1001 gss_release_buffer(&minor_stat, &client_name);
1002 gss_release_buffer(&minor_stat, &service_name);
1004 free_server_handle(handle);
1009 setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp)
1011 static generic_ret ret;
1013 gss_buffer_desc client_name,
1015 OM_uint32 minor_stat;
1016 kadm5_server_handle_t handle;
1017 const char *errmsg = NULL;
1019 xdr_free(xdr_generic_ret, &ret);
1021 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1024 if ((ret.code = check_handle((void *)handle)))
1027 ret.api_version = handle->api_version;
1029 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1030 ret.code = KADM5_FAILURE;
1033 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
1034 ret.code = KADM5_BAD_PRINCIPAL;
1038 if (!(CHANGEPW_SERVICE(rqstp)) &&
1039 kadm5int_acl_check(handle->context, rqst2name(rqstp),
1040 ACL_SETKEY, arg->princ, NULL)) {
1041 ret.code = kadm5_setkey_principal_3((void *)handle, arg->princ,
1045 arg->keyblocks, arg->n_keys);
1047 log_unauth("kadm5_setkey_principal", prime_arg,
1048 &client_name, &service_name, rqstp);
1049 ret.code = KADM5_AUTH_SETKEY;
1052 if(ret.code != KADM5_AUTH_SETKEY) {
1054 errmsg = krb5_get_error_message(handle->context, ret.code);
1056 log_done("kadm5_setkey_principal", prime_arg, errmsg,
1057 &client_name, &service_name, rqstp);
1060 krb5_free_error_message(handle->context, errmsg);
1064 gss_release_buffer(&minor_stat, &client_name);
1065 gss_release_buffer(&minor_stat, &service_name);
1067 free_server_handle(handle);
1072 chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
1074 static chrand_ret ret;
1077 char *prime_arg, *funcname;
1078 gss_buffer_desc client_name,
1080 OM_uint32 minor_stat;
1081 kadm5_server_handle_t handle;
1082 const char *errmsg = NULL;
1084 xdr_free(xdr_chrand_ret, &ret);
1086 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1090 if ((ret.code = check_handle((void *)handle)))
1093 ret.api_version = handle->api_version;
1095 funcname = "kadm5_randkey_principal";
1097 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1098 ret.code = KADM5_FAILURE;
1101 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
1102 ret.code = KADM5_BAD_PRINCIPAL;
1106 if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) {
1107 ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ,
1108 FALSE, 0, NULL, &k, &nkeys);
1109 } else if (!(CHANGEPW_SERVICE(rqstp)) &&
1110 kadm5int_acl_check(handle->context, rqst2name(rqstp),
1111 ACL_CHANGEPW, arg->princ, NULL)) {
1112 ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
1115 log_unauth(funcname, prime_arg,
1116 &client_name, &service_name, rqstp);
1117 ret.code = KADM5_AUTH_CHANGEPW;
1120 if(ret.code == KADM5_OK) {
1125 if(ret.code != KADM5_AUTH_CHANGEPW) {
1127 errmsg = krb5_get_error_message(handle->context, ret.code);
1129 log_done(funcname, prime_arg, errmsg,
1130 &client_name, &service_name, rqstp);
1133 krb5_free_error_message(handle->context, errmsg);
1136 gss_release_buffer(&minor_stat, &client_name);
1137 gss_release_buffer(&minor_stat, &service_name);
1139 free_server_handle(handle);
1144 chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp)
1146 static chrand_ret ret;
1149 char *prime_arg, *funcname;
1150 gss_buffer_desc client_name,
1152 OM_uint32 minor_stat;
1153 kadm5_server_handle_t handle;
1154 const char *errmsg = NULL;
1156 xdr_free(xdr_chrand_ret, &ret);
1158 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1161 if ((ret.code = check_handle((void *)handle)))
1164 ret.api_version = handle->api_version;
1166 funcname = "kadm5_randkey_principal";
1168 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1169 ret.code = KADM5_FAILURE;
1172 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
1173 ret.code = KADM5_BAD_PRINCIPAL;
1177 if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) {
1178 ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ,
1183 } else if (!(CHANGEPW_SERVICE(rqstp)) &&
1184 kadm5int_acl_check(handle->context, rqst2name(rqstp),
1185 ACL_CHANGEPW, arg->princ, NULL)) {
1186 ret.code = kadm5_randkey_principal_3((void *)handle, arg->princ,
1192 log_unauth(funcname, prime_arg,
1193 &client_name, &service_name, rqstp);
1194 ret.code = KADM5_AUTH_CHANGEPW;
1197 if(ret.code == KADM5_OK) {
1202 if(ret.code != KADM5_AUTH_CHANGEPW) {
1204 errmsg = krb5_get_error_message(handle->context, ret.code);
1206 log_done(funcname, prime_arg, errmsg,
1207 &client_name, &service_name, rqstp);
1210 krb5_free_error_message(handle->context, errmsg);
1213 gss_release_buffer(&minor_stat, &client_name);
1214 gss_release_buffer(&minor_stat, &service_name);
1216 free_server_handle(handle);
1221 create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp)
1223 static generic_ret ret;
1225 gss_buffer_desc client_name,
1227 OM_uint32 minor_stat;
1228 kadm5_server_handle_t handle;
1229 const char *errmsg = NULL;
1231 xdr_free(xdr_generic_ret, &ret);
1233 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1236 if ((ret.code = check_handle((void *)handle)))
1239 ret.api_version = handle->api_version;
1241 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1242 ret.code = KADM5_FAILURE;
1245 prime_arg = arg->rec.policy;
1247 if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
1249 ACL_ADD, NULL, NULL)) {
1250 ret.code = KADM5_AUTH_ADD;
1251 log_unauth("kadm5_create_policy", prime_arg,
1252 &client_name, &service_name, rqstp);
1255 ret.code = kadm5_create_policy((void *)handle, &arg->rec,
1258 errmsg = krb5_get_error_message(handle->context, ret.code);
1260 log_done("kadm5_create_policy",
1261 ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
1262 &client_name, &service_name, rqstp);
1265 krb5_free_error_message(handle->context, errmsg);
1267 gss_release_buffer(&minor_stat, &client_name);
1268 gss_release_buffer(&minor_stat, &service_name);
1270 free_server_handle(handle);
1275 delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp)
1277 static generic_ret ret;
1279 gss_buffer_desc client_name,
1281 OM_uint32 minor_stat;
1282 kadm5_server_handle_t handle;
1283 const char *errmsg = NULL;
1285 xdr_free(xdr_generic_ret, &ret);
1287 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1290 if ((ret.code = check_handle((void *)handle)))
1293 ret.api_version = handle->api_version;
1295 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1296 ret.code = KADM5_FAILURE;
1299 prime_arg = arg->name;
1301 if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
1303 ACL_DELETE, NULL, NULL)) {
1304 log_unauth("kadm5_delete_policy", prime_arg,
1305 &client_name, &service_name, rqstp);
1306 ret.code = KADM5_AUTH_DELETE;
1308 ret.code = kadm5_delete_policy((void *)handle, arg->name);
1310 errmsg = krb5_get_error_message(handle->context, ret.code);
1312 log_done("kadm5_delete_policy",
1313 ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
1314 &client_name, &service_name, rqstp);
1317 krb5_free_error_message(handle->context, errmsg);
1319 gss_release_buffer(&minor_stat, &client_name);
1320 gss_release_buffer(&minor_stat, &service_name);
1322 free_server_handle(handle);
1327 modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp)
1329 static generic_ret ret;
1331 gss_buffer_desc client_name,
1333 OM_uint32 minor_stat;
1334 kadm5_server_handle_t handle;
1335 const char *errmsg = NULL;
1337 xdr_free(xdr_generic_ret, &ret);
1339 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1342 if ((ret.code = check_handle((void *)handle)))
1345 ret.api_version = handle->api_version;
1347 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1348 ret.code = KADM5_FAILURE;
1351 prime_arg = arg->rec.policy;
1353 if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
1355 ACL_MODIFY, NULL, NULL)) {
1356 log_unauth("kadm5_modify_policy", prime_arg,
1357 &client_name, &service_name, rqstp);
1358 ret.code = KADM5_AUTH_MODIFY;
1360 ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
1363 errmsg = krb5_get_error_message(handle->context, ret.code);
1365 log_done("kadm5_modify_policy",
1366 ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
1367 &client_name, &service_name, rqstp);
1370 krb5_free_error_message(handle->context, errmsg);
1372 gss_release_buffer(&minor_stat, &client_name);
1373 gss_release_buffer(&minor_stat, &service_name);
1375 free_server_handle(handle);
1380 get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp)
1382 static gpol_ret ret;
1384 char *prime_arg, *funcname;
1385 gss_buffer_desc client_name,
1387 OM_uint32 minor_stat;
1388 kadm5_principal_ent_rec caller_ent;
1389 kadm5_server_handle_t handle;
1390 const char *errmsg = NULL;
1392 xdr_free(xdr_gpol_ret, &ret);
1394 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1397 if ((ret.code = check_handle((void *)handle)))
1400 ret.api_version = handle->api_version;
1402 funcname = "kadm5_get_policy";
1404 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1405 ret.code = KADM5_FAILURE;
1408 prime_arg = arg->name;
1410 ret.code = KADM5_AUTH_GET;
1411 if (!CHANGEPW_SERVICE(rqstp) && kadm5int_acl_check(handle->context,
1413 ACL_INQUIRE, NULL, NULL))
1414 ret.code = KADM5_OK;
1416 ret.code = kadm5_get_principal(handle->lhandle,
1417 handle->current_caller,
1419 KADM5_PRINCIPAL_NORMAL_MASK);
1420 if (ret.code == KADM5_OK) {
1421 if (caller_ent.aux_attributes & KADM5_POLICY &&
1422 strcmp(caller_ent.policy, arg->name) == 0) {
1423 ret.code = KADM5_OK;
1424 } else ret.code = KADM5_AUTH_GET;
1425 ret2 = kadm5_free_principal_ent(handle->lhandle,
1427 ret.code = ret.code ? ret.code : ret2;
1431 if (ret.code == KADM5_OK) {
1432 ret.code = kadm5_get_policy(handle, arg->name, &ret.rec);
1435 errmsg = krb5_get_error_message(handle->context, ret.code);
1438 ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
1439 &client_name, &service_name, rqstp);
1441 krb5_free_error_message(handle->context, errmsg);
1444 log_unauth(funcname, prime_arg,
1445 &client_name, &service_name, rqstp);
1447 gss_release_buffer(&minor_stat, &client_name);
1448 gss_release_buffer(&minor_stat, &service_name);
1450 free_server_handle(handle);
1456 get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp)
1458 static gpols_ret ret;
1460 gss_buffer_desc client_name,
1462 OM_uint32 minor_stat;
1463 kadm5_server_handle_t handle;
1464 const char *errmsg = NULL;
1466 xdr_free(xdr_gpols_ret, &ret);
1468 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1471 if ((ret.code = check_handle((void *)handle)))
1474 ret.api_version = handle->api_version;
1476 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1477 ret.code = KADM5_FAILURE;
1480 prime_arg = arg->exp;
1481 if (prime_arg == NULL)
1484 if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
1486 ACL_LIST, NULL, NULL)) {
1487 ret.code = KADM5_AUTH_LIST;
1488 log_unauth("kadm5_get_policies", prime_arg,
1489 &client_name, &service_name, rqstp);
1491 ret.code = kadm5_get_policies((void *)handle,
1492 arg->exp, &ret.pols,
1495 errmsg = krb5_get_error_message(handle->context, ret.code);
1497 log_done("kadm5_get_policies", prime_arg, errmsg,
1498 &client_name, &service_name, rqstp);
1501 krb5_free_error_message(handle->context, errmsg);
1503 gss_release_buffer(&minor_stat, &client_name);
1504 gss_release_buffer(&minor_stat, &service_name);
1506 free_server_handle(handle);
1510 getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
1512 static getprivs_ret ret;
1513 gss_buffer_desc client_name, service_name;
1514 OM_uint32 minor_stat;
1515 kadm5_server_handle_t handle;
1516 const char *errmsg = NULL;
1518 xdr_free(xdr_getprivs_ret, &ret);
1520 if ((ret.code = new_server_handle(*arg, rqstp, &handle)))
1523 if ((ret.code = check_handle((void *)handle)))
1526 ret.api_version = handle->api_version;
1528 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1529 ret.code = KADM5_FAILURE;
1533 ret.code = kadm5_get_privs((void *)handle, &ret.privs);
1535 errmsg = krb5_get_error_message(handle->context, ret.code);
1537 log_done("kadm5_get_privs", client_name.value, errmsg,
1538 &client_name, &service_name, rqstp);
1541 krb5_free_error_message(handle->context, errmsg);
1543 gss_release_buffer(&minor_stat, &client_name);
1544 gss_release_buffer(&minor_stat, &service_name);
1546 free_server_handle(handle);
1551 purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp)
1553 static generic_ret ret;
1554 char *prime_arg, *funcname;
1555 gss_buffer_desc client_name, service_name;
1556 OM_uint32 minor_stat;
1557 kadm5_server_handle_t handle;
1559 const char *errmsg = NULL;
1561 xdr_free(xdr_generic_ret, &ret);
1563 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1566 if ((ret.code = check_handle((void *)handle)))
1569 ret.api_version = handle->api_version;
1571 funcname = "kadm5_purgekeys";
1573 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1574 ret.code = KADM5_FAILURE;
1577 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
1578 ret.code = KADM5_BAD_PRINCIPAL;
1582 if (CHANGEPW_SERVICE(rqstp)
1583 || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
1584 arg->princ, NULL)) {
1585 ret.code = KADM5_AUTH_MODIFY;
1586 log_unauth(funcname, prime_arg, &client_name, &service_name, rqstp);
1588 ret.code = kadm5_purgekeys((void *)handle, arg->princ,
1591 errmsg = krb5_get_error_message(handle->context, ret.code);
1593 log_done(funcname, prime_arg, errmsg,
1594 &client_name, &service_name, rqstp);
1597 krb5_free_error_message(handle->context, errmsg);
1600 gss_release_buffer(&minor_stat, &client_name);
1601 gss_release_buffer(&minor_stat, &service_name);
1603 free_server_handle(handle);
1608 get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
1610 static gstrings_ret ret;
1612 gss_buffer_desc client_name,
1614 OM_uint32 minor_stat;
1615 kadm5_server_handle_t handle;
1616 const char *errmsg = NULL;
1618 xdr_free(xdr_gstrings_ret, &ret);
1620 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1623 if ((ret.code = check_handle((void *)handle)))
1626 ret.api_version = handle->api_version;
1628 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1629 ret.code = KADM5_FAILURE;
1632 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
1633 ret.code = KADM5_BAD_PRINCIPAL;
1637 if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) &&
1638 (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
1643 ret.code = KADM5_AUTH_GET;
1644 log_unauth("kadm5_get_strings", prime_arg,
1645 &client_name, &service_name, rqstp);
1647 ret.code = kadm5_get_strings((void *)handle, arg->princ, &ret.strings,
1650 errmsg = krb5_get_error_message(handle->context, ret.code);
1652 log_done("kadm5_get_strings", prime_arg, errmsg,
1653 &client_name, &service_name, rqstp);
1656 krb5_free_error_message(handle->context, errmsg);
1659 gss_release_buffer(&minor_stat, &client_name);
1660 gss_release_buffer(&minor_stat, &service_name);
1662 free_server_handle(handle);
1667 set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
1669 static generic_ret ret;
1671 gss_buffer_desc client_name,
1673 OM_uint32 minor_stat;
1674 kadm5_server_handle_t handle;
1675 const char *errmsg = NULL;
1677 xdr_free(xdr_generic_ret, &ret);
1679 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
1682 if ((ret.code = check_handle((void *)handle)))
1685 ret.api_version = handle->api_version;
1687 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1688 ret.code = KADM5_FAILURE;
1691 if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
1692 ret.code = KADM5_BAD_PRINCIPAL;
1696 if (CHANGEPW_SERVICE(rqstp)
1697 || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
1698 arg->princ, NULL)) {
1699 ret.code = KADM5_AUTH_MODIFY;
1700 log_unauth("kadm5_mod_strings", prime_arg,
1701 &client_name, &service_name, rqstp);
1703 ret.code = kadm5_set_string((void *)handle, arg->princ, arg->key,
1706 errmsg = krb5_get_error_message(handle->context, ret.code);
1708 log_done("kadm5_mod_strings", prime_arg, errmsg,
1709 &client_name, &service_name, rqstp);
1712 krb5_free_error_message(handle->context, errmsg);
1715 gss_release_buffer(&minor_stat, &client_name);
1716 gss_release_buffer(&minor_stat, &service_name);
1718 free_server_handle(handle);
1722 generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
1724 static generic_ret ret;
1725 gss_buffer_desc client_name,
1727 kadm5_server_handle_t handle;
1728 OM_uint32 minor_stat;
1729 const char *errmsg = NULL;
1731 char *cdots, *sdots;
1733 xdr_free(xdr_generic_ret, &ret);
1735 if ((ret.code = new_server_handle(*arg, rqstp, &handle)))
1737 if (! (ret.code = check_handle((void *)handle))) {
1738 ret.api_version = handle->api_version;
1741 free_server_handle(handle);
1743 if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
1744 ret.code = KADM5_FAILURE;
1749 errmsg = krb5_get_error_message(NULL, ret.code);
1751 clen = client_name.length;
1752 trunc_name(&clen, &cdots);
1753 slen = service_name.length;
1754 trunc_name(&slen, &sdots);
1755 /* okay to cast lengths to int because trunc_name limits max value */
1756 krb5_klog_syslog(LOG_NOTICE, _("Request: kadm5_init, %.*s%s, %s, "
1757 "client=%.*s%s, service=%.*s%s, addr=%s, "
1758 "vers=%d, flavor=%d"),
1759 (int)clen, (char *)client_name.value, cdots,
1760 errmsg ? errmsg : _("success"),
1761 (int)clen, (char *)client_name.value, cdots,
1762 (int)slen, (char *)service_name.value, sdots,
1763 inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
1764 ret.api_version & ~(KADM5_API_VERSION_MASK),
1765 rqstp->rq_cred.oa_flavor);
1767 krb5_free_error_message(NULL, errmsg);
1768 gss_release_buffer(&minor_stat, &client_name);
1769 gss_release_buffer(&minor_stat, &service_name);
1776 rqst2name(struct svc_req *rqstp)
1779 if (rqstp->rq_cred.oa_flavor == RPCSEC_GSS)
1780 return rqstp->rq_clntname;
1782 return rqstp->rq_clntcred;