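--- a/src/kadmin/server/kadm_rpc_svc.c
+++ b/src/kadmin/server/kadm_rpc_svc.c
@@ -250,6 +250,8 @@
 krb5_data *c1, *c2, *realm;
 gss_buffer_desc gss_str;
 kadm5_server_handle_t handle;
+size_t slen;
+char *sdots;
 
 success = 0;
 handle = (kadm5_server_handle_t)global_server_handle;
@@ -274,6 +276,8 @@
 if (ret == 0)
 goto fail_name;
 
+slen = gss_str.length;
+trunc_name(&slen, &sdots);
 /*
 * Since we accept with GSS_C_NO_NAME, the client can authenticate
 * against the entire kdb. Therefore, ensure that the service
@@ -296,8 +300,8 @@
 
 fail_princ:
 if (!success) {
-krb5_klog_syslog(LOG_ERR, "bad service principal %.*s",
-gss_str.length, gss_str.value);
+krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s",
+slen, gss_str.value, sdots);
 }
 gss_release_buffer(&min_stat, &gss_str);
 krb5_free_principal(kctx, princ);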
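Review bot: The `%.*s` precision in the new `krb5_klog_syslog` call under `fail_princ:` is given `slen`, a `size_t`, but a `*` precision is read from the variadic list as an `int`, so where `size_t` is wider than `int` the arguments that follow can be misread. Cast at the call site, `(int)slen, (char *)gss_str.value, sdots);`; the narrowing is safe because `trunc_name` has already capped the value at MAXPRINCLEN. The same uncast `size_t` precision appears in the new log calls in ovsec_kadmd.c and schpw.c and in `log_unauth`, `log_done` and the kadm5_init log call in server_stubs.c. The enclosing function starts and ends outside these hunks.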
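--- a/src/kadmin/server/misc.c
+++ b/src/kadmin/server/misc.c
@@ -171,3 +171,12 @@
 
 return kadm5_free_principal_ent(handle->lhandle, &princ);
 }
+
+#define MAXPRINCLEN 125
+
+void
+trunc_name(size_t *len, char **dots)
+{
+*dots = *len > MAXPRINCLEN ? "..." : "";
+*len = *len > MAXPRINCLEN ? MAXPRINCLEN : *len;
+}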
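Review bot: `trunc_name` is the helper every log call now depends on for bounding names, yet it has no comment stating its contract and `MAXPRINCLEN 125` is unexplained. A header comment such as `/* Clamp *len to MAXPRINCLEN and point *dots at "..." if the name was cut, else ""; intended for "%.*s%s" log formats. */` would do, plus a word on how 125 relates to the logger's buffer size. `*dots` only ever receives string literals, so `const char **dots` would stop callers writing through it; that also changes the prototype in misc.h and the `char *…dots` locals at each call site. The helper bounds length only, so control characters in a client-supplied name still reach the log unchanged.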
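--- a/src/kadmin/server/misc.h
+++ b/src/kadmin/server/misc.h
@@ -45,3 +45,5 @@
 #ifdef SVC_GETARGS
 void kadm_1(struct svc_req *, SVCXPRT *);
 #endif
+
+void trunc_name(size_t *len, char **dots);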
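--- a/src/kadmin/server/ovsec_kadmd.c
+++ b/src/kadmin/server/ovsec_kadmd.c
@@ -992,6 +992,8 @@
 rpcproc_t proc;
 int i;
 const char *procname;
+size_t clen, slen;
+char *cdots, *sdots;
 
 client.length = 0;
 client.value = NULL;
@@ -1000,10 +1002,20 @@
 
 (void) gss_display_name(&minor, client_name, &client, &gss_type);
 (void) gss_display_name(&minor, server_name, &server, &gss_type);
-if (client.value == NULL)
+if (client.value == NULL) {
 client.value = "(null)";
-if (server.value == NULL)
+clen = sizeof("(null)") -1;
+} else {
+clen = client.length;
+}
+trunc_name(&clen, &cdots);
+if (server.value == NULL) {
 server.value = "(null)";
+slen = sizeof("(null)") - 1;
+} else {
+slen = server.length;
+}
+trunc_name(&slen, &sdots);
 a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
 
 proc = msg->rm_call.cb_proc;
@@ -1016,14 +1028,14 @@
 }
 if (procname != NULL)
 krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
-"claimed client = %s, server = %s, addr = %s",
-procname, client.value,
-server.value, a);
+"claimed client = %.*s%s, server = %.*s%s, addr = %s",
+procname, clen, client.value, cdots,
+slen, server.value, sdots, a);
 else
 krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
-"claimed client = %s, server = %s, addr = %s",
-proc, client.value,
-server.value, a);
+"claimed client = %.*s%s, server = %.*s%s, addr = %s",
+proc, clen, client.value, cdots,
+slen, server.value, sdots, a);
 
 (void) gss_release_buffer(&minor, &client);
 (void) gss_release_buffer(&minor, &server);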
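Review bot: The NULL fallback still stores the literal `"(null)"` into `client.value` and `server.value`, and those same buffers are passed to `gss_release_buffer` at the end of the last hunk; whether that is harmless depends on the release routine skipping a buffer whose length is 0, which is not visible here. The new code already tracks the printable length separately in `clen`/`slen`, so the printable pointer can be kept separately as well, e.g. `const char *cval = client.value ? client.value : "(null)";`, leaving the GSS buffers untouched. The client and server blocks are also copies of each other and differ only in spacing (`-1` vs `- 1`). The enclosing function starts and ends outside these hunks.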
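--- a/src/kadmin/server/schpw.c
+++ b/src/kadmin/server/schpw.c
@@ -40,6 +40,8 @@
 int numresult;
 char strresult[1024];
 char *clientstr;
+size_t clen;
+char *cdots;
 
 ret = 0;
 rep->length = 0;
@@ -258,9 +260,12 @@
 free(ptr);
 clear.length = 0;
 
-krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s",
+clen = strlen(clientstr);
+trunc_name(&clen, &cdots);
+krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s",
 inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),
-clientstr, ret ? krb5_get_error_message (context, ret) : "success");
+clen, clientstr, cdots,
+ret ? krb5_get_error_message (context, ret) : "success");
 krb5_free_unparsed_name(context, clientstr);
 
 if (ret) {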
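Review bot: The string returned by `krb5_get_error_message (context, ret)` in the rewritten `krb5_klog_syslog` call goes straight to the logger and nothing visible in the hunk frees it, so each failed chpw request would leak it. Hold it in a local and release it after logging: `errmsg = ret ? krb5_get_error_message(context, ret) : NULL;` before the call and `if (errmsg) krb5_free_error_message(context, errmsg);` after it. The new `strlen(clientstr)` also assumes `clientstr` is non-NULL at this point, which cannot be confirmed from the hunk. The enclosing function starts and ends outside the hunk.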
*** src/kadmin/server/server_stubs.c (revision 19480)
|
|
--- src/kadmin/server/server_stubs.c (local)
|
|
***************
|
|
*** 14,19 ****
|
|
--- 14,20 ----
|
|
#include <arpa/inet.h> /* inet_ntoa */
|
|
#include <adm_proto.h> /* krb5_klog_syslog */
|
|
#include "misc.h"
|
|
+ #include <string.h>
|
|
|
|
#define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s"
|
|
#define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
|
|
***************
|
|
*** 237,242 ****
|
|
--- 238,298 ----
|
|
return 0;
|
|
}
|
|
|
|
+ static int
|
|
+ log_unauth(
|
|
+ char *op,
|
|
+ char *target,
|
|
+ gss_buffer_t client,
|
|
+ gss_buffer_t server,
|
|
+ struct svc_req *rqstp)
|
|
+ {
|
|
+ size_t tlen, clen, slen;
|
|
+ char *tdots, *cdots, *sdots;
|
|
+
|
|
+ tlen = strlen(target);
|
|
+ trunc_name(&tlen, &tdots);
|
|
+ clen = client->length;
|
|
+ trunc_name(&clen, &cdots);
|
|
+ slen = server->length;
|
|
+ trunc_name(&slen, &sdots);
|
|
+
|
|
+ return krb5_klog_syslog(LOG_NOTICE,
|
|
+ "Unauthorized request: %s, %.*s%s, "
|
|
+ "client=%.*s%s, service=%.*s%s, addr=%s",
|
|
+ op, tlen, target, tdots,
|
|
+ clen, client->value, cdots,
|
|
+ slen, server->value, sdots,
|
|
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
+ }
|
|
+
|
|
+ static int
|
|
+ log_done(
|
|
+ char *op,
|
|
+ char *target,
|
|
+ char *errmsg,
|
|
+ gss_buffer_t client,
|
|
+ gss_buffer_t server,
|
|
+ struct svc_req *rqstp)
|
|
+ {
|
|
+ size_t tlen, clen, slen;
|
|
+ char *tdots, *cdots, *sdots;
|
|
+
|
|
+ tlen = strlen(target);
|
|
+ trunc_name(&tlen, &tdots);
|
|
+ clen = client->length;
|
|
+ trunc_name(&clen, &cdots);
|
|
+ slen = server->length;
|
|
+ trunc_name(&slen, &sdots);
|
|
+
|
|
+ return krb5_klog_syslog(LOG_NOTICE,
|
|
+ "Request: %s, %.*s%s, %s, "
|
|
+ "client=%.*s%s, service=%.*s%s, addr=%s",
|
|
+ op, tlen, target, tdots, errmsg,
|
|
+ clen, client->value, cdots,
|
|
+ slen, server->value, sdots,
|
|
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
+ }
|
|
+
|
|
generic_ret *
|
|
create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
|
|
{
|
|
***************
|
|
*** 275,283 ****
|
|
|| kadm5int_acl_impose_restrictions(handle->context,
|
|
&arg->rec, &arg->mask, rp)) {
|
|
ret.code = KADM5_AUTH_ADD;
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
} else {
|
|
ret.code = kadm5_create_principal((void *)handle,
|
|
&arg->rec, arg->mask,
|
|
--- 331,338 ----
|
|
|| kadm5int_acl_impose_restrictions(handle->context,
|
|
&arg->rec, &arg->mask, rp)) {
|
|
ret.code = KADM5_AUTH_ADD;
|
|
! log_unauth("kadm5_create_principal", prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
} else {
|
|
ret.code = kadm5_create_principal((void *)handle,
|
|
&arg->rec, arg->mask,
|
|
***************
|
|
*** 287,296 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
|
|
! prime_arg, errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
|
|
/* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
|
|
}
|
|
--- 342,349 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done("kadm5_create_principal", prime_arg, errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
|
|
/* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
|
|
}
|
|
***************
|
|
*** 341,349 ****
|
|
|| kadm5int_acl_impose_restrictions(handle->context,
|
|
&arg->rec, &arg->mask, rp)) {
|
|
ret.code = KADM5_AUTH_ADD;
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
} else {
|
|
ret.code = kadm5_create_principal_3((void *)handle,
|
|
&arg->rec, arg->mask,
|
|
--- 394,401 ----
|
|
|| kadm5int_acl_impose_restrictions(handle->context,
|
|
&arg->rec, &arg->mask, rp)) {
|
|
ret.code = KADM5_AUTH_ADD;
|
|
! log_unauth("kadm5_create_principal", prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
} else {
|
|
ret.code = kadm5_create_principal_3((void *)handle,
|
|
&arg->rec, arg->mask,
|
|
***************
|
|
*** 355,364 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
|
|
! prime_arg, errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
|
|
/* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
|
|
}
|
|
--- 407,414 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done("kadm5_create_principal", prime_arg, errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
|
|
/* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
|
|
}
|
|
***************
|
|
*** 406,414 ****
|
|
|| !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
|
|
arg->princ, NULL)) {
|
|
ret.code = KADM5_AUTH_DELETE;
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal",
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
} else {
|
|
ret.code = kadm5_delete_principal((void *)handle, arg->princ);
|
|
if( ret.code == 0 )
|
|
--- 456,463 ----
|
|
|| !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
|
|
arg->princ, NULL)) {
|
|
ret.code = KADM5_AUTH_DELETE;
|
|
! log_unauth("kadm5_delete_principal", prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
} else {
|
|
ret.code = kadm5_delete_principal((void *)handle, arg->princ);
|
|
if( ret.code == 0 )
|
|
***************
|
|
*** 416,425 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal",
|
|
! prime_arg, errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
|
|
/* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
|
|
}
|
|
--- 465,472 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done("kadm5_delete_principal", prime_arg, errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
|
|
/* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
|
|
}
|
|
***************
|
|
*** 469,477 ****
|
|
|| kadm5int_acl_impose_restrictions(handle->context,
|
|
&arg->rec, &arg->mask, rp)) {
|
|
ret.code = KADM5_AUTH_MODIFY;
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal",
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
} else {
|
|
ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
|
|
arg->mask);
|
|
--- 516,523 ----
|
|
|| kadm5int_acl_impose_restrictions(handle->context,
|
|
&arg->rec, &arg->mask, rp)) {
|
|
ret.code = KADM5_AUTH_MODIFY;
|
|
! log_unauth("kadm5_modify_principal", prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
} else {
|
|
ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
|
|
arg->mask);
|
|
***************
|
|
*** 480,489 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal",
|
|
! prime_arg, errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
|
|
/* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
|
|
}
|
|
--- 526,533 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done("kadm5_modify_principal", prime_arg, errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
|
|
/* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
|
|
}
|
|
***************
|
|
*** 546,554 ****
|
|
} else
|
|
ret.code = KADM5_AUTH_INSUFFICIENT;
|
|
if (ret.code != KADM5_OK) {
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal",
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
} else {
|
|
ret.code = kadm5_rename_principal((void *)handle, arg->src,
|
|
arg->dest);
|
|
--- 590,597 ----
|
|
} else
|
|
ret.code = KADM5_AUTH_INSUFFICIENT;
|
|
if (ret.code != KADM5_OK) {
|
|
! log_unauth("kadm5_rename_principal", prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
} else {
|
|
ret.code = kadm5_rename_principal((void *)handle, arg->src,
|
|
arg->dest);
|
|
***************
|
|
*** 557,566 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal",
|
|
! prime_arg, errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
}
|
|
free_server_handle(handle);
|
|
free(prime_arg1);
|
|
--- 600,607 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done("kadm5_rename_principal", prime_arg, errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
}
|
|
free_server_handle(handle);
|
|
free(prime_arg1);
|
|
***************
|
|
*** 614,622 ****
|
|
arg->princ,
|
|
NULL))) {
|
|
ret.code = KADM5_AUTH_GET;
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
} else {
|
|
if (handle->api_version == KADM5_API_VERSION_1) {
|
|
ret.code = kadm5_get_principal_v1((void *)handle,
|
|
--- 655,662 ----
|
|
arg->princ,
|
|
NULL))) {
|
|
ret.code = KADM5_AUTH_GET;
|
|
! log_unauth(funcname, prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
} else {
|
|
if (handle->api_version == KADM5_API_VERSION_1) {
|
|
ret.code = kadm5_get_principal_v1((void *)handle,
|
|
***************
|
|
*** 636,646 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
|
|
! prime_arg,
|
|
! errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
|
|
}
|
|
free_server_handle(handle);
|
|
--- 676,683 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done(funcname, prime_arg, errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
|
|
}
|
|
free_server_handle(handle);
|
|
***************
|
|
*** 688,696 ****
|
|
NULL,
|
|
NULL)) {
|
|
ret.code = KADM5_AUTH_LIST;
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals",
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
} else {
|
|
ret.code = kadm5_get_principals((void *)handle,
|
|
arg->exp, &ret.princs,
|
|
--- 725,732 ----
|
|
NULL,
|
|
NULL)) {
|
|
ret.code = KADM5_AUTH_LIST;
|
|
! log_unauth("kadm5_get_principals", prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
} else {
|
|
ret.code = kadm5_get_principals((void *)handle,
|
|
arg->exp, &ret.princs,
|
|
***************
|
|
*** 700,710 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals",
|
|
! prime_arg,
|
|
! errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
|
|
}
|
|
free_server_handle(handle);
|
|
--- 736,743 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done("kadm5_get_principals", prime_arg, errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
|
|
}
|
|
free_server_handle(handle);
|
|
***************
|
|
*** 755,763 ****
|
|
ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
|
|
arg->pass);
|
|
} else {
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
ret.code = KADM5_AUTH_CHANGEPW;
|
|
}
|
|
|
|
--- 788,795 ----
|
|
ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
|
|
arg->pass);
|
|
} else {
|
|
! log_unauth("kadm5_chpass_principal", prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
ret.code = KADM5_AUTH_CHANGEPW;
|
|
}
|
|
|
|
***************
|
|
*** 767,776 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
|
|
! prime_arg, errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
}
|
|
|
|
free_server_handle(handle);
|
|
--- 799,806 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done("kadm5_chpass_principal", prime_arg, errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
}
|
|
|
|
free_server_handle(handle);
|
|
***************
|
|
*** 828,836 ****
|
|
arg->ks_tuple,
|
|
arg->pass);
|
|
} else {
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
ret.code = KADM5_AUTH_CHANGEPW;
|
|
}
|
|
|
|
--- 858,865 ----
|
|
arg->ks_tuple,
|
|
arg->pass);
|
|
} else {
|
|
! log_unauth("kadm5_chpass_principal", prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
ret.code = KADM5_AUTH_CHANGEPW;
|
|
}
|
|
|
|
***************
|
|
*** 840,849 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
|
|
! prime_arg, errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
}
|
|
|
|
free_server_handle(handle);
|
|
--- 869,876 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done("kadm5_chpass_principal", prime_arg, errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
}
|
|
|
|
free_server_handle(handle);
|
|
***************
|
|
*** 892,900 ****
|
|
ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
|
|
arg->keyblock);
|
|
} else {
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal",
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
ret.code = KADM5_AUTH_SETKEY;
|
|
}
|
|
|
|
--- 919,926 ----
|
|
ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
|
|
arg->keyblock);
|
|
} else {
|
|
! log_unauth("kadm5_setv4key_principal", prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
ret.code = KADM5_AUTH_SETKEY;
|
|
}
|
|
|
|
***************
|
|
*** 904,913 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setv4key_principal",
|
|
! prime_arg, errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
}
|
|
|
|
free_server_handle(handle);
|
|
--- 930,937 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done("kadm5_setv4key_principal", prime_arg, errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
}
|
|
|
|
free_server_handle(handle);
|
|
***************
|
|
*** 956,964 ****
|
|
ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
|
|
arg->keyblocks, arg->n_keys);
|
|
} else {
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
ret.code = KADM5_AUTH_SETKEY;
|
|
}
|
|
|
|
--- 980,987 ----
|
|
ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
|
|
arg->keyblocks, arg->n_keys);
|
|
} else {
|
|
! log_unauth("kadm5_setkey_principal", prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
ret.code = KADM5_AUTH_SETKEY;
|
|
}
|
|
|
|
***************
|
|
*** 968,977 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
|
|
! prime_arg, errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
}
|
|
|
|
free_server_handle(handle);
|
|
--- 991,998 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done("kadm5_setkey_principal", prime_arg, errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
}
|
|
|
|
free_server_handle(handle);
|
|
***************
|
|
*** 1023,1031 ****
|
|
arg->ks_tuple,
|
|
arg->keyblocks, arg->n_keys);
|
|
} else {
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
ret.code = KADM5_AUTH_SETKEY;
|
|
}
|
|
|
|
--- 1044,1051 ----
|
|
arg->ks_tuple,
|
|
arg->keyblocks, arg->n_keys);
|
|
} else {
|
|
! log_unauth("kadm5_setkey_principal", prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
ret.code = KADM5_AUTH_SETKEY;
|
|
}
|
|
|
|
***************
|
|
*** 1035,1044 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
|
|
! prime_arg, errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
}
|
|
|
|
free_server_handle(handle);
|
|
--- 1055,1062 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done("kadm5_setkey_principal", prime_arg, errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
}
|
|
|
|
free_server_handle(handle);
|
|
***************
|
|
*** 1097,1105 ****
|
|
ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
|
|
&k, &nkeys);
|
|
} else {
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
ret.code = KADM5_AUTH_CHANGEPW;
|
|
}
|
|
|
|
--- 1115,1122 ----
|
|
ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
|
|
&k, &nkeys);
|
|
} else {
|
|
! log_unauth(funcname, prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
ret.code = KADM5_AUTH_CHANGEPW;
|
|
}
|
|
|
|
***************
|
|
*** 1119,1128 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
|
|
! prime_arg, errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
}
|
|
free_server_handle(handle);
|
|
free(prime_arg);
|
|
--- 1136,1143 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done(funcname, prime_arg, errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
}
|
|
free_server_handle(handle);
|
|
free(prime_arg);
|
|
***************
|
|
*** 1185,1193 ****
|
|
arg->ks_tuple,
|
|
&k, &nkeys);
|
|
} else {
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
ret.code = KADM5_AUTH_CHANGEPW;
|
|
}
|
|
|
|
--- 1200,1207 ----
|
|
arg->ks_tuple,
|
|
&k, &nkeys);
|
|
} else {
|
|
! log_unauth(funcname, prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
ret.code = KADM5_AUTH_CHANGEPW;
|
|
}
|
|
|
|
***************
|
|
*** 1207,1216 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
|
|
! prime_arg, errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
}
|
|
free_server_handle(handle);
|
|
free(prime_arg);
|
|
--- 1221,1228 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done(funcname, prime_arg, errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
}
|
|
free_server_handle(handle);
|
|
free(prime_arg);
|
|
***************
|
|
*** 1253,1262 ****
|
|
rqst2name(rqstp),
|
|
ACL_ADD, NULL, NULL)) {
|
|
ret.code = KADM5_AUTH_ADD;
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy",
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
!
|
|
} else {
|
|
ret.code = kadm5_create_policy((void *)handle, &arg->rec,
|
|
arg->mask);
|
|
--- 1265,1273 ----
|
|
rqst2name(rqstp),
|
|
ACL_ADD, NULL, NULL)) {
|
|
ret.code = KADM5_AUTH_ADD;
|
|
! log_unauth("kadm5_create_policy", prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
!
|
|
} else {
|
|
ret.code = kadm5_create_policy((void *)handle, &arg->rec,
|
|
arg->mask);
|
|
***************
|
|
*** 1265,1275 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy",
|
|
! ((prime_arg == NULL) ? "(null)" : prime_arg),
|
|
! errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
}
|
|
free_server_handle(handle);
|
|
gss_release_buffer(&minor_stat, &client_name);
|
|
--- 1276,1284 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done("kadm5_create_policy",
|
|
! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
}
|
|
free_server_handle(handle);
|
|
gss_release_buffer(&minor_stat, &client_name);
|
|
***************
|
|
*** 1310,1318 ****
|
|
if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
|
|
rqst2name(rqstp),
|
|
ACL_DELETE, NULL, NULL)) {
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy",
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
ret.code = KADM5_AUTH_DELETE;
|
|
} else {
|
|
ret.code = kadm5_delete_policy((void *)handle, arg->name);
|
|
--- 1319,1326 ----
|
|
if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
|
|
rqst2name(rqstp),
|
|
ACL_DELETE, NULL, NULL)) {
|
|
! log_unauth("kadm5_delete_policy", prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
ret.code = KADM5_AUTH_DELETE;
|
|
} else {
|
|
ret.code = kadm5_delete_policy((void *)handle, arg->name);
|
|
***************
|
|
*** 1321,1331 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy",
|
|
! ((prime_arg == NULL) ? "(null)" : prime_arg),
|
|
! errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
}
|
|
free_server_handle(handle);
|
|
gss_release_buffer(&minor_stat, &client_name);
|
|
--- 1329,1337 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done("kadm5_delete_policy",
|
|
! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
}
|
|
free_server_handle(handle);
|
|
gss_release_buffer(&minor_stat, &client_name);
|
|
***************
|
|
*** 1366,1374 ****
|
|
if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
|
|
rqst2name(rqstp),
|
|
ACL_MODIFY, NULL, NULL)) {
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy",
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
ret.code = KADM5_AUTH_MODIFY;
|
|
} else {
|
|
ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
|
|
--- 1372,1379 ----
|
|
if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
|
|
rqst2name(rqstp),
|
|
ACL_MODIFY, NULL, NULL)) {
|
|
! log_unauth("kadm5_modify_policy", prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
ret.code = KADM5_AUTH_MODIFY;
|
|
} else {
|
|
ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
|
|
***************
|
|
*** 1378,1388 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy",
|
|
! ((prime_arg == NULL) ? "(null)" : prime_arg),
|
|
! errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
}
|
|
free_server_handle(handle);
|
|
gss_release_buffer(&minor_stat, &client_name);
|
|
--- 1383,1391 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done("kadm5_modify_policy",
|
|
! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
}
|
|
free_server_handle(handle);
|
|
gss_release_buffer(&minor_stat, &client_name);
|
|
***************
|
|
*** 1464,1478 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
|
|
! ((prime_arg == NULL) ? "(null)" : prime_arg),
|
|
! errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
} else {
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
}
|
|
free_server_handle(handle);
|
|
gss_release_buffer(&minor_stat, &client_name);
|
|
--- 1467,1478 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done(funcname,
|
|
! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
} else {
|
|
! log_unauth(funcname, prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
}
|
|
free_server_handle(handle);
|
|
gss_release_buffer(&minor_stat, &client_name);
|
|
***************
|
|
*** 1517,1525 ****
|
|
rqst2name(rqstp),
|
|
ACL_LIST, NULL, NULL)) {
|
|
ret.code = KADM5_AUTH_LIST;
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies",
|
|
! prime_arg, client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
} else {
|
|
ret.code = kadm5_get_policies((void *)handle,
|
|
arg->exp, &ret.pols,
|
|
--- 1517,1524 ----
|
|
rqst2name(rqstp),
|
|
ACL_LIST, NULL, NULL)) {
|
|
ret.code = KADM5_AUTH_LIST;
|
|
! log_unauth("kadm5_get_policies", prime_arg,
|
|
! &client_name, &service_name, rqstp);
|
|
} else {
|
|
ret.code = kadm5_get_policies((void *)handle,
|
|
arg->exp, &ret.pols,
|
|
***************
|
|
*** 1529,1539 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies",
|
|
! prime_arg,
|
|
! errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
}
|
|
free_server_handle(handle);
|
|
gss_release_buffer(&minor_stat, &client_name);
|
|
--- 1528,1535 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done("kadm5_get_policies", prime_arg, errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
}
|
|
free_server_handle(handle);
|
|
gss_release_buffer(&minor_stat, &client_name);
|
|
***************
|
|
*** 1573,1583 ****
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_privs",
|
|
! client_name.value,
|
|
! errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
|
|
|
|
free_server_handle(handle);
|
|
gss_release_buffer(&minor_stat, &client_name);
|
|
--- 1569,1576 ----
|
|
else
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
|
|
! log_done("kadm5_get_privs", client_name.value, errmsg,
|
|
! &client_name, &service_name, rqstp);
|
|
|
|
free_server_handle(handle);
|
|
gss_release_buffer(&minor_stat, &client_name);
|
|
***************
|
|
*** 1594,1599 ****
|
|
--- 1587,1594 ----
|
|
kadm5_server_handle_t handle;
|
|
OM_uint32 minor_stat;
|
|
char *errmsg = 0;
|
|
+ size_t clen, slen;
|
|
+ char *cdots, *sdots;
|
|
|
|
xdr_free(xdr_generic_ret, &ret);
|
|
|
|
***************
|
|
*** 1612,1625 ****
|
|
|
|
if (ret.code != 0)
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d",
|
|
! (ret.api_version == KADM5_API_VERSION_1 ?
|
|
! "kadm5_init (V1)" : "kadm5_init"),
|
|
! client_name.value,
|
|
! (ret.code == 0) ? "success" : errmsg,
|
|
! client_name.value, service_name.value,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
|
|
! rqstp->rq_cred.oa_flavor);
|
|
gss_release_buffer(&minor_stat, &client_name);
|
|
gss_release_buffer(&minor_stat, &service_name);
|
|
|
|
--- 1607,1628 ----
|
|
|
|
if (ret.code != 0)
|
|
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
|
|
! else
|
|
! errmsg = "success";
|
|
!
|
|
! clen = client_name.length;
|
|
! trunc_name(&clen, &cdots);
|
|
! slen = service_name.length;
|
|
! trunc_name(&slen, &sdots);
|
|
! krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, "
|
|
! "client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d",
|
|
! (ret.api_version == KADM5_API_VERSION_1 ?
|
|
! "kadm5_init (V1)" : "kadm5_init"),
|
|
! clen, client_name.value, cdots, errmsg,
|
|
! clen, client_name.value, cdots,
|
|
! slen, service_name.value, sdots,
|
|
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
|
|
! rqstp->rq_cred.oa_flavor);
|
|
gss_release_buffer(&minor_stat, &client_name);
|
|
gss_release_buffer(&minor_stat, &service_name);
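Review bot: `clen` and `slen` are declared `size_t` but are passed as the `*` precision of `%.*s` in the new `krb5_klog_syslog` call, and that argument must be an `int`; where `size_t` is wider than `int` the variadic arguments no longer match the format. Both values have just been through `trunc_name`, so a cast is enough: `(int)clen, client_name.value, cdots, errmsg,` and `(int)slen, service_name.value, sdots,`. The do_tgs_req.c hunk has the milder form of the same mismatch with `unsigned int tlen`. Separately, `errmsg = "success";` stores a string literal in a variable that otherwise holds a `krb5_get_error_message` result, so any later release of `errmsg` (outside this hunk, if present) has to stay conditional on `ret.code != 0`.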
|
|
|
|
*** src/kdc/do_tgs_req.c (revision 19480)
|
|
--- src/kdc/do_tgs_req.c (local)
|
|
***************
|
|
*** 489,516 ****
|
|
newtransited = 1;
|
|
}
|
|
if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
|
|
errcode = krb5_check_transited_list (kdc_context,
|
|
&enc_tkt_reply.transited.tr_contents,
|
|
krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
|
|
krb5_princ_realm (kdc_context, request->server));
|
|
if (errcode == 0) {
|
|
setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
|
|
} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
|
|
krb5_klog_syslog (LOG_INFO,
|
|
! "bad realm transit path from '%s' to '%s' via '%.*s'",
|
|
cname ? cname : "<unknown client>",
|
|
sname ? sname : "<unknown server>",
|
|
! enc_tkt_reply.transited.tr_contents.length,
|
|
! enc_tkt_reply.transited.tr_contents.data);
|
|
else {
|
|
const char *emsg = krb5_get_error_message(kdc_context, errcode);
|
|
krb5_klog_syslog (LOG_ERR,
|
|
! "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
|
|
cname ? cname : "<unknown client>",
|
|
sname ? sname : "<unknown server>",
|
|
! enc_tkt_reply.transited.tr_contents.length,
|
|
enc_tkt_reply.transited.tr_contents.data,
|
|
! emsg);
|
|
krb5_free_error_message(kdc_context, emsg);
|
|
}
|
|
} else
|
|
--- 489,526 ----
|
|
newtransited = 1;
|
|
}
|
|
if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
|
|
+ unsigned int tlen;
|
|
+ char *tdots;
|
|
+
|
|
errcode = krb5_check_transited_list (kdc_context,
|
|
&enc_tkt_reply.transited.tr_contents,
|
|
krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
|
|
krb5_princ_realm (kdc_context, request->server));
|
|
+ tlen = enc_tkt_reply.transited.tr_contents.length;
|
|
+ tdots = tlen > 125 ? "..." : "";
|
|
+ tlen = tlen > 125 ? 125 : tlen;
|
|
+
|
|
if (errcode == 0) {
|
|
setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
|
|
} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
|
|
krb5_klog_syslog (LOG_INFO,
|
|
! "bad realm transit path from '%s' to '%s' "
|
|
! "via '%.*s%s'",
|
|
cname ? cname : "<unknown client>",
|
|
sname ? sname : "<unknown server>",
|
|
! tlen,
|
|
! enc_tkt_reply.transited.tr_contents.data,
|
|
! tdots);
|
|
else {
|
|
const char *emsg = krb5_get_error_message(kdc_context, errcode);
|
|
krb5_klog_syslog (LOG_ERR,
|
|
! "unexpected error checking transit from "
|
|
! "'%s' to '%s' via '%.*s%s': %s",
|
|
cname ? cname : "<unknown client>",
|
|
sname ? sname : "<unknown server>",
|
|
! tlen,
|
|
enc_tkt_reply.transited.tr_contents.data,
|
|
! tdots, emsg);
|
|
krb5_free_error_message(kdc_context, emsg);
|
|
}
|
|
} else
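Review bot: The limit `125` appears as a bare literal in both added lines `tdots = tlen > 125 ? "..." : "";` and `tlen = tlen > 125 ? 125 : tlen;`, so the truncation length for the transited field can drift from the limit used for other logged names in this patch. A named constant would keep them in step, for example `#define MAX_LOGGED_TRANSIT_LEN 125` (placeholder name) used in both lines. The truncation bounds only the length: if `tr_contents.data` can carry non-printable bytes, they still reach syslog unescaped through `%.*s`, which deserves a comment or an escaping pass before the call. The enclosing function starts and ends outside the hunk.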
|
|
***************
|
|
*** 542,547 ****
|
|
--- 552,560 ----
|
|
if (!krb5_principal_compare(kdc_context, request->server, client2)) {
|
|
if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
|
|
tmp = 0;
|
|
+ if (tmp != NULL)
|
|
+ limit_string(tmp);
|
|
+
|
|
krb5_klog_syslog(LOG_INFO,
|
|
"TGS_REQ %s: 2ND_TKT_MISMATCH: "
|
|
"authtime %d, %s for %s, 2nd tkt client %s",
|
|
***************
|
|
*** 816,821 ****
|
|
--- 829,835 ----
|
|
krb5_klog_syslog(LOG_INFO,
|
|
"TGS_REQ: issuing alternate <un-unparseable> TGT");
|
|
} else {
|
|
+ limit_string(sname);
|
|
krb5_klog_syslog(LOG_INFO,
|
|
"TGS_REQ: issuing TGT %s", sname);
|
|
free(sname);
|
|
*** src/kdc/kdc_util.c (revision 19480)
|
|
--- src/kdc/kdc_util.c (local)
|
|
***************
|
|
*** 404,409 ****
|
|
--- 404,410 ----
|
|
|
|
krb5_db_free_principal(kdc_context, &server, nprincs);
|
|
if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
|
|
+ limit_string(sname);
|
|
krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
|
|
sname);
|
|
free(sname);
|
|
*** src/lib/kadm5/logger.c (revision 19480)
|
|
--- src/lib/kadm5/logger.c (local)
|
|
***************
|
|
*** 45,51 ****
|
|
#include <varargs.h>
|
|
#endif /* HAVE_STDARG_H */
|
|
|
|
! #define KRB5_KLOG_MAX_ERRMSG_SIZE 1024
|
|
#ifndef MAXHOSTNAMELEN
|
|
#define MAXHOSTNAMELEN 256
|
|
#endif /* MAXHOSTNAMELEN */
|
|
--- 45,51 ----
|
|
#include <varargs.h>
|
|
#endif /* HAVE_STDARG_H */
|
|
|
|
! #define KRB5_KLOG_MAX_ERRMSG_SIZE 2048
|
|
#ifndef MAXHOSTNAMELEN
|
|
#define MAXHOSTNAMELEN 256
|
|
#endif /* MAXHOSTNAMELEN */
|
|
***************
|
|
*** 261,267 ****
|
|
#endif /* HAVE_SYSLOG */
|
|
|
|
/* Now format the actual message */
|
|
! #if HAVE_VSPRINTF
|
|
vsprintf(cp, actual_format, ap);
|
|
#else /* HAVE_VSPRINTF */
|
|
sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1],
|
|
--- 261,269 ----
|
|
#endif /* HAVE_SYSLOG */
|
|
|
|
/* Now format the actual message */
|
|
! #if HAVE_VSNPRINTF
|
|
! vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap);
|
|
! #elif HAVE_VSPRINTF
|
|
vsprintf(cp, actual_format, ap);
|
|
#else /* HAVE_VSPRINTF */
|
|
sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1],
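Review bot: The `#elif HAVE_VSPRINTF` and `#else` branches still format into `cp` with unbounded `vsprintf`/`sprintf`, so a build without `HAVE_VSNPRINTF` is protected only by callers truncating their arguments and by the larger `KRB5_KLOG_MAX_ERRMSG_SIZE`. The same holds for the second logger.c hunk at `syslogp`. I would add a comment above the fallback, such as `/* unbounded: relies on callers truncating every %s argument */`, or fail the build when no bounded formatter is available. The return value of `vsnprintf` is also ignored, so a truncated message is logged with no marker. `sizeof(outbuf)` gives the buffer size only if `outbuf` is an array in this scope, which is declared outside the hunk.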
|
|
***************
|
|
*** 850,856 ****
|
|
syslogp = &outbuf[strlen(outbuf)];
|
|
|
|
/* Now format the actual message */
|
|
! #ifdef HAVE_VSPRINTF
|
|
vsprintf(syslogp, format, arglist);
|
|
#else /* HAVE_VSPRINTF */
|
|
sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],
|
|
--- 852,860 ----
|
|
syslogp = &outbuf[strlen(outbuf)];
|
|
|
|
/* Now format the actual message */
|
|
! #ifdef HAVE_VSNPRINTF
|
|
! vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist);
|
|
! #elif HAVE_VSPRINTF
|
|
vsprintf(syslogp, format, arglist);
|
|
#else /* HAVE_VSPRINTF */
|
|
sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],
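Review bot: This hunk tests `#ifdef HAVE_VSNPRINTF` and then `#elif HAVE_VSPRINTF`, while the earlier logger.c hunk opens with `#if HAVE_VSNPRINTF`. The old line here was `#ifdef HAVE_VSPRINTF`, so the `#elif` turns a defined-ness test into a value test. A macro defined with an empty value would pass the old `#ifdef` but make `#elif HAVE_VSPRINTF` a preprocessing error. Using one form in both places avoids that: `#if defined(HAVE_VSNPRINTF)` followed by `#elif defined(HAVE_VSPRINTF)`. The surrounding function begins and ends outside the hunk.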
|
|
|