krb5 commit: Add kiprop/<master-hostname> during KDB creation
Greg Hudson
ghudson at MIT.EDU
Fri Aug 1 18:24:32 EDT 2014
https://github.com/krb5/krb5/commit/0279b74c6744a8841eba8d16dbfbebb2592718e9
commit 0279b74c6744a8841eba8d16dbfbebb2592718e9
Author: Neng Xue <xnsuda at yahoo.com>
Date: Fri Jul 11 16:04:42 2014 -0700
Add kiprop/<master-hostname> during KDB creation
To reduce the number of steps in the deployment of iprop, create the
kiprop/hostname principal for the master KDC during KDB creation.
Adjust tests to match the new behavior.
[ghudson at mit.edu: clarified commit message; avoided applying kadmin
flags/lifetime to kiprop principal]
ticket: 7979 (new)
doc/admin/admin_commands/kadmind.rst | 5 +++--
doc/admin/database.rst | 4 +++-
src/kadmin/dbutil/kadm5_create.c | 19 +++++++++++++++----
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c | 7 +++++++
src/tests/dejagnu/config/default.exp | 14 +-------------
src/tests/t_iprop.py | 1 -
6 files changed, 29 insertions(+), 21 deletions(-)
diff --git a/doc/admin/admin_commands/kadmind.rst b/doc/admin/admin_commands/kadmind.rst
index 88f5566..acf25e3 100644
--- a/doc/admin/admin_commands/kadmind.rst
+++ b/doc/admin/admin_commands/kadmind.rst
@@ -53,8 +53,9 @@ and policy updates incrementally instead of receiving full dumps of
the database. This facility can be enabled in the :ref:`kdc.conf(5)`
file with the **iprop_enable** option. Incremental propagation
requires the principal ``kiprop/MASTER\@REALM`` (where MASTER is the
-master KDC's canonical host name, and REALM the realm name) to be
-registered in the database.
+master KDC's canonical host name, and REALM the realm name). In
+release 1.13, this principal is automatically created and registered
+into the datebase.
OPTIONS
diff --git a/doc/admin/database.rst b/doc/admin/database.rst
index 0d8bfa5..c7abc1b 100644
--- a/doc/admin/database.rst
+++ b/doc/admin/database.rst
@@ -805,7 +805,9 @@ Both master and slave sides must have a principal named
``kiprop/hostname`` (where *hostname* is the lowercase,
fully-qualified, canonical name for the host) registered in the
Kerberos database, and have keys for that principal stored in the
-default keytab file (|keytab|).
+default keytab file (|keytab|). In release 1.13, the
+``kiprop/hostname`` principal is created automatically for the master
+KDC, but it must still be created for slave KDCs.
On the master KDC side, the ``kiprop/hostname`` principal must be
listed in the kadmind ACL file :ref:`kadm5.acl(5)`, and given the
diff --git a/src/kadmin/dbutil/kadm5_create.c b/src/kadmin/dbutil/kadm5_create.c
index fffc64d..159a419 100644
--- a/src/kadmin/dbutil/kadm5_create.c
+++ b/src/kadmin/dbutil/kadm5_create.c
@@ -145,7 +145,7 @@ int kadm5_create_magic_princs(kadm5_config_params *params,
static int add_admin_princs(void *handle, krb5_context context, char *realm)
{
krb5_error_code ret = 0;
- char *service_name = 0, *p;
+ char *service_name = 0, *kiprop_name = 0, *p;
char localname[MAXHOSTNAMELEN];
struct addrinfo *ai, ai_hints;
int gai_error;
@@ -191,6 +191,12 @@ static int add_admin_princs(void *handle, krb5_context context, char *realm)
freeaddrinfo(ai);
goto clean_and_exit;
}
+ if (asprintf(&kiprop_name, "kiprop/%s", ai->ai_canonname) < 0) {
+ ret = ENOMEM;
+ fprintf(stderr, _("Out of memory\n"));
+ freeaddrinfo(ai);
+ goto clean_and_exit;
+ }
freeaddrinfo(ai);
if ((ret = add_admin_princ(handle, context,
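Review bot: The new name is built from `ai->ai_canonname` exactly as getaddrinfo returns it, while database.rst in this same commit requires the lowercase canonical name; if the resolver can hand back mixed case, this kiprop principal would not match the name kpropd and kadmind derive, so either lowercase here or confirm that the existing `kadmin/%s` line already relies on the same assumption. The error block is a verbatim copy of the one just above it; a small helper or a shared `clean_ai:` label would avoid the third copy of `freeaddrinfo(ai); goto clean_and_exit;`. The enclosing add_admin_princs body starts before this hunk, so whether a NULL ai_canonname is rejected earlier cannot be seen from here.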
@@ -212,8 +218,11 @@ static int add_admin_princs(void *handle, krb5_context context, char *realm)
CHANGEPW_LIFETIME)))
goto clean_and_exit;
+ ret = add_admin_princ(handle, context, kiprop_name, realm, 0, 0);
+
clean_and_exit:
free(service_name);
+ free(kiprop_name);
return ret;
}
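Review bot: `ret = add_admin_princ(handle, context, kiprop_name, realm, 0, 0);` passes two bare zeros and then falls through into clean_and_exit, unlike the `if ((ret = ...)) goto clean_and_exit;` form used for the preceding principals, so a reader has to infer both why no attributes or lifetime apply and that the fall-through is deliberate. Suggest a comment above the call, e.g. `/* kiprop/<host> is an ordinary service principal: no kadmin attributes, default max life. */`, and keeping the same call shape as the calls above. The decision itself looks intentional per the commit message; whether attrs and lifetime of 0 produce the intended ticket policy depends on how add_admin_princ treats 0, which is changed in a later hunk of this file.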
@@ -253,6 +262,7 @@ int add_admin_princ(void *handle, krb5_context context,
char *fullname;
krb5_error_code ret;
kadm5_principal_ent_rec ent;
+ long flags;
memset(&ent, 0, sizeof(ent));
@@ -268,9 +278,10 @@ int add_admin_princ(void *handle, krb5_context context,
ent.max_life = lifetime;
ent.attributes = attrs;
- ret = kadm5_create_principal(handle, &ent,
- (KADM5_PRINCIPAL | KADM5_MAX_LIFE |
- KADM5_ATTRIBUTES), NULL);
+ flags = KADM5_PRINCIPAL | KADM5_ATTRIBUTES;
+ if (lifetime)
+ flags |= KADM5_MAX_LIFE;
+ ret = kadm5_create_principal(handle, &ent, flags, NULL);
if (ret && ret != KADM5_DUP) {
com_err(progname, ret, _("while creating principal %s"), fullname);
krb5_free_principal(context, ent.principal);
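Review bot: `if (lifetime) flags |= KADM5_MAX_LIFE;` makes a lifetime of 0 a sentinel meaning "do not request an explicit max life", but add_admin_princ's header (outside this hunk) does not say so, and `ent.max_life = lifetime;` on the line above is still assigned even when the bit is omitted. Document the contract on the function, e.g. `/* lifetime == 0: leave KADM5_MAX_LIFE unset so kadm5_create_principal's default applies. */`, and consider placing the assignment under the same condition so the ignored field is not populated. What default kadm5_create_principal applies when KADM5_MAX_LIFE is absent is not visible here and should be confirmed against the LDAP path, which uses global_params.max_life.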
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
index 4cbb57c..4d30700 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
@@ -371,6 +371,13 @@ create_special_princs(krb5_context context, krb5_principal master_princ,
if (ret)
return ret;
+ /* Create kiprop/<hostname>. */
+ rblock.max_life = global_params.max_life;
+ rblock.flags = 0;
+ ret = create_hostbased_special(context, &rblock, mkey, "kiprop");
+ if (ret)
+ return ret;
+
/* Create kadmin/changepw. */
rblock.max_life = CHANGEPW_LIFETIME;
rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE;
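Review bot: The LDAP path gives kiprop/<hostname> `rblock.max_life = global_params.max_life;`, whereas the DB2 path in kadm5_create.c passes lifetime 0 and omits KADM5_MAX_LIFE; unless kadm5_create_principal falls back to that same global max_life, the two backends will create the principal with different lifetimes. A comment tying them together, e.g. `/* Keep in sync with kadm5_create.c: realm-default max life, no kadmin attributes. */`, would make the intended equivalence explicit and easy to check. create_special_princs starts before this hunk.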
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index 5d4bcfc..0c7a0c7 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -1254,7 +1254,7 @@ proc setup_kerberos_db { standalone } {
}
# Add an incremental-propagation service.
- set test "kadmin.local ank kiprop/$hostname"
+ set test "kadmin.local ank krbtest/fast"
set body {
if $failall {
break
@@ -1264,18 +1264,6 @@ proc setup_kerberos_db { standalone } {
expect_after $def_exp_after
expect "kadmin.local: "
- send "ank kiprop/$hostname@$REALMNAME\r"
- # It echos...
- expect "ank kiprop/$hostname@$REALMNAME\r"
- expect "Enter password for principal \"kiprop/$hostname@$REALMNAME\":"
- send "kiproppass$KEY\r"
- expect "Re-enter password for principal \"kiprop/$hostname@$REALMNAME\":"
- send "kiproppass$KEY\r"
- expect {
- "Principal \"kiprop/$hostname@$REALMNAME\" created" { }
- "Principal or policy already exists while creating*" { }
- }
- expect "kadmin.local: "
send "ank +requires_preauth krbtest/fast@$REALMNAME\r"
expect "Enter password for principal \"krbtest/fast@$REALMNAME\":"
send "adminpass$KEY\r"
diff --git a/src/tests/t_iprop.py b/src/tests/t_iprop.py
index d08081c..51e18a8 100644
--- a/src/tests/t_iprop.py
+++ b/src/tests/t_iprop.py
@@ -153,7 +153,6 @@ if not os.path.exists(ulog):
# Create the principal used to authenticate kpropd to kadmind.
kiprop_princ = 'kiprop/' + hostname
-realm.addprinc(kiprop_princ)
realm.extract_keytab(kiprop_princ, realm.keytab)
# Create the initial slave1 and slave2 databases.