authorShawn Emery <Shawn.Emery@Sun.COM>2010-06-07 01:47:20 -0600
committerShawn Emery <Shawn.Emery@Sun.COM>2010-06-07 01:47:20 -0600
commitc48f4690176e54195652a6ecbbe3014ee39e7341 (patch)
tree1ac0de11d1c9d34e12f63355c08b6ce3dd443a97 /usr/src/cmd
parente1831dbbc9b53f41c2e0cb00c93047e5852ab3c7 (diff)
6954931 kclient(1M) should use new profile APIs, at least AD domain joins
Diffstat (limited to 'usr/src/cmd')
-rw-r--r--usr/src/cmd/krb5/kadmin/kclient/Makefile17
-rw-r--r--usr/src/cmd/krb5/kadmin/kclient/kclient.sh43
-rw-r--r--usr/src/cmd/krb5/kadmin/kclient/kconf.c217
3 files changed, 245 insertions, 32 deletions
diff --git a/usr/src/cmd/krb5/kadmin/kclient/Makefile b/usr/src/cmd/krb5/kadmin/kclient/Makefile
index 10d64c8fb2..4e76e4054b 100644
--- a/usr/src/cmd/krb5/kadmin/kclient/Makefile
+++ b/usr/src/cmd/krb5/kadmin/kclient/Makefile
@@ -18,17 +18,15 @@
#
# CDDL HEADER END
#
-# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
-# Use is subject to license terms.
-#
-# ident "%Z%%M% %I% %E% SMI"
+# Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
#
# Makefile for Kerberos client-install utility.
#
PROG= ksetpw \
kdyndns \
- ksmb
+ ksmb \
+ kconf
SHFILES= kclient
SECFILES= pam_krb5_first \
@@ -45,8 +43,9 @@ $(SEC):= FILEMODE = $(LIBFILEMODE)
KS_OBJS= ksetpw.o
KD_OBJS= kdyndns.o
KSMB_OBJS= ksmb.o
+KC_OBJS= kconf.o
-OBJS= $(KS_OBJS) $(KD_OBJS) $(KSMB_OBJS)
+OBJS= $(KS_OBJS) $(KD_OBJS) $(KSMB_OBJS) $(KC_OBJS)
SSRCS= kclient.sh
SRCS= $(OBJS:%.o=%.c)
@@ -64,10 +63,12 @@ CPPFLAGS += -I$(SRC)/uts/common/gssapi/include \
ksetpw:= LDFLAGS += $(KRUNPATH)
kdyndns:= LDFLAGS += -R/usr/lib/smbsrv
ksmb:= LDFLAGS += -R/usr/lib/smbsrv
+kconf:= LDFLAGS += $(KRUNPATH)
KS_LDLIBS = $(LDLIBS) $(KMECHLIB)
KD_LDLIBS = $(LDLIBS) -L$(ROOT)/usr/lib/smbsrv -lsmbns
KSMB_LDLIBS = $(LDLIBS) -L$(ROOT)/usr/lib/smbsrv -lsmb
+KC_LDLIBS = $(LDLIBS) $(KMECHLIB)
.KEEP_STATE:
@@ -87,6 +88,10 @@ ksetpw: $(KS_OBJS)
$(LINK.c) $(KS_OBJS) -o $@ $(KS_LDLIBS)
$(POST_PROCESS)
+kconf: $(KC_OBJS)
+ $(LINK.c) $(KC_OBJS) -o $@ $(KC_LDLIBS)
+ $(POST_PROCESS)
+
$(KRB5SBIN):
$(INS.dir)
diff --git a/usr/src/cmd/krb5/kadmin/kclient/kclient.sh b/usr/src/cmd/krb5/kadmin/kclient/kclient.sh
index c9e3384fb4..258d5e42a2 100644
--- a/usr/src/cmd/krb5/kadmin/kclient/kclient.sh
+++ b/usr/src/cmd/krb5/kadmin/kclient/kclient.sh
@@ -19,8 +19,7 @@
#
# CDDL HEADER END
#
-# Copyright 2010 Sun Microsystems, Inc. All rights reserved.
-# Use is subject to license terms.
+# Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
#
# This script is used to setup the Kerberos client by
# supplying information about the Kerberos realm and kdc.
@@ -861,36 +860,27 @@ function getDC {
}
function write_ads_krb5conf {
- printf "\n$(gettext "Setting up %s").\n\n" $KRB5_CONFIG_FILE
+ typeset kdcs
- exec 3>$KRB5_CONFIG
- if [[ $? -ne 0 ]]; then
- printf "\n$(gettext "Can not write to %s, exiting").\n" $KRB5_CONFIG >&2
- error_message
- fi
+ printf "\n$(gettext "Setting up %s").\n\n" $KRB5_CONFIG_FILE
- printf "[libdefaults]\n" 1>&3
- printf "\tdefault_realm = $realm\n" 1>&3
- printf "\n[realms]\n" 1>&3
- printf "\t$realm = {\n" 1>&3
for i in ${KDCs[@]}
do
[[ $i == +([0-9]) ]] && continue
- printf "\t\tkdc = $i\n" 1>&3
+ if [[ -n $kdcs ]]
+ then
+ kdcs="$kdcs,$i"
+ else
+ kdcs=$i
+ fi
done
- # Defining the same as admin_server. This would cause auth failures
- # if this was different.
- printf "\n\t\tkpasswd_server = $KDC\n" 1>&3
- printf "\n\t\tadmin_server = $KDC\n" 1>&3
- printf "\t\tkpasswd_protocol = SET_CHANGE\n\t}\n" 1>&3
- printf "\n[domain_realm]\n" 1>&3
- printf "\t.$dom = $realm\n\n" 1>&3
- printf "[logging]\n" 1>&3
- printf "\tdefault = FILE:/var/krb5/kdc.log\n" 1>&3
- printf "\tkdc = FILE:/var/krb5/kdc.log\n" 1>&3
- printf "\tkdc_rotate = {\n\t\tperiod = 1d\n\t\tversions = 10\n\t}\n\n" 1>&3
- printf "[appdefaults]\n" 1>&3
- printf "\tkinit = {\n\t\trenewable = true\n\t\tforwardable = true\n\t}\n" 1>&3
+
+ $KCONF -f $KRB5_CONFIG -r $realm -k $kdcs -m $KDC -p SET_CHANGE -d .$dom
+
+ if [[ $? -ne 0 ]]; then
+ printf "\n$(gettext "Can not update %s, exiting").\n" $KRB5_CONFIG >&2
+ error_message
+ fi
}
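Review bot: `kdcs` is empty whenever every entry of `KDCs` is skipped by the `+([0-9])` test, and because the `$KCONF` invocation passes `$kdcs` unquoted the empty word vanishes, so `-k` takes `-m` as its value and `$KDC` becomes a stray non-option argument to kconf. Guard the call in the same way the removed code guarded the redirect, e.g. `[[ -z $kdcs ]] && { printf "\n$(gettext "No KDC found for %s, exiting").\n" $realm >&2; error_message; }`, and quote the arguments (`-k "$kdcs" -d ".$dom"`). The rewritten function also no longer writes the `[logging]` and `[appdefaults]` sections the deleted printf block produced; if dropping them is intended, that is worth stating in the commit description, otherwise kconf needs to emit them.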
function getForestName {
@@ -1576,6 +1566,7 @@ KLOOKUP=/usr/lib/krb5/klookup; check_bin $KLOOKUP
KSETPW=/usr/lib/krb5/ksetpw; check_bin $KSETPW
KSMB=/usr/lib/krb5/ksmb; check_bin $KSMB
KDYNDNS=/usr/lib/krb5/kdyndns; check_bin $KDYNDNS
+KCONF=/usr/lib/krb5/kconf; check_bin $KCONF
dns_lookup=no
ask_fqdns=no
diff --git a/usr/src/cmd/krb5/kadmin/kclient/kconf.c b/usr/src/cmd/krb5/kadmin/kclient/kconf.c
new file mode 100644
index 0000000000..6bbeff2c7b
--- /dev/null
+++ b/usr/src/cmd/krb5/kadmin/kclient/kconf.c
@@ -0,0 +1,217 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <strings.h>
+#include <locale.h>
+#include <errno.h>
+#include <krb5.h>
+#include <profile.h>
+#include <com_err.h>
+
+struct profile_string_list {
+ char **list;
+ int num;
+ int max;
+};
+
+/*
+ * From prof_get.c as the following four functions are private in mech_krb5.
+ */
+/*
+ * Initialize the string list abstraction.
+ */
+static errcode_t
+init_list(struct profile_string_list *list)
+{
+ list->num = 0;
+ list->max = 10;
+ list->list = malloc(list->max * sizeof (char *));
+ if (list->list == NULL)
+ return (ENOMEM);
+ list->list[0] = NULL;
+ return (0);
+}
+
+/*
+ * If re_list is non-NULL then pass the list header to the caller else free
+ * the previously allocated list.
+ */
+static void
+end_list(struct profile_string_list *list, char ***ret_list)
+{
+
+ if (list == NULL)
+ return;
+
+ if (ret_list) {
+ *ret_list = list->list;
+ return;
+ } else
+ profile_free_list(list->list);
+ list->num = list->max = 0;
+ list->list = NULL;
+}
+
+/*
+ * Add a string to the list.
+ */
+static errcode_t
+add_to_list(struct profile_string_list *list, const char *str)
+{
+ char *newstr, **newlist;
+ int newmax;
+
+ if (list->num + 1 >= list->max) {
+ newmax = list->max + 10;
+ newlist = realloc(list->list, newmax * sizeof (char *));
+ if (newlist == NULL)
+ return (ENOMEM);
+ list->max = newmax;
+ list->list = newlist;
+ }
+ newstr = strdup(str);
+ if (newstr == NULL)
+ return (ENOMEM);
+
+ list->list[list->num++] = newstr;
+ list->list[list->num] = NULL;
+ return (0);
+}
+
+static void
+usage()
+{
+ (void) fprintf(stderr, gettext("kconf -f <file> -r <realm> "
+ "-k <kdc[,kdc]> -m <master_kdc>\n -p <kpasswd_protocol> "
+ "-d <domain>\n"));
+
+ exit(1);
+}
+
+int
+main(int argc, char **argv)
+{
+ profile_t profile;
+ errcode_t code;
+ char c, *realm, *kdcs, *master, *domain, *token, *lasts;
+ char *file, **ret_values = NULL;
+ boolean_t set_change = FALSE;
+ struct profile_string_list values;
+
+ (void) setlocale(LC_ALL, "");
+
+#if !defined(TEXT_DOMAIN)
+#define TEXT_DOMAIN "SYS_TEST"
+#endif /* TEXT_DOMAIN */
+
+ (void) textdomain(TEXT_DOMAIN);
+
+ /*
+ * kconf -f <file> -r <realm> -k <kdc[,kdc]> -m <master_kdc>
+ * -p <kpasswd_protocol> -d <domain>
+ */
+ while ((c = getopt(argc, argv, "f:r:k:a:s:p:d:m:")) != -1) {
+ switch (c) {
+ case 'f':
+ file = optarg;
+ break;
+ case 'r':
+ realm = optarg;
+ break;
+ case 'k':
+ kdcs = optarg;
+ break;
+ case 'm':
+ master = optarg;
+ break;
+ case 'p':
+ if (strcmp(optarg, "SET_CHANGE") == 0)
+ set_change = TRUE;
+ break;
+ case 'd':
+ domain = optarg;
+ break;
+ default:
+ usage();
+ break;
+ }
+ }
+
+ code = __profile_init(file, &profile);
+ if (code != 0) {
+ fprintf(stderr, gettext("Wasn't able to initialize profile\n"));
+ exit(code);
+ }
+
+ if (code = init_list(&values)) {
+ fprintf(stderr, gettext("Can not initialize list %d\n"), code);
+ goto error;
+ }
+ token = strtok_r(kdcs, ",", &lasts);
+ do {
+ if (token != NULL) {
+ code = add_to_list(&values, token);
+ if (code != 0) {
+ fprintf(stderr, gettext("Can not add to list "
+ "%d\n"), code);
+ goto error;
+ }
+ } else {
+ fprintf(stderr, gettext("Couldn't parse kdc list %d\n"),
+ code);
+ goto error;
+ }
+ } while ((token = strtok_r(NULL, ",", &lasts)) != NULL);
+ end_list(&values, &ret_values);
+
+ code = __profile_add_realm(profile, realm, master, ret_values,
+ set_change, TRUE);
+ if (code != 0) {
+ fprintf(stderr, gettext("Wasn't able to add realm "
+ "information\n"));
+ goto error;
+ }
+
+ code = __profile_add_domain_mapping(profile, domain, realm);
+ if (code != 0) {
+ fprintf(stderr, gettext("Wasn't able to add domain mapping\n"));
+ goto error;
+ }
+
+error:
+ if (ret_values != NULL)
+ profile_free_list(ret_values);
+
+ /*
+ * Release profile, which will subsequently flush new profile to file.
+ * If this fails then at least free profile memory.
+ */
+ if ((code = __profile_release(profile)) != NULL)
+ __profile_abandon(profile);
+
+ return (code);
+}
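Review bot: `file`, `realm`, `kdcs`, `master` and `domain` are never initialized in main, so any option missing from the command line hands an indeterminate pointer to `__profile_init` or `strtok_r`; initialize them (`char *file = NULL, *realm = NULL, *kdcs = NULL, *master = NULL, *domain = NULL;`) and reject a missing one after the getopt loop with `if (file == NULL || realm == NULL || kdcs == NULL || master == NULL || domain == NULL) usage();`. The `error:` label then falls into `__profile_release`, which the comment above it says flushes the profile to the file, so a failure in `__profile_add_domain_mapping` still writes a krb5.conf that has the realm added but no domain mapping; if the update is meant to be all-or-nothing, the error path should call `__profile_abandon` and only the success path `__profile_release`. `c` is declared `char` but compared with `-1` from getopt, which never terminates on targets where char is unsigned; declare it `int`. The strings collected in `values` are also leaked when `add_to_list` fails, since `end_list` is only reached on the success path, and the getopt string advertises `a:` and `s:` options that no case handles.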