NOTE: You may not want to apply the very last bit of the patch to bdump.c --- my setup does very goofy things if I try to get a k4 tgt from a srvtab, so I simply ifdef'd that out of get_tgt. Also, I probably don't need that initial setting of retval to ZERR_NONE in realms.c.
--- kstuff.c.orig-kula 2007-12-07 19:12:08.000000000 -0500
+++ kstuff.c 2007-12-09 14:04:19.000000000 -0500
@@ -165,7 +165,7 @@
 SendKrb5Data(int fd, krb5_data *data) {
 char p[32];
 int written, size_to_write;
- sprintf(p, "V5-%d", data->length);
+ sprintf(p, "V5-%d ", data->length);
 size_to_write = strlen (p);
 if (size_to_write != (written = write(fd, p, size_to_write)) || data->length != (written = write(fd, data->data, data->length))) {
--- bdump.c-pre-kula 2007-12-07 19:12:08.000000000 -0500
+++ bdump.c 2007-12-09 13:55:16.000000000 -0500
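Review bot: The `sprintf` into the fixed `char p[32]` still prints `data->length` with `%d`, while `krb5_data.length` is an `unsigned int` in MIT Kerberos, so a length above INT_MAX would be rendered as a negative number and the peer would parse a wrong frame length; `snprintf(p, sizeof p, "V5-%u ", data->length);` keeps the bound explicit and the specifier matched (the 32-byte buffer is large enough for any 32-bit value). The added trailing space changes the wire framing, so the receiving parser must treat a space as the header terminator — GetKrb5Data is outside this hunk and should be checked in the same change. The rest of SendKrb5Data's body continues past the hunk.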
@@ -316,8 +316,132 @@
 #ifdef HAVE_KRB5
 { /* "server" side */
 krb5_auth_context actx;
+ krb5_creds creds;
+ krb5_creds *credsp;
+ krb5_principal principal;
+ krb5_data data;
+ krb5_ap_rep_enc_part *rep;
+ krb5_keytab kt;
+
+ if (get_tgt()) {
+ syslog(LOG_ERR, "bdump_send: get_tgt failed");
+ cleanup(server);
+ return;
+ }
+
+ memset((char *)&creds, 0, sizeof(creds));
+
+ retval = krb5_build_principal(Z_krb5_ctx, &principal,
+ strlen(ZGetRealm()),
+ ZGetRealm(),
+ SERVER_KRB5_SERVICE, SERVER_INSTANCE,
+ 0);
+ if (retval) {
+ syslog(LOG_ERR, "bdump_send: krb5_build_principal: %s", error_message(retval));
+ cleanup(server);
+ return;
+ }
+ retval = krb5_copy_principal(Z_krb5_ctx, principal, &creds.server);
+ if (retval) {
+ syslog(LOG_ERR, "bdump_send: krb5_copy_principal (server): %s", error_message(retval));
+ krb5_free_principal(Z_krb5_ctx, principal);
+ cleanup(server);
+ return;
 }
+
+ retval = krb5_copy_principal(Z_krb5_ctx, principal, &creds.client);
+ krb5_free_principal(Z_krb5_ctx, principal);
+ if (retval) {
+ syslog(LOG_ERR, "bdump_send: krb5_copy_principal (client): %s", error_message(retval));
+ krb5_free_cred_contents(Z_krb5_ctx, &creds);
+ cleanup(server);
+ return;
+ }
+
+ retval = krb5_get_credentials(Z_krb5_ctx, 0, Z_krb5_ccache,
+ &creds, &credsp);
+ krb5_free_cred_contents(Z_krb5_ctx, &creds);
+ if (retval) {
+ syslog(LOG_ERR, "bdump_send: krb5_get_credentials: %s", error_message(retval));
+ cleanup(server);
+ return;
+ }
+
+ retval = krb5_auth_con_init(Z_krb5_ctx, &actx);
+ if (retval) {
+ syslog(LOG_ERR, "bdump_send: krb5_auth_con_init: %s", error_message(retval));
+ krb5_free_creds(Z_krb5_ctx, credsp);
+ cleanup(server);
+ return;
+ }
+
+ /* Get the "client" krb_ap_req */
+
+ memset((char *)&data, 0, sizeof(krb5_data));
+ retval = GetKrb5Data(live_socket, &data);
+ if (retval) {
+ syslog(LOG_ERR, "bdump_send: cannot get auth response: %s",
+ error_message(retval));
+ krb5_auth_con_free(Z_krb5_ctx, actx);
+ cleanup(server);
+ return;
+ }
+
+
+ /* resolve keytab */
+ retval = krb5_kt_resolve(Z_krb5_ctx, keytab_file, &kt);
+ if (retval) {
+ syslog(LOG_ERR, "bdump_send: cannot resolve keytab: %s",
+ error_message(retval));
+ krb5_auth_con_free(Z_krb5_ctx, actx);
+ krb5_kt_close(Z_krb5_ctx, kt);
+ cleanup(server);
+ return;
+ }
+
+ retval = krb5_rd_req(Z_krb5_ctx, &actx, &data, creds.client, kt, NULL, NULL);
+ krb5_kt_close(Z_krb5_ctx, kt);
+ free(data.data);
+ memset((char *)&data, 0, sizeof(krb5_data));
+ if (retval) {
+ syslog(LOG_ERR, "bdump_send: mutual authentication failed: %s",
+ error_message(retval));
+ abort();
+ krb5_auth_con_free(Z_krb5_ctx, actx);
+ cleanup(server);
+ return;
+ }
+
+ /* Now send back our auth packet */
+
+
+ memset((char *)&data, 0, sizeof(krb5_data));
+ retval = krb5_mk_rep(Z_krb5_ctx, actx, &data);
+ if (retval) {
+ syslog(LOG_ERR, "bdump_send: krb5_mk_rep: %s", error_message(retval));
+ krb5_auth_con_free(Z_krb5_ctx, actx);
+ krb5_free_creds(Z_krb5_ctx, credsp);
+ cleanup(server);
+ return;
+ }
+ retval = SendKrb5Data(live_socket, &data);
+ krb5_free_creds(Z_krb5_ctx, credsp);
+ if (retval) {
+ syslog(LOG_ERR, "bdump_send: cannot send authenticator: %s",
+ error_message(retval));
+ krb5_free_data_contents(Z_krb5_ctx, &data);
+ krb5_auth_con_free(Z_krb5_ctx, actx);
+ cleanup(server);
+ return;
+ }
+ krb5_free_data_contents(Z_krb5_ctx, &data);
+
+
+ }
+
+
 #else /* HAVE_KRB5 */
 #ifdef HAVE_KRB4
 /* receive the authenticator */
@@ -499,6 +623,7 @@
 #ifdef HAVE_KRB5
 if (get_tgt()) {
+ syslog(LOG_ERR, "bdump_get: get_tgt failed");
 cleanup(server);
 return;
 }
@@ -523,6 +648,7 @@
 return;
 }
+
 retval = krb5_copy_principal(Z_krb5_ctx, principal, &creds.server);
 if (retval) {
 syslog(LOG_ERR, "bdump_get: krb5_copy_principal (server): %s", error_message(retval));
@@ -845,7 +971,7 @@
 #ifndef NOENCRYPTION
 Sched *s;
 #endif
-
+#if 0 /* XXX TPROA hates krb4 */
 /* have they expired ? */
 if (ticket_time < NOW - tkt_lifetime(TKTLIFETIME) + (15L * 60L)) { /* +15 for leeway */
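Review bot: The `abort()` after the "mutual authentication failed" syslog turns every AP-REQ that `krb5_rd_req` rejects into a crash of the whole server, and it makes the `krb5_auth_con_free`, `cleanup(server)` and `return` that follow it unreachable; it reads like a debugging leftover and a rejected authenticator should be handled like the other error paths. `creds.client` is handed to `krb5_rd_req` after `krb5_free_cred_contents(Z_krb5_ctx, &creds)` has already been called right after `krb5_get_credentials`, so the expected-server principal check runs against a released (or, depending on the library, NULL) principal; that free should move to after the `krb5_rd_req`, and the later failure paths then need it too. On the `krb5_kt_resolve` failure path `krb5_kt_close` is called on the never-initialised `kt`, and the GetKrb5Data, keytab and `krb5_rd_req` failure paths all leak `credsp` (only the `krb5_mk_rep` path frees it) — the GetKrb5Data path needs the same two frees as the ones below. `rep` is declared but never used, and `actx` is not freed on the success path, which may be intended if it is used later in bdump_send, which continues past the hunk.
```c
/* … unchanged: principal construction, krb5_get_credentials (drop the
   krb5_free_cred_contents that follows it), krb5_auth_con_init, GetKrb5Data … */
retval = krb5_kt_resolve(Z_krb5_ctx, keytab_file, &kt);
if (retval) {
    syslog(LOG_ERR, "bdump_send: cannot resolve keytab: %s",
           error_message(retval));
    free(data.data);
    krb5_auth_con_free(Z_krb5_ctx, actx);
    krb5_free_creds(Z_krb5_ctx, credsp);
    krb5_free_cred_contents(Z_krb5_ctx, &creds);
    cleanup(server);
    return;
}

retval = krb5_rd_req(Z_krb5_ctx, &actx, &data, creds.client, kt, NULL, NULL);
krb5_kt_close(Z_krb5_ctx, kt);
krb5_free_cred_contents(Z_krb5_ctx, &creds);
free(data.data);
memset((char *)&data, 0, sizeof(krb5_data));
if (retval) {
    syslog(LOG_ERR, "bdump_send: mutual authentication failed: %s",
           error_message(retval));
    krb5_auth_con_free(Z_krb5_ctx, actx);
    krb5_free_creds(Z_krb5_ctx, credsp);
    cleanup(server);
    return;
}
/* … unchanged: krb5_mk_rep and SendKrb5Data … */
```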
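Review bot: `#if 0 /* XXX TPROA hates krb4 */` compiles out the krb4 ticket-expiry check (`if (ticket_time < NOW - tkt_lifetime(TKTLIFETIME) ...`) and whatever follows it up to the `#endif /* TPROA */` added in the -889 hunk, unconditionally, so a server built with HAVE_KRB4 would keep using an expired krb4 ticket; the enclosing get_tgt starts and ends outside both hunks. The NOTE at the top says this is site-specific, so if it is kept at all it should be gated on a named, documented build macro rather than `#if 0`, e.g. `#ifndef NO_KRB4_TGT_REFRESH /* name to be chosen */`, with the same name on the closing `#endif` comment.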
@@ -889,6 +1015,7 @@
 #endif
 #endif /* !NOENCRYPTION */
 }
+#endif /* TPROA */
 #ifdef HAVE_KRB5 /* XXX */
 if (ticket5_time < NOW - tkt5_lifetime(TKT5LIFETIME) + (15L * 60L)) {
--- realm.c-pre-kula 2007-12-09 14:18:07.000000000 -0500
+++ realm.c 2007-12-09 14:15:03.000000000 -0500
@@ -236,10 +236,12 @@
 realm_send_realms() {
 int cnt, retval;
+ retval = ZERR_NONE;
 for (cnt = 0; cnt < nrealms; cnt++) {
 if (retval = (subscr_send_realm_subs(&otherrealms[cnt])) != ZERR_NONE) return(retval);
 }
+ return ZERR_NONE;
 }
 int
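Review bot: The added `return ZERR_NONE;` fixes the missing return on the success path, but the error path in the loop still returns the wrong value because of operator precedence: `!=` binds tighter than `=`, so `retval = (subscr_send_realm_subs(...)) != ZERR_NONE` stores the comparison result (1), and `return(retval)` then reports 1 to the caller instead of the real error code. Writing it as `if ((retval = subscr_send_realm_subs(&otherrealms[cnt])) != ZERR_NONE) return(retval);` fixes that. With that in place the added `retval = ZERR_NONE;` initialisation is indeed redundant, as the NOTE at the top suspects, since retval is assigned before every read.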