diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin.c 2009-01-08 19:22:46.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin.c 2009-01-08 13:14:43.000000000 -0800 
@@ -650,6 +650,76 @@ return; } +void kadmin_renameprinc(argc, argv) + int argc; + char *argv[]; +{ + kadm5_ret_t retval; + krb5_principal oprinc, nprinc; + char *ocanon, *ncanon; + char reply[5]; + + if (! (argc == 3 || + (argc == 4 && !strcmp("-force", argv[1])))) { + fprintf(stderr, "usage: rename_principal [-force] old_principal new_principal\n"); + return; + } + retval = kadmin_parse_name(argv[argc - 2], &oprinc); + if (retval) { + com_err("rename_principal", retval, "while parsing old principal name"); + return; + } + retval = kadmin_parse_name(argv[argc - 1], &nprinc); + if (retval) { + com_err("rename_principal", retval, "while parsing new principal name"); + krb5_free_principal(context, oprinc); + return; + } + retval = krb5_unparse_name(context, oprinc, &ocanon); + if (retval) { + com_err("rename_principal", retval, + "while canonicalizing old principal"); + krb5_free_principal(context, nprinc); + krb5_free_principal(context, oprinc); + return; + } + retval = krb5_unparse_name(context, nprinc, &ncanon); + if (retval) { + com_err("rename_principal", retval, + "while canonicalizing new principal"); + free(ocanon); + krb5_free_principal(context, nprinc); + krb5_free_principal(context, oprinc); + return; + } + if (argc == 3) { + printf("Are you sure you want to rename the principal \"%s\" to \"%s\"? 
(yes/no): ", + ocanon, ncanon); + fgets(reply, sizeof (reply), stdin); + if (strcmp("yes\n", reply)) { + fprintf(stderr, "Principal \"%s\" not renamed\n", ocanon); + free(ncanon); + free(ocanon); + krb5_free_principal(context, nprinc); + krb5_free_principal(context, oprinc); + return; + } + } + retval = kadm5_rename_principal(handle, oprinc, nprinc); + krb5_free_principal(context, nprinc); + krb5_free_principal(context, oprinc); + if (retval) { + com_err("rename_principal", retval, + "while renaming principal \"%s\" to \"%s\"", ocanon, ncanon); free(ncanon); + free(ocanon); + return; + } + printf("Principal \"%s\" renamed to \"%s\".\nMake sure that you have removed this principal from all ACLs before reusing.\n", ocanon, ncanon); + free(ncanon); + free(ocanon); + return; +} + void kadmin_cpw(argc, argv) int argc; char *argv[]; diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin_ct.ct Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin_ct.ct --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin_ct.ct 2009-01-08 19:22:46.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin_ct.ct 2009-01-08 13:14:43.000000000 -0800 
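Review bot: The result of `fgets(reply, sizeof (reply), stdin)` in the `argc == 3` confirmation branch is ignored and `reply` is never initialized, so on EOF or a read error `strcmp("yes\n", reply)` compares against indeterminate bytes and the rename can proceed without a confirmed answer. Treat a failed read as a refusal: `if (fgets(reply, sizeof (reply), stdin) == NULL || strcmp("yes\n", reply)) {`. The `-force` path intentionally skips the prompt, so this is the only place the confirmation is decided. The cleanup ordering on each error path (both canonical names and both principals released) looks complete.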
@@ -35,6 +35,9 @@ request kadmin_modprinc, "Modify principal", modify_principal, modprinc; +request kadmin_renameprinc, "Rename principal", + rename_principal, renprinc; + request kadmin_cpw, "Change password", change_password, cpw; diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/dbutil/dump.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/dbutil/dump.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/dbutil/dump.c 2008-11-07 11:25:29.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/dbutil/dump.c 2009-01-08 18:44:12.000000000 -0800 @@ -47,6 +47,7 @@ */ static int mkey_convert; static krb5_keyblock new_master_keyblock; +static krb5_principal new_master_princ = NULL; static int backwards; static int recursive; @@ -1097,6 +1098,10 @@ else if (!strcmp(argv[aindex], "-new_mkey_file")) { new_mkey_file = argv[++aindex]; mkey_convert = 1; + } else if (!strcmp(argv[aindex], "-new_mkey_principal")) { + kret = krb5_parse_name(util_context, argv[++aindex], &new_master_princ); + if (kret) + fprintf(stderr, "failed to parse new mkey principal: %s", argv[aindex]); } else if (!strcmp(argv[aindex], "-rev")) backwards = 1; else if (!strcmp(argv[aindex], "-recurse")) @@ -1127,6 +1132,13 @@ } /* + * Set new_master_princ if not set, use default master principal. + */ + + if (new_master_princ == NULL) + new_master_princ = master_princ; + + /* * If we're doing a master key conversion, set up for it. */ if (mkey_convert) { @@ -1166,7 +1178,7 @@ else kt_kvno = IGNORE_VNO; - if ((retval = krb5_db_fetch_mkey(util_context, master_princ, + if ((retval = krb5_db_fetch_mkey(util_context, new_master_princ, new_master_keyblock.enctype, FALSE, FALSE, 
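Review bot: In the `-new_mkey_principal` branch of the `@@ -1097` hunk a `krb5_parse_name` failure only prints a message (with no trailing newline) and execution continues; because `new_master_princ` is then still NULL, the `@@ -1127` hunk silently substitutes `master_princ`, so a mistyped principal name converts the database under the default master principal instead of failing. Make the parse error fatal for the command: `if (kret) { fprintf(stderr, "failed to parse new mkey principal: %s\n", argv[aindex]); return; }`, setting the utility's exit status the way the other error paths in this function do, if they do. `argv[++aindex]` is also read without checking that an operand follows; the existing `-new_mkey_file` branch has the same shape, but here a NULL operand reaches `krb5_parse_name` immediately rather than a later file open, so a `aindex + 1 < argc` guard is worth adding. The option loop and its enclosing function start outside the hunk.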
@@ -1179,7 +1191,7 @@ } } else { printf("Please enter new master key....\n"); - if ((retval = krb5_db_fetch_mkey(util_context, master_princ, + if ((retval = krb5_db_fetch_mkey(util_context, new_master_princ, new_master_keyblock.enctype, TRUE, TRUE, diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/kadm5/srv/svr_principal.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/kadm5/srv/svr_principal.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/kadm5/srv/svr_principal.c 2009-01-08 19:22:46.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/kadm5/srv/svr_principal.c 2009-01-08 13:14:43.000000000 -0800 
@@ -677,16 +677,71 @@ if ((ret = kdb_get_entry(handle, source, &kdb, &adb))) return ret; - /* this is kinda gross, but unavoidable */ - + /* Transform salt types */ for (i=0; i 1) + stype = kdb.key_data[i].key_data_type[1]; + else + stype = KRB5_KDB_SALTTYPE_NORMAL; + + switch(stype) { + case KRB5_KDB_SALTTYPE_SPECIAL: + /* do nothing */ + break; + case KRB5_KDB_SALTTYPE_NORMAL: + kdb.key_data[i].key_data_type[1] = KRB5_KDB_SALTTYPE_SPECIAL; + krb5_principal2salt(handle->context, kdb.princ, &sdata); + if (kdb.key_data[i].key_data_contents[1]) + free(kdb.key_data[i].key_data_contents[1]); + kdb.key_data[i].key_data_contents[1] = sdata.data; + kdb.key_data[i].key_data_length[1] = sdata.length; + added_salt = 1; + break; + case KRB5_KDB_SALTTYPE_NOREALM: + kdb.key_data[i].key_data_type[1] = KRB5_KDB_SALTTYPE_SPECIAL; + krb5_principal2salt_norealm(handle->context, kdb.princ, &sdata); + if (kdb.key_data[i].key_data_contents[1]) + free(kdb.key_data[i].key_data_contents[1]); + kdb.key_data[i].key_data_contents[1] = sdata.data; + kdb.key_data[i].key_data_length[1] = sdata.length; + added_salt = 1; + break; + case KRB5_KDB_SALTTYPE_ONLYREALM: { + unsigned char *p; + size_t len; + + len = krb5_princ_realm(context, kdb.princ)->length; + p = malloc(len); + if (p == NULL) { + ret = ENOMEM; + goto done; + } + if (kdb.key_data[i].key_data_contents[1]) + free(kdb.key_data[i].key_data_contents[1]); + memcpy(p, krb5_princ_realm(context, kdb.princ)->data, len); + kdb.key_data[i].key_data_contents[1] = p; + kdb.key_data[i].key_data_length[1] = len; + added_salt = 1; + break; + } + case KRB5_KDB_SALTTYPE_V4: + /* no do nothing, we assume v4 realm is not renamed */ + break; + case KRB5_KDB_SALTTYPE_AFS3: + break; + /* FALLTHOUGH */ + default: ret = KADM5_NO_RENAME_SALT; goto done; } + if (added_salt && kdb.key_data[i].key_data_ver == 1) + kdb.key_data[i].key_data_ver = 2; } - + kadm5_free_principal(handle->context, kdb.princ); ret = kadm5_copy_principal(handle->context, target, 
&kdb.princ); if (ret) {
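Review bot: The `krb5_principal2salt` and `krb5_principal2salt_norealm` calls in the `KRB5_KDB_SALTTYPE_NORMAL` and `KRB5_KDB_SALTTYPE_NOREALM` cases discard their return value, so on failure `sdata` is stored as the key's explicit salt with indeterminate contents and the rename still commits; check them: `ret = krb5_principal2salt(handle->context, kdb.princ, &sdata); if (ret) goto done;` (and the same for the norealm variant). The `/* FALLTHOUGH */` comment after the `KRB5_KDB_SALTTYPE_AFS3` `break;` is misleading since nothing falls through there; either drop it or, if falling into `default` was intended, remove the `break`. The `KRB5_KDB_SALTTYPE_ONLYREALM` case calls `krb5_princ_realm(context, ...)` while every other call in the hunk uses `handle->context`; it probably compiles only because that macro ignores its first argument, and should read `handle->context` for consistency. The `V4` and `AFS3` cases keep their salt type on the assumption that the realm is unchanged, which the function never verifies, so a realm-changing rename would leave those keys unusable; either reject that case or document the limitation in the comment. The loop header of this hunk is garbled in this view, and kadm5_rename_principal continues past the hunk.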