 

Date: Fri, 06 Jun 2008 22:19:35 +0200
From: Robert Specht <krbdev@admindb.org>
To: krb5-bugs@mit.edu
Subject: Patch: tell kadmind the correct net address changing password
>Submitter-Id: unknown
>Originator: Robert Specht
>Organization: admindb.org
>Confidential: no
>Synopsis: Patch: tell kadmind the correct net address changing password
>Severity: serious
>Priority: medium
>Category: krb5-admin
>Class: change-request
>Release: krb5-1.6.3
>Environment:
All
System: Linux itx13 2.6.18-6
>Description:
kadmind runs kpasswd into the error "Incorrect net address changing password",
if kadmind runs on a server with multiple IP-Addresses (e.g. Cluster-Node):

The kpasswd-request goes to the kpasswd_server-Address. The kadmind-reply
comes from the schpw.c:getsockname(s, &local_addr, &addrlen)-local_addr.
kpasswd fails if local_addr != kpasswd_server-Address.


This Patch (without error handling!) allows you to tell kadmind the
correct local_addr using the parameter "-pwlocaladdr local_pw_ip_address".

If you use "pwlocaladdr", kadmind also binds the kpasswd-service 464/udp
to "pwlocaladdr", not to INADDR_ANY (default).

$ diff -c server.ori kadmind163
diff -c server.ori/misc.h kadmind163/misc.h
*** server.ori/misc.h 2007-04-04 23:08:05.000000000 +0200
--- kadmind163/misc.h 2008-05-31 15:53:07.000000000 +0200
***************
*** 40,45 ****
--- 40,46 ----
char *realm, int s,
krb5_keytab keytab,
struct sockaddr_in *sockin,
+ char *pwlocaladdr,
krb5_data *req, krb5_data *rep);

#ifdef SVC_GETARGS
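Review bot: The new parameter is declared `char *pwlocaladdr`, although nothing in the visible hunks writes through it; it is only tested against NULL and handed to `inet_addr`. Declaring it `const char *pwlocaladdr` here would document that the argv string is read-only. The same applies to the `kadm_svc_run` and `do_schpw` prototypes and definitions in ovsec_kadmd.c, the local in the argument-parsing function, and the K&R parameter list in schpw.c. The prototype this line belongs to starts above the hunk.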
diff -c server.ori/ovsec_kadmd.c kadmind163/ovsec_kadmd.c
*** server.ori/ovsec_kadmd.c 2007-04-04 23:08:05.000000000 +0200
--- kadmind163/ovsec_kadmd.c 2008-06-01 14:31:02.000000000 +0200
***************
*** 76,82 ****
void request_hup(int);
void reset_db(void);
void sig_pipe(int);
! void kadm_svc_run(kadm5_config_params *params);

#ifdef POSIX_SIGNALS
static struct sigaction s_action;
--- 76,82 ----
void request_hup(int);
void reset_db(void);
void sig_pipe(int);
! void kadm_svc_run(kadm5_config_params *params, char *pwlocaladdr);

#ifdef POSIX_SIGNALS
static struct sigaction s_action;
***************
*** 112,118 ****
int rec);

int schpw;
! void do_schpw(int s, kadm5_config_params *params);

#ifdef USE_PASSWORD_SERVER
void kadm5_set_use_password_server (void);
--- 112,118 ----
int rec);

int schpw;
! void do_schpw(int s, kadm5_config_params *params, char *pwlocaladdr);

#ifdef USE_PASSWORD_SERVER
void kadm5_set_use_password_server (void);
***************
*** 131,137 ****

static void usage()
{
! fprintf(stderr, "Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] "
#ifdef USE_PASSWORD_SERVER
"[-passwordserver] "
#endif
--- 131,137 ----

static void usage()
{
! fprintf(stderr, "Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] [-pwlocaladdr local_pw_ip_address] "
#ifdef USE_PASSWORD_SERVER
"[-passwordserver] "
#endif
***************
*** 214,219 ****
--- 214,220 ----
gss_buffer_desc gssbuf;
gss_OID nt_krb5_name_oid;
kadm5_config_params params;
+ char *pwlocaladdr = NULL;
char **db_args = NULL;
int db_args_size = 0;
char *errmsg;
***************
*** 275,280 ****
--- 276,286 ----
params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
} else if (strcmp(*argv, "-nofork") == 0) {
nofork = 1;
+ }else if (strcmp(*argv, "-pwlocaladdr") == 0) {
+ argc--; argv++;
+ if (!argc)
+ usage();
+ pwlocaladdr = *argv;
#ifdef USE_PASSWORD_SERVER
} else if (strcmp(*argv, "-passwordserver") == 0) {
kadm5_set_use_password_server ();
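Review bot: The added branch is written `}else if (strcmp(*argv, "-pwlocaladdr") == 0) {`, while the neighbouring branches in this hunk use `} else if`; match the surrounding spacing. The option also has an effect a reader cannot guess from the name, so a short comment on the assignment would help, for example `/* IPv4 literal: kpasswd socket binds to it and reports it as the local address */`. The option loop and the body of `usage()` lie outside this hunk, so whether `usage()` returns here cannot be checked from the page.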
***************
*** 457,462 ****
--- 463,470 ----
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = INADDR_ANY;
+ if (pwlocaladdr)
+ addr.sin_addr.s_addr = inet_addr(pwlocaladdr);
/* XXX */
addr.sin_port = htons(params.kpasswd_port);
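Review bot: The result of `inet_addr(pwlocaladdr)` is stored in `addr.sin_addr.s_addr` unchecked, so a mistyped `-pwlocaladdr` value produces `INADDR_NONE`. The socket setup that presumably follows outside this hunk would then be attempted on 255.255.255.255 rather than stopping with a clear message. Parse with `if (inet_pton(AF_INET, pwlocaladdr, &addr.sin_addr) != 1)` and log and exit on failure, so a bad option stops startup. The same unchecked call appears in the schpw.c hunk that sets `local_addr.sin_addr.s_addr`, where a bad value would be used as the local address, apparently on every password-change request. Parsing once at startup and passing the parsed `struct in_addr` down would cover both places; the enclosing function starts and ends outside this hunk.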

***************
*** 643,649 ****

setup_signal_handlers();
krb5_klog_syslog(LOG_INFO, "starting");
! kadm_svc_run(&params);
krb5_klog_syslog(LOG_INFO, "finished, exiting");

/* Clean up memory, etc */
--- 651,657 ----

setup_signal_handlers();
krb5_klog_syslog(LOG_INFO, "starting");
! kadm_svc_run(&params, pwlocaladdr);
krb5_klog_syslog(LOG_INFO, "finished, exiting");

/* Clean up memory, etc */
***************
*** 717,724 ****
* Modifies:
*/

! void kadm_svc_run(params)
kadm5_config_params *params;
{
fd_set rfd;
struct timeval timeout;
--- 725,733 ----
* Modifies:
*/

! void kadm_svc_run(params, pwlocaladdr)
kadm5_config_params *params;
+ char *pwlocaladdr;
{
fd_set rfd;
struct timeval timeout;
***************
*** 760,766 ****
break;
default:
if (FD_ISSET(schpw, &rfd))
! do_schpw(schpw, params);
else
svc_getreqset(&rfd);
}
--- 769,775 ----
break;
default:
if (FD_ISSET(schpw, &rfd))
! do_schpw(schpw, params, pwlocaladdr);
else
svc_getreqset(&rfd);
}
***************
*** 1138,1144 ****
}
}

! void do_schpw(int s1, kadm5_config_params *params)
{
krb5_error_code ret;
/* XXX buffer = ethernet mtu */
--- 1147,1153 ----
}
}

! void do_schpw(int s1, kadm5_config_params *params, char *pwlocaladdr)
{
krb5_error_code ret;
/* XXX buffer = ethernet mtu */
***************
*** 1202,1208 ****
}

if ((ret = process_chpw_request(context, global_server_handle,
! params->realm, s2, kt, &from,
&reqdata, &repdata))) {
krb5_klog_syslog(LOG_ERR, "chpw: Error processing request: %s",
krb5_get_error_message (context, ret));
--- 1211,1217 ----
}

if ((ret = process_chpw_request(context, global_server_handle,
! params->realm, s2, kt, &from, pwlocaladdr,
&reqdata, &repdata))) {
krb5_klog_syslog(LOG_ERR, "chpw: Error processing request: %s",
krb5_get_error_message (context, ret));
diff -c server.ori/schpw.c kadmind163/schpw.c
*** server.ori/schpw.c 2007-04-04 23:08:05.000000000 +0200
--- kadmind163/schpw.c 2008-05-31 15:53:07.000000000 +0200
***************
*** 12,18 ****
#endif

krb5_error_code
! process_chpw_request(context, server_handle, realm, s, keytab, sockin,
req, rep)
krb5_context context;
void *server_handle;
--- 12,18 ----
#endif

krb5_error_code
! process_chpw_request(context, server_handle, realm, s, keytab, sockin, pwlocaladdr,
req, rep)
krb5_context context;
void *server_handle;
***************
*** 20,25 ****
--- 20,26 ----
int s;
krb5_keytab keytab;
struct sockaddr_in *sockin;
+ char *pwlocaladdr;
krb5_data *req;
krb5_data *rep;
{
***************
*** 33,39 ****
krb5_principal changepw;
krb5_ticket *ticket;
krb5_data cipher, clear;
! struct sockaddr local_addr, remote_addr;
GETSOCKNAME_ARG3_TYPE addrlen;
krb5_replay_data replay;
krb5_error krberror;
--- 34,41 ----
krb5_principal changepw;
krb5_ticket *ticket;
krb5_data cipher, clear;
! struct sockaddr_in local_addr;
! struct sockaddr remote_addr;
GETSOCKNAME_ARG3_TYPE addrlen;
krb5_replay_data replay;
krb5_error krberror;
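Review bot: Changing `local_addr` from `struct sockaddr` to `struct sockaddr_in` changes the type of `&local_addr` at every later use in this function, and the patch shows no matching edit to those uses. The description quotes the existing call as `getsockname(s, &local_addr, &addrlen)`, which would now pass a `struct sockaddr_in *` where a `struct sockaddr *` is expected. Add the cast, `getsockname(s, (struct sockaddr *)&local_addr, &addrlen)`, and check any later code that treats `local_addr` as a generic sockaddr. The declaration also fixes the local address to IPv4. The function body continues outside the hunk.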
***************
*** 145,150 ****
--- 147,155 ----
goto chpwfail;
}

+ if (pwlocaladdr)
+ local_addr.sin_addr.s_addr = inet_addr(pwlocaladdr);
+
/* some brain-dead OS's don't return useful information from
* the getsockname call. Namely, windows and solaris. */