source: trunk/server/source4/heimdal/kdc/default_config.c

Last change on this file was 745, checked in by Silvan Scherrer, 13 years ago

Samba Server: updated trunk to 3.6.0
File size: 9.0 KB
Line 
1/*
2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36#include "kdc_locl.h"
37#include <getarg.h>
38#include <parse_bytes.h>
39
40krb5_error_code
41krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
42{
43 krb5_kdc_configuration *c;
44
45 c = calloc(1, sizeof(*c));
46 if (c == NULL) {
47 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
48 return ENOMEM;
49 }
50
51 c->require_preauth = TRUE;
52 c->kdc_warn_pwexpire = 0;
53 c->encode_as_rep_as_tgs_rep = FALSE;
54 c->check_ticket_addresses = TRUE;
55 c->allow_null_ticket_addresses = TRUE;
56 c->allow_anonymous = FALSE;
57 c->trpolicy = TRPOLICY_ALWAYS_CHECK;
58 c->enable_v4 = FALSE;
59 c->enable_kaserver = FALSE;
60 c->enable_524 = FALSE;
61 c->enable_v4_cross_realm = FALSE;
62 c->enable_pkinit = FALSE;
63 c->pkinit_princ_in_cert = TRUE;
64 c->pkinit_require_binding = TRUE;
65 c->db = NULL;
66 c->num_db = 0;
67 c->logf = NULL;
68
69 c->require_preauth =
70 krb5_config_get_bool_default(context, NULL,
71 c->require_preauth,
72 "kdc", "require-preauth", NULL);
73 c->enable_v4 =
74 krb5_config_get_bool_default(context, NULL,
75 c->enable_v4,
76 "kdc", "enable-kerberos4", NULL);
77 c->enable_v4_cross_realm =
78 krb5_config_get_bool_default(context, NULL,
79 c->enable_v4_cross_realm,
80 "kdc",
81 "enable-kerberos4-cross-realm", NULL);
82 c->enable_524 =
83 krb5_config_get_bool_default(context, NULL,
84 c->enable_v4,
85 "kdc", "enable-524", NULL);
86#ifdef DIGEST
87 c->enable_digest =
88 krb5_config_get_bool_default(context, NULL,
89 FALSE,
90 "kdc", "enable-digest", NULL);
91
92 {
93 const char *digests;
94
95 digests = krb5_config_get_string(context, NULL,
96 "kdc",
97 "digests_allowed", NULL);
98 if (digests == NULL)
99 digests = "ntlm-v2";
100 c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0);
101 if (c->digests_allowed == -1) {
102 kdc_log(context, c, 0,
103 "unparsable digest units (%s), turning off digest",
104 digests);
105 c->enable_digest = 0;
106 } else if (c->digests_allowed == 0) {
107 kdc_log(context, c, 0,
108 "no digest enable, turning digest off",
109 digests);
110 c->enable_digest = 0;
111 }
112 }
113#endif
114
115#ifdef KX509
116 c->enable_kx509 =
117 krb5_config_get_bool_default(context, NULL,
118 FALSE,
119 "kdc", "enable-kx509", NULL);
120
121 if (c->enable_kx509) {
122 c->kx509_template =
123 krb5_config_get_string(context, NULL,
124 "kdc", "kx509_template", NULL);
125 c->kx509_ca =
126 krb5_config_get_string(context, NULL,
127 "kdc", "kx509_ca", NULL);
128 if (c->kx509_ca == NULL || c->kx509_template == NULL) {
129 kdc_log(context, c, 0,
130 "missing kx509 configuration, turning off");
131 c->enable_kx509 = FALSE;
132 }
133 }
134#endif
135
136 c->check_ticket_addresses =
137 krb5_config_get_bool_default(context, NULL,
138 c->check_ticket_addresses,
139 "kdc",
140 "check-ticket-addresses", NULL);
141 c->allow_null_ticket_addresses =
142 krb5_config_get_bool_default(context, NULL,
143 c->allow_null_ticket_addresses,
144 "kdc",
145 "allow-null-ticket-addresses", NULL);
146
147 c->allow_anonymous =
148 krb5_config_get_bool_default(context, NULL,
149 c->allow_anonymous,
150 "kdc",
151 "allow-anonymous", NULL);
152
153 c->max_datagram_reply_length =
154 krb5_config_get_int_default(context,
155 NULL,
156 1400,
157 "kdc",
158 "max-kdc-datagram-reply-length",
159 NULL);
160
161 {
162 const char *trpolicy_str;
163
164 trpolicy_str =
165 krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
166 "transited-policy", NULL);
167 if(strcasecmp(trpolicy_str, "always-check") == 0) {
168 c->trpolicy = TRPOLICY_ALWAYS_CHECK;
169 } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
170 c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
171 } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
172 c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
173 } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
174 /* default */
175 } else {
176 kdc_log(context, c, 0,
177 "unknown transited-policy: %s, "
178 "reverting to default (always-check)",
179 trpolicy_str);
180 }
181 }
182
183 {
184 const char *p;
185 p = krb5_config_get_string (context, NULL,
186 "kdc",
187 "v4-realm",
188 NULL);
189 if(p != NULL) {
190 c->v4_realm = strdup(p);
191 if (c->v4_realm == NULL)
192 krb5_errx(context, 1, "out of memory");
193 } else {
194 c->v4_realm = NULL;
195 }
196 }
197
198 c->enable_kaserver =
199 krb5_config_get_bool_default(context,
200 NULL,
201 c->enable_kaserver,
202 "kdc", "enable-kaserver", NULL);
203
204
205 c->encode_as_rep_as_tgs_rep =
206 krb5_config_get_bool_default(context, NULL,
207 c->encode_as_rep_as_tgs_rep,
208 "kdc",
209 "encode_as_rep_as_tgs_rep", NULL);
210
211 c->kdc_warn_pwexpire =
212 krb5_config_get_time_default (context, NULL,
213 c->kdc_warn_pwexpire,
214 "kdc", "kdc_warn_pwexpire", NULL);
215
216
217 c->enable_pkinit =
218 krb5_config_get_bool_default(context,
219 NULL,
220 c->enable_pkinit,
221 "kdc",
222 "enable-pkinit",
223 NULL);
224
225
226 c->pkinit_kdc_identity =
227 krb5_config_get_string(context, NULL,
228 "kdc", "pkinit_identity", NULL);
229 c->pkinit_kdc_anchors =
230 krb5_config_get_string(context, NULL,
231 "kdc", "pkinit_anchors", NULL);
232 c->pkinit_kdc_cert_pool =
233 krb5_config_get_strings(context, NULL,
234 "kdc", "pkinit_pool", NULL);
235 c->pkinit_kdc_revoke =
236 krb5_config_get_strings(context, NULL,
237 "kdc", "pkinit_revoke", NULL);
238 c->pkinit_kdc_ocsp_file =
239 krb5_config_get_string(context, NULL,
240 "kdc", "pkinit_kdc_ocsp", NULL);
241 c->pkinit_kdc_friendly_name =
242 krb5_config_get_string(context, NULL,
243 "kdc", "pkinit_kdc_friendly_name", NULL);
244 c->pkinit_princ_in_cert =
245 krb5_config_get_bool_default(context, NULL,
246 c->pkinit_princ_in_cert,
247 "kdc",
248 "pkinit_principal_in_certificate",
249 NULL);
250 c->pkinit_require_binding =
251 krb5_config_get_bool_default(context, NULL,
252 c->pkinit_require_binding,
253 "kdc",
254 "pkinit_win2k_require_binding",
255 NULL);
256 c->pkinit_dh_min_bits =
257 krb5_config_get_int_default(context, NULL,
258 0,
259 "kdc", "pkinit_dh_min_bits", NULL);
260
261 *config = c;
262
263 return 0;
264}
265
266krb5_error_code
267krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config)
268{
269#ifdef PKINIT
270#ifdef __APPLE__
271 config->enable_pkinit = 1;
272
273 if (config->pkinit_kdc_identity == NULL) {
274 if (config->pkinit_kdc_friendly_name == NULL)
275 config->pkinit_kdc_friendly_name =
276 strdup("O=System Identity,CN=com.apple.kerberos.kdc");
277 config->pkinit_kdc_identity = strdup("KEYCHAIN:");
278 }
279 if (config->pkinit_kdc_anchors == NULL)
280 config->pkinit_kdc_anchors = strdup("KEYCHAIN:");
281
282#endif /* __APPLE__ */
283
284 if (config->enable_pkinit) {
285 if (config->pkinit_kdc_identity == NULL)
286 krb5_errx(context, 1, "pkinit enabled but no identity");
287
288 if (config->pkinit_kdc_anchors == NULL)
289 krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
290
291 krb5_kdc_pk_initialize(context, config,
292 config->pkinit_kdc_identity,
293 config->pkinit_kdc_anchors,
294 config->pkinit_kdc_cert_pool,
295 config->pkinit_kdc_revoke);
296
297 }
298
299 return 0;
300#endif /* PKINIT */
301}
Note: See TracBrowser for help on using the repository browser.