aklog 1.6: make krb5_524 non-fatal for native K5 tokens

The krb5_524_conv_principal() function should fail whenever the Kerberos
v5 principal cannot safely be mapped onto a Kerberos v4 principal, and
does fail on some Kerberos v5 principals used in real-world AFS
deployments.

Prior to this patchset a failure was treated as a fatal error that
in turn prevents an AFS token from being generated or set into the
cache manager.

Prior to b1f9b4cb5dd295162ae51704310e9d6058008f0a the
krb5_524_conv_principal() function wasn't used and a local client
mapping was created.  b1f9b4cb5dd295162ae51704310e9d6058008f0a
replaced the local mapping with the krb5 function because the local
mapping could be wrong and confusing.

The krb5_524_conv_principal() function as applied to AFS tokens is
just a local guess.  How the username in the token is interpreted by
the AFS server is up to the server.

krb5_524_conv_principal() is only used for Krb5 native tokens. For Krb4
tokens the krb5_524_convert_creds() function is used to obtain both the
Kerberos v4 ticket and the converted names from the KDC.  Many
organizations used the krb524d service to perform name translation.  When
the krb524d service is used, the name translation is performed by the KDC,
so there is no local call to krb5_524_conv_principal() which might fail.
As a result, disallowing the use of a native Krb5 token due to a failed
local name translation is a needless loss of functionality; the local name
translation is not an essential part of obtaining a token.

This patchset modifies the behavior such that krb5_524_conv_principal()
errors are non-fatal.

 1. If -noprdb is not specified the error message is generated
    and a NULL username is used.

 2. If the username is NULL the prdb lookup is disabled.

 3. If the username is NULL the informational messages do not
    include a username.

 4. If the username is NULL the username info provided to the
    cache manager in the token description is the nul string.

This patchset is an openafs-stable-1_6_x specific version of
the patch.  The master version was submitted to

  http://gerrit.openafs.org/#change,11542

Credit to Ben Kaduk for assistance with the wording of this commit
message.

Change-Id: If12ae69394321fa7b7a182c9db95716bc66e489c
Reviewed-on: http://gerrit.openafs.org/11538
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>

diff --git a/doc/man-pages/pod1/aklog.pod b/doc/man-pages/pod1/aklog.pod
index a6c881e8666c4a26ecc8c732a1d886899dae90a8..740118d525d9eb460e428fcc9fe2e4a65160dbf9 100644 (file)
--- a/doc/man-pages/pod1/aklog.pod
+++ b/doc/man-pages/pod1/aklog.pod
@@ -36,13 +36,15 @@ specified with B<-k>.  B<-k> cannot be used in B<-path> mode (see below).
 When a Kerberos 5 cross-realm trust is used, B<aklog> looks up the AFS ID
 corresponding to the name (Kerberos principal) of the person invoking the
 command, and if the user doesn't exist and the
-system:authuser@FOREIGN.REALM PTS group exists, then it attempts automatic
+C<system:authuser@FOREIGN.REALM> PTS group exists, then it attempts automatic
 registration of the user with the foreign cell.  The user is then added to
-the system:authuser@FOREIGN.REALM PTS group if registration is successful.
+the C<system:authuser@FOREIGN.REALM> PTS group if registration is successful.
 Automatic registration in the foreign cell will fail if the group quota
-for the system:authuser@FOREIGN.REALM group is less than one.  Each
+for the C<system:authuser@FOREIGN.REALM> group is less than one.  Each
 automatic registration decrements the group quota by one.
 
+=head1 CAUTIONS
+
 When using B<aklog>, be aware that AFS uses the Kerberos v4 principal
 naming format, not the Kerberos v5 format, when referring to principals in
 PTS ACLs, F<UserList>, and similar locations.  AFS will internally map
@@ -54,6 +56,15 @@ entry for the Kerberos v5 principal C<user/admin>, refer to it as
 C<user.admin>, and for the principal C<host/shell.example.com>, refer to
 it as C<rcmd.shell>.
 
+The B<aklog> mapping of Kerberos v5 principal to Kerberos v4 principal and
+the determination that a Kerberos realm is foreign is performed in the
+absence of the actual AFS server configuration.  If the B<aklog> mapping
+of Kerberos v5 principal to Kerberos v4 principal or the foreign realm
+determination is wrong, the PTS name-to-id lookup will produce the wrong
+AFS ID for the user.  The AFS ID is only used for display purposes and
+should not be trusted.  Use the B<-noprdb> switch to disable the PTS
+name-to-id lookup.
+
 =head1 OPTIONS
 
 =over 4

diff --git a/src/aklog/aklog.c b/src/aklog/aklog.c
index a09534048afd9ef0501a9e392ccec0fc64e1b7cb..eb661fabda9268238a90d8529832e8515725c5ad 100644 (file)
--- a/src/aklog/aklog.c
+++ b/src/aklog/aklog.c
@@ -624,7 +624,8 @@ out:
  *     structure which should be freed by the caller.
  * @param[out[ userPtr
  *     A string containing the principal of the user to whom the token was
- *     issued. This is a malloc'd block which should be freed by the caller.
+ *     issued. This is a malloc'd block which should be freed by the caller,
+ *      if set.
  *
  * @returns
  *     0 on success, an error value upon failure
@@ -632,7 +633,7 @@ out:
 static int
 rxkad_build_native_token(krb5_context context, krb5_creds *v5cred,
                         struct ktc_token **tokenPtr, char **userPtr) {
-    char username[BUFSIZ];
+    char username[BUFSIZ]="";
     struct ktc_token *token;
 #ifdef HAVE_NO_KRB5_524
     char *p;
@@ -657,14 +658,15 @@ rxkad_build_native_token(krb5_context context, krb5_creds *v5cred,
                                      (char *) &k4inst,
                                      (char *) &k4realm);
     if (status) {
-       afs_com_err(progname, status, "while converting principal "
-                   "to Kerberos V4 format");
-       return AKLOG_KERBEROS;
-    }
-    strcpy (username, k4name);
-    if (k4inst[0]) {
-       strcat (username, ".");
-       strcat (username, k4inst);
+       if (!noprdb)
+           afs_com_err(progname, status,
+                       "while converting principal to Kerberos V4 format");
+    } else {
+       strcpy (username, k4name);
+       if (k4inst[0]) {
+           strcat (username, ".");
+           strcat (username, k4inst);
+       }
     }
 #else
     len = min(get_princ_len(context, v5cred->client, 0),
@@ -701,8 +703,8 @@ rxkad_build_native_token(krb5_context context, krb5_creds *v5cred,
     memcpy(token->ticket, v5cred->ticket.data, token->ticketLen);
 
     *tokenPtr = token;
-    *userPtr = strdup(username);
-
+    if (username[0] != '\0')
+       *userPtr = strdup(username);
     return 0;
 }
 
@@ -805,7 +807,8 @@ rxkad_get_converted_token(krb5_context context, krb5_creds *v5cred,
  *     be freed by the caller.
  * @parma[out] authuser
  *     A string containing the principal of the user to whom the token was
- *     issued. This is a malloc'd block which should be freed by the caller.
+ *     issued. This is a malloc'd block which should be freed by the caller,
+ *     if set.
  * @param[out] foreign
  *     Whether the user is considered as 'foreign' to the realm of the cell.
  *
@@ -839,7 +842,7 @@ rxkad_get_token(krb5_context context, struct afsconf_cell *cell, char *realm,
 
     /* We now have the username, plus the realm name, so stitch them together
      * to give us the name that the ptserver will know the user by */
-    if (realmUsed == NULL) {
+    if (realmUsed == NULL || username == NULL) {
        *authuser = username;
        username = NULL;
        *foreign = 0;
@@ -893,7 +896,9 @@ set_kernel_token(struct afsconf_cell *cell, char *username,
 {
     struct ktc_principal client, server;
 
-    strncpy(client.name, username, MAXKTCNAMELEN - 1);
+    strncpy(client.name,
+           username ? username : "",
+           MAXKTCNAMELEN - 1);
     strcpy(client.instance, "");
     strncpy(client.cell, cell->name, MAXKTCREALMLEN - 1);
 
@@ -1003,7 +1008,10 @@ auth_to_cell(krb5_context context, char *cell, char *realm, char **linkedcell)
        noprdb = 1;
 #endif
 
-       if (noprdb) {
+       if (username == NULL) {
+           afs_dprintf("Not resolving name to id\n");
+       }
+       else if (noprdb) {
            afs_dprintf("Not resolving name %s to id (-noprdb set)\n", username);
        }
        else {
@@ -1082,9 +1090,14 @@ auth_to_cell(krb5_context context, char *cell, char *realm, char **linkedcell)
            }
        }
 
-       afs_dprintf("Set username to %s\n", username);
+       if (username) {
+           afs_dprintf("Set username to %s\n", username);
 
-       afs_dprintf("Setting tokens. %s @ %s \n", username, cellconf.name);
+           afs_dprintf("Setting tokens. %s @ %s\n",
+                       username, cellconf.name);
+       } else {
+           afs_dprintf("Setting tokens for cell %s\n", cellconf.name);
+       }
 
 #ifndef AFS_AIX51_ENV
        /* on AIX 4.1.4 with AFS 3.4a+ if a write is not done before