From: Jeffrey Altman
Date: Mon, 3 Jul 2006 02:20:45 +0000 (+0000)
Subject: STABLE14-windows-afslogon-pr_end-20060702
X-Git-Tag: openafs-stable-1_4_2-beta2~7
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=d48cc9d32a4ea61d9728728b73c82d633c949159;p=packages%2Fo%2Fopenafs.git
STABLE14-windows-afslogon-pr_end-20060702
* do not attempt to copy kfw krb5 creds if integrated logon disabled
* disable use of automatic registration from afslogon.dll. calling pr_Initialize() results in rx_Init() being called which creates threads that prevent safe unloading of the dll. This is causing crashes in third party applications that call CreateProcessAsUser() which in turn temporarily loads afslogon.dll.
* add life_to_time to afskfw.c in order remove the link to the rxkad and des libraries
(cherry picked from commit 61df8d9fc834b87d758d8581e73fa7c05198ecf4)
---
diff --git a/src/WINNT/afsd/afskfw.c b/src/WINNT/afsd/afskfw.c
index 9139b0c0c..92bb4bdda 100644
--- a/src/WINNT/afsd/afskfw.c
+++ b/src/WINNT/afsd/afskfw.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (c) 2004, 2005 Secure Endpoints Inc.
 * Copyright (c) 2003 SkyRope, LLC
 * All rights reserved.
 *
@@ -61,9 +62,9 @@
 #include "afskfw.h"
 #include
-#include /* for life_to_time */
 #include
 #include
+#include
 #include
@@ -2548,6 +2549,7 @@ ViceIDToUsername(char *username,
 strncpy(sname, username, PR_MAXNAMELEN);
 sname[PR_MAXNAMELEN-1] = '\0';
 status = pr_SNameToId (sname, &viceId);
+ pr_End();
 }
 /*
@@ -2587,8 +2589,10 @@ ViceIDToUsername(char *username,
 return status;
 if (status = pr_Initialize(1L, confname, aserver->cell))
 return status;
- if (status = pr_CreateUser(username, &id))
- return status;
+ status = pr_CreateUser(username, &id);
+ pr_End();
+ if (status)
+ return status;
 #ifdef AFS_ID_TO_NAME
 strncpy(username_copy, username, BUFSIZ);
 snprintf (username, BUFSIZ, "%s (AFS ID %d)", username_copy, (int) viceId);
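Review bot: In the second ViceIDToUsername hunk, the `#ifdef AFS_ID_TO_NAME` lines that follow the new `if (status) return status;` use `BUFSIZ` as the bound for a write into `username`, which is a caller-supplied buffer (the KFW_AFS_klog hunks pass `aclient.name`) whose size is not visible here and may well be smaller. `strncpy(username_copy, username, BUFSIZ)` also leaves `username_copy` unterminated when the source fills the bound, so it should be followed by `username_copy[BUFSIZ-1] = '\0';`, and the destination size should come from the caller rather than from `BUFSIZ`. The same `snprintf` prints `viceId` although the user was just created with `&id`, which looks unintended. The function body starts and ends outside the hunk.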
@@ -2961,8 +2965,10 @@ KFW_AFS_klog(
 p[len] = '\0';
 }
- ViceIDToUsername(aclient.name, realm_of_user, realm_of_cell, CellName,
- &aclient, &aserver, &atoken);
+ GetEnvironmentVariable(DO_NOT_REGISTER_VARNAME, NULL, 0);
+ if (GetLastError() == ERROR_ENVVAR_NOT_FOUND)
+ ViceIDToUsername(aclient.name, realm_of_user, realm_of_cell, CellName,
+ &aclient, &aserver, &atoken);
 if ( smbname ) {
 strncpy(aclient.smbname, smbname, sizeof(aclient.smbname));
@@ -3079,8 +3085,10 @@ KFW_AFS_klog(
 strcpy(aclient.cell, CellName);
- ViceIDToUsername(aclient.name, realm_of_user, realm_of_cell, CellName,
- &aclient, &aserver, &atoken);
+ GetEnvironmentVariable(DO_NOT_REGISTER_VARNAME, NULL, 0);
+ if (GetLastError() == ERROR_ENVVAR_NOT_FOUND)
+ ViceIDToUsername(aclient.name, realm_of_user, realm_of_cell, CellName,
+ &aclient, &aserver, &atoken);
 if ( smbname ) {
 strncpy(aclient.smbname, smbname, sizeof(aclient.smbname));
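Review bot: `GetLastError()` is read without checking what `GetEnvironmentVariable` returned, here and in the identical change in the `@@ -3079,8 +3085,10 @@` hunk. The last-error value is only meaningful after a failing call, so when the variable is set the test compares against whatever an earlier API call left behind; a stale `ERROR_ENVVAR_NOT_FOUND` would send afslogon.dll back into ViceIDToUsername and the pr_Initialize() path that the commit message says must be avoided. Clear the error and test the return value: `SetLastError(ERROR_SUCCESS);` followed by `if (GetEnvironmentVariable(DO_NOT_REGISTER_VARNAME, NULL, 0) == 0 && GetLastError() == ERROR_ENVVAR_NOT_FOUND)`. A one-line comment stating that the variable is set by afslogon.dll at load time would also help the next reader. KFW_AFS_klog continues outside both hunks.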
@@ -3609,3 +3617,154 @@ KFW_AFS_copy_system_file_to_default_cache(char * filename)
 return 0;
 }
+
+/* We are including this
+
+/* Ticket lifetime. This defines the table used to lookup lifetime for the
+ fixed part of rande of the one byte lifetime field. Values less than 0x80
+ are intrpreted as the number of 5 minute intervals. Values from 0x80 to
+ 0xBF should be looked up in this table. The value of 0x80 is the same using
+ both methods: 10 and two-thirds hours . The lifetime of 0xBF is 30 days.
+ The intervening values of have a fixed ratio of roughly 1.06914. The value
+ oxFF is defined to mean a ticket has no expiration time. This should be
+ used advisedly since individual servers may impose defacto upperbounds on
+ ticket lifetimes. */
+
+#define TKTLIFENUMFIXED 64
+#define TKTLIFEMINFIXED 0x80
+#define TKTLIFEMAXFIXED 0xBF
+#define TKTLIFENOEXPIRE 0xFF
+#define MAXTKTLIFETIME (30*24*3600) /* 30 days */
+
+static const int tkt_lifetimes[TKTLIFENUMFIXED] = {
+ 38400, /* 10.67 hours, 0.44 days */
+ 41055, /* 11.40 hours, 0.48 days */
+ 43894, /* 12.19 hours, 0.51 days */
+ 46929, /* 13.04 hours, 0.54 days */
+ 50174, /* 13.94 hours, 0.58 days */
+ 53643, /* 14.90 hours, 0.62 days */
+ 57352, /* 15.93 hours, 0.66 days */
+ 61318, /* 17.03 hours, 0.71 days */
+ 65558, /* 18.21 hours, 0.76 days */
+ 70091, /* 19.47 hours, 0.81 days */
+ 74937, /* 20.82 hours, 0.87 days */
+ 80119, /* 22.26 hours, 0.93 days */
+ 85658, /* 23.79 hours, 0.99 days */
+ 91581, /* 25.44 hours, 1.06 days */
+ 97914, /* 27.20 hours, 1.13 days */
+ 104684, /* 29.08 hours, 1.21 days */
+ 111922, /* 31.09 hours, 1.30 days */
+ 119661, /* 33.24 hours, 1.38 days */
+ 127935, /* 35.54 hours, 1.48 days */
+ 136781, /* 37.99 hours, 1.58 days */
+ 146239, /* 40.62 hours, 1.69 days */
+ 156350, /* 43.43 hours, 1.81 days */
+ 167161, /* 46.43 hours, 1.93 days */
+ 178720, /* 49.64 hours, 2.07 days */
+ 191077, /* 53.08 hours, 2.21 days */
+ 204289, /* 56.75 hours, 2.36 days */
+ 218415, /* 60.67
hours, 2.53 days */
+ 233517, /* 64.87 hours, 2.70 days */
+ 249664, /* 69.35 hours, 2.89 days */
+ 266926, /* 74.15 hours, 3.09 days */
+ 285383, /* 79.27 hours, 3.30 days */
+ 305116, /* 84.75 hours, 3.53 days */
+ 326213, /* 90.61 hours, 3.78 days */
+ 348769, /* 96.88 hours, 4.04 days */
+ 372885, /* 103.58 hours, 4.32 days */
+ 398668, /* 110.74 hours, 4.61 days */
+ 426234, /* 118.40 hours, 4.93 days */
+ 455705, /* 126.58 hours, 5.27 days */
+ 487215, /* 135.34 hours, 5.64 days */
+ 520904, /* 144.70 hours, 6.03 days */
+ 556921, /* 154.70 hours, 6.45 days */
+ 595430, /* 165.40 hours, 6.89 days */
+ 636601, /* 176.83 hours, 7.37 days */
+ 680618, /* 189.06 hours, 7.88 days */
+ 727680, /* 202.13 hours, 8.42 days */
+ 777995, /* 216.11 hours, 9.00 days */
+ 831789, /* 231.05 hours, 9.63 days */
+ 889303, /* 247.03 hours, 10.29 days */
+ 950794, /* 264.11 hours, 11.00 days */
+ 1016537, /* 282.37 hours, 11.77 days */
+ 1086825, /* 301.90 hours, 12.58 days */
+ 1161973, /* 322.77 hours, 13.45 days */
+ 1242318, /* 345.09 hours, 14.38 days */
+ 1328218, /* 368.95 hours, 15.37 days */
+ 1420057, /* 394.46 hours, 16.44 days */
+ 1518247, /* 421.74 hours, 17.57 days */
+ 1623226, /* 450.90 hours, 18.79 days */
+ 1735464, /* 482.07 hours, 20.09 days */
+ 1855462, /* 515.41 hours, 21.48 days */
+ 1983758, /* 551.04 hours, 22.96 days */
+ 2120925, /* 589.15 hours, 24.55 days */
+ 2267576, /* 629.88 hours, 26.25 days */
+ 2424367, /* 673.44 hours, 28.06 days */
+ 2592000
+}; /* 720.00 hours, 30.00 days */
+
+/* life_to_time - takes a start time and a Kerberos standard lifetime char and
+ * returns the corresponding end time. There are four simple cases to be
+ * handled. The first is a life of 0xff, meaning no expiration, and results in
+ * an end time of 0xffffffff. The second is when life is less than the values
+ * covered by the table. In this case, the end time is the start time plus the
+ * number of 5 minute intervals specified by life.
The third case returns
+ * start plus the MAXTKTLIFETIME if life is greater than TKTLIFEMAXFIXED. The
+ * last case, uses the life value (minus TKTLIFEMINFIXED) as an index into the
+ * table to extract the lifetime in seconds, which is added to start to produce
+ * the end time. */
+
+afs_uint32
+life_to_time(afs_uint32 start, unsigned char life)
+{
+ int realLife;
+
+ if (life == TKTLIFENOEXPIRE)
+ return NEVERDATE;
+ if (life < TKTLIFEMINFIXED)
+ return start + life * 5 * 60;
+ if (life > TKTLIFEMAXFIXED)
+ return start + MAXTKTLIFETIME;
+ realLife = tkt_lifetimes[life - TKTLIFEMINFIXED];
+ return start + realLife;
+}
+
+/* time_to_life - takes start and end times for the ticket and returns a
+ * Kerberos standard lifetime char possibily using the tkt_lifetimes table for
+ * lifetimes above 127*5minutes. First, the special case of (end ==
+ * 0xffffffff) is handled to mean no expiration. Then negative lifetimes and
+ * those greater than the maximum ticket lifetime are rejected. Then lifetimes
+ * less than the first table entry are handled by rounding the requested
+ * lifetime *up* to the next 5 minute interval. The final step is to search
+ * the table for the smallest entry *greater than or equal* to the requested
+ * entry. The actual code is prepared to handle the case where the table is
+ * unordered but that it an unnecessary frill.
*/
+
+static unsigned char
+time_to_life(afs_uint32 start, afs_uint32 end)
+{
+ int lifetime = end - start;
+ int best, best_i;
+ int i;
+
+ if (end == NEVERDATE)
+ return TKTLIFENOEXPIRE;
+ if ((lifetime > MAXKTCTICKETLIFETIME) || (lifetime <= 0))
+ return 0;
+ if (lifetime < tkt_lifetimes[0])
+ return (lifetime + 5 * 60 - 1) / (5 * 60);
+ best_i = -1;
+ best = MAXKTCTICKETLIFETIME;
+ for (i = 0; i < TKTLIFENUMFIXED; i++)
+ if (tkt_lifetimes[i] >= lifetime) {
+ int diff = tkt_lifetimes[i] - lifetime;
+ if (diff < best) {
+ best = diff;
+ best_i = i;
+ }
+ }
+ if (best_i < 0)
+ return 0;
+ return best_i + TKTLIFEMINFIXED;
+}
+
diff --git a/src/WINNT/afsd/afskfw.h b/src/WINNT/afsd/afskfw.h
index 7c744e7bc..498b9f29a 100644
--- a/src/WINNT/afsd/afskfw.h
+++ b/src/WINNT/afsd/afskfw.h
@@ -88,6 +88,7 @@ int KFW_AFS_copy_system_file_to_default_cache(char *);
 #define PROBE_USERNAME "OPENAFS-KDC-PROBE"
 #define PROBE_PASSWORD_LEN 16
+#define DO_NOT_REGISTER_VARNAME "OPENAFS_DO_NOT_REGISTER_AFS_ID"
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/WINNT/afsd/afslogon.c b/src/WINNT/afsd/afslogon.c
index bafc0adef..48f6022ff 100644
--- a/src/WINNT/afsd/afslogon.c
+++ b/src/WINNT/afsd/afslogon.c
@@ -35,7 +35,6 @@ DWORD TraceOption = 0;
 HANDLE hDLL;
-WSADATA WSAjunk;
 #define AFS_LOGON_EVENT_NAME TEXT("AFS Logon")
 void DebugEvent0(char *a)
@@ -79,11 +78,19 @@ BOOLEAN APIENTRY DllEntryPoint(HANDLE dll, DWORD reason, PVOID reserved)
 switch (reason) {
 case DLL_PROCESS_ATTACH:
 /* Initialization Mutex */
- hInitMutex = CreateMutex(NULL, FALSE, NULL);
+ if (!bInit) {
+ hInitMutex = CreateMutex(NULL, FALSE, NULL);
+ SetEnvironmentVariable(DO_NOT_REGISTER_VARNAME, "");
+ }
 break;
 case DLL_PROCESS_DETACH:
- CloseHandle(hInitMutex);
+ /* do nothing on unload because we might
+ * be reloaded.
+ */
+ CloseHandle(hInitMutex);
+ hInitMutex = NULL;
+ bInit = FALSE;
 break;
 case DLL_THREAD_ATTACH:
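Review bot: The added block in afskfw.c opens with an unfinished comment, `/* We are including this`, which is never closed on its own and only ends at the `*/` of the ticket-lifetime comment below it, so the reason for the copy is lost and compilers will warn about a nested `/*`. Complete it with the reason the commit message gives, e.g. `/* life_to_time() and its table are duplicated here so afskfw.c no longer links against the rxkad and des libraries. */`. In `time_to_life`, `int lifetime = end - start;` is computed from two `afs_uint32` values, so a span larger than INT_MAX turns negative and is only rejected through the `lifetime <= 0` test; a short comment saying that this is the intended rejection path, or an explicit `end <= start` check before the subtraction, would make that visible. NEVERDATE and MAXKTCTICKETLIFETIME are not defined in this hunk and presumably come from a header that is still included.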
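Review bot: In DllEntryPoint the new DLL_PROCESS_DETACH comment says `do nothing on unload` while the code under it closes `hInitMutex` and resets `bInit`; the comment should say what is done, e.g. `/* close the mutex and reset state so that a later reload initializes again */`. On attach, `SetEnvironmentVariable(DO_NOT_REGISTER_VARNAME, "")` changes the environment of whichever process loaded the DLL; nothing in the hunk removes the variable on detach, so it presumably stays set after unload and is passed on to child processes, which widens the "do not register" switch beyond afslogon.dll. If that is intended it deserves a comment next to the call. The results of CreateMutex and SetEnvironmentVariable are not checked, and a failed SetEnvironmentVariable would silently leave automatic registration enabled.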
@@ -100,14 +107,28 @@ void AfsLogonInit(void)
 {
 if ( bInit == FALSE ) {
 if ( WaitForSingleObject( hInitMutex, INFINITE ) == WAIT_OBJECT_0 ) {
- if ( bInit == FALSE ) {
- rx_Init(0);
- initAFSDirPath();
- ka_Init(0);
- bInit = TRUE;
- }
- ReleaseMutex(hInitMutex);
- }
+ /* initAFSDirPath() initializes an array and sets a
+ * flag so that the initialization can only occur
+ * once. No cleanup will be done when the DLL is
+ * unloaded so the initialization will not be
+ * performed again on a subsequent reload
+ */
+ initAFSDirPath();
+
+ /* ka_Init initializes a number of error tables.
+ * and then calls ka_CellConfig() which grabs
+ * an afsconf_dir structure via afsconf_Open().
+ * Upon a second attempt to call ka_CellConfig()
+ * the structure will be released with afsconf_Close()
+ * and then re-opened. Could this corrupt memory?
+ *
+ * We only need this if we are not using KFW.
+ */
+ if (!KFW_is_available())
+ ka_Init(0);
+ bInit = TRUE;
+ }
+ ReleaseMutex(hInitMutex);
 }
 }
@@ -915,7 +936,7 @@ DWORD APIENTRY NPLogonNotify(
 /* remove any kerberos 5 tickets currently held by the SYSTEM account
 * for this user
 */
- if ( KFW_is_available() ) {
+ if (ISLOGONINTEGRATED(opt.LogonOption) && KFW_is_available()) {
 sprintf(szLogonId,"%d.%d",lpLogonId->HighPart, lpLogonId->LowPart);
 KFW_AFS_copy_cache_to_system_file(uname, szLogonId);
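Review bot: AfsLogonInit no longer re-checks `bInit` after it has acquired `hInitMutex`, so a thread that was blocked in WaitForSingleObject while another thread initialized will call ka_Init(0) a second time, which is the repeated ka_CellConfig() call the new comment itself is unsure about (`Could this corrupt memory?`). Keep the inner test from the old code, `if ( bInit == FALSE ) {` ... `bInit = TRUE; }`, around the body inside the wait. `ReleaseMutex(hInitMutex)` has also moved outside the `WAIT_OBJECT_0` branch, so it now runs when the wait failed and the mutex is not owned; move it back inside, or handle WAIT_ABANDONED explicitly if that was the reason for the move.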