From 8be8d54156b09b142f6e93019ef7f5bdb492a082 Mon Sep 17 00:00:00 2001 From: Simon Wilkinson Date: Wed, 23 Jan 2008 04:18:10 +0000 Subject: [PATCH] DEVEL15-rxkad-v5-dot-check-20080122 LICENSE IPL10 FIXES 75101 give an option to not enforce the dotted principal check. document it. (cherry picked from commit 98a68f9b021a06d056fb3b97681b9cfc04873d55) --- doc/man-pages/pod8/bosserver.pod | 11 ++++++++++- doc/man-pages/pod8/fileserver.pod | 10 ++++++++++ doc/man-pages/pod8/ptserver.pod | 11 ++++++++++- doc/man-pages/pod8/vlserver.pod | 12 +++++++++++- doc/man-pages/pod8/volserver.pod | 12 +++++++++++- src/bozo/bosserver.c | 13 +++++++++++-- src/ptserver/ptserver.c | 13 +++++++++++++ src/rx/rx.c | 17 +++++++++++++++++ src/rx/rx.h | 23 +++++++++++++++++++++-- src/rxkad/private_data.h | 1 + src/rxkad/rxkad_prototypes.h | 8 +++++--- src/rxkad/rxkad_server.c | 28 ++++++++++++++++++++++++++-- src/rxkad/ticket5.c | 18 ++++++++++-------- src/viced/viced.c | 9 +++++++++ src/vlserver/vlserver.c | 14 +++++++++++--- src/volser/volmain.c | 13 +++++++++++-- 16 files changed, 187 insertions(+), 26 deletions(-) diff --git a/doc/man-pages/pod8/bosserver.pod b/doc/man-pages/pod8/bosserver.pod index 3433495c8..3ff4345f3 100644 --- a/doc/man-pages/pod8/bosserver.pod +++ b/doc/man-pages/pod8/bosserver.pod @@ -8,7 +8,7 @@ bosserver - Initializes the BOS Server
B [B<-noauth>] [B<-log>] [B<-enable_peer_stats>] - [B<-enable_process_stats>] [B<-help>] + [B<-enable_process_stats>] [B<-allow-dotted-principal>] [B<-help>] =for html
@@ -108,6 +108,15 @@ GetStatus, and so on) sent or received, aggregated over all connections to other machines. To display or otherwise access the records, use the Rx Monitoring API. +=item B<-allow-dotted-principal> + +By default, the RXKAD security layer will disallow access by Kerberos +principals with a dot in the first component of their name. This is to avoid +the confusion where principals user/admin and user.admin are both mapped to the +user.admin PTS entry. Sites whose Kerberos realms don't have these collisions +between principal names may disable this check by starting the server +with this option. + =item B<-help> Prints the online help for this command. All other valid options are diff --git a/doc/man-pages/pod8/fileserver.pod b/doc/man-pages/pod8/fileserver.pod index 6199cb1bf..50f346307 100644 --- a/doc/man-pages/pod8/fileserver.pod +++ b/doc/man-pages/pod8/fileserver.pod @@ -20,6 +20,7 @@ B S<<< [B<-auditlog> >] >>> S<<< [B<-busyat> n >>>] >>> [B<-nobusy>] S<<< [B<-rxpck> >] >>> [B<-rxdbg>] [B<-rxdbge>] S<<< [B<-rxmaxmtu> >] >>> + [B<-allow-dotted-principal>] S<<< [B<-rxbind> >] >>> S<<< [B<-vattachpar> >] >>> S<<< [B<-m> >] >>> @@ -351,6 +352,15 @@ F. Writes a trace of the File Server's operations on Rx events (such as retransmissions) to the file F. +=item B<-allow-dotted-principal> + +By default, the RXKAD security layer will disallow access by Kerberos +principals with a dot in the first component of their name. This is to avoid +the confusion where principals user/admin and user.admin are both mapped to the +user.admin PTS entry. Sites whose Kerberos realms don't have these collisions +between principal names may disable this check by starting the server +with this option. + =item F<-m> > Specifies the percentage of each AFS server partition that the AIX version diff --git a/doc/man-pages/pod8/ptserver.pod b/doc/man-pages/pod8/ptserver.pod index f14fd21ef..b5214d296 100644 --- a/doc/man-pages/pod8/ptserver.pod 
+++ b/doc/man-pages/pod8/ptserver.pod @@ -9,7 +9,7 @@ ptserver - Initializes the Protection Server B S<<< [B<-database> >] >>> S<<< [B<-p> >] >>> [B<-rebuildDB>] [B<-enable_peer_stats>] [B<-enable_process_stats>] - [B<-help>] + [B<-allow-dotted-principal>] [B<-help>] =for html @@ -90,6 +90,15 @@ GetStatus, and so on) sent or received, aggregated over all connections to other machines. To display or otherwise access the records, use the Rx Monitoring API. +=item B<-allow-dotted-principal> + +By default, the RXKAD security layer will disallow access by Kerberos +principals with a dot in the first component of their name. This is to avoid +the confusion where principals user/admin and user.admin are both mapped to the +user.admin PTS entry. Sites whose Kerberos realms don't have these collisions +between principal names may disable this check by starting the server +with this option. + =item B<-help> Prints the online help for this command. All other valid options are diff --git a/doc/man-pages/pod8/vlserver.pod b/doc/man-pages/pod8/vlserver.pod index 0d22718f2..9d1e893d4 100644 --- a/doc/man-pages/pod8/vlserver.pod +++ b/doc/man-pages/pod8/vlserver.pod @@ -8,7 +8,8 @@ vlserver - Initializes the Volume Location Server
B S<<< [B<-p> >] >>> [B<-nojumbo>] - [B<-enable_peer_stats>] [B<-enable_process_stats>] [B<-help>] + [B<-allow-dotted-principal>] [B<-enable_peer_stats>] [B<-enable_process_stats>] + [B<-help>] =for html
@@ -83,6 +84,15 @@ GetStatus, and so on) sent or received, aggregated over all connections to other machines. To display or otherwise access the records, use the Rx Monitoring API. +=item B<-allow-dotted-principal> + +By default, the RXKAD security layer will disallow access by Kerberos +principals with a dot in the first component of their name. This is to avoid +the confusion where principals user/admin and user.admin are both mapped to the +user.admin PTS entry. Sites whose Kerberos realms don't have these collisions +between principal names may disable this check by starting the server +with this option. + =item B<-help> Prints the online help for this command. All other valid options are diff --git a/doc/man-pages/pod8/volserver.pod b/doc/man-pages/pod8/volserver.pod index 559ad5b4f..0fe488512 100644 --- a/doc/man-pages/pod8/volserver.pod +++ b/doc/man-pages/pod8/volserver.pod @@ -9,7 +9,8 @@ volserver - Initializes the Volume Server component of the fs process B [B<-log>] S<<< [B<-p> >] >>> S<<< [B<-udpsize> >] >>> - [B<-enable_peer_stats>] [B<-enable_process_stats>] [B<-help>] + [B<-enable_peer_stats>] [B<-enable_process_stats>] + [B<-allow-dotted-principal>] [B<-help>] =for html @@ -77,6 +78,15 @@ GetStatus, and so on) sent or received, aggregated over all connections to other machines. To display or otherwise access the records, use the Rx Monitoring API. +=item B<-allow-dotted-principal> + +By default, the RXKAD security layer will disallow access by Kerberos +principals with a dot in the first component of their name. This is to avoid +the confusion where principals user/admin and user.admin are both mapped to the +user.admin PTS entry. Sites whose Kerberos realms don't have these collisions +between principal names may disable this check by starting the server +with this option. + =item B<-help> Prints the online help for this command. All other valid options are diff --git a/src/bozo/bosserver.c b/src/bozo/bosserver.c index d53d90938..e4b8c56f6 100644 
--- a/src/bozo/bosserver.c +++ b/src/bozo/bosserver.c @@ -71,6 +71,7 @@ static afs_int32 nextDay; struct ktime bozo_nextRestartKT, bozo_nextDayKT; int bozo_newKTs; int rxBind = 0; +int rxkadDisableDotCheck = 0; #define ADDRSPERSITE 16 /* Same global is in rx/rx_user.c */ afs_uint32 SHostAddrs[ADDRSPERSITE]; @@ -820,6 +821,9 @@ main(int argc, char **argv, char **envp) else if (strcmp(argv[code], "-rxbind") == 0) { rxBind = 1; } + else if (strcmp(argv[code], "-allow-dotted-principals") == 0) { + rxkadDisableDotCheck = 1; + } else if (!strcmp(argv[i], "-rxmaxmtu")) { if ((i + 1) >= argc) { fprintf(stderr, "missing argument for -rxmaxmtu\n"); @@ -871,14 +875,14 @@ main(int argc, char **argv, char **envp) #ifndef AFS_NT40_ENV printf("Usage: bosserver [-noauth] [-log] " "[-auditlog ] " - "[-rxmaxmtu ] [-rxbind] " + "[-rxmaxmtu ] [-rxbind] [-allow-dotted-principals]" "[-syslog[=FACILITY]] " "[-enable_peer_stats] [-enable_process_stats] " "[-nofork] " "[-help]\n"); #else printf("Usage: bosserver [-noauth] [-log] " "[-auditlog ] " - "[-rxmaxmtu ] [-rxbind] " + "[-rxmaxmtu ] [-rxbind] [-allow-dotted-principals]" "[-enable_peer_stats] [-enable_process_stats] " "[-help]\n"); #endif @@ -1061,6 +1065,11 @@ main(int argc, char **argv, char **envp) rx_SetMinProcs(tservice, 2); rx_SetMaxProcs(tservice, 4); rx_SetStackSize(tservice, BOZO_LWP_STACKSIZE); /* so gethostbyname works (in cell stuff) */ + if (rxkadDisableDotCheck) { + rx_SetSecurityConfiguration(tservice, RXS_CONFIG_FLAGS, + (void *)RXS_CONFIG_FLAGS_DISABLE_DOTCHECK, + NULL); + } tservice = rx_NewServiceHost(host, 0, RX_STATS_SERVICE_ID, "rpcstats", bozo_rxsc, diff --git a/src/ptserver/ptserver.c b/src/ptserver/ptserver.c index 778eba627..ab7ac0ad3 100644 --- a/src/ptserver/ptserver.c +++ b/src/ptserver/ptserver.c 
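Review bot: The option string compared in main()'s new `-allow-dotted-principals` branch is the plural form, while all five man pages in this commit document `-allow-dotted-principal` (singular), so an administrator following the documentation falls through to the unknown-option path instead of disabling the check. Either the pod files or the code has to change; the plural spelling is repeated in ptserver.c, viced.c (ParseArgs and FlagMsg), vlserver.c and volmain.c, so whichever side is chosen must be applied to all of them at once. main() starts and ends outside this hunk.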
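Review bot: Both rewritten usage literals in main()'s help output end with `[-allow-dotted-principals]"` and no trailing space, so the adjacent literal is concatenated straight onto it and the help text prints `[-allow-dotted-principals][-syslog[=FACILITY]]` (and `[-allow-dotted-principals][-enable_peer_stats]` under AFS_NT40_ENV). Appending the space, `"[-rxbind] [-allow-dotted-principals] "`, matches how vlserver.c and volmain.c format the same entry in this commit.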
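Review bot: The new rx_SetSecurityConfiguration() call in main() passes four arguments (a trailing `NULL`), but the definition added to rx.c in this commit takes only three (service, type, value), and no header in the diff declares the function, so unless a prototype exists in a file outside this patch the call compiles only through an implicit declaration with the extra argument silently dropped. Either give the function the fourth `void **currentValue` parameter and forward it to RXS_SetConfiguration in place of the hard-coded NULL, or drop the extra argument here, and in both cases declare it in rx.h next to the new enum so the compiler checks the call. The same four-argument call is made in ptserver.c, viced.c, vlserver.c and volmain.c.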
@@ -163,6 +163,7 @@ char *pr_realmName; int restricted = 0; int rxMaxMTU = -1; int rxBind = 0; +int rxkadDisableDotCheck = 0; #define ADDRSPERSITE 16 /* Same global is in rx/rx_user.c */ afs_uint32 SHostAddrs[ADDRSPERSITE]; @@ -308,6 +309,9 @@ main(int argc, char **argv) else if (strncmp(arg, "-rxbind", alen) == 0) { rxBind = 1; } + else if (strncmp(arg, "-allow-dotted-principals", alen) == 0) { + rxkadDisableDotCheck = 1; + } else if (strncmp(arg, "-enable_peer_stats", alen) == 0) { rx_enablePeerRPCStats(); } else if (strncmp(arg, "-enable_process_stats", alen) == 0) { @@ -378,6 +382,7 @@ main(int argc, char **argv) "[-p ] [-rebuild] " "[-groupdepth ] " "[-restricted] [-rxmaxmtu ] [-rxbind] " + "[-allow-dotted-principals] " "[-enable_peer_stats] [-enable_process_stats] " "[-default_access default_user_access default_group_access] " "[-help]\n"); @@ -385,6 +390,7 @@ main(int argc, char **argv) printf("Usage: ptserver [-database ] " "[-auditlog ] " "[-p ] [-rebuild] [-rxbind] " + "[-allow-dotted-principals] " "[-default_access default_user_access default_group_access] " "[-restricted] [-rxmaxmtu ] [-rxbind] " "[-groupdepth ] " "[-help]\n"); @@ -398,12 +404,14 @@ main(int argc, char **argv) "[-enable_peer_stats] [-enable_process_stats] " "[-default_access default_user_access default_group_access] " "[-restricted] [-rxmaxmtu ] [-rxbind] " + "[-allow-dotted-principals] " "[-help]\n"); #else /* AFS_NT40_ENV */ printf("Usage: ptserver [-database ] " "[-auditlog ] " "[-default_access default_user_access default_group_access] " "[-restricted] [-rxmaxmtu ] [-rxbind] " + "[-allow-dotted-principals] " "[-p ] [-rebuild] " "[-help]\n"); #endif #endif 
@@ -552,6 +560,11 @@ main(int argc, char **argv) } rx_SetMinProcs(tservice, 2); rx_SetMaxProcs(tservice, lwps); + if (rxkadDisableDotCheck) { + rx_SetSecurityConfiguration(tservice, RXS_CONFIG_FLAGS, + (void *)RXS_CONFIG_FLAGS_DISABLE_DOTCHECK, + NULL); + } tservice = rx_NewServiceHost(host, 0, RX_STATS_SERVICE_ID, "rpcstats", sc, 3, diff --git a/src/rx/rx.c b/src/rx/rx.c index 40c9fc49d..a10a0fd4d 100644 --- a/src/rx/rx.c +++ b/src/rx/rx.c @@ -1347,6 +1347,23 @@ rx_NewServiceHost(afs_uint32 host, u_short port, u_short serviceId, return 0; } +/* Set configuration options for all of a service's security objects */ + +afs_int32 +rx_SetSecurityConfiguration(struct rx_service *service, + rx_securityConfigVariables type, + void *value) +{ + int i; + for (i = 0; inSecurityObjects; i++) { + if (service->securityObjects[i]) { + RXS_SetConfiguration(service->securityObjects[i], NULL, type, + value, NULL); + } + } + return 0; +} + struct rx_service * rx_NewService(u_short port, u_short serviceId, char *serviceName, struct rx_securityClass **securityObjects, int nSecurityObjects, diff --git a/src/rx/rx.h b/src/rx/rx.h index 16c5a7e83..7a86719c8 100644 --- a/src/rx/rx.h +++ b/src/rx/rx.h @@ -694,6 +694,21 @@ struct rx_securityObjectStats { afs_int32 sparel[8]; }; +/* Configuration settings */ + +/* Enum for storing configuration variables which can be set via the + * SetConfiguration method in the rx_securityClass, below + */ + +typedef enum { + RXS_CONFIG_FLAGS /* afs_uint32 set of bitwise flags */ +} rx_securityConfigVariables; + +/* For the RXS_CONFIG_FLAGS, the following bit values are defined */ + +/* Disable the principal name contains dot check in rxkad */ +#define RXS_CONFIG_FLAGS_DISABLE_DOTCHECK 0x01 + /* XXXX (rewrite this description) A security class object contains a set of * procedures and some private data to implement a security model for rx * connections. These routines are called by rx as appropriate. Rx knows 
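Review bot: rx_SetSecurityConfiguration() mutates the security objects themselves, not anything owned by `service`, so the setting is visible to every service created with the same securityObjects array — every caller in this commit reuses its array for the rpcstats service — and the header comment should say so rather than reading as a per-service setting. The return value of each RXS_SetConfiguration call is discarded and the function unconditionally returns 0, which is also worth stating, and the loop is only safe for a class whose ops table still has 0 in the new slot if RXS_OP treats a null op as a no-op; that macro is outside the hunk, so worth confirming. A comment along the lines of `/* Apply a configuration setting to every security object attached to service. The objects are modified in place, so other services sharing them see the change; per-object return codes are ignored. */` would capture the contract.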
@@ -734,7 +749,11 @@ struct rx_securityClass { int (*op_GetStats) (struct rx_securityClass * aobj, struct rx_connection * aconn, struct rx_securityObjectStats * astats); - int (*op_Spare1) (void); + int (*op_SetConfiguration) (struct rx_securityClass * aobj, + struct rx_connection * aconn, + rx_securityConfigVariables atype, + void * avalue, + void ** acurrentValue); int (*op_Spare2) (void); int (*op_Spare3) (void); } *ops; @@ -756,7 +775,7 @@ struct rx_securityClass { #define RXS_CheckPacket(obj,call,packet) RXS_OP(obj,CheckPacket,(obj,call,packet)) #define RXS_DestroyConnection(obj,conn) RXS_OP(obj,DestroyConnection,(obj,conn)) #define RXS_GetStats(obj,conn,stats) RXS_OP(obj,GetStats,(obj,conn,stats)) - +#define RXS_SetConfiguration(obj, conn, type, value, currentValue) RXS_OP(obj, SetConfiguration,(obj,conn,type,value,currentValue)) /* Structure for keeping rx statistics. Note that this structure is returned diff --git a/src/rxkad/private_data.h b/src/rxkad/private_data.h index d7c40f965..1d762ff3a 100644 --- a/src/rxkad/private_data.h +++ b/src/rxkad/private_data.h @@ -77,6 +77,7 @@ struct rxkad_sprivate { char *get_key_rock; /* rock for get_key function */ int (*get_key) (); /* func. of kvno and server key ptr */ int (*user_ok) (); /* func called with new client name */ + afs_uint32 flags; /* configuration flags */ }; /* private data in server-side connection */ diff --git a/src/rxkad/rxkad_prototypes.h b/src/rxkad/rxkad_prototypes.h index a610d612b..a2c3517ff 100644 --- a/src/rxkad/rxkad_prototypes.h +++ b/src/rxkad/rxkad_prototypes.h @@ -120,8 +120,10 @@ extern afs_int32 rxkad_GetServerInfo(struct rx_connection *aconn, afs_uint32 * expiration, char *name, char *instance, char *cell, afs_int32 * kvno); - - +extern afs_int32 rxkad_SetConfiguration(struct rx_securityClass *aobj, + struct rx_connection *aconn, + rx_securityConfigVariables atype, + void * avalue, void **aresult); /* ticket.c */ extern int tkt_DecodeTicket(char *asecret, afs_int32 ticketLen, 
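Review bot: Replacing `op_Spare1` with `op_SetConfiguration` in struct rx_securityOps redefines a slot that any security class, in-tree or out-of-tree, may still fill with 0, so invoking RXS_SetConfiguration on such an object is safe only if RXS_OP treats a null op pointer as a no-op — the macro is outside this hunk and should be checked, and the new member deserves a comment saying it is optional. The same last parameter is named `acurrentValue` here, `aresult` in the rxkad_prototypes.h declaration and `currentValue` in rxkad_server.c; picking one name, and documenting that a non-NULL pointer reads the current value while NULL writes `avalue`, would make the three agree. The struct definition begins and ends outside the hunk.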
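Review bot: The new `flags` member of struct rxkad_sprivate is never explicitly initialised anywhere in this patch, yet the dotted-principal check now runs only while RXS_CONFIG_FLAGS_DISABLE_DOTCHECK is clear, so if the server private block is not zeroed where it is allocated (outside this diff) a stale bit disables the check silently, which fails open. Worth confirming the allocation is zero-filled or setting the field to 0 explicitly there, and extending the field comment to `afs_uint32 flags; /* RXS_CONFIG_FLAGS_* bits; 0 = enforce all checks */`.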
@@ -147,6 +149,6 @@ extern int tkt_DecodeTicket5(char *ticket, afs_int32 ticket_len, char *get_key_rock, int serv_kvno, char *name, char *inst, char *cell, char *session_key, afs_int32 * host, afs_int32 * start, - afs_int32 * end); + afs_int32 * end, afs_int32 disableDotCheck); #endif diff --git a/src/rxkad/rxkad_server.c b/src/rxkad/rxkad_server.c index 09adcb9bc..a0e5e6fd5 100644 --- a/src/rxkad/rxkad_server.c +++ b/src/rxkad/rxkad_server.c @@ -57,7 +57,7 @@ static struct rx_securityOps rxkad_server_ops = { rxkad_CheckPacket, /* check data packet */ rxkad_DestroyConnection, rxkad_GetStats, - 0, /* spare 1 */ + rxkad_SetConfiguration, 0, /* spare 2 */ 0, /* spare 3 */ }; @@ -327,7 +327,8 @@ rxkad_CheckResponse(struct rx_securityClass *aobj, code = tkt_DecodeTicket5(tix, tlen, tsp->get_key, tsp->get_key_rock, kvno, client.name, client.instance, client.cell, - &sessionkey, &host, &start, &end); + &sessionkey, &host, &start, &end, + tsp->flags & RXS_CONFIG_FLAGS_DISABLE_DOTCHECK); if (code) return code; } @@ -452,3 +453,26 @@ rxkad_GetServerInfo(struct rx_connection * aconn, rxkad_level * level, } else return RXKADNOAUTH; } + +/* Set security object configuration variables */ +afs_int32 rxkad_SetConfiguration(struct rx_securityClass *aobj, + struct rx_connection *aconn, + rx_securityConfigVariables atype, + void * avalue, void **currentValue) +{ + struct rxkad_sprivate *private = + (struct rxkad_sprivate *) aobj->privateData; + + switch (atype) { + case RXS_CONFIG_FLAGS: + if (currentValue) { + *((afs_uint32 *)currentValue) = private->flags; + } else { + private->flags = (afs_uint32) avalue; + } + break; + default: + break; + } + return 0; +} diff --git a/src/rxkad/ticket5.c b/src/rxkad/ticket5.c index cd7425fc7..264153f1f 100644 --- a/src/rxkad/ticket5.c +++ b/src/rxkad/ticket5.c 
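Review bot: The new parameter is declared as `disableDotCheck` in this prototype but the definition in ticket5.c names it `disableCheckdot`, which makes the declaration misleading for readers who only see the header. Renaming one to match the other, e.g. `afs_int32 * end, afs_int32 disableCheckdot);`, and adding a one-line comment that a nonzero value skips the first-component dot rejection would keep the header self-explanatory.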
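Review bot: rxkad_SetConfiguration() reads the flag word with `private->flags = (afs_uint32) avalue;`, a pointer-to-narrower-integer cast that mirrors the `(void *)RXS_CONFIG_FLAGS_DISABLE_DOTCHECK` smuggled in by every caller in this commit; it works for a one-bit value but draws size-mismatch warnings on 64-bit builds and is the opposite convention from `currentValue`, which is a genuine pointer to an afs_uint32. Reading `*(afs_uint32 *)avalue` and having callers pass the address of a local flag word would make both directions symmetric and type-checked. The `default:` arm also returns 0 for an unrecognised `atype`, so a caller cannot tell that its setting was ignored; returning a nonzero code there, and a header comment stating the avalue/currentValue contract, would close that gap.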
@@ -195,7 +195,7 @@ tkt_DecodeTicket5(char *ticket, afs_int32 ticket_len, int (*get_key) (char *, int, struct ktc_encryptionKey *), char *get_key_rock, int serv_kvno, char *name, char *inst, char *cell, char *session_key, afs_int32 * host, - afs_int32 * start, afs_int32 * end) + afs_int32 * start, afs_int32 * end, afs_int32 disableCheckdot) { char plain[MAXKRB5TICKETLEN]; struct ktc_encryptionKey serv_key; @@ -312,13 +312,15 @@ tkt_DecodeTicket5(char *ticket, afs_int32 ticket_len, goto bad_ticket; } - /* - * If the first part of the name_string contains a dot, punt since - * then we can't see the diffrence between the kerberos 5 - * principals foo.root and foo/root later in the fileserver. - */ - if (strchr(decr_part.cname.name_string.val[0], '.') != NULL) - goto bad_ticket; + if (!disableCheckdot) { + /* + * If the first part of the name_string contains a dot, punt since + * then we can't see the diffrence between the kerberos 5 + * principals foo.root and foo/root later in the fileserver. + */ + if (strchr(decr_part.cname.name_string.val[0], '.') != NULL) + goto bad_ticket; + } /* Verify that decr_part.key is of right type */ switch (decr_part.key.keytype) { diff --git a/src/viced/viced.c b/src/viced/viced.c index 0f79df7fb..1722b4240 100644 --- a/src/viced/viced.c +++ b/src/viced/viced.c @@ -164,6 +164,7 @@ int debuglevel = 0; int printBanner = 0; int rxJumbograms = 1; /* default is to send and receive jumbograms. */ int rxBind = 0; /* don't bind */ +int rxkadDisableDotCheck = 0; /* disable check for dot in principal name */ int rxMaxMTU = -1; afs_int32 implicitAdminRights = PRSFS_LOOKUP; /* The ADMINISTER right is * already implied */ 
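Review bot: The comment moved inside the new `if (!disableCheckdot)` block in tkt_DecodeTicket5() still carries the typo "diffrence" and does not mention that the rejection is now conditional, so a reader has to infer the flag's meaning from the surrounding code. Suggest ending it with `* principals foo.root and foo/root later in the fileserver. Skipped` / `* when the caller passes disableCheckdot != 0.` tkt_DecodeTicket5() begins in an earlier hunk and ends outside this one.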
@@ -890,6 +891,7 @@ FlagMsg() strcat(buffer, "[-rxdbge (enable rxevent debugging)] "); strcat(buffer, "[-rxmaxmtu ] "); strcat(buffer, "[-rxbind (bind the Rx socket to one address)] "); + strcat(buffer, "[-allow-dotted-principals (disable the rxkad principal name dot check)] "); #ifdef AFS_DEMAND_ATTACH_FS strcat(buffer, "[-fs-state-dont-save (disable state save during shutdown)] "); strcat(buffer, "[-fs-state-dont-restore (disable state restore during startup)] "); @@ -1269,6 +1271,8 @@ ParseArgs(int argc, char *argv[]) rxJumbograms = 0; } else if (!strcmp(argv[i], "-rxbind")) { rxBind = 1; + } else if (!strcmp(argv[i], "-allow-dotted-principals")) { + rxkadDisableDotCheck = 1; } else if (!strcmp(argv[i], "-rxmaxmtu")) { if ((i + 1) >= argc) { fprintf(stderr, "missing argument for -rxmaxmtu\n"); @@ -2082,6 +2086,11 @@ main(int argc, char *argv[]) ("Failed to initialize RX, probably two servers running.\n")); exit(-1); } + if (rxkadDisableDotCheck) { + rx_SetSecurityConfiguration(tservice, RXS_CONFIG_FLAGS, + (void *)RXS_CONFIG_FLAGS_DISABLE_DOTCHECK, + NULL); + } rx_SetMinProcs(tservice, 3); rx_SetMaxProcs(tservice, lwps); rx_SetCheckReach(tservice, 1); diff --git a/src/vlserver/vlserver.c b/src/vlserver/vlserver.c index 52020e7a4..924959732 100644 --- a/src/vlserver/vlserver.c +++ b/src/vlserver/vlserver.c @@ -66,6 +66,7 @@ int smallMem = 0; int rxJumbograms = 1; /* default is to send and receive jumbo grams */ int rxMaxMTU = -1; afs_int32 rxBind = 0; +int rxkadDisableDotCheck = 0; #define ADDRSPERSITE 16 /* Same global is in rx/rx_user.c */ afs_uint32 SHostAddrs[ADDRSPERSITE]; @@ -179,7 +180,8 @@ main(argc, argv) } else if (strcmp(argv[index], "-rxbind") == 0) { rxBind = 1; - + } else if (strcmp(argv[index], "-allow-dotted-principals") == 0) { + rxkadDisableDotCheck = 1; } else if (!strcmp(argv[index], "-rxmaxmtu")) { if ((index + 1) >= argc) { fprintf(stderr, "missing argument for -rxmaxmtu\n"); 
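Review bot: The new strcat() in FlagMsg() appends roughly 70 more bytes to `buffer`, whose declaration and size are outside this hunk, and strcat has no bound, so the total of all unconditionally appended entries should be re-checked against the buffer's capacity before this lands. If the margin is small, a bounded `snprintf` into the remaining space, or simply a larger buffer, removes the risk; FlagMsg() begins before this hunk and ends after it.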
@@ -246,14 +248,14 @@ main(argc, argv) /* support help flag */ #ifndef AFS_NT40_ENV printf("Usage: vlserver [-p ] [-nojumbo] " - "[-rxmaxmtu ] [-rxbind] " + "[-rxmaxmtu ] [-rxbind] [-allow-dotted-principals] " "[-auditlog ] " "[-syslog[=FACILITY]] " "[-enable_peer_stats] [-enable_process_stats] " "[-help]\n"); #else printf("Usage: vlserver [-p ] [-nojumbo] " - "[-rxmaxmtu ] [-rxbind] " + "[-rxmaxmtu ] [-rxbind] [-allow-dotted-principals] " "[-auditlog ] " "[-enable_peer_stats] [-enable_process_stats] " "[-help]\n"); @@ -386,6 +388,12 @@ main(argc, argv) lwps = 4; rx_SetMaxProcs(tservice, lwps); + if (rxkadDisableDotCheck) { + rx_SetSecurityConfiguration(tservice, RXS_CONFIG_FLAGS, + (void *)RXS_CONFIG_FLAGS_DISABLE_DOTCHECK, + NULL); + } + tservice = rx_NewServiceHost(host, 0, RX_STATS_SERVICE_ID, "rpcstats", sc, 3, RXSTATS_ExecuteRequest); diff --git a/src/volser/volmain.c b/src/volser/volmain.c index e31ceb893..126e8d03c 100644 --- a/src/volser/volmain.c +++ b/src/volser/volmain.c @@ -89,6 +89,7 @@ int lwps = 9; int udpBufSize = 0; /* UDP buffer size for receive */ int rxBind = 0; +int rxkadDisableDotCheck = 0; #define ADDRSPERSITE 16 /* Same global is in rx/rx_user.c */ afs_uint32 SHostAddrs[ADDRSPERSITE]; @@ -288,6 +289,8 @@ main(int argc, char **argv) goto usage; } else if (strcmp(argv[code], "-rxbind") == 0) { rxBind = 1; + } else if (strcmp(argv[code], "-allow-dotted-principals") == 0) { + rxkadDisableDotCheck = 1; } else if (strcmp(argv[code], "-p") == 0) { lwps = atoi(argv[++code]); if (lwps > MAXLWP) { @@ -379,7 +382,7 @@ main(int argc, char **argv) #ifndef AFS_NT40_ENV printf("Usage: volserver [-log] [-p ] " "[-auditlog ] " - "[-nojumbo] [-rxmaxmtu ] [-rxbind] " + "[-nojumbo] [-rxmaxmtu ] [-rxbind] [-allow-dotted-principals] " "[-udpsize ] " "[-syslog[=FACILITY]] " "[-enable_peer_stats] [-enable_process_stats] " 
@@ -387,7 +390,7 @@ main(int argc, char **argv) #else printf("Usage: volserver [-log] [-p ] " "[-auditlog ] " - "[-nojumbo] [-rxmaxmtu ] [-rxbind] " + "[-nojumbo] [-rxmaxmtu ] [-rxbind] [-allow-dotted-principals] " "[-udpsize ] " "[-enable_peer_stats] [-enable_process_stats] " "[-help]\n"); @@ -517,6 +520,12 @@ main(int argc, char **argv) rx_SetStackSize(service, 32768); #endif + if (rxkadDisableDotCheck) { + rx_SetSecurityConfiguration(service, RXS_CONFIG_FLAGS, + (void *)RXS_CONFIG_FLAGS_DISABLE_DOTCHECK, + NULL); + } + service = rx_NewService(0, RX_STATS_SERVICE_ID, "rpcstats", securityObjects, 3, RXSTATS_ExecuteRequest); -- 2.39.5