summaryrefslogtreecommitdiff
path: root/source4/heimdal/kdc/default_config.c
diff options
context:
space:
mode:
Diffstat (limited to 'source4/heimdal/kdc/default_config.c')
-rw-r--r--source4/heimdal/kdc/default_config.c316
1 files changed, 312 insertions, 4 deletions
diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c
index c4d9f51fd0..2352020d86 100644
--- a/source4/heimdal/kdc/default_config.c
+++ b/source4/heimdal/kdc/default_config.c
@@ -1,6 +1,7 @@
/*
- * Copyright (c) 2005 Andrew Bartlett <abartlet@samba.org>
- *
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ *
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -14,10 +15,14 @@
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -29,6 +34,19 @@
#include "kdc_locl.h"
+int require_preauth = -1; /* 1 == require preauth for all principals */
+
+const char *trpolicy_str;
+
+int disable_des = -1;
+int enable_v4 = -1;
+int enable_kaserver = -1;
+int enable_524 = -1;
+int enable_v4_cross_realm = -1;
+int detach_from_console = -1;
+
+char *v4_realm;
+
/*
* Setup some of the defaults for the KDC configuration.
*
@@ -60,3 +78,293 @@ krb5_kdc_default_config(krb5_kdc_configuration *config)
config->num_db = 0;
config->logf = NULL;
}
+
+
+/*
+ * Setup some valudes for the KDC configuration, from the config file
+ *
+ * Note: Caller must also fill in:
+ * - db
+ * - num_db
+ * - logf
+ *
+*/
+
+void krb5_kdc_configure(krb5_context context, krb5_kdc_configuration *config)
+{
+ const char *p;
+ if(require_preauth == -1) {
+ config->require_preauth = krb5_config_get_bool_default(context, NULL,
+ config->require_preauth,
+ "kdc",
+ "require-preauth", NULL);
+ } else {
+ config->require_preauth = require_preauth;
+ }
+
+ if(enable_v4 == -1) {
+ config->enable_v4 = krb5_config_get_bool_default(context, NULL,
+ config->enable_v4,
+ "kdc",
+ "enable-kerberos4",
+ NULL);
+ } else {
+ config->enable_v4 = enable_v4;
+ }
+
+ if(enable_v4_cross_realm == -1) {
+ config->enable_v4_cross_realm =
+ krb5_config_get_bool_default(context, NULL,
+ config->enable_v4_cross_realm,
+ "kdc",
+ "enable-kerberos4-cross-realm",
+ NULL);
+ } else {
+ config->enable_v4_cross_realm = enable_v4_cross_realm;
+ }
+
+ if(enable_524 == -1) {
+ config->enable_524 = krb5_config_get_bool_default(context, NULL,
+ config->enable_v4,
+ "kdc", "enable-524",
+ NULL);
+ } else {
+ config->enable_524 = enable_524;
+ }
+
+ config->enable_digest =
+ krb5_config_get_bool_default(context, NULL,
+ FALSE,
+ "kdc",
+ "enable-digest", NULL);
+
+ {
+ const char *digests;
+
+ digests = krb5_config_get_string(context, NULL,
+ "kdc",
+ "digests_allowed", NULL);
+ if (digests == NULL)
+ digests = "ntlm-v2";
+ config->digests_allowed = parse_flags(digests,
+ _kdc_digestunits,
+ 0);
+ if (config->digests_allowed == -1) {
+ kdc_log(context, config, 0,
+ "unparsable digest units (%s), turning off digest",
+ digests);
+ config->enable_digest = 0;
+ } else if (config->digests_allowed == 0) {
+ kdc_log(context, config, 0,
+ "no digest enable, turning digest off",
+ digests);
+ config->enable_digest = 0;
+ }
+ }
+
+ config->enable_kx509 =
+ krb5_config_get_bool_default(context, NULL,
+ FALSE,
+ "kdc",
+ "enable-kx509", NULL);
+
+ config->check_ticket_addresses =
+ krb5_config_get_bool_default(context, NULL,
+ config->check_ticket_addresses,
+ "kdc",
+ "check-ticket-addresses", NULL);
+ config->allow_null_ticket_addresses =
+ krb5_config_get_bool_default(context, NULL,
+ config->allow_null_ticket_addresses,
+ "kdc",
+ "allow-null-ticket-addresses", NULL);
+
+ config->allow_anonymous =
+ krb5_config_get_bool_default(context, NULL,
+ config->allow_anonymous,
+ "kdc",
+ "allow-anonymous", NULL);
+
+ config->max_datagram_reply_length =
+ krb5_config_get_int_default(context,
+ NULL,
+ 1400,
+ "kdc",
+ "max-kdc-datagram-reply-length",
+ NULL);
+
+ trpolicy_str =
+ krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
+ "transited-policy", NULL);
+ if(strcasecmp(trpolicy_str, "always-check") == 0) {
+ config->trpolicy = TRPOLICY_ALWAYS_CHECK;
+ } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
+ config->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
+ } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
+ config->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
+ } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
+ /* default */
+ } else {
+ kdc_log(context, config,
+ 0, "unknown transited-policy: %s, reverting to default (always-check)",
+ trpolicy_str);
+ }
+
+ if (krb5_config_get_string(context, NULL, "kdc",
+ "enforce-transited-policy", NULL))
+ krb5_errx(context, 1, "enforce-transited-policy deprecated, "
+ "use [kdc]transited-policy instead");
+
+ if(v4_realm == NULL){
+ p = krb5_config_get_string (context, NULL,
+ "kdc",
+ "v4-realm",
+ NULL);
+ if(p != NULL) {
+ config->v4_realm = strdup(p);
+ if (config->v4_realm == NULL)
+ krb5_errx(context, 1, "out of memory");
+ } else {
+ config->v4_realm = NULL;
+ }
+ } else {
+ config->v4_realm = v4_realm;
+ }
+
+ if (enable_kaserver == -1) {
+ config->enable_kaserver =
+ krb5_config_get_bool_default(context,
+ NULL,
+ config->enable_kaserver,
+ "kdc",
+ "enable-kaserver",
+ NULL);
+ } else {
+ config->enable_kaserver = enable_kaserver;
+ }
+
+ config->encode_as_rep_as_tgs_rep =
+ krb5_config_get_bool_default(context, NULL,
+ config->encode_as_rep_as_tgs_rep,
+ "kdc",
+ "encode_as_rep_as_tgs_rep",
+ NULL);
+
+ config->kdc_warn_pwexpire =
+ krb5_config_get_time_default (context, NULL,
+ config->kdc_warn_pwexpire,
+ "kdc",
+ "kdc_warn_pwexpire",
+ NULL);
+
+ if(detach_from_console == -1)
+ detach_from_console = krb5_config_get_bool_default(context, NULL,
+ DETACH_IS_DEFAULT,
+ "kdc",
+ "detach", NULL);
+
+#ifdef PKINIT
+ config->enable_pkinit =
+ krb5_config_get_bool_default(context,
+ NULL,
+ config->enable_pkinit,
+ "kdc",
+ "enable-pkinit",
+ NULL);
+ if (config->enable_pkinit) {
+ const char *user_id, *anchors, *ocsp_file;
+ char **pool_list, **revoke_list;
+
+ user_id = krb5_config_get_string(context, NULL,
+ "kdc",
+ "pkinit_identity",
+ NULL);
+ if (user_id == NULL)
+ krb5_errx(context, 1, "pkinit enabled but no identity");
+
+ anchors = krb5_config_get_string(context, NULL,
+ "kdc",
+ "pkinit_anchors",
+ NULL);
+ if (anchors == NULL)
+ krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
+
+ pool_list = krb5_config_get_strings(context, NULL,
+ "kdc",
+ "pkinit_pool",
+ NULL);
+
+ revoke_list = krb5_config_get_strings(context, NULL,
+ "kdc",
+ "pkinit_revoke",
+ NULL);
+
+ ocsp_file =
+ krb5_config_get_string(context, NULL,
+ "kdc",
+ "pkinit_kdc_ocsp",
+ NULL);
+ if (ocsp_file) {
+ config->pkinit_kdc_ocsp_file = strdup(ocsp_file);
+ if (config->pkinit_kdc_ocsp_file == NULL)
+ krb5_errx(context, 1, "out of memory");
+ }
+ _kdc_pk_initialize(context, config, user_id, anchors,
+ pool_list, revoke_list);
+
+ krb5_config_free_strings(pool_list);
+ krb5_config_free_strings(revoke_list);
+
+ config->enable_pkinit_princ_in_cert =
+ krb5_config_get_bool_default(context,
+ NULL,
+ config->enable_pkinit_princ_in_cert,
+ "kdc",
+ "pkinit_principal_in_certificate",
+ NULL);
+ }
+
+ config->pkinit_dh_min_bits =
+ krb5_config_get_int_default(context,
+ NULL,
+ 0,
+ "kdc",
+ "pkinit_dh_min_bits",
+ NULL);
+
+#endif
+
+ if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4)){
+#ifdef KRB4
+ config->v4_realm = malloc(40); /* REALM_SZ */
+ if (config->v4_realm == NULL)
+ krb5_errx(context, 1, "out of memory");
+ krb_get_lrealm(config->v4_realm, 1);
+#else
+ krb5_errx(context, 1, "No Kerberos 4 realm configured");
+#endif
+ }
+ if(disable_des == -1)
+ disable_des = krb5_config_get_bool_default(context, NULL,
+ FALSE,
+ "kdc",
+ "disable-des", NULL);
+ if(disable_des) {
+ krb5_enctype_disable(context, ETYPE_DES_CBC_CRC);
+ krb5_enctype_disable(context, ETYPE_DES_CBC_MD4);
+ krb5_enctype_disable(context, ETYPE_DES_CBC_MD5);
+ krb5_enctype_disable(context, ETYPE_DES_CBC_NONE);
+ krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE);
+ krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE);
+
+ kdc_log(context, config,
+ 0, "DES was disabled, turned off Kerberos V4, 524 "
+ "and kaserver");
+ config->enable_v4 = 0;
+ config->enable_524 = 0;
+ config->enable_kaserver = 0;
+ }
+
+ _kdc_windc_init(context);
+}
+
generated by cgit (git 2.34.1) at 2025-02-13 15:22:25 +0000