diff --git a/src/kadm.c b/src/kadm.c
index fd64316..90790e9 100644
--- a/src/kadm.c
+++ b/src/kadm.c
@@ -32,22 +32,22 @@ void ceo_kadm_cleanup() {
 int ceo_add_princ(char *user, char *password) {
 krb5_error_code retval;
- kadm5_principal_ent_rec princ;
+ krb5_principal princ;
 memset((void *) &princ, 0, sizeof(princ));
 debug("kadmin: adding principal %s", user);
- if ((retval = krb5_parse_name(context, user, &princ.principal))) {
+ if ((retval = krb5_parse_name(context, user, &princ))) {
 com_err(prog, retval, "while parsing principal name");
 return retval;
 }
- if ((retval = kadm5_create_principal(handle, &princ, KADM5_PRINCIPAL, password))) {
+ if ((retval = kadm5_chpass_principal(handle, princ, password))) {
 com_err(prog, retval, "while creating principal");
 return retval;
 }
- krb5_free_principal(context, princ.principal);
+ krb5_free_principal(context, princ);
 return 0;
 }
diff --git a/src/ldap.c b/src/ldap.c
index 2201eec..2154036 100644
--- a/src/ldap.c
+++ b/src/ldap.c
@@ -170,7 +170,7 @@ int ceo_add_group_sudo(char *group, char *basedn) {
 return ret;
 }
-int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home, char *shell, int no, ...) {
+int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home, char *principal, char *shell, int no, ...) {
 va_list args;
 if (!uid || !basedn || !cn || !home || !shell)
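Review bot: The com_err text in the kadm5_chpass_principal branch still reads `"while creating principal"`, but that call now only sets the password of a principal that must already exist (presumably materialised by the LDAP krbPrincipalAux entry), so a "principal does not exist" failure will be reported as a creation error; the message and the `debug("kadmin: adding principal %s", user)` line should say what is really happening, e.g. `com_err(prog, retval, "while setting principal password");`. On that same failure path the parsed `princ` is returned without `krb5_free_principal`, so every password-set error leaks it; freeing before `return retval` (or routing both error exits through one cleanup label) closes that. Now that `princ` is a `krb5_principal` handle, the `memset` of its address is a no-op and is clearer as `krb5_principal princ = NULL;`.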
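Review bot: The new `principal` parameter is the only string argument left out of the NULL check on the hunk's last line, and nothing records that NULL is the intended value for accounts without a Kerberos principal (the club caller passes NULL); a one-line comment above the signature such as `/* principal: "user@REALM" to add krbPrincipalAux/krbPrincipalName, or NULL for no Kerberos attributes */` would pin that contract down. Inserting it in the middle of a positional, varargs-terminated signature means a stale caller still compiles with arguments shifted by one, so the comment is also the only place a reader can check the order. The function body continues past the hunk.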
@@ -179,13 +179,19 @@ int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home,
 LDAPMod *mods[16];
 int i = -1;
 int ret = 0;
+ int classes = 4;
 mods[++i] = xmalloc(sizeof(LDAPMod));
 mods[i]->mod_op = LDAP_MOD_ADD;
 mods[i]->mod_type = "objectClass";
- char *objectClasses[] = { "top", "account", "posixAccount", "shadowAccount", NULL, NULL };
+ char *objectClasses[] = { "top", "account", "posixAccount", "shadowAccount", NULL, NULL, NULL, NULL };
 if (objclass != NULL)
- objectClasses[4] = objclass;
+ objectClasses[classes++] = objclass;
+ if (principal) {
+ objectClasses[classes++] = "krbPrincipalAux";
+ objectClasses[classes++] = "krbTicketPolicyAux";
+
+ }
 mods[i]->mod_values = objectClasses;
 mods[++i] = xmalloc(sizeof(LDAPMod));
@@ -225,6 +231,14 @@ int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home,
 char *homeDirectory[] = { home, NULL };
 mods[i]->mod_values = homeDirectory;
+ if (principal) {
+ mods[++i] = xmalloc(sizeof(LDAPMod));
+ mods[i]->mod_op = LDAP_MOD_ADD;
+ mods[i]->mod_type = "krbPrincipalName";
+ char *krbPrincipalName[] = { principal, NULL };
+ mods[i]->mod_values = krbPrincipalName;
+ }
+
 va_start(args, no);
 char *attr;
 while ((attr = va_arg(args, char *))) {
diff --git a/src/ldap.h b/src/ldap.h
index b29b68b..5a2d3f5 100644
--- a/src/ldap.h
+++ b/src/ldap.h
@@ -1,6 +1,6 @@
 #define LDAP_DEFAULT_PROTOCOL LDAP_VERSION3
-int ceo_add_user(char *, char *, char *, char *, char *, char *, int, ...);
+int ceo_add_user(char *, char *, char *, char *, char *, char *, char *, int, ...);
 int ceo_add_group(char *, char *, int);
 int ceo_add_group_sudo(char *, char *);
 int ceo_new_uid(int, int);
diff --git a/src/op-adduser.c b/src/op-adduser.c
index 5ad2fae..b1465cc 100644
--- a/src/op-adduser.c
+++ b/src/op-adduser.c
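Review bot: `int classes = 4;` silently depends on the objectClasses initializer holding exactly four fixed names, and with both objclass and principal set the eight-slot array is filled to the last entry (indices 4–6 plus the NULL terminator at 7), so adding one more class to either place overruns the array with no diagnostic. Deriving the count from the array keeps the two in step: declare `char *objectClasses[8] = { "top", "account", "posixAccount", "shadowAccount" };`, then `int classes = 0; while (objectClasses[classes]) classes++;` immediately after it, and drop the `int classes = 4;` declared above. The stray blank line before the closing brace of the `if (principal)` block can go.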
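Review bot: In the second ldap.c hunk, `krbPrincipalName` is declared inside the `if (principal) {` block, so the pointer stored in `mods[i]->mod_values` dangles as soon as the block closes and the later LDAP call that consumes `mods` (outside this hunk) reads a dead stack array; the other value arrays in this function, such as `homeDirectory` two lines above, appear to be at function scope for exactly this reason. Move the declaration out of the block, `char *krbPrincipalName[] = { principal, NULL };` before the `if`, and keep only the `mods[i]->mod_values = krbPrincipalName;` assignment inside. The new attribute also takes one more slot of the fixed `LDAPMod *mods[16]`; the varargs loop and the terminating NULL are not visible here, so it is worth confirming the worst-case attribute count still fits.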
@@ -137,9 +137,14 @@ static void adduser_spam(Ceo__AddUser *in, Ceo__AddUserResponse *out, char *clie
 static int32_t addmember(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
 char homedir[1024];
+ char principal[1024];
 int user_stat, group_stat, krb_stat, home_stat;
 int id;
+ if (snprintf(principal, sizeof(principal), "%s@%s",
+ in->username, krb5_realm) >= sizeof(principal))
+ fatal("principal overflow");
+
 if (snprintf(homedir, sizeof(homedir), "%s/%s", member_home, in->username) >= sizeof(homedir))
 fatal("homedir overflow");
@@ -150,17 +150,17 @@ static int32_t addmember(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
 if ((krb_stat = ceo_del_princ(in->username)))
 return response_message(out, EEXIST, "unable to overwrite orphaned kerberos principal %s", in->username);
- if ((krb_stat = ceo_add_princ(in->username, in->password)))
- return response_message(out, EKERB, "unable to create kerberos principal %s", in->username);
- response_message(out, 0, "successfully created principal");
-
- if ((user_stat = ceo_add_user(in->username, ldap_users_base, "member", in->realname, homedir,
+ if ((user_stat = ceo_add_user(in->username, ldap_users_base, "member", in->realname, homedir, principal,
 member_shell, id, "program", in->program, NULL)))
 return response_message(out, ELDAP, "unable to create ldap account %s", in->username);
 response_message(out, 0, "successfully created ldap account");
 /* errors that occur after this point are not fatal */
+ if ((krb_stat = ceo_add_princ(in->username, in->password)))
+ return response_message(out, EKERB, "unable to create kerberos principal %s", in->username);
+ response_message(out, 0, "successfully created principal");
+
 if ((group_stat = ceo_add_group(in->username, ldap_groups_base, id)))
 response_message(out, ELDAP, "unable to create ldap group %s", in->username);
 else
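Review bot: The principal string stored in LDAP is built as `in->username` plus `krb5_realm`, while ceo_add_princ in kadm.c hands the bare username to krb5_parse_name, which appends the library's default realm; if `krb5_realm` and the krb5.conf default ever differ, the LDAP entry names one principal and the password is set on another, and the mismatch only surfaces as a chpass failure. A comment on the snprintf such as `/* must agree with the default realm krb5_parse_name applies in ceo_add_princ */` records that coupling, or better, the realm should come from one source for both callers. Since `@` and `/` are structural characters in a principal name, the username should also be confined to a conservative character set before it is embedded here; I cannot see from this hunk whether ceo validates `in->username` earlier in the request path.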
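Review bot: In the second op-adduser.c hunk the moved ceo_add_princ block now sits below `/* errors that occur after this point are not fatal */` yet still `return`s on failure, so a failed password set aborts with the LDAP entry (including its krbPrincipalName) already created and no group or home directory made, which contradicts the comment and the non-returning `else` handling used for the steps that follow. Either the comment should move below the principal block, or the failure should be reported the way the group step is without returning; if the early return is intended, the comment should state what state the half-created account is left in so the next caller knows what to expect. The function body continues outside the hunk.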
@@ -191,7 +196,7 @@ static int32_t addclub(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
 return response_message(out, EKERB, "unable to clear principal %s", in->username);
 if ((user_stat = ceo_add_user(in->username, ldap_users_base, "club", in->realname, homedir,
- club_shell, id, NULL)))
+ NULL, club_shell, id, NULL)))
 return response_message(out, ELDAP, "unable to create ldap account %s", in->username);
 response_message(out, 0, "successfully created ldap account");