krb5_db_init being used in do_as_req.c - Kerberos

  1. krb5_db_init being used in do_as_req.c

    Hello,

    We are enabling the LDAP plugin to update the attributes like
    krbLastSuccessfulAuth, krbLastFailedAuth and krbLoginFailedCount.
    I came across some parts of the code which are not DAL enabled.
    These parts of the code contain references to the krb5_db_init and
    krb5_db_set_name APIs. (do_as_req.c and loadv4.c)
    The problem occurred while doing a configure with --with-kdc-kdb-update
    option.

    Build details:
    gcc -L../lib -Wl,-rpath -Wl,/home/builds/krb5-1.5/bins//lib -g -Wall
    -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -o
    krb5kdc kdc5_err.o dispatch.o do_as_req.o do_tgs_req.o kdc_util.o
    kdc_preauth.o main.o network.o policy.o extern.o replay.o kerberos_v4.o
    -lkadm5srv -lkdb5 -lgssrpc -lgssapi_krb5 -lkrb4 -ldes425 -lkrb5
    -lk5crypto -lcom_err -lkrb5support -lresolv -ldl -lapputils
    do_as_req.o(.text+0xfab): In function `process_as_req':
    /home/builds/krb5-1.5/src/kdc/do_as_req.c:481: undefined reference to
    `krb5_db_set_name'
    do_as_req.o(.text+0xfbe):/home/builds/krb5-1.5/src/kdc/do_as_req.c:483:
    undefined reference to `krb5_db_init'

    I was considering replacing the existing code with the code
    below. (in do_as_req.c)

    #ifdef KRBCONF_KDC_MODIFIES_KDB
    if (update_client) {
    krb5_db_put_principal(kdc_context, &client, &c_nprincs);
    /*
    ** ptooey. We want krb5_db_sync() or something like
    that.
    **/
    krb5_db_fini(kdc_context);
    if (kdc_active_realm->realm_dbname)
    + if ((errcode =
    krb5_set_default_realm(kdc_active_realm->realm_context,
    kdc_active_realm->realm_dbname))) {
    + return errcode;
    }

    + if((errcode =
    krb5_db_open(kdc_active_realm->realm_context, db_args,
    + KRB5_KDB_OPEN_RW |
    KRB5_KDB_SRV_TYPE_KDC)))
    return errcode;
    /* Reset master key */
    krb5_db_set_mkey(kdc_context,
    &kdc_active_realm->realm_mkey);
    }
    #endif /* KRBCONF_KDC_MODIFIES_KDB */
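
Review bot: In the `if (kdc_active_realm->realm_dbname)` branch, the call that stands in for krb5_db_set_name passes realm_dbname, a database name, to krb5_set_default_realm, which sets the context's default realm, so the realm is overwritten with a database name and nothing selects the database; drop this call and get the name to krb5_db_open some other way. Both added `return errcode;` lines also run after krb5_db_fini has closed the database and before krb5_db_set_mkey, so a failed reopen leaves process_as_req returning with the database closed and the master key not reset; handle that failure explicitly instead of returning directly. The result of krb5_db_put_principal is still ignored, and db_args is not declared anywhere in the lines shown.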

    Let me know if this is fine.

    Thanks,
    Anil Belur





    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: krb5_db_init being used in do_as_req.c

    On Aug 29, 2006, at 07:57, Anil Belur wrote:
    > We are enabling the LDAP plugin to update the attributes like
    > krbLastSuccessfulAuth, krbLastFailedAuth and krbLoginFailedCount.
    > I came across some parts of the code which are not DAL enabled.
    > These parts of the code contain references to the krb5_db_init and
    > krb5_db_set_name APIs. (do_as_req.c and loadv4.c)


    Yes, the KDC database updates aren't a mode we test a lot, and
    obviously haven't with the LDAP plugin code. (Or, more correctly,
    with the DAL changes, even if we just use the db back end.) I guess
    I should probably disable that option until we can make it work.

    It's going to need some rethinking for the LDAP case anyways, because
    a "login failed count" value can't be reliably updated by multiple
    KDCs without some kind of locking. Not that the right thing would
    ever happen with the counts from the slave KDCs in the earlier
    versions, either....

    Ken
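
The point above about krbLoginFailedCount and multiple KDCs, as an added example that is not part of the thread or of the krb5 source: it compares read-then-replace updates against a conditional update retried on conflict, which is one possible form of the locking mentioned. The in-memory entry is a constructed stand-in for the LDAP object, and recorded_failures, blind_replace and conditional_replace are hypothetical names.

```c
#include <stdio.h>

#define MAX_KDC 8

/* Constructed stand-in for the one directory entry all KDCs share. */
struct entry { int krbLoginFailedCount; };

/* Unconditional replace: the KDC writes back "the value I read, plus one". */
static void blind_replace(struct entry *e, int new_val)
{
    e->krbLoginFailedCount = new_val;
}

/* Conditional modify (assumed model): succeeds only if the stored value is
 * still the one this KDC read. Returns 0 on success, -1 on conflict. */
static int conditional_replace(struct entry *e, int expected, int new_val)
{
    if (e->krbLoginFailedCount != expected)
        return -1;
    e->krbLoginFailedCount = new_val;
    return 0;
}

/* Each round, every KDC sees one failed login and reads the counter before
 * any of them writes. Returns the counter after all rounds, -1 on bad input. */
int recorded_failures(int nkdc, int rounds, int use_conditional)
{
    struct entry e = { 0 };
    int seen[MAX_KDC];

    if (nkdc < 1 || nkdc > MAX_KDC || rounds < 0)
        return -1;
    for (int r = 0; r < rounds; r++) {
        for (int k = 0; k < nkdc; k++)
            seen[k] = e.krbLoginFailedCount;          /* all read first */
        for (int k = 0; k < nkdc; k++) {
            if (!use_conditional) {
                blind_replace(&e, seen[k] + 1);       /* last writer wins */
                continue;
            }
            while (conditional_replace(&e, seen[k], seen[k] + 1) != 0)
                seen[k] = e.krbLoginFailedCount;      /* re-read, retry */
        }
    }
    return e.krbLoginFailedCount;
}

int main(void)
{
    printf("12 failed logins across 3 KDCs: blind=%d conditional=%d\n",
           recorded_failures(3, 4, 0), recorded_failures(3, 4, 1));
    return 0;
}
```
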