+ memset( (char *)&increds, 0, sizeof(increds));
+
+ /* set server part */
+ if (( kerror = krb5_parse_name( kcontext, AFS, &increds.server ))) {
+ ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
+ (char *)error_message( kerror ));
+
+ return;
+ }
+
+ if (( kerror = krb5_cc_resolve( kcontext, k5path, &kccache )) != 0 ) {
+ ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
+ (char *)error_message( kerror ));
+
+ return;
+ }
+
+ /* set client part */
+ krb5_cc_get_principal( kcontext, kccache, &increds.client );
+
+ increds.times.endtime = 0;
+ /* Ask for DES since that is what V4 understands */
+ increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
+
+ /* get the V5 credentials */
+ if (( kerror = krb5_get_credentials( kcontext, 0, kccache,
+ &increds, &v5credsp ) ) ) {
+ ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
+ "mod_waklog: krb5_get_credentials: %s", krb_err_txt[ kerror ] );
+ return;
+ }
+
+ /* get the V4 credentials */
+ if (( kerror = krb524_convert_creds_kdc( kcontext, v5credsp, &v4creds ) ) ) {
+ ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
+ "mod_waklog: krb524_convert_creds_kdc: %s", krb_err_txt[ kerror ] );
+ return;
+ }
+
+ /* assemble the token */
+ token.kvno = v4creds.kvno;
+ token.startTime = v4creds.issue_date;
+ token.endTime = v5credsp->times.endtime;
+ memmove( &token.sessionKey, v4creds.session, 8 );
+ token.ticketLen = v4creds.ticket_st.length ;
+ memmove( token.ticket, v4creds.ticket_st.dat, token.ticketLen );
+
+ /* make sure we have to do this */
+ if ( child->token.kvno != token.kvno ||
+ child->token.ticketLen != token.ticketLen ||
+ memcmp( &child->token.sessionKey, &token.sessionKey,
+ sizeof( token.sessionKey ) ) ||
+ memcmp( child->token.ticket, token.ticket, token.ticketLen ) ) {
+
+ ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
+ "mod_waklog: %s.%s@%s", v4creds.service, v4creds.instance,
+ v4creds.realm );
+ ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
+ "mod_waklog: %d %d %d", v4creds.lifetime, v4creds.kvno,
+ v4creds.issue_date );
+ ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
+ "mod_waklog: %s %s", v4creds.pname, v4creds.pinst );
+ ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
+ "mod_waklog: %d", v4creds.ticket_st.length );
+
+ /* build the name */
+ strcpy( buf, v4creds.pname );
+ if ( v4creds.pinst[ 0 ] ) {
+ strcat( buf, "." );
+ strcat( buf, v4creds.pinst );
+ }
+
+ /* assemble the client */
+ strncpy( client.name, buf, MAXKTCNAMELEN - 1 );
+ strcpy( client.instance, "" );
+ strncpy( client.cell, v4creds.realm, MAXKTCNAMELEN - 1 );
+
+ ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
+ "mod_waklog: server: name=%s, instance=%s, cell=%s",
+ server.name, server.instance, server.cell );
+
+ ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
+ "mod_waklog: client: name=%s, instance=%s, cell=%s",
+ client.name, client.instance, client.cell );
+
+ /* use the path */
+ krb_set_tkt_string( (char *)k4path );
+
+ /* rumor: we have to do this for AIX 4.1.4 with AFS 3.4+ */
+ write( 2, "", 0 );
+
+ if ( ( rc = ktc_SetToken( &server, &token, &client, 0 ) ) ) {
+ ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
+ "mod_waklog: settoken returned %d", rc );
+ }
+
+ /* save this */
+ memmove( &child->token, &token, sizeof( struct ktc_token ) );
+
+ /* we'll need to unlog when this connection is done. */
+ ap_register_cleanup( r->pool, (void *)r, pioctl_cleanup, ap_null_cleanup );
+ }
+
+ krb5_free_cred_contents( kcontext, v5credsp );
+ krb5_free_principal( kcontext, increds.client );
+ krb5_cc_close( kcontext, kccache );
+ krb5_free_context( kcontext );
+
+ ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
+ "mod_waklog: finished with waklog_aklog" );
+
+}
+
+ static int
+waklog_child_routine( void *s, child_info *pinfo )
+{
+ ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, s,
+ "mod_waklog: waklog_child_routine called" );
+
+ if ( !getuid() ) {
+ ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, s,
+ "mod_waklog: waklog_child_routine called as root" );
+
+ /* this was causing the credential file to get owned by root */
+ setgid(ap_group_id);
+ setuid(ap_user_id);
+ }
+
+ while( 1 ) {
+ waklog_ktinit( s );
+ sleep( 60 /* 10*60*60 - 5*60 */ );
+ }
+
+}
+
+
+ static void
+waklog_init( server_rec *s, pool *p )
+{
+ extern char *version;
+ int pid;
+
+ ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, s,
+ "mod_waklog: version %s initialized.", version );
+
+ pid = ap_bspawn_child( p, waklog_child_routine, s, kill_always,
+ NULL, NULL, NULL );
+
+ ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, s,
+ "mod_waklog: ap_bspawn_child: %d.", pid );