{ name, func, \
NULL , \
RSRC_CONF | ACCESS_CONF , type, usage }
+module waklog_module;
/********************* APACHE2 ******************************************************************************/
#else
#include <apr_strings.h>
#include <apr_base64.h>
-//#include <ap_compat.h>
#define ap_pcalloc apr_pcalloc
#define ap_pdupstr apr_pdupstr
#define ap_pstrdup apr_pstrdup
-
-module AP_MODULE_DECLARE_DATA waklog_module;
-
#define MK_POOL apr_pool_t
#define MK_TABLE_GET apr_table_get
#define MK_TABLE_SET apr_table_set
AP_INIT_ ## type (name, (void*) func, \
NULL, \
RSRC_CONF | ACCESS_CONF, usage)
-typedef struct
-{
- int dummy;
-}
-child_info;
-
+module AP_MODULE_DECLARE_DATA waklog_module;
+typedef struct { int dummy; } child_info;
const char *userdata_key = "waklog_init";
+
#endif /* APACHE2 */
/**************************************************************************************************/
#define APLOG_DEBUG APLOG_ERR
#endif
-#ifndef CELL_IN_PRINCIPAL
-int cell_in_principal = 1;
-#else
-int cell_in_principal = 0;
-#endif
-
/* this is used to turn off pag generation for the backround worker child during startup */
int pag_for_children = 1;
int configured;
int protect;
int usertokens;
+ int cell_in_principal;
+ int disable_token_cache;
char *keytab;
char *principal;
char *default_principal;
int renewcount = 0;
-module waklog_module;
#define getModConfig(P, X) P = (waklog_config *) ap_get_module_config( (X)->module_config, &waklog_module );
#include <afs/ptuser.h>
#include <rx/rxkad.h>
-/* If there's an error, retry more aggressively */
-#define ERR_SLEEP_TIME 5*60
-
-
-#define K5PATH "FILE:/tmp/waklog.creds.k5"
static void
log_error (const char *file, int line, int level, int status,
int stored = -1;
time_t mytime;
int indentical;
+ int cell_in_principal;
+ int attempt;
char k5user[MAXNAMELEN];
char *k5secret;
/* now, to the 'aklog' portion of our program. */
strncpy( buf, "afs", sizeof(buf) - 1 );
-
- if (cell_in_principal) {
- strncat(buf, "/", sizeof(buf) - strlen(buf) - 1);
- strncat(buf, cfg->afs_cell, sizeof(buf) - strlen(buf) - 1);
- }
- log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: using AFS principal: %s", buf);
-
- if ((kerror = krb5_parse_name (child.kcontext, buf, &increds.server))) {
- log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_parse name %s", error_message(kerror));
- goto cleanup;
- }
-
- if ((kerror = krb5_cc_get_principal(child.kcontext, child.ccache, &increds.client))) {
- log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_cc_get_princ %s", error_message(kerror));
- goto cleanup;
- }
-
- log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: retrieved data from ccache for %s", k5user);
-
- increds.times.endtime = 0;
-
- increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
-
- if (kerror = krb5_get_credentials (child.kcontext, 0, child.ccache, &increds, &v5credsp )) {
- log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_get_credentials: %s",
- error_message(kerror));
- goto cleanup;
+ /** we make two attempts here, one for afs@REALM and one for afs/cell@REALM */
+ for(attempt = 0; attempt <= 1; attempt++) {
+ cell_in_principal = (cfg->cell_in_principal + attempt) % 2;
+
+ log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: cell_in_principal=%d", cell_in_principal );
+ if (cell_in_principal) {
+ strncat(buf, "/", sizeof(buf) - strlen(buf) - 1);
+ strncat(buf, cfg->afs_cell, sizeof(buf) - strlen(buf) - 1);
+ }
+
+ log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: using AFS principal: %s", buf);
+
+ if ((kerror = krb5_parse_name (child.kcontext, buf, &increds.server))) {
+ log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_parse name %s", error_message(kerror));
+ goto cleanup;
+ }
+
+ if ((kerror = krb5_cc_get_principal(child.kcontext, child.ccache, &increds.client))) {
+ log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_cc_get_princ %s", error_message(kerror));
+ goto cleanup;
+ }
+
+ log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: retrieved data from ccache for %s", k5user);
+
+ increds.times.endtime = 0;
+
+ increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
+
+ if (kerror = krb5_get_credentials (child.kcontext, 0, child.ccache, &increds, &v5credsp )) {
+ /* only complain once we've tried both afs@REALM and afs/cell@REALM */
+ if (attempt>=1) {
+ log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_get_credentials: %s",
+ error_message(kerror));
+ goto cleanup;
+ } else {
+ continue;
+ }
+ }
+ cfg->cell_in_principal = cell_in_principal;
+ break;
}
-
+
log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: get_credentials passed for %s", k5user);
if ( v5credsp->ticket.length >= MAXKTCTICKETLEN ) {
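Review bot: The retry loop never resets `buf`, which is filled with "afs" only once on the line above the loop, so the fallback works in one direction only: when the first attempt used cell_in_principal=0 and failed, the second correctly appends "/cell", but when the first used cell_in_principal=1 and failed, the second attempt re-parses the same "afs/cell" string instead of the bare "afs" principal. Move the initialisation to the top of the loop body, e.g. `snprintf(buf, sizeof buf, "%s", "afs");`. The `continue` path also leaves `increds.server` and `increds.client` from the failed attempt allocated and then overwritten on the next iteration; unless the cleanup label frees them (not visible here), release them before retrying with `krb5_free_principal(child.kcontext, increds.server); krb5_free_principal(child.kcontext, increds.client);`. The enclosing function starts and ends outside the hunk.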
cfg->path = "(server)";
cfg->protect = WAKLOG_UNSET;
cfg->usertokens = WAKLOG_UNSET;
+ cfg->disable_token_cache = WAKLOG_UNSET;
cfg->keytab = WAKLOG_UNSET;
cfg->principal = WAKLOG_UNSET;
cfg->default_principal = WAKLOG_UNSET;
cfg->path = ap_pstrdup(p, dir );
cfg->protect = WAKLOG_UNSET;
cfg->usertokens = WAKLOG_UNSET;
+ cfg->disable_token_cache = WAKLOG_UNSET;
cfg->keytab = WAKLOG_UNSET;
cfg->principal = WAKLOG_UNSET;
cfg->default_principal = WAKLOG_UNSET;
merged->path = child->path != WAKLOG_UNSET ? child->path : parent->path;
merged->usertokens = child->usertokens != WAKLOG_UNSET ? child->usertokens : parent->usertokens;
+
+ merged->disable_token_cache = child->disable_token_cache != WAKLOG_UNSET ? child->disable_token_cache : parent->disable_token_cache;
merged->principal = child->principal != WAKLOG_UNSET ? child->principal : parent->principal;
merged->usertokens = nconf->usertokens == WAKLOG_UNSET ? pconf->usertokens : nconf->usertokens;
+ merged->disable_token_cache = nconf->disable_token_cache == WAKLOG_UNSET ? pconf->udisable_token_cache : nconf->disable_token_cache;
+
merged->keytab = nconf->keytab == WAKLOG_UNSET ? ap_pstrdup(p, pconf->keytab) :
( nconf->keytab == WAKLOG_UNSET ? WAKLOG_UNSET : ap_pstrdup(p, pconf->keytab) );
}
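Review bot: `pconf->udisable_token_cache` on the new merged disable_token_cache line does not match the field this commit adds to the config struct (`disable_token_cache`), so the server-config merge will not compile; the line should read `merged->disable_token_cache = nconf->disable_token_cache == WAKLOG_UNSET ? pconf->disable_token_cache : nconf->disable_token_cache;`. The enclosing merge function starts outside the hunk.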
static const char *
-set_waklog_protect (cmd_parms * params, void *mconfig, int flag)
+set_waklog_enabled (cmd_parms * params, void *mconfig, int flag)
{
waklog_config *cfg = mconfig ? ( waklog_config * ) mconfig :
( waklog_config * ) ap_get_module_config(params->server->module_config, &waklog_module );
cfg->protect = flag;
cfg->configured = 1;
log_error (APLOG_MARK, APLOG_DEBUG, 0, params->server,
- "mod_waklog: waklog_protect set on %s", cfg->path ? cfg->path : "NULL");
+ "mod_waklog: waklog_enabled set on %s", cfg->path ? cfg->path : "NULL");
return (NULL);
}
}
static const char *
-set_waklog_principal (cmd_parms *params, void *mconfig, char *principal, char *keytab)
+set_waklog_location_principal (cmd_parms *params, void *mconfig, char *principal, char *keytab)
{
waklog_config *cfg = mconfig ? ( waklog_config * ) mconfig :
( waklog_config * ) ap_get_module_config(params->server->module_config, &waklog_module );
}
static const char *
-set_waklog_use_afs_cell (cmd_parms * params, void *mconfig, char *file)
+set_waklog_afs_cell (cmd_parms * params, void *mconfig, char *file)
{
waklog_config *waklog_mconfig = ( waklog_config * ) mconfig;
waklog_config *waklog_srvconfig =
log_error (APLOG_MARK, APLOG_INFO, 0, params->server,
"mod_waklog: will use afs_cell: %s", file);
+ waklog_srvconfig->cell_in_principal = 0;
waklog_srvconfig->afs_cell = ap_pstrdup (params->pool, file);
waklog_srvconfig->configured = 1;
if (waklog_mconfig != NULL) {
+ waklog_mconfig->cell_in_principal = waklog_srvconfig->cell_in_principal;
waklog_mconfig->afs_cell = ap_pstrdup (params->pool, file);
waklog_mconfig->configured = 1;
}
}
+static const char *
+set_waklog_disable_token_cache (cmd_parms * params, void *mconfig, int flag)
+{
+ waklog_config *cfg = mconfig ? ( waklog_config * ) mconfig :
+ ( waklog_config * ) ap_get_module_config(params->server->module_config, &waklog_module );
+
+ cfg->disable_token_cache = flag;
+
+ cfg->configured = 1;
+
+ log_error (APLOG_MARK, APLOG_DEBUG, 0, params->server,
+ "mod_waklog: waklog_disable_token_cache set");
+ return (NULL);
+}
+
+
#ifndef APACHE2
static void waklog_child_exit( server_rec *s, MK_POOL *p ) {
#else
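Review bot: The new setter's debug message omits the location the directive applied to, unlike the neighbouring `waklog_enabled` setter which logs `cfg->path`; for consistency and easier configuration debugging use `"mod_waklog: waklog_disable_token_cache set on %s", cfg->path ? cfg->path : "NULL"`. A one-line comment above the function would also help readers, e.g. `/* Handler for the WaklogDisableTokenCache FLAG directive; stores the flag in the per-location or server config. */`.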
command_rec waklog_cmds[] = {
- command ("WaklogProtected", set_waklog_protect, 0, FLAG,
- "enable waklog on a location or directory basis"),
+ command ("WaklogAFSCell", set_waklog_afs_cell, 0, TAKE1,
+ "Use the supplied AFS cell (required)"),
- command ("WaklogPrincipal", set_waklog_principal, 0, TAKE2,
- "Use the supplied keytab rather than the default"),
+ command ("WaklogEnabled", set_waklog_enabled, 0, FLAG,
+ "enable waklog on a server, location, or directory basis"),
- command ("WaklogUseAFSCell", set_waklog_use_afs_cell, 0, TAKE1,
- "Use the supplied AFS cell rather than the default"),
+ command ("WaklogDefaultPrincipal", set_waklog_default_principal, 0, TAKE2,
+ "Set the default principal that the server runs as"),
- command ("WaklogUseUserTokens", set_waklog_use_usertokens, 0, FLAG,
- "Use the requesting user tokens (from webauth)"),
+ command ("WaklogLocationPrincipal", set_waklog_location_principal, 0, TAKE2,
+ "Set the principal on a <Location>-specific basis"),
- command ("WaklogDefaultPrincipal", set_waklog_default_principal, 0, TAKE2,
- "Set the default principal that the server runs as"),
-
+ command ("WaklogDisableTokenCache", set_waklog_disable_token_cache, 0, FLAG,
+ "Ignore the token cache (location-specific); useful for scripts that need kerberos tickets."),
+
+ command ("WaklogUseUserTokens", set_waklog_use_usertokens, 0, FLAG,
+ "Use the requesting user tokens (from webauth)"),
+
{NULL}
};
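Review bot: Renaming the directives `WaklogProtected` to `WaklogEnabled`, `WaklogPrincipal` to `WaklogLocationPrincipal` and `WaklogUseAFSCell` to `WaklogAFSCell` with no aliases means every existing configuration using the old names fails to load at startup with an unknown-directive error. If that break is intended, say so in the changelog; otherwise keep the old names as additional `command(...)` entries pointing at the same handlers, with "(deprecated)" in their usage strings. The "(required)" wording on WaklogAFSCell is consistent with the startup check elsewhere in this commit that exits when afs_cell is NULL.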
if (cfg->afs_cell==NULL) {
log_error (APLOG_MARK, APLOG_ERR, 0, s,
- "mod_waklog: afs_cell==NULL; please provide the WaklogUseAFSCell directive");
+ "mod_waklog: afs_cell==NULL; please provide the WaklogAFSCell directive");
/** clobber apache */
exit(-1);
}