
Conference tuxedo::dce-products

Title:DCE Product Information
Notice:Kit Info - See 2.*-4.*
Moderator:TUXEDO::MAZZAFERRO
Created:Fri Jun 26 1992
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:2269
Total number of notes:10003

2223.0. "sec_key_mgmt_get_key hangs, unix 4.0a" by CSC32::J_BECKER (There's no substitute for a good boot) Thu Apr 17 1997 13:53

Call to sec_key_mgmt_get_key hangs.  The call passes a principal name and
file name and should return the key value.  We never return from the call.

The code is called with the required arguments, for example:

# file_dce_login csplcdb_server /home/servers/dce_data/csplcdb_server_keytab

We can read the key tab file:

rgy_edit=> ktlist -f /home/servers/dce_data/csplcdb_server_keytab
/.../mci_con_cell.atn.mci.com/csplcdb_server            1

The principal is in the registry:

rgy_edit=> view csplcdb_server
csplcdb_server [none none]:*:361:12::/::

and the config knows about the main node (ibm system):

# more /krb5/krb.conf
mci_con_cell.atn.mci.com
mci_con_cell.atn.mci.com


I checked the default key tab file /krb5/v5srvtab and it has different
principals:

/.../mci_con_cell.atn.mci.com/hosts/csplcdb/self                1
/.../mci_con_cell.atn.mci.com/hosts/csplcdb/self                2


So, I copied this file over to the user's file and then added the principal
we want to this file but it still hangs.  The owners of the file are
root:system or root:dba with -rw------- protection.  All attempts to use
the routine hang and the rgy_edit=> commands work.

The only rgy_edit=> command that fails is ktadd -p <pname> -r -f <file_name>.
When using the -r, we receive unable to add key, requested key is
unavailable.  I don't know if this is related to the problem.

Why do we hang or can anyone give me some method to troubleshoot this?

jb
---------------------------------------------------------------
The code:

/**************************************************************************

.NAME           FILE_DCE_LOGIN

.DATE           06/12/96

.DESC           Perform dce_login using a key table. Useful when you don't
                know/remember the password for an account used for example
                by a server.

.RETURNS        SUCCESS

.USAGE          file_dce_login principal_name keytable_file

.SIDE_EFFECTS  N/A

.HISTORY

.END
**************************************************************************/

#include <stdio.h>

#include <dce/binding.h>
#include <dce/keymgmt.h>
#include <dce/sec_login.h>

rpc_binding_handle_t    binding_h;

int main (int argc, char *argv[])
{
error_status_t      status;

sec_login_handle_t  login_context;

void                    *key_ptr;
boolean32                password_has_expired;
sec_login_auth_src_t     auth_source;
unsigned char            *principal_name,
                         *keyfile;
if (argc < 3)
    {
    printf ("usage: file_dce_login principal_name keytable\n");
    return 1;
    }

printf ("Calling sec_key_mgmt_get_key\n");

principal_name = (unsigned char *) argv[1];
keyfile = (unsigned char *) argv[2];

sec_key_mgmt_get_key                                 /* <--- hang !!!! */
  (rpc_c_authn_dce_secret,  keyfile,
   principal_name,  (unsigned32) 0, &key_ptr,  &status );

/*  we never get any of the next printf statements on our terminal   */
/*  we have waited several minutes (30+) before aborting the program */

if ( status != error_status_ok )
  {
    printf ("Call to sec_key_mgmt_get_key failed --");
    printf("  Principal name:       %s\n  Key file name:            %s\n",
           argv[1],  argv[2] );
    return status ;
  }

printf ("sec_key_mgmt_get_key successful\n");

#if 0

sec_login_setup_identity( principal_name,  sec_login_no_flags,
                              &login_context,  &status );

    if ( status != error_status_ok )
        {
#if defined(_DEBUG) || defined(_DEBUG_RTK) || 1
        printf ("Call to sec_login_setup_identity failed %d\n", status);
        printf("  Principal name:           %s\n  Key file name:            %s\n",
               principal_name,  key_file_name );
#endif
        *p_login_context = 0;
        return status ;
        }
#ifdef _DEBUG_RTK
    printf ("sec_login_setup_identity successful\n");
#endif

    sec_login_validate_identity( login_context,  key_ptr,
                        &password_has_expired,  &auth_source,  &status );
    if ( status != error_status_ok )
        {
#if defined(_DEBUG) || defined(_DEBUG_RTK) || 1
        printf ("Call to sec_login_validate_identity failed %d\n--", status);
        printf("  Principal name:           %s\n  Key file name:            %s\n",
               principal_name,  key_file_name );
#endif
        *p_login_context = 0;
        return status ;
        }

#ifdef _DEBUG_RTK
    printf ("sec_login_validate_identity successful\n");
#endif

    if ( password_has_expired )
        {
#if defined(_DEBUG) || defined(_DEBUG_RTK) || 1
        printf ("Password has expired --");
        printf("  Principal name:           %s\n  Key file name:            %s\n",
               principal_name,  key_file_name );
#endif
        *p_login_context = 0;
        return 0;
        }

    if ( auth_source != sec_login_auth_src_network )
        {
#if defined(_DEBUG) || defined(_DEBUG_RTK) || 1
        printf ("Network identity could not be authorized --");
        printf("  Principal name:           %s\n  Key file name:            %s\n",
               principal_name,  key_file_name );
#endif
        *p_login_context = 0;
        return auth_source ;
        }

    sec_login_certify_identity( login_context, &status );

    if ( status != error_status_ok )
        {
#if defined(_DEBUG) || defined(_DEBUG_RTK) || 1
        printf ("Call to sec_login_certify_identity failed %d\n--", status);
        printf("  Principal name:           %s\n  Key file name:            %s\n",
               principal_name,  key_file_name );
#endif
        *p_login_context = 0;
        return status ;
        }

#ifdef _DEBUG_RTK
    printf ("sec_login_certify_identity successful\n");
#endif

    sec_login_set_context( login_context, &status );

    if ( status != error_status_ok )
        {
#if defined(_DEBUG) || defined(_DEBUG_RTK) || 1
    printf ("Call to sec_login_set_context failed %d\n--", status);
        printf("  Principal name:           %s\n  Key file name:            %s\n",
               principal_name,  key_file_name );
#endif
        *p_login_context = 0;
        return status ;
        }
#ifdef _DEBUG_RTK
    printf ("sec_login_set_context successful\n");
#endif
    *p_login_context = login_context;
    return status ;

#endif

}

2223.1. "calls were made in the wrong order" by CSC32::J_BECKER (There's no substitute for a good boot) Fri Apr 18 1997 12:13 (23 lines)

From the doc Application Development Guide, Managing the Server's
Authentication Key, we found a reference that describes the sequence of
calls you must make to use sec_key_mgmt_get_key().

The order apparently is

sec_login_setup_identity()
sec_key_mgmt_get_key()
sec_login_validate_identity()
sec_login_get_current_context()

The customer was calling them out of order:

sec_key_mgmt_get_key()
sec_login_setup_identity()
sec_login_validate_identity()
sec_login_certify_identity()
sec_login_set_context()

By rearranging the first two calls, we returned from sec_key_mgmt_get_key().

jb
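
An added example, not part of the original notes and not DCE code: a small guard that makes the ordering mistake described in 2223.1 fail immediately instead of reaching sec_key_mgmt_get_key() too early. The step list follows the reply above; `login_seq`, `step_fn`, the `SEQ_*` codes and `fake_step` are hypothetical names, and in a real program each handler would wrap the corresponding DCE call.

```c
#include <stddef.h>

/* Steps in the order listed in reply 2223.1. */
typedef enum {
    STEP_SETUP_IDENTITY,    /* sec_login_setup_identity()      */
    STEP_GET_KEY,           /* sec_key_mgmt_get_key()          */
    STEP_VALIDATE_IDENTITY, /* sec_login_validate_identity()   */
    STEP_GET_CONTEXT,       /* sec_login_get_current_context() */
    STEP_COUNT
} login_step;

#define SEQ_OUT_OF_ORDER (-1)   /* hypothetical codes, not DCE status values */
#define SEQ_NO_HANDLER   (-2)

/* Hypothetical adapter type: wraps one DCE call, returns 0 on success. */
typedef int (*step_fn)(void *ctx);

typedef struct {
    step_fn handler[STEP_COUNT];
    int     next;               /* the only step allowed to run now */
    void   *ctx;                /* passed through to every handler  */
} login_seq;

/* Run one step; refuse it without calling the handler if it is out of order. */
int login_seq_run(login_seq *s, login_step step)
{
    int rc;
    if ((int)step != s->next)
        return SEQ_OUT_OF_ORDER;
    if (s->handler[step] == NULL)
        return SEQ_NO_HANDLER;
    rc = s->handler[step](s->ctx);
    if (rc == 0)
        s->next++;              /* advance only on success, so a failed step can be retried */
    return rc;
}

/* Constructed stand-in for a real handler: counts how often it was called. */
static int fake_step(void *ctx) { ++*(int *)ctx; return 0; }

/* Replay a call order; return the index of the first refused call, or -1. */
int first_refused(const login_step *order, int n, int *calls_made)
{
    login_seq s = { { fake_step, fake_step, fake_step, fake_step }, 0, calls_made };
    int i;
    *calls_made = 0;
    for (i = 0; i < n; i++)
        if (login_seq_run(&s, order[i]) != 0)
            return i;
    return -1;
}
```

Replaying the customer's order (key fetch first) is refused at the first call with no handler invoked, while the order from the reply runs all four steps.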