| author | Russ Allbery <rra@stanford.edu> | 2010-02-09 13:37:58 -0800 | 
|---|---|---|
| committer | Russ Allbery <rra@stanford.edu> | 2010-02-09 13:37:58 -0800 | 
| commit | 2d33440272200cad20a5a4c58e5d8aa0dfad9a1f (patch) | |
| tree | ee0b7718544e6ae054c52b273f5a51a085b228bb | |
| parent | 03889c8b1b3145e5e79a7f05763a55c788ef8672 (diff) | |
Remove kaserver synchronization support from the wallet client
The wallet client no longer enables kaserver synchronization when a
srvtab is requested with -S.  Instead, it just extracts the DES key
from the keytab and writes it to a srvtab.  It no longer forces the
kvno of the srvtab to 0 (a Stanford-specific action) and instead
preserves the kvno from the key in the keytab.  This should now do the
right thing for sites that use a KDC that serves both Kerberos v4 and
Kerberos v5 from the same database.
| -rw-r--r-- | NEWS | 8 | ||||
| -rw-r--r-- | TODO | 10 | ||||
| -rw-r--r-- | client/keytab.c | 38 | ||||
| -rw-r--r-- | client/srvtab.c | 8 | ||||
| -rw-r--r-- | client/wallet.pod | 44 | ||||
| -rw-r--r-- | tests/client/basic-t.in | 38 | ||||
| -rwxr-xr-x | tests/data/cmd-fake | 51 | ||||
| -rw-r--r-- | tests/data/fake-srvtab | bin | 47 -> 50 bytes | 
8 files changed, 33 insertions, 164 deletions
| @@ -18,6 +18,14 @@ wallet 0.10 (unreleased)      Remove the kasetkey client for setting keys in an AFS kaserver. +    The wallet client no longer enables kaserver synchronization when a +    srvtab is requested with -S.  Instead, it just extracts the DES key +    from the keytab and writes it to a srvtab.  It no longer forces the +    kvno of the srvtab to 0 (a Stanford-specific action) and instead +    preserves the kvno from the key in the keytab.  This should now do the +    right thing for sites that use a KDC that serves both Kerberos v4 and +    Kerberos v5 from the same database. +      Correctly handle storing of data that begins with a dash and don't      parse it as an argument to wallet-backend. @@ -67,16 +67,6 @@ Release 1.0:    an ACL without having to write it into the database.  Redo default ACL    creation using that functionality. -* The wallet client currently sets sync kaserver whenever writing a keytab -  to a srvtab.  This is correct for sites using kaserver and wrong for -  everyone else.  Remove or rethink this once Stanford's kaserver -  migration is over. - -* The wallet client currently hard-codes a kvno of 0 in srvtabs, which is -  correct for how kasetkey works but probably isn't correct for people -  using Heimdal or MIT to serve both K4 and K5 from the same KDC.  Rethink -  once Stanford's kaserver migration is over. -  * Add a hook to enforce ACL naming standards.  Future work: diff --git a/client/keytab.c b/client/keytab.c index bdd0134..393ce3c 100644 --- a/client/keytab.c +++ b/client/keytab.c @@ -2,7 +2,7 @@   * Implementation of keytab handling for the wallet client.   *   * Written by Russ Allbery <rra@stanford.edu> - * Copyright 2007, 2008 Board of Trustees, Leland Stanford Jr. University + * Copyright 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr. University   *   * See LICENSE for licensing terms.   */ 
@@ -64,39 +64,6 @@ merge_keytab(krb5_context ctx, const char *newfile, const char *file)
 /*
- * Configure a given keytab to be synchronized with an AFS kaserver if it
- * isn't already.  Returns true on success, false on failure.
- */
-static int
-set_sync(struct remctl *r, const char *type, const char *name)
-{
-    const char *command[7];
-    char *data = NULL;
-    size_t length = 0;
-    int status;
-
-    command[0] = type;
-    command[1] = "getattr";
-    command[2] = "keytab";
-    command[3] = name;
-    command[4] = "sync";
-    command[5] = NULL;
-    status = run_command(r, command, &data, &length);
-    if (status != 0)
-        return 0;
-    if (data == NULL || strstr(data, "kaserver\n") == NULL) {
-        command[1] = "setattr";
-        command[5] = "kaserver";
-        command[6] = NULL;
-        status = run_command(r, command, NULL, NULL);
-        if (status != 0)
-            return 0;
-    }
-    return 1;
-}
-
-
-/*
  * Given a remctl object, the Kerberos context, the name of a keytab object,
  * and a file name, call the correct wallet commands to download a keytab and
  * write it to that file.  Returns the setatus or 255 on an internal error.
@@ -111,9 +78,6 @@ get_keytab(struct remctl *r, krb5_context ctx, const char *type,
     size_t length = 0;
     int status;
-    if (srvtab != NULL)
-        if (!set_sync(r, type, name))
-            return 255;
     command[0] = type;
     command[1] = "get";
     command[2] = "keytab";
diff --git a/client/srvtab.c b/client/srvtab.c
index a01026e..5b52955 100644
--- a/client/srvtab.c
+++ b/client/srvtab.c
@@ -2,7 +2,7 @@
  * Implementation of srvtab handling for the wallet client.
  *
  * Written by Russ Allbery <rra@stanford.edu>
- * Copyright 2007, 2008 Board of Trustees, Leland Stanford Jr. University
+ * Copyright 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr. University
  *
  * See LICENSE for licensing terms.
  */
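Review bot: The comment that now heads get_keytab, in the context lines between the two hunks, still reads `Returns the setatus or 255 on an internal error`; "setatus" is a typo for "status", and the only return of 255 visible in this file was the set_sync guard the second hunk deletes, so the 255 clause may now describe a path that no longer exists. get_keytab's body continues past the hunk, so check whether another internal-error return remains before trimming the sentence; if none does, `Returns the status of the wallet command.` is the accurate wording. Replacing `setatus` with `status` is safe either way.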
@@ -28,10 +28,6 @@
  * keytab and write it to the newly created srvtab file as a srvtab.  Convert
  * the principal from Kerberos v5 form to Kerberos v4 form.
  *
- * We always force the kvno to 0 for the srvtab.  This works with how the
- * wallet synchronizes keys with kasetkey, even though it's not particularly
- * correct.
- *
  * On any failure, print an error message to standard error and then exit.
  */
 void
@@ -84,7 +80,7 @@ write_srvtab(krb5_context ctx, const char *srvtab, const char *principal,
     strcpy(data + length, realm);
     length += strlen(realm);
     data[length++] = '\0';
-    data[length++] = '\0';
+    data[length++] = (unsigned char) entry.vno;
 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK
     memcpy(data + length, entry.keyblock.keyvalue.data, 8);
 #else
diff --git a/client/wallet.pod b/client/wallet.pod
index 657929b..6451e72 100644
--- a/client/wallet.pod
+++ b/client/wallet.pod
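Review bot: `data[length++] = (unsigned char) entry.vno;` silently truncates the keytab's kvno to one byte: the srvtab format has a single kvno octet while a Kerberos v5 kvno is a wider integer, so a keytab entry whose kvno has passed 255 yields a srvtab whose kvno no longer matches the KDC, and the mismatch surfaces only as a v4 authentication failure with no hint from the client. Since the function's header comment promises to report failures to standard error and exit, a guard before the write, `if (entry.vno > 255)` followed by the same error-and-exit the function's other failures use, turns that into a visible diagnostic. write_srvtab starts and ends outside the hunk.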
@@ -114,9 +114,19 @@ C<keytab> object, and must be used in conjunction with the B<-f> flag.
 After the keytab is saved to the file specified by B<-f>, the DES key for
 that principal will be extracted and written as a Kerberos v4 srvtab to
 the file I<srvtab>.  Any existing contents of I<srvtab> will be
-destroyed.  For more information on how the principal is converted to
-Kerberos v4, see the description of the B<sync> attribute under
-L<ATTRIBUTES>.
+destroyed.
+
+The Kerberos v4 principal name will be generated from the Kerberos v5
+principal name using the krb5_524_conv_principal() function of the
+Kerberos libraries.  See its documentation for more information, but
+briefly (and in the absence of special configuration), the Kerberos v4
+principal name will be the same as the Kerberos v5 principal name except
+that the components are separated by C<.> instead of C</>; the second
+component is truncated after the first C<.> if the first component is one
+of the recognized host-based principals (generally C<host>, C<imap>,
+C<pop>, or C<smtp>); and the first component is C<rcmd> if the Kerberos v5
+principal component is C<host>.  The principal name must not contain more
+than two components.
 =item B<-s> I<server>
@@ -377,34 +387,6 @@ Keytabs retrieved with C<unchanging> set will contain all keys present in
 the KDC for that Kerberos principal and therefore may contain different
 enctypes than those requested by this attribute.
-=item sync
-
-Sets the external systems to which the key of a given principal is
-synchronized.  The only supported value for this attribute is C<kaserver>,
-which says to synchronize the key with an AFS Kerberos v4 kaserver.
-
-If this attribute is set on a keytab, whenever the C<get> command is run
-for that keytab, the DES key will be extracted from that keytab and set in
-the configured AFS kaserver.  If the B<-S> option is given to the
-B<wallet> client, the srvtab corresponding to the keytab will be written
-to the file specified with that option.  The Kerberos v4 principal name
-will be the same as the Kerberos v5 principal name except that the
-components are separated by C<.> instead of C</>; the second component is
-truncated after the first C<.> if the first component is one of C<host>,
-C<ident>, C<imap>, C<pop>, or C<smtp>; and the first component is C<rcmd>
-if the Kerberos v5 principal component is C<host>.  The principal name
-must not contain more than two components.
-
-If this attribute is set, calling C<destroy> will also destroy the
-principal from the AFS kaserver, with a principal mapping determined as
-above.
-
-The realm of the srvtab defaults to the same realm as the keytab.  You can
-change this by setting the v4_realm configuration option in the [realms]
-section of krb5.conf for the local realm.  The keytab must be for a
-principal in the default local realm for the B<-S> option to work
-correctly.
-
 =back
 =head1 CONFIGURATION
diff --git a/tests/client/basic-t.in b/tests/client/basic-t.in
index 05a7abe..752e5d9 100644
--- a/tests/client/basic-t.in
+++ b/tests/client/basic-t.in
@@ -3,7 +3,8 @@
 # Test suite for the wallet command-line client.
 #
 # Written by Russ Allbery <rra@stanford.edu>
-# Copyright 2006, 2007, 2008 Board of Trustees, Leland Stanford Jr. University
+# Copyright 2006, 2007, 2008, 2010
+#     Board of Trustees, Leland Stanford Jr. University
 #
 # See LICENSE for licensing terms.
@@ -46,10 +47,10 @@ if [ ! -f data/pid ] ; then
     exit 1
 fi
-# We need a modified krb5.conf file for the srvtab test to work, since we need
-# to add a v4_realm setting for the test-k5.stanford.edu realm that the keytab
-# is for.  Despite all the Stanford hard-coding, this test isn't
-# Stanford-specific.  It just matches the data files shipped with the package.
+# We need a modified krb5.conf file to test wallet configuration settings in
+# krb5.conf.  Despite the hard-coding of test-k5.stanford.edu, this test isn't
+# Stanford-specific; it just matches the files that are distributed with the
+# package.
 krb5conf=
 for p in /etc/krb5.conf /usr/local/etc/krb5.conf data/krb5.conf ; do
     if [ -r "$p" ] ; then
@@ -63,7 +64,7 @@ for p in /etc/krb5.conf /usr/local/etc/krb5.conf data/krb5.conf ; do
 [realms]
     test-k5.stanford.edu = {
-        v4_realm = TEST.STANFORD.EDU
+        v4_realm = test-k5.stanford.edu
     }
 EOF
         KRB5_CONFIG="./krb5.conf"
@@ -77,8 +78,7 @@ if [ -z "$krb5conf" ] ; then
 fi
 # Make sure everything's clean.
-rm -f output output.bak keytab keytab.bak srvtab srvtab.bak sync-kaserver \
-    autocreated
+rm -f output output.bak keytab keytab.bak srvtab srvtab.bak autocreated
 # Now, we can finally run our tests.  First, basic operations.
 runsuccess "" "$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet \
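Review bot: `v4_realm = test-k5.stanford.edu` in the krb5.conf the script writes reads like an accidental lowercasing of the previous `TEST.STANFORD.EDU`, since Kerberos v4 realm names are conventionally uppercase and nothing in the script says the value is deliberate. Presumably it is chosen to match the realm bytes in the regenerated data/fake-srvtab fixture (47 -> 50 bytes in the diffstat) that the later `cmp srvtab data/fake-srvtab` checks compare against; if so, a comment on the line above, `# Lowercase on purpose: must match the realm stored in data/fake-srvtab.`, keeps the next reader from "fixing" it.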
@@ -139,11 +139,6 @@ if cmp keytab data/fake-keytab >/dev/null 2>&1 ; then
 else
     printcount "not ok"
 fi
-if [ ! -f sync-kaserver ] ; then
-    printcount "ok"
-else
-    printcount "not ok"
-fi
 # Test srvtab support.
 runsuccess "" "$wallet" -f keytab -S srvtab get keytab service/fake-srvtab
@@ -153,23 +148,12 @@ else
     printcount "not ok"
 fi
 rm keytab
-if [ -f sync-kaserver ] ; then
-    printcount "ok"
-else
-    printcount "not ok"
-fi
 runsuccess "" "$wallet" -f keytab -S srvtab get keytab service/fake-srvtab
 if cmp keytab data/fake-keytab >/dev/null 2>&1 ; then
     printcount "ok"
 else
     printcount "not ok"
 fi
-if [ -f sync-kaserver ] ; then
-    printcount "ok"
-    rm sync-kaserver
-else
-    printcount "not ok"
-fi
 if cmp srvtab data/fake-srvtab >/dev/null 2>&1 ; then
     printcount "ok"
 else
@@ -196,12 +180,6 @@ fi
 # Test srvtab download into a merged keytab with an older version.
 cp data/fake-keytab-old keytab
 runsuccess "" "$wallet" -f keytab -S srvtab get keytab service/fake-srvtab
-if [ -f sync-kaserver ] ; then
-    printcount "ok"
-    rm sync-kaserver
-else
-    printcount "not ok"
-fi
 if cmp srvtab data/fake-srvtab >/dev/null 2>&1 ; then
     printcount "ok"
 else
diff --git a/tests/data/cmd-fake b/tests/data/cmd-fake
index 9c9e38c..199bd57 100755
--- a/tests/data/cmd-fake
+++ b/tests/data/cmd-fake
@@ -4,7 +4,7 @@
 # the client test suite.  It doesn't test any of the wallet server code.
 #
 # Written by Russ Allbery <rra@stanford.edu>
-# Copyright 2007, 2008 Board of Trustees, Leland Stanford Jr. University
+# Copyright 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr. University
 # See LICENSE for licensing terms.
 command="$1"
@@ -17,55 +17,6 @@ if [ "$type" != "keytab" ] && [ "$type" != "file" ] ; then  fi  case "$command" in -getattr) -    if [ -n "$3" ] ; then -        echo "Too many arguments" >&2 -        exit 1 -    fi -    if [ "$type" != "keytab" ] || [ "$2" != sync ] ; then -        echo "Unknown attribute $2" >&2 -        exit 1 -    fi -    case "$1" in -    service/fake-srvtab) -        if [ -f sync-kaserver ] ; then -            echo "kaserver" -        fi -        ;; -    *) -        echo "Looking at sync attribute of wrong keytab" >&2 -        exit 1 -        ;; -    esac -    ;; -setattr) -    if [ -n "$4" ] ; then -        echo "Too many arguments" >&2 -        exit 1 -    fi -    if [ "$type" != "keytab" ] || [ "$2" != sync ] ; then -        echo "Unknown attribute $2" >&2 -        exit 1 -    fi -    case "$1" in -    service/fake-srvtab) -        if [ "$3" = "kaserver" ] ; then -            touch sync-kaserver -        else -            if [ "$3" = "" ] ; then -                rm sync-kaserver -            else -                echo "Invalid attribute value $3" >&2 -                exit 1 -            fi -        fi -        ;; -    *) -        echo "Looking at sync attribute of wrong keytab" >&2 -        exit 1 -        ;; -    esac -    ;;  check)      if [ -n "$2" ] ; then          echo "Too many arguments" >&2 diff --git a/tests/data/fake-srvtab b/tests/data/fake-srvtabBinary files differ index 3c0ec65..f454af2 100644 --- a/tests/data/fake-srvtab +++ b/tests/data/fake-srvtab | 
