authorRuss Allbery <rra@stanford.edu>2010-02-09 13:37:58 -0800
committerRuss Allbery <rra@stanford.edu>2010-02-09 13:37:58 -0800
commit2d33440272200cad20a5a4c58e5d8aa0dfad9a1f (patch)
treeee0b7718544e6ae054c52b273f5a51a085b228bb /client
parent03889c8b1b3145e5e79a7f05763a55c788ef8672 (diff)
Remove kaserver synchronization support from the wallet client
The wallet client no longer enables kaserver synchronization when a srvtab is requested with -S. Instead, it just extracts the DES key from the keytab and writes it to a srvtab. It no longer forces the kvno of the srvtab to 0 (a Stanford-specific action) and instead preserves the kvno from the key in the keytab. This should now do the right thing for sites that use a KDC that serves both Kerberos v4 and Kerberos v5 from the same database.
Diffstat (limited to 'client')
-rw-r--r--client/keytab.c38
-rw-r--r--client/srvtab.c8
-rw-r--r--client/wallet.pod44
3 files changed, 16 insertions, 74 deletions
diff --git a/client/keytab.c b/client/keytab.c
index bdd0134..393ce3c 100644
--- a/client/keytab.c
+++ b/client/keytab.c
@@ -2,7 +2,7 @@
* Implementation of keytab handling for the wallet client.
*
* Written by Russ Allbery <rra@stanford.edu>
- * Copyright 2007, 2008 Board of Trustees, Leland Stanford Jr. University
+ * Copyright 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr. University
*
* See LICENSE for licensing terms.
*/
@@ -64,39 +64,6 @@ merge_keytab(krb5_context ctx, const char *newfile, const char *file)
/*
- * Configure a given keytab to be synchronized with an AFS kaserver if it
- * isn't already. Returns true on success, false on failure.
- */
-static int
-set_sync(struct remctl *r, const char *type, const char *name)
-{
- const char *command[7];
- char *data = NULL;
- size_t length = 0;
- int status;
-
- command[0] = type;
- command[1] = "getattr";
- command[2] = "keytab";
- command[3] = name;
- command[4] = "sync";
- command[5] = NULL;
- status = run_command(r, command, &data, &length);
- if (status != 0)
- return 0;
- if (data == NULL || strstr(data, "kaserver\n") == NULL) {
- command[1] = "setattr";
- command[5] = "kaserver";
- command[6] = NULL;
- status = run_command(r, command, NULL, NULL);
- if (status != 0)
- return 0;
- }
- return 1;
-}
-
-
-/*
* Given a remctl object, the Kerberos context, the name of a keytab object,
* and a file name, call the correct wallet commands to download a keytab and
* write it to that file. Returns the setatus or 255 on an internal error.
@@ -111,9 +78,6 @@ get_keytab(struct remctl *r, krb5_context ctx, const char *type,
size_t length = 0;
int status;
- if (srvtab != NULL)
- if (!set_sync(r, type, name))
- return 255;
command[0] = type;
command[1] = "get";
command[2] = "keytab";
diff --git a/client/srvtab.c b/client/srvtab.c
index a01026e..5b52955 100644
--- a/client/srvtab.c
+++ b/client/srvtab.c
@@ -2,7 +2,7 @@
* Implementation of srvtab handling for the wallet client.
*
* Written by Russ Allbery <rra@stanford.edu>
- * Copyright 2007, 2008 Board of Trustees, Leland Stanford Jr. University
+ * Copyright 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr. University
*
* See LICENSE for licensing terms.
*/
@@ -28,10 +28,6 @@
* keytab and write it to the newly created srvtab file as a srvtab. Convert
* the principal from Kerberos v5 form to Kerberos v4 form.
*
- * We always force the kvno to 0 for the srvtab. This works with how the
- * wallet synchronizes keys with kasetkey, even though it's not particularly
- * correct.
- *
* On any failure, print an error message to standard error and then exit.
*/
void
@@ -84,7 +80,7 @@ write_srvtab(krb5_context ctx, const char *srvtab, const char *principal,
strcpy(data + length, realm);
length += strlen(realm);
data[length++] = '\0';
- data[length++] = '\0';
+ data[length++] = (unsigned char) entry.vno;
#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK
memcpy(data + length, entry.keyblock.keyvalue.data, 8);
#else
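Review bot: `data[length++] = (unsigned char) entry.vno;` silently truncates the keytab entry's kvno to its low byte, since the srvtab layout written here carries a single byte for it while krb5_kvno is a wider unsigned integer; a key version above 255 would yield a srvtab whose kvno no longer matches the KDC's key, and that mismatch is hard to diagnose from the client side. Reject the value explicitly before the write, in the same print-to-stderr-and-exit style the file's comment says write_srvtab uses for its other failures, e.g. `if (entry.vno > 255) /* report "kvno too large for srvtab" and exit */`. The hunk also removes the header comment about forcing the kvno to 0 without replacing it; a one-line comment at the write such as `/* srvtab kvno is one byte; preserve the version from the keytab entry */` would document the new behavior. write_srvtab starts and ends outside this hunk.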
diff --git a/client/wallet.pod b/client/wallet.pod
index 657929b..6451e72 100644
--- a/client/wallet.pod
+++ b/client/wallet.pod
@@ -114,9 +114,19 @@ C<keytab> object, and must be used in conjunction with the B<-f> flag.
After the keytab is saved to the file specified by B<-f>, the DES key for
that principal will be extracted and written as a Kerberos v4 srvtab to
the file I<srvtab>. Any existing contents of I<srvtab> will be
-destroyed. For more information on how the principal is converted to
-Kerberos v4, see the description of the B<sync> attribute under
-L<ATTRIBUTES>.
+destroyed.
+
+The Kerberos v4 principal name will be generated from the Kerberos v5
+principal name using the krb5_524_conv_principal() function of the
+Kerberos libraries. See its documentation for more information, but
+briefly (and in the absence of special configuration), the Kerberos v4
+principal name will be the same as the Kerberos v5 principal name except
+that the components are separated by C<.> instead of C</>; the second
+component is truncated after the first C<.> if the first component is one
+of the recognized host-based principals (generally C<host>, C<imap>,
+C<pop>, or C<smtp>); and the first component is C<rcmd> if the Kerberos v5
+principal component is C<host>. The principal name must not contain more
+than two components.
=item B<-s> I<server>
@@ -377,34 +387,6 @@ Keytabs retrieved with C<unchanging> set will contain all keys present in
the KDC for that Kerberos principal and therefore may contain different
enctypes than those requested by this attribute.
-=item sync
-
-Sets the external systems to which the key of a given principal is
-synchronized. The only supported value for this attribute is C<kaserver>,
-which says to synchronize the key with an AFS Kerberos v4 kaserver.
-
-If this attribute is set on a keytab, whenever the C<get> command is run
-for that keytab, the DES key will be extracted from that keytab and set in
-the configured AFS kaserver. If the B<-S> option is given to the
-B<wallet> client, the srvtab corresponding to the keytab will be written
-to the file specified with that option. The Kerberos v4 principal name
-will be the same as the Kerberos v5 principal name except that the
-components are separated by C<.> instead of C</>; the second component is
-truncated after the first C<.> if the first component is one of C<host>,
-C<ident>, C<imap>, C<pop>, or C<smtp>; and the first component is C<rcmd>
-if the Kerberos v5 principal component is C<host>. The principal name
-must not contain more than two components.
-
-If this attribute is set, calling C<destroy> will also destroy the
-principal from the AFS kaserver, with a principal mapping determined as
-above.
-
-The realm of the srvtab defaults to the same realm as the keytab. You can
-change this by setting the v4_realm configuration option in the [realms]
-section of krb5.conf for the local realm. The keytab must be for a
-principal in the default local realm for the B<-S> option to work
-correctly.
-
=back
=head1 CONFIGURATION