author | Russ Allbery <rra@stanford.edu> | 2007-09-26 17:35:28 +0000 |
---|---|---|
committer | Russ Allbery <rra@stanford.edu> | 2007-09-26 17:35:28 +0000 |
commit | 84bc67a4964bd341b550bad89dc2d4a56dc875e6 (patch) | |
tree | 934aa3e0cfa9888c94c632d0016c980588b43c69 /perl/Wallet | |
parent | d438e81a2314df45b150d44675133cb2b52527ce (diff) |
Add support for deleting principals out of the AFS kaserver (optionally)
if synchronization is not set.
Diffstat (limited to 'perl/Wallet')
-rw-r--r-- | perl/Wallet/Config.pm | 32 |
-rw-r--r-- | perl/Wallet/Object/Keytab.pm | 15 |
2 files changed, 40 insertions, 7 deletions
diff --git a/perl/Wallet/Config.pm b/perl/Wallet/Config.pm index c52cfd1..0c22d2b 100644 --- a/perl/Wallet/Config.pm +++ b/perl/Wallet/Config.pm @@ -328,7 +328,7 @@ variables. =over 4 -=item $KEYTAB_AFS_ADMIN +=item KEYTAB_AFS_ADMIN The Kerberos v4 principal to use for authentication to the AFS kaserver. If this principal is not in the default local Kerberos v4 realm, it must be @@ -341,7 +341,31 @@ must be set to use the kaserver synchronization support. our $KEYTAB_AFS_ADMIN; -=item $KEYTAB_AFS_KASETKEY +=item KEYTAB_AFS_DESTROY + +If this variable, which is false by default, is set to a true value, each +time a keytab object that is not configured to be synchronized with the AFS +kaserver, the corresponding Kerberos v4 principal will be deleted from the +AFS kaserver. Use this with caution; it will cause the AFS kaserver realm +to be slowly stripped of principals. This is intended for use with +migration from Kerberos v4 to Kerberos v5, where the old principals should +be deleted out of Kerberos v4 whenever not requested from the wallet to aid +in tracking down and removing any systems with lingering Kerberos v4 +dependencies. + +Be aware that multiple Kerberos v5 principals map to the same Kerberos v4 +principal since in Kerberos v4 the domain name is stripped from the +principal for machine principals. If you create a keytab named +host/foo.example.com and mark it synchronized, and then create another +keytab named host/foo.example.net and don't mark it synchronized, +downloading the second will destroy the Kerberos v4 principal of the first +if this variable is set. + +=cut + +our $KEYTAB_AFS_DESTROY; + +=item KEYTAB_AFS_KASETKEY The path to the B<kasetkey> command-line client. The default value is C<kasetkey>, which will cause the wallet to search for B<kasetkey> on its 
@@ -351,7 +375,7 @@ default PATH. our $KEYTAB_AFS_KASETKEY = 'kasetkey'; -=item $KEYTAB_AFS_REALM +=item KEYTAB_AFS_REALM The name of the Kerberos v4 realm with which to synchronize keys. This is a realm, not a cell, so it should be in all uppercase. If this variable is @@ -361,7 +385,7 @@ not set, the default is the realm determined from the local cell name. our $KEYTAB_AFS_REALM; -=item $KEYTAB_AFS_SRVTAB +=item KEYTAB_AFS_SRVTAB The path to a srvtab used to authenticate to the AFS kaserver. This srvtab should be for the principal set in $KEYTAB_AFS_ADMIN. This variable must be diff --git a/perl/Wallet/Object/Keytab.pm b/perl/Wallet/Object/Keytab.pm index 293e41e..4ae8e10 100644 --- a/perl/Wallet/Object/Keytab.pm +++ b/perl/Wallet/Object/Keytab.pm @@ -548,8 +548,11 @@ sub get { my @sync = $self->attr ('sync'); if (grep { $_ eq 'kaserver' } @sync) { unless ($self->kaserver_sync ($self->{name}, $file)) { + unlink $file; return undef; } + } elsif ($Wallet::Config::KEYTAB_AFS_DESTROY) { + $self->kaserver_destroy ($self->{name}); } unlink $file; $self->log_action ('get', $user, $host, $time); 
@@ -683,9 +686,15 @@ used. Retrieves a keytab for this object and returns the keytab data or undef on error. The caller should call error() to get the error message if get() returns undef. The keytab is created with C<ktadd>, invalidating any -existing keytabs for that principal. PRINCIPAL, HOSTNAME, and DATETIME are -stored as history information. PRINCIPAL should be the user who is -downloading the keytab. If DATETIME isn't given, the current time is used. +existing keytabs for that principal. PRINCIPAL, HOSTNAME, and DATETIME +are stored as history information. PRINCIPAL should be the user who is +downloading the keytab. If DATETIME isn't given, the current time is +used. + +If the configuration variable $KEYTAB_AFS_DESTROY is set and the C<sync> +attribute is not set to C<kaserver>, calling get() on a keytab object will +cause the corresponding Kerberos v4 principal to be destroyed. This +variable is not set by default. =back |
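Review bot: The first sentence of the new KEYTAB_AFS_DESTROY item in perl/Wallet/Config.pm is missing its verb: "each time a keytab object that is not configured to be synchronized with the AFS kaserver, the corresponding Kerberos v4 principal will be deleted" never says which operation triggers the deletion. The get() change in Keytab.pm shows the trigger is retrieval, so wording such as "each time a keytab object that is not configured to be synchronized with the AFS kaserver is retrieved" would make that explicit. For a setting that deletes principals, the documentation should leave no doubt that an ordinary download is what fires it.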
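Review bot: In the get() hunk of perl/Wallet/Object/Keytab.pm, the return value of "$self->kaserver_destroy ($self->{name});" is discarded, so a failed deletion leaves the Kerberos v4 principal in place while get() still succeeds and logs a normal 'get'. Since the stated purpose is to flush out lingering v4 dependencies, a silent failure defeats it; either check the result the way the kaserver_sync branch above does, or add a comment saying the deletion is deliberately best-effort. The same branch also passes only the v5 name, with no check for the collision the Config.pm text warns about (host/foo.example.com and host/foo.example.net mapping to one v4 principal), so a retrieval of an unsynchronized object can remove a principal that a synchronized object still depends on; a guard or at least a comment pointing at that caveat would help the next reader.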
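Review bot: The new paragraph in the get() documentation in perl/Wallet/Object/Keytab.pm omits the name-collision caveat that Config.pm spells out, so a caller reading only this module will not learn that retrieving one keytab can destroy the v4 principal behind a different, synchronized keytab. Suggest adding a sentence that refers the reader to the KEYTAB_AFS_DESTROY entry in Wallet::Config for the mapping caveat. It would also help to state here whether a failure to destroy the principal is reported through error() or ignored, since the first paragraph tells callers to rely on error() when get() returns undef.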