Make accountadm work on modern Debian

sql.mit.edu Debian-based servers need admof, just like the
Fedora-based realservers. Unfortunately, there seem to be some
differences in how Debian and Fedora currently handle OpenAFS
packaging and dependencies, so the admof does not build as-is.

Namely, the krb5 function krb5_524_conv_principal no longer exists in
MIT krb5, so we have to implement it ourselves. The implementation
comes from openafs' aklog.c, modified to fit the expected function
signature.

OpenAFS also throws a surprise at us: it needs heimdal to link
(namely, libroken and libhcrypto). This adds another challenge to
admof, as it now has to juggle mit-krb5 and heimdal-krb5 at
build-time. This change continues to use mit-krb5, but has #if 0'd out
heimdal implementation if we ever change our minds.

Making this work required re-writing the autotools configuration. I've
replaced it with a modern configure.ac and Makefile.am.

Rewrite autotools to be modern; update admof to link against new openafs

Author: achernya

server/common/oursrc/accountadm/.gitignore

@@ -1,2 +1,19 @@
-/configure
-/autom4te.cache
+configure
+autom4te.cache
+Makefile
+Makefile.in
+config.*
+compile
+install-sh
+ssh-admof
+depcomp
+INSTALL
+.deps
+ar-lib
+missing
+stamp-h1
+aclocal.m4
+admof
+*.o
+mbash
+signup-scripts-backend

server/common/oursrc/accountadm/Makefile.am

@@ -0,0 +1,19 @@
+bin_PROGRAMS = admof
+
+admof_SOURCES = admof.c
+admof_LDADD = @KRB5_LIBS@ @HEIMDAL_LIBS@ @PTHREAD_LIBS@
+admof_CFLAGS = @KRB5_CFLAGS@
+
+ssh-admof: admof
+	@cp -p $< $@
+CLEANFILES = ssh-admof
+
+dist_bin_SCRIPTS = mbash cronload
+dist_sbin_SCRIPTS = \
+	get-homedirs \
+	ldap-backup \
+	signup-scripts-backend \
+	ssh-admof \
+	vhostadd \
+	vhostedit
+dist_sysconf_DATA = mbashrc

server/common/oursrc/accountadm/Makefile.in

@@ -52,6 +52,12 @@ extern int pioctl(char *, afs_int32, struct ViceIoctl *, afs_int32);
       _x > _y ? _x : _y; })
 #endif
 
+#define get_princ_str(c, p, n) krb5_princ_component(c, p, n)->data
+#define get_princ_len(c, p, n) krb5_princ_component(c, p, n)->length
+#define second_comp(c, p) (krb5_princ_size(c, p) > 1)
+#define realm_data(c, p) krb5_princ_realm(c, p)->data
+#define realm_len(c, p) krb5_princ_realm(c, p)->length
+
 #define SYSADMINS "system:scripts-root"
 #define SYSADMIN_CELL "athena.mit.edu"
 
@@ -106,6 +112,44 @@ parse_rights(int n, const char **p, char *user)
     return rights;
 }
 
+static int
+admof_krb5_524_conv_principal(krb5_context context, krb5_const_principal princ,
+			      char *name, char *inst, char *realm) {
+  size_t len = 0;
+  /* Taken from aklog.c in openafs and modified */
+  len = min(get_princ_len(context, princ, 0),
+	    second_comp(context, princ) ?
+	    PR_MAXNAMELEN - 2 : PR_MAXNAMELEN - 1);
+  strncpy(name, get_princ_str(context, princ, 0), len);
+  name[len] = '\0';
+
+  if (second_comp(context, princ)) {
+    len = min(get_princ_len(context, princ, 1),
+	      PR_MAXNAMELEN - strlen(name) - 1);
+    strncpy(inst, get_princ_str(context, princ, 1), len);
+    inst[len] = '\0';
+  }
+  realm[0] = '\0';
+#if 0
+  // This code works for Heimdal krb5
+  if (princ->name.name_string.len < 1) {
+    return -1;
+  }
+  strncpy(name, princ->name.name_string.val[0], ANAME_SZ);
+  name[ANAME_SZ-1] = '\0';
+  if (princ->name.name_string.len > 1) {
+    strncpy(inst, princ->name.name_string.val[1], ANAME_SZ);
+    inst[ANAME_SZ-1] = '\0';
+  }
+  realm[0] = '\0';
+  if (princ->realm) {
+    strncpy(realm, princ->realm, ANAME_SZ);
+  }
+  realm[ANAME_SZ-1] = '\0';
+#endif
+  return 0;
+}
+
 /* Resolve a Kerberos principal to a name usable by the AFS PTS. */
 void
 resolve_principal(const char *name, const char *cell, char *user)
@@ -124,20 +168,30 @@ resolve_principal(const char *name, const char *cell, char *user)
     krb5_principal principal;
     if (krb5_parse_name(context, name, &principal) != 0)
 	die("internal error: krb5_parse_name failed");
-    char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
-    if (krb5_524_conv_principal(context, principal, pname, pinst, prealm) != 0)
+    char pname[ANAME_SZ] = {0}, pinst[INST_SZ] = {0}, prealm[REALM_SZ] = {0};
+    if (admof_krb5_524_conv_principal(context, principal, pname, pinst, prealm) != 0)
 	die("internal error: krb5_524_conv_principal failed\n");
 
     krb5_data realm = *krb5_princ_realm(context, principal);
     if (realm.length > REALM_SZ - 1)
-	realm.length = REALM_SZ - 1;
+      realm.length = REALM_SZ - 1;
     if (strlen(realm_list[0]) == realm.length &&
 	memcmp(realm.data, realm_list[0], realm.length) == 0)
-	snprintf(user, MAX_K_NAME_SZ, "%s%s%s",
+      snprintf(user, MAX_K_NAME_SZ, "%s%s%s",
+	       pname, pinst[0] ? "." : "", pinst);
+    else
+      snprintf(user, MAX_K_NAME_SZ, "%s%s%s@%.*s",
+	       pname, pinst[0] ? "." : "", pinst, realm.length, realm.data);
+
+#if 0
+    // This code works with Heimdal krb5
+    if (strcmp(realm_list[0], prealm) == 0)
+      snprintf(user, MAX_K_NAME_SZ, "%s%s%s",
 		 pname, pinst[0] ? "." : "", pinst);
     else
-	snprintf(user, MAX_K_NAME_SZ, "%s%s%s@%.*s",
-		 pname, pinst[0] ? "." : "", pinst, realm.length, realm.data);
+	snprintf(user, MAX_K_NAME_SZ, "%s%s%s@%s",
+		 pname, pinst[0] ? "." : "", pinst, prealm);
+#endif
 
     krb5_free_principal(context, principal);
     krb5_free_host_realm(context, realm_list);
@@ -225,7 +279,7 @@ main(int argc, const char *argv[])
     }
 
     /* Get the locker's cell. */
-    char cell[MAXCELLCHARS];
+    char cell[MAXCELLCHARS] = {0};
     struct ViceIoctl vi;
     vi.in = NULL;
     vi.in_size = 0;
@@ -245,12 +299,13 @@ main(int argc, const char *argv[])
     if (afsconf_GetCellInfo(configdir, cell, NULL, &cellconfig) != 0)
 	die("internal error: afsconf_GetCellInfo failed\n");
     afsconf_Close(configdir);
+    configdir = NULL;
 
     char user[MAX(PR_MAXNAMELEN, MAX_K_NAME_SZ)];
     resolve_principal(name, cellconfig.hostName[0], user);
 
     /* Read the locker ACL. */
-    char acl[2048];
+    char acl[2048] = {0};
     vi.in = NULL;
     vi.in_size = 0;
     vi.out = acl;
@@ -261,8 +316,8 @@ main(int argc, const char *argv[])
     /* Parse the locker ACL to compute the user's rights. */
     const char *p = acl;
 
-    int nplus, nminus;
-    int off;
+    int nplus = 0, nminus = 0;
+    int off = 0;
     if (sscanf(p, "%d\n%d\n%n", &nplus, &nminus, &off) < 2)
 	die("internal error: can't parse output from pioctl\n");
     p += off;

server/common/oursrc/accountadm/admof.c

@@ -0,0 +1,62 @@
+#                                               -*- Autoconf -*-
+# Process this file with autoconf to produce a configure script.
+
+AC_PREREQ([2.69])
+AC_INIT([scripts-accountadm], [0.1], [[email protected]])
+AM_INIT_AUTOMAKE([-Wall -Werror foreign])
+AM_MAINTAINER_MODE([enable])
+m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
+AC_CONFIG_MACRO_DIR([m4])
+AC_CONFIG_HEADERS([config.h])
+AC_USE_SYSTEM_EXTENSIONS
+
+# Checks for programs.
+AC_PROG_CC
+# automake 1.12 seems to require this, but automake 1.11 doesn't recognize it
+m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
+AC_PROG_INSTALL
+
+# Checks for libraries.
+AC_CHECK_LIB([resolv], [res_mkquery], [], [
+    AC_MSG_CHECKING([if res_mkquery is provided by libresolv with mangled symbols])
+    save_LIBS="$LIBS"
+    LIBS="-lresolv $LIBS"
+    AC_TRY_LINK([#include <resolv.h>],
+                [res_mkquery(0,NULL,0,0,NULL,0,NULL,NULL,0);], [
+                    AC_DEFINE(HAVE_LIBRESOLV, [1], [Define if your libresolv provides res_mkquery.])
+		    AC_MSG_RESULT(yes)], [
+		    LIBS="$save_LIBS"
+		    AC_MSG_RESULT(no)])])
+
+AX_PTHREAD
+# MIT KRB5 is used for actual linking and runtime
+PKG_CHECK_MODULES([KRB5], [mit-krb5])
+# But OpenAFS needs heimdal libraries to operate
+PKG_CHECK_MODULES([HEIMDAL], [heimdal-krb5])
+AC_CHECK_LIB([roken], [rk_asnprintf], [], [], [$HEIMDAL_LIBS])
+AC_CHECK_LIB([hcrypto], [hc_RAND_bytes], [], [], [$HEIMDAL_LIBS])
+AC_CHECK_LIB([afsrpc_pic], [rx_GetCall], [], [], [$PTHREAD_LIBS $HEIMDAL_LIBS])
+AC_CHECK_LIB([afsauthent_pic], [afsconf_Open], [], [], [$PTHREAD_LIBS $HEIMDAL_LIBS])
+
+# Checks for header files.
+AC_CHECK_HEADERS([limits.h netinet/in.h string.h syslog.h unistd.h])
+
+# Checks for typedefs, structures, and compiler characteristics.
+AC_CHECK_HEADER_STDBOOL
+AC_TYPE_SIZE_T
+AC_TYPE_SSIZE_T
+
+# Checks for library functions.
+AC_FUNC_MALLOC
+AC_CHECK_FUNCS([strcasecmp])
+
+# For mbash
+AC_PATH_PROG([bash_path], [bash])
+
+# For signup-scripts-backend
+AC_PATH_PROG([hesinfo_path], [hesinfo])
+AC_PATH_PROG([ldapadd_path], [ldapadd])
+AC_PATH_PROG([sudo_path], [sudo])
+
+AC_CONFIG_FILES([Makefile signup-scripts-backend mbash])
+AC_OUTPUT

server/common/oursrc/accountadm/configure.ac

@@ -0,0 +1,5 @@
+libtool.m4
+ltoptions.m4
+ltsugar.m4
+ltversion.m4
+lt~obsolete.m4