authorSumit Bose <sbose@redhat.com>2013-09-25 17:21:36 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-09-27 10:33:25 +0200
commitbbd43fbcd8f70eedeac4e4ce01c36256cde82ab1 (patch)
tree611f89e5c2fc5e4f991ff5f22ac9b609720197df
parentc5711b0279ea85d69fe3c77dfb194360c346e1d7 (diff)
downloadsssd-bbd43fbcd8f70eedeac4e4ce01c36256cde82ab1.tar.gz
sssd-bbd43fbcd8f70eedeac4e4ce01c36256cde82ab1.tar.bz2
sssd-bbd43fbcd8f70eedeac4e4ce01c36256cde82ab1.zip
ipa_server_mode: write capaths to krb5 include file
If there are member domains in a trusted forest which are DNS-wise not proper children of the forest root, the IPA KDC needs some help to determine the right authentication path. In general this should be done internally by the IPA KDC, but this work requires more effort than letting sssd write the needed data to the include file for krb5.conf. Once this functionality is available in the IPA KDC, this patch might be removed from the sssd tree. Fixes https://fedorahosted.org/sssd/ticket/2093
-rw-r--r--src/providers/ad/ad_subdomains.c2
-rw-r--r--src/providers/ipa/ipa_subdomains.c4
-rw-r--r--src/util/domain_info_utils.c51
-rw-r--r--src/util/util.h3
4 files changed, 56 insertions, 4 deletions
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index e8345ae5..f6d2eb81 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -482,7 +482,7 @@ static void ad_subdomains_get_slave_domain_done(struct tevent_req *req)
goto done;
}
- ret = sss_write_domain_mappings(ctx->sd_ctx->be_ctx->domain);
+ ret = sss_write_domain_mappings(ctx->sd_ctx->be_ctx->domain, false);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
("sss_krb5_write_mappings failed.\n"));
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 03b780d6..ab0fdf65 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -932,7 +932,9 @@ static void ipa_subdomains_handler_done(struct tevent_req *req)
goto done;
}
- ret = sss_write_domain_mappings(domain);
+ ret = sss_write_domain_mappings(domain,
+ dp_opt_get_bool(ctx->sd_ctx->id_ctx->ipa_options->basic,
+ IPA_SERVER_MODE));
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
("sss_krb5_write_mappings failed.\n"));
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 4af967cf..9d7bb5f5 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -336,9 +336,10 @@ sss_krb5_touch_config(void)
}
errno_t
-sss_write_domain_mappings(struct sss_domain_info *domain)
+sss_write_domain_mappings(struct sss_domain_info *domain, bool add_capaths)
{
struct sss_domain_info *dom;
+ struct sss_domain_info *parent_dom;
errno_t ret;
errno_t err;
TALLOC_CTX *tmp_ctx;
@@ -349,6 +350,9 @@ sss_write_domain_mappings(struct sss_domain_info *domain)
mode_t old_mode;
FILE *fstream = NULL;
int i;
+ bool capaths_started;
+ char *uc_forest;
+ char *uc_parent;
if (domain == NULL || domain->name == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, ("No domain name provided\n"));
@@ -434,6 +438,51 @@ sss_write_domain_mappings(struct sss_domain_info *domain)
}
}
+ if (add_capaths) {
+ capaths_started = false;
+ parent_dom = domain;
+ uc_parent = get_uppercase_realm(tmp_ctx, parent_dom->name);
+ if (uc_parent == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("get_uppercase_realm failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (dom = get_next_domain(domain, true);
+ dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
+ dom = get_next_domain(dom, false)) {
+
+ if (dom->forest == NULL) {
+ continue;
+ }
+
+ uc_forest = get_uppercase_realm(tmp_ctx, dom->forest);
+ if (uc_forest == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("get_uppercase_realm failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (!capaths_started) {
+ ret = fprintf(fstream, "[capaths]\n");
+ if (ret < 0) {
+ DEBUG(SSSDBG_OP_FAILURE, ("fprintf failed\n"));
+ ret = EIO;
+ goto done;
+ }
+ capaths_started = true;
+ }
+
+ ret = fprintf(fstream, "%s = {\n %s = %s\n}\n%s = {\n %s = %s\n}\n",
+ dom->realm, uc_parent, uc_forest,
+ uc_parent, dom->realm, uc_forest);
+ if (ret < 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("fprintf failed\n"));
+ goto done;
+ }
+ }
+ }
+
ret = fclose(fstream);
fstream = NULL;
if (ret != 0) {
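Review bot: The failure path after the per-domain capaths fprintf jumps to `done` with `ret` still holding fprintf's negative return value, so the function returns a non-errno_t code, whereas the `[capaths]` header path a few lines above maps the same failure to `ret = EIO;` — the second path should do the same, `DEBUG(SSSDBG_OP_FAILURE, ("fprintf failed\n")); ret = EIO; goto done;`, which also makes the two debug levels consistent. The loop checks `dom->forest` for NULL before use but passes `dom->realm` straight to `%s` twice; if a subdomain can reach this point without a realm set (I cannot tell from the hunk), that is undefined behaviour and a malformed capaths stanza in the krb5 include file, so a `dom->realm == NULL` guard next to the forest check would be worth adding. `parent_dom` is assigned from `domain` and read once for its name, so `get_uppercase_realm(tmp_ctx, domain->name)` would drop a local without changing behaviour. sss_write_domain_mappings starts before this hunk.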
diff --git a/src/util/util.h b/src/util/util.h
index bd450ec7..98b86e9d 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -577,7 +577,8 @@ errno_t sssd_domain_init(TALLOC_CTX *mem_ctx,
#define IS_SUBDOMAIN(dom) ((dom)->parent != NULL)
-errno_t sss_write_domain_mappings(struct sss_domain_info *domain);
+errno_t sss_write_domain_mappings(struct sss_domain_info *domain,
+ bool add_capaths);
/* from util_lock.c */
errno_t sss_br_lock_file(int fd, size_t start, size_t len,