diff options
author | Simo Sorce <ssorce@redhat.com> | 2009-10-15 17:39:36 -0400 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2009-10-16 14:27:23 -0400 |
commit | b774feec96d8e0d382fc0b50ce5d70b51eabdc5c (patch) | |
tree | 4bf461026511dfee82d4be2f7f92a40e4ff2f6d9 /server | |
parent | ea30597c0e2ebbe976cbd63605d3567416a4e4f2 (diff) | |
download | sssd-b774feec96d8e0d382fc0b50ce5d70b51eabdc5c.tar.gz sssd-b774feec96d8e0d382fc0b50ce5d70b51eabdc5c.tar.bz2 sssd-b774feec96d8e0d382fc0b50ce5d70b51eabdc5c.zip |
Move all krb5 provider init functions
Put all init functions in their own file so that the other files can be
reused in other providers w/o having them in the way.
Diffstat (limited to 'server')
-rw-r--r-- | server/Makefile.am | 3 | ||||
-rw-r--r-- | server/krb5_plugin/sssd_krb5_locator_plugin.c | 2 | ||||
-rw-r--r-- | server/providers/krb5/krb5_auth.c | 204 | ||||
-rw-r--r-- | server/providers/krb5/krb5_auth.h | 21 | ||||
-rw-r--r-- | server/providers/krb5/krb5_common.h | 40 | ||||
-rw-r--r-- | server/providers/krb5/krb5_init.c | 189 |
6 files changed, 264 insertions, 195 deletions
diff --git a/server/Makefile.am b/server/Makefile.am index bfafa6b1..f6740937 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -457,7 +457,8 @@ libsss_proxy_la_LDFLAGS = \ libsss_krb5_la_SOURCES = \ providers/krb5/krb5_utils.c \ - providers/krb5/krb5_auth.c + providers/krb5/krb5_auth.c \ + providers/krb5/krb5_init.c libsss_krb5_la_CFLAGS = \ $(AM_CFLAGS) \ $(KRB5_CFLAGS) diff --git a/server/krb5_plugin/sssd_krb5_locator_plugin.c b/server/krb5_plugin/sssd_krb5_locator_plugin.c index 7ccdb3fe..fc5f4261 100644 --- a/server/krb5_plugin/sssd_krb5_locator_plugin.c +++ b/server/krb5_plugin/sssd_krb5_locator_plugin.c @@ -31,7 +31,7 @@ #include <krb5/locate_plugin.h> -#include "providers/krb5/krb5_auth.h" +#include "providers/krb5/krb5_common.h" #define SSSD_KRB5_LOCATOR_DEBUG "SSSD_KRB5_LOCATOR_DEBUG" #define DEBUG_KEY "[sssd_krb5_locator] " diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c index 4d98b931..1e689d93 100644 --- a/server/providers/krb5/krb5_auth.c +++ b/server/providers/krb5/krb5_auth.c @@ -27,16 +27,12 @@ #include <sys/types.h> #include <sys/wait.h> -#include <unistd.h> #include <fcntl.h> #include <pwd.h> -#include <sys/stat.h> - #include <security/pam_modules.h> #include "util/util.h" -#include "providers/dp_backend.h" #include "db/sysdb.h" #include "providers/krb5/krb5_auth.h" #include "providers/krb5/krb5_utils.h" @@ -141,7 +137,8 @@ errno_t create_send_buffer(struct krb5child_req *kr, struct io_buffer **io_buf) return EOK; } -static struct krb5_ctx *get_krb5_ctx(struct be_req *be_req) { +static struct krb5_ctx *get_krb5_ctx(struct be_req *be_req) +{ struct pam_data *pd; pd = talloc_get_type(be_req->req_data, struct pam_data); @@ -161,7 +158,8 @@ static struct krb5_ctx *get_krb5_ctx(struct be_req *be_req) { } } -static void fd_nonblocking(int fd) { +static void fd_nonblocking(int fd) +{ int flags; flags = fcntl(fd, F_GETFL, 0); @@ -297,9 +295,9 @@ failed: return err; } -static void wait_for_child_handler(struct tevent_context *ev, - struct tevent_signal *sige, int signum, - int count, void *__siginfo, void *pvt) +void krb5_child_sig_handler(struct tevent_context *ev, + struct tevent_signal *sige, int signum, + int count, void *__siginfo, void *pvt) { int ret; int child_status; @@ -496,12 +494,12 @@ struct read_pipe_state { size_t len; }; -static void read_pipe_done(struct tevent_context *ev, struct tevent_fd *fde, - uint16_t flags, void *pvt); +static void read_pipe_done(struct tevent_context *ev, + struct tevent_fd *fde, + uint16_t flags, void *pvt); static struct tevent_req *read_pipe_send(TALLOC_CTX *memctx, - struct tevent_context *ev, - int fd) + struct tevent_context *ev, int fd) { struct tevent_req *req; struct read_pipe_state *state; @@ -530,8 +528,9 @@ fail: return NULL; } -static void read_pipe_done(struct tevent_context *ev, struct tevent_fd *fde, - uint16_t flags, void *pvt) +static void read_pipe_done(struct tevent_context *ev, + struct tevent_fd *fde, + uint16_t flags, void *pvt) { ssize_t size; struct tevent_req *req = talloc_get_type(pvt, struct tevent_req); @@ -569,7 +568,8 @@ static void read_pipe_done(struct tevent_context *ev, struct tevent_fd *fde, } static ssize_t read_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, - uint8_t **buf, uint64_t *error) { + uint8_t **buf, uint64_t *error) +{ struct read_pipe_state *state = tevent_req_data(req, struct read_pipe_state); enum tevent_req_state tstate; @@ -590,8 +590,9 @@ struct handle_child_state { static void handle_child_done(struct tevent_req *subreq); -static struct tevent_req *handle_child_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, - struct krb5child_req *kr) +static struct tevent_req *handle_child_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct krb5child_req *kr) { int ret; struct tevent_req *req; @@ -656,8 +657,10 @@ static void handle_child_done(struct tevent_req *subreq) return; } -static ssize_t handle_child_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, - uint8_t **buf, uint64_t *error) { +static ssize_t handle_child_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + uint8_t **buf, uint64_t *error) +{ struct handle_child_state *state = tevent_req_data(req, struct handle_child_state); enum tevent_req_state tstate; @@ -674,7 +677,7 @@ static void get_user_upn_done(void *pvt, int err, struct ldb_result *res); static void krb5_pam_handler_done(struct tevent_req *req); static void krb5_pam_handler_cache_done(struct tevent_req *treq); -static void krb5_pam_handler(struct be_req *be_req) +void krb5_pam_handler(struct be_req *be_req) { struct pam_data *pd; const char **attrs; @@ -968,162 +971,3 @@ static void krb_reply(struct be_req *req, int dp_err, int result) req->fn(req, dp_err, result, NULL); } - -struct bet_ops krb5_auth_ops = { - .handler = krb5_pam_handler, - .finalize = NULL, -}; - -struct bet_ops krb5_chpass_ops = { - .handler = krb5_pam_handler, - .finalize = NULL, -}; - - -int sssm_krb5_auth_init(struct be_ctx *bectx, - struct bet_ops **ops, void **pvt_auth_data) -{ - struct krb5_ctx *ctx = NULL; - char *value = NULL; - int int_value; - int ret; - struct tevent_signal *sige; - struct stat stat_buf; - unsigned v; - FILE *debug_filep; - - ctx = talloc_zero(bectx, struct krb5_ctx); - if (!ctx) { - DEBUG(1, ("talloc failed.\n")); - return ENOMEM; - } - - ctx->action = INIT_PW; - - ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path, - CONFDB_KRB5_KDCIP, NULL, &value); - if (ret != EOK) goto fail; - if (value == NULL) { - DEBUG(2, ("Missing krb5KDCIP, authentication might fail.\n")); - } else { - ret = setenv(SSSD_KRB5_KDC, value, 1); - if (ret != EOK) { - DEBUG(2, ("setenv %s failed, authentication might fail.\n", - SSSD_KRB5_KDC)); - } - } - ctx->kdcip = value; - - ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path, - CONFDB_KRB5_REALM, NULL, &value); - if (ret != EOK) goto fail; - if (value == NULL) { - DEBUG(4, ("Missing krb5REALM authentication might fail.\n")); - } else { - ret = setenv(SSSD_KRB5_REALM, value, 1); - if (ret != EOK) { - DEBUG(2, ("setenv %s failed, authentication might fail.\n", - SSSD_KRB5_REALM)); - } - } - ctx->realm = value; - - ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path, - CONFDB_KRB5_CCACHEDIR, "/tmp", &value); - if (ret != EOK) goto fail; - ret = lstat(value, &stat_buf); - if (ret != EOK) { - DEBUG(1, ("lstat for [%s] failed: [%d][%s].\n", value, errno, - strerror(errno))); - goto fail; - } - if ( !S_ISDIR(stat_buf.st_mode) ) { - DEBUG(1, ("Value of krb5ccache_dir [%s] is not a directory.\n", value)); - goto fail; - } - ctx->ccache_dir = value; - - ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path, - CONFDB_KRB5_CCNAME_TMPL, - "FILE:%d/krb5cc_%U_XXXXXX", - &value); - if (ret != EOK) goto fail; - if (value[0] != '/' && strncmp(value, "FILE:", 5) != 0) { - DEBUG(1, ("Currently only file based credential caches are supported " - "and krb5ccname_template must start with '/' or 'FILE:'\n")); - goto fail; - } - ctx->ccname_template = value; - - ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path, - CONFDB_KRB5_CHANGEPW_PRINC, - "kadmin/changepw", - &value); - if (ret != EOK) goto fail; - if (strchr(value, '@') == NULL) { - value = talloc_asprintf_append(value, "@%s", ctx->realm); - if (value == NULL) { - DEBUG(7, ("talloc_asprintf_append failed.\n")); - goto fail; - } - } - ctx->changepw_principle = value; - - ret = setenv(SSSD_KRB5_CHANGEPW_PRINCIPLE, ctx->changepw_principle, 1); - if (ret != EOK) { - DEBUG(2, ("setenv %s failed, password change might fail.\n", - SSSD_KRB5_CHANGEPW_PRINCIPLE)); - } - - ret = confdb_get_int(bectx->cdb, ctx, bectx->conf_path, - CONFDB_KRB5_AUTH_TIMEOUT, 15, &int_value); - if (ret != EOK) goto fail; - if (int_value <= 0) { - DEBUG(4, ("krb5auth_timeout has to be a positive value.\n")); - goto fail; - } - ctx->auth_timeout = int_value; - -/* TODO: set options */ - - sige = tevent_add_signal(bectx->ev, ctx, SIGCHLD, SA_SIGINFO, - wait_for_child_handler, NULL); - if (sige == NULL) { - DEBUG(1, ("tevent_add_signal failed.\n")); - ret = ENOMEM; - goto fail; - } - - if (debug_to_file != 0) { - ret = open_debug_file_ex("krb5_child", &debug_filep); - if (ret != EOK) { - DEBUG(0, ("Error setting up logging (%d) [%s]\n", - ret, strerror(ret))); - goto fail; - } - - ctx->child_debug_fd = fileno(debug_filep); - if (ctx->child_debug_fd == -1) { - DEBUG(0, ("fileno failed [%d][%s]\n", errno, strerror(errno))); - ret = errno; - goto fail; - } - - v = fcntl(ctx->child_debug_fd, F_GETFD, 0); - fcntl(ctx->child_debug_fd, F_SETFD, v & ~FD_CLOEXEC); - } - - *ops = &krb5_auth_ops; - *pvt_auth_data = ctx; - return EOK; - -fail: - talloc_free(ctx); - return ret; -} - -int sssm_krb5_chpass_init(struct be_ctx *bectx, struct bet_ops **ops, - void **pvt_auth_data) -{ - return sssm_krb5_auth_init(bectx, ops, pvt_auth_data); -} diff --git a/server/providers/krb5/krb5_auth.h b/server/providers/krb5/krb5_auth.h index 1fd7c589..9e9142cf 100644 --- a/server/providers/krb5/krb5_auth.h +++ b/server/providers/krb5/krb5_auth.h @@ -26,23 +26,12 @@ #ifndef __KRB5_AUTH_H__ #define __KRB5_AUTH_H__ -#include "config.h" - -#include <stdbool.h> - -#ifdef HAVE_KRB5_KRB5_H -#include <krb5/krb5.h> -#else -#include <krb5.h> -#endif +#include "providers/dp_backend.h" +#include "providers/krb5/krb5_common.h" #define MAX_CHILD_MSG_SIZE 255 #define CCACHE_ENV_NAME "KRB5CCNAME" - #define SSSD_KRB5_CHANGEPW_PRINCIPLE "SSSD_KRB5_CHANGEPW_PRINCIPLE" -#define SSSD_KRB5_KDC "SSSD_KRB5_KDC" -#define SSSD_KRB5_REALM "SSSD_KRB5_REALM" - typedef enum { INIT_PW, INIT_KT, RENEW, VALIDATE } action_type; @@ -95,4 +84,10 @@ struct krb5_ctx { int child_debug_fd; }; +void krb5_pam_handler(struct be_req *be_req); + +void krb5_child_sig_handler(struct tevent_context *ev, + struct tevent_signal *sige, int signum, + int count, void *__siginfo, void *pvt); + #endif /* __KRB5_AUTH_H__ */ diff --git a/server/providers/krb5/krb5_common.h b/server/providers/krb5/krb5_common.h new file mode 100644 index 00000000..64e43605 --- /dev/null +++ b/server/providers/krb5/krb5_common.h @@ -0,0 +1,40 @@ +/* + SSSD + + Kerberos Backend, common header file + + Authors: + Sumit Bose <sbose@redhat.com> + + Copyright (C) 2009 Red Hat + + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef __KRB5_COMMON_H__ +#define __KRB5_COMMON_H__ + +#include "config.h" +#include <stdbool.h> +#ifdef HAVE_KRB5_KRB5_H +#include <krb5/krb5.h> +#else +#include <krb5.h> +#endif + +#define SSSD_KRB5_KDC "SSSD_KRB5_KDC" +#define SSSD_KRB5_REALM "SSSD_KRB5_REALM" + +#endif /* __KRB5_COMMON_H__ */ diff --git a/server/providers/krb5/krb5_init.c b/server/providers/krb5/krb5_init.c new file mode 100644 index 00000000..676d078d --- /dev/null +++ b/server/providers/krb5/krb5_init.c @@ -0,0 +1,189 @@ +/* + SSSD + + Kerberos 5 Backend Module + + Authors: + Sumit Bose <sbose@redhat.com> + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include <sys/types.h> +#include <unistd.h> +#include <fcntl.h> +#include <sys/stat.h> +#include "providers/krb5/krb5_auth.h" + +struct bet_ops krb5_auth_ops = { + .handler = krb5_pam_handler, + .finalize = NULL, +}; + +struct bet_ops krb5_chpass_ops = { + .handler = krb5_pam_handler, + .finalize = NULL, +}; + +int sssm_krb5_auth_init(struct be_ctx *bectx, + struct bet_ops **ops, + void **pvt_auth_data) +{ + struct krb5_ctx *ctx = NULL; + char *value = NULL; + int int_value; + int ret; + struct tevent_signal *sige; + struct stat stat_buf; + unsigned v; + FILE *debug_filep; + + ctx = talloc_zero(bectx, struct krb5_ctx); + if (!ctx) { + DEBUG(1, ("talloc failed.\n")); + return ENOMEM; + } + + ctx->action = INIT_PW; + + ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path, + CONFDB_KRB5_KDCIP, NULL, &value); + if (ret != EOK) goto fail; + if (value == NULL) { + DEBUG(2, ("Missing krb5KDCIP, authentication might fail.\n")); + } else { + ret = setenv(SSSD_KRB5_KDC, value, 1); + if (ret != EOK) { + DEBUG(2, ("setenv %s failed, authentication might fail.\n", + SSSD_KRB5_KDC)); + } + } + ctx->kdcip = value; + + ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path, + CONFDB_KRB5_REALM, NULL, &value); + if (ret != EOK) goto fail; + if (value == NULL) { + DEBUG(4, ("Missing krb5REALM authentication might fail.\n")); + } else { + ret = setenv(SSSD_KRB5_REALM, value, 1); + if (ret != EOK) { + DEBUG(2, ("setenv %s failed, authentication might fail.\n", + SSSD_KRB5_REALM)); + } + } + ctx->realm = value; + + ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path, + CONFDB_KRB5_CCACHEDIR, "/tmp", &value); + if (ret != EOK) goto fail; + ret = lstat(value, &stat_buf); + if (ret != EOK) { + DEBUG(1, ("lstat for [%s] failed: [%d][%s].\n", value, errno, + strerror(errno))); + goto fail; + } + if ( !S_ISDIR(stat_buf.st_mode) ) { + DEBUG(1, ("Value of krb5ccache_dir [%s] is not a directory.\n", value)); + goto fail; + } + ctx->ccache_dir = value; + + ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path, + CONFDB_KRB5_CCNAME_TMPL, + "FILE:%d/krb5cc_%U_XXXXXX", + &value); + if (ret != EOK) goto fail; + if (value[0] != '/' && strncmp(value, "FILE:", 5) != 0) { + DEBUG(1, ("Currently only file based credential caches are supported " + "and krb5ccname_template must start with '/' or 'FILE:'\n")); + goto fail; + } + ctx->ccname_template = value; + + ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path, + CONFDB_KRB5_CHANGEPW_PRINC, + "kadmin/changepw", + &value); + if (ret != EOK) goto fail; + if (strchr(value, '@') == NULL) { + value = talloc_asprintf_append(value, "@%s", ctx->realm); + if (value == NULL) { + DEBUG(7, ("talloc_asprintf_append failed.\n")); + goto fail; + } + } + ctx->changepw_principle = value; + + ret = setenv(SSSD_KRB5_CHANGEPW_PRINCIPLE, ctx->changepw_principle, 1); + if (ret != EOK) { + DEBUG(2, ("setenv %s failed, password change might fail.\n", + SSSD_KRB5_CHANGEPW_PRINCIPLE)); + } + + ret = confdb_get_int(bectx->cdb, ctx, bectx->conf_path, + CONFDB_KRB5_AUTH_TIMEOUT, 15, &int_value); + if (ret != EOK) goto fail; + if (int_value <= 0) { + DEBUG(4, ("krb5auth_timeout has to be a positive value.\n")); + goto fail; + } + ctx->auth_timeout = int_value; + +/* TODO: set options */ + + sige = tevent_add_signal(bectx->ev, ctx, SIGCHLD, SA_SIGINFO, + krb5_child_sig_handler, NULL); + if (sige == NULL) { + DEBUG(1, ("tevent_add_signal failed.\n")); + ret = ENOMEM; + goto fail; + } + + if (debug_to_file != 0) { + ret = open_debug_file_ex("krb5_child", &debug_filep); + if (ret != EOK) { + DEBUG(0, ("Error setting up logging (%d) [%s]\n", + ret, strerror(ret))); + goto fail; + } + + ctx->child_debug_fd = fileno(debug_filep); + if (ctx->child_debug_fd == -1) { + DEBUG(0, ("fileno failed [%d][%s]\n", errno, strerror(errno))); + ret = errno; + goto fail; + } + + v = fcntl(ctx->child_debug_fd, F_GETFD, 0); + fcntl(ctx->child_debug_fd, F_SETFD, v & ~FD_CLOEXEC); + } + + *ops = &krb5_auth_ops; + *pvt_auth_data = ctx; + return EOK; + +fail: + talloc_free(ctx); + return ret; +} + +int sssm_krb5_chpass_init(struct be_ctx *bectx, + struct bet_ops **ops, + void **pvt_auth_data) +{ + return sssm_krb5_auth_init(bectx, ops, pvt_auth_data); +} |