krb5: Fetch ccname template from krb5.conf

In order to use the same defaults in all system daemons that needs to know how to generate or search for ccaches we introduce ode here to take advantage of the new option called default_ccache_name provided by libkrb5. If set this variable we establish the same default for all programs that surce it out of krb5.conf therefore providing a consistent experience across the system. Related: https://fedorahosted.org/sssd/ticket/2036
author: Stephen Gallagher <sgallagh@redhat.com> 2013-08-27 13:36:41 -0400
committer: Jakub Hrozek <jhrozek@redhat.com> 2013-08-28 11:00:03 +0200
commit: dcc6877aa2e2dd63a9dc9c411a9c58feaeb36b9a (patch)
tree: fda3c24e3ec4be05c86b6271e297e8fc0f4cd6a1 /src/providers/krb5/krb5_common.c
parent: a524b03792dc8f8dae32bba5a2af8532bc751e86 (diff)
download: sssd-dcc6877aa2e2dd63a9dc9c411a9c58feaeb36b9a.tar.gz
sssd-dcc6877aa2e2dd63a9dc9c411a9c58feaeb36b9a.tar.bz2
sssd-dcc6877aa2e2dd63a9dc9c411a9c58feaeb36b9a.zip
1 files changed, 91 insertions, 8 deletions
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index c88eb03f..c7ce574d 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -33,6 +33,11 @@
 #include "providers/krb5/krb5_opts.h"
 #include "providers/krb5/krb5_utils.h"
 
+#ifdef HAVE_KRB5_CC_COLLECTION
+/* krb5 profile functions */
+#include <profile.h>
+#endif
+
 errno_t check_and_export_lifetime(struct dp_option *opts, const int opt_id,
                                   const char *env_name)
 {
@@ -86,6 +91,58 @@ done:
     return ret;
 }
 
+#ifdef HAVE_KRB5_CC_COLLECTION
+/* source default_ccache_name from krb5.conf */
+static errno_t sss_get_system_ccname_template(TALLOC_CTX *mem_ctx,
+                                              char **ccname)
+{
+    krb5_context ctx;
+    profile_t p;
+    char *value = NULL;
+    long ret;
+
+    *ccname = NULL;
+
+    ret = krb5_init_context(&ctx);
+    if (ret) return ret;
+
+    ret = krb5_get_profile(ctx, &p);
+    if (ret) goto done;
+
+    ret = profile_get_string(p, "libdefaults", "default_ccache_name",
+                             NULL, NULL, &value);
+    if (ret) goto done;
+
+    if (!value) {
+        ret = ERR_NOT_FOUND;
+        goto done;
+    }
+
+    *ccname = talloc_strdup(mem_ctx, value);
+    if (*ccname == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ret = EOK;
+
+done:
+    krb5_free_context(ctx);
+    free(value);
+    return ret;
+}
+#else
+static errno_t sss_get_system_ccname_template(TALLOC_CTX *mem_ctx,
+                                              char **ccname)
+{
+    DEBUG(SSSDBG_CONF_SETTINGS,
+          ("Your kerberos library does not support the default_ccache_name "
+           "option or the profile library. Please use krb5_ccname_template "
+           "in sssd.conf if you want to change the default\n"));
+    *ccname = NULL;
+    return ERR_NOT_FOUND;
+}
+#endif
 
 errno_t check_and_export_options(struct dp_option *opts,
                                  struct sss_domain_info *dom,
@@ -188,19 +245,45 @@ errno_t check_and_export_options(struct dp_option *opts,
                                      "using the KDC or defaults.\n"));
     }
 
-    dummy = dp_opt_get_cstring(opts, KRB5_CCNAME_TMPL);
-    if (dummy == NULL) {
-        DEBUG(1, ("Missing credential cache name template.\n"));
-        ret = EINVAL;
-        goto done;
+    ccname = dp_opt_get_string(opts, KRB5_CCNAME_TMPL);
+    if (ccname != NULL) {
+        DEBUG(SSSDBG_CONF_SETTINGS,
+              ("The credential ccache name template has been explicitly set "
+               "in sssd.conf, it is recommended to set default_ccache_name "
+               "in krb5.conf instead so that a system default is used\n"));
+        ccname = talloc_strdup(tmp_ctx, ccname);
+        if (!ccname) {
+            ret = ENOMEM;
+            goto done;
+        }
+    } else {
+        ret = sss_get_system_ccname_template(tmp_ctx, &ccname);
+        if (ret && ret != ERR_NOT_FOUND) {
+            goto done;
+        }
+        if (ret == ERR_NOT_FOUND) {
+            /* Use fallback default */
+            ccname = talloc_strdup(tmp_ctx, DEFAULT_CCNAME_TEMPLATE);
+            if (!ccname) {
+                ret = ENOMEM;
+                goto done;
+            }
+        }
+
+        /* set back in opts */
+        ret = dp_opt_set_string(opts, KRB5_CCNAME_TMPL, ccname);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE, ("dp_opt_set_string failed.\n"));
+            goto done;
+        }
     }
 
-    cc_be = sss_krb5_get_type(dummy);
+    cc_be = sss_krb5_get_type(ccname);
     switch (cc_be) {
     case SSS_KRB5_TYPE_FILE:
         DEBUG(SSSDBG_CONF_SETTINGS, ("ccache is of type FILE\n"));
         krb5_ctx->cc_be = &file_cc;
-        if (dummy[0] != '/') {
+        if (ccname[0] != '/') {
             /* FILE:/path/to/cc */
             break;
         }
@@ -209,7 +292,7 @@ errno_t check_and_export_options(struct dp_option *opts,
               "missing an explicit type, but is an absolute "
               "path specifier. Assuming FILE:\n"));
 
-        ccname = talloc_asprintf(tmp_ctx, "FILE:%s", dummy);
+        ccname = talloc_asprintf(tmp_ctx, "FILE:%s", ccname);
         if (!ccname) {
             ret = ENOMEM;
             goto done;
author	Stephen Gallagher <sgallagh@redhat.com>	2013-08-27 13:36:41 -0400
committer	Jakub Hrozek <jhrozek@redhat.com>	2013-08-28 11:00:03 +0200
commit	dcc6877aa2e2dd63a9dc9c411a9c58feaeb36b9a (patch)
tree	fda3c24e3ec4be05c86b6271e297e8fc0f4cd6a1 /src/providers/krb5/krb5_common.c
parent	a524b03792dc8f8dae32bba5a2af8532bc751e86 (diff)
download	sssd-dcc6877aa2e2dd63a9dc9c411a9c58feaeb36b9a.tar.gz sssd-dcc6877aa2e2dd63a9dc9c411a9c58feaeb36b9a.tar.bz2 sssd-dcc6877aa2e2dd63a9dc9c411a9c58feaeb36b9a.zip