summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Makefile.am4
-rw-r--r--configure.ac1
-rw-r--r--contrib/sssd.spec.in2
-rw-r--r--src/conf_macros.m415
-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/config/SSSDConfig.py1
-rwxr-xr-xsrc/config/SSSDConfigTest.py1
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/man/sssd.conf.5.xml20
-rw-r--r--src/monitor/monitor.c31
10 files changed, 77 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index 4e2e26ba..144060f0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -34,6 +34,7 @@ systemdunitdir = @systemdunitdir@
logpath = @logpath@
pubconfpath = @pubconfpath@
pkgconfigdir = $(libdir)/pkgconfig
+krb5rcachedir = @krb5rcachedir@
AM_CFLAGS =
if WANT_AUX_INFO
@@ -1141,6 +1142,9 @@ install-data-hook:
rm $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 \
$(DESTDIR)/$(nsslibdir)/libnss_sss.so
mv $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2.0.0 $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2
+ if [ ! $(krb5rcachedir) = "__LIBKRB5_DEFAULTS__" ]; then \
+ mkdir -p $(DESTDIR)/$(krb5rcachedir) ; \
+ fi
uninstall-hook:
if [ -f $(abs_builddir)/src/config/.files ]; then \
diff --git a/configure.ac b/configure.ac
index 770371d5..230afa21 100644
--- a/configure.ac
+++ b/configure.ac
@@ -82,6 +82,7 @@ WITH_TEST_DIR
WITH_MANPAGES
WITH_XML_CATALOG
WITH_KRB5_PLUGIN_PATH
+WITH_KRB5_RCACHE_DIR
WITH_PYTHON_BINDINGS
WITH_SELINUX
WITH_NSCD
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 2639f3a2..ba908de2 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -171,6 +171,7 @@ autoreconf -ivf
--with-pipe-path=%{pipepath} \
--with-pubconf-path=%{pubconfpath} \
--with-init-dir=%{_initrddir} \
+ --with-krb5rcache-dir=%{_localstatedir}/cache/krb5rcache \
--enable-nsslibdir=/%{_lib} \
--enable-pammoddir=/%{_lib}/security \
--disable-static \
@@ -254,6 +255,7 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/%{name}/
%{ldb_modulesdir}/memberof.so
%dir %{sssdstatedir}
+%dir %{_localstatedir}/cache/krb5rcache
%attr(700,root,root) %dir %{dbpath}
%attr(755,root,root) %dir %{pipepath}
%attr(755,root,root) %dir %{pubconfpath}
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 1e503b3e..bd661ba3 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -204,6 +204,21 @@ AC_DEFUN([WITH_KRB5_PLUGIN_PATH],
AC_SUBST(krb5pluginpath)
])
+AC_DEFUN([WITH_KRB5_RCACHE_DIR],
+ [ AC_ARG_WITH([krb5-rcache-dir],
+ [AC_HELP_STRING([--with-krb5-rcache-dir=PATH],
+ [Path to store Kerberos replay caches [__LIBKRB5_DEFAULTS__]]
+ )
+ ]
+ )
+ krb5rcachedir="__LIBKRB5_DEFAULTS__"
+ if test x"$with_krb5_rcache_dir" != x; then
+ krb5rcachedir=$with_krb5_rcache_dir
+ fi
+ AC_SUBST(krb5rcachedir)
+ AC_DEFINE_UNQUOTED(KRB5_RCACHE_DIR, "$krb5rcachedir", [Directory used for storing Kerberos replay caches])
+ ])
+
AC_DEFUN([WITH_PYTHON_BINDINGS],
[ AC_ARG_WITH([python-bindings],
[AC_HELP_STRING([--with-python-bindings],
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 5e50991f..4d615761 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -63,6 +63,7 @@
#define CONFDB_MONITOR_NAME_REGEX "re_expression"
#define CONFDB_MONITOR_FULL_NAME_FORMAT "full_name_format"
#define CONFDB_MONITOR_TRY_INOTIFY "try_inotify"
+#define CONFDB_MONITOR_KRB5_RCACHEDIR "krb5_rcache_dir"
/* NSS */
#define CONFDB_NSS_CONF_ENTRY "config/nss"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 77a57c66..94d1f603 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -49,6 +49,7 @@ option_strings = {
'sbus_timeout' : _('Timeout for messages sent over the SBUS'),
're_expression' : _('Regex to parse username and domain'),
'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'),
+ 'krb5_rcache_dir' : _('Directory on the filesystem where SSSD should store Kerberos replay cache files.'),
# [nss]
'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 5b01b990..93b241b7 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -266,6 +266,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
'sbus_timeout',
're_expression',
'full_name_format',
+ 'krb5_rcache_dir',
'debug_level',
'debug_timestamps',
'debug_to_files',
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index ae9ba559..216766a5 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -17,6 +17,7 @@ timeout = int, None, false
sbus_timeout = int, None, false
re_expression = str, None, false
full_name_format = str, None, false
+krb5_rcache_dir = str, None, false
[nss]
# Name service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 6f85dda9..dcbb5c1b 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -185,6 +185,26 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>krb5_rcache_dir (string)</term>
+ <listitem>
+ <para>
+ Directory on the filesystem where SSSD should
+ store Kerberos replay cache files.
+ </para>
+ <para>
+ This option accepts a special value
+ __LIBKRB5_DEFAULTS__ that will instruct SSSD
+ to let libkrb5 decide the appropriate
+ location for the replay cache.
+ </para>
+ <para>
+ Default: Distribution-specific and specified
+ at build-time. (__LIBKRB5_DEFAULTS__ if not
+ configured)
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
</refsect2>
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index dd099841..0e16b78f 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -55,6 +55,11 @@
* monitor will get crazy hammering children with messages */
#define MONITOR_DEF_PING_TIME 10
+/* Special value to leave the Kerberos Replay Cache set to use
+ * the libkrb5 defaults
+ */
+#define KRB5_RCACHE_DIR_DISABLE "__LIBKRB5_DEFAULTS__"
+
int cmdline_debug_level;
int cmdline_debug_timestamps;
@@ -1926,8 +1931,34 @@ int monitor_process_init(struct mt_ctx *ctx,
struct sysdb_ctx_list *db_list;
struct tevent_signal *tes;
struct sss_domain_info *dom;
+ char *rcachedir;
int num_providers;
int ret;
+ int error;
+
+ /* Set up the environment variable for the Kerberos Replay Cache */
+ ret = confdb_get_string(ctx->cdb, ctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_KRB5_RCACHEDIR,
+ KRB5_RCACHE_DIR,
+ &rcachedir);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ if (strcmp(rcachedir, KRB5_RCACHE_DIR_DISABLE) != 0)
+ {
+ errno = 0;
+ ret = setenv("KRB5RCACHEDIR", rcachedir, 1);
+ if (ret < 0) {
+ error = errno;
+ DEBUG(1,
+ ("Unable to set KRB5RCACHEDIR: %s."
+ "Will attempt to use libkrb5 defaults\n",
+ strerror(error)));
+ }
+ talloc_zfree(rcachedir);
+ }
/* Set up an event handler for a SIGHUP */
tes = tevent_add_signal(ctx->ev, ctx, SIGHUP, 0,