diff options
-rw-r--r-- | src/providers/ipa/ipa_auth.c | 504 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.h | 8 | ||||
-rw-r--r-- | src/providers/ipa/ipa_init.c | 83 | ||||
-rw-r--r-- | src/providers/krb5/krb5_common.c | 4 |
4 files changed, 400 insertions, 199 deletions
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c index 86b72e49..6f062adc 100644 --- a/src/providers/ipa/ipa_auth.c +++ b/src/providers/ipa/ipa_auth.c @@ -31,283 +31,435 @@ #include "providers/krb5/krb5_auth.h" #include "providers/ipa/ipa_common.h" -struct ipa_auth_ctx { - struct sdap_auth_ctx *sdap_auth_ctx; - struct krb5_ctx *krb5_ctx; - struct be_req *be_req; - be_async_callback_t callback; - void *pvt; - bool password_migration; - - int dp_err_type; - int errnum; - char *errstr; -}; +#define IPA_CONFIG_MIRATION_ENABLED "ipaMigrationEnabled" +#define IPA_CONFIG_SEARCH_BASE_TEMPLATE "cn=etc,%s" +#define IPA_CONFIG_FILTER "(&(cn=ipaConfig)(objectClass=ipaGuiConfig))" -static void ipa_auth_reply(struct ipa_auth_ctx *ipa_auth_ctx) +static void ipa_auth_reply(struct be_req *be_req, int dp_err, int result) { - struct pam_data *pd; - struct be_req *be_req = ipa_auth_ctx->be_req; - be_req->fn = ipa_auth_ctx->callback; - be_req->pvt = ipa_auth_ctx->pvt; - be_req->be_ctx->bet_info[BET_AUTH].pvt_bet_data = ipa_auth_ctx->krb5_ctx; - pd = talloc_get_type(be_req->req_data, struct pam_data); - int dp_err_type = ipa_auth_ctx->dp_err_type; - char *errstr = ipa_auth_ctx->errstr; - - talloc_zfree(ipa_auth_ctx); - DEBUG(9, ("sending [%d] [%d] [%s].\n", dp_err_type, pd->pam_status, - errstr)); - - be_req->fn(be_req, dp_err_type, pd->pam_status, errstr); + be_req->fn(be_req, dp_err, result, NULL); } -struct ipa_auth_handler_state { +struct get_password_migration_flag_state { struct tevent_context *ev; - - int dp_err_type; - int errnum; - char *errstr; + struct sdap_auth_ctx *sdap_auth_ctx; + struct sdap_handle *sh; + enum sdap_result result; + struct fo_server *srv; + char *ipa_domain; + bool password_migration; }; -static void ipa_auth_handler_callback(struct be_req *be_req, - int dp_err_type, - int errnum, - const char *errstr); +static void get_password_migration_flag_auth_done(struct tevent_req *subreq); +static void get_password_migration_flag_done(struct tevent_req *subreq); -static struct tevent_req *ipa_auth_handler_send(TALLOC_CTX *memctx, +static struct tevent_req *get_password_migration_flag_send(TALLOC_CTX *memctx, struct tevent_context *ev, - struct be_req *be_req, - be_req_fn_t auth_handler) + struct sdap_auth_ctx *sdap_auth_ctx, + char *ipa_domain) { - struct ipa_auth_handler_state *state; - struct tevent_req *req; + int ret; + struct tevent_req *req, *subreq; + struct get_password_migration_flag_state *state; + + if (sdap_auth_ctx == NULL || ipa_domain == NULL) { + DEBUG(1, ("Missing parameter.\n")); + return NULL; + } - req = tevent_req_create(memctx, &state, struct ipa_auth_handler_state); + req = tevent_req_create(memctx, &state, + struct get_password_migration_flag_state); if (req == NULL) { DEBUG(1, ("tevent_req_create failed.\n")); return NULL; } state->ev = ev; + state->sdap_auth_ctx = sdap_auth_ctx; + state->sh = NULL; + state->result = SDAP_ERROR; + state->srv = NULL; + state->password_migration = false; + state->ipa_domain = ipa_domain; + + /* We request to use StartTLS here, because if password migration is + * enabled we will use this connection for authentication, too. */ + ret = dp_opt_set_bool(sdap_auth_ctx->opts->basic, SDAP_ID_TLS, true); + if (ret != EOK) { + DEBUG(1, ("Failed to set SDAP_ID_TLS to true.\n")); + goto fail; + } - be_req->fn = ipa_auth_handler_callback; - be_req->pvt = req; - - auth_handler(be_req); + subreq = sdap_cli_connect_send(state, ev, sdap_auth_ctx->opts, + sdap_auth_ctx->be, sdap_auth_ctx->service, + NULL); + if (subreq == NULL) { + DEBUG(1, ("sdap_cli_connect_send failed.\n")); + goto fail; + } + tevent_req_set_callback(subreq, get_password_migration_flag_auth_done, + req); return req; + +fail: + talloc_zfree(req); + return NULL; } -static void ipa_auth_handler_callback(struct be_req *be_req, - int dp_err_type, - int errnum, - const char *errstr) +static void get_password_migration_flag_auth_done(struct tevent_req *subreq) { - struct tevent_req *req = talloc_get_type(be_req->pvt, struct tevent_req); - struct ipa_auth_handler_state *state = tevent_req_data(req, - struct ipa_auth_handler_state); + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct get_password_migration_flag_state *state = tevent_req_data(req, + struct get_password_migration_flag_state); + int ret; + char *ldap_basedn; + char *search_base; + const char **attrs; + + ret = sdap_cli_connect_recv(subreq, state, &state->sh, NULL); + talloc_zfree(subreq); + if (ret) { + DEBUG(1, ("sdap_auth request failed.\n")); + tevent_req_error(req, ret); + return; + } - DEBUG(9, ("received from handler [%d] [%d] [%s].\n", dp_err_type, errnum, - errstr)); - state->dp_err_type = dp_err_type; - state->errnum = errnum; - state->errstr = talloc_strdup(state, errstr); + ret = domain_to_basedn(state, state->ipa_domain, &ldap_basedn); + if (ret != EOK) { + DEBUG(1, ("domain_to_basedn failed.\n")); + tevent_req_error(req, ret); + return; + } - tevent_req_post(req, state->ev); - tevent_req_done(req); - return; + search_base = talloc_asprintf(state, IPA_CONFIG_SEARCH_BASE_TEMPLATE, + ldap_basedn); + if (search_base == NULL) { + DEBUG(1, ("talloc_asprintf failed.\n")); + tevent_req_error(req, ENOMEM); + return; + } + + attrs = talloc_array(state, const char*, 2); + if (attrs == NULL) { + DEBUG(1, ("talloc_array failed.\n")); + tevent_req_error(req, ENOMEM); + return; + } + + attrs[0] = IPA_CONFIG_MIRATION_ENABLED; + attrs[1] = NULL; + + subreq = sdap_get_generic_send(state, state->ev, state->sdap_auth_ctx->opts, + state->sh, search_base, LDAP_SCOPE_SUBTREE, + IPA_CONFIG_FILTER, attrs, NULL, 0); + if (!subreq) { + tevent_req_error(req, ENOMEM); + return; + } + + tevent_req_set_callback(subreq, get_password_migration_flag_done, req); } -static int ipa_auth_handler_recv(struct tevent_req *req, TALLOC_CTX *memctx, - int *dp_err_type, int *errnum, - char **errstr) +static void get_password_migration_flag_done(struct tevent_req *subreq) { - struct ipa_auth_handler_state *state = tevent_req_data(req, - struct ipa_auth_handler_state); - enum tevent_req_state tstate; - uint64_t err; - - if (tevent_req_is_error(req, &tstate, &err)) { - if (err) return err; - return EIO; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct get_password_migration_flag_state *state = tevent_req_data(req, + struct get_password_migration_flag_state); + int ret; + size_t reply_count; + struct sysdb_attrs **reply = NULL; + const char *value = NULL; + + ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply); + talloc_zfree(subreq); + if (ret) { + tevent_req_error(req, ret); + return; + } + + if (reply_count != 1) { + DEBUG(1, ("Unexpected number of results, expected 1, got %d.\n", + reply_count)); + tevent_req_error(req, EINVAL); + return; } - *dp_err_type = state->dp_err_type; - *errnum = state->errnum; - *errstr = talloc_steal(memctx, state->errstr); + ret = sysdb_attrs_get_string(reply[0], IPA_CONFIG_MIRATION_ENABLED, &value); + if (strcasecmp(value, "true") == 0) { + state->password_migration = true; + } + + tevent_req_done(req); +} + +static int get_password_migration_flag_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + bool *password_migration, + struct sdap_handle **sh) +{ + struct get_password_migration_flag_state *state = tevent_req_data(req, + struct get_password_migration_flag_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *password_migration = state->password_migration; + if (sh != NULL) { + *sh = talloc_steal(mem_ctx, state->sh); + } return EOK; } +struct ipa_auth_state { + struct be_req *be_req; + struct tevent_context *ev; + struct ipa_auth_ctx *ipa_auth_ctx; + struct pam_data *pd; + bool password_migration; + struct sdap_handle *sh; +}; + static void ipa_auth_handler_done(struct tevent_req *req); +static void ipa_get_migration_flag_done(struct tevent_req *req); static void ipa_auth_ldap_done(struct tevent_req *req); static void ipa_auth_handler_retry_done(struct tevent_req *req); void ipa_auth(struct be_req *be_req) { struct tevent_req *req; - struct ipa_auth_ctx *ipa_auth_ctx; - struct sdap_id_ctx *sdap_id_ctx; + struct ipa_auth_state *state; - ipa_auth_ctx = talloc_zero(be_req, struct ipa_auth_ctx); - if (ipa_auth_ctx == NULL) { - DEBUG(1, ("talloc failed.\n")); - be_req->fn(be_req, DP_ERR_FATAL, PAM_SYSTEM_ERR, NULL); - } - - ipa_auth_ctx->callback = be_req->fn; - ipa_auth_ctx->pvt = be_req->pvt; - - ipa_auth_ctx->be_req = be_req; - - ipa_auth_ctx->sdap_auth_ctx = talloc_zero(ipa_auth_ctx, - struct sdap_auth_ctx); - if (ipa_auth_ctx->sdap_auth_ctx == NULL) { - DEBUG(1, ("talloc failed.\n")); + state = talloc_zero(be_req, struct ipa_auth_state); + if (state == NULL) { + DEBUG(1, ("talloc_zero failed.\n")); goto fail; } - sdap_id_ctx = talloc_get_type( - be_req->be_ctx->bet_info[BET_ID].pvt_bet_data, - struct sdap_id_ctx); - ipa_auth_ctx->sdap_auth_ctx->be = sdap_id_ctx->be; - ipa_auth_ctx->sdap_auth_ctx->opts = sdap_id_ctx->opts; - - ipa_auth_ctx->krb5_ctx = talloc_get_type( - be_req->be_ctx->bet_info[BET_AUTH].pvt_bet_data, - struct krb5_ctx); - -/* TODO: test and activate when server side support is available */ - ipa_auth_ctx->password_migration = false; - - ipa_auth_ctx->dp_err_type = DP_ERR_FATAL; - ipa_auth_ctx->errnum = EIO; - ipa_auth_ctx->errstr = NULL; + state->password_migration = false; + state->sh = NULL; + + state->be_req = be_req; + state->ev = be_req->be_ctx->ev; + + state->pd = talloc_get_type(be_req->req_data, struct pam_data); + + switch (state->pd->cmd) { + case SSS_PAM_AUTHENTICATE: + state->ipa_auth_ctx = talloc_get_type( + be_req->be_ctx->bet_info[BET_AUTH].pvt_bet_data, + struct ipa_auth_ctx); + break; + case SSS_PAM_CHAUTHTOK: + case SSS_PAM_CHAUTHTOK_PRELIM: + state->ipa_auth_ctx = talloc_get_type( + be_req->be_ctx->bet_info[BET_CHPASS].pvt_bet_data, + struct ipa_auth_ctx); + break; + default: + DEBUG(1, ("Unsupported PAM task.\n")); + goto fail; + } - req = ipa_auth_handler_send(ipa_auth_ctx, be_req->be_ctx->ev, be_req, - krb5_pam_handler); + req = krb5_auth_send(state, state->ev, be_req->be_ctx, state->pd, + state->ipa_auth_ctx->krb5_auth_ctx); if (req == NULL) { - DEBUG(1, ("ipa_auth_handler_send failed.\n")); + DEBUG(1, ("krb5_auth_send failed.\n")); goto fail; } - tevent_req_set_callback(req, ipa_auth_handler_done, ipa_auth_ctx); + tevent_req_set_callback(req, ipa_auth_handler_done, state); return; fail: - ipa_auth_reply(ipa_auth_ctx); + state->pd->pam_status = PAM_SYSTEM_ERR; + ipa_auth_reply(be_req, DP_ERR_FATAL, state->pd->pam_status); } static void ipa_auth_handler_done(struct tevent_req *req) { - struct ipa_auth_ctx *ipa_auth_ctx = tevent_req_callback_data(req, - struct ipa_auth_ctx); - struct pam_data *pd; - struct be_req *be_req; + struct ipa_auth_state *state = tevent_req_callback_data(req, + struct ipa_auth_state); int ret; + int pam_status = PAM_SYSTEM_ERR; + int dp_err; - be_req = ipa_auth_ctx->be_req; - pd = talloc_get_type(be_req->req_data, struct pam_data); - - ret = ipa_auth_handler_recv(req, ipa_auth_ctx, &ipa_auth_ctx->dp_err_type, - &ipa_auth_ctx->errnum, &ipa_auth_ctx->errstr); + ret = krb5_auth_recv(req, &pam_status, &dp_err); talloc_zfree(req); - if (ret != EOK) { - DEBUG(1, ("ipa_auth_handler request failed.\n")); - pd->pam_status = PAM_SYSTEM_ERR; + state->pd->pam_status = pam_status; + if (ret != EOK && pam_status != PAM_CRED_ERR) { + DEBUG(1, ("krb5_auth_recv request failed.\n")); + dp_err = DP_ERR_OK; goto done; } - if (ipa_auth_ctx->dp_err_type != DP_ERR_OK) { - pd->pam_status = ipa_auth_ctx->errnum; + + if (dp_err != DP_ERR_OK) { + goto done; + } + + if (state->pd->cmd == SSS_PAM_AUTHENTICATE && + state->pd->pam_status == PAM_CRED_ERR) { + + req = get_password_migration_flag_send(state, state->ev, + state->ipa_auth_ctx->sdap_auth_ctx, + dp_opt_get_string( + state->ipa_auth_ctx->ipa_options, + IPA_DOMAIN)); + if (req == NULL) { + DEBUG(1, ("get_password_migration_flag failed.\n")); + goto done; + } + + tevent_req_set_callback(req, ipa_get_migration_flag_done, state); + return; + } + +done: + ipa_auth_reply(state->be_req, dp_err, state->pd->pam_status); +} + +static void ipa_get_migration_flag_done(struct tevent_req *req) +{ + struct ipa_auth_state *state = tevent_req_callback_data(req, + struct ipa_auth_state); + int ret; + int dp_err = DP_ERR_FATAL; + const char **attrs; + struct ldb_message *user_msg; + const char *dn; + struct dp_opt_blob password; + + ret = get_password_migration_flag_recv(req, state, + &state->password_migration, + &state->sh); + talloc_zfree(req); + if (ret != EOK) { + DEBUG(1, ("get_password_migration_flag request failed.\n")); + state->pd->pam_status = PAM_SYSTEM_ERR; + dp_err = DP_ERR_OK; goto done; } - if (ipa_auth_ctx->password_migration && pd->pam_status == PAM_CRED_ERR) { + if (state->password_migration) { + state->pd->pam_status = PAM_SYSTEM_ERR; DEBUG(1, ("Assuming Kerberos password is missing, " "starting password migration.\n")); - be_req->be_ctx->bet_info[BET_AUTH].pvt_bet_data = - ipa_auth_ctx->sdap_auth_ctx; - req = ipa_auth_handler_send(ipa_auth_ctx, be_req->be_ctx->ev, be_req, - sdap_pam_auth_handler); + + attrs = talloc_array(state, const char *, 2); + if (attrs == NULL) { + DEBUG(1, ("talloc_array failed.\n")); + state->pd->pam_status = PAM_SYSTEM_ERR; + dp_err = DP_ERR_OK; + goto done; + } + attrs[0] = SYSDB_ORIG_DN; + attrs[1] = NULL; + + ret = sysdb_search_user_by_name(state, state->be_req->be_ctx->sysdb, + state->be_req->be_ctx->domain, + state->pd->user, attrs, &user_msg); + if (ret != EOK) { + DEBUG(1, ("sysdb_search_user_by_name failed.\n")); + goto done; + } + + dn = ldb_msg_find_attr_as_string(user_msg, SYSDB_ORIG_DN, NULL); + if (dn == NULL) { + DEBUG(1, ("Missing original DN for user [%s].\n", state->pd->user)); + state->pd->pam_status = PAM_SYSTEM_ERR; + dp_err = DP_ERR_OK; + goto done; + } + + password.data = state->pd->authtok; + password.length = state->pd->authtok_size; + + req = sdap_auth_send(state, state->ev, state->sh, NULL, NULL, dn, + "password", password); if (req == NULL) { - DEBUG(1, ("ipa_auth_ldap_send failed.\n")); + DEBUG(1, ("sdap_auth_send failed.\n")); goto done; } - tevent_req_set_callback(req, ipa_auth_ldap_done, ipa_auth_ctx); + tevent_req_set_callback(req, ipa_auth_ldap_done, state); return; + + } else { + DEBUG(5, ("Password migration is not enabled.\n")); } + dp_err = DP_ERR_OK; + done: - ipa_auth_reply(ipa_auth_ctx); + ipa_auth_reply(state->be_req, dp_err, state->pd->pam_status); } static void ipa_auth_ldap_done(struct tevent_req *req) { - struct ipa_auth_ctx *ipa_auth_ctx = tevent_req_callback_data(req, - struct ipa_auth_ctx); - struct pam_data *pd; - struct be_req *be_req; + struct ipa_auth_state *state = tevent_req_callback_data(req, + struct ipa_auth_state); int ret; + int dp_err = DP_ERR_FATAL; + enum sdap_result result; - be_req = ipa_auth_ctx->be_req; - pd = talloc_get_type(be_req->req_data, struct pam_data); - - ret = ipa_auth_handler_recv(req, ipa_auth_ctx, &ipa_auth_ctx->dp_err_type, - &ipa_auth_ctx->errnum, &ipa_auth_ctx->errstr); + ret = sdap_auth_recv(req, state, &result, NULL); talloc_zfree(req); if (ret != EOK) { - DEBUG(1, ("ipa_auth_handler request failed.\n")); - pd->pam_status = PAM_SYSTEM_ERR; + DEBUG(1, ("auth_send request failed.\n")); + state->pd->pam_status = PAM_SYSTEM_ERR; + dp_err = DP_ERR_OK; goto done; } - if (ipa_auth_ctx->dp_err_type != DP_ERR_OK) { - pd->pam_status = ipa_auth_ctx->errnum; + +/* TODO: do we need to handle expired passwords? */ + if (result != SDAP_AUTH_SUCCESS) { + DEBUG(1, ("LDAP authentication failed, " + "Password migration not possible.\n")); + state->pd->pam_status = PAM_CRED_INSUFFICIENT; + dp_err = DP_ERR_OK; goto done; } - if (pd->pam_status == PAM_SUCCESS) { - DEBUG(1, ("LDAP authentication succeded, " - "trying Kerberos authentication again.\n")); - be_req->be_ctx->bet_info[BET_AUTH].pvt_bet_data = ipa_auth_ctx->krb5_ctx; - req = ipa_auth_handler_send(ipa_auth_ctx, be_req->be_ctx->ev, be_req, - krb5_pam_handler); - if (req == NULL) { - DEBUG(1, ("ipa_auth_ldap_send failed.\n")); - goto done; - } + DEBUG(1, ("LDAP authentication succeded, " + "trying Kerberos authentication again.\n")); - tevent_req_set_callback(req, ipa_auth_handler_retry_done, ipa_auth_ctx); - return; + req = krb5_auth_send(state, state->ev, + state->be_req->be_ctx, state->pd, + state->ipa_auth_ctx->krb5_auth_ctx); + if (req == NULL) { + DEBUG(1, ("krb5_auth_send failed.\n")); + goto done; } + tevent_req_set_callback(req, ipa_auth_handler_retry_done, state); + return; + done: - ipa_auth_reply(ipa_auth_ctx); + ipa_auth_reply(state->be_req, dp_err, state->pd->pam_status); } static void ipa_auth_handler_retry_done(struct tevent_req *req) { - struct ipa_auth_ctx *ipa_auth_ctx = tevent_req_callback_data(req, - struct ipa_auth_ctx); - struct pam_data *pd; - struct be_req *be_req; + struct ipa_auth_state *state = tevent_req_callback_data(req, + struct ipa_auth_state); int ret; + int pam_status; + int dp_err; - be_req = ipa_auth_ctx->be_req; - pd = talloc_get_type(be_req->req_data, struct pam_data); - - ret = ipa_auth_handler_recv(req, ipa_auth_ctx, &ipa_auth_ctx->dp_err_type, - &ipa_auth_ctx->errnum, &ipa_auth_ctx->errstr); + ret = krb5_auth_recv(req, &pam_status, &dp_err); talloc_zfree(req); if (ret != EOK) { - DEBUG(1, ("ipa_auth_handler request failed.\n")); - pd->pam_status = PAM_SYSTEM_ERR; - } - if (ipa_auth_ctx->dp_err_type != DP_ERR_OK) { - pd->pam_status = ipa_auth_ctx->errnum; + DEBUG(1, ("krb5_auth_recv request failed.\n")); + state->pd->pam_status = PAM_SYSTEM_ERR; + dp_err = DP_ERR_OK; + goto done; } - ipa_auth_reply(ipa_auth_ctx); + state->pd->pam_status = pam_status; + +done: + ipa_auth_reply(state->be_req, dp_err, state->pd->pam_status); } diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index 9daede2d..f53c022e 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -50,6 +50,12 @@ enum ipa_basic_opt { IPA_OPTS_BASIC /* opts counter */ }; +struct ipa_auth_ctx { + struct krb5_ctx *krb5_auth_ctx; + struct sdap_auth_ctx *sdap_auth_ctx; + struct dp_option *ipa_options; +}; + struct ipa_options { struct dp_option *basic; @@ -61,7 +67,7 @@ struct ipa_options { /* auth and chpass provider */ struct dp_option *auth; - struct krb5_ctx *auth_ctx; + struct ipa_auth_ctx *auth_ctx; }; int domain_to_basedn(TALLOC_CTX *memctx, const char *domain, char **basedn); diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c index 596aecfb..d2f9b3dc 100644 --- a/src/providers/ipa/ipa_init.c +++ b/src/providers/ipa/ipa_init.c @@ -48,7 +48,7 @@ struct bet_ops ipa_auth_ops = { }; struct bet_ops ipa_chpass_ops = { - .handler = krb5_pam_handler, + .handler = ipa_auth, .finalize = NULL, }; @@ -161,7 +161,9 @@ int sssm_ipa_auth_init(struct be_ctx *bectx, struct bet_ops **ops, void **pvt_data) { - struct krb5_ctx *ctx; + struct ipa_auth_ctx *ipa_auth_ctx; + struct krb5_ctx *krb5_auth_ctx; + struct sdap_auth_ctx *sdap_auth_ctx; struct tevent_signal *sige; FILE *debug_filep; unsigned v; @@ -181,33 +183,74 @@ int sssm_ipa_auth_init(struct be_ctx *bectx, return EOK; } - ctx = talloc_zero(bectx, struct krb5_ctx); - if (!ctx) { + ipa_auth_ctx = talloc_zero(ipa_options, struct ipa_auth_ctx); + if (!ipa_auth_ctx) { return ENOMEM; } - ctx->service = ipa_options->service->krb5_service; - ipa_options->auth_ctx = ctx; + ipa_options->auth_ctx = ipa_auth_ctx; - ret = ipa_get_auth_options(ipa_options, bectx->cdb, - bectx->conf_path, - &ctx->opts); + ret = dp_copy_options(ipa_auth_ctx, ipa_options->basic, + IPA_OPTS_BASIC, &ipa_auth_ctx->ipa_options); if (ret != EOK) { + DEBUG(1, ("dp_copy_options failed.\n")); + goto done; + } + + krb5_auth_ctx = talloc_zero(ipa_auth_ctx, struct krb5_ctx); + if (!krb5_auth_ctx) { + ret = ENOMEM; goto done; } + krb5_auth_ctx->service = ipa_options->service->krb5_service; + ipa_options->auth_ctx->krb5_auth_ctx = krb5_auth_ctx; - ret = check_and_export_options(ctx->opts, bectx->domain); + ret = ipa_get_auth_options(ipa_options, bectx->cdb, bectx->conf_path, + &krb5_auth_ctx->opts); if (ret != EOK) { - DEBUG(1, ("check_and_export_opts failed.\n")); goto done; } - sige = tevent_add_signal(bectx->ev, ctx, SIGCHLD, SA_SIGINFO, - child_sig_handler, NULL); - if (sige == NULL) { - DEBUG(1, ("tevent_add_signal failed.\n")); + sdap_auth_ctx = talloc_zero(ipa_auth_ctx, struct sdap_auth_ctx); + if (!sdap_auth_ctx) { ret = ENOMEM; goto done; } + sdap_auth_ctx->be = bectx; + sdap_auth_ctx->service = ipa_options->service->sdap; + ipa_options->auth_ctx->sdap_auth_ctx = sdap_auth_ctx; + + ret = ipa_get_id_options(ipa_options, bectx->cdb, bectx->conf_path, + &sdap_auth_ctx->opts); + if (ret != EOK) { + goto done; + } + + ret = setup_tls_config(sdap_auth_ctx->opts->basic); + if (ret != EOK) { + DEBUG(1, ("setup_tls_config failed [%d][%s].\n", + ret, strerror(ret))); + goto done; + } + + ret = check_and_export_options(krb5_auth_ctx->opts, bectx->domain); + if (ret != EOK) { + DEBUG(1, ("check_and_export_opts failed.\n")); + goto done; + } + + if (ipa_options->id_ctx == NULL) { + DEBUG(9, ("Adding SIGCHLD handler for Kerberos child.\n")); + sige = tevent_add_signal(bectx->ev, krb5_auth_ctx, SIGCHLD, SA_SIGINFO, + child_sig_handler, NULL); + if (sige == NULL) { + DEBUG(1, ("tevent_add_signal failed.\n")); + ret = ENOMEM; + goto done; + } + } else { + DEBUG(9, ("IPA id provider already initialized, " + "assuming that a SIGCHLD handler is already in place.\n")); + } if (debug_to_file != 0) { ret = open_debug_file_ex("krb5_child", &debug_filep); @@ -217,19 +260,19 @@ int sssm_ipa_auth_init(struct be_ctx *bectx, goto done; } - ctx->child_debug_fd = fileno(debug_filep); - if (ctx->child_debug_fd == -1) { + krb5_auth_ctx->child_debug_fd = fileno(debug_filep); + if (krb5_auth_ctx->child_debug_fd == -1) { DEBUG(0, ("fileno failed [%d][%s]\n", errno, strerror(errno))); ret = errno; goto done; } - v = fcntl(ctx->child_debug_fd, F_GETFD, 0); - fcntl(ctx->child_debug_fd, F_SETFD, v & ~FD_CLOEXEC); + v = fcntl(krb5_auth_ctx->child_debug_fd, F_GETFD, 0); + fcntl(krb5_auth_ctx->child_debug_fd, F_SETFD, v & ~FD_CLOEXEC); } *ops = &ipa_auth_ops; - *pvt_data = ctx; + *pvt_data = ipa_auth_ctx; ret = EOK; done: diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c index bc2d3fbc..17b6511e 100644 --- a/src/providers/krb5/krb5_common.c +++ b/src/providers/krb5/krb5_common.c @@ -71,13 +71,13 @@ errno_t check_and_export_options(struct dp_option *opts, dummy = dp_opt_get_cstring(opts, KRB5_KDC); if (dummy == NULL) { - DEBUG(1, ("No KDC explicitly configured, using defaults")); + DEBUG(1, ("No KDC explicitly configured, using defaults.\n")); } dummy = dp_opt_get_cstring(opts, KRB5_KPASSWD); if (dummy == NULL) { DEBUG(1, ("No kpasswd server explicitly configured, " - "using the KDC or defaults")); + "using the KDC or defaults.\n")); } dummy = dp_opt_get_cstring(opts, KRB5_CCNAME_TMPL); |