diff options
-rw-r--r-- | server/Makefile.am | 1 | ||||
-rw-r--r-- | server/providers/ipa/ipa_common.c | 79 | ||||
-rw-r--r-- | server/providers/ipa/ipa_common.h | 7 | ||||
-rw-r--r-- | server/providers/ipa/ipa_init.c | 157 |
4 files changed, 134 insertions, 110 deletions
diff --git a/server/Makefile.am b/server/Makefile.am index d6114999..8c6cc48a 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -485,6 +485,7 @@ libsss_ipa_la_SOURCES = \ providers/ldap/sdap.c \ util/sss_ldap.c \ providers/krb5/krb5_utils.c \ + providers/krb5/krb5_common.c \ providers/krb5/krb5_auth.c libsss_ipa_la_CFLAGS = \ $(AM_CFLAGS) \ diff --git a/server/providers/ipa/ipa_common.c b/server/providers/ipa/ipa_common.c index 799ac2f9..6dba10c8 100644 --- a/server/providers/ipa/ipa_common.c +++ b/server/providers/ipa/ipa_common.c @@ -104,6 +104,15 @@ struct sdap_id_map ipa_group_map[] = { { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL } }; +struct dp_option ipa_def_krb5_opts[] = { + { "krb5_kdcip", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING }, + { "krb5_ccname_tmpl", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING}, + { "krb5_changepw_princ", DP_OPT_STRING, { "kadmin/changepw" }, NULL_STRING }, + { "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER }, +}; + int domain_to_basedn(TALLOC_CTX *memctx, const char *domain, char **basedn) { const char *s; @@ -317,3 +326,73 @@ done: return ret; } +/* the following preprocessor code is used to keep track of + * the options in the krb5 module, so that if they change and ipa + * is not updated correspondingly this will trigger a build error */ +#if KRB5_OPTS > 6 +#error There are krb5 options not accounted for +#endif + +int ipa_get_auth_options(TALLOC_CTX *memctx, + struct confdb_ctx *cdb, + const char *conf_path, + struct ipa_options *ipa_opts, + struct dp_option **_opts) +{ + int ret; + int i; + TALLOC_CTX *tmpctx; + struct dp_option *opts; + char *value; + + tmpctx = talloc_new(memctx); + if (!tmpctx) { + return ENOMEM; + } + + opts = talloc_zero(memctx, struct dp_option); + if (opts == NULL) { + ret = ENOMEM; + goto done; + } + + ret = dp_copy_options(ipa_opts, ipa_def_krb5_opts, + KRB5_OPTS, &opts); + if (ret != EOK) { + goto done; + } + + value = dp_opt_get_string(ipa_opts->basic, IPA_SERVER); + if (!value) { + ret = ENOMEM; + goto done; + } + ret = dp_opt_set_string(opts, KRB5_KDC, value); + if (ret != EOK) { + goto done; + } + + + value = dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN); + if (!value) { + ret = ENOMEM; + goto done; + } + for (i = 0; value[i]; i++) { + value[i] = toupper(value[i]); + } + ret = dp_opt_set_string(opts, KRB5_REALM, value); + if (ret != EOK) { + goto done; + } + + *_opts = opts; + ret = EOK; + +done: + talloc_zfree(tmpctx); + if (ret != EOK) { + talloc_zfree(opts); + } + return ret; +} diff --git a/server/providers/ipa/ipa_common.h b/server/providers/ipa/ipa_common.h index 80f5294a..f7d3ab8c 100644 --- a/server/providers/ipa/ipa_common.h +++ b/server/providers/ipa/ipa_common.h @@ -25,6 +25,7 @@ #include "util/util.h" #include "confdb/confdb.h" #include "providers/ldap/ldap_common.h" +#include "providers/krb5/krb5_common.h" enum ipa_basic_opt { IPA_DOMAIN = 0, @@ -58,4 +59,10 @@ int ipa_get_id_options(TALLOC_CTX *memctx, struct ipa_options *ipa_opts, struct sdap_options **_opts); +int ipa_get_auth_options(TALLOC_CTX *memctx, + struct confdb_ctx *cdb, + const char *conf_path, + struct ipa_options *ipa_opts, + struct dp_option **_opts); + #endif /* _IPA_COMMON_H_ */ diff --git a/server/providers/ipa/ipa_init.c b/server/providers/ipa/ipa_init.c index 9cdcf4b0..0c2eb2a7 100644 --- a/server/providers/ipa/ipa_init.c +++ b/server/providers/ipa/ipa_init.c @@ -25,6 +25,8 @@ #include <sys/types.h> #include <unistd.h> #include <sys/stat.h> +#include <fcntl.h> + #include "providers/ipa/ipa_common.h" #include "providers/krb5/krb5_auth.h" @@ -100,141 +102,76 @@ done: int sssm_ipa_auth_init(struct be_ctx *bectx, struct bet_ops **ops, - void **pvt_auth_data) + void **pvt_data) { struct krb5_ctx *ctx = NULL; - struct tevent_signal *sige; - struct stat stat_buf; - char *value = NULL; - int int_value; int ret; + struct tevent_signal *sige; + unsigned v; + FILE *debug_filep; + + if (!ipa_options) { + ipa_get_options(bectx, bectx->cdb, + bectx->conf_path, + bectx->domain, &ipa_options); + } + if (!ipa_options) { + return ENOMEM; + } ctx = talloc_zero(bectx, struct krb5_ctx); if (!ctx) { - DEBUG(1, ("talloc failed.\n")); return ENOMEM; } - ctx->action = INIT_PW; - - ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path, - CONFDB_KRB5_KDCIP, NULL, &value); + ret = ipa_get_auth_options(ctx, bectx->cdb, + bectx->conf_path, + ipa_options, &ctx->opts); if (ret != EOK) { - goto fail; + goto done; } - if (value == NULL) { - DEBUG(2, ("Missing krb5KDCIP, authentication might fail.\n")); - } else { - ret = setenv(SSSD_KRB5_KDC, value, 1); - if (ret != EOK) { - DEBUG(2, ("setenv %s failed, authentication might fail.\n", - SSSD_KRB5_KDC)); - } + ret = check_and_export_options(ctx->opts, bectx->domain); + if (ret != EOK) { + DEBUG(1, ("check_and_export_opts failed.\n")); + goto done; } - ctx->kdcip = value; - ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path, - CONFDB_KRB5_REALM, NULL, &value); - if (ret != EOK) { - goto fail; + sige = tevent_add_signal(bectx->ev, ctx, SIGCHLD, SA_SIGINFO, + krb5_child_sig_handler, NULL); + if (sige == NULL) { + DEBUG(1, ("tevent_add_signal failed.\n")); + ret = ENOMEM; + goto done; } - if (value == NULL) { - DEBUG(4, ("Missing krb5REALM authentication might fail.\n")); - } else { - ret = setenv(SSSD_KRB5_REALM, value, 1); + if (debug_to_file != 0) { + ret = open_debug_file_ex("krb5_child", &debug_filep); if (ret != EOK) { - DEBUG(2, ("setenv %s failed, authentication might fail.\n", - SSSD_KRB5_REALM)); + DEBUG(0, ("Error setting up logging (%d) [%s]\n", + ret, strerror(ret))); + goto done; } - } - ctx->realm = value; - ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path, - CONFDB_KRB5_CCACHEDIR, "/tmp", &value); - if (ret != EOK) { - goto fail; - } - - ret = lstat(value, &stat_buf); - if (ret != EOK) { - DEBUG(1, ("lstat for [%s] failed: [%d][%s].\n", - value, errno, strerror(errno))); - goto fail; - } - if (!S_ISDIR(stat_buf.st_mode)) { - DEBUG(1, ("Value of krb5ccache_dir [%s] is not a directory.\n", - value)); - goto fail; - } - ctx->ccache_dir = value; - - ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path, - CONFDB_KRB5_CCNAME_TMPL, - "FILE:%d/krb5cc_%U_XXXXXX", - &value); - if (ret != EOK) { - goto fail; - } - - if (value[0] != '/' && strncmp(value, "FILE:", 5) != 0) { - DEBUG(1, ("Currently only file based credential caches are supported " - "and krb5ccname_template must start with '/' or 'FILE:'\n")); - goto fail; - } - ctx->ccname_template = value; - - ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path, - CONFDB_KRB5_CHANGEPW_PRINC, - "kadmin/changepw", - &value); - if (ret != EOK) { - goto fail; - } - - if (strchr(value, '@') == NULL) { - value = talloc_asprintf_append(value, "@%s", ctx->realm); - if (value == NULL) { - DEBUG(7, ("talloc_asprintf_append failed.\n")); - goto fail; + ctx->child_debug_fd = fileno(debug_filep); + if (ctx->child_debug_fd == -1) { + DEBUG(0, ("fileno failed [%d][%s]\n", errno, strerror(errno))); + ret = errno; + goto done; } - } - ctx->changepw_principle = value; - - ret = setenv(SSSD_KRB5_CHANGEPW_PRINCIPLE, ctx->changepw_principle, 1); - if (ret != EOK) { - DEBUG(2, ("setenv %s failed, password change might fail.\n", - SSSD_KRB5_CHANGEPW_PRINCIPLE)); - } - - ret = confdb_get_int(bectx->cdb, ctx, bectx->conf_path, - CONFDB_KRB5_AUTH_TIMEOUT, 15, &int_value); - if (ret != EOK) { - goto fail; - } - if (int_value <= 0) { - DEBUG(4, ("krb5auth_timeout has to be a positive value.\n")); - goto fail; - } - ctx->auth_timeout = int_value; - -/* TODO: set options */ - sige = tevent_add_signal(bectx->ev, ctx, SIGCHLD, SA_SIGINFO, - krb5_child_sig_handler, NULL); - if (sige == NULL) { - DEBUG(1, ("tevent_add_signal failed.\n")); - ret = ENOMEM; - goto fail; + v = fcntl(ctx->child_debug_fd, F_GETFD, 0); + fcntl(ctx->child_debug_fd, F_SETFD, v & ~FD_CLOEXEC); } *ops = &ipa_auth_ops; - *pvt_auth_data = ctx; - return EOK; + *pvt_data = ctx; + ret = EOK; -fail: - talloc_free(ctx); +done: + if (ret != EOK) { + talloc_free(ctx); + } return ret; } |