-rw-r--r-- | src/config/SSSDConfig.py | 1 | ||||
-rwxr-xr-x | src/config/SSSDConfigTest.py | 3 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ipa.conf | 2 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-krb5.conf | 2 | ||||
-rw-r--r-- | src/man/sssd-krb5.5.xml | 15 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.c | 1 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.h | 2 | ||||
-rw-r--r-- | src/providers/krb5/krb5_auth.h | 1 | ||||
-rw-r--r-- | src/providers/krb5/krb5_child.c | 34 | ||||
-rw-r--r-- | src/providers/krb5/krb5_common.c | 27 | ||||
-rw-r--r-- | src/providers/krb5/krb5_common.h | 2 |
11 files changed, 26 insertions, 64 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 7b9d96c9..a05b5334 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -103,7 +103,6 @@ option_strings = {
 'krb5_store_password_if_offline' : _("Store password if offline for later online authentication"),
 # [provider/krb5/chpass]
-'krb5_changepw_principal' : _('The principal of the change password service'),
 'krb5_kpasswd' : _('Server where the change password service is running if not on the KDC'),
 # [provider/ldap]
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index ea897d71..8cbb0f91 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -739,8 +739,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
 #Test looking up all provider values
 options = domain.list_provider_options('krb5')
-control_list.extend(['krb5_changepw_principal',
-'krb5_kpasswd'])
+control_list.extend(['krb5_kpasswd'])
 self.assertTrue(type(options) == dict, "Options should be a dictionary")
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 2d267bd0..ac681710 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -81,4 +81,4 @@ ldap_pwd_policy = str, None, false
 [provider/ipa/access]
 [provider/ipa/chpass]
-krb5_changepw_principal = str, None, false
+
diff --git a/src/config/etc/sssd.api.d/sssd-krb5.conf b/src/config/etc/sssd.api.d/sssd-krb5.conf
index eeb8fe13..76ef8b5b 100644
--- a/src/config/etc/sssd.api.d/sssd-krb5.conf
+++ b/src/config/etc/sssd.api.d/sssd-krb5.conf
@@ -12,4 +12,4 @@ krb5_validate = bool, None, false
 krb5_store_password_if_offline = bool, None, false
 [provider/krb5/chpass]
-krb5_changepw_principal = str, None, false
+
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index e78fd767..489a5072 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -90,21 +90,6 @@
 </varlistentry>
 <varlistentry>
-<term>krb5_changepw_principal (string)</term>
-<listitem>
-<para>
-The priciple of the change password service.
-If only the 'identifier/instance' part of the
-principal are given the realm part is added
-automatically.
-</para>
-<para>
-Default: kadmin/changepw
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry>
 <term>krb5_kpasswd (string)</term>
 <listitem>
 <para>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 580b66f4..3ada423e 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -121,7 +121,6 @@ struct dp_option ipa_def_krb5_opts[] = {
 { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
 { "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
-{ "krb5_changepw_principal", DP_OPT_STRING, { "kadmin/changepw" }, NULL_STRING },
 { "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER },
 { "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
 { "krb5_validate", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index fe9ca541..3b40e41e 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -40,7 +40,7 @@ struct ipa_service {
 /* the following define is used to keep track of the options in the krb5
 * module, so that if they change and ipa is not updated correspondingly
 * this will trigger a runtime abort error */
-#define IPA_KRB5_OPTS_TEST 10
+#define IPA_KRB5_OPTS_TEST 9
 enum ipa_basic_opt {
 IPA_DOMAIN = 0,
diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
index 293375da..9dbf7c6d 100644
--- a/src/providers/krb5/krb5_auth.h
+++ b/src/providers/krb5/krb5_auth.h
@@ -33,7 +33,6 @@
 #include "providers/krb5/krb5_common.h"
 #define CCACHE_ENV_NAME "KRB5CCNAME"
-#define SSSD_KRB5_CHANGEPW_PRINCIPLE "SSSD_KRB5_CHANGEPW_PRINCIPLE"
 #define ILLEGAL_PATH_PATTERN "//|/\\./|/\\.\\./"
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 18b7a220..b538c841 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -36,6 +36,8 @@
 #include "providers/krb5/krb5_auth.h"
 #include "providers/krb5/krb5_utils.h"
+#define SSSD_KRB5_CHANGEPW_PRINCIPLE "kadmin/changepw"
+
 struct krb5_child_ctx {
 /* opts taken from kinit */
 /* in seconds */
@@ -63,7 +65,6 @@ struct krb5_child_ctx {
 char *kdcip;
 char *realm;
-char *changepw_principle;
 char *ccache_dir;
 char *ccname_template;
 int auth_timeout;
@@ -571,6 +572,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
 char *user_error_message = NULL;
 size_t user_resp_len;
 uint8_t *user_resp;
+char *changepw_princ = NULL;
 krb5_prompter_fct prompter = sss_krb5_prompter;
 pass_str = talloc_strndup(kr, (const char *) kr->pd->authtok,
@@ -581,6 +583,14 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
 goto sendresponse;
 }
+changepw_princ = talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPLE,
+kr->krb5_ctx->realm);
+if (changepw_princ == NULL) {
+DEBUG(1, ("talloc_asprintf failed.\n"));
+kerr = KRB5KRB_ERR_GENERIC;
+goto sendresponse;
+}
+
 if (kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {
 /* We do not need a password expiration warning here. */
 prompter = NULL;
@@ -588,7 +598,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
 kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
 pass_str, prompter, kr, 0,
-kr->krb5_ctx->changepw_principle,
+changepw_princ,
 kr->options);
 if (kerr != 0) {
 KRB5_DEBUG(1, kerr);
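Review bot: The new `#define SSSD_KRB5_CHANGEPW_PRINCIPLE "kadmin/changepw"` keeps the identifier that, until this commit, named an environment variable (the definitions removed from krb5_auth.h and krb5_common.h in this patch) but now holds a principal name rather than a variable name, so anyone grepping for the old symbol lands on a value of a different kind. A name that says what it is, `#define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"`, updated at the two use sites in changepw_child and tgt_req_child, would avoid that and also fixes the principle/principal spelling. If the name is kept, a one-line comment above it such as `/* Fixed kpasswd service principal; the realm is appended where it is used. */` would at least document the change of meaning.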
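Review bot: `kr->krb5_ctx->realm` is passed to `%s` in talloc_asprintf without a NULL check, here and in the identical block added to tgt_req_child at @@ -712; a NULL argument for `%s` is undefined behaviour, and where the C library prints "(null)" the change-password request would be sent with a bogus principal instead of failing cleanly. krb5_setup (@@ -872) reads the realm from the environment and, as far as the hunk shows, only logs at debug level 2 when it is missing, whereas the block this commit removes made a missing change-password principal fatal for SSS_PAM_CHAUTHTOK, so that guarantee appears to be lost. The two copies could be replaced by one helper that rejects a NULL realm before formatting, as sketched below; changepw_child and tgt_req_child both start and end outside the hunks.
```c
/* Build the kpasswd service principal "kadmin/changepw@REALM" on mem_ctx.
 * Returns NULL (after logging) if the realm is unknown or allocation fails,
 * so callers fail the request instead of sending a malformed principal. */
static char *build_changepw_princ(TALLOC_CTX *mem_ctx, const char *realm)
{
    if (realm == NULL) {
        DEBUG(1, ("Realm is not set, cannot build change password principal.\n"));
        return NULL;
    }
    return talloc_asprintf(mem_ctx, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPLE, realm);
}

/* … unchanged: changepw_child up to the pass_str copy … */
    changepw_princ = build_changepw_princ(kr, kr->krb5_ctx->realm);
    if (changepw_princ == NULL) {
        kerr = KRB5KRB_ERR_GENERIC;
        goto sendresponse;
    }
/* … unchanged: rest of changepw_child; same replacement in tgt_req_child … */
```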
@@ -702,6 +712,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
 int ret;
 krb5_error_code kerr = 0;
 char *pass_str = NULL;
+char *changepw_princ = NULL;
 int pam_status = PAM_SYSTEM_ERR;
 pass_str = talloc_strndup(kr, (const char *) kr->pd->authtok,
@@ -712,6 +723,14 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
 goto sendresponse;
 }
+changepw_princ = talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPLE,
+kr->krb5_ctx->realm);
+if (changepw_princ == NULL) {
+DEBUG(1, ("talloc_asprintf failed.\n"));
+kerr = KRB5KRB_ERR_GENERIC;
+goto sendresponse;
+}
+
 kerr = get_and_save_tgt(kr, pass_str);
 /* If the password is expired the KDC will always return
@@ -721,7 +740,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
 if (kerr == KRB5KDC_ERR_KEY_EXP) {
 kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
 pass_str, sss_krb5_prompter, kr, 0,
-kr->krb5_ctx->changepw_principle,
+changepw_princ,
 kr->options);
 krb5_free_cred_contents(kr->ctx, kr->creds);
 if (kerr == 0) {
@@ -872,15 +891,6 @@ static int krb5_setup(struct krb5_req *kr, uint32_t offline)
 goto failed;
 }
-kr->krb5_ctx->changepw_principle = getenv(SSSD_KRB5_CHANGEPW_PRINCIPLE);
-if (kr->krb5_ctx->changepw_principle == NULL) {
-DEBUG(1, ("Cannot read [%s] from environment.\n",
-SSSD_KRB5_CHANGEPW_PRINCIPLE));
-if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
-goto failed;
-}
-}
-
 kr->krb5_ctx->realm = getenv(SSSD_KRB5_REALM);
 if (kr->krb5_ctx->realm == NULL) {
 DEBUG(2, ("Cannot read [%s] from environment.\n", SSSD_KRB5_REALM));
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index fbc30889..57d7b1d0 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -36,7 +36,6 @@ struct dp_option default_krb5_opts[] = {
 { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
 { "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
-{ "krb5_changepw_principal", DP_OPT_STRING, { "kadmin/changepw" }, NULL_STRING },
 { "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER },
 { "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
 { "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
@@ -48,7 +47,6 @@ errno_t check_and_export_options(struct dp_option *opts,
 struct sss_domain_info *dom)
 {
 int ret;
-char *value;
 const char *realm;
 const char *dummy;
@@ -90,31 +88,6 @@ errno_t check_and_export_options(struct dp_option *opts,
 return EINVAL;
 }
-dummy = dp_opt_get_cstring(opts, KRB5_CHANGEPW_PRINC);
-if (dummy == NULL) {
-DEBUG(1, ("Missing change password principle.\n"));
-return EINVAL;
-}
-if (strchr(dummy, '@') == NULL) {
-value = talloc_asprintf(opts, "%s@%s", dummy, realm);
-if (value == NULL) {
-DEBUG(7, ("talloc_asprintf failed.\n"));
-return ENOMEM;
-}
-ret = dp_opt_set_string(opts, KRB5_CHANGEPW_PRINC, value);
-if (ret != EOK) {
-DEBUG(1, ("dp_opt_set_string failed.\n"));
-return ret;
-}
-dummy = value;
-}
-
-ret = setenv(SSSD_KRB5_CHANGEPW_PRINCIPLE, dummy, 1);
-if (ret != EOK) {
-DEBUG(2, ("setenv %s failed, password change might fail.\n",
-SSSD_KRB5_CHANGEPW_PRINCIPLE));
-}
-
 return EOK;
 }
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 342481e5..f3bbbb84 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -35,7 +35,6 @@
 #define SSSD_KRB5_KDC "SSSD_KRB5_KDC"
 #define SSSD_KRB5_REALM "SSSD_KRB5_REALM"
-#define SSSD_KRB5_CHANGEPW_PRINCIPLE "SSSD_KRB5_CHANGEPW_PRINCIPLE"
 #define KDCINFO_TMPL PUBCONF_PATH"/kdcinfo.%s"
 #define KPASSWDINFO_TMPL PUBCONF_PATH"/kpasswdinfo.%s"
@@ -48,7 +47,6 @@ enum krb5_opts {
 KRB5_REALM,
 KRB5_CCACHEDIR,
 KRB5_CCNAME_TMPL,
-KRB5_CHANGEPW_PRINC,
 KRB5_AUTH_TIMEOUT,
 KRB5_KEYTAB,
 KRB5_VALIDATE,
|