-rw-r--r-- | src/providers/ad/ad_common.c | 64 | ||||
-rw-r--r-- | src/providers/ad/ad_common.h | 7 | ||||
-rw-r--r-- | src/providers/ad/ad_init.c | 85 | ||||
-rw-r--r-- | src/providers/krb5/krb5_common.h | 4 |
4 files changed, 159 insertions, 1 deletions
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 92cd40ec..d8f8aff6 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -598,3 +598,67 @@ ad_set_search_bases(struct sdap_options *id_opts)
 done:
 return ret;
 }
+
+errno_t
+ad_get_auth_options(TALLOC_CTX *mem_ctx,
+ struct ad_options *ad_opts,
+ struct be_ctx *bectx,
+ struct dp_option **_opts)
+{
+ errno_t ret;
+ struct dp_option *krb5_options;
+ const char *ad_servers;
+ const char *krb5_realm;
+
+ TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ /* Get krb5 options */
+ ret = dp_get_options(tmp_ctx, bectx->cdb, bectx->conf_path,
+ ad_def_krb5_opts, KRB5_OPTS,
+ &krb5_options);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Could not read Kerberos options from the configuration\n"));
+ goto done;
+ }
+
+ ad_servers = dp_opt_get_string(ad_opts->basic, AD_SERVER);
+
+ /* Force the krb5_servers to match the ad_servers */
+ ret = dp_opt_set_string(krb5_options, KRB5_KDC, ad_servers);
+ if (ret != EOK) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ ("Option %s set to %s\n",
+ krb5_options[KRB5_KDC].opt_name,
+ ad_servers));
+
+ /* Set krb5 realm */
+ /* Set the Kerberos Realm for GSSAPI */
+ krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
+ if (!krb5_realm) {
+ /* Should be impossible, this is set in ad_get_common_options() */
+ DEBUG(SSSDBG_FATAL_FAILURE, ("No Kerberos realm\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* Force the kerberos realm to match the AD_KRB5_REALM (which may have
+ * been upper-cased in ad_common_options()
+ */
+ ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm);
+ if (ret != EOK) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ ("Option %s set to %s\n",
+ krb5_options[KRB5_REALM].opt_name,
+ krb5_realm));
+
+
+ *_opts = talloc_steal(mem_ctx, krb5_options);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
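Review bot: The DEBUG call after the KRB5_KDC assignment hands `ad_servers` to a `%s` conversion without checking it; `dp_opt_get_string(ad_opts->basic, AD_SERVER)` presumably returns NULL when no ad_server is configured (the option's default is not visible in this hunk), and a NULL `%s` argument is undefined behaviour in the format call even where the C library happens to print "(null)". Either guard the log argument, `ad_servers ? ad_servers : "(none)"`, or add an explicit `if (!ad_servers)` branch mirroring the `krb5_realm` check below it; whether `dp_opt_set_string` itself accepts a NULL value is not shown here and is worth confirming. The two consecutive comments `/* Set krb5 realm */` and `/* Set the Kerberos Realm for GSSAPI */` say the same thing and one should go. The later comment names `ad_common_options()` while the earlier one names `ad_get_common_options()`; they should agree on the real function name.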
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h index fefb67b6..d34f498a 100644 --- a/src/providers/ad/ad_common.h +++ b/src/providers/ad/ad_common.h @@ -60,7 +60,7 @@ struct ad_options { /* Auth and chpass Provider */ struct dp_option *auth; - struct ad_auth_ctx *auth_ctx; + struct krb5_ctx *auth_ctx; }; errno_t @@ -81,5 +81,10 @@ ad_get_id_options(struct ad_options *ad_opts, struct confdb_ctx *cdb, const char *conf_path, struct sdap_options **_opts); +errno_t +ad_get_auth_options(TALLOC_CTX *mem_ctx, + struct ad_options *ad_opts, + struct be_ctx *bectx, + struct dp_option **_opts); #endif /* AD_COMMON_H_ */ diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c index da659da2..89101a5b 100644 --- a/src/providers/ad/ad_init.c +++ b/src/providers/ad/ad_init.c @@ -31,6 +31,7 @@ #include "providers/ldap/ldap_common.h" #include "providers/ldap/sdap_idmap.h" #include "providers/krb5/krb5_auth.h" +#include "providers/krb5/krb5_init_shared.h" #include "providers/ad/ad_id.h" struct ad_options *ad_options = NULL; 
@@ -176,6 +177,90 @@ done: return ret; } +int +sssm_ad_auth_init(struct be_ctx *bectx, + struct bet_ops **ops, + void **pvt_data) +{ + errno_t ret; + struct krb5_ctx *krb5_auth_ctx = NULL; + + if (!ad_options) { + ret = common_ad_init(bectx); + if (ret != EOK) { + return ret; + } + } + + if (ad_options->auth_ctx) { + /* Already initialized */ + *ops = &ad_auth_ops; + *pvt_data = ad_options->auth_ctx; + return EOK; + } + + krb5_auth_ctx = talloc_zero(NULL, struct krb5_ctx); + if (!krb5_auth_ctx) { + ret = ENOMEM; + goto done; + } + + krb5_auth_ctx->service = ad_options->service->krb5_service; + + ret = ad_get_auth_options(krb5_auth_ctx, ad_options, bectx, + &krb5_auth_ctx->opts); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + ("Could not determine Kerberos options\n")); + goto done; + } + + ret = krb5_child_init(krb5_auth_ctx, bectx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + ("Could not initialize krb5_child settings: [%s]\n", + strerror(ret))); + goto done; + } + + ad_options->auth_ctx = talloc_steal(ad_options, krb5_auth_ctx); + *ops = &ad_auth_ops; + *pvt_data = ad_options->auth_ctx; + +done: + if (ret != EOK) { + talloc_free(krb5_auth_ctx); + } + return ret; +} + +int +sssm_ad_chpass_init(struct be_ctx *bectx, + struct bet_ops **ops, + void **pvt_data) +{ + errno_t ret; + + if (!ad_options) { + ret = common_ad_init(bectx); + if (ret != EOK) { + return ret; + } + } + + if (ad_options->auth_ctx) { + /* Already initialized */ + *ops = &ad_chpass_ops; + *pvt_data = ad_options->auth_ctx; + return EOK; + } + + ret = sssm_ad_auth_init(bectx, ops, pvt_data); + *ops = &ad_chpass_ops; + ad_options->auth_ctx = *pvt_data; + return ret; +} + static void ad_shutdown(struct be_req *req) { diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h index ec4fc050..589b866b 100644 --- a/src/providers/krb5/krb5_common.h +++ b/src/providers/krb5/krb5_common.h 
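Review bot: `sssm_ad_chpass_init` writes `*pvt_data` into `ad_options->auth_ctx` and sets `*ops` even when `sssm_ad_auth_init` returned an error, in which case the callee never wrote `*pvt_data` and `ad_options->auth_ctx` ends up holding whatever the caller had there. The return value should be checked first, and since `sssm_ad_auth_init` already stores the context in both `ad_options->auth_ctx` and `*pvt_data` on success, the re-assignment is redundant: `ret = sssm_ad_auth_init(bectx, ops, pvt_data);` / `if (ret != EOK) return ret;` / `*ops = &ad_chpass_ops; return EOK;`. In `sssm_ad_auth_init` the success path reaches `done:` with `ret` holding the EOK left by `krb5_child_init`, which works but is fragile if another call is later inserted before the label; an explicit `ret = EOK;` before `done:` would make the intent clear. Neither new function carries a header comment; a short one on each stating that the auth and chpass providers share one `struct krb5_ctx` owned by `ad_options` would help the next reader understand the "Already initialized" shortcuts.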
@@ -173,4 +173,8 @@ errno_t remove_krb5_info_files(TALLOC_CTX *mem_ctx, const char *realm); errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx, const char *username, const char **_upn); +int sssm_krb5_auth_init(struct be_ctx *bectx, + struct bet_ops **ops, + void **pvt_auth_data); + #endif /* __KRB5_COMMON_H__ */ |