-rw-r--r-- | src/config/SSSDConfig/__init__.py.in | 1 | ||||
-rwxr-xr-x | src/config/SSSDConfigTest.py | 9 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ad.conf | 1 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ipa.conf | 1 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-krb5.conf | 1 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ldap.conf | 1 | ||||
-rw-r--r-- | src/man/sssd-krb5.5.xml | 28 | ||||
-rw-r--r-- | src/man/sssd-ldap.5.xml | 28 | ||||
-rw-r--r-- | src/providers/ad/ad_common.c | 39 | ||||
-rw-r--r-- | src/providers/ad/ad_opts.h | 2 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.c | 35 | ||||
-rw-r--r-- | src/providers/ipa/ipa_opts.h | 2 | ||||
-rw-r--r-- | src/providers/krb5/krb5_common.c | 30 | ||||
-rw-r--r-- | src/providers/krb5/krb5_common.h | 6 | ||||
-rw-r--r-- | src/providers/krb5/krb5_init.c | 17 | ||||
-rw-r--r-- | src/providers/krb5/krb5_opts.h | 1 | ||||
-rw-r--r-- | src/providers/ldap/ldap_common.c | 8 | ||||
-rw-r--r-- | src/providers/ldap/ldap_opts.h | 1 | ||||
-rw-r--r-- | src/providers/ldap/sdap.h | 1 |
19 files changed, 163 insertions, 49 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index b6e722fc..4d7629e1 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -165,6 +165,7 @@ option_strings = {
     'krb5_backup_server' : _('Kerberos backup server address'),
     'krb5_realm' : _('Kerberos realm'),
     'krb5_auth_timeout' : _('Authentication timeout'),
+    'krb5_use_kdcinfo' : _('Whether to create kdcinfo files'),
 
     # [provider/krb5/auth]
     'krb5_ccachedir' : _('Directory to store credential caches'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index f44fac72..ca344ad4 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -614,7 +614,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
             'krb5_use_fast',
             'krb5_fast_principal',
             'krb5_canonicalize',
-            'krb5_use_enterprise_principal'])
+            'krb5_use_enterprise_principal',
+            'krb5_use_kdcinfo'])
 
         options = domain.list_options()
 
@@ -773,7 +774,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
             'krb5_use_fast',
             'krb5_fast_principal',
             'krb5_canonicalize',
-            'krb5_use_enterprise_principal']
+            'krb5_use_enterprise_principal',
+            'krb5_use_kdcinfo']
 
         self.assertTrue(type(options) == dict,
                         "Options should be a dictionary")
@@ -967,7 +969,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
             'krb5_use_fast',
             'krb5_fast_principal',
             'krb5_canonicalize',
-            'krb5_use_enterprise_principal'])
+            'krb5_use_enterprise_principal',
+            'krb5_use_kdcinfo'])
 
         options = domain.list_options()
 
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 3be25e8d..120c8275 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -29,6 +29,7 @@ krb5_backup_server = str, None, false
 krb5_realm = str, None, false
 krb5_auth_timeout = int, None, false
 krb5_canonicalize = bool, None, false
+krb5_use_kdcinfo = bool, None, false
 ldap_krb5_keytab = str, None, false
 ldap_krb5_init_creds = bool, None, false
 ldap_entry_usn = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index e6f1bb0a..8a7e75f2 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -35,6 +35,7 @@ krb5_server = str, None, false
 krb5_backup_server = str, None, false
 krb5_realm = str, None, false
 krb5_auth_timeout = int, None, false
+krb5_use_kdcinfo = bool, None, false
 krb5_kpasswd = str, None, false
 krb5_backup_kpasswd = str, None, false
 krb5_canonicalize = bool, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-krb5.conf b/src/config/etc/sssd.api.d/sssd-krb5.conf
index 89d16d77..e65ed01b 100644
--- a/src/config/etc/sssd.api.d/sssd-krb5.conf
+++ b/src/config/etc/sssd.api.d/sssd-krb5.conf
@@ -4,6 +4,7 @@ krb5_server = str, None, false
 krb5_backup_server = str, None, false
 krb5_realm = str, None, true
 krb5_auth_timeout = int, None, false
+krb5_use_kdcinfo = bool, None, false
 krb5_kpasswd = str, None, false
 krb5_backup_kpasswd = str, None, false
 
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 14e979da..870cf20f 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -21,6 +21,7 @@ krb5_kdcip = str, None, false
 krb5_server = str, None, false
 krb5_realm = str, None, false
 krb5_canonicalize = bool, None, false
+krb5_use_kdcinfo = bool, None, false
 ldap_krb5_keytab = str, None, false
 ldap_krb5_init_creds = bool, None, false
 ldap_entry_usn = str, None, false
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index 731d7725..906aee09 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -452,6 +452,34 @@
         </varlistentry>
 
         <varlistentry>
+            <term>krb5_use_kdcinfo (boolean)</term>
+            <listitem>
+                <para>
+                    Specifies if the SSSD should be instructing the Kerberos
+                    libraries what realm and which KDCs to use. This option
+                    is on by default, if you disable it, you need to configure
+                    the Kerberos library using the
+                    <citerefentry>
+                        <refentrytitle>krb5.conf</refentrytitle>
+                        <manvolnum>5</manvolnum>
+                    </citerefentry>
+                    configuration file.
+                </para>
+                <para>
+                    See the
+                    <citerefentry>
+                        <refentrytitle>sssd_krb5_locator_plugin</refentrytitle>
+                        <manvolnum>8</manvolnum>
+                    </citerefentry>
+                    manual page for more information on the locator plugin.
+                </para>
+                <para>
+                    Default: true
+                </para>
+            </listitem>
+        </varlistentry>
+
+        <varlistentry>
             <term>krb5_use_enterprise_principal (boolean)</term>
             <listitem>
                 <para>
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 97b5fdc5..9cd594c7 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1589,6 +1589,34 @@
         </varlistentry>
 
         <varlistentry>
+            <term>krb5_use_kdcinfo (boolean)</term>
+            <listitem>
+                <para>
+                    Specifies if the SSSD should be instructing the Kerberos
+                    libraries what realm and which KDCs to use. This option
+                    is on by default, if you disable it, you need to configure
+                    the Kerberos library using the
+                    <citerefentry>
+                        <refentrytitle>krb5.conf</refentrytitle>
+                        <manvolnum>5</manvolnum>
+                    </citerefentry>
+                    configuration file.
+                </para>
+                <para>
+                    See the
+                    <citerefentry>
+                        <refentrytitle>sssd_krb5_locator_plugin</refentrytitle>
+                        <manvolnum>8</manvolnum>
+                    </citerefentry>
+                    manual page for more information on the locator plugin.
+                </para>
+                <para>
+                    Default: true
+                </para>
+            </listitem>
+        </varlistentry>
+
+        <varlistentry>
             <term>ldap_pwd_policy (string)</term>
             <listitem>
                 <para>
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index ea124d96..1aad85de 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -531,21 +531,23 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
         goto done;
     }
 
-    /* Write krb5 info files */
-    safe_address = sss_escape_ip_address(tmp_ctx,
-                                         srvaddr->family,
-                                         address);
-    if (safe_address == NULL) {
-        DEBUG(SSSDBG_CRIT_FAILURE, ("sss_escape_ip_address failed.\n"));
-        ret = ENOMEM;
-        goto done;
-    }
+    if (service->krb5_service->write_kdcinfo) {
+        /* Write krb5 info files */
+        safe_address = sss_escape_ip_address(tmp_ctx,
+                                             srvaddr->family,
+                                             address);
+        if (safe_address == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, ("sss_escape_ip_address failed.\n"));
+            ret = ENOMEM;
+            goto done;
+        }
 
-    ret = write_krb5info_file(service->krb5_service->realm, safe_address,
-                              SSS_KRB5KDC_FO_SRV);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_MINOR_FAILURE,
-              ("write_krb5info_file failed, authentication might fail.\n"));
+        ret = write_krb5info_file(service->krb5_service->realm, safe_address,
+                                  SSS_KRB5KDC_FO_SRV);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  ("write_krb5info_file failed, authentication might fail.\n"));
+        }
     }
 
     ret = EOK;
@@ -846,6 +848,15 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
                                krb5_options[KRB5_REALM].opt_name,
                                krb5_realm));
 
+    /* Set flag that controls whether we want to write the
+     * kdcinfo files at all
+     */
+    ad_opts->service->krb5_service->write_kdcinfo = \
+            dp_opt_get_bool(krb5_options, KRB5_USE_KDCINFO);
+    DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n",
+          ad_opts->auth[KRB5_USE_KDCINFO].opt_name,
+          ad_opts->service->krb5_service->write_kdcinfo ? "true" : "false"));
+
     *_opts = talloc_steal(mem_ctx, krb5_options);
 
     ret = EOK;
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 218614dc..ba03c232 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
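Review bot: In ad_get_auth_options the added flag is read from `krb5_options` while the DEBUG line that follows takes the option name from `ad_opts->auth[KRB5_USE_KDCINFO]`, so the value and its label come from two different arrays; the realm logging in the context lines just above uses `krb5_options[KRB5_REALM].opt_name`, and `krb5_options[KRB5_USE_KDCINFO].opt_name` would keep the new lines consistent with it and independent of whether `ad_opts->auth` already points at the same array at this point. The IPA counterpart in ipa_common.c reads both from `ipa_opts->auth` and needs no such change. Both this hunk and the ipa_get_auth_options hunk also dereference `->service->krb5_service` with no NULL check, which presumably relies on krb5_service_init having run before the auth options are loaded; a short comment such as `/* service->krb5_service must already be set up (krb5_service_init) */` would make that ordering dependency explicit, and the trailing backslash on the `write_kdcinfo = \` line is a preprocessor continuation that does nothing in plain C and can be dropped in both files. ad_get_auth_options continues outside the hunk.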
@@ -88,6 +88,7 @@ struct dp_option ad_def_ldap_opts[] = {
     { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+    { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     { "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING },
     { "ldap_referrals", DP_OPT_BOOL, BOOL_FALSE, BOOL_TRUE },
     { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
@@ -145,6 +146,7 @@ struct dp_option ad_def_krb5_opts[] = {
     { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+    { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     DP_OPTION_TERMINATOR
 };
 
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 76da6c1e..67137409 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -664,6 +664,15 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts,
                   dp_opt_get_string(ipa_opts->auth, KRB5_REALM)));
     }
 
+    /* Set flag that controls whether we want to write the
+     * kdcinfo files at all
+     */
+    ipa_opts->service->krb5_service->write_kdcinfo = \
+            dp_opt_get_bool(ipa_opts->auth, KRB5_USE_KDCINFO);
+    DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n",
+          ipa_opts->auth[KRB5_USE_KDCINFO].opt_name,
+          ipa_opts->service->krb5_service->write_kdcinfo ? "true" : "false"));
+
     *_opts = ipa_opts->auth;
 
     ret = EOK;
@@ -743,19 +752,21 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
     talloc_zfree(service->sdap->sockaddr);
     service->sdap->sockaddr = talloc_steal(service, sockaddr);
 
-    safe_address = sss_escape_ip_address(tmp_ctx,
-                                         srvaddr->family,
-                                         address);
-    if (safe_address == NULL) {
-        DEBUG(1, ("sss_escape_ip_address failed.\n"));
-        talloc_free(tmp_ctx);
-        return;
-    }
+    if (service->krb5_service->write_kdcinfo) {
+        safe_address = sss_escape_ip_address(tmp_ctx,
+                                             srvaddr->family,
+                                             address);
+        if (safe_address == NULL) {
+            DEBUG(1, ("sss_escape_ip_address failed.\n"));
+            talloc_free(tmp_ctx);
+            return;
+        }
 
-    ret = write_krb5info_file(service->krb5_service->realm, safe_address,
-                              SSS_KRB5KDC_FO_SRV);
-    if (ret != EOK) {
-        DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n"));
+        ret = write_krb5info_file(service->krb5_service->realm, safe_address,
+                                  SSS_KRB5KDC_FO_SRV);
+        if (ret != EOK) {
+            DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n"));
+        }
     }
 
     talloc_free(tmp_ctx);
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 4dfa72db..fe81ed11 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -112,6 +112,7 @@ struct dp_option ipa_def_ldap_opts[] = {
     { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+    { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     { "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING },
     { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
@@ -274,6 +275,7 @@ struct dp_option ipa_def_krb5_opts[] = {
     { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     { "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+    { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     DP_OPTION_TERMINATOR
 };
 
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index e60e6e0e..9db14b8a 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -452,18 +452,20 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
         return;
     }
 
-    safe_address = talloc_asprintf_append(safe_address, ":%d",
-                                          fo_get_server_port(server));
-    if (safe_address == NULL) {
-        DEBUG(1, ("talloc_asprintf_append failed.\n"));
-        talloc_free(tmp_ctx);
-        return;
-    }
+    if (krb5_service->write_kdcinfo) {
+        safe_address = talloc_asprintf_append(safe_address, ":%d",
+                                              fo_get_server_port(server));
+        if (safe_address == NULL) {
+            DEBUG(1, ("talloc_asprintf_append failed.\n"));
+            talloc_free(tmp_ctx);
+            return;
+        }
 
-    ret = write_krb5info_file(krb5_service->realm, safe_address,
-                              krb5_service->name);
-    if (ret != EOK) {
-        DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n"));
+        ret = write_krb5info_file(krb5_service->realm, safe_address,
+                                  krb5_service->name);
+        if (ret != EOK) {
+            DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n"));
+        }
     }
 
     talloc_free(tmp_ctx);
@@ -620,7 +622,9 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
                       const char *service_name,
                       const char *primary_servers,
                       const char *backup_servers,
-                      const char *realm, struct krb5_service **_service)
+                      const char *realm,
+                      bool use_kdcinfo,
+                      struct krb5_service **_service)
 {
     TALLOC_CTX *tmp_ctx;
     struct krb5_service *service;
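Review bot: In krb5_resolve_callback the new `if (krb5_service->write_kdcinfo)` guard only wraps the port append and the file write, so the escaping of the server address that produces `safe_address` (the `return; }` at the top of the hunk is the tail of that earlier failure path, outside the hunk) still runs when the option is off and its result is simply freed with tmp_ctx. The AD and IPA callbacks changed in this same commit place the escaping inside the guard, so hoisting the check above the escape here, or returning early right after the server address is obtained, would make the three callbacks behave alike and skip the discarded allocation. krb5_resolve_callback starts outside the hunk, so the exact placement needs checking against the lines above.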
@@ -655,6 +659,8 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
         goto done;
     }
 
+    service->write_kdcinfo = use_kdcinfo;
+
     if (!primary_servers) {
         DEBUG(SSSDBG_CONF_SETTINGS,
               ("No primary servers defined, using service discovery\n"));
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 85049360..eb563888 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -66,6 +66,7 @@ enum krb5_opts {
     KRB5_FAST_PRINCIPAL,
     KRB5_CANONICALIZE,
     KRB5_USE_ENTERPRISE_PRINCIPAL,
+    KRB5_USE_KDCINFO,
     KRB5_OPTS
 };
 
@@ -82,6 +83,7 @@ struct tgt_times {
 struct krb5_service {
     char *name;
     char *realm;
+    bool write_kdcinfo;
 };
 
 struct fo_service;
@@ -153,7 +155,9 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
                       const char *service_name,
                       const char *primary_servers,
                       const char *backup_servers,
-                      const char *realm, struct krb5_service **_service);
+                      const char *realm,
+                      bool use_kdcinfo,
+                      struct krb5_service **_service);
 
 void remove_krb5_info_files_callback(void *pvt);
 
diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c
index 1821d5b3..c6ec496e 100644
--- a/src/providers/krb5/krb5_init.c
+++ b/src/providers/krb5/krb5_init.c
@@ -108,8 +108,12 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
         return EINVAL;
     }
 
-    ret = krb5_service_init(ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers,
-                            krb5_backup_servers, krb5_realm, &ctx->service);
+    ret = krb5_service_init(ctx, bectx,
+                            SSS_KRB5KDC_FO_SRV, krb5_servers,
+                            krb5_backup_servers, krb5_realm,
+                            dp_opt_get_bool(krb5_options->opts,
+                                            KRB5_USE_KDCINFO),
+                            &ctx->service);
     if (ret != EOK) {
         DEBUG(0, ("Failed to init KRB5 failover service!\n"));
         return ret;
@@ -130,9 +134,12 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
                   "will use KDC for pasword change operations!\n"));
         ctx->kpasswd_service = NULL;
     } else {
-        ret = krb5_service_init(ctx, bectx, SSS_KRB5KPASSWD_FO_SRV,
-                                krb5_kpasswd_servers, krb5_backup_kpasswd_servers,
-                                krb5_realm, &ctx->kpasswd_service);
+        ret = krb5_service_init(ctx, bectx,
+                                SSS_KRB5KPASSWD_FO_SRV, krb5_kpasswd_servers,
+                                krb5_backup_kpasswd_servers, krb5_realm,
+                                dp_opt_get_bool(krb5_options->opts,
+                                                KRB5_USE_KDCINFO),
+                                &ctx->kpasswd_service);
         if (ret != EOK) {
             DEBUG(0, ("Failed to init KRB5KPASSWD failover service!\n"));
             return ret;
diff --git a/src/providers/krb5/krb5_opts.h b/src/providers/krb5/krb5_opts.h
index c8e64782..400b7e33 100644
--- a/src/providers/krb5/krb5_opts.h
+++ b/src/providers/krb5/krb5_opts.h
@@ -44,6 +44,7 @@ struct dp_option default_krb5_opts[] = {
     { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+    { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     DP_OPTION_TERMINATOR
 };
 
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index fd6f05de..96edd336 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -1269,8 +1269,12 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx,
         }
     }
 
-    ret = krb5_service_init(mem_ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers,
-                            krb5_backup_servers, krb5_realm, &service);
+    ret = krb5_service_init(mem_ctx, bectx,
+                            SSS_KRB5KDC_FO_SRV, krb5_servers,
+                            krb5_backup_servers, krb5_realm,
+                            dp_opt_get_bool(opts,
+                                            SDAP_KRB5_USE_KDCINFO),
+                            &service);
     if (ret != EOK) {
         DEBUG(0, ("Failed to init KRB5 failover service!\n"));
         goto done;
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 807716c1..6857d4ca 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
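Review bot: `dp_opt_get_bool(krb5_options->opts, KRB5_USE_KDCINFO)` is evaluated twice in sssm_krb5_auth_init, once in the preceding hunk for the KDC service and again here for the kpasswd service, and each call is split across two lines inside an already long argument list. A single `bool use_kdcinfo = dp_opt_get_bool(krb5_options->opts, KRB5_USE_KDCINFO);` declared before the first krb5_service_init call and passed as `use_kdcinfo` at both sites keeps the two failover services guaranteed to agree and shortens both calls. sssm_krb5_auth_init continues outside the hunk.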
@@ -79,6 +79,7 @@ struct dp_option default_basic_opts[] = {
     { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+    { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     { "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING },
     { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index f77636b3..6f10efa4 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -186,6 +186,7 @@ enum sdap_basic_opt {
     SDAP_KRB5_BACKUP_KDC,
     SDAP_KRB5_REALM,
     SDAP_KRB5_CANONICALIZE,
+    SDAP_KRB5_USE_KDCINFO,
     SDAP_PWD_POLICY,
     SDAP_REFERRALS,
     SDAP_ACCOUNT_CACHE_EXPIRATION,