summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/providers/ad/ad_subdomains.c7
-rw-r--r--src/providers/ipa/ipa_subdomains.c167
-rw-r--r--src/providers/krb5/krb5_common.h1
-rw-r--r--src/util/domain_info_utils.c185
-rw-r--r--src/util/sss_krb5.c22
-rw-r--r--src/util/sss_krb5.h2
-rw-r--r--src/util/util.h2
7 files changed, 197 insertions, 189 deletions
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 07b523df..20aaa2d7 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -736,6 +736,13 @@ static void ad_subdomains_get_slave_domain_done(struct tevent_req *req)
DEBUG(SSSDBG_OP_FAILURE, ("ads_store_sdap_subdom failed.\n"));
goto done;
}
+
+ ret = sss_write_domain_mappings(ctx->sd_ctx->be_ctx->domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("sss_krb5_write_mappings failed.\n"));
+ /* Just continue */
+ }
}
ret = EOK;
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 881f27c5..76ea709a 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -49,9 +49,6 @@
#define IPA_SUBDOMAIN_REFRESH_PERIOD (3600 * 4)
#define IPA_SUBDOMAIN_DISABLED_PERIOD 3600
-/* the directory domain - realm mappings are written to */
-#define IPA_SUBDOMAIN_MAPPING_DIR PUBCONF_PATH"/krb5.include.d"
-
enum ipa_subdomains_req_type {
IPA_SUBDOMAINS_MASTER,
IPA_SUBDOMAINS_SLAVE,
@@ -256,165 +253,6 @@ done:
return ret;
}
-static errno_t
-ipa_subdomains_write_mappings(struct sss_domain_info *domain)
-{
- struct sss_domain_info *dom;
- errno_t ret;
- errno_t err;
- TALLOC_CTX *tmp_ctx;
- const char *mapping_file;
- char *sanitized_domain;
- char *tmp_file = NULL;
- int fd = -1;
- mode_t old_mode;
- FILE *fstream = NULL;
- int i;
-
- if (domain == NULL || domain->name == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("No domain name provided\n"));
- return EINVAL;
- }
-
- tmp_ctx = talloc_new(NULL);
- if (!tmp_ctx) return ENOMEM;
-
- sanitized_domain = talloc_strdup(tmp_ctx, domain->name);
- if (sanitized_domain == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_strdup() failed\n"));
- return ENOMEM;
- }
-
- /* only alpha-numeric chars, dashes and underscores are allowed in
- * krb5 include directory */
- for (i = 0; sanitized_domain[i] != '\0'; i++) {
- if (!isalnum(sanitized_domain[i])
- && sanitized_domain[i] != '-' && sanitized_domain[i] != '_') {
- sanitized_domain[i] = '_';
- }
- }
-
- mapping_file = talloc_asprintf(tmp_ctx, "%s/domain_realm_%s",
- IPA_SUBDOMAIN_MAPPING_DIR, sanitized_domain);
- if (!mapping_file) {
- ret = ENOMEM;
- goto done;
- }
-
- DEBUG(SSSDBG_FUNC_DATA, ("Mapping file for domain [%s] is [%s]\n",
- domain->name, mapping_file));
-
- tmp_file = talloc_asprintf(tmp_ctx, "%sXXXXXX", mapping_file);
- if (tmp_file == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- old_mode = umask(077);
- fd = mkstemp(tmp_file);
- umask(old_mode);
- if (fd < 0) {
- DEBUG(SSSDBG_OP_FAILURE, ("creating the temp file [%s] for domain-realm "
- "mappings failed.", tmp_file));
- ret = EIO;
- talloc_zfree(tmp_ctx);
- goto done;
- }
-
- fstream = fdopen(fd, "a");
- if (!fstream) {
- ret = errno;
- DEBUG(SSSDBG_OP_FAILURE, ("fdopen failed [%d]: %s\n",
- ret, strerror(ret)));
- ret = close(fd);
- if (ret != 0) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("fclose failed [%d][%s].\n", ret, strerror(ret)));
- /* Nothing to do here, just report the failure */
- }
- ret = EIO;
- goto done;
- }
-
- ret = fprintf(fstream, "[domain_realm]\n");
- if (ret < 0) {
- DEBUG(SSSDBG_OP_FAILURE, ("fprintf failed\n"));
- ret = EIO;
- goto done;
- }
-
- for (dom = get_next_domain(domain, true);
- dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
- dom = get_next_domain(dom, false)) {
- ret = fprintf(fstream, ".%s = %s\n%s = %s\n",
- dom->name, dom->realm, dom->name, dom->realm);
- if (ret < 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("fprintf failed\n"));
- goto done;
- }
- }
-
- ret = fclose(fstream);
- fstream = NULL;
- if (ret != 0) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("fclose failed [%d][%s].\n", ret, strerror(ret)));
- goto done;
- }
-
- ret = rename(tmp_file, mapping_file);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("rename failed [%d][%s].\n", ret, strerror(ret)));
- goto done;
- }
-
- talloc_zfree(tmp_file);
-
- ret = chmod(mapping_file, 0644);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("fchmod failed [%d][%s].\n", ret, strerror(ret)));
- goto done;
- }
-
- /* touch krb5.conf to ensure that new mappings are loaded */
- ret = sss_krb5_touch_config();
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to change last modification time "
- "of krb5.conf. Created mappings may not be loaded.\n"));
- /* just continue */
- }
-
- ret = EOK;
-done:
- if (fstream) {
- err = fclose(fstream);
- if (err != 0) {
- err = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("fclose failed [%d][%s].\n", err, strerror(err)));
- /* Nothing to do here, just report the failure */
- }
- }
-
- if (tmp_file) {
- err = unlink(tmp_file);
- if (err < 0) {
- err = errno;
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not remove file [%s]: [%d]: %s",
- tmp_file, err, strerror(err)));
- }
- }
- talloc_free(tmp_ctx);
- return ret;
-}
-
static errno_t ipa_subdomains_refresh(struct ipa_subdomains_ctx *ctx,
int count, struct sysdb_attrs **reply,
bool *changes)
@@ -726,10 +564,11 @@ static void ipa_subdomains_handler_done(struct tevent_req *req)
goto done;
}
- ret = ipa_subdomains_write_mappings(domain);
+ ret = sss_write_domain_mappings(domain);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
- ("ipa_subdomains_write_mappings failed.\n"));
+ ("sss_krb5_write_mappings failed.\n"));
+ /* Just continue */
}
}
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 9eb602cf..27089ab9 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -188,7 +188,6 @@ errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx,
errno_t compare_principal_realm(const char *upn, const char *realm,
bool *different_realm);
-
int sssm_krb5_auth_init(struct be_ctx *bectx,
struct bet_ops **ops,
void **pvt_auth_data);
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 34aa3f33..b72e8e34 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -18,10 +18,15 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#include <utime.h>
+
#include "confdb/confdb.h"
#include "db/sysdb.h"
#include "util/util.h"
+/* the directory domain - realm mappings are written to */
+#define KRB5_MAPPING_DIR PUBCONF_PATH"/krb5.include.d"
+
struct sss_domain_info *get_next_domain(struct sss_domain_info *domain,
bool descend)
{
@@ -190,3 +195,183 @@ errno_t sssd_domain_init(TALLOC_CTX *mem_ctx,
return EOK;
}
+
+static errno_t
+sss_krb5_touch_config(void)
+{
+ const char *config = NULL;
+ errno_t ret;
+
+ config = getenv("KRB5_CONFIG");
+ if (config == NULL) {
+ config = KRB5_CONF_PATH;
+ }
+
+ ret = utime(config, NULL);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to change mtime of \"%s\" "
+ "[%d]: %s\n", config, strerror(ret)));
+ return ret;
+ }
+
+ return EOK;
+}
+
+errno_t
+sss_write_domain_mappings(struct sss_domain_info *domain)
+{
+ struct sss_domain_info *dom;
+ errno_t ret;
+ errno_t err;
+ TALLOC_CTX *tmp_ctx;
+ const char *mapping_file;
+ char *sanitized_domain;
+ char *tmp_file = NULL;
+ int fd = -1;
+ mode_t old_mode;
+ FILE *fstream = NULL;
+ int i;
+
+ if (domain == NULL || domain->name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("No domain name provided\n"));
+ return EINVAL;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ sanitized_domain = talloc_strdup(tmp_ctx, domain->name);
+ if (sanitized_domain == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_strdup() failed\n"));
+ return ENOMEM;
+ }
+
+ /* only alpha-numeric chars, dashes and underscores are allowed in
+ * krb5 include directory */
+ for (i = 0; sanitized_domain[i] != '\0'; i++) {
+ if (!isalnum(sanitized_domain[i])
+ && sanitized_domain[i] != '-' && sanitized_domain[i] != '_') {
+ sanitized_domain[i] = '_';
+ }
+ }
+
+ mapping_file = talloc_asprintf(tmp_ctx, "%s/domain_realm_%s",
+ KRB5_MAPPING_DIR, sanitized_domain);
+ if (!mapping_file) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA, ("Mapping file for domain [%s] is [%s]\n",
+ domain->name, mapping_file));
+
+ tmp_file = talloc_asprintf(tmp_ctx, "%sXXXXXX", mapping_file);
+ if (tmp_file == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ old_mode = umask(077);
+ fd = mkstemp(tmp_file);
+ umask(old_mode);
+ if (fd < 0) {
+ DEBUG(SSSDBG_OP_FAILURE, ("creating the temp file [%s] for domain-realm "
+ "mappings failed.", tmp_file));
+ ret = EIO;
+ talloc_zfree(tmp_ctx);
+ goto done;
+ }
+
+ fstream = fdopen(fd, "a");
+ if (!fstream) {
+ ret = errno;
+ DEBUG(SSSDBG_OP_FAILURE, ("fdopen failed [%d]: %s\n",
+ ret, strerror(ret)));
+ ret = close(fd);
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("fclose failed [%d][%s].\n", ret, strerror(ret)));
+ /* Nothing to do here, just report the failure */
+ }
+ ret = EIO;
+ goto done;
+ }
+
+ ret = fprintf(fstream, "[domain_realm]\n");
+ if (ret < 0) {
+ DEBUG(SSSDBG_OP_FAILURE, ("fprintf failed\n"));
+ ret = EIO;
+ goto done;
+ }
+
+ for (dom = get_next_domain(domain, true);
+ dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
+ dom = get_next_domain(dom, false)) {
+ ret = fprintf(fstream, ".%s = %s\n%s = %s\n",
+ dom->name, dom->realm, dom->name, dom->realm);
+ if (ret < 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("fprintf failed\n"));
+ goto done;
+ }
+ }
+
+ ret = fclose(fstream);
+ fstream = NULL;
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("fclose failed [%d][%s].\n", ret, strerror(ret)));
+ goto done;
+ }
+
+ ret = rename(tmp_file, mapping_file);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("rename failed [%d][%s].\n", ret, strerror(ret)));
+ goto done;
+ }
+
+ talloc_zfree(tmp_file);
+
+ ret = chmod(mapping_file, 0644);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("fchmod failed [%d][%s].\n", ret, strerror(ret)));
+ goto done;
+ }
+
+ ret = EOK;
+done:
+ err = sss_krb5_touch_config();
+ if (err != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to change last modification time "
+ "of krb5.conf. Created mappings may not be loaded.\n"));
+ /* Ignore */
+ }
+
+ if (fstream) {
+ err = fclose(fstream);
+ if (err != 0) {
+ err = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("fclose failed [%d][%s].\n", err, strerror(err)));
+ /* Nothing to do here, just report the failure */
+ }
+ }
+
+ if (tmp_file) {
+ err = unlink(tmp_file);
+ if (err < 0) {
+ err = errno;
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not remove file [%s]: [%d]: %s",
+ tmp_file, err, strerror(err)));
+ }
+ }
+ talloc_free(tmp_ctx);
+ return ret;
+}
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index 9adb8ff2..7d42e97f 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -20,7 +20,6 @@
#include <stdio.h>
#include <errno.h>
#include <talloc.h>
-#include <utime.h>
#include "config.h"
@@ -1180,24 +1179,3 @@ done:
return ENOTSUP;
#endif
}
-
-errno_t sss_krb5_touch_config(void)
-{
- const char *config = NULL;
- errno_t ret;
-
- config = getenv("KRB5_CONFIG");
- if (config == NULL) {
- config = KRB5_CONF_PATH;
- }
-
- ret = utime(config, NULL);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to change mtime of \"%s\" "
- "[%d]: %s\n", config, strerror(ret)));
- return ret;
- }
-
- return EOK;
-}
diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
index 9bae2f92..4d3b9f7e 100644
--- a/src/util/sss_krb5.h
+++ b/src/util/sss_krb5.h
@@ -192,6 +192,4 @@ krb5_error_code sss_extract_pac(krb5_context ctx,
krb5_keytab keytab,
krb5_authdata ***_pac_authdata);
-errno_t sss_krb5_touch_config(void);
-
#endif /* __SSS_KRB5_H__ */
diff --git a/src/util/util.h b/src/util/util.h
index 8ae85f4f..f66f57b8 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -572,6 +572,8 @@ errno_t sssd_domain_init(TALLOC_CTX *mem_ctx,
#define IS_SUBDOMAIN(dom) ((dom)->parent != NULL)
+errno_t sss_write_domain_mappings(struct sss_domain_info *domain);
+
/* from util_lock.c */
errno_t sss_br_lock_file(int fd, size_t start, size_t len,
int num_tries, useconds_t wait);