-rw-r--r--Makefile.am1
-rw-r--r--src/config/SSSDConfig.py1
-rwxr-xr-xsrc/config/SSSDConfigTest.py9
-rw-r--r--src/config/etc/sssd.api.d/sssd-krb5.conf1
-rw-r--r--src/man/sssd-krb5.5.xml32
-rw-r--r--src/providers/ipa/ipa_common.c3
-rw-r--r--src/providers/ipa/ipa_common.h2
-rw-r--r--src/providers/krb5/krb5_child.c18
-rw-r--r--src/providers/krb5/krb5_common.c24
-rw-r--r--src/providers/krb5/krb5_common.h2
10 files changed, 86 insertions, 7 deletions
diff --git a/Makefile.am b/Makefile.am
index 6d91cf69..4a8fd599 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -531,6 +531,7 @@ krb5_utils_tests_CFLAGS = \
krb5_utils_tests_LDADD = \
$(SSSD_LIBS)\
$(CARES_LIBS) \
+ $(KRB5_LIBS) \
$(CHECK_LIBS) \
libsss_test_common.la
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 1f54b475..bb7e424e 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -104,6 +104,7 @@ option_strings = {
'krb5_keytab' : _("Location of the keytab to validate credentials"),
'krb5_validate' : _("Enable credential validation"),
'krb5_store_password_if_offline' : _("Store password if offline for later online authentication"),
+ 'krb5_renewable_lifetime' : _("Renewable lifetime of the TGT"),
# [provider/krb5/chpass]
'krb5_kpasswd' : _('Server where the change password service is running if not on the KDC'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 39db49dc..b63e40b5 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -549,7 +549,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'krb5_keytab',
'krb5_validate',
'krb5_store_password_if_offline',
- 'krb5_auth_timeout'])
+ 'krb5_auth_timeout',
+ 'krb5_renewable_lifetime'])
options = domain.list_options()
@@ -723,7 +724,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'krb5_keytab',
'krb5_validate',
'krb5_store_password_if_offline',
- 'krb5_auth_timeout']
+ 'krb5_auth_timeout',
+ 'krb5_renewable_lifetime']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
@@ -871,7 +873,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'krb5_keytab',
'krb5_validate',
'krb5_store_password_if_offline',
- 'krb5_auth_timeout'])
+ 'krb5_auth_timeout',
+ 'krb5_renewable_lifetime'])
options = domain.list_options()
diff --git a/src/config/etc/sssd.api.d/sssd-krb5.conf b/src/config/etc/sssd.api.d/sssd-krb5.conf
index 0c0aa426..c3cc5bbf 100644
--- a/src/config/etc/sssd.api.d/sssd-krb5.conf
+++ b/src/config/etc/sssd.api.d/sssd-krb5.conf
@@ -11,6 +11,7 @@ krb5_ccname_template = str, None, false
krb5_keytab = str, None, false
krb5_validate = bool, None, false
krb5_store_password_if_offline = bool, None, false
+krb5_renewable_lifetime = str, None, false
[provider/krb5/chpass]
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index f5c8ad0a..0f0c8a2c 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -268,6 +268,38 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>krb5_renewable_lifetime (string)</term>
+ <listitem>
+ <para>
+ Request a renewable ticket with a with a total
+ lifetime given by an integer immediately followed
+ by one of the following delimiters:
+ </para>
+ <para>
+ <emphasis>s</emphasis> seconds
+ </para>
+ <para>
+ <emphasis>m</emphasis> minutes
+ </para>
+ <para>
+ <emphasis>h</emphasis> hours
+ </para>
+ <para>
+ <emphasis>d</emphasis> days.
+ </para>
+ <para>
+ Please note that it is not possible to mix units.
+ If you want to set the renewable lifetime to one
+ and a half hours please use '90m' instead of
+ '1h30m'.
+ </para>
+ <para>
+ Default: not set, i.e. the TGT is not renewable
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</para>
</refsect1>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index a7f4494b..149a352f 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -139,7 +139,8 @@ struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
{ "krb5_validate", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
+ { "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }
};
int ipa_get_options(TALLOC_CTX *memctx,
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index ef1cac20..33b325c0 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -40,7 +40,7 @@ struct ipa_service {
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_KRB5_OPTS_TEST 9
+#define IPA_KRB5_OPTS_TEST 10
enum ipa_basic_opt {
IPA_DOMAIN = 0,
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 0e555604..2a2ed9b4 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1084,6 +1084,8 @@ static int krb5_cleanup(void *ptr)
static int krb5_child_setup(struct krb5_req *kr, uint32_t offline)
{
krb5_error_code kerr = 0;
+ char *lifetime_str;
+ krb5_deltat lifetime;
kr->krb5_ctx = talloc_zero(kr, struct krb5_child_ctx);
if (kr->krb5_ctx == NULL) {
@@ -1162,9 +1164,23 @@ static int krb5_child_setup(struct krb5_req *kr, uint32_t offline)
goto failed;
}
+ lifetime_str = getenv(SSSD_KRB5_RENEWABLE_LIFETIME);
+ if (lifetime_str == NULL) {
+ DEBUG(7, ("Cannot read [%s] from environment.\n",
+ SSSD_KRB5_RENEWABLE_LIFETIME));
+ } else {
+ kerr = krb5_string_to_deltat(lifetime_str, &lifetime);
+ if (kerr != 0) {
+ DEBUG(1, ("krb5_string_to_deltat failed for [%s].\n",
+ lifetime_str));
+ KRB5_DEBUG(1, kerr);
+ goto failed;
+ }
+ krb5_get_init_creds_opt_set_renew_life(kr->options, lifetime);
+ }
+
/* TODO: set options, e.g.
* krb5_get_init_creds_opt_set_tkt_life
- * krb5_get_init_creds_opt_set_renew_life
* krb5_get_init_creds_opt_set_forwardable
* krb5_get_init_creds_opt_set_proxiable
* krb5_get_init_creds_opt_set_etype_list
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index bf47dcc4..1a62bbe3 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -40,7 +40,8 @@ struct dp_option default_krb5_opts[] = {
{ "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
{ "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
+ { "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }
};
errno_t check_and_export_options(struct dp_option *opts,
@@ -49,6 +50,8 @@ errno_t check_and_export_options(struct dp_option *opts,
int ret;
const char *realm;
const char *dummy;
+ char *str;
+ krb5_deltat lifetime;
realm = dp_opt_get_cstring(opts, KRB5_REALM);
if (realm == NULL) {
@@ -66,6 +69,25 @@ errno_t check_and_export_options(struct dp_option *opts,
SSSD_KRB5_REALM));
}
+ str = dp_opt_get_string(opts, KRB5_RENEWABLE_LIFETIME);
+ if (str == NULL) {
+ DEBUG(5, ("No renewable lifetime configured.\n"));
+ } else {
+ ret = krb5_string_to_deltat(str, &lifetime);
+ if (ret != 0) {
+ DEBUG(1, ("Invalid value [%s] for krb5_renewable_lifetime.\n",
+ str));
+ return EINVAL;
+ }
+
+ ret = setenv(SSSD_KRB5_RENEWABLE_LIFETIME, str, 1);
+ if (ret != EOK) {
+ DEBUG(2, ("setenv [%s] failed.\n",
+ SSSD_KRB5_RENEWABLE_LIFETIME));
+ return ret;
+ }
+ }
+
dummy = dp_opt_get_cstring(opts, KRB5_KDC);
if (dummy == NULL) {
DEBUG(1, ("No KDC explicitly configured, using defaults.\n"));
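Review bot: `setenv()` returns -1 and sets errno on failure, so `return ret;` in the new setenv error branch propagates -1 rather than an errno_t to the caller; capture errno before the DEBUG call, e.g. `ret = errno;` then `DEBUG(2, ("setenv [%s] failed.\n", SSSD_KRB5_RENEWABLE_LIFETIME));` and `return ret;`. The `str == NULL` branch also leaves any earlier or inherited SSSD_KRB5_RENEWABLE_LIFETIME value in the environment, and krb5_child uses whatever it finds there, so an `unsetenv(SSSD_KRB5_RENEWABLE_LIFETIME);` in that branch would make the exported environment match the configuration exactly; whether this function can run more than once in a process I cannot tell from the hunk. check_and_export_options continues past both ends of the hunk.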
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 139ce400..15ef437b 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -35,6 +35,7 @@
#define SSSD_KRB5_KDC "SSSD_KRB5_KDC"
#define SSSD_KRB5_REALM "SSSD_KRB5_REALM"
+#define SSSD_KRB5_RENEWABLE_LIFETIME "SSSD_KRB5_RENEWABLE_LIFETIME"
#define KDCINFO_TMPL PUBCONF_PATH"/kdcinfo.%s"
#define KPASSWDINFO_TMPL PUBCONF_PATH"/kpasswdinfo.%s"
@@ -52,6 +53,7 @@ enum krb5_opts {
KRB5_VALIDATE,
KRB5_KPASSWD,
KRB5_STORE_PASSWORD_IF_OFFLINE,
+ KRB5_RENEWABLE_LIFETIME,
KRB5_OPTS
};