summaryrefslogtreecommitdiff
path: root/src/providers/krb5
AgeCommit message (Collapse)AuthorFilesLines
2013-07-23KRB5: Do not send PAC in server modeJakub Hrozek3-6/+19
The krb5 child contacts the PAC responder for any user except for the IPA native users if the PAC is configured. This works fine for the general case but the ipa_server_mode is a special one. The PAC responder is there, but since in the server mode we should be operating as AD provider default, the PAC shouldn't be analyzed either in this case.
2013-07-22Fix warnings: uninitialized variableLukas Slebodnik2-4/+3
2013-07-22Remove unused memory context from function unpack_authtokLukas Slebodnik1-3/+3
2013-07-19Add mising argument required by format stringLukas Slebodnik1-2/+3
2013-07-18KRB: Replace multiple calls with variableOndrej Kos1-6/+9
Instead of multiple calls of sss_authtok_get_type, perform the call just once and store into variable.
2013-07-18KRB: Handle empty password gracefullyOndrej Kos1-0/+11
https://fedorahosted.org/sssd/ticket/1814 Return authentication error when empty password is passed.
2013-07-17SIGCHLD handler: do not call callback when pvt data where freedPavel Březina1-1/+1
https://fedorahosted.org/sssd/ticket/1992
2013-07-17print hint about password complexity when new password is rejectedPavel Březina1-1/+7
https://fedorahosted.org/sssd/ticket/1827
2013-07-15Use conditional build for retrieving ccache.Lukas Slebodnik2-88/+22
Some krb5 functions needn't be available for retrieving ccache with principal. Therefore ifdef is used to solve this situation with older version of libkrb5. There were two functions with similar functionality in krb5_child and krb5_utils. They were merged to one universal function, which was moved to file src/util/sss_krb5.c
2013-07-11Return right directory name for dircacheLukas Slebodnik1-6/+10
Dircache can be either file or directory. Wrong value was used when dircache was itself directory. https://fedorahosted.org/sssd/ticket/2002
2013-07-10KRB5_CHILD: Fix handling of get_password return codeOndrej Kos1-4/+10
The switch statement was dead code due to missing case/default.
2013-06-28Replace new_subdomain() with find_subdomain_by_name()Sumit Bose1-3/+2
new_subdomain() will create a new domain object and should not be used anymore in the priovder code directly. Instead a reference to the domain from the common domain object should be used.
2013-06-27Fix compilation warningJakub Hrozek1-1/+1
2013-06-27AD: Write out domain-realm mappingsJakub Hrozek1-1/+0
This patch reuses the code from IPA provider to make sure that domain-realm mappings are written even for AD sub domains.
2013-06-27KRB5: guess UPN for subdomain usersJakub Hrozek7-18/+43
2013-06-26Do not switch to credentials everytime.Lukas Slebodnik1-4/+69
If user decide to kinit as another user we do not want to switch back to user ccache at another login. We will switch to new ccache if and only if default principal name is the same as current principal name, or there is not any default ccache. https://fedorahosted.org/sssd/ticket/1936
2013-06-26Every time return directory for krb5 cache collection.Lukas Slebodnik2-4/+64
Function krb5_cc_get_full_name is called only as a way to validate that, we have the right cache. Instead of returned name, location will be returned from function cc_dir_cache_for_princ. https://fedorahosted.org/sssd/ticket/1936
2013-06-25krb5: do not use enterprise principals for renewalsSumit Bose1-1/+6
When renewing a ticket we already know the canonical principal hence it is not needed to expand it to an enterprise principal but we can contact the KDC of the corresponding realm directly.
2013-06-25krb5: do not send pac for IPA users from the local domainSumit Bose4-10/+19
So far we didn't send the PAC of IPA users to the PAC responder during password authentication because group memberships for IPA users can be retrieved efficiently with LDAP calls. Recently patches added PAC support for the AD provider as well and removed the restriction for the IPA users. This patch restores the original behaviour by introducing a new flag in struct krb5_ctx which is only set for the IPA provider. Additionally a different flag is renamed to make it's purpose more clear. Fixes https://fedorahosted.org/sssd/ticket/1995
2013-06-25Revert "Always send the PAC to the PAC responder"Sumit Bose1-18/+20
This reverts commit d153941864fe481399665be8fe583c9317194a99.
2013-06-24Fix typo in pack_authtok()Sumit Bose1-1/+1
2013-06-24KRB5: use the right authtok type for renewalsSumit Bose1-3/+20
2013-06-17Set default realm for enterprise principalsSumit Bose1-0/+12
Enterprise principals require that a default realm is available. To make SSSD more robust in the case that the default realm option is missing in krb5.conf or to allow SSSD to work with multiple unconnected realms (e.g. AD domains without trust between them) the default realm will be set explicitly. Fixes https://fedorahosted.org/sssd/ticket/1931
2013-06-17Use principal from the ticket to find validation entrySumit Bose1-1/+1
If canonicalization or enterprise principals are enabled the realm of the client principal might have changed compared to the original request. To find the most suitable keytab entry to validate the TGT is it better to use the returned client principal. Fixes https://fedorahosted.org/sssd/ticket/1931
2013-06-14KRB: Handle preauthentication error correctlyOndrej Kos2-1/+9
https://fedorahosted.org/sssd/ticket/1873 KRB preauthentication error was later mishandled like authentication error.
2013-06-10A new option krb5_use_kdcinfoJakub Hrozek4-18/+36
https://fedorahosted.org/sssd/ticket/1883 The patch introduces a new Kerberos provider option called krb5_use_kdcinfo. The option is true by default in all providers. When set to false, the SSSD will not create krb5 info files that the locator plugin consumes and the user would have to set up the Kerberos options manually in krb5.conf
2013-06-07Do not obfuscate calls with booleansJakub Hrozek1-7/+22
Instead of using boolean variables to denote whether the call is adding a primary or a secondary server, use a function wrapper that tells what it's doing by its name.
2013-06-06Always send the PAC to the PAC responderSumit Bose1-20/+18
Currently while doing a Kerberos based authentication the PAC was only send to the PAC responder for principals from a different realm. This reflects the FreeIPA use case of users from trusted domains. This restriction does not make sense anymore when the data from the PAC should be used for the AD provider as well. It also makes only limited sense for the IPA use case, because when using GSSAPI the PAC of users from the local IPA domain are already evaluated by the PAC responder.
2013-05-31Set canonicalize flag if enterprise principals are usedSumit Bose1-1/+6
In contrast to MIT KDCs AD does not automatically canonicalize the enterprise principal in an AS request but requires the canonicalize flags to be set. To be on the safe side we always enable canonicalization if enterprise principals are used.
2013-05-20Fixing critical format string issues.Lukas Slebodnik2-3/+5
--missing arguments. --format '%s', but argument is integer. --wrong format string, examle: '%\n'
2013-05-14Always update cached upn if enterprise principals are usedSumit Bose1-3/+4
Instead of continuing to use the initial upn if enterprise principals are used if should always be replaced. The enterprise principal is stored in the credential cache and without knowing it the ccache_for_princ() calls to determine the location of the credential cache will fail. Fixes https://fedorahosted.org/sssd/ticket/1921
2013-05-03Only check UPN if enterprise principals are not usedJakub Hrozek1-0/+5
If enterprise principals are enabled (which is the default in the AD provider), then the returned UPN might be slightly different from the one SSSD constructs before attempting the login. This patch makes SSSD only check if the principal is the same when the enterprise principals are disabled.
2013-04-22Allow usage of enterprise principalsSumit Bose4-4/+18
Enterprise principals are currently most useful for the AD provider and hence enabled here by default while for the other Kerberos based authentication providers they are disabled by default. If additional UPN suffixes are configured for the AD domain the user principal stored in the AD LDAP server might not contain the real Kerberos realm of the AD domain but one of the additional suffixes which might be completely randomly chooses, e.g. are not related to any existing DNS domain. This make it hard for a client to figure out the right KDC to send requests to. To get around this enterprise principals (see http://tools.ietf.org/html/rfc6806 for details) were introduced. Basically a default realm is added to the principal so that the Kerberos client libraries at least know where to send the request to. It is not in the responsibility of the KDC to either handle the request itself, return a client referral if he thinks a different KDC can handle the request or return and error. This feature is also use to allow authentication in AD environments with cross forest trusts. Fixes https://fedorahosted.org/sssd/ticket/1842
2013-04-12Fix krbcc dir creation issue with MIT krb5 1.11Lukas Slebodnik2-11/+61
In krb5-libs >= 1.11, function krb5_cc_resolve verify if credential cache dir exists. If it doesn't exist, than it will be created with process permissions and not user permissions. Function cc_residual_is_used has already checked for non existing directory, but it wasn't considered to be a failure and therefore next call of krb5_init_context will create directory with wrong permissions. Now if directory doesn't exist, it will be handled like there was not ccache attribute in sysdb cache. We also check if "primary" file in ccache directory has right permissions. But we ignore missing "primary" file. https://fedorahosted.org/sssd/ticket/1822
2013-04-05Further restrict become_user drop of privileges.Simo Sorce1-15/+18
We never need to regain root after we call become_user() so tighten up even further our privilege drop. Add a setgroups() call to remove all secondary groups root may have been given for whateve reason. Then use the setres[ug]id function to also drop the saved uid/gid so the process cannot regain back root id. Capabilities are also implicitly dropped here, no more CAP_SETUID so this is a Point of No Return, once changed to non-root the process can't get back. Remove redefinition of sys/types.h and unistd.h, they are already defined in util.h and they need to be included after _GNU_SOURCE/_BSD_SOURCE is defined or the prototypes for setres[ug]id will not be found. Add grp.h after util.h for the same reason.
2013-04-03Allow setting krb5_renew_interval with a delimiterAriel Barria3-6/+30
https://fedorahosted.org/sssd/ticket/902 changed the data type the krb5_renew_interval to string. function krb5_string_to_deltat is used to convert and allow delimiters
2013-04-03Check for correct variable nameJakub Hrozek1-4/+0
https://fedorahosted.org/sssd/ticket/1864
2013-04-03krb5 child: Use the correct type when processing OTPJakub Hrozek1-1/+1
2013-04-02Making the authtok structure really opaque.Lukas Slebodnik5-32/+31
Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830
2013-04-02Reusing create_pam_data() on the other places.Lukas Slebodnik1-1/+1
Function create_pam_data() should be only one way how to create new struct pam_data, because it also initialize destructor to created object.
2013-03-19Removing unused declaration of functions and variable.Lukas Slebodnik1-2/+2
Variables dir_cc and file_cc are used in three modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be declared with extern in krb5_utils.h.
2013-03-18Decrease krb5_auth_timeout defaultOndrej Kos1-1/+1
https://fedorahosted.org/sssd/ticket/1738
2013-03-18Retry the correct service on krb5 child timeoutJakub Hrozek1-1/+1
2013-03-13Fix initialization of multiple variablesOndrej Kos2-4/+3
2013-03-13More generalized function open_debug_file_ex()Lukas Slebodnik1-5/+1
Function open_debug_file_ex() set flag FD_CLOEXEC to opened file according to the value of third parameter. Removed duplicity of unsetting FD_CLOEXEC after calling function open_debug_file_ex()
2013-03-08Add support for krb5 1.11's responder callback.Nathaniel McCallum4-1/+232
krb5 1.11 adds support for a new method for responding to structured data queries. This method, called the responder, provides an alternative to the prompter interface. This patch adds support for this method. It takes the password and provides it via a responder instead of the prompter. In the case of OTP authentication, it also disables the caching of credentials (since the credentials are one-time only).
2013-03-04Cleanup error message handling for krb5 childSimo Sorce2-296/+240
Use the new internal SSSD errors, to simplify error handling. Instead of using up to 3 different error types (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use different number spaces so there is no overlap and they can be safely merged. This means that errors being sent from the child to the parent are not pam status error messages anymore. The callers have been changed to properly deal with that. Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that.
2013-03-04krb5_child: fix value type and initializationOndrej Kos1-1/+2
ret was defined as integer, instead of errno_t, and was uninitialized
2013-02-28Refactor krb5 childSimo Sorce1-288/+210
The aim of this refactoring is to make the code readable and understandable. This code has grown organically over time and has becomed confused and baroque enough that understanding it's very simple flow had become very complex for the uninitiated. Complex flows easily hide nasty bugs. Improvements: - Remove dead/unused data storage - Fix and simplify talloc hierarchy, use a memory context (kr) for the whole code and allocate kr->pd where it is filled up. - Rename some functions to create a better name space (easier for searching fucntions across the tree) - Streamline setup function, by spliting out fast setup in a subroutine. - Avoid confusing indirection in executng actual functions by not using the krb5_req child_req member. - Make main() flow s now simmetric, send abck data from the main function instead of delegating a reply to every inner function that implements a command. Now the flow is evident from the main function: 1. read request 2. setup data 3. execute command 4. send reply back
2013-02-28krb5_child style fixSimo Sorce1-11/+11
Use the standard 'done' label for exceptions.