From 4b6a0d0b3d42e5fdb457f47d9adfa5e66b160256 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 30 Aug 2011 10:51:19 -0400 Subject: Add option to specify the kerberos replay cache dir Adds a configure option to set the distribution default as well as an sssd.conf option to override it. https://fedorahosted.org/sssd/ticket/980 --- Makefile.am | 4 ++++ configure.ac | 1 + contrib/sssd.spec.in | 2 ++ src/conf_macros.m4 | 15 +++++++++++++++ src/confdb/confdb.h | 1 + src/config/SSSDConfig.py | 1 + src/config/SSSDConfigTest.py | 1 + src/config/etc/sssd.api.conf | 1 + src/man/sssd.conf.5.xml | 20 ++++++++++++++++++++ src/monitor/monitor.c | 31 +++++++++++++++++++++++++++++++ 10 files changed, 77 insertions(+) diff --git a/Makefile.am b/Makefile.am index 4e2e26ba..144060f0 100644 --- a/Makefile.am +++ b/Makefile.am @@ -34,6 +34,7 @@ systemdunitdir = @systemdunitdir@ logpath = @logpath@ pubconfpath = @pubconfpath@ pkgconfigdir = $(libdir)/pkgconfig +krb5rcachedir = @krb5rcachedir@ AM_CFLAGS = if WANT_AUX_INFO @@ -1141,6 +1142,9 @@ install-data-hook: rm $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 \ $(DESTDIR)/$(nsslibdir)/libnss_sss.so mv $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2.0.0 $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 + if [ ! $(krb5rcachedir) = "__LIBKRB5_DEFAULTS__" ]; then \ + mkdir -p $(DESTDIR)/$(krb5rcachedir) ; \ + fi uninstall-hook: if [ -f $(abs_builddir)/src/config/.files ]; then \ diff --git a/configure.ac b/configure.ac index 770371d5..230afa21 100644 --- a/configure.ac +++ b/configure.ac @@ -82,6 +82,7 @@ WITH_TEST_DIR WITH_MANPAGES WITH_XML_CATALOG WITH_KRB5_PLUGIN_PATH +WITH_KRB5_RCACHE_DIR WITH_PYTHON_BINDINGS WITH_SELINUX WITH_NSCD diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 2639f3a2..ba908de2 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in 
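Review bot: In the new install-data-hook test `$(krb5rcachedir)` is expanded into the shell command unquoted, so an empty or space-containing value produces a `[` syntax error rather than a clean comparison, and the leading `!` is harder to read than the binary operator; `if [ "$(krb5rcachedir)" != "__LIBKRB5_DEFAULTS__" ]; then \`. The `mkdir -p` also inherits whatever mode the installer's umask yields; because replay caches record recently seen Kerberos authenticators, the mode for this directory should be chosen deliberately (for example `mkdir -p -m 700`, if only root-owned sssd processes need it — which this diff does not establish) or the packaging left responsible for it. The `__LIBKRB5_DEFAULTS__` sentinel is spelled out here, in conf_macros.m4 and again as KRB5_RCACHE_DIR_DISABLE in monitor.c, so a single substituted symbol would keep them from drifting.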
@@ -171,6 +171,7 @@ autoreconf -ivf --with-pipe-path=%{pipepath} \ --with-pubconf-path=%{pubconfpath} \ --with-init-dir=%{_initrddir} \ + --with-krb5rcache-dir=%{_localstatedir}/cache/krb5rcache \ --enable-nsslibdir=/%{_lib} \ --enable-pammoddir=/%{_lib}/security \ --disable-static \ @@ -254,6 +255,7 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/%{name}/ %{ldb_modulesdir}/memberof.so %dir %{sssdstatedir} +%dir %{_localstatedir}/cache/krb5rcache %attr(700,root,root) %dir %{dbpath} %attr(755,root,root) %dir %{pipepath} %attr(755,root,root) %dir %{pubconfpath} diff --git a/src/conf_macros.m4 b/src/conf_macros.m4 index 1e503b3e..bd661ba3 100644 --- a/src/conf_macros.m4 +++ b/src/conf_macros.m4 @@ -204,6 +204,21 @@ AC_DEFUN([WITH_KRB5_PLUGIN_PATH], AC_SUBST(krb5pluginpath) ]) +AC_DEFUN([WITH_KRB5_RCACHE_DIR], + [ AC_ARG_WITH([krb5-rcache-dir], + [AC_HELP_STRING([--with-krb5-rcache-dir=PATH], + [Path to store Kerberos replay caches [__LIBKRB5_DEFAULTS__]] + ) + ] + ) + krb5rcachedir="__LIBKRB5_DEFAULTS__" + if test x"$with_krb5_rcache_dir" != x; then + krb5rcachedir=$with_krb5_rcache_dir + fi + AC_SUBST(krb5rcachedir) + AC_DEFINE_UNQUOTED(KRB5_RCACHE_DIR, "$krb5rcachedir", [Directory used for storing Kerberos replay caches]) + ]) + AC_DEFUN([WITH_PYTHON_BINDINGS], [ AC_ARG_WITH([python-bindings], [AC_HELP_STRING([--with-python-bindings], diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 5e50991f..4d615761 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -63,6 +63,7 @@ #define CONFDB_MONITOR_NAME_REGEX "re_expression" #define CONFDB_MONITOR_FULL_NAME_FORMAT "full_name_format" #define CONFDB_MONITOR_TRY_INOTIFY "try_inotify" +#define CONFDB_MONITOR_KRB5_RCACHEDIR "krb5_rcache_dir" /* NSS */ #define CONFDB_NSS_CONF_ENTRY "config/nss" diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py index 77a57c66..94d1f603 100644 --- a/src/config/SSSDConfig.py +++ b/src/config/SSSDConfig.py 
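Review bot: The new `%dir %{_localstatedir}/cache/krb5rcache` entry carries no `%attr`, unlike the neighbouring `%attr(700,root,root) %dir %{dbpath}` and `%attr(755,root,root) %dir %{pipepath}` lines, so the mode and ownership of the replay-cache directory are whatever the build root happens to produce. Replay cache files hold recently seen Kerberos authenticators and are what protects accepted service tickets from being replayed, so the directory's permissions should be pinned in the spec rather than left implicit; assuming only the root-owned sssd processes write there, `%attr(700,root,root) %dir %{_localstatedir}/cache/krb5rcache` mirrors the treatment of %{dbpath}. Whether any other process needs to reach this directory cannot be determined from the diff, so confirm that before restricting it.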
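Review bot: The help text `[Path to store Kerberos replay caches [__LIBKRB5_DEFAULTS__]]` nests square brackets inside an m4-quoted string, and one more round of quote stripping can remove the inner pair so `--help` prints the default without brackets; the autoconf idiom for literal brackets in a help string is `@<:@__LIBKRB5_DEFAULTS__@:>@`, presumably what is intended here. The value of `--with-krb5-rcache-dir` is also passed straight into AC_DEFINE_UNQUOTED and AC_SUBST without checking that it is an absolute path, so a relative value would be compiled in and later exported to every child as KRB5RCACHEDIR; a `case "$with_krb5_rcache_dir" in /*) ;; *) AC_MSG_ERROR(...) ;; esac` guard would reject that at configure time.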
@@ -49,6 +49,7 @@ option_strings = { 'sbus_timeout' : _('Timeout for messages sent over the SBUS'), 're_expression' : _('Regex to parse username and domain'), 'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'), + 'krb5_rcache_dir' : _('Directory on the filesystem where SSSD should store Kerberos replay cache files.'), # [nss] 'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 5b01b990..93b241b7 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -266,6 +266,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase): 'sbus_timeout', 're_expression', 'full_name_format', + 'krb5_rcache_dir', 'debug_level', 'debug_timestamps', 'debug_to_files', diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index ae9ba559..216766a5 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -17,6 +17,7 @@ timeout = int, None, false sbus_timeout = int, None, false re_expression = str, None, false full_name_format = str, None, false +krb5_rcache_dir = str, None, false [nss] # Name service diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 6f85dda9..dcbb5c1b 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -185,6 +185,26 @@ + + krb5_rcache_dir (string) + + + Directory on the filesystem where SSSD should + store Kerberos replay cache files. + + + This option accepts a special value + __LIBKRB5_DEFAULTS__ that will instruct SSSD + to let libkrb5 decide the appropriate + location for the replay cache. + + + Default: Distribution-specific and specified + at build-time. (__LIBKRB5_DEFAULTS__ if not + configured) + + + diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index dd099841..0e16b78f 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c 
@@ -55,6 +55,11 @@ * monitor will get crazy hammering children with messages */ #define MONITOR_DEF_PING_TIME 10 +/* Special value to leave the Kerberos Replay Cache set to use + * the libkrb5 defaults + */ +#define KRB5_RCACHE_DIR_DISABLE "__LIBKRB5_DEFAULTS__" + int cmdline_debug_level; int cmdline_debug_timestamps; @@ -1926,8 +1931,34 @@ int monitor_process_init(struct mt_ctx *ctx, struct sysdb_ctx_list *db_list; struct tevent_signal *tes; struct sss_domain_info *dom; + char *rcachedir; int num_providers; int ret; + int error; + + /* Set up the environment variable for the Kerberos Replay Cache */ + ret = confdb_get_string(ctx->cdb, ctx, + CONFDB_MONITOR_CONF_ENTRY, + CONFDB_MONITOR_KRB5_RCACHEDIR, + KRB5_RCACHE_DIR, + &rcachedir); + if (ret != EOK) { + return ret; + } + + if (strcmp(rcachedir, KRB5_RCACHE_DIR_DISABLE) != 0) + { + errno = 0; + ret = setenv("KRB5RCACHEDIR", rcachedir, 1); + if (ret < 0) { + error = errno; + DEBUG(1, + ("Unable to set KRB5RCACHEDIR: %s." + "Will attempt to use libkrb5 defaults\n", + strerror(error))); + } + talloc_zfree(rcachedir); + } /* Set up an event handler for a SIGHUP */ tes = tevent_add_signal(ctx->ev, ctx, SIGHUP, 0, -- cgit
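Review bot: The two literals in the new DEBUG call concatenate to `...: %s.Will attempt to use libkrb5 defaults`, with no space after the period; change the first one to `"Unable to set KRB5RCACHEDIR: %s. "`. `talloc_zfree(rcachedir)` sits inside the `if`, so when the option is left at `__LIBKRB5_DEFAULTS__` the string stays attached to ctx for the life of the monitor; moving the free after the closing brace releases it on both paths. The configured value is exported with setenv() without any check that it names an existing directory, and since every child process inherits KRB5RCACHEDIR a typo in sssd.conf would only surface as replay-cache failures inside the providers; a stat()/S_ISDIR check with a DEBUG message at startup (needs <sys/stat.h> if monitor.c does not already include it) reports the misconfiguration where it is made. The `if (strcmp(...) != 0)` block also puts its opening brace on its own line, unlike `if (ret != EOK) {` a few lines above. monitor_process_init continues past the end of the hunk.
```c
    if (strcmp(rcachedir, KRB5_RCACHE_DIR_DISABLE) != 0) {
        struct stat st;

        /* Report a bad path here rather than in every child that inherits the variable */
        if (stat(rcachedir, &st) != 0 || !S_ISDIR(st.st_mode)) {
            DEBUG(1, ("KRB5RCACHEDIR %s is not an existing directory. "
                      "Will attempt to use libkrb5 defaults\n", rcachedir));
        } else {
            ret = setenv("KRB5RCACHEDIR", rcachedir, 1);
            if (ret < 0) {
                error = errno;
                DEBUG(1,
                      ("Unable to set KRB5RCACHEDIR: %s. "
                       "Will attempt to use libkrb5 defaults\n",
                       strerror(error)));
            }
        }
    }
    talloc_zfree(rcachedir);
    /* … unchanged: SIGHUP handler setup and the rest of monitor_process_init … */
```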