From 5096bb4c2242b426aa6f5ea2cb82223e0b81a345 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 10 Mar 2010 17:03:23 +0100 Subject: Add krb5_kpasswd option --- src/providers/krb5/krb5_auth.c | 85 +++++++++++++++++++++++++---- src/providers/krb5/krb5_auth.h | 2 + src/providers/krb5/krb5_child.c | 7 +++ src/providers/krb5/krb5_common.c | 112 +++++++++++++++++++++++++++++++++------ src/providers/krb5/krb5_common.h | 8 ++- src/providers/krb5/krb5_init.c | 21 ++++++-- 6 files changed, 205 insertions(+), 30 deletions(-) (limited to 'src/providers/krb5') diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index b8b498a0..ce3aacd8 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -676,7 +676,9 @@ static int handle_child_recv(struct tevent_req *req, } static void get_user_attr_done(void *pvt, int err, struct ldb_result *res); -static void krb5_resolve_done(struct tevent_req *req); +static void krb5_resolve_kdc_done(struct tevent_req *req); +static void krb5_resolve_kpasswd_done(struct tevent_req *req); +static void krb5_find_ccache_step(struct krb5child_req *kr); static void krb5_save_ccname_done(struct tevent_req *req); static void krb5_child_done(struct tevent_req *req); static void krb5_pam_handler_cache_done(struct tevent_req *treq); @@ -852,14 +854,16 @@ static void get_user_attr_done(void *pvt, int err, struct ldb_result *res) break; } + kr->srv = NULL; + kr->kpasswd_srv = NULL; req = be_resolve_server_send(kr, be_req->be_ctx->ev, be_req->be_ctx, krb5_ctx->service->name); if (req == NULL) { - DEBUG(1, ("handle_child_send failed.\n")); + DEBUG(1, ("be_resolve_server_send failed.\n")); goto failed; } - tevent_req_set_callback(req, krb5_resolve_done, kr); + tevent_req_set_callback(req, krb5_resolve_kdc_done, kr); return; @@ -870,18 +874,13 @@ failed: krb_reply(be_req, dp_err, pd->pam_status); } -static void krb5_resolve_done(struct tevent_req *req) +static void krb5_resolve_kdc_done(struct tevent_req *req) { struct krb5child_req *kr = tevent_req_callback_data(req, struct krb5child_req); int ret; - int pam_status = PAM_SYSTEM_ERR; - int dp_err = DP_ERR_FATAL; struct pam_data *pd = kr->pd; struct be_req *be_req = kr->req; - char *msg; - size_t offset = 0; - bool private_path = false; ret = be_resolve_server_recv(req, &kr->srv); talloc_zfree(req); @@ -892,8 +891,68 @@ static void krb5_resolve_done(struct tevent_req *req) * the ccache file. */ be_mark_offline(be_req->be_ctx); kr->is_offline = true; + } else { + if (pd->cmd == SSS_PAM_CHAUTHTOK && + kr->krb5_ctx->kpasswd_service != NULL) { + req = be_resolve_server_send(kr, be_req->be_ctx->ev, be_req->be_ctx, + kr->krb5_ctx->kpasswd_service->name); + if (req == NULL) { + DEBUG(1, ("be_resolve_server_send failed.\n")); + goto failed; + } + + tevent_req_set_callback(req, krb5_resolve_kpasswd_done, kr); + + return; + } } + krb5_find_ccache_step(kr); + return; + +failed: + talloc_free(kr); + + pd->pam_status = PAM_SYSTEM_ERR; + krb_reply(be_req, DP_ERR_FATAL, pd->pam_status); +} + +static void krb5_resolve_kpasswd_done(struct tevent_req *req) +{ + struct krb5child_req *kr = tevent_req_callback_data(req, + struct krb5child_req); + int ret; + struct pam_data *pd = kr->pd; + struct be_req *be_req = kr->req; + + ret = be_resolve_server_recv(req, &kr->kpasswd_srv); + talloc_zfree(req); + if (ret) { + /* all kpasswd servers have been tried and none was found good, but the + * kdc seems ok. Password changes are not possible but + * authentication. We return an PAM error here, but do not mark the + * backend offline. */ + + talloc_free(kr); + pd->pam_status = PAM_AUTHTOK_LOCK_BUSY; + krb_reply(be_req, DP_ERR_OK, pd->pam_status); + } + + krb5_find_ccache_step(kr); +} + +static void krb5_find_ccache_step(struct krb5child_req *kr) +{ + int ret; + int pam_status = PAM_SYSTEM_ERR; + int dp_err = DP_ERR_FATAL; + struct pam_data *pd = kr->pd; + struct be_req *be_req = kr->req; + char *msg; + size_t offset = 0; + bool private_path = false; + struct tevent_req *req = NULL; + if (kr->ccname == NULL || (be_is_offline(be_req->be_ctx) && !kr->active_ccache_present && !kr->valid_tgt_present) || @@ -1081,6 +1140,14 @@ static void krb5_child_done(struct tevent_req *req) fo_set_port_status(kr->srv, PORT_WORKING); } + if (kr->kpasswd_srv != NULL) { + if (*msg_status == PAM_AUTHTOK_LOCK_BUSY) { + fo_set_port_status(kr->kpasswd_srv, PORT_NOT_WORKING); + } else { + fo_set_port_status(kr->kpasswd_srv, PORT_WORKING); + } + } + struct sysdb_attrs *attrs; attrs = sysdb_new_attrs(kr); ret = sysdb_attrs_add_string(attrs, SYSDB_CCACHE_FILE, kr->ccname); diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h index 825f3d64..9f8c4144 100644 --- a/src/providers/krb5/krb5_auth.h +++ b/src/providers/krb5/krb5_auth.h @@ -57,6 +57,7 @@ struct krb5child_req { gid_t gid; bool is_offline; struct fo_server *srv; + struct fo_server *kpasswd_srv; bool active_ccache_present; bool valid_tgt_present; }; @@ -90,6 +91,7 @@ struct krb5_ctx { struct dp_option *opts; struct krb5_service *service; + struct krb5_service *kpasswd_service; int child_debug_fd; pcre *illegal_path_re; diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 234b8389..86242ef3 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -587,9 +587,16 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) goto sendresponse; } + memset(&result_code_string, 0, sizeof(krb5_data)); + memset(&result_string, 0, sizeof(krb5_data)); kerr = krb5_change_password(kr->ctx, kr->creds, newpass_str, &result_code, &result_code_string, &result_string); + if (kerr == KRB5_KDC_UNREACH) { + pam_status = PAM_AUTHTOK_LOCK_BUSY; + goto sendresponse; + } + if (kerr != 0 || result_code != 0) { if (kerr != 0) { KRB5_DEBUG(1, kerr); diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c index 8c1c7fac..2b3331ed 100644 --- a/src/providers/krb5/krb5_common.c +++ b/src/providers/krb5/krb5_common.c @@ -26,6 +26,7 @@ #include #include #include +#include #include "providers/dp_backend.h" #include "providers/krb5/krb5_common.h" @@ -38,7 +39,8 @@ struct dp_option default_krb5_opts[] = { { "krb5_changepw_principal", DP_OPT_STRING, { "kadmin/changepw" }, NULL_STRING }, { "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER }, { "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING }, - { "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE } + { "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING } }; errno_t check_and_export_options(struct dp_option *opts, @@ -67,7 +69,13 @@ errno_t check_and_export_options(struct dp_option *opts, dummy = dp_opt_get_cstring(opts, KRB5_KDC); if (dummy == NULL) { - DEBUG(1, ("No KDC expicitly configured, using defaults")); + DEBUG(1, ("No KDC explicitly configured, using defaults")); + } + + dummy = dp_opt_get_cstring(opts, KRB5_KPASSWD); + if (dummy == NULL) { + DEBUG(1, ("No kpasswd server explicitly configured, " + "using the KDC or defaults")); } dummy = dp_opt_get_cstring(opts, KRB5_CCNAME_TMPL); @@ -139,21 +147,33 @@ done: return ret; } -errno_t write_kdcinfo_file(const char *realm, const char *kdc) +errno_t write_krb5info_file(const char *realm, const char *server, + const char *service) { int ret; int fd = -1; char *tmp_name = NULL; - char *kdcinfo_name = NULL; + char *krb5info_name = NULL; TALLOC_CTX *tmp_ctx = NULL; - int kdc_len; + const char *name_tmpl = NULL; + int server_len; + + if (realm == NULL || *realm == '\0' || server == NULL || *server == '\0' || + service == NULL || service == '\0') { + DEBUG(1, ("Missing or empty realm, server or service.\n")); + return EINVAL; + } - if (realm == NULL || *realm == '\0' || kdc == NULL || *kdc == '\0') { - DEBUG(1, ("Missing or empty realm or kdc.\n")); + if (strcmp(service, SSS_KRB5KDC_FO_SRV) == 0) { + name_tmpl = KDCINFO_TMPL; + } else if (strcmp(service, SSS_KRB5KPASSWD_FO_SRV) == 0) { + name_tmpl = KPASSWDINFO_TMPL; + } else { + DEBUG(1, ("Unsupported service [%s]\n.", service)); return EINVAL; } - kdc_len = strlen(kdc); + server_len = strlen(server); tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { @@ -161,15 +181,15 @@ errno_t write_kdcinfo_file(const char *realm, const char *kdc) return ENOMEM; } - tmp_name = talloc_asprintf(tmp_ctx, PUBCONF_PATH"/.kdcinfo_dummy_XXXXXX"); + tmp_name = talloc_asprintf(tmp_ctx, PUBCONF_PATH"/.krb5info_dummy_XXXXXX"); if (tmp_name == NULL) { DEBUG(1, ("talloc_asprintf failed.\n")); ret = ENOMEM; goto done; } - kdcinfo_name = talloc_asprintf(tmp_ctx, KDCINFO_TMPL, realm); - if (kdcinfo_name == NULL) { + krb5info_name = talloc_asprintf(tmp_ctx, name_tmpl, realm); + if (krb5info_name == NULL) { DEBUG(1, ("talloc_asprintf failed.\n")); ret = ENOMEM; goto done; @@ -182,12 +202,12 @@ errno_t write_kdcinfo_file(const char *realm, const char *kdc) goto done; } - ret = write(fd, kdc, kdc_len); + ret = write(fd, server, server_len); if (ret == -1) { DEBUG(1, ("write failed [%d][%s].\n", errno, strerror(errno))); goto done; } - if (ret != kdc_len) { + if (ret != server_len) { DEBUG(1, ("Partial write occured, this should never happen.\n")); ret = EINTR; goto done; @@ -205,7 +225,7 @@ errno_t write_kdcinfo_file(const char *realm, const char *kdc) goto done; } - ret = rename(tmp_name, kdcinfo_name); + ret = rename(tmp_name, krb5info_name); if (ret == -1) { DEBUG(1, ("rename failed [%d][%s].\n", errno, strerror(errno))); goto done; @@ -248,12 +268,20 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server) return; } + address = talloc_asprintf_append(address, ":%d", + fo_get_server_port(server)); + if (address == NULL) { + DEBUG(1, ("talloc_asprintf_append failed.\n")); + return; + } + talloc_zfree(krb5_service->address); krb5_service->address = address; - ret = write_kdcinfo_file(krb5_service->realm, address); + ret = write_krb5info_file(krb5_service->realm, address, + krb5_service->name); if (ret != EOK) { - DEBUG(2, ("write_kdcinfo_file failed, authentication might fail.\n")); + DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n")); } return; @@ -269,6 +297,11 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, char **list = NULL; int ret; int i; + char *port_str; + long port; + char *server_spec; + char *endptr; + struct servent *servent; tmp_ctx = talloc_new(memctx); if (!tmp_ctx) { @@ -308,8 +341,53 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, for (i = 0; list[i]; i++) { talloc_steal(service, list[i]); + server_spec = talloc_strdup(service, list[i]); + port_str = strrchr(server_spec, ':'); + if (port_str == NULL) { + port = 0; + } else { + *port_str = '\0'; + ++port_str; + if (isdigit(*port_str)) { + errno = 0; + port = strtol(port_str, &endptr, 10); + if (errno != 0) { + ret = errno; + DEBUG(1, ("strtol failed on [%s]: [%d][%s].\n", port_str, + ret, strerror(ret))); + goto done; + } + if (*endptr != '\0') { + DEBUG(1, ("Found additional characters [%s] in port number " + "[%s].\n", endptr, port_str)); + ret = EINVAL; + goto done; + } + + if (port < 1 || port > 65535) { + DEBUG(1, ("Illegal port number [%d].\n", port)); + ret = EINVAL; + goto done; + } + } else if (isalpha(*port_str)) { + servent = getservbyname(port_str, NULL); + if (servent == NULL) { + DEBUG(1, ("getservbyname cannot find service [%s].\n", + port_str)); + ret = EINVAL; + goto done; + } + + port = servent->s_port; + } else { + DEBUG(1, ("Unsupported port specifier in [%s].\n", list[i])); + ret = EINVAL; + goto done; + } + } - ret = be_fo_add_server(ctx, service_name, list[i], 0, NULL); + ret = be_fo_add_server(ctx, service_name, server_spec, (int) port, + list[i]); if (ret && ret != EEXIST) { DEBUG(0, ("Failed to add server\n")); goto done; diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h index 832ffcdd..0b0da31f 100644 --- a/src/providers/krb5/krb5_common.h +++ b/src/providers/krb5/krb5_common.h @@ -38,6 +38,10 @@ #define SSSD_KRB5_CHANGEPW_PRINCIPLE "SSSD_KRB5_CHANGEPW_PRINCIPLE" #define KDCINFO_TMPL PUBCONF_PATH"/kdcinfo.%s" +#define KPASSWDINFO_TMPL PUBCONF_PATH"/kpasswdinfo.%s" + +#define SSS_KRB5KDC_FO_SRV "KRB5KDC" +#define SSS_KRB5KPASSWD_FO_SRV "KRB5KPASSWD" enum krb5_opts { KRB5_KDC = 0, @@ -48,6 +52,7 @@ enum krb5_opts { KRB5_AUTH_TIMEOUT, KRB5_KEYTAB, KRB5_VALIDATE, + KRB5_KPASSWD, KRB5_OPTS }; @@ -64,7 +69,8 @@ errno_t check_and_export_options(struct dp_option *opts, errno_t krb5_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb, const char *conf_path, struct dp_option **_opts); -errno_t write_kdcinfo_file(const char *realm, const char *kdc); +errno_t write_krb5info_file(const char *realm, const char *kdc, + const char *service); int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, const char *service_name, const char *servers, diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c index 4d212381..83129d9c 100644 --- a/src/providers/krb5/krb5_init.c +++ b/src/providers/krb5/krb5_init.c @@ -52,6 +52,7 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, unsigned v; FILE *debug_filep; const char *krb5_servers; + const char *krb5_kpasswd_servers; const char *krb5_realm; const char *errstr; int errval; @@ -98,13 +99,27 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, return EINVAL; } - ret = krb5_service_init(ctx, bectx, "KRB5", krb5_servers, krb5_realm, - &ctx->service); + ret = krb5_service_init(ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers, + krb5_realm, &ctx->service); if (ret != EOK) { - DEBUG(0, ("Failed to init IPA failover service!\n")); + DEBUG(0, ("Failed to init KRB5 failover service!\n")); return ret; } + krb5_kpasswd_servers = dp_opt_get_string(ctx->opts, KRB5_KPASSWD); + if (krb5_kpasswd_servers == NULL) { + DEBUG(0, ("Missing krb5_kpasswd option, using KDC!\n")); + ctx->kpasswd_service = NULL; + } else { + ret = krb5_service_init(ctx, bectx, SSS_KRB5KPASSWD_FO_SRV, + krb5_kpasswd_servers, krb5_realm, + &ctx->kpasswd_service); + if (ret != EOK) { + DEBUG(0, ("Failed to init KRB5KPASSWD failover service!\n")); + return ret; + } + } + ret = check_and_export_options(ctx->opts, bectx->domain); if (ret != EOK) { DEBUG(1, ("check_and_export_options failed.\n")); -- cgit