From 7051a30300d12163e890e4ec4b9a765567679a8b Mon Sep 17 00:00:00 2001 From: Jan Zeleny Date: Thu, 14 Oct 2010 09:37:34 +0200 Subject: Option krb5_server is now used to store a list of KDCs instead of krb5_kdcip. For the time being, if krb5_server is not found, still falls back to krb5_kdcip with a warning. If both options are present in config file, krb5_server has a higher priority. Fixes: #543 --- src/config/SSSDConfig.py | 2 ++ src/config/SSSDConfigTest.py | 8 ++++-- src/config/etc/sssd.api.d/sssd-ipa.conf | 1 + src/config/etc/sssd.api.d/sssd-krb5.conf | 1 + src/config/etc/sssd.api.d/sssd-ldap.conf | 1 + src/config/sssd_upgrade_config.py | 4 +-- src/man/sssd-krb5.5.xml | 10 +++++-- src/man/sssd.conf.5.xml | 2 +- src/providers/ipa/ipa_common.c | 10 ++++++- src/providers/krb5/krb5_common.c | 45 +++++++++++++++++++++++++++++++- src/providers/krb5/krb5_common.h | 3 +++ src/providers/krb5/krb5_init.c | 2 +- 12 files changed, 79 insertions(+), 10 deletions(-) (limited to 'src') diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py index 22013eeb..f4734b8c 100644 --- a/src/config/SSSDConfig.py +++ b/src/config/SSSDConfig.py @@ -93,6 +93,7 @@ option_strings = { # [provider/krb5] 'krb5_kdcip' : _('Kerberos server address'), + 'krb5_server' : _('Kerberos server address'), 'krb5_realm' : _('Kerberos realm'), 'krb5_auth_timeout' : _('Authentication timeout'), @@ -122,6 +123,7 @@ option_strings = { 'ldap_sasl_mech' : _('Specify the sasl mechanism to use'), 'ldap_sasl_authid' : _('Specify the sasl authorization id to use'), 'krb5_kdcip' : _('Kerberos server address'), + 'krb5_server' : _('Kerberos server address'), 'krb5_realm' : _('Kerberos realm'), 'ldap_krb5_keytab' : _('Kerberos service keytab'), 'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index f0cfac8b..39db49dc 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py 
@@ -541,7 +541,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): backup_list = control_list[:] control_list.extend( - ['krb5_kdcip', + ['krb5_server', 'krb5_realm', 'krb5_kpasswd', 'krb5_ccachedir', @@ -562,6 +562,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): "Option [%s] missing" % option) + control_list.extend(['krb5_kdcip']) + # Ensure that there aren't any unexpected options listed for option in options.keys(): self.assertTrue(option in control_list, @@ -712,6 +714,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): # Test looking up a specific provider type options = domain.list_provider_options('krb5', 'auth') control_list = [ + 'krb5_server', 'krb5_kdcip', 'krb5_realm', 'krb5_kpasswd', @@ -859,7 +862,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): backup_list = control_list[:] control_list.extend( - ['krb5_kdcip', + ['krb5_server', + 'krb5_kdcip', 'krb5_realm', 'krb5_kpasswd', 'krb5_ccachedir', diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf index b559b78d..001d4fce 100644 --- a/src/config/etc/sssd.api.d/sssd-ipa.conf +++ b/src/config/etc/sssd.api.d/sssd-ipa.conf @@ -19,6 +19,7 @@ ldap_tls_reqcert = str, None, false ldap_sasl_mech = str, None, false ldap_sasl_authid = str, None, false krb5_kdcip = str, None, false +krb5_server = str, None, false krb5_realm = str, None, false krb5_auth_timeout = int, None, false krb5_kpasswd = str, None, false diff --git a/src/config/etc/sssd.api.d/sssd-krb5.conf b/src/config/etc/sssd.api.d/sssd-krb5.conf index 76ef8b5b..0c0aa426 100644 --- a/src/config/etc/sssd.api.d/sssd-krb5.conf +++ b/src/config/etc/sssd.api.d/sssd-krb5.conf @@ -1,5 +1,6 @@ [provider/krb5] krb5_kdcip = str, None, false +krb5_server = str, None, false krb5_realm = str, None, true krb5_auth_timeout = int, None, false krb5_kpasswd = str, None, false diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf index 75eba586..1f5d7ab2 100644 
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf +++ b/src/config/etc/sssd.api.d/sssd-ldap.conf @@ -14,6 +14,7 @@ ldap_tls_reqcert = str, None, false ldap_sasl_mech = str, None, false ldap_sasl_authid = str, None, false krb5_kdcip = str, None, false +krb5_server = str, None, false krb5_realm = str, None, false ldap_krb5_keytab = str, None, false ldap_krb5_init_creds = bool, None, false diff --git a/src/config/sssd_upgrade_config.py b/src/config/sssd_upgrade_config.py index 62ffe527..e05226e8 100644 --- a/src/config/sssd_upgrade_config.py +++ b/src/config/sssd_upgrade_config.py @@ -77,7 +77,7 @@ class SSSDConfigFile(SSSDChangeConf): auth_provider = self.findOpts(domain['value'], 'option', 'auth_provider')[1] if auth_provider and auth_provider['value'] == 'krb5': - server = self.findOpts(domain['value'], 'option', 'krb5_kdcip')[1] + server = self.findOpts(domain['value'], 'option', 'krb5_server')[1] if not server or "__srv__" in server['value']: domain['value'].insert(0, dns_domain_name) @@ -201,7 +201,7 @@ class SSSDConfigFile(SSSDChangeConf): 'ldap_netgroup_uuid' : 'netgroupUUID', 'ldap_netgroup_modify_timestamp' : 'netgroupModifyTimestamp', } - krb5_kw = { 'krb5_kdcip' : 'krb5KDCIP', + krb5_kw = { 'krb5_server' : 'krb5KDCIP', 'krb5_realm' : 'krb5REALM', 'krb5_try_simple_upn' : 'krb5try_simple_upn', 'krb5_changepw_principal' : 'krb5changepw_principle', diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml index dbe96a1d..e9c2cac3 100644 --- a/src/man/sssd-krb5.5.xml +++ b/src/man/sssd-krb5.5.xml @@ -63,7 +63,7 @@ for details on the configuration of a SSSD domain. - krb5_kdcip (string) + krb5_server (string) Specifies the list of IP addresses or hostnames @@ -77,6 +77,12 @@ for more information, refer to the SERVICE DISCOVERY section. + + This option was named krb5_kdcip in + earlier releases of SSSD. While the legacy name is recognized + for the time being, users are advised to migrate their config + files to use krb5_server instead. + 
@@ -270,7 +276,7 @@ [domain/FOO] auth_provider = krb5 - krb5_kdcip = 192.168.1.1 + krb5_server = 192.168.1.1 krb5_realm = EXAMPLE.COM diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index d00de05c..60ba169b 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -917,7 +917,7 @@ ldap_uri = ldap://ldap.example.com ldap_search_base = dc=example,dc=com auth_provider = krb5 -krb5_kdcip = kerberos.example.com +krb5_server = kerberos.example.com krb5_realm = EXAMPLE.COM cache_credentials = true diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 95d99de8..758bf9de 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c @@ -129,7 +129,7 @@ struct sdap_attr_map ipa_netgroup_map[] = { }; struct dp_option ipa_def_krb5_opts[] = { - { "krb5_kdcip", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING }, { "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING}, @@ -437,6 +437,14 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts, goto done; } + /* If there is no KDC, try the deprecated krb5_kdcip option, too */ + /* FIXME - this can be removed in a future version */ + ret = krb5_try_kdcip(ipa_opts, cdb, conf_path, ipa_opts->auth); + if (ret != EOK) { + DEBUG(1, ("sss_krb5_try_kdcip failed.\n")); + goto done; + } + /* set krb realm */ if (NULL == dp_opt_get_string(ipa_opts->auth, KRB5_REALM)) { value = dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN); diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c index 3863acd9..81ad4e9d 100644 --- a/src/providers/krb5/krb5_common.c +++ b/src/providers/krb5/krb5_common.c 
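Review bot: The error message `DEBUG(1, ("sss_krb5_try_kdcip failed.\n"));` names a function that does not exist in this patch; the call on the line above is to krb5_try_kdcip, so someone grepping the log or the tree for the failing function will not find it. Use `DEBUG(1, ("krb5_try_kdcip failed.\n"));` here and in the matching hunk of src/providers/krb5/krb5_common.c (krb5_get_options), which copies the same message. ipa_get_auth_options begins and ends outside this hunk.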
@@ -32,7 +32,7 @@ #include "providers/krb5/krb5_common.h" struct dp_option default_krb5_opts[] = { - { "krb5_kdcip", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING }, { "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING}, @@ -91,6 +91,41 @@ errno_t check_and_export_options(struct dp_option *opts, return EOK; } +errno_t krb5_try_kdcip(TALLOC_CTX *memctx, struct confdb_ctx *cdb, + const char *conf_path, struct dp_option *opts) +{ + char *krb5_servers = NULL; + errno_t ret; + + krb5_servers = dp_opt_get_string(opts, KRB5_KDC); + if (krb5_servers == NULL) { + DEBUG(4, ("No KDC found in configuration, trying legacy option\n")); + ret = confdb_get_string(cdb, memctx, conf_path, + "krb5_kdcip", NULL, &krb5_servers); + if (ret != EOK) { + DEBUG(1, ("confdb_get_string failed.\n")); + return ret; + } + + if (krb5_servers != NULL) + { + ret = dp_opt_set_string(opts, KRB5_KDC, krb5_servers); + if (ret != EOK) { + DEBUG(1, ("dp_opt_set_string failed.\n")); + talloc_free(krb5_servers); + return ret; + } + + DEBUG(9, ("Set krb5 server [%s] based on legacy krb5_kdcip option\n")); + DEBUG(0, ("Your configuration uses the deprecated option 'krb5_kdcip' " + "to specify the KDC. Please change the configuration to use " + "the 'krb5_server' option instead.")); + } + } + + return EOK; +} + errno_t krb5_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb, const char *conf_path, struct dp_option **_opts) { 
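Review bot: The line `DEBUG(9, ("Set krb5 server [%s] based on legacy krb5_kdcip option\n"));` in krb5_try_kdcip passes a `%s` conversion with no matching argument, so the formatter reads a variadic argument that was never supplied — undefined behavior that can crash the backend or print stray stack memory whenever debug level 9 is enabled. It should be `DEBUG(9, ("Set krb5 server [%s] based on legacy krb5_kdcip option\n", krb5_servers));`. The deprecation warning on the following `DEBUG(0, ...)` also lacks the trailing `\n` every other message in the hunk carries, and `if (krb5_servers != NULL)` opens its brace on its own line while the rest of the function keeps it on the condition line. On the success path the string returned by confdb_get_string stays allocated on memctx; if dp_opt_set_string copies its argument (not visible here), a `talloc_free(krb5_servers)` after the successful set would match what the failure path already does.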
@@ -110,6 +145,14 @@ errno_t krb5_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb, goto done; } + /* If there is no KDC, try the deprecated krb5_kdcip option, too */ + /* FIXME - this can be removed in a future version */ + ret = krb5_try_kdcip(memctx, cdb, conf_path, opts); + if (ret != EOK) { + DEBUG(1, ("sss_krb5_try_kdcip failed.\n")); + goto done; + } + *_opts = opts; ret = EOK; diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h index 6398ea22..a8ebcf5c 100644 --- a/src/providers/krb5/krb5_common.h +++ b/src/providers/krb5/krb5_common.h @@ -112,6 +112,9 @@ struct remove_info_files_ctx { errno_t check_and_export_options(struct dp_option *opts, struct sss_domain_info *dom); +errno_t krb5_try_kdcip(TALLOC_CTX *memctx, struct confdb_ctx *cdb, + const char *conf_path, struct dp_option *opts); + errno_t krb5_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb, const char *conf_path, struct dp_option **_opts); diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c index c457dc55..7facdce5 100644 --- a/src/providers/krb5/krb5_init.c +++ b/src/providers/krb5/krb5_init.c @@ -88,7 +88,7 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, krb5_servers = dp_opt_get_string(ctx->opts, KRB5_KDC); if (krb5_servers == NULL) { - DEBUG(1, ("Missing krb5_kdcip option, using service discovery!\n")); + DEBUG(1, ("Missing krb5_server option, using service discovery!\n")); } krb5_realm = dp_opt_get_string(ctx->opts, KRB5_REALM); -- cgit