From dba7ccc7594be1881967aa274090d61a97aec5fa Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 22 Jul 2015 17:20:11 +0200
Subject: [PATCH 26/27] IPA: Handle sssd-owned keytabs when running as root
https://fedorahosted.org/sssd/ticket/2718
This patch handles the case where the keytab is created with sssd:sssd
ownership (perhaps by the IPA oddjob script) but SSSD runs as root,
which is the default in many distributions.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
---
src/providers/ipa/ipa_subdomains.h | 3 ++
src/providers/ipa/ipa_subdomains_server.c | 46 +++++++++++++++++++++++++------
2 files changed, 41 insertions(+), 8 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h
|
|
|
6cf099 |
index 5bc63a173a1a8967eb5de30a2da84a81377d3900..2302c5f03e80de2ea1efad424769e777cd6dd8d5 100644
|
|
|
6cf099 |
--- a/src/providers/ipa/ipa_subdomains.h
|
|
|
6cf099 |
+++ b/src/providers/ipa/ipa_subdomains.h
|
|
|
6cf099 |
@@ -94,6 +94,9 @@ struct ipa_server_mode_ctx {
|
|
|
6cf099 |
|
|
|
6cf099 |
struct ipa_ad_server_ctx *trusts;
|
|
|
6cf099 |
struct ipa_ext_groups *ext_groups;
|
|
|
6cf099 |
+
|
|
|
6cf099 |
+ uid_t kt_owner_uid;
|
|
|
6cf099 |
+ uid_t kt_owner_gid;
|
|
|
6cf099 |
};
|
|
|
6cf099 |
|
|
|
6cf099 |
int ipa_ad_subdom_init(struct be_ctx *be_ctx,
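Review bot: The second added member is declared `uid_t kt_owner_gid;` but it holds a group id: `ipa_check_keytab` in the same patch takes it as `gid_t`, and its address is passed as the gid out-parameter of `sss_user_by_name_or_uid` in the init hunk. It should read `gid_t kt_owner_gid;`. On glibc both types are `unsigned int`, so this compiles silently today, but the mismatch defeats the type distinction and would break on a platform where the two differ. The remaining members of `struct ipa_server_mode_ctx` are outside this hunk.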
|
|
|
6cf099 |
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
|
|
|
6cf099 |
index a9e2c1f700ef47716be868bad68590b8d5d0d42a..4bfea61e6dd0a02f6b723a39f7ba236c914009b0 100644
|
|
|
6cf099 |
--- a/src/providers/ipa/ipa_subdomains_server.c
|
|
|
6cf099 |
+++ b/src/providers/ipa/ipa_subdomains_server.c
|
|
|
6cf099 |
@@ -520,16 +520,28 @@ static errno_t ipa_getkeytab_recv(struct tevent_req *req, int *child_status)
|
|
|
6cf099 |
return EOK;
|
|
|
6cf099 |
}
|
|
|
6cf099 |
|
|
|
6cf099 |
-static errno_t ipa_check_keytab(const char *keytab)
|
|
|
6cf099 |
+static errno_t ipa_check_keytab(const char *keytab,
|
|
|
6cf099 |
+ uid_t kt_owner_uid,
|
|
|
6cf099 |
+ gid_t kt_owner_gid)
|
|
|
6cf099 |
{
|
|
|
6cf099 |
errno_t ret;
|
|
|
6cf099 |
|
|
|
6cf099 |
ret = check_file(keytab, getuid(), getgid(), S_IFREG|0600, 0, NULL, false);
|
|
|
6cf099 |
- if (ret != EOK) {
|
|
|
6cf099 |
- if (ret != ENOENT) {
|
|
|
6cf099 |
- DEBUG(SSSDBG_OP_FAILURE, "Failed to check for %s\n", keytab);
|
|
|
6cf099 |
- } else {
|
|
|
6cf099 |
- DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
|
|
|
6cf099 |
+ if (ret == ENOENT) {
|
|
|
6cf099 |
+ DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
|
|
|
6cf099 |
+ goto done;
|
|
|
6cf099 |
+ } else if (ret != EOK) {
|
|
|
6cf099 |
+ if (kt_owner_uid) {
|
|
|
6cf099 |
+ ret = check_file(keytab, kt_owner_uid, kt_owner_gid,
|
|
|
6cf099 |
+ S_IFREG|0600, 0, NULL, false);
|
|
|
6cf099 |
+ }
|
|
|
6cf099 |
+
|
|
|
6cf099 |
+ if (ret != EOK) {
|
|
|
6cf099 |
+ if (ret != ENOENT) {
|
|
|
6cf099 |
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to check for %s\n", keytab);
|
|
|
6cf099 |
+ } else {
|
|
|
6cf099 |
+ DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
|
|
|
6cf099 |
+ }
|
|
|
6cf099 |
}
|
|
|
6cf099 |
goto done;
|
|
|
6cf099 |
}
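Review bot: The fallback `check_file` call overwrites `ret` without recording why the `getuid()`/`getgid()` check failed, so for a keytab with the wrong mode or a third owner the log only says "Failed to check for %s" and an operator cannot tell which ownership was expected; log the first failure before retrying, e.g. `DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not owned by the current user, checking for %s ownership\n", keytab, SSSD_USER);`. The `if (kt_owner_uid)` branch also deserves a comment saying why a file owned by the unprivileged SSSD user is trusted by a root process (it is the owner the IPA oddjob helper creates it with, per the commit message, and mode 0600 is still enforced) — otherwise a later reader may read accepting a less-privileged owner for a credential file as a downgrade. Because uid 0 is used as the "not set" sentinel, the fallback is never attempted when `SSSD_USER` resolves to root, which is harmless since the first check already covered that case but is worth stating. The function's `done:` label and return lie past the end of this hunk.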
|
|
|
6cf099 |
@@ -648,7 +660,9 @@ static errno_t ipa_server_trust_add_1way(struct tevent_req *req)
|
|
|
6cf099 |
return EIO;
|
|
|
6cf099 |
}
|
|
|
6cf099 |
|
|
|
6cf099 |
- ret = ipa_check_keytab(state->keytab);
|
|
|
6cf099 |
+ ret = ipa_check_keytab(state->keytab,
|
|
|
6cf099 |
+ state->id_ctx->server_mode->kt_owner_uid,
|
|
|
6cf099 |
+ state->id_ctx->server_mode->kt_owner_gid);
|
|
|
6cf099 |
if (ret == EOK) {
|
|
|
6cf099 |
DEBUG(SSSDBG_TRACE_FUNC,
|
|
|
6cf099 |
"Keytab already present, can add the trust\n");
|
|
|
6cf099 |
@@ -704,7 +718,9 @@ static void ipa_server_trust_1way_kt_done(struct tevent_req *subreq)
|
|
|
6cf099 |
DEBUG(SSSDBG_TRACE_FUNC,
|
|
|
6cf099 |
"Keytab successfully retrieved to %s\n", state->keytab);
|
|
|
6cf099 |
|
|
|
6cf099 |
- ret = ipa_check_keytab(state->keytab);
|
|
|
6cf099 |
+ ret = ipa_check_keytab(state->keytab,
|
|
|
6cf099 |
+ state->id_ctx->server_mode->kt_owner_uid,
|
|
|
6cf099 |
+ state->id_ctx->server_mode->kt_owner_gid);
|
|
|
6cf099 |
if (ret != EOK) {
|
|
|
6cf099 |
DEBUG(SSSDBG_OP_FAILURE, "ipa_check_keytab failed: %d\n", ret);
|
|
|
6cf099 |
tevent_req_error(req, ret);
|
|
|
6cf099 |
@@ -1029,6 +1045,20 @@ int ipa_ad_subdom_init(struct be_ctx *be_ctx,
|
|
|
6cf099 |
id_ctx->server_mode->hostname = hostname;
|
|
|
6cf099 |
id_ctx->server_mode->trusts = NULL;
|
|
|
6cf099 |
id_ctx->server_mode->ext_groups = NULL;
|
|
|
6cf099 |
+ id_ctx->server_mode->kt_owner_uid = 0;
|
|
|
6cf099 |
+ id_ctx->server_mode->kt_owner_gid = 0;
|
|
|
6cf099 |
+
|
|
|
6cf099 |
+ if (getuid() == 0) {
|
|
|
6cf099 |
+ /* We need to handle keytabs created by IPA oddjob script gracefully
|
|
|
6cf099 |
+ * even if we're running as root and IPA creates them as the SSSD user
|
|
|
6cf099 |
+ */
|
|
|
6cf099 |
+ ret = sss_user_by_name_or_uid(SSSD_USER,
|
|
|
6cf099 |
+ &id_ctx->server_mode->kt_owner_uid,
|
|
|
6cf099 |
+ &id_ctx->server_mode->kt_owner_gid);
|
|
|
6cf099 |
+ if (ret != EOK) {
|
|
|
6cf099 |
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get ID of %s\n", SSSD_USER);
|
|
|
6cf099 |
+ }
|
|
|
6cf099 |
+ }
|
|
|
6cf099 |
|
|
|
6cf099 |
ret = ipa_ad_subdom_reinit(be_ctx, be_ctx->ev,
|
|
|
6cf099 |
be_ctx, id_ctx, be_ctx->domain);
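Review bot: When `sss_user_by_name_or_uid` fails the code only logs a minor failure and relies on the fields still holding the zeros assigned a few lines earlier to keep the fallback in `ipa_check_keytab` disabled; whether the helper leaves its out-parameters untouched on error (for example after resolving the uid but failing on the gid) is not visible here, so reset both explicitly in the error branch, `id_ctx->server_mode->kt_owner_uid = 0;` and `id_ctx->server_mode->kt_owner_gid = 0;`. The log message should also state the consequence, e.g. `"Failed to get ID of %s, keytabs owned by that user will not be accepted\n"`, since the trust-add path will otherwise fail later with a less obvious error. `ipa_ad_subdom_init` begins and continues outside this hunk.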
--
2.4.3