|
 |
905b4d |
From c230bce668a65649e9f2ca8b4424148ef9e19491 Mon Sep 17 00:00:00 2001
|
|
|
905b4d |
From: Sumit Bose <sbose@redhat.com>
|
|
|
905b4d |
Date: Fri, 21 Nov 2014 18:07:10 +0100
|
|
|
905b4d |
Subject: [PATCH 109/112] AD/IPA: add krb5_confd_path configuration option
|
|
|
905b4d |
|
|
|
905b4d |
With this new parameter the directory where Kerberos configuration
|
|
|
905b4d |
snippets are created can be specified.
|
|
|
905b4d |
|
|
|
905b4d |
Fixes https://fedorahosted.org/sssd/ticket/2473
|
|
|
905b4d |
|
|
|
905b4d |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
905b4d |
---
|
|
|
905b4d |
src/config/SSSDConfig/__init__.py.in | 1 +
|
|
|
905b4d |
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
|
|
|
905b4d |
src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
|
|
|
905b4d |
src/man/sssd-ad.5.xml | 18 ++++
|
|
|
905b4d |
src/man/sssd-ipa.5.xml | 18 ++++
|
|
|
905b4d |
src/providers/ad/ad_common.h | 1 +
|
|
|
905b4d |
src/providers/ad/ad_opts.h | 1 +
|
|
|
905b4d |
src/providers/ad/ad_subdomains.c | 8 ++
|
|
|
905b4d |
src/providers/ipa/ipa_common.h | 1 +
|
|
|
905b4d |
src/providers/ipa/ipa_opts.h | 1 +
|
|
|
905b4d |
src/providers/ipa/ipa_subdomains.c | 8 ++
|
|
|
905b4d |
src/tests/cmocka/test_utils.c | 48 +++++++++++
|
|
|
905b4d |
src/util/domain_info_utils.c | 146 +++++++++++++++++++++++++++++++-
|
|
|
905b4d |
src/util/util.h | 6 ++
|
|
|
905b4d |
14 files changed, 256 insertions(+), 3 deletions(-)
|
|
|
905b4d |
|
|
|
905b4d |
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
|
|
905b4d |
index 283ed2d37c894db95bac38c23d25c4ac8d1f4a40..500bd717fec7abcaafd5153ccca7847b91e208ad 100644
|
|
|
905b4d |
--- a/src/config/SSSDConfig/__init__.py.in
|
|
|
905b4d |
+++ b/src/config/SSSDConfig/__init__.py.in
|
|
|
905b4d |
@@ -195,6 +195,7 @@ option_strings = {
|
|
|
905b4d |
'krb5_realm' : _('Kerberos realm'),
|
|
|
905b4d |
'krb5_auth_timeout' : _('Authentication timeout'),
|
|
|
905b4d |
'krb5_use_kdcinfo' : _('Whether to create kdcinfo files'),
|
|
|
905b4d |
+ 'krb5_confd_path' : _('Where to drop krb5 config snippets'),
|
|
|
905b4d |
|
|
|
905b4d |
# [provider/krb5/auth]
|
|
|
905b4d |
'krb5_ccachedir' : _('Directory to store credential caches'),
|
|
|
905b4d |
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
|
|
|
905b4d |
index 3daa2560b14d74f7686ed47cf1b09e2005eb8917..3496fb4006697d380f7c9729ed9997272cbce2ea 100644
|
|
|
905b4d |
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
|
|
|
905b4d |
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
|
|
|
905b4d |
@@ -54,6 +54,7 @@ ldap_page_size = int, None, false
|
|
|
905b4d |
ldap_deref_threshold = int, None, false
|
|
|
905b4d |
ldap_connection_expire_timeout = int, None, false
|
|
|
905b4d |
ldap_disable_paging = bool, None, false
|
|
|
905b4d |
+krb5_confd_path = str, None, false
|
|
|
905b4d |
|
|
|
905b4d |
[provider/ad/id]
|
|
|
905b4d |
ldap_search_timeout = int, None, false
|
|
|
905b4d |
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
|
|
|
905b4d |
index 5df52581e67657e41e2f08820b885f100ccd7ca9..2a3b7ef1519e3476cb4b432336da0c359b1844ba 100644
|
|
|
905b4d |
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
|
|
|
905b4d |
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
|
|
|
905b4d |
@@ -51,6 +51,7 @@ ldap_page_size = int, None, false
|
|
|
905b4d |
ldap_deref_threshold = int, None, false
|
|
|
905b4d |
ldap_connection_expire_timeout = int, None, false
|
|
|
905b4d |
ldap_disable_paging = bool, None, false
|
|
|
905b4d |
+krb5_confd_path = str, None, false
|
|
|
905b4d |
|
|
|
905b4d |
[provider/ipa/id]
|
|
|
905b4d |
ldap_search_timeout = int, None, false
|
|
|
905b4d |
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
|
|
|
905b4d |
index f63a496d9c7294749fb046995985985e2cae4a57..4e29d4f75cae5bf17e4bb85fa46c921b25ee8047 100644
|
|
|
905b4d |
--- a/src/man/sssd-ad.5.xml
|
|
|
905b4d |
+++ b/src/man/sssd-ad.5.xml
|
|
|
905b4d |
@@ -778,6 +778,24 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
|
|
|
905b4d |
</para>
|
|
|
905b4d |
</listitem>
|
|
|
905b4d |
</varlistentry>
|
|
|
905b4d |
+
|
|
|
905b4d |
+ <varlistentry>
|
|
|
905b4d |
+ <term>krb5_confd_path (string)</term>
|
|
|
905b4d |
+ <listitem>
|
|
|
905b4d |
+ <para>
|
|
|
905b4d |
+ Absolute path of a directory where SSSD should place
|
|
|
905b4d |
+ Kerberos configuration snippets.
|
|
|
905b4d |
+ </para>
|
|
|
905b4d |
+ <para>
|
|
|
905b4d |
+ To disable the creation of the configuration
|
|
|
905b4d |
+ snippets set the parameter to 'none'.
|
|
|
905b4d |
+ </para>
|
|
|
905b4d |
+ <para>
|
|
|
905b4d |
+ Default: not set (krb5.include.d subdirectory of
|
|
|
905b4d |
+ SSSD's pubconf directory)
|
|
|
905b4d |
+ </para>
|
|
|
905b4d |
+ </listitem>
|
|
|
905b4d |
+ </varlistentry>
|
|
|
905b4d |
</variablelist>
|
|
|
905b4d |
</para>
|
|
|
905b4d |
</refsect1>
|
|
|
905b4d |
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
|
|
|
905b4d |
index e8a716c4104b8038e354b8ae544a04d6773e708b..2d8654a3cde76ab205766f8fdcb836aa1002cd43 100644
|
|
|
905b4d |
--- a/src/man/sssd-ipa.5.xml
|
|
|
905b4d |
+++ b/src/man/sssd-ipa.5.xml
|
|
|
905b4d |
@@ -447,6 +447,24 @@
|
|
|
905b4d |
</varlistentry>
|
|
|
905b4d |
|
|
|
905b4d |
<varlistentry>
|
|
|
905b4d |
+ <term>krb5_confd_path (string)</term>
|
|
|
905b4d |
+ <listitem>
|
|
|
905b4d |
+ <para>
|
|
|
905b4d |
+ Absolute path of a directory where SSSD should place
|
|
|
905b4d |
+ Kerberos configuration snippets.
|
|
|
905b4d |
+ </para>
|
|
|
905b4d |
+ <para>
|
|
|
905b4d |
+ To disable the creation of the configuration
|
|
|
905b4d |
+ snippets set the parameter to 'none'.
|
|
|
905b4d |
+ </para>
|
|
|
905b4d |
+ <para>
|
|
|
905b4d |
+ Default: not set (krb5.include.d subdirectory of
|
|
|
905b4d |
+ SSSD's pubconf directory)
|
|
|
905b4d |
+ </para>
|
|
|
905b4d |
+ </listitem>
|
|
|
905b4d |
+ </varlistentry>
|
|
|
905b4d |
+
|
|
|
905b4d |
+ <varlistentry>
|
|
|
905b4d |
<term>ipa_hbac_refresh (integer)</term>
|
|
|
905b4d |
<listitem>
|
|
|
905b4d |
<para>
|
|
|
905b4d |
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
|
|
|
905b4d |
index df8dcffea5f98030f6d5a6c98e95a7d887ace7fd..b39ade40cd00ad5fccdb5d4bf4df8790eb634a51 100644
|
|
|
905b4d |
--- a/src/providers/ad/ad_common.h
|
|
|
905b4d |
+++ b/src/providers/ad/ad_common.h
|
|
|
905b4d |
@@ -60,6 +60,7 @@ enum ad_basic_opt {
|
|
|
905b4d |
AD_GPO_MAP_PERMIT,
|
|
|
905b4d |
AD_GPO_MAP_DENY,
|
|
|
905b4d |
AD_GPO_DEFAULT_RIGHT,
|
|
|
905b4d |
+ AD_KRB5_CONFD_PATH,
|
|
|
905b4d |
|
|
|
905b4d |
AD_OPTS_BASIC /* opts counter */
|
|
|
905b4d |
};
|
|
|
905b4d |
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
|
|
|
905b4d |
index ac6006c9200464956ccedb17ff53050fed5fc6ea..c3de3d94b1818665a86bba8a2432c699717b6a34 100644
|
|
|
905b4d |
--- a/src/providers/ad/ad_opts.h
|
|
|
905b4d |
+++ b/src/providers/ad/ad_opts.h
|
|
|
905b4d |
@@ -48,6 +48,7 @@ struct dp_option ad_basic_opts[] = {
|
|
|
905b4d |
{ "ad_gpo_map_permit", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
|
|
905b4d |
{ "ad_gpo_map_deny", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
|
|
905b4d |
{ "ad_gpo_default_right", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
|
|
905b4d |
+ { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
|
|
|
905b4d |
DP_OPTION_TERMINATOR
|
|
|
905b4d |
};
|
|
|
905b4d |
|
|
|
905b4d |
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
|
|
905b4d |
index bc5bc8914ce84ecfbff69ff837250b5bf3a3515b..3c61d13522c7c773171ea8645dddb417e610745c 100644
|
|
|
905b4d |
--- a/src/providers/ad/ad_subdomains.c
|
|
|
905b4d |
+++ b/src/providers/ad/ad_subdomains.c
|
|
|
905b4d |
@@ -461,6 +461,14 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *ctx)
|
|
|
905b4d |
{
|
|
|
905b4d |
errno_t ret;
|
|
|
905b4d |
|
|
|
905b4d |
+ ret = sss_write_krb5_conf_snippet(
|
|
|
905b4d |
+ dp_opt_get_string(ctx->ad_id_ctx->ad_options->basic,
|
|
|
905b4d |
+ AD_KRB5_CONFD_PATH));
|
|
|
905b4d |
+ if (ret != EOK) {
|
|
|
905b4d |
+ DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
|
|
|
905b4d |
+ /* Just continue */
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+
|
|
|
905b4d |
ret = sysdb_update_subdomains(ctx->be_ctx->domain);
|
|
|
905b4d |
if (ret != EOK) {
|
|
|
905b4d |
DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_subdomains failed.\n");
|
|
|
905b4d |
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
|
|
|
905b4d |
index 495276548e57e91f9744dda6d8866971b627b4da..33085197c2a4807d4546289ead4c30d891d0d2c0 100644
|
|
|
905b4d |
--- a/src/providers/ipa/ipa_common.h
|
|
|
905b4d |
+++ b/src/providers/ipa/ipa_common.h
|
|
|
905b4d |
@@ -54,6 +54,7 @@ enum ipa_basic_opt {
|
|
|
905b4d |
IPA_ENABLE_DNS_SITES,
|
|
|
905b4d |
IPA_SERVER_MODE,
|
|
|
905b4d |
IPA_VIEWS_SEARCH_BASE,
|
|
|
905b4d |
+ IPA_KRB5_CONFD_PATH,
|
|
|
905b4d |
|
|
|
905b4d |
IPA_OPTS_BASIC /* opts counter */
|
|
|
905b4d |
};
|
|
|
905b4d |
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
|
|
|
905b4d |
index 59282e8699091fbccf08ddfc6825034d4f81a87f..f77ff1d05b9540155db44d04d4fb3aac9d7b5988 100644
|
|
|
905b4d |
--- a/src/providers/ipa/ipa_opts.h
|
|
|
905b4d |
+++ b/src/providers/ipa/ipa_opts.h
|
|
|
905b4d |
@@ -51,6 +51,7 @@ struct dp_option ipa_basic_opts[] = {
|
|
|
905b4d |
{ "ipa_enable_dns_sites", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
|
|
905b4d |
{ "ipa_server_mode", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
|
|
905b4d |
{ "ipa_views_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
|
|
905b4d |
+ { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
|
|
|
905b4d |
DP_OPTION_TERMINATOR
|
|
|
905b4d |
};
|
|
|
905b4d |
|
|
|
905b4d |
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
|
|
|
905b4d |
index 9281aab1b028ebcaee8044b2768c6918efa4e514..883558c4d79d2da64ef6f010982ac89ccfae4e4f 100644
|
|
|
905b4d |
--- a/src/providers/ipa/ipa_subdomains.c
|
|
|
905b4d |
+++ b/src/providers/ipa/ipa_subdomains.c
|
|
|
905b4d |
@@ -312,6 +312,14 @@ ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx)
|
|
|
905b4d |
{
|
|
|
905b4d |
errno_t ret;
|
|
|
905b4d |
|
|
|
905b4d |
+ ret = sss_write_krb5_conf_snippet(
|
|
|
905b4d |
+ dp_opt_get_string(ctx->id_ctx->ipa_options->basic,
|
|
|
905b4d |
+ IPA_KRB5_CONFD_PATH));
|
|
|
905b4d |
+ if (ret != EOK) {
|
|
|
905b4d |
+ DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
|
|
|
905b4d |
+ /* Just continue */
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+
|
|
|
905b4d |
ret = sysdb_update_subdomains(ctx->be_ctx->domain);
|
|
|
905b4d |
if (ret != EOK) {
|
|
|
905b4d |
DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_subdomains failed.\n");
|
|
|
905b4d |
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
|
|
|
905b4d |
index d9781377be70a0d58b0fd1fff2145483dbeb199c..5dc00c4cc9707776fabda50ad1eab8e582b16c0f 100644
|
|
|
905b4d |
--- a/src/tests/cmocka/test_utils.c
|
|
|
905b4d |
+++ b/src/tests/cmocka/test_utils.c
|
|
|
905b4d |
@@ -20,6 +20,8 @@
|
|
|
905b4d |
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
905b4d |
*/
|
|
|
905b4d |
|
|
|
905b4d |
+#define _GNU_SOURCE
|
|
|
905b4d |
+#include <stdio.h>
|
|
|
905b4d |
#include <popt.h>
|
|
|
905b4d |
|
|
|
905b4d |
#include "tests/cmocka/common_mock.h"
|
|
|
905b4d |
@@ -983,6 +985,51 @@ void test_add_strings_lists(void **state)
|
|
|
905b4d |
talloc_free(res);
|
|
|
905b4d |
}
|
|
|
905b4d |
|
|
|
905b4d |
+void test_sss_write_krb5_conf_snippet(void **state)
|
|
|
905b4d |
+{
|
|
|
905b4d |
+ int ret;
|
|
|
905b4d |
+ char buf[PATH_MAX];
|
|
|
905b4d |
+ char *cwd;
|
|
|
905b4d |
+ char *path;
|
|
|
905b4d |
+ char *file;
|
|
|
905b4d |
+
|
|
|
905b4d |
+ ret = sss_write_krb5_conf_snippet(NULL);
|
|
|
905b4d |
+ assert_int_equal(ret, EINVAL);
|
|
|
905b4d |
+
|
|
|
905b4d |
+ ret = sss_write_krb5_conf_snippet("abc");
|
|
|
905b4d |
+ assert_int_equal(ret, EINVAL);
|
|
|
905b4d |
+
|
|
|
905b4d |
+ ret = sss_write_krb5_conf_snippet("");
|
|
|
905b4d |
+ assert_int_equal(ret, EOK);
|
|
|
905b4d |
+
|
|
|
905b4d |
+ ret = sss_write_krb5_conf_snippet("none");
|
|
|
905b4d |
+ assert_int_equal(ret, EOK);
|
|
|
905b4d |
+
|
|
|
905b4d |
+ cwd = getcwd(buf, PATH_MAX);
|
|
|
905b4d |
+ assert_non_null(cwd);
|
|
|
905b4d |
+
|
|
|
905b4d |
+ ret = asprintf(&path, "%s/%s", cwd, TESTS_PATH);
|
|
|
905b4d |
+ assert_true(ret > 0);
|
|
|
905b4d |
+
|
|
|
905b4d |
+ ret = asprintf(&file, "%s/%s/localauth_plugin", cwd, TESTS_PATH);
|
|
|
905b4d |
+ assert_true(ret > 0);
|
|
|
905b4d |
+
|
|
|
905b4d |
+ ret = sss_write_krb5_conf_snippet(path);
|
|
|
905b4d |
+ assert_int_equal(ret, EOK);
|
|
|
905b4d |
+
|
|
|
905b4d |
+ /* Check if writing a second time will work as well */
|
|
|
905b4d |
+ ret = sss_write_krb5_conf_snippet(path);
|
|
|
905b4d |
+ assert_int_equal(ret, EOK);
|
|
|
905b4d |
+
|
|
|
905b4d |
+#ifdef HAVE_KRB5_LOCALAUTH_PLUGIN
|
|
|
905b4d |
+ ret = unlink(file);
|
|
|
905b4d |
+ assert_int_equal(ret, EOK);
|
|
|
905b4d |
+#endif
|
|
|
905b4d |
+
|
|
|
905b4d |
+ free(file);
|
|
|
905b4d |
+ free(path);
|
|
|
905b4d |
+}
|
|
|
905b4d |
+
|
|
|
905b4d |
int main(int argc, const char *argv[])
|
|
|
905b4d |
{
|
|
|
905b4d |
poptContext pc;
|
|
|
905b4d |
@@ -1030,6 +1077,7 @@ int main(int argc, const char *argv[])
|
|
|
905b4d |
unit_test_setup_teardown(test_add_strings_lists,
|
|
|
905b4d |
setup_add_strings_lists,
|
|
|
905b4d |
teardown_add_strings_lists),
|
|
|
905b4d |
+ unit_test(test_sss_write_krb5_conf_snippet),
|
|
|
905b4d |
};
|
|
|
905b4d |
|
|
|
905b4d |
/* Set debug level to invalid value so we can deside if -d 0 was used. */
|
|
|
905b4d |
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
|
|
|
905b4d |
index 4e2c14c9432d38502422ddf2b0cb2b655a68d1cc..e04b905768078c503168f27327f974c0f19a6775 100644
|
|
|
905b4d |
--- a/src/util/domain_info_utils.c
|
|
|
905b4d |
+++ b/src/util/domain_info_utils.c
|
|
|
905b4d |
@@ -24,9 +24,6 @@
|
|
|
905b4d |
#include "db/sysdb.h"
|
|
|
905b4d |
#include "util/util.h"
|
|
|
905b4d |
|
|
|
905b4d |
-/* the directory domain - realm mappings are written to */
|
|
|
905b4d |
-#define KRB5_MAPPING_DIR PUBCONF_PATH"/krb5.include.d"
|
|
|
905b4d |
-
|
|
|
905b4d |
struct sss_domain_info *get_domains_head(struct sss_domain_info *domain)
|
|
|
905b4d |
{
|
|
|
905b4d |
struct sss_domain_info *dom = NULL;
|
|
|
905b4d |
@@ -637,3 +634,146 @@ done:
|
|
|
905b4d |
talloc_free(tmp_ctx);
|
|
|
905b4d |
return ret;
|
|
|
905b4d |
}
|
|
|
905b4d |
+
|
|
|
905b4d |
+#define LOCALAUTH_PLUGIN_CONFIG \
|
|
|
905b4d |
+"[plugins]\n" \
|
|
|
905b4d |
+" localauth = {\n" \
|
|
|
905b4d |
+" module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
|
|
|
905b4d |
+" enable_only = sssd\n" \
|
|
|
905b4d |
+" }"
|
|
|
905b4d |
+
|
|
|
905b4d |
+static errno_t sss_write_krb5_localauth_snippet(const char *path)
|
|
|
905b4d |
+{
|
|
|
905b4d |
+#ifdef HAVE_KRB5_LOCALAUTH_PLUGIN
|
|
|
905b4d |
+ int ret;
|
|
|
905b4d |
+ errno_t err;
|
|
|
905b4d |
+ TALLOC_CTX *tmp_ctx = NULL;
|
|
|
905b4d |
+ char *tmp_file = NULL;
|
|
|
905b4d |
+ const char *file_name;
|
|
|
905b4d |
+ int fd = -1;
|
|
|
905b4d |
+ mode_t old_mode;
|
|
|
905b4d |
+ ssize_t written;
|
|
|
905b4d |
+ size_t size;
|
|
|
905b4d |
+
|
|
|
905b4d |
+ tmp_ctx = talloc_new(NULL);
|
|
|
905b4d |
+ if (tmp_ctx == NULL) {
|
|
|
905b4d |
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
|
|
|
905b4d |
+ return ENOMEM;
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+
|
|
|
905b4d |
+ file_name = talloc_asprintf(tmp_ctx, "%s/localauth_plugin", path);
|
|
|
905b4d |
+ if (file_name == NULL) {
|
|
|
905b4d |
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
|
|
|
905b4d |
+ ret = ENOMEM;
|
|
|
905b4d |
+ goto done;
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+
|
|
|
905b4d |
+ DEBUG(SSSDBG_FUNC_DATA, "File for localauth plugin configuration is [%s]\n",
|
|
|
905b4d |
+ file_name);
|
|
|
905b4d |
+
|
|
|
905b4d |
+ tmp_file = talloc_asprintf(tmp_ctx, "%sXXXXXX", file_name);
|
|
|
905b4d |
+ if (tmp_file == NULL) {
|
|
|
905b4d |
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
|
|
|
905b4d |
+ ret = ENOMEM;
|
|
|
905b4d |
+ goto done;
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+
|
|
|
905b4d |
+ old_mode = umask(077);
|
|
|
905b4d |
+ fd = mkstemp(tmp_file);
|
|
|
905b4d |
+ umask(old_mode);
|
|
|
905b4d |
+ if (fd < 0) {
|
|
|
905b4d |
+ DEBUG(SSSDBG_OP_FAILURE, "creating the temp file [%s] for domain-realm "
|
|
|
905b4d |
+ "mappings failed.", tmp_file);
|
|
|
905b4d |
+ ret = EIO;
|
|
|
905b4d |
+ talloc_zfree(tmp_ctx);
|
|
|
905b4d |
+ goto done;
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+
|
|
|
905b4d |
+ size = sizeof(LOCALAUTH_PLUGIN_CONFIG) -1;
|
|
|
905b4d |
+ written = sss_atomic_write_s(fd, discard_const(LOCALAUTH_PLUGIN_CONFIG),
|
|
|
905b4d |
+ size);
|
|
|
905b4d |
+ close(fd);
|
|
|
905b4d |
+ if (written == -1) {
|
|
|
905b4d |
+ ret = errno;
|
|
|
905b4d |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
905b4d |
+ "write failed [%d][%s]\n", ret, sss_strerror(ret));
|
|
|
905b4d |
+ goto done;
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+
|
|
|
905b4d |
+ if (written != size) {
|
|
|
905b4d |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
905b4d |
+ "Wrote %zd bytes expected %zu\n", written, size);
|
|
|
905b4d |
+ ret = EIO;
|
|
|
905b4d |
+ goto done;
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+
|
|
|
905b4d |
+ ret = rename(tmp_file, file_name);
|
|
|
905b4d |
+ if (ret == -1) {
|
|
|
905b4d |
+ ret = errno;
|
|
|
905b4d |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
905b4d |
+ "rename failed [%d][%s].\n", ret, sss_strerror(ret));
|
|
|
905b4d |
+ goto done;
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+ tmp_file = NULL;
|
|
|
905b4d |
+
|
|
|
905b4d |
+ ret = chmod(file_name, 0644);
|
|
|
905b4d |
+ if (ret == -1) {
|
|
|
905b4d |
+ ret = errno;
|
|
|
905b4d |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
905b4d |
+ "chmod failed [%d][%s].\n", ret, sss_strerror(ret));
|
|
|
905b4d |
+ goto done;
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+
|
|
|
905b4d |
+done:
|
|
|
905b4d |
+ if (tmp_file != NULL) {
|
|
|
905b4d |
+ err = unlink(tmp_file);
|
|
|
905b4d |
+ if (err == -1) {
|
|
|
905b4d |
+ err = errno;
|
|
|
905b4d |
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
|
|
905b4d |
+ "Could not remove file [%s]: [%d]: %s",
|
|
|
905b4d |
+ tmp_file, err, sss_strerror(err));
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+
|
|
|
905b4d |
+ talloc_free(tmp_ctx);
|
|
|
905b4d |
+ return ret;
|
|
|
905b4d |
+#else
|
|
|
905b4d |
+ DEBUG(SSSDBG_TRACE_ALL, "Kerberos localauth plugin not available.\n");
|
|
|
905b4d |
+ return EOK;
|
|
|
905b4d |
+#endif
|
|
|
905b4d |
+}
|
|
|
905b4d |
+
|
|
|
905b4d |
+errno_t sss_write_krb5_conf_snippet(const char *path)
|
|
|
905b4d |
+{
|
|
|
905b4d |
+ errno_t ret;
|
|
|
905b4d |
+ errno_t err;
|
|
|
905b4d |
+
|
|
|
905b4d |
+ if (path != NULL && (*path == '\0' || strcasecmp(path, "none") == 0)) {
|
|
|
905b4d |
+ DEBUG(SSSDBG_TRACE_FUNC, "Empty path, nothing to do.\n");
|
|
|
905b4d |
+ return EOK;
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+
|
|
|
905b4d |
+ if (path == NULL || *path != '/') {
|
|
|
905b4d |
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid or missing path [%s]-\n",
|
|
|
905b4d |
+ path == NULL ? "missing" : path);
|
|
|
905b4d |
+ return EINVAL;
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+
|
|
|
905b4d |
+ ret = sss_write_krb5_localauth_snippet(path);
|
|
|
905b4d |
+ if (ret != EOK) {
|
|
|
905b4d |
+ DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_localauth_snippet failed.\n");
|
|
|
905b4d |
+ goto done;
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+
|
|
|
905b4d |
+ ret = EOK;
|
|
|
905b4d |
+
|
|
|
905b4d |
+done:
|
|
|
905b4d |
+ err = sss_krb5_touch_config();
|
|
|
905b4d |
+ if (err != EOK) {
|
|
|
905b4d |
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to change last modification time "
|
|
|
905b4d |
+ "of krb5.conf. Created mappings may not be loaded.\n");
|
|
|
905b4d |
+ /* Ignore */
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+
|
|
|
905b4d |
+ return ret;
|
|
|
905b4d |
+}
|
|
|
905b4d |
diff --git a/src/util/util.h b/src/util/util.h
|
|
|
905b4d |
index 7c335b9a2ac2599304731082845fd382dc62465f..45efd1aef94c2e058a435933e7c41adaecc676e2 100644
|
|
|
905b4d |
--- a/src/util/util.h
|
|
|
905b4d |
+++ b/src/util/util.h
|
|
|
905b4d |
@@ -576,8 +576,14 @@ errno_t sssd_domain_init(TALLOC_CTX *mem_ctx,
|
|
|
905b4d |
|
|
|
905b4d |
#define DOM_HAS_VIEWS(dom) ((dom)->has_views)
|
|
|
905b4d |
|
|
|
905b4d |
+/* the directory domain - realm mappings and other krb5 config snippers are
|
|
|
905b4d |
+ * written to */
|
|
|
905b4d |
+#define KRB5_MAPPING_DIR PUBCONF_PATH"/krb5.include.d"
|
|
|
905b4d |
+
|
|
|
905b4d |
errno_t sss_write_domain_mappings(struct sss_domain_info *domain);
|
|
|
905b4d |
|
|
|
905b4d |
+errno_t sss_write_krb5_conf_snippet(const char *path);
|
|
|
905b4d |
+
|
|
|
905b4d |
errno_t get_dom_names(TALLOC_CTX *mem_ctx,
|
|
|
905b4d |
struct sss_domain_info *start_dom,
|
|
|
905b4d |
char ***_dom_names,
|
|
|
905b4d |
--
|
|
|
905b4d |
1.9.3
|
|
|
905b4d |
|