dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Blob Blame History Raw
From c230bce668a65649e9f2ca8b4424148ef9e19491 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 21 Nov 2014 18:07:10 +0100
Subject: [PATCH 109/112] AD/IPA: add krb5_confd_path configuration option

With this new parameter the directory where Kerberos configuration
snippets are created can be specified.

Fixes https://fedorahosted.org/sssd/ticket/2473

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/config/SSSDConfig/__init__.py.in    |   1 +
 src/config/etc/sssd.api.d/sssd-ad.conf  |   1 +
 src/config/etc/sssd.api.d/sssd-ipa.conf |   1 +
 src/man/sssd-ad.5.xml                   |  18 ++++
 src/man/sssd-ipa.5.xml                  |  18 ++++
 src/providers/ad/ad_common.h            |   1 +
 src/providers/ad/ad_opts.h              |   1 +
 src/providers/ad/ad_subdomains.c        |   8 ++
 src/providers/ipa/ipa_common.h          |   1 +
 src/providers/ipa/ipa_opts.h            |   1 +
 src/providers/ipa/ipa_subdomains.c      |   8 ++
 src/tests/cmocka/test_utils.c           |  48 +++++++++++
 src/util/domain_info_utils.c            | 146 +++++++++++++++++++++++++++++++-
 src/util/util.h                         |   6 ++
 14 files changed, 256 insertions(+), 3 deletions(-)

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 283ed2d37c894db95bac38c23d25c4ac8d1f4a40..500bd717fec7abcaafd5153ccca7847b91e208ad 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -195,6 +195,7 @@ option_strings = {
     'krb5_realm' : _('Kerberos realm'),
     'krb5_auth_timeout' : _('Authentication timeout'),
     'krb5_use_kdcinfo' : _('Whether to create kdcinfo files'),
+    'krb5_confd_path' : _('Where to drop krb5 config snippets'),
 
     # [provider/krb5/auth]
     'krb5_ccachedir' : _('Directory to store credential caches'),
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 3daa2560b14d74f7686ed47cf1b09e2005eb8917..3496fb4006697d380f7c9729ed9997272cbce2ea 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -54,6 +54,7 @@ ldap_page_size = int, None, false
 ldap_deref_threshold = int, None, false
 ldap_connection_expire_timeout = int, None, false
 ldap_disable_paging = bool, None, false
+krb5_confd_path = str, None, false
 
 [provider/ad/id]
 ldap_search_timeout = int, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 5df52581e67657e41e2f08820b885f100ccd7ca9..2a3b7ef1519e3476cb4b432336da0c359b1844ba 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -51,6 +51,7 @@ ldap_page_size = int, None, false
 ldap_deref_threshold = int, None, false
 ldap_connection_expire_timeout = int, None, false
 ldap_disable_paging = bool, None, false
+krb5_confd_path = str, None, false
 
 [provider/ipa/id]
 ldap_search_timeout = int, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index f63a496d9c7294749fb046995985985e2cae4a57..4e29d4f75cae5bf17e4bb85fa46c921b25ee8047 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -778,6 +778,24 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
                         </para>
                     </listitem>
                 </varlistentry>
+
+                <varlistentry>
+                    <term>krb5_confd_path (string)</term>
+                    <listitem>
+                        <para>
+                            Absolute path of a directory where SSSD should place
+                            Kerberos configuration snippets.
+                        </para>
+                        <para>
+                            To disable the creation of the configuration
+                            snippets set the parameter to 'none'.
+                        </para>
+                        <para>
+                            Default: not set (krb5.include.d subdirectory of
+                            SSSD's pubconf directory)
+                        </para>
+                    </listitem>
+                </varlistentry>
             </variablelist>
         </para>
     </refsect1>
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index e8a716c4104b8038e354b8ae544a04d6773e708b..2d8654a3cde76ab205766f8fdcb836aa1002cd43 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -447,6 +447,24 @@
                 </varlistentry>
 
                 <varlistentry>
+                    <term>krb5_confd_path (string)</term>
+                    <listitem>
+                        <para>
+                            Absolute path of a directory where SSSD should place
+                            Kerberos configuration snippets.
+                        </para>
+                        <para>
+                            To disable the creation of the configuration
+                            snippets set the parameter to 'none'.
+                        </para>
+                        <para>
+                            Default: not set (krb5.include.d subdirectory of
+                            SSSD's pubconf directory)
+                        </para>
+                    </listitem>
+                </varlistentry>
+
+                <varlistentry>
                     <term>ipa_hbac_refresh (integer)</term>
                     <listitem>
                         <para>
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index df8dcffea5f98030f6d5a6c98e95a7d887ace7fd..b39ade40cd00ad5fccdb5d4bf4df8790eb634a51 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -60,6 +60,7 @@ enum ad_basic_opt {
     AD_GPO_MAP_PERMIT,
     AD_GPO_MAP_DENY,
     AD_GPO_DEFAULT_RIGHT,
+    AD_KRB5_CONFD_PATH,
 
     AD_OPTS_BASIC /* opts counter */
 };
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index ac6006c9200464956ccedb17ff53050fed5fc6ea..c3de3d94b1818665a86bba8a2432c699717b6a34 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -48,6 +48,7 @@ struct dp_option ad_basic_opts[] = {
     { "ad_gpo_map_permit", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ad_gpo_map_deny", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ad_gpo_default_right", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
     DP_OPTION_TERMINATOR
 };
 
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index bc5bc8914ce84ecfbff69ff837250b5bf3a3515b..3c61d13522c7c773171ea8645dddb417e610745c 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -461,6 +461,14 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *ctx)
 {
     errno_t ret;
 
+    ret = sss_write_krb5_conf_snippet(
+                            dp_opt_get_string(ctx->ad_id_ctx->ad_options->basic,
+                                              AD_KRB5_CONFD_PATH));
+    if (ret != EOK) {
+        DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
+        /* Just continue */
+    }
+
     ret = sysdb_update_subdomains(ctx->be_ctx->domain);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_subdomains failed.\n");
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 495276548e57e91f9744dda6d8866971b627b4da..33085197c2a4807d4546289ead4c30d891d0d2c0 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -54,6 +54,7 @@ enum ipa_basic_opt {
     IPA_ENABLE_DNS_SITES,
     IPA_SERVER_MODE,
     IPA_VIEWS_SEARCH_BASE,
+    IPA_KRB5_CONFD_PATH,
 
     IPA_OPTS_BASIC /* opts counter */
 };
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 59282e8699091fbccf08ddfc6825034d4f81a87f..f77ff1d05b9540155db44d04d4fb3aac9d7b5988 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -51,6 +51,7 @@ struct dp_option ipa_basic_opts[] = {
     { "ipa_enable_dns_sites", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ipa_server_mode", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ipa_views_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
     DP_OPTION_TERMINATOR
 };
 
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 9281aab1b028ebcaee8044b2768c6918efa4e514..883558c4d79d2da64ef6f010982ac89ccfae4e4f 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -312,6 +312,14 @@ ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx)
 {
     errno_t ret;
 
+    ret = sss_write_krb5_conf_snippet(
+                              dp_opt_get_string(ctx->id_ctx->ipa_options->basic,
+                                                IPA_KRB5_CONFD_PATH));
+    if (ret != EOK) {
+        DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
+        /* Just continue */
+    }
+
     ret = sysdb_update_subdomains(ctx->be_ctx->domain);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_subdomains failed.\n");
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index d9781377be70a0d58b0fd1fff2145483dbeb199c..5dc00c4cc9707776fabda50ad1eab8e582b16c0f 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -20,6 +20,8 @@
     along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
+#define _GNU_SOURCE
+#include <stdio.h>
 #include <popt.h>
 
 #include "tests/cmocka/common_mock.h"
@@ -983,6 +985,51 @@ void test_add_strings_lists(void **state)
     talloc_free(res);
 }
 
+void test_sss_write_krb5_conf_snippet(void **state)
+{
+    int ret;
+    char buf[PATH_MAX];
+    char *cwd;
+    char *path;
+    char *file;
+
+    ret = sss_write_krb5_conf_snippet(NULL);
+    assert_int_equal(ret, EINVAL);
+
+    ret = sss_write_krb5_conf_snippet("abc");
+    assert_int_equal(ret, EINVAL);
+
+    ret = sss_write_krb5_conf_snippet("");
+    assert_int_equal(ret, EOK);
+
+    ret = sss_write_krb5_conf_snippet("none");
+    assert_int_equal(ret, EOK);
+
+    cwd = getcwd(buf, PATH_MAX);
+    assert_non_null(cwd);
+
+    ret = asprintf(&path, "%s/%s", cwd, TESTS_PATH);
+    assert_true(ret > 0);
+
+    ret = asprintf(&file, "%s/%s/localauth_plugin", cwd, TESTS_PATH);
+    assert_true(ret > 0);
+
+    ret = sss_write_krb5_conf_snippet(path);
+    assert_int_equal(ret, EOK);
+
+    /* Check if writing a second time will work as well */
+    ret = sss_write_krb5_conf_snippet(path);
+    assert_int_equal(ret, EOK);
+
+#ifdef HAVE_KRB5_LOCALAUTH_PLUGIN
+    ret = unlink(file);
+    assert_int_equal(ret, EOK);
+#endif
+
+    free(file);
+    free(path);
+}
+
 int main(int argc, const char *argv[])
 {
     poptContext pc;
@@ -1030,6 +1077,7 @@ int main(int argc, const char *argv[])
         unit_test_setup_teardown(test_add_strings_lists,
                                  setup_add_strings_lists,
                                  teardown_add_strings_lists),
+        unit_test(test_sss_write_krb5_conf_snippet),
     };
 
     /* Set debug level to invalid value so we can deside if -d 0 was used. */
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 4e2c14c9432d38502422ddf2b0cb2b655a68d1cc..e04b905768078c503168f27327f974c0f19a6775 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -24,9 +24,6 @@
 #include "db/sysdb.h"
 #include "util/util.h"
 
-/* the directory domain - realm mappings are written to */
-#define KRB5_MAPPING_DIR PUBCONF_PATH"/krb5.include.d"
-
 struct sss_domain_info *get_domains_head(struct sss_domain_info *domain)
 {
     struct sss_domain_info *dom = NULL;
@@ -637,3 +634,146 @@ done:
     talloc_free(tmp_ctx);
     return ret;
 }
+
+#define LOCALAUTH_PLUGIN_CONFIG \
+"[plugins]\n" \
+" localauth = {\n" \
+"  module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
+"  enable_only = sssd\n" \
+" }"
+
+static errno_t sss_write_krb5_localauth_snippet(const char *path)
+{
+#ifdef HAVE_KRB5_LOCALAUTH_PLUGIN
+    int ret;
+    errno_t err;
+    TALLOC_CTX *tmp_ctx = NULL;
+    char *tmp_file = NULL;
+    const char *file_name;
+    int fd = -1;
+    mode_t old_mode;
+    ssize_t written;
+    size_t size;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+        return ENOMEM;
+    }
+
+    file_name = talloc_asprintf(tmp_ctx, "%s/localauth_plugin", path);
+    if (file_name == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+        ret = ENOMEM;
+        goto done;
+    }
+
+    DEBUG(SSSDBG_FUNC_DATA, "File for localauth plugin configuration is [%s]\n",
+                             file_name);
+
+    tmp_file = talloc_asprintf(tmp_ctx, "%sXXXXXX", file_name);
+    if (tmp_file == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+        ret = ENOMEM;
+        goto done;
+    }
+
+    old_mode = umask(077);
+    fd = mkstemp(tmp_file);
+    umask(old_mode);
+    if (fd < 0) {
+        DEBUG(SSSDBG_OP_FAILURE, "creating the temp file [%s] for domain-realm "
+                                  "mappings failed.", tmp_file);
+        ret = EIO;
+        talloc_zfree(tmp_ctx);
+        goto done;
+    }
+
+    size = sizeof(LOCALAUTH_PLUGIN_CONFIG) -1;
+    written = sss_atomic_write_s(fd, discard_const(LOCALAUTH_PLUGIN_CONFIG),
+                                 size);
+    close(fd);
+    if (written == -1) {
+        ret = errno;
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "write failed [%d][%s]\n", ret, sss_strerror(ret));
+        goto done;
+    }
+
+    if (written != size) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "Wrote %zd bytes expected %zu\n", written, size);
+        ret = EIO;
+        goto done;
+    }
+
+    ret = rename(tmp_file, file_name);
+    if (ret == -1) {
+        ret = errno;
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "rename failed [%d][%s].\n", ret, sss_strerror(ret));
+        goto done;
+    }
+    tmp_file = NULL;
+
+    ret = chmod(file_name, 0644);
+    if (ret == -1) {
+        ret = errno;
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "chmod failed [%d][%s].\n", ret, sss_strerror(ret));
+        goto done;
+    }
+
+done:
+    if (tmp_file != NULL) {
+        err = unlink(tmp_file);
+        if (err == -1) {
+            err = errno;
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Could not remove file [%s]: [%d]: %s",
+                   tmp_file, err, sss_strerror(err));
+        }
+    }
+
+    talloc_free(tmp_ctx);
+    return ret;
+#else
+    DEBUG(SSSDBG_TRACE_ALL, "Kerberos localauth plugin not available.\n");
+    return EOK;
+#endif
+}
+
+errno_t sss_write_krb5_conf_snippet(const char *path)
+{
+    errno_t ret;
+    errno_t err;
+
+    if (path != NULL && (*path == '\0' || strcasecmp(path, "none") == 0)) {
+        DEBUG(SSSDBG_TRACE_FUNC, "Empty path, nothing to do.\n");
+        return EOK;
+    }
+
+    if (path == NULL || *path != '/') {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Invalid or missing path [%s]-\n",
+                                    path == NULL ? "missing" : path);
+        return EINVAL;
+    }
+
+    ret = sss_write_krb5_localauth_snippet(path);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_localauth_snippet failed.\n");
+        goto done;
+    }
+
+    ret = EOK;
+
+done:
+    err = sss_krb5_touch_config();
+    if (err != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to change last modification time "
+              "of krb5.conf. Created mappings may not be loaded.\n");
+        /* Ignore */
+    }
+
+    return ret;
+}
diff --git a/src/util/util.h b/src/util/util.h
index 7c335b9a2ac2599304731082845fd382dc62465f..45efd1aef94c2e058a435933e7c41adaecc676e2 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -576,8 +576,14 @@ errno_t sssd_domain_init(TALLOC_CTX *mem_ctx,
 
 #define DOM_HAS_VIEWS(dom) ((dom)->has_views)
 
+/* the directory domain - realm mappings and other krb5 config snippers are
+ * written to */
+#define KRB5_MAPPING_DIR PUBCONF_PATH"/krb5.include.d"
+
 errno_t sss_write_domain_mappings(struct sss_domain_info *domain);
 
+errno_t sss_write_krb5_conf_snippet(const char *path);
+
 errno_t get_dom_names(TALLOC_CTX *mem_ctx,
                       struct sss_domain_info *start_dom,
                       char ***_dom_names,
-- 
1.9.3