From 6b5b0732b7f4fab195a6205e1046a8402f5d3040 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Fri, 1 Jul 2016 18:18:14 +0200

Subject: [PATCH 27/27] IPA: enable enterprise principals if server supports

 them

If there are alternative UPN suffixes found on the server we can safely

assume that the IPA server supports enterprise principals.

Resolves https://fedorahosted.org/sssd/ticket/3018

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

(cherry picked from commit 70673115c03c37ddc64c951b53d92df9d3310762)

---

 src/man/sssd-krb5.5.xml            |  6 +++

 src/providers/ipa/ipa_subdomains.c | 86 ++++++++++++++++++++++++++++++++++++++

 2 files changed, 92 insertions(+)

diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml

index e7fdd19e07db99314a9491faff9974d7d5e617e6..60b7dfb508c0d054a421fd46957574f52e0333d7 100644

--- a/src/man/sssd-krb5.5.xml

+++ b/src/man/sssd-krb5.5.xml

@@ -513,6 +513,12 @@

                         <para>

                             Default: false (AD provider: true)

                         </para>

+                        <para>

+                            The IPA provider will set to option to 'true' if it

+                            detects that the server is capable of handling

+                            enterprise principals and the option is not set

+                            explicitly in the config file.

+                        </para>

                     </listitem>

                 </varlistentry>

diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c

index 925b1d8b133eb56724ee4f9133a2487090982a8b..4e5bceb8c761bf4476928168d620baf2beb62ad5 100644

--- a/src/providers/ipa/ipa_subdomains.c

+++ b/src/providers/ipa/ipa_subdomains.c

@@ -28,6 +28,7 @@

 #include "providers/ipa/ipa_subdomains.h"

 #include "providers/ipa/ipa_common.h"

 #include "providers/ipa/ipa_id.h"

+#include "providers/ipa/ipa_opts.h"

 #include <ctype.h>

@@ -999,6 +1000,84 @@ immediately:

     return req;

 }

+static errno_t ipa_enable_enterprise_principals(struct be_ctx *be_ctx)

+{

+    int ret;

+    struct sss_domain_info *d;

+    TALLOC_CTX *tmp_ctx;

+    char **vals = NULL;

+    struct dp_module *auth;

+    struct krb5_ctx *krb5_auth_ctx;

+

+    d = get_domains_head(be_ctx->domain);

+

+    while (d != NULL) {

+        DEBUG(SSSDBG_TRACE_ALL, "checking [%s].\n", d->name);

+        if (d->upn_suffixes != NULL) {

+            break;

+        }

+        d = get_next_domain(d, SSS_GND_DESCEND);

+    }

+

+    if (d == NULL) {

+        DEBUG(SSSDBG_TRACE_ALL,

+              "No UPN suffixes found, "

+              "no need to enable enterprise principals.\n");

+        return EOK;

+    }

+

+    tmp_ctx = talloc_new(NULL);

+    if (tmp_ctx == NULL) {

+        DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");

+        return ENOMEM;

+    }

+

+    ret = confdb_get_param(be_ctx->cdb, tmp_ctx, be_ctx->conf_path,

+                     ipa_def_krb5_opts[KRB5_USE_ENTERPRISE_PRINCIPAL].opt_name,

+                     &vals);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "confdb_get_param failed.\n");

+        goto done;

+    }

+

+    if (vals[0]) {

+        DEBUG(SSSDBG_CONF_SETTINGS,

+              "Parameter [%s] set in config file and will not be changed.\n",

+              ipa_def_krb5_opts[KRB5_USE_ENTERPRISE_PRINCIPAL].opt_name);

+        return EOK;

+    }

+

+    auth = dp_target_module(be_ctx->provider, DPT_AUTH);

+    if (auth == NULL) {

+        DEBUG(SSSDBG_OP_FAILURE, "Unable to find auth proivder.\n");

+        ret = EINVAL;

+        goto done;

+    }

+

+    krb5_auth_ctx = ipa_init_get_krb5_auth_ctx(dp_get_module_data(auth));

+    if (krb5_auth_ctx == NULL) {

+        DEBUG(SSSDBG_OP_FAILURE, "Unable to find auth proivder data.\n");

+        ret = EINVAL;

+        goto done;

+    }

+

+    ret = dp_opt_set_bool(krb5_auth_ctx->opts,

+                          KRB5_USE_ENTERPRISE_PRINCIPAL, true);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "dp_opt_set_bool failed.\n");

+        goto done;

+    }

+

+    DEBUG(SSSDBG_CONF_SETTINGS, "Enterprise principals enabled.\n");

+

+    ret = EOK;

+

+done:

+    talloc_free(tmp_ctx);

+

+    return ret;

+}

+

 static void ipa_subdomains_slave_search_done(struct tevent_req *subreq)

 {

     struct ipa_subdomains_slave_state *state;

@@ -1037,6 +1116,13 @@ static void ipa_subdomains_slave_search_done(struct tevent_req *subreq)

         goto done;

     }

+    ret = ipa_enable_enterprise_principals(state->sd_ctx->be_ctx);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "ipa_enable_enterprise_principals failed. "

+                                 "Enterprise principals might not work as "

+                                 "expected.\n");

+    }

+

     if (state->sd_ctx->ipa_id_ctx->server_mode == NULL) {

         ret = EOK;

         goto done;

-- 

2.4.11