From 6b5b0732b7f4fab195a6205e1046a8402f5d3040 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 1 Jul 2016 18:18:14 +0200
Subject: [PATCH 27/27] IPA: enable enterprise principals if server supports
them
If alternative UPN suffixes are found on the server, we can safely
assume that the IPA server supports enterprise principals.
Resolves https://fedorahosted.org/sssd/ticket/3018
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 70673115c03c37ddc64c951b53d92df9d3310762)
---
src/man/sssd-krb5.5.xml | 6 +++
src/providers/ipa/ipa_subdomains.c | 86 ++++++++++++++++++++++++++++++++++++++
2 files changed, 92 insertions(+)
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index e7fdd19e07db99314a9491faff9974d7d5e617e6..60b7dfb508c0d054a421fd46957574f52e0333d7 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -513,6 +513,12 @@
<para>
Default: false (AD provider: true)
</para>
+ <para>
+ The IPA provider will set to option to 'true' if it
+ detects that the server is capable of handling
+ enterprise principals and the option is not set
+ explicitly in the config file.
+ </para>
</listitem>
</varlistentry>
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 925b1d8b133eb56724ee4f9133a2487090982a8b..4e5bceb8c761bf4476928168d620baf2beb62ad5 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -28,6 +28,7 @@
#include "providers/ipa/ipa_subdomains.h"
#include "providers/ipa/ipa_common.h"
#include "providers/ipa/ipa_id.h"
+#include "providers/ipa/ipa_opts.h"
#include <ctype.h>
@@ -999,6 +1000,84 @@ immediately:
return req;
}
+static errno_t ipa_enable_enterprise_principals(struct be_ctx *be_ctx)
+{
+ int ret;
+ struct sss_domain_info *d;
+ TALLOC_CTX *tmp_ctx;
+ char **vals = NULL;
+ struct dp_module *auth;
+ struct krb5_ctx *krb5_auth_ctx;
+
+ d = get_domains_head(be_ctx->domain);
+
+ while (d != NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "checking [%s].\n", d->name);
+ if (d->upn_suffixes != NULL) {
+ break;
+ }
+ d = get_next_domain(d, SSS_GND_DESCEND);
+ }
+
+ if (d == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "No UPN suffixes found, "
+ "no need to enable enterprise principals.\n");
+ return EOK;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ ret = confdb_get_param(be_ctx->cdb, tmp_ctx, be_ctx->conf_path,
+ ipa_def_krb5_opts[KRB5_USE_ENTERPRISE_PRINCIPAL].opt_name,
+ &vals);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "confdb_get_param failed.\n");
+ goto done;
+ }
+
+ if (vals[0]) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Parameter [%s] set in config file and will not be changed.\n",
+ ipa_def_krb5_opts[KRB5_USE_ENTERPRISE_PRINCIPAL].opt_name);
+ return EOK;
+ }
+
+ auth = dp_target_module(be_ctx->provider, DPT_AUTH);
+ if (auth == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to find auth proivder.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ krb5_auth_ctx = ipa_init_get_krb5_auth_ctx(dp_get_module_data(auth));
+ if (krb5_auth_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to find auth proivder data.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = dp_opt_set_bool(krb5_auth_ctx->opts,
+ KRB5_USE_ENTERPRISE_PRINCIPAL, true);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "dp_opt_set_bool failed.\n");
+ goto done;
+ }
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "Enterprise principals enabled.\n");
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
static void ipa_subdomains_slave_search_done(struct tevent_req *subreq)
{
struct ipa_subdomains_slave_state *state;
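Review bot: The early `return EOK;` in the `if (vals[0])` branch of ipa_enable_enterprise_principals skips the `done:` label, so `tmp_ctx` — created with `talloc_new(NULL)` and therefore owned by nothing else — is leaked on every call where the option is set explicitly in the config; since the caller runs on subdomain search completion, this presumably recurs on each refresh. Replace it with `ret = EOK; goto done;` so that branch shares the single cleanup path. The two debug messages on the auth-provider checks misspell `proivder`. `vals[0]` is dereferenced without a NULL check on `vals` after `confdb_get_param` returns EOK; if that call can legitimately hand back a NULL array (cannot tell from the hunk), a guard is needed — confirm against its contract. The new helper would also benefit from a short header comment such as `/* Turn on krb5_use_enterprise_principal when the server publishes UPN suffixes and the admin has not set the option explicitly. */`.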
@@ -1037,6 +1116,13 @@ static void ipa_subdomains_slave_search_done(struct tevent_req *subreq)
goto done;
}
+ ret = ipa_enable_enterprise_principals(state->sd_ctx->be_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_enable_enterprise_principals failed. "
+ "Enterprise principals might not work as "
+ "expected.\n");
+ }
+
if (state->sd_ctx->ipa_id_ctx->server_mode == NULL) {
ret = EOK;
goto done;
--
2.4.11