From 6b5b0732b7f4fab195a6205e1046a8402f5d3040 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 1 Jul 2016 18:18:14 +0200 Subject: [PATCH 27/27] IPA: enable enterprise principals if server supports them If there are alternative UPN suffixes found on the server we can safely assume that the IPA server supports enterprise principals. Resolves https://fedorahosted.org/sssd/ticket/3018 Reviewed-by: Jakub Hrozek (cherry picked from commit 70673115c03c37ddc64c951b53d92df9d3310762) --- src/man/sssd-krb5.5.xml | 6 +++ src/providers/ipa/ipa_subdomains.c | 86 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 92 insertions(+) diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml index e7fdd19e07db99314a9491faff9974d7d5e617e6..60b7dfb508c0d054a421fd46957574f52e0333d7 100644 --- a/src/man/sssd-krb5.5.xml +++ b/src/man/sssd-krb5.5.xml @@ -513,6 +513,12 @@ Default: false (AD provider: true) + + The IPA provider will set to option to 'true' if it + detects that the server is capable of handling + enterprise principals and the option is not set + explicitly in the config file. + diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c index 925b1d8b133eb56724ee4f9133a2487090982a8b..4e5bceb8c761bf4476928168d620baf2beb62ad5 100644 --- a/src/providers/ipa/ipa_subdomains.c +++ b/src/providers/ipa/ipa_subdomains.c @@ -28,6 +28,7 @@ #include "providers/ipa/ipa_subdomains.h" #include "providers/ipa/ipa_common.h" #include "providers/ipa/ipa_id.h" +#include "providers/ipa/ipa_opts.h" #include @@ -999,6 +1000,84 @@ immediately: return req; } +static errno_t ipa_enable_enterprise_principals(struct be_ctx *be_ctx) +{ + int ret; + struct sss_domain_info *d; + TALLOC_CTX *tmp_ctx; + char **vals = NULL; + struct dp_module *auth; + struct krb5_ctx *krb5_auth_ctx; + + d = get_domains_head(be_ctx->domain); + + while (d != NULL) { + DEBUG(SSSDBG_TRACE_ALL, "checking [%s].\n", d->name); + if (d->upn_suffixes != NULL) { + break; + } + d = get_next_domain(d, SSS_GND_DESCEND); + } + + if (d == NULL) { + DEBUG(SSSDBG_TRACE_ALL, + "No UPN suffixes found, " + "no need to enable enterprise principals.\n"); + return EOK; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + ret = confdb_get_param(be_ctx->cdb, tmp_ctx, be_ctx->conf_path, + ipa_def_krb5_opts[KRB5_USE_ENTERPRISE_PRINCIPAL].opt_name, + &vals); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "confdb_get_param failed.\n"); + goto done; + } + + if (vals[0]) { + DEBUG(SSSDBG_CONF_SETTINGS, + "Parameter [%s] set in config file and will not be changed.\n", + ipa_def_krb5_opts[KRB5_USE_ENTERPRISE_PRINCIPAL].opt_name); + return EOK; + } + + auth = dp_target_module(be_ctx->provider, DPT_AUTH); + if (auth == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to find auth proivder.\n"); + ret = EINVAL; + goto done; + } + + krb5_auth_ctx = ipa_init_get_krb5_auth_ctx(dp_get_module_data(auth)); + if (krb5_auth_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to find auth proivder data.\n"); + ret = EINVAL; + goto done; + } + + ret = dp_opt_set_bool(krb5_auth_ctx->opts, + KRB5_USE_ENTERPRISE_PRINCIPAL, true); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "dp_opt_set_bool failed.\n"); + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Enterprise principals enabled.\n"); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + static void ipa_subdomains_slave_search_done(struct tevent_req *subreq) { struct ipa_subdomains_slave_state *state; @@ -1037,6 +1116,13 @@ static void ipa_subdomains_slave_search_done(struct tevent_req *subreq) goto done; } + ret = ipa_enable_enterprise_principals(state->sd_ctx->be_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_enable_enterprise_principals failed. " + "Enterprise principals might not work as " + "expected.\n"); + } + if (state->sd_ctx->ipa_id_ctx->server_mode == NULL) { ret = EOK; goto done; -- 2.4.11