From ce69c907f04214e16c07c5a05fb8dac12b271aba Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 17 Sep 2015 17:09:24 +0200 Subject: [PATCH 92/96] IPA: Change ipa_server_trust_add_send request to be reusable from ID code Required for: https://fedorahosted.org/sssd/ticket/2639 Expose a request ipa_server_trusted_dom_setup_send that sets up a trusted domain. The setup might include actions like retrieving a keytab for one-way trusts. Creating the AD ID context for the trused domain is now done in the caller of this new request. Reviewed-by: Sumit Bose (cherry picked from commit 1ccfd8e2e5cf4cdb6807d9809c150b7f6ba3e0eb) --- src/providers/ipa/ipa_subdomains.h | 11 +++ src/providers/ipa/ipa_subdomains_server.c | 122 ++++++++++++++++-------------- 2 files changed, 75 insertions(+), 58 deletions(-) diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h index 2302c5f03e80de2ea1efad424769e777cd6dd8d5..0c13f8ed2eeda87237dfb097f532c7137095ddf1 100644 --- a/src/providers/ipa/ipa_subdomains.h +++ b/src/providers/ipa/ipa_subdomains.h @@ -52,6 +52,17 @@ struct ipa_ad_server_ctx { struct ipa_ad_server_ctx *next, *prev; }; +/* Can be used to set up trusted subdomain, for example fetch + * keytab in server mode + */ +struct tevent_req * +ipa_server_trusted_dom_setup_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct ipa_id_ctx *id_ctx, + struct sss_domain_info *subdom); +errno_t ipa_server_trusted_dom_setup_recv(struct tevent_req *req); + /* To be used by ipa_subdomains.c only */ struct tevent_req * ipa_server_create_trusts_send(TALLOC_CTX *mem_ctx, diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c index dfecab1bc362b5772379bae6d51f9cef8443f225..c561118946e2ba76b2b4076e5057b1b5c0075a41 100644 --- a/src/providers/ipa/ipa_subdomains_server.c +++ b/src/providers/ipa/ipa_subdomains_server.c @@ -563,7 +563,7 @@ done: return ret; } -struct ipa_server_trust_add_state { +struct ipa_server_trusted_dom_setup_state { struct tevent_context *ev; struct be_ctx *be_ctx; struct ipa_id_ctx *id_ctx; @@ -578,22 +578,22 @@ struct ipa_server_trust_add_state { const char *ccache; }; -static errno_t ipa_server_trust_add_1way(struct tevent_req *req); +static errno_t ipa_server_trusted_dom_setup_1way(struct tevent_req *req); static void ipa_server_trust_1way_kt_done(struct tevent_req *subreq); -static errno_t ipa_server_trust_add_step(struct tevent_req *req); -static struct tevent_req * -ipa_server_trust_add_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct be_ctx *be_ctx, - struct ipa_id_ctx *id_ctx, - struct sss_domain_info *subdom) +struct tevent_req * +ipa_server_trusted_dom_setup_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct ipa_id_ctx *id_ctx, + struct sss_domain_info *subdom) { struct tevent_req *req = NULL; - struct ipa_server_trust_add_state *state = NULL; + struct ipa_server_trusted_dom_setup_state *state = NULL; errno_t ret; - req = tevent_req_create(mem_ctx, &state, struct ipa_server_trust_add_state); + req = tevent_req_create(mem_ctx, &state, + struct ipa_server_trusted_dom_setup_state); if (req == NULL) { return NULL; } @@ -626,16 +626,19 @@ ipa_server_trust_add_send(TALLOC_CTX *mem_ctx, ipa_trust_dir2str(state->direction)); if (state->direction & LSA_TRUST_DIRECTION_OUTBOUND) { - /* Use system keytab */ - ret = ipa_server_trust_add_step(req); + /* Use system keytab, nothing to do here */ + ret = EOK; + goto immediate; } else if (state->direction & LSA_TRUST_DIRECTION_INBOUND) { /* Need special keytab */ - ret = ipa_server_trust_add_1way(req); + ret = ipa_server_trusted_dom_setup_1way(req); if (ret == EAGAIN) { /* In progress.. */ return req; } else if (ret == EOK) { - ret = ipa_server_trust_add_step(req); + /* Keytab available, shortcut */ + ret = EOK; + goto immediate; } } else { /* Even unset is an error at this point */ @@ -658,12 +661,12 @@ immediate: return req; } -static errno_t ipa_server_trust_add_1way(struct tevent_req *req) +static errno_t ipa_server_trusted_dom_setup_1way(struct tevent_req *req) { errno_t ret; struct tevent_req *subreq = NULL; - struct ipa_server_trust_add_state *state = - tevent_req_data(req, struct ipa_server_trust_add_state); + struct ipa_server_trusted_dom_setup_state *state = + tevent_req_data(req, struct ipa_server_trusted_dom_setup_state); const char *hostname; state->keytab = forest_keytab(state, state->forest); @@ -715,8 +718,8 @@ static void ipa_server_trust_1way_kt_done(struct tevent_req *subreq) errno_t ret; struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); - struct ipa_server_trust_add_state *state = - tevent_req_data(req, struct ipa_server_trust_add_state); + struct ipa_server_trusted_dom_setup_state *state = + tevent_req_data(req, struct ipa_server_trusted_dom_setup_state); ret = ipa_getkeytab_recv(subreq, NULL); talloc_zfree(subreq); @@ -764,46 +767,12 @@ static void ipa_server_trust_1way_kt_done(struct tevent_req *subreq) DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s contains the expected principals\n", state->new_keytab); - ret = ipa_server_trust_add_step(req); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "ipa_server_trust_add_step failed: %d\n", ret); - tevent_req_error(req, ret); - return; - } - DEBUG(SSSDBG_TRACE_FUNC, "Established trust context for %s\n", state->subdom->name); tevent_req_done(req); } -static errno_t ipa_server_trust_add_step(struct tevent_req *req) -{ - struct ipa_ad_server_ctx *trust_ctx; - struct ad_id_ctx *ad_id_ctx; - errno_t ret; - struct ipa_server_trust_add_state *state = - tevent_req_data(req, struct ipa_server_trust_add_state); - - ret = ipa_ad_ctx_new(state->be_ctx, state->id_ctx, state->subdom, &ad_id_ctx); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "Cannot create ad_id_ctx for subdomain %s\n", state->subdom->name); - return ret; - } - - trust_ctx = talloc(state->id_ctx->server_mode, struct ipa_ad_server_ctx); - if (trust_ctx == NULL) { - return ENOMEM; - } - trust_ctx->dom = state->subdom; - trust_ctx->ad_id_ctx = ad_id_ctx; - - DLIST_ADD(state->id_ctx->server_mode->trusts, trust_ctx); - return EOK; -} - -static errno_t ipa_server_trust_add_recv(struct tevent_req *req) +errno_t ipa_server_trusted_dom_setup_recv(struct tevent_req *req) { TEVENT_REQ_RETURN_ON_ERROR(req); return EOK; @@ -817,6 +786,7 @@ struct ipa_server_create_trusts_state { }; static errno_t ipa_server_create_trusts_step(struct tevent_req *req); +static errno_t ipa_server_create_trusts_ctx(struct tevent_req *req); static void ipa_server_create_trusts_done(struct tevent_req *subreq); struct tevent_req * @@ -879,8 +849,11 @@ static errno_t ipa_server_create_trusts_step(struct tevent_req *req) /* Newly detected trust */ if (trust_iter == NULL) { - subreq = ipa_server_trust_add_send(state, state->ev, state->be_ctx, - state->id_ctx, state->domiter); + subreq = ipa_server_trusted_dom_setup_send(state, + state->ev, + state->be_ctx, + state->id_ctx, + state->domiter); if (subreq == NULL) { return ENOMEM; } @@ -898,13 +871,19 @@ static void ipa_server_create_trusts_done(struct tevent_req *subreq) struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); - ret = ipa_server_trust_add_recv(subreq); + ret = ipa_server_trusted_dom_setup_recv(subreq); talloc_zfree(subreq); if (ret != EOK) { tevent_req_error(req, ret); return; } + ret = ipa_server_create_trusts_ctx(req); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + ret = ipa_server_create_trusts_step(req); if (ret == EOK) { tevent_req_done(req); @@ -917,6 +896,33 @@ static void ipa_server_create_trusts_done(struct tevent_req *subreq) /* Will cycle back */ } +static errno_t ipa_server_create_trusts_ctx(struct tevent_req *req) +{ + struct ipa_ad_server_ctx *trust_ctx; + struct ad_id_ctx *ad_id_ctx; + errno_t ret; + struct ipa_server_create_trusts_state *state = NULL; + + state = tevent_req_data(req, struct ipa_server_create_trusts_state); + + ret = ipa_ad_ctx_new(state->be_ctx, state->id_ctx, state->domiter, &ad_id_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot create ad_id_ctx for subdomain %s\n", state->domiter->name); + return ret; + } + + trust_ctx = talloc(state->id_ctx->server_mode, struct ipa_ad_server_ctx); + if (trust_ctx == NULL) { + return ENOMEM; + } + trust_ctx->dom = state->domiter; + trust_ctx->ad_id_ctx = ad_id_ctx; + + DLIST_ADD(state->id_ctx->server_mode->trusts, trust_ctx); + return EOK; +} + errno_t ipa_server_create_trusts_recv(struct tevent_req *req) { TEVENT_REQ_RETURN_ON_ERROR(req); -- 2.4.3