authorSumit Bose <sbose@redhat.com>2012-11-13 21:21:38 +0100
committerJakub Hrozek <jhrozek@redhat.com>2012-11-14 11:20:23 +0100
commit0a564940c04dd9500b8d72bae723b165c3690b26 (patch)
treec09c26ee4ad589eb759875678160699717366cd1
parente9bfff15737c58624473a671e8d99bd88fc4bbd0 (diff)
Always start PAC responder if IPA ID provider is configured
Since the PAC responder is used during the authentication of users from trusted realms, it is now started automatically whenever the IPA ID provider is configured for a domain, which simplifies the configuration. Fixes https://fedorahosted.org/sssd/ticket/1613
-rw-r--r--src/man/sssd-ipa.5.xml6
-rw-r--r--src/monitor/monitor.c72
-rw-r--r--src/util/util.h6
3 files changed, 84 insertions, 0 deletions
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index 4c4aaba4e..c7abea975 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -58,6 +58,12 @@
refer to freeipa.org for more information about HBAC. No configuration
of access provider is required on the client side.
</para>
+ <para>
+ The IPA provider will use the PAC responder if the Kerberos tickets
+ of users from trusted realms contain a PAC. To make configuration
+ easier the PAC responder is started automatically if the IPA ID
+ provider is configured.
+ </para>
</refsect1>
<refsect1 id='file-format'>
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index a4652ee96..1fbbcb9ce 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -804,6 +804,71 @@ static int check_local_domain_unique(struct sss_domain_info *domains)
return EOK;
}
+static errno_t add_implicit_services(struct confdb_ctx *cdb, TALLOC_CTX *mem_ctx,
+ char ***_services)
+{
+ int ret;
+ char **domain_names;
+ TALLOC_CTX *tmp_ctx;
+ size_t c;
+ char *conf_path;
+ char *id_provider;
+ bool add_pac = false;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_new failed.\n"));
+ return ENOMEM;
+ }
+
+ ret = confdb_get_string_as_list(cdb, tmp_ctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_ACTIVE_DOMAINS,
+ &domain_names);
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE, ("No domains configured!\n"));
+ goto done;
+ }
+
+ for (c = 0; domain_names[c] != NULL; c++) {
+ conf_path = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL,
+ domain_names[c]);
+ if (conf_path == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_asprintf failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = confdb_get_string(cdb, tmp_ctx, conf_path,
+ CONFDB_DOMAIN_ID_PROVIDER, NULL, &id_provider);
+ if (ret == EOK) {
+ if (strcasecmp(id_provider, "IPA") == 0) {
+ add_pac = true;
+ }
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, ("Failed to get id_provider for " \
+ "domain [%s], trying next domain.\n",
+ domain_names[c]));
+ }
+ }
+
+ if (BUILD_WITH_PAC_RESPONDER && add_pac &&
+ !string_in_list("pac", *_services, false)) {
+ ret = add_string_to_list(mem_ctx, "pac", _services);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("add_string_to_list failed.\n"));
+ goto done;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
static char *check_services(char **services)
{
const char *known_services[] = { "nss", "pam", "sudo", "autofs", "ssh",
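Review bot: In add_implicit_services only the ENOENT result of confdb_get_string_as_list is handled; any other failure (ENOMEM, a confdb read error) falls through to the `for (c = 0; domain_names[c] != NULL; c++)` loop with `domain_names` never assigned, so the loop dereferences an uninitialized pointer. The guard should be `if (ret != EOK) {` with a message such as `"Failed to read configured domains [%d].\n", ret` so every error path leaves via `done`; keeping a dedicated ENOENT message is fine but it must not be the only case. Note also that the ENOENT path returns ENOENT to the caller, so a host with no domains configured will be reported as an "implicit services" failure rather than simply skipping the PAC check; if that is not intended, set `ret = EOK` before the goto in that branch. The loop already copes with a per-domain id_provider lookup failure by logging and continuing, which is consistent with this being best-effort.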
@@ -857,6 +922,13 @@ int get_monitor_config(struct mt_ctx *ctx)
return EINVAL;
}
+ ret = add_implicit_services(ctx->cdb, ctx->service_ctx, &ctx->services);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Failed to add implicit configured " \
+ "services. Some functionality might " \
+ "be missing"));
+ }
+
badsrv = check_services(ctx->services);
if (badsrv != NULL) {
DEBUG(0, ("Invalid service %s\n", badsrv));
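Review bot: The new DEBUG message in get_monitor_config has no trailing newline, unlike every other DEBUG call in this file, so it will run into the next log line: it should read `"services. Some functionality might be missing.\n"`. Because add_implicit_services returns ENOENT when no domains are configured, this warning will also fire in that case even though nothing went wrong; if that is not desired, the helper should return EOK for "no domains", or this caller could treat ENOENT as non-fatal. Treating other failures as non-fatal here is reasonable since the monitor falls back to the explicitly configured service list. get_monitor_config begins outside this hunk.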
diff --git a/src/util/util.h b/src/util/util.h
index 53f5954ee..9e55e5065 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -583,4 +583,10 @@ errno_t sss_br_lock_file(int fd, size_t start, size_t len,
#endif /* le32toh */
+#ifdef HAVE_PAC_RESPONDER
+#define BUILD_WITH_PAC_RESPONDER true
+#else
+#define BUILD_WITH_PAC_RESPONDER false
+#endif
+
#endif /* __SSSD_UTIL_H__ */
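Review bot: The new BUILD_WITH_PAC_RESPONDER macro carries no comment explaining why a true/false constant is defined instead of having callers use `#ifdef HAVE_PAC_RESPONDER` directly; a reader will otherwise be tempted to "simplify" it back to an #ifdef. A short comment above the block such as `/* Boolean form of HAVE_PAC_RESPONDER so callers can use it in a plain if() and keep the code compiled on both build variants. */` would document the intent. Since the macro expands to `true`/`false`, util.h must ensure stdbool.h is included before this point; that is presumably already the case given the existing bool usage in the tree, but worth confirming.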