author | Jakub Hrozek <jhrozek@redhat.com> | 2015-07-22 17:20:11 +0200 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-09-07 18:20:27 +0200 |
commit | fd68d59f701ff90e4baae7b4bd137c374c719e8a (patch) | |
tree | fd1b052d99ea26993341362cc5946755e462da8a | |
parent | 75b3a8eaaaa74d34406a2899c8e21ba12233ab6e (diff) | |
IPA: Handle sssd-owned keytabs when running as root
https://fedorahosted.org/sssd/ticket/2718
This patch handles the case where the keytab is created with sssd:sssd
ownership (perhaps by the IPA oddjob script) but SSSD runs as root,
which is the default in many distributions.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r-- | src/providers/ipa/ipa_subdomains.h | 3 | ||||
-rw-r--r-- | src/providers/ipa/ipa_subdomains_server.c | 46 |
2 files changed, 41 insertions, 8 deletions
diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h
index 5bc63a173..2302c5f03 100644
--- a/src/providers/ipa/ipa_subdomains.h
+++ b/src/providers/ipa/ipa_subdomains.h
@@ -94,6 +94,9 @@ struct ipa_server_mode_ctx {
     struct ipa_ad_server_ctx *trusts;
     struct ipa_ext_groups *ext_groups;
+
+    uid_t kt_owner_uid;
+    uid_t kt_owner_gid;
 };
 
 int ipa_ad_subdom_init(struct be_ctx *be_ctx,
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index a9e2c1f70..4bfea61e6 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -520,16 +520,28 @@ static errno_t ipa_getkeytab_recv(struct tevent_req *req, int *child_status)
     return EOK;
 }
 
-static errno_t ipa_check_keytab(const char *keytab)
+static errno_t ipa_check_keytab(const char *keytab,
+                                uid_t kt_owner_uid,
+                                gid_t kt_owner_gid)
 {
     errno_t ret;
 
     ret = check_file(keytab, getuid(), getgid(), S_IFREG|0600, 0, NULL, false);
-    if (ret != EOK) {
-        if (ret != ENOENT) {
-            DEBUG(SSSDBG_OP_FAILURE, "Failed to check for %s\n", keytab);
-        } else {
-            DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
+    if (ret == ENOENT) {
+        DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
+        goto done;
+    } else if (ret != EOK) {
+        if (kt_owner_uid) {
+            ret = check_file(keytab, kt_owner_uid, kt_owner_gid,
+                             S_IFREG|0600, 0, NULL, false);
+        }
+
+        if (ret != EOK) {
+            if (ret != ENOENT) {
+                DEBUG(SSSDBG_OP_FAILURE, "Failed to check for %s\n", keytab);
+            } else {
+                DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
+            }
         }
         goto done;
     }
@@ -648,7 +660,9 @@ static errno_t ipa_server_trust_add_1way(struct tevent_req *req)
         return EIO;
     }
 
-    ret = ipa_check_keytab(state->keytab);
+    ret = ipa_check_keytab(state->keytab,
+                           state->id_ctx->server_mode->kt_owner_uid,
+                           state->id_ctx->server_mode->kt_owner_gid);
     if (ret == EOK) {
         DEBUG(SSSDBG_TRACE_FUNC,
               "Keytab already present, can add the trust\n");
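Review bot: The new `kt_owner_gid` member of `struct ipa_server_mode_ctx` is declared as `uid_t`, while `ipa_check_keytab` in the next hunk receives it as `gid_t` and the `ipa_ad_subdom_init` hunk passes its address to `sss_user_by_name_or_uid`, which presumably expects a `gid_t *`. On glibc both types are `unsigned int`, so this compiles silently, but the declaration should name the type of the value it stores: `gid_t kt_owner_gid;`. A one-line comment on the pair would also spare the reader a trip to the .c file, e.g. `/* Alternate owner that ipa_check_keytab accepts besides the current uid:gid; kt_owner_uid == 0 means no alternate owner */`.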
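Review bot: In `ipa_check_keytab`, the second `check_file` call overwrites `ret` from the first one, so when the keytab exists but matches neither owner the `SSSDBG_OP_FAILURE` message "Failed to check for %s" reports only the outcome of the alternate-owner check and gives the operator no hint that two ownership variants were tried. Since this is the path hit by a mis-owned or mis-moded keytab, the log line is the main diagnostic; it should state that the file is owned by neither the running uid:gid nor the alternate owner (or have mode other than 0600). The function also has no comment describing the contract; I would add one above the signature saying that the keytab must be a regular file with mode 0600 owned either by the process's uid:gid or, when `kt_owner_uid` is non-zero, by `kt_owner_uid:kt_owner_gid`, and that ENOENT is returned without an error-level log. The `done:` label and the remainder of the function are outside the hunk.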
@@ -704,7 +718,9 @@ static void ipa_server_trust_1way_kt_done(struct tevent_req *subreq)
     DEBUG(SSSDBG_TRACE_FUNC, "Keytab successfully retrieved to %s\n",
           state->keytab);
 
-    ret = ipa_check_keytab(state->keytab);
+    ret = ipa_check_keytab(state->keytab,
+                           state->id_ctx->server_mode->kt_owner_uid,
+                           state->id_ctx->server_mode->kt_owner_gid);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "ipa_check_keytab failed: %d\n", ret);
         tevent_req_error(req, ret);
@@ -1029,6 +1045,20 @@ int ipa_ad_subdom_init(struct be_ctx *be_ctx,
     id_ctx->server_mode->hostname = hostname;
     id_ctx->server_mode->trusts = NULL;
     id_ctx->server_mode->ext_groups = NULL;
+    id_ctx->server_mode->kt_owner_uid = 0;
+    id_ctx->server_mode->kt_owner_gid = 0;
+
+    if (getuid() == 0) {
+        /* We need to handle keytabs created by IPA oddjob script gracefully
+         * even if we're running as root and IPA creates them as the SSSD user
+         */
+        ret = sss_user_by_name_or_uid(SSSD_USER,
+                                      &id_ctx->server_mode->kt_owner_uid,
+                                      &id_ctx->server_mode->kt_owner_gid);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get ID of %s\n", SSSD_USER);
+        }
+    }
 
     ret = ipa_ad_subdom_reinit(be_ctx, be_ctx->ev, be_ctx, id_ctx,
                                be_ctx->domain);
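Review bot: In the `ipa_ad_subdom_init` hunk, a failed `sss_user_by_name_or_uid` lookup is logged at minor-failure level and execution continues, which is a sensible best-effort, but the message does not say what the consequence is: `kt_owner_uid` stays 0, so `ipa_check_keytab` will later reject any keytab owned by the SSSD user with a generic "Failed to check for" error far from the cause. I would make the consequence explicit, `DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get ID of %s, keytabs owned by it will be rejected\n", SSSD_USER);`. The code also relies on the lookup leaving both output parameters untouched on failure so that the 0 sentinel survives; that is not visible here and is worth confirming against `sss_user_by_name_or_uid`, or worth re-zeroing both fields in the error branch so the invariant does not depend on it. The rest of `ipa_ad_subdom_init` lies outside the hunk.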