authorSumit Bose <sbose@redhat.com>2014-11-17 17:42:07 +0100
committerJakub Hrozek <jhrozek@redhat.com>2014-11-28 17:59:38 +0100
commit019ea9b10ff5a723e7720abf816a8c7dc13b3b32 (patch)
tree4ed3627c57a2253dfa28fac200204f3725586c94
parent56113d90eb552b5d0ad8f1c2eb446127e948369e (diff)
krb5/ldap: use MEMORY ccache and keytab in *_child processes
-rw-r--r--Makefile.am2
-rw-r--r--src/providers/krb5/krb5_child.c33
-rw-r--r--src/providers/ldap/ldap_child.c37
3 files changed, 65 insertions, 7 deletions
diff --git a/Makefile.am b/Makefile.am
index d63675d..3075156 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2512,6 +2512,7 @@ libsss_ad_la_LDFLAGS = \
krb5_child_SOURCES = \
src/providers/krb5/krb5_child.c \
src/providers/krb5/krb5_ccache.c \
+ src/providers/krb5/krb5_keytab.c \
src/providers/dp_pam_data_util.c \
src/util/user_info_msg.c \
src/util/sss_krb5.c \
@@ -2544,6 +2545,7 @@ krb5_child_LDADD = \
ldap_child_SOURCES = \
src/providers/ldap/ldap_child.c \
+ src/providers/krb5/krb5_keytab.c \
src/util/sss_krb5.c \
src/util/atomic_io.c \
src/util/authtok.c \
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index ec22665..c13c087 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1846,6 +1846,7 @@ static int k5c_setup_fast(struct krb5_req *kr, bool demand)
char *fast_principal;
krb5_error_code kerr;
char *tmp_str;
+ char *new_ccname;
tmp_str = getenv(SSSD_KRB5_FAST_PRINCIPAL);
if (tmp_str) {
@@ -1888,6 +1889,15 @@ static int k5c_setup_fast(struct krb5_req *kr, bool demand)
return kerr;
}
+ kerr = copy_ccache_into_memory(kr, kr->ctx, kr->fast_ccname, &new_ccname);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "copy_ccache_into_memory failed.\n");
+ return kerr;
+ }
+
+ talloc_free(kr->fast_ccname);
+ kr->fast_ccname = new_ccname;
+
kerr = sss_krb5_get_init_creds_opt_set_fast_ccache_name(kr->ctx,
kr->options,
kr->fast_ccname);
@@ -2070,6 +2080,7 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
krb5_error_code kerr;
int parse_flags;
enum k5c_fast_opt fast_val;
+ char *mem_keytab;
kerr = check_use_fast(&fast_val);
if (kerr != EOK) {
@@ -2190,6 +2201,28 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
}
}
+ if (!(offline || (fast_val == K5C_FAST_NEVER && kr->validate == false))) {
+ if (kr->keytab != NULL) {
+ kerr = copy_keytab_into_memory(kr, kr->ctx, kr->keytab,
+ &mem_keytab);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "copy_keytab_into_memory failed.\n");
+ return kerr;
+ }
+
+ talloc_free(kr->keytab);
+ kr->keytab = mem_keytab;
+ }
+
+ kerr = become_user(kr->uid, kr->gid);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
+ return kerr;
+ }
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());
+
/* TODO: set options, e.g.
* krb5_get_init_creds_opt_set_forwardable
* krb5_get_init_creds_opt_set_proxiable
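Review bot: The privilege drop added here runs only inside the `if (!(offline || (fast_val == K5C_FAST_NEVER && kr->validate == false)))` branch, so on the offline path and on the no-FAST/no-validate path k5c_setup leaves the effective identity untouched at this point, and the trace line after the block simply logs whatever identity the process currently has; from the hunk alone it is not visible where those paths switch uid, so that should be confirmed against main() and stated next to the condition. A comment above it would make the contract explicit, e.g. `/* The keytab is needed only for FAST armor or TGT validation: copy it into a MEMORY keytab while still privileged, then drop to the user; the remaining paths must drop privileges before any credential file is written. */`. As a style point, `kr->validate == false` reads more naturally as `!kr->validate`. k5c_setup starts and ends outside this hunk.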
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index a922b18..e7febdf 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -33,6 +33,7 @@
#include "util/sss_krb5.h"
#include "util/child_common.h"
#include "providers/dp_backend.h"
+#include "providers/krb5/krb5_common.h"
static krb5_context krb5_error_ctx;
#define LDAP_CHILD_DEBUG(level, error) KRB5_DEBUG(level, krb5_error_ctx, error)
@@ -248,7 +249,7 @@ static int lc_verify_keytab_ex(const char *principal,
static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
const char *realm_str,
const char *princ_str,
- const char *keytab_name,
+ const char *inp_keytab_name,
const krb5_deltat lifetime,
uid_t uid,
gid_t gid,
@@ -277,6 +278,8 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
char *ccname_file_dummy;
char *ccname_file;
mode_t old_umask;
+ char *keytab_name;
+ char default_keytab_name[MAX_KEYTAB_NAME_LEN];
krberr = krb5_init_context(&context);
if (krberr) {
@@ -291,6 +294,32 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
goto done;
}
+ if (inp_keytab_name != NULL) {
+ krberr = copy_keytab_into_memory(tmp_ctx, context, inp_keytab_name,
+ &keytab_name);
+ } else {
+ krberr = krb5_kt_default_name(context, default_keytab_name,
+ sizeof(default_keytab_name));
+ if (krberr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "krb5_kt_default_name failed.\n");
+ goto done;
+ }
+
+ krberr = copy_keytab_into_memory(tmp_ctx, context, default_keytab_name,
+ &keytab_name);
+ }
+ if (krberr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "copy_keytab_into_memory failed.\n");
+ goto done;
+ }
+
+ krberr = become_user(uid, gid);
+ if (krberr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
+ goto done;
+ }
+
+
krberr = set_child_debugging(context);
if (krberr != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Cannot set krb5_child debugging\n");
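Review bot: `keytab_name` is now a local whose only assignments are the two copy_keytab_into_memory calls added here, but its declaration in the earlier hunk (`char *keytab_name;`) is uninitialized and the `goto done` immediately above the new block, as well as the one after krb5_kt_default_name, jumps past both assignments; if the cleanup under `done:` or any later diagnostic reads keytab_name that is an uninitialized read, so it should be initialized at the declaration: `char *keytab_name = NULL;`. Moving become_user ahead of set_child_debugging also means the debug setup and every krb5 call after it now run as the target uid/gid instead of the original identity (the last hunk removes the old call that ran after credentials were initialized), which deserves a comment at the new call, e.g. `/* The keytab already lives in a MEMORY keytab, so privileges can be dropped before any further krb5 call. */`. The two consecutive blank lines before the set_child_debugging call are a style nit. ldap_child_get_tgt_sync begins and ends outside this hunk.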
@@ -440,12 +469,6 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
}
DEBUG(SSSDBG_TRACE_INTERNAL, "credentials initialized\n");
- krberr = become_user(uid, gid);
- if (krberr != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
- goto done;
- }
-
ccname_dummy = talloc_asprintf(tmp_ctx, "FILE:%s", ccname_file_dummy);
ccname = talloc_asprintf(tmp_ctx, "FILE:%s", ccname_file);
if (ccname_dummy == NULL || ccname == NULL) {