summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStephen Gallagher <sgallagh@redhat.com>2011-08-30 10:51:19 -0400
committerStephen Gallagher <sgallagh@redhat.com>2011-10-26 10:29:39 -0400
commite97b2822ad260a1df04e9b5b26b93ea0fa1b9853 (patch)
tree2097c4dcd53a4311ea87e262a2e5429cdfa10d86
parent4396b4446acee09f5957ff63c4a86fdf854536df (diff)
downloadsssd-e97b2822ad260a1df04e9b5b26b93ea0fa1b9853.tar.gz
sssd-e97b2822ad260a1df04e9b5b26b93ea0fa1b9853.tar.xz
sssd-e97b2822ad260a1df04e9b5b26b93ea0fa1b9853.zip
Add option to specify the kerberos replay cache dir
Adds a configure option to set the distribution default as well as an sssd.conf option to override it. https://fedorahosted.org/sssd/ticket/980
-rw-r--r--Makefile.am4
-rw-r--r--configure.ac1
-rw-r--r--contrib/sssd.spec.in2
-rw-r--r--src/conf_macros.m415
-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/config/SSSDConfig.py1
-rwxr-xr-xsrc/config/SSSDConfigTest.py1
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/man/sssd.conf.5.xml20
-rw-r--r--src/monitor/monitor.c31
10 files changed, 77 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index 44c9b7c42..6fa682456 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -33,6 +33,7 @@ initdir = @initdir@
logpath = @logpath@
pubconfpath = @pubconfpath@
pkgconfigdir = $(libdir)/pkgconfig
+krb5rcachedir = @krb5rcachedir@
AM_CFLAGS =
if WANT_AUX_INFO
@@ -1092,6 +1093,9 @@ install-data-hook:
rm $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 \
$(DESTDIR)/$(nsslibdir)/libnss_sss.so
mv $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2.0.0 $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2
+ if [ ! $(krb5rcachedir) = "__LIBKRB5_DEFAULTS__" ]; then \
+ mkdir -p $(DESTDIR)/$(krb5rcachedir) ; \
+ fi
uninstall-hook:
if [ -f $(abs_builddir)/src/config/.files ]; then \
diff --git a/configure.ac b/configure.ac
index 9a1dfb2cd..5e0878bca 100644
--- a/configure.ac
+++ b/configure.ac
@@ -91,6 +91,7 @@ WITH_TEST_DIR
WITH_MANPAGES
WITH_XML_CATALOG
WITH_KRB5_PLUGIN_PATH
+WITH_KRB5_RCACHE_DIR
WITH_PYTHON_BINDINGS
WITH_SELINUX
WITH_NSCD
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 291029b11..90e3f13ad 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -143,6 +143,7 @@ used by Python applications.
--with-pipe-path=%{pipepath} \
--with-pubconf-path=%{pubconfpath} \
--with-init-dir=%{_initrddir} \
+ --with-krb5rcache-dir=%{_localstatedir}/cache/krb5rcache \
--enable-nsslibdir=/%{_lib} \
--enable-pammoddir=/%{_lib}/security \
--disable-static \
@@ -211,6 +212,7 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/%{name}/
%{_libdir}/ldb/memberof.so
%dir %{sssdstatedir}
+%dir %{_localstatedir}/cache/krb5rcache
%attr(700,root,root) %dir %{dbpath}
%attr(755,root,root) %dir %{pipepath}
%attr(755,root,root) %dir %{pubconfpath}
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 8ead0b29b..2a109b5f8 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -161,6 +161,21 @@ AC_DEFUN([WITH_KRB5_PLUGIN_PATH],
AC_SUBST(krb5pluginpath)
])
+AC_DEFUN([WITH_KRB5_RCACHE_DIR],
+ [ AC_ARG_WITH([krb5-rcache-dir],
+ [AC_HELP_STRING([--with-krb5-rcache-dir=PATH],
+ [Path to store Kerberos replay caches [__LIBKRB5_DEFAULTS__]]
+ )
+ ]
+ )
+ krb5rcachedir="__LIBKRB5_DEFAULTS__"
+ if test x"$with_krb5_rcache_dir" != x; then
+ krb5rcachedir=$with_krb5_rcache_dir
+ fi
+ AC_SUBST(krb5rcachedir)
+ AC_DEFINE_UNQUOTED(KRB5_RCACHE_DIR, "$krb5rcachedir", [Directory used for storing Kerberos replay caches])
+ ])
+
AC_DEFUN([WITH_PYTHON_BINDINGS],
[ AC_ARG_WITH([python-bindings],
[AC_HELP_STRING([--with-python-bindings],
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 5e50991f3..4d6157612 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -63,6 +63,7 @@
#define CONFDB_MONITOR_NAME_REGEX "re_expression"
#define CONFDB_MONITOR_FULL_NAME_FORMAT "full_name_format"
#define CONFDB_MONITOR_TRY_INOTIFY "try_inotify"
+#define CONFDB_MONITOR_KRB5_RCACHEDIR "krb5_rcache_dir"
/* NSS */
#define CONFDB_NSS_CONF_ENTRY "config/nss"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 3f983327d..2ba9ea4e1 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -49,6 +49,7 @@ option_strings = {
'sbus_timeout' : _('Timeout for messages sent over the SBUS'),
're_expression' : _('Regex to parse username and domain'),
'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'),
+ 'krb5_rcache_dir' : _('Directory on the filesystem where SSSD should store Kerberos replay cache files.'),
# [nss]
'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 0e5a630e0..ebfd372e5 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -266,6 +266,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
'sbus_timeout',
're_expression',
'full_name_format',
+ 'krb5_rcache_dir',
'debug_level',
'debug_timestamps',
'debug_to_files',
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 49836e457..a080ae12c 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -17,6 +17,7 @@ timeout = int, None, false
sbus_timeout = int, None, false
re_expression = str, None, false
full_name_format = str, None, false
+krb5_rcache_dir = str, None, false
[nss]
# Name service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index e03805561..f5119433b 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -185,6 +185,26 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>krb5_rcache_dir (string)</term>
+ <listitem>
+ <para>
+ Directory on the filesystem where SSSD should
+ store Kerberos replay cache files.
+ </para>
+ <para>
+ This option accepts a special value
+ __LIBKRB5_DEFAULTS__ that will instruct SSSD
+ to let libkrb5 decide the appropriate
+ location for the replay cache.
+ </para>
+ <para>
+ Default: Distribution-specific and specified
+ at build-time. (__LIBKRB5_DEFAULTS__ if not
+ configured)
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
</refsect2>
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 2e2478204..431b875cc 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -57,6 +57,11 @@
* monitor will get crazy hammering children with messages */
#define MONITOR_DEF_PING_TIME 10
+/* Special value to leave the Kerberos Replay Cache set to use
+ * the libkrb5 defaults
+ */
+#define KRB5_RCACHE_DIR_DISABLE "__LIBKRB5_DEFAULTS__"
+
struct svc_spy;
struct mt_svc {
@@ -1871,8 +1876,34 @@ int monitor_process_init(struct mt_ctx *ctx,
struct sysdb_ctx_list *db_list;
struct tevent_signal *tes;
struct sss_domain_info *dom;
+ char *rcachedir;
int num_providers;
int ret;
+ int error;
+
+ /* Set up the environment variable for the Kerberos Replay Cache */
+ ret = confdb_get_string(ctx->cdb, ctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_KRB5_RCACHEDIR,
+ KRB5_RCACHE_DIR,
+ &rcachedir);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ if (strcmp(rcachedir, KRB5_RCACHE_DIR_DISABLE) != 0)
+ {
+ errno = 0;
+ ret = setenv("KRB5RCACHEDIR", rcachedir, 1);
+ if (ret < 0) {
+ error = errno;
+ DEBUG(1,
+ ("Unable to set KRB5RCACHEDIR: %s."
+ "Will attempt to use libkrb5 defaults\n",
+ strerror(error)));
+ }
+ talloc_zfree(rcachedir);
+ }
/* Set up an event handler for a SIGHUP */
tes = tevent_add_signal(ctx->ev, ctx, SIGHUP, 0,