authorJakub Hrozek <jhrozek@redhat.com>2013-06-26 22:39:41 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-06-27 18:43:57 +0200
commit58dd26b1c5b60ee992dd5d1214bb168aebb42d54 (patch)
treeb9cdf45f5519050f77e81cbe9a84fc482eb70aba /src/providers
parent80a874555d8b2737827bb150133ba70a83c65bb7 (diff)
AD: Write out domain-realm mappings
This patch reuses the code from the IPA provider to make sure that domain-realm mappings are written even for AD subdomains.
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/ad/ad_subdomains.c7
-rw-r--r--src/providers/ipa/ipa_subdomains.c167
-rw-r--r--src/providers/krb5/krb5_common.h1
3 files changed, 10 insertions, 165 deletions
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 07b523df5..20aaa2d71 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -736,6 +736,13 @@ static void ad_subdomains_get_slave_domain_done(struct tevent_req *req)
DEBUG(SSSDBG_OP_FAILURE, ("ads_store_sdap_subdom failed.\n"));
goto done;
}
+
+ ret = sss_write_domain_mappings(ctx->sd_ctx->be_ctx->domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("sss_krb5_write_mappings failed.\n"));
+ /* Just continue */
+ }
}
ret = EOK;
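Review bot: The failure message added here, `sss_krb5_write_mappings failed.`, names a function that is not the one being called (`sss_write_domain_mappings`), and the same text is used in the ipa_subdomains_handler_done hunk of ipa_subdomains.c. Anyone searching the source for the logged symbol will not find the call site. The message also drops the return code; I would write `("sss_write_domain_mappings failed [%d]: %s\n", ret, strerror(ret))` in both places. Because the failure is deliberately non-fatal, this log line is the only trace an operator gets that the Kerberos domain-realm mappings for the subdomains were not written. ad_subdomains_get_slave_domain_done starts and ends outside the hunk.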
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 881f27c5d..76ea709a6 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -49,9 +49,6 @@
#define IPA_SUBDOMAIN_REFRESH_PERIOD (3600 * 4)
#define IPA_SUBDOMAIN_DISABLED_PERIOD 3600
-/* the directory domain - realm mappings are written to */
-#define IPA_SUBDOMAIN_MAPPING_DIR PUBCONF_PATH"/krb5.include.d"
-
enum ipa_subdomains_req_type {
IPA_SUBDOMAINS_MASTER,
IPA_SUBDOMAINS_SLAVE,
@@ -256,165 +253,6 @@ done:
return ret;
}
-static errno_t
-ipa_subdomains_write_mappings(struct sss_domain_info *domain)
-{
- struct sss_domain_info *dom;
- errno_t ret;
- errno_t err;
- TALLOC_CTX *tmp_ctx;
- const char *mapping_file;
- char *sanitized_domain;
- char *tmp_file = NULL;
- int fd = -1;
- mode_t old_mode;
- FILE *fstream = NULL;
- int i;
-
- if (domain == NULL || domain->name == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("No domain name provided\n"));
- return EINVAL;
- }
-
- tmp_ctx = talloc_new(NULL);
- if (!tmp_ctx) return ENOMEM;
-
- sanitized_domain = talloc_strdup(tmp_ctx, domain->name);
- if (sanitized_domain == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_strdup() failed\n"));
- return ENOMEM;
- }
-
- /* only alpha-numeric chars, dashes and underscores are allowed in
- * krb5 include directory */
- for (i = 0; sanitized_domain[i] != '\0'; i++) {
- if (!isalnum(sanitized_domain[i])
- && sanitized_domain[i] != '-' && sanitized_domain[i] != '_') {
- sanitized_domain[i] = '_';
- }
- }
-
- mapping_file = talloc_asprintf(tmp_ctx, "%s/domain_realm_%s",
- IPA_SUBDOMAIN_MAPPING_DIR, sanitized_domain);
- if (!mapping_file) {
- ret = ENOMEM;
- goto done;
- }
-
- DEBUG(SSSDBG_FUNC_DATA, ("Mapping file for domain [%s] is [%s]\n",
- domain->name, mapping_file));
-
- tmp_file = talloc_asprintf(tmp_ctx, "%sXXXXXX", mapping_file);
- if (tmp_file == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- old_mode = umask(077);
- fd = mkstemp(tmp_file);
- umask(old_mode);
- if (fd < 0) {
- DEBUG(SSSDBG_OP_FAILURE, ("creating the temp file [%s] for domain-realm "
- "mappings failed.", tmp_file));
- ret = EIO;
- talloc_zfree(tmp_ctx);
- goto done;
- }
-
- fstream = fdopen(fd, "a");
- if (!fstream) {
- ret = errno;
- DEBUG(SSSDBG_OP_FAILURE, ("fdopen failed [%d]: %s\n",
- ret, strerror(ret)));
- ret = close(fd);
- if (ret != 0) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("fclose failed [%d][%s].\n", ret, strerror(ret)));
- /* Nothing to do here, just report the failure */
- }
- ret = EIO;
- goto done;
- }
-
- ret = fprintf(fstream, "[domain_realm]\n");
- if (ret < 0) {
- DEBUG(SSSDBG_OP_FAILURE, ("fprintf failed\n"));
- ret = EIO;
- goto done;
- }
-
- for (dom = get_next_domain(domain, true);
- dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
- dom = get_next_domain(dom, false)) {
- ret = fprintf(fstream, ".%s = %s\n%s = %s\n",
- dom->name, dom->realm, dom->name, dom->realm);
- if (ret < 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("fprintf failed\n"));
- goto done;
- }
- }
-
- ret = fclose(fstream);
- fstream = NULL;
- if (ret != 0) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("fclose failed [%d][%s].\n", ret, strerror(ret)));
- goto done;
- }
-
- ret = rename(tmp_file, mapping_file);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("rename failed [%d][%s].\n", ret, strerror(ret)));
- goto done;
- }
-
- talloc_zfree(tmp_file);
-
- ret = chmod(mapping_file, 0644);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("fchmod failed [%d][%s].\n", ret, strerror(ret)));
- goto done;
- }
-
- /* touch krb5.conf to ensure that new mappings are loaded */
- ret = sss_krb5_touch_config();
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to change last modification time "
- "of krb5.conf. Created mappings may not be loaded.\n"));
- /* just continue */
- }
-
- ret = EOK;
-done:
- if (fstream) {
- err = fclose(fstream);
- if (err != 0) {
- err = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("fclose failed [%d][%s].\n", err, strerror(err)));
- /* Nothing to do here, just report the failure */
- }
- }
-
- if (tmp_file) {
- err = unlink(tmp_file);
- if (err < 0) {
- err = errno;
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not remove file [%s]: [%d]: %s",
- tmp_file, err, strerror(err)));
- }
- }
- talloc_free(tmp_ctx);
- return ret;
-}
-
static errno_t ipa_subdomains_refresh(struct ipa_subdomains_ctx *ctx,
int count, struct sysdb_attrs **reply,
bool *changes)
@@ -726,10 +564,11 @@ static void ipa_subdomains_handler_done(struct tevent_req *req)
goto done;
}
- ret = ipa_subdomains_write_mappings(domain);
+ ret = sss_write_domain_mappings(domain);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
- ("ipa_subdomains_write_mappings failed.\n"));
+ ("sss_krb5_write_mappings failed.\n"));
+ /* Just continue */
}
}
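Review bot: The definition of `sss_write_domain_mappings` is outside this diff (the view is limited to src/providers), so it is worth confirming that it is not a verbatim move of the `ipa_subdomains_write_mappings` body removed above. That body calls `talloc_zfree(tmp_ctx)` on the mkstemp failure path and then jumps to `done`, where `tmp_file`, allocated on `tmp_ctx`, is still passed to `unlink()`. It also returns `ENOMEM` after a failed `talloc_strdup` without freeing `tmp_ctx`. If the shared copy kept those paths, dropping the `talloc_zfree(tmp_ctx)` line and using `ret = ENOMEM; goto done;` for the strdup failure would fix both. ipa_subdomains_handler_done starts and ends outside the hunk.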
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 9eb602cfb..27089ab96 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -188,7 +188,6 @@ errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx,
errno_t compare_principal_realm(const char *upn, const char *realm,
bool *different_realm);
-
int sssm_krb5_auth_init(struct be_ctx *bectx,
struct bet_ops **ops,
void **pvt_auth_data);