path: root/src/util/domain_info_utils.c
authorSumit Bose <sbose@redhat.com>2013-09-25 17:21:36 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-09-27 10:39:07 +0200
commit0ee14e804e5a6ef6c0fbcc006c376d7cd51a960f (patch)
tree17e60bf5a50f590e65ebf6e5700b7f53a225ad88 /src/util/domain_info_utils.c
parenta091e5b7831ea84c739493dc20a84ad834f6df7e (diff)
ipa_server_mode: write capaths to krb5 include file
If there are member domains in a trusted forest which are DNS-wise not proper children of the forest root, the IPA KDC needs some help to determine the right authentication path. In general this should be done internally by the IPA KDC, but that work requires more effort than letting sssd write the needed data to the include file for krb5.conf. Once this functionality is available in the IPA KDC, this patch might be removed from the sssd tree. Fixes https://fedorahosted.org/sssd/ticket/2093
Diffstat (limited to 'src/util/domain_info_utils.c')
-rw-r--r--src/util/domain_info_utils.c51
1 files changed, 50 insertions, 1 deletions
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 4af967cfd..9d7bb5f5a 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -336,9 +336,10 @@ sss_krb5_touch_config(void)
}
errno_t
-sss_write_domain_mappings(struct sss_domain_info *domain)
+sss_write_domain_mappings(struct sss_domain_info *domain, bool add_capaths)
{
struct sss_domain_info *dom;
+ struct sss_domain_info *parent_dom;
errno_t ret;
errno_t err;
TALLOC_CTX *tmp_ctx;
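Review bot: The new `add_capaths` parameter is undocumented; the definition line is in this hunk but nothing says when callers should pass true or what it emits. Suggest a comment above the function, e.g. `/* add_capaths: additionally write a [capaths] section pairing each trusted subdomain realm with the parent realm through the subdomain's forest realm (used in ipa_server_mode). */`, with the exact wording confirmed against the caller. The body of sss_write_domain_mappings continues past this hunk.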
@@ -349,6 +350,9 @@ sss_write_domain_mappings(struct sss_domain_info *domain)
mode_t old_mode;
FILE *fstream = NULL;
int i;
+ bool capaths_started;
+ char *uc_forest;
+ char *uc_parent;
if (domain == NULL || domain->name == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, ("No domain name provided\n"));
@@ -434,6 +438,51 @@ sss_write_domain_mappings(struct sss_domain_info *domain)
}
}
+ if (add_capaths) {
+ capaths_started = false;
+ parent_dom = domain;
+ uc_parent = get_uppercase_realm(tmp_ctx, parent_dom->name);
+ if (uc_parent == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("get_uppercase_realm failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (dom = get_next_domain(domain, true);
+ dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
+ dom = get_next_domain(dom, false)) {
+
+ if (dom->forest == NULL) {
+ continue;
+ }
+
+ uc_forest = get_uppercase_realm(tmp_ctx, dom->forest);
+ if (uc_forest == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("get_uppercase_realm failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (!capaths_started) {
+ ret = fprintf(fstream, "[capaths]\n");
+ if (ret < 0) {
+ DEBUG(SSSDBG_OP_FAILURE, ("fprintf failed\n"));
+ ret = EIO;
+ goto done;
+ }
+ capaths_started = true;
+ }
+
+ ret = fprintf(fstream, "%s = {\n %s = %s\n}\n%s = {\n %s = %s\n}\n",
+ dom->realm, uc_parent, uc_forest,
+ uc_parent, dom->realm, uc_forest);
+ if (ret < 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("fprintf failed\n"));
+ goto done;
+ }
+ }
+ }
+
ret = fclose(fstream);
fstream = NULL;
if (ret != 0) {
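Review bot: The failure path after the second fprintf returns the raw negative fprintf() result instead of an errno code: `ret = fprintf(fstream, "%s = {\n %s = %s\n}\n%s = {\n %s = %s\n}\n", ...)` is followed by `goto done` without resetting `ret`, whereas the `[capaths]` header write a few lines earlier sets `ret = EIO;` first, so callers of this errno_t function would see a value like -1; add `ret = EIO;` before that `goto done`. Separately, `dom->realm`, `dom->forest` and the uppercased domain name are interpolated unescaped into a file that krb5 parses as configuration; if these names originate from the trusted forest's own directory data rather than local config, a value containing a newline, `}` or `[` could inject further krb5.conf sections, so consider rejecting names outside the expected realm character set before writing. Also, `dom->forest` is NULL-checked but `dom->realm` is not; if a subdomain can have an unset realm, passing NULL to `%s` is undefined behaviour. sss_write_domain_mappings begins in the first hunk and its `done` cleanup lies outside this one.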