summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2015-05-15 15:32:17 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-06-14 21:47:29 +0200
commitd2c552edde275e6c0de904760147afb2992796e9 (patch)
treebcff5c746faf73e62c75a3ddbdb62eca81381f32 /src
parent30dd3f3e063dded0ec9f58bc2535a94727d8e96d (diff)
downloadsssd-d2c552edde275e6c0de904760147afb2992796e9.tar.gz
sssd-d2c552edde275e6c0de904760147afb2992796e9.tar.xz
sssd-d2c552edde275e6c0de904760147afb2992796e9.zip
IPA: Utility function for setting up one-way trust context
Related: https://fedorahosted.org/sssd/ticket/2638 Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src')
-rw-r--r--src/providers/ipa/ipa_subdomains_server.c71
-rw-r--r--src/tests/cmocka/test_ipa_subdomains_server.c29
2 files changed, 91 insertions, 9 deletions
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index caa3821c3..cd8c6301c 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -127,6 +127,71 @@ const char *ipa_trust_dir2str(uint32_t direction)
#define IPA_GETKEYTAB_TIMEOUT 5
#endif /* IPA_GETKEYTAB_TIMEOUT */
+static struct ad_options *
+ipa_create_1way_trust_ctx(struct ipa_id_ctx *id_ctx,
+ const char *forest,
+ const char *forest_realm,
+ struct sss_domain_info *subdom)
+{
+ char *keytab;
+ char *principal;
+ struct ad_options *ad_options;
+ const char *ad_domain;
+
+ ad_domain = subdom->name;
+ keytab = forest_keytab(id_ctx, forest);
+ principal = subdomain_trust_princ(id_ctx, forest_realm, subdom);
+ if (keytab == NULL || principal == NULL) {
+ return NULL;
+ }
+
+ ad_options = ad_create_1way_trust_options(id_ctx,
+ ad_domain,
+ id_ctx->server_mode->hostname,
+ keytab,
+ principal);
+ if (ad_options == NULL) {
+ talloc_free(keytab);
+ talloc_free(principal);
+ return NULL;
+ }
+
+ return ad_options;
+}
+
+static struct ad_options *ipa_ad_options_new(struct ipa_id_ctx *id_ctx,
+ struct sss_domain_info *subdom)
+{
+ struct ad_options *ad_options = NULL;
+ uint32_t direction;
+ const char *forest;
+ const char *forest_realm;
+
+ /* Trusts are only established with forest roots */
+ direction = subdom->forest_root->trust_direction;
+ forest_realm = subdom->forest_root->realm;
+ forest = subdom->forest_root->forest;
+
+ if (direction & LSA_TRUST_DIRECTION_OUTBOUND) {
+ ad_options = ad_create_2way_trust_options(id_ctx,
+ id_ctx->server_mode->realm,
+ subdom->name,
+ id_ctx->server_mode->hostname);
+ } else if (direction & LSA_TRUST_DIRECTION_INBOUND) {
+ ad_options = ipa_create_1way_trust_ctx(id_ctx, forest,
+ forest_realm, subdom);
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported trust direction!\n");
+ ad_options = NULL;
+ }
+
+ if (ad_options == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n");
+ return NULL;
+ }
+ return ad_options;
+}
+
static errno_t
ipa_ad_ctx_new(struct be_ctx *be_ctx,
@@ -147,9 +212,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
ad_domain = subdom->name;
DEBUG(SSSDBG_TRACE_LIBS, "Setting up AD subdomain %s\n", subdom->name);
- ad_options = ad_create_2way_trust_options(id_ctx, id_ctx->server_mode->realm,
- ad_domain,
- id_ctx->server_mode->hostname);
+ ad_options = ipa_ad_options_new(id_ctx, subdom);
if (ad_options == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n");
talloc_free(ad_options);
@@ -524,7 +587,7 @@ ipa_server_trust_add_send(TALLOC_CTX *mem_ctx,
}
state->direction = subdom->forest_root->trust_direction;
- state->forest = subdom->forest_root->realm;
+ state->forest = subdom->forest_root->forest;
state->forest_realm = subdom->forest_root->realm;
state->ccache = talloc_asprintf(state, "%s/ccache_%s",
DB_PATH, subdom->parent->realm);
diff --git a/src/tests/cmocka/test_ipa_subdomains_server.c b/src/tests/cmocka/test_ipa_subdomains_server.c
index 9d9c9dd8f..3f62107a2 100644
--- a/src/tests/cmocka/test_ipa_subdomains_server.c
+++ b/src/tests/cmocka/test_ipa_subdomains_server.c
@@ -63,7 +63,8 @@
#define TEST_ID_PROVIDER "ipa"
#define ONEWAY_KEYTAB TEST_DIR"/"SUBDOM_REALM".keytab"
-#define ONEWAY_AUTHID DOM_FLAT"$@"SUBDOM_REALM
+#define ONEWAY_PRINC DOM_FLAT"$"
+#define ONEWAY_AUTHID ONEWAY_PRINC"@"SUBDOM_REALM
krb5_error_code __wrap_krb5_kt_default(krb5_context context, krb5_keytab *id)
{
@@ -72,13 +73,11 @@ krb5_error_code __wrap_krb5_kt_default(krb5_context context, krb5_keytab *id)
static void create_dummy_keytab(void)
{
- int fd;
errno_t ret;
assert_non_null(ONEWAY_KEYTAB);
- fd = open(ONEWAY_KEYTAB, O_WRONLY | O_CREAT | O_TRUNC, 0600);
- assert_int_not_equal(fd, -1);
- close(fd);
+ mock_keytab_with_contents(global_talloc_context,
+ ONEWAY_KEYTAB, ONEWAY_AUTHID);
ret = access(ONEWAY_KEYTAB, R_OK);
assert_int_equal(ret, 0);
@@ -641,8 +640,28 @@ static void test_ipa_server_create_trusts_oneway(struct tevent_req *req)
/* Trust object should be around now */
assert_non_null(test_ctx->ipa_ctx->server_mode->trusts);
+
+ assert_trust_object(
+ test_ctx->ipa_ctx->server_mode->trusts,
+ CHILD_NAME, /* AD domain name */
+ CHILD_REALM, /* AD realm can be child if SDAP realm is parent's */
+ CHILD_SID,
+ ONEWAY_KEYTAB, /* Keytab shared with parent AD dom */
+ ONEWAY_PRINC, /* Principal shared with parent AD dom */
+ SUBDOM_REALM); /* SDAP realm must be AD root domain */
+
assert_non_null(test_ctx->ipa_ctx->server_mode->trusts->next);
+ /* Here all properties point to the AD domain */
+ assert_trust_object(test_ctx->ipa_ctx->server_mode->trusts->next,
+ SUBDOM_NAME,
+ SUBDOM_REALM,
+ SUBDOM_SID,
+ ONEWAY_KEYTAB,
+ ONEWAY_PRINC,
+ SUBDOM_REALM);
+
+ assert_null(test_ctx->ipa_ctx->server_mode->trusts->next->next);
test_ipa_server_create_trusts_finish(test_ctx);
}