-rw-r--r--src/man/sssd-ipa.5.xml6
-rw-r--r--src/monitor/monitor.c72
-rw-r--r--src/util/util.h6
3 files changed, 84 insertions, 0 deletions
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index 4c4aaba4e..c7abea975 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -58,6 +58,12 @@
refer to freeipa.org for more information about HBAC. No configuration
of access provider is required on the client side.
</para>
+ <para>
+ The IPA provider will use the PAC responder if the Kerberos tickets
+ of users from trusted realms contain a PAC. To make configuration
+ easier the PAC responder is started automatically if the IPA ID
+ provider is configured.
+ </para>
</refsect1>
<refsect1 id='file-format'>
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index a4652ee96..1fbbcb9ce 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -804,6 +804,71 @@ static int check_local_domain_unique(struct sss_domain_info *domains)
return EOK;
}
+static errno_t add_implicit_services(struct confdb_ctx *cdb, TALLOC_CTX *mem_ctx,
+ char ***_services)
+{
+ int ret;
+ char **domain_names;
+ TALLOC_CTX *tmp_ctx;
+ size_t c;
+ char *conf_path;
+ char *id_provider;
+ bool add_pac = false;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_new failed.\n"));
+ return ENOMEM;
+ }
+
+ ret = confdb_get_string_as_list(cdb, tmp_ctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_ACTIVE_DOMAINS,
+ &domain_names);
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE, ("No domains configured!\n"));
+ goto done;
+ }
+
+ for (c = 0; domain_names[c] != NULL; c++) {
+ conf_path = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL,
+ domain_names[c]);
+ if (conf_path == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_asprintf failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = confdb_get_string(cdb, tmp_ctx, conf_path,
+ CONFDB_DOMAIN_ID_PROVIDER, NULL, &id_provider);
+ if (ret == EOK) {
+ if (strcasecmp(id_provider, "IPA") == 0) {
+ add_pac = true;
+ }
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, ("Failed to get id_provider for " \
+ "domain [%s], trying next domain.\n",
+ domain_names[c]));
+ }
+ }
+
+ if (BUILD_WITH_PAC_RESPONDER && add_pac &&
+ !string_in_list("pac", *_services, false)) {
+ ret = add_string_to_list(mem_ctx, "pac", _services);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("add_string_to_list failed.\n"));
+ goto done;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
static char *check_services(char **services)
{
const char *known_services[] = { "nss", "pam", "sudo", "autofs", "ssh",
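Review bot: `domain_names` is dereferenced in the `for` loop without ever having been assigned whenever `confdb_get_string_as_list` fails with anything other than ENOENT, because ENOENT is the only return value the new code tests; an ENOMEM or lookup error falls straight through to `domain_names[c]`. Replace the check with `if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("Failed to read active domains [%d].\n", ret)); goto done; }` so every failure path leaves before the loop. Separately, `confdb_get_string` is called with a NULL default, so if it can report EOK while leaving `id_provider` NULL for a domain that has no id_provider option (what a NULL default usually means in this API; confirm against confdb.c), the `strcasecmp` on the following line dereferences NULL; `if (id_provider != NULL && strcasecmp(id_provider, "IPA") == 0)` removes that risk at no cost.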
@@ -857,6 +922,13 @@ int get_monitor_config(struct mt_ctx *ctx)
return EINVAL;
}
+ ret = add_implicit_services(ctx->cdb, ctx->service_ctx, &ctx->services);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Failed to add implicit configured " \
+ "services. Some functionality might " \
+ "be missing"));
+ }
+
badsrv = check_services(ctx->services);
if (badsrv != NULL) {
DEBUG(0, ("Invalid service %s\n", badsrv));
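Review bot: The DEBUG message in the new error branch has no terminating newline, unlike every other DEBUG string in this hunk, so whatever is logged next is appended to `be missing` on the same line; change the last fragment to `"be missing.\n"));`. The failure is only logged and startup continues, which reads as deliberate best-effort behaviour, but a one-line comment above the call such as `/* Best effort: failing here only loses the implicit PAC service, so keep starting. */` would make that intent explicit for the next reader. get_monitor_config's body begins and ends outside this hunk.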
diff --git a/src/util/util.h b/src/util/util.h
index 53f5954ee..9e55e5065 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -583,4 +583,10 @@ errno_t sss_br_lock_file(int fd, size_t start, size_t len,
#endif /* le32toh */
+#ifdef HAVE_PAC_RESPONDER
+#define BUILD_WITH_PAC_RESPONDER true
+#else
+#define BUILD_WITH_PAC_RESPONDER false
+#endif
+
#endif /* __SSSD_UTIL_H__ */