4 files changed, 134 insertions, 110 deletions

diff --git a/server/Makefile.am b/server/Makefile.am
index d61149991..8c6cc48ab 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -485,6 +485,7 @@ libsss_ipa_la_SOURCES = \
     providers/ldap/sdap.c \
     util/sss_ldap.c \
     providers/krb5/krb5_utils.c \
+    providers/krb5/krb5_common.c \
     providers/krb5/krb5_auth.c
 libsss_ipa_la_CFLAGS = \
     $(AM_CFLAGS) \
diff --git a/server/providers/ipa/ipa_common.c b/server/providers/ipa/ipa_common.c
index 799ac2f94..6dba10c84 100644
--- a/server/providers/ipa/ipa_common.c
+++ b/server/providers/ipa/ipa_common.c
@@ -104,6 +104,15 @@ struct sdap_id_map ipa_group_map[] = {
     { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }
 };
 
+struct dp_option ipa_def_krb5_opts[] = {
+    { "krb5_kdcip", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
+    { "krb5_ccname_tmpl", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
+    { "krb5_changepw_princ", DP_OPT_STRING, { "kadmin/changepw" }, NULL_STRING },
+    { "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER },
+};
+
 int domain_to_basedn(TALLOC_CTX *memctx, const char *domain, char **basedn)
 {
     const char *s;
@@ -317,3 +326,73 @@ done:
     return ret;
 }
 
+/* the following preprocessor code is used to keep track of
+ * the options in the krb5 module, so that if they change and ipa
+ * is not updated correspondingly this will trigger a build error */
+#if KRB5_OPTS > 6
+#error There are krb5 options not accounted for
+#endif
+
+int ipa_get_auth_options(TALLOC_CTX *memctx,
+                         struct confdb_ctx *cdb,
+                         const char *conf_path,
+                         struct ipa_options *ipa_opts,
+                         struct dp_option **_opts)
+{
+    int ret;
+    int i;
+    TALLOC_CTX *tmpctx;
+    struct dp_option *opts;
+    char *value;
+
+    tmpctx = talloc_new(memctx);
+    if (!tmpctx) {
+        return ENOMEM;
+    }
+
+    opts = talloc_zero(memctx, struct dp_option);
+    if (opts == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ret = dp_copy_options(ipa_opts, ipa_def_krb5_opts,
+                          KRB5_OPTS, &opts);
+    if (ret != EOK) {
+        goto done;
+    }
+
+    value = dp_opt_get_string(ipa_opts->basic, IPA_SERVER);
+    if (!value) {
+        ret = ENOMEM;
+        goto done;
+    }
+    ret = dp_opt_set_string(opts, KRB5_KDC, value);
+    if (ret != EOK) {
+        goto done;
+    }
+
+
+    value = dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN);
+    if (!value) {
+        ret = ENOMEM;
+        goto done;
+    }
+    for (i = 0; value[i]; i++) {
+        value[i] = toupper(value[i]);
+    }
+    ret = dp_opt_set_string(opts, KRB5_REALM, value);
+    if (ret != EOK) {
+        goto done;
+    }
+
+    *_opts = opts;
+    ret = EOK;
+
+done:
+    talloc_zfree(tmpctx);
+    if (ret != EOK) {
+        talloc_zfree(opts);
+    }
+    return ret;
+}
diff --git a/server/providers/ipa/ipa_common.h b/server/providers/ipa/ipa_common.h
index 80f5294ac..f7d3ab8cb 100644
--- a/server/providers/ipa/ipa_common.h
+++ b/server/providers/ipa/ipa_common.h
@@ -25,6 +25,7 @@
 #include "util/util.h"
 #include "confdb/confdb.h"
 #include "providers/ldap/ldap_common.h"
+#include "providers/krb5/krb5_common.h"
 
 enum ipa_basic_opt {
     IPA_DOMAIN = 0,
@@ -58,4 +59,10 @@ int ipa_get_id_options(TALLOC_CTX *memctx,
                        struct ipa_options *ipa_opts,
                        struct sdap_options **_opts);
 
+int ipa_get_auth_options(TALLOC_CTX *memctx,
+                         struct confdb_ctx *cdb,
+                         const char *conf_path,
+                         struct ipa_options *ipa_opts,
+                         struct dp_option **_opts);
+
 #endif /* _IPA_COMMON_H_ */
diff --git a/server/providers/ipa/ipa_init.c b/server/providers/ipa/ipa_init.c
index 9cdcf4b07..0c2eb2a79 100644
--- a/server/providers/ipa/ipa_init.c
+++ b/server/providers/ipa/ipa_init.c
@@ -25,6 +25,8 @@
 #include <sys/types.h>
 #include <unistd.h>
 #include <sys/stat.h>
+#include <fcntl.h>
+
 #include "providers/ipa/ipa_common.h"
 #include "providers/krb5/krb5_auth.h"
 
@@ -100,141 +102,76 @@ done:
 
 int sssm_ipa_auth_init(struct be_ctx *bectx,
                        struct bet_ops **ops,
-                       void **pvt_auth_data)
+                       void **pvt_data)
 {
     struct krb5_ctx *ctx = NULL;
-    struct tevent_signal *sige;
-    struct stat stat_buf;
-    char *value = NULL;
-    int int_value;
     int ret;
+    struct tevent_signal *sige;
+    unsigned v;
+    FILE *debug_filep;
+
+    if (!ipa_options) {
+        ipa_get_options(bectx, bectx->cdb,
+                        bectx->conf_path,
+                        bectx->domain, &ipa_options);
+    }
+    if (!ipa_options) {
+        return ENOMEM;
+    }
 
     ctx = talloc_zero(bectx, struct krb5_ctx);
     if (!ctx) {
-        DEBUG(1, ("talloc failed.\n"));
         return ENOMEM;
     }
 
-    ctx->action = INIT_PW;
-
-    ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path,
-                            CONFDB_KRB5_KDCIP, NULL, &value);
+    ret = ipa_get_auth_options(ctx, bectx->cdb,
+                               bectx->conf_path,
+                               ipa_options, &ctx->opts);
     if (ret != EOK) {
-        goto fail;
+        goto done;
     }
 
-    if (value == NULL) {
-        DEBUG(2, ("Missing krb5KDCIP, authentication might fail.\n"));
-    } else {
-        ret = setenv(SSSD_KRB5_KDC, value, 1);
-        if (ret != EOK) {
-            DEBUG(2, ("setenv %s failed, authentication might fail.\n",
-                      SSSD_KRB5_KDC));
-        }
+    ret = check_and_export_options(ctx->opts, bectx->domain);
+    if (ret != EOK) {
+        DEBUG(1, ("check_and_export_opts failed.\n"));
+        goto done;
     }
-    ctx->kdcip = value;
 
-    ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path,
-                            CONFDB_KRB5_REALM, NULL, &value);
-    if (ret != EOK) {
-        goto fail;
+    sige = tevent_add_signal(bectx->ev, ctx, SIGCHLD, SA_SIGINFO,
+                             krb5_child_sig_handler, NULL);
+    if (sige == NULL) {
+        DEBUG(1, ("tevent_add_signal failed.\n"));
+        ret = ENOMEM;
+        goto done;
     }
 
-    if (value == NULL) {
-        DEBUG(4, ("Missing krb5REALM authentication might fail.\n"));
-    } else {
-        ret = setenv(SSSD_KRB5_REALM, value, 1);
+    if (debug_to_file != 0) {
+        ret = open_debug_file_ex("krb5_child", &debug_filep);
         if (ret != EOK) {
-            DEBUG(2, ("setenv %s failed, authentication might fail.\n",
-                      SSSD_KRB5_REALM));
+            DEBUG(0, ("Error setting up logging (%d) [%s]\n",
+                    ret, strerror(ret)));
+            goto done;
         }
-    }
-    ctx->realm = value;
 
-    ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path,
-                            CONFDB_KRB5_CCACHEDIR, "/tmp", &value);
-    if (ret != EOK) {
-        goto fail;
-    }
-
-    ret = lstat(value, &stat_buf);
-    if (ret != EOK) {
-        DEBUG(1, ("lstat for [%s] failed: [%d][%s].\n",
-                  value, errno, strerror(errno)));
-        goto fail;
-    }
-    if (!S_ISDIR(stat_buf.st_mode)) {
-        DEBUG(1, ("Value of krb5ccache_dir [%s] is not a directory.\n",
-                  value));
-        goto fail;
-    }
-    ctx->ccache_dir = value;
-
-    ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path,
-                            CONFDB_KRB5_CCNAME_TMPL,
-                            "FILE:%d/krb5cc_%U_XXXXXX",
-                            &value);
-    if (ret != EOK) {
-        goto fail;
-    }
-
-    if (value[0] != '/' && strncmp(value, "FILE:", 5) != 0) {
-        DEBUG(1, ("Currently only file based credential caches are supported "
-                  "and krb5ccname_template must start with '/' or 'FILE:'\n"));
-        goto fail;
-    }
-    ctx->ccname_template = value;
-
-    ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path,
-                            CONFDB_KRB5_CHANGEPW_PRINC,
-                            "kadmin/changepw",
-                            &value);
-    if (ret != EOK) {
-        goto fail;
-    }
-
-    if (strchr(value, '@') == NULL) {
-        value = talloc_asprintf_append(value, "@%s", ctx->realm);
-        if (value == NULL) {
-            DEBUG(7, ("talloc_asprintf_append failed.\n"));
-            goto fail;
+        ctx->child_debug_fd = fileno(debug_filep);
+        if (ctx->child_debug_fd == -1) {
+            DEBUG(0, ("fileno failed [%d][%s]\n", errno, strerror(errno)));
+            ret = errno;
+            goto done;
         }
-    }
-    ctx->changepw_principle = value;
-
-    ret = setenv(SSSD_KRB5_CHANGEPW_PRINCIPLE, ctx->changepw_principle, 1);
-    if (ret != EOK) {
-        DEBUG(2, ("setenv %s failed, password change might fail.\n",
-                  SSSD_KRB5_CHANGEPW_PRINCIPLE));
-    }
-
-    ret = confdb_get_int(bectx->cdb, ctx, bectx->conf_path,
-                         CONFDB_KRB5_AUTH_TIMEOUT, 15, &int_value);
-    if (ret != EOK) {
-        goto fail;
-    }
-    if (int_value <= 0) {
-        DEBUG(4, ("krb5auth_timeout has to be a positive value.\n"));
-        goto fail;
-    }
-    ctx->auth_timeout = int_value;
-
-/* TODO: set options */
 
-    sige = tevent_add_signal(bectx->ev, ctx, SIGCHLD, SA_SIGINFO,
-                             krb5_child_sig_handler, NULL);
-    if (sige == NULL) {
-        DEBUG(1, ("tevent_add_signal failed.\n"));
-        ret = ENOMEM;
-        goto fail;
+        v = fcntl(ctx->child_debug_fd, F_GETFD, 0);
+        fcntl(ctx->child_debug_fd, F_SETFD, v & ~FD_CLOEXEC);
     }
 
     *ops = &ipa_auth_ops;
-    *pvt_auth_data = ctx;
-    return EOK;
+    *pvt_data = ctx;
+    ret = EOK;
 
-fail:
-    talloc_free(ctx);
+done:
+    if (ret != EOK) {
+        talloc_free(ctx);
+    }
     return ret;
 }