summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--contrib/sssd.spec.in9
-rw-r--r--server/Makefile.am13
-rw-r--r--server/configure.ac6
-rw-r--r--server/external/krb5.m428
-rw-r--r--server/man/sssd_krb5_locator_plugin.8.xml89
-rw-r--r--server/providers/krb5/krb5_auth.c3
-rw-r--r--server/providers/krb5/krb5_auth.h10
-rw-r--r--server/providers/krb5/krb5_child.c31
8 files changed, 177 insertions, 12 deletions
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 408d44936..786b2e9e0 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -92,10 +92,16 @@ rm -f \
$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la \
$RPM_BUILD_ROOT/%{python_sitearch}/pysss.la
+touch locator.filelist
+if test -e $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
+then
+ echo %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so > locator.filelist
+fi
+
%clean
rm -rf $RPM_BUILD_ROOT
-%files
+%files -f locator.filelist
%defattr(-,root,root,-)
%doc COPYING
%{_initrddir}/%{name}
@@ -109,7 +115,6 @@ rm -rf $RPM_BUILD_ROOT
%{_libexecdir}/%{servicename}/
%{_libdir}/%{name}/
%{_libdir}/ldb/memberof.so
-%{_libdir}/krb5/plugins/libkrb5/*
%dir %{sssdstatedir}
%attr(700,root,root) %dir %{dbpath}
%attr(755,root,root) %dir %{pipepath}
diff --git a/server/Makefile.am b/server/Makefile.am
index 6ed405a5b..41eeefb42 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -7,7 +7,9 @@ builddir ?= .
sssdlibexecdir = $(libexecdir)/sssd
sssdlibdir = $(libdir)/sssd
ldblibdir = $(libdir)/ldb
+if BUILD_KRB5_LOCATOR_PLUGIN
krb5plugindir = @krb5pluginpath@
+endif
sssdconfdir = $(sysconfdir)/sssd
dbusintrospectdir = $(datarootdir)/sssd/introspect
dbuspolicydir = $(sysconfdir)/dbus-1/system.d
@@ -78,8 +80,10 @@ sssdlib_LTLIBRARIES = \
ldblib_LTLIBRARIES = \
memberof.la
+if BUILD_KRB5_LOCATOR_PLUGIN
krb5plugin_LTLIBRARIES = \
sssd_krb5_locator_plugin.la
+endif
noinst_LTLIBRARIES = \
libsss_crypt.la
@@ -203,8 +207,8 @@ SSSD_LIBS = \
$(COLLECTION_LIBS) \
$(DHASH_LIBS) \
$(REPLACE_LIBS) \
- $(NSS_LIBS) \
- libsss_crypt.la
+ libsss_crypt.la \
+ $(NSS_LIBS)
PYTHON_BINDINGS_LIBS = \
$(TALLOC_LIBS) \
@@ -464,6 +468,7 @@ memberof_la_LDFLAGS = \
-avoid-version \
-module
+if BUILD_KRB5_LOCATOR_PLUGIN
sssd_krb5_locator_plugin_la_SOURCES = \
krb5_plugin/sssd_krb5_locator_plugin.c
sssd_krb5_locator_plugin_la_CFLAGS = \
@@ -472,6 +477,7 @@ sssd_krb5_locator_plugin_la_CFLAGS = \
sssd_krb5_locator_plugin_la_LDFLAGS = \
-avoid-version \
-module
+endif
if BUILD_PYTHON_BINDINGS
pysss_la_SOURCES = \
@@ -501,7 +507,8 @@ XSLTPROC_FLAGS = --catalogs --xinclude --nonet
dist_man_MANS = man/sss_useradd.8 man/sss_userdel.8 man/sss_usermod.8 \
man/sss_groupadd.8 man/sss_groupdel.8 man/sss_groupmod.8 \
- man/sssd.8 man/sssd.conf.5 man/sssd-ldap.5 man/sssd-krb5.5
+ man/sssd.8 man/sssd.conf.5 man/sssd-ldap.5 man/sssd-krb5.5 \
+ man/sssd_krb5_locator_plugin.8
SUFFIXES = .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8
.1.xml.1:
diff --git a/server/configure.ac b/server/configure.ac
index 475bdca6a..03d2885ac 100644
--- a/server/configure.ac
+++ b/server/configure.ac
@@ -67,6 +67,12 @@ m4_include([external/python.m4])
m4_include([util/signal.m4])
PKG_CHECK_MODULES([DBUS],[dbus-1])
+dnl if test -n "`$PKG_CONFIG --modversion dbus-1 | grep '^0\.'`" ; then
+if ! $PKG_CONFIG --atleast-version 1.0.0 dbus-1; then
+ DBUS_CFLAGS="$DBUS_CFLAGS -DDBUS_API_SUBJECT_TO_CHANGE"
+ AC_MSG_RESULT([setting -DDBUS_API_SUBJECT_TO_CHANGE])
+fi
+
if test x$has_dbus != xno; then
SAFE_LDFLAGS="$LDFLAGS"
LDFLAGS="$DBUS_LIBS"
diff --git a/server/external/krb5.m4 b/server/external/krb5.m4
index 1ed5064a5..95cd386e2 100644
--- a/server/external/krb5.m4
+++ b/server/external/krb5.m4
@@ -9,3 +9,31 @@ if test -x "$KRB5_CONFIG"; then
else
AC_MSG_ERROR(no. Please install MIT kerberos devel package)
fi
+
+SAVE_CFLAGS=$CFLAGS
+SAVE_LIBS=$LIBS
+CFLAGS="$CFLAGS $KRB5_CFLAGS"
+LIBS="$LIBS $KRB5_LIBS"
+AC_CHECK_HEADERS([krb5.h krb5/krb5.h])
+AC_CHECK_FUNCS([krb5_get_init_creds_opt_alloc krb5_get_error_message])
+CFLAGS=$SAVE_CFLAGS
+LIBS=$SAVE_LIBS
+
+if test x$ac_cv_header_krb5_h != xyes -a x$ac_cv_header_krb5_krb5_h != xyes
+then
+ AC_MSG_ERROR(you must have Kerberos 5 header files to build sssd)
+fi
+
+AC_ARG_ENABLE([krb5-locator-plugin],
+ [AS_HELP_STRING([--disable-krb5-locator-plugin],
+ [do not build Kerberos locator plugin])],
+ [build_locator=$enableval],
+ [build_locator=yes])
+
+AC_CHECK_HEADER([krb5/locate_plugin.h],
+ [have_locate_plugin=yes],
+ [have_locate_plugin=no]
+ [AC_MSG_NOTICE([Kerberos locator plugin cannot be build])])
+AM_CONDITIONAL([BUILD_KRB5_LOCATOR_PLUGIN],
+ [test x$have_locate_plugin == xyes -a x$build_locator == xyes])
+
diff --git a/server/man/sssd_krb5_locator_plugin.8.xml b/server/man/sssd_krb5_locator_plugin.8.xml
new file mode 100644
index 000000000..6c60431ff
--- /dev/null
+++ b/server/man/sssd_krb5_locator_plugin.8.xml
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd_krb5_locator_plugin</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd_krb5_locator_plugin</refname>
+ <refpurpose>the configuration file for SSSD</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ The Kerberos locator plugin
+ <command>sssd_krb5_locator_plugin</command> is used by the Kerberos
+ provider of
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ to tell the Kerberos libraries what Realm and which KDC to use.
+ Typically this is done in
+ <citerefentry>
+ <refentrytitle>krb5.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ which is always read by the Kerberos libraries. To simplyfy the
+ configuration the Realm and the KDC can be defined in
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ as described in
+ <citerefentry>
+ <refentrytitle>sssd-krb5.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ </para>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ puts the Realm and the name or IP address of the KDC into the
+ enviroment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively.
+ When <command>sssd_krb5_locator_plugin</command> is called by the
+ kerberos libraries it reads and evaluates these variable and returns
+ them to the libraries.
+ </para>
+ </refsect1>
+
+ <refsect1 id='notes'>
+ <title>NOTES</title>
+ <para>
+ Not all Kerberos implementations support the use of plugins. If
+ <command>sssd_krb5_locator_plugin</command> is not available on
+ your system you have to edit /etc/krb5.conf to reflect your
+ Kerberos setup.
+ </para>
+ <para>
+ If the enviroment variable SSSD_KRB5_LOCATOR_DEBUG is set to any
+ value debug messages will be sent to stderr.
+ </para>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c
index 03e790322..631f70862 100644
--- a/server/providers/krb5/krb5_auth.c
+++ b/server/providers/krb5/krb5_auth.c
@@ -22,10 +22,9 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-
#include <errno.h>
#include <sys/time.h>
-#include <krb5/krb5.h>
+
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
diff --git a/server/providers/krb5/krb5_auth.h b/server/providers/krb5/krb5_auth.h
index 4e65d9fc2..9a7807e8a 100644
--- a/server/providers/krb5/krb5_auth.h
+++ b/server/providers/krb5/krb5_auth.h
@@ -26,8 +26,15 @@
#ifndef __KRB5_AUTH_H__
#define __KRB5_AUTH_H__
+#include "config.h"
+
#include <stdbool.h>
+
+#ifdef HAVE_KRB5_KRB5_H
#include <krb5/krb5.h>
+#else
+#include <krb5.h>
+#endif
#define MAX_CHILD_MSG_SIZE 255
#define CCACHE_ENV_NAME "KRB5CCNAME"
@@ -79,9 +86,6 @@ struct krb5_ctx {
action_type action;
- int num_pa_opts;
- krb5_gic_opt_pa_data *pa_opts;
-
char *kdcip;
char *realm;
bool try_simple_upn;
diff --git a/server/providers/krb5/krb5_child.c b/server/providers/krb5/krb5_child.c
index 3673c7457..4f3a62c65 100644
--- a/server/providers/krb5/krb5_child.c
+++ b/server/providers/krb5/krb5_child.c
@@ -22,7 +22,6 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#include <krb5/krb5.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/stat.h>
@@ -53,6 +52,7 @@ struct krb5_req {
char *ccname;
};
+#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
static krb5_context krb5_error_ctx;
static const char *__krb5_error_msg;
#define KRB5_DEBUG(level, krb5_error) do { \
@@ -60,6 +60,11 @@ static const char *__krb5_error_msg;
DEBUG(level, ("%d: [%d][%s]\n", __LINE__, krb5_error, __krb5_error_msg)); \
krb5_free_error_message(krb5_error_ctx, __krb5_error_msg); \
} while(0);
+#else
+#define KRB5_DEBUG(level, krb5_error) do { \
+ DEBUG(level, ("%d: kerberos error [%d]\n", __LINE__, krb5_error)); \
+} while(0);
+#endif
struct response {
size_t max_size;
@@ -138,6 +143,7 @@ static struct response *prepare_response_message(struct krb5_req *kr,
ret = pack_response_packet(resp, PAM_SUCCESS, PAM_ENV_ITEM, msg);
talloc_zfree(msg);
} else {
+#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
krb5_msg = krb5_get_error_message(krb5_error_ctx, kerr);
if (krb5_msg == NULL) {
DEBUG(1, ("krb5_get_error_message failed.\n"));
@@ -146,6 +152,11 @@ static struct response *prepare_response_message(struct krb5_req *kr,
ret = pack_response_packet(resp, pam_status, PAM_USER_INFO, krb5_msg);
krb5_free_error_message(krb5_error_ctx, krb5_msg);
+#else
+ msg = talloc_asprintf(kr, "Kerberos error [%d]", kerr);
+ ret = pack_response_packet(resp, pam_status, PAM_USER_INFO, msg);
+ talloc_zfree(msg);
+#endif
}
if (ret != EOK) {
@@ -441,8 +452,14 @@ static int krb5_cleanup(void *ptr)
struct krb5_req *kr = talloc_get_type(ptr, struct krb5_req);
if (kr == NULL) return EOK;
- if (kr->options != NULL)
+ if (kr->options != NULL) {
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
krb5_get_init_creds_opt_free(kr->ctx, kr->options);
+#else
+ free(kr->options);
+#endif
+ }
+
if (kr->creds != NULL) {
krb5_free_cred_contents(kr->ctx, kr->creds);
krb5_free_creds(kr->ctx, kr->creds);
@@ -539,11 +556,21 @@ static int krb5_setup(struct pam_data *pd, const char *user_princ_str,
goto failed;
}
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
kerr = krb5_get_init_creds_opt_alloc(kr->ctx, &kr->options);
if (kerr != 0) {
KRB5_DEBUG(1, kerr);
goto failed;
}
+#else
+ kr->options = calloc(1, sizeof(krb5_get_init_creds_opt));
+ if (kr->options == NULL) {
+ DEBUG(1, ("calloc failed.\n"));
+ kerr = ENOMEM;
+ goto failed;
+ }
+ krb5_get_init_creds_opt_init(&kr->options);
+#endif
/* TODO: set options, e.g.
* krb5_get_init_creds_opt_set_tkt_life