-rw-r--r-- | contrib/sssd.spec.in | 9 | ||||
-rw-r--r-- | server/Makefile.am | 13 | ||||
-rw-r--r-- | server/configure.ac | 6 | ||||
-rw-r--r-- | server/external/krb5.m4 | 28 | ||||
-rw-r--r-- | server/man/sssd_krb5_locator_plugin.8.xml | 89 | ||||
-rw-r--r-- | server/providers/krb5/krb5_auth.c | 3 | ||||
-rw-r--r-- | server/providers/krb5/krb5_auth.h | 10 | ||||
-rw-r--r-- | server/providers/krb5/krb5_child.c | 31 |
8 files changed, 177 insertions, 12 deletions
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 408d44936..786b2e9e0 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -92,10 +92,16 @@ rm -f \ $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la \ $RPM_BUILD_ROOT/%{python_sitearch}/pysss.la +touch locator.filelist +if test -e $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so +then + echo %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so > locator.filelist +fi + %clean rm -rf $RPM_BUILD_ROOT -%files +%files -f locator.filelist %defattr(-,root,root,-) %doc COPYING %{_initrddir}/%{name} @@ -109,7 +115,6 @@ rm -rf $RPM_BUILD_ROOT %{_libexecdir}/%{servicename}/ %{_libdir}/%{name}/ %{_libdir}/ldb/memberof.so -%{_libdir}/krb5/plugins/libkrb5/* %dir %{sssdstatedir} %attr(700,root,root) %dir %{dbpath} %attr(755,root,root) %dir %{pipepath} diff --git a/server/Makefile.am b/server/Makefile.am index 6ed405a5b..41eeefb42 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -7,7 +7,9 @@ builddir ?= . sssdlibexecdir = $(libexecdir)/sssd sssdlibdir = $(libdir)/sssd ldblibdir = $(libdir)/ldb +if BUILD_KRB5_LOCATOR_PLUGIN krb5plugindir = @krb5pluginpath@ +endif sssdconfdir = $(sysconfdir)/sssd dbusintrospectdir = $(datarootdir)/sssd/introspect dbuspolicydir = $(sysconfdir)/dbus-1/system.d @@ -78,8 +80,10 @@ sssdlib_LTLIBRARIES = \ ldblib_LTLIBRARIES = \ memberof.la +if BUILD_KRB5_LOCATOR_PLUGIN krb5plugin_LTLIBRARIES = \ sssd_krb5_locator_plugin.la +endif noinst_LTLIBRARIES = \ libsss_crypt.la @@ -203,8 +207,8 @@ SSSD_LIBS = \ $(COLLECTION_LIBS) \ $(DHASH_LIBS) \ $(REPLACE_LIBS) \ - $(NSS_LIBS) \ - libsss_crypt.la + libsss_crypt.la \ + $(NSS_LIBS) PYTHON_BINDINGS_LIBS = \ $(TALLOC_LIBS) \ @@ -464,6 +468,7 @@ memberof_la_LDFLAGS = \ -avoid-version \ -module +if BUILD_KRB5_LOCATOR_PLUGIN sssd_krb5_locator_plugin_la_SOURCES = \ krb5_plugin/sssd_krb5_locator_plugin.c sssd_krb5_locator_plugin_la_CFLAGS = \ 
@@ -472,6 +477,7 @@ sssd_krb5_locator_plugin_la_CFLAGS = \ sssd_krb5_locator_plugin_la_LDFLAGS = \ -avoid-version \ -module +endif if BUILD_PYTHON_BINDINGS pysss_la_SOURCES = \ @@ -501,7 +507,8 @@ XSLTPROC_FLAGS = --catalogs --xinclude --nonet dist_man_MANS = man/sss_useradd.8 man/sss_userdel.8 man/sss_usermod.8 \ man/sss_groupadd.8 man/sss_groupdel.8 man/sss_groupmod.8 \ - man/sssd.8 man/sssd.conf.5 man/sssd-ldap.5 man/sssd-krb5.5 + man/sssd.8 man/sssd.conf.5 man/sssd-ldap.5 man/sssd-krb5.5 \ + man/sssd_krb5_locator_plugin.8 SUFFIXES = .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8 .1.xml.1: diff --git a/server/configure.ac b/server/configure.ac index 475bdca6a..03d2885ac 100644 --- a/server/configure.ac +++ b/server/configure.ac @@ -67,6 +67,12 @@ m4_include([external/python.m4]) m4_include([util/signal.m4]) PKG_CHECK_MODULES([DBUS],[dbus-1]) +dnl if test -n "`$PKG_CONFIG --modversion dbus-1 | grep '^0\.'`" ; then +if ! $PKG_CONFIG --atleast-version 1.0.0 dbus-1; then + DBUS_CFLAGS="$DBUS_CFLAGS -DDBUS_API_SUBJECT_TO_CHANGE" + AC_MSG_RESULT([setting -DDBUS_API_SUBJECT_TO_CHANGE]) +fi + if test x$has_dbus != xno; then SAFE_LDFLAGS="$LDFLAGS" LDFLAGS="$DBUS_LIBS" diff --git a/server/external/krb5.m4 b/server/external/krb5.m4 index 1ed5064a5..95cd386e2 100644 --- a/server/external/krb5.m4 +++ b/server/external/krb5.m4 
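Review bot: `man/sssd_krb5_locator_plugin.8` is appended to `dist_man_MANS` unconditionally in the @@ -501 hunk, while the plugin it documents is built and installed only inside `if BUILD_KRB5_LOCATOR_PLUGIN` (the @@ -78 and @@ -464 hunks of this file), so a build with the plugin disabled still installs a manual page for a library that is absent. If the page should follow the plugin, leave the existing list as it was and add it under the same conditional: `if BUILD_KRB5_LOCATOR_PLUGIN` / `dist_man_MANS += man/sssd_krb5_locator_plugin.8` / `endif`. If installing it regardless is intended (its NOTES section does cover the plugin being unavailable), a one-line comment next to the list saying so would save the next reader the same question.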
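Review bot: The `dnl`-commented `$PKG_CONFIG --modversion dbus-1 | grep` line in the configure.ac hunk is the previous form of the version check left in directly above its replacement; commented-out code tends to outlive its usefulness, so drop it and let history carry it. `AC_MSG_RESULT([setting -DDBUS_API_SUBJECT_TO_CHANGE])` is also emitted without a preceding `AC_MSG_CHECKING`, so the text is appended to whatever the last probe printed; `AC_MSG_NOTICE([setting -DDBUS_API_SUBJECT_TO_CHANGE])` is the macro for a free-standing message.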
@@ -9,3 +9,31 @@ if test -x "$KRB5_CONFIG"; then else AC_MSG_ERROR(no. Please install MIT kerberos devel package) fi + +SAVE_CFLAGS=$CFLAGS +SAVE_LIBS=$LIBS +CFLAGS="$CFLAGS $KRB5_CFLAGS" +LIBS="$LIBS $KRB5_LIBS" +AC_CHECK_HEADERS([krb5.h krb5/krb5.h]) +AC_CHECK_FUNCS([krb5_get_init_creds_opt_alloc krb5_get_error_message]) +CFLAGS=$SAVE_CFLAGS +LIBS=$SAVE_LIBS + +if test x$ac_cv_header_krb5_h != xyes -a x$ac_cv_header_krb5_krb5_h != xyes +then + AC_MSG_ERROR(you must have Kerberos 5 header files to build sssd) +fi + +AC_ARG_ENABLE([krb5-locator-plugin], + [AS_HELP_STRING([--disable-krb5-locator-plugin], + [do not build Kerberos locator plugin])], + [build_locator=$enableval], + [build_locator=yes]) + +AC_CHECK_HEADER([krb5/locate_plugin.h], + [have_locate_plugin=yes], + [have_locate_plugin=no] + [AC_MSG_NOTICE([Kerberos locator plugin cannot be build])]) +AM_CONDITIONAL([BUILD_KRB5_LOCATOR_PLUGIN], + [test x$have_locate_plugin == xyes -a x$build_locator == xyes]) + diff --git a/server/man/sssd_krb5_locator_plugin.8.xml b/server/man/sssd_krb5_locator_plugin.8.xml new file mode 100644 index 000000000..6c60431ff --- /dev/null +++ b/server/man/sssd_krb5_locator_plugin.8.xml 
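Review bot: `AC_CHECK_HEADER([krb5/locate_plugin.h], ...)` runs after `CFLAGS=$SAVE_CFLAGS` has already dropped `$KRB5_CFLAGS`, so on a system whose Kerberos headers live outside the default include path the probe fails and `BUILD_KRB5_LOCATOR_PLUGIN` is silently switched off even though `krb5.h` was found with those flags a few lines earlier; move the two restore lines below this probe or wrap it in the same save/restore. The action-if-not-found is written as two adjacent quoted arguments, `[have_locate_plugin=no] [AC_MSG_NOTICE(...)]`, which m4 expands to `have_locate_plugin=no` followed on the same shell line by the notice's command group, so the assignment appears to become a per-command environment prefix rather than a shell variable and the notice is unlikely to print cleanly; the plugin still ends up disabled only because an unset variable also fails the later test. Write it as one argument, `[have_locate_plugin=no; AC_MSG_NOTICE([Kerberos locator plugin cannot be built])]` (which also fixes "build" to "built"). The `AM_CONDITIONAL` test uses `==`, which plain POSIX `test` does not accept; `[test x$have_locate_plugin = xyes -a x$build_locator = xyes]` is the portable form.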
@@ -0,0 +1,89 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" +"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<reference> +<title>SSSD Manual pages</title> +<refentry> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" /> + + <refmeta> + <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> + <manvolnum>8</manvolnum> + </refmeta> + + <refnamediv id='name'> + <refname>sssd_krb5_locator_plugin</refname> + <refpurpose>the configuration file for SSSD</refpurpose> + </refnamediv> + + <refsect1 id='description'> + <title>DESCRIPTION</title> + <para> + The Kerberos locator plugin + <command>sssd_krb5_locator_plugin</command> is used by the Kerberos + provider of + <citerefentry> + <refentrytitle>sssd</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry> + to tell the Kerberos libraries what Realm and which KDC to use. + Typically this is done in + <citerefentry> + <refentrytitle>krb5.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + which is always read by the Kerberos libraries. To simplyfy the + configuration the Realm and the KDC can be defined in + <citerefentry> + <refentrytitle>sssd.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + as described in + <citerefentry> + <refentrytitle>sssd-krb5.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + </para> + <para> + <citerefentry> + <refentrytitle>sssd</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry> + puts the Realm and the name or IP address of the KDC into the + enviroment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. + When <command>sssd_krb5_locator_plugin</command> is called by the + kerberos libraries it reads and evaluates these variable and returns + them to the libraries. + </para> + </refsect1> + + <refsect1 id='notes'> + <title>NOTES</title> + <para> + Not all Kerberos implementations support the use of plugins. 
If + <command>sssd_krb5_locator_plugin</command> is not available on + your system you have to edit /etc/krb5.conf to reflect your + Kerberos setup. + </para> + <para> + If the enviroment variable SSSD_KRB5_LOCATOR_DEBUG is set to any + value debug messages will be sent to stderr. + </para> + </refsect1> + + <refsect1 id='see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> +</reference> diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c index 03e790322..631f70862 100644 --- a/server/providers/krb5/krb5_auth.c +++ b/server/providers/krb5/krb5_auth.c @@ -22,10 +22,9 @@ along with this program. If not, see <http://www.gnu.org/licenses/>. */ - #include <errno.h> #include <sys/time.h> -#include <krb5/krb5.h> + #include <sys/types.h> #include <sys/wait.h> #include <unistd.h> diff --git a/server/providers/krb5/krb5_auth.h b/server/providers/krb5/krb5_auth.h index 4e65d9fc2..9a7807e8a 100644 --- a/server/providers/krb5/krb5_auth.h +++ b/server/providers/krb5/krb5_auth.h @@ -26,8 +26,15 @@ #ifndef __KRB5_AUTH_H__ #define __KRB5_AUTH_H__ +#include "config.h" + #include <stdbool.h> + +#ifdef HAVE_KRB5_KRB5_H #include <krb5/krb5.h> +#else +#include <krb5.h> +#endif #define MAX_CHILD_MSG_SIZE 255 #define CCACHE_ENV_NAME "KRB5CCNAME" @@ -79,9 +86,6 @@ struct krb5_ctx { action_type action; - int num_pa_opts; - krb5_gic_opt_pa_data *pa_opts; - char *kdcip; char *realm; bool try_simple_upn; diff --git a/server/providers/krb5/krb5_child.c b/server/providers/krb5/krb5_child.c index 3673c7457..4f3a62c65 100644 --- a/server/providers/krb5/krb5_child.c +++ b/server/providers/krb5/krb5_child.c 
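Review bot: Pulling `config.h` in from `krb5_auth.h` (the @@ -26 hunk) makes the `HAVE_*` decisions depend on include order: any translation unit that includes a system header before this one compiles that header without the feature macros config.h defines, and an autoheader-generated config.h usually has no include guard, so the convention is to include it once, first, from each `.c` file. Keep the `#ifdef HAVE_KRB5_KRB5_H` / `#include <krb5/krb5.h>` / `#else` / `#include <krb5.h>` selection here but move `#include "config.h"` to the top of krb5_auth.c and krb5_child.c, which both drop their own `<krb5/krb5.h>` include in this commit and whose new `#ifdef HAVE_KRB5_GET_ERROR_MESSAGE` blocks presumably rely on config.h reaching them through this header. If the header must stay self-contained, at least add `/* config.h must be the first include: it selects the krb5 header below */` so the ordering constraint is visible.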
@@ -22,7 +22,6 @@ along with this program. If not, see <http://www.gnu.org/licenses/>. */ -#include <krb5/krb5.h> #include <sys/types.h> #include <unistd.h> #include <sys/stat.h> @@ -53,6 +52,7 @@ struct krb5_req { char *ccname; }; +#ifdef HAVE_KRB5_GET_ERROR_MESSAGE static krb5_context krb5_error_ctx; static const char *__krb5_error_msg; #define KRB5_DEBUG(level, krb5_error) do { \ @@ -60,6 +60,11 @@ static const char *__krb5_error_msg; DEBUG(level, ("%d: [%d][%s]\n", __LINE__, krb5_error, __krb5_error_msg)); \ krb5_free_error_message(krb5_error_ctx, __krb5_error_msg); \ } while(0); +#else +#define KRB5_DEBUG(level, krb5_error) do { \ + DEBUG(level, ("%d: kerberos error [%d]\n", __LINE__, krb5_error)); \ +} while(0); +#endif struct response { size_t max_size; @@ -138,6 +143,7 @@ static struct response *prepare_response_message(struct krb5_req *kr, ret = pack_response_packet(resp, PAM_SUCCESS, PAM_ENV_ITEM, msg); talloc_zfree(msg); } else { +#ifdef HAVE_KRB5_GET_ERROR_MESSAGE krb5_msg = krb5_get_error_message(krb5_error_ctx, kerr); if (krb5_msg == NULL) { DEBUG(1, ("krb5_get_error_message failed.\n")); @@ -146,6 +152,11 @@ static struct response *prepare_response_message(struct krb5_req *kr, ret = pack_response_packet(resp, pam_status, PAM_USER_INFO, krb5_msg); krb5_free_error_message(krb5_error_ctx, krb5_msg); +#else + msg = talloc_asprintf(kr, "Kerberos error [%d]", kerr); + ret = pack_response_packet(resp, pam_status, PAM_USER_INFO, msg); + talloc_zfree(msg); +#endif } if (ret != EOK) { @@ -441,8 +452,14 @@ static int krb5_cleanup(void *ptr) struct krb5_req *kr = talloc_get_type(ptr, struct krb5_req); if (kr == NULL) return EOK; - if (kr->options != NULL) + if (kr->options != NULL) { +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC krb5_get_init_creds_opt_free(kr->ctx, kr->options); +#else + free(kr->options); +#endif + } + if (kr->creds != NULL) { krb5_free_cred_contents(kr->ctx, kr->creds); krb5_free_creds(kr->ctx, kr->creds); 
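Review bot: In the `#else` branch of the @@ -146 hunk the result of `talloc_asprintf(kr, "Kerberos error [%d]", kerr)` is handed to `pack_response_packet` and `talloc_zfree` without a NULL check, whereas the `krb5_get_error_message` path directly above tests `krb5_msg == NULL` before using it, so an allocation failure here packs a NULL message instead of reporting the failure. Mirror the existing check, `if (msg == NULL) { DEBUG(1, ("talloc_asprintf failed.\n")); ... }`, taking the same exit as the `krb5_msg == NULL` case (that exit lies outside the visible hunk lines). Minor: the fallback `KRB5_DEBUG` definition in the @@ -60 hunk copies the trailing `;` after `while(0)`, so `KRB5_DEBUG(...);` expands to two statements and cannot be used as the sole body of an unbraced `if`/`else`; `} while(0)` without the semicolon is the usual form. prepare_response_message and krb5_cleanup both continue outside their hunks.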
@@ -539,11 +556,21 @@ static int krb5_setup(struct pam_data *pd, const char *user_princ_str, goto failed; } +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC kerr = krb5_get_init_creds_opt_alloc(kr->ctx, &kr->options); if (kerr != 0) { KRB5_DEBUG(1, kerr); goto failed; } +#else + kr->options = calloc(1, sizeof(krb5_get_init_creds_opt)); + if (kr->options == NULL) { + DEBUG(1, ("calloc failed.\n")); + kerr = ENOMEM; + goto failed; + } + krb5_get_init_creds_opt_init(&kr->options); +#endif /* TODO: set options, e.g. * krb5_get_init_creds_opt_set_tkt_life |
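Review bot: In the `#else` fallback, `krb5_get_init_creds_opt_init(&kr->options)` passes the address of the pointer rather than the options struct: `kr->options` is a `krb5_get_init_creds_opt *` (it receives the `calloc` result here and is passed as `&kr->options` to `krb5_get_init_creds_opt_alloc` in the `#ifdef` branch), while `krb5_get_init_creds_opt_init` takes a `krb5_get_init_creds_opt *`, so the call initialises the pointer's own storage and leaves the freshly zeroed struct untouched; it should read `krb5_get_init_creds_opt_init(kr->options);`. The compiler will report an incompatible pointer type for this line, so it is worth building the fallback path once against an old krb5 to catch it. `kerr = ENOMEM;` also stores an errno value in a variable that otherwise holds Kerberos error codes; if the `failed:` path (outside the hunk) passes `kerr` to `KRB5_DEBUG` or `krb5_get_error_message`, the logged text will be whatever Kerberos makes of ENOMEM, so consider logging the calloc failure and leaving `kerr` as the caller expects. krb5_setup starts and ends outside the hunk.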