Diffstat (limited to 'src/providers/ad')
-rw-r--r--src/providers/ad/ad_common.c64
-rw-r--r--src/providers/ad/ad_common.h7
-rw-r--r--src/providers/ad/ad_init.c85
3 files changed, 155 insertions, 1 deletions
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 92cd40eca..d8f8aff6f 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -598,3 +598,67 @@ ad_set_search_bases(struct sdap_options *id_opts)
done:
return ret;
}
+
+errno_t
+ad_get_auth_options(TALLOC_CTX *mem_ctx,
+ struct ad_options *ad_opts,
+ struct be_ctx *bectx,
+ struct dp_option **_opts)
+{
+ errno_t ret;
+ struct dp_option *krb5_options;
+ const char *ad_servers;
+ const char *krb5_realm;
+
+ TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ /* Get krb5 options */
+ ret = dp_get_options(tmp_ctx, bectx->cdb, bectx->conf_path,
+ ad_def_krb5_opts, KRB5_OPTS,
+ &krb5_options);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Could not read Kerberos options from the configuration\n"));
+ goto done;
+ }
+
+ ad_servers = dp_opt_get_string(ad_opts->basic, AD_SERVER);
+
+ /* Force the krb5_servers to match the ad_servers */
+ ret = dp_opt_set_string(krb5_options, KRB5_KDC, ad_servers);
+ if (ret != EOK) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ ("Option %s set to %s\n",
+ krb5_options[KRB5_KDC].opt_name,
+ ad_servers));
+
+ /* Set krb5 realm */
+ /* Set the Kerberos Realm for GSSAPI */
+ krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
+ if (!krb5_realm) {
+ /* Should be impossible, this is set in ad_get_common_options() */
+ DEBUG(SSSDBG_FATAL_FAILURE, ("No Kerberos realm\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* Force the kerberos realm to match the AD_KRB5_REALM (which may have
+ * been upper-cased in ad_common_options()
+ */
+ ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm);
+ if (ret != EOK) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ ("Option %s set to %s\n",
+ krb5_options[KRB5_REALM].opt_name,
+ krb5_realm));
+
+
+ *_opts = talloc_steal(mem_ctx, krb5_options);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
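Review bot: `ad_servers` is read from AD_SERVER and handed straight to the `%s` DEBUG after the KRB5_KDC set, with no NULL check; `dp_opt_get_string` returning NULL for an unset option is the usual SSSD behaviour, and a NULL argument for `%s` is undefined in C regardless of what glibc happens to print. Whether forcing KRB5_KDC to NULL is the intended "leave discovery to the krb5 provider" case is not visible here, but the log line should not depend on it: `ad_servers ? ad_servers : "(unset)"` in the DEBUG argument, or an explicit `if (!ad_servers)` branch with a comment stating the intent. The two stacked comments before the realm lookup (`/* Set krb5 realm */` and `/* Set the Kerberos Realm for GSSAPI */`) say the same thing and one should go. The later comment refers to `ad_common_options()` while the earlier one refers to `ad_get_common_options()`; these presumably name the same function, so the comments should agree on it.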
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index fefb67b60..d34f498a0 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -60,7 +60,7 @@ struct ad_options {
/* Auth and chpass Provider */
struct dp_option *auth;
- struct ad_auth_ctx *auth_ctx;
+ struct krb5_ctx *auth_ctx;
};
errno_t
@@ -81,5 +81,10 @@ ad_get_id_options(struct ad_options *ad_opts,
struct confdb_ctx *cdb,
const char *conf_path,
struct sdap_options **_opts);
+errno_t
+ad_get_auth_options(TALLOC_CTX *mem_ctx,
+ struct ad_options *ad_opts,
+ struct be_ctx *bectx,
+ struct dp_option **_opts);
#endif /* AD_COMMON_H_ */
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index da659da25..89101a5b1 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -31,6 +31,7 @@
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/sdap_idmap.h"
#include "providers/krb5/krb5_auth.h"
+#include "providers/krb5/krb5_init_shared.h"
#include "providers/ad/ad_id.h"
struct ad_options *ad_options = NULL;
@@ -176,6 +177,90 @@ done:
return ret;
}
+int
+sssm_ad_auth_init(struct be_ctx *bectx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+ errno_t ret;
+ struct krb5_ctx *krb5_auth_ctx = NULL;
+
+ if (!ad_options) {
+ ret = common_ad_init(bectx);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ if (ad_options->auth_ctx) {
+ /* Already initialized */
+ *ops = &ad_auth_ops;
+ *pvt_data = ad_options->auth_ctx;
+ return EOK;
+ }
+
+ krb5_auth_ctx = talloc_zero(NULL, struct krb5_ctx);
+ if (!krb5_auth_ctx) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ krb5_auth_ctx->service = ad_options->service->krb5_service;
+
+ ret = ad_get_auth_options(krb5_auth_ctx, ad_options, bectx,
+ &krb5_auth_ctx->opts);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("Could not determine Kerberos options\n"));
+ goto done;
+ }
+
+ ret = krb5_child_init(krb5_auth_ctx, bectx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("Could not initialize krb5_child settings: [%s]\n",
+ strerror(ret)));
+ goto done;
+ }
+
+ ad_options->auth_ctx = talloc_steal(ad_options, krb5_auth_ctx);
+ *ops = &ad_auth_ops;
+ *pvt_data = ad_options->auth_ctx;
+
+done:
+ if (ret != EOK) {
+ talloc_free(krb5_auth_ctx);
+ }
+ return ret;
+}
+
+int
+sssm_ad_chpass_init(struct be_ctx *bectx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+ errno_t ret;
+
+ if (!ad_options) {
+ ret = common_ad_init(bectx);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ if (ad_options->auth_ctx) {
+ /* Already initialized */
+ *ops = &ad_chpass_ops;
+ *pvt_data = ad_options->auth_ctx;
+ return EOK;
+ }
+
+ ret = sssm_ad_auth_init(bectx, ops, pvt_data);
+ *ops = &ad_chpass_ops;
+ ad_options->auth_ctx = *pvt_data;
+ return ret;
+}
+
static void
ad_shutdown(struct be_req *req)
{
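Review bot: In `sssm_ad_chpass_init` the return value of `sssm_ad_auth_init` is not checked before `*ops = &ad_chpass_ops;` and `ad_options->auth_ctx = *pvt_data;` execute, so on a failed auth init an unset `*pvt_data` is written into `ad_options->auth_ctx`, and every later call to either init function takes the "Already initialized" branch and hands out that indeterminate pointer as the private context. Insert `if (ret != EOK) return ret;` immediately after the call and return EOK at the end. The `ad_options->auth_ctx = *pvt_data;` line is then redundant, since `sssm_ad_auth_init` already stores the stolen context in `ad_options->auth_ctx` before setting `*pvt_data` from it. Both functions lie entirely within this hunk; `ad_shutdown` starts at its end and continues outside it.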