Diffstat (limited to 'src/util')
-rw-r--r-- | src/util/domain_info_utils.c | 51 | ||||
-rw-r--r-- | src/util/util.h | 3 |
2 files changed, 52 insertions, 2 deletions
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 4af967cfd..9d7bb5f5a 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -336,9 +336,10 @@ sss_krb5_touch_config(void)
 }
 errno_t
-sss_write_domain_mappings(struct sss_domain_info *domain)
+sss_write_domain_mappings(struct sss_domain_info *domain, bool add_capaths)
 {
 struct sss_domain_info *dom;
+ struct sss_domain_info *parent_dom;
 errno_t ret;
 errno_t err;
 TALLOC_CTX *tmp_ctx;
@@ -349,6 +350,9 @@ sss_write_domain_mappings(struct sss_domain_info *domain)
 mode_t old_mode;
 FILE *fstream = NULL;
 int i;
+ bool capaths_started;
+ char *uc_forest;
+ char *uc_parent;
 if (domain == NULL || domain->name == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, ("No domain name provided\n"));
@@ -434,6 +438,51 @@ sss_write_domain_mappings(struct sss_domain_info *domain)
 }
 }
+ if (add_capaths) {
+ capaths_started = false;
+ parent_dom = domain;
+ uc_parent = get_uppercase_realm(tmp_ctx, parent_dom->name);
+ if (uc_parent == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("get_uppercase_realm failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (dom = get_next_domain(domain, true);
+ dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
+ dom = get_next_domain(dom, false)) {
+
+ if (dom->forest == NULL) {
+ continue;
+ }
+
+ uc_forest = get_uppercase_realm(tmp_ctx, dom->forest);
+ if (uc_forest == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("get_uppercase_realm failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (!capaths_started) {
+ ret = fprintf(fstream, "[capaths]\n");
+ if (ret < 0) {
+ DEBUG(SSSDBG_OP_FAILURE, ("fprintf failed\n"));
+ ret = EIO;
+ goto done;
+ }
+ capaths_started = true;
+ }
+
+ ret = fprintf(fstream, "%s = {\n %s = %s\n}\n%s = {\n %s = %s\n}\n",
+ dom->realm, uc_parent, uc_forest,
+ uc_parent, dom->realm, uc_forest);
+ if (ret < 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("fprintf failed\n"));
+ goto done;
+ }
+ }
+ }
+
 ret = fclose(fstream);
 fstream = NULL;
 if (ret != 0) {
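Review bot: The error branch after the second `fprintf` in the `add_capaths` loop logs and jumps to `done` without resetting `ret`, so the function would exit with fprintf's negative return value rather than an errno code; the `[capaths]` header branch a few lines above sets `ret = EIO;`, and the same line belongs before this `goto done;`. The loop skips entries where `dom->forest == NULL` but passes `dom->realm` to `%s` unchecked. Because `[capaths]` tells libkrb5 which intermediate realms to accept on a cross-realm path, a guard such as `if (dom->forest == NULL || dom->realm == NULL) continue;` would keep a half-populated subdomain from writing a malformed entry. The `done:` label and the rest of the function lie outside the hunk, so how `ret` is finally returned is inferred.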
diff --git a/src/util/util.h b/src/util/util.h
index bd450ec7f..98b86e9db 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -577,7 +577,8 @@ errno_t sssd_domain_init(TALLOC_CTX *mem_ctx,
 #define IS_SUBDOMAIN(dom) ((dom)->parent != NULL)
-errno_t sss_write_domain_mappings(struct sss_domain_info *domain);
+errno_t sss_write_domain_mappings(struct sss_domain_info *domain,
+ bool add_capaths);
 /* from util_lock.c */
 errno_t sss_br_lock_file(int fd, size_t start, size_t len, |
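Review bot: The prototype gains `add_capaths` with no comment, although the flag decides whether a `[capaths]` section is written, and that section influences how Kerberos validates cross-realm trust paths. A short comment above the declaration would tell callers when to pass true, for example `/* add_capaths: also write a [capaths] section for subdomains that have a forest set */`. The callers are not part of this diff, so which of them should enable it cannot be judged from here.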