From 5fd1c0557734da0649d91d87d6fcdc56c1a95f91 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Tue, 30 Aug 2011 10:51:19 -0400
Subject: Add option to specify the kerberos replay cache dir

Adds a configure option to set the distribution default as well as an sssd.conf option to override it.

https://fedorahosted.org/sssd/ticket/980
---
 src/conf_macros.m4 | 15 +++++++++++++++
 src/confdb/confdb.h | 1 +
 src/config/SSSDConfig.py | 1 +
 src/config/SSSDConfigTest.py | 1 +
 src/config/etc/sssd.api.conf | 1 +
 src/man/sssd.conf.5.xml | 20 ++++++++++++++++++++
 src/monitor/monitor.c | 31 +++++++++++++++++++++++++++++++
 7 files changed, 70 insertions(+)
(limited to 'src')

diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 8ead0b29b..2a109b5f8 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -161,6 +161,21 @@ AC_DEFUN([WITH_KRB5_PLUGIN_PATH],
 AC_SUBST(krb5pluginpath)
 ])
+AC_DEFUN([WITH_KRB5_RCACHE_DIR],
+ [ AC_ARG_WITH([krb5-rcache-dir],
+ [AC_HELP_STRING([--with-krb5-rcache-dir=PATH],
+ [Path to store Kerberos replay caches [__LIBKRB5_DEFAULTS__]]
+ )
+ ]
+ )
+ krb5rcachedir="__LIBKRB5_DEFAULTS__"
+ if test x"$with_krb5_rcache_dir" != x; then
+ krb5rcachedir=$with_krb5_rcache_dir
+ fi
+ AC_SUBST(krb5rcachedir)
+ AC_DEFINE_UNQUOTED(KRB5_RCACHE_DIR, "$krb5rcachedir", [Directory used for storing Kerberos replay caches])
+ ])
+
 AC_DEFUN([WITH_PYTHON_BINDINGS],
 [ AC_ARG_WITH([python-bindings],
 [AC_HELP_STRING([--with-python-bindings],
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 5e50991f3..4d6157612 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -63,6 +63,7 @@
 #define CONFDB_MONITOR_NAME_REGEX "re_expression"
 #define CONFDB_MONITOR_FULL_NAME_FORMAT "full_name_format"
 #define CONFDB_MONITOR_TRY_INOTIFY "try_inotify"
+#define CONFDB_MONITOR_KRB5_RCACHEDIR "krb5_rcache_dir"
 /* NSS */
 #define CONFDB_NSS_CONF_ENTRY "config/nss"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 3f983327d..2ba9ea4e1 100644
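Review bot: The guard `if test x"$with_krb5_rcache_dir" != x; then` in WITH_KRB5_RCACHE_DIR accepts the literal values autoconf stores for `--with-krb5-rcache-dir` given without a value (`yes`) and for `--without-krb5-rcache-dir` (`no`), so either spelling bakes the string "yes" or "no" into KRB5_RCACHE_DIR, and as far as the monitor.c hunk in this same commit shows, that string is later exported verbatim as a relative KRB5RCACHEDIR. Reject both in the same test, e.g. `if test x"$with_krb5_rcache_dir" != x -a x"$with_krb5_rcache_dir" != xyes -a x"$with_krb5_rcache_dir" != xno; then`, or map `no` onto the `__LIBKRB5_DEFAULTS__` sentinel explicitly. Nothing in the macro checks that the supplied path is absolute either; an AC_MSG_WARN for a value that does not start with `/` would catch the mistake at configure time rather than at runtime.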
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -49,6 +49,7 @@ option_strings = {
 'sbus_timeout' : _('Timeout for messages sent over the SBUS'),
 're_expression' : _('Regex to parse username and domain'),
 'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'),
+ 'krb5_rcache_dir' : _('Directory on the filesystem where SSSD should store Kerberos replay cache files.'),
 # [nss]
 'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 0e5a630e0..ebfd372e5 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -266,6 +266,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
 'sbus_timeout',
 're_expression',
 'full_name_format',
+ 'krb5_rcache_dir',
 'debug_level',
 'debug_timestamps',
 'debug_to_files',
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 49836e457..a080ae12c 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -17,6 +17,7 @@ timeout = int, None, false
 sbus_timeout = int, None, false
 re_expression = str, None, false
 full_name_format = str, None, false
+krb5_rcache_dir = str, None, false
 [nss]
 # Name service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index e03805561..f5119433b 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -185,6 +185,26 @@
+
+ krb5_rcache_dir (string)
+
+
+ Directory on the filesystem where SSSD should
+ store Kerberos replay cache files.
+
+
+ This option accepts a special value
+ __LIBKRB5_DEFAULTS__ that will instruct SSSD
+ to let libkrb5 decide the appropriate
+ location for the replay cache.
+
+
+ Default: Distribution-specific and specified
+ at build-time. (__LIBKRB5_DEFAULTS__ if not
+ configured)
+
+
+
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 2e2478204..431b875cc 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -57,6 +57,11 @@
 * monitor will get crazy hammering children with messages */
 #define MONITOR_DEF_PING_TIME 10
+/* Special value to leave the Kerberos Replay Cache set to use
+ * the libkrb5 defaults
+ */
+#define KRB5_RCACHE_DIR_DISABLE "__LIBKRB5_DEFAULTS__"
+
 struct svc_spy;
 struct mt_svc {
@@ -1871,8 +1876,34 @@ int monitor_process_init(struct mt_ctx *ctx,
 struct sysdb_ctx_list *db_list;
 struct tevent_signal *tes;
 struct sss_domain_info *dom;
+ char *rcachedir;
 int num_providers;
 int ret;
+ int error;
+
+ /* Set up the environment variable for the Kerberos Replay Cache */
+ ret = confdb_get_string(ctx->cdb, ctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_KRB5_RCACHEDIR,
+ KRB5_RCACHE_DIR,
+ &rcachedir);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ if (strcmp(rcachedir, KRB5_RCACHE_DIR_DISABLE) != 0)
+ {
+ errno = 0;
+ ret = setenv("KRB5RCACHEDIR", rcachedir, 1);
+ if (ret < 0) {
+ error = errno;
+ DEBUG(1,
+ ("Unable to set KRB5RCACHEDIR: %s."
+ "Will attempt to use libkrb5 defaults\n",
+ strerror(error)));
+ }
+ talloc_zfree(rcachedir);
+ }
 /* Set up an event handler for a SIGHUP */
 tes = tevent_add_signal(ctx->ev, ctx, SIGHUP, 0,
-- cgit
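Review bot: Nothing validates the configured directory before it is exported with `setenv("KRB5RCACHEDIR", rcachedir, 1)`: a relative path, or as far as I can tell an empty option value, is passed through verbatim and would be resolved against whatever cwd each child process that inherits the monitor's environment happens to have, and for a Kerberos replay cache the location is security-relevant, not cosmetic. I would reject anything that is not an absolute path after the sentinel comparison (`__LIBKRB5_DEFAULTS__` is itself not absolute), log it and fall back to the libkrb5 default, which is the same degradation the hunk already chooses when setenv() fails; directory ownership and mode cannot be verified from here, so the man page text should additionally tell administrators that the directory must not be writable by other users. Two smaller points in the same block: the two string pieces of the DEBUG call concatenate to `...%s.Will attempt` because the first has no trailing space, and `talloc_zfree(rcachedir)` sits inside the if-block, so when the option equals the sentinel the talloc'd copy stays attached to `ctx` until the monitor exits. monitor_process_init's signature precedes the hunk and its body continues after it.
```c
    if (strcmp(rcachedir, KRB5_RCACHE_DIR_DISABLE) != 0) {
        if (rcachedir[0] != '/') {
            /* A relative or empty path would be resolved against the cwd of
             * every child that inherits the environment; refuse to export it. */
            DEBUG(1, ("krb5_rcache_dir [%s] is not an absolute path. "
                      "Will attempt to use libkrb5 defaults\n", rcachedir));
        } else {
            errno = 0;
            ret = setenv("KRB5RCACHEDIR", rcachedir, 1);
            /* … unchanged: setenv error reporting (with a space before "Will") … */
        }
    }
    talloc_zfree(rcachedir);
```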