From d2c552edde275e6c0de904760147afb2992796e9 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 15 May 2015 15:32:17 +0200 Subject: IPA: Utility function for setting up one-way trust context Related: https://fedorahosted.org/sssd/ticket/2638 Reviewed-by: Sumit Bose --- src/providers/ipa/ipa_subdomains_server.c | 71 +++++++++++++++++++++++++-- src/tests/cmocka/test_ipa_subdomains_server.c | 29 +++++++++-- 2 files changed, 91 insertions(+), 9 deletions(-) (limited to 'src') diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c index caa3821c3..cd8c6301c 100644 --- a/src/providers/ipa/ipa_subdomains_server.c +++ b/src/providers/ipa/ipa_subdomains_server.c @@ -127,6 +127,71 @@ const char *ipa_trust_dir2str(uint32_t direction) #define IPA_GETKEYTAB_TIMEOUT 5 #endif /* IPA_GETKEYTAB_TIMEOUT */ +static struct ad_options * +ipa_create_1way_trust_ctx(struct ipa_id_ctx *id_ctx, + const char *forest, + const char *forest_realm, + struct sss_domain_info *subdom) +{ + char *keytab; + char *principal; + struct ad_options *ad_options; + const char *ad_domain; + + ad_domain = subdom->name; + keytab = forest_keytab(id_ctx, forest); + principal = subdomain_trust_princ(id_ctx, forest_realm, subdom); + if (keytab == NULL || principal == NULL) { + return NULL; + } + + ad_options = ad_create_1way_trust_options(id_ctx, + ad_domain, + id_ctx->server_mode->hostname, + keytab, + principal); + if (ad_options == NULL) { + talloc_free(keytab); + talloc_free(principal); + return NULL; + } + + return ad_options; +} + +static struct ad_options *ipa_ad_options_new(struct ipa_id_ctx *id_ctx, + struct sss_domain_info *subdom) +{ + struct ad_options *ad_options = NULL; + uint32_t direction; + const char *forest; + const char *forest_realm; + + /* Trusts are only established with forest roots */ + direction = subdom->forest_root->trust_direction; + forest_realm = subdom->forest_root->realm; + forest = subdom->forest_root->forest; + + if (direction & LSA_TRUST_DIRECTION_OUTBOUND) { + ad_options = ad_create_2way_trust_options(id_ctx, + id_ctx->server_mode->realm, + subdom->name, + id_ctx->server_mode->hostname); + } else if (direction & LSA_TRUST_DIRECTION_INBOUND) { + ad_options = ipa_create_1way_trust_ctx(id_ctx, forest, + forest_realm, subdom); + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported trust direction!\n"); + ad_options = NULL; + } + + if (ad_options == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n"); + return NULL; + } + return ad_options; +} + static errno_t ipa_ad_ctx_new(struct be_ctx *be_ctx, @@ -147,9 +212,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx, ad_domain = subdom->name; DEBUG(SSSDBG_TRACE_LIBS, "Setting up AD subdomain %s\n", subdom->name); - ad_options = ad_create_2way_trust_options(id_ctx, id_ctx->server_mode->realm, - ad_domain, - id_ctx->server_mode->hostname); + ad_options = ipa_ad_options_new(id_ctx, subdom); if (ad_options == NULL) { DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n"); talloc_free(ad_options); @@ -524,7 +587,7 @@ ipa_server_trust_add_send(TALLOC_CTX *mem_ctx, } state->direction = subdom->forest_root->trust_direction; - state->forest = subdom->forest_root->realm; + state->forest = subdom->forest_root->forest; state->forest_realm = subdom->forest_root->realm; state->ccache = talloc_asprintf(state, "%s/ccache_%s", DB_PATH, subdom->parent->realm); diff --git a/src/tests/cmocka/test_ipa_subdomains_server.c b/src/tests/cmocka/test_ipa_subdomains_server.c index 9d9c9dd8f..3f62107a2 100644 --- a/src/tests/cmocka/test_ipa_subdomains_server.c +++ b/src/tests/cmocka/test_ipa_subdomains_server.c @@ -63,7 +63,8 @@ #define TEST_ID_PROVIDER "ipa" #define ONEWAY_KEYTAB TEST_DIR"/"SUBDOM_REALM".keytab" -#define ONEWAY_AUTHID DOM_FLAT"$@"SUBDOM_REALM +#define ONEWAY_PRINC DOM_FLAT"$" +#define ONEWAY_AUTHID ONEWAY_PRINC"@"SUBDOM_REALM krb5_error_code __wrap_krb5_kt_default(krb5_context context, krb5_keytab *id) { @@ -72,13 +73,11 @@ krb5_error_code __wrap_krb5_kt_default(krb5_context context, krb5_keytab *id) static void create_dummy_keytab(void) { - int fd; errno_t ret; assert_non_null(ONEWAY_KEYTAB); - fd = open(ONEWAY_KEYTAB, O_WRONLY | O_CREAT | O_TRUNC, 0600); - assert_int_not_equal(fd, -1); - close(fd); + mock_keytab_with_contents(global_talloc_context, + ONEWAY_KEYTAB, ONEWAY_AUTHID); ret = access(ONEWAY_KEYTAB, R_OK); assert_int_equal(ret, 0); @@ -641,8 +640,28 @@ static void test_ipa_server_create_trusts_oneway(struct tevent_req *req) /* Trust object should be around now */ assert_non_null(test_ctx->ipa_ctx->server_mode->trusts); + + assert_trust_object( + test_ctx->ipa_ctx->server_mode->trusts, + CHILD_NAME, /* AD domain name */ + CHILD_REALM, /* AD realm can be child if SDAP realm is parent's */ + CHILD_SID, + ONEWAY_KEYTAB, /* Keytab shared with parent AD dom */ + ONEWAY_PRINC, /* Principal shared with parent AD dom */ + SUBDOM_REALM); /* SDAP realm must be AD root domain */ + assert_non_null(test_ctx->ipa_ctx->server_mode->trusts->next); + /* Here all properties point to the AD domain */ + assert_trust_object(test_ctx->ipa_ctx->server_mode->trusts->next, + SUBDOM_NAME, + SUBDOM_REALM, + SUBDOM_SID, + ONEWAY_KEYTAB, + ONEWAY_PRINC, + SUBDOM_REALM); + + assert_null(test_ctx->ipa_ctx->server_mode->trusts->next->next); test_ipa_server_create_trusts_finish(test_ctx); } -- cgit