/* SSSD Kerberos 5 Backend Module Authors: Sumit Bose Copyright (C) 2009 Red Hat This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . */ #include #include #include #include #include "providers/child_common.h" #include "providers/krb5/krb5_auth.h" #include "providers/krb5/krb5_common.h" struct krb5_options { struct dp_option *opts; struct krb5_ctx *auth_ctx; }; struct krb5_options *krb5_options = NULL; struct bet_ops krb5_auth_ops = { .handler = krb5_pam_handler, .finalize = NULL, }; int sssm_krb5_auth_init(struct be_ctx *bectx, struct bet_ops **ops, void **pvt_auth_data) { struct krb5_ctx *ctx = NULL; int ret; unsigned v; FILE *debug_filep; const char *krb5_servers; const char *krb5_kpasswd_servers; const char *krb5_realm; const char *errstr; int errval; int errpos; time_t renew_intv; if (krb5_options == NULL) { krb5_options = talloc_zero(bectx, struct krb5_options); if (krb5_options == NULL) { DEBUG(1, ("talloc_zero failed.\n")); return ENOMEM; } ret = krb5_get_options(krb5_options, bectx->cdb, bectx->conf_path, &krb5_options->opts); if (ret != EOK) { DEBUG(1, ("krb5_get_options failed.\n")); return ret; } } if (krb5_options->auth_ctx != NULL) { *ops = &krb5_auth_ops; *pvt_auth_data = krb5_options->auth_ctx; return EOK; } ctx = talloc_zero(bectx, struct krb5_ctx); if (!ctx) { DEBUG(1, ("talloc failed.\n")); return ENOMEM; } krb5_options->auth_ctx = ctx; ctx->action = INIT_PW; ctx->opts = krb5_options->opts; krb5_servers = dp_opt_get_string(ctx->opts, KRB5_KDC); if (krb5_servers == NULL) { DEBUG(1, ("Missing krb5_server option, using service discovery!\n")); } krb5_realm = dp_opt_get_string(ctx->opts, KRB5_REALM); if (krb5_realm == NULL) { DEBUG(0, ("Missing krb5_realm option!\n")); return EINVAL; } ret = krb5_service_init(ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers, krb5_realm, &ctx->service); if (ret != EOK) { DEBUG(0, ("Failed to init KRB5 failover service!\n")); return ret; } krb5_kpasswd_servers = dp_opt_get_string(ctx->opts, KRB5_KPASSWD); if (krb5_kpasswd_servers == NULL && krb5_servers != NULL) { DEBUG(0, ("Missing krb5_kpasswd option and KDC set explicitly, " "will use KDC for pasword change operations!\n")); ctx->kpasswd_service = NULL; } else { ret = krb5_service_init(ctx, bectx, SSS_KRB5KPASSWD_FO_SRV, krb5_kpasswd_servers, krb5_realm, &ctx->kpasswd_service); if (ret != EOK) { DEBUG(0, ("Failed to init KRB5KPASSWD failover service!\n")); return ret; } } if (dp_opt_get_bool(ctx->opts, KRB5_STORE_PASSWORD_IF_OFFLINE)) { ret = init_delayed_online_authentication(ctx, bectx, bectx->ev); if (ret != EOK) { DEBUG(1, ("init_delayed_online_authentication failed.\n")); goto fail; } } renew_intv = dp_opt_get_int(ctx->opts, KRB5_RENEW_INTERVAL); if (renew_intv > 0) { ret = init_renew_tgt(ctx, bectx, bectx->ev, renew_intv); if (ret != EOK) { DEBUG(1, ("init_renew_tgt failed.\n")); goto fail; } } ret = check_and_export_options(ctx->opts, bectx->domain, ctx); if (ret != EOK) { DEBUG(1, ("check_and_export_options failed.\n")); goto fail; } ret = krb5_install_sigterm_handler(bectx->ev, ctx); if (ret != EOK) { DEBUG(1, ("krb5_install_sigterm_handler failed.\n")); goto fail; } ret = krb5_install_offline_callback(bectx, ctx); if (ret != EOK) { DEBUG(1, ("krb5_install_offline_callback failed.\n")); goto fail; } if (debug_to_file != 0) { ret = open_debug_file_ex("krb5_child", &debug_filep); if (ret != EOK) { DEBUG(0, ("Error setting up logging (%d) [%s]\n", ret, strerror(ret))); goto fail; } ctx->child_debug_fd = fileno(debug_filep); if (ctx->child_debug_fd == -1) { DEBUG(0, ("fileno failed [%d][%s]\n", errno, strerror(errno))); ret = errno; goto fail; } v = fcntl(ctx->child_debug_fd, F_GETFD, 0); fcntl(ctx->child_debug_fd, F_SETFD, v & ~FD_CLOEXEC); } ctx->illegal_path_re = pcre_compile2(ILLEGAL_PATH_PATTERN, 0, &errval, &errstr, &errpos, NULL); if (ctx->illegal_path_re == NULL) { DEBUG(1, ("Invalid Regular Expression pattern at position %d. " "(Error: %d [%s])\n", errpos, errval, errstr)); ret = EFAULT; goto fail; } *ops = &krb5_auth_ops; *pvt_auth_data = ctx; return EOK; fail: talloc_zfree(krb5_options->auth_ctx); return ret; } int sssm_krb5_chpass_init(struct be_ctx *bectx, struct bet_ops **ops, void **pvt_auth_data) { return sssm_krb5_auth_init(bectx, ops, pvt_auth_data); } int sssm_krb5_access_init(struct be_ctx *bectx, struct bet_ops **ops, void **pvt_auth_data) { return sssm_krb5_auth_init(bectx, ops, pvt_auth_data); }