summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2011-05-13 18:44:15 +0200
committerStephen Gallagher <sgallagh@redhat.com>2012-06-21 15:30:20 -0400
commitb9e5bd09a5ff7009537a18914dbebcf10498f592 (patch)
tree81fd19114444133fdbf9560ced2c9224fc867511
parent611b6fcd3ae863bf36ae1fa4c0db89cfcdc76974 (diff)
downloadsssd2-b9e5bd09a5ff7009537a18914dbebcf10498f592.tar.gz
sssd2-b9e5bd09a5ff7009537a18914dbebcf10498f592.tar.xz
sssd2-b9e5bd09a5ff7009537a18914dbebcf10498f592.zip
PAC responder: add basic infrastructure
This adds only the basic outline of the PAC responder, it won't support any operations, it will just start and initialize itself.
-rw-r--r--Makefile.am21
-rw-r--r--configure.ac1
-rw-r--r--src/confdb/confdb.h3
-rw-r--r--src/external/pac_responder.m434
-rw-r--r--src/monitor/monitor.c2
-rw-r--r--src/responder/pac/pacsrv.c227
-rw-r--r--src/responder/pac/pacsrv.h52
-rw-r--r--src/responder/pac/pacsrv_cmd.c61
8 files changed, 400 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index c5bde071..ad79de37 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -97,6 +97,10 @@ if BUILD_SSH
sssdlibexec_PROGRAMS += sssd_ssh
endif
+if BUILD_PAC_RESPONDER
+ sssdlibexec_PROGRAMS += sssd_pac
+endif
+
if HAVE_CHECK
non_interactive_check_based_tests = \
sysdb-tests \
@@ -236,6 +240,7 @@ AM_CPPFLAGS = \
-DSSS_NSS_MCACHE_DIR=\"$(mcpath)\" \
-DSSS_NSS_SOCKET_NAME=\"$(pipepath)/nss\" \
-DSSS_PAM_SOCKET_NAME=\"$(pipepath)/pam\" \
+ -DSSS_PAC_SOCKET_NAME=\"$(pipepath)/pac\" \
-DSSS_PAM_PRIV_SOCKET_NAME=\"$(pipepath)/private/pam\" \
-DSSS_SUDO_SOCKET_NAME=\"$(pipepath)/sudo\" \
-DSSS_AUTOFS_SOCKET_NAME=\"$(pipepath)/autofs\" \
@@ -349,6 +354,7 @@ dist_noinst_HEADERS = \
src/responder/nss/nsssrv_netgroup.h \
src/responder/nss/nsssrv_services.h \
src/responder/nss/nsssrv_mmap_cache.h \
+ src/responder/pac/pacsrv.h \
src/responder/common/negcache.h \
src/responder/sudo/sudosrv_private.h \
src/responder/autofs/autofs_private.h \
@@ -581,6 +587,21 @@ sssd_ssh_LDADD = \
libsss_util.la
endif
+sssd_pac_SOURCES = \
+ src/responder/pac/pacsrv.c \
+ src/responder/pac/pacsrv_cmd.c \
+ $(SSSD_UTIL_OBJ) \
+ $(SSSD_RESPONDER_OBJ)
+sssd_pac_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NDR_KRB5PAC_CFLAGS)
+sssd_pac_LDADD = \
+ $(NDR_KRB5PAC_LIBS) \
+ $(TDB_LIBS) \
+ $(SSSD_LIBS) \
+ libsss_idmap.la \
+ libsss_util.la
+
sssd_be_SOURCES = \
src/providers/data_provider_be.c \
src/providers/data_provider_fo.c \
diff --git a/configure.ac b/configure.ac
index f43c32ac..7f242090 100644
--- a/configure.ac
+++ b/configure.ac
@@ -126,6 +126,7 @@ m4_include([src/external/nsupdate.m4])
m4_include([src/external/libkeyutils.m4])
m4_include([src/external/libnl.m4])
m4_include([src/external/systemd.m4])
+m4_include([src/external/pac_responder.m4])
m4_include([src/util/signal.m4])
WITH_UNICODE_LIB
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 3fa8b037..139dd903 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -119,6 +119,9 @@
#define CONFDB_SSH_HASH_KNOWN_HOSTS "ssh_hash_known_hosts"
#define CONFDB_DEFAULT_SSH_HASH_KNOWN_HOSTS true
+/* PAC */
+#define CONFDB_PAC_CONF_ENTRY "config/pac"
+
/* Data Provider */
#define CONFDB_DP_CONF_ENTRY "config/dp"
diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
new file mode 100644
index 00000000..f2841924
--- /dev/null
+++ b/src/external/pac_responder.m4
@@ -0,0 +1,34 @@
+AC_SUBST(NDR_KRB5PAC_CFLAGS)
+AC_SUBST(NDR_KRB5PAC_LIBS)
+
+AC_ARG_ENABLE([experimental-pac-responder],
+ [AS_HELP_STRING([--enable-experimental-pac-responder],
+ [build experimental pac responder])],
+ [build_pac_responder=$enableval],
+ [build_pac_responder=no])
+
+if test x$build_all_experimental_features != xno
+then
+ build_pac_responder=yes
+fi
+
+if test x$build_pac_responder == xyes
+then
+ PKG_CHECK_MODULES(NDR_KRB5PAC, ndr_krb5pac,,
+ AC_MSG_ERROR([Cannot build pac responder without libndr_krb5pac]))
+
+ AC_PATH_PROG(KRB5_CONFIG, krb5-config)
+ AC_MSG_CHECKING(for supported MIT krb5 version)
+ KRB5_VERSION="`$KRB5_CONFIG --version`"
+ case $KRB5_VERSION in
+ Kerberos\ 5\ release\ 1.9* | \
+ Kerberos\ 5\ release\ 1.10*)
+ AC_MSG_RESULT(yes)
+ ;;
+ *)
+ AC_MSG_ERROR([Cannot build authdata plugin with this version of
+ MIT Kerberos, please use 1.9.x or 1.10.x])
+ esac
+fi
+
+AM_CONDITIONAL([BUILD_PAC_RESPONDER], [test x$build_pac_responder = xyes ])
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 1cc092f8..201d9fa8 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -759,7 +759,7 @@ static int check_local_domain_unique(struct sss_domain_info *domains)
static char *check_services(char **services)
{
const char *known_services[] = { "nss", "pam", "sudo", "autofs", "ssh",
- NULL };
+ "pac", NULL };
int i;
int ii;
diff --git a/src/responder/pac/pacsrv.c b/src/responder/pac/pacsrv.c
new file mode 100644
index 00000000..feee3aee
--- /dev/null
+++ b/src/responder/pac/pacsrv.c
@@ -0,0 +1,227 @@
+/*
+ SSSD
+
+ PAC Responder
+
+ Copyright (C) Sumit Bose <sbose@redhat.com> 2011
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <string.h>
+#include <sys/time.h>
+#include <errno.h>
+
+#include "popt.h"
+#include "util/util.h"
+#include "responder/pac/pacsrv.h"
+#include "db/sysdb.h"
+#include "confdb/confdb.h"
+#include "dbus/dbus.h"
+#include "sbus/sssd_dbus.h"
+#include "responder/common/responder_packet.h"
+#include "responder/common/responder.h"
+#include "providers/data_provider.h"
+#include "monitor/monitor_interfaces.h"
+#include "sbus/sbus_client.h"
+
+#define SSS_PAC_PIPE_NAME "pac"
+
+struct sbus_method monitor_pac_methods[] = {
+ { MON_CLI_METHOD_PING, monitor_common_pong },
+ { MON_CLI_METHOD_RES_INIT, monitor_common_res_init },
+ { MON_CLI_METHOD_ROTATE, monitor_common_rotate_logs },
+ { NULL, NULL }
+};
+
+struct sbus_interface monitor_pac_interface = {
+ MONITOR_INTERFACE,
+ MONITOR_PATH,
+ SBUS_DEFAULT_VTABLE,
+ monitor_pac_methods,
+ NULL
+};
+
+static struct sbus_method pac_dp_methods[] = {
+ { NULL, NULL }
+};
+
+struct sbus_interface pac_dp_interface = {
+ DP_INTERFACE,
+ DP_PATH,
+ SBUS_DEFAULT_VTABLE,
+ pac_dp_methods,
+ NULL
+};
+
+
+/* TODO: check if this can be made generic for all responders */
+static void pac_dp_reconnect_init(struct sbus_connection *conn,
+ int status, void *pvt)
+{
+ struct be_conn *be_conn = talloc_get_type(pvt, struct be_conn);
+ int ret;
+
+ /* Did we reconnect successfully? */
+ if (status == SBUS_RECONNECT_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Reconnected to the Data Provider.\n"));
+
+ /* Identify ourselves to the data provider */
+ ret = dp_common_send_id(be_conn->conn,
+ DATA_PROVIDER_VERSION,
+ "PAC");
+ /* all fine */
+ if (ret == EOK) {
+ handle_requests_after_reconnect(be_conn->rctx);
+ return;
+ }
+ }
+
+ /* Failed to reconnect */
+ DEBUG(SSSDBG_FATAL_FAILURE, ("Could not reconnect to %s provider.\n",
+ be_conn->domain->name));
+
+ /* FIXME: kill the frontend and let the monitor restart it ? */
+ /* nss_shutdown(rctx); */
+}
+
+static void *idmap_talloc(size_t size, void *pvt)
+{
+ return talloc_size(pvt, size);
+}
+
+static void idmap_free(void *ptr, void *pvt)
+{
+ talloc_free(ptr);
+}
+
+int pac_process_init(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct confdb_ctx *cdb)
+{
+ struct sss_cmd_table *pac_cmds;
+ struct be_conn *iter;
+ struct pac_ctx *pac_ctx;
+ int ret, max_retries;
+ enum idmap_error_code err;
+
+ pac_ctx = talloc_zero(mem_ctx, struct pac_ctx);
+ if (!pac_ctx) {
+ DEBUG(SSSDBG_FATAL_FAILURE, ("fatal error initializing pac_ctx\n"));
+ return ENOMEM;
+ }
+
+ pac_cmds = get_pac_cmds();
+
+ ret = sss_process_init(pac_ctx, ev, cdb,
+ pac_cmds,
+ SSS_PAC_SOCKET_NAME, NULL,
+ CONFDB_PAC_CONF_ENTRY,
+ PAC_SBUS_SERVICE_NAME,
+ PAC_SBUS_SERVICE_VERSION,
+ &monitor_pac_interface,
+ "PAC", &pac_dp_interface,
+ &pac_ctx->rctx);
+ if (ret != EOK) {
+ return ret;
+ }
+ pac_ctx->rctx->pvt_ctx = pac_ctx;
+
+ /* Enable automatic reconnection to the Data Provider */
+ ret = confdb_get_int(pac_ctx->rctx->cdb,
+ CONFDB_PAC_CONF_ENTRY,
+ CONFDB_SERVICE_RECON_RETRIES,
+ 3, &max_retries);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, ("Failed to set up automatic reconnection\n"));
+ return ret;
+ }
+
+ for (iter = pac_ctx->rctx->be_conns; iter; iter = iter->next) {
+ sbus_reconnect_init(iter->conn, max_retries,
+ pac_dp_reconnect_init, iter);
+ }
+
+ err = sss_idmap_init(idmap_talloc, pac_ctx, idmap_free,
+ &pac_ctx->idmap_ctx);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_FATAL_FAILURE, ("sss_idmap_init failed.\n"));
+ return EFAULT;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, ("PAC Initialization complete\n"));
+
+ return EOK;
+}
+
+int main(int argc, const char *argv[])
+{
+ int opt;
+ poptContext pc;
+ struct main_context *main_ctx;
+ int ret;
+
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_MAIN_OPTS
+ POPT_TABLEEND
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+
+ poptFreeContext(pc);
+
+ CONVERT_AND_SET_DEBUG_LEVEL(debug_level);
+
+ /* set up things like debug, signals, daemonization, etc... */
+ debug_log_file = "sssd_pac";
+
+ ret = server_setup("sssd[pac]", 0, CONFDB_PAC_CONF_ENTRY, &main_ctx);
+ if (ret != EOK) return 2;
+
+ ret = die_if_parent_died();
+ if (ret != EOK) {
+ /* This is not fatal, don't return */
+ DEBUG(SSSDBG_OP_FAILURE, ("Could not set up to exit when parent process does\n"));
+ }
+
+ ret = pac_process_init(main_ctx,
+ main_ctx->event_ctx,
+ main_ctx->confdb_ctx);
+ if (ret != EOK) return 3;
+
+ /* loop on main */
+ server_loop(main_ctx);
+
+ return 0;
+}
diff --git a/src/responder/pac/pacsrv.h b/src/responder/pac/pacsrv.h
new file mode 100644
index 00000000..0dfe7f9e
--- /dev/null
+++ b/src/responder/pac/pacsrv.h
@@ -0,0 +1,52 @@
+/*
+ SSSD
+
+ PAC Responder, header file
+
+ Copyright (C) Sumit Bose <sbose@redhat.com> 2011
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef __PACSRV_H__
+#define __PACSRV_H__
+
+#include <stdint.h>
+#include <sys/un.h>
+#include "config.h"
+#include "talloc.h"
+#include "tevent.h"
+#include "ldb.h"
+#include "dbus/dbus.h"
+#include "sbus/sssd_dbus.h"
+#include "responder/common/responder_packet.h"
+#include "responder/common/responder.h"
+#include "lib/idmap/sss_idmap.h"
+
+#define PAC_SBUS_SERVICE_VERSION 0x0001
+#define PAC_SBUS_SERVICE_NAME "pac"
+
+#define PAC_PACKET_MAX_RECV_SIZE 1024
+
+struct getent_ctx;
+
+struct pac_ctx {
+ struct resp_ctx *rctx;
+};
+
+int pac_cmd_execute(struct cli_ctx *cctx);
+
+struct sss_cmd_table *get_pac_cmds(void);
+
+#endif /* __PACSRV_H__ */
diff --git a/src/responder/pac/pacsrv_cmd.c b/src/responder/pac/pacsrv_cmd.c
new file mode 100644
index 00000000..892ef856
--- /dev/null
+++ b/src/responder/pac/pacsrv_cmd.c
@@ -0,0 +1,61 @@
+/*
+ SSSD
+
+ PAC Responder
+
+ Copyright (C) Sumit Bose <sbose@redhat.com> 2012
+ Jan Zeleny <jzeleny@redhat.com> 2012
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "util/util.h"
+#include "responder/pac/pacsrv.h"
+#include "confdb/confdb.h"
+#include "db/sysdb.h"
+
+struct cli_protocol_version *register_cli_protocol_version(void)
+{
+ static struct cli_protocol_version pac_cli_protocol_version[] = {
+ {1, "2011-04-12", "initial version"},
+ {0, NULL, NULL}
+ };
+
+ return pac_cli_protocol_version;
+}
+
+static struct sss_cmd_table pac_cmds[] = {
+ {SSS_GET_VERSION, sss_cmd_get_version},
+ {SSS_CLI_NULL, NULL}
+};
+
+struct sss_cmd_table *get_pac_cmds(void) {
+ return pac_cmds;
+}
+
+int pac_cmd_execute(struct cli_ctx *cctx)
+{
+ enum sss_cli_command cmd;
+ int i;
+
+ cmd = sss_packet_get_cmd(cctx->creq->in);
+
+ for (i = 0; pac_cmds[i].cmd != SSS_CLI_NULL; i++) {
+ if (cmd == pac_cmds[i].cmd) {
+ return pac_cmds[i].fn(cctx);
+ }
+ }
+
+ return EINVAL;
+}