author | Jakub Hrozek <jhrozek@redhat.com> | 2016-08-01 12:52:07 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2017-03-27 09:56:19 +0200 |
commit | b9c563c29243291f40489bb0dcbf3946fca72d58 (patch) | |
tree | 5659fa3d01b0f1745f769438685e6d2524230d15 /contrib | |
parent | 1dbf09404e20b6e30a24afe72b6d349734aee62f (diff) | |
KCM: Initial responder build and packaging
Adds the initial build of the Kerberos Cache Manager responder (KCM).
This is a daemon that is capable of holding and storing Kerberos
ccaches. When KCM is used, the kerberos libraries (invoked through e.g.
kinit) are referred to as a 'client' and the KCM daemon is referred to
as 'server'.
At the moment, only the Heimdal implementation of Kerberos implements the
KCM server:
https://www.h5l.org/manual/HEAD/info/heimdal/Credential-cache-server-_002d-KCM.html
This patch adds a KCM server to SSSD.
In MIT, only the 'client-side' support was added:
http://k5wiki.kerberos.org/wiki/Projects/KCM_client
This page also describes the protocol between the client and the server.
The client is capable of talking to the server over either UNIX sockets
(Linux, most Unixes) or Mach RPC (macOS). Our server only implements the
UNIX sockets way and should be socket-activated by systemd, although it can
in theory also be run explicitly.
The KCM server only builds if the configuration option "--with-kcm" is
enabled. It is packaged in a new subpackage sssd-kcm in order to allow
distributions to enable the KCM credential caches by installing this
subpackage only, without the rest of the SSSD. The sssd-kcm subpackage
also includes a krb5.conf.d snippet that allows the admin to just uncomment
the KCM defaults and instructs them to start the socket.
The server can be configured in sssd.conf in the "[kcm]" section.
By default, the server only listens on the same socket path the Heimdal
server uses, which is "/var/run/.heim_org.h5l.kcm-socket". This is,
however, configurable.
The file src/responder/kcm/kcm.h is more or less directly imported from
the MIT Kerberos tree, with an additional sentinel code and some
comments. Not all KCM operations are implemented, only those that the
MIT client also implements. That said, this KCM server should also be
usable with a Heimdal client, although no special testing was done with this
hybrid.
The patch also adds several error codes that will be used in later
patches.
Related to:
https://pagure.io/SSSD/sssd/issue/2887
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
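The client/server protocol the message points to (the MIT KCM client write-up) is a length-framed exchange over the UNIX socket. The block below is an added example, not code from SSSD, MIT or Heimdal: it frames a request and a reply the way that write-up describes them and runs one round trip against an in-process fake server over a socketpair, so it runs offline. Everything about the wire format here is an assumption drawn from that write-up and kcm.h rather than from this commit: a request is a 32-bit big-endian length, then version bytes 2/0, a 16-bit opcode and the payload; a reply is a length, a 32-bit status and the payload; cache names travel NUL-terminated. The opcode numbers, the status values, the MAX_FRAME cap and the "12345" cache name are constructed for the demo.

```python
"""KCM wire framing over a UNIX-domain stream socket (added example).

Not SSSD/MIT code. Framing, opcodes and NUL-terminated names are assumptions
from the MIT KCM client write-up and kcm.h; status values, MAX_FRAME and the
default cache name are constructed for this demo.
"""
import socket
import struct
import threading

KCM_PROTOCOL_VERSION_MAJOR = 2
KCM_PROTOCOL_VERSION_MINOR = 0

# Opcode numbers as assumed from kcm.h; verify against the header you build.
KCM_OP_NOOP = 0
KCM_OP_GET_DEFAULT_CACHE = 20

# Hypothetical server-side cap: refuse a frame length before allocating for it.
MAX_FRAME = 10 * 1024 * 1024

# Demo status values; a real server returns krb5 error codes in this slot.
STATUS_OK = 0
STATUS_BAD_REQUEST = 1
STATUS_UNSUPPORTED_OP = 2


def frame(body: bytes) -> bytes:
    """Prefix a message body with its big-endian 32-bit length."""
    return struct.pack("!I", len(body)) + body


def encode_request(opcode: int, payload: bytes = b"",
                   major: int = KCM_PROTOCOL_VERSION_MAJOR,
                   minor: int = KCM_PROTOCOL_VERSION_MINOR) -> bytes:
    """Framed request: version bytes, 16-bit big-endian opcode, payload."""
    return frame(struct.pack("!BBH", major, minor, opcode) + payload)


def decode_request(body: bytes):
    """Split a request body into (opcode, payload); reject wrong versions."""
    if len(body) < 4:
        raise ValueError("request header truncated")
    major, minor, opcode = struct.unpack("!BBH", body[:4])
    if major != KCM_PROTOCOL_VERSION_MAJOR:
        raise ValueError(f"unsupported KCM protocol version {major}.{minor}")
    return opcode, body[4:]


def encode_reply(status: int, payload: bytes = b"") -> bytes:
    """Framed reply: 32-bit status first, then payload."""
    return frame(struct.pack("!I", status & 0xFFFFFFFF) + payload)


def decode_reply(body: bytes):
    """Split a reply body into (status, payload)."""
    if len(body) < 4:
        raise ValueError("reply header truncated")
    (status,) = struct.unpack("!I", body[:4])
    return status, body[4:]


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; recv() on a stream socket may return short reads."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return bytes(buf)


def read_frame(sock: socket.socket) -> bytes:
    """Read one length-prefixed message, checking MAX_FRAME before the body."""
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    if length > MAX_FRAME:
        raise ValueError(f"frame of {length} bytes exceeds MAX_FRAME")
    return recv_exact(sock, length)


def serve_one(sock: socket.socket, default_cache: str = "12345") -> None:
    """Fake KCM server: answer a single request, then return."""
    try:
        opcode, _payload = decode_request(read_frame(sock))
    except ValueError:
        sock.sendall(encode_reply(STATUS_BAD_REQUEST))
        return
    if opcode == KCM_OP_NOOP:
        sock.sendall(encode_reply(STATUS_OK))
    elif opcode == KCM_OP_GET_DEFAULT_CACHE:
        sock.sendall(encode_reply(STATUS_OK, default_cache.encode() + b"\0"))
    else:
        sock.sendall(encode_reply(STATUS_UNSUPPORTED_OP))


def exchange(request: bytes):
    """One request/reply round trip against serve_one over a socketpair."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    worker = threading.Thread(target=serve_one, args=(server,))
    worker.start()
    try:
        client.sendall(request)
        return decode_reply(read_frame(client))
    finally:
        worker.join()
        client.close()
        server.close()


def default_cache_name() -> str:
    """Client side of KCM_OP_GET_DEFAULT_CACHE: send, check status, unpack name."""
    status, payload = exchange(encode_request(KCM_OP_GET_DEFAULT_CACHE))
    if status != STATUS_OK:
        raise RuntimeError(f"KCM server returned status {status}")
    return payload.split(b"\0", 1)[0].decode()


if __name__ == "__main__":
    print("default cache:", default_cache_name())
```

The two checks worth copying into a real server are in read_frame and decode_request: the length prefix is bounded before any allocation happens, and a request with an unexpected major version is answered with an error rather than parsed on a guess. Because the socket is local, the real server still has to decide which caller it is talking to (peer credentials on the UNIX socket), which this demo deliberately leaves out.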
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/kcm_default_ccache | 12 | ||||
-rw-r--r-- | contrib/sssd.spec.in | 41 |
2 files changed, 53 insertions, 0 deletions
diff --git a/contrib/kcm_default_ccache b/contrib/kcm_default_ccache new file mode 100644 index 000000000..ac88fca86 --- /dev/null +++ b/contrib/kcm_default_ccache @@ -0,0 +1,12 @@ +# This file should normally be installed by your distribution into a +# directory that is included from the Kerberos configuration file (/etc/krb5.conf) +# On Fedora/RHEL/CentOS, this is /etc/krb5.conf.d/ +# +# To enable the KCM credential cache, uncomment the following lines and +# enable the KCM socket and the service: +# systemctl enable sssd-kcm.socket +# systemctl start sssd-kcm.socket +# systemctl enable sssd-kcm.service + +#[libdefaults] +# default_ccache_name = KCM: diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 28ebe07a2..5c7c2af52 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -112,6 +112,13 @@ %global enable_systemtap_opt --enable-systemtap %endif +%if (0%{?fedora} >= 23 || 0%{?rhel} >= 7) + %global with_kcm 1 + %global with_kcm_option --with-kcm +%else + %global with_kcm_option --without-kcm +%endif + Name: @PACKAGE_NAME@ Version: @PACKAGE_VERSION@ Release: 0@PRERELEASE_VERSION@%{?dist} @@ -677,6 +684,18 @@ Requires: libsss_certmap = %{version}-%{release} %description -n libsss_certmap-devel Library to map certificates to users based on rules +%if (0%{?with_kcm} == 1) +%package kcm +Summary: An implementation of a Kerberos KCM server +Group: Applications/System +License: GPLv3+ +Requires: sssd-common = %{version}-%{release} + +%description kcm +An implementation of a Kerberos KCM server. Use this package if you want to +use the KCM: Kerberos credentials cache. +%endif + %prep %setup -q -n %{name}-%{version} @@ -706,6 +725,7 @@ autoreconf -ivf %{?with_python3_option} \ %{?enable_polkit_rules_option} \ %{?enable_systemtap_opt} \ + %{?with_kcm_option} \ %{?experimental} make %{?_smp_mflags} all 
@@ -1178,6 +1198,15 @@ done %{_libdir}/libsss_certmap.so %{_libdir}/pkgconfig/sss_certmap.pc +%if (0%{?with_kcm} == 1) +%files kcm +%{_libexecdir}/%{servicename}/sssd_kcm +%dir %{_sysconfdir}/krb5.conf.d +%config(noreplace) %{_sysconfdir}/krb5.conf.d/kcm_default_ccache +%{_unitdir}/sssd-kcm.socket +%{_unitdir}/sssd-kcm.service +%endif + %pre common getent group sssd >/dev/null || groupadd -r sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd @@ -1274,6 +1303,18 @@ fi %postun -n libsss_simpleifp -p /sbin/ldconfig +%if (0%{?with_kcm} == 1) +%post kcm +%systemd_post sssd-kcm.socket + +%preun kcm +%systemd_preun sssd-kcm.socket + +%postun kcm +%systemd_postun_with_restart sssd-kcm.socket +%systemd_postun_with_restart sssd-kcm.service +%endif + %changelog * Mon Mar 15 2010 Stephen Gallagher <sgallagh@redhat.com> - @PACKAGE_VERSION@-0@PRERELEASE_VERSION@ - Automated build of the SSSD |
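Review bot: the comment block in contrib/kcm_default_ccache tells the admin to run `systemctl enable sssd-kcm.service` on top of enabling and starting the socket, but the commit message describes the server as socket-activated and the spec's `%post kcm` only runs `%systemd_post sssd-kcm.socket`. Either drop the service line so the socket alone activates the daemon, or say in the snippet why the service should be enabled on its own; as written the instructions and the scriptlets disagree.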
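Review bot: `Requires: sssd-common = %{version}-%{release}` in the `%package kcm` hunk means the subpackage does pull in the core SSSD package, which sits uneasily with the commit message's claim that distributions can enable KCM "without the rest of the SSSD". The `%description kcm` should say that sssd-common is required, so that what "only this subpackage" actually installs is clear to packagers and users.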
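Review bot: `%dir %{_sysconfdir}/krb5.conf.d` in the `%files kcm` hunk makes sssd-kcm an owner of the system Kerberos configuration directory. The snippet's own comment says that directory is included from /etc/krb5.conf by the Kerberos configuration, i.e. it belongs to the Kerberos library package; the cleaner fix is to require that package and ship only `%config(noreplace) %{_sysconfdir}/krb5.conf.d/kcm_default_ccache` here. Co-owning the directory hides the missing dependency: without the Kerberos package installed the snippet is never read and `KCM:` never becomes the default ccache.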
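Review bot: `%preun kcm` only runs `%systemd_preun sssd-kcm.socket`, so on package removal a sssd-kcm.service instance started on demand by the socket is neither stopped nor disabled, even though `%postun kcm` does list both units for restart. Add sssd-kcm.service to the %preun; otherwise removing the package can leave a running daemon holding ccaches with its unit file already gone from disk.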