authorSumit Bose <sbose@redhat.com>2016-07-01 18:18:14 +0200
committerJakub Hrozek <jhrozek@redhat.com>2016-07-18 17:10:59 +0200
commit70673115c03c37ddc64c951b53d92df9d3310762 (patch)
tree078fd79202fe264c1a4075b8ede9357c537cacbb
parent17dccc24e4490dfda2820d46b62a029b14ba2359 (diff)
IPA: enable enterprise principals if server supports them
If alternative UPN suffixes are found on the server, we can safely assume that the IPA server supports enterprise principals. Resolves https://fedorahosted.org/sssd/ticket/3018 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r--src/man/sssd-krb5.5.xml6
-rw-r--r--src/providers/ipa/ipa_subdomains.c86
2 files changed, 92 insertions, 0 deletions
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index e7fdd19e0..60b7dfb50 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -513,6 +513,12 @@
<para>
Default: false (AD provider: true)
</para>
+ <para>
+ The IPA provider will set to option to 'true' if it
+ detects that the server is capable of handling
+ enterprise principals and the option is not set
+ explicitly in the config file.
+ </para>
</listitem>
</varlistentry>
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 925b1d8b1..4e5bceb8c 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -28,6 +28,7 @@
#include "providers/ipa/ipa_subdomains.h"
#include "providers/ipa/ipa_common.h"
#include "providers/ipa/ipa_id.h"
+#include "providers/ipa/ipa_opts.h"
#include <ctype.h>
@@ -999,6 +1000,84 @@ immediately:
return req;
}
+static errno_t ipa_enable_enterprise_principals(struct be_ctx *be_ctx)
+{
+ int ret;
+ struct sss_domain_info *d;
+ TALLOC_CTX *tmp_ctx;
+ char **vals = NULL;
+ struct dp_module *auth;
+ struct krb5_ctx *krb5_auth_ctx;
+
+ d = get_domains_head(be_ctx->domain);
+
+ while (d != NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "checking [%s].\n", d->name);
+ if (d->upn_suffixes != NULL) {
+ break;
+ }
+ d = get_next_domain(d, SSS_GND_DESCEND);
+ }
+
+ if (d == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "No UPN suffixes found, "
+ "no need to enable enterprise principals.\n");
+ return EOK;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ ret = confdb_get_param(be_ctx->cdb, tmp_ctx, be_ctx->conf_path,
+ ipa_def_krb5_opts[KRB5_USE_ENTERPRISE_PRINCIPAL].opt_name,
+ &vals);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "confdb_get_param failed.\n");
+ goto done;
+ }
+
+ if (vals[0]) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Parameter [%s] set in config file and will not be changed.\n",
+ ipa_def_krb5_opts[KRB5_USE_ENTERPRISE_PRINCIPAL].opt_name);
+ return EOK;
+ }
+
+ auth = dp_target_module(be_ctx->provider, DPT_AUTH);
+ if (auth == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to find auth proivder.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ krb5_auth_ctx = ipa_init_get_krb5_auth_ctx(dp_get_module_data(auth));
+ if (krb5_auth_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to find auth proivder data.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = dp_opt_set_bool(krb5_auth_ctx->opts,
+ KRB5_USE_ENTERPRISE_PRINCIPAL, true);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "dp_opt_set_bool failed.\n");
+ goto done;
+ }
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "Enterprise principals enabled.\n");
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
static void ipa_subdomains_slave_search_done(struct tevent_req *subreq)
{
struct ipa_subdomains_slave_state *state;
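Review bot: The early `return EOK;` inside the `if (vals[0])` branch leaks `tmp_ctx` (and the `vals` array allocated under it), because `tmp_ctx` is allocated just above the confdb_get_param call and is only released at `done:`; it should be `ret = EOK; goto done;` like the other exits. Whether confdb_get_param can hand back a NULL `vals` on success is not visible in this hunk; if it can, `vals[0]` needs a NULL check before it is dereferenced. The two OP_FAILURE messages also misspell "proivder" ("Unable to find auth provider." / "Unable to find auth provider data."). A short header comment stating that the function only flips KRB5_USE_ENTERPRISE_PRINCIPAL when some domain exposes UPN suffixes and the option is not set explicitly in the config would help readers, since that precedence rule is the whole point of the function.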
@@ -1037,6 +1116,13 @@ static void ipa_subdomains_slave_search_done(struct tevent_req *subreq)
goto done;
}
+ ret = ipa_enable_enterprise_principals(state->sd_ctx->be_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_enable_enterprise_principals failed. "
+ "Enterprise principals might not work as "
+ "expected.\n");
+ }
+
if (state->sd_ctx->ipa_id_ctx->server_mode == NULL) {
ret = EOK;
goto done;