author | Sumit Bose <sbose@redhat.com> | 2016-07-01 18:18:14 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2016-07-18 17:10:59 +0200 |
commit | 70673115c03c37ddc64c951b53d92df9d3310762 (patch) | |
tree | 078fd79202fe264c1a4075b8ede9357c537cacbb | |
parent | 17dccc24e4490dfda2820d46b62a029b14ba2359 (diff) | |
IPA: enable enterprise principals if server supports them
If there are alternative UPN suffixes found on the server we can safely
assume that the IPA server supports enterprise principals.
Resolves https://fedorahosted.org/sssd/ticket/3018
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r-- | src/man/sssd-krb5.5.xml | 6 | ||||
-rw-r--r-- | src/providers/ipa/ipa_subdomains.c | 86 |
2 files changed, 92 insertions, 0 deletions
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index e7fdd19e0..60b7dfb50 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -513,6 +513,12 @@
 <para>
 Default: false (AD provider: true)
 </para>
+ <para>
+ The IPA provider will set to option to 'true' if it
+ detects that the server is capable of handling
+ enterprise principals and the option is not set
+ explicitly in the config file.
+ </para>
 </listitem>
 </varlistentry>
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 925b1d8b1..4e5bceb8c 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -28,6 +28,7 @@
 #include "providers/ipa/ipa_subdomains.h"
 #include "providers/ipa/ipa_common.h"
 #include "providers/ipa/ipa_id.h"
+#include "providers/ipa/ipa_opts.h"
 #include <ctype.h>
@@ -999,6 +1000,84 @@ immediately:
 return req;
 }
+static errno_t ipa_enable_enterprise_principals(struct be_ctx *be_ctx)
+{
+ int ret;
+ struct sss_domain_info *d;
+ TALLOC_CTX *tmp_ctx;
+ char **vals = NULL;
+ struct dp_module *auth;
+ struct krb5_ctx *krb5_auth_ctx;
+
+ d = get_domains_head(be_ctx->domain);
+
+ while (d != NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "checking [%s].\n", d->name);
+ if (d->upn_suffixes != NULL) {
+ break;
+ }
+ d = get_next_domain(d, SSS_GND_DESCEND);
+ }
+
+ if (d == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "No UPN suffixes found, "
+ "no need to enable enterprise principals.\n");
+ return EOK;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ ret = confdb_get_param(be_ctx->cdb, tmp_ctx, be_ctx->conf_path,
+ ipa_def_krb5_opts[KRB5_USE_ENTERPRISE_PRINCIPAL].opt_name,
+ &vals);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "confdb_get_param failed.\n");
+ goto done;
+ }
+
+ if (vals[0]) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Parameter [%s] set in config file and will not be changed.\n",
+ ipa_def_krb5_opts[KRB5_USE_ENTERPRISE_PRINCIPAL].opt_name);
+ return EOK;
+ }
+
+ auth = dp_target_module(be_ctx->provider, DPT_AUTH);
+ if (auth == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to find auth proivder.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ krb5_auth_ctx = ipa_init_get_krb5_auth_ctx(dp_get_module_data(auth));
+ if (krb5_auth_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to find auth proivder data.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = dp_opt_set_bool(krb5_auth_ctx->opts,
+ KRB5_USE_ENTERPRISE_PRINCIPAL, true);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "dp_opt_set_bool failed.\n");
+ goto done;
+ }
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "Enterprise principals enabled.\n");
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
 static void ipa_subdomains_slave_search_done(struct tevent_req *subreq)
 {
 struct ipa_subdomains_slave_state *state;
@@ -1037,6 +1116,13 @@ static void ipa_subdomains_slave_search_done(struct tevent_req *subreq)
 goto done;
 }
+ ret = ipa_enable_enterprise_principals(state->sd_ctx->be_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_enable_enterprise_principals failed. "
+ "Enterprise principals might not work as "
+ "expected.\n");
+ }
+
 if (state->sd_ctx->ipa_id_ctx->server_mode == NULL) {
 ret = EOK;
 goto done;
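Review bot: `ipa_enable_enterprise_principals` leaks `tmp_ctx` on the "option already set in config" path: `confdb_get_param` allocates `vals` on the context created by `talloc_new(NULL)`, but the `if (vals[0])` branch does `return EOK;` directly instead of going through `done:`, so that context is never freed. Because the call site is the subdomain search completion callback, this leak repeats on every subdomain refresh for as long as the backend runs whenever the option is set explicitly; replace the early return with `ret = EOK;` followed by `goto done;`. Whether `confdb_get_param` guarantees a non-NULL `vals` on `EOK` is not visible here, so the bare `vals[0]` dereference is worth confirming against its contract. The two DEBUG messages in the auth-module checks also misspell "provider" as "proivder".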
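Review bot: The result of `ipa_enable_enterprise_principals` is logged and then dropped, and `ret` is overwritten by the `server_mode == NULL` branch that follows, which is fine for a best-effort setting but reads like an oversight without a comment saying so; suggest placing `/* Best effort: a failure here only affects enterprise principal support and must not fail the subdomain refresh. */` above the call. Note also that the helper is invoked every time this callback completes, so confdb is re-queried on each refresh rather than once at startup — acceptable, but worth a word in the same comment. ipa_subdomains_slave_search_done starts and ends outside the hunk.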