authorSumit Bose <sbose@redhat.com>2016-07-05 11:25:59 +0200
committerSumit Bose <sbose@redhat.com>2016-07-05 12:03:57 +0200
commit8b27ace5c972b82cde1e9a6d6f771f28a2999e39 (patch)
tree5cc635385247e22e6bbd1f44415a517a38a51f88
parent66ee2f40d0c9b526df8fa9ba7061772237b5d9e6 (diff)
IPA/AD: globally set krb5 canonicalization flagipa_automatic_enterprise
If Kerberos principal canonicalization is configured in SSSD (currently the default for the IPA provider), a configuration snippet is generated for the system-wide libkrb5 configuration so that all kerberized applications use canonicalization by default. Resolves https://fedorahosted.org/sssd/ticket/3041
-rw-r--r--src/providers/ad/ad_subdomains.c7
-rw-r--r--src/providers/ipa/ipa_subdomains.c7
-rw-r--r--src/tests/cmocka/test_utils.c12
-rw-r--r--src/util/domain_info_utils.c48
-rw-r--r--src/util/util.h2
5 files changed, 65 insertions, 11 deletions
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 4a858fd4d..928c4fe93 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -504,11 +504,16 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
{
const char *path;
errno_t ret;
+ bool canonicalize;
path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic,
AD_KRB5_CONFD_PATH);
- ret = sss_write_krb5_conf_snippet(path);
+ canonicalize = dp_opt_get_bool(
+ subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts,
+ KRB5_CANONICALIZE);
+
+ ret = sss_write_krb5_conf_snippet(path, canonicalize);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
/* Just continue */
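Review bot: The new lookup dereferences `subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts` without checking that `auth_ctx` is set; if the AD Kerberos auth context is only populated when AD is also the auth provider, an id-only configuration would crash here in ad_subdom_reinit before the snippet is written. A guard such as `canonicalize = false; if (subdoms_ctx->ad_id_ctx->ad_options->auth_ctx != NULL) { canonicalize = dp_opt_get_bool(subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts, KRB5_CANONICALIZE); }` would keep that case working and simply not emit the libdefaults snippet. The same unguarded chain appears in the ipa_subdomains.c hunk via `ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts`. The body of ad_subdom_reinit continues outside the hunk.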
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index f36e1bc69..4a3a69161 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -78,8 +78,11 @@ ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx)
"Re-initializing domain %s\n", ctx->be_ctx->domain->name);
ret = sss_write_krb5_conf_snippet(
- dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic,
- IPA_KRB5_CONFD_PATH));
+ dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic,
+ IPA_KRB5_CONFD_PATH),
+ dp_opt_get_bool(
+ ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts,
+ KRB5_CANONICALIZE));
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
/* Just continue */
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index aaba2df6d..4ea593647 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -1247,16 +1247,16 @@ void test_sss_write_krb5_conf_snippet(void **state)
char *path;
char *file;
- ret = sss_write_krb5_conf_snippet(NULL);
+ ret = sss_write_krb5_conf_snippet(NULL, false);
assert_int_equal(ret, EINVAL);
- ret = sss_write_krb5_conf_snippet("abc");
+ ret = sss_write_krb5_conf_snippet("abc", false);
assert_int_equal(ret, EINVAL);
- ret = sss_write_krb5_conf_snippet("");
+ ret = sss_write_krb5_conf_snippet("", false);
assert_int_equal(ret, EOK);
- ret = sss_write_krb5_conf_snippet("none");
+ ret = sss_write_krb5_conf_snippet("none", false);
assert_int_equal(ret, EOK);
cwd = getcwd(buf, PATH_MAX);
@@ -1268,11 +1268,11 @@ void test_sss_write_krb5_conf_snippet(void **state)
ret = asprintf(&file, "%s/%s/localauth_plugin", cwd, TESTS_PATH);
assert_true(ret > 0);
- ret = sss_write_krb5_conf_snippet(path);
+ ret = sss_write_krb5_conf_snippet(path, true);
assert_int_equal(ret, EOK);
/* Check if writing a second time will work as well */
- ret = sss_write_krb5_conf_snippet(path);
+ ret = sss_write_krb5_conf_snippet(path, true);
assert_int_equal(ret, EOK);
#ifdef HAVE_KRB5_LOCALAUTH_PLUGIN
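Review bot: Both calls in this hunk now pass `true`, but nothing asserts that `path/krb5_libdefaults` was actually written with the `[libdefaults]` section, and no call with `false` against a real directory checks that the file is absent, so the new branch in sss_write_krb5_conf_snippet is exercised but not verified. After the second call, a check along the lines of `ret = asprintf(&libdefaults_file, "%s/krb5_libdefaults", path); assert_true(ret > 0); assert_int_equal(access(libdefaults_file, R_OK), 0);` would pin the file's existence (the variable would need declaring alongside `file` in the earlier hunk), and a follow-up call with `false` could then assert the expected on-disk state. The test function continues outside the hunk.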
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 50fae22e6..a3e427b84 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -658,7 +658,45 @@ done:
#endif
}
-errno_t sss_write_krb5_conf_snippet(const char *path)
+#define KRB5_LIBDEFAUTLS_CONFIG \
+"[libdefaults]\n" \
+" canonicalize = true"
+
+static errno_t sss_write_krb5_libdefaults_snippet(const char *path)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx = NULL;
+ const char *file_name;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ file_name = talloc_asprintf(tmp_ctx, "%s/krb5_libdefaults", path);
+ if (file_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA, "File for KRB5 kibdefaults configuration is [%s]\n",
+ file_name);
+
+ ret = sss_write_krb5_snippet_common(file_name, KRB5_LIBDEFAUTLS_CONFIG);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_snippet_common failed.\n");
+ goto done;
+ }
+
+done:
+
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t sss_write_krb5_conf_snippet(const char *path, bool canonicalize)
{
errno_t ret;
errno_t err;
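Review bot: The new helper sss_write_krb5_libdefaults_snippet carries two typos that will be copied around: the macro is named `KRB5_LIBDEFAUTLS_CONFIG` (should be `KRB5_LIBDEFAULTS_CONFIG`, at both its definition and its use in the sss_write_krb5_snippet_common call) and the debug message reads "kibdefaults" instead of "libdefaults". `ret` is declared `int` although the function returns `errno_t` and every other value assigned to it is an errno code; `errno_t ret;` keeps it consistent with sss_write_krb5_conf_snippet below. A short comment above the macro would also help a later reader, e.g. `/* Snippet dropped into the krb5 include directory; it changes the default for every libkrb5 consumer on the host, not just SSSD. */`. The body of sss_write_krb5_conf_snippet that follows continues outside the hunk.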
@@ -680,6 +718,14 @@ errno_t sss_write_krb5_conf_snippet(const char *path)
goto done;
}
+ if (canonicalize) {
+ ret = sss_write_krb5_libdefaults_snippet(path);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_libdefaults_snippet failed.\n");
+ goto done;
+ }
+ }
+
ret = EOK;
done:
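Review bot: When `canonicalize` is false the new block simply skips the write, so a `krb5_libdefaults` file left behind by an earlier run with canonicalization enabled keeps forcing `canonicalize = true` on every kerberized application on the host after the administrator turns the option off, unless something outside this hunk removes it. An `else` branch that builds the same `%s/krb5_libdefaults` path and removes it, treating a missing file as success — `if (unlink(libdefaults_path) != 0 && errno != ENOENT) { ret = errno; goto done; }` — would make the on-disk state follow the configuration in both directions. The surrounding body of sss_write_krb5_conf_snippet, including any context where the path could be built, lies outside the hunk.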
diff --git a/src/util/util.h b/src/util/util.h
index 36d8231b9..92076488a 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -525,7 +525,7 @@ errno_t sssd_domain_init(TALLOC_CTX *mem_ctx,
errno_t sss_write_domain_mappings(struct sss_domain_info *domain);
-errno_t sss_write_krb5_conf_snippet(const char *path);
+errno_t sss_write_krb5_conf_snippet(const char *path, bool canonicalize);
errno_t get_dom_names(TALLOC_CTX *mem_ctx,
struct sss_domain_info *start_dom,