From cc4caf88344210ea9777d618f0f71935ca5e7f8b Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Thu, 10 Mar 2016 17:50:13 +0100
Subject: AD: use krb5_keytab for subdomain initialization

During the initialization of AD subdomains parameters like the SASL auth id are determined. Since subdomains use a default set of the AD specific configuration options the default keytab will be used. If krb5_keytab is set in sssd.conf for the AD domain this keytab should be used for the subdomains (domains of the same AD forest) as well.

Reviewed-by: Jakub Hrozek
---
 src/providers/ad/ad_common.c | 27 +++++++++++++++------------
 src/providers/ad/ad_common.h | 3 ++-
 src/providers/ad/ad_subdomains.c | 4 +++-
 src/providers/ipa/ipa_subdomains_server.c | 3 ++-
 4 files changed, 22 insertions(+), 15 deletions(-)
(limited to 'src/providers')

diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 4f8223879..be16b4306 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -139,7 +139,8 @@ static errno_t
 set_common_ad_trust_opts(struct ad_options *ad_options,
 const char *realm,
 const char *ad_domain,
- const char *hostname)
+ const char *hostname,
+ const char *keytab)
 {
 errno_t ret;

@@ -161,6 +162,14 @@ set_common_ad_trust_opts(struct ad_options *ad_options,
 return ret;
 }

+ if (keytab != NULL) {
+ ret = dp_opt_set_string(ad_options->basic, AD_KEYTAB, keytab);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot set keytab\n");
+ return ret;
+ }
+ }
+
 return EOK;
 }

@@ -168,7 +177,8 @@ struct ad_options *
 ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
 const char *realm,
 const char *ad_domain,
- const char *hostname)
+ const char *hostname,
+ const char *keytab)
 {
 struct ad_options *ad_options;
 errno_t ret;
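Review bot: The new keytab parameter of set_common_ad_trust_opts is silently optional — the `if (keytab != NULL)` check in the second hunk leaves AD_KEYTAB untouched for NULL, and nothing at the parameter or the check says so, while this commit also introduces a caller that passes NULL (ipa_ad_options_new). Add a line above the check so the fallback is explicit: `/* keytab may be NULL: AD_KEYTAB then keeps the value ad_create_default_options() gave it */`. The same sentence belongs on the ad_create_2way_trust_options prototype in ad_common.h, which is the interface callers actually read. The body of set_common_ad_trust_opts between the two hunks (the realm, domain and hostname handling) is not shown here.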
@@ -176,7 +186,8 @@ ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
 ad_options = ad_create_default_options(mem_ctx);
 if (ad_options == NULL) return NULL;

- ret = set_common_ad_trust_opts(ad_options, realm, ad_domain, hostname);
+ ret = set_common_ad_trust_opts(ad_options, realm, ad_domain, hostname,
+ keytab);
 if (ret != EOK) {
 talloc_free(ad_options);
 return NULL;
@@ -212,16 +223,8 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
 }

 ret = set_common_ad_trust_opts(ad_options, realm,
- ad_domain, hostname);
- if (ret != EOK) {
- talloc_free(ad_options);
- return NULL;
- }
-
- /* Set AD_KEYTAB to the special 1way keytab */
- ret = dp_opt_set_string(ad_options->basic, AD_KEYTAB, keytab);
+ ad_domain, hostname, keytab);
 if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot set trust keytab\n");
 talloc_free(ad_options);
 return NULL;
 }
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index d61be42cc..37178d611 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -110,7 +110,8 @@ struct ad_options *ad_create_default_options(TALLOC_CTX *mem_ctx);
 struct ad_options *ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
 const char *realm,
 const char *ad_domain,
- const char *hostname);
+ const char *hostname,
+ const char *keytab);

 struct ad_options *ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
 const char *ad_domain,
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 4799b518a..4bdd2a7ad 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
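Review bot: In the ad_create_1way_trust_options hunk the unconditional dp_opt_set_string(AD_KEYTAB) is replaced by the shared path, whose `if (keytab != NULL)` guard means a NULL keytab now quietly leaves AD_KEYTAB at the default from ad_create_default_options() instead of the "special 1way keytab" the deleted comment insisted on. For a one-way trust that is a credential mix-up — the wrong keytab would be used towards the trusted forest and only show up later as an authentication failure — so it should be rejected up front rather than inherited: `if (keytab == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Missing keytab for one-way trust\n"); return NULL; }`. Whether the default value is itself NULL (in which case the old code wrote the same thing) cannot be told from this hunk and is worth confirming before relying on the fallback. ad_create_1way_trust_options begins before the hunk and may continue past its last line.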
@@ -108,9 +108,11 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
 errno_t ret;
 const char *realm;
 const char *hostname;
+ const char *keytab;

 realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM);
 hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME);
+ keytab = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KEYTAB);
 ad_domain = subdom->name;
 if (realm == NULL || hostname == NULL || ad_domain == NULL) {
 DEBUG(SSSDBG_CONF_SETTINGS, "Missing realm or hostname.\n");
@@ -118,7 +120,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
 }

 ad_options = ad_create_2way_trust_options(id_ctx, realm,
- ad_domain, hostname);
+ ad_domain, hostname, keytab);
 if (ad_options == NULL) {
 DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n");
 talloc_free(ad_options);
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index 33c76cad9..b870d5552 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -176,7 +176,8 @@ static struct ad_options *ipa_ad_options_new(struct ipa_id_ctx *id_ctx,
 ad_options = ad_create_2way_trust_options(id_ctx,
 id_ctx->server_mode->realm,
 subdom->name,
- id_ctx->server_mode->hostname);
+ id_ctx->server_mode->hostname,
+ NULL);
 } else if (direction & LSA_TRUST_DIRECTION_INBOUND) {
 ad_options = ipa_create_1way_trust_ctx(id_ctx, forest,
 forest_realm, subdom);
-- cgit
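Review bot: The bare `NULL` passed to ad_create_2way_trust_options in ipa_ad_options_new hides which keytab the IPA server-mode context will authenticate with: set_common_ad_trust_opts skips AD_KEYTAB for NULL, so the value from ad_create_default_options() stays in effect, and a reader of this call site has no way to see that. Annotate the argument: `NULL); /* no keytab override: keep the default krb5_keytab */`. Presumably that default is the host's system keytab, which is the credential used towards the trusted forest in server mode, so it is worth confirming the intent here in the same commit that makes the AD provider honour a configured krb5_keytab. ipa_ad_options_new begins before the hunk and continues past it.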