KCM: Make use of sss_client_fd_handler() Let's make use of the sss_client_fd_handler() on kcm_fd_handler() Resolves: https://pagure.io/SSSD/sssd/issue/3633 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

KCM: reset last_request_time on any activity As all the activities are being handled by the kcm responder itself and not by responder's common code, we have to take care of re-setting the last_request_time by ourselves here. Without this patch, the responder would be shot down after reaching the idle_timeout with activities happening or not. Resolves: https://pagure.io/SSSD/sssd/issue/3633 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

KCM: Do not use 2048 as fixed size for the payload The KCM code has the limit set as 2048 only inside #ifdef __APPLE__, while it should be normally set as 10 * 1024 * 1024, as seen in: https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53 Last but not least, doesn't make much sense to use a fixed value as the first 4 bytes received are the payload size ... so let's just allocate the needed size instead of having a fixed value. Resolves: https://pagure.io/SSSD/sssd/issue/3671 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

KCM: Introduce kcm_input_get_payload_len() As this piece of code will be useful for us in the future patches of this series, let's move it to a new function. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

KCM: Remove mem_ctx from kcm_new_req() Let's remove the mem_ctx argument as we really want cctx to be the memory context here, so that if the client disconnects the request goes away. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

KCM: include missing header file man 2 readv says that the header file "sys/uio.h" must be included for the functions readv/writev Previously, "sys/uio.h" was included in "sys/socket.h" in glibc. It worked just by a change. But it will be changed in glibc-2.26. https://sourceware.org/bugzilla/show_bug.cgi?id=21426 src/responder/kcm/kcmsrv_cmd.c: In function 'kcm_iovec_op': src/responder/kcm/kcmsrv_cmd.c:75:15: error: implicit declaration of function 'readv'; did you mean 'read'? [-Werror=implicit-function-declaration] src/responder/kcm/kcmsrv_cmd.c:77:15: error: implicit declaration of function 'writev'; did you mean 'write'? [-Werror=implicit-function-declaration] Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

KCM: Queue requests by the same UID In order to avoid race conditions, we queue requests towards the KCM responder coming from the same client UID. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

KCM: Implement KCM server operations Implements the actual KCM server operations. On a high level, each operation unmarhalls the needed data from the input buffer, calls into the ccache db and marshalls a response. Only the operations that are also implemented by the MIT client are implemented by our KCM server. Resolves: https://pagure.io/SSSD/sssd/issue/2887 Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

KCM: request parsing and sending a reply Implements parsing the KCM client request into per-client buffers and sending a response for both the failure case and for success. The protocol is documented at: http://k5wiki.kerberos.org/wiki/Projects/KCM_client Several places don't use the sss_iobuf structure, because they don't parse variable-length data from the buffer and it's much more efficient to just allocate the needed request and reply structure on the stack. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

KCM: Initial responder build and packaging Adds the initial build of the Kerberos Cache Manager responder (KCM). This is a deamon that is capable of holding and storing Kerberos ccaches. When KCM is used, the kerberos libraries (invoked through e.g. kinit) are referred to as a 'client' and the KCM deamon is referred to as 'server'. At the moment, only the Heimdal implementation of Kerberos implements the KCM server: https://www.h5l.org/manual/HEAD/info/heimdal/Credential-cache-server-_002d-KCM.html This patch adds a KCM server to SSSD. In MIT, only the 'client-side' support was added: http://k5wiki.kerberos.org/wiki/Projects/KCM_client This page also describes the protocol between the client and the server. The client is capable of talking to the server over either UNIX sockets (Linux, most Unixes) or Mach RPC (macOS). Our server only implements the UNIX sockets way and should be socket-activated by systemd, although can in theory be also ran explicitly. The KCM server only builds if the configuration option "--with-kcm" is enabled. It is packaged in a new subpackage sssd-kcm in order to allow distributions to enable the KCM credential caches by installing this subpackage only, without the rest of the SSSD. The sssd-kcm subpackage also includes a krb5.conf.d snippet that allows the admin to just uncomment the KCM defaults and instructs them to start the socket. The server can be configured in sssd.conf in the "[kcm]" section. By default, the server only listens on the same socket path the Heimdal server uses, which is "/var/run/.heim_org.h5l.kcm-socket". This is, however, configurable. The file src/responder/kcm/kcm.h is more or less directly imported from the MIT Kerberos tree, with an additional sentinel code and some comments. Not all KCM operations are implemented, only those that also the MIT client implements. That said, this KCM server should also be usable with a Heimdal client, although no special testing was with this hybrid. The patch also adds several error codes that will be used in later patches. Related to: https://pagure.io/SSSD/sssd/issue/2887 Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>