346d6d8bf5fdb446921d754c07c8a7d913a048d5 |
|
29-Jan-2018 |
René Genz <liebundartig@freenet.de> |
Fix minor spelling mistakes
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
2c10819750a8d920ab755eba1278e6e20e684e93 |
|
28-Nov-2017 |
Sumit Bose <sbose@redhat.com> |
krb5: show error message for krb5_init_context() failures
If there are typos in /etc/krb5.conf (or one of the included config
snippets) krb5_init_context(), the initial call always needed to do any
other operation with libkrb5, fails because /etc/krb5.conf cannot be
parsed.
Currently the related debug/syslog messages might be misleading, e.g.
failed to read keytab. This is because SSSD does not use a global krb5
context but creates a fresh one for every new request or operation (to
always use the latest settings from /etc/krb5.conf) and typically there
is an error message indicating that the related operation failed but not
giving more details.
Since krb5_init_context() is fundamental for Kerberos support this patch
tries to add as many details as libkrb5 provides in the logs if the call
fails.
Resolves:
https://pagure.io/SSSD/sssd/issue/3586
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com> |
96e1794db6915a655d97ecab7ab71ad53d1f527b |
|
08-Jun-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
UTIL: Remove ctype.h from util/util.h
ctype.h is not used directly by util/util.h. The header file ctype.h
must be included in 32 files and after removing it from util.h it had to be
added only to 8 missing files
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
c6f1bc32774a7cf2f8678499dfbced420be3a3a1 |
|
12-Apr-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
UTIL: Use max 15 characters for AD host UPN
We do not want to use host principal with AD
"host/name.domain.tld@DOMAIN.TLD" because it does not work.
We need to use correct user principal for AD hosts. And we cannot
rely on fallback "*$" because of other principals in keytab.
The NetBIOS naming convention allows for 16 characters in a NetBIOS
name. Microsoft, however, limits NetBIOS names to 15 characters and
uses the 16th character as a NetBIOS suffix.
https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name
Resolves:
https://pagure.io/SSSD/sssd/issue/3329
Reviewed-by: Michal Židek <mzidek@redhat.com> |
1dbf09404e20b6e30a24afe72b6d349734aee62f |
|
27-Mar-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: krb5 principal (un)marshalling
The KCM responder needs to read the contents of the principal blob that
the Kerberos library sends. Since libkrb5 doesn't export any API to do
so, we need to implement marshalling and unmarshalling of the principal
ourselves.
In future, when the KCM server also supports renewals, we will also need
to unmarshall the credentials, but until that is not really needed, the
credentials will be stored as a blob.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
e16b3174e465deceaca9bfef29d05dfe5537cf9c |
|
14-Nov-2016 |
Petr Čech <pcech@redhat.com> |
UTIL: Removing of never read value
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
f0815f5dff315576c8d1b6fedf00165a4161f8c0 |
|
16-Sep-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Don't error out reading a minimal krb5.conf
With some setups, krb5.conf can be really minimal. In those cases, we
should ignore PROF_NO_RELATION and PROF_NO_SECTION and just return
"false" as in "no proxy" without a loud debug message.
Reviewed-by: Petr Cech <pcech@redhat.com> |
9a847b5d7dfea403d838274950402cccc36659d0 |
|
14-Sep-2015 |
Sumit Bose <sbose@redhat.com> |
utils: make sss_krb5_get_primary() private
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7bb9ba8688ec1ca930d693eea05e936bc38f6d1b |
|
05-Aug-2015 |
Sumit Bose <sbose@redhat.com> |
krb5 utils: add sss_krb5_realm_has_proxy()
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 |
|
17-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Add missing new lines to debug messages
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
5dcf3ffa3aa228701a79556dc0b889dba0aac535 |
|
07-Dec-2014 |
Sumit Bose <sbose@redhat.com> |
krb5: add wrapper for krb5_kt_have_content()
krb5_kt_have_content() was introduced in MIT Kerberos 1.11. For older
platforms this patch adds sss_krb5_kt_have_content() as a wrapper.
Resolves https://fedorahosted.org/sssd/ticket/2518
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
466f5a539be1e4c6e7cfb396a2f406e1eb8c428d |
|
28-Nov-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
krb5: Check return value of sss_krb5_princ_realm
sss_krb5_princ_realm set output parameter realm to NULL and len to 0
in case of failure. Clang static analysers reported warning
"Null pointer passed as an argument to a 'nonnull' parameter"
in function match_principal. It was possible, that realm_name with value NULL
could be used in strncmp.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
2dc519ba98ca886076ba9e16b95a72732909cea1 |
|
28-Nov-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
krb5: Check return value of krb5_principal_get_realm
Function krb5_principal_get_realm can return NULL and it would
cause a segfault in function strlen.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
0348c74bad010d35f92400c749a7acc2fea8b2cb |
|
05-Nov-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Move sss_krb5_verify_keytab_ex to ldap_child
The function was called from one place only, so it makes no sense to
keep it in a shared module. Moreover, the function should only be
called from code that runs as root.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
5ae539828197f032d3e2ccb27e87ccf2a1d94996 |
|
29-Sep-2014 |
Stephen Gallagher <sgallagh@redhat.com> |
krb5: make get_primary() a public call
This patch changes get_primary() into sss_krb5_get_primary() so it can
be used by the AD provider to get the sAMAccountName from the hostname.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
498a0cefea205f7783dd675aac3f8b831d3baa82 |
|
23-Apr-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Print a verbose error message on failure reading the keytab
krb5_kt_resolve() returns 0 when a non-existent keytab is read, which
means there was no FATAL-level DEBUG message printed to the user in case
the keytab was missing completely and users had to enable more verbose
debugging to diagnose failure to start up.
This patch adds both the verbose DEBUG message as well as a syslog
message.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
83bf46f4066e3d5e838a32357c201de9bd6ecdfd |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Update DEBUG* invocations to use new levels
Use a script to update DEBUG* macro invocations, which use literal
numbers for levels, to use bitmask macros instead:
    grep -rl --include '*.[hc]' DEBUG . |
        while read f; do
            mv "$f"{,.orig}
            perl -e 'use strict;
                     use File::Slurp;
                     my @map=qw"
                         SSSDBG_FATAL_FAILURE
                         SSSDBG_CRIT_FAILURE
                         SSSDBG_OP_FAILURE
                         SSSDBG_MINOR_FAILURE
                         SSSDBG_CONF_SETTINGS
                         SSSDBG_FUNC_DATA
                         SSSDBG_TRACE_FUNC
                         SSSDBG_TRACE_LIBS
                         SSSDBG_TRACE_INTERNAL
                         SSSDBG_TRACE_ALL
                     ";
                     my $text=read_file(\*STDIN);
                     my $repl;
                     $text=~s/
                             ^
                             (
                                 .*
                                 \b
                                 (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
                                 \s*
                                 \(\s*
                             )(
                                 [0-9]
                             )(
                                 \s*,
                             )
                             (
                                 \s*
                             )
                             (
                                 .*
                             )
                             $
                         /
                             $repl = $1.$map[$3].$4.$5.$6,
                             length($repl) <= 80
                                 ? $repl
                                 : $1.$map[$3].$4."\n".(" " x length($1)).$6
                         /xmge;
                     print $text;
                    ' < "$f.orig" > "$f"
            rm "$f.orig"
        done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
    grep -rwl --include '*.[hc]' DEBUG . |
        while read f; do
            mv "$f"{,.orig}
            perl -e \
                'use strict;
                 use File::Slurp;
                 my $text=read_file(\*STDIN);
                 $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
                 print $text;' < "$f.orig" > "$f"
            rm "$f.orig"
        done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
9318c99b485015a9e3774b9414f3a559a4bb721a |
|
09-Dec-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix a trivial typo |
077fa994f62641a13665b6a07d38b3d5a903dcdc |
|
09-Sep-2013 |
Simo Sorce <simo@redhat.com> |
krb5: Remove unused helper functions
These functions are not needed anymore.
Related:
https://fedorahosted.org/sssd/ticket/2061 |
0dbcc64a5cee58d5fffaaef923302d9c7a951a7d |
|
09-Sep-2013 |
Simo Sorce <simo@redhat.com> |
krb5: Remove unused function
Related:
https://fedorahosted.org/sssd/ticket/2061 |
c121e65ed592bf3611053ee38032fd33c8d1b285 |
|
09-Sep-2013 |
Simo Sorce <simo@redhat.com> |
krb5: Make check_for_valid_tgt() static
check_for_valid_tgt() is used exclusively in krb5_utils.c so move it there.
Resolves:
https://fedorahosted.org/sssd/ticket/2061 |
aeb1e654c337037b6bdb350e1ec8aaa065e86794 |
|
27-Aug-2013 |
Stephen Gallagher <sgallagh@redhat.com> |
KRB5: Add support for KEYRING cache type
https://fedorahosted.org/sssd/ticket/2036 |
d9816ac73176ee1f4d9c1fbf4861918d01dda798 |
|
27-Aug-2013 |
Stephen Gallagher <sgallagh@redhat.com> |
KRB5: Add low-level debugging to sss_get_ccache_name_for_principal |
e0b89ca1cc4160f5a9beb15c39dd685edb6021cd |
|
22-Aug-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fix memory leak in sss_krb5_get_error_message
warning reported by cppcheck |
8340ca480e0fe823441633720d67efc9e4a4bc64 |
|
22-Aug-2013 |
Stephen Gallagher <sgallagh@redhat.com> |
KRB5: Add new #define for collection cache types
Kerberos now supports multiple types of collection caches, not just
DIR: caches. We should add a macro for generic collection behavior
and use that where appropriate. |
b4486ce81fefae716549959eaa82612dac63cbe5 |
|
19-Jul-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Add missing argument required by format string |
dbf4dd47aa7f314a6a6bb2c8f9bb4ddd09de9e8b |
|
15-Jul-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Use conditional build for retrieving ccache.
Some krb5 functions needn't be available for retrieving ccache
with principal. Therefore ifdef is used to solve this situation with older
version of libkrb5. There were two functions with similar functionality
in krb5_child and krb5_utils. They were merged to one universal function, which
was moved to file src/util/sss_krb5.c |
58dd26b1c5b60ee992dd5d1214bb168aebb42d54 |
|
27-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Write out domain-realm mappings
This patch reuses the code from IPA provider to make sure that
domain-realm mappings are written even for AD sub domains. |
d413dd5d7d4affeae9fe4dfd2de4b2296ecaffcc |
|
26-Jun-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fix wrong detection of krb5 ccname
DIR:/run/user/1000/krb5cc is valid ccname, but function sss_krb5_cc_file_path
returned NULL in this case. |
03713859dffacc7142393e53c73d8d4cf7dee8d5 |
|
16-Jun-2013 |
Pavel Březina <pbrezina@redhat.com> |
subdomains: touch krb5.conf when creating new domain-realm mappings
https://fedorahosted.org/sssd/ticket/1815 |
edaa983d094c239c3e1ba667bcd20ed3934be3b8 |
|
22-Apr-2013 |
Sumit Bose <sbose@redhat.com> |
Allow usage of enterprise principals
Enterprise principals are currently most useful for the AD provider and
hence enabled here by default while for the other Kerberos based
authentication providers they are disabled by default.
If additional UPN suffixes are configured for the AD domain the user
principal stored in the AD LDAP server might not contain the real
Kerberos realm of the AD domain but one of the additional suffixes which
might be completely randomly chosen, e.g. are not related to any
existing DNS domain. This makes it hard for a client to figure out the
right KDC to send requests to.
To get around this enterprise principals (see
http://tools.ietf.org/html/rfc6806 for details) were introduced.
Basically a default realm is added to the principal so that the Kerberos
client libraries at least know where to send the request to. It is not
in the responsibility of the KDC to either handle the request itself,
return a client referral if he thinks a different KDC can handle the
request or return an error. This feature is also used to allow
authentication in AD environments with cross forest trusts.
Fixes https://fedorahosted.org/sssd/ticket/1842 |
4e78fab6a1b2e9653a7959cbdb7d54bb750041d0 |
|
11-Feb-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
krb5: include backwards compatible declaration of krb5_trace_info
krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11
includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info".
Do the same in the SSSD to allow compiling with both 1.10 and 1.11. |
399518984f37bd67d2d547de66efb875bc21ccbc |
|
07-Jan-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Search for SHORTNAME$@REALM instead of fqdn$@REALM by default
The search was intended for the AD provider mostly, but keytabs coming
from AD via samba don't contain fqdn$@REALM but rather uppercased
SHORTNAME$@REALM
https://fedorahosted.org/sssd/ticket/1740 |
4ee7f390af4193656c1e6ba45c9c3c14dd64a8a9 |
|
18-Dec-2012 |
Sumit Bose <sbose@redhat.com> |
select_principal_from_keytab() do wildcard lookups after specific ones
Currently the wildcard lookup '*$' is done before the one for
host/our.hostname@REALM. This means we would ignore a more specific
match in favour of an unspecific match with a principal which is only
used in an AD environment.
I think this is wrong and wildcards should only be used if all specific
lookups fail. |
f2999e1d624d45e0142f39317461a6a1c996efb2 |
|
18-Dec-2012 |
Sumit Bose <sbose@redhat.com> |
select_principal_from_keytab() look for plain input as well
Currently in select_principal_from_keytab() all kinds of different
versions of the host principal are looked up in the keytab except for
the plain name the ldap_sasl_authid option. With this patch the plain
name is looked up first. |
0f76569b4cecc048974e837c92d4ca806ca3bbac |
|
12-Nov-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Only build extract_and_send_pac on platforms that support it |
7219ef88751bb05edd77629b8068330bb6d9b117 |
|
26-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
Add replacement for krb5_find_authdata()
krb5_find_authdata() is only available in MIT Kerberos 1.10 or higher.
To allow sssd to be compiled on platforms with a lower version of MIT
Kerberos a replacement call is added. Please note that on those
platforms the replacement call will only return an error. If the
krb5_find_authdata functionality is really needed on those platforms it
must be implemented by a different patch. |
c5e4d4e9a3f6896f0f3c631ea26bb49a79b5cd8e |
|
12-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Only call krb5_set_trace_callback on platforms that support it |
e7a24374d97e1d1c32d3e18561a20e8c5e6319ec |
|
12-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Collect krb5 trace on high debug levels
If the debug level contains SSSDBG_TRACE_ALL, then the logs would also
include tracing information from libkrb5.
https://fedorahosted.org/sssd/ticket/1539 |
798a227df11f49147fa43e515910ec11e21e0caa |
|
02-Oct-2012 |
Pavel Březina <pbrezina@redhat.com> |
remove left over principal selection
https://fedorahosted.org/sssd/ticket/1303
Domain start up was taking too long when there are many principals
in a kerberos keytab. We were looking up in the keytab two times.
The first time we try to select a proper principal and remember it.
The second call happens almost right after the first one and
it is just a check if the principal exists in the keytab, without
any output information other than success/failure. It is
probably a left over from https://fedorahosted.org/sssd/ticket/781.
This patch removes the second call. |
84a4e4533b3af5b170e19827f428b7df76b69d71 |
|
09-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Check for errors from krb5_unparse_name
Coverity #12781 |
aa2c6f469414668e56aa03d5ba5cecde64bc713e |
|
06-Jul-2012 |
Stef Walter <stefw@gnome.org> |
Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8
* This broke corner cases when used with
default_tkt_types = des-cbc-crc
and DES enabled on an AD domain.
* This is fixed in kerberos instead, in a more correct way
and in a way which we cannot replicate. |
6ca87e797982061576885f944e2ccfaba9573897 |
|
15-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
KRB5: Auto-detect DIR cache support in configure
We can't support the DIR cache features in systems with kerberos
libraries older than 1.10. Make sure we don't build it on those
systems. |
9a3ba9ca00e73adc3fb17ce8afa532076768023b |
|
14-Jun-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Add support for storing credential caches in the DIR: back end
https://fedorahosted.org/sssd/ticket/974 |
f674270b1068e4ad51c80dcd528ae996a4fe99ef |
|
14-Jun-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Residual util functions
Kerberos credential caches can be specified by TYPE:RESIDUAL. This patch
adds a couple of utilities to support parsing of ccache locations,
checking types etc. |
a3dd0afecaf1c197ac06e1da5cf59ad985c7abe9 |
|
22-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
KRB5: Avoid NULL-dereference with empty keytab
https://fedorahosted.org/sssd/ticket/1330 |
4c157ecedd52602f75574605ef48d0c48e9bfbe8 |
|
07-May-2012 |
Stef Walter <stefw@gnome.org> |
Limit krb5_get_init_creds_keytab() to etypes in keytab
* Load the enctypes for the keys in the keytab and pass
them to krb5_get_init_creds_keytab().
* This fixes the problem where the server offers an enctype
that krb5 supports, but we don't have a key for in the keytab.
https://bugzilla.redhat.com/show_bug.cgi?id=811375 |
5b1a798a2a792c74e5f11f744f4f5b663c8b93c3 |
|
07-May-2012 |
Stef Walter <stefw@gnome.org> |
Remove erroneous failure message in find_principal_in_keytab
* When it's actually a failure, then the callers will print
a message. Fine tune this. |
c87a579a23b27e65ae956bc42cf0a247f2ca0baf |
|
06-Apr-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Clean up log messages about keytab_name
There were many places where we were printing (null) to the logs
because a NULL keytab name tells libkrb5 to use its configured
default instead of a particular path. This patch should clean up
all uses of this to print "default" in the logs.
https://fedorahosted.org/sssd/ticket/1288 |
fcbaf4c73d3af215492f0907a6a3a46602a0e753 |
|
29-Mar-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix off-by-one error in principal selection
https://fedorahosted.org/sssd/ticket/1269 |
40d4e954b09e6f08f101acf3d03937d2bd7d847e |
|
27-Mar-2012 |
Sumit Bose <sbose@redhat.com> |
Always initialize the returned data in sss_krb5_princ_realm() |
ef479645b5e038a0e06d7d10b3c924227deafa52 |
|
17-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Raise the debug level of two very noisy statements |
768591607fc89d3a14fa00c9c8f78e83f3f6b565 |
|
22-Dec-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add compatibility layer for Heimdal Kerberos implementation |
20c187339201a95558a9b237af37b461665d9340 |
|
02-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Add wrapper for krb5_get_init_creds_opt_set_canonicalize |
13521d724231f12924dd996d81c157f328ceca17 |
|
16-May-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Fixed uninitialized pointer in select_principal_from_keytab
https://fedorahosted.org/sssd/ticket/857 |
6e32020ba248511f4adb5ce89156d576a329d6ad |
|
16-May-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Fixed uninitialized return value in match_principal
https://fedorahosted.org/sssd/ticket/858 |
628187049e815ee54637398c8011883d762c8a64 |
|
05-May-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Added some kerberos functions for building on RHEL5 |
e81a816cddab4a62f263d1a0274d5d3f101e8e0f |
|
25-Apr-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Modify principal selection for keytab authentication
Currently we construct the principal as host/fqdn@REALM. The problem
with this is that this principal doesn't have to be in the keytab. In
that case the provider fails to start. It is better to scan the keytab
and find the most suitable principal to use. Only in case no suitable
principal is found the backend should fail to start.
The second issue solved by this patch is that the realm we are
authenticating the machine to can be in general different from the realm
our users are part of (in case of cross Kerberos trust).
The patch adds new configuration option SDAP_SASL_REALM.
https://fedorahosted.org/sssd/ticket/781 |
cfd79b92d3813ed53ef51ae2cf93be6287e73a27 |
|
25-Apr-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Extend and move function for finding principal in keytab
The function now supports finding principal in keytab not only based on
realm, but based on both realm and primary/instance parts. The function
also supports * wildcard at the beginning or at the end of primary
principal part. The function for finding principal has been moved to
util/sss_krb5.c, so it can be used in other parts of the code. |
7215ce30acdc19e95e31d83518a20f75eec74112 |
|
17-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix unchecked return value in sss_krb5_verify_keytab_ex
https://fedorahosted.org/sssd/ticket/711 |
5843ad321944a028f6dee7e1fd4f9381c4953d07 |
|
07-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add support for FAST in krb5 provider |
c7bca19b94bd48d0088e5a8002946b345b6adcc1 |
|
18-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Add missing error code |
047332ebbe8397a70c92e5e3a5fbd40a9d00d0b5 |
|
23-Sep-2010 |
Sumit Bose <sbose@redhat.com> |
Use new MIT krb5 API for better password expiration warnings |
2f4e8fbdf1d4ba1e00fcab93af91fe4f4f40250d |
|
03-Aug-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Validate keytab at startup
In addition to validating the keytab every time a TGT is requested, we
also validate the keytab on back end startup to give early warning that
the keytab is not usable.
Fixes: #556 |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |