7e394400eefd0e7c5ba0c64ab3fa28bee21ef2d7 |
|
28-Nov-2016 |
Sumit Bose <sbose@redhat.com> |
krb5: Use command line arguments instead of env vars for krb5_child
Resolves:
https://fedorahosted.org/sssd/ticket/697
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
fedfb7c62b4efa89d18d0d3a7895a2a34ec4ce42 |
|
08-Sep-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Send the output username, not internal fqname to krb5_child
krb5_child calls krb5_kuserok() during the access phase which checks if
a particular user is allowed to authenticate as a particular principal.
We used to pass the internal fqname to krb5_kuserok() which broke the
functionality and all users were denied access.
This patch changes that to send the 'output' username to krb5_child,
because that's the username the system receives through getpwnam() or
getpwuid() anyway. The patch also adds a new structure member to the
krb5child_req structure to avoid reusing the pd->user variable but to have
an explicit one that serves as the input for the child process.
Resolves:
https://fedorahosted.org/sssd/ticket/3172
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
dea636af4d1902a081ee891f1b19ee2f8729d759 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Switch to new interface
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
cc2d77d5218c188119fa954c856e858cbde76947 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
Rename dp_backend.h to backend.h
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
01ec08efd0e166ac6f390f8627c6d08dcc63ccc4 |
|
06-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Add and use krb5_auth_queue_send to queue requests by default
Resolves:
https://fedorahosted.org/sssd/ticket/2701
Previously, only the krb5 provider used to queue requests, which
resulted in concurrent authentication requests stepping on one another.
This patch queues requests by default.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
aa8a8318aaa3270e9d9957d0c22dec6342360a37 |
|
28-May-2015 |
Pavel Reichl <preichl@redhat.com> |
krb5: new option krb5_map_user
New option `krb5_map_user` providing mapping of ID provider names to
Kerberos principals.
Resolves:
https://fedorahosted.org/sssd/ticket/2509
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
9696ce0c9ff737c873ddbf54fab91355d71e8698 |
|
14-May-2015 |
Pavel Reichl <preichl@redhat.com> |
krb5: remove field run_as_user
run_as_user is set but never read.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
45aeb924ec3ac448bb8d174a5cc061ed98b147c7 |
|
18-Nov-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Move ccache-related functions to krb5_ccache.c
Add a new module krb5_ccache.c that contains all ccache-related
operations. The only user of this module shall be krb5_child.c as the
other modules will run unprivileged and accessing the ccache requires
either privileges of root or the ccache owner.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
d20a5a74666413cadbf64c02eb656a5a3b4bb1de |
|
09-Sep-2013 |
Simo Sorce <simo@redhat.com> |
krb5: Remove unused ccache backend infrastructure
Remove struct sss_krb5_cc_be and the remaining functions that reference
it as they are all unused now.
Resolves:
https://fedorahosted.org/sssd/ticket/2061 |
fa4a9c4afcc0c62a693034e21f33356e64735687 |
|
25-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
krb5: do not send pac for IPA users from the local domain
So far we didn't send the PAC of IPA users to the PAC responder during
password authentication because group memberships for IPA users can be
retrieved efficiently with LDAP calls. Recently, patches added PAC
support for the AD provider as well and removed the restriction for the
IPA users. This patch restores the original behaviour by introducing a
new flag in struct krb5_ctx which is only set for the IPA provider.
Additionally, a different flag is renamed to make its purpose more
clear.
Fixes https://fedorahosted.org/sssd/ticket/1995 |
b40583c6d52b72e41bf01106534535e54b4fba4f |
|
08-Mar-2013 |
Nathaniel McCallum <npmccallum@redhat.com> |
Add support for krb5 1.11's responder callback.
krb5 1.11 adds support for a new method for responding to
structured data queries. This method, called the responder,
provides an alternative to the prompter interface.
This patch adds support for this method. It takes the password
and provides it via a responder instead of the prompter. In the
case of OTP authentication, it also disables the caching of
credentials (since the credentials are one-time only). |
7baccb545ac9829b7e1990f45ff6f70e2de55c2a |
|
04-Dec-2012 |
Simo Sorce <simo@redhat.com> |
Fix tevent_req style for krb5_auth
No functionality changes,
just make the code respect the tevent_req style and naming conventions
and enhance readability by adding some helper functions. |
964628ab89229e9266adc5f4f8a26222734788b7 |
|
26-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
Use find_or_guess_upn() where needed |
d3dca30d3a6feba062d0299718d1a9fcdc8b9d17 |
|
26-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
krb5_child: send back the client principal
In general Kerberos is case sensitive, but the KDC of Active Directory
typically handles requests case-insensitively. In the case where we guess
a user principal by combining the user name and the realm and are not
sure about the case of the letters used in the user name, we might get a
valid ticket from the AD KDC but are not able to access it with the
Kerberos client library because we assume a wrong case.
The client principal in the returned credentials will always have the
right case. To be able to update the cached user principal name, the
krb5_child will return the principal for further processing. |
83f24636ef8d3d2b9c5be46272781ed5e0497ca7 |
|
26-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
krb5_auth: check if principal belongs to a different realm
Add a flag if the principal used for authentication does not belong
to our realm. This can be used to act differently for users from other
realms. |
fd8595874aa06c8057740001ec465ba76b4af142 |
|
14-Jun-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Add a credential cache back end structure
To be able to add support for new credential cache types easily, this
patch creates a new structure sss_krb5_cc_be that defines common
operations with a credential cache, such as create, check if used, or remove. |
7b14a9e64fd248103149eb1cb422ee752d91ba58 |
|
14-Jun-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Split parse_krb5_child_response so it can be reused
krb5-child-test will be another consumer. It also makes the code more
readable by splitting a huge function. |
87c07559af5cfcd2752295ef7c425bd3205f426f |
|
19-Dec-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Move child_common routines to util |
7d436b1bd6bcca29aa9874adc11bdfb862139cd8 |
|
20-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Serialize requests of the same user in the krb5 provider |
589dd0f6600515926e4e514442c62366db0a62b3 |
|
20-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Fixes for automatic ticket renewal
- do not recreate the ccache file when renewing the TGT
- use user principal name as hash key instead of ccfile name
- let krb5_child return Kerberos error codes |
f3f9ce8024d7610439d6c70ddafab1ab025cf8a8 |
|
03-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add support for automatic Kerberos ticket renewal |
b87233035e26cee919dcf46adaec29ba7fdaa51e |
|
04-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Make handle_child_* request public
I took the opportunity to move everything related to the handling of the
krb5_child into a separate file and cleaned the interfaces and related
structures a bit. |
fab9c6a75eaf09e4f5440f4bb530c26009b0ffc7 |
|
04-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Make krb5_setup() public |
1e29e68388c2e9c5da9cb0afe997bc1b4e6933be |
|
04-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Add infrastructure for Kerberos access provider |
f520e7a2f4fe29747f25118621e20b0d89d296fc |
|
14-Jun-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Remove krb5_changepw_principal option
Fixes: #531 |
6126d57239edc0ed0fac8082e00cd4a685c0566d |
|
27-May-2010 |
Sumit Bose <sbose@redhat.com> |
Add callback to remove krb5 info files when going offline |
c2caac87520c2f5a7db764d4827d1ad4cadcb696 |
|
26-May-2010 |
Sumit Bose <sbose@redhat.com> |
Fix handling of ccache file when going offline
The ccache file was removed too early if the system was offline but the
backend was not yet marked offline. Now we remove the ccache file
only if we successfully got a new one and it is not the same as the old
one. |
02e38eae1b9cb5df2036a707dafd86f6047c17de |
|
26-May-2010 |
Sumit Bose <sbose@redhat.com> |
Add support for delayed kinit if offline
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used. |
5f2593e24f565b202821329f1f9cb103241d80bb |
|
16-May-2010 |
Sumit Bose <sbose@redhat.com> |
Make Kerberos authentication a tevent_req
To allow other providers to include Kerberos authentication the main
part is put into a tevent request. |
5096bb4c2242b426aa6f5ea2cb82223e0b81a345 |
|
12-Mar-2010 |
Sumit Bose <sbose@redhat.com> |
Add krb5_kpasswd option |
29752834fbf3a19e4e117668abfce4e4c7c48ee4 |
|
11-Mar-2010 |
Sumit Bose <sbose@redhat.com> |
Add expandable sequences to krb5_ccachedir
As with krb5_ccname_template, sequences like %u can be used in the
krb5_ccachedir parameter; they are expanded at runtime. If the directory
does not exist, it will be created. Depending on the sequences used, it
is created as a public or private directory. |
953e07b7c43bc9bb7c7616180b1ba1730e22c59a |
|
19-Feb-2010 |
Sumit Bose <sbose@redhat.com> |
Remove unneeded items from struct pam_data |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |