effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher Stephen Gallagher <sgallagh@redhat.com>
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher Copyright (C) 2012 Red Hat
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher This program is free software; you can redistribute it and/or modify
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher it under the terms of the GNU General Public License as published by
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher the Free Software Foundation; either version 3 of the License, or
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher (at your option) any later version.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher This program is distributed in the hope that it will be useful,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher but WITHOUT ANY WARRANTY; without even the implied warranty of
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher GNU General Public License for more details.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher You should have received a copy of the GNU General Public License
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher along with this program. If not, see <http://www.gnu.org/licenses/>.
4c49edbd8df651b1737c59459637962c117212c6Michal Židekerrno_t ad_set_search_bases(struct sdap_options *id_opts,
44ba573582072823d8760d0f18e5b3195cecc182Jakub Hrozekstatic errno_t ad_set_sdap_options(struct ad_options *ad_opts,
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozekstatic struct sdap_options *
d2633d922eeed68f92be4248b9172b928c189920Jakub Hrozekad_create_default_sdap_options(TALLOC_CTX *mem_ctx,
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek id_opts = talloc_zero(mem_ctx, struct sdap_options);
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek /* Get sdap option maps */
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek /* General Attribute Map */
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek /* User map */
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek /* Group map */
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek /* Netgroup map */
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek /* Services map */
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek /* Fall back to the built-in defaults if there is no confdb */
d2633d922eeed68f92be4248b9172b928c189920Jakub Hrozek id_opts = ad_create_default_sdap_options(mem_ctx, dp);
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek "Failed to initialize default sdap options\n");
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek /* Nothing to do without cdb */
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek id_opts = talloc_zero(mem_ctx, struct sdap_options);
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek /* Get sdap option maps */
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek /* General Attribute Map */
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek /* User map */
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek ret = sdap_extend_map_with_list(id_opts, id_opts,
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek /* Group map */
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek /* Netgroup map */
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek /* Services map */
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek ad_options = talloc_zero(mem_ctx, struct ad_options);
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek /* Fall back to reading the built-in defaults only if no confdb
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek * is available */
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get basic AD options\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD LDAP options\n");
30dd3f3e063dded0ec9f58bc2535a94727d8e96dJakub Hrozekset_common_ad_trust_opts(struct ad_options *ad_options,
cc4caf88344210ea9777d618f0f71935ca5e7f8bSumit Bose const char *keytab)
30dd3f3e063dded0ec9f58bc2535a94727d8e96dJakub Hrozek ret = dp_opt_set_string(ad_options->basic, AD_KRB5_REALM, realm);
30dd3f3e063dded0ec9f58bc2535a94727d8e96dJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD krb5 realm\n");
30dd3f3e063dded0ec9f58bc2535a94727d8e96dJakub Hrozek ret = dp_opt_set_string(ad_options->basic, AD_DOMAIN, ad_domain);
30dd3f3e063dded0ec9f58bc2535a94727d8e96dJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD domain\n");
30dd3f3e063dded0ec9f58bc2535a94727d8e96dJakub Hrozek ret = dp_opt_set_string(ad_options->basic, AD_HOSTNAME, hostname);
30dd3f3e063dded0ec9f58bc2535a94727d8e96dJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD hostname\n");
cc4caf88344210ea9777d618f0f71935ca5e7f8bSumit Bose ret = dp_opt_set_string(ad_options->basic, AD_KEYTAB, keytab);
933314e53fac878d1a9b126af216454172cb945aJakub Hrozekad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
cc4caf88344210ea9777d618f0f71935ca5e7f8bSumit Bose const char *keytab)
b4ca0da4d8d70bcfbd4f809f3b3b094d43d64cfcMichal Židek DEBUG(SSSDBG_TRACE_FUNC, "2way trust is defined to domain '%s'\n",
d2633d922eeed68f92be4248b9172b928c189920Jakub Hrozek ad_options = ad_create_options(mem_ctx, cdb, conf_path, dp, subdom);
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n");
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek ret = set_common_ad_trust_opts(ad_options, realm, subdom->name, hostname,
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek DEBUG(SSSDBG_CRIT_FAILURE, "set_common_ad_trust_opts failed\n");
30dd3f3e063dded0ec9f58bc2535a94727d8e96dJakub Hrozek ret = ad_set_sdap_options(ad_options, ad_options->id);
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek DEBUG(SSSDBG_CRIT_FAILURE, "ad_set_sdap_options failed");
30dd3f3e063dded0ec9f58bc2535a94727d8e96dJakub Hrozekad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
b4ca0da4d8d70bcfbd4f809f3b3b094d43d64cfcMichal Židek DEBUG(SSSDBG_TRACE_FUNC, "1way trust is defined to domain '%s'\n",
d2633d922eeed68f92be4248b9172b928c189920Jakub Hrozek ad_options = ad_create_options(mem_ctx, cdb, subdom_conf_path, dp, subdom);
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n");
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek realm = get_uppercase_realm(ad_options, subdom->name);
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek DEBUG(SSSDBG_CRIT_FAILURE, "Failed to get uppercase realm\n");
30dd3f3e063dded0ec9f58bc2535a94727d8e96dJakub Hrozek ret = set_common_ad_trust_opts(ad_options, realm,
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek "set_common_ad_trust_opts failed [%d]: %s\n",
30dd3f3e063dded0ec9f58bc2535a94727d8e96dJakub Hrozek /* Set SDAP_SASL_AUTHID to the trust principal */
30dd3f3e063dded0ec9f58bc2535a94727d8e96dJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Cannot set SASL authid\n");
44ba573582072823d8760d0f18e5b3195cecc182Jakub Hrozek ret = ad_set_sdap_options(ad_options, ad_options->id);
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek DEBUG(SSSDBG_CRIT_FAILURE, "ad_set_sdap_options failed [%d]: %s\n",
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher opts = talloc_zero(mem_ctx, struct ad_options);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = dp_get_options(opts, cdb, conf_path,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* If the AD domain name wasn't explicitly set, assume that it
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher * matches the SSSD domain name
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher domain = dp_opt_get_string(opts->basic, AD_DOMAIN);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = dp_opt_set_string(opts->basic, AD_DOMAIN, dom->name);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Did we get an explicit server name, or are we discovering it? */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher server = dp_opt_get_string(opts->basic, AD_SERVER);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "No AD server set, will use service discovery!\n");
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Set the machine's hostname to the local host name if it
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher * wasn't explicitly specified.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher * NOTE(review): POSIX does not guarantee that gethostname() NUL-terminates
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher * a name it truncates to HOST_NAME_MAX; confirm the buffer is one byte
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher * larger and explicitly terminated before the value is stored below.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ad_hostname = dp_opt_get_string(opts->basic, AD_HOSTNAME);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher gret = gethostname(hostname, HOST_NAME_MAX);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "gethostname failed [%s].\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Setting ad_hostname to [%s].\n", hostname);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = dp_opt_set_string(opts->basic, AD_HOSTNAME, hostname);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Setting ad_hostname failed [%s].\n",
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Always use the upper-case AD domain for the kerberos realm */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = dp_opt_set_string(opts->basic, AD_KRB5_REALM, realm);
346f41f1ede975cb2db0af570f5b454b9b306704Stephen Gallagher /* Active Directory is always case-insensitive */
ff22e829fd73fc53027d1e6ca005a9ac334086ddMichal Zidek ret = confdb_get_string(cdb, mem_ctx, conf_path,
ff22e829fd73fc53027d1e6ca005a9ac334086ddMichal Zidek DEBUG(SSSDBG_CRIT_FAILURE, "condb_get_string failed.\n");
ff22e829fd73fc53027d1e6ca005a9ac334086ddMichal Zidek if (strcasecmp(case_sensitive_opt, "true") == 0) {
ff22e829fd73fc53027d1e6ca005a9ac334086ddMichal Zidek "Warning: AD domain can not be set as case-sensitive.\n");
ff22e829fd73fc53027d1e6ca005a9ac334086ddMichal Zidek } else if (strcasecmp(case_sensitive_opt, "false") == 0) {
ff22e829fd73fc53027d1e6ca005a9ac334086ddMichal Zidek } else if (strcasecmp(case_sensitive_opt, "preserving") == 0) {
ff22e829fd73fc53027d1e6ca005a9ac334086ddMichal Zidek "Invalid value for %s\n", CONFDB_DOMAIN_CASE_SENSITIVE);
5b4c6f22cb576a11037c7fa940fe0ba09e643e77Michal Zidek opt_override = dom->case_preserve ? "preserving" : "false";
346f41f1ede975cb2db0af570f5b454b9b306704Stephen Gallagher /* Set this in the confdb so that the responders pick it
346f41f1ede975cb2db0af570f5b454b9b306704Stephen Gallagher * up when they start up.
5b4c6f22cb576a11037c7fa940fe0ba09e643e77Michal Zidek ret = confdb_set_string(cdb, conf_path, "case_sensitive", opt_override);
5b4c6f22cb576a11037c7fa940fe0ba09e643e77Michal Zidek "Could not set domain option case_sensitive: [%s]\n",
5b4c6f22cb576a11037c7fa940fe0ba09e643e77Michal Zidek "Setting domain option case_sensitive to [%s]\n", opt_override);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagherad_resolve_callback(void *private_data, struct fo_server *server);
016e0d7202ff965018e41869c5ab501f86b0d081Jan Zeleny /* Split the server list */
04759b59e71c78ab23b84d13dd29d9c6dd680adbMichal Zidek ret = split_on_separator(tmp_ctx, servers, ',', true, true, &list, NULL);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse server list!\n");
e915f42093add45a11208e871c9abdf7ab2bfbdcJustin Stephenson for (j = 0; list[j]; j++) {
e915f42093add45a11208e871c9abdf7ab2bfbdcJustin Stephenson "ad_server [%s] is detected as IP address, "
e915f42093add45a11208e871c9abdf7ab2bfbdcJustin Stephenson "this can cause GSSAPI problems\n", list[j]);
016e0d7202ff965018e41869c5ab501f86b0d081Jan Zeleny /* Add each of these servers to the failover service */
016e0d7202ff965018e41869c5ab501f86b0d081Jan Zeleny for (i = 0; list[i]; i++) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Failed to add server [%s] to failover service: "
4a1e58d85409fbb7a12ac244c3dbef8c0c1b15dfMichal Zidek "SRV resolution only allowed for primary servers!\n",
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek sdata = talloc(service, struct ad_server_data);
59415636c92c6e9764ddc65a85ad61002310519dJakub Hrozek ret = be_fo_add_srv_server(bectx, fo_gc_service, "gc",
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595Lukas Slebodnik "Failed to add service discovery to failover: [%s]\n",
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek sdata = talloc(service, struct ad_server_data);
59415636c92c6e9764ddc65a85ad61002310519dJakub Hrozek ret = be_fo_add_srv_server(bectx, fo_service, "ldap",
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595Lukas Slebodnik "Failed to add service discovery to failover: [%s]\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CONF_SETTINGS, "Added service discovery for AD\n");
b096321a5a02dda0b6b71ba0f9c4d8feacd979e4Michal Zidek /* It could be an IPv6 address in square brackets. Remove
b096321a5a02dda0b6b71ba0f9c4d8feacd979e4Michal Zidek * the brackets if needed. */
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek sdata = talloc(service, struct ad_server_data);
9a9a813906472ffff3911b6006d023e1c6cbff8aSumit Bose ret = be_fo_add_server(bectx, fo_gc_service, list[i], 0, sdata, primary);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_FATAL_FAILURE, "Failed to add server\n");
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek sdata = talloc(service, struct ad_server_data);
59415636c92c6e9764ddc65a85ad61002310519dJakub Hrozek ret = be_fo_add_server(bectx, fo_service, list[i], 0, sdata, primary);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_FATAL_FAILURE, "Failed to add server\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CONF_SETTINGS, "Added failover server %s\n", list[i]);
113debb7297f0c02b5be0dd404badeef78841a83Lukas Slebodnikad_primary_servers_init(struct ad_service *service,
59415636c92c6e9764ddc65a85ad61002310519dJakub Hrozek const char *fo_service, const char *fo_gc_service,
113debb7297f0c02b5be0dd404badeef78841a83Lukas Slebodnik return _ad_servers_init(service, bectx, fo_service,
113debb7297f0c02b5be0dd404badeef78841a83Lukas Slebodnikad_backup_servers_init(struct ad_service *service,
59415636c92c6e9764ddc65a85ad61002310519dJakub Hrozek const char *fo_service, const char *fo_gc_service,
113debb7297f0c02b5be0dd404badeef78841a83Lukas Slebodnik return _ad_servers_init(service, bectx, fo_service,
9ab243b369ba317cc964080786dbcdebaf23d6beMichal Zidekstatic int ad_user_data_cmp(void *ud1, void *ud2)
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek sd1 = talloc_get_type(ud1, struct ad_server_data);
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek sd2 = talloc_get_type(ud2, struct ad_server_data);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_FUNC, "No user data\n");
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek struct ad_service *service = talloc_get_type(pvt, struct ad_service);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Invalid private pointer\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_FUNC, "The AD provider is online\n");
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagherad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher service = talloc_zero(tmp_ctx, struct ad_service);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher service->sdap = talloc_zero(service, struct sdap_service);
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek service->gc = talloc_zero(service, struct sdap_service);
59415636c92c6e9764ddc65a85ad61002310519dJakub Hrozek service->sdap->name = talloc_strdup(service->sdap, ad_service);
59415636c92c6e9764ddc65a85ad61002310519dJakub Hrozek service->gc->name = talloc_strdup(service->gc, ad_gc_service);
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek if (!service->sdap->name || !service->gc->name) {
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher service->krb5_service = talloc_zero(service, struct krb5_service);
59415636c92c6e9764ddc65a85ad61002310519dJakub Hrozek ret = be_fo_add_service(bectx, ad_service, ad_user_data_cmp);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create failover service!\n");
59415636c92c6e9764ddc65a85ad61002310519dJakub Hrozek ret = be_fo_add_service(bectx, ad_gc_service, ad_user_data_cmp);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create GC failover service!\n");
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek service->krb5_service->name = talloc_strdup(service->krb5_service,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher service->sdap->kinit_service_name = service->krb5_service->name;
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek service->gc->kinit_service_name = service->krb5_service->name;
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm set\n");
59415636c92c6e9764ddc65a85ad61002310519dJakub Hrozek talloc_strdup(service->krb5_service, krb5_realm);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "No primary servers defined, using service discovery\n");
113debb7297f0c02b5be0dd404badeef78841a83Lukas Slebodnik ret = ad_primary_servers_init(service, bectx,
113debb7297f0c02b5be0dd404badeef78841a83Lukas Slebodnik ret = ad_backup_servers_init(service, bectx,
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek ret = be_add_online_cb(bectx, bectx, ad_online_cb, service, NULL);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up AD online callback\n");
59415636c92c6e9764ddc65a85ad61002310519dJakub Hrozek ret = be_fo_service_add_callback(mem_ctx, bectx, ad_service,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Failed to add failover callback! [%s]\n", strerror(ret));
59415636c92c6e9764ddc65a85ad61002310519dJakub Hrozek ret = be_fo_service_add_callback(mem_ctx, bectx, ad_gc_service,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Failed to add failover callback! [%s]\n", strerror(ret));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher *_service = talloc_steal(mem_ctx, service);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagherad_resolve_callback(void *private_data, struct fo_server *server)
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n");
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek if (fo_is_srv_lookup(server) == false && sdata == NULL) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "No user data?\n");
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher service = talloc_get_type(private_data, struct ad_service);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "No hostent available for server (%s)\n",
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher address = resolv_get_string_address(tmp_ctx, srvaddr);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_string_address failed.\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Could not get server host name\n");
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek new_uri = talloc_asprintf(service->sdap, "ldap://%s", srv_name);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy URI\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CONF_SETTINGS, "Constructed uri '%s'\n", new_uri);
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n");
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* free old one and replace with new one */
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek service->sdap->sockaddr = talloc_steal(service->sdap, sockaddr);
3a3fd60043234038c6ff6584a5b92fb757c4afe1Lukas Slebodnik new_port = (new_port == 0) ? AD_GC_PORT : new_port;
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek service->gc->uri = talloc_asprintf(service->gc, "%s:%d",
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek service->gc->sockaddr = resolv_get_sockaddr_address(service->gc,
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek /* Make sure there is always a URI, even if we know that this
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek * server doesn't support GC. That way the lookup still goes through
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek * and simply returns nothing
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek service->gc->uri = talloc_strdup(service->gc, service->sdap->uri);
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek service->gc->sockaddr = talloc_memdup(service->gc, service->sdap->sockaddr,
55d80b1301fe969fb4ba2b9481027887b9462dbbJakub Hrozek sizeof(struct sockaddr_storage));
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Failed to append to URI\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CONF_SETTINGS, "Constructed GC uri '%s'\n", service->gc->uri);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "resolv_get_sockaddr_address failed.\n");
ba95f1c434b430f0db7fddbd865af10488ecab17Jakub Hrozek /* Only write kdcinfo files for local servers */
14452cd066b51e32ca0ebad6c45ae909a1debe57Jakub Hrozek /* Write krb5 info files */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "sss_escape_ip_address failed.\n");
14452cd066b51e32ca0ebad6c45ae909a1debe57Jakub Hrozek ret = write_krb5info_file(service->krb5_service->realm, safe_address,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "write_krb5info_file failed, authentication might fail.\n");
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* We only support Kerberos password policy with AD, so
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher * force that on.
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_FATAL_FAILURE, "Could not set password policy\n");
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Set the Kerberos Realm for GSSAPI */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Should be impossible, this is set in ad_get_common_options() */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n");
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_REALM, krb5_realm);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Option %s set to %s\n",
4e2d9fe30bf8b692972a9654c60d2d90ed355815Stephen Gallagher keytab_path = dp_opt_get_string(ad_opts->basic, AD_KEYTAB);
4e2d9fe30bf8b692972a9654c60d2d90ed355815Stephen Gallagher ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_KEYTAB,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Option %s set to %s\n",
4e2d9fe30bf8b692972a9654c60d2d90ed355815Stephen Gallagher id_opts->basic[SDAP_KRB5_KEYTAB].opt_name,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Cannot set the SASL-related options\n");
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* fix schema to AD */
d2633d922eeed68f92be4248b9172b928c189920Jakub Hrozek ret = ad_create_sdap_options(ad_opts, cdb, conf_path, dp, &id_opts);
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek /* Set up search bases if they were assigned explicitly */
03b859510dc13a13a456ca4aa94c0561a0e9684cJakub Hrozekad_get_autofs_options(struct ad_options *ad_opts,
03b859510dc13a13a456ca4aa94c0561a0e9684cJakub Hrozek /* autofs maps */
4c49edbd8df651b1737c59459637962c117212c6Michal Židekad_set_search_bases(struct sdap_options *id_opts,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher const int search_base_options[] = { SDAP_USER_SEARCH_BASE,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* AD servers provide defaultNamingContext, so we will
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher * rely on that to specify the search base unless it has
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher * been specifically overridden.
4c49edbd8df651b1737c59459637962c117212c6Michal Židek /* If no specific sdom was given, use the first in the list. */
4c49edbd8df651b1737c59459637962c117212c6Michal Židek if (has_default == false) {
4c49edbd8df651b1737c59459637962c117212c6Michal Židek dp_opt_get_string(id_opts->basic, SDAP_SEARCH_BASE);
4c49edbd8df651b1737c59459637962c117212c6Michal Židek if (default_search_base && has_default == false) {
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* set search bases if they are not */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher for (o = 0; search_base_options[o] != -1; o++) {
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher if (NULL == dp_opt_get_string(id_opts->basic,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Option %s set to %s\n",
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher id_opts->basic[search_base_options[o]].opt_name,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Search base not set. SSSD will attempt to discover it later, "
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "when connecting to the LDAP server.\n");
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Default search */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = sdap_parse_search_base(id_opts, id_opts->basic,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* User search */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = sdap_parse_search_base(id_opts, id_opts->basic,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Group search base */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = sdap_parse_search_base(id_opts, id_opts->basic,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Netgroup search */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = sdap_parse_search_base(id_opts, id_opts->basic,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Service search */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = sdap_parse_search_base(id_opts, id_opts->basic,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher /* Get krb5 options */
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher ret = dp_get_options(tmp_ctx, bectx->cdb, bectx->conf_path,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not read Kerberos options from the configuration\n");
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher ad_servers = dp_opt_get_string(ad_opts->basic, AD_SERVER);
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher /* Force the krb5_servers to match the ad_servers */
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher ret = dp_opt_set_string(krb5_options, KRB5_KDC, ad_servers);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Option %s set to %s\n",
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher /* Set krb5 realm */
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher /* Set the Kerberos Realm for GSSAPI */
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher /* Should be impossible, this is set in ad_get_common_options() */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n");
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher /* Force the Kerberos realm to match AD_KRB5_REALM (which may have
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher * been upper-cased in ad_get_common_options())
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Option %s set to %s\n",
14452cd066b51e32ca0ebad6c45ae909a1debe57Jakub Hrozek /* Set flag that controls whether we want to write the
14452cd066b51e32ca0ebad6c45ae909a1debe57Jakub Hrozek * kdcinfo files at all
14452cd066b51e32ca0ebad6c45ae909a1debe57Jakub Hrozek ad_opts->service->krb5_service->write_kdcinfo = \
14452cd066b51e32ca0ebad6c45ae909a1debe57Jakub Hrozek dp_opt_get_bool(krb5_options, KRB5_USE_KDCINFO);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov ad_opts->service->krb5_service->write_kdcinfo ? "true" : "false");
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher *_opts = talloc_steal(mem_ctx, krb5_options);
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozekerrno_t ad_get_dyndns_options(struct be_ctx *be_ctx,
3bd78eb2faf09635b8d307e4440ccb1420f80716Jakub Hrozek ret = be_nsupdate_init(ad_opts, be_ctx, ad_dyndns_opts,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Cannot initialize AD dyndns opts [%d]: %s\n",
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozekad_id_ctx_init(struct ad_options *ad_opts, struct be_ctx *bectx)
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek ad_ctx = talloc_zero(ad_opts, struct ad_id_ctx);
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek sdap_ctx = sdap_id_ctx_new(ad_ctx, bectx, ad_opts->service->sdap);
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek ad_ctx->gc_ctx = sdap_id_ctx_conn_add(sdap_ctx, ad_opts->service->gc);
72ae534f5aef6d2e5d3f2f51299aede5abf9687eJakub Hrozekad_get_dom_ldap_conn(struct ad_id_ctx *ad_ctx, struct sss_domain_info *dom)
e2bd4f8a41b72aea0712ad21ad02ccebb707f536Stephen Gallagher sdom = sdap_domain_get(ad_ctx->sdap_id_ctx->opts, dom);
e2bd4f8a41b72aea0712ad21ad02ccebb707f536Stephen Gallagher DEBUG(SSSDBG_CRIT_FAILURE, "No ID ctx available for [%s].\n",
e2bd4f8a41b72aea0712ad21ad02ccebb707f536Stephen Gallagher subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
309aa83d16b5919f727af04850bcd0799ba0962fJakub Hrozek if (IS_SUBDOMAIN(sdom->dom) == true && conn != NULL) {
309aa83d16b5919f727af04850bcd0799ba0962fJakub Hrozek /* Regardless of connection types, a subdomain error must not be
309aa83d16b5919f727af04850bcd0799ba0962fJakub Hrozek * allowed to set the whole back end offline, rather report an error
309aa83d16b5919f727af04850bcd0799ba0962fJakub Hrozek * and let the caller deal with it (normally disable the subdomain
72ae534f5aef6d2e5d3f2f51299aede5abf9687eJakub Hrozekad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
72ae534f5aef6d2e5d3f2f51299aede5abf9687eJakub Hrozek clist = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 3);
72ae534f5aef6d2e5d3f2f51299aede5abf9687eJakub Hrozek /* Always try GC first */
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)) {
266110fa0f6eb086f8f88787bb167cea416fe108Jakub Hrozek clist[cindex] = ad_get_dom_ldap_conn(ad_ctx, dom);
309aa83d16b5919f727af04850bcd0799ba0962fJakub Hrozek clist = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 2);
e6ad16e05f42a1678a8c6cd14eb54ca75b8d775eSumit Bose clist = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 3);
afb21fd06690a0bec288a7970abf74ed2ea7dfdcJakub Hrozek /* Try GC first for users from trusted domains, but go to LDAP
afb21fd06690a0bec288a7970abf74ed2ea7dfdcJakub Hrozek * for users from non-trusted domains to get all POSIX attrs
afb21fd06690a0bec288a7970abf74ed2ea7dfdcJakub Hrozek if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)
afb21fd06690a0bec288a7970abf74ed2ea7dfdcJakub Hrozek /* Users from primary domain can be just downloaded from LDAP.
afb21fd06690a0bec288a7970abf74ed2ea7dfdcJakub Hrozek * The domain's LDAP connection also works as a fallback