ipa_subdomains.c revision c5711b0279ea85d69fe3c77dfb194360c346e1d7
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose IPA Subdomains Module
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose Sumit Bose <sbose@redhat.com>
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose Copyright (C) 2011 Red Hat
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose This program is free software; you can redistribute it and/or modify
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose it under the terms of the GNU General Public License as published by
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose the Free Software Foundation; either version 3 of the License, or
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose (at your option) any later version.
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose This program is distributed in the hope that it will be useful,
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose but WITHOUT ANY WARRANTY; without even the implied warranty of
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose GNU General Public License for more details.
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose You should have received a copy of the GNU General Public License
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose along with this program. If not, see <http://www.gnu.org/licenses/>.
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose#define SUBDOMAINS_FILTER "objectclass=ipaNTTrustedDomain"
84c611c1b7c04cc7735ab54d4e5f48284b79e6fbJan Zeleny#define MASTER_DOMAIN_FILTER "objectclass=ipaNTDomainAttrs"
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose#define IPA_TRUSTED_DOMAIN_SID "ipaNTTrustedDomainSID"
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose#define IPA_SECONDARY_BASE_RID "ipaSecondaryBaseRID"
4c20fe34346919cf676c3e1b54b7701069e2aac6Simo Sorce/* do not refresh more often than every 5 seconds for now */
3b533d57a737e2de1b3e85b073b14d3bfb49dafcSimo Sorce/* refresh automatically every 4 hours */
84c611c1b7c04cc7735ab54d4e5f48284b79e6fbJan Zeleny const char *filter;
b1829e54acbc8a010aca7f14b9ffa9625f8c102cSumit Bosestruct be_ctx *ipa_get_subdomains_be_ctx(struct be_ctx *be_ctx)
b1829e54acbc8a010aca7f14b9ffa9625f8c102cSumit Bose subdom_ctx = talloc_get_type(be_ctx->bet_info[BET_SUBDOMAINS].pvt_bet_data,
b1829e54acbc8a010aca7f14b9ffa9625f8c102cSumit Bose DEBUG(SSSDBG_TRACE_ALL, ("Subdomains are not configured.\n"));
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek ad_options = ad_create_default_options(id_ctx, id_ctx->server_mode->realm,
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, ("Cannot initialize AD options\n"));
de307ab8e390deabc5df9884a3f762bfb1581936Jakub Hrozek ret = dp_opt_set_string(ad_options->basic, AD_DOMAIN, ad_domain);
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, ("Cannot set AD domain\n"));
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek ret = dp_opt_set_string(ad_options->basic, AD_KRB5_REALM,
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, ("Cannot set AD realm\n"));
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek gc_service_name = talloc_asprintf(ad_options, "%s%s", "gc_", subdom->name);
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek /* Set KRB5 realm to same as the one of IPA when IPA
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek * is able to attach PAC. For testing, use hardcoded. */
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek ret = ad_failover_init(ad_options, be_ctx, NULL, NULL,
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, ("Cannot initialize AD failover\n"));
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek ad_id_ctx = ad_id_ctx_init(ad_options, be_ctx);
de307ab8e390deabc5df9884a3f762bfb1581936Jakub Hrozek /* use AD plugin */
de307ab8e390deabc5df9884a3f762bfb1581936Jakub Hrozek srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx->be_res,
de307ab8e390deabc5df9884a3f762bfb1581936Jakub Hrozek DEBUG(SSSDBG_FATAL_FAILURE, ("Out of memory?\n"));
de307ab8e390deabc5df9884a3f762bfb1581936Jakub Hrozek be_fo_set_srv_lookup_plugin(be_ctx, ad_srv_plugin_send,
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek ret = sdap_domain_subdom_add(ad_id_ctx->sdap_id_ctx,
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, ("Cannot initialize sdap domain\n"));
31dd31b00ad759f256282ef0f7054e60672161ceJakub Hrozek sdom = sdap_domain_get(ad_id_ctx->sdap_id_ctx->opts, subdom);
31dd31b00ad759f256282ef0f7054e60672161ceJakub Hrozek ret = sdap_id_setup_tasks(ad_id_ctx->sdap_id_ctx,
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek /* Set up the ID mapping object */
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek ret = ipa_ad_ctx_new(be_ctx, id_ctx, subdom, &ad_id_ctx);
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek ("Cannot create ad_id_ctx for subdomain %s\n", subdom->name));
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek trust_ctx = talloc(id_ctx->server_mode, struct ipa_ad_server_ctx);
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek DLIST_ADD(id_ctx->server_mode->trusts, trust_ctx);
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek if (dp_opt_get_bool(id_ctx->ipa_options->basic,
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek /* Check if we already have an ID context for this subdomain */
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek DLIST_FOR_EACH(trust_iter, id_ctx->server_mode->trusts) {
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek /* Newly detected trust */
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek ret = ipa_server_trust_add(be_ctx, id_ctx, dom);
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek ("Cannot create ad_id_ctx for subdomain %s\n",
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozekipa_ad_subdom_remove(struct ipa_subdomains_ctx *ctx,
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek if (dp_opt_get_bool(ctx->id_ctx->ipa_options->basic,
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek DLIST_FOR_EACH(iter, ctx->id_ctx->server_mode->trusts) {
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, ("No IPA-AD context for subdomain %s\n",
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek sdap_domain_remove(iter->ad_id_ctx->sdap_id_ctx->opts, subdom);
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek DLIST_REMOVE(ctx->id_ctx->server_mode->trusts, iter);
31dd31b00ad759f256282ef0f7054e60672161ceJakub Hrozek sdom = sdap_domain_get(iter->ad_id_ctx->sdap_id_ctx->opts, subdom);
70eaade10feedd7845e39170d0b7eebf3a030af1Sumit Boseconst char *get_flat_name_from_subdomain_name(struct be_ctx *be_ctx,
70eaade10feedd7845e39170d0b7eebf3a030af1Sumit Bose const char *name)
70eaade10feedd7845e39170d0b7eebf3a030af1Sumit Bose ctx = talloc_get_type(be_ctx->bet_info[BET_SUBDOMAINS].pvt_bet_data,
70eaade10feedd7845e39170d0b7eebf3a030af1Sumit Bose DEBUG(SSSDBG_TRACE_ALL, ("Subdomains are not configured.\n"));
bba1a5fd62cffcae076d1351df5a83fbc4a6ec17Simo Sorce dom = find_subdomain_by_name(ctx->be_ctx->domain, name, true);
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bosestatic errno_t ipa_ranges_parse_results(TALLOC_CTX *mem_ctx,
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose const char *value;
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose range_list = talloc_array(mem_ctx, struct range_info *, count + 1);
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("talloc_array failed.\n"));
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose for (c = 0; c < count; c++) {
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose range_list[c] = talloc_zero(range_list, struct range_info);
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("talloc_zero failed.\n"));
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose ret = sysdb_attrs_get_string(reply[c], IPA_CN, &value);
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose range_list[c]->name = talloc_strdup(range_list[c], value);
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose ret = sysdb_attrs_get_string(reply[c], IPA_TRUSTED_DOMAIN_SID, &value);
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose range_list[c]->trusted_dom_sid = talloc_strdup(range_list[c],
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose ret = sysdb_attrs_get_uint32_t(reply[c], IPA_BASE_ID,
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose ret = sysdb_attrs_get_uint32_t(reply[c], IPA_ID_RANGE_SIZE,
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose ret = sysdb_attrs_get_uint32_t(reply[c], IPA_BASE_RID,
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose ret = sysdb_attrs_get_uint32_t(reply[c], IPA_SECONDARY_BASE_RID,
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
5e60c73cb91d1659755fb5ea829837db68d46163Sumit Bose ret = sysdb_attrs_get_string(reply[c], IPA_RANGE_TYPE, &value);
5e60c73cb91d1659755fb5ea829837db68d46163Sumit Bose range_list[c]->range_type = talloc_strdup(range_list[c], value);
5e60c73cb91d1659755fb5ea829837db68d46163Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
5e60c73cb91d1659755fb5ea829837db68d46163Sumit Bose /* Older IPA servers might not have the range_type attribute, but
5e60c73cb91d1659755fb5ea829837db68d46163Sumit Bose * only support local ranges and trusts with algorithmic mapping. */
5e60c73cb91d1659755fb5ea829837db68d46163Sumit Bose range_list[c]->range_type = talloc_strdup(range_list[c],
5e60c73cb91d1659755fb5ea829837db68d46163Sumit Bose range_list[c]->range_type = talloc_strdup(range_list[c],
5e60c73cb91d1659755fb5ea829837db68d46163Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
5e60c73cb91d1659755fb5ea829837db68d46163Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
31dd31b00ad759f256282ef0f7054e60672161ceJakub Hrozekstatic errno_t ipa_subdom_enumerates(struct sss_domain_info *parent,
31dd31b00ad759f256282ef0f7054e60672161ceJakub Hrozek const char *name;
31dd31b00ad759f256282ef0f7054e60672161ceJakub Hrozek ret = sysdb_attrs_get_string(attrs, IPA_CN, &name);
31dd31b00ad759f256282ef0f7054e60672161ceJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
31dd31b00ad759f256282ef0f7054e60672161ceJakub Hrozek *_enumerates = subdomain_enumerates(parent, name);
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bosestatic errno_t ipa_subdom_get_forest(TALLOC_CTX *mem_ctx,
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose ret = sysdb_attrs_get_string(attrs, SYSDB_ORIG_DN, &orig_dn);
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose DEBUG(SSSDBG_TRACE_ALL, ("Checking if we need the forest name for [%s].\n",
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("ldb_dn_new failed.\n"));
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("Original DN [%s] is not a valid DN.\n",
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose /* We are only interested in the member domain objects. In IPA the
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose * forest root object is stored as e.g.
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose * cn=AD.DOM,cn=ad,cn=trusts,dc=example,dc=com. Member domains in the
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose * forest are children of the forest root object e.g.
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose * cn=SUB.AD.DOM,cn=AD.DOM,cn=ad,cn=trusts,dc=example,dc=com. Since
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose * the forest name is not stored in the member objects we derive it
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose * from the RDN of the forest root object. */
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose if (strncasecmp("trusts", (const char *) val->data, val->length) != 0) {
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose ("4th component is not 'trust', nothing to do.\n"));
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose if (strncasecmp("ad", (const char *) val->data, val->length) != 0) {
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose ("3rd component is not 'ad', nothing to do.\n"));
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose forest = talloc_strndup(mem_ctx, (const char *) val->data, val->length);
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("talloc_strndup failed.\n"));
31dd31b00ad759f256282ef0f7054e60672161ceJakub Hrozekstatic errno_t ipa_subdom_store(struct sss_domain_info *parent,
bba1a5fd62cffcae076d1351df5a83fbc4a6ec17Simo Sorce const char *name;
bba1a5fd62cffcae076d1351df5a83fbc4a6ec17Simo Sorce const char *flat;
bba1a5fd62cffcae076d1351df5a83fbc4a6ec17Simo Sorce const char *id;
bba1a5fd62cffcae076d1351df5a83fbc4a6ec17Simo Sorce ret = sysdb_attrs_get_string(attrs, IPA_CN, &name);
efea50efda58be66638e5d38c8e57fdf9992f204Simo Sorce DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
bba1a5fd62cffcae076d1351df5a83fbc4a6ec17Simo Sorce ret = sysdb_attrs_get_string(attrs, IPA_FLATNAME, &flat);
efea50efda58be66638e5d38c8e57fdf9992f204Simo Sorce DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
bba1a5fd62cffcae076d1351df5a83fbc4a6ec17Simo Sorce ret = sysdb_attrs_get_string(attrs, IPA_TRUSTED_DOMAIN_SID, &id);
efea50efda58be66638e5d38c8e57fdf9992f204Simo Sorce DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
09d7c105839bfc7447ea0f766413ed86675ca075Sumit Bose mpg = sdap_idmap_domain_has_algorithmic_mapping(sdap_idmap_ctx, id);
c5711b0279ea85d69fe3c77dfb194360c346e1d7Sumit Bose ret = ipa_subdom_get_forest(tmp_ctx, sysdb_ctx_get_ldb(parent->sysdb),
31dd31b00ad759f256282ef0f7054e60672161ceJakub Hrozek ret = sysdb_subdomain_store(parent->sysdb, name, realm, flat,
bba1a5fd62cffcae076d1351df5a83fbc4a6ec17Simo Sorce DEBUG(SSSDBG_OP_FAILURE, ("sysdb_subdomain_store failed.\n"));
efea50efda58be66638e5d38c8e57fdf9992f204Simo Sorcestatic errno_t ipa_subdomains_refresh(struct ipa_subdomains_ctx *ctx,
efea50efda58be66638e5d38c8e57fdf9992f204Simo Sorce const char *value;
95e94691178297f2b8225a83d43ae388cab04b45Simo Sorce /* check existing subdomains */
4f118e3e6a25762f40a43e6dbefb09f44adbef32Simo Sorce dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
efea50efda58be66638e5d38c8e57fdf9992f204Simo Sorce for (c = 0; c < count; c++) {
efea50efda58be66638e5d38c8e57fdf9992f204Simo Sorce ret = sysdb_attrs_get_string(reply[c], IPA_CN, &value);
efea50efda58be66638e5d38c8e57fdf9992f204Simo Sorce DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
efea50efda58be66638e5d38c8e57fdf9992f204Simo Sorce /* ok this subdomain does not exist anymore, let's clean up */
bba1a5fd62cffcae076d1351df5a83fbc4a6ec17Simo Sorce ret = sysdb_subdomain_delete(dom->sysdb, dom->name);
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek /* Remove the AD ID ctx from the list of LDAP domains */
efea50efda58be66638e5d38c8e57fdf9992f204Simo Sorce /* ok let's try to update it */
31dd31b00ad759f256282ef0f7054e60672161ceJakub Hrozek ret = ipa_subdom_enumerates(parent, reply[c], &enumerate);
31dd31b00ad759f256282ef0f7054e60672161ceJakub Hrozek ret = ipa_subdom_store(parent, ctx->sdap_id_ctx->opts->idmap_ctx,
0fcdef99980260d2da308c2c26861492ab983e3dJakub Hrozek /* Nothing we can do about the errorr. Let's at least try
0fcdef99980260d2da308c2c26861492ab983e3dJakub Hrozek * to reuse the existing domain
0fcdef99980260d2da308c2c26861492ab983e3dJakub Hrozek DEBUG(SSSDBG_MINOR_FAILURE, ("Failed to parse subdom data, "
0fcdef99980260d2da308c2c26861492ab983e3dJakub Hrozek "will try to use cached subdomain\n"));
efea50efda58be66638e5d38c8e57fdf9992f204Simo Sorce /* all domains were already accounted for and have been updated */
efea50efda58be66638e5d38c8e57fdf9992f204Simo Sorce /* if we get here it means we have changes to the subdomains list */
efea50efda58be66638e5d38c8e57fdf9992f204Simo Sorce for (c = 0; c < count; c++) {
0fcdef99980260d2da308c2c26861492ab983e3dJakub Hrozek /* Nothing we can do about the errorr. Let's at least try
0fcdef99980260d2da308c2c26861492ab983e3dJakub Hrozek * to reuse the existing domain.
31dd31b00ad759f256282ef0f7054e60672161ceJakub Hrozek ret = ipa_subdom_enumerates(parent, reply[c], &enumerate);
31dd31b00ad759f256282ef0f7054e60672161ceJakub Hrozek ret = ipa_subdom_store(parent, ctx->sdap_id_ctx->opts->idmap_ctx,
0fcdef99980260d2da308c2c26861492ab983e3dJakub Hrozek DEBUG(SSSDBG_MINOR_FAILURE, ("Failed to parse subdom data, "
0fcdef99980260d2da308c2c26861492ab983e3dJakub Hrozek "will try to use cached subdomain\n"));
81165faf5d951aca69f410713730c26ff048ec44Sumit Bosestatic void ipa_subdomains_get_conn_done(struct tevent_req *req);
84c611c1b7c04cc7735ab54d4e5f48284b79e6fbJan Zelenyipa_subdomains_handler_get(struct ipa_subdomains_req_ctx *ctx,
81165faf5d951aca69f410713730c26ff048ec44Sumit Bosestatic void ipa_subdomains_handler_done(struct tevent_req *req);
84c611c1b7c04cc7735ab54d4e5f48284b79e6fbJan Zelenystatic void ipa_subdomains_handler_master_done(struct tevent_req *req);
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bosestatic void ipa_subdomains_handler_ranges_done(struct tevent_req *req);
84c611c1b7c04cc7735ab54d4e5f48284b79e6fbJan Zelenystatic struct ipa_subdomains_req_params subdomain_requests[] = {
5ea449b18d2597f2581627de80bcaf2bc70b0fd3Simo Sorce { IPA_CN, IPA_FLATNAME, IPA_TRUSTED_DOMAIN_SID, NULL }
5ea449b18d2597f2581627de80bcaf2bc70b0fd3Simo Sorce IPA_BASE_ID, IPA_BASE_RID, IPA_SECONDARY_BASE_RID,
5e60c73cb91d1659755fb5ea829837db68d46163Sumit Bose IPA_ID_RANGE_SIZE, IPA_TRUSTED_DOMAIN_SID, IPA_RANGE_TYPE, NULL
6a81cb8c3424dbe9f764af3738299cbbe5874a15Simo Sorcestatic void ipa_subdomains_retrieve(struct ipa_subdomains_ctx *ctx, struct be_req *be_req)
4c20fe34346919cf676c3e1b54b7701069e2aac6Simo Sorce req_ctx = talloc(be_req, struct ipa_subdomains_req_ctx);
20ccfd63a17dc15dd24e6543424d86913d511c4bSumit Bose req_ctx->search_bases = ctx->ranges_search_bases;
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("sdap_id_op_create failed.\n"));
4c20fe34346919cf676c3e1b54b7701069e2aac6Simo Sorce req = sdap_id_op_connect_send(req_ctx->sdap_op, req_ctx, &ret);
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("sdap_id_op_connect_send failed: %d(%s).\n",
4c20fe34346919cf676c3e1b54b7701069e2aac6Simo Sorce tevent_req_set_callback(req, ipa_subdomains_get_conn_done, req_ctx);
81165faf5d951aca69f410713730c26ff048ec44Sumit Bosestatic void ipa_subdomains_get_conn_done(struct tevent_req *req)
21f19d573047e70ee8ec0119ec00c1ed1af9ec04Simo Sorce ctx = tevent_req_callback_data(req, struct ipa_subdomains_req_ctx);
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose ("No IPA server is available, cannot get the "
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose "subdomain list while offline\n"));
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose/* FIXME: return saved results ?? */
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose ("Failed to connect to IPA server: [%d](%s)\n",
20ccfd63a17dc15dd24e6543424d86913d511c4bSumit Bose ret = ipa_subdomains_handler_get(ctx, IPA_SUBDOMAINS_RANGES);
8e5549e453558d4bebdec333a93e215d5d6ffaecSimo Sorce be_req_terminate(ctx->be_req, dp_error, ret, NULL);
84c611c1b7c04cc7735ab54d4e5f48284b79e6fbJan Zelenyipa_subdomains_handler_get(struct ipa_subdomains_req_ctx *ctx,
21f19d573047e70ee8ec0119ec00c1ed1af9ec04Simo Sorce ctx->current_filter = sdap_get_id_specific_filter(ctx, params->filter,
6a81cb8c3424dbe9f764af3738299cbbe5874a15Simo Sorce req = sdap_get_generic_send(ctx, ctx->sd_ctx->be_ctx->ev,
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose dp_opt_get_int(ctx->sd_ctx->sdap_id_ctx->opts->basic,
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("sdap_get_generic_send failed.\n"));
81165faf5d951aca69f410713730c26ff048ec44Sumit Bosestatic void ipa_subdomains_handler_done(struct tevent_req *req)
21f19d573047e70ee8ec0119ec00c1ed1af9ec04Simo Sorce ctx = tevent_req_callback_data(req, struct ipa_subdomains_req_ctx);
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose ret = sdap_get_generic_recv(req, ctx, &reply_count, &reply);
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("sdap_get_generic_send request failed.\n"));
81165faf5d951aca69f410713730c26ff048ec44Sumit Bose ctx->reply = talloc_realloc(ctx, ctx->reply, struct sysdb_attrs *,
84c611c1b7c04cc7735ab54d4e5f48284b79e6fbJan Zeleny ret = ipa_subdomains_handler_get(ctx, IPA_SUBDOMAINS_SLAVE);
efea50efda58be66638e5d38c8e57fdf9992f204Simo Sorce ret = ipa_subdomains_refresh(ctx->sd_ctx, ctx->reply_count, ctx->reply,
efea50efda58be66638e5d38c8e57fdf9992f204Simo Sorce DEBUG(SSSDBG_OP_FAILURE, ("Failed to refresh subdomains.\n"));
efea50efda58be66638e5d38c8e57fdf9992f204Simo Sorce DEBUG(SSSDBG_OP_FAILURE, ("sysdb_update_subdomains failed.\n"));
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek ret = ipa_ad_subdom_refresh(ctx->sd_ctx->be_ctx, ctx->sd_ctx->id_ctx,
418e6ccd116eced7ccc75aca999a4c37c67289baJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, ("ipa_ad_subdom_refresh failed.\n"));
58dd26b1c5b60ee992dd5d1214bb168aebb42d54Jakub Hrozek ("sss_krb5_write_mappings failed.\n"));
58dd26b1c5b60ee992dd5d1214bb168aebb42d54Jakub Hrozek /* Just continue */
20ccfd63a17dc15dd24e6543424d86913d511c4bSumit Bose ctx->search_bases = ctx->sd_ctx->master_search_bases;
20ccfd63a17dc15dd24e6543424d86913d511c4bSumit Bose ret = ipa_subdomains_handler_get(ctx, IPA_SUBDOMAINS_MASTER);
8e5549e453558d4bebdec333a93e215d5d6ffaecSimo Sorce be_req_terminate(ctx->be_req, DP_ERR_FATAL, ret, NULL);
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bosestatic void ipa_subdomains_handler_ranges_done(struct tevent_req *req)
21f19d573047e70ee8ec0119ec00c1ed1af9ec04Simo Sorce ctx = tevent_req_callback_data(req, struct ipa_subdomains_req_ctx);
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose ret = sdap_get_generic_recv(req, ctx, &reply_count, &reply);
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("sdap_get_generic_send request failed.\n"));
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose ret = ipa_ranges_parse_results(ctx, reply_count, reply, &range_list);
21f19d573047e70ee8ec0119ec00c1ed1af9ec04Simo Sorce ("ipa_ranges_parse_results request failed.\n"));
386a66b1aa18a176e6a06fa126556c9590c373b6Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("sysdb_update_ranges failed.\n"));
20ccfd63a17dc15dd24e6543424d86913d511c4bSumit Bose ret = ipa_subdomains_handler_get(ctx, IPA_SUBDOMAINS_SLAVE);
20ccfd63a17dc15dd24e6543424d86913d511c4bSumit Bose DEBUG(SSSDBG_OP_FAILURE, ("No search base for ranges available.\n"));
8e5549e453558d4bebdec333a93e215d5d6ffaecSimo Sorce be_req_terminate(ctx->be_req, dp_error, ret, NULL);
84c611c1b7c04cc7735ab54d4e5f48284b79e6fbJan Zelenystatic void ipa_subdomains_handler_master_done(struct tevent_req *req)
21f19d573047e70ee8ec0119ec00c1ed1af9ec04Simo Sorce ctx = tevent_req_callback_data(req, struct ipa_subdomains_req_ctx);
84c611c1b7c04cc7735ab54d4e5f48284b79e6fbJan Zeleny ret = sdap_get_generic_recv(req, ctx, &reply_count, &reply);
84c611c1b7c04cc7735ab54d4e5f48284b79e6fbJan Zeleny DEBUG(SSSDBG_OP_FAILURE, ("sdap_get_generic_send request failed.\n"));
3912262270a6449ebe1d3e92c27c217b4044f894Simo Sorce ret = sysdb_attrs_get_string(reply[0], IPA_FLATNAME, &flat);
3912262270a6449ebe1d3e92c27c217b4044f894Simo Sorce ret = sysdb_attrs_get_string(reply[0], IPA_SID, &id);
3912262270a6449ebe1d3e92c27c217b4044f894Simo Sorce ret = sysdb_master_domain_add_info(ctx->sd_ctx->be_ctx->domain,
84c611c1b7c04cc7735ab54d4e5f48284b79e6fbJan Zeleny ret = ipa_subdomains_handler_get(ctx, IPA_SUBDOMAINS_MASTER);
84c611c1b7c04cc7735ab54d4e5f48284b79e6fbJan Zeleny /* Right now we know there has been an error
84c611c1b7c04cc7735ab54d4e5f48284b79e6fbJan Zeleny * and we don't have the master domain record
84c611c1b7c04cc7735ab54d4e5f48284b79e6fbJan Zeleny DEBUG(SSSDBG_CRIT_FAILURE, ("Master domain record not found!\n"));
8e5549e453558d4bebdec333a93e215d5d6ffaecSimo Sorce be_req_terminate(ctx->be_req, dp_error, ret, NULL);
3b533d57a737e2de1b3e85b073b14d3bfb49dafcSimo Sorcestatic void ipa_subdom_timer_refresh(struct tevent_context *ev,
d6d8287a9b8a240e068a26769dc6ce4582604850Simo Sorcestatic void ipa_subdom_be_req_callback(struct be_req *be_req,
d6d8287a9b8a240e068a26769dc6ce4582604850Simo Sorce const char *errstr)
6a81cb8c3424dbe9f764af3738299cbbe5874a15Simo Sorce ctx = talloc_get_type(pvt, struct ipa_subdomains_ctx);
3b533d57a737e2de1b3e85b073b14d3bfb49dafcSimo Sorce DEBUG(SSSDBG_CRIT_FAILURE, ("Bad private pointer\n"));
44af0057c1fd52f6252f82ca73a06acfcac6c5e3Michal Zidek DEBUG(SSSDBG_CRIT_FAILURE, ("be_req_create() failed.\n"));
3b533d57a737e2de1b3e85b073b14d3bfb49dafcSimo Sorce tv = tevent_timeval_current_ofs(IPA_SUBDOMAIN_REFRESH_PERIOD, 0);
3b533d57a737e2de1b3e85b073b14d3bfb49dafcSimo Sorce ctx->timer_event = tevent_add_timer(ctx->be_ctx->ev, ctx, tv,
3b533d57a737e2de1b3e85b073b14d3bfb49dafcSimo Sorce DEBUG(SSSDBG_MINOR_FAILURE, ("Failed to add subdom timer event\n"));
3b533d57a737e2de1b3e85b073b14d3bfb49dafcSimo Sorce ctx = talloc_get_type(pvt, struct ipa_subdomains_ctx);
5063dcc5ab685dce325b13b9c1e93cee2a673e60Sumit Bosestatic errno_t get_config_status(struct be_ctx *be_ctx,
5063dcc5ab685dce325b13b9c1e93cee2a673e60Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("talloc_new failed.\n"));
5063dcc5ab685dce325b13b9c1e93cee2a673e60Sumit Bose ret = confdb_get_string(be_ctx->cdb, tmp_ctx, be_ctx->conf_path,
5063dcc5ab685dce325b13b9c1e93cee2a673e60Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("confdb_get_string failed.\n"));
5063dcc5ab685dce325b13b9c1e93cee2a673e60Sumit Bose DEBUG(SSSDBG_TRACE_ALL, ("IPA subdomain provider is configured %s.\n",
5063dcc5ab685dce325b13b9c1e93cee2a673e60Sumit Bose *configured_explicit ? "explicit" : "implicit"));
6a81cb8c3424dbe9f764af3738299cbbe5874a15Simo Sorcevoid ipa_subdomains_handler(struct be_req *be_req)
03abdaa21ecf562b714f204ca42379ff08626f75Simo Sorce struct be_ctx *be_ctx = be_req_get_be_ctx(be_req);
03abdaa21ecf562b714f204ca42379ff08626f75Simo Sorce ctx = talloc_get_type(be_ctx->bet_info[BET_SUBDOMAINS].pvt_bet_data,
8e5549e453558d4bebdec333a93e215d5d6ffaecSimo Sorce be_req_terminate(be_req, DP_ERR_FATAL, EINVAL, NULL);
5063dcc5ab685dce325b13b9c1e93cee2a673e60Sumit Bose DEBUG(SSSDBG_TRACE_ALL, ("Subdomain provider disabled.\n"));
5063dcc5ab685dce325b13b9c1e93cee2a673e60Sumit Bose if (ctx->last_refreshed > now - IPA_SUBDOMAIN_REFRESH_LIMIT) {
5063dcc5ab685dce325b13b9c1e93cee2a673e60Sumit Bose ret = get_config_status(be_ctx, &configured_explicit);
5063dcc5ab685dce325b13b9c1e93cee2a673e60Sumit Bose DEBUG(SSSDBG_OP_FAILURE, ("get_config_status failed.\n"));
87ed72b47859e673b636c85f35b85f1546c7ed3dSimo Sorce ctx = talloc_zero(id_ctx, struct ipa_subdomains_ctx);
87ed72b47859e673b636c85f35b85f1546c7ed3dSimo Sorce DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n"));
87ed72b47859e673b636c85f35b85f1546c7ed3dSimo Sorce ctx->search_bases = id_ctx->ipa_options->subdomains_search_bases;
87ed72b47859e673b636c85f35b85f1546c7ed3dSimo Sorce ctx->master_search_bases = id_ctx->ipa_options->master_domain_search_bases;
87ed72b47859e673b636c85f35b85f1546c7ed3dSimo Sorce ctx->ranges_search_bases = id_ctx->ipa_options->ranges_search_bases;
6a81cb8c3424dbe9f764af3738299cbbe5874a15Simo Sorce ret = be_add_online_cb(ctx, be_ctx, ipa_subdom_online_cb, ctx, NULL);
6a81cb8c3424dbe9f764af3738299cbbe5874a15Simo Sorce DEBUG(SSSDBG_MINOR_FAILURE, ("Failed to add subdom online callback"));
3b533d57a737e2de1b3e85b073b14d3bfb49dafcSimo Sorce ret = be_add_offline_cb(ctx, be_ctx, ipa_subdom_offline_cb, ctx, NULL);
3b533d57a737e2de1b3e85b073b14d3bfb49dafcSimo Sorce DEBUG(SSSDBG_MINOR_FAILURE, ("Failed to add subdom offline callback"));
f8a4a5f6240156809e1b5ef03816f673281e3fa0Jakub Hrozek if (dp_opt_get_bool(id_ctx->ipa_options->basic,
52ae806bd17c3c00d70bd1aed437f10f5ae51a1cJakub Hrozek /* The IPA code relies on the default FQDN format to unparse user
52ae806bd17c3c00d70bd1aed437f10f5ae51a1cJakub Hrozek * names. Warn loudly if the full_name_format was customized on the
52ae806bd17c3c00d70bd1aed437f10f5ae51a1cJakub Hrozek * IPA server
d5e8c3a1290d68d07362a119e63121156ad448dfJakub Hrozek CONFDB_DEFAULT_FULL_NAME_FORMAT_INTERNAL) != 0)) {
52ae806bd17c3c00d70bd1aed437f10f5ae51a1cJakub Hrozek DEBUG(SSSDBG_FATAL_FAILURE, ("%s is set to a non-default value [%s] " \
52ae806bd17c3c00d70bd1aed437f10f5ae51a1cJakub Hrozek "lookups of subdomain users will likely fail!\n",
52ae806bd17c3c00d70bd1aed437f10f5ae51a1cJakub Hrozek CONFDB_FULL_NAME_FORMAT, be_ctx->domain->names->fq_fmt));
52ae806bd17c3c00d70bd1aed437f10f5ae51a1cJakub Hrozek sss_log(SSS_LOG_ERR, "%s is set to a non-default value [%s] " \
52ae806bd17c3c00d70bd1aed437f10f5ae51a1cJakub Hrozek "lookups of subdomain users will likely fail!\n",
52ae806bd17c3c00d70bd1aed437f10f5ae51a1cJakub Hrozek CONFDB_FULL_NAME_FORMAT, be_ctx->domain->names->fq_fmt);
52ae806bd17c3c00d70bd1aed437f10f5ae51a1cJakub Hrozek /* Attempt to continue */
f8a4a5f6240156809e1b5ef03816f673281e3fa0Jakub Hrozek realm = dp_opt_get_string(id_ctx->ipa_options->basic, IPA_KRB5_REALM);
f8a4a5f6240156809e1b5ef03816f673281e3fa0Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, ("No Kerberos realm for IPA?\n"));
f8a4a5f6240156809e1b5ef03816f673281e3fa0Jakub Hrozek hostname = dp_opt_get_string(id_ctx->ipa_options->basic, IPA_HOSTNAME);
f8a4a5f6240156809e1b5ef03816f673281e3fa0Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, ("No host name for IPA?\n"));