27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek/*
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek SSSD
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek IPA Subdomains Module - server mode
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek Authors:
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek Sumit Bose <sbose@redhat.com>
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek Copyright (C) 2015 Red Hat
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek This program is free software; you can redistribute it and/or modify
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek it under the terms of the GNU General Public License as published by
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek the Free Software Foundation; either version 3 of the License, or
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek (at your option) any later version.
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek This program is distributed in the hope that it will be useful,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek but WITHOUT ANY WARRANTY; without even the implied warranty of
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek GNU General Public License for more details.
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek You should have received a copy of the GNU General Public License
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek along with this program. If not, see <http://www.gnu.org/licenses/>.
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek*/
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek
#include <inttypes.h>

#include "providers/ldap/sdap_async.h"
#include "providers/ldap/sdap_idmap.h"
#include "providers/ipa/ipa_subdomains.h"
#include "providers/ipa/ipa_common.h"
#include "providers/ipa/ipa_id.h"
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek/* These constants are defined in MS-ADTS 6.1.6.7.1
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek * https://msdn.microsoft.com/en-us/library/cc223768.aspx
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek */
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek#define LSA_TRUST_DIRECTION_INBOUND 0x00000001
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek#define LSA_TRUST_DIRECTION_OUTBOUND 0x00000002
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek
/* Build the path of the keytab used for the trust with the given forest:
 * IPA_TRUST_KEYTAB_DIR/<forest>.keytab
 *
 * The result is allocated on mem_ctx; NULL on allocation failure.
 * NOTE(review): `forest` is spliced into a filesystem path verbatim, so this
 * relies on the caller obtaining it from a trusted source (the trust objects
 * read from the IPA server) -- confirm before reusing with other input.
 */
static char *forest_keytab(TALLOC_CTX *mem_ctx, const char *forest)
{
    const char *keytab_dir = IPA_TRUST_KEYTAB_DIR;

    return talloc_asprintf(mem_ctx, "%s/%s.keytab", keytab_dir, forest);
}
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek
/* Derive the principal used for the one-way trust with a subdomain:
 * "<flat name of the parent domain>$@<forest realm>".
 *
 * Returns a string allocated on mem_ctx, or NULL when the parent domain has
 * no flat name (logged at CRIT) or the allocation fails.
 */
static char *subdomain_trust_princ(TALLOC_CTX *mem_ctx,
                                   const char *forest_realm,
                                   struct sss_domain_info *sd)
{
    struct sss_domain_info *parent = sd->parent;

    if (parent->flat_name != NULL) {
        return talloc_asprintf(mem_ctx, "%s$@%s",
                               parent->flat_name, forest_realm);
    }

    DEBUG(SSSDBG_CRIT_FAILURE,
          "Unknown flat name for parent %s\n", parent->name);
    return NULL;
}
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek
/* Pick a trust direction for a subdomain entry that carries no
 * IPA_TRUST_DIRECTION attribute.
 *
 *  - member domains of a forest are expected to have no direction -> 0
 *  - anything else is most likely an old server -> two-way trust
 *  - if the subdomain DN cannot be built at all, log at CRIT and also
 *    assume a two-way trust
 *
 * mem_ctx only holds the temporary DN, which is freed before returning.
 */
static uint32_t default_direction(TALLOC_CTX *mem_ctx,
                                  struct ldb_context *ldb_ctx,
                                  struct sysdb_attrs *attrs)
{
    const uint32_t two_way = LSA_TRUST_DIRECTION_INBOUND
                             | LSA_TRUST_DIRECTION_OUTBOUND;
    struct ldb_dn *subdom_dn;
    uint32_t result;

    subdom_dn = ipa_subdom_ldb_dn(mem_ctx, ldb_ctx, attrs);
    if (subdom_dn == NULL) {
        /* Shouldn't happen, but let's try system keytab in this case */
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Cannot determine subdomain DN, falling back to two-way trust\n");
        return two_way;
    }

    /* Member domains are expected not to carry a direction; for the rest
     * (old server?) default to a 2-way trust. */
    result = ipa_subdom_is_member_dom(subdom_dn) ? 0 : two_way;

    talloc_free(subdom_dn);
    return result;
}
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek
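/* Read the trust direction of a subdomain from its sysdb attributes.
 *
 * sd         - attributes of the subdomain entry
 * ldb_ctx    - only used to build the subdomain DN when a default has to be
 *              derived
 * _direction - receives the LSA_TRUST_DIRECTION_* bit set
 *
 * When the IPA_TRUST_DIRECTION attribute is missing, default_direction()
 * chooses a value; when present, the raw value is passed through unchecked
 * (it is validated later, when the trust is used). Any other sysdb error is
 * returned as-is and *_direction is left untouched.
 */
errno_t ipa_server_get_trust_direction(struct sysdb_attrs *sd,
                                       struct ldb_context *ldb_ctx,
                                       uint32_t *_direction)
{
    uint32_t ipa_trust_direction = 0;
    uint32_t direction;
    int ret;

    ret = sysdb_attrs_get_uint32_t(sd, IPA_TRUST_DIRECTION,
                                   &ipa_trust_direction);
    /* The value is an unsigned 32-bit integer; %d would not match its type */
    DEBUG(SSSDBG_TRACE_INTERNAL,
          "Raw %s value: %" PRIu32 "\n", IPA_TRUST_DIRECTION,
          ipa_trust_direction);
    if (ret == ENOENT) {
        /* Attribute not present: derive a default from the entry's DN */
        direction = default_direction(sd, ldb_ctx, sd);
    } else if (ret == EOK) {
        /* Just store the AD value in SYSDB, we will check it while we're
         * trying to use the trust */
        direction = ipa_trust_direction;
    } else {
        return ret;
    }

    *_direction = direction;
    return EOK;
}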
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek
/* Human readable description of an LSA trust direction bit set, intended
 * for log messages. Returns a static string, never NULL.
 */
const char *ipa_trust_dir2str(uint32_t direction)
{
    const bool outbound = (direction & LSA_TRUST_DIRECTION_OUTBOUND) != 0;
    const bool inbound = (direction & LSA_TRUST_DIRECTION_INBOUND) != 0;

    if (outbound && inbound) {
        return "two-way trust";
    }
    if (outbound) {
        return "one-way outbound: local domain is trusted by remote domain";
    }
    if (inbound) {
        return "one-way inbound: local domain trusts the remote domain";
    }
    if (direction == 0) {
        return "not set";
    }

    /* Only bits outside the two known directions are set */
    return "unknown";
}
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek#ifndef IPA_GETKEYTAB_TIMEOUT
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek#define IPA_GETKEYTAB_TIMEOUT 5
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek#endif /* IPA_GETKEYTAB_TIMEOUT */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek
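/* Create the AD provider options for a one-way (inbound) trust with the
 * given forest.
 *
 * The keytab path and the trust principal are allocated on id_ctx and passed
 * to ad_create_1way_trust_options(). On any failure -- including the case
 * where only one of the two strings could be allocated -- both are released
 * again (talloc_free(NULL) is a no-op). Returns NULL on failure.
 */
static struct ad_options *
ipa_create_1way_trust_ctx(struct ipa_id_ctx *id_ctx,
                          struct be_ctx *be_ctx,
                          const char *subdom_conf_path,
                          const char *forest,
                          const char *forest_realm,
                          struct sss_domain_info *subdom)
{
    char *keytab;
    char *principal;
    struct ad_options *ad_options = NULL;

    keytab = forest_keytab(id_ctx, forest);
    principal = subdomain_trust_princ(id_ctx, forest_realm, subdom);
    if (keytab == NULL || principal == NULL) {
        /* Do not leak whichever of the two did get allocated */
        goto done;
    }

    ad_options = ad_create_1way_trust_options(id_ctx,
                                              be_ctx->cdb,
                                              subdom_conf_path,
                                              be_ctx->provider,
                                              subdom,
                                              id_ctx->server_mode->hostname,
                                              keytab,
                                              principal);

done:
    if (ad_options == NULL) {
        talloc_free(keytab);
        talloc_free(principal);
    }
    return ad_options;
}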
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek
/* Create the AD provider options for a subdomain, choosing the two-way or
 * one-way flavour from the trust direction of the subdomain's forest root.
 *
 * Returns NULL (after logging) when the subdomain configuration path cannot
 * be built, the direction is neither inbound nor outbound, or the AD options
 * cannot be created.
 */
static struct ad_options *ipa_ad_options_new(struct be_ctx *be_ctx,
                                             struct ipa_id_ctx *id_ctx,
                                             struct sss_domain_info *subdom)
{
    struct ad_options *opts = NULL;
    char *conf_path;
    /* Trusts are only established with forest roots */
    const uint32_t direction = subdom->forest_root->trust_direction;
    const char *root_realm = subdom->forest_root->realm;
    const char *root_forest = subdom->forest_root->forest;

    conf_path = subdomain_create_conf_path(id_ctx, subdom);
    if (conf_path == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "subdom_conf_path failed\n");
        return NULL;
    }

    if (direction & LSA_TRUST_DIRECTION_OUTBOUND) {
        opts = ad_create_2way_trust_options(id_ctx,
                                            be_ctx->cdb,
                                            conf_path,
                                            be_ctx->provider,
                                            id_ctx->server_mode->realm,
                                            subdom,
                                            id_ctx->server_mode->hostname,
                                            NULL);
    } else if (direction & LSA_TRUST_DIRECTION_INBOUND) {
        opts = ipa_create_1way_trust_ctx(id_ctx, be_ctx, conf_path,
                                         root_forest, root_realm, subdom);
    } else {
        DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported trust direction!\n");
    }
    talloc_free(conf_path);

    if (opts == NULL) {
        DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n");
    }
    return opts;
}
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek
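/* Set up an AD id context for one trusted AD subdomain in IPA server mode.
 *
 * The AD options are created from the trust direction of the subdomain's
 * forest root, the extra user attributes configured for the IPA domain are
 * copied over, failover and the AD SRV lookup plugin are initialised, the
 * sdap domain for the subdomain is registered and the id tasks are set up.
 * The id-mapping and certificate-mapping contexts are shared with the IPA
 * sdap context rather than created anew.
 *
 * On success *_ad_id_ctx receives the new context and EOK is returned.
 * On failure ad_options (and everything allocated on it) is freed on every
 * error path and an errno code is returned: ENOMEM for allocation failures,
 * EFAULT when the freshly added sdap domain cannot be looked up again.
 */
static errno_t
ipa_ad_ctx_new(struct be_ctx *be_ctx,
               struct ipa_id_ctx *id_ctx,
               struct sss_domain_info *subdom,
               struct ad_id_ctx **_ad_id_ctx)
{
    struct ad_options *ad_options;
    struct ad_id_ctx *ad_id_ctx;
    const char *gc_service_name;
    const char *service_name;
    struct ad_srv_plugin_ctx *srv_ctx;
    const char *ad_domain;
    const char *ad_site_override;
    const char *ad_servers;
    const char *ad_backup_servers;
    struct sdap_domain *sdom;
    errno_t ret;
    const char *extra_attrs;

    ad_domain = subdom->name;
    DEBUG(SSSDBG_TRACE_LIBS, "Setting up AD subdomain %s\n", subdom->name);

    ad_options = ipa_ad_options_new(be_ctx, id_ctx, subdom);
    if (ad_options == NULL) {
        DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n");
        return ENOMEM;
    }

    extra_attrs = dp_opt_get_string(id_ctx->sdap_id_ctx->opts->basic,
                                    SDAP_USER_EXTRA_ATTRS);
    if (extra_attrs != NULL) {
        DEBUG(SSSDBG_TRACE_ALL,
              "Setting extra attrs for subdomain [%s] to [%s].\n", ad_domain,
              extra_attrs);

        ret = dp_opt_set_string(ad_options->id->basic, SDAP_USER_EXTRA_ATTRS,
                                extra_attrs);
        if (ret != EOK) {
            DEBUG(SSSDBG_OP_FAILURE, "dp_opt_set_string failed.\n");
            goto fail;
        }

        ret = sdap_extend_map_with_list(ad_options->id, ad_options->id,
                                        SDAP_USER_EXTRA_ATTRS,
                                        ad_options->id->user_map,
                                        SDAP_OPTS_USER,
                                        &ad_options->id->user_map,
                                        &ad_options->id->user_map_cnt);
        if (ret != EOK) {
            DEBUG(SSSDBG_OP_FAILURE, "sdap_extend_map_with_list failed.\n");
            goto fail;
        }
    } else {
        DEBUG(SSSDBG_TRACE_ALL, "No extra attrs set.\n");
    }

    /* Both service names live on ad_options and go away with it */
    gc_service_name = talloc_asprintf(ad_options, "sd_gc_%s", subdom->forest);
    if (gc_service_name == NULL) {
        ret = ENOMEM;
        goto fail;
    }

    service_name = talloc_asprintf(ad_options, "sd_%s", subdom->name);
    if (service_name == NULL) {
        ret = ENOMEM;
        goto fail;
    }

    ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
    ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);

    /* Set KRB5 realm to same as the one of IPA when IPA
     * is able to attach PAC. For testing, use hardcoded. */
    ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
                           id_ctx->server_mode->realm,
                           service_name, gc_service_name,
                           subdom->name, &ad_options->service);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD failover\n");
        goto fail;
    }

    ad_id_ctx = ad_id_ctx_init(ad_options, be_ctx);
    if (ad_id_ctx == NULL) {
        ret = ENOMEM;
        goto fail;
    }
    ad_id_ctx->sdap_id_ctx->opts = ad_options->id;
    ad_options->id_ctx = ad_id_ctx;

    ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);

    /* use AD plugin */
    srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
                                     default_host_dbs,
                                     ad_id_ctx->ad_options->id,
                                     id_ctx->server_mode->hostname,
                                     ad_domain,
                                     ad_site_override);
    if (srv_ctx == NULL) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
        ret = ENOMEM;
        goto fail;
    }
    be_fo_set_srv_lookup_plugin(be_ctx, ad_srv_plugin_send,
                                ad_srv_plugin_recv, srv_ctx, "AD");

    ret = sdap_domain_subdom_add(ad_id_ctx->sdap_id_ctx,
                                 ad_id_ctx->sdap_id_ctx->opts->sdom,
                                 subdom->parent);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize sdap domain\n");
        goto fail;
    }

    sdom = sdap_domain_get(ad_id_ctx->sdap_id_ctx->opts, subdom);
    if (sdom == NULL) {
        /* The domain was just added above, so this indicates an internal
         * inconsistency rather than a configuration problem */
        DEBUG(SSSDBG_OP_FAILURE,
              "Cannot find sdap domain for subdomain %s\n", subdom->name);
        ret = EFAULT;
        goto fail;
    }

    ret = ad_set_search_bases(ad_options->id, sdom);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD search bases\n");
        goto fail;
    }

    sdap_inherit_options(subdom->parent->sd_inherit,
                         id_ctx->sdap_id_ctx->opts,
                         ad_id_ctx->sdap_id_ctx->opts);

    ret = sdap_id_setup_tasks(be_ctx,
                              ad_id_ctx->sdap_id_ctx,
                              sdom,
                              ldap_enumeration_send,
                              ldap_enumeration_recv,
                              ad_id_ctx->sdap_id_ctx);
    if (ret != EOK) {
        goto fail;
    }

    sdom->pvt = ad_id_ctx;

    /* Set up the ID mapping object */
    ad_id_ctx->sdap_id_ctx->opts->idmap_ctx =
        id_ctx->sdap_id_ctx->opts->idmap_ctx;

    /* Set up the certificate mapping context */
    ad_id_ctx->sdap_id_ctx->opts->sdap_certmap_ctx =
        id_ctx->sdap_id_ctx->opts->sdap_certmap_ctx;

    *_ad_id_ctx = ad_id_ctx;
    return EOK;

fail:
    /* Single cleanup point: the service names are children of ad_options
     * and, judging by the existing error handling after ad_id_ctx_init(),
     * presumably ad_id_ctx is too -- so this releases everything built so
     * far. Previously the srv_ctx and sdom failures skipped this free. */
    talloc_free(ad_options);
    return ret;
}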
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek
/* Per-request state of ipa_getkeytab_send(): tracks the forked child that
 * fetches the keytab until it exits or the timeout fires. */
struct ipa_getkeytab_state {
    /* Exit status of the child; initialised to EFAULT before the fork */
    int child_status;
    /* SIGCHLD handler registration created by child_handler_setup() */
    struct sss_child_ctx_old *child_ctx;
    /* presumably the IPA_GETKEYTAB_TIMEOUT timer -- set up further down,
     * outside this view; confirm */
    struct tevent_timer *timeout_handler;
};
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_getkeytab_exec(const char *ccache,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek const char *server,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek const char *principal,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek const char *keytab_path);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_getkeytab_done(int child_status,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek struct tevent_signal *sige,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek void *pvt);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_getkeytab_timeout(struct tevent_context *ev,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek struct tevent_timer *te,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek struct timeval tv, void *pvt);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek
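/*
 * Run the ipa-getkeytab helper in a forked child and return a tevent
 * request that completes when the child exits (ipa_getkeytab_done) or
 * when IPA_GETKEYTAB_TIMEOUT seconds pass (ipa_getkeytab_timeout).
 *
 * @param mem_ctx    talloc parent of the request
 * @param ev         event context the SIGCHLD and timeout handlers run on
 * @param ccache     credential cache handed to the child as KRB5CCNAME
 * @param server     IPA server the keytab is fetched from
 * @param principal  principal whose keys are retrieved
 * @param keytab     path the child writes the keytab to
 *
 * @return the request, or NULL if it could not be allocated. Every other
 *         failure is delivered through ipa_getkeytab_recv(): EINVAL for a
 *         missing argument, ERR_IPA_GETKEYTAB_FAILED when the handlers
 *         could not be installed, or the errno of a failed fork().
 */
static struct tevent_req *ipa_getkeytab_send(TALLOC_CTX *mem_ctx,
                                             struct tevent_context *ev,
                                             const char *ccache,
                                             const char *server,
                                             const char *principal,
                                             const char *keytab)
{
    errno_t ret;
    struct tevent_req *req = NULL;
    struct ipa_getkeytab_state *state;
    pid_t child_pid;
    struct timeval tv;

    req = tevent_req_create(mem_ctx, &state, struct ipa_getkeytab_state);
    if (req == NULL) {
        return NULL;
    }
    /* Placeholder until the child reports back; ipa_getkeytab_recv() hands
     * this value out when the request failed before the child ran. */
    state->child_status = EFAULT;

    /* All four strings are formatted with %s (the DEBUG below and the
     * child's "KRB5CCNAME=%s"), so none of them may be NULL. */
    if (ccache == NULL || server == NULL || principal == NULL
            || keytab == NULL) {
        ret = EINVAL;
        goto done;
    }

    DEBUG(SSSDBG_TRACE_FUNC,
          "Retrieving keytab for %s from %s into %s using ccache %s\n",
          principal, server, keytab, ccache);

    child_pid = fork();
    if (child_pid == 0) { /* child */
        /* Does not return: either execs ipa-getkeytab or exit()s */
        ipa_getkeytab_exec(ccache, server, principal, keytab);
    } else if (child_pid > 0) { /* parent */
        /* Set up SIGCHLD handler */
        ret = child_handler_setup(ev, child_pid, ipa_getkeytab_done, req,
                                  &state->child_ctx);
        if (ret != EOK) {
            /* NOTE(review): on this path the child keeps running with
             * nobody waiting for it; nothing here kills or reaps it. */
            DEBUG(SSSDBG_OP_FAILURE, "Could not set up child handlers [%d]: %s\n",
                  ret, sss_strerror(ret));
            ret = ERR_IPA_GETKEYTAB_FAILED;
            goto done;
        }

        /* Set up timeout handler; it is owned by req so that it is
         * released together with the request */
        tv = tevent_timeval_current_ofs(IPA_GETKEYTAB_TIMEOUT, 0);
        state->timeout_handler = tevent_add_timer(ev, req, tv,
                                                  ipa_getkeytab_timeout, req);
        if (state->timeout_handler == NULL) {
            ret = ERR_IPA_GETKEYTAB_FAILED;
            goto done;
        }

        /* Now either wait for the timeout to fire or the child
         * to finish
         */
    } else { /* error */
        ret = errno;
        DEBUG(SSSDBG_CRIT_FAILURE,
              "fork failed [%d][%s].\n", ret, sss_strerror(ret));
        goto done;
    }

    ret = EOK;
done:
    if (ret != EOK) {
        tevent_req_error(req, ret);
        tevent_req_post(req, ev);
    }
    return req;
}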
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek
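/*
 * Body of the forked child: optionally route stderr into the debug log,
 * export KRB5CCNAME, remove the empty temporary keytab and exec
 * ipa-getkeytab. Never returns; every failure ends in exit(1).
 *
 * @param ccache       credential cache, exported as KRB5CCNAME
 * @param server       IPA server (-s)
 * @param principal    principal to fetch keys for (-p)
 * @param keytab_path  destination keytab (-k). It must already exist; it is
 *                     unlinked here so that ipa-getkeytab creates it anew.
 */
static void ipa_getkeytab_exec(const char *ccache,
                               const char *server,
                               const char *principal,
                               const char *keytab_path)
{
    errno_t ret;
    int exec_errno;
    int debug_fd;
    const char *gkt_env[2] = { NULL, NULL };

    if (debug_level >= SSSDBG_TRACE_LIBS) {
        debug_fd = get_fd_from_debug_file();
        ret = dup2(debug_fd, STDERR_FILENO);
        if (ret == -1) {
            ret = errno;
            DEBUG(SSSDBG_MINOR_FAILURE,
                  "dup2 failed [%d][%s].\n", ret, sss_strerror(ret));
            /* stderr is not fatal */
        }
    }

    /* Allocated off NULL on purpose: the process image is replaced by
     * execle() or torn down by exit(), so nothing is freed here. */
    gkt_env[0] = talloc_asprintf(NULL, "KRB5CCNAME=%s", ccache);
    if (gkt_env[0] == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to format KRB5CCNAME\n");
        exit(1);
    }

    /* ipa-getkeytab cannot add keys to an empty file, let's unlink it and only
     * use the filename. NOTE(review): between this unlink and the helper
     * recreating the file the path is free; this relies on the keytab
     * directory not being writable by other users — confirm. */
    ret = unlink(keytab_path);
    if (ret == -1) {
        ret = errno;
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Failed to unlink the temporary keytab %s [%d][%s]\n",
              keytab_path, ret, sss_strerror(ret));
        exit(1);
    }

    errno = 0;
    ret = execle(IPA_GETKEYTAB_PATH, IPA_GETKEYTAB_PATH,
                 "-r", "-s", server, "-p", principal, "-k", keytab_path, NULL,
                 gkt_env);

    /* The child should never end up here. Save errno before DEBUG(), which
     * writes to the log and may overwrite it. */
    exec_errno = errno;
    DEBUG(SSSDBG_CRIT_FAILURE,
          "execle returned %d, this shouldn't happen!\n", ret);
    DEBUG(SSSDBG_CRIT_FAILURE,
          "execle failed [%d][%s].\n", exec_errno, sss_strerror(exec_errno));
    exit(1);
}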
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek
/*
 * SIGCHLD callback: turn the wait status of ipa-getkeytab into the request
 * result. Death by signal or a non-zero exit code fails the request with
 * ERR_IPA_GETKEYTAB_FAILED; the raw status is stored for
 * ipa_getkeytab_recv() in every case.
 *
 * @param child_status  wait status as delivered by the child handler
 * @param sige          unused
 * @param pvt           the struct tevent_req of ipa_getkeytab_send()
 */
static void ipa_getkeytab_done(int child_status,
                               struct tevent_signal *sige,
                               void *pvt)
{
    struct tevent_req *req;
    struct ipa_getkeytab_state *state;
    bool failed = false;

    req = talloc_get_type(pvt, struct tevent_req);
    state = tevent_req_data(req, struct ipa_getkeytab_state);
    state->child_status = child_status;

    /* WIFSIGNALED and WIFEXITED are mutually exclusive, so the order of
     * the two checks does not matter */
    if (WIFSIGNALED(child_status)) {
        DEBUG(SSSDBG_OP_FAILURE,
              "ipa-getkeytab was terminated by signal [%d]\n",
              WTERMSIG(child_status));
        failed = true;
    } else if (WIFEXITED(child_status) && WEXITSTATUS(child_status) != 0) {
        DEBUG(SSSDBG_OP_FAILURE,
              "ipa-getkeytab failed with status [%d]\n", child_status);
        failed = true;
    }

    if (failed) {
        tevent_req_error(req, ERR_IPA_GETKEYTAB_FAILED);
        return;
    }

    tevent_req_done(req);
}
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek
/*
 * Timer callback: ipa-getkeytab did not finish within IPA_GETKEYTAB_TIMEOUT.
 * Drops the child handler, records ETIMEDOUT as the child status and fails
 * the request with ERR_IPA_GETKEYTAB_FAILED.
 *
 * NOTE(review): whether the child process itself gets killed is up to
 * child_handler_destroy() — confirm in child_common.c.
 */
static void ipa_getkeytab_timeout(struct tevent_context *ev,
                                  struct tevent_timer *te,
                                  struct timeval tv, void *pvt)
{
    struct tevent_req *req = talloc_get_type(pvt, struct tevent_req);
    struct ipa_getkeytab_state *state;

    state = tevent_req_data(req, struct ipa_getkeytab_state);

    DEBUG(SSSDBG_CRIT_FAILURE, "Timeout reached for retrieving keytab from IPA server\n");

    /* A late SIGCHLD must not complete the request a second time */
    child_handler_destroy(state->child_ctx);
    state->child_ctx = NULL;

    state->child_status = ETIMEDOUT;
    tevent_req_error(req, ERR_IPA_GETKEYTAB_FAILED);
}
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek
/*
 * Collect the result of ipa_getkeytab_send().
 *
 * @param req           the completed request
 * @param child_status  optional out parameter; receives the raw wait status
 *                      of the child, or the EFAULT/ETIMEDOUT placeholders
 *                      set by the send and timeout paths. May be NULL.
 *
 * @return EOK, or the error the request was failed with
 */
static errno_t ipa_getkeytab_recv(struct tevent_req *req, int *child_status)
{
    struct ipa_getkeytab_state *state;

    state = tevent_req_data(req, struct ipa_getkeytab_state);

    /* The status is handed out even when the request failed */
    if (child_status != NULL) {
        *child_status = state->child_status;
    }

    DEBUG(SSSDBG_TRACE_INTERNAL,
          "ipa-getkeytab status %d\n", state->child_status);

    TEVENT_REQ_RETURN_ON_ERROR(req);

    return EOK;
}
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek
/*
 * Check that @keytab is a regular file with mode 0600 owned either by the
 * running process or by the configured keytab owner.
 *
 * Only file type, ownership and permissions are verified (check_file());
 * the contents of the keytab — which principals or keys it holds — are not
 * inspected.
 *
 * @param keytab        path to check
 * @param kt_owner_uid  alternative owner; 0 means "not configured" and
 *                      disables the second check
 * @param kt_owner_gid  group that goes with kt_owner_uid
 *
 * @return EOK when one of the checks passes, ENOENT when the file does
 *         not exist, otherwise the error returned by check_file()
 */
static errno_t ipa_check_keytab(const char *keytab,
                                uid_t kt_owner_uid,
                                gid_t kt_owner_gid)
{
    errno_t ret;

    /* First attempt: the keytab belongs to this process */
    ret = check_file(keytab, getuid(), getgid(), S_IFREG|0600, 0, NULL, false);
    if (ret == EOK) {
        DEBUG(SSSDBG_TRACE_ALL, "keytab %s already exists\n", keytab);
        return EOK;
    }

    if (ret == ENOENT) {
        DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
        return ret;
    }

    /* Second attempt: the keytab belongs to the configured owner */
    if (kt_owner_uid) {
        ret = check_file(keytab, kt_owner_uid, kt_owner_gid,
                         S_IFREG|0600, 0, NULL, false);
        if (ret == EOK) {
            return EOK;
        }
    }

    if (ret == ENOENT) {
        DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
    } else {
        DEBUG(SSSDBG_OP_FAILURE, "Failed to check for %s\n", keytab);
    }
    return ret;
}
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek
/* Per-request state of ipa_server_trusted_dom_setup_send() */
struct ipa_server_trusted_dom_setup_state {
    struct tevent_context *ev;
    struct be_ctx *be_ctx;
    struct ipa_id_ctx *id_ctx;
    struct sss_domain_info *subdom;   /* trusted subdomain being set up */

    uint32_t direction;       /* trust direction of subdom->forest_root
                               * (LSA_TRUST_DIRECTION_* bits) */
    const char *forest;       /* forest name, from subdom->forest_root */
    const char *keytab;       /* final keytab path for the forest */
    char *new_keytab;         /* temporary file the keytab is fetched into,
                               * renamed over @keytab once validated */
    const char *principal;    /* principal whose keys are fetched */
    const char *forest_realm; /* realm of the forest root */
    const char *ccache;       /* DB_PATH/ccache_<parent realm> */
};
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek
/* Inbound-only trusts: start fetching the dedicated keytab (returns EAGAIN) */
static errno_t ipa_server_trusted_dom_setup_1way(struct tevent_req *req);
/* Completion callback of the keytab fetch started by the 1way setup */
static void ipa_server_trust_1way_kt_done(struct tevent_req *subreq);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek
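/*
 * Prepare the Kerberos credentials needed for the trusted subdomain
 * @subdom. Trusts exist with forest roots only, so the direction, forest
 * name and realm are taken from subdom->forest_root.
 *
 * Trusts with the OUTBOUND bit set use the system keytab and complete
 * immediately. Inbound-only trusts need a dedicated keytab, fetched
 * asynchronously by ipa_server_trusted_dom_setup_1way(); the request then
 * completes from ipa_server_trust_1way_kt_done().
 *
 * @return the request, or NULL on allocation failure. Errors delivered via
 *         ipa_server_trusted_dom_setup_recv(): ERR_TRUST_FOREST_UNKNOWN,
 *         ENOMEM, ERR_TRUST_NOT_SUPPORTED, or what the 1way setup returned.
 */
struct tevent_req *
ipa_server_trusted_dom_setup_send(TALLOC_CTX *mem_ctx,
                                  struct tevent_context *ev,
                                  struct be_ctx *be_ctx,
                                  struct ipa_id_ctx *id_ctx,
                                  struct sss_domain_info *subdom)
{
    struct tevent_req *req = NULL;
    struct ipa_server_trusted_dom_setup_state *state = NULL;
    errno_t ret;

    req = tevent_req_create(mem_ctx, &state,
                            struct ipa_server_trusted_dom_setup_state);
    if (req == NULL) {
        return NULL;
    }
    state->ev = ev;
    state->be_ctx = be_ctx;
    state->id_ctx = id_ctx;
    state->subdom = subdom;

    /* Trusts are only established with forest roots */
    if (subdom->forest_root == NULL) {
        DEBUG(SSSDBG_OP_FAILURE,
              "Subdomain %s has no forest root?\n", subdom->name);
        ret = ERR_TRUST_FOREST_UNKNOWN;
        goto immediate;
    }

    state->direction = subdom->forest_root->trust_direction;
    state->forest = subdom->forest_root->forest;
    state->forest_realm = subdom->forest_root->realm;
    /* One ccache per parent (IPA) realm, shared by all its trusts */
    state->ccache = talloc_asprintf(state, "%s/ccache_%s",
                                    DB_PATH, subdom->parent->realm);
    if (state->ccache == NULL) {
        ret = ENOMEM;
        goto immediate;
    }

    DEBUG(SSSDBG_TRACE_LIBS,
          "Trust direction of subdom %s from forest %s is: %s\n",
          subdom->name, state->forest,
          ipa_trust_dir2str(state->direction));

    if (state->direction & LSA_TRUST_DIRECTION_OUTBOUND) {
        /* Use system keytab, nothing to do here */
        ret = EOK;
        goto immediate;
    } else if (state->direction & LSA_TRUST_DIRECTION_INBOUND) {
        /* Need special keytab */
        ret = ipa_server_trusted_dom_setup_1way(req);
        if (ret == EAGAIN) {
            /* In progress.. */
            return req;
        }
        /* EOK would mean the keytab is already available; anything else
         * is an error. Both are reported below. */
    } else {
        /* Even unset is an error at this point. Log the forest root's
         * direction, which is the value the decision above was made on. */
        DEBUG(SSSDBG_OP_FAILURE,
              "Subdomain %s has trust direction %u\n",
              subdom->name, (unsigned) state->direction);
        ret = ERR_TRUST_NOT_SUPPORTED;
    }

immediate:
    if (ret != EOK) {
        /* state->forest is never set when there is no forest root */
        DEBUG(SSSDBG_OP_FAILURE,
              "Could not add trusted subdomain %s from forest %s\n",
              subdom->name,
              state->forest != NULL ? state->forest : "<unknown>");
        tevent_req_error(req, ret);
    } else {
        tevent_req_done(req);
    }
    tevent_req_post(req, ev);
    return req;
}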
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek
/*
 * Inbound-only trust: start fetching a dedicated keytab for the forest.
 * The keytab is fetched into a freshly created temporary file next to the
 * final path (see sss_unique_filename()) and moved into place by
 * ipa_server_trust_1way_kt_done().
 *
 * @param req  the ipa_server_trusted_dom_setup request; its state is filled
 *             in here (keytab, new_keytab, principal)
 *
 * @return EAGAIN when the fetch was started and the request will complete
 *         later; EIO, ENOMEM or the error of sss_unique_filename() when it
 *         could not be started. EOK is never returned by this function.
 */
static errno_t ipa_server_trusted_dom_setup_1way(struct tevent_req *req)
{
    struct ipa_server_trusted_dom_setup_state *state;
    struct tevent_req *subreq;
    const char *hostname;
    errno_t ret;

    state = tevent_req_data(req, struct ipa_server_trusted_dom_setup_state);

    /* Final keytab path for this forest */
    state->keytab = forest_keytab(state, state->forest);
    if (state->keytab == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up ipa_get_keytab\n");
        return EIO;
    }

    /* Temporary name alongside it; the XXXXXX suffix is filled in by
     * sss_unique_filename(), which also creates the file */
    state->new_keytab = talloc_asprintf(state, "%sXXXXXX", state->keytab);
    if (state->new_keytab == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up ipa_get_keytab\n");
        return ENOMEM;
    }

    ret = sss_unique_filename(state, state->new_keytab);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create temporary keytab name\n");
        return ret;
    }

    DEBUG(SSSDBG_TRACE_FUNC,
          "Will re-fetch keytab for %s\n", state->subdom->name);

    state->principal = subdomain_trust_princ(state,
                                             state->forest_realm,
                                             state->subdom);
    if (state->principal == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up ipa_get_keytab\n");
        return EIO;
    }

    /* The keytab is requested from this host's own IPA server */
    hostname = dp_opt_get_string(state->id_ctx->ipa_options->basic,
                                 IPA_HOSTNAME);

    subreq = ipa_getkeytab_send(state->be_ctx, state->be_ctx->ev,
                                state->ccache, hostname,
                                state->principal, state->new_keytab);
    if (subreq == NULL) {
        return ENOMEM;
    }
    tevent_req_set_callback(subreq, ipa_server_trust_1way_kt_done, req);
    return EAGAIN;
}
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek
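/*
 * Completion callback of the ipa_getkeytab subrequest started by
 * ipa_server_trusted_dom_setup_1way(). When the fetch succeeded and the
 * temporary keytab passes ipa_check_keytab(), it is renamed over the final
 * path. Otherwise the previously installed keytab is kept if it passes the
 * same check; the request fails only when neither is usable.
 *
 * ipa_check_keytab() verifies file type, ownership and mode only, not the
 * keytab's contents, which is why a keytab from a failed fetch is never
 * considered: the temporary file created by sss_unique_filename() (empty,
 * 0600, owned by this process) would pass that check and replace a working
 * keytab.
 */
static void ipa_server_trust_1way_kt_done(struct tevent_req *subreq)
{
    errno_t ret;
    struct tevent_req *req = tevent_req_callback_data(subreq,
                                                      struct tevent_req);
    struct ipa_server_trusted_dom_setup_state *state =
            tevent_req_data(req, struct ipa_server_trusted_dom_setup_state);
    uid_t kt_owner_uid = state->id_ctx->server_mode->kt_owner_uid;
    gid_t kt_owner_gid = state->id_ctx->server_mode->kt_owner_gid;

    ret = ipa_getkeytab_recv(subreq, NULL);
    talloc_zfree(subreq);
    if (ret == EOK) {
        DEBUG(SSSDBG_TRACE_FUNC,
              "Keytab successfully retrieved to %s\n", state->new_keytab);
        ret = ipa_check_keytab(state->new_keytab, kt_owner_uid, kt_owner_gid);
    } else {
        /* Do not fail here, but try to check and use the previous keytab,
         * if any */
        DEBUG(SSSDBG_MINOR_FAILURE, "ipa_getkeytab_recv failed: %d\n", ret);
    }

    if (ret == EOK) {
        /* rename() replaces the old keytab atomically */
        ret = rename(state->new_keytab, state->keytab);
        if (ret == -1) {
            ret = errno;
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "rename failed [%d][%s].\n", ret, sss_strerror(ret));
            tevent_req_error(req, ret);
            return;
        }
        DEBUG(SSSDBG_TRACE_INTERNAL, "Keytab renamed to %s\n", state->keytab);
    } else {
        DEBUG(SSSDBG_MINOR_FAILURE,
              "Trying to recover and use the previous keytab, if available\n");

        /* Whatever is left under the temporary name is not usable; remove
         * it so that it does not linger next to the real keytab. ENOENT is
         * expected when the child already unlinked it. Best effort only. */
        if (unlink(state->new_keytab) == -1) {
            ret = errno;
            if (ret != ENOENT) {
                DEBUG(SSSDBG_MINOR_FAILURE,
                      "Could not remove temporary keytab %s [%d][%s]\n",
                      state->new_keytab, ret, sss_strerror(ret));
            }
        }

        ret = ipa_check_keytab(state->keytab, kt_owner_uid, kt_owner_gid);
        if (ret != EOK) {
            DEBUG(SSSDBG_OP_FAILURE,
                  "Cannot use the old keytab: %d\n", ret);
            /* Nothing we can do now */
            tevent_req_error(req, ret);
            return;
        }
        DEBUG(SSSDBG_TRACE_FUNC,
              "The previous keytab %s contains the expected principal\n",
              state->keytab);
    }

    /* In both branches the keytab in use now lives under state->keytab */
    DEBUG(SSSDBG_TRACE_FUNC,
          "Keytab %s contains the expected principals\n", state->keytab);

    DEBUG(SSSDBG_TRACE_FUNC,
          "Established trust context for %s\n", state->subdom->name);
    tevent_req_done(req);
}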
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek
/* Collect the result of ipa_server_trusted_dom_setup_send(): EOK, or the
 * error the request was failed with (see the send function for the list) */
errno_t ipa_server_trusted_dom_setup_recv(struct tevent_req *req)
{
    TEVENT_REQ_RETURN_ON_ERROR(req);
    return EOK;
}
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek
/*
 * Private state of the ipa_server_create_trusts_send() request.
 *
 * domiter is the iteration cursor over the subdomains: it is set to the
 * parent domain on creation and advanced with get_next_domain() by
 * ipa_server_create_trusts_step() before each use.
 */
struct ipa_server_create_trusts_state {
    struct tevent_context *ev;          /* event loop the sub-requests run on */
    struct be_ctx *be_ctx;              /* backend context handed to ipa_ad_ctx_new() */
    struct ipa_id_ctx *id_ctx;          /* owner of server_mode->trusts */
    struct sss_domain_info *domiter;    /* subdomain currently being processed */
};
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek
/* Step/callback pair driving the per-subdomain loop of
 * ipa_server_create_trusts_send(); _ctx registers the ipa_ad_server_ctx
 * for a subdomain once its trusted-domain setup request has finished. */
static errno_t ipa_server_create_trusts_step(struct tevent_req *req);
static errno_t ipa_server_create_trusts_ctx(struct tevent_req *req);
static void ipa_server_create_trusts_done(struct tevent_req *subreq);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek
/*
 * Create an AD ID context for every subdomain of @parent that does not
 * have one registered in id_ctx->server_mode->trusts yet.
 *
 * The subdomain walk lives in ipa_server_create_trusts_step(); for each
 * subdomain without a trust context it runs
 * ipa_server_trusted_dom_setup_send() and then registers the new context.
 *
 * Returns NULL only when the request itself cannot be allocated; every
 * other failure is delivered through ipa_server_create_trusts_recv().
 */
struct tevent_req *
ipa_server_create_trusts_send(TALLOC_CTX *mem_ctx,
                              struct tevent_context *ev,
                              struct be_ctx *be_ctx,
                              struct ipa_id_ctx *id_ctx,
                              struct sss_domain_info *parent)
{
    struct ipa_server_create_trusts_state *state;
    struct tevent_req *req;
    errno_t ret;

    req = tevent_req_create(mem_ctx, &state,
                            struct ipa_server_create_trusts_state);
    if (req == NULL) {
        return NULL;
    }

    state->ev = ev;
    state->be_ctx = be_ctx;
    state->id_ctx = id_ctx;
    /* The step function moves the cursor with get_next_domain() before
     * looking at it, so the walk starts at the domain after @parent. */
    state->domiter = parent;

    ret = ipa_server_create_trusts_step(req);
    if (ret == EAGAIN) {
        /* A sub-request is in flight; ipa_server_create_trusts_done()
         * continues the loop from the event loop. */
        return req;
    }

    /* Completed (or failed) synchronously: record the outcome and defer
     * the caller's callback to the next event-loop iteration. */
    if (ret == EOK) {
        tevent_req_done(req);
    } else {
        tevent_req_error(req, ret);
    }
    tevent_req_post(req, ev);
    return req;
}
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek
/* Return the trust context registered for @dom in @trusts, or NULL. */
static struct ipa_ad_server_ctx *
ipa_server_trusts_lookup_ctx(struct ipa_ad_server_ctx *trusts,
                             struct sss_domain_info *dom)
{
    struct ipa_ad_server_ctx *tc;

    DLIST_FOR_EACH(tc, trusts) {
        if (tc->dom == dom) {
            return tc;
        }
    }

    return NULL;
}

/*
 * Refresh the sdap_domain lists of all trust contexts: the base DN and
 * search bases that a trust holds for its own domain are copied into every
 * other trust's sdap_domain entry for that same domain. Pairs where either
 * side has no sdap_domain entry are skipped.
 */
static void
ipa_server_trusts_sync_search_bases(struct ipa_ad_server_ctx *trusts)
{
    struct ipa_ad_server_ctx *src;
    struct ipa_ad_server_ctx *dst;
    struct sdap_domain *src_sdom;
    struct sdap_domain *dst_sdom;

    DLIST_FOR_EACH(src, trusts) {
        src_sdom = sdap_domain_get(src->ad_id_ctx->sdap_id_ctx->opts,
                                   src->dom);
        if (src_sdom == NULL) {
            continue;
        }

        DLIST_FOR_EACH(dst, trusts) {
            /* A trust is the source for its own domain; nothing to copy. */
            if (strcmp(src->dom->name, dst->dom->name) == 0) {
                continue;
            }

            dst_sdom = sdap_domain_get(dst->ad_id_ctx->sdap_id_ctx->opts,
                                       src_sdom->dom);
            if (dst_sdom == NULL) {
                continue;
            }

            /* basedn and search bases of dst_sdom become those of src_sdom */
            sdap_domain_copy_search_bases(dst_sdom, src_sdom);
        }
    }
}

/*
 * One iteration of the subdomain loop.
 *
 * Advances state->domiter to the next subdomain and, for the first one
 * without a trust context, starts ipa_server_trusted_dom_setup_send().
 * Returns EAGAIN while that sub-request is pending
 * (ipa_server_create_trusts_done() re-enters here), ENOMEM if the
 * sub-request could not be created, and EOK once every subdomain has a
 * context — in which case the search bases of all trusts are synchronised
 * before returning.
 */
static errno_t ipa_server_create_trusts_step(struct tevent_req *req)
{
    struct ipa_server_create_trusts_state *state;
    struct tevent_req *subreq;

    state = tevent_req_data(req, struct ipa_server_create_trusts_state);

    state->domiter = get_next_domain(state->domiter, SSS_GND_DESCEND);
    while (state->domiter != NULL && IS_SUBDOMAIN(state->domiter)) {
        if (ipa_server_trusts_lookup_ctx(state->id_ctx->server_mode->trusts,
                                         state->domiter) == NULL) {
            /* Newly detected trust: set it up asynchronously and come back
             * through ipa_server_create_trusts_done(). */
            subreq = ipa_server_trusted_dom_setup_send(state,
                                                       state->ev,
                                                       state->be_ctx,
                                                       state->id_ctx,
                                                       state->domiter);
            if (subreq == NULL) {
                return ENOMEM;
            }
            tevent_req_set_callback(subreq, ipa_server_create_trusts_done, req);
            return EAGAIN;
        }

        state->domiter = get_next_domain(state->domiter, 0);
    }

    ipa_server_trusts_sync_search_bases(state->id_ctx->server_mode->trusts);

    return EOK;
}
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek
/*
 * Callback of the per-subdomain ipa_server_trusted_dom_setup_send()
 * request. On success the new trust context is registered and the
 * subdomain loop continues; a failure of the setup, of the registration
 * or of the next step fails the whole ipa_server_create_trusts request.
 */
static void ipa_server_create_trusts_done(struct tevent_req *subreq)
{
    struct tevent_req *req;
    errno_t ret;

    req = tevent_req_callback_data(subreq, struct tevent_req);

    ret = ipa_server_trusted_dom_setup_recv(subreq);
    talloc_zfree(subreq);
    if (ret != EOK) {
        goto fail;
    }

    ret = ipa_server_create_trusts_ctx(req);
    if (ret != EOK) {
        goto fail;
    }

    ret = ipa_server_create_trusts_step(req);
    if (ret == EAGAIN) {
        /* Another sub-request is pending; we will be called again. */
        return;
    }
    if (ret != EOK) {
        goto fail;
    }

    tevent_req_done(req);
    return;

fail:
    tevent_req_error(req, ret);
}
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozek
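/*
 * Register a trust context for the subdomain state->domiter once its
 * setup request succeeded: create the AD ID context for it and add the
 * (domain, ad_id_ctx) pair to id_ctx->server_mode->trusts.
 *
 * Returns EOK, ENOMEM, or the error reported by ipa_ad_ctx_new().
 */
static errno_t ipa_server_create_trusts_ctx(struct tevent_req *req)
{
    struct ipa_server_create_trusts_state *state;
    struct ipa_ad_server_ctx *trust_ctx;
    struct ad_id_ctx *ad_id_ctx;
    errno_t ret;

    state = tevent_req_data(req, struct ipa_server_create_trusts_state);

    ret = ipa_ad_ctx_new(state->be_ctx, state->id_ctx, state->domiter,
                         &ad_id_ctx);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE,
              "Cannot create ad_id_ctx for subdomain %s\n",
              state->domiter->name);
        return ret;
    }

    /* Zero-initialise so every member not assigned below (the list links
     * before DLIST_ADD, any field added to the struct later) starts in a
     * defined state. The context is owned by server_mode and therefore
     * lives as long as server mode itself. */
    trust_ctx = talloc_zero(state->id_ctx->server_mode,
                            struct ipa_ad_server_ctx);
    if (trust_ctx == NULL) {
        /* NOTE(review): ad_id_ctx is not released on this path. Its talloc
         * parent is chosen inside ipa_ad_ctx_new() and not visible here, so
         * freeing it could leave dangling references — confirm before
         * adding cleanup. */
        return ENOMEM;
    }
    trust_ctx->dom = state->domiter;
    trust_ctx->ad_id_ctx = ad_id_ctx;

    DLIST_ADD(state->id_ctx->server_mode->trusts, trust_ctx);
    return EOK;
}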
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek
/*
 * Collect the result of ipa_server_create_trusts_send().
 *
 * Returns EOK when all subdomains got a trust context, otherwise the
 * error recorded by the request (setup failure, ipa_ad_ctx_new() failure
 * or ENOMEM), propagated by TEVENT_REQ_RETURN_ON_ERROR.
 */
errno_t ipa_server_create_trusts_recv(struct tevent_req *req)
{
    TEVENT_REQ_RETURN_ON_ERROR(req);
    return EOK;
}
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek
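/*
 * Tear down the IPA-AD context of a subdomain that is no longer trusted
 * (server mode only): stop its enumeration and cleanup periodic tasks,
 * drop its sdap_domain from the AD options, unlink the trust context,
 * terminate all in-flight data-provider requests for the subdomain and
 * free the sdap_domain.
 *
 * Does nothing outside server mode or when no trust context exists for
 * @subdom. Note that the ipa_ad_server_ctx (and the ad_id_ctx it points
 * to) is only unlinked from server_mode->trusts, not freed: it was
 * allocated under server_mode and stays there until that context goes
 * away.
 */
void ipa_ad_subdom_remove(struct be_ctx *be_ctx,
                          struct ipa_id_ctx *id_ctx,
                          struct sss_domain_info *subdom)
{
    struct ipa_ad_server_ctx *iter;
    struct sdap_domain *sdom;

    if (dp_opt_get_bool(id_ctx->ipa_options->basic,
                        IPA_SERVER_MODE) == false) {
        return;
    }

    DLIST_FOR_EACH(iter, id_ctx->server_mode->trusts) {
        if (iter->dom == subdom) {
            break;
        }
    }

    if (iter == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "No IPA-AD context for subdomain %s\n",
              subdom->name);
        return;
    }

    sdom = sdap_domain_get(iter->ad_id_ctx->sdap_id_ctx->opts, subdom);
    if (sdom == NULL) {
        /* A trust context without a matching sdap_domain is not expected;
         * log it rather than returning silently. The trust context is left
         * in the list as the rest of the teardown depends on sdom. */
        DEBUG(SSSDBG_CRIT_FAILURE,
              "No sdap_domain for subdomain %s in its IPA-AD context\n",
              subdom->name);
        return;
    }

    /* Stop the periodic tasks before the domain is dismantled so they
     * cannot fire against it. */
    be_ptask_destroy(&sdom->enum_task);
    be_ptask_destroy(&sdom->cleanup_task);

    sdap_domain_remove(iter->ad_id_ctx->sdap_id_ctx->opts, subdom);
    DLIST_REMOVE(id_ctx->server_mode->trusts, iter);

    /* terminate all requests for this subdomain so we can free it */
    dp_terminate_domain_requests(be_ctx->provider, subdom->name);
    talloc_zfree(sdom);
}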
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek
/*
 * Arguments carried from ipa_ad_subdom_reinit() to the deferred
 * create_trusts_at_startup() handler, and used there as the talloc parent
 * and callback data of the ipa_server_create_trusts request.
 */
struct ipa_ad_subdom_reinit_state {
    struct tevent_context *ev;          /* event loop for the request */
    struct be_ctx *be_ctx;              /* backend context */
    struct ipa_id_ctx *id_ctx;          /* IPA ID context (owner of server_mode) */
    struct sss_domain_info *parent;     /* IPA domain whose subdomains are walked */
};
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek
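/*
 * Completion callback of the ipa_server_create_trusts request started by
 * create_trusts_at_startup().
 *
 * The callback data is the ipa_ad_subdom_reinit_state the request was
 * allocated on. It only carried the arguments into the startup handler, so
 * it is released here together with the request — create_trusts_at_startup()
 * already frees it on its own failure path, and without this the state
 * (allocated on the backend context) was never reclaimed on success.
 * A failed request is logged only.
 */
static void create_trusts_at_startup_done(struct tevent_req *req)
{
    struct ipa_ad_subdom_reinit_state *state;
    errno_t ret;

    state = tevent_req_callback_data(req, struct ipa_ad_subdom_reinit_state);

    ret = ipa_server_create_trusts_recv(req);
    talloc_zfree(req);
    if (ret != EOK) {
        DEBUG(SSSDBG_MINOR_FAILURE,
              "ipa_server_create_trusts_send request failed [%d]: %s\n",
              ret, sss_strerror(ret));
    }

    /* The request was a child of state; nothing else references state. */
    talloc_free(state);
}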
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek
/*
 * Immediate-event handler scheduled by ipa_ad_subdom_reinit(): starts
 * ipa_server_create_trusts_send() for the parent domain from within the
 * event loop. @pvt is the ipa_ad_subdom_reinit_state carrying the
 * arguments; it also serves as the talloc parent of the request and is
 * handed to create_trusts_at_startup_done() as its callback data.
 */
static void create_trusts_at_startup(struct tevent_context *ev,
                                     struct tevent_immediate *imm,
                                     void *pvt)
{
    struct ipa_ad_subdom_reinit_state *state;
    struct tevent_req *req;

    state = talloc_get_type(pvt, struct ipa_ad_subdom_reinit_state);

    req = ipa_server_create_trusts_send(state, state->ev, state->be_ctx,
                                        state->id_ctx, state->parent);
    if (req != NULL) {
        tevent_req_set_callback(req, create_trusts_at_startup_done, state);
        return;
    }

    /* No request, so no callback will ever run: drop the state we own. */
    DEBUG(SSSDBG_OP_FAILURE, "ipa_server_create_trusts_send failed.\n");
    talloc_free(state);
}
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek
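/*
 * Schedule the initial creation of AD trust contexts for the subdomains of
 * @parent. Nothing is done outside IPA server mode.
 *
 * The work is deferred with a tevent immediate so it runs from the event
 * loop rather than from the provider's init path. The arguments travel in
 * an ipa_ad_subdom_reinit_state allocated on @mem_ctx and handed to
 * create_trusts_at_startup() as private data.
 *
 * Returns EOK, or ENOMEM if the state or the immediate cannot be allocated.
 */
static errno_t ipa_ad_subdom_reinit(TALLOC_CTX *mem_ctx,
                                    struct tevent_context *ev,
                                    struct be_ctx *be_ctx,
                                    struct ipa_id_ctx *id_ctx,
                                    struct sss_domain_info *parent)
{
    struct tevent_immediate *imm;
    struct ipa_ad_subdom_reinit_state *state;

    /* Decide first, allocate second: the non-server-mode return must not
     * leave an orphaned state behind on mem_ctx. */
    if (dp_opt_get_bool(id_ctx->ipa_options->basic,
                        IPA_SERVER_MODE) == false) {
        return EOK;
    }

    state = talloc(mem_ctx, struct ipa_ad_subdom_reinit_state);
    if (state == NULL) {
        return ENOMEM;
    }
    state->ev = ev;
    state->be_ctx = be_ctx;
    state->id_ctx = id_ctx;
    state->parent = parent;

    imm = tevent_create_immediate(mem_ctx);
    if (imm == NULL) {
        DEBUG(SSSDBG_OP_FAILURE, "tevent_create_immediate failed.\n");
        talloc_free(state);
        return ENOMEM;
    }

    tevent_schedule_immediate(imm, ev, create_trusts_at_startup, state);
    return EOK;
}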
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek
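/*
 * Warn, in the debug log and in syslog, when full_name_format was changed
 * from one of the two defaults. The IPA server-mode code relies on the
 * default FQDN format to unparse user names, so subdomain user lookups are
 * likely to fail with a custom format. Initialisation continues regardless.
 */
static void ipa_ad_subdom_warn_fq_fmt(struct be_ctx *be_ctx)
{
    const char *fq_fmt = be_ctx->domain->names->fq_fmt;

    if (strcmp(fq_fmt, CONFDB_DEFAULT_FULL_NAME_FORMAT) == 0
            || strcmp(fq_fmt, CONFDB_DEFAULT_FULL_NAME_FORMAT_INTERNAL) == 0) {
        return;
    }

    DEBUG(SSSDBG_FATAL_FAILURE, "%s is set to a non-default value [%s] "
          "lookups of subdomain users will likely fail!\n",
          CONFDB_FULL_NAME_FORMAT, fq_fmt);
    sss_log(SSS_LOG_ERR, "%s is set to a non-default value [%s] "
            "lookups of subdomain users will likely fail!\n",
            CONFDB_FULL_NAME_FORMAT, fq_fmt);
    /* Attempt to continue */
}

/*
 * Fill in server_mode->kt_owner_uid/gid, the identity passed along with
 * the trusted-domain keytab paths earlier in this file.
 *
 * When not running as root the fields stay 0/0. When running as root the
 * keytabs may still have been created by the IPA oddjob script as the
 * SSSD user, so that user's uid/gid are looked up. If the lookup fails the
 * fields also stay 0/0 — i.e. root — and this is only logged; what the
 * keytab code does with 0/0 is not visible here.
 */
static void ipa_ad_subdom_set_kt_owner(struct ipa_server_mode_ctx *server_mode)
{
    errno_t ret;

    server_mode->kt_owner_uid = 0;
    server_mode->kt_owner_gid = 0;

    if (getuid() != 0) {
        return;
    }

    ret = sss_user_by_name_or_uid(SSSD_USER,
                                  &server_mode->kt_owner_uid,
                                  &server_mode->kt_owner_gid);
    if (ret != EOK) {
        DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get ID of %s\n", SSSD_USER);
    }
}

/*
 * Initialise IPA server mode for the subdomains provider.
 *
 * Returns EOK immediately when ipa_server_mode is off. Otherwise validates
 * that a Kerberos realm and host name are configured (EINVAL if not),
 * allocates id_ctx->server_mode, records the keytab owner identity and
 * schedules the creation of AD trust contexts via ipa_ad_subdom_reinit().
 * Returns ENOMEM on allocation failure or the error from
 * ipa_ad_subdom_reinit().
 */
int ipa_ad_subdom_init(struct be_ctx *be_ctx,
                       struct ipa_id_ctx *id_ctx)
{
    char *realm;
    char *hostname;
    errno_t ret;

    if (dp_opt_get_bool(id_ctx->ipa_options->basic,
                        IPA_SERVER_MODE) == false) {
        return EOK;
    }

    ipa_ad_subdom_warn_fq_fmt(be_ctx);

    realm = dp_opt_get_string(id_ctx->ipa_options->basic, IPA_KRB5_REALM);
    if (realm == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n");
        return EINVAL;
    }

    hostname = dp_opt_get_string(id_ctx->ipa_options->basic, IPA_HOSTNAME);
    if (hostname == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "No host name for IPA?\n");
        return EINVAL;
    }

    id_ctx->server_mode = talloc_zero(id_ctx, struct ipa_server_mode_ctx);
    if (id_ctx->server_mode == NULL) {
        return ENOMEM;
    }
    /* realm and hostname are borrowed from ipa_options, not copied. */
    id_ctx->server_mode->realm = realm;
    id_ctx->server_mode->hostname = hostname;
    id_ctx->server_mode->trusts = NULL;
    id_ctx->server_mode->ext_groups = NULL;
    ipa_ad_subdom_set_kt_owner(id_ctx->server_mode);

    ret = ipa_ad_subdom_reinit(be_ctx, be_ctx->ev,
                               be_ctx, id_ctx, be_ctx->domain);
    if (ret != EOK) {
        /* Name the function that actually failed. */
        DEBUG(SSSDBG_OP_FAILURE, "ipa_ad_subdom_reinit failed.\n");
        return ret;
    }

    return EOK;
}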