27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek IPA Subdomains Module - server mode
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek Sumit Bose <sbose@redhat.com>
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek Copyright (C) 2015 Red Hat
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek This program is free software; you can redistribute it and/or modify
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek it under the terms of the GNU General Public License as published by
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek the Free Software Foundation; either version 3 of the License, or
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek (at your option) any later version.
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek This program is distributed in the hope that it will be useful,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek but WITHOUT ANY WARRANTY; without even the implied warranty of
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek GNU General Public License for more details.
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek You should have received a copy of the GNU General Public License
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek along with this program. If not, see <http://www.gnu.org/licenses/>.
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek/* These constants are defined in MS-ADTS 6.1.6.7.1
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek * https://msdn.microsoft.com/en-us/library/cc223768.aspx
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic char *forest_keytab(TALLOC_CTX *mem_ctx, const char *forest)
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic char *subdomain_trust_princ(TALLOC_CTX *mem_ctx,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "Unknown flat name for parent %s\n", sd->parent->name);
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozekstatic uint32_t default_direction(TALLOC_CTX *mem_ctx,
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek dn = ipa_subdom_ldb_dn(mem_ctx, ldb_ctx, attrs);
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek /* Shouldn't happen, but let's try system keytab in this case */
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek "Cannot determine subdomain DN, falling back to two-way trust\n");
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek return (LSA_TRUST_DIRECTION_INBOUND|LSA_TRUST_DIRECTION_OUTBOUND);
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek /* It's expected member domains do not have the direction */
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek /* Old server? Default to 2way trust */
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek direction = (LSA_TRUST_DIRECTION_INBOUND|LSA_TRUST_DIRECTION_OUTBOUND);
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozekerrno_t ipa_server_get_trust_direction(struct sysdb_attrs *sd,
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek ret = sysdb_attrs_get_uint32_t(sd, IPA_TRUST_DIRECTION,
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek "Raw %s value: %d\n", IPA_TRUST_DIRECTION, ipa_trust_direction);
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek direction = default_direction(sd, ldb_ctx, sd);
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek /* Just store the AD value in SYSDB, we will check it while we're
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek * trying to use the trust */
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozekconst char *ipa_trust_dir2str(uint32_t direction)
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek && (direction & LSA_TRUST_DIRECTION_INBOUND)) {
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek return "two-way trust";
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek } else if (direction & LSA_TRUST_DIRECTION_OUTBOUND) {
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek return "one-way outbound: local domain is trusted by remote domain";
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek } else if (direction & LSA_TRUST_DIRECTION_INBOUND) {
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek return "one-way inbound: local domain trusts the remote domain";
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek } else if (direction == 0) {
2427b40566cf63880f3650b26a2fee91cb28de24Petr Cech return "not set";
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek return "unknown";
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek#endif /* IPA_GETKEYTAB_TIMEOUT */
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozekstatic struct ad_options *
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozekipa_create_1way_trust_ctx(struct ipa_id_ctx *id_ctx,
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek principal = subdomain_trust_princ(id_ctx, forest_realm, subdom);
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek ad_options = ad_create_1way_trust_options(id_ctx,
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židekstatic struct ad_options *ipa_ad_options_new(struct be_ctx *be_ctx,
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek /* Trusts are only established with forest roots */
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek direction = subdom->forest_root->trust_direction;
e0e038218580166648ac24f23180f0f4c2769d99Michal Židek subdom_conf_path = subdomain_create_conf_path(id_ctx, subdom);
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek DEBUG(SSSDBG_CRIT_FAILURE, "subdom_conf_path failed\n");
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek if (direction & LSA_TRUST_DIRECTION_OUTBOUND) {
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek ad_options = ad_create_2way_trust_options(id_ctx,
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek } else if (direction & LSA_TRUST_DIRECTION_INBOUND) {
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek ad_options = ipa_create_1way_trust_ctx(id_ctx, be_ctx,
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported trust direction!\n");
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n");
de2bad8ae08f09964834bda0f88db9de39f47c5cJakub Hrozek DEBUG(SSSDBG_TRACE_LIBS, "Setting up AD subdomain %s\n", subdom->name);
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek ad_options = ipa_ad_options_new(be_ctx, id_ctx, subdom);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek extra_attrs = dp_opt_get_string(id_ctx->sdap_id_ctx->opts->basic,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek "Setting extra attrs for subdomain [%s] to [%s].\n", ad_domain,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek ret = dp_opt_set_string(ad_options->id->basic, SDAP_USER_EXTRA_ATTRS,
ebe05e32b5af9b1ee404ebe492e52096d45fb675Michal Židek DEBUG(SSSDBG_OP_FAILURE, "dp_opt_set_string failed.\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek ret = sdap_extend_map_with_list(ad_options->id, ad_options->id,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "sdap_extend_map_with_list failed.\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_TRACE_ALL, "No extra attrs set.\n");
778f241e78241b0d6b8734148175f8dee804f494Pavel Březina gc_service_name = talloc_asprintf(ad_options, "sd_gc_%s", subdom->forest);
778f241e78241b0d6b8734148175f8dee804f494Pavel Březina service_name = talloc_asprintf(ad_options, "sd_%s", subdom->name);
62a1570f01053ec61e894ee3e58fc759ee809c6eMichal Židek ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
62a1570f01053ec61e894ee3e58fc759ee809c6eMichal Židek ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek /* Set KRB5 realm to same as the one of IPA when IPA
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek * is able to attach PAC. For testing, use hardcoded. */
62a1570f01053ec61e894ee3e58fc759ee809c6eMichal Židek ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD failover\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek ad_id_ctx = ad_id_ctx_init(ad_options, be_ctx);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek /* use AD plugin */
fb0431b13a9fcd8ac31e622503acbd10d2b73ac9Pavel Březina srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek be_fo_set_srv_lookup_plugin(be_ctx, ad_srv_plugin_send,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek ret = sdap_domain_subdom_add(ad_id_ctx->sdap_id_ctx,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize sdap domain\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek sdom = sdap_domain_get(ad_id_ctx->sdap_id_ctx->opts, subdom);
4c49edbd8df651b1737c59459637962c117212c6Michal Židek ret = ad_set_search_bases(ad_options->id, sdom);
231bd1b34023daa3080cf461085e6e4aa7f4d733Michal Židek DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD search bases\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek sdap_inherit_options(subdom->parent->sd_inherit,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek /* Set up the ID mapping object */
c44728a02d5e2c9eaced11e74820a6ae6a985f61Sumit Bose /* Set up the certificate mapping context */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_getkeytab_exec(const char *ccache,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_getkeytab_done(int child_status,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_getkeytab_timeout(struct tevent_context *ev,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic struct tevent_req *ipa_getkeytab_send(TALLOC_CTX *mem_ctx,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek req = tevent_req_create(mem_ctx, &state, struct ipa_getkeytab_state);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek if (server == NULL || principal == NULL || keytab == NULL) {
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "Retrieving keytab for %s from %s into %s using ccache %s\n",
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek ipa_getkeytab_exec(ccache, server, principal, keytab);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* Set up SIGCHLD handler */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek ret = child_handler_setup(ev, child_pid, ipa_getkeytab_done, req,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Could not set up child handlers [%d]: %s\n",
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* Set up timeout handler */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tv = tevent_timeval_current_ofs(IPA_GETKEYTAB_TIMEOUT, 0);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek state->timeout_handler = tevent_add_timer(ev, req, tv,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* Now either wait for the timeout to fire or the child
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek } else { /* error */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "fork failed [%d][%s].\n", ret, sss_strerror(ret));
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_getkeytab_exec(const char *ccache,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "dup2 failed [%d][%s].\n", ret, sss_strerror(ret));
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* stderr is not fatal */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek gkt_env[0] = talloc_asprintf(NULL, "KRB5CCNAME=%s", ccache);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "Failed to format KRB5CCNAME\n");
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek /* ipa-getkeytab cannot add keys to an empty file, let's unlink it and only
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek * use the filename */
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek "Failed to unlink the temporary ccname [%d][%s]\n",
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek ret = execle(IPA_GETKEYTAB_PATH, IPA_GETKEYTAB_PATH,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "-r", "-s", server, "-p", principal, "-k", keytab_path, NULL,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "execle returned %d, this shouldn't happen!\n", ret);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* The child should never end up here */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "execle failed [%d][%s].\n", ret, sss_strerror(ret));
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_getkeytab_done(int child_status,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek struct tevent_req *req = talloc_get_type(pvt, struct tevent_req);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tevent_req_data(req, struct ipa_getkeytab_state);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek if (WIFEXITED(child_status) && WEXITSTATUS(child_status) != 0) {
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "ipa-getkeytab failed with status [%d]\n", child_status);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tevent_req_error(req, ERR_IPA_GETKEYTAB_FAILED);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "ipa-getkeytab was terminated by signal [%d]\n",
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tevent_req_error(req, ERR_IPA_GETKEYTAB_FAILED);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_getkeytab_timeout(struct tevent_context *ev,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tevent_req_data(req, struct ipa_getkeytab_state);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "Timeout reached for retrieving keytab from IPA server\n");
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tevent_req_error(req, ERR_IPA_GETKEYTAB_FAILED);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic errno_t ipa_getkeytab_recv(struct tevent_req *req, int *child_status)
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tevent_req_data(req, struct ipa_getkeytab_state);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "ipa-getkeytab status %d\n", state->child_status);
6ed964cf2e5a68e92e220f3b9f55029731bcabaaJakub Hrozekstatic errno_t ipa_check_keytab(const char *keytab,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek ret = check_file(keytab, getuid(), getgid(), S_IFREG|0600, 0, NULL, false);
6ed964cf2e5a68e92e220f3b9f55029731bcabaaJakub Hrozek DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
6ed964cf2e5a68e92e220f3b9f55029731bcabaaJakub Hrozek ret = check_file(keytab, kt_owner_uid, kt_owner_gid,
6ed964cf2e5a68e92e220f3b9f55029731bcabaaJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Failed to check for %s\n", keytab);
6ed964cf2e5a68e92e220f3b9f55029731bcabaaJakub Hrozek DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek DEBUG(SSSDBG_TRACE_ALL, "keytab %s already exists\n", keytab);
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozekstatic errno_t ipa_server_trusted_dom_setup_1way(struct tevent_req *req);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_server_trust_1way_kt_done(struct tevent_req *subreq);
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozekipa_server_trusted_dom_setup_send(TALLOC_CTX *mem_ctx,
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozek struct ipa_server_trusted_dom_setup_state *state = NULL;
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* Trusts are only established with forest roots */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "Subdomain %s has no forest root?\n", subdom->name);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek state->direction = subdom->forest_root->trust_direction;
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek state->forest_realm = subdom->forest_root->realm;
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek state->ccache = talloc_asprintf(state, "%s/ccache_%s",
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "Trust direction of subdom %s from forest %s is: %s\n",
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek if (state->direction & LSA_TRUST_DIRECTION_OUTBOUND) {
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozek /* Use system keytab, nothing to do here */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek } else if (state->direction & LSA_TRUST_DIRECTION_INBOUND) {
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* Need special keytab */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* In progress.. */
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozek /* Keytab available, shortcut */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* Even unset is an error at this point */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "Subdomain %s has trust direction %d\n",
146e024b318dadeb069e8ce8254179f6119747f2Jakub Hrozek "Could not add trusted subdomain %s from forest %s\n",
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozekstatic errno_t ipa_server_trusted_dom_setup_1way(struct tevent_req *req)
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozek struct ipa_server_trusted_dom_setup_state *state =
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozek tevent_req_data(req, struct ipa_server_trusted_dom_setup_state);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek state->keytab = forest_keytab(state, state->forest);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up ipa_get_keytab\n");
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek state->new_keytab = talloc_asprintf(state, "%sXXXXXX", state->keytab);
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up ipa_get_keytab\n");
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek ret = sss_unique_filename(state, state->new_keytab);
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create temporary keytab name\n");
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek "Will re-fetch keytab for %s\n", state->subdom->name);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek hostname = dp_opt_get_string(state->id_ctx->ipa_options->basic,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek state->principal = subdomain_trust_princ(state,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up ipa_get_keytab\n");
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek subreq = ipa_getkeytab_send(state->be_ctx, state->be_ctx->ev,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tevent_req_set_callback(subreq, ipa_server_trust_1way_kt_done, req);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_server_trust_1way_kt_done(struct tevent_req *subreq)
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozek struct ipa_server_trusted_dom_setup_state *state =
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozek tevent_req_data(req, struct ipa_server_trusted_dom_setup_state);
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek /* Do not fail here, but try to check and use the previous keytab,
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek DEBUG(SSSDBG_MINOR_FAILURE, "ipa_getkeytab_recv failed: %d\n", ret);
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek "Keytab successfully retrieved to %s\n", state->new_keytab);
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek ret = rename(state->new_keytab, state->keytab);
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek "rename failed [%d][%s].\n", ret, strerror(ret));
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek DEBUG(SSSDBG_TRACE_INTERNAL, "Keytab renamed to %s\n", state->keytab);
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek "Trying to recover and use the previous keytab, if available\n");
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek "The previous keytab %s contains the expected principal\n",
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek /* Nothing we can do now */
db5f9ab3feb85aa444eab20428ca2b98801b6783Jakub Hrozek "Keytab %s contains the expected principals\n", state->new_keytab);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "Established trust context for %s\n", state->subdom->name);
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozekerrno_t ipa_server_trusted_dom_setup_recv(struct tevent_req *req)
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekstatic errno_t ipa_server_create_trusts_step(struct tevent_req *req);
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozekstatic errno_t ipa_server_create_trusts_ctx(struct tevent_req *req);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekstatic void ipa_server_create_trusts_done(struct tevent_req *subreq);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekipa_server_create_trusts_send(TALLOC_CTX *mem_ctx,
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek struct ipa_server_create_trusts_state *state = NULL;
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekstatic errno_t ipa_server_create_trusts_step(struct tevent_req *req)
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek struct ipa_server_create_trusts_state *state = NULL;
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek state = tevent_req_data(req, struct ipa_server_create_trusts_state);
877b92e80bde510d5cd9f03dbf01e2bcf73ab072Michal Židek for (state->domiter = get_next_domain(state->domiter, SSS_GND_DESCEND);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek state->domiter && IS_SUBDOMAIN(state->domiter);
877b92e80bde510d5cd9f03dbf01e2bcf73ab072Michal Židek state->domiter = get_next_domain(state->domiter, 0)) {
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek /* Check if we already have an ID context for this subdomain */
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek DLIST_FOR_EACH(trust_iter, state->id_ctx->server_mode->trusts) {
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek /* Newly detected trust */
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozek subreq = ipa_server_trusted_dom_setup_send(state,
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek tevent_req_set_callback(subreq, ipa_server_create_trusts_done, req);
21f3d6124ea28218d02e1e345d38e2b948e4ec23Michal Židek /* Refresh all sdap_dom lists in all ipa_ad_server_ctx contexts */
21f3d6124ea28218d02e1e345d38e2b948e4ec23Michal Židek DLIST_FOR_EACH(trust_iter, state->id_ctx->server_mode->trusts) {
21f3d6124ea28218d02e1e345d38e2b948e4ec23Michal Židek sdom_a = sdap_domain_get(trust_iter->ad_id_ctx->sdap_id_ctx->opts,
21f3d6124ea28218d02e1e345d38e2b948e4ec23Michal Židek DLIST_FOR_EACH(trust_i, state->id_ctx->server_mode->trusts) {
21f3d6124ea28218d02e1e345d38e2b948e4ec23Michal Židek if (strcmp(trust_iter->dom->name, trust_i->dom->name) == 0) {
21f3d6124ea28218d02e1e345d38e2b948e4ec23Michal Židek sdom_b = sdap_domain_get(trust_i->ad_id_ctx->sdap_id_ctx->opts,
21f3d6124ea28218d02e1e345d38e2b948e4ec23Michal Židek /* Replace basedn and search bases from sdom_b with values
21f3d6124ea28218d02e1e345d38e2b948e4ec23Michal Židek * from sdom_a */
386c5f2e134beb6fcfc474f347e226ac0dedfef5Michal Židek sdap_domain_copy_search_bases(sdom_b, sdom_a);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekstatic void ipa_server_create_trusts_done(struct tevent_req *subreq)
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozek ret = ipa_server_trusted_dom_setup_recv(subreq);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek /* Will cycle back */
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozekstatic errno_t ipa_server_create_trusts_ctx(struct tevent_req *req)
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozek struct ipa_server_create_trusts_state *state = NULL;
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozek state = tevent_req_data(req, struct ipa_server_create_trusts_state);
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozek ret = ipa_ad_ctx_new(state->be_ctx, state->id_ctx, state->domiter, &ad_id_ctx);
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozek "Cannot create ad_id_ctx for subdomain %s\n", state->domiter->name);
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozek trust_ctx = talloc(state->id_ctx->server_mode, struct ipa_ad_server_ctx);
4c53f8b7400630ae06459aa8b5079427edcaa348Jakub Hrozek DLIST_ADD(state->id_ctx->server_mode->trusts, trust_ctx);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekerrno_t ipa_server_create_trusts_recv(struct tevent_req *req)
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozekvoid ipa_ad_subdom_remove(struct be_ctx *be_ctx,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek if (dp_opt_get_bool(id_ctx->ipa_options->basic,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DLIST_FOR_EACH(iter, id_ctx->server_mode->trusts) {
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "No IPA-AD context for subdomain %s\n",
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek sdom = sdap_domain_get(iter->ad_id_ctx->sdap_id_ctx->opts, subdom);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek sdap_domain_remove(iter->ad_id_ctx->sdap_id_ctx->opts, subdom);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DLIST_REMOVE(id_ctx->server_mode->trusts, iter);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek /* terminate all requests for this subdomain so we can free it */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina dp_terminate_domain_requests(be_ctx->provider, subdom->name);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekstatic void create_trusts_at_startup_done(struct tevent_req *req)
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek "ipa_server_create_trusts_send request failed [%d]: %s\n",
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekstatic void create_trusts_at_startup(struct tevent_context *ev,
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek state = talloc_get_type(pvt, struct ipa_ad_subdom_reinit_state);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek req = ipa_server_create_trusts_send(state, state->ev, state->be_ctx,
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "ipa_server_create_trusts_send failed.\n");
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek tevent_req_set_callback(req, create_trusts_at_startup_done, state);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekstatic errno_t ipa_ad_subdom_reinit(TALLOC_CTX *mem_ctx,
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek state = talloc(mem_ctx, struct ipa_ad_subdom_reinit_state);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek if (dp_opt_get_bool(id_ctx->ipa_options->basic,
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "tevent_create_immediate failed.\n");
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek tevent_schedule_immediate(imm, ev, create_trusts_at_startup, state);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek if (dp_opt_get_bool(id_ctx->ipa_options->basic,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek /* The IPA code relies on the default FQDN format to unparse user
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek * names. Warn loudly if the full_name_format was customized on the
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek * IPA server
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek CONFDB_DEFAULT_FULL_NAME_FORMAT_INTERNAL) != 0)) {
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_FATAL_FAILURE, "%s is set to a non-default value [%s] " \
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek "lookups of subdomain users will likely fail!\n",
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek CONFDB_FULL_NAME_FORMAT, be_ctx->domain->names->fq_fmt);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek sss_log(SSS_LOG_ERR, "%s is set to a non-default value [%s] " \
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek "lookups of subdomain users will likely fail!\n",
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek CONFDB_FULL_NAME_FORMAT, be_ctx->domain->names->fq_fmt);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek /* Attempt to continue */
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek realm = dp_opt_get_string(id_ctx->ipa_options->basic, IPA_KRB5_REALM);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek hostname = dp_opt_get_string(id_ctx->ipa_options->basic, IPA_HOSTNAME);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "No host name for IPA?\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek id_ctx->server_mode = talloc_zero(id_ctx, struct ipa_server_mode_ctx);
6ed964cf2e5a68e92e220f3b9f55029731bcabaaJakub Hrozek if (getuid() == 0) {
6ed964cf2e5a68e92e220f3b9f55029731bcabaaJakub Hrozek /* We need to handle keytabs created by IPA oddjob script gracefully
6ed964cf2e5a68e92e220f3b9f55029731bcabaaJakub Hrozek * even if we're running as root and IPA creates them as the SSSD user
6ed964cf2e5a68e92e220f3b9f55029731bcabaaJakub Hrozek DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get ID of %s\n", SSSD_USER);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "ipa_ad_subdom_refresh failed.\n");