ipa_subdomains_server.c revision 146e024b318dadeb069e8ce8254179f6119747f2
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek IPA Subdomains Module - server mode
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek Sumit Bose <sbose@redhat.com>
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek Copyright (C) 2015 Red Hat
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek This program is free software; you can redistribute it and/or modify
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek it under the terms of the GNU General Public License as published by
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek the Free Software Foundation; either version 3 of the License, or
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek (at your option) any later version.
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek This program is distributed in the hope that it will be useful,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek but WITHOUT ANY WARRANTY; without even the implied warranty of
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek GNU General Public License for more details.
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek You should have received a copy of the GNU General Public License
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek along with this program. If not, see <http://www.gnu.org/licenses/>.
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek/* These constants are defined in MS-ADTS 6.1.6.7.1
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek * https://msdn.microsoft.com/en-us/library/cc223768.aspx
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic char *forest_keytab(TALLOC_CTX *mem_ctx, const char *forest)
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic char *subdomain_trust_princ(TALLOC_CTX *mem_ctx,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "Unknown flat name for parent %s\n", sd->parent->name);
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozekstatic uint32_t default_direction(TALLOC_CTX *mem_ctx,
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek dn = ipa_subdom_ldb_dn(mem_ctx, ldb_ctx, attrs);
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek /* Shouldn't happen, but let's try system keytab in this case */
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek "Cannot determine subdomain DN, falling back to two-way trust\n");
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek return (LSA_TRUST_DIRECTION_INBOUND|LSA_TRUST_DIRECTION_OUTBOUND);
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek /* It's expected member domains do not have the direction */
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek /* Old server? Default to 2way trust */
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek direction = (LSA_TRUST_DIRECTION_INBOUND|LSA_TRUST_DIRECTION_OUTBOUND);
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozekerrno_t ipa_server_get_trust_direction(struct sysdb_attrs *sd,
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek ret = sysdb_attrs_get_uint32_t(sd, IPA_TRUST_DIRECTION,
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek "Raw %s value: %d\n", IPA_TRUST_DIRECTION, ipa_trust_direction);
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek direction = default_direction(sd, ldb_ctx, sd);
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek /* Just store the AD value in SYSDB, we will check it while we're
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek * trying to use the trust */
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozekconst char *ipa_trust_dir2str(uint32_t direction)
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek && (direction & LSA_TRUST_DIRECTION_INBOUND)) {
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek return "two-way trust";
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek } else if (direction & LSA_TRUST_DIRECTION_OUTBOUND) {
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek return "one-way outbound: local domain is trusted by remote domain";
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek } else if (direction & LSA_TRUST_DIRECTION_INBOUND) {
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek return "one-way inbound: local domain trusts the remote domain";
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek } else if (direction == 0) {
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek return "trust direction not set";
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek return "unknown";
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek#endif /* IPA_GETKEYTAB_TIMEOUT */
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozekstatic struct ad_options *
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozekipa_create_1way_trust_ctx(struct ipa_id_ctx *id_ctx,
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek principal = subdomain_trust_princ(id_ctx, forest_realm, subdom);
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek ad_options = ad_create_1way_trust_options(id_ctx,
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozekstatic struct ad_options *ipa_ad_options_new(struct ipa_id_ctx *id_ctx,
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek /* Trusts are only established with forest roots */
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek direction = subdom->forest_root->trust_direction;
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek if (direction & LSA_TRUST_DIRECTION_OUTBOUND) {
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek ad_options = ad_create_2way_trust_options(id_ctx,
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek } else if (direction & LSA_TRUST_DIRECTION_INBOUND) {
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek ad_options = ipa_create_1way_trust_ctx(id_ctx, forest,
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported trust direction!\n");
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n");
de2bad8ae08f09964834bda0f88db9de39f47c5cJakub Hrozek DEBUG(SSSDBG_TRACE_LIBS, "Setting up AD subdomain %s\n", subdom->name);
d2c552edde275e6c0de904760147afb2992796e9Jakub Hrozek ad_options = ipa_ad_options_new(id_ctx, subdom);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek extra_attrs = dp_opt_get_string(id_ctx->sdap_id_ctx->opts->basic,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek "Setting extra attrs for subdomain [%s] to [%s].\n", ad_domain,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek ret = dp_opt_set_string(ad_options->id->basic, SDAP_USER_EXTRA_ATTRS,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "dp_opt_get_string failed.\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek ret = sdap_extend_map_with_list(ad_options->id, ad_options->id,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "sdap_extend_map_with_list failed.\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_TRACE_ALL, "No extra attrs set.\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek gc_service_name = talloc_asprintf(ad_options, "%s%s", "gc_", subdom->name);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek /* Set KRB5 realm to same as the one of IPA when IPA
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek * is able to attach PAC. For testing, use hardcoded. */
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek ret = ad_failover_init(ad_options, be_ctx, NULL, NULL,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD failover\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek ad_id_ctx = ad_id_ctx_init(ad_options, be_ctx);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek /* use AD plugin */
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx->be_res,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek be_fo_set_srv_lookup_plugin(be_ctx, ad_srv_plugin_send,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek ret = sdap_domain_subdom_add(ad_id_ctx->sdap_id_ctx,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize sdap domain\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek sdom = sdap_domain_get(ad_id_ctx->sdap_id_ctx->opts, subdom);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek sdap_inherit_options(subdom->parent->sd_inherit,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek /* Set up the ID mapping object */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_getkeytab_exec(const char *ccache,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_getkeytab_done(int child_status,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_getkeytab_timeout(struct tevent_context *ev,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic struct tevent_req *ipa_getkeytab_send(TALLOC_CTX *mem_ctx,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek req = tevent_req_create(mem_ctx, &state, struct ipa_getkeytab_state);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek if (server == NULL || principal == NULL || keytab == NULL) {
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "Retrieving keytab for %s from %s into %s using ccache %s\n",
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek ipa_getkeytab_exec(ccache, server, principal, keytab);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* Set up SIGCHLD handler */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek ret = child_handler_setup(ev, child_pid, ipa_getkeytab_done, req,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Could not set up child handlers [%d]: %s\n",
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* Set up timeout handler */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tv = tevent_timeval_current_ofs(IPA_GETKEYTAB_TIMEOUT, 0);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek state->timeout_handler = tevent_add_timer(ev, req, tv,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* Now either wait for the timeout to fire or the child
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek } else { /* error */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "fork failed [%d][%s].\n", ret, sss_strerror(ret));
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_getkeytab_exec(const char *ccache,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "dup2 failed [%d][%s].\n", ret, sss_strerror(ret));
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* stderr is not fatal */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek gkt_env[0] = talloc_asprintf(NULL, "KRB5CCNAME=%s", ccache);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "Failed to format KRB5CCNAME\n");
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek ret = execle(IPA_GETKEYTAB_PATH, IPA_GETKEYTAB_PATH,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "-r", "-s", server, "-p", principal, "-k", keytab_path, NULL,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "execle returned %d, this shouldn't happen!\n", ret);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* The child should never end up here */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "execle failed [%d][%s].\n", ret, sss_strerror(ret));
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_getkeytab_done(int child_status,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek struct tevent_req *req = talloc_get_type(pvt, struct tevent_req);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tevent_req_data(req, struct ipa_getkeytab_state);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek if (WIFEXITED(child_status) && WEXITSTATUS(child_status) != 0) {
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "ipa-getkeytab failed with status [%d]\n", child_status);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tevent_req_error(req, ERR_IPA_GETKEYTAB_FAILED);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "ipa-getkeytab was terminated by signal [%d]\n",
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tevent_req_error(req, ERR_IPA_GETKEYTAB_FAILED);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_getkeytab_timeout(struct tevent_context *ev,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tevent_req_data(req, struct ipa_getkeytab_state);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "Timeout reached for retrieving keytab from IPA server\n");
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tevent_req_error(req, ERR_IPA_GETKEYTAB_FAILED);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic errno_t ipa_getkeytab_recv(struct tevent_req *req, int *child_status)
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tevent_req_data(req, struct ipa_getkeytab_state);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "ipa-getkeytab status %d\n", state->child_status);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic errno_t ipa_check_keytab(const char *keytab)
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek ret = check_file(keytab, getuid(), getgid(), S_IFREG|0600, 0, NULL, false);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Failed to check for %s\n", keytab);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek DEBUG(SSSDBG_TRACE_ALL, "keytab %s already exists\n", keytab);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic errno_t ipa_server_trust_add_1way(struct tevent_req *req);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_server_trust_1way_kt_done(struct tevent_req *subreq);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic errno_t ipa_server_trust_add_step(struct tevent_req *req);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekstatic struct tevent_req *
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek struct ipa_server_trust_add_state *state = NULL;
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek req = tevent_req_create(mem_ctx, &state, struct ipa_server_trust_add_state);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* Trusts are only established with forest roots */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "Subdomain %s has no forest root?\n", subdom->name);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek state->direction = subdom->forest_root->trust_direction;
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek state->forest_realm = subdom->forest_root->realm;
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek state->ccache = talloc_asprintf(state, "%s/ccache_%s",
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "Trust direction of subdom %s from forest %s is: %s\n",
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek if (state->direction & LSA_TRUST_DIRECTION_OUTBOUND) {
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* Use system keytab */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek } else if (state->direction & LSA_TRUST_DIRECTION_INBOUND) {
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* Need special keytab */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* In progress.. */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek /* Even unset is an error at this point */
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "Subdomain %s has trust direction %d\n",
146e024b318dadeb069e8ce8254179f6119747f2Jakub Hrozek "Could not add trusted subdomain %s from forest %s\n",
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic errno_t ipa_server_trust_add_1way(struct tevent_req *req)
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tevent_req_data(req, struct ipa_server_trust_add_state);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek state->keytab = forest_keytab(state, state->forest);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up ipa_get_keytab\n");
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "Keytab already present, can add the trust\n");
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek hostname = dp_opt_get_string(state->id_ctx->ipa_options->basic,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek state->principal = subdomain_trust_princ(state,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up ipa_get_keytab\n");
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek subreq = ipa_getkeytab_send(state->be_ctx, state->be_ctx->ev,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tevent_req_set_callback(subreq, ipa_server_trust_1way_kt_done, req);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic void ipa_server_trust_1way_kt_done(struct tevent_req *subreq)
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tevent_req_data(req, struct ipa_server_trust_add_state);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "ipa_getkeytab_recv failed: %d\n", ret);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "Keytab successfully retrieved to %s\n", state->keytab);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "ipa_check_keytab failed: %d\n", ret);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "ipa_server_trust_add_step failed: %d\n", ret);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "Established trust context for %s\n", state->subdom->name);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozekstatic errno_t ipa_server_trust_add_step(struct tevent_req *req)
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek tevent_req_data(req, struct ipa_server_trust_add_state);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek ret = ipa_ad_ctx_new(state->be_ctx, state->id_ctx, state->subdom, &ad_id_ctx);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek "Cannot create ad_id_ctx for subdomain %s\n", state->subdom->name);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek trust_ctx = talloc(state->id_ctx->server_mode, struct ipa_ad_server_ctx);
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek DLIST_ADD(state->id_ctx->server_mode->trusts, trust_ctx);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekstatic errno_t ipa_server_trust_add_recv(struct tevent_req *req)
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekstatic errno_t ipa_server_create_trusts_step(struct tevent_req *req);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekstatic void ipa_server_create_trusts_done(struct tevent_req *subreq);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekipa_server_create_trusts_send(TALLOC_CTX *mem_ctx,
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek struct ipa_server_create_trusts_state *state = NULL;
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekstatic errno_t ipa_server_create_trusts_step(struct tevent_req *req)
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek struct ipa_server_create_trusts_state *state = NULL;
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek state = tevent_req_data(req, struct ipa_server_create_trusts_state);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek for (state->domiter = get_next_domain(state->domiter, true);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek state->domiter && IS_SUBDOMAIN(state->domiter);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek state->domiter = get_next_domain(state->domiter, false)) {
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek /* Check if we already have an ID context for this subdomain */
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek DLIST_FOR_EACH(trust_iter, state->id_ctx->server_mode->trusts) {
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek /* Newly detected trust */
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek subreq = ipa_server_trust_add_send(state, state->ev, state->be_ctx,
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek tevent_req_set_callback(subreq, ipa_server_create_trusts_done, req);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekstatic void ipa_server_create_trusts_done(struct tevent_req *subreq)
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek /* Will cycle back */
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekerrno_t ipa_server_create_trusts_recv(struct tevent_req *req)
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozekvoid ipa_ad_subdom_remove(struct be_ctx *be_ctx,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek if (dp_opt_get_bool(id_ctx->ipa_options->basic,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DLIST_FOR_EACH(iter, id_ctx->server_mode->trusts) {
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "No IPA-AD context for subdomain %s\n",
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek sdom = sdap_domain_get(iter->ad_id_ctx->sdap_id_ctx->opts, subdom);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek sdap_domain_remove(iter->ad_id_ctx->sdap_id_ctx->opts, subdom);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DLIST_REMOVE(id_ctx->server_mode->trusts, iter);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek /* terminate all requests for this subdomain so we can free it */
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek be_terminate_domain_requests(be_ctx, subdom->name);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekstatic void create_trusts_at_startup_done(struct tevent_req *req)
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek "ipa_server_create_trusts_send request failed [%d]: %s\n",
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekstatic void create_trusts_at_startup(struct tevent_context *ev,
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek state = talloc_get_type(pvt, struct ipa_ad_subdom_reinit_state);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek req = ipa_server_create_trusts_send(state, state->ev, state->be_ctx,
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "ipa_server_create_trusts_send failed.\n");
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek tevent_req_set_callback(req, create_trusts_at_startup_done, state);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozekstatic errno_t ipa_ad_subdom_reinit(TALLOC_CTX *mem_ctx,
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek state = talloc(mem_ctx, struct ipa_ad_subdom_reinit_state);
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek if (dp_opt_get_bool(id_ctx->ipa_options->basic,
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "tevent_create_immediate failed.\n");
298e22fc97a99994e025c0d507737d88fe6fafefJakub Hrozek tevent_schedule_immediate(imm, ev, create_trusts_at_startup, state);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek if (dp_opt_get_bool(id_ctx->ipa_options->basic,
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek /* The IPA code relies on the default FQDN format to unparse user
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek * names. Warn loudly if the full_name_format was customized on the
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek * IPA server
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek CONFDB_DEFAULT_FULL_NAME_FORMAT_INTERNAL) != 0)) {
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_FATAL_FAILURE, "%s is set to a non-default value [%s] " \
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek "lookups of subdomain users will likely fail!\n",
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek CONFDB_FULL_NAME_FORMAT, be_ctx->domain->names->fq_fmt);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek sss_log(SSS_LOG_ERR, "%s is set to a non-default value [%s] " \
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek "lookups of subdomain users will likely fail!\n",
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek CONFDB_FULL_NAME_FORMAT, be_ctx->domain->names->fq_fmt);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek /* Attempt to continue */
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek realm = dp_opt_get_string(id_ctx->ipa_options->basic, IPA_KRB5_REALM);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek hostname = dp_opt_get_string(id_ctx->ipa_options->basic, IPA_HOSTNAME);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "No host name for IPA?\n");
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek id_ctx->server_mode = talloc_zero(id_ctx, struct ipa_server_mode_ctx);
27e89b6925334565c73c407a9ae2809358789c81Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "ipa_ad_subdom_refresh failed.\n");