krb5_auth.c revision 8f4aaae28c88c707853f8f28d8babc4efe0c1bf6
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen Kerberos 5 Backend Module
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen Sumit Bose <sbose@redhat.com>
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen Copyright (C) 2009 Red Hat
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen This program is free software; you can redistribute it and/or modify
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen it under the terms of the GNU General Public License as published by
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen the Free Software Foundation; either version 3 of the License, or
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen (at your option) any later version.
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen This program is distributed in the hope that it will be useful,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen but WITHOUT ANY WARRANTY; without even the implied warranty of
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen GNU General Public License for more details.
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen You should have received a copy of the GNU General Public License
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen along with this program. If not, see <http://www.gnu.org/licenses/>.
/* Path of the krb5_child helper program: SSSD_LIBEXEC_PATH with
 * "/krb5_child" appended by string-literal concatenation at compile time.
 * NOTE(review): presumably the binary that fork_child() executes; the exec
 * call itself is not visible in this listing. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen#define KRB5_CHILD SSSD_LIBEXEC_PATH"/krb5_child"
/* Queues environment items on the PAM reply `pd`: one "NAME=value" string
 * each for CCACHE_ENV_NAME (built from ccname), SSSD_KRB5_REALM and
 * SSSD_KRB5_KDC (both built from `dummy`), each added as an
 * SSS_PAM_ENV_ITEM response.
 * NOTE(review): only part of the body is visible; where `dummy` is read from
 * and how errors are propagated cannot be seen here. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic errno_t add_krb5_env(struct dp_option *opts, const char *ccname,
/* talloc_asprintf() returns NULL on allocation failure, so `env` must be
 * checked before the strlen(env) below. The check is not visible in this
 * listing -- confirm it exists for all three strings. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen env = talloc_asprintf(tmp_ctx, "%s=%s",CCACHE_ENV_NAME, ccname);
/* Length is strlen + 1, so the terminating NUL travels with the item. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen ret = pam_add_response(pd, SSS_PAM_ENV_ITEM, strlen(env)+1,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen env = talloc_asprintf(tmp_ctx, "%s=%s", SSSD_KRB5_REALM, dummy);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen ret = pam_add_response(pd, SSS_PAM_ENV_ITEM, strlen(env)+1,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen env = talloc_asprintf(tmp_ctx, "%s=%s", SSSD_KRB5_KDC, dummy);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen ret = pam_add_response(pd, SSS_PAM_ENV_ITEM, strlen(env)+1,
/* Decides whether a previously recorded credential cache file may be reused
 * for `uid`. Judging by the log messages, the checks are: the name is an
 * absolute path, the file can be stat'ed, it is owned by the expected user,
 * it is a regular file, and check_if_uid_is_active() reports the user as
 * still active.
 * NOTE(review): only the log statements are visible. The result is used
 * later, so the checks describe the file at check time only; confirm the
 * later open in the child re-validates owner and type. */
a1044a46a8f3512173f4ea2684ef1fc3e61645c7Timo Sirainenstatic errno_t check_if_ccache_file_is_used(uid_t uid, const char *ccname,
a1044a46a8f3512173f4ea2684ef1fc3e61645c7Timo Sirainen DEBUG(1, ("Only absolute path names are allowed.\n"));
/* NOTE(review): confirm whether the call is stat() or lstat(). With stat()
 * a symbolic link is followed before the owner and file-type checks, which
 * matters when the ccache directory is writable by other users. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(1, ("stat failed [%d][%s].\n", errno, strerror(errno)));
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(1, ("Cache file [%s] exists, but is owned by [%d] instead of "
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(1, ("Cache file [%s] exists, but is not a regular file.\n",
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(1, ("check_if_uid_is_active failed.\n"));
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(9, ("User [%d] is still active, reusing ccache file [%s].\n",
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic void krb5_save_ccname_trans(struct tevent_req *subreq);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic void krb5_set_user_attr_done(struct tevent_req *subreq);
/* First step of the asynchronous "store ccache name" request: creates the
 * tevent request with a krb5_save_ccname_state, records ccname under
 * SYSDB_CCACHE_FILE in state->attrs and opens a sysdb transaction.
 * krb5_save_ccname_trans() runs when the transaction is available.
 * NOTE(review): the remaining parameters and the error paths are not visible
 * in this listing. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic struct tevent_req *krb5_save_ccname_send(TALLOC_CTX *mem_ctx,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen req = tevent_req_create(mem_ctx, &state, struct krb5_save_ccname_state);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen ret = sysdb_attrs_add_string(state->attrs, SYSDB_CCACHE_FILE, ccname);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(1, ("sysdb_attrs_add_string failed.\n"));
/* The subrequest is allocated on `state`, so it is freed with the request. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen subreq = sysdb_transaction_send(state, ev, sysdb);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen tevent_req_set_callback(subreq, krb5_save_ccname_trans, req);
/* Callback for the sysdb transaction started by krb5_save_ccname_send():
 * stores the transaction handle in state->handle and issues the
 * sysdb_set_user_attr request, continuing in krb5_set_user_attr_done().
 * NOTE(review): the arguments of sysdb_set_user_attr_send() beyond the
 * handle are not visible here. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic void krb5_save_ccname_trans(struct tevent_req *subreq)
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen struct tevent_req *req = tevent_req_callback_data(subreq,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen struct krb5_save_ccname_state *state = tevent_req_data(req,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen ret = sysdb_transaction_recv(subreq, state, &state->handle);
/* ret is passed to strerror(), i.e. it is treated as an errno value. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(6, ("Error: %d (%s)\n", ret, strerror(ret)));
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen subreq = sysdb_set_user_attr_send(state, state->ev, state->handle,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen tevent_req_set_callback(subreq, krb5_set_user_attr_done, req);
/* Callback for the attribute update: on the path shown it commits the sysdb
 * transaction held in state->handle and hands completion to
 * sysdb_transaction_complete().
 * NOTE(review): the receive call that sets `ret` is not visible in this
 * listing; presumably a failure ends the request before the commit. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic void krb5_set_user_attr_done(struct tevent_req *subreq)
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen struct tevent_req *req = tevent_req_callback_data(subreq,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen struct krb5_save_ccname_state *state = tevent_req_data(req,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(6, ("Error: %d (%s)\n", ret, strerror(ret)));
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen subreq = sysdb_transaction_commit_send(state, state->ev, state->handle);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen tevent_req_set_callback(subreq, sysdb_transaction_complete, req);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenint krb5_save_ccname_recv(struct tevent_req *req)
/* Serialises the request for the child process into an io_buffer.
 * Fields visible in this listing, in write order: pd->cmd, uid, gid, the
 * validate flag, is_offline, then upn, ccname and keytab (each as a uint32
 * length followed by the bytes, without a terminating NUL), then
 * authtok_size + authtok and newauthtok_size + newauthtok.
 * NOTE(review): the buffer holds the user's authentication token(s) in the
 * clear. Confirm it is only ever written to the child's pipe and that it is
 * released (ideally wiped) once sent. Allocation, the closing part of the
 * function and the use of *io_buf are not visible here. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenerrno_t create_send_buffer(struct krb5child_req *kr, struct io_buffer **io_buf)
/* NOTE(review): strlen(keytab) is called below; confirm the KRB5_KEYTAB
 * option always has a value or that a NULL result is handled first. */
b650f04c3b2e7dea2295bdbe3239eb82ec03ada0Timo Sirainen keytab = dp_opt_get_cstring(kr->krb5_ctx->opts, KRB5_KEYTAB);
/* Normalise the boolean option to 0/1 so it can be sent as a uint32. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen validate = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) ? 1 : 0;
/* The size must equal exactly what the writes below emit; the rest of this
 * expression is not visible. NOTE(review): the token sizes originate from
 * the PAM request -- confirm they are bounded so the sum cannot wrap. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen buf->size = 9*sizeof(uint32_t) + strlen(kr->upn) + strlen(kr->ccname) +
/* Extra room for the new-password field; presumably guarded by a
 * password-change condition that is not visible in this listing. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen buf->size += sizeof(uint32_t) + kr->pd->newauthtok_size;
/* `rp` is the running write offset; every helper below advances it.
 * NOTE(review): the COPY variant takes the address of the source field,
 * so each field is assumed to be 32 bits wide -- confirm for uid, gid and
 * is_offline. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->pd->cmd, &rp);
a1044a46a8f3512173f4ea2684ef1fc3e61645c7Timo Sirainen SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->uid, &rp);
6ea145a99eeee923602f04d3c9183bbdba6cd190Timo Sirainen SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->gid, &rp);
6ea145a99eeee923602f04d3c9183bbdba6cd190Timo Sirainen SAFEALIGN_COPY_UINT32(&buf->data[rp], &validate, &rp);
a1044a46a8f3512173f4ea2684ef1fc3e61645c7Timo Sirainen SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->is_offline, &rp);
/* Length-prefixed strings: the receiver has to bound every length against
 * the bytes it actually read before using it. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(kr->upn), &rp);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen safealign_memcpy(&buf->data[rp], kr->upn, strlen(kr->upn), &rp);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(kr->ccname), &rp);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen safealign_memcpy(&buf->data[rp], kr->ccname, strlen(kr->ccname), &rp);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(keytab), &rp);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen safealign_memcpy(&buf->data[rp], keytab, strlen(keytab), &rp);
/* Secrets: current token, then (for password changes) the new token. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->pd->authtok_size, &rp);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen safealign_memcpy(&buf->data[rp], kr->pd->authtok,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->pd->newauthtok_size, &rp);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen safealign_memcpy(&buf->data[rp], kr->pd->newauthtok,
/* Returns the krb5_ctx kept as private backend data, taken from either the
 * BET_AUTH or the BET_CHPASS slot of be_ctx->bet_info.
 * NOTE(review): the selection presumably depends on the PAM command in `pd`;
 * the branching is not visible in this listing. talloc_get_type() yields
 * NULL on a type mismatch, so callers have to handle a NULL result. */
a1044a46a8f3512173f4ea2684ef1fc3e61645c7Timo Sirainenstatic struct krb5_ctx *get_krb5_ctx(struct be_req *be_req)
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen pd = talloc_get_type(be_req->req_data, struct pam_data);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen return talloc_get_type(be_req->be_ctx->bet_info[BET_AUTH].pvt_bet_data,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen return talloc_get_type(be_req->be_ctx->bet_info[BET_CHPASS].pvt_bet_data,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic void krb_reply(struct be_req *req, int dp_err, int result);
/* Timer callback fired when the child has not answered in time. `pvt` is the
 * krb5child_req; the handler logs the child's pid, signals it (a failing
 * kill() is only logged) and answers the backend request with
 * DP_ERR_OFFLINE and the current pd->pam_status.
 * NOTE(review): the signal sent and the value placed in pd->pam_status are
 * not visible here. Confirm the child is also reaped so that a recycled pid
 * can never be signalled. */
a1044a46a8f3512173f4ea2684ef1fc3e61645c7Timo Sirainenstatic void krb5_child_timeout(struct tevent_context *ev,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen struct krb5child_req *kr = talloc_get_type(pvt, struct krb5child_req);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(9, ("timeout for child [%d] reached.\n", kr->child_pid));
b650f04c3b2e7dea2295bdbe3239eb82ec03ada0Timo Sirainen DEBUG(1, ("kill failed [%d][%s].\n", errno, strerror(errno)));
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen krb_reply(be_req, DP_ERR_OFFLINE, pd->pam_status);
/* Arms the watchdog timer for the child request and keeps the handle in
 * kr->timeout_handler. The timer is allocated with `kr` as its talloc
 * parent, so freeing the request also cancels the timer.
 * NOTE(review): how `tv` is computed and which callback is registered are
 * not visible in this listing (presumably krb5_child_timeout). */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic errno_t activate_child_timeout_handler(struct krb5child_req *kr)
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen kr->timeout_handler = tevent_add_timer(kr->req->be_ctx->ev, kr, tv,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen struct krb5child_req *kr = talloc_get_type(ptr, struct krb5child_req);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen child_cleanup(kr->read_from_child_fd, kr->write_to_child_fd);
/* Builds the krb5child_req for a backend request and returns it through
 * krb5_req. The PAM data comes from req->req_data; a missing Kerberos
 * context is logged as an error.
 * NOTE(review): allocation and field initialisation are not visible here. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic errno_t krb5_setup(struct be_req *req, struct krb5child_req **krb5_req)
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen pd = talloc_get_type(req->req_data, struct pam_data);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(1, ("Kerberos context not available.\n"));
/* krb5_cleanup runs whenever `kr` is freed, so the pipe descriptors it
 * releases are tied to the lifetime of the request object. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen talloc_set_destructor((TALLOC_CTX *) kr, krb5_cleanup);
/* Creates the two pipes used to talk to the helper, forks, and in the parent
 * records the read end in kr->read_from_child_fd and arms the timeout
 * handler. In the child, privileges are dropped unless ticket validation
 * needs root to read the keytab (see the comment in the body).
 * NOTE(review): the pipe(), fork(), privilege-drop and exec calls are not
 * visible in this listing; only their error reporting is. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic errno_t fork_child(struct krb5child_req *kr)
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(1, ("pipe failed [%d][%s].\n", errno, strerror(errno)));
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(1, ("pipe failed [%d][%s].\n", errno, strerror(errno)));
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen /* We need to keep the root privileges to read the keytab file if
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen * validation is enabled, otherwise we can drop them here and run
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen * krb5_child with user privileges.
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen * If authtok_size is zero we are offline and want to create an empty
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen * ccache file. In this case we can drop the privileges, too. */
/* NOTE(review): whatever call performs the drop, its return value has to be
 * checked and the child must exit on failure; otherwise the helper keeps
 * running as root while handling user-controlled paths. Confirm that the
 * group id is changed before the user id. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen if (!dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) ||
/* NOTE(review): the text says "LDAP child" inside the Kerberos module; it
 * looks like a copy/paste leftover and makes log triage harder. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(1, ("Could not exec LDAP child: [%d][%s].\n",
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen kr->read_from_child_fd = pipefd_from_child[0];
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(1, ("activate_child_timeout_handler failed.\n"));
ce74395e2a932342e04fb682395bcce111574969Timo Sirainen } else { /* error */
ce74395e2a932342e04fb682395bcce111574969Timo Sirainen DEBUG(1, ("fork failed [%d][%s].\n", errno, strerror(errno)));
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic void handle_child_step(struct tevent_req *subreq);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic void handle_child_done(struct tevent_req *subreq);
/* Starts the asynchronous exchange with the child: creates the request with
 * a handle_child_state and writes the serialised buffer (buf->data,
 * buf->size) to the child's pipe. handle_child_step() runs once the write
 * has completed.
 * NOTE(review): buffer creation, the fork and the descriptor passed to
 * write_pipe_send() are not visible in this listing. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic struct tevent_req *handle_child_send(TALLOC_CTX *mem_ctx,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen req = tevent_req_create(mem_ctx, &state, struct handle_child_state);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen subreq = write_pipe_send(state, ev, buf->data, buf->size,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen tevent_req_set_callback(subreq, handle_child_step, req);
/* Callback after the request was written to the child: starts reading the
 * reply from kr->read_from_child_fd and continues in handle_child_done().
 * NOTE(review): the call that collects the write result is not visible. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic void handle_child_step(struct tevent_req *subreq)
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen struct tevent_req *req = tevent_req_callback_data(subreq,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen struct handle_child_state *state = tevent_req_data(req,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen subreq = read_pipe_send(state, state->ev, state->kr->read_from_child_fd);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen tevent_req_set_callback(subreq, handle_child_done, req);
/* Callback after the child's reply was read: stores the received bytes and
 * their length in state->buf and state->len for the caller to collect.
 * NOTE(review): state->len is whatever the child wrote; the code that
 * parses the reply has to bound every offset against it. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic void handle_child_done(struct tevent_req *subreq)
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen struct tevent_req *req = tevent_req_callback_data(subreq,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen struct handle_child_state *state = tevent_req_data(req,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen ret = read_pipe_recv(subreq, state, &state->buf, &state->len);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic int handle_child_recv(struct tevent_req *req,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen struct handle_child_state *state = tevent_req_data(req,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic void get_user_attr_done(void *pvt, int err, struct ldb_result *res);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic void krb5_resolve_done(struct tevent_req *req);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic void krb5_save_ccname_done(struct tevent_req *req);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic void krb5_child_done(struct tevent_req *req);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic void krb5_pam_handler_cache_done(struct tevent_req *treq);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen const char **attrs;
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen pd = talloc_get_type(be_req->req_data, struct pam_data);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(4, ("krb5 does not handles pam task %d.\n", pd->cmd));
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen (pd->cmd == SSS_PAM_CHAUTHTOK || pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM)) {
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(9, ("Password changes are not possible while offline.\n"));
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen attrs = talloc_array(be_req, const char *, 6);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen ret = sysdb_get_user_attr(be_req, be_req->be_ctx->sysdb,
/* sysdb callback with the cached attributes of the user being
 * authenticated. From the single expected result it fills the
 * krb5child_req: principal (upn), home directory, uid, gid and the recorded
 * ccache file, checks whether that ccache is still in use and whether it
 * holds a valid TGT, then starts server resolution and continues in
 * krb5_resolve_done().
 * NOTE(review): the switch on the result count and all error exits are not
 * visible in this listing; only their log messages are. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic void get_user_attr_done(void *pvt, int err, struct ldb_result *res)
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen struct be_req *be_req = talloc_get_type(pvt, struct be_req);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen struct pam_data *pd = talloc_get_type(be_req->req_data, struct pam_data);
6b4b3e5fe8d9e84f4b1356ee898ca76996a11fe1Timo Sirainen DEBUG(5, ("sysdb search for upn of user [%s] failed.\n", pd->user));
6b4b3e5fe8d9e84f4b1356ee898ca76996a11fe1Timo Sirainen realm = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(5, ("No attributes for user [%s] found.\n", pd->user));
/* Preferred source of the principal: the SYSDB_UPN attribute (NULL when
 * the entry has none). */
e22ec7998afd426c53c658483ce66b6e404e27c6Timo Sirainen kr->upn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_UPN, NULL);
e22ec7998afd426c53c658483ce66b6e404e27c6Timo Sirainen /* NOTE: this is a hack, works only in some environments */
/* Fallback principal "user@realm", built from the PAM-supplied user name
 * and the configured realm. NOTE(review): confirm pd->user is validated
 * upstream and that `realm` is non-NULL here; talloc_asprintf() itself can
 * also return NULL. */
e22ec7998afd426c53c658483ce66b6e404e27c6Timo Sirainen kr->upn = talloc_asprintf(be_req, "%s@%s", pd->user, realm);
e22ec7998afd426c53c658483ce66b6e404e27c6Timo Sirainen DEBUG(9, ("Using simple UPN [%s].\n", kr->upn));
ce74395e2a932342e04fb682395bcce111574969Timo Sirainen kr->homedir = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_HOMEDIR,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(4, ("Home directory for user [%s] not known.\n", pd->user));
/* 0 is the "attribute missing" default and is also root's id, so the
 * "not known" branches below must reject it before the value reaches the
 * child. NOTE(review): the attribute is read as uint64; confirm the
 * narrowing into kr->uid / kr->gid cannot change the value. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen kr->uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0);
6b4b3e5fe8d9e84f4b1356ee898ca76996a11fe1Timo Sirainen DEBUG(4, ("UID for user [%s] not known.\n", pd->user));
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen kr->gid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_GIDNUM, 0);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(4, ("GID for user [%s] not known.\n", pd->user));
/* The ccache path comes from the cache database, not from the current
 * session, so it is re-checked against the file system before reuse. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen ccache_file = ldb_msg_find_attr_as_string(res->msgs[0],
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen ret = check_if_ccache_file_is_used(kr->uid, ccache_file,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(1, ("check_if_ccache_file_is_used failed.\n"));
ce74395e2a932342e04fb682395bcce111574969Timo Sirainen kerr = check_for_valid_tgt(ccache_file, realm, kr->upn,
e22ec7998afd426c53c658483ce66b6e404e27c6Timo Sirainen DEBUG(4, ("No ccache file for user [%s] found.\n", pd->user));
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(9, ("Ccache_file is [%s] and is %s active and TGT is %s valid.\n",
/* More than one match for a user name is treated as an error. */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(1, ("A user search by name (%s) returned > 1 results!\n",
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen req = be_resolve_server_send(kr, be_req->be_ctx->ev, be_req->be_ctx,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen tevent_req_set_callback(req, krb5_resolve_done, kr);
/* Callback after server resolution. Depending on the offline state, on
 * whether an active ccache exists and on whether its TGT is valid, it
 * either prepares a new ccache name (removing the old file and expanding
 * the name template), short-circuits when a valid TGT is already present
 * (exporting CCACHE_ENV_NAME and saving the ccache name), or hands the
 * request to the child via handle_child_send().
 * NOTE(review): the conditions are only partly visible in this listing, so
 * the exact branch structure should be read from the full source. */
b650f04c3b2e7dea2295bdbe3239eb82ec03ada0Timo Sirainenstatic void krb5_resolve_done(struct tevent_req *req)
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen struct krb5child_req *kr = tevent_req_callback_data(req,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen /* all servers have been tried and none
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen * was found good, setting offline,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen * but we still have to call the child to setup
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen * the ccache file. */
e22ec7998afd426c53c658483ce66b6e404e27c6Timo Sirainen (be_is_offline(be_req->be_ctx) && !kr->active_ccache_present &&
e22ec7998afd426c53c658483ce66b6e404e27c6Timo Sirainen (!be_is_offline(be_req->be_ctx) && !kr->active_ccache_present)) {
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(1, ("Ccache file name [%s] is not an absolute path.\n",
/* NOTE(review): this unlink appears to run in the backend process rather
 * than in the child. Confirm which privileges are in effect and that the
 * path passed the owner and file-type checks first; the only check visible
 * here is "absolute path". */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(1, ("unlink [%s] failed [%d][%s].\n", kr->ccname,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(1, ("expand_ccname_template failed.\n"));
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(9, ("Preparing for offline operation.\n"));
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(9, ("Valid TGT available, nothing to do.\n"));
/* Export the ccache location to the PAM session; strlen + 1 includes the
 * terminating NUL. `msg` needs a NULL check before strlen(). */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen msg = talloc_asprintf(pd, "%s=%s", CCACHE_ENV_NAME, kr->ccname);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen ret = pam_add_response(pd, SSS_PAM_ENV_ITEM, strlen(msg) + 1,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen req = krb5_save_ccname_send(kr, be_req->be_ctx->ev,
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen DEBUG(1, ("krb5_save_ccname_send failed.\n"));
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen tevent_req_set_callback(req, krb5_save_ccname_done, kr);
/* Normal path: run the child and parse its reply in krb5_child_done(). */
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen req = handle_child_send(kr, be_req->be_ctx->ev, kr);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen tevent_req_set_callback(req, krb5_child_done, kr);
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainenstatic void krb5_child_done(struct tevent_req *req)
b772ddf3cfb606dddaa465b317a0dc01bf06c6e4Timo Sirainen struct krb5child_req *kr = tevent_req_callback_data(req,
goto done;
goto done;
p += sizeof(int32_t);
p += sizeof(int32_t);
p += sizeof(int32_t);
*msg_len));
goto done;
goto done;
goto done;
goto done;
&buf[p]));
goto done;
goto done;
goto done;
done:
struct krb5child_req);
int ret;
goto failed;
goto failed;
goto failed;
case SSS_PAM_AUTHENTICATE:
case SSS_PAM_CHAUTHTOK_PRELIM:
case SSS_PAM_CHAUTHTOK:
goto failed;
password);
goto failed;
int ret;
if (ret) {