krb5_common.c revision 97c93859e310bc8e4ad5f011e42a5fccd4a7f369
Kerberos Provider Common Functions
Sumit Bose <sbose@redhat.com>
Copyright (C) 2008-2009 Red Hat
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
{ "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
{ "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER },
{ "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
{ "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
{ "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }
errno_t check_and_export_lifetime(struct dp_option *opts, const int opt_id,
DEBUG(1, ("Invalid value [%s] for a lifetime.\n", str));
errno_t check_and_export_options(struct dp_option *opts,
const char *dummy;
ret = dp_opt_set_string(opts, KRB5_REALM, dom->name);
DEBUG(2, ("setenv %s failed, authentication might fail.\n",
ret = check_and_export_lifetime(opts, KRB5_RENEWABLE_LIFETIME,
DEBUG(1, ("Failed to check value of krb5_renewable_lifetime. [%d][%s]\n",
ret = check_and_export_lifetime(opts, KRB5_LIFETIME,
DEBUG(1, ("Failed to check value of krb5_lifetime. [%d][%s]\n",
use_fast_str = dp_opt_get_string(opts, KRB5_USE_FAST);
ret = check_fast(use_fast_str, &krb5_ctx->use_fast);
ret = setenv(SSSD_KRB5_USE_FAST, use_fast_str, 1);
DEBUG(2, ("setenv [%s] failed.\n", SSSD_KRB5_USE_FAST));
fast_principal = dp_opt_get_string(opts, KRB5_FAST_PRINCIPAL);
ret = setenv(SSSD_KRB5_FAST_PRINCIPAL, fast_principal, 1);
DEBUG(2, ("setenv [%s] failed.\n", SSSD_KRB5_FAST_PRINCIPAL));
DEBUG(1, ("No KDC explicitly configured, using defaults.\n"));
dummy = dp_opt_get_cstring(opts, KRB5_KPASSWD);
DEBUG(1, ("No kpasswd server explicitly configured, "
"using the KDC or defaults.\n"));
dummy = dp_opt_get_cstring(opts, KRB5_CCNAME_TMPL);
DEBUG(1, ("Missing credential cache name template.\n"));
if (dummy[0] != '/' && strncmp(dummy, "FILE:", 5) != 0) {
DEBUG(1, ("Currently only file based credential caches are supported "
"and krb5ccname_template must start with '/' or 'FILE:'\n"));
errno_t krb5_try_kdcip(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
krb5_servers = dp_opt_get_string(opts, opt_id);
DEBUG(4, ("No KDC found in configuration, trying legacy option\n"));
ret = confdb_get_string(cdb, memctx, conf_path,
ret = dp_opt_set_string(opts, opt_id, krb5_servers);
DEBUG(9, ("Set krb5 server [%s] based on legacy krb5_kdcip option\n",
DEBUG(0, ("Your configuration uses the deprecated option 'krb5_kdcip' "
"to specify the KDC. Please change the configuration to use "
"the 'krb5_server' option instead.\n"));
errno_t krb5_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
opts = talloc_zero(memctx, struct dp_option);
ret = dp_get_options(opts, cdb, conf_path, default_krb5_opts,
/* If there is no KDC, try the deprecated krb5_kdcip option, too */
/* FIXME - this can be removed in a future version */
ret = krb5_try_kdcip(memctx, cdb, conf_path, opts, KRB5_KDC);
errno_t write_krb5info_file(const char *realm, const char *server,
if (realm == NULL || *realm == '\0' || server == NULL || *server == '\0' ||
DEBUG(1, ("Missing or empty realm, server or service.\n"));
} else if (strcmp(service, SSS_KRB5KPASSWD_FO_SRV) == 0) {
DEBUG(1, ("Unsupported service [%s]\n.", service));
tmp_name = talloc_asprintf(tmp_ctx, PUBCONF_PATH"/.krb5info_dummy_XXXXXX");
krb5info_name = talloc_asprintf(tmp_ctx, name_tmpl, realm);
DEBUG(1, ("mkstemp failed [%d][%s].\n", ret, strerror(ret)));
ret = write(fd, server+written, server_len-written);
DEBUG(1, ("write failed [%d][%s].\n", ret, strerror(ret)));
DEBUG(1, ("Write error, wrote [%d] bytes, expected [%d]\n",
ret = fchmod(fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
DEBUG(1, ("fchmod failed [%d][%s].\n", ret, strerror(ret)));
DEBUG(1, ("close failed [%d][%s].\n", ret, strerror(ret)));
DEBUG(1, ("rename failed [%d][%s].\n", ret, strerror(ret)));
static void krb5_resolve_callback(void *private_data, struct fo_server *server)
krb5_service = talloc_get_type(private_data, struct krb5_service);
DEBUG(1, ("FATAL: No hostent available for server (%s)\n",
address = resolv_get_string_address(krb5_service, srvaddr);
DEBUG(1, ("resolv_get_string_address failed.\n"));
safe_address = talloc_asprintf_append(safe_address, ":%d",
DEBUG(1, ("talloc_asprintf_append failed.\n"));
ret = write_krb5info_file(krb5_service->realm, safe_address,
DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n"));
int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
const char *service_name, const char *servers,
const char *realm, struct krb5_service **_service)
service = talloc_zero(tmp_ctx, struct krb5_service);
DEBUG(1, ("Failed to create failover service!\n"));
service->name = talloc_strdup(service, service_name);
service->realm = talloc_strdup(service, realm);
ret = split_on_separator(tmp_ctx, servers, ',', true, &list, NULL);
for (i = 0; list[i]; i++) {
ret = be_fo_add_srv_server(ctx, service_name, service_name,
DEBUG(1, ("strtol failed on [%s]: [%d][%s].\n", port_str,
DEBUG(1, ("Found additional characters [%s] in port number "
DEBUG(1, ("Illegal port number [%d].\n", port));
DEBUG(1, ("getservbyname cannot find service [%s].\n",
DEBUG(1, ("Unsupported port specifier in [%s].\n", list[i]));
ret = be_fo_add_server(ctx, service_name, server_spec, (int) port,
ret = be_fo_service_add_callback(memctx, ctx, service_name,
DEBUG(1, ("Failed to add failover callback!\n"));
errno_t remove_krb5_info_files(TALLOC_CTX *mem_ctx, const char *realm)
file = talloc_asprintf(mem_ctx, KDCINFO_TMPL, realm);
return ENOMEM;
errno = 0;
return ENOMEM;
errno = 0;
return EOK;
int ret;
struct remove_info_files_ctx);
int signum,
int count,
void *siginfo,
void *private_data)
int ret;
int ret;
const char *krb5_realm;
return EINVAL;
return ENOMEM;
goto done;
goto done;
NULL);
goto done;
done:
return ret;
const char *krb5_realm;
char *sig_realm;
return EINVAL;
return ENOMEM;
return ENOMEM;
return EOK;
const char *realm;
char *upn;
return ENOENT;
return ENOMEM;
return EOK;