/*
    SSSD

    Authors:
        Stephen Gallagher <sgallagh@redhat.com>

    Copyright (C) 2012 Red Hat

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
1c67beb3720d0b84d8d71ee2012166a09be81fbdChristian Maeder
1c67beb3720d0b84d8d71ee2012166a09be81fbdChristian Maeder
1c67beb3720d0b84d8d71ee2012166a09be81fbdChristian Maeder#include <sys/types.h>
1c67beb3720d0b84d8d71ee2012166a09be81fbdChristian Maeder#include <unistd.h>
62925f4a144f45b5ed1e7c841f891d13f51e553dChristian Maeder#include <sys/stat.h>
715ffaf874309df081d1e1cd8e05073fc1227729Christian Maeder#include <fcntl.h>
369454f9b2dbea113cbb40544a9b0f31425b2c69Christian Maeder
53301de22afd7190981b363b57c48df86fcb50f7Christian Maeder#include <sasl/sasl.h>
cdaff0507c1b7240e2660dbb311f9c4646a6d14aChristian Maeder
f3cd81f98592d1dbf301f48af31677a6a0cc666aChristian Maeder#include "util/util.h"
ff9a53595208f532c25ac5168f772f48fd80fdb5Christian Maeder#include "providers/ad/ad_common.h"
d17834302eaa101395b4b806cd73670fd864445fChristian Maeder#include "providers/ad/ad_access.h"
0f67ca7b0c738a28f6688ba6e96d44d7c14af611Christian Maeder#include "providers/ldap/ldap_common.h"
aff01ee50b66032469c232e00c945d1fd4f57d1bChristian Maeder#include "providers/ldap/sdap_access.h"
aff01ee50b66032469c232e00c945d1fd4f57d1bChristian Maeder#include "providers/ldap/sdap_idmap.h"
aff01ee50b66032469c232e00c945d1fd4f57d1bChristian Maeder#include "providers/krb5/krb5_auth.h"
aff01ee50b66032469c232e00c945d1fd4f57d1bChristian Maeder#include "providers/krb5/krb5_init_shared.h"
aff01ee50b66032469c232e00c945d1fd4f57d1bChristian Maeder#include "providers/ad/ad_id.h"
ff9a53595208f532c25ac5168f772f48fd80fdb5Christian Maeder#include "providers/ad/ad_srv.h"
836e72a3c413366ba9801726f3b249c7791cb9caChristian Maeder#include "providers/dp_dyndns.h"
ff9a53595208f532c25ac5168f772f48fd80fdb5Christian Maeder#include "providers/ad/ad_subdomains.h"
aff01ee50b66032469c232e00c945d1fd4f57d1bChristian Maeder#include "providers/ad/ad_domain_info.h"
aff01ee50b66032469c232e00c945d1fd4f57d1bChristian Maeder
/* Provider-wide AD options. NULL until the first sssm_ad_*_init() entry
 * point runs common_ad_init(), which fills it via ad_get_common_options();
 * every entry point in this file tests it to decide whether the shared
 * setup has already happened. */
struct ad_options *ad_options = NULL;

/* Finalize handler of ad_id_ops; defined at the end of this file. */
static void
ad_shutdown(struct be_req *req);
aff01ee50b66032469c232e00c945d1fd4f57d1bChristian Maeder
/* Backend operation tables returned through the `ops` out-parameter of the
 * sssm_ad_*_init() functions below. Every field is spelled out; a NULL
 * member is identical to the zero-initialization an omitted member gets. */

/* id provider: account lookups, shutdown and online check. */
struct bet_ops ad_id_ops = {
    .handler      = ad_account_info_handler,
    .finalize     = ad_shutdown,
    .check_online = ad_check_online,
};

/* auth provider: Kerberos PAM handler, nothing to finalize. */
struct bet_ops ad_auth_ops = {
    .handler      = krb5_pam_handler,
    .finalize     = NULL,
    .check_online = NULL,
};

/* chpass provider: shares the Kerberos PAM handler with auth. */
struct bet_ops ad_chpass_ops = {
    .handler      = krb5_pam_handler,
    .finalize     = NULL,
    .check_online = NULL,
};

/* access provider. */
struct bet_ops ad_access_ops = {
    .handler      = ad_access_handler,
    .finalize     = NULL,
    .check_online = NULL,
};
18b709ce961d68328da768318dcc70067f066d86Christian Maeder
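/* Value answered to the cyrus-sasl GSSAPI plugin for its "ad_compat" option. */
#define AD_COMPAT_ON "1"

/*
 * SASL_CB_GETOPT callback: answers option queries from SASL plugins.
 *
 * Only the "ad_compat" option of the "GSSAPI" plugin is answered (with
 * AD_COMPAT_ON); any other query is refused with SASL_FAIL so the plugin
 * falls back to its own defaults.
 *
 * @param context      Unused callback context.
 * @param plugin_name  Name of the querying plugin; NULL is refused.
 * @param option       Name of the queried option; NULL is refused.
 * @param result       Out: points at the static option value on success.
 * @param len          Out: length of *result without the terminator;
 *                     may be NULL.
 * @return SASL_OK when the option was answered, SASL_FAIL otherwise.
 */
static int ad_sasl_getopt(void *context, const char *plugin_name,
                          const char *option,
                          const char **result, unsigned *len)
{
    /* `option` is passed to strcmp() below; a NULL there would be
     * undefined behaviour, so refuse it like the other missing arguments. */
    if (!plugin_name || !option || !result) {
        return SASL_FAIL;
    }
    if (strcmp(plugin_name, "GSSAPI") != 0) {
        return SASL_FAIL;
    }
    if (strcmp(option, "ad_compat") != 0) {
        return SASL_FAIL;
    }

    *result = AD_COMPAT_ON;
    if (len) {
        /* Derived from the literal so value and length cannot drift apart;
         * the terminator is not part of the reported length. */
        *len = (unsigned)(sizeof(AD_COMPAT_ON) - 1);
    }
    return SASL_OK;
}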
ff9a53595208f532c25ac5168f772f48fd80fdb5Christian Maeder
/* Generic callback pointer type so that differently-typed SASL callbacks
 * can be stored in one sasl_callback_t table. */
typedef int (*sss_sasl_gen_cb_fn)(void);

/* Callback table registered with sasl_client_init() in ad_sasl_initialize().
 * The cast only adapts ad_sasl_getopt() to the table's generic pointer type;
 * libsasl is expected to invoke it through the sasl_getopt_t signature. */
static const sasl_callback_t ad_sasl_callbacks[] = {
    { SASL_CB_GETOPT, (sss_sasl_gen_cb_fn)ad_sasl_getopt, NULL },
    { SASL_CB_LIST_END, NULL, NULL }
};
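/* This is quite a hack: we *try* to fool the openldap libraries by
 * initializing SASL first so we can pass in the SASL_CB_GETOPT callback we
 * need to set some options. Should be removed as soon as openldap exposes a
 * way to do that. */
static void ad_sasl_initialize(void)
{
    int rc;

    /* NOTE: this may fail if some other library in the process happens to
     * initialize and use the openldap libraries or the cyrus-sasl library
     * directly, as this initialization function can be called only once per
     * process. That is not fatal for the provider, but it probably means our
     * GETOPT callback is not in effect, so leave a trace in the log instead
     * of discarding the result silently. */
    rc = sasl_client_init(ad_sasl_callbacks);
    if (rc != SASL_OK) {
        DEBUG(SSSDBG_MINOR_FAILURE,
              ("sasl_client_init() failed [%d]; SASL options callback "
               "may not be in effect\n", rc));
    }
}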
aff01ee50b66032469c232e00c945d1fd4f57d1bChristian Maeder
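/*
 * One-time, provider-wide AD setup shared by the sssm_ad_*_init() entry
 * points: initialize SASL, read the common AD options into the global
 * `ad_options` and set up the failover service.
 *
 * @param bectx  Backend context supplying the confdb, config path and domain.
 * @return EOK on success, or an errno-style code. On failure the global
 *         `ad_options` is released and reset to NULL, so a later entry point
 *         (they test `if (!ad_options)`) does not mistake a partially
 *         initialized options struct for a completed setup.
 */
static errno_t
common_ad_init(struct be_ctx *bectx)
{
    errno_t ret;
    char *ad_servers = NULL;
    char *ad_backup_servers = NULL;
    char *ad_realm;

    ad_sasl_initialize();

    /* Get AD-specific options */
    ret = ad_get_common_options(bectx, bectx->cdb,
                                bectx->conf_path,
                                bectx->domain,
                                &ad_options);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              ("Could not parse common options: [%s]\n",
               strerror(ret)));
        goto done;
    }

    ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
    ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
    ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM);

    /* Set up the failover service */
    ret = ad_failover_init(ad_options, bectx, ad_servers, ad_backup_servers,
                           ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME,
                           dp_opt_get_string(ad_options->basic, AD_DOMAIN),
                           &ad_options->service);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              ("Failed to init AD failover service: [%s]\n",
               strerror(ret)));
        goto done;
    }

    ret = EOK;
done:
    if (ret != EOK) {
        /* Do not leave a half-initialized struct behind the global: callers
         * treat a non-NULL ad_options as "fully set up" (e.g. they
         * dereference ad_options->service). Safe on NULL as well. */
        talloc_zfree(ad_options);
    }
    return ret;
}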
aff01ee50b66032469c232e00c945d1fd4f57d1bChristian Maeder
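/*
 * Initialize the AD id provider.
 *
 * Runs the shared common_ad_init() on first use, then builds the
 * ad_id_ctx: dynamic DNS updates, the LDAP child helper, SDAP options and
 * tasks, ID mapping, TLS, the SRV lookup plugin and the periodic netgroup
 * refresh. Later calls return the already initialized context.
 *
 * @param bectx     Backend context.
 * @param ops       Out: &ad_id_ops on success.
 * @param pvt_data  Out: the struct ad_id_ctx on success.
 * @return EOK on success, ENOMEM or another errno-style code otherwise; on
 *         failure the partially built context is freed and
 *         ad_options->id_ctx reset to NULL.
 */
int
sssm_ad_id_init(struct be_ctx *bectx,
                struct bet_ops **ops,
                void **pvt_data)
{
    errno_t ret;
    struct ad_id_ctx *ad_ctx;
    const char *hostname;
    const char *ad_domain;
    struct ad_srv_plugin_ctx *srv_ctx;

    if (!ad_options) {
        ret = common_ad_init(bectx);
        if (ret != EOK) {
            return ret;
        }
    }

    if (ad_options->id_ctx) {
        /* already initialized */
        *ops = &ad_id_ops;
        *pvt_data = ad_options->id_ctx;
        return EOK;
    }

    ad_ctx = ad_id_ctx_init(ad_options, bectx);
    if (ad_ctx == NULL) {
        return ENOMEM;
    }
    /* Published before the fallible steps below so that the done: label can
     * release everything built so far with a single talloc_zfree(). */
    ad_options->id_ctx = ad_ctx;

    ret = ad_dyndns_init(ad_ctx->sdap_id_ctx->be, ad_options);
    if (ret != EOK) {
        DEBUG(SSSDBG_MINOR_FAILURE,
              ("Failure setting up automatic DNS update\n"));
        /* Continue without DNS updates */
    }

    ret = sdap_setup_child();
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              ("setup_child failed [%d][%s].\n",
               ret, strerror(ret)));
        goto done;
    }

    /* Set up various SDAP options */
    ret = ad_get_id_options(ad_options, bectx->cdb,
                            bectx->conf_path,
                            &ad_ctx->sdap_id_ctx->opts);
    if (ret != EOK) {
        goto done;
    }

    ret = sdap_id_setup_tasks(ad_ctx->sdap_id_ctx,
                              ad_ctx->sdap_id_ctx->conn,
                              ad_ctx->sdap_id_ctx->opts->sdom,
                              ad_enumeration_send,
                              ad_enumeration_recv);
    if (ret != EOK) {
        goto done;
    }

    ad_ctx->sdap_id_ctx->opts->sdom->pvt = ad_ctx;

    /* Set up the ID mapping object */
    ret = sdap_idmap_init(ad_ctx->sdap_id_ctx, ad_ctx->sdap_id_ctx,
                          &ad_ctx->sdap_id_ctx->opts->idmap_ctx);
    if (ret != EOK) {
        goto done;
    }

    ret = setup_tls_config(ad_ctx->sdap_id_ctx->opts->basic);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              ("setup_tls_config failed [%s]\n", strerror(ret)));
        goto done;
    }

    /* setup SRV lookup plugin */
    hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME);
    if (dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES)) {
        /* use AD plugin */
        ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN);
        srv_ctx = ad_srv_plugin_ctx_init(bectx, bectx->be_res,
                                         default_host_dbs, ad_options->id,
                                         hostname, ad_domain);
        if (srv_ctx == NULL) {
            DEBUG(SSSDBG_FATAL_FAILURE, ("Out of memory?\n"));
            ret = ENOMEM;
            goto done;
        }

        /* Checked like the standard-plugin branch below: an unnoticed
         * failure here could leave the backend without any SRV lookup
         * plugin while initialization still reports success. */
        ret = be_fo_set_srv_lookup_plugin(bectx, ad_srv_plugin_send,
                                          ad_srv_plugin_recv, srv_ctx, "AD");
        if (ret != EOK) {
            DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to set AD SRV lookup plugin "
                                        "[%d]: %s\n", ret, strerror(ret)));
            goto done;
        }
    } else {
        /* fall back to standard plugin */
        ret = be_fo_set_dns_srv_lookup_plugin(bectx, hostname);
        if (ret != EOK) {
            DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to set SRV lookup plugin "
                                        "[%d]: %s\n", ret, strerror(ret)));
            goto done;
        }
    }

    /* setup periodical refresh of expired records */
    ret = be_refresh_add_cb(bectx->refresh_ctx, BE_REFRESH_TYPE_NETGROUPS,
                            sdap_refresh_netgroups_send,
                            sdap_refresh_netgroups_recv,
                            ad_ctx->sdap_id_ctx);
    if (ret != EOK && ret != EEXIST) {
        /* EEXIST is tolerated (presumably a callback already registered);
         * anything else only costs the periodic refresh, not the provider. */
        DEBUG(SSSDBG_MINOR_FAILURE, ("Periodical refresh of netgroups "
                                     "will not work [%d]: %s\n",
                                     ret, strerror(ret)));
    }

    *ops = &ad_id_ops;
    *pvt_data = ad_ctx;
    ret = EOK;

done:
    if (ret != EOK) {
        talloc_zfree(ad_options->id_ctx);
    }
    return ret;
}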
/*
 * Initialize the AD auth provider: a generic krb5_ctx bound to the Kerberos
 * service of the AD failover service, with options from
 * ad_get_auth_options() and the krb5_child helper set up.
 *
 * @param bectx     Backend context.
 * @param ops       Out: &ad_auth_ops on success.
 * @param pvt_data  Out: the struct krb5_ctx (ad_options->auth_ctx) on success.
 * @return EOK, ENOMEM, or the error from option parsing / child setup; the
 *         out-parameters are only written on success. Repeated calls return
 *         the existing auth context.
 */
int
sssm_ad_auth_init(struct be_ctx *bectx,
                  struct bet_ops **ops,
                  void **pvt_data)
{
    errno_t ret;
    struct krb5_ctx *kctx;

    if (ad_options == NULL) {
        ret = common_ad_init(bectx);
        if (ret != EOK) {
            return ret;
        }
    }

    if (ad_options->auth_ctx != NULL) {
        /* Already initialized */
        *ops = &ad_auth_ops;
        *pvt_data = ad_options->auth_ctx;
        return EOK;
    }

    /* Allocated without a parent and reparented onto ad_options only once it
     * is fully set up, so a failure below can free it without side effects. */
    kctx = talloc_zero(NULL, struct krb5_ctx);
    if (kctx == NULL) {
        return ENOMEM;
    }

    kctx->config_type = K5C_GENERIC;
    kctx->service = ad_options->service->krb5_service;

    ret = ad_get_auth_options(kctx, ad_options, bectx, &kctx->opts);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              ("Could not determine Kerberos options\n"));
        goto fail;
    }

    ret = krb5_child_init(kctx, bectx);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              ("Could not initialize krb5_child settings: [%s]\n",
               strerror(ret)));
        goto fail;
    }

    ad_options->auth_ctx = talloc_steal(ad_options, kctx);
    *ops = &ad_auth_ops;
    *pvt_data = ad_options->auth_ctx;
    return EOK;

fail:
    talloc_free(kctx);
    return ret;
}
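/*
 * Initialize the AD chpass provider. Password changes reuse the auth
 * provider's krb5_ctx, so this delegates to sssm_ad_auth_init() and only
 * substitutes the chpass operation table.
 *
 * @param bectx     Backend context.
 * @param ops       Out: &ad_chpass_ops on success.
 * @param pvt_data  Out: the shared auth context on success.
 * @return EOK, or the error from common_ad_init() / sssm_ad_auth_init().
 *         On failure neither out-parameter is written.
 */
int
sssm_ad_chpass_init(struct be_ctx *bectx,
                    struct bet_ops **ops,
                    void **pvt_data)
{
    errno_t ret;

    if (!ad_options) {
        ret = common_ad_init(bectx);
        if (ret != EOK) {
            return ret;
        }
    }

    if (ad_options->auth_ctx) {
        /* Already initialized */
        *ops = &ad_chpass_ops;
        *pvt_data = ad_options->auth_ctx;
        return EOK;
    }

    ret = sssm_ad_auth_init(bectx, ops, pvt_data);
    if (ret != EOK) {
        /* sssm_ad_auth_init() leaves *pvt_data unset when it fails, so it
         * must not be published as ad_options->auth_ctx, and no ops table
         * should be handed out for a context that does not exist. */
        return ret;
    }

    /* On success sssm_ad_auth_init() has already stored the context in both
     * ad_options->auth_ctx and *pvt_data; only the ops table differs. */
    *ops = &ad_chpass_ops;
    return ret;
}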
/*
 * Initialize the AD access provider.
 *
 * Makes sure the id provider is up (the access checks reuse its LDAP and
 * GC connections), copies the basic AD options, and prepares an
 * sdap_access_ctx whose rule list is "expire", followed by "filter" when
 * ad_access_filter is configured.
 *
 * @param bectx     Backend context; talloc parent of the new access context.
 * @param ops       Out: &ad_access_ops on success.
 * @param pvt_data  Out: the struct ad_access_ctx on success.
 * @return EOK, ENOMEM, or the error from id initialization / option copying;
 *         on failure the access context is freed.
 */
int
sssm_ad_access_init(struct be_ctx *bectx,
                    struct bet_ops **ops,
                    void **pvt_data)
{
    errno_t ret;
    struct ad_access_ctx *actx;
    struct ad_id_ctx *id_ctx = NULL;
    struct sdap_access_ctx *sactx;
    const char *filter;

    actx = talloc_zero(bectx, struct ad_access_ctx);
    if (actx == NULL) {
        return ENOMEM;
    }

    ret = sssm_ad_id_init(bectx, ops, (void **)&id_ctx);
    if (ret != EOK) {
        goto fail;
    }
    actx->ldap_ctx = id_ctx->ldap_ctx;
    actx->gc_ctx = id_ctx->gc_ctx;

    ret = dp_copy_options(actx, ad_options->basic, AD_OPTS_BASIC,
                          &actx->ad_options);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              ("Could not initialize access provider options: [%s]\n",
               strerror(ret)));
        goto fail;
    }

    /* Set up an sdap_access_ctx for checking expired/locked accounts */
    sactx = talloc_zero(actx, struct sdap_access_ctx);
    if (sactx == NULL) {
        ret = ENOMEM;
        goto fail;
    }
    actx->sdap_access_ctx = sactx;
    sactx->id_ctx = id_ctx->sdap_id_ctx;

    /* The access order is "expire" alone, or "expire, filter" when
     * ad_access_filter is set; LDAP_ACCESS_EMPTY terminates the list. */
    sactx->access_rule[0] = LDAP_ACCESS_EXPIRE;
    filter = dp_opt_get_cstring(actx->ad_options, AD_ACCESS_FILTER);
    if (filter == NULL) {
        sactx->access_rule[1] = LDAP_ACCESS_EMPTY;
    } else {
        /* The extended filter is processed during the access check itself;
         * here it is only kept as a copy owned by the sdap_access_ctx. */
        sactx->filter = talloc_strdup(sactx, filter);
        if (sactx->filter == NULL) {
            ret = ENOMEM;
            goto fail;
        }
        sactx->access_rule[1] = LDAP_ACCESS_FILTER;
        sactx->access_rule[2] = LDAP_ACCESS_EMPTY;
    }

    *ops = &ad_access_ops;
    *pvt_data = actx;
    return EOK;

fail:
    talloc_free(actx);
    return ret;
}
/* Finalize callback of ad_id_ops: completes the shutdown request without
 * releasing any provider state. */
static void
ad_shutdown(struct be_req *req)
{
    /* TODO: Clean up any internal data */
    sdap_handler_done(req, DP_ERR_OK, EOK, NULL);
}
/*
 * Initialize the AD subdomains provider on top of the id provider.
 *
 * @param bectx     Backend context.
 * @param ops       Out: written by sssm_ad_id_init() and then by
 *                  ad_subdom_init().
 * @param pvt_data  Out: written by ad_subdom_init().
 * @return EOK; EINVAL if the global AD options are missing; otherwise the
 *         error from sssm_ad_id_init() or ad_subdom_init().
 */
int sssm_ad_subdomains_init(struct be_ctx *bectx,
                            struct bet_ops **ops,
                            void **pvt_data)
{
    errno_t ret;
    struct ad_id_ctx *id_ctx = NULL;

    ret = sssm_ad_id_init(bectx, ops, (void **) &id_ctx);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, ("sssm_ad_id_init failed.\n"));
        return ret;
    }

    /* Defensive: a successful sssm_ad_id_init() implies ad_options is set. */
    if (ad_options == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, ("Global AD options not available.\n"));
        return EINVAL;
    }

    ret = ad_subdom_init(bectx, id_ctx,
                         dp_opt_get_string(ad_options->basic, AD_DOMAIN),
                         ops, pvt_data);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, ("ad_subdom_init failed.\n"));
    }
    return ret;
}