From 041c689691e280335ced4e9d2003a841e41d4ada Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 10 Mar 2016 17:50:13 +0100
Subject: [PATCH 14/24] AD: use krb5_keytab for subdomain initialization
During the initialization of AD subdomains, parameters like the SASL auth
id are determined. Since subdomains use a default set of the AD specific
configuration options the default keytab will be used. If krb5_keytab is
set in sssd.conf for the AD domain this keytab should be used for the
subdomains (domains of the same AD forest) as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit cc4caf88344210ea9777d618f0f71935ca5e7f8b)
(cherry picked from commit c5eabcd8f2500cb563ec0381782ef695e4a1ab7c)
---
src/providers/ad/ad_common.c | 27 +++++++++++++++------------
src/providers/ad/ad_common.h | 3 ++-
src/providers/ad/ad_subdomains.c | 4 +++-
src/providers/ipa/ipa_subdomains_server.c | 3 ++-
src/tests/cmocka/test_ad_common.c | 6 ++++--
5 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index aba66a4346aa32a0953e642f540ce2fd822239b9..d0911495a3f1ce115aa7b56b6cd9718d290fca4c 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -139,7 +139,8 @@ static errno_t
set_common_ad_trust_opts(struct ad_options *ad_options,
const char *realm,
const char *ad_domain,
- const char *hostname)
+ const char *hostname,
+ const char *keytab)
{
errno_t ret;
@@ -161,6 +162,14 @@ set_common_ad_trust_opts(struct ad_options *ad_options,
return ret;
}
+ if (keytab != NULL) {
+ ret = dp_opt_set_string(ad_options->basic, AD_KEYTAB, keytab);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot set keytab\n");
+ return ret;
+ }
+ }
+
return EOK;
}
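Review bot: The new `if (keytab != NULL)` guard changes the contract for the 1-way trust path: the hunk at `@@ -212,20 +223,12` removes the unconditional `dp_opt_set_string(ad_options->basic, AD_KEYTAB, keytab)` that followed the call, so a 1-way trust built with `keytab == NULL` now silently keeps whatever keytab `ad_create_default_options` installed instead of failing or overriding it. Whether the 1-way caller can ever pass NULL is not visible here (the start of `set_common_ad_trust_opts` and the whole head of `ad_create_1way_trust_options` lie outside the hunks), so if the trust keytab is mandatory for the 1-way case a check before the call, `if (keytab == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Missing 1way trust keytab\n"); talloc_free(ad_options); return NULL; }`, would preserve the old strictness. A short comment above the guard would also help, e.g. `/* NULL means: keep the default keytab; 1-way trusts always pass their trust keytab */`, once that assumption is confirmed. Including the rejected path in the log line, `DEBUG(SSSDBG_OP_FAILURE, "Cannot set keytab [%s]\n", keytab);`, makes the failure diagnosable from the log.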
@@ -168,7 +177,8 @@ struct ad_options *
ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
const char *realm,
const char *ad_domain,
- const char *hostname)
+ const char *hostname,
+ const char *keytab)
{
struct ad_options *ad_options;
errno_t ret;
@@ -176,7 +186,8 @@ ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
ad_options = ad_create_default_options(mem_ctx);
if (ad_options == NULL) return NULL;
- ret = set_common_ad_trust_opts(ad_options, realm, ad_domain, hostname);
+ ret = set_common_ad_trust_opts(ad_options, realm, ad_domain, hostname,
+ keytab);
if (ret != EOK) {
talloc_free(ad_options);
return NULL;
@@ -212,20 +223,12 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
}
ret = set_common_ad_trust_opts(ad_options, realm,
- ad_domain, hostname);
+ ad_domain, hostname, keytab);
if (ret != EOK) {
talloc_free(ad_options);
return NULL;
}
- /* Set AD_KEYTAB to the special 1way keytab */
- ret = dp_opt_set_string(ad_options->basic, AD_KEYTAB, keytab);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot set trust keytab\n");
- talloc_free(ad_options);
- return NULL;
- }
-
/* Set SDAP_SASL_AUTHID to the trust principal */
ret = dp_opt_set_string(ad_options->id->basic,
SDAP_SASL_AUTHID, sasl_authid);
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 5bb2e52d402e4279fdc60d4ab58afd2292358487..d0ef724c0e8ffa76701fff903d6b074f5879e9c3 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -110,7 +110,8 @@ struct ad_options *ad_create_default_options(TALLOC_CTX *mem_ctx);
struct ad_options *ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
const char *realm,
const char *ad_domain,
- const char *hostname);
+ const char *hostname,
+ const char *keytab);
struct ad_options *ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
const char *ad_domain,
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 2e5d9120e473e32a84610d607ccf329249b4ac9e..5eebcbbfc6b61f7f6337cf8e1d1c05237b4d0d2e 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -108,9 +108,11 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
errno_t ret;
const char *realm;
const char *hostname;
+ const char *keytab;
realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM);
hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME);
+ keytab = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KEYTAB);
ad_domain = subdom->name;
if (realm == NULL || hostname == NULL || ad_domain == NULL) {
DEBUG(SSSDBG_CONF_SETTINGS, "Missing realm or hostname.\n");
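Review bot: `keytab` is read from the parent domain's `AD_KEYTAB` option but is deliberately left out of the `realm == NULL || hostname == NULL || ad_domain == NULL` check, and nothing in the hunk says that NULL is the expected value when `krb5_keytab` is not configured. A one-line comment at the new assignment makes that intent explicit for the next reader, e.g. `/* NULL when krb5_keytab is unset: the subdomain then keeps the default keytab */`. This also documents that a keytab configured for the forest root is inherited by every subdomain created here, which is the behaviour the commit message describes. `ad_subdom_ad_ctx_new` starts before the hunk.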
@@ -118,7 +120,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
}
ad_options = ad_create_2way_trust_options(id_ctx, realm,
- ad_domain, hostname);
+ ad_domain, hostname, keytab);
if (ad_options == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n");
talloc_free(ad_options);
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index 33c76cad926e4cef67e0a097dccb9efe877089f0..b870d555251690dd1fb09095ed7d295d72e3c97c 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -176,7 +176,8 @@ static struct ad_options *ipa_ad_options_new(struct ipa_id_ctx *id_ctx,
ad_options = ad_create_2way_trust_options(id_ctx,
id_ctx->server_mode->realm,
subdom->name,
- id_ctx->server_mode->hostname);
+ id_ctx->server_mode->hostname,
+ NULL);
} else if (direction & LSA_TRUST_DIRECTION_INBOUND) {
ad_options = ipa_create_1way_trust_ctx(id_ctx, forest,
forest_realm, subdom);
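Review bot: The bare `NULL` added as the new keytab argument is unexplained, so a reader of `ipa_ad_options_new` cannot tell whether server mode intentionally keeps the default keytab for two-way trusts or whether a configured keytab was overlooked in this call site. Presumably the default is intended here since the inbound (1-way) branch below goes through `ipa_create_1way_trust_ctx` with its own keytab handling, but that should be confirmed. Annotating the argument, `NULL /* two-way trust: use the default keytab */`, records the decision in place. `ipa_ad_options_new` starts outside the hunk.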
diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c
index b0cf4b5e6b0559c2896273bfcfb1af99cad195a3..573e2ad6aebf0231b18e40bdbc75f62b39427e57 100644
--- a/src/tests/cmocka/test_ad_common.c
+++ b/src/tests/cmocka/test_ad_common.c
@@ -207,7 +207,8 @@ static void test_ad_create_2way_trust_options(void **state)
test_ctx->ad_ctx,
REALMNAME,
DOMNAME,
- HOST_NAME);
+ HOST_NAME,
+ NULL);
assert_non_null(test_ctx->ad_ctx->ad_options);
assert_int_equal(test_ctx->ad_ctx->ad_options->id->schema_type,
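Review bot: Both updated calls to `ad_create_2way_trust_options`, here and in the `test_ldap_conn_setup` hunk below, pass `NULL` for the new keytab parameter, so the new `keytab != NULL` branch in `set_common_ad_trust_opts` is never exercised by this test file. A companion case that passes a test keytab path and then asserts it was stored, e.g. `assert_string_equal(dp_opt_get_cstring(test_ctx->ad_ctx->ad_options->basic, AD_KEYTAB), TEST_KEYTAB_PATH);` with `TEST_KEYTAB_PATH` a constructed constant defined alongside `REALMNAME`/`DOMNAME`, would pin the behaviour the commit introduces. Without it a regression that drops the option back to the default keytab would go unnoticed by the cmocka suite.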
@@ -272,7 +273,8 @@ test_ldap_conn_setup(void **state)
ad_ctx->ad_options = ad_create_2way_trust_options(ad_ctx,
REALMNAME,
DOMNAME,
- HOST_NAME);
+ HOST_NAME,
+ NULL);
assert_non_null(ad_ctx->ad_options);
ad_ctx->gc_ctx = talloc_zero(ad_ctx, struct sdap_id_conn_ctx);
--
2.7.4