From 041c689691e280335ced4e9d2003a841e41d4ada Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 10 Mar 2016 17:50:13 +0100 Subject: [PATCH 14/24] AD: use krb5_keytab for subdomain initialization During the initialization of AD subdomains parameters like the SASL auth id are determined. Since subdomains use a default set of the AD specific configuration options the default keytab will be used. If krb5_keytab is set in sssd.conf for the AD domain this keytab should be used for the subdomains (domains of the same AD forest) as well. Reviewed-by: Jakub Hrozek (cherry picked from commit cc4caf88344210ea9777d618f0f71935ca5e7f8b) (cherry picked from commit c5eabcd8f2500cb563ec0381782ef695e4a1ab7c) --- src/providers/ad/ad_common.c | 27 +++++++++++++++------------ src/providers/ad/ad_common.h | 3 ++- src/providers/ad/ad_subdomains.c | 4 +++- src/providers/ipa/ipa_subdomains_server.c | 3 ++- src/tests/cmocka/test_ad_common.c | 6 ++++-- 5 files changed, 26 insertions(+), 17 deletions(-) diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c index aba66a4346aa32a0953e642f540ce2fd822239b9..d0911495a3f1ce115aa7b56b6cd9718d290fca4c 100644 --- a/src/providers/ad/ad_common.c +++ b/src/providers/ad/ad_common.c @@ -139,7 +139,8 @@ static errno_t set_common_ad_trust_opts(struct ad_options *ad_options, const char *realm, const char *ad_domain, - const char *hostname) + const char *hostname, + const char *keytab) { errno_t ret; @@ -161,6 +162,14 @@ set_common_ad_trust_opts(struct ad_options *ad_options, return ret; } + if (keytab != NULL) { + ret = dp_opt_set_string(ad_options->basic, AD_KEYTAB, keytab); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot set keytab\n"); + return ret; + } + } + return EOK; } @@ -168,7 +177,8 @@ struct ad_options * ad_create_2way_trust_options(TALLOC_CTX *mem_ctx, const char *realm, const char *ad_domain, - const char *hostname) + const char *hostname, + const char *keytab) { struct ad_options *ad_options; errno_t ret; 
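Review bot: The new `if (keytab != NULL)` guard in set_common_ad_trust_opts makes a NULL keytab mean "leave AD_KEYTAB at its default", but nothing in the hunk says so, and the one-way path later in this patch used to set the option unconditionally and relied on it being present. A comment above the guard would make the contract explicit for future callers: `/* NULL keeps the default keytab (krb5_keytab unset); callers that need a specific keytab, e.g. one-way trusts, must pass it */`. An empty string is not caught by this check and is handed to dp_opt_set_string as-is; whether the option layer already normalizes an empty `krb5_keytab =` to NULL is not visible here. set_common_ad_trust_opts starts above this hunk.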
@@ -176,7 +186,8 @@ ad_create_2way_trust_options(TALLOC_CTX *mem_ctx, ad_options = ad_create_default_options(mem_ctx); if (ad_options == NULL) return NULL; - ret = set_common_ad_trust_opts(ad_options, realm, ad_domain, hostname); + ret = set_common_ad_trust_opts(ad_options, realm, ad_domain, hostname, + keytab); if (ret != EOK) { talloc_free(ad_options); return NULL; @@ -212,20 +223,12 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx, } ret = set_common_ad_trust_opts(ad_options, realm, - ad_domain, hostname); + ad_domain, hostname, keytab); if (ret != EOK) { talloc_free(ad_options); return NULL; } - /* Set AD_KEYTAB to the special 1way keytab */ - ret = dp_opt_set_string(ad_options->basic, AD_KEYTAB, keytab); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "Cannot set trust keytab\n"); - talloc_free(ad_options); - return NULL; - } - /* Set SDAP_SASL_AUTHID to the trust principal */ ret = dp_opt_set_string(ad_options->id->basic, SDAP_SASL_AUTHID, sasl_authid); diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h index 5bb2e52d402e4279fdc60d4ab58afd2292358487..d0ef724c0e8ffa76701fff903d6b074f5879e9c3 100644 --- a/src/providers/ad/ad_common.h +++ b/src/providers/ad/ad_common.h @@ -110,7 +110,8 @@ struct ad_options *ad_create_default_options(TALLOC_CTX *mem_ctx); struct ad_options *ad_create_2way_trust_options(TALLOC_CTX *mem_ctx, const char *realm, const char *ad_domain, - const char *hostname); + const char *hostname, + const char *keytab); struct ad_options *ad_create_1way_trust_options(TALLOC_CTX *mem_ctx, const char *ad_domain, diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index 2e5d9120e473e32a84610d607ccf329249b4ac9e..5eebcbbfc6b61f7f6337cf8e1d1c05237b4d0d2e 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c 
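Review bot: ad_create_1way_trust_options no longer guarantees that AD_KEYTAB is set: the unconditional dp_opt_set_string with the trust keytab is removed here, and set_common_ad_trust_opts (earlier in this patch) skips the option when `keytab` is NULL, so a NULL keytab now silently falls back to the default keytab instead of the one-way trust's own. For a one-way trust that default is presumably the host's own keytab, which would not authenticate against the trusted domain, so it is better to fail early with `if (keytab == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Missing keytab for one-way trust\n"); return NULL; }` at the top of the function, before ad_options is allocated. Whether the existing caller (ipa_create_1way_trust_ctx, not in this diff) can actually pass NULL cannot be confirmed from here. The function starts and ends outside this hunk.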
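Review bot: The prototype of ad_create_2way_trust_options gains a `keytab` parameter with no documentation of its NULL semantics, while the implementation in ad_common.c (this patch) treats NULL as "keep the default keytab". Several callers in this patch pass NULL deliberately, so a comment on the declaration saves each of them re-deriving that: `/* keytab: keytab to use for the trusted domain; NULL keeps the default (krb5_keytab unset) */`. The ad_create_1way_trust_options declaration below it is cut off by the hunk; its keytab parameter should state whether it is mandatory, since the implementation no longer enforces it.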
@@ -108,9 +108,11 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx, errno_t ret; const char *realm; const char *hostname; + const char *keytab; realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM); hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME); + keytab = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KEYTAB); ad_domain = subdom->name; if (realm == NULL || hostname == NULL || ad_domain == NULL) { DEBUG(SSSDBG_CONF_SETTINGS, "Missing realm or hostname.\n"); @@ -118,7 +120,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx, } ad_options = ad_create_2way_trust_options(id_ctx, realm, - ad_domain, hostname); + ad_domain, hostname, keytab); if (ad_options == NULL) { DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n"); talloc_free(ad_options); diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c index 33c76cad926e4cef67e0a097dccb9efe877089f0..b870d555251690dd1fb09095ed7d295d72e3c97c 100644 --- a/src/providers/ipa/ipa_subdomains_server.c +++ b/src/providers/ipa/ipa_subdomains_server.c @@ -176,7 +176,8 @@ static struct ad_options *ipa_ad_options_new(struct ipa_id_ctx *id_ctx, ad_options = ad_create_2way_trust_options(id_ctx, id_ctx->server_mode->realm, subdom->name, - id_ctx->server_mode->hostname); + id_ctx->server_mode->hostname, + NULL); } else if (direction & LSA_TRUST_DIRECTION_INBOUND) { ad_options = ipa_create_1way_trust_ctx(id_ctx, forest, forest_realm, subdom); diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c index b0cf4b5e6b0559c2896273bfcfb1af99cad195a3..573e2ad6aebf0231b18e40bdbc75f62b39427e57 100644 --- a/src/tests/cmocka/test_ad_common.c +++ b/src/tests/cmocka/test_ad_common.c @@ -207,7 +207,8 @@ static void test_ad_create_2way_trust_options(void **state) test_ctx->ad_ctx, REALMNAME, DOMNAME, - HOST_NAME); + HOST_NAME, + NULL); assert_non_null(test_ctx->ad_ctx->ad_options); assert_int_equal(test_ctx->ad_ctx->ad_options->id->schema_type, 
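Review bot: The `keytab` read from the parent's AD_KEYTAB is passed on without any check, which is only correct because set_common_ad_trust_opts (this patch) treats NULL as "keep the default"; that dependency deserves a comment next to the new dp_opt_get_cstring line: `/* inherit krb5_keytab from the parent domain; NULL keeps the default keytab */`. Note that this makes a single keytab file the credential for every domain of the forest, so the file must hold a principal valid forest-wide — presumably the host principal, as with the default keytab, but that assumption is not visible here. The error path just below still reports only "Missing realm or hostname.", which is consistent with keytab being optional. ad_subdom_ad_ctx_new starts above this hunk.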
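Review bot: Passing a literal `NULL` for the new keytab argument silently pins IPA server-mode two-way trusts to the default keytab, and a reader cannot tell whether that is intended or an omission; a short annotation settles it: `NULL /* default keytab: server mode carries no per-trust keytab here */`. If server mode ever gains its own keytab setting, this is the call where it should be threaded through, presumably from `id_ctx->server_mode` next to realm and hostname. The enclosing ipa_ad_options_new continues outside the hunk on both sides.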
@@ -272,7 +273,8 @@ test_ldap_conn_setup(void **state) ad_ctx->ad_options = ad_create_2way_trust_options(ad_ctx, REALMNAME, DOMNAME, - HOST_NAME); + HOST_NAME, + NULL); assert_non_null(ad_ctx->ad_options); ad_ctx->gc_ctx = talloc_zero(ad_ctx, struct sdap_id_conn_ctx); -- 2.7.4