Hi, this is a bit of a follow-up patch to "subdomains: inherit ldap_krb5_keytab". It turned out that, if the default keytab contains some completely unrelated keys, the SASL initialization might e.g. pick a wrong realm name, because the alternative keytab was only added later during the initialization.
bye, Sumit
From b76cbbd2e9f426cbc10e67a7eefa776b3027a2cb Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Thu, 10 Mar 2016 17:50:13 +0100
Subject: [PATCH] AD: use krb5_keytab for subdomain initialization

During the initialization of AD subdomains parameters like the SASL auth id are determined. Since subdomains use a default set of the AD specific configuration options the default keytab will be used. If krb5_keytab is set in sssd.conf for the AD domain this keytab should be used for the subdomains (domains of the same AD forest) as well.
---
 src/providers/ad/ad_common.c              | 27 +++++++++++++++------------
 src/providers/ad/ad_common.h              |  3 ++-
 src/providers/ad/ad_subdomains.c          |  4 +++-
 src/providers/ipa/ipa_subdomains_server.c |  3 ++-
 src/tests/cmocka/test_ad_common.c         |  6 ++++--
 5 files changed, 26 insertions(+), 17 deletions(-)

diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 4f8223879a504d1e34b39f4166601c53fd6a73fe..be16b4306f5fe60dcf7e4dafb3dce08f55bac2c2 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -139,7 +139,8 @@ static errno_t
 set_common_ad_trust_opts(struct ad_options *ad_options,
                          const char *realm,
                          const char *ad_domain,
-                         const char *hostname)
+                         const char *hostname,
+                         const char *keytab)
 {
     errno_t ret;
 
@@ -161,6 +162,14 @@ set_common_ad_trust_opts(struct ad_options *ad_options,
         return ret;
     }
 
+    if (keytab != NULL) {
+        ret = dp_opt_set_string(ad_options->basic, AD_KEYTAB, keytab);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, "Cannot set keytab\n");
+            return ret;
+        }
+    }
+
     return EOK;
 }
 
@@ -168,7 +177,8 @@ struct ad_options *
 ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
                              const char *realm,
                              const char *ad_domain,
-                             const char *hostname)
+                             const char *hostname,
+                             const char *keytab)
 {
     struct ad_options *ad_options;
     errno_t ret;
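Review bot: The new `keytab` parameter of set_common_ad_trust_opts has an implicit NULL contract that nothing in the hunk states: when the caller passes NULL the `if (keytab != NULL)` branch is skipped and AD_KEYTAB keeps whatever ad_create_default_options left there, which is exactly the "default keytab with unrelated keys" situation the cover letter is about, so callers that pass NULL (the IPA server-mode and test call sites later in this patch) are relying on that default deliberately. Add a comment above the new branch, e.g. `/* NULL keeps the keytab already present in ad_options (the default one) */`, and mirror it on the prototype of ad_create_2way_trust_options in ad_common.h so the contract is visible to callers. The body of set_common_ad_trust_opts continues between and beyond the first two hunks.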
@@ -176,7 +186,8 @@ ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
     ad_options = ad_create_default_options(mem_ctx);
     if (ad_options == NULL) return NULL;
 
-    ret = set_common_ad_trust_opts(ad_options, realm, ad_domain, hostname);
+    ret = set_common_ad_trust_opts(ad_options, realm, ad_domain, hostname,
+                                   keytab);
     if (ret != EOK) {
         talloc_free(ad_options);
         return NULL;
@@ -212,20 +223,12 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
     }
 
     ret = set_common_ad_trust_opts(ad_options, realm,
-                                   ad_domain, hostname);
+                                   ad_domain, hostname, keytab);
     if (ret != EOK) {
         talloc_free(ad_options);
         return NULL;
     }
 
-    /* Set AD_KEYTAB to the special 1way keytab */
-    ret = dp_opt_set_string(ad_options->basic, AD_KEYTAB, keytab);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, "Cannot set trust keytab\n");
-        talloc_free(ad_options);
-        return NULL;
-    }
-
     /* Set SDAP_SASL_AUTHID to the trust principal */
     ret = dp_opt_set_string(ad_options->id->basic, SDAP_SASL_AUTHID,
                             sasl_authid);
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index d61be42ccfa5d61c0521ef8b3589c72a0d51c05f..37178d611da5c23fe8fd1f8b5033a3cd90301a71 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -110,7 +110,8 @@ struct ad_options *ad_create_default_options(TALLOC_CTX *mem_ctx);
 struct ad_options *ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
                                                 const char *realm,
                                                 const char *ad_domain,
-                                                const char *hostname);
+                                                const char *hostname,
+                                                const char *keytab);
 
 struct ad_options *ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
                                                 const char *ad_domain,
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 4799b518a1354e5b4ef8392b860effc9121ee121..4bdd2a7adbf104354a33fd382eb175d9c315d356 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
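Review bot: In the ad_create_1way_trust_options hunk the removed block set AD_KEYTAB unconditionally, but the replacement inside set_common_ad_trust_opts only sets it when `keytab != NULL`, so a NULL keytab on the one-way path now silently leaves the default keytab in ad_options while SDAP_SASL_AUTHID is still pointed at the trust principal; the previous code would at least have gone through dp_opt_set_string (how that call treats NULL is not visible here). The callers presumably always supply the dedicated trust keytab, but a one-way trust should never fall back to the default keytab, so it is worth rejecting NULL explicitly in this function instead of relying on the shared helper's lenient contract. The start of ad_create_1way_trust_options, including where sasl_authid is built, lies before the hunk.
```c
    /* … unchanged: realm / sasl_authid setup … */
    /* A one-way trust must use its dedicated keytab; never fall back to the default one. */
    if (keytab == NULL) {
        DEBUG(SSSDBG_OP_FAILURE, "Missing keytab for one-way trust\n");
        talloc_free(ad_options);
        return NULL;
    }

    ret = set_common_ad_trust_opts(ad_options, realm,
                                   ad_domain, hostname, keytab);
    /* … unchanged: error handling and SDAP_SASL_AUTHID setup … */
```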
@@ -108,9 +108,11 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
     errno_t ret;
     const char *realm;
     const char *hostname;
+    const char *keytab;
 
     realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM);
     hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME);
+    keytab = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KEYTAB);
     ad_domain = subdom->name;
     if (realm == NULL || hostname == NULL || ad_domain == NULL) {
         DEBUG(SSSDBG_CONF_SETTINGS, "Missing realm or hostname.\n");
@@ -118,7 +120,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
     }
 
     ad_options = ad_create_2way_trust_options(id_ctx, realm,
-                                              ad_domain, hostname);
+                                              ad_domain, hostname, keytab);
     if (ad_options == NULL) {
         DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n");
         talloc_free(ad_options);
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index 7d8b3d3fbc6b501a6362ec1aeaf2c82e32c7906a..e61d84096dd4071f485020d344c679c2e14c7100 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -176,7 +176,8 @@ static struct ad_options *ipa_ad_options_new(struct ipa_id_ctx *id_ctx,
         ad_options = ad_create_2way_trust_options(id_ctx,
                                                   id_ctx->server_mode->realm,
                                                   subdom->name,
-                                                  id_ctx->server_mode->hostname);
+                                                  id_ctx->server_mode->hostname,
+                                                  NULL);
     } else if (direction & LSA_TRUST_DIRECTION_INBOUND) {
         ad_options = ipa_create_1way_trust_ctx(id_ctx, forest,
                                                forest_realm, subdom);
diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c
index 6fc2be4f7e1bfad9036979d9f1ea338d73d3165b..d0bebbd6ae704bcca9758bdaf7afdcd98cc8c40b 100644
--- a/src/tests/cmocka/test_ad_common.c
+++ b/src/tests/cmocka/test_ad_common.c
@@ -529,7 +529,8 @@ static void test_ad_create_2way_trust_options(void **state)
                                                   test_ctx->ad_ctx,
                                                   REALMNAME,
                                                   DOMNAME,
-                                                  HOST_NAME);
+                                                  HOST_NAME,
+                                                  NULL);
 
     assert_non_null(test_ctx->ad_ctx->ad_options);
     assert_int_equal(test_ctx->ad_ctx->ad_options->id->schema_type,
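Review bot: The new `keytab = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KEYTAB);` line in ad_subdom_ad_ctx_new carries the whole motivation of the patch but no comment, and unlike realm and hostname it is intentionally not part of the NULL check below, which a reader may take for an omission. Add `/* Inherit the parent domain's krb5_keytab so the subdomain's SASL setup uses the same keys instead of the default keytab; NULL keeps the default. */` above it. The `NULL` argument added in ipa_subdomains_server.c deserves the same one-line explanation (`/* NULL: keep the default keytab */`), since it reads as a missing value otherwise. ad_subdom_ad_ctx_new starts before the first hunk and continues after the second.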
@@ -594,7 +595,8 @@ test_ldap_conn_setup(void **state)
     ad_ctx->ad_options = ad_create_2way_trust_options(ad_ctx,
                                                       REALMNAME,
                                                       DOMNAME,
-                                                      HOST_NAME);
+                                                      HOST_NAME,
+                                                      NULL);
     assert_non_null(ad_ctx->ad_options);
 
     ad_ctx->gc_ctx = talloc_zero(ad_ctx, struct sdap_id_conn_ctx);
-- 
2.1.0