Hi, the following 4 patches include fixes for https://fedorahosted.org/sssd/ticket/2788 and https://fedorahosted.org/sssd/ticket/3041. They are not related but depend on each other patch-wise, so I put them in a single mail. Please let me know if you prefer to review them separately; then I can split them into different threads.
The first patch just removes the 'enable_only = sssd' line, which effectively disables the default localauth mechanisms like checking .k5login. I thought we had already done this some time ago, but apparently not. While I was at it I made SSSD's localauth plugin non-authoritative for SSSD users as well (it already is non-authoritative for non-SSSD users, i.e. it returns KRB5_PLUGIN_NO_HANDLE, which leaves the final decision to a different module). This would allow the usage of .k5login files for SSSD users as well. The third and fourth patches create a new krb5 config snippet, krb5_libdefaults, which sets 'canonicalize = true' if the related SSSD option is true as well, which is currently the case by default for the IPA provider. bye, Sumit
From af04d03096c670b8470aa677c4234c4ee1f6dde6 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 4 Jul 2016 15:23:58 +0200
Subject: [PATCH 1/4] localauth: remove enable_only sssd from config snippet
Resolves https://fedorahosted.org/sssd/ticket/2788
---
 src/util/domain_info_utils.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 0791da3046c35e28cb1b479bb05610412acdb53c..2ae31fc17ad6d33eb47274aae438b745de24c413 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -531,8 +531,7 @@ done:
 "[plugins]\n" \
 " localauth = {\n" \
 " module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
-" enable_only = sssd\n" \
-" }"
+" }\n"
 static errno_t sss_write_krb5_localauth_snippet(const char *path)
 {
-- 2.1.0
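Review bot: Dropping `enable_only = sssd` changes the authorization policy, not just the snippet text: libkrb5's built-in localauth modules (the .k5login check named in the cover letter among them) now take part in the decision for every principal on SSSD-configured hosts, so a user-writable .k5login becomes an input to who may log in as that account. That consequence should be recorded at the macro so nobody re-adds the line later as a "hardening" fix, e.g. `/* No enable_only: libkrb5's default localauth modules (e.g. k5login) also run; the SSSD module is only one voice in the decision. */` above the `"[plugins]\n"` line. It is also worth one sentence in the commit message, since it is the user-visible effect of ticket 2788.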
From dea83a7802b92da09a666cee9d820e42d24dc388 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 4 Jul 2016 15:52:00 +0200
Subject: [PATCH 2/4] localauth: make plugin non-authoritative on failures
According to the documentation in localauth_plugin.h "aname will be considered authorized if at least one module returns 0 and all other modules return KRB5_PLUGIN_NO_HANDLE." So it is safe to always return KRB5_PLUGIN_NO_HANDLE because a different plugin has to return 0 to allow access to the given principal.
Resolves https://fedorahosted.org/sssd/ticket/2788
---
 src/krb5_plugin/sssd_krb5_localauth_plugin.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/krb5_plugin/sssd_krb5_localauth_plugin.c b/src/krb5_plugin/sssd_krb5_localauth_plugin.c
index 1e77d5227b6766303849505d887182f2a387a43b..13ab07d1315430f11f7bbc916f25d2c837bec78c 100644
--- a/src/krb5_plugin/sssd_krb5_localauth_plugin.c
+++ b/src/krb5_plugin/sssd_krb5_localauth_plugin.c
@@ -49,7 +49,8 @@ static krb5_error_code sss_userok(krb5_context context,
 kerr = krb5_unparse_name(context, aname, &princ_str);
 if (kerr != 0) {
- return kerr;
+ ret = kerr;
+ goto done;
 }
 if (strcasecmp(princ_str, lname) == 0) {
@@ -98,6 +99,10 @@ done:
 krb5_free_unparsed_name(context, princ_str);
 free(buffer);
+ if (ret != 0) {
+ return KRB5_PLUGIN_NO_HANDLE;
+ }
+
 return ret;
 }
-- 2.1.0
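Review bot: The `if (ret != 0) return KRB5_PLUGIN_NO_HANDLE;` added at the end of sss_userok folds every failure — the `ret = kerr` from the first hunk as well as any allocation or lookup error in the body — into "no opinion", so a broken SSSD lookup is no longer distinguishable from "principal not known here". That is deny-safe only because of the aggregate rule quoted in the commit message (some other module must still return 0), and that invariant belongs next to the code: `/* Non-authoritative: any error means "no opinion"; access is granted only if another localauth module returns 0. */`. Separately, the new `goto done` after a failed krb5_unparse_name now reaches `krb5_free_unparsed_name(context, princ_str)` and `free(buffer)` in the second hunk; if those pointers are not initialised to NULL at their declaration (outside both hunks) that path frees indeterminate values — please confirm. sss_userok's declarations and the rest of its body lie outside the hunks.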
From 1a6d5328586ecbb60463eea3147c77f14ed0b476 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 4 Jul 2016 17:56:37 +0200
Subject: [PATCH 3/4] utils: add sss_write_krb5_snippet_common()
---
 src/util/domain_info_utils.c | 70 +++++++++++++++++++++++++++++---------------
 1 file changed, 47 insertions(+), 23 deletions(-)
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 2ae31fc17ad6d33eb47274aae438b745de24c413..adb3f1247bc1e381b7cd204c48f6bb63dbff989a 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -527,20 +527,13 @@ done:
 return ret;
 }
-#define LOCALAUTH_PLUGIN_CONFIG \
-"[plugins]\n" \
-" localauth = {\n" \
-" module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
-" }\n"
-
-static errno_t sss_write_krb5_localauth_snippet(const char *path)
+static errno_t sss_write_krb5_snippet_common(const char *file_name,
+ const char *content)
 {
-#ifdef HAVE_KRB5_LOCALAUTH_PLUGIN
 int ret;
 errno_t err;
 TALLOC_CTX *tmp_ctx = NULL;
 char *tmp_file = NULL;
- const char *file_name;
 int fd = -1;
 mode_t old_mode;
 ssize_t written;
@@ -552,16 +545,6 @@ static errno_t sss_write_krb5_localauth_snippet(const char *path)
 return ENOMEM;
 }
- file_name = talloc_asprintf(tmp_ctx, "%s/localauth_plugin", path);
- if (file_name == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
- ret = ENOMEM;
- goto done;
- }
-
- DEBUG(SSSDBG_FUNC_DATA, "File for localauth plugin configuration is [%s]\n",
- file_name);
-
 tmp_file = talloc_asprintf(tmp_ctx, "%sXXXXXX", file_name);
 if (tmp_file == NULL) {
 DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
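Review bot: sss_write_krb5_snippet_common now takes caller-supplied `file_name` and `content` but validates neither; the body dereferences both (`"%sXXXXXX", file_name` here and `strlen(content)` in the hunk on the next line), so a NULL from a future caller is undefined behaviour instead of an error. Add a guard at the top of the function, `if (file_name == NULL || content == NULL) { return EINVAL; }`, and a short header comment stating the contract: content is written in full to file_name through a temporary file next to it, the return is EOK or an errno value, and no ownership of either argument is taken. The helper's tail (temp-file creation and the write) continues in the hunks on the following line.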
@@ -574,15 +557,14 @@ static errno_t sss_write_krb5_localauth_snippet(const char *path)
 umask(old_mode);
 if (fd < 0) {
 DEBUG(SSSDBG_OP_FAILURE, "creating the temp file [%s] for "
- "domain-realm mappings failed.\n", tmp_file);
+ "krb5 config snippet failed.\n", tmp_file);
 ret = EIO;
 talloc_zfree(tmp_ctx);
 goto done;
 }
- size = sizeof(LOCALAUTH_PLUGIN_CONFIG) -1;
- written = sss_atomic_write_s(fd, discard_const(LOCALAUTH_PLUGIN_CONFIG),
- size);
+ size = strlen(content);
+ written = sss_atomic_write_s(fd, discard_const(content), size);
 close(fd);
 if (written == -1) {
 ret = errno;
@@ -628,6 +610,48 @@ done:
 talloc_free(tmp_ctx);
 return ret;
+}
+
+#define LOCALAUTH_PLUGIN_CONFIG \
+"[plugins]\n" \
+" localauth = {\n" \
+" module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
+" }\n"
+
+static errno_t sss_write_krb5_localauth_snippet(const char *path)
+{
+#ifdef HAVE_KRB5_LOCALAUTH_PLUGIN
+ int ret;
+ TALLOC_CTX *tmp_ctx = NULL;
+ const char *file_name;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ file_name = talloc_asprintf(tmp_ctx, "%s/localauth_plugin", path);
+ if (file_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA, "File for localauth plugin configuration is [%s]\n",
+ file_name);
+
+ ret = sss_write_krb5_snippet_common(file_name, LOCALAUTH_PLUGIN_CONFIG);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_snippet_common failed.\n");
+ goto done;
+ }
+
+done:
+
+ talloc_free(tmp_ctx);
+ return ret;
+
 #else
 DEBUG(SSSDBG_TRACE_ALL, "Kerberos localauth plugin not available.\n");
 return EOK;
-- 2.1.0
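Review bot: Moving `#ifdef HAVE_KRB5_LOCALAUTH_PLUGIN` into the new sss_write_krb5_localauth_snippet wrapper leaves sss_write_krb5_snippet_common compiled unconditionally, but at this point in the series it has no caller when the plugin is unavailable, so a static-unused warning (a build break if -Werror is in use) appears at this bisect step until the next patch adds the second caller; either keep the helper under the same #ifdef for now or squash the two patches. The `size = strlen(content);` line in the first hunk also changes the contract from a compile-time length to "up to the first NUL", which is fine for these C-string snippets but worth a one-line comment on the `content` parameter. Minor: the wrapper declares `int ret;` while returning errno_t; `errno_t ret;` matches the sibling sss_write_krb5_conf_snippet. The helper's declarations and the `#else` branch's closing lines sit outside these hunks.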
From b026627350eea06a1f07a3c57497da8c47591574 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 5 Jul 2016 11:25:59 +0200
Subject: [PATCH 4/4] IPA/AD: globally set krb5 canonicalization flag
If Kerberos principal canonicalization is configured in SSSD, currently it is the default for the IPA provider, a configuration snippet is generated for the system-wide libkrb5 configuration so that all kerberized applications will use canonicalization by default.
Resolves https://fedorahosted.org/sssd/ticket/3041
---
 src/providers/ad/ad_subdomains.c | 7 +++++-
 src/providers/ipa/ipa_subdomains.c | 7 ++++--
 src/tests/cmocka/test_utils.c | 12 +++++-----
 src/util/domain_info_utils.c | 48 +++++++++++++++++++++++++++++++++++++-
 src/util/util.h | 2 +-
 5 files changed, 65 insertions(+), 11 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 4a858fd4db6f3075ad908bfde6b077363f284fde..928c4fe93cc6afa5c3f69c14503896db820a4c0a 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -504,11 +504,16 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
 {
 const char *path;
 errno_t ret;
+ bool canonicalize;
 path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic,
 AD_KRB5_CONFD_PATH);
- ret = sss_write_krb5_conf_snippet(path);
+ canonicalize = dp_opt_get_bool(
+ subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts,
+ KRB5_CANONICALIZE);
+
+ ret = sss_write_krb5_conf_snippet(path, canonicalize);
 if (ret != EOK) {
 DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
 /* Just continue */
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index f36e1bc691bc637518f34f78e64c0fe4c25cf6d1..4a3a6916129e0b2b61676242be8327d8b5e6f7f2 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
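Review bot: The new `dp_opt_get_bool(subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts, KRB5_CANONICALIZE)` walks through `auth_ctx` with no NULL check, whereas the existing `path` lookup only touches `ad_options->basic`; if ad_subdom_reinit can run before the auth context is attached to the AD options (I cannot tell from the hunk), this is a NULL dereference in the subdomain refresh path. Please confirm `ad_options->auth_ctx` is always set by then, or guard it: `canonicalize = subdoms_ctx->ad_id_ctx->ad_options->auth_ctx != NULL && dp_opt_get_bool(subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts, KRB5_CANONICALIZE);`. A one-line comment that this writes a system-wide libkrb5 snippet, not an SSSD-private setting, would help the next reader. ad_subdom_reinit continues past the hunk.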
@@ -78,8 +78,11 @@ ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx)
 "Re-initializing domain %s\n", ctx->be_ctx->domain->name);
 ret = sss_write_krb5_conf_snippet(
- dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic,
- IPA_KRB5_CONFD_PATH));
+ dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic,
+ IPA_KRB5_CONFD_PATH),
+ dp_opt_get_bool(
+ ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts,
+ KRB5_CANONICALIZE));
 if (ret != EOK) {
 DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
 /* Just continue */
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index aaba2df6d06d396bc88d7fa23edc8840eebeddb6..4ea5936477fef6b2f5c88f3b10c7921b8b130bf4 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -1247,16 +1247,16 @@ void test_sss_write_krb5_conf_snippet(void **state)
 char *path;
 char *file;
- ret = sss_write_krb5_conf_snippet(NULL);
+ ret = sss_write_krb5_conf_snippet(NULL, false);
 assert_int_equal(ret, EINVAL);
- ret = sss_write_krb5_conf_snippet("abc");
+ ret = sss_write_krb5_conf_snippet("abc", false);
 assert_int_equal(ret, EINVAL);
- ret = sss_write_krb5_conf_snippet("");
+ ret = sss_write_krb5_conf_snippet("", false);
 assert_int_equal(ret, EOK);
- ret = sss_write_krb5_conf_snippet("none");
+ ret = sss_write_krb5_conf_snippet("none", false);
 assert_int_equal(ret, EOK);
 cwd = getcwd(buf, PATH_MAX);
@@ -1268,11 +1268,11 @@ void test_sss_write_krb5_conf_snippet(void **state)
 ret = asprintf(&file, "%s/%s/localauth_plugin", cwd, TESTS_PATH);
 assert_true(ret > 0);
- ret = sss_write_krb5_conf_snippet(path);
+ ret = sss_write_krb5_conf_snippet(path, true);
 assert_int_equal(ret, EOK);
 /* Check if writing a second time will work as well */
- ret = sss_write_krb5_conf_snippet(path);
+ ret = sss_write_krb5_conf_snippet(path, true);
 assert_int_equal(ret, EOK);
 #ifdef HAVE_KRB5_LOCALAUTH_PLUGIN
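Review bot: The test hunks pass `true` on the two real-path calls but `file` is still built from `"%s/%s/localauth_plugin"`, so the `krb5_libdefaults` snippet — the feature this patch adds — is never checked, and no case calls the function with a real path and `false`. After the `true` calls, assert that `<path>/krb5_libdefaults` exists and holds the `[libdefaults]` / `canonicalize = true` content, and add a `false` call on the same path that pins whatever the intended on-disk result is (absent or unchanged); the `false` calls with NULL, "abc", "" and "none" all return before any file is touched. The IPA hunk has the same unguarded `auth_ctx->krb5_auth_ctx->opts` chain as the AD change in the previous file; please confirm both contexts are initialised before the reinit path runs. test_sss_write_krb5_conf_snippet continues outside the hunk.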
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index adb3f1247bc1e381b7cd204c48f6bb63dbff989a..6fc15a045ccc600b1803ddb3e7927573f6d20b1e 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -658,7 +658,45 @@ done:
 #endif
 }
-errno_t sss_write_krb5_conf_snippet(const char *path)
+#define KRB5_LIBDEFAUTLS_CONFIG \
+"[libdefaults]\n" \
+" canonicalize = true\n"
+
+static errno_t sss_write_krb5_libdefaults_snippet(const char *path)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx = NULL;
+ const char *file_name;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ file_name = talloc_asprintf(tmp_ctx, "%s/krb5_libdefaults", path);
+ if (file_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA, "File for KRB5 kibdefaults configuration is [%s]\n",
+ file_name);
+
+ ret = sss_write_krb5_snippet_common(file_name, KRB5_LIBDEFAUTLS_CONFIG);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_snippet_common failed.\n");
+ goto done;
+ }
+
+done:
+
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t sss_write_krb5_conf_snippet(const char *path, bool canonicalize)
 {
 errno_t ret;
 errno_t err;
@@ -680,6 +718,14 @@ errno_t sss_write_krb5_conf_snippet(const char *path)
 goto done;
 }
+ if (canonicalize) {
+ ret = sss_write_krb5_libdefaults_snippet(path);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_libdefaults_snippet failed.\n");
+ goto done;
+ }
+ }
+
 ret = EOK;
 done:
diff --git a/src/util/util.h b/src/util/util.h
index 36d8231b9e16b90a16d236b9f394ae32ea447b72..92076488a087c424e0e0dcc237a2b4569e5ea29a 100644
--- a/src/util/util.h
+++ b/src/util/util.h
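Review bot: The `if (canonicalize)` block in the second hunk never removes a previously written `krb5_libdefaults` snippet, so once the option has been true on a host, switching KRB5_CANONICALIZE off leaves `canonicalize = true` in force for every kerberized application on the system and the on-disk state stops following the configuration. Add an `else` branch that builds the same `%s/krb5_libdefaults` name and unlinks it (treating ENOENT as success), or always write the snippet with the value spelled out as `canonicalize = true` / `canonicalize = false`. Two typos in the first hunk: `KRB5_LIBDEFAUTLS_CONFIG` (LIBDEFAULTS) and `"File for KRB5 kibdefaults configuration is [%s]\n"` (libdefaults). Style: sss_write_krb5_libdefaults_snippet repeats sss_write_krb5_localauth_snippet line for line apart from the file name and content, so one static helper taking (path, basename, content) would remove the copy; sss_write_krb5_conf_snippet's body between the two hunks is outside view.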
@@ -525,7 +525,7 @@ errno_t sssd_domain_init(TALLOC_CTX *mem_ctx,
 errno_t sss_write_domain_mappings(struct sss_domain_info *domain);
-errno_t sss_write_krb5_conf_snippet(const char *path);
+errno_t sss_write_krb5_conf_snippet(const char *path, bool canonicalize);
 errno_t get_dom_names(TALLOC_CTX *mem_ctx, struct sss_domain_info *start_dom,
-- 2.1.0
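Review bot: The new `bool canonicalize` parameter is undocumented in the header although its effect reaches beyond SSSD: a true value writes a `[libdefaults]` snippet that changes libkrb5 behaviour for every application on the host. Add a comment above the prototype, e.g. `/* Write SSSD's krb5 config snippets under path; with canonicalize set, also write krb5_libdefaults enabling principal canonicalization system-wide. Returns EOK or an errno value. */`, and state there what a false value does to a snippet left by an earlier run. If util.h does not already include `<stdbool.h>` at this point, the `bool` in the prototype needs it.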