68ef824a5f
And also ... - Related: upstream#941 - return multiple server addresses to the Kerberos locator plugin - Related: upstream#3652 - kdcinfo doesn't get populated for other domains - Resolves: upstream#3747 - sss_ssh_authorizedkeys exits abruptly if SSHD closes its end of the pipe before reading all the SSH keys - Resolves: upstream#3607 - Handle conflicting e-mail addresses more gracefully - Resolves: upstream#3754 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Related: upstream#3219 - [RFE] Regular expression used in sssd.conf not being able to consume an @-sign in the user/group name. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
469 lines
15 KiB
Diff
469 lines
15 KiB
Diff
From 4b1137562c3446e85a6383010702850f9532a4f2 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Fri, 24 Feb 2017 13:55:47 +0100
|
|
Subject: [PATCH] krb5 locator: add support for multiple addresses
|
|
|
|
Read multiple addresses from the kdcinfo files add call the provided
|
|
callback with each of them.
|
|
|
|
Related to https://pagure.io/SSSD/sssd/issue/941
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
(cherry picked from commit efae9509cb05648357e9b4c10a93c0d38558bed4)
|
|
|
|
DOWNSTREAM:
|
|
Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client
|
|
---
|
|
src/krb5_plugin/sssd_krb5_locator_plugin.c | 344 +++++++++++++++------
|
|
1 file changed, 246 insertions(+), 98 deletions(-)
|
|
|
|
diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
|
index 7c17fcb33373293fbbbe2be967dca57b31ef13de..82fb5c7b2ffa319ed250e54cdf9a0b6798d4ff51 100644
|
|
--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
|
+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
|
@@ -42,7 +42,7 @@
|
|
#define DEFAULT_KADMIN_PORT 749
|
|
#define DEFAULT_KPASSWD_PORT 464
|
|
|
|
-#define BUFSIZE 512
|
|
+#define BUFSIZE 4096
|
|
#define PORT_STR_SIZE 7
|
|
#define SSSD_KRB5_LOCATOR_DEBUG "SSSD_KRB5_LOCATOR_DEBUG"
|
|
#define SSSD_KRB5_LOCATOR_DISABLE "SSSD_KRB5_LOCATOR_DISABLE"
|
|
@@ -53,12 +53,15 @@
|
|
} \
|
|
} while(0)
|
|
|
|
+struct addr_port {
|
|
+ char *addr;
|
|
+ uint16_t port;
|
|
+};
|
|
+
|
|
struct sssd_ctx {
|
|
char *sssd_realm;
|
|
- char *kdc_addr;
|
|
- uint16_t kdc_port;
|
|
- char *kpasswd_addr;
|
|
- uint16_t kpasswd_port;
|
|
+ struct addr_port *kdc_addr;
|
|
+ struct addr_port *kpasswd_addr;
|
|
bool debug;
|
|
bool disabled;
|
|
};
|
|
@@ -82,6 +85,186 @@ void plugin_debug_fn(const char *format, ...)
|
|
free(s);
|
|
}
|
|
|
|
+
|
|
+static void free_addr_port_list(struct addr_port **list)
|
|
+{
|
|
+ size_t c;
|
|
+
|
|
+ if (list == NULL || *list == NULL) {
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ for (c = 0; (*list)[c].addr != NULL; c++) {
|
|
+ free((*list)[c].addr);
|
|
+ }
|
|
+ free(*list);
|
|
+ *list = NULL;
|
|
+}
|
|
+
|
|
+static int copy_addr_port_list(struct addr_port *src, bool clear_port,
|
|
+ struct addr_port **dst)
|
|
+{
|
|
+ size_t c;
|
|
+ struct addr_port *d = NULL;
|
|
+ int ret;
|
|
+
|
|
+ /* only copy if dst is initialized to NULL */
|
|
+ if (dst == NULL || *dst != NULL) {
|
|
+ return EINVAL;
|
|
+ }
|
|
+
|
|
+ if (src == NULL) {
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ for (c = 0; src[c].addr != NULL; c++);
|
|
+
|
|
+ d = calloc((c + 1), sizeof(struct addr_port));
|
|
+ if (d == NULL) {
|
|
+ return ENOMEM;
|
|
+ }
|
|
+
|
|
+ for (c = 0; src[c].addr != NULL; c++) {
|
|
+ d[c].addr = strdup(src[c].addr);
|
|
+ if (d[c].addr == NULL) {
|
|
+ ret = ENOMEM;
|
|
+ goto done;
|
|
+ }
|
|
+ if (clear_port) {
|
|
+ d[c].port = 0;
|
|
+ } else {
|
|
+ d[c].port = src[c].port;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ ret = EOK;
|
|
+
|
|
+done:
|
|
+ if (ret != EOK) {
|
|
+ free_addr_port_list(&d);
|
|
+ } else {
|
|
+ *dst = d;
|
|
+ }
|
|
+
|
|
+ return ret;
|
|
+}
|
|
+
|
|
+static int buf_to_addr_port_list(struct sssd_ctx *ctx,
|
|
+ uint8_t *buf, size_t buf_size,
|
|
+ struct addr_port **list)
|
|
+{
|
|
+ struct addr_port *l = NULL;
|
|
+ int ret;
|
|
+ uint8_t *p;
|
|
+ uint8_t *pn;
|
|
+ size_t c;
|
|
+ size_t len;
|
|
+ char *tmp = NULL;
|
|
+ char *port_str;
|
|
+ long port;
|
|
+ char *endptr;
|
|
+
|
|
+ /* only create if list is initialized to NULL */
|
|
+ if (buf == NULL || buf_size == 0 || list == NULL || *list != NULL) {
|
|
+ return EINVAL;
|
|
+ }
|
|
+
|
|
+ c = 1; /* to account for a missing \n at the very end */
|
|
+ p = buf;
|
|
+ while ((p - buf) < buf_size
|
|
+ && (p = memchr(p, '\n', buf_size - (p - buf))) != NULL) {
|
|
+ p++;
|
|
+ c++;
|
|
+ }
|
|
+
|
|
+ l = calloc((c + 1), sizeof(struct addr_port));
|
|
+ if (l == NULL) {
|
|
+ return ENOMEM;
|
|
+ }
|
|
+
|
|
+ c = 0;
|
|
+ p = buf;
|
|
+ do {
|
|
+ pn = memchr(p, '\n', buf_size - (p - buf));
|
|
+ if (pn != NULL) {
|
|
+ len = pn - p;
|
|
+ } else {
|
|
+ len = buf_size - (p - buf);
|
|
+ }
|
|
+ if (len == 0) {
|
|
+ /* empty line no more processing */
|
|
+ break;
|
|
+ }
|
|
+
|
|
+ free(tmp);
|
|
+ tmp = strndup((char *) p, len);
|
|
+ if (tmp == NULL) {
|
|
+ ret = ENOMEM;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ port_str = strrchr(tmp, ':');
|
|
+ if (port_str == NULL) {
|
|
+ port = 0;
|
|
+ } else {
|
|
+ *port_str = '\0';
|
|
+ ++port_str;
|
|
+
|
|
+ if (isdigit(*port_str)) {
|
|
+ errno = 0;
|
|
+ port = strtol(port_str, &endptr, 10);
|
|
+ if (errno != 0) {
|
|
+ ret = errno;
|
|
+ PLUGIN_DEBUG(("strtol failed on [%s]: [%d][%s], "
|
|
+ "assuming default.\n", port_str, ret,
|
|
+ strerror(ret)));
|
|
+ port = 0;
|
|
+ }
|
|
+ if (*endptr != '\0') {
|
|
+ PLUGIN_DEBUG(("Found additional characters [%s] in port "
|
|
+ "number [%s], assuming default.\n", endptr,
|
|
+ port_str));
|
|
+ port = 0;
|
|
+ }
|
|
+
|
|
+ if (port < 0 || port > 65535) {
|
|
+ PLUGIN_DEBUG(("Illegal port number [%ld], assuming "
|
|
+ "default.\n", port));
|
|
+ port = 0;
|
|
+ }
|
|
+ } else {
|
|
+ PLUGIN_DEBUG(("Illegal port number [%s], assuming default.\n",
|
|
+ port_str));
|
|
+ port = 0;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ PLUGIN_DEBUG(("Found [%s][%d].\n", tmp, port));
|
|
+
|
|
+ l[c].addr = strdup(tmp);
|
|
+ if (l[c].addr == NULL) {
|
|
+ ret = ENOMEM;
|
|
+ goto done;
|
|
+ }
|
|
+ l[c].port = port;
|
|
+
|
|
+ c++;
|
|
+ p = pn == NULL ? NULL : (pn + 1);
|
|
+ } while (p != NULL);
|
|
+
|
|
+ ret = EOK;
|
|
+
|
|
+done:
|
|
+ free(tmp);
|
|
+ if (ret != EOK) {
|
|
+ free_addr_port_list(&l);
|
|
+ } else {
|
|
+ *list = l;
|
|
+ }
|
|
+
|
|
+ return ret;
|
|
+}
|
|
+
|
|
static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
|
|
enum locate_service_type svc)
|
|
{
|
|
@@ -91,9 +274,6 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
|
|
uint8_t buf[BUFSIZE + 1];
|
|
int fd = -1;
|
|
const char *name_tmpl = NULL;
|
|
- char *port_str;
|
|
- long port;
|
|
- char *endptr;
|
|
|
|
switch (svc) {
|
|
case locate_service_kdc:
|
|
@@ -148,62 +328,21 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
|
|
PLUGIN_DEBUG(("Content of krb5info file [%s] is [%d] or larger.\n",
|
|
krb5info_name, BUFSIZE));
|
|
}
|
|
- PLUGIN_DEBUG(("Found [%s] in [%s].\n", buf, krb5info_name));
|
|
-
|
|
- port_str = strrchr((char *) buf, ':');
|
|
- if (port_str == NULL) {
|
|
- port = 0;
|
|
- } else {
|
|
- *port_str = '\0';
|
|
- ++port_str;
|
|
-
|
|
- if (isdigit(*port_str)) {
|
|
- errno = 0;
|
|
- port = strtol(port_str, &endptr, 10);
|
|
- if (errno != 0) {
|
|
- ret = errno;
|
|
- PLUGIN_DEBUG(("strtol failed on [%s]: [%d][%s], "
|
|
- "assuming default.\n", port_str, ret, strerror(ret)));
|
|
- port = 0;
|
|
- }
|
|
- if (*endptr != '\0') {
|
|
- PLUGIN_DEBUG(("Found additional characters [%s] in port number "
|
|
- "[%s], assuming default.\n", endptr, port_str));
|
|
- port = 0;
|
|
- }
|
|
-
|
|
- if (port < 0 || port > 65535) {
|
|
- PLUGIN_DEBUG(("Illegal port number [%ld], assuming default.\n",
|
|
- port));
|
|
- port = 0;
|
|
- }
|
|
- } else {
|
|
- PLUGIN_DEBUG(("Illegal port number [%s], assuming default.\n",
|
|
- port_str));
|
|
- port = 0;
|
|
- }
|
|
- }
|
|
|
|
switch (svc) {
|
|
case locate_service_kdc:
|
|
- free(ctx->kdc_addr);
|
|
- ctx->kdc_addr = strdup((char *) buf);
|
|
- if (ctx->kdc_addr == NULL) {
|
|
- PLUGIN_DEBUG(("strdup failed.\n"));
|
|
- ret = ENOMEM;
|
|
+ free_addr_port_list(&(ctx->kdc_addr));
|
|
+ ret = buf_to_addr_port_list(ctx, buf, len, &(ctx->kdc_addr));
|
|
+ if (ret != EOK) {
|
|
goto done;
|
|
}
|
|
- ctx->kdc_port = (uint16_t) port;
|
|
break;
|
|
case locate_service_kpasswd:
|
|
- free(ctx->kpasswd_addr);
|
|
- ctx->kpasswd_addr = strdup((char *) buf);
|
|
- if (ctx->kpasswd_addr == NULL) {
|
|
- PLUGIN_DEBUG(("strdup failed.\n"));
|
|
- ret = ENOMEM;
|
|
+ free_addr_port_list(&(ctx->kpasswd_addr));
|
|
+ ret = buf_to_addr_port_list(ctx, buf, len, &(ctx->kpasswd_addr));
|
|
+ if (ret != EOK) {
|
|
goto done;
|
|
}
|
|
- ctx->kpasswd_port = (uint16_t) port;
|
|
break;
|
|
default:
|
|
PLUGIN_DEBUG(("Unsupported service [%d].\n", svc));
|
|
@@ -256,8 +395,8 @@ void sssd_krb5_locator_close(void *private_data)
|
|
ctx = (struct sssd_ctx *) private_data;
|
|
PLUGIN_DEBUG(("sssd_krb5_locator_close called\n"));
|
|
|
|
- free(ctx->kdc_addr);
|
|
- free(ctx->kpasswd_addr);
|
|
+ free_addr_port_list(&(ctx->kdc_addr));
|
|
+ free_addr_port_list(&(ctx->kpasswd_addr));
|
|
free(ctx->sssd_realm);
|
|
free(ctx);
|
|
|
|
@@ -277,8 +416,10 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
|
|
struct sssd_ctx *ctx;
|
|
struct addrinfo ai_hints;
|
|
uint16_t port = 0;
|
|
- const char *addr = NULL;
|
|
+ uint16_t default_port = 0;
|
|
+ struct addr_port *addr = NULL;
|
|
char port_str[PORT_STR_SIZE];
|
|
+ size_t c;
|
|
|
|
if (private_data == NULL) return KRB5_PLUGIN_NO_HANDLE;
|
|
ctx = (struct sssd_ctx *) private_data;
|
|
@@ -308,9 +449,13 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
|
|
if (ret != EOK) {
|
|
PLUGIN_DEBUG(("reading kpasswd address failed, "
|
|
"using kdc address.\n"));
|
|
- free(ctx->kpasswd_addr);
|
|
- ctx->kpasswd_addr = strdup(ctx->kdc_addr);
|
|
- ctx->kpasswd_port = 0;
|
|
+ free_addr_port_list(&(ctx->kpasswd_addr));
|
|
+ ret = copy_addr_port_list(ctx->kdc_addr, true,
|
|
+ &(ctx->kpasswd_addr));
|
|
+ if (ret != EOK) {
|
|
+ PLUGIN_DEBUG(("copying address list failed.\n"));
|
|
+ return KRB5_PLUGIN_NO_HANDLE;
|
|
+ }
|
|
}
|
|
}
|
|
}
|
|
@@ -322,19 +467,19 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
|
|
switch (svc) {
|
|
case locate_service_kdc:
|
|
addr = ctx->kdc_addr;
|
|
- port = ctx->kdc_port ? ctx->kdc_port : DEFAULT_KERBEROS_PORT;
|
|
+ default_port = DEFAULT_KERBEROS_PORT;
|
|
break;
|
|
case locate_service_master_kdc:
|
|
addr = ctx->kpasswd_addr;
|
|
- port = DEFAULT_KERBEROS_PORT;
|
|
+ default_port = DEFAULT_KERBEROS_PORT;
|
|
break;
|
|
case locate_service_kadmin:
|
|
addr = ctx->kpasswd_addr;
|
|
- port = DEFAULT_KADMIN_PORT;
|
|
+ default_port = DEFAULT_KADMIN_PORT;
|
|
break;
|
|
case locate_service_kpasswd:
|
|
addr = ctx->kpasswd_addr;
|
|
- port = ctx->kpasswd_port ? ctx->kpasswd_port : DEFAULT_KPASSWD_PORT;
|
|
+ default_port = DEFAULT_KPASSWD_PORT;
|
|
break;
|
|
case locate_service_krb524:
|
|
return KRB5_PLUGIN_NO_HANDLE;
|
|
@@ -362,46 +507,49 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
|
|
if (strcmp(realm, ctx->sssd_realm) != 0)
|
|
return KRB5_PLUGIN_NO_HANDLE;
|
|
|
|
- memset(port_str, 0, PORT_STR_SIZE);
|
|
- ret = snprintf(port_str, PORT_STR_SIZE-1, "%u", port);
|
|
- if (ret < 0 || ret >= (PORT_STR_SIZE-1)) {
|
|
- PLUGIN_DEBUG(("snprintf failed.\n"));
|
|
- return KRB5_PLUGIN_NO_HANDLE;
|
|
- }
|
|
-
|
|
- memset(&ai_hints, 0, sizeof(struct addrinfo));
|
|
- ai_hints.ai_flags = AI_NUMERICHOST|AI_NUMERICSERV;
|
|
- ai_hints.ai_socktype = socktype;
|
|
-
|
|
- ret = getaddrinfo(addr, port_str, &ai_hints, &ai);
|
|
- if (ret != 0) {
|
|
- PLUGIN_DEBUG(("getaddrinfo failed [%d][%s].\n", ret,
|
|
- gai_strerror(ret)));
|
|
- if (ret == EAI_SYSTEM) {
|
|
- PLUGIN_DEBUG(("getaddrinfo failed [%d][%s].\n", errno,
|
|
- strerror(errno)));
|
|
+ for (c = 0; addr[c].addr != NULL; c++) {
|
|
+ port = (addr[c].port == 0 ? default_port : addr[c].port);
|
|
+ memset(port_str, 0, PORT_STR_SIZE);
|
|
+ ret = snprintf(port_str, PORT_STR_SIZE-1, "%u", port);
|
|
+ if (ret < 0 || ret >= (PORT_STR_SIZE-1)) {
|
|
+ PLUGIN_DEBUG(("snprintf failed.\n"));
|
|
+ return KRB5_PLUGIN_NO_HANDLE;
|
|
}
|
|
- return KRB5_PLUGIN_NO_HANDLE;
|
|
- }
|
|
|
|
- PLUGIN_DEBUG(("addr[%s:%s] family[%d] socktype[%d]\n", addr, port_str,
|
|
- ai->ai_family, ai->ai_socktype));
|
|
+ memset(&ai_hints, 0, sizeof(struct addrinfo));
|
|
+ ai_hints.ai_flags = AI_NUMERICHOST|AI_NUMERICSERV;
|
|
+ ai_hints.ai_socktype = socktype;
|
|
|
|
- if ((family == AF_UNSPEC || ai->ai_family == family) &&
|
|
- ai->ai_socktype == socktype) {
|
|
-
|
|
- ret = cbfunc(cbdata, socktype, ai->ai_addr);
|
|
+ ret = getaddrinfo(addr[c].addr, port_str, &ai_hints, &ai);
|
|
if (ret != 0) {
|
|
- PLUGIN_DEBUG(("cbfunc failed\n"));
|
|
- freeaddrinfo(ai);
|
|
- return ret;
|
|
+ PLUGIN_DEBUG(("getaddrinfo failed [%d][%s].\n", ret,
|
|
+ gai_strerror(ret)));
|
|
+ if (ret == EAI_SYSTEM) {
|
|
+ PLUGIN_DEBUG(("getaddrinfo failed [%d][%s].\n",
|
|
+ errno, strerror(errno)));
|
|
+ }
|
|
+ return KRB5_PLUGIN_NO_HANDLE;
|
|
+ }
|
|
+
|
|
+ PLUGIN_DEBUG(("addr[%s:%s] family[%d] socktype[%d]\n", addr[c].addr,
|
|
+ port_str, ai->ai_family, ai->ai_socktype));
|
|
+
|
|
+ if ((family == AF_UNSPEC || ai->ai_family == family) &&
|
|
+ ai->ai_socktype == socktype) {
|
|
+
|
|
+ ret = cbfunc(cbdata, socktype, ai->ai_addr);
|
|
+ if (ret != 0) {
|
|
+ PLUGIN_DEBUG(("cbfunc failed\n"));
|
|
+ freeaddrinfo(ai);
|
|
+ return ret;
|
|
+ } else {
|
|
+ PLUGIN_DEBUG(("[%s] used\n", addr[c].addr));
|
|
+ }
|
|
} else {
|
|
- PLUGIN_DEBUG(("[%s] used\n", addr));
|
|
+ PLUGIN_DEBUG(("[%s] NOT used\n", addr[c].addr));
|
|
}
|
|
- } else {
|
|
- PLUGIN_DEBUG(("[%s] NOT used\n", addr));
|
|
+ freeaddrinfo(ai);
|
|
}
|
|
- freeaddrinfo(ai);
|
|
|
|
return 0;
|
|
}
|
|
--
|
|
2.17.1
|
|
|