const char *
sss_krb5_residual_check_type(const char *full_location,
enum sss_krb5_cc_type expected_type)
{
enum sss_krb5_cc_type type;
type = sss_krb5_get_type(full_location);
if (type != expected_type) {
DEBUG(SSSDBG_OP_FAILURE, ("Unexpected ccache type\n"));
return NULL;
}
return sss_krb5_residual_by_type(full_location, type);
}
static errno_t safe_remove_old_ccache_file(struct sss_krb5_cc_be *cc_be,
const char *princ,
const char *old_ccache,
const char *new_ccache)
{
int ret;
enum sss_krb5_cc_type old_type;
struct sss_krb5_cc_be *old_cc_ops;
if (old_ccache == NULL) {
DEBUG(SSSDBG_FUNC_DATA, ("No old ccache, nothing to do\n"));
return EOK;
}
if (new_ccache == NULL) {
DEBUG(SSSDBG_OP_FAILURE,
("Missing new ccache file, old ccache file is not deleted.\n"));
return EINVAL;
}
old_type = sss_krb5_get_type(old_ccache);
old_cc_ops = get_cc_be_ops(old_type);
if (!old_cc_ops) {
DEBUG(SSSDBG_CRIT_FAILURE, ("Cannot get ccache operations\n"));
return EINVAL;
}
if (cc_be->type == old_type &&
strcmp(old_ccache, new_ccache) == 0) {
DEBUG(SSSDBG_TRACE_FUNC, ("New and old ccache file are the same, "
"no one will be deleted.\n"));
return EOK;
}
ret = old_cc_ops->remove(old_ccache);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
("Cannot remove ccache [%s]\n", old_ccache));
return EIO;
}
return EOK;
}
const char *
sss_krb5_cc_file_path(const char *full_location)
{
enum sss_krb5_cc_type cc_type;
const char *residual;
cc_type = sss_krb5_get_type(full_location);
residual = sss_krb5_residual_by_type(full_location, cc_type);
switch(cc_type) {
case SSS_KRB5_TYPE_FILE:
return residual;
#ifdef HAVE_KRB5_DIRCACHE
case SSS_KRB5_TYPE_DIR:
/* DIR::/run/user/tkt_foo */
if (residual[0] == ':') return residual+1;
#endif
case SSS_KRB5_TYPE_UNKNOWN:
break;
}
return NULL;
}
errno_t check_and_export_options(struct dp_option *opts,
struct sss_domain_info *dom,
struct krb5_ctx *krb5_ctx)
{
int ret;
const char *realm;
const char *dummy;
char *use_fast_str;
char *fast_principal;
enum sss_krb5_cc_type cc_be;
realm = dp_opt_get_cstring(opts, KRB5_REALM);
if (realm == NULL) {
ret = dp_opt_set_string(opts, KRB5_REALM, dom->name);
if (ret != EOK) {
DEBUG(1, ("dp_opt_set_string failed.\n"));
return ret;
}
realm = dom->name;
}
ret = setenv(SSSD_KRB5_REALM, realm, 1);
if (ret != EOK) {
DEBUG(2, ("setenv %s failed, authentication might fail.\n",
SSSD_KRB5_REALM));
}
ret = check_and_export_lifetime(opts, KRB5_RENEWABLE_LIFETIME,
SSSD_KRB5_RENEWABLE_LIFETIME);
if (ret != EOK) {
DEBUG(1, ("Failed to check value of krb5_renewable_lifetime. [%d][%s]\n",
ret, strerror(ret)));
return ret;
}
ret = check_and_export_lifetime(opts, KRB5_LIFETIME,
SSSD_KRB5_LIFETIME);
if (ret != EOK) {
DEBUG(1, ("Failed to check value of krb5_lifetime. [%d][%s]\n",
ret, strerror(ret)));
return ret;
}
use_fast_str = dp_opt_get_string(opts, KRB5_USE_FAST);
if (use_fast_str != NULL) {
ret = check_fast(use_fast_str, &krb5_ctx->use_fast);
if (ret != EOK) {
DEBUG(1, ("check_fast failed.\n"));
return ret;
}
if (krb5_ctx->use_fast) {
ret = setenv(SSSD_KRB5_USE_FAST, use_fast_str, 1);
if (ret != EOK) {
DEBUG(2, ("setenv [%s] failed.\n", SSSD_KRB5_USE_FAST));
} else {
fast_principal = dp_opt_get_string(opts, KRB5_FAST_PRINCIPAL);
if (fast_principal != NULL) {
ret = setenv(SSSD_KRB5_FAST_PRINCIPAL, fast_principal, 1);
if (ret != EOK) {
DEBUG(2, ("setenv [%s] failed.\n", SSSD_KRB5_FAST_PRINCIPAL));
}
}
}
}
}
if (dp_opt_get_bool(opts, KRB5_CANONICALIZE)) {
ret = setenv(SSSD_KRB5_CANONICALIZE, "true", 1);
} else {
ret = setenv(SSSD_KRB5_CANONICALIZE, "false", 1);
}
if (ret != EOK) {
DEBUG(2, ("setenv [%s] failed.\n", SSSD_KRB5_CANONICALIZE));
}
dummy = dp_opt_get_cstring(opts, KRB5_KDC);
if (dummy == NULL) {
DEBUG(SSSDBG_CONF_SETTINGS, ("No KDC explicitly configured, using defaults.\n"));
}
dummy = dp_opt_get_cstring(opts, KRB5_KPASSWD);
if (dummy == NULL) {
DEBUG(SSSDBG_CONF_SETTINGS, ("No kpasswd server explicitly configured, "
"using the KDC or defaults.\n"));
}
dummy = dp_opt_get_cstring(opts, KRB5_CCNAME_TMPL);
if (dummy == NULL) {
DEBUG(1, ("Missing credential cache name template.\n"));
return EINVAL;
}
cc_be = sss_krb5_get_type(dummy);
switch (cc_be) {
case SSS_KRB5_TYPE_FILE:
DEBUG(SSSDBG_CONF_SETTINGS, ("ccache is of type FILE\n"));
krb5_ctx->cc_be = &file_cc;
if (dummy[0] != '/') {
/* FILE:/path/to/cc */
break;
}
DEBUG(SSSDBG_CONF_SETTINGS, ("The ccname template was "
"missing an explicit type, but is an absolute "
"path specifier. Assuming FILE:\n"));
dummy = talloc_asprintf(opts, "FILE:%s", dummy);
if (!dummy) return ENOMEM;
ret = dp_opt_set_string(opts, KRB5_CCNAME_TMPL, dummy);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, ("dp_opt_set_string failed.\n"));
return ret;
}
break;
#ifdef HAVE_KRB5_DIRCACHE
case SSS_KRB5_TYPE_DIR:
DEBUG(SSSDBG_CONF_SETTINGS, ("ccache is of type DIR\n"));
krb5_ctx->cc_be = &dir_cc;
break;
#endif
default:
DEBUG(SSSDBG_OP_FAILURE, ("Unknown ccname database\n"));
return EINVAL;
break;
}
return EOK;
}
