/*
 * Build the IPA auth provider context on top of the IPA id provider.
 *
 * On success *ops points at ipa_auth_ops and *pvt_data at the
 * (file-global) ipa_options->auth_ctx; a second call is a no-op that
 * hands back the already-built context.  Every partial context created
 * here hangs off ipa_options->auth_ctx, so on any failure after that
 * pointer is set the whole tree is released in one talloc_zfree().
 *
 * Returns EOK or an errno-style code.  Note that TLS setup for the LDAP
 * auth channel (setup_tls_config) and krb5_child initialisation are hard
 * failures, whereas a missing preauth indicator file is only logged.
 */
int sssm_ipa_auth_init(struct be_ctx *bectx,
                       struct bet_ops **ops,
                       void **pvt_data)
{
    struct ipa_auth_ctx *auth;
    struct ipa_id_ctx *id;
    struct krb5_ctx *krb5;
    struct sdap_auth_ctx *sdap;
    struct bet_ops *unused_id_ops;
    int ret;

    /* Lazily bring up the shared IPA options if the id provider has not. */
    if (ipa_options == NULL) {
        ret = common_ipa_init(bectx);
        if (ret != EOK) {
            return ret;
        }
    }

    /* Already initialised: reuse the existing context. */
    if (ipa_options->auth_ctx != NULL) {
        *ops = &ipa_auth_ops;
        *pvt_data = ipa_options->auth_ctx;
        return EOK;
    }

    auth = talloc_zero(ipa_options, struct ipa_auth_ctx);
    if (auth == NULL) {
        return ENOMEM;
    }
    /* Published immediately so the done: path can free it on error. */
    ipa_options->auth_ctx = auth;

    /* The auth provider shares the id provider's SDAP id context. */
    ret = sssm_ipa_id_init(bectx, &unused_id_ops, (void **) &id);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "sssm_ipa_id_init failed.\n");
        goto done;
    }
    auth->sdap_id_ctx = id->sdap_id_ctx;

    ret = dp_copy_options(auth, ipa_options->basic, IPA_OPTS_BASIC,
                          &auth->ipa_options);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "dp_copy_options failed.\n");
        goto done;
    }

    /* Kerberos half of the provider. */
    krb5 = talloc_zero(auth, struct krb5_ctx);
    if (krb5 == NULL) {
        ret = ENOMEM;
        goto done;
    }
    krb5->service = ipa_options->service->krb5_service;
    /* Server mode is read from the id provider's copy of the options. */
    krb5->config_type =
        (dp_opt_get_bool(id->ipa_options->basic, IPA_SERVER_MODE) == true)
            ? K5C_IPA_SERVER
            : K5C_IPA_CLIENT;
    auth->krb5_auth_ctx = krb5;

    ret = ipa_get_auth_options(ipa_options, bectx->cdb, bectx->conf_path,
                               &krb5->opts);
    if (ret != EOK) {
        goto done;
    }

    /* LDAP half of the provider (password changes etc. over SDAP). */
    sdap = talloc_zero(auth, struct sdap_auth_ctx);
    if (sdap == NULL) {
        ret = ENOMEM;
        goto done;
    }
    sdap->service = ipa_options->service->sdap;
    sdap->be = bectx;

    /* The id options must exist; they carry the LDAP/TLS settings. */
    if (ipa_options->id == NULL) {
        ret = EINVAL;
        goto done;
    }
    sdap->opts = ipa_options->id;
    auth->sdap_auth_ctx = sdap;

    /* TLS for the LDAP channel is mandatory: failure aborts the provider. */
    ret = setup_tls_config(sdap->opts->basic);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "setup_tls_config failed [%d][%s].\n",
              ret, strerror(ret));
        goto done;
    }

    /* Initialize features needed by the krb5_child */
    ret = krb5_child_init(krb5, bectx);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Could not initialize krb5_child settings: [%s]\n",
              strerror(ret));
        goto done;
    }

    /* Best effort: a missing indicator only degrades prompting. */
    ret = create_ipa_preauth_indicator();
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Failed to create preauth indicator file, special password "
              "prompting might not be available.\n");
        sss_log(SSSDBG_CRIT_FAILURE,
                "Failed to create preauth indicator file, special password "
                "prompting might not be available.\n");
    }

    *ops = &ipa_auth_ops;
    *pvt_data = auth;
    ret = EOK;

done:
    if (ret != EOK) {
        /* Drops auth and everything allocated under it. */
        talloc_zfree(ipa_options->auth_ctx);
    }
    return ret;
}
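/*
 * Initialise the generic (non-IPA/AD) Kerberos provider module.
 *
 * Allocates a struct krb5_ctx under mem_ctx, loads the krb5 options from
 * the confdb, sets up KDC and kpasswd failover, the krb5_child settings,
 * the illegal-path regex used to validate ccache paths, and the SRV
 * lookup plugin.  On success *_module_data receives the context; on any
 * failure everything allocated here is freed and an errno-style code is
 * returned.  The regex is compiled before the destructor is installed so
 * that a failed compile does not leave a destructor running on a NULL
 * regex.
 */
errno_t sssm_krb5_init(TALLOC_CTX *mem_ctx,
                       struct be_ctx *be_ctx,
                       struct data_provider *provider,
                       const char *module_name,
                       void **_module_data)
{
    struct krb5_ctx *ctx;
    const char *errstr;
    int errval;
    int errpos;
    errno_t ret;

    ctx = talloc_zero(mem_ctx, struct krb5_ctx);
    if (ctx == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed\n");
        return ENOMEM;
    }

    /* Only needed to generate random ccache names for non-POSIX domains.
     *
     * The product is done in unsigned arithmetic: srand() takes an
     * unsigned int anyway, so the seed value is unchanged, but this avoids
     * signed-overflow UB on platforms with a 32-bit time_t.
     *
     * NOTE(review): rand() is not a CSPRNG and this seed is derived from
     * values a local user can observe (daemon start time and pid), so
     * anything named from it is predictable. That is acceptable only if
     * the names never land in a shared or attacker-writable directory;
     * confirm at the consumer and switch to a kernel-backed source if not.
     */
    srand((unsigned int) time(NULL) * (unsigned int) getpid());

    ret = sss_krb5_get_options(ctx, be_ctx->cdb, be_ctx->conf_path,
                               &ctx->opts);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get krb5 options [%d]: %s\n",
              ret, sss_strerror(ret));
        goto done;
    }

    ctx->action = INIT_PW;
    ctx->config_type = K5C_GENERIC;

    ret = krb5_init_kdc(ctx, be_ctx);
    if (ret != EOK) {
        goto done;
    }

    ret = krb5_init_kpasswd(ctx, be_ctx);
    if (ret != EOK) {
        goto done;
    }

    ret = krb5_child_init(ctx, be_ctx);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Could not initialize krb5_child settings [%d]: %s\n",
              ret, sss_strerror(ret));
        goto done;
    }

    /* Regex rejecting path components that must never appear in a
     * ccache location; a compile failure is a programming error in the
     * pattern, hence EFAULT rather than a config error. */
    ctx->illegal_path_re = pcre_compile2(ILLEGAL_PATH_PATTERN, 0,
                                         &errval, &errstr, &errpos, NULL);
    if (ctx->illegal_path_re == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Invalid Regular Expression pattern at position %d. "
              "(Error: %d [%s])\n", errpos, errval, errstr);
        ret = EFAULT;
        goto done;
    }
    /* Destructor releases the compiled regex together with ctx. */
    talloc_set_destructor(ctx, krb5_ctx_re_destructor);

    ret = be_fo_set_dns_srv_lookup_plugin(be_ctx, NULL);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set SRV lookup plugin [%d]: %s\n",
              ret, sss_strerror(ret));
        goto done;
    }

    *_module_data = ctx;
    ret = EOK;

done:
    if (ret != EOK) {
        talloc_free(ctx);
    }
    return ret;
}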