static const char *
convert_user(TALLOC_CTX *mem_ctx,
struct ipa_sudo_conv *conv,
const char *value)
{
char *rdn;
const char *group;
errno_t ret;
ret = ipa_get_rdn(mem_ctx, conv->sysdb, value, &rdn,
MATCHRDN_USER(conv->map_user));
if (ret == EOK) {
return rdn;
} else if (ret != ENOENT) {
DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
value, ret, sss_strerror(ret));
return NULL;
}
ret = ipa_get_rdn(mem_ctx, conv->sysdb, value, &rdn,
MATCHRDN_GROUP(conv->map_group));
if (ret == ENOENT) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s\n", value);
return NULL;
} else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
value, ret, sss_strerror(ret));
return NULL;
}
group = talloc_asprintf(mem_ctx, "%%%s", rdn);
talloc_free(rdn);
return group;
}
int ad_autofs_init(struct be_ctx *be_ctx,
struct ad_id_ctx *id_ctx,
struct bet_ops **ops,
void **pvt_data)
{
int ret;
DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing autofs AD back end\n");
ret = sdap_autofs_init(be_ctx, id_ctx->sdap_id_ctx, ops, pvt_data);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD autofs [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
ret = ad_get_autofs_options(id_ctx->ad_options, be_ctx->cdb,
be_ctx->conf_path);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD autofs [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
return EOK;
}
struct ipa_sudo_conv *
ipa_sudo_conv_init(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
struct sdap_attr_map *map_rule,
struct sdap_attr_map *map_cmdgroup,
struct sdap_attr_map *map_cmd,
struct sdap_attr_map *map_user,
struct sdap_attr_map *map_group,
struct sdap_attr_map *map_host,
struct sdap_attr_map *map_hostgroup)
{
struct ipa_sudo_conv *conv;
errno_t ret;
conv = talloc_zero(mem_ctx, struct ipa_sudo_conv);
if (conv == NULL) {
return NULL;
}
conv->sysdb = sysdb;
conv->map_rule = map_rule;
conv->map_cmdgroup = map_cmdgroup;
conv->map_cmd = map_cmd;
conv->map_user = map_user;
conv->map_group = map_group;
conv->map_host = map_host;
conv->map_hostgroup = map_hostgroup;
ret = sss_hash_create(conv, 20, &conv->rules);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create hash table [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
ret = sss_hash_create(conv, 20, &conv->cmdgroups);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create hash table [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
ret = sss_hash_create(conv, 20, &conv->cmds);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create hash table [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
done:
if (ret != EOK) {
talloc_free(conv);
return NULL;
}
return conv;
}
static errno_t proxy_id_conf(TALLOC_CTX *mem_ctx,
struct be_ctx *be_ctx,
char **_libname,
char **_libpath,
bool *_fast_alias)
{
TALLOC_CTX *tmp_ctx;
char *libname;
char *libpath;
bool fast_alias;
errno_t ret;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
return ENOMEM;
}
ret = confdb_get_string(be_ctx->cdb, tmp_ctx, be_ctx->conf_path,
CONFDB_PROXY_LIBNAME, NULL, &libname);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read confdb [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
} else if (libname == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "No library name given\n");
ret = ENOENT;
goto done;
}
ret = confdb_get_bool(be_ctx->cdb, be_ctx->conf_path,
CONFDB_PROXY_FAST_ALIAS, false, &fast_alias);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read confdb [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
libpath = talloc_asprintf(tmp_ctx, "libnss_%s.so.2", libname);
if (libpath == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n");
ret = ENOMEM;
goto done;
}
*_libname = talloc_steal(mem_ctx, libname);
*_libpath = talloc_steal(mem_ctx, libpath);
*_fast_alias = fast_alias;
ret = EOK;
done:
talloc_free(tmp_ctx);
return ret;
}
errno_t
ipa_sudo_conv_cmdgroups(struct ipa_sudo_conv *conv,
struct sysdb_attrs **cmdgroups,
size_t num_cmdgroups)
{
struct ipa_sudo_cmdgroup *cmdgroup = NULL;
const char *key;
errno_t ret;
size_t i;
if (num_cmdgroups == 0) {
/* We're done here. */
return EOK;
}
for (i = 0; i < num_cmdgroups; i++) {
ret = sysdb_attrs_get_string(cmdgroups[i], SYSDB_ORIG_DN, &key);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get command group DN, "
"skipping [%d]: %s\n", ret, sss_strerror(ret));
continue;
}
cmdgroup = talloc_zero(conv->cmdgroups, struct ipa_sudo_cmdgroup);
if (cmdgroup == NULL) {
ret = ENOMEM;
goto done;
}
ret = process_cmdgroupmember(conv, cmdgroup, cmdgroups[i]);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to process member "
"[%d]: %s\n", ret, sss_strerror(ret));
return ret;
}
ret = ipa_sudo_conv_store(conv->cmdgroups, key, cmdgroup);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to store command group into "
"table [%d]: %s\n", ret, sss_strerror(ret));
goto done;
}
cmdgroup = NULL;
}
ret = EOK;
done:
if (ret != EOK) {
talloc_free(cmdgroup);
}
return ret;
}
static errno_t sssctl_fetch_object(TALLOC_CTX *mem_ctx,
struct sssctl_object_info *info,
struct sss_domain_info *domains,
struct sss_domain_info *domain,
sssctl_basedn_fn basedn_fn,
enum cache_object obj_type,
const char *attr_name,
const char *attr_value,
struct sysdb_attrs **_entry,
struct sss_domain_info **_dom)
{
TALLOC_CTX *tmp_ctx;
struct sysdb_attrs *entry;
struct sss_domain_info *dom;
const char **attrs;
char *sanitized;
errno_t ret;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
return ENOMEM;
}
ret = sss_filter_sanitize(tmp_ctx, attr_value, &sanitized);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to sanitize input [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
attrs = sssctl_build_attrs(tmp_ctx, info);
if (attrs == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get attribute list!\n");
ret = ENOMEM;
goto done;
}
ret = sssctl_find_object(tmp_ctx, domains, domain, basedn_fn,
obj_type, attr_name, sanitized, attrs,
&entry, &dom);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to query cache [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
*_entry = talloc_steal(mem_ctx, entry);
*_dom = dom;
done:
talloc_free(tmp_ctx);
return ret;
}
static errno_t
ifp_groups_group_get(struct sbus_request *sbus_req,
void *data,
gid_t *_gid,
struct sss_domain_info **_domain,
struct ldb_message **_group)
{
struct ifp_ctx *ctx;
struct sss_domain_info *domain;
struct ldb_result *res;
uid_t gid;
errno_t ret;
ctx = talloc_get_type(data, struct ifp_ctx);
if (ctx == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n");
return ERR_INTERNAL;
}
ret = ifp_groups_decompose_path(ctx->rctx->domains, sbus_req->path,
&domain, &gid);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to decompose object path"
"[%s] [%d]: %s\n", sbus_req->path, ret, sss_strerror(ret));
return ret;
}
if (_group != NULL) {
ret = sysdb_getgrgid_with_views(sbus_req, domain, gid, &res);
if (ret == EOK && res->count == 0) {
*_group = NULL;
ret = ENOENT;
}
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup group %u@%s [%d]: %s\n",
gid, domain->name, ret, sss_strerror(ret));
} else {
*_group = res->msgs[0];
}
}
if (ret == EOK || ret == ENOENT) {
if (_gid != NULL) {
*_gid = gid;
}
if (_domain != NULL) {
*_domain = domain;
}
}
return ret;
}
static errno_t sssctl_query_cache(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
struct ldb_dn *base_dn,
const char *filter,
const char **attrs,
struct sysdb_attrs **_entry)
{
TALLOC_CTX *tmp_ctx;
struct sysdb_attrs **sysdb_attrs;
struct ldb_message **msgs;
size_t count;
errno_t ret;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
return ENOMEM;
}
ret = sysdb_search_entry(tmp_ctx, sysdb, base_dn, LDB_SCOPE_SUBTREE,
filter, attrs, &count, &msgs);
if (ret == ENOENT) {
DEBUG(SSSDBG_TRACE_FUNC, "No result\n");
goto done;
} else if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to search sysdb "
"[%d]: %s\n", ret, sss_strerror(ret));
goto done;
}
if (count != 1) {
DEBUG(SSSDBG_CRIT_FAILURE, "Search returned more than one result!\n");
ret = ERR_INTERNAL;
goto done;
}
ret = sysdb_msg2attrs(tmp_ctx, count, msgs, &sysdb_attrs);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to convert message to sysdb attrs "
"[%d]: %s\n", ret, sss_strerror(ret));
goto done;
}
*_entry = talloc_steal(mem_ctx, sysdb_attrs[0]);
done:
talloc_free(tmp_ctx);
return ret;
}
static errno_t
store_rulemember(TALLOC_CTX *mem_ctx,
struct ipa_sudo_dn_list **list,
hash_table_t *table,
const char *dn)
{
struct ipa_sudo_dn_list *item;
errno_t ret;
item = talloc_zero(mem_ctx, struct ipa_sudo_dn_list);
if (item == NULL) {
return ENOMEM;
}
ret = ipa_sudo_conv_store(table, dn, NULL);
if (ret != EOK && ret != EEXIST) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to store DN %s [%d]: %s\n",
dn, ret, sss_strerror(ret));
goto done;
}
item->dn = talloc_steal(item, dn);
DLIST_ADD(*list, item);
done:
if (ret != EOK && ret != EEXIST) {
talloc_free(item);
}
return ret;
}
static errno_t cache_req_search_ncache(struct cache_req *cr)
{
errno_t ret;
if (cr->plugin->ncache_check_fn == NULL) {
CACHE_REQ_DEBUG(SSSDBG_TRACE_INTERNAL, cr,
"This request type does not support negative cache\n");
return EOK;
}
CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
"Checking negative cache for [%s]\n",
cr->debugobj);
ret = cr->plugin->ncache_check_fn(cr->ncache, cr->domain, cr->data);
if (ret == EEXIST) {
CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
"[%s] does not exist (negative cache)\n",
cr->debugobj);
return ENOENT;
} else if (ret != EOK && ret != ENOENT) {
CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr,
"Unable to check negative cache [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
"[%s] is not present in negative cache\n",
cr->debugobj);
return EOK;
}
static void cache_req_search_process_dp(TALLOC_CTX *mem_ctx,
struct tevent_req *subreq,
struct cache_req *cr)
{
char *err_msg;
dbus_uint16_t err_maj;
dbus_uint32_t err_min;
errno_t ret;
ret = sss_dp_get_account_recv(mem_ctx, subreq, &err_maj, &err_min, &err_msg);
talloc_zfree(subreq);
if (ret != EOK) {
CACHE_REQ_DEBUG(SSSDBG_OP_FAILURE, cr,
"Could not get account info [%d]: %s\n",
ret, sss_strerror(ret));
CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
"Due to an error we will return cached data\n");
}
if (err_maj) {
CACHE_REQ_DEBUG(SSSDBG_OP_FAILURE, cr,
"Data Provider Error: %u, %u, %s\n",
(unsigned int)err_maj, (unsigned int)err_min, err_msg);
CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
"Due to an error we will return cached data\n");
}
return;
}
static errno_t cache_req_dpreq_params(TALLOC_CTX *mem_ctx,
struct cache_req *cr,
struct ldb_result *result,
const char **_string,
uint32_t *_id,
const char **_flag)
{
errno_t ret;
if (cr->plugin->dpreq_params_fn == NULL) {
CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr,
"Bug: No dpreq params function specified\n");
return ERR_INTERNAL;
}
CACHE_REQ_DEBUG(SSSDBG_TRACE_INTERNAL, cr,
"Creating DP request parameters\n");
ret = cr->plugin->dpreq_params_fn(mem_ctx, cr, result, _string, _id, _flag);
if (ret != EOK) {
CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr,
"Unable to create DP request parameters [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
return EOK;
}
static void be_ptask_done(struct tevent_req *req)
{
struct be_ptask *task = NULL;
errno_t ret;
task = tevent_req_callback_data(req, struct be_ptask);
ret = task->recv_fn(req);
talloc_zfree(req);
task->req = NULL;
switch (ret) {
case EOK:
DEBUG(SSSDBG_TRACE_FUNC, "Task [%s]: finished successfully\n",
task->name);
be_ptask_schedule(task, BE_PTASK_PERIOD, BE_PTASK_SCHEDULE_FROM_LAST);
break;
default:
DEBUG(SSSDBG_OP_FAILURE, "Task [%s]: failed with [%d]: %s\n",
task->name, ret, sss_strerror(ret));
be_ptask_schedule(task, BE_PTASK_PERIOD, BE_PTASK_SCHEDULE_FROM_NOW);
break;
}
}
static errno_t proxy_auth_conf(TALLOC_CTX *mem_ctx,
struct be_ctx *be_ctx,
char **_pam_target)
{
char *pam_target;
errno_t ret;
ret = confdb_get_string(be_ctx->cdb, mem_ctx, be_ctx->conf_path,
CONFDB_PROXY_PAM_TARGET, NULL, &pam_target);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read confdb [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
if (pam_target == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Missing option %s.\n",
CONFDB_PROXY_PAM_TARGET);
return EINVAL;
}
*_pam_target = pam_target;
return EOK;
}
char *
sss_get_domain_name(TALLOC_CTX *mem_ctx,
const char *orig_name,
struct sss_domain_info *dom)
{
char *user_name;
char *domain = NULL;
int ret;
/* check if the name already contains domain part */
if (dom->names != NULL) {
ret = sss_parse_name(mem_ctx, dom->names, orig_name, &domain, NULL);
if (ret == ERR_REGEX_NOMATCH) {
DEBUG(SSSDBG_TRACE_FUNC,
"sss_parse_name could not parse domain from [%s]. "
"Assuming it is not FQDN.\n", orig_name);
} else if (ret != EOK) {
DEBUG(SSSDBG_TRACE_FUNC,
"sss_parse_name failed [%d]: %s\n", ret, sss_strerror(ret));
return NULL;
}
}
if (IS_SUBDOMAIN(dom) && dom->fqnames && domain == NULL) {
/* we always use the fully qualified name for subdomain users */
user_name = sss_tc_fqname(mem_ctx, dom->names, dom, orig_name);
} else {
user_name = talloc_strdup(mem_ctx, orig_name);
}
talloc_free(domain);
return user_name;
}
static errno_t wait_till_nss_responder_invalidate_cache(void)
{
struct stat stat_buf = { 0 };
const time_t max_wait = 1000000; /* 1 second */
const time_t step_time = 5000; /* 5 milliseconds */
const size_t steps_count = max_wait / step_time;
int ret;
for (size_t i = 0; i < steps_count; ++i) {
ret = stat(SSS_NSS_MCACHE_DIR "/" CLEAR_MC_FLAG, &stat_buf);
if (ret == -1) {
ret = errno;
if (ret == ENOENT) {
/* nss responder has already invalidated memory caches */
return EOK;
}
DEBUG(SSSDBG_CRIT_FAILURE,
"stat failed: %s (%d)\n", sss_strerror(ret), ret);
}
usleep(step_time);
}
return EAGAIN;
}
struct sss_domain_info *
find_domain_by_object_name(struct sss_domain_info *domain,
const char *object_name)
{
TALLOC_CTX *tmp_ctx;
struct sss_domain_info *dom = NULL;
char *domainname = NULL;
errno_t ret;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
return NULL;
}
ret = sss_parse_name(tmp_ctx, domain->names, object_name,
&domainname, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s' [%d]: %s\n",
object_name, ret, sss_strerror(ret));
goto done;
}
if (domainname == NULL) {
dom = domain;
} else {
dom = find_domain_by_name(domain, domainname, true);
}
done:
talloc_free(tmp_ctx);
return dom;
}
static errno_t
nss_get_id_type(struct nss_cmd_ctx *cmd_ctx,
struct cache_req_result *result,
enum sss_id_type *_type)
{
errno_t ret;
if (cmd_ctx->sid_id_type != SSS_ID_TYPE_NOT_SPECIFIED) {
*_type = cmd_ctx->sid_id_type;
return EOK;
}
/* Well known objects are always groups. */
if (result->well_known_object) {
*_type = SSS_ID_TYPE_GID;
return EOK;
}
ret = find_sss_id_type(result->msgs[0], result->domain->mpg, _type);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Unable to find ID type [%d]: %s\n", ret, sss_strerror(ret));
return ret;
}
return EOK;
}
static errno_t
memcache_delete_entry_by_name(struct nss_ctx *nss_ctx,
struct sized_string *name,
enum sss_mc_type type)
{
errno_t ret;
switch (type) {
case SSS_MC_PASSWD:
ret = sss_mmap_cache_pw_invalidate(nss_ctx->pwd_mc_ctx, name);
break;
case SSS_MC_GROUP:
ret = sss_mmap_cache_gr_invalidate(nss_ctx->grp_mc_ctx, name);
break;
case SSS_MC_INITGROUPS:
ret = sss_mmap_cache_initgr_invalidate(nss_ctx->initgr_mc_ctx, name);
break;
default:
return EINVAL;
}
if (ret == EOK || ret == ENOENT) {
return EOK;
}
DEBUG(SSSDBG_CRIT_FAILURE,
"Internal failure in memory cache code: %d [%s]\n",
ret, sss_strerror(ret));
return ret;
}
static errno_t
memcache_delete_entry_by_id(struct nss_ctx *nss_ctx,
uint32_t id,
enum sss_mc_type type)
{
errno_t ret;
switch (type) {
case SSS_MC_PASSWD:
ret = sss_mmap_cache_pw_invalidate_uid(nss_ctx->pwd_mc_ctx, (uid_t)id);
break;
case SSS_MC_GROUP:
ret = sss_mmap_cache_gr_invalidate_gid(nss_ctx->grp_mc_ctx, (gid_t)id);
break;
default:
return EINVAL;
}
if (ret == EOK || ret == ENOENT) {
return EOK;
}
DEBUG(SSSDBG_CRIT_FAILURE,
"Internal failure in memory cache code: %d [%s]\n",
ret, sss_strerror(ret));
return ret;
}
void
sbus_request_invoke_or_finish(struct sbus_request *dbus_req,
sbus_msg_handler_fn handler_fn,
void *handler_data,
sbus_method_invoker_fn invoker_fn)
{
DBusError error;
int ret;
if (invoker_fn != NULL) {
ret = invoker_fn(dbus_req, handler_fn);
} else if (handler_fn != NULL) {
ret = handler_fn(dbus_req, handler_data);
} else {
ret = EINVAL;
}
switch(ret) {
case ERR_SBUS_REQUEST_HANDLED:
case EOK:
return;
case ENOMEM:
DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory handling DBus message\n");
sbus_request_finish(dbus_req, NULL);
break;
default:
DEBUG(SSSDBG_CRIT_FAILURE, "Handler failed [%d]: %s\n",
ret, sss_strerror(ret));
dbus_error_init(&error);
dbus_set_error_const(&error, DBUS_ERROR_FAILED, INTERNAL_ERROR);
sbus_request_fail_and_finish(dbus_req, &error);
break;
}
}
errno_t sssm_proxy_init(TALLOC_CTX *mem_ctx,
struct be_ctx *be_ctx,
struct data_provider *provider,
const char *module_name,
void **_module_data)
{
struct proxy_auth_ctx *auth_ctx;
errno_t ret;
if (!dp_target_enabled(provider, module_name,
DPT_ACCESS, DPT_AUTH, DPT_CHPASS)) {
return EOK;
}
/* Initialize auth_ctx since one of the access, auth or chpass is set. */
ret = proxy_init_auth_ctx(mem_ctx, be_ctx, &auth_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create auth context [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
*_module_data = auth_ctx;
return EOK;
}
const char* sss_ldap_err2string(int err)
{
if (IS_SSSD_ERROR(err)) {
return sss_strerror(err);
} else {
return ldap_err2string(err);
}
}
static errno_t ad_get_enabled_domains(TALLOC_CTX *mem_ctx,
struct ad_id_ctx *ad_id_ctx,
const char *ad_domain,
const char ***_ad_enabled_domains)
{
int ret;
const char *str;
const char *option_name;
const char **domains = NULL;
int count;
bool is_ad_in_domains;
TALLOC_CTX *tmp_ctx = NULL;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
return ENOMEM;
}
str = dp_opt_get_cstring(ad_id_ctx->ad_options->basic, AD_ENABLED_DOMAINS);
if (str == NULL) {
*_ad_enabled_domains = NULL;
ret = EOK;
goto done;
}
count = 0;
ret = split_on_separator(tmp_ctx, str, ',', true, true,
discard_const_p(char **, &domains), &count);
if (ret != EOK) {
option_name = ad_id_ctx->ad_options->basic[AD_ENABLED_DOMAINS].opt_name;
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse option [%s], [%i] [%s]!\n",
option_name, ret, sss_strerror(ret));
ret = EINVAL;
goto done;
}
is_ad_in_domains = false;
for (int i = 0; i < count; i++) {
is_ad_in_domains += strcmp(ad_domain, domains[i]) == 0 ? true : false;
}
if (is_ad_in_domains == false) {
domains = talloc_realloc(tmp_ctx, domains, const char*, count + 2);
if (domains == NULL) {
ret = ENOMEM;
goto done;
}
domains[count] = talloc_strdup(domains, ad_domain);
if (domains[count] == NULL) {
ret = ENOMEM;
goto done;
}
domains[count + 1] = NULL;
} else {
errno_t
ipa_sudo_conv_cmds(struct ipa_sudo_conv *conv,
struct sysdb_attrs **cmds,
size_t num_cmds)
{
const char *key;
const char *cmd;
errno_t ret;
size_t i;
if (num_cmds == 0) {
/* We're done here. */
return EOK;
}
for (i = 0; i < num_cmds; i++) {
ret = sysdb_attrs_get_string(cmds[i], SYSDB_ORIG_DN, &key);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get command DN, skipping "
"[%d]: %s\n", ret, sss_strerror(ret));
continue;
}
ret = sysdb_attrs_get_string(cmds[i], SYSDB_IPA_SUDOCMD_SUDOCMD, &cmd);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get command, skipping "
"[%d]: %s\n", ret, sss_strerror(ret));
continue;
}
ret = ipa_sudo_conv_store(conv->cmds, key, discard_const(cmd));
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to store command into table "
"[%d]: %s\n", ret, sss_strerror(ret));
goto done;
}
}
ret = EOK;
done:
return ret;
}
errno_t sssm_proxy_id_init(TALLOC_CTX *mem_ctx,
struct be_ctx *be_ctx,
void *module_data,
struct dp_method *dp_methods)
{
struct proxy_id_ctx *ctx;
char *libname;
char *libpath;
errno_t ret;
ctx = talloc_zero(mem_ctx, struct proxy_id_ctx);
if (ctx == NULL) {
return ENOMEM;
}
ctx->be = be_ctx;
ret = proxy_id_conf(ctx, be_ctx, &libname, &libpath, &ctx->fast_alias);
if (ret != EOK) {
goto done;
}
ctx->handle = dlopen(libpath, RTLD_NOW);
if (ctx->handle == NULL) {
DEBUG(SSSDBG_FATAL_FAILURE, "Unable to load %s module, "
"error: %s\n", libpath, dlerror());
ret = ELIBACC;
goto done;
}
ret = proxy_id_load_symbols(&ctx->ops, libname, ctx->handle);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "Unable to load NSS symbols [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
dp_set_method(dp_methods, DPM_ACCOUNT_HANDLER,
proxy_account_info_handler_send, proxy_account_info_handler_recv, ctx,
struct proxy_id_ctx, struct dp_id_data, struct dp_reply_std);
dp_set_method(dp_methods, DPM_ACCT_DOMAIN_HANDLER,
default_account_domain_send, default_account_domain_recv, NULL,
void, struct dp_get_acct_domain_data, struct dp_reply_std);
ret = EOK;
done:
if (ret != EOK) {
talloc_free(ctx);
}
return ret;
}
void sbus_sync_emit_signal(struct sbus_sync_connection *conn,
DBusMessage *msg)
{
errno_t ret;
ret = sbus_sync_message_send(NULL, conn, msg, SBUS_MESSAGE_TIMEOUT, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to emit signal [%d]: %s\n",
ret, sss_strerror(ret));
}
}
static errno_t
nodes_cached_objects(TALLOC_CTX *mem_ctx,
struct ifp_ctx *ifp_ctx,
enum ifp_cache_type type,
const char *prefix,
const char ***_nodes)
{
TALLOC_CTX *tmp_ctx;
const char **paths;
const char **nodes;
const char *node;
int num_paths;
errno_t ret;
int i;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
return ENOMEM;
}
ret = ifp_cache_list_domains(tmp_ctx, ifp_ctx->rctx->domains, type, &paths);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to obtain cache objects list "
"[%d]: %s\n", ret, sss_strerror(ret));
goto done;
}
num_paths = talloc_array_length(paths) - 1;
nodes = talloc_zero_array(tmp_ctx, const char *, num_paths + 1);
if (nodes == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n");
ret = ENOMEM;
goto done;
}
for (i = 0; i < num_paths; i++) {
node = sbus_opath_strip_prefix(paths[i], prefix);
nodes[i] = talloc_strdup(nodes, node);
if (nodes[i] == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n");
ret = ENOMEM;
goto done;
}
}
*_nodes = talloc_steal(mem_ctx, nodes);
ret = EOK;
done:
talloc_free(tmp_ctx);
return ret;
}
void
sdap_sudo_set_usn(struct sdap_server_opts *srv_opts,
const char *usn)
{
unsigned long usn_number;
char *newusn;
char *endptr = NULL;
errno_t ret;
if (srv_opts == NULL) {
DEBUG(SSSDBG_TRACE_FUNC, "Bug: srv_opts is NULL\n");
return;
}
if (usn == NULL) {
DEBUG(SSSDBG_TRACE_FUNC, "Bug: usn is NULL\n");
return;
}
errno = 0;
usn_number = strtoul(usn, &endptr, 10);
if (errno != 0) {
ret = errno;
DEBUG(SSSDBG_MINOR_FAILURE, "Unable to convert USN %s [%d]: %s\n",
usn, ret, sss_strerror(ret));
return;
}
if (usn_number == 0) {
/* Zero means that there were no rules on the server, so we have
* nothing to store. */
DEBUG(SSSDBG_TRACE_FUNC, "SUDO USN value is empty.\n");
return;
}
newusn = sdap_sudo_new_usn(srv_opts, usn_number, endptr);
if (newusn == NULL) {
return;
}
if (sysdb_compare_usn(newusn, srv_opts->max_sudo_value) > 0) {
talloc_zfree(srv_opts->max_sudo_value);
srv_opts->max_sudo_value = newusn;
} else {
talloc_zfree(newusn);
}
if (usn_number > srv_opts->last_usn) {
srv_opts->last_usn = usn_number;
}
DEBUG(SSSDBG_FUNC_DATA, "SUDO higher USN value: [%s]\n",
srv_opts->max_sudo_value);
}
static errno_t sudosrv_fetch_rules(TALLOC_CTX *mem_ctx,
enum sss_sudo_type type,
struct sss_domain_info *domain,
uid_t cli_uid,
uid_t orig_uid,
const char *username,
char **groups,
bool inverse_order,
struct sysdb_attrs ***_rules,
uint32_t *_num_rules)
{
struct sysdb_attrs **rules;
const char *debug_name = "unknown";
uint32_t num_rules;
errno_t ret;
switch (type) {
case SSS_SUDO_USER:
DEBUG(SSSDBG_TRACE_FUNC, "Retrieving rules for [%s@%s]\n",
username, domain->name);
debug_name = "rules";
ret = sudosrv_cached_rules(mem_ctx, domain,
cli_uid, orig_uid, username, groups,
inverse_order, &rules, &num_rules);
break;
case SSS_SUDO_DEFAULTS:
debug_name = "default options";
DEBUG(SSSDBG_TRACE_FUNC, "Retrieving default options for [%s@%s]\n",
username, domain->name);
ret = sudosrv_cached_defaults(mem_ctx, domain, &rules, &num_rules);
break;
default:
ret = EINVAL;
}
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to retrieve %s [%d]: %s\n",
debug_name, ret, sss_strerror(ret));
return ret;
}
DEBUG(SSSDBG_TRACE_FUNC, "Returning %u %s for [%s@%s]\n",
num_rules, debug_name, username, domain->name);
*_rules = rules;
*_num_rules = num_rules;
return EOK;
}
