From 8cb263f039da9e616e907d25701593dca22b11ed Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Mon, 1 Aug 2016 12:52:07 +0200

Subject: [PATCH 22/36] KCM: Initial responder build and packaging

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Adds the initial build of the Kerberos Cache Manager responder (KCM).

This is a deamon that is capable of holding and storing Kerberos

ccaches. When KCM is used, the kerberos libraries (invoked through e.g.

kinit) are referred to as a 'client' and the KCM deamon is referred to

as 'server'.

At the moment, only the Heimdal implementation of Kerberos implements the

KCM server:

    https://www.h5l.org/manual/HEAD/info/heimdal/Credential-cache-server-_002d-KCM.html

This patch adds a KCM server to SSSD.

In MIT, only the 'client-side' support was added:

    http://k5wiki.kerberos.org/wiki/Projects/KCM_client

This page also describes the protocol between the client and the server.

The client is capable of talking to the server over either UNIX sockets

(Linux, most Unixes) or Mach RPC (macOS). Our server only implements the

UNIX sockets way and should be socket-activated by systemd, although can

in theory be also ran explicitly.

The KCM server only builds if the configuration option "--with-kcm" is

enabled. It is packaged in a new subpackage sssd-kcm in order to allow

distributions to enable the KCM credential caches by installing this

subpackage only, without the rest of the SSSD. The sssd-kcm subpackage

also includes a krb5.conf.d snippet that allows the admin to just uncomment

the KCM defaults and instructs them to start the socket.

The server can be configured in sssd.conf in the "[kcm]" section.

By default, the server only listens on the same socket path the Heimdal

server uses, which is "/var/run/.heim_org.h5l.kcm-socket". This is,

however, configurable.

The file src/responder/kcm/kcm.h is more or less directly imported from

the MIT Kerberos tree, with an additional sentinel code and some

comments. Not all KCM operations are implemented, only those that also

the MIT client implements. That said, this KCM server should also be

usable with a Heimdal client, although no special testing was with this

hybrid.

The patch also adds several error codes that will be used in later

patches.

Related to:

    https://pagure.io/SSSD/sssd/issue/2887

Reviewed-by: Michal Židek <mzidek@redhat.com>

Reviewed-by: Simo Sorce <simo@redhat.com>

---

 Makefile.am                          |  53 ++++++++

 configure.ac                         |  10 +-

 contrib/kcm_default_ccache           |  12 ++

 contrib/sssd.spec.in                 |  41 ++++++

 src/conf_macros.m4                   |  16 +++

 src/confdb/confdb.h                  |   3 +

 src/config/cfg_rules.ini             |  19 +++

 src/external/libcurl.m4              |   6 +-

 src/responder/kcm/kcm.c              | 254 +++++++++++++++++++++++++++++++++++

 src/responder/kcm/kcm.h              |  97 +++++++++++++

 src/responder/kcm/kcmsrv_cmd.c       |  65 +++++++++

 src/responder/kcm/kcmsrv_pvt.h       |  58 ++++++++

 src/sysv/systemd/sssd-kcm.service.in |   9 ++

 src/sysv/systemd/sssd-kcm.socket.in  |  10 ++

 src/util/util_errors.c               |   5 +

 src/util/util_errors.h               |   5 +

 16 files changed, 658 insertions(+), 5 deletions(-)

 create mode 100644 contrib/kcm_default_ccache

 create mode 100644 src/responder/kcm/kcm.c

 create mode 100644 src/responder/kcm/kcm.h

 create mode 100644 src/responder/kcm/kcmsrv_cmd.c

 create mode 100644 src/responder/kcm/kcmsrv_pvt.h

 create mode 100644 src/sysv/systemd/sssd-kcm.service.in

 create mode 100644 src/sysv/systemd/sssd-kcm.socket.in

diff --git a/Makefile.am b/Makefile.am

index 7516338bc6fd95045d20db8155a0c82fd7003358..4248536e90370c1aab59549a9c18408ef314e6d4 100644

--- a/Makefile.am

+++ b/Makefile.am

@@ -87,6 +87,7 @@ sudolibdir = @sudolibpath@

 polkitdir = @polkitdir@

 pamconfdir = $(sysconfdir)/pam.d

 systemtap_tapdir = @tapset_dir@

+krb5sysincludedir = $(sysconfdir)/krb5.conf.d

 if HAVE_SYSTEMD_UNIT

 ifp_exec_cmd = $(sssdlibexecdir)/sssd_ifp --uid 0 --gid 0 --debug-to-files --dbus-activated

@@ -186,6 +187,11 @@ endif

 if BUILD_SECRETS

 sssdlibexec_PROGRAMS += sssd_secrets

 endif

+if BUILD_KCM

+sssdlibexec_PROGRAMS += sssd_kcm

+dist_krb5sysinclude_DATA = contrib/kcm_default_ccache

+endif

+

 if BUILD_PAC_RESPONDER

     sssdlibexec_PROGRAMS += sssd_pac

@@ -703,6 +709,8 @@ dist_noinst_HEADERS = \

     src/responder/secrets/secsrv_private.h \

     src/responder/secrets/secsrv_local.h \

     src/responder/secrets/secsrv_proxy.h \

+    src/responder/kcm/kcm.h \

+    src/responder/kcm/kcmsrv_pvt.h \

     src/sbus/sbus_client.h \

     src/sbus/sssd_dbus.h \

     src/sbus/sssd_dbus_meta.h \

@@ -1476,6 +1484,24 @@ sssd_secrets_LDADD = \

     $(NULL)

 endif

+if BUILD_KCM

+sssd_kcm_SOURCES = \

+    src/responder/kcm/kcm.c \

+    src/responder/kcm/kcmsrv_cmd.c \

+    src/util/sss_sockets.c \

+    $(SSSD_RESPONDER_OBJ) \

+    $(NULL)

+sssd_kcm_CFLAGS = \

+    $(AM_CFLAGS) \

+    $(KRB5_CFLAGS) \

+    $(NULL)

+sssd_kcm_LDADD = \

+    $(KRB5_LIBS) \

+    $(SSSD_LIBS) \

+    $(SSSD_INTERNAL_LTLIBS) \

+    $(NULL)

+endif

+

 sssd_be_SOURCES = \

     src/providers/data_provider_be.c \

     src/providers/data_provider_req.c \

@@ -4259,6 +4285,12 @@ if BUILD_SUDO

         src/sysv/systemd/sssd-sudo.service \

         $(NULL)

 endif

+if BUILD_KCM

+    systemdunit_DATA += \

+        src/sysv/systemd/sssd-kcm.socket \

+        src/sysv/systemd/sssd-kcm.service \

+        $(NULL)

+endif

 if WITH_JOURNALD

     systemdconf_DATA += \

         src/sysv/systemd/journal.conf

@@ -4350,6 +4382,12 @@ EXTRA_DIST += \

     src/sysv/systemd/sssd-sudo.service.in \

     $(NULL)

 endif

+if BUILD_KCM

+EXTRA_DIST += \

+    src/sysv/systemd/sssd-kcm.socket.in \

+    src/sysv/systemd/sssd-kcm.service.in \

+    $(NULL)

+endif

 src/sysv/systemd/sssd.service: src/sysv/systemd/sssd.service.in Makefile

 	@$(MKDIR_P) src/sysv/systemd/

@@ -4433,6 +4471,16 @@ src/sysv/systemd/sssd-sudo.service: src/sysv/systemd/sssd-sudo.service.in Makefi

 	$(replace_script)

 endif

+if BUILD_KCM

+src/sysv/systemd/sssd-kcm.socket: src/sysv/systemd/sssd-kcm.socket.in Makefile

+	@$(MKDIR_P) src/sysv/systemd/

+	$(replace_script)

+

+src/sysv/systemd/sssd-kcm.service: src/sysv/systemd/sssd-kcm.service.in Makefile

+	@$(MKDIR_P) src/sysv/systemd/

+	$(replace_script)

+endif

+

 SSSD_USER_DIRS = \

     $(DESTDIR)$(dbpath) \

     $(DESTDIR)$(keytabdir) \

@@ -4596,6 +4644,9 @@ install-data-hook:

 if BUILD_SAMBA

 	mv $(DESTDIR)/$(winbindplugindir)/winbind_idmap_sss.so $(DESTDIR)/$(winbindplugindir)/sss.so

 endif

+if BUILD_KCM

+	$(MKDIR_P) $(DESTDIR)/$(krb5sysincludedir)

+endif

 uninstall-hook:

 	if [ -f $(abs_builddir)/src/config/.files2 ]; then \

@@ -4670,6 +4721,8 @@ endif

 	rm -f $(builddir)/src/sysv/systemd/sssd-sudo.service

 	rm -f $(builddir)/src/sysv/systemd/sssd-secrets.socket

 	rm -f $(builddir)/src/sysv/systemd/sssd-secrets.service

+	rm -f $(builddir)/src/sysv/systemd/sssd-kcm.socket

+	rm -f $(builddir)/src/sysv/systemd/sssd-kcm.service

 	rm -f $(builddir)/src/sysv/systemd/journal.conf

 CLEANFILES += *.X */*.X */*/*.X

diff --git a/configure.ac b/configure.ac

index dd1012015a5fea9f25e5b5199b4868fbc0bc14c4..c363d48a806cc1998e85779a92b6b59b0e2a5c9c 100644

--- a/configure.ac

+++ b/configure.ac

@@ -155,6 +155,7 @@ WITH_SSSD_USER

 SSSD_RUNSTATEDIR

 WITH_SECRETS

 WITH_SECRETS_DB_PATH

+WITH_KCM

 m4_include([src/external/pkg.m4])

 m4_include([src/external/libpopt.m4])

@@ -193,13 +194,20 @@ m4_include([src/external/libresolv.m4])

 m4_include([src/external/intgcheck.m4])

 m4_include([src/external/systemtap.m4])

 m4_include([src/external/service.m4])

-m4_include([src/external/libcurl.m4])

 if test x$with_secrets = xyes; then

     m4_include([src/external/libhttp_parser.m4])

     m4_include([src/external/libjansson.m4])

 fi

+if test x$with_kcm = xyes; then

+    m4_include([src/external/libcurl.m4])

+fi

+# This variable is defined by external/libcurl.m4, but conditionals

+# must be always evaluated

+AM_CONDITIONAL([BUILD_WITH_LIBCURL],

+               [test x"$have_curlopt_unix_sockpath" = xyes])

+

 WITH_UNICODE_LIB

 if test x$unicode_lib = xlibunistring; then

     m4_include([src/external/libunistring.m4])

diff --git a/contrib/kcm_default_ccache b/contrib/kcm_default_ccache

new file mode 100644

index 0000000000000000000000000000000000000000..ac88fca86b60b19f772912b5d9d14595a96d101d

--- /dev/null

+++ b/contrib/kcm_default_ccache

@@ -0,0 +1,12 @@

+# This file should normally be installed by your distribution into a

+# directory that is included from the Kerberos configuration file (/etc/krb5.conf)

+# On Fedora/RHEL/CentOS, this is /etc/krb5.conf.d/

+#

+# To enable the KCM credential cache, uncomment the following lines and

+# enable the KCM socket and the service:

+#   systemctl enable sssd-kcm.socket

+#   systemctl start sssd-kcm.socket

+#   systemctl enable sssd-kcm.service

+

+#[libdefaults]

+#    default_ccache_name = KCM:

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in

index 28ebe07a26a3112210b092b7831e7f6aae061c8d..5c7c2af521a84ef2ca6cca7b2d6cd1f9b3057056 100644

--- a/contrib/sssd.spec.in

+++ b/contrib/sssd.spec.in

@@ -112,6 +112,13 @@

     %global enable_systemtap_opt --enable-systemtap

 %endif

+%if (0%{?fedora} >= 23 || 0%{?rhel} >= 7)

+    %global with_kcm 1

+    %global with_kcm_option --with-kcm

+%else

+    %global with_kcm_option --without-kcm

+%endif

+

 Name: @PACKAGE_NAME@

 Version: @PACKAGE_VERSION@

 Release: 0@PRERELEASE_VERSION@%{?dist}

@@ -677,6 +684,18 @@ Requires: libsss_certmap = %{version}-%{release}

 %description -n libsss_certmap-devel

 Library to map certificates to users based on rules

+%if (0%{?with_kcm} == 1)

+%package kcm

+Summary: An implementation of a Kerberos KCM server

+Group:  Applications/System

+License: GPLv3+

+Requires: sssd-common = %{version}-%{release}

+

+%description kcm

+An implementation of a Kerberos KCM server. Use this package if you want to

+use the KCM: Kerberos credentials cache.

+%endif

+

 %prep

 %setup -q -n %{name}-%{version}

@@ -706,6 +725,7 @@ autoreconf -ivf

     %{?with_python3_option} \

     %{?enable_polkit_rules_option} \

     %{?enable_systemtap_opt} \

+    %{?with_kcm_option} \

     %{?experimental}

 make %{?_smp_mflags} all

@@ -1178,6 +1198,15 @@ done

 %{_libdir}/libsss_certmap.so

 %{_libdir}/pkgconfig/sss_certmap.pc

+%if (0%{?with_kcm} == 1)

+%files kcm

+%{_libexecdir}/%{servicename}/sssd_kcm

+%dir %{_sysconfdir}/krb5.conf.d

+%config(noreplace) %{_sysconfdir}/krb5.conf.d/kcm_default_ccache

+%{_unitdir}/sssd-kcm.socket

+%{_unitdir}/sssd-kcm.service

+%endif

+

 %pre common

 getent group sssd >/dev/null || groupadd -r sssd

 getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd

@@ -1274,6 +1303,18 @@ fi

 %postun -n libsss_simpleifp -p /sbin/ldconfig

+%if (0%{?with_kcm} == 1)

+%post kcm

+%systemd_post sssd-kcm.socket

+

+%preun kcm

+%systemd_preun sssd-kcm.socket

+

+%postun kcm

+%systemd_postun_with_restart sssd-kcm.socket

+%systemd_postun_with_restart sssd-kcm.service

+%endif

+

 %changelog

 * Mon Mar 15 2010 Stephen Gallagher <sgallagh@redhat.com> - @PACKAGE_VERSION@-0@PRERELEASE_VERSION@

 - Automated build of the SSSD

diff --git a/src/conf_macros.m4 b/src/conf_macros.m4

index 749e7694f4dd7086468e461194ef274be2094236..420997229cb3c244afd8fb21b074e43a21de0eda 100644

--- a/src/conf_macros.m4

+++ b/src/conf_macros.m4

@@ -887,6 +887,22 @@ AC_DEFUN([WITH_SECRETS],

     AM_CONDITIONAL([BUILD_SECRETS], [test x"$with_secrets" = xyes])

   ])

+AC_DEFUN([WITH_KCM],

+  [ AC_ARG_WITH([kcm],

+                [AC_HELP_STRING([--with-kcm],

+                                [Whether to build with KCM server support [yes]]

+                               )

+                ],

+                [with_kcm=$withval],

+                with_kcm=yes

+               )

+

+    if test x"$with_kcm" = xyes; then

+        AC_DEFINE(BUILD_KCM, 1, [whether to build with KCM server support])

+    fi

+    AM_CONDITIONAL([BUILD_KCM], [test x"$with_kcm" = xyes])

+  ])

+

 AC_DEFUN([WITH_SECRETS_DB_PATH],

   [ AC_ARG_WITH([secrets-db-path],

                 [AC_HELP_STRING([--with-secrets-db-path=PATH],

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h

index c05b1cee45ece748bf8e2b1e1ecf3dc28979e48b..c443e869a7a6782265b42c4ad122867c4e3dd8e0 100644

--- a/src/confdb/confdb.h

+++ b/src/confdb/confdb.h

@@ -231,6 +231,9 @@

 #define CONFDB_SEC_MAX_SECRETS "max_secrets"

 #define CONFDB_SEC_MAX_PAYLOAD_SIZE "max_payload_size"

+/* KCM Service */

+#define CONFDB_KCM_CONF_ENTRY "config/kcm"

+#define CONFDB_KCM_SOCKET "socket_path"

 struct confdb_ctx;

 struct config_file_ctx;

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini

index c287328828cae2f0ad8a5a105f1c2b3e05353021..5e789c51658c51c0af1338d23d6c0f30f40bf119 100644

--- a/src/config/cfg_rules.ini

+++ b/src/config/cfg_rules.ini

@@ -9,6 +9,7 @@ section = ssh

 section = pac

 section = ifp

 section = secrets

+section = kcm

 section_re = ^secrets/users/[0-9]\+$

 section_re = ^domain/.*$

@@ -262,6 +263,24 @@ option = forward_headers

 option = username

 option = password

+# KCM responder

+[rule/allowed_kcm_options]

+validator = ini_allowed_options

+section_re = ^kcm$

+

+option = timeout

+option = debug

+option = debug_level

+option = debug_timestamps

+option = debug_microseconds

+option = debug_to_files

+option = command

+option = reconnection_retries

+option = fd_limit

+option = client_idle_timeout

+option = description

+option = socket_path

+

 [rule/allowed_domain_options]

 validator = ini_allowed_options

 section_re = ^domain/.*$

diff --git a/src/external/libcurl.m4 b/src/external/libcurl.m4

index 3bc303ca4e1dea8a04117e32b8c4466b80d885b1..b420b04ad806bd1251f086b773ffe480d39f8bd3 100644

--- a/src/external/libcurl.m4

+++ b/src/external/libcurl.m4

@@ -9,8 +9,8 @@ AS_IF([test x$enable_libcurl = xyes],

       [PKG_CHECK_MODULES([CURL],

                          [libcurl],

                          [found_libcurl=yes],

-                         [AC_MSG_WARN([

-The libcurl development library was not found. Some features will be disabled.])

+                         [AC_MSG_ERROR([

+The libcurl development library was not found.])

       ])])

 AS_IF([test x"$found_libcurl" = xyes],

@@ -32,7 +32,5 @@ AS_IF([test x"$found_libcurl" = xyes],

 AC_SUBST(CURL_LIBS)

 AC_SUBST(CURL_CFLAGS)

-AM_CONDITIONAL([BUILD_WITH_LIBCURL],

-               [test x"$have_curlopt_unix_sockpath" = xyes])

 AM_COND_IF([BUILD_WITH_LIBCURL],

            [AC_DEFINE_UNQUOTED(HAVE_LIBCURL, 1, [Build with libcurl support])])

diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c

new file mode 100644

index 0000000000000000000000000000000000000000..90a6999c5e39d48a1a2ea8168d171612a65077d5

--- /dev/null

+++ b/src/responder/kcm/kcm.c

@@ -0,0 +1,254 @@

+/*

+   SSSD

+

+   KCM Server - the mainloop and server setup

+

+   Copyright (C) Red Hat, 2016

+

+   This program is free software; you can redistribute it and/or modify

+   it under the terms of the GNU General Public License as published by

+   the Free Software Foundation; either version 3 of the License, or

+   (at your option) any later version.

+

+   This program is distributed in the hope that it will be useful,

+   but WITHOUT ANY WARRANTY; without even the implied warranty of

+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+   GNU General Public License for more details.

+

+   You should have received a copy of the GNU General Public License

+   along with this program.  If not, see <http://www.gnu.org/licenses/>.

+*/

+

+#include "config.h"

+

+#include <popt.h>

+#include <krb5/krb5.h>

+

+#include "responder/kcm/kcm.h"

+#include "responder/kcm/kcmsrv_pvt.h"

+#include "responder/common/responder.h"

+#include "util/util.h"

+

+#define DEFAULT_KCM_FD_LIMIT 2048

+

+#ifndef SSS_KCM_SOCKET_NAME

+#define SSS_KCM_SOCKET_NAME DEFAULT_KCM_SOCKET_PATH

+#endif

+

+static int kcm_responder_ctx_destructor(void *ptr)

+{

+    struct resp_ctx *rctx = talloc_get_type(ptr, struct resp_ctx);

+

+    /* mark that we are shutting down the responder, so it is propagated

+     * into underlying contexts that are freed right before rctx */

+    DEBUG(SSSDBG_TRACE_FUNC, "Responder is being shut down\n");

+    rctx->shutting_down = true;

+

+    return 0;

+}

+

+static int kcm_get_config(struct kcm_ctx *kctx)

+{

+    int ret;

+    char *sock_name;

+

+    ret = confdb_get_int(kctx->rctx->cdb,

+                         CONFDB_KCM_CONF_ENTRY,

+                         CONFDB_SERVICE_FD_LIMIT,

+                         DEFAULT_KCM_FD_LIMIT,

+                         &kctx->fd_limit);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_FATAL_FAILURE,

+              "Failed to get file descriptors limit\n");

+        goto done;

+    }

+

+    ret = confdb_get_int(kctx->rctx->cdb,

+                         kctx->rctx->confdb_service_path,

+                         CONFDB_RESPONDER_CLI_IDLE_TIMEOUT,

+                         CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT,

+                         &kctx->rctx->client_idle_timeout);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE,

+              "Cannot get the client idle timeout [%d]: %s\n",

+               ret, strerror(ret));

+        goto done;

+    }

+

+    /* Ensure that the client timeout is at least ten seconds */

+    if (kctx->rctx->client_idle_timeout < 10) {

+        kctx->rctx->client_idle_timeout = 10;

+    }

+

+    ret = confdb_get_string(kctx->rctx->cdb,

+                            kctx->rctx,

+                            kctx->rctx->confdb_service_path,

+                            CONFDB_KCM_SOCKET,

+                            SSS_KCM_SOCKET_NAME,

+                            &sock_name);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE,

+              "Cannot get the client idle timeout [%d]: %s\n",

+               ret, strerror(ret));

+        goto done;

+    }

+    kctx->rctx->sock_name = sock_name;

+

+    ret = EOK;

+

+done:

+    return ret;

+}

+

+static int kcm_data_destructor(void *ptr)

+{

+    struct kcm_resp_ctx *kcm_data = talloc_get_type(ptr, struct kcm_resp_ctx);

+

+    if (kcm_data != NULL) {

+        krb5_free_context(kcm_data->k5c);

+    }

+    return 0;

+}

+

+static struct kcm_resp_ctx *kcm_data_setup(TALLOC_CTX *mem_ctx)

+{

+    struct kcm_resp_ctx *kcm_data;

+    krb5_error_code kret;

+

+    kcm_data = talloc_zero(mem_ctx, struct kcm_resp_ctx);

+    if (kcm_data == NULL) {

+        DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing kcm data\n");

+        return NULL;

+    }

+

+    kret = krb5_init_context(&kcm_data->k5c);

+    if (kret != EOK) {

+        talloc_free(kcm_data);

+        return NULL;

+    }

+    talloc_set_destructor((TALLOC_CTX*)kcm_data, kcm_data_destructor);

+

+    return kcm_data;

+}

+

+static int kcm_process_init(TALLOC_CTX *mem_ctx,

+                            struct tevent_context *ev,

+                            struct confdb_ctx *cdb)

+{

+    struct resp_ctx *rctx;

+    struct kcm_ctx *kctx;

+    int ret;

+

+    rctx = talloc_zero(mem_ctx, struct resp_ctx);

+    if (rctx == NULL) {

+        DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing resp_ctx\n");

+        return ENOMEM;

+    }

+    rctx->ev = ev;

+    rctx->cdb = cdb;

+    rctx->confdb_service_path = CONFDB_KCM_CONF_ENTRY;

+    rctx->shutting_down = false;

+    rctx->lfd = -1;

+    rctx->priv_lfd = -1;

+

+    talloc_set_destructor((TALLOC_CTX*)rctx, kcm_responder_ctx_destructor);

+

+    kctx = talloc_zero(rctx, struct kcm_ctx);

+    if (kctx == NULL) {

+        DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing kcm_ctx\n");

+        ret = ENOMEM;

+        goto fail;

+    }

+

+    kctx->rctx = rctx;

+    kctx->rctx->pvt_ctx = kctx;

+

+    ret = kcm_get_config(kctx);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_FATAL_FAILURE, "fatal error getting KCM config\n");

+        goto fail;

+    }

+

+    kctx->kcm_data = kcm_data_setup(kctx);

+    if (kctx->kcm_data == NULL) {

+        DEBUG(SSSDBG_FATAL_FAILURE,

+              "fatal error initializing responder data\n");

+        ret = EIO;

+        goto fail;

+    }

+

+    /* Set up file descriptor limits */

+    responder_set_fd_limit(kctx->fd_limit);

+

+    ret = activate_unix_sockets(rctx, kcm_connection_setup);

+    if (ret != EOK) goto fail;

+

+    DEBUG(SSSDBG_TRACE_FUNC, "KCM Initialization complete\n");

+

+    return EOK;

+

+fail:

+    talloc_free(rctx);

+    return ret;

+}

+

+int main(int argc, const char *argv[])

+{

+    int opt;

+    poptContext pc;

+    struct main_context *main_ctx;

+    int ret;

+    uid_t uid;

+    gid_t gid;

+

+    struct poptOption long_options[] = {

+        POPT_AUTOHELP

+        SSSD_MAIN_OPTS

+        SSSD_SERVER_OPTS(uid, gid)

+        POPT_TABLEEND

+    };

+

+    /* Set debug level to invalid value so we can deside if -d 0 was used. */

+    debug_level = SSSDBG_INVALID;

+

+    umask(DFL_RSP_UMASK);

+

+    pc = poptGetContext(argv[0], argc, argv, long_options, 0);

+    while((opt = poptGetNextOpt(pc)) != -1) {

+        switch(opt) {

+        default:

+            fprintf(stderr, "\nInvalid option %s: %s\n\n",

+                  poptBadOption(pc, 0), poptStrerror(opt));

+            poptPrintUsage(pc, stderr, 0);

+            return 1;

+        }

+    }

+

+    poptFreeContext(pc);

+

+    DEBUG_INIT(debug_level);

+

+    /* set up things like debug, signals, daemonization, etc... */

+    debug_log_file = "sssd_kcm";

+

+    ret = server_setup("sssd[kcm]", 0, uid, gid, CONFDB_KCM_CONF_ENTRY,

+                       &main_ctx);

+    if (ret != EOK) return 2;

+

+    ret = die_if_parent_died();

+    if (ret != EOK) {

+        /* This is not fatal, don't return */

+        DEBUG(SSSDBG_OP_FAILURE,

+              "Could not set up to exit when parent process does\n");

+    }

+

+    ret = kcm_process_init(main_ctx,

+                           main_ctx->event_ctx,

+                           main_ctx->confdb_ctx);

+    if (ret != EOK) return 3;

+

+    /* loop on main */

+    server_loop(main_ctx);

+

+    return 0;

+}

diff --git a/src/responder/kcm/kcm.h b/src/responder/kcm/kcm.h

new file mode 100644

index 0000000000000000000000000000000000000000..1ea7e9bbca754dca2eeb72a08830fa2f95713b4f

--- /dev/null

+++ b/src/responder/kcm/kcm.h

@@ -0,0 +1,97 @@

+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */

+/* include/kcm.h - Kerberos cache manager protocol declarations */

+/*

+ * Copyright (C) 2014 by the Massachusetts Institute of Technology.

+ * All rights reserved.

+ *

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ *

+ * * Redistributions of source code must retain the above copyright

+ *   notice, this list of conditions and the following disclaimer.

+ *

+ * * Redistributions in binary form must reproduce the above copyright

+ *   notice, this list of conditions and the following disclaimer in

+ *   the documentation and/or other materials provided with the

+ *   distribution.

+ *