From ce69c907f04214e16c07c5a05fb8dac12b271aba Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 17 Sep 2015 17:09:24 +0200
Subject: [PATCH 92/96] IPA: Change ipa_server_trust_add_send request to be
reusable from ID code
Required for:
https://fedorahosted.org/sssd/ticket/2639
Expose a request ipa_server_trusted_dom_setup_send that sets up a
trusted domain. The setup might include actions like retrieving a keytab
for one-way trusts.
Creating the AD ID context for the trusted domain is now done in the
caller of this new request.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 1ccfd8e2e5cf4cdb6807d9809c150b7f6ba3e0eb)
---
src/providers/ipa/ipa_subdomains.h | 11 +++
src/providers/ipa/ipa_subdomains_server.c | 122 ++++++++++++++++--------------
2 files changed, 75 insertions(+), 58 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h
index 2302c5f03e80de2ea1efad424769e777cd6dd8d5..0c13f8ed2eeda87237dfb097f532c7137095ddf1 100644
--- a/src/providers/ipa/ipa_subdomains.h
+++ b/src/providers/ipa/ipa_subdomains.h
@@ -52,6 +52,17 @@ struct ipa_ad_server_ctx {
struct ipa_ad_server_ctx *next, *prev;
};
+/* Can be used to set up trusted subdomain, for example fetch
+ * keytab in server mode
+ */
+struct tevent_req *
+ipa_server_trusted_dom_setup_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct ipa_id_ctx *id_ctx,
+ struct sss_domain_info *subdom);
+errno_t ipa_server_trusted_dom_setup_recv(struct tevent_req *req);
+
/* To be used by ipa_subdomains.c only */
struct tevent_req *
ipa_server_create_trusts_send(TALLOC_CTX *mem_ctx,
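Review bot: The comment above the new public prototype says what the request may do but not what its completion means, and that is the part a caller from the ID code needs: per the commit message and the new ipa_server_create_trusts_ctx in ipa_subdomains_server.c, a successful ipa_server_trusted_dom_setup_recv does not create or register an AD ID context for the subdomain. Suggest extending the header comment to `/* Prepares a trusted subdomain, e.g. fetches the keytab for a one-way trust in server mode. The request only sets up credentials; it does not create the AD ID context for the subdomain - the caller does that once _recv returns EOK. _recv only reports the error status. */`. The hunk shows only the declarations, so the behaviour described is taken from the .c hunks below and the commit message.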
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index dfecab1bc362b5772379bae6d51f9cef8443f225..c561118946e2ba76b2b4076e5057b1b5c0075a41 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -563,7 +563,7 @@ done:
return ret;
}
-struct ipa_server_trust_add_state {
+struct ipa_server_trusted_dom_setup_state {
struct tevent_context *ev;
struct be_ctx *be_ctx;
struct ipa_id_ctx *id_ctx;
@@ -578,22 +578,22 @@ struct ipa_server_trust_add_state {
const char *ccache;
};
-static errno_t ipa_server_trust_add_1way(struct tevent_req *req);
+static errno_t ipa_server_trusted_dom_setup_1way(struct tevent_req *req);
static void ipa_server_trust_1way_kt_done(struct tevent_req *subreq);
-static errno_t ipa_server_trust_add_step(struct tevent_req *req);
-static struct tevent_req *
-ipa_server_trust_add_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct be_ctx *be_ctx,
- struct ipa_id_ctx *id_ctx,
- struct sss_domain_info *subdom)
+struct tevent_req *
+ipa_server_trusted_dom_setup_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct ipa_id_ctx *id_ctx,
+ struct sss_domain_info *subdom)
{
struct tevent_req *req = NULL;
- struct ipa_server_trust_add_state *state = NULL;
+ struct ipa_server_trusted_dom_setup_state *state = NULL;
errno_t ret;
- req = tevent_req_create(mem_ctx, &state, struct ipa_server_trust_add_state);
+ req = tevent_req_create(mem_ctx, &state,
+ struct ipa_server_trusted_dom_setup_state);
if (req == NULL) {
return NULL;
}
@@ -626,16 +626,19 @@ ipa_server_trust_add_send(TALLOC_CTX *mem_ctx,
ipa_trust_dir2str(state->direction));
if (state->direction & LSA_TRUST_DIRECTION_OUTBOUND) {
- /* Use system keytab */
- ret = ipa_server_trust_add_step(req);
+ /* Use system keytab, nothing to do here */
+ ret = EOK;
+ goto immediate;
} else if (state->direction & LSA_TRUST_DIRECTION_INBOUND) {
/* Need special keytab */
- ret = ipa_server_trust_add_1way(req);
+ ret = ipa_server_trusted_dom_setup_1way(req);
if (ret == EAGAIN) {
/* In progress.. */
return req;
} else if (ret == EOK) {
- ret = ipa_server_trust_add_step(req);
+ /* Keytab available, shortcut */
+ ret = EOK;
+ goto immediate;
}
} else {
/* Even unset is an error at this point */
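Review bot: The `ret = EOK;` added in the `else if (ret == EOK)` branch is a no-op, since that branch is only entered when ret already equals EOK; keeping just `/* Keytab available, shortcut */` and `goto immediate;` reads as intended. The assignment in the OUTBOUND branch, by contrast, is needed, because ret is not otherwise set on that path. What `immediate:` does with ret is outside this hunk, so I am assuming it completes the request with tevent_req_done or tevent_req_error and posts it, as the old step-based code did; the end of ipa_server_trusted_dom_setup_send is also outside the hunk.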
@@ -658,12 +661,12 @@ immediate:
return req;
}
-static errno_t ipa_server_trust_add_1way(struct tevent_req *req)
+static errno_t ipa_server_trusted_dom_setup_1way(struct tevent_req *req)
{
errno_t ret;
struct tevent_req *subreq = NULL;
- struct ipa_server_trust_add_state *state =
- tevent_req_data(req, struct ipa_server_trust_add_state);
+ struct ipa_server_trusted_dom_setup_state *state =
+ tevent_req_data(req, struct ipa_server_trusted_dom_setup_state);
const char *hostname;
state->keytab = forest_keytab(state, state->forest);
@@ -715,8 +718,8 @@ static void ipa_server_trust_1way_kt_done(struct tevent_req *subreq)
errno_t ret;
struct tevent_req *req = tevent_req_callback_data(subreq,
struct tevent_req);
- struct ipa_server_trust_add_state *state =
- tevent_req_data(req, struct ipa_server_trust_add_state);
+ struct ipa_server_trusted_dom_setup_state *state =
+ tevent_req_data(req, struct ipa_server_trusted_dom_setup_state);
ret = ipa_getkeytab_recv(subreq, NULL);
talloc_zfree(subreq);
@@ -764,46 +767,12 @@ static void ipa_server_trust_1way_kt_done(struct tevent_req *subreq)
DEBUG(SSSDBG_TRACE_FUNC,
"Keytab %s contains the expected principals\n", state->new_keytab);
- ret = ipa_server_trust_add_step(req);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "ipa_server_trust_add_step failed: %d\n", ret);
- tevent_req_error(req, ret);
- return;
- }
-
DEBUG(SSSDBG_TRACE_FUNC,
"Established trust context for %s\n", state->subdom->name);
tevent_req_done(req);
}
-static errno_t ipa_server_trust_add_step(struct tevent_req *req)
-{
- struct ipa_ad_server_ctx *trust_ctx;
- struct ad_id_ctx *ad_id_ctx;
- errno_t ret;
- struct ipa_server_trust_add_state *state =
- tevent_req_data(req, struct ipa_server_trust_add_state);
-
- ret = ipa_ad_ctx_new(state->be_ctx, state->id_ctx, state->subdom, &ad_id_ctx);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Cannot create ad_id_ctx for subdomain %s\n", state->subdom->name);
- return ret;
- }
-
- trust_ctx = talloc(state->id_ctx->server_mode, struct ipa_ad_server_ctx);
- if (trust_ctx == NULL) {
- return ENOMEM;
- }
- trust_ctx->dom = state->subdom;
- trust_ctx->ad_id_ctx = ad_id_ctx;
-
- DLIST_ADD(state->id_ctx->server_mode->trusts, trust_ctx);
- return EOK;
-}
-
-static errno_t ipa_server_trust_add_recv(struct tevent_req *req)
+errno_t ipa_server_trusted_dom_setup_recv(struct tevent_req *req)
{
TEVENT_REQ_RETURN_ON_ERROR(req);
return EOK;
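Review bot: The trace message `"Established trust context for %s\n"` that remains at the end of ipa_server_trust_1way_kt_done is now inaccurate: with the ipa_server_trust_add_step call removed, this callback only confirms the fetched keytab, and the trust context (the ipa_ad_server_ctx entry) is created later by the caller. Suggest `"Keytab for trusted domain %s is ready\n"` or similar, so that a log reader does not take this line as confirmation that the domain is registered. The newly exported ipa_server_trusted_dom_setup_recv also has no comment at its definition; a single line such as `/* Reports only the error status of the setup request; no other result is returned */` would match the header. The start of the callback is outside the hunk.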
@@ -817,6 +786,7 @@ struct ipa_server_create_trusts_state {
};
static errno_t ipa_server_create_trusts_step(struct tevent_req *req);
+static errno_t ipa_server_create_trusts_ctx(struct tevent_req *req);
static void ipa_server_create_trusts_done(struct tevent_req *subreq);
struct tevent_req *
@@ -879,8 +849,11 @@ static errno_t ipa_server_create_trusts_step(struct tevent_req *req)
/* Newly detected trust */
if (trust_iter == NULL) {
- subreq = ipa_server_trust_add_send(state, state->ev, state->be_ctx,
- state->id_ctx, state->domiter);
+ subreq = ipa_server_trusted_dom_setup_send(state,
+ state->ev,
+ state->be_ctx,
+ state->id_ctx,
+ state->domiter);
if (subreq == NULL) {
return ENOMEM;
}
@@ -898,13 +871,19 @@ static void ipa_server_create_trusts_done(struct tevent_req *subreq)
struct tevent_req *req = tevent_req_callback_data(subreq,
struct tevent_req);
- ret = ipa_server_trust_add_recv(subreq);
+ ret = ipa_server_trusted_dom_setup_recv(subreq);
talloc_zfree(subreq);
if (ret != EOK) {
tevent_req_error(req, ret);
return;
}
+ ret = ipa_server_create_trusts_ctx(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
ret = ipa_server_create_trusts_step(req);
if (ret == EOK) {
tevent_req_done(req);
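Review bot: The new ipa_server_create_trusts_ctx failure path in ipa_server_create_trusts_done fails the request without any log line: the `DEBUG(SSSDBG_OP_FAILURE, ...)` that accompanied the old step call in the keytab callback was removed in this commit, and ipa_server_create_trusts_ctx itself only logs the ipa_ad_ctx_new failure, not the ENOMEM from talloc. A line before the error return keeps the failure visible in the trust-setup trace, in the style of the removed one: `DEBUG(SSSDBG_OP_FAILURE, "ipa_server_create_trusts_ctx failed: %d\n", ret);`. The start of ipa_server_create_trusts_done is outside the hunk.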
@@ -917,6 +896,33 @@ static void ipa_server_create_trusts_done(struct tevent_req *subreq)
/* Will cycle back */
}
+static errno_t ipa_server_create_trusts_ctx(struct tevent_req *req)
+{
+ struct ipa_ad_server_ctx *trust_ctx;
+ struct ad_id_ctx *ad_id_ctx;
+ errno_t ret;
+ struct ipa_server_create_trusts_state *state = NULL;
+
+ state = tevent_req_data(req, struct ipa_server_create_trusts_state);
+
+ ret = ipa_ad_ctx_new(state->be_ctx, state->id_ctx, state->domiter, &ad_id_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot create ad_id_ctx for subdomain %s\n", state->domiter->name);
+ return ret;
+ }
+
+ trust_ctx = talloc(state->id_ctx->server_mode, struct ipa_ad_server_ctx);
+ if (trust_ctx == NULL) {
+ return ENOMEM;
+ }
+ trust_ctx->dom = state->domiter;
+ trust_ctx->ad_id_ctx = ad_id_ctx;
+
+ DLIST_ADD(state->id_ctx->server_mode->trusts, trust_ctx);
+ return EOK;
+}
+
errno_t ipa_server_create_trusts_recv(struct tevent_req *req)
{
TEVENT_REQ_RETURN_ON_ERROR(req);
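Review bot: In ipa_server_create_trusts_ctx, when `talloc(state->id_ctx->server_mode, struct ipa_ad_server_ctx)` fails the ad_id_ctx just obtained from ipa_ad_ctx_new is abandoned: the function returns ENOMEM without releasing it and nothing else references it, so unless ipa_ad_ctx_new parents it on a context that is freed with the request (its allocation parent is not visible here) this path leaks a fully built AD ID context. If this function owns it, `talloc_free(ad_id_ctx);` before the `return ENOMEM;` closes that; otherwise a comment naming the owner would do. The helper also depends on state->domiter still naming the domain whose setup request just completed, which is only true because it runs from the completion callback before the iterator advances; a line above the function, `/* Register an AD ID context for the subdomain state->domiter currently points at; must run before the iterator moves on */`, would make that contract explicit, as the function currently has no comment.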
--
2.4.3