>From dfd0c40db796db05d72bb94acd5fb2cf1eafe723 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 24 Sep 2014 16:10:41 +0200 Subject: [PATCH 1/3] UTIL: Always write capaths We used to only generate the [capaths] section on the IPA server itself, when running in a trusted setup. But we also found out that the capaths are often required to make SSO fully work, so it's better to always generate them. --- src/providers/ad/ad_subdomains.c | 2 +- src/providers/ipa/ipa_subdomains.c | 4 +-- src/util/domain_info_utils.c | 69 ++++++++++++++++++-------------------- src/util/util.h | 3 +- 4 files changed, 36 insertions(+), 42 deletions(-) diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index f7574d05d236ac89d401daae1f049531b56786cc..bc5bc8914ce84ecfbff69ff837250b5bf3a3515b 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c @@ -467,7 +467,7 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *ctx) return ret; } - ret = sss_write_domain_mappings(ctx->be_ctx->domain, false); + ret = sss_write_domain_mappings(ctx->be_ctx->domain); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "sss_krb5_write_mappings failed.\n"); /* Just continue */ diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c index 5245048466548475e48a619be52785bdb12295a0..d37f48e2be75a5b4a39e173f8c5e6b4892d6c8c4 100644 --- a/src/providers/ipa/ipa_subdomains.c +++ b/src/providers/ipa/ipa_subdomains.c @@ -282,9 +282,7 @@ ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx) return ret; } - ret = sss_write_domain_mappings(ctx->be_ctx->domain, - dp_opt_get_bool(ctx->id_ctx->ipa_options->basic, - IPA_SERVER_MODE)); + ret = sss_write_domain_mappings(ctx->be_ctx->domain); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "sss_krb5_write_mappings failed.\n"); diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c index 8933f52353abd63ce825e80b1cde2aad03ed7797..c5691b7efa963a452f6fc5ffa8308e1a297010bf 100644 
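Review bot: The failure branch after `sss_write_domain_mappings(ctx->be_ctx->domain)` in ad_subdom_reinit still logs `"sss_krb5_write_mappings failed.\n"`, which names a function other than the one called here. The same context lines appear in ipa_subdom_reinit in the next hunk. The commit message says the capaths are often required for SSO, and they are now written on every client, so I would change the message to `"sss_write_domain_mappings failed.\n"` and consider raising the level from SSSDBG_MINOR_FAILURE to SSSDBG_OP_FAILURE, so that a missing [capaths] section is easy to trace in the logs. Both function bodies continue outside their hunks.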
--- a/src/util/domain_info_utils.c +++ b/src/util/domain_info_utils.c @@ -364,7 +364,7 @@ sss_krb5_touch_config(void) } errno_t -sss_write_domain_mappings(struct sss_domain_info *domain, bool add_capaths) +sss_write_domain_mappings(struct sss_domain_info *domain) { struct sss_domain_info *dom; struct sss_domain_info *parent_dom; @@ -378,7 +378,7 @@ sss_write_domain_mappings(struct sss_domain_info *domain, bool add_capaths) mode_t old_mode; FILE *fstream = NULL; int i; - bool capaths_started; + bool capaths_started = false; char *uc_forest; char *uc_parent; 
@@ -466,48 +466,45 @@ sss_write_domain_mappings(struct sss_domain_info *domain, bool add_capaths) } } - if (add_capaths) { - capaths_started = false; - parent_dom = domain; - uc_parent = get_uppercase_realm(tmp_ctx, parent_dom->name); - if (uc_parent == NULL) { + parent_dom = domain; + uc_parent = get_uppercase_realm(tmp_ctx, parent_dom->name); + if (uc_parent == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "get_uppercase_realm failed.\n"); + ret = ENOMEM; + goto done; + } + + for (dom = get_next_domain(domain, true); + dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */ + dom = get_next_domain(dom, false)) { + + if (dom->forest == NULL) { + continue; + } + + uc_forest = get_uppercase_realm(tmp_ctx, dom->forest); + if (uc_forest == NULL) { DEBUG(SSSDBG_OP_FAILURE, "get_uppercase_realm failed.\n"); ret = ENOMEM; goto done; } - for (dom = get_next_domain(domain, true); - dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */ - dom = get_next_domain(dom, false)) { - - if (dom->forest == NULL) { - continue; - } - - uc_forest = get_uppercase_realm(tmp_ctx, dom->forest); - if (uc_forest == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "get_uppercase_realm failed.\n"); - ret = ENOMEM; - goto done; - } - - if (!capaths_started) { - ret = fprintf(fstream, "[capaths]\n"); - if (ret < 0) { - DEBUG(SSSDBG_OP_FAILURE, "fprintf failed\n"); - ret = EIO; - goto done; - } - capaths_started = true; - } - - ret = fprintf(fstream, "%s = {\n %s = %s\n}\n%s = {\n %s = %s\n}\n", - dom->realm, uc_parent, uc_forest, - uc_parent, dom->realm, uc_forest); + if (!capaths_started) { + ret = fprintf(fstream, "[capaths]\n"); if (ret < 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "fprintf failed\n"); + DEBUG(SSSDBG_OP_FAILURE, "fprintf failed\n"); + ret = EIO; goto done; } + capaths_started = true; + } + + ret = fprintf(fstream, "%s = {\n %s = %s\n}\n%s = {\n %s = %s\n}\n", + dom->realm, uc_parent, uc_forest, + uc_parent, dom->realm, uc_forest); + if (ret < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "fprintf 
failed\n"); + goto done; } } diff --git a/src/util/util.h b/src/util/util.h index d3b746be3cac7cc4051a218b8ae40c3784251d82..bd691a2138f2efa34487e9738f471cb014a33083 100644 --- a/src/util/util.h +++ b/src/util/util.h @@ -544,8 +544,7 @@ errno_t sssd_domain_init(TALLOC_CTX *mem_ctx, #define IS_SUBDOMAIN(dom) ((dom)->parent != NULL) -errno_t sss_write_domain_mappings(struct sss_domain_info *domain, - bool add_capaths); +errno_t sss_write_domain_mappings(struct sss_domain_info *domain); /* from util_lock.c */ errno_t sss_br_lock_file(int fd, size_t start, size_t len, -- 1.9.3
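Review bot: The last `fprintf` in the capaths loop jumps to `done` with `ret` still holding fprintf's negative return value, whereas the `[capaths]` header write just above sets `ret = EIO;` first. Adding `ret = EIO;` before that `goto done;` keeps the errno_t result meaningful. The loop also skips only `dom->forest == NULL`, yet `dom->realm` is passed to `%s` twice; if a subdomain can lack a realm (not visible in this hunk), the guard should read `if (dom->forest == NULL || dom->realm == NULL) { continue; }`. This block now runs on every client rather than only in IPA server mode, so it is also worth confirming that realm and forest names, which presumably come from the remote directory, cannot contain newlines or braces, since they are written verbatim into the generated [capaths] section. The function body starts and ends outside the hunk.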