Imported Upstream version 4.7.2

This commit is contained in:
Mario Fetka
2021-08-09 20:54:00 +02:00
parent 3bfaa6e020
commit a791de49a2
2175 changed files with 1764288 additions and 331861 deletions


@@ -1,15 +1,11 @@
AUTOMAKE_OPTIONS = 1.7 subdir-objects
NULL =
KRB5_UTIL_DIR = ../../util
IPA_UTIL_DIR = ../../../util
KRB5_UTIL_SRCS = $(KRB5_UTIL_DIR)/ipa_krb5.c \
$(KRB5_UTIL_DIR)/ipa_pwd.c
AM_CPPFLAGS = \
-I. \
-I$(srcdir) \
-I$(KRB5_UTIL_DIR) \
-I$(IPA_UTIL_DIR) \
-I$(top_srcdir)/util \
-DPREFIX=\""$(prefix)"\" \
-DBINDIR=\""$(bindir)"\" \
-DLIBDIR=\""$(libdir)"\" \
@@ -22,6 +18,7 @@ AM_CPPFLAGS = \
$(WARN_CFLAGS) \
$(NDRPAC_CFLAGS) \
$(NSS_CFLAGS) \
$(SSSCERTMAP_CFLAGS) \
$(NULL)
plugindir = $(libdir)/krb5/plugins/kdb
@@ -31,17 +28,24 @@ plugin_LTLIBRARIES = \
ipadb_la_SOURCES = \
ipa_kdb.c \
ipa_kdb.h \
ipa_kdb_common.c \
ipa_kdb_mkey.c \
ipa_kdb_passwords.c \
ipa_kdb_principals.c \
ipa_kdb_pwdpolicy.c \
ipa_kdb_mspac.c \
ipa_kdb_mspac_private.h \
ipa_kdb_delegation.c \
ipa_kdb_audit_as.c \
$(KRB5_UTIL_SRCS) \
$(NULL)
dist_noinst_DATA = ipa_kdb.exports
if BUILD_IPA_CERTAUTH_PLUGIN
ipadb_la_SOURCES += ipa_kdb_certauth.c
endif
ipadb_la_LDFLAGS = \
-avoid-version \
-module \
@@ -53,9 +57,13 @@ ipadb_la_LIBADD = \
$(NDRPAC_LIBS) \
$(UNISTRING_LIBS) \
$(NSS_LIBS) \
$(SSSCERTMAP_LIBS) \
$(top_builddir)/util/libutil.la \
$(NULL)
if HAVE_CHECK
if HAVE_CMOCKA
TESTS_ENVIRONMENT = . $(srcdir)/tests/test_setup.sh;
dist_ipa_kdb_tests_SOURCES = tests/test_setup.sh
TESTS = ipa_kdb_tests
check_PROGRAMS = ipa_kdb_tests
endif
@@ -71,26 +79,30 @@ ipa_kdb_tests_SOURCES = \
ipa_kdb_mspac.c \
ipa_kdb_delegation.c \
ipa_kdb_audit_as.c \
$(KRB5_UTIL_SRCS) \
$(NULL)
ipa_kdb_tests_CFLAGS = $(CHECK_CFLAGS)
if BUILD_IPA_CERTAUTH_PLUGIN
ipa_kdb_tests_SOURCES += ipa_kdb_certauth.c
endif
ipa_kdb_tests_CFLAGS = $(CMOCKA_CFLAGS)
ipa_kdb_tests_LDADD = \
$(CHECK_LIBS) \
$(CMOCKA_LIBS) \
$(KRB5_LIBS) \
$(LDAP_LIBS) \
$(NDRPAC_LIBS) \
$(UNISTRING_LIBS) \
$(NSS_LIBS) \
$(SSSCERTMAP_LIBS) \
$(top_builddir)/util/libutil.la \
-lkdb5 \
-lsss_idmap \
$(NULL)
dist_noinst_DATA = ipa_kdb.exports
clean-local:
rm -f tests/.dirstamp
EXTRA_DIST = \
README \
README.s4u2proxy.txt \
$(NULL)
MAINTAINERCLEANFILES = \
*~ \
Makefile.in
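Review bot: The rewritten `ipa_kdb_tests_LDADD` list re-lists every library the plugin itself links (`KRB5_LIBS`, `LDAP_LIBS`, `NDRPAC_LIBS`, `UNISTRING_LIBS`, `NSS_LIBS`, `SSSCERTMAP_LIBS`, `libutil.la`) instead of reusing the plugin's own link line, which is why `$(SSSCERTMAP_LIBS)` and `$(top_builddir)/util/libutil.la` had to be added in two places in this commit and why the test binary's dependencies will drift from the plugin's again. Since the test compiles the same sources as `ipadb.la`, the list can collapse to `ipa_kdb_tests_LDADD = $(CMOCKA_LIBS) $(ipadb_la_LIBADD) -lkdb5 -lsss_idmap $(NULL)`, so a future library added for the plugin is picked up by the test automatically. The hard-coded `-lsss_idmap` is also the only library here not coming from configure; the regenerated Makefile.in shows `SSSIDMAP_LIBS = @SSSIDMAP_LIBS@` is already substituted, so `$(SSSIDMAP_LIBS)` would presumably work there too, though the configure check is not visible in this diff. The `ipa_kdb_tests_SOURCES` list this hunk edits begins above the hunk.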


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -16,7 +16,17 @@
VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -79,17 +89,25 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
@HAVE_CHECK_TRUE@TESTS = ipa_kdb_tests$(EXEEXT)
@HAVE_CHECK_TRUE@check_PROGRAMS = ipa_kdb_tests$(EXEEXT)
subdir = ipa-kdb
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/depcomp $(dist_noinst_DATA) \
$(top_srcdir)/test-driver README
@BUILD_IPA_CERTAUTH_PLUGIN_TRUE@am__append_1 = ipa_kdb_certauth.c
@HAVE_CMOCKA_TRUE@TESTS = ipa_kdb_tests$(EXEEXT)
@HAVE_CMOCKA_TRUE@check_PROGRAMS = ipa_kdb_tests$(EXEEXT)
@BUILD_IPA_CERTAUTH_PLUGIN_TRUE@am__append_2 = ipa_kdb_certauth.c
subdir = daemons/ipa-kdb
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/../version.m4 \
$(top_srcdir)/configure.ac
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/VERSION.m4 \
$(top_srcdir)/server.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(dist_noinst_DATA) \
$(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
@@ -126,9 +144,14 @@ LTLIBRARIES = $(plugin_LTLIBRARIES)
am__DEPENDENCIES_1 =
ipadb_la_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
am__objects_1 = ipa_krb5.lo ipa_pwd.lo
am__objects_2 =
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(top_builddir)/util/libutil.la $(am__DEPENDENCIES_1)
am__ipadb_la_SOURCES_DIST = ipa_kdb.c ipa_kdb.h ipa_kdb_common.c \
ipa_kdb_mkey.c ipa_kdb_passwords.c ipa_kdb_principals.c \
ipa_kdb_pwdpolicy.c ipa_kdb_mspac.c ipa_kdb_mspac_private.h \
ipa_kdb_delegation.c ipa_kdb_audit_as.c ipa_kdb_certauth.c
am__objects_1 =
@BUILD_IPA_CERTAUTH_PLUGIN_TRUE@am__objects_2 = ipa_kdb_certauth.lo
am_ipadb_la_OBJECTS = ipa_kdb.lo ipa_kdb_common.lo ipa_kdb_mkey.lo \
ipa_kdb_passwords.lo ipa_kdb_principals.lo \
ipa_kdb_pwdpolicy.lo ipa_kdb_mspac.lo ipa_kdb_delegation.lo \
@@ -141,9 +164,14 @@ am__v_lt_1 =
ipadb_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(ipadb_la_LDFLAGS) $(LDFLAGS) -o $@
am__objects_3 = ipa_kdb_tests-ipa_krb5.$(OBJEXT) \
ipa_kdb_tests-ipa_pwd.$(OBJEXT)
am_ipa_kdb_tests_OBJECTS = ipa_kdb_tests-ipa_kdb_tests.$(OBJEXT) \
am__ipa_kdb_tests_SOURCES_DIST = tests/ipa_kdb_tests.c ipa_kdb.c \
ipa_kdb_common.c ipa_kdb_mkey.c ipa_kdb_passwords.c \
ipa_kdb_principals.c ipa_kdb_pwdpolicy.c ipa_kdb_mspac.c \
ipa_kdb_delegation.c ipa_kdb_audit_as.c ipa_kdb_certauth.c
am__dirstamp = $(am__leading_dot)dirstamp
@BUILD_IPA_CERTAUTH_PLUGIN_TRUE@am__objects_3 = ipa_kdb_tests-ipa_kdb_certauth.$(OBJEXT)
am_ipa_kdb_tests_OBJECTS = \
tests/ipa_kdb_tests-ipa_kdb_tests.$(OBJEXT) \
ipa_kdb_tests-ipa_kdb.$(OBJEXT) \
ipa_kdb_tests-ipa_kdb_common.$(OBJEXT) \
ipa_kdb_tests-ipa_kdb_mkey.$(OBJEXT) \
@@ -152,13 +180,17 @@ am_ipa_kdb_tests_OBJECTS = ipa_kdb_tests-ipa_kdb_tests.$(OBJEXT) \
ipa_kdb_tests-ipa_kdb_pwdpolicy.$(OBJEXT) \
ipa_kdb_tests-ipa_kdb_mspac.$(OBJEXT) \
ipa_kdb_tests-ipa_kdb_delegation.$(OBJEXT) \
ipa_kdb_tests-ipa_kdb_audit_as.$(OBJEXT) $(am__objects_3) \
$(am__objects_2)
ipa_kdb_tests_OBJECTS = $(am_ipa_kdb_tests_OBJECTS)
ipa_kdb_tests-ipa_kdb_audit_as.$(OBJEXT) $(am__objects_1) \
$(am__objects_3)
am__dist_ipa_kdb_tests_SOURCES_DIST = tests/test_setup.sh
dist_ipa_kdb_tests_OBJECTS =
ipa_kdb_tests_OBJECTS = $(am_ipa_kdb_tests_OBJECTS) \
$(dist_ipa_kdb_tests_OBJECTS)
ipa_kdb_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(top_builddir)/util/libutil.la $(am__DEPENDENCIES_1)
ipa_kdb_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(ipa_kdb_tests_CFLAGS) \
$(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
@@ -176,7 +208,27 @@ am__v_at_0 = @
am__v_at_1 =
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
am__maybe_remake_depfiles = depfiles
am__depfiles_remade = ./$(DEPDIR)/ipa_kdb.Plo \
./$(DEPDIR)/ipa_kdb_audit_as.Plo \
./$(DEPDIR)/ipa_kdb_certauth.Plo \
./$(DEPDIR)/ipa_kdb_common.Plo \
./$(DEPDIR)/ipa_kdb_delegation.Plo \
./$(DEPDIR)/ipa_kdb_mkey.Plo ./$(DEPDIR)/ipa_kdb_mspac.Plo \
./$(DEPDIR)/ipa_kdb_passwords.Plo \
./$(DEPDIR)/ipa_kdb_principals.Plo \
./$(DEPDIR)/ipa_kdb_pwdpolicy.Plo \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_audit_as.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_common.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_delegation.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mkey.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mspac.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_passwords.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_principals.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_pwdpolicy.Po \
tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
@@ -196,8 +248,11 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
SOURCES = $(ipadb_la_SOURCES) $(ipa_kdb_tests_SOURCES)
DIST_SOURCES = $(ipadb_la_SOURCES) $(ipa_kdb_tests_SOURCES)
SOURCES = $(ipadb_la_SOURCES) $(ipa_kdb_tests_SOURCES) \
$(dist_ipa_kdb_tests_SOURCES)
DIST_SOURCES = $(am__ipadb_la_SOURCES_DIST) \
$(am__ipa_kdb_tests_SOURCES_DIST) \
$(am__dist_ipa_kdb_tests_SOURCES_DIST)
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
@@ -400,10 +455,13 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log)
TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \
$(TEST_LOG_FLAGS)
am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp \
$(top_srcdir)/test-driver README
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
API_VERSION = @API_VERSION@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
@@ -412,13 +470,15 @@ AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CHECK_CFLAGS = @CHECK_CFLAGS@
CHECK_LIBS = @CHECK_LIBS@
CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
CMOCKA_LIBS = @CMOCKA_LIBS@
CONFIG_STATUS = @CONFIG_STATUS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DIRSRV_CFLAGS = @DIRSRV_CFLAGS@
@@ -432,31 +492,61 @@ ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
INTLLIBS = @INTLLIBS@
INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
LIBOBJS = @LIBOBJS@
LIBPDB_NAME = @LIBPDB_NAME@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIBVERTO_CFLAGS = @LIBVERTO_CFLAGS@
LIBVERTO_LIBS = @LIBVERTO_LIBS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBICONV = @LTLIBICONV@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
MAINT = @MAINT@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MK_ASSIGN = @MK_ASSIGN@
MK_ELSE = @MK_ELSE@
MK_ENDIF = @MK_ENDIF@
MK_IFEQ = @MK_IFEQ@
MSGATTRIB = @MSGATTRIB@
MSGFMT = @MSGFMT@
MSGFMT_015 = @MSGFMT_015@
MSGMERGE = @MSGMERGE@
NAMED_GROUP = @NAMED_GROUP@
NDRNBT_CFLAGS = @NDRNBT_CFLAGS@
NDRNBT_LIBS = @NDRNBT_LIBS@
NDRPAC_CFLAGS = @NDRPAC_CFLAGS@
@@ -469,10 +559,10 @@ NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OPENLDAP_CFLAGS = @OPENLDAP_CFLAGS@
OPENLDAP_LIBS = @OPENLDAP_LIBS@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
@@ -486,8 +576,16 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
@@ -495,10 +593,13 @@ RANLIB = @RANLIB@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SSL_LIBS = @SSL_LIBS@
SSSCERTMAP_CFLAGS = @SSSCERTMAP_CFLAGS@
SSSCERTMAP_LIBS = @SSSCERTMAP_LIBS@
SSSIDMAP_CFLAGS = @SSSIDMAP_CFLAGS@
SSSIDMAP_LIBS = @SSSIDMAP_LIBS@
SSSNSSIDMAP_CFLAGS = @SSSNSSIDMAP_CFLAGS@
@@ -510,8 +611,16 @@ TEVENT_CFLAGS = @TEVENT_CFLAGS@
TEVENT_LIBS = @TEVENT_LIBS@
UNISTRING_LIBS = @UNISTRING_LIBS@
UNLINK = @UNLINK@
USE_NLS = @USE_NLS@
UUID_CFLAGS = @UUID_CFLAGS@
UUID_LIBS = @UUID_LIBS@
VENDOR_SUFFIX = @VENDOR_SUFFIX@
VERSION = @VERSION@
XGETTEXT = @XGETTEXT@
XGETTEXT_015 = @XGETTEXT_015@
XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
XMLRPC_CFLAGS = @XMLRPC_CFLAGS@
XMLRPC_LIBS = @XMLRPC_LIBS@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
@@ -542,6 +651,7 @@ host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
i18ntests = @i18ntests@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
@@ -565,22 +675,18 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
AUTOMAKE_OPTIONS = 1.7 subdir-objects
NULL =
KRB5_UTIL_DIR = ../../util
IPA_UTIL_DIR = ../../../util
KRB5_UTIL_SRCS = $(KRB5_UTIL_DIR)/ipa_krb5.c \
$(KRB5_UTIL_DIR)/ipa_pwd.c
AM_CPPFLAGS = \
-I. \
-I$(srcdir) \
-I$(KRB5_UTIL_DIR) \
-I$(IPA_UTIL_DIR) \
-I$(top_srcdir)/util \
-DPREFIX=\""$(prefix)"\" \
-DBINDIR=\""$(bindir)"\" \
-DLIBDIR=\""$(libdir)"\" \
@@ -593,6 +699,7 @@ AM_CPPFLAGS = \
$(WARN_CFLAGS) \
$(NDRPAC_CFLAGS) \
$(NSS_CFLAGS) \
$(SSSCERTMAP_CFLAGS) \
$(NULL)
plugindir = $(libdir)/krb5/plugins/kdb
@@ -600,19 +707,11 @@ plugin_LTLIBRARIES = \
ipadb.la \
$(NULL)
ipadb_la_SOURCES = \
ipa_kdb.c \
ipa_kdb_common.c \
ipa_kdb_mkey.c \
ipa_kdb_passwords.c \
ipa_kdb_principals.c \
ipa_kdb_pwdpolicy.c \
ipa_kdb_mspac.c \
ipa_kdb_delegation.c \
ipa_kdb_audit_as.c \
$(KRB5_UTIL_SRCS) \
$(NULL)
ipadb_la_SOURCES = ipa_kdb.c ipa_kdb.h ipa_kdb_common.c ipa_kdb_mkey.c \
ipa_kdb_passwords.c ipa_kdb_principals.c ipa_kdb_pwdpolicy.c \
ipa_kdb_mspac.c ipa_kdb_mspac_private.h ipa_kdb_delegation.c \
ipa_kdb_audit_as.c $(NULL) $(am__append_1)
dist_noinst_DATA = ipa_kdb.exports
ipadb_la_LDFLAGS = \
-avoid-version \
-module \
@@ -624,48 +723,41 @@ ipadb_la_LIBADD = \
$(NDRPAC_LIBS) \
$(UNISTRING_LIBS) \
$(NSS_LIBS) \
$(SSSCERTMAP_LIBS) \
$(top_builddir)/util/libutil.la \
$(NULL)
ipa_kdb_tests_SOURCES = \
tests/ipa_kdb_tests.c \
ipa_kdb.c \
ipa_kdb_common.c \
ipa_kdb_mkey.c \
ipa_kdb_passwords.c \
ipa_kdb_principals.c \
ipa_kdb_pwdpolicy.c \
ipa_kdb_mspac.c \
ipa_kdb_delegation.c \
ipa_kdb_audit_as.c \
$(KRB5_UTIL_SRCS) \
$(NULL)
ipa_kdb_tests_CFLAGS = $(CHECK_CFLAGS)
@HAVE_CMOCKA_TRUE@TESTS_ENVIRONMENT = . $(srcdir)/tests/test_setup.sh;
@HAVE_CMOCKA_TRUE@dist_ipa_kdb_tests_SOURCES = tests/test_setup.sh
ipa_kdb_tests_SOURCES = tests/ipa_kdb_tests.c ipa_kdb.c \
ipa_kdb_common.c ipa_kdb_mkey.c ipa_kdb_passwords.c \
ipa_kdb_principals.c ipa_kdb_pwdpolicy.c ipa_kdb_mspac.c \
ipa_kdb_delegation.c ipa_kdb_audit_as.c $(NULL) \
$(am__append_2)
ipa_kdb_tests_CFLAGS = $(CMOCKA_CFLAGS)
ipa_kdb_tests_LDADD = \
$(CHECK_LIBS) \
$(CMOCKA_LIBS) \
$(KRB5_LIBS) \
$(LDAP_LIBS) \
$(NDRPAC_LIBS) \
$(UNISTRING_LIBS) \
$(NSS_LIBS) \
$(SSSCERTMAP_LIBS) \
$(top_builddir)/util/libutil.la \
-lkdb5 \
-lsss_idmap \
$(NULL)
dist_noinst_DATA = ipa_kdb.exports
EXTRA_DIST = \
README \
README.s4u2proxy.txt \
$(NULL)
MAINTAINERCLEANFILES = \
*~ \
Makefile.in
all: all-am
.SUFFIXES:
.SUFFIXES: .c .lo .log .o .obj .test .test$(EXEEXT) .trs
$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps)
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
@@ -674,28 +766,36 @@ $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__confi
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign ipa-kdb/Makefile'; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign daemons/ipa-kdb/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign ipa-kdb/Makefile
.PRECIOUS: Makefile
$(AUTOMAKE) --foreign daemons/ipa-kdb/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
$(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
clean-checkPROGRAMS:
@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
echo " rm -f" $$list; \
rm -f $$list || exit $$?; \
test -n "$(EXEEXT)" || exit 0; \
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
@$(NORMAL_INSTALL)
@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
@@ -733,15 +833,14 @@ clean-pluginLTLIBRARIES:
ipadb.la: $(ipadb_la_OBJECTS) $(ipadb_la_DEPENDENCIES) $(EXTRA_ipadb_la_DEPENDENCIES)
$(AM_V_CCLD)$(ipadb_la_LINK) -rpath $(plugindir) $(ipadb_la_OBJECTS) $(ipadb_la_LIBADD) $(LIBS)
clean-checkPROGRAMS:
@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
echo " rm -f" $$list; \
rm -f $$list || exit $$?; \
test -n "$(EXEEXT)" || exit 0; \
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
tests/$(am__dirstamp):
@$(MKDIR_P) tests
@: > tests/$(am__dirstamp)
tests/$(DEPDIR)/$(am__dirstamp):
@$(MKDIR_P) tests/$(DEPDIR)
@: > tests/$(DEPDIR)/$(am__dirstamp)
tests/ipa_kdb_tests-ipa_kdb_tests.$(OBJEXT): tests/$(am__dirstamp) \
tests/$(DEPDIR)/$(am__dirstamp)
ipa_kdb_tests$(EXEEXT): $(ipa_kdb_tests_OBJECTS) $(ipa_kdb_tests_DEPENDENCIES) $(EXTRA_ipa_kdb_tests_DEPENDENCIES)
@rm -f ipa_kdb_tests$(EXEEXT)
@@ -749,82 +848,76 @@ ipa_kdb_tests$(EXEEXT): $(ipa_kdb_tests_OBJECTS) $(ipa_kdb_tests_DEPENDENCIES) $
mostlyclean-compile:
-rm -f *.$(OBJEXT)
-rm -f tests/*.$(OBJEXT)
distclean-compile:
-rm -f *.tab.c
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_audit_as.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_common.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_delegation.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_mkey.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_mspac.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_passwords.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_principals.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_pwdpolicy.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_audit_as.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_common.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_delegation.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mkey.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mspac.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_passwords.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_principals.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_pwdpolicy.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_krb5.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_pwd.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_krb5.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_pwd.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_audit_as.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_certauth.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_common.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_delegation.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_mkey.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_mspac.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_passwords.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_principals.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_pwdpolicy.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_audit_as.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_common.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_delegation.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mkey.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mspac.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_passwords.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_principals.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_pwdpolicy.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po@am__quote@ # am--include-marker
$(am__depfiles_remade):
@$(MKDIR_P) $(@D)
@echo '# dummy' >$@-t && $(am__mv) $@-t $@
am--depfiles: $(am__depfiles_remade)
.c.o:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
ipa_krb5.lo: $(KRB5_UTIL_DIR)/ipa_krb5.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ipa_krb5.lo -MD -MP -MF $(DEPDIR)/ipa_krb5.Tpo -c -o ipa_krb5.lo `test -f '$(KRB5_UTIL_DIR)/ipa_krb5.c' || echo '$(srcdir)/'`$(KRB5_UTIL_DIR)/ipa_krb5.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_krb5.Tpo $(DEPDIR)/ipa_krb5.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(KRB5_UTIL_DIR)/ipa_krb5.c' object='ipa_krb5.lo' libtool=yes @AMDEPBACKSLASH@
tests/ipa_kdb_tests-ipa_kdb_tests.o: tests/ipa_kdb_tests.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -MT tests/ipa_kdb_tests-ipa_kdb_tests.o -MD -MP -MF tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Tpo -c -o tests/ipa_kdb_tests-ipa_kdb_tests.o `test -f 'tests/ipa_kdb_tests.c' || echo '$(srcdir)/'`tests/ipa_kdb_tests.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Tpo tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests/ipa_kdb_tests.c' object='tests/ipa_kdb_tests-ipa_kdb_tests.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ipa_krb5.lo `test -f '$(KRB5_UTIL_DIR)/ipa_krb5.c' || echo '$(srcdir)/'`$(KRB5_UTIL_DIR)/ipa_krb5.c
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -c -o tests/ipa_kdb_tests-ipa_kdb_tests.o `test -f 'tests/ipa_kdb_tests.c' || echo '$(srcdir)/'`tests/ipa_kdb_tests.c
ipa_pwd.lo: $(KRB5_UTIL_DIR)/ipa_pwd.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ipa_pwd.lo -MD -MP -MF $(DEPDIR)/ipa_pwd.Tpo -c -o ipa_pwd.lo `test -f '$(KRB5_UTIL_DIR)/ipa_pwd.c' || echo '$(srcdir)/'`$(KRB5_UTIL_DIR)/ipa_pwd.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_pwd.Tpo $(DEPDIR)/ipa_pwd.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(KRB5_UTIL_DIR)/ipa_pwd.c' object='ipa_pwd.lo' libtool=yes @AMDEPBACKSLASH@
tests/ipa_kdb_tests-ipa_kdb_tests.obj: tests/ipa_kdb_tests.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -MT tests/ipa_kdb_tests-ipa_kdb_tests.obj -MD -MP -MF tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Tpo -c -o tests/ipa_kdb_tests-ipa_kdb_tests.obj `if test -f 'tests/ipa_kdb_tests.c'; then $(CYGPATH_W) 'tests/ipa_kdb_tests.c'; else $(CYGPATH_W) '$(srcdir)/tests/ipa_kdb_tests.c'; fi`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Tpo tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests/ipa_kdb_tests.c' object='tests/ipa_kdb_tests-ipa_kdb_tests.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ipa_pwd.lo `test -f '$(KRB5_UTIL_DIR)/ipa_pwd.c' || echo '$(srcdir)/'`$(KRB5_UTIL_DIR)/ipa_pwd.c
ipa_kdb_tests-ipa_kdb_tests.o: tests/ipa_kdb_tests.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -MT ipa_kdb_tests-ipa_kdb_tests.o -MD -MP -MF $(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Tpo -c -o ipa_kdb_tests-ipa_kdb_tests.o `test -f 'tests/ipa_kdb_tests.c' || echo '$(srcdir)/'`tests/ipa_kdb_tests.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Tpo $(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests/ipa_kdb_tests.c' object='ipa_kdb_tests-ipa_kdb_tests.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -c -o ipa_kdb_tests-ipa_kdb_tests.o `test -f 'tests/ipa_kdb_tests.c' || echo '$(srcdir)/'`tests/ipa_kdb_tests.c
ipa_kdb_tests-ipa_kdb_tests.obj: tests/ipa_kdb_tests.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -MT ipa_kdb_tests-ipa_kdb_tests.obj -MD -MP -MF $(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Tpo -c -o ipa_kdb_tests-ipa_kdb_tests.obj `if test -f 'tests/ipa_kdb_tests.c'; then $(CYGPATH_W) 'tests/ipa_kdb_tests.c'; else $(CYGPATH_W) '$(srcdir)/tests/ipa_kdb_tests.c'; fi`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Tpo $(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests/ipa_kdb_tests.c' object='ipa_kdb_tests-ipa_kdb_tests.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -c -o ipa_kdb_tests-ipa_kdb_tests.obj `if test -f 'tests/ipa_kdb_tests.c'; then $(CYGPATH_W) 'tests/ipa_kdb_tests.c'; else $(CYGPATH_W) '$(srcdir)/tests/ipa_kdb_tests.c'; fi`
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -c -o tests/ipa_kdb_tests-ipa_kdb_tests.obj `if test -f 'tests/ipa_kdb_tests.c'; then $(CYGPATH_W) 'tests/ipa_kdb_tests.c'; else $(CYGPATH_W) '$(srcdir)/tests/ipa_kdb_tests.c'; fi`
ipa_kdb_tests-ipa_kdb.o: ipa_kdb.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -MT ipa_kdb_tests-ipa_kdb.o -MD -MP -MF $(DEPDIR)/ipa_kdb_tests-ipa_kdb.Tpo -c -o ipa_kdb_tests-ipa_kdb.o `test -f 'ipa_kdb.c' || echo '$(srcdir)/'`ipa_kdb.c
@@ -952,33 +1045,19 @@ ipa_kdb_tests-ipa_kdb_audit_as.obj: ipa_kdb_audit_as.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -c -o ipa_kdb_tests-ipa_kdb_audit_as.obj `if test -f 'ipa_kdb_audit_as.c'; then $(CYGPATH_W) 'ipa_kdb_audit_as.c'; else $(CYGPATH_W) '$(srcdir)/ipa_kdb_audit_as.c'; fi`
ipa_kdb_tests-ipa_krb5.o: $(KRB5_UTIL_DIR)/ipa_krb5.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -MT ipa_kdb_tests-ipa_krb5.o -MD -MP -MF $(DEPDIR)/ipa_kdb_tests-ipa_krb5.Tpo -c -o ipa_kdb_tests-ipa_krb5.o `test -f '$(KRB5_UTIL_DIR)/ipa_krb5.c' || echo '$(srcdir)/'`$(KRB5_UTIL_DIR)/ipa_krb5.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_kdb_tests-ipa_krb5.Tpo $(DEPDIR)/ipa_kdb_tests-ipa_krb5.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(KRB5_UTIL_DIR)/ipa_krb5.c' object='ipa_kdb_tests-ipa_krb5.o' libtool=no @AMDEPBACKSLASH@
ipa_kdb_tests-ipa_kdb_certauth.o: ipa_kdb_certauth.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -MT ipa_kdb_tests-ipa_kdb_certauth.o -MD -MP -MF $(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Tpo -c -o ipa_kdb_tests-ipa_kdb_certauth.o `test -f 'ipa_kdb_certauth.c' || echo '$(srcdir)/'`ipa_kdb_certauth.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Tpo $(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipa_kdb_certauth.c' object='ipa_kdb_tests-ipa_kdb_certauth.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -c -o ipa_kdb_tests-ipa_krb5.o `test -f '$(KRB5_UTIL_DIR)/ipa_krb5.c' || echo '$(srcdir)/'`$(KRB5_UTIL_DIR)/ipa_krb5.c
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -c -o ipa_kdb_tests-ipa_kdb_certauth.o `test -f 'ipa_kdb_certauth.c' || echo '$(srcdir)/'`ipa_kdb_certauth.c
ipa_kdb_tests-ipa_krb5.obj: $(KRB5_UTIL_DIR)/ipa_krb5.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -MT ipa_kdb_tests-ipa_krb5.obj -MD -MP -MF $(DEPDIR)/ipa_kdb_tests-ipa_krb5.Tpo -c -o ipa_kdb_tests-ipa_krb5.obj `if test -f '$(KRB5_UTIL_DIR)/ipa_krb5.c'; then $(CYGPATH_W) '$(KRB5_UTIL_DIR)/ipa_krb5.c'; else $(CYGPATH_W) '$(srcdir)/$(KRB5_UTIL_DIR)/ipa_krb5.c'; fi`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_kdb_tests-ipa_krb5.Tpo $(DEPDIR)/ipa_kdb_tests-ipa_krb5.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(KRB5_UTIL_DIR)/ipa_krb5.c' object='ipa_kdb_tests-ipa_krb5.obj' libtool=no @AMDEPBACKSLASH@
ipa_kdb_tests-ipa_kdb_certauth.obj: ipa_kdb_certauth.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -MT ipa_kdb_tests-ipa_kdb_certauth.obj -MD -MP -MF $(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Tpo -c -o ipa_kdb_tests-ipa_kdb_certauth.obj `if test -f 'ipa_kdb_certauth.c'; then $(CYGPATH_W) 'ipa_kdb_certauth.c'; else $(CYGPATH_W) '$(srcdir)/ipa_kdb_certauth.c'; fi`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Tpo $(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipa_kdb_certauth.c' object='ipa_kdb_tests-ipa_kdb_certauth.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -c -o ipa_kdb_tests-ipa_krb5.obj `if test -f '$(KRB5_UTIL_DIR)/ipa_krb5.c'; then $(CYGPATH_W) '$(KRB5_UTIL_DIR)/ipa_krb5.c'; else $(CYGPATH_W) '$(srcdir)/$(KRB5_UTIL_DIR)/ipa_krb5.c'; fi`
ipa_kdb_tests-ipa_pwd.o: $(KRB5_UTIL_DIR)/ipa_pwd.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -MT ipa_kdb_tests-ipa_pwd.o -MD -MP -MF $(DEPDIR)/ipa_kdb_tests-ipa_pwd.Tpo -c -o ipa_kdb_tests-ipa_pwd.o `test -f '$(KRB5_UTIL_DIR)/ipa_pwd.c' || echo '$(srcdir)/'`$(KRB5_UTIL_DIR)/ipa_pwd.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_kdb_tests-ipa_pwd.Tpo $(DEPDIR)/ipa_kdb_tests-ipa_pwd.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(KRB5_UTIL_DIR)/ipa_pwd.c' object='ipa_kdb_tests-ipa_pwd.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -c -o ipa_kdb_tests-ipa_pwd.o `test -f '$(KRB5_UTIL_DIR)/ipa_pwd.c' || echo '$(srcdir)/'`$(KRB5_UTIL_DIR)/ipa_pwd.c
ipa_kdb_tests-ipa_pwd.obj: $(KRB5_UTIL_DIR)/ipa_pwd.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -MT ipa_kdb_tests-ipa_pwd.obj -MD -MP -MF $(DEPDIR)/ipa_kdb_tests-ipa_pwd.Tpo -c -o ipa_kdb_tests-ipa_pwd.obj `if test -f '$(KRB5_UTIL_DIR)/ipa_pwd.c'; then $(CYGPATH_W) '$(KRB5_UTIL_DIR)/ipa_pwd.c'; else $(CYGPATH_W) '$(srcdir)/$(KRB5_UTIL_DIR)/ipa_pwd.c'; fi`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_kdb_tests-ipa_pwd.Tpo $(DEPDIR)/ipa_kdb_tests-ipa_pwd.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(KRB5_UTIL_DIR)/ipa_pwd.c' object='ipa_kdb_tests-ipa_pwd.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -c -o ipa_kdb_tests-ipa_pwd.obj `if test -f '$(KRB5_UTIL_DIR)/ipa_pwd.c'; then $(CYGPATH_W) '$(KRB5_UTIL_DIR)/ipa_pwd.c'; else $(CYGPATH_W) '$(srcdir)/$(KRB5_UTIL_DIR)/ipa_pwd.c'; fi`
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -c -o ipa_kdb_tests-ipa_kdb_certauth.obj `if test -f 'ipa_kdb_certauth.c'; then $(CYGPATH_W) 'ipa_kdb_certauth.c'; else $(CYGPATH_W) '$(srcdir)/ipa_kdb_certauth.c'; fi`
mostlyclean-libtool:
-rm -f *.lo
@@ -1068,7 +1147,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
if test -n "$$am__remaking_logs"; then \
echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \
"recursion detected" >&2; \
else \
elif test -n "$$redo_logs"; then \
am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \
fi; \
if $(am__make_dryrun); then :; else \
@@ -1158,7 +1237,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
fi; \
$$success || exit 1
check-TESTS:
check-TESTS: $(check_PROGRAMS)
@list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list
@list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list
@test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
@@ -1201,7 +1280,10 @@ ipa_kdb_tests.log: ipa_kdb_tests$(EXEEXT)
@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT)
distdir: $(DISTFILES)
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
@@ -1269,18 +1351,39 @@ clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-rm -f tests/$(DEPDIR)/$(am__dirstamp)
-rm -f tests/$(am__dirstamp)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
-test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
clean: clean-am
clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
clean-am: clean-checkPROGRAMS clean-generic clean-libtool clean-local \
clean-pluginLTLIBRARIES mostlyclean-am
distclean: distclean-am
-rm -rf ./$(DEPDIR)
-rm -f ./$(DEPDIR)/ipa_kdb.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_audit_as.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_certauth.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_common.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_delegation.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_mkey.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_mspac.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_passwords.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_principals.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_pwdpolicy.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_audit_as.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_common.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_delegation.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mkey.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mspac.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_passwords.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_principals.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_pwdpolicy.Po
-rm -f tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
@@ -1326,7 +1429,27 @@ install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -rf ./$(DEPDIR)
-rm -f ./$(DEPDIR)/ipa_kdb.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_audit_as.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_certauth.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_common.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_delegation.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_mkey.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_mspac.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_passwords.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_principals.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_pwdpolicy.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_audit_as.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_common.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_delegation.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mkey.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mspac.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_passwords.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_principals.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_pwdpolicy.Po
-rm -f tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
@@ -1347,22 +1470,27 @@ uninstall-am: uninstall-pluginLTLIBRARIES
.MAKE: check-am install-am install-strip
.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
clean-checkPROGRAMS clean-generic clean-libtool \
clean-pluginLTLIBRARIES cscopelist-am ctags ctags-am distclean \
distclean-compile distclean-generic distclean-libtool \
distclean-tags distdir dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-pdf install-pdf-am install-pluginLTLIBRARIES \
install-ps install-ps-am install-strip installcheck \
installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-compile \
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
recheck tags tags-am uninstall uninstall-am \
uninstall-pluginLTLIBRARIES
.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \
check-am clean clean-checkPROGRAMS clean-generic clean-libtool \
clean-local clean-pluginLTLIBRARIES cscopelist-am ctags \
ctags-am distclean distclean-compile distclean-generic \
distclean-libtool distclean-tags distdir dvi dvi-am html \
html-am info info-am install install-am install-data \
install-data-am install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-pdf install-pdf-am \
install-pluginLTLIBRARIES install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
pdf pdf-am ps ps-am recheck tags tags-am uninstall \
uninstall-am uninstall-pluginLTLIBRARIES
.PRECIOUS: Makefile
clean-local:
rm -f tests/.dirstamp
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.


@@ -31,7 +31,7 @@ principals that are being considered proxies[1]. That is: the
principals of the services that want to impersonate client principals
against other services.
The ipaAllowedToImpersonate must point to a groupOfPrincipal based
The ipaAllowToImpersonate must point to a groupOfPrincipal based
object that contains the list of client principals (normally these are
user principals) that can be impersonated by this service.
If the attribute is missing than the service is allowed to impersonate
@@ -46,7 +46,7 @@ order to allow a service to access it impersonating another principal.
At the moment no wildcarding is implemented so services have to be
explicitly listed in their respective groups.
I have some idea of adding wildcard support at least for the
ipaAllowedToImpersonate group in order to separate user principals by
ipaAllowToImpersonate group in order to separate user principals by
REALM. So you can say all users of REALM1 can be impersonated by this
service but no users of REALM2.
@@ -94,6 +94,15 @@ This is done with:
kdamin.local
modprinc +ok_to_auth_as_delegate HTTP/ipaserver.example.com
NOTE: Do not grant +ok_to_auth_as_delegate in production without
carefully considering the outcome. This flags grants a service the
ability to impersonate any user to itself, which, combined with the
permission to proxy, means it will be allowed to impersonate any user
to the target service w/o any explicit user permission/delegation.
This flag is *NOT* necessary to permit proxying, it is used in this
example only because the kvno utility is hardwired to test both s4u2self
and s4u2proxy at the same time and would fail to operate without it.
Then run kvno as follows:
# Init credntials as HTTP
@@ -110,6 +119,9 @@ ldap/ipaserver.example.com
If this works it means you successfully impersonated the admin user with
the HTTP service against the ldap service.
Cleanup by removing the self-impersonation flag:
modprinc -ok_to_auth_as_delegate HTTP/ipaserver.example.com
Simo.


@@ -50,12 +50,14 @@ static void ipadb_context_free(krb5_context kcontext,
free((*ctx)->uri);
free((*ctx)->base);
free((*ctx)->realm_base);
free((*ctx)->accounts_base);
free((*ctx)->kdc_hostname);
/* ldap free lcontext */
if ((*ctx)->lcontext) {
ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL);
}
free((*ctx)->supp_encs);
free((*ctx)->def_encs);
ipadb_mspac_struct_free(&(*ctx)->mspac);
krb5_free_default_realm(kcontext, (*ctx)->realm);
@@ -65,6 +67,10 @@ static void ipadb_context_free(krb5_context kcontext,
}
free(cfg->authz_data);
#ifdef HAVE_KRB5_CERTAUTH_PLUGIN
ipa_certauth_free_moddata(&((*ctx)->certauth_moddata));
#endif
free(*ctx);
*ctx = NULL;
}
@@ -104,7 +110,7 @@ static char *ipadb_realm_to_ldapi_uri(char *realm)
/* copy path and escape '/' to '%2f' */
for (q = LDAPIDIR; *q; q++) {
if (*q == '/') {
strncpy(p, "%2f", 3);
memcpy(p, "%2f", 3);
p += 3;
} else {
*p = *q;
@@ -224,6 +230,10 @@ static int ipadb_load_global_config(struct ipadb_context *ipactx)
int ret;
char **authz_data_list;
if (!ipactx || !ipactx->lcontext) {
return EINVAL;
}
ret = asprintf(&base, "cn=ipaConfig,cn=etc,%s", ipactx->base);
if (ret == -1) {
ret = ENOMEM;
@@ -256,12 +266,13 @@ static int ipadb_load_global_config(struct ipadb_context *ipactx)
vals[i]->bv_val, vals[i]->bv_len) == 0) {
ipactx->config.disable_last_success = true;
continue;
}
if (strncasecmp("KDC:Disable Lockout",
vals[i]->bv_val, vals[i]->bv_len) == 0) {
} else if (strncasecmp("KDC:Disable Lockout",
vals[i]->bv_val, vals[i]->bv_len) == 0) {
ipactx->config.disable_lockout = true;
continue;
} else if (strncasecmp("KDC:Disable Default Preauth for SPNs",
vals[i]->bv_val, vals[i]->bv_len) == 0) {
ipactx->config.disable_preauth_for_spns = true;
}
}
}
@@ -295,27 +306,85 @@ const struct ipadb_global_config *
ipadb_get_global_config(struct ipadb_context *ipactx)
{
time_t now = 0;
int ret;
if (time(&now) != (time_t)-1
&& now - ipactx->config.last_update > IPADB_GLOBAL_CONFIG_CACHE_TIME)
ipadb_load_global_config(ipactx);
if (time(&now) != (time_t)-1 &&
now - ipactx->config.last_update > IPADB_GLOBAL_CONFIG_CACHE_TIME) {
if (!ipactx->lcontext) {
ret = ipadb_get_connection(ipactx);
if (ret != 0)
return NULL;
}
ret = ipadb_load_global_config(ipactx);
if (ret != 0)
return NULL;
}
return &ipactx->config;
}
int ipadb_get_connection(struct ipadb_context *ipactx)
int ipadb_get_enc_salt_types(struct ipadb_context *ipactx,
LDAPMessage *entry, char *attr,
krb5_key_salt_tuple **enc_salt_types,
int *n_enc_salt_types)
{
struct berval **vals = NULL;
char **cvals = NULL;
int c = 0;
int i;
int ret = 0;
krb5_key_salt_tuple *kst;
int n_kst;
vals = ldap_get_values_len(ipactx->lcontext, entry, attr);
if (!vals || !vals[0]) {
goto done;
}
for (c = 0; vals[c]; c++) /* count */ ;
cvals = calloc(c, sizeof(char *));
if (!cvals) {
ret = ENOMEM;
goto done;
}
for (i = 0; i < c; i++) {
cvals[i] = strndup(vals[i]->bv_val, vals[i]->bv_len);
if (!cvals[i]) {
ret = ENOMEM;
goto done;
}
}
ret = parse_bval_key_salt_tuples(ipactx->kcontext,
(const char * const *)cvals, c,
&kst, &n_kst);
if (ret) {
goto done;
}
if (*enc_salt_types) {
free(*enc_salt_types);
}
*enc_salt_types = kst;
*n_enc_salt_types = n_kst;
done:
ldap_value_free_len(vals);
for (i = 0; i < c && cvals[i]; i++) {
free(cvals[i]);
}
free(cvals);
return ret;
}
int ipadb_get_connection(struct ipadb_context *ipactx)
{
struct timeval tv = { 5, 0 };
LDAPMessage *res = NULL;
LDAPMessage *first;
krb5_key_salt_tuple *kst;
int n_kst;
int ret;
int v3;
int i;
char **cvals = NULL;
int c = 0;
if (!ipactx->uri) {
return EINVAL;
@@ -370,38 +439,21 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
goto done;
}
vals = ldap_get_values_len(ipactx->lcontext, first,
"krbSupportedEncSaltTypes");
if (!vals || !vals[0]) {
goto done;
}
for (c = 0; vals[c]; c++) /* count */ ;
cvals = calloc(c, sizeof(char *));
if (!cvals) {
ret = ENOMEM;
goto done;
}
for (i = 0; i < c; i++) {
cvals[i] = strndup(vals[i]->bv_val, vals[i]->bv_len);
if (!cvals[i]) {
ret = ENOMEM;
goto done;
}
}
ret = parse_bval_key_salt_tuples(ipactx->kcontext,
(const char * const *)cvals, c,
&kst, &n_kst);
/* defaults first, this is used to tell what default enc:salts to use
* for kadmin password changes */
ret = ipadb_get_enc_salt_types(ipactx, first, "krbDefaultEncSaltTypes",
&ipactx->def_encs, &ipactx->n_def_encs);
if (ret) {
goto done;
}
if (ipactx->supp_encs) {
free(ipactx->supp_encs);
/* supported enc salt types, use to tell kadmin what to accept
* but also to detect if kadmin is requesting the default set */
ret = ipadb_get_enc_salt_types(ipactx, first, "krbSupportedEncSaltTypes",
&ipactx->supp_encs, &ipactx->n_supp_encs);
if (ret) {
goto done;
}
ipactx->supp_encs = kst;
ipactx->n_supp_encs = n_kst;
/* get additional options */
ret = ipadb_load_global_config(ipactx);
@@ -413,6 +465,12 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
ret = ipadb_reinit_mspac(ipactx, false);
if (ret && ret != ENOENT) {
/* TODO: log that there is an issue with adtrust settings */
if (ipactx->lcontext == NULL) {
/* for some reason ldap connection was reset in ipadb_reinit_mspac
* and is no longer established => failure of ipadb_get_connection
*/
goto done;
}
}
ret = 0;
@@ -420,12 +478,6 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
done:
ldap_msgfree(res);
ldap_value_free_len(vals);
for (i = 0; i < c && cvals[i]; i++) {
free(cvals[i]);
}
free(cvals);
if (ret) {
if (ipactx->lcontext) {
ldap_unbind_ext_s(ipactx->lcontext, NULL, NULL);
@@ -470,6 +522,7 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
if (!ipactx) {
return ENOMEM;
}
ipactx->magic = IPA_CONTEXT_MAGIC;
/* only check for unsupported 'temporary' value for now */
for (i = 0; db_args != NULL && db_args[i] != NULL; i++) {
@@ -513,6 +566,12 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
goto fail;
}
ret = asprintf(&ipactx->accounts_base, "cn=accounts,%s", ipactx->base);
if (ret == -1) {
ret = ENOMEM;
goto fail;
}
ret = uname(&uname_data);
if (ret) {
ret = EINVAL;
@@ -572,6 +631,7 @@ static krb5_error_code ipadb_get_age(krb5_context kcontext,
return 0;
}
#if KRB5_KDB_DAL_MAJOR_VERSION == 5
static void *ipadb_alloc(krb5_context context, void *ptr, size_t size)
{
return realloc(ptr, size);
@@ -581,48 +641,114 @@ static void ipadb_free(krb5_context context, void *ptr)
{
free(ptr);
}
#endif
/* KDB Virtual Table */
kdb_vftabl kdb_function_table = {
KRB5_KDB_DAL_MAJOR_VERSION, /* major version number */
0, /* minor version number */
ipadb_init_library, /* init_library */
ipadb_fini_library, /* fini_library */
ipadb_init_module, /* init_module */
ipadb_fini_module, /* fini_module */
ipadb_create, /* create */
NULL, /* destroy */
ipadb_get_age, /* get_age */
NULL, /* lock */
NULL, /* unlock */
ipadb_get_principal, /* get_principal */
ipadb_free_principal, /* free_principal */
ipadb_put_principal, /* put_principal */
ipadb_delete_principal, /* delete_principal */
ipadb_iterate, /* iterate */
ipadb_create_pwd_policy, /* create_policy */
ipadb_get_pwd_policy, /* get_policy */
ipadb_put_pwd_policy, /* put_policy */
ipadb_iterate_pwd_policy, /* iter_policy */
ipadb_delete_pwd_policy, /* delete_policy */
ipadb_free_pwd_policy, /* free_policy */
ipadb_alloc, /* alloc */
ipadb_free, /* free */
ipadb_fetch_master_key, /* fetch_master_key */
NULL, /* fetch_master_key_list */
ipadb_store_master_key_list, /* store_master_key_list */
NULL, /* dbe_search_enctype */
ipadb_change_pwd, /* change_pwd */
NULL, /* promote_db */
NULL, /* decrypt_key_data */
NULL, /* encrypt_key_data */
ipadb_sign_authdata, /* sign_authdata */
ipadb_check_transited_realms, /* check_transited_realms */
ipadb_check_policy_as, /* check_policy_as */
NULL, /* check_policy_tgs */
ipadb_audit_as_req, /* audit_as_req */
NULL, /* refresh_config */
ipadb_check_allowed_to_delegate /* check_allowed_to_delegate */
};
/* We explicitly want to keep different ABI tables below separate. */
/* Do not merge them together. Older ABI does not need to be updated */
#if KRB5_KDB_DAL_MAJOR_VERSION == 5
kdb_vftabl kdb_function_table = {
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
.min_ver = 0,
.init_library = ipadb_init_library,
.fini_library = ipadb_fini_library,
.init_module = ipadb_init_module,
.fini_module = ipadb_fini_module,
.create = ipadb_create,
.get_age = ipadb_get_age,
.get_principal = ipadb_get_principal,
.free_principal = ipadb_free_principal,
.put_principal = ipadb_put_principal,
.delete_principal = ipadb_delete_principal,
.iterate = ipadb_iterate,
.create_policy = ipadb_create_pwd_policy,
.get_policy = ipadb_get_pwd_policy,
.put_policy = ipadb_put_pwd_policy,
.iter_policy = ipadb_iterate_pwd_policy,
.delete_policy = ipadb_delete_pwd_policy,
.free_policy = ipadb_free_pwd_policy,
.alloc = ipadb_alloc,
.free = ipadb_free,
.fetch_master_key = ipadb_fetch_master_key,
.store_master_key_list = ipadb_store_master_key_list,
.change_pwd = ipadb_change_pwd,
.sign_authdata = ipadb_sign_authdata,
.check_transited_realms = ipadb_check_transited_realms,
.check_policy_as = ipadb_check_policy_as,
.audit_as_req = ipadb_audit_as_req,
.check_allowed_to_delegate = ipadb_check_allowed_to_delegate
};
#endif
#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
kdb_vftabl kdb_function_table = {
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
.min_ver = 0,
.init_library = ipadb_init_library,
.fini_library = ipadb_fini_library,
.init_module = ipadb_init_module,
.fini_module = ipadb_fini_module,
.create = ipadb_create,
.get_age = ipadb_get_age,
.get_principal = ipadb_get_principal,
.put_principal = ipadb_put_principal,
.delete_principal = ipadb_delete_principal,
.iterate = ipadb_iterate,
.create_policy = ipadb_create_pwd_policy,
.get_policy = ipadb_get_pwd_policy,
.put_policy = ipadb_put_pwd_policy,
.iter_policy = ipadb_iterate_pwd_policy,
.delete_policy = ipadb_delete_pwd_policy,
.fetch_master_key = ipadb_fetch_master_key,
.store_master_key_list = ipadb_store_master_key_list,
.change_pwd = ipadb_change_pwd,
.sign_authdata = ipadb_sign_authdata,
.check_transited_realms = ipadb_check_transited_realms,
.check_policy_as = ipadb_check_policy_as,
.audit_as_req = ipadb_audit_as_req,
.check_allowed_to_delegate = ipadb_check_allowed_to_delegate
};
#endif
#if ((KRB5_KDB_DAL_MAJOR_VERSION == 6) || \
(KRB5_KDB_DAL_MAJOR_VERSION == 7)) && \
defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
kdb_vftabl kdb_function_table = {
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
.min_ver = 1,
.init_library = ipadb_init_library,
.fini_library = ipadb_fini_library,
.init_module = ipadb_init_module,
.fini_module = ipadb_fini_module,
.create = ipadb_create,
.get_age = ipadb_get_age,
.get_principal = ipadb_get_principal,
.put_principal = ipadb_put_principal,
.delete_principal = ipadb_delete_principal,
.iterate = ipadb_iterate,
.create_policy = ipadb_create_pwd_policy,
.get_policy = ipadb_get_pwd_policy,
.put_policy = ipadb_put_pwd_policy,
.iter_policy = ipadb_iterate_pwd_policy,
.delete_policy = ipadb_delete_pwd_policy,
.fetch_master_key = ipadb_fetch_master_key,
.store_master_key_list = ipadb_store_master_key_list,
.change_pwd = ipadb_change_pwd,
.sign_authdata = ipadb_sign_authdata,
.check_transited_realms = ipadb_check_transited_realms,
.check_policy_as = ipadb_check_policy_as,
.audit_as_req = ipadb_audit_as_req,
.check_allowed_to_delegate = ipadb_check_allowed_to_delegate,
/* The order is important, DAL version 6.1 added
* the free_principal_e_data callback */
.free_principal_e_data = ipadb_free_principal_e_data,
};
#endif
#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \
(KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
(KRB5_KDB_DAL_MAJOR_VERSION != 7)
#error unsupported DAL major version
#endif
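Review bot: The cleanup loop at the end of the new ipadb_get_enc_salt_types, `for (i = 0; i < c && cvals[i]; i++)`, dereferences a NULL pointer when calloc fails: `c` has already been set to the number of values, `cvals` is still NULL, and `cvals[0]` is read before the loop condition can stop it. The same pattern was lifted from the old ipadb_get_connection body, but the new helper still carries it; guarding the loop with `for (i = 0; cvals != NULL && i < c && cvals[i]; i++)` keeps the single `done:` exit. Separately, ipadb_get_global_config now calls ipadb_get_connection when `lcontext` is NULL and then ipadb_load_global_config again, although ipadb_get_connection already performs that load itself, so the second LDAP search looks redundant unless the first is meant as best-effort. Callers of ipadb_get_global_config must also cope with the new NULL return, which this section does not show.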


@@ -3,6 +3,7 @@ EXPORTED {
# public symbols
global:
kdb_function_table;
certauth_ipakdb_initvt;
# everything else is local
local:


@@ -30,6 +30,8 @@
* filtering purposes */
#define SECURID 1
#include "config.h"
#include <errno.h>
#include <kdb.h>
#include <ldap.h>
@@ -40,6 +42,9 @@
#include <arpa/inet.h>
#include <endian.h>
#include <unistd.h>
#ifdef HAVE_KRB5_CERTAUTH_PLUGIN
#include <krb5/certauth_plugin.h>
#endif
#include "ipa_krb5.h"
#include "ipa_pwd.h"
@@ -93,20 +98,29 @@ struct ipadb_global_config {
bool disable_lockout;
char **authz_data;
enum ipadb_user_auth user_auth;
bool disable_preauth_for_spns;
};
#define IPA_CONTEXT_MAGIC 0x0c027ea7
struct ipadb_context {
int magic;
char *uri;
char *base;
char *realm;
char *realm_base;
char *accounts_base;
char *kdc_hostname;
LDAP *lcontext;
krb5_context kcontext;
bool override_restrictions;
krb5_key_salt_tuple *supp_encs;
int n_supp_encs;
krb5_key_salt_tuple *def_encs;
int n_def_encs;
struct ipadb_mspac *mspac;
#ifdef HAVE_KRB5_CERTAUTH_PLUGIN
krb5_certauth_moddata certauth_moddata;
#endif
/* Don't access this directly, use ipadb_get_global_config(). */
struct ipadb_global_config config;
@@ -171,21 +185,51 @@ int ipadb_ldap_attr_has_value(LDAP *lcontext, LDAPMessage *le,
int ipadb_ldap_deref_results(LDAP *lcontext, LDAPMessage *le,
LDAPDerefRes **results);
struct ipadb_multires;
krb5_error_code ipadb_multires_init(LDAP *lcontext, struct ipadb_multires **r);
void ipadb_multires_free(struct ipadb_multires *r);
LDAPMessage *ipadb_multires_next_entry(struct ipadb_multires *r);
krb5_error_code ipadb_multibase_search(struct ipadb_context *ipactx,
char **basedns, int scope,
char *filter, char **attrs,
struct ipadb_multires **res,
bool any);
/* PRINCIPALS FUNCTIONS */
krb5_error_code ipadb_get_principal(krb5_context kcontext,
krb5_const_principal search_for,
unsigned int flags,
krb5_db_entry **entry);
void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry);
/* Helper function for DAL API 6.1 or later */
void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data);
krb5_error_code ipadb_put_principal(krb5_context kcontext,
krb5_db_entry *entry,
char **db_args);
krb5_error_code ipadb_delete_principal(krb5_context kcontext,
krb5_const_principal search_for);
krb5_error_code
ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
unsigned int flags,
const char *principal,
const char *filter,
LDAPMessage **result);
krb5_error_code ipadb_find_principal(krb5_context kcontext,
unsigned int flags,
LDAPMessage *res,
char **principal,
LDAPMessage **entry);
#if KRB5_KDB_API_VERSION < 8
krb5_error_code ipadb_iterate(krb5_context kcontext,
char *match_entry,
int (*func)(krb5_pointer, krb5_db_entry *),
krb5_pointer func_arg);
#else
krb5_error_code ipadb_iterate(krb5_context kcontext,
char *match_entry,
int (*func)(krb5_pointer, krb5_db_entry *),
krb5_pointer func_arg, krb5_flags iterflags);
#endif
/* POLICY FUNCTIONS */
@@ -265,6 +309,14 @@ krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
const krb5_data *tr_contents,
const krb5_data *client_realm,
const krb5_data *server_realm);
/* Checks whether a principal's realm is one of trusted domains' realm or NetBIOS name
* and returns the realm of the matched trusted domain in 'trusted_domain'
* Returns 0 in case of success and KRB5_KDB_NOENTRY otherwise
* If DAL driver is not initialized, returns KRB5_KDB_DBNOTINITED */
krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
const char *test_realm, size_t size,
char **trusted_realm);
/* DELEGATION CHECKS */
krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
@@ -276,6 +328,10 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
void ipadb_audit_as_req(krb5_context kcontext,
krb5_kdc_req *request,
#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
const krb5_address *local_addr,
const krb5_address *remote_addr,
#endif
krb5_db_entry *client,
krb5_db_entry *server,
krb5_timestamp authtime,
@@ -286,3 +342,11 @@ void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le,
enum ipadb_user_auth *user_auth);
const struct ipadb_global_config *
ipadb_get_global_config(struct ipadb_context *ipactx);
int ipadb_get_enc_salt_types(struct ipadb_context *ipactx, LDAPMessage *entry,
char *attr, krb5_key_salt_tuple **enc_salt_types,
int *n_enc_salt_types);
#ifdef HAVE_KRB5_CERTAUTH_PLUGIN
/* CERTAUTH PLUGIN */
void ipa_certauth_free_moddata(krb5_certauth_moddata *moddata);
#endif
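Review bot: The new prototype for ipadb_get_enc_salt_types declares the attribute name as `char *attr`, but both call sites in ipa_kdb.c pass string literals and the only use is as the target handed to ldap_get_values_len, which takes a const pointer; declaring it `const char *attr` in both the header and the definition makes that contract explicit and avoids relying on the literal-to-`char *` conversion. The new `int magic` field at the head of struct ipadb_context is assigned IPA_CONTEXT_MAGIC in ipadb_init_module, but nothing in this section shows where it is validated; a one-line comment on the field such as `/* IPA_CONTEXT_MAGIC, set in ipadb_init_module; validated before a context is trusted */` would tell readers what the sentinel guards, with the check site to be confirmed outside this diff.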


@@ -20,11 +20,16 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <syslog.h>
#include "ipa_kdb.h"
#include "ipa_pwd.h"
void ipadb_audit_as_req(krb5_context kcontext,
krb5_kdc_req *request,
#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
const krb5_address *local_addr,
const krb5_address *remote_addr,
#endif
krb5_db_entry *client,
krb5_db_entry *server,
krb5_timestamp authtime,
@@ -121,6 +126,9 @@ void ipadb_audit_as_req(krb5_context kcontext,
client->mask |= KMASK_LAST_FAILED;
break;
default:
krb5_klog_syslog(LOG_ERR,
"File '%s' line %d: Got an unexpected value of "
"error_code: %d\n", __FILE__, __LINE__, error_code);
return;
}
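Review bot: The new `default:` log message ends with `\n`, which none of the other `krb5_klog_syslog` calls in this change use (e.g. `"Failed to init certmapping data"`), so the record may end up with an embedded newline; drop the `\n` so the message is `"File '%s' line %d: Got an unexpected value of error_code: %d"`. The enclosing switch and `ipadb_audit_as_req` itself start outside the hunk.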


@@ -0,0 +1,439 @@
/** BEGIN COPYRIGHT BLOCK
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Additional permission under GPLv3 section 7:
*
* In the following paragraph, "GPL" means the GNU General Public
* License, version 3 or any later version, and "Non-GPL Code" means
* code that is governed neither by the GPL nor a license
* compatible with the GPL.
*
* You may link the code of this Program with Non-GPL Code and convey
* linked combinations including the two, provided that such Non-GPL
* Code only links to the code of this Program through those well
* defined interfaces identified in the file named EXCEPTION found in
* the source code files (the "Approved Interfaces"). The files of
* Non-GPL Code may instantiate templates or use macros or inline
* functions from the Approved Interfaces without causing the resulting
* work to be covered by the GPL. Only the copyright holders of this
* Program may make changes or additions to the list of Approved
* Interfaces.
*
* Authors:
* Sumit Bose <sbose@redhat.com>
*
* Copyright (C) 2017 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
#include <errno.h>
//#include <krb5/certauth_plugin.h>
#include <syslog.h>
#include <sss_certmap.h>
#include "ipa_krb5.h"
#include "ipa_kdb.h"
#define IPA_OC_CERTMAP_RULE "ipaCertMapRule"
#define IPA_CERTMAP_MAPRULE "ipaCertMapMapRule"
#define IPA_CERTMAP_MATCHRULE "ipaCertMapMatchRule"
#define IPA_CERTMAP_PRIORITY "ipaCertMapPriority"
#define IPA_ENABLED_FLAG "ipaEnabledFlag"
#define IPA_TRUE_VALUE "TRUE"
#define IPA_ASSOCIATED_DOMAIN "associatedDomain"
#define OBJECTCLASS "objectClass"
#define CERTMAP_FILTER "(&("OBJECTCLASS"="IPA_OC_CERTMAP_RULE")" \
"("IPA_ENABLED_FLAG"="IPA_TRUE_VALUE"))"
#define DEFAULT_CERTMAP_LIFETIME 300
#ifndef discard_const
#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
#endif
struct krb5_certauth_moddata_st {
char *local_domain;
struct sss_certmap_ctx *sss_certmap_ctx;
struct ipadb_context *ipactx;
time_t valid_until;
};
void ipa_certmap_debug(void *private,
const char *file, long line,
const char *function,
const char *format, ...)
{
va_list ap;
char str[255] = { 0 };
va_start(ap, format);
vsnprintf(str, sizeof(str)-1, format, ap);
va_end(ap);
krb5_klog_syslog(LOG_INFO, str);
}
void ipa_certauth_free_moddata(krb5_certauth_moddata *moddata)
{
if (moddata == NULL || *moddata == NULL) {
return;
}
free((*moddata)->local_domain);
(*moddata)->local_domain = NULL;
sss_certmap_free_ctx((*moddata)->sss_certmap_ctx);
(*moddata)->sss_certmap_ctx = NULL;
free(*moddata);
return;
}
static krb5_error_code ipa_get_init_data(krb5_context kcontext,
krb5_certauth_moddata moddata_out)
{
int ret;
struct sss_certmap_ctx *ctx = NULL;
struct ipadb_context *ipactx;
krb5_error_code kerr;
char *basedn = NULL;
LDAPMessage *result = NULL;
LDAPMessage *le;
LDAP *lc;
size_t c;
uint32_t prio;
char *map_rule = NULL;
char *match_rule = NULL;
char **domains = NULL;
const char *certmap_attrs[] = { OBJECTCLASS,
IPA_CERTMAP_PRIORITY,
IPA_CERTMAP_MATCHRULE,
IPA_CERTMAP_MAPRULE,
IPA_ASSOCIATED_DOMAIN,
IPA_ENABLED_FLAG,
NULL};
krb5_klog_syslog(LOG_INFO, "Initializing IPA certauth plugin.");
ipactx = ipadb_get_context(kcontext);
if (ipactx == NULL || ipactx->magic != IPA_CONTEXT_MAGIC) {
return KRB5_KDB_DBNOTINITED;
}
if (ipactx->certauth_moddata == NULL) {
ipactx->certauth_moddata = moddata_out;
if (ipactx->realm != NULL) {
ipactx->certauth_moddata->local_domain = strdup(ipactx->realm);
if (ipactx->certauth_moddata->local_domain == NULL) {
free(ipactx->certauth_moddata);
ipactx->certauth_moddata = NULL;
ret = ENOMEM;
goto done;
}
}
ipactx->certauth_moddata->ipactx = ipactx;
}
ret = asprintf(&basedn, "cn=certmap,%s", ipactx->base);
if (ret == -1) {
return ENOMEM;
}
kerr = ipadb_simple_search(ipactx,basedn, LDAP_SCOPE_SUBTREE,
CERTMAP_FILTER, discard_const(certmap_attrs),
&result);
if (kerr != 0 && kerr != KRB5_KDB_NOENTRY) {
goto done;
}
ret = sss_certmap_init(NULL, ipa_certmap_debug, NULL, &ctx);
if (ret != 0) {
return ret;
}
if (kerr == KRB5_KDB_NOENTRY) {
ret = sss_certmap_add_rule(ctx, SSS_CERTMAP_MIN_PRIO,
NULL, NULL, NULL);
if (ret != 0) {
goto done;
}
} else {
lc = ipactx->lcontext;
for (le = ldap_first_entry(lc, result); le;
le = ldap_next_entry(lc, le)) {
prio = SSS_CERTMAP_MIN_PRIO;
ret = ipadb_ldap_attr_to_uint32(lc, le, IPA_CERTMAP_PRIORITY,
&prio);
if (ret != 0 && ret != ENOENT) {
goto done;
}
free(map_rule);
map_rule = NULL;
ret = ipadb_ldap_attr_to_str(lc, le, IPA_CERTMAP_MAPRULE,
&map_rule);
if (ret != 0 && ret != ENOENT) {
goto done;
}
free(match_rule);
match_rule = NULL;
ret = ipadb_ldap_attr_to_str(lc, le, IPA_CERTMAP_MATCHRULE,
&match_rule);
if (ret != 0 && ret != ENOENT) {
goto done;
}
if (domains != NULL) {
for (c = 0; domains[c] != NULL; c++) {
free(domains[c]);
}
free(domains);
domains = NULL;
}
ret = ipadb_ldap_attr_to_strlist(lc, le, IPA_ASSOCIATED_DOMAIN,
&domains);
if (ret != 0 && ret != ENOENT) {
goto done;
}
ret = sss_certmap_add_rule(ctx, prio, match_rule, map_rule,
(const char **) domains);
if (ret != 0) {
goto done;
}
}
}
sss_certmap_free_ctx(ipactx->certauth_moddata->sss_certmap_ctx);
ipactx->certauth_moddata->sss_certmap_ctx = ctx;
ipactx->certauth_moddata->valid_until = time(NULL)
+ DEFAULT_CERTMAP_LIFETIME;
krb5_klog_syslog(LOG_DEBUG,
"Successfully updates certificate mapping rules.");
ret = 0;
done:
ldap_msgfree(result);
free(basedn);
free(map_rule);
free(match_rule);
if (domains != NULL) {
for (c = 0; domains[c] != NULL; c++) {
free(domains[c]);
}
free(domains);
domains = NULL;
}
if (ret != 0) {
sss_certmap_free_ctx(ctx);
}
return ret;
}
static krb5_error_code ipa_certauth_authorize(krb5_context context,
krb5_certauth_moddata moddata,
const uint8_t *cert,
size_t cert_len,
krb5_const_principal princ,
const void *opts,
const krb5_db_entry *db_entry,
char ***authinds_out)
{
char *cert_filter = NULL;
char **domains = NULL;
int ret;
size_t c;
char *principal = NULL;
char **auth_inds = NULL;
LDAPMessage *res = NULL;
krb5_error_code kerr;
LDAPMessage *lentry;
if (moddata == NULL) {
return KRB5_PLUGIN_NO_HANDLE;
}
if (moddata->sss_certmap_ctx == NULL || time(NULL) > moddata->valid_until) {
kerr = ipa_get_init_data(context, moddata);
if (kerr != 0) {
krb5_klog_syslog(LOG_ERR, "Failed to init certmapping data");
return KRB5_PLUGIN_NO_HANDLE;
}
}
ret = krb5_unparse_name(context, db_entry->princ, &principal);
if (ret != 0) {
ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
goto done;
}
krb5_klog_syslog(LOG_INFO, "Doing certauth authorize for [%s]", principal);
ret = sss_certmap_get_search_filter(moddata->sss_certmap_ctx,
cert, cert_len,
&cert_filter, &domains);
if (ret != 0) {
if (ret == ENOENT) {
ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
}
goto done;
}
krb5_klog_syslog(LOG_INFO, "Got cert filter [%s]", cert_filter);
/* If there are no domains assigned the rule will apply to the local
* domain only. */
if (domains != NULL) {
if (moddata->local_domain == NULL) {
/* We don't know our own domain name, in general this should not
* happen. But to be fault tolerant we allow matching rule which
* do not have a domain assigned. */
ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
goto done;
}
for (c = 0; domains[c] != NULL; c++) {
if (strcasecmp(domains[c], moddata->local_domain) == 0) {
break;
}
}
/* Our domain was not in the list */
if (domains[c] == NULL) {
ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
goto done;
}
}
kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx,
KRB5_KDB_FLAG_ALIAS_OK,
principal,
cert_filter,
&res);
if (kerr != 0) {
krb5_klog_syslog(LOG_ERR, "Search failed [%d]", kerr);
ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
goto done;
}
kerr = ipadb_find_principal(context, KRB5_KDB_FLAG_ALIAS_OK, res,
&principal, &lentry);
if (kerr == KRB5_KDB_NOENTRY) {
krb5_klog_syslog(LOG_INFO, "No matching entry found");
ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
goto done;
} else if (kerr != 0) {
krb5_klog_syslog(LOG_ERR, "ipadb_find_principal failed [%d]", kerr);
ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
goto done;
}
/* Associate authentication indicator "pkinit" with the successful match.
* SSSD interface doesn't give us a clue which rule did match
* so there is nothing more to add here. */
auth_inds = calloc(2, sizeof(char *));
if (auth_inds != NULL) {
ret = asprintf(&auth_inds[0], "pkinit");
if (ret != -1) {
auth_inds[1] = NULL;
*authinds_out = auth_inds;
} else {
free(auth_inds);
}
}
/* TODO: add more tests ? */
ret = 0;
done:
sss_certmap_free_filter_and_domains(cert_filter, domains);
krb5_free_unparsed_name(context, principal);
ldap_msgfree(res);
return ret;
}
static krb5_error_code ipa_certauth_init(krb5_context kcontext,
krb5_certauth_moddata *moddata_out)
{
struct krb5_certauth_moddata_st *certauth_moddata;
certauth_moddata = calloc(1, sizeof(struct krb5_certauth_moddata_st));
if (certauth_moddata == NULL) {
return ENOMEM;
}
*moddata_out = certauth_moddata;
return 0;
}
static void ipa_certauth_fini(krb5_context context,
krb5_certauth_moddata moddata_out)
{
krb5_klog_syslog(LOG_INFO, "IPA certauth plugin un-loaded.");
return;
}
static void ipa_certauth_free_indicator(krb5_context context,
krb5_certauth_moddata moddata,
char **authinds)
{
size_t i = 0;
if ((authinds == NULL) || (moddata == NULL)) {
return;
}
for(i=0; authinds[i]; i++) {
free(authinds[i]);
authinds[i] = NULL;
}
free(authinds);
}
krb5_error_code certauth_ipakdb_initvt(krb5_context context,
int maj_ver, int min_ver,
krb5_plugin_vtable vtable)
{
krb5_certauth_vtable vt;
if (maj_ver != 1) {
return KRB5_PLUGIN_VER_NOTSUPP;
}
vt = (krb5_certauth_vtable) vtable;
vt->name = "ipakdb";
vt->authorize = ipa_certauth_authorize;
vt->init = ipa_certauth_init;
vt->fini = ipa_certauth_fini;
vt->free_ind = ipa_certauth_free_indicator;
return 0;
}
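Review bot: `ipa_certmap_debug` hands the already-formatted buffer `str` to `krb5_klog_syslog` as the format string, so any `%` in a libsss_certmap debug message (which may carry rule text or certificate-derived strings) is parsed as a conversion specifier; use `krb5_klog_syslog(LOG_INFO, "%s", str);`. In `ipa_get_init_data`, the `return ret;` after a failed `sss_certmap_init` skips the `done:` cleanup and leaks `result` and `basedn`, unlike the other error paths — `goto done;` instead. The strdup-failure path in the same function frees `moddata_out` through `ipactx->certauth_moddata`, yet that is the `moddata` the caller `ipa_certauth_authorize` (and presumably the krb5 plugin layer) still holds, leaving a dangling pointer; it would be safer to leave ownership with the caller and only return `ENOMEM`.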


@@ -23,7 +23,7 @@
#include "ipa_kdb.h"
#include <unicase.h>
static struct timeval std_timeout = {300, 0};
static struct timeval std_timeout = {30, 0};
char *ipadb_filter_escape(const char *input, bool star)
{
@@ -158,6 +158,14 @@ static bool ipadb_need_retry(struct ipadb_context *ipactx, int error)
return false;
}
static int ipadb_check_connection(struct ipadb_context *ipactx)
{
if (ipactx->lcontext == NULL) {
return ipadb_get_connection(ipactx);
}
return 0;
}
krb5_error_code ipadb_simple_search(struct ipadb_context *ipactx,
char *basedn, int scope,
char *filter, char **attrs,
@@ -165,6 +173,10 @@ krb5_error_code ipadb_simple_search(struct ipadb_context *ipactx,
{
int ret;
ret = ipadb_check_connection(ipactx);
if (ret != 0)
return ipadb_simple_ldap_to_kerr(ret);
ret = ldap_search_ext_s(ipactx->lcontext, basedn, scope,
filter, attrs, 0, NULL, NULL,
&std_timeout, LDAP_NO_LIMIT,
@@ -187,6 +199,10 @@ krb5_error_code ipadb_simple_delete(struct ipadb_context *ipactx, char *dn)
{
int ret;
ret = ipadb_check_connection(ipactx);
if (ret != 0)
return ipadb_simple_ldap_to_kerr(ret);
ret = ldap_delete_ext_s(ipactx->lcontext, dn, NULL, NULL);
/* first test if we need to retry to connect */
@@ -204,6 +220,10 @@ krb5_error_code ipadb_simple_add(struct ipadb_context *ipactx,
{
int ret;
ret = ipadb_check_connection(ipactx);
if (ret != 0)
return ipadb_simple_ldap_to_kerr(ret);
ret = ldap_add_ext_s(ipactx->lcontext, dn, mods, NULL, NULL);
/* first test if we need to retry to connect */
@@ -221,6 +241,10 @@ krb5_error_code ipadb_simple_modify(struct ipadb_context *ipactx,
{
int ret;
ret = ipadb_check_connection(ipactx);
if (ret != 0)
return ipadb_simple_ldap_to_kerr(ret);
ret = ldap_modify_ext_s(ipactx->lcontext, dn, mods, NULL, NULL);
/* first test if we need to retry to connect */
@@ -320,6 +344,11 @@ krb5_error_code ipadb_deref_search(struct ipadb_context *ipactx,
retry = true;
while (retry) {
times--;
ret = ipadb_check_connection(ipactx);
if (ret != 0)
break;
ret = ldap_search_ext_s(ipactx->lcontext, base_dn,
scope, filter,
entry_attrs, 0,
@@ -581,3 +610,111 @@ done:
ldap_controls_free(ctrls);
return ret;
}
struct ipadb_multires {
LDAP *lcontext;
LDAPMessage **res;
LDAPMessage *next;
ssize_t cursor;
ssize_t count;
};
krb5_error_code ipadb_multires_init(LDAP *lcontext, struct ipadb_multires **r)
{
*r = malloc(sizeof(struct ipadb_multires));
if (!*r) return ENOMEM;
(*r)->lcontext = lcontext;
(*r)->res = NULL;
(*r)->next = NULL;
(*r)->cursor = -1;
(*r)->count = 0;
return 0;
}
void ipadb_multires_free(struct ipadb_multires *r)
{
if (r != NULL) {
for (int i = 0; i < r->count; i++) {
ldap_msgfree(r->res[i]);
}
free(r);
}
}
LDAPMessage *ipadb_multires_next_entry(struct ipadb_multires *r)
{
if (r->count == 0) return NULL;
if (r->next) {
r->next = ldap_next_entry(r->lcontext, r->next);
}
if (r->next == NULL) {
if (r->cursor >= r->count - 1) {
return NULL;
}
r->cursor++;
r->next = ldap_first_entry(r->lcontext, r->res[r->cursor]);
}
return r->next;
}
krb5_error_code ipadb_multibase_search(struct ipadb_context *ipactx,
char **basedns, int scope,
char *filter, char **attrs,
struct ipadb_multires **res,
bool any)
{
int ret;
ret = ipadb_multires_init(ipactx->lcontext, res);
if (ret != 0) return ret;
ret = ipadb_check_connection(ipactx);
if (ret != 0) {
ipadb_multires_free(*res);
*res = NULL;
return ipadb_simple_ldap_to_kerr(ret);
}
for (int b = 0; basedns[b]; b++) {
LDAPMessage *r;
ret = ldap_search_ext_s(ipactx->lcontext, basedns[b], scope,
filter, attrs, 0, NULL, NULL,
&std_timeout, LDAP_NO_LIMIT, &r);
/* first test if we need to retry to connect */
if (ret != 0 &&
ipadb_need_retry(ipactx, ret)) {
ldap_msgfree(r);
ret = ldap_search_ext_s(ipactx->lcontext, basedns[b], scope,
filter, attrs, 0, NULL, NULL,
&std_timeout, LDAP_NO_LIMIT, &r);
}
if (ret != 0) break;
if (ldap_count_entries(ipactx->lcontext, r) > 0) {
void *tmp = realloc((*res)->res, (((*res)->count + 1) *
sizeof(LDAPMessage *)));
if (tmp == NULL) {
ret = ENOMEM;
break;
}
(*res)->res = tmp;
(*res)->res[(*res)->count] = r;
(*res)->count++;
if (any) break;
}
}
if (ret != 0) {
ipadb_multires_free(*res);
*res = NULL;
}
return ipadb_simple_ldap_to_kerr(ret);
}
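Review bot: `ipadb_multires_free` releases each stored `LDAPMessage` but never frees the `r->res` pointer array that `ipadb_multibase_search` grows with `realloc`, so every multibase search leaks that array; add `free(r->res);` before `free(r);`. In `ipadb_multibase_search`, a result `r` with zero entries is neither stored nor freed after the `ldap_count_entries` test, and the `if (ret != 0) break;` path also drops `r` without `ldap_msgfree` — whether OpenLDAP hands back a message on a failed search I cannot confirm from here, but an `else { ldap_msgfree(r); }` on the zero-entry branch is clearly needed. It would also be worth initialising `r` to `NULL` before the first search so the `ldap_msgfree(r)` in the retry path never sees an indeterminate pointer.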


@@ -20,6 +20,8 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "config.h"
#include "ipa_kdb.h"
#include "ipa_mspac.h"
#include <talloc.h>
@@ -28,34 +30,7 @@
#include "util/time.h"
#include "gen_ndr/ndr_krb5pac.h"
struct ipadb_adtrusts {
char *domain_name;
char *flat_name;
char *domain_sid;
struct dom_sid domsid;
struct dom_sid *sid_blacklist_incoming;
int len_sid_blacklist_incoming;
struct dom_sid *sid_blacklist_outgoing;
int len_sid_blacklist_outgoing;
struct ipadb_adtrusts *parent;
char *parent_name;
};
struct ipadb_mspac {
char *flat_domain_name;
char *flat_server_name;
struct dom_sid domsid;
char *fallback_group;
uint32_t fallback_rid;
int num_trusts;
struct ipadb_adtrusts *trusts;
time_t last_update;
};
int krb5_klog_syslog(int, const char *, ...);
#include "ipa_kdb_mspac_private.h"
static char *user_pac_attrs[] = {
"objectClass",
@@ -116,12 +91,17 @@ static struct {
#define AUTHZ_DATA_TYPE_PAD "PAD"
#define AUTHZ_DATA_TYPE_NONE "NONE"
static int string_to_sid(char *str, struct dom_sid *sid)
int string_to_sid(const char *str, struct dom_sid *sid)
{
unsigned long val;
char *s, *t;
const char *s;
char *t;
int i;
if (str == NULL) {
return EINVAL;
}
memset(sid, '\0', sizeof(struct dom_sid));
s = str;
@@ -177,7 +157,7 @@ static int string_to_sid(char *str, struct dom_sid *sid)
return 0;
}
static char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
{
size_t c;
size_t len;
@@ -185,13 +165,18 @@ static char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
uint32_t ia;
char *buf;
if (dom_sid == NULL) {
if (dom_sid == NULL
|| dom_sid->num_auths < 0
|| dom_sid->num_auths > SID_SUB_AUTHS) {
return NULL;
}
len = 25 + dom_sid->num_auths * 11;
buf = talloc_zero_size(memctx, len);
if (buf == NULL) {
return NULL;
}
ia = (dom_sid->id_auth[5]) +
(dom_sid->id_auth[4] << 8 ) +
@@ -1099,68 +1084,72 @@ static int map_groups(TALLOC_CTX *memctx, krb5_context kcontext,
continue;
}
ldap_derefresponse_free(deref_results);
ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
switch (ret) {
case ENOENT:
/* No entry found, try next SID */
break;
case 0:
if (deref_results == NULL) {
krb5_klog_syslog(LOG_ERR, "No results.");
do {
ldap_derefresponse_free(deref_results);
ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
switch (ret) {
case ENOENT:
/* No entry found, try next SID */
break;
}
case 0:
if (deref_results == NULL) {
krb5_klog_syslog(LOG_ERR, "No results.");
break;
}
for (dres = deref_results; dres; dres = dres->next) {
count++;
}
for (dres = deref_results; dres; dres = dres->next) {
count++;
}
sids = talloc_realloc(memctx, sids, struct dom_sid, count);
if (sids == NULL) {
krb5_klog_syslog(LOG_ERR, "talloc_realloc failed.");
kerr = ENOMEM;
sids = talloc_realloc(memctx, sids, struct dom_sid, count);
if (sids == NULL) {
krb5_klog_syslog(LOG_ERR, "talloc_realloc failed.");
kerr = ENOMEM;
goto done;
}
for (dres = deref_results; dres; dres = dres->next) {
gid = 0;
memset(&sid, '\0', sizeof(struct dom_sid));
for (dval = dres->attrVals; dval; dval = dval->next) {
if (strcasecmp(dval->type, "gidNumber") == 0) {
errno = 0;
gid = strtoul((char *)dval->vals[0].bv_val,
&endptr,10);
if (gid == 0 || gid >= UINT32_MAX || errno != 0 ||
*endptr != '\0') {
continue;
}
}
if (strcasecmp(dval->type,
"ipaNTSecurityIdentifier") == 0) {
kerr = string_to_sid((char *)dval->vals[0].bv_val, &sid);
if (kerr != 0) {
continue;
}
}
}
if (gid != 0 && sid.sid_rev_num != 0) {
/* TODO: check if gid maps to sid */
if (sid_index >= count) {
krb5_klog_syslog(LOG_ERR, "Index larger than "
"array, this shoould "
"never happen.");
kerr = EFAULT;
goto done;
}
memcpy(&sids[sid_index], &sid, sizeof(struct dom_sid));
sid_index++;
}
}
break;
default:
goto done;
}
}
for (dres = deref_results; dres; dres = dres->next) {
gid = 0;
memset(&sid, '\0', sizeof(struct dom_sid));
for (dval = dres->attrVals; dval; dval = dval->next) {
if (strcasecmp(dval->type, "gidNumber") == 0) {
errno = 0;
gid = strtoul((char *)dval->vals[0].bv_val,
&endptr,10);
if (gid == 0 || gid >= UINT32_MAX || errno != 0 ||
*endptr != '\0') {
continue;
}
}
if (strcasecmp(dval->type,
"ipaNTSecurityIdentifier") == 0) {
kerr = string_to_sid((char *)dval->vals[0].bv_val, &sid);
if (kerr != 0) {
continue;
}
}
}
if (gid != 0 && sid.sid_rev_num != 0) {
/* TODO: check if gid maps to sid */
if (sid_index >= count) {
krb5_klog_syslog(LOG_ERR, "Index larger than "
"array, this shoould "
"never happen.");
kerr = EFAULT;
goto done;
}
memcpy(&sids[sid_index], &sid, sizeof(struct dom_sid));
sid_index++;
}
}
break;
default:
goto done;
}
lentry = ldap_next_entry(ipactx->lcontext, lentry);
} while (lentry != NULL);
}
*_ipa_group_sids_count = sid_index;
@@ -1320,10 +1309,26 @@ static void filter_logon_info_log_message(struct dom_sid *sid)
}
}
static krb5_error_code filter_logon_info(krb5_context context,
TALLOC_CTX *memctx,
krb5_data realm,
struct PAC_LOGON_INFO_CTR *info)
static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid)
{
char *domstr = NULL;
domstr = dom_sid_string(NULL, sid);
if (domstr) {
krb5_klog_syslog(LOG_ERR, "PAC filtering issue: SID [%s-%d] is not allowed "
"from a trusted source and will be excluded.", domstr, rid);
talloc_free(domstr);
} else {
krb5_klog_syslog(LOG_ERR, "PAC filtering issue: SID is not allowed "
"from a trusted source and will be excluded."
"Unable to allocate memory to display SID.");
}
}
krb5_error_code filter_logon_info(krb5_context context,
TALLOC_CTX *memctx,
krb5_data realm,
struct PAC_LOGON_INFO_CTR *info)
{
/* We must refuse a PAC that comes signed with a cross realm TGT
@@ -1331,9 +1336,21 @@ static krb5_error_code filter_logon_info(krb5_context context,
* attempt at getting us to sign fake credentials with the help of a
* compromised trusted realm */
/* NOTE: there are two outcomes from filtering:
* REJECT TICKET -- ticket is rejected if domain SID of
* the principal with MS-PAC is filtered out or
* its primary group RID is filtered out
*
* REMOVE SID -- SIDs are removed from the list of SIDs associated
* with the principal if they are filtered out
* This applies also to secondary RIDs of the principal
* if domain_sid-<secondary RID> is filtered out
*/
struct ipadb_context *ipactx;
struct ipadb_adtrusts *domain;
int i, j, k, count;
int i, j, k, l, count;
uint32_t rid;
bool result;
char *domstr = NULL;
@@ -1375,7 +1392,77 @@ static krb5_error_code filter_logon_info(krb5_context context,
&domain->parent->sid_blacklist_incoming[k], true);
if (result) {
filter_logon_info_log_message(info->info->info3.base.domain_sid);
return EINVAL;
return KRB5KDC_ERR_POLICY;
}
}
}
/* Check if this user's SIDs membership is filtered too */
for(k = 0; k < domain->len_sid_blacklist_incoming; k++) {
/* Short-circuit if there are no RIDs. This may happen if we filtered everything already.
* In normal situation there would be at least primary gid as RID in the RIDs array
* but if we filtered out the primary RID, this MS-PAC is invalid */
count = info->info->info3.base.groups.count;
result = dom_sid_is_prefix(info->info->info3.base.domain_sid,
&domain->sid_blacklist_incoming[k]);
if (result) {
i = 0;
j = 0;
if (domain->sid_blacklist_incoming[k].num_auths - info->info->info3.base.domain_sid->num_auths != 1) {
krb5_klog_syslog(LOG_ERR, "Incoming SID blacklist element matching domain [%s with SID %s] "
"has more than one RID component. Invalid check skipped.",
domain->domain_name, domain->domain_sid);
break;
}
rid = domain->sid_blacklist_incoming[k].sub_auths[domain->sid_blacklist_incoming[k].num_auths - 1];
if (rid == info->info->info3.base.rid) {
filter_logon_info_log_message_rid(info->info->info3.base.domain_sid, rid);
/* Actual user's SID is filtered out */
return KRB5KDC_ERR_POLICY;
}
if (rid == info->info->info3.base.primary_gid) {
/* User's primary group SID is filtered out */
return KRB5KDC_ERR_POLICY;
}
if (count == 0) {
/* Having checked actual user's SID and primary group SID, and having no other RIDs,
* skip checks below and continue to next blacklist element */
continue;
}
do {
if (rid == info->info->info3.base.groups.rids[i].rid) {
filter_logon_info_log_message_rid(info->info->info3.base.domain_sid, rid);
/* If this is just a non-primary RID, we simply remove it from the array of RIDs */
l = count - i - j - 1;
if (l != 0) {
memmove(info->info->info3.base.groups.rids+i,
info->info->info3.base.groups.rids+i+1,
sizeof(struct samr_RidWithAttribute)*l);
}
j++;
} else {
i++;
}
} while ((i + j) < count);
if (j != 0) {
count = count-j;
if (count == 0) {
/* All RIDs were filtered out. Unusual but MS-KILE 3.3.5.6.3.1 says SHOULD, not MUST for GroupCount */
info->info->info3.base.groups.count = 0;
talloc_free(info->info->info3.base.groups.rids);
info->info->info3.base.groups.rids = NULL;
} else {
info->info->info3.base.groups.rids = talloc_realloc(memctx,
info->info->info3.base.groups.rids,
struct samr_RidWithAttribute, count);
if (!info->info->info3.base.groups.rids) {
info->info->info3.base.groups.count = 0;
return ENOMEM;
}
info->info->info3.base.groups.count = count;
}
}
}
}
@@ -1397,7 +1484,15 @@ static krb5_error_code filter_logon_info(krb5_context context,
if (result) {
filter_logon_info_log_message(info->info->info3.sids[i].sid);
} else {
/* Go over incoming SID blacklist */
for(k = 0; k < domain->len_sid_blacklist_incoming; k++) {
/* if SID is an exact match, filter it out */
result = dom_sid_check(&domain->sid_blacklist_incoming[k], info->info->info3.sids[i].sid, true);
if (result) {
filter_logon_info_log_message(info->info->info3.sids[i].sid);
break;
}
/* if SID is a suffix of the blacklist element, filter it out*/
result = dom_sid_is_prefix(&domain->sid_blacklist_incoming[k], info->info->info3.sids[i].sid);
if (result) {
filter_logon_info_log_message(info->info->info3.sids[i].sid);
@@ -1406,11 +1501,17 @@ static krb5_error_code filter_logon_info(krb5_context context,
}
}
if (result) {
k = count - i - j - 1;
if (k != 0) {
memmove(info->info->info3.sids+i,
info->info->info3.sids+i+1,
sizeof(struct netr_SidAttr)*k);
}
j++;
memmove(info->info->info3.sids+i, info->info->info3.sids+i+1, count-i-1);
} else {
i++;
}
i++;
} while (i < count);
} while ((i + j) < count);
if (j != 0) {
count = count-j;
@@ -1434,10 +1535,17 @@ static krb5_error_code filter_logon_info(krb5_context context,
/* According to MS-KILE, ResourceGroups must be zero, so check
* that it is the case here */
#ifdef HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP
if (info->info->resource_groups.domain_sid != NULL &&
info->info->resource_groups.groups.count != 0) {
return EINVAL;
}
#else
if (info->info->res_group_dom_sid != NULL &&
info->info->res_groups.count != 0) {
return EINVAL;
}
#endif
return 0;
}
@@ -1888,9 +1996,11 @@ void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
}
ipactx = ipadb_get_context(context);
gcfg = ipadb_get_global_config(ipactx);
if (gcfg != NULL)
tmp = gcfg->authz_data;
if (ipactx != NULL) {
gcfg = ipadb_get_global_config(ipactx);
if (gcfg != NULL)
tmp = gcfg->authz_data;
}
if (ipactx == NULL || tmp == NULL) {
krb5_klog_syslog(LOG_ERR, "No default authorization data types " \
"available, no authorization data will " \
@@ -1908,7 +2018,7 @@ void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
service_specific = false;
authz_data_type = authz_data_list[c];
sep = strchr(authz_data_list[c], ':');
if (sep != NULL) {
if (sep != NULL && entry != NULL) {
if (entry->princ == NULL) {
krb5_klog_syslog(LOG_ERR, "Missing principal in database "
"entry, no authorization data will " \
@@ -2007,9 +2117,11 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
struct ipadb_context *ipactx;
bool with_pac;
bool with_pad;
bool make_ad = false;
int result;
krb5_db_entry *client_entry = NULL;
krb5_boolean is_equal;
bool force_reinit_mspac = false;
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
@@ -2042,43 +2154,56 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
ks_client_princ = client->princ;
}
/* We only need to check the server entry here, because even if the client
* is a service with a valid authorization data it will result to NONE
* because ipadb_get_pac() can only generate a pac for 'real' IPA users.
* (I assume this will be the same for PAD.) */
get_authz_data_types(context, server, &with_pac, &with_pad);
if (client_entry == NULL) client_entry = client;
if (is_as_req) {
get_authz_data_types(context, client_entry, &with_pac, &with_pad);
} else {
get_authz_data_types(context, server, &with_pac, &with_pad);
}
if (with_pad) {
krb5_klog_syslog(LOG_ERR, "PAD authorization data is requested but " \
"currently not supported.");
}
if (is_as_req && with_pac && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
/* Be aggressive here: special case for discovering range type
* immediately after establishing the trust by IPA framework */
if ((krb5_princ_size(context, ks_client_princ) == 2) &&
(strncmp(krb5_princ_component(context, ks_client_princ, 0)->data, "HTTP",
krb5_princ_component(context, ks_client_princ, 0)->length) == 0)) {
ipactx = ipadb_get_context(context);
if (!ipactx) {
kerr = ENOMEM;
goto done;
}
if (ulc_casecmp(krb5_princ_component(context, ks_client_princ, 1)->data,
krb5_princ_component(context, ks_client_princ, 1)->length,
ipactx->kdc_hostname, strlen(ipactx->kdc_hostname),
NULL, NULL, &result) == 0) {
kerr = ipadb_reinit_mspac(ipactx, true);
}
/* we need to create a PAC if we are requested one and this is an AS REQ,
* or we are doing protocol transition (s4u2self) */
if ((is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) ||
(flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
make_ad = true;
}
if (with_pac && make_ad) {
ipactx = ipadb_get_context(context);
if (!ipactx) {
kerr = ENOMEM;
goto done;
}
kerr = ipadb_get_pac(context, client_entry ? client_entry : client, &pac);
/* Be aggressive here: special case for discovering range type
* immediately after establishing the trust by IPA framework. For all
* other cases call ipadb_reinit_mspac() with force_reinit_mspac set
* to 'false' to make sure the information about trusted domains is
* updated on a regular basis for all worker processes. */
if ((krb5_princ_size(context, ks_client_princ) == 2) &&
(strncmp(krb5_princ_component(context, ks_client_princ, 0)->data, "HTTP",
krb5_princ_component(context, ks_client_princ, 0)->length) == 0) &&
(ulc_casecmp(krb5_princ_component(context, ks_client_princ, 1)->data,
krb5_princ_component(context, ks_client_princ, 1)->length,
ipactx->kdc_hostname, strlen(ipactx->kdc_hostname),
NULL, NULL, &result) == 0)) {
force_reinit_mspac = true;
}
(void)ipadb_reinit_mspac(ipactx, force_reinit_mspac);
kerr = ipadb_get_pac(context, client, &pac);
if (kerr != 0 && kerr != ENOENT) {
goto done;
}
}
if (!is_as_req && with_pac) {
} else if (with_pac && !is_as_req) {
/* find the existing PAC, if present */
kerr = krb5_find_authdata(context, tgt_auth_data, NULL,
KRB5_AUTHDATA_WIN2K_PAC, &pac_auth_data);
@@ -2088,7 +2213,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
/* check or generate pac data */
if ((pac_auth_data == NULL) || (pac_auth_data[0] == NULL)) {
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
kerr = ipadb_get_pac(context, client_entry ? client_entry : client, &pac);
kerr = ipadb_get_pac(context, client_entry, &pac);
if (kerr != 0 && kerr != ENOENT) {
goto done;
}
@@ -2141,7 +2266,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
kerr = 0;
done:
if (client_entry != NULL) {
if (client_entry != NULL && client_entry != client) {
ipadb_free_principal(context, client_entry);
}
krb5_pac_free(context, pac);
@@ -2170,7 +2295,7 @@ static char *get_server_netbios_name(struct ipadb_context *ipactx)
void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
{
int i;
int i, j;
if (!*mspac) return;
@@ -2187,6 +2312,12 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
free((*mspac)->trusts[i].sid_blacklist_outgoing);
free((*mspac)->trusts[i].parent_name);
(*mspac)->trusts[i].parent = NULL;
if ((*mspac)->trusts[i].upn_suffixes) {
for (j = 0; (*mspac)->trusts[i].upn_suffixes[j]; j++) {
free((*mspac)->trusts[i].upn_suffixes[j]);
}
free((*mspac)->trusts[i].upn_suffixes);
}
}
free((*mspac)->trusts);
}
@@ -2302,7 +2433,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
LDAP *lc = ipactx->lcontext;
char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName",
"ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
"ipaNTSIDBlacklistOutgoing", NULL };
"ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL };
char *filter = "(objectclass=ipaNTTrustedDomain)";
krb5_error_code kerr;
LDAPMessage *res = NULL;
@@ -2311,6 +2442,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
char *base = NULL;
char *dnstr = NULL;
char *dnl = NULL;
LDAPDN dn = NULL;
char **sid_blacklist_incoming = NULL;
char **sid_blacklist_outgoing = NULL;
int ret, n, i;
@@ -2359,26 +2491,42 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
goto done;
}
t[n].flat_name = NULL;
ret = ipadb_ldap_attr_to_str(lc, le, "ipaNTFlatName",
&t[n].flat_name);
if (ret) {
if (ret && ret != ENOENT) {
ret = EINVAL;
goto done;
}
t[n].domain_sid = NULL;
ret = ipadb_ldap_attr_to_str(lc, le, "ipaNTTrustedDomainSID",
&t[n].domain_sid);
if (ret) {
if (ret && ret != ENOENT) {
ret = EINVAL;
goto done;
}
ret = string_to_sid(t[n].domain_sid, &t[n].domsid);
if (ret) {
if (ret && t[n].domain_sid != NULL) {
ret = EINVAL;
goto done;
}
ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTAdditionalSuffixes",
&t[n].upn_suffixes);
if (ret) {
if (ret == ENOENT) {
/* This attribute is optional */
ret = 0;
t[n].upn_suffixes = NULL;
} else {
ret = EINVAL;
goto done;
}
}
ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTSIDBlacklistIncoming",
&sid_blacklist_incoming);
@@ -2422,26 +2570,32 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
goto done;
}
/* Note that after ldap_str2rdn() call dnl will point to end of one RDN
* which would be '\0' for trust root domain and ',' for subdomain */
dnl--; dnl[0] = '\0';
ret = ldap_str2rdn(dnstr, &rdn, &dnl, LDAP_DN_FORMAT_LDAPV3);
/* Create a DN, which is now everything before the base,
* to get list of rdn values -- the last one would be a root domain.
* Since with cross-forest trust we have to route everything via root
* domain, that is enough for us to assign parentship. */
ret = ldap_str2dn(dnstr, &dn, LDAP_DN_FORMAT_LDAPV3);
if (ret) {
goto done;
}
ldap_rdnfree(rdn);
if (dnl[0] != '\0') {
dnl++;
ret = ldap_str2rdn(dnl, &rdn, &dnl, LDAP_DN_FORMAT_LDAPV3);
if (ret) {
goto done;
}
t[n].parent_name = strndup(rdn[0]->la_value.bv_val, rdn[0]->la_value.bv_len);
ldap_rdnfree(rdn);
rdn = NULL;
for (i = 0; dn[i] != NULL; i++) {
rdn = dn[i];
}
/* We should have a single AVA in the domain RDN */
if (rdn == NULL) {
ldap_dnfree(dn);
ret = EINVAL;
goto done;
}
t[n].parent_name = strndup(rdn[0]->la_value.bv_val, rdn[0]->la_value.bv_len);
ldap_dnfree(dn);
free(dnstr);
dnstr = NULL;
}
@@ -2686,9 +2840,86 @@ krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
}
}
ret = KRB5KRB_AP_ERR_ILL_CR_TKT;
/* Tell to KDC that we don't handle this transition so that rules in krb5.conf could play its role */
ret = KRB5_PLUGIN_NO_HANDLE;
if (has_client_realm && has_transited_contents && has_server_realm) {
ret = 0;
}
return ret;
}
/* Checks whether a principal's realm is one of trusted domains' realm or NetBIOS name
* and returns the realm of the matched trusted domain in 'trusted_domain'
* Returns 0 in case of success and KRB5_KDB_NOENTRY otherwise
* If DAL driver is not initialized, returns KRB5_KDB_DBNOTINITED */
krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
const char *test_realm, size_t size,
char **trusted_realm)
{
struct ipadb_context *ipactx;
int i, j, length;
const char *name;
bool result = false;
if (test_realm == NULL || test_realm[0] == '\0') {
return KRB5_KDB_NOENTRY;
}
ipactx = ipadb_get_context(kcontext);
if (!ipactx || !ipactx->mspac) {
return KRB5_KDB_DBNOTINITED;
}
/* First, compare realm with ours, it would not be from a trusted realm then */
if (strncasecmp(test_realm, ipactx->realm, size) == 0) {
return KRB5_KDB_NOENTRY;
}
if (!ipactx->mspac || !ipactx->mspac->trusts) {
return KRB5_KDB_NOENTRY;
}
/* Iterate through list of trusts and check if input realm belongs to any of the trust */
for(i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
result = strncasecmp(test_realm,
ipactx->mspac->trusts[i].domain_name,
size) == 0;
if (!result && (ipactx->mspac->trusts[i].flat_name != NULL)) {
result = strncasecmp(test_realm,
ipactx->mspac->trusts[i].flat_name,
size) == 0;
}
if (!result && (ipactx->mspac->trusts[i].upn_suffixes != NULL)) {
for (j = 0; ipactx->mspac->trusts[i].upn_suffixes[j]; j++) {
result = strncasecmp(test_realm,
ipactx->mspac->trusts[i].upn_suffixes[j],
size) == 0;
if (result)
break;
}
}
if (result) {
/* return the realm if caller supplied a place for it */
if (trusted_realm != NULL) {
name = (ipactx->mspac->trusts[i].parent_name != NULL) ?
ipactx->mspac->trusts[i].parent_name :
ipactx->mspac->trusts[i].domain_name;
length = strlen(name) + 1;
*trusted_realm = calloc(1, length);
if (*trusted_realm != NULL) {
for (j = 0; j < length; j++) {
(*trusted_realm)[j] = toupper(name[j]);
}
} else {
return KRB5_KDB_NOENTRY;
}
}
return 0;
}
}
return KRB5_KDB_NOENTRY;
}


@@ -0,0 +1,54 @@
/*
* MIT Kerberos KDC database backend for FreeIPA
* This head file contains private declarations for ipa_kdb_mspac.c and should
* be used only there or in unit-test.
*
* Authors: Sumit Bose <sbose@redhat.com>
*
* see file 'COPYING' for use and warranty information
*
* This program is free software you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#pragma once
struct ipadb_mspac {
char *flat_domain_name;
char *flat_server_name;
struct dom_sid domsid;
char *fallback_group;
uint32_t fallback_rid;
int num_trusts;
struct ipadb_adtrusts *trusts;
time_t last_update;
};
struct ipadb_adtrusts {
char *domain_name;
char *flat_name;
char *domain_sid;
struct dom_sid domsid;
struct dom_sid *sid_blacklist_incoming;
int len_sid_blacklist_incoming;
struct dom_sid *sid_blacklist_outgoing;
int len_sid_blacklist_outgoing;
struct ipadb_adtrusts *parent;
char *parent_name;
char **upn_suffixes;
};
int string_to_sid(const char *str, struct dom_sid *sid);
char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid);
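Review bot: The new header is not self-contained: it uses `uint32_t`, `time_t`, `struct dom_sid` and `TALLOC_CTX` without including anything, so it compiles only after the includer has already pulled in <stdint.h>, <time.h> and the talloc/gen_ndr headers (the test file in this commit includes <talloc.h>, gen_ndr/ndr_krb5pac.h, gen_ndr/netlogon.h and ipa_kdb.h ahead of it), and `#pragma once` does not document that. Either add the includes or state the required include order in the head comment, e.g. `/* Must be included after talloc.h, the gen_ndr headers and ipa_kdb.h, which define TALLOC_CTX and struct dom_sid. */`. The new `upn_suffixes` member also deserves an ownership note, since ipadb_mspac_struct_free in this commit walks it until a NULL element and frees each entry: `char **upn_suffixes; /* NULL-terminated, owned by this struct; NULL when ipaNTAdditionalSuffixes is absent */`.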


@@ -159,6 +159,22 @@ krb5_error_code ipadb_change_pwd(krb5_context context,
pwd.data = passwd;
pwd.length = strlen(passwd);
/* detect if kadmin is just passing along the default set */
if (ks_tuple_count == ipactx->n_supp_encs) {
for (i = 0; i < ks_tuple_count; i++) {
if (ks_tuple[i].ks_enctype != ipactx->supp_encs[i].ks_enctype)
break;
if (ks_tuple[i].ks_salttype != ipactx->supp_encs[i].ks_salttype)
break;
}
if (i == ks_tuple_count) {
/* we got passed the default supported enctypes, replace with
* the actual default enctypes to use */
ks_tuple = ipactx->def_encs;
ks_tuple_count = ipactx->n_def_encs;
}
}
/* We further filter supported enctypes to restrict to the list
* we have in ldap */
kerr = filter_key_salt_tuples(context, ks_tuple, ks_tuple_count,
@@ -237,7 +253,11 @@ krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
if (truexp) {
if (ied->pol) {
*expire_time = mod_time + ied->pol->max_pwd_life;
if (ied->pol->max_pwd_life) {
*expire_time = mod_time + ied->pol->max_pwd_life;
} else {
*expire_time = 0;
}
} else {
*expire_time = mod_time + IPAPWD_DEFAULT_PWDLIFE;
}
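Review bot: The default-set detection at the top of the first hunk recognises only an exact, in-order copy of `ipactx->supp_encs`; a caller that passes the same tuples in a different order keeps its own list and is then only narrowed by filter_key_salt_tuples, which is probably not what "just passing along the default set" intends. If the order sensitivity is deliberate, say so in the comment: `/* exact in-order copy of supp_encs only; any other list is treated as an explicit request */`. Note also that `ks_tuple` is re-pointed at `ipactx->def_encs`, so nothing later in ipadb_change_pwd (which continues past this hunk) may free or modify the tuple array; a one-line comment at the assignment, `/* ks_tuple now aliases context-owned data: do not free or modify */`, would protect that invariant.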


@@ -31,16 +31,26 @@
"(objectclass=krbprincipal)" \
"(objectclass=ipakrbprincipal))" \
"(|(ipakrbprincipalalias=%s)" \
"(krbprincipalname=%s)))"
"(krbprincipalname:caseIgnoreIA5Match:=%s)))"
#define PRINC_SEARCH_FILTER "(&(|(objectclass=krbprincipalaux)" \
"(objectclass=krbprincipal))" \
"(krbprincipalname=%s))"
#define PRINC_TGS_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
"(objectclass=krbprincipal)" \
"(objectclass=ipakrbprincipal))" \
"(|(ipakrbprincipalalias=%s)" \
"(krbprincipalname:caseIgnoreIA5Match:=%s))" \
"%s)"
#define PRINC_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
"(objectclass=krbprincipal))" \
"(krbprincipalname=%s)" \
"%s)"
static char *std_principal_attrs[] = {
"krbPrincipalName",
"krbCanonicalName",
"ipaKrbPrincipalAlias",
"krbUPEnabled",
"krbPrincipalKey",
"krbTicketPolicyReference",
@@ -54,6 +64,7 @@ static char *std_principal_attrs[] = {
"krbLastSuccessfulAuth",
"krbLastFailedAuth",
"krbLoginFailedCount",
"krbPrincipalAuthInd",
"krbExtraData",
"krbLastAdminUnlock",
"krbObjectReferences",
@@ -88,13 +99,14 @@ static char *std_principal_obj_classes[] = {
"krbprincipal",
"krbprincipalaux",
"krbTicketPolicyAux",
"ipakrbprincipal",
NULL
};
#define STD_PRINCIPAL_OBJ_CLASSES_SIZE (sizeof(std_principal_obj_classes) / sizeof(char *) - 1)
#define DEFAULT_TL_DATA_CONTENT "\x00\x00\x00\x00principal@UNINITIALIZED"
static int ipadb_ldap_attr_to_tl_data(LDAP *lcontext, LDAPMessage *le,
char *attrname,
krb5_tl_data **result, int *num)
@@ -163,7 +175,7 @@ done:
static krb5_error_code ipadb_set_tl_data(krb5_db_entry *entry,
krb5_int16 type,
krb5_ui_2 length,
krb5_octet *data)
const krb5_octet *data)
{
krb5_error_code kerr;
krb5_tl_data *new_td = NULL;
@@ -299,6 +311,8 @@ static void ipadb_validate_radius(struct ipadb_context *ipactx,
"ipatokenRadiusConfigLink");
if (vals == NULL || vals[0] == NULL)
*ua &= ~IPADB_USER_AUTH_RADIUS;
else
*ua = IPADB_USER_AUTH_RADIUS;
if (vals != NULL)
ldap_value_free_len(vals);
@@ -311,10 +325,6 @@ static void ipadb_validate_password(struct ipadb_context *ipactx,
/* If no mechanisms are set, use password. */
if (*ua == IPADB_USER_AUTH_NONE)
*ua |= IPADB_USER_AUTH_PASSWORD;
/* If any other mechanism has passed validation, don't use password. */
else if (*ua & ~IPADB_USER_AUTH_PASSWORD)
*ua &= ~IPADB_USER_AUTH_PASSWORD;
}
static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
@@ -324,17 +334,18 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
enum ipadb_user_auth ua = IPADB_USER_AUTH_NONE;
const struct ipadb_global_config *gcfg = NULL;
/* Get the user's user_auth settings. */
ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
/* Get the global user_auth settings. */
gcfg = ipadb_get_global_config(ipactx);
if (gcfg != NULL)
gua = gcfg->user_auth;
/* If the disabled flag is set, ignore everything else. */
if ((ua | gua) & IPADB_USER_AUTH_DISABLED)
return IPADB_USER_AUTH_DISABLED;
/* Get the user's user_auth settings if not disabled. */
if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
/* Filter out the disabled flag. */
gua &= ~IPADB_USER_AUTH_DISABLED;
ua &= ~IPADB_USER_AUTH_DISABLED;
/* Determine which user_auth policy is active: user or global. */
if (ua == IPADB_USER_AUTH_NONE)
@@ -348,13 +359,170 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
return ua;
}
#define OSA_ADB_PRINC_VERSION_1 0x12345C01
/* The XDR encoding of OSA_PRINC_ENC is as follows:
version: int (signed 32 bit integer)
name: nullstring (null terminated variable string)
aux_attributes: long (signed 32 bit integer)
old_key_next: u_int (unsigned 32 bit integer)
adm_hist_kvno: u_char (unisgned char)
old_keys: array of keys, we do not care so alway u_int of 0
*/
#define OSA_PRINC_ENC_BASE_SIZE 20
static krb5_error_code ipadb_policydn_to_kdam_tl_data(const char *policydn,
krb5_db_entry *entry)
{
krb5_error_code kerr;
uint32_t tmp;
char *policy_name = NULL;
char *p;
uint8_t *buf = NULL;
size_t buf_len;
int slen;
int plen;
int cur;
/* policy objects must use cn as the RDN */
if (strncmp(policydn, "cn=", 3) != 0) {
return KRB5_KDB_INTERNAL_ERROR;
}
/* Should we try to consider the case where a ',' is part of the polict
* name ? */
policy_name = strdup(&policydn[3]);
if (!policy_name) {
kerr = ENOMEM;
goto done;
}
p = strchr(policy_name, ',');
if (p) *p = '\0';
/* Now we open code a basic KRB5_TL_KADM_DATA which is a XDR encoded
* structure in MIT code */
slen = strlen(policy_name) + 1;
/* A xdr varstring is preceeded by a 32bit len field and is always 32
* bit aligned */
plen = slen + 4;
plen = (((plen + 3) / 4) * 4);
buf_len = OSA_PRINC_ENC_BASE_SIZE + plen;
buf = calloc(1, buf_len);
if (!buf) {
kerr = ENOMEM;
goto done;
}
/* version */
cur = 0;
tmp = htobe32(OSA_ADB_PRINC_VERSION_1);
memcpy(&buf[cur], &tmp, 4);
cur += 4;
/* name */
tmp = htobe32(slen);
memcpy(&buf[cur], &tmp, 4);
memcpy(&buf[cur + 4], policy_name, slen);
cur += plen;
/* All the other fileds are left empty */
kerr = ipadb_set_tl_data(entry, KRB5_TL_KADM_DATA, buf_len, buf);
done:
free(policy_name);
free(buf);
return kerr;
}
static void strv_free(char **strv)
{
int i;
if (strv == NULL) {
return;
}
for (i = 0; strv[i] != NULL; i++) {
free(strv[i]);
}
free(strv);
}
static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext,
LDAP *lcontext,
LDAPMessage *lentry,
krb5_db_entry *entry)
{
krb5_error_code ret = 0;
char **authinds = NULL;
char *aistr = NULL;
char *ap = NULL;
size_t len = 0;
size_t l = 0;
int count = 0;
int i = 0;
ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "krbPrincipalAuthInd",
&authinds);
switch (ret) {
case 0:
break;
case ENOENT:
return 0;
default:
return ret;
}
for (count = 0; authinds != NULL && authinds[count] != NULL; count++) {
len += strlen(authinds[count]) + 1;
}
if (len == 0) {
strv_free(authinds);
return 0;
}
aistr = malloc(len);
if (aistr == NULL) {
ret = errno;
goto cleanup;
}
/* Create a space-separated string of authinds. */
ap = aistr;
l = len;
for (i = 0; i < count; i++) {
ret = snprintf(ap, l, "%s ", authinds[i]);
if (ret <= 0 || ret > l) {
ret = ENOMEM;
goto cleanup;
}
ap += ret;
l -= ret;
}
aistr[len - 1] = '\0';
ret = krb5_dbe_set_string(kcontext, entry, "require_auth",
aistr);
cleanup:
strv_free(authinds);
free(aistr);
return ret;
}
static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
char *principal,
LDAPMessage *lentry,
krb5_db_entry **kentry,
uint32_t *polmask)
{
krb5_octet otp_string[] = {'o', 't', 'p', 0, '[', ']', 0 };
const krb5_octet rad_string[] = "otp\0[{\"indicators\": [\"radius\"]}]";
const krb5_octet otp_string[] = "otp\0[{\"indicators\": [\"otp\"]}]";
struct ipadb_context *ipactx;
enum ipadb_user_auth ua;
LDAP *lcontext;
@@ -516,13 +684,25 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
case 0:
entry->tl_data = res_tl_data;
entry->n_tl_data = result;
break;
case ENOENT:
/* The kadmin utility expects always at least KRB5_TL_MOD_PRINC tl_data
* to be available. So if krbExtraData is missing (may happen when a
* user is created but no password has been set yet) then add a default
* one. */
kerr = ipadb_set_tl_data(entry, KRB5_TL_MOD_PRINC,
sizeof(DEFAULT_TL_DATA_CONTENT),
(const krb5_octet *)DEFAULT_TL_DATA_CONTENT);
break;
default:
kerr = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
ret = ipadb_get_ldap_auth_ind(kcontext, lcontext, lentry, entry);
if (ret)
goto done;
ret = ipadb_ldap_attr_to_key_data(lcontext, lentry,
"krbPrincipalKey",
&res_key_data, &result, &mkvno);
@@ -616,6 +796,9 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
}
ied->pw_policy_dn = restring;
kerr = ipadb_policydn_to_kdam_tl_data(restring, entry);
if (kerr) goto done;
ret = ipadb_ldap_attr_to_strlist(lcontext, lentry,
"passwordHistory", &restrlist);
if (ret != 0 && ret != ENOENT) {
@@ -669,11 +852,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
}
/* If enabled, set the otp user string, enabling otp. */
if (ua & (IPADB_USER_AUTH_RADIUS | IPADB_USER_AUTH_OTP)) {
if (ua & IPADB_USER_AUTH_OTP) {
kerr = ipadb_set_tl_data(entry, KRB5_TL_STRING_ATTRS,
sizeof(otp_string), otp_string);
if (kerr)
goto done;
} else if (ua & IPADB_USER_AUTH_RADIUS) {
kerr = ipadb_set_tl_data(entry, KRB5_TL_STRING_ATTRS,
sizeof(rad_string), rad_string);
if (kerr)
goto done;
}
kerr = 0;
@@ -687,10 +875,12 @@ done:
return kerr;
}
static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
unsigned int flags,
char *principal,
LDAPMessage **result)
krb5_error_code
ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
unsigned int flags,
const char *principal,
const char *filter,
LDAPMessage **result)
{
krb5_error_code kerr;
char *src_filter = NULL;
@@ -713,11 +903,21 @@ static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
goto done;
}
if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
esc_original_princ, esc_original_princ);
if (filter == NULL) {
if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
esc_original_princ, esc_original_princ);
} else {
ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
}
} else {
ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
esc_original_princ, esc_original_princ, filter);
} else {
ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
esc_original_princ, filter);
}
}
if (ret == -1) {
@@ -736,11 +936,20 @@ done:
return kerr;
}
static krb5_error_code ipadb_find_principal(krb5_context kcontext,
unsigned int flags,
LDAPMessage *res,
char **principal,
LDAPMessage **entry)
static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
unsigned int flags,
char *principal,
LDAPMessage **result)
{
return ipadb_fetch_principals_with_extra_filter(ipactx, flags, principal,
NULL, result);
}
krb5_error_code ipadb_find_principal(krb5_context kcontext,
unsigned int flags,
LDAPMessage *res,
char **principal,
LDAPMessage **entry)
{
struct ipadb_context *ipactx;
bool found = false;
@@ -780,6 +989,17 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
NULL, NULL, &result) != 0)
return KRB5_KDB_INTERNAL_ERROR;
found = (result == 0);
if (found) {
/* replace the incoming principal with the value having
* the correct case. This ensures that valid name/alias
* is returned even if krbCanonicalName is not present
*/
free(*principal);
*principal = strdup(vals[i]->bv_val);
if (!(*principal)) {
return KRB5_KDB_INTERNAL_ERROR;
}
}
} else {
found = (strcmp(vals[i]->bv_val, (*principal)) == 0);
}
@@ -830,6 +1050,25 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
return 0;
}
static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
krb5_db_entry *entry)
{
const struct ipadb_global_config *config;
struct ipadb_e_data *ied;
config = ipadb_get_global_config(ipactx);
if (config->disable_preauth_for_spns) {
ied = (struct ipadb_e_data *)entry->e_data;
if (ied && ied->ipa_user != true) {
/* not a user, assume SPN */
return 0;
}
}
/* By default require preauth for all principals */
return KRB5_KDB_REQUIRES_PRE_AUTH;
}
static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
LDAPMessage *lentry,
krb5_db_entry *entry,
@@ -900,7 +1139,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
if (ret == 0) {
entry->attributes |= result;
} else {
entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
entry->attributes |= maybe_require_preauth(ipactx, entry);
}
}
}
@@ -916,7 +1155,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
entry->max_renewable_life = 604800;
}
if (polmask & TKTFLAGS_BIT) {
entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
entry->attributes |= maybe_require_preauth(ipactx, entry);
}
kerr = 0;
@@ -942,8 +1181,10 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
struct ipadb_context *ipactx;
krb5_error_code kerr;
char *principal = NULL;
char *trusted_realm = NULL;
LDAPMessage *res = NULL;
LDAPMessage *lentry;
krb5_db_entry *kentry = NULL;
uint32_t pol;
ipactx = ipadb_get_context(kcontext);
@@ -963,7 +1204,95 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
kerr = ipadb_find_principal(kcontext, flags, res, &principal, &lentry);
if (kerr != 0) {
goto done;
if ((kerr == KRB5_KDB_NOENTRY) &&
((flags & (KRB5_KDB_FLAG_CANONICALIZE |
KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY)) != 0)) {
/* First check if we got enterprise principal which looks like
* username\@enterprise_realm@REALM */
char *realm;
krb5_data *upn;
upn = krb5_princ_component(kcontext, search_for,
krb5_princ_size(kcontext, search_for) - 1);
if (upn == NULL) {
kerr = KRB5_KDB_NOENTRY;
goto done;
}
realm = memrchr(upn->data, '@', upn->length);
if (realm == NULL) {
kerr = KRB5_KDB_NOENTRY;
goto done;
}
/* skip '@' and use part after '@' as an enterprise realm for comparison */
realm++;
/* check for our realm */
if (strncasecmp(ipactx->realm, realm,
upn->length - (realm - upn->data)) == 0) {
/* it looks like it is ok to use malloc'ed strings as principal */
krb5_free_unparsed_name(kcontext, principal);
principal = strndup((const char *) upn->data, upn->length);
if (principal == NULL) {
kerr = ENOMEM;
goto done;
}
ldap_msgfree(res);
res = NULL;
kerr = ipadb_fetch_principals(ipactx, flags, principal, &res);
if (kerr != 0) {
goto done;
}
kerr = ipadb_find_principal(kcontext, flags, res, &principal,
&lentry);
if (kerr != 0) {
goto done;
}
} else {
kerr = ipadb_is_princ_from_trusted_realm(kcontext,
realm,
upn->length - (realm - upn->data),
&trusted_realm);
if (kerr == KRB5_KDB_NOENTRY) {
/* try to refresh trusted domain data and try again */
kerr = ipadb_reinit_mspac(ipactx, false);
if (kerr != 0) {
kerr = KRB5_KDB_NOENTRY;
goto done;
}
kerr = ipadb_is_princ_from_trusted_realm(kcontext, realm,
upn->length - (realm - upn->data),
&trusted_realm);
}
if (kerr == 0) {
kentry = calloc(1, sizeof(krb5_db_entry));
if (!kentry) {
kerr = ENOMEM;
goto done;
}
kerr = krb5_parse_name(kcontext, principal,
&kentry->princ);
if (kerr != 0) {
goto done;
}
kerr = krb5_set_principal_realm(kcontext, kentry->princ, trusted_realm);
if (kerr != 0) {
goto done;
}
*entry = kentry;
}
goto done;
}
} else {
goto done;
}
}
kerr = ipadb_parse_ldap_entry(kcontext, principal, lentry, entry, &pol);
@@ -979,17 +1308,42 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
}
done:
free(trusted_realm);
if ((kerr != 0) && (kentry != NULL)) {
ipadb_free_principal(kcontext, kentry);
}
ldap_msgfree(res);
krb5_free_unparsed_name(kcontext, principal);
return kerr;
}
void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry)
void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data)
{
struct ipadb_e_data *ied;
krb5_tl_data *prev, *next;
int i;
ied = (struct ipadb_e_data *)e_data;
if (ied->magic == IPA_E_DATA_MAGIC) {
ldap_memfree(ied->entry_dn);
free(ied->passwd);
free(ied->pw_policy_dn);
for (i = 0; ied->pw_history && ied->pw_history[i]; i++) {
free(ied->pw_history[i]);
}
free(ied->pw_history);
for (i = 0; ied->authz_data && ied->authz_data[i]; i++) {
free(ied->authz_data[i]);
}
free(ied->authz_data);
free(ied->pol);
free(ied);
}
}
void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry)
{
krb5_tl_data *prev, *next;
if (entry) {
krb5_free_principal(kcontext, entry->princ);
prev = entry->tl_data;
@@ -1002,22 +1356,7 @@ void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry)
ipa_krb5_free_key_data(entry->key_data, entry->n_key_data);
if (entry->e_data) {
ied = (struct ipadb_e_data *)entry->e_data;
if (ied->magic == IPA_E_DATA_MAGIC) {
ldap_memfree(ied->entry_dn);
free(ied->passwd);
free(ied->pw_policy_dn);
for (i = 0; ied->pw_history && ied->pw_history[i]; i++) {
free(ied->pw_history[i]);
}
free(ied->pw_history);
for (i = 0; ied->authz_data && ied->authz_data[i]; i++) {
free(ied->authz_data[i]);
}
free(ied->authz_data);
free(ied->pol);
free(ied);
}
ipadb_free_principal_e_data(kcontext, entry->e_data);
}
free(entry);
@@ -1474,32 +1813,103 @@ done:
return kerr;
}
static krb5_error_code ipadb_principal_to_mods(krb5_context kcontext,
struct ipadb_mods *imods,
char *principal,
int mod_op)
{
krb5_error_code kerr;
if (principal == NULL) {
kerr = EINVAL;
goto done;
}
kerr = ipadb_get_ldap_mod_str(imods, "krbPrincipalName",
principal, mod_op);
if (kerr) {
goto done;
}
kerr = ipadb_get_ldap_mod_str(imods, "krbCanonicalName",
principal, mod_op);
if (kerr) {
goto done;
}
kerr = 0;
done:
return kerr;
}
static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
struct ipadb_mods *imods,
krb5_db_entry *entry,
int mod_op)
{
krb5_error_code ret = 0;
char **strlist = NULL;
char *ais = NULL;
char *ai = NULL;
char *s = NULL;
size_t ai_size = 0;
int cnt = 0;
int i = 0;
ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais);
if (ret) {
return ret;
}
if (ais == NULL) {
return 0;
}
ai_size = strlen(ais) + 1;
for (i = 0; i < ai_size; i++) {
if (ais[i] != ' ') {
continue;
}
if (i > 0 && ais[i - 1] != ' ') {
cnt++;
}
}
strlist = calloc(cnt + 2, sizeof(*strlist));
if (strlist == NULL) {
free(ais);
return errno;
}
cnt = 0;
ai = strtok_r(ais, " ", &s);
while (ai != NULL) {
if (ai[0] != '\0') {
strlist[cnt++] = ai;
}
ai = strtok_r(NULL, " ", &s);
}
ret = ipadb_get_ldap_mod_str_list(imods, "krbPrincipalAuthInd",
strlist, cnt, mod_op);
free(ais);
free(strlist);
return ret;
}
static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
struct ipadb_mods *imods,
krb5_db_entry *entry,
char *principal,
int mod_op)
{
krb5_error_code kerr;
krb5_int32 time32le;
int mkvno;
char *req_auth_str = NULL;
/* check each mask flag in order */
/* KADM5_PRINCIPAL */
if (entry->mask & KMASK_PRINCIPAL) {
kerr = ipadb_get_ldap_mod_str(imods, "krbPrincipalName",
principal, mod_op);
if (kerr) {
goto done;
}
kerr = ipadb_get_ldap_mod_str(imods, "ipaKrbPrincipalAlias",
principal, mod_op);
if (kerr) {
goto done;
}
}
/* KADM5_PRINC_EXPIRE_TIME */
if (entry->mask & KMASK_PRINC_EXPIRE_TIME) {
kerr = ipadb_get_ldap_mod_time(imods,
@@ -1517,6 +1927,11 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
"krbPasswordExpiration",
entry->pw_expiration,
mod_op);
if (entry->pw_expiration == 0) {
kerr = ipadb_get_ldap_mod_time(imods,
"krbPasswordExpiration",
entry->pw_expiration, LDAP_MOD_DELETE);
}
if (kerr) {
goto done;
}
@@ -1675,6 +2090,10 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
}
}
kerr = ipadb_get_ldap_mod_auth_ind(kcontext, imods, entry, mod_op);
if (kerr)
goto done;
/* KADM5_TL_DATA */
if (entry->mask & KMASK_TL_DATA) {
kerr = ipadb_get_tl_data(entry,
@@ -1694,12 +2113,36 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
}
}
kerr = krb5_dbe_get_string(kcontext, entry, "require_auth",
&req_auth_str);
if (kerr) {
goto done;
}
/* Do not store auth indicators from the string attribute in
* krbExtraData. Remove require_auth value from the entry temporarily. */
if (req_auth_str != NULL) {
kerr = krb5_dbe_set_string(kcontext, entry, "require_auth", NULL);
if (kerr) {
goto done;
}
}
kerr = ipadb_get_ldap_mod_extra_data(imods,
entry->tl_data,
mod_op);
if (kerr && kerr != ENOENT) {
goto done;
}
/* Restore require_auth value */
if (req_auth_str != NULL) {
kerr = krb5_dbe_set_string(kcontext, entry, "require_auth",
req_auth_str);
if (kerr) {
goto done;
}
}
}
/* KADM5_LOAD */
@@ -1744,6 +2187,12 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
kerr = ipadb_get_ldap_mod_time(imods,
"krbPasswordExpiration",
expire_time, mod_op);
if (expire_time == 0) {
kerr = ipadb_get_ldap_mod_time(imods,
"krbPasswordExpiration",
expire_time, LDAP_MOD_DELETE);
}
if (kerr) {
goto done;
}
@@ -1777,6 +2226,7 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
kerr = 0;
done:
free(req_auth_str);
return kerr;
}
@@ -1863,8 +2313,12 @@ static krb5_error_code ipadb_add_principal(krb5_context kcontext,
goto done;
}
kerr = ipadb_entry_to_mods(kcontext, imods,
entry, principal, LDAP_MOD_ADD);
kerr = ipadb_principal_to_mods(kcontext, imods, principal, LDAP_MOD_ADD);
if (kerr != 0) {
goto done;
}
kerr = ipadb_entry_to_mods(kcontext, imods, entry, LDAP_MOD_ADD);
if (kerr != 0) {
goto done;
}
@@ -1895,6 +2349,11 @@ static krb5_error_code ipadb_modify_principal(krb5_context kcontext,
return KRB5_KDB_DBNOTINITED;
}
kerr = new_ipadb_mods(&imods);
if (kerr) {
goto done;
}
ied = (struct ipadb_e_data *)entry->e_data;
if (!ied || !ied->entry_dn) {
kerr = krb5_unparse_name(kcontext, entry->princ, &principal);
@@ -1919,15 +2378,16 @@ static krb5_error_code ipadb_modify_principal(krb5_context kcontext,
kerr = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
kerr = ipadb_principal_to_mods(kcontext, imods, principal,
LDAP_MOD_REPLACE);
if (kerr != 0) {
goto done;
}
}
kerr = new_ipadb_mods(&imods);
if (kerr) {
goto done;
}
kerr = ipadb_entry_to_mods(kcontext, imods,
entry, principal, LDAP_MOD_REPLACE);
kerr = ipadb_entry_to_mods(kcontext, imods, entry, LDAP_MOD_REPLACE);
if (kerr != 0) {
goto done;
}
@@ -2087,10 +2547,17 @@ done:
return kerr;
}
#if KRB5_KDB_API_VERSION < 8
krb5_error_code ipadb_iterate(krb5_context kcontext,
char *match_entry,
int (*func)(krb5_pointer, krb5_db_entry *),
krb5_pointer func_arg)
#else
krb5_error_code ipadb_iterate(krb5_context kcontext,
char *match_entry,
int (*func)(krb5_pointer, krb5_db_entry *),
krb5_pointer func_arg, krb5_flags iterflags)
#endif
{
struct ipadb_context *ipactx;
krb5_error_code kerr;
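Review bot: In the enterprise-principal branch of ipadb_get_principal, `strncasecmp(ipactx->realm, realm, upn->length - (realm - upn->data))` bounds the comparison by the suffix length only, so a suffix that is a proper prefix of the local realm (e.g. `EXAMPLE` against `EXAMPLE.COM`) compares equal and is treated as our realm; the same length is then handed to ipadb_is_princ_from_trusted_realm, which applies it the same way against `domain_name`, `flat_name` and `upn_suffixes`, so a short suffix can match a longer trust name by prefix. Compute the length once and require an exact match: `size_t rlen = upn->length - (realm - upn->data);` and `if (strlen(ipactx->realm) == rlen && strncasecmp(ipactx->realm, realm, rlen) == 0) {`, with the equivalent `strlen(name) == size` guard inside the trusted-realm loop. A smaller point in ipadb_get_ldap_auth_ind: krbPrincipalAuthInd values are joined with spaces and ipadb_get_ldap_mod_auth_ind later splits on spaces, so an indicator value that itself contains a space does not round-trip; rejecting such values where the list is read would make that limitation explicit rather than silent.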


@@ -137,10 +137,11 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
osa_policy_ent_t *policy)
{
struct ipadb_context *ipactx;
char *bases[3] = { NULL };
char *esc_name = NULL;
char *src_filter = NULL;
krb5_error_code kerr;
LDAPMessage *res = NULL;
struct ipadb_multires *res = NULL;
LDAPMessage *lentry;
osa_policy_ent_t pentry = NULL;
uint32_t result;
@@ -150,6 +151,8 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
if (!ipactx) {
return KRB5_KDB_DBNOTINITED;
}
bases[0] = ipactx->realm_base;
bases[1] = ipactx->accounts_base;
esc_name = ipadb_filter_escape(name, true);
if (!esc_name) {
@@ -162,14 +165,14 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
goto done;
}
kerr = ipadb_simple_search(ipactx,
ipactx->realm_base, LDAP_SCOPE_SUBTREE,
src_filter, std_pwdpolicy_attrs, &res);
kerr = ipadb_multibase_search(ipactx, bases, LDAP_SCOPE_SUBTREE,
src_filter, std_pwdpolicy_attrs, &res,
true);
if (kerr) {
goto done;
}
lentry = ldap_first_entry(ipactx->lcontext, res);
lentry = ipadb_multires_next_entry(res);
if (!lentry) {
kerr = KRB5_KDB_INTERNAL_ERROR;
goto done;
@@ -237,6 +240,13 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
pentry->pw_lockout_duration = result;
}
ret = ipa_kstuples_to_string(ipactx->supp_encs, ipactx->n_supp_encs,
&pentry->allowed_keysalts);
if (ret != 0) {
kerr = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
*policy = pentry;
done:
@@ -245,7 +255,7 @@ done:
}
free(esc_name);
free(src_filter);
ldap_msgfree(res);
ipadb_multires_free(res);
return kerr;
}
@@ -274,6 +284,7 @@ void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val)
{
if (val) {
free(val->name);
free(val->allowed_keysalts);
free(val);
}
}
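Review bot: The trailing `true` passed to ipadb_multibase_search carries no hint of which behaviour it selects, and the two entries loaded into `bases` are likewise unexplained; a reader has to open the prototype (outside this hunk) to follow the search. A comment on each would do, e.g. `/* policies under the realm base, then under the accounts base -- confirm against ipadb_multibase_search */` above the `bases[]` assignments and a named annotation on the flag. Separately, an empty result across both bases still surfaces as KRB5_KDB_INTERNAL_ERROR rather than a not-found status, which callers will report as a database failure; KRB5_KDB_NOENTRY arguably describes that case better now that the search spans two subtrees.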


@@ -1,51 +1,40 @@
/** BEGIN COPYRIGHT BLOCK
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Additional permission under GPLv3 section 7:
*
* In the following paragraph, "GPL" means the GNU General Public
* License, version 3 or any later version, and "Non-GPL Code" means
* code that is governed neither by the GPL nor a license
* compatible with the GPL.
*
* You may link the code of this Program with Non-GPL Code and convey
* linked combinations including the two, provided that such Non-GPL
* Code only links to the code of this Program through those well
* defined interfaces identified in the file named EXCEPTION found in
* the source code files (the "Approved Interfaces"). The files of
* Non-GPL Code may instantiate templates or use macros or inline
* functions from the Approved Interfaces without causing the resulting
* work to be covered by the GPL. Only the copyright holders of this
* Program may make changes or additions to the list of Approved
* Interfaces.
*
* Authors:
* Sumit Bose <sbose@redhat.com>
*
* Copyright (C) 2013 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
/*
Authors:
Sumit Bose <sbose@redhat.com>
#include <check.h>
#include <stdlib.h>
Copyright (C) 2015 Red Hat
ipa-kdb tests
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdbool.h>
#include <krb5/krb5.h>
#include <kdb.h>
#include <stddef.h>
#include <stdint.h>
#include <setjmp.h>
#include <cmocka.h>
#include "ipa-kdb/ipa_kdb.h"
#include <talloc.h>
#include "gen_ndr/ndr_krb5pac.h"
#include "gen_ndr/netlogon.h"
#include "ipa_kdb.h"
#include "ipa_kdb_mspac_private.h"
#define NFS_PRINC_STRING "nfs/fully.qualified.host.name@REALM.NAME"
#define NON_NFS_PRINC_STRING "abcdef/fully.qualified.host.name@REALM.NAME"
@@ -71,10 +60,249 @@ int krb5_klog_syslog(int l, const char *format, ...)
return 0;
}
struct test_ctx {
krb5_context krb5_ctx;
};
#define DOMAIN_NAME "my.domain"
#define REALM "MY.DOMAIN"
#define REALM_LEN (sizeof(REALM) - 1)
#define FLAT_NAME "MYDOM"
#define DOM_SID "S-1-5-21-1-2-3"
#define DOM_SID_TRUST "S-1-5-21-4-5-6"
#define BLACKLIST_SID "S-1-5-1"
static int setup(void **state)
{
int ret;
krb5_context krb5_ctx;
krb5_error_code kerr;
struct ipadb_context *ipa_ctx;
struct test_ctx *test_ctx;
kerr = krb5_init_context(&krb5_ctx);
assert_int_equal(kerr, 0);
kerr = krb5_set_default_realm(krb5_ctx, "EXAMPLE.COM");
assert_int_equal(kerr, 0);
kerr = krb5_db_setup_lib_handle(krb5_ctx);
assert_int_equal(kerr, 0);
ipa_ctx = calloc(1, sizeof(struct ipadb_context));
assert_non_null(ipa_ctx);
ipa_ctx->mspac = calloc(1, sizeof(struct ipadb_mspac));
assert_non_null(ipa_ctx->mspac);
/* make sure data is not read from LDAP */
ipa_ctx->mspac->last_update = time(NULL) - 1;
ret = string_to_sid(DOM_SID, &ipa_ctx->mspac->domsid);
assert_int_equal(ret, 0);
ipa_ctx->mspac->num_trusts = 1;
ipa_ctx->mspac->trusts = calloc(1, sizeof(struct ipadb_adtrusts));
assert_non_null(ipa_ctx->mspac->trusts);
ipa_ctx->mspac->trusts[0].domain_name = strdup(DOMAIN_NAME);
assert_non_null(ipa_ctx->mspac->trusts[0].domain_name);
ipa_ctx->mspac->trusts[0].flat_name = strdup(FLAT_NAME);
assert_non_null(ipa_ctx->mspac->trusts[0].flat_name);
ipa_ctx->mspac->trusts[0].domain_sid = strdup(DOM_SID_TRUST);
assert_non_null(ipa_ctx->mspac->trusts[0].domain_sid);
ret = string_to_sid(DOM_SID_TRUST, &ipa_ctx->mspac->trusts[0].domsid);
assert_int_equal(ret, 0);
ipa_ctx->mspac->trusts[0].len_sid_blacklist_incoming = 1;
ipa_ctx->mspac->trusts[0].sid_blacklist_incoming = calloc(
ipa_ctx->mspac->trusts[0].len_sid_blacklist_incoming,
sizeof(struct dom_sid));
assert_non_null(ipa_ctx->mspac->trusts[0].sid_blacklist_incoming);
ret = string_to_sid(BLACKLIST_SID,
&ipa_ctx->mspac->trusts[0].sid_blacklist_incoming[0]);
assert_int_equal(ret, 0);
ipa_ctx->kcontext = krb5_ctx;
kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
assert_int_equal(kerr, 0);
test_ctx = talloc(NULL, struct test_ctx);
assert_non_null(test_ctx);
test_ctx->krb5_ctx = krb5_ctx;
*state = test_ctx;
return 0;
}
static int teardown(void **state)
{
struct test_ctx *test_ctx;
struct ipadb_context *ipa_ctx;
test_ctx = (struct test_ctx *) *state;
ipa_ctx = ipadb_get_context(test_ctx->krb5_ctx);
assert_non_null(ipa_ctx);
ipadb_mspac_struct_free(&ipa_ctx->mspac);
krb5_db_fini(test_ctx->krb5_ctx);
krb5_free_context(test_ctx->krb5_ctx);
talloc_free(test_ctx);
return 0;
}
extern krb5_error_code filter_logon_info(krb5_context context,
TALLOC_CTX *memctx,
krb5_data realm,
struct PAC_LOGON_INFO_CTR *info);
void test_filter_logon_info(void **state)
{
krb5_error_code kerr;
krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
struct test_ctx *test_ctx;
struct PAC_LOGON_INFO_CTR *info;
int ret;
struct dom_sid dom_sid;
size_t c;
size_t d;
test_ctx = (struct test_ctx *) *state;
info = talloc_zero(test_ctx, struct PAC_LOGON_INFO_CTR);
assert_non_null(info);
info->info = talloc_zero(info, struct PAC_LOGON_INFO);
assert_non_null(info->info);
/* wrong flat name */
info->info->info3.base.logon_domain.string = talloc_strdup(info->info,
"WRONG");
assert_non_null(info->info->info3.base.logon_domain.string);
kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
assert_int_equal(kerr, EINVAL);
info->info->info3.base.logon_domain.string = talloc_strdup(info->info,
FLAT_NAME);
assert_non_null(info->info->info3.base.logon_domain.string);
/* missing domain SID */
kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
assert_int_equal(kerr, EINVAL);
/* wrong domain SID */
ret = string_to_sid("S-1-5-21-1-1-1", &dom_sid);
assert_int_equal(ret, 0);
info->info->info3.base.domain_sid = &dom_sid;
kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
assert_int_equal(kerr, EINVAL);
/* matching domain SID */
ret = string_to_sid(DOM_SID_TRUST, &dom_sid);
assert_int_equal(ret, 0);
info->info->info3.base.domain_sid = &dom_sid;
kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info);
assert_int_equal(kerr, 0);
/* empty SIDs */
info->info->info3.sidcount = 3;
info->info->info3.sids = talloc_zero_array(info->info,
struct netr_SidAttr,
info->info->info3.sidcount);
assert_non_null(info->info->info3.sids);
for(c = 0; c < info->info->info3.sidcount; c++) {
info->info->info3.sids[c].sid = talloc_zero(info->info->info3.sids,
struct dom_sid2);
assert_non_null(info->info->info3.sids[c].sid);
}
kerr = filter_logon_info(test_ctx->krb5_ctx, NULL, realm, info);
assert_int_equal(kerr, 0);
assert_int_equal(info->info->info3.sidcount, 3);
struct test_data {
size_t sidcount;
const char *sids[3];
size_t exp_sidcount;
const char *exp_sids[3];
} test_data[] = {
/* only allowed SIDs */
{3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"},
3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"}},
/* last SID filtered */
{3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", BLACKLIST_SID"-1002"},
2, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001"}},
/* center SID filtered */
{3, {DOM_SID_TRUST"-1000", BLACKLIST_SID"-1001", DOM_SID_TRUST"-1002"},
2, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1002"}},
/* first SID filtered */
{3, {BLACKLIST_SID"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"},
2, {DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"}},
/* first and last SID filtered */
{3, {BLACKLIST_SID"-1000", DOM_SID_TRUST"-1001", BLACKLIST_SID"-1002"},
1, {DOM_SID_TRUST"-1001"}},
/* two SIDs in a rwo filtered */
{3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", DOM_SID_TRUST"-1002"},
1, {DOM_SID_TRUST"-1002"}},
/* all SIDs filtered*/
{3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", BLACKLIST_SID"-1002"},
0, {}},
{0, {}, 0 , {}}
};
for (c = 0; test_data[c].sidcount != 0; c++) {
talloc_free(info->info->info3.sids);
info->info->info3.sidcount = test_data[c].sidcount;
info->info->info3.sids = talloc_zero_array(info->info,
struct netr_SidAttr,
info->info->info3.sidcount);
assert_non_null(info->info->info3.sids);
for(d = 0; d < info->info->info3.sidcount; d++) {
info->info->info3.sids[d].sid = talloc_zero(info->info->info3.sids,
struct dom_sid2);
assert_non_null(info->info->info3.sids[d].sid);
}
for (d = 0; d < info->info->info3.sidcount; d++) {
ret = string_to_sid(test_data[c].sids[d],
info->info->info3.sids[d].sid);
assert_int_equal(ret, 0);
}
kerr = filter_logon_info(test_ctx->krb5_ctx, NULL, realm, info);
assert_int_equal(kerr, 0);
assert_int_equal(info->info->info3.sidcount, test_data[c].exp_sidcount);
if (test_data[c].exp_sidcount == 0) {
assert_null(info->info->info3.sids);
} else {
for (d = 0; d < test_data[c].exp_sidcount; d++) {
assert_string_equal(test_data[c].exp_sids[d],
dom_sid_string(info->info->info3.sids,
info->info->info3.sids[d].sid));
}
}
}
talloc_free(info);
}
extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
bool *with_pac, bool *with_pad);
START_TEST(test_get_authz_data_types)
void test_get_authz_data_types(void **state)
{
bool with_pac;
bool with_pad;
@@ -90,50 +318,45 @@ START_TEST(test_get_authz_data_types)
char *ad_none_and_pad[] = {"NONE", "PAD", NULL};
char *ad_global_pac_nfs_none[] = {"MS-PAC", "nfs:NONE", NULL};
char *ad_global_pac_nfs_pad[] = {"MS-PAC", "nfs:PAD", NULL};
krb5_context krb5_ctx;
krb5_error_code kerr;
struct ipadb_context *ipa_ctx;
krb5_principal nfs_princ;
krb5_principal non_nfs_princ;
struct test_ctx *test_ctx;
test_ctx = (struct test_ctx *) *state;
ipa_ctx = ipadb_get_context(test_ctx->krb5_ctx);
assert_non_null(ipa_ctx);
get_authz_data_types(NULL, NULL, NULL, NULL);
with_pad = true;
get_authz_data_types(NULL, NULL, NULL, &with_pad);
fail_unless(!with_pad, "with_pad not false with NULL inuput.");
assert_false(with_pad);
with_pac = true;
get_authz_data_types(NULL, NULL, &with_pac, NULL);
fail_unless(!with_pac, "with_pac not false with NULL inuput.");
assert_false(with_pad);
with_pad = true;
with_pac = true;
get_authz_data_types(NULL, NULL, &with_pac, &with_pad);
fail_unless(!with_pad, "with_pad not false with NULL inuput.");
fail_unless(!with_pac, "with_pac not false with NULL inuput.");
assert_false(with_pac);
assert_false(with_pad);
entry = calloc(1, sizeof(krb5_db_entry));
fail_unless(entry != NULL, "calloc krb5_db_entry failed.");
assert_non_null(entry);
ied = calloc(1, sizeof(struct ipadb_e_data));
fail_unless(ied != NULL, "calloc struct ipadb_e_data failed.");
assert_non_null(ied);
entry->e_data = (void *) ied;
kerr = krb5_init_context(&krb5_ctx);
fail_unless(kerr == 0, "krb5_init_context failed.");
kerr = krb5_db_setup_lib_handle(krb5_ctx);
fail_unless(kerr == 0, "krb5_db_setup_lib_handle failed.\n");
ipa_ctx = calloc(1, sizeof(struct ipadb_context));
fail_unless(ipa_ctx != NULL, "calloc failed.\n");
ipa_ctx->kcontext = krb5_ctx;
kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
fail_unless(kerr == 0, "krb5_db_set_context failed.\n");
kerr = krb5_parse_name(test_ctx->krb5_ctx, NFS_PRINC_STRING, &nfs_princ);
assert_int_equal(kerr, 0);
kerr = krb5_parse_name(krb5_ctx, NFS_PRINC_STRING, &nfs_princ);
fail_unless(kerr == 0, "krb5_parse_name failed.");
kerr = krb5_parse_name(krb5_ctx, NON_NFS_PRINC_STRING, &non_nfs_princ);
fail_unless(kerr == 0, "krb5_parse_name failed.");
kerr = krb5_parse_name(test_ctx->krb5_ctx, NON_NFS_PRINC_STRING,
&non_nfs_princ);
assert_int_equal(kerr, 0);
struct test_set {
char **authz_data;
@@ -178,42 +401,94 @@ START_TEST(test_get_authz_data_types)
/* Set last_update to avoid LDAP lookups during tests */
ipa_ctx->config.last_update = time(NULL);
entry->princ = test_set[c].princ;
get_authz_data_types(krb5_ctx, entry, &with_pac, &with_pad);
fail_unless(with_pad == test_set[c].exp_with_pad, "with_pad not %s %s.",
test_set[c].exp_with_pad ? "true" : "false",
test_set[c].err_msg);
fail_unless(with_pac == test_set[c].exp_with_pac, "with_pac not %s %s.",
test_set[c].exp_with_pac ? "true" : "false",
test_set[c].err_msg);
get_authz_data_types(test_ctx->krb5_ctx, entry, &with_pac, &with_pad);
assert_true(with_pad == test_set[c].exp_with_pad);
assert_true(with_pac == test_set[c].exp_with_pac);
/* test if global default are returned if there is no server entry */
if (test_set[c].authz_data == NULL && test_set[c].princ == NULL) {
get_authz_data_types(test_ctx->krb5_ctx, NULL, &with_pac,
&with_pad);
assert_true(with_pad == test_set[c].exp_with_pad);
assert_true(with_pac == test_set[c].exp_with_pac);
}
}
krb5_free_principal(krb5_ctx, nfs_princ);
krb5_free_principal(krb5_ctx, non_nfs_princ);
krb5_db_fini(krb5_ctx);
krb5_free_context(krb5_ctx);
free(ied);
free(entry);
krb5_free_principal(test_ctx->krb5_ctx, nfs_princ);
krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
}
END_TEST
Suite * ipa_kdb_suite(void)
void test_string_to_sid(void **state)
{
Suite *s = suite_create("IPA kdb");
int ret;
struct dom_sid sid;
struct dom_sid exp_sid = {1, 5, {0, 0, 0, 0, 0, 5},
{21, 2127521184, 1604012920, 1887927527, 72713,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0}};
TCase *tc_helper = tcase_create("Helper functions");
tcase_add_test(tc_helper, test_get_authz_data_types);
suite_add_tcase(s, tc_helper);
ret = string_to_sid(NULL, &sid);
assert_int_equal(ret, EINVAL);
return s;
ret = string_to_sid("abc", &sid);
assert_int_equal(ret, EINVAL);
ret = string_to_sid("S-", &sid);
assert_int_equal(ret, EINVAL);
ret = string_to_sid("S-ABC", &sid);
assert_int_equal(ret, EINVAL);
ret = string_to_sid("S-123", &sid);
assert_int_equal(ret, EINVAL);
ret = string_to_sid("S-1-123-1-2-3-4-5-6-7-8-9-0-1-2-3-4-5-6", &sid);
assert_int_equal(ret, EINVAL);
ret = string_to_sid("S-1-5-21-2127521184-1604012920-1887927527-72713",
&sid);
assert_int_equal(ret, 0);
assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
}
int main(void)
void test_dom_sid_string(void **state)
{
int number_failed;
struct test_ctx *test_ctx;
char *str_sid;
struct dom_sid test_sid = {1, 5, {0, 0, 0, 0, 0, 5},
{21, 2127521184, 1604012920, 1887927527, 72713,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0}};
Suite *s = ipa_kdb_suite ();
SRunner *sr = srunner_create (s);
srunner_run_all (sr, CK_VERBOSE);
number_failed = srunner_ntests_failed (sr);
srunner_free (sr);
test_ctx = (struct test_ctx *) *state;
return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
str_sid = dom_sid_string(test_ctx, NULL);
assert_null(str_sid);
str_sid = dom_sid_string(test_ctx, &test_sid);
assert_non_null(str_sid);
assert_string_equal(str_sid,
"S-1-5-21-2127521184-1604012920-1887927527-72713");
test_sid.num_auths = -3;
str_sid = dom_sid_string(test_ctx, &test_sid);
test_sid.num_auths = 16;
str_sid = dom_sid_string(test_ctx, &test_sid);
}
int main(int argc, const char *argv[])
{
const struct CMUnitTest tests[] = {
cmocka_unit_test_setup_teardown(test_get_authz_data_types,
setup, teardown),
cmocka_unit_test_setup_teardown(test_filter_logon_info,
setup, teardown),
cmocka_unit_test(test_string_to_sid),
cmocka_unit_test_setup_teardown(test_dom_sid_string,
setup, teardown),
};
return cmocka_run_group_tests(tests, NULL, NULL);
}
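Review bot: The NULL-argument case for `with_pac` asserts the wrong variable: after `get_authz_data_types(NULL, NULL, &with_pac, NULL)` the new code runs `assert_false(with_pad)` where the check-based original tested `!with_pac`, so a regression that leaves `with_pac` true for a NULL entry would go unnoticed; change it to `assert_false(with_pac);`. In the same section, `test_dom_sid_string` calls `dom_sid_string()` with `num_auths` set to -3 and then to 16 but never inspects the result, so those two out-of-range cases verify nothing — add `assert_null(str_sid);` after each call (assuming the function rejects out-of-range authority counts; if it returns a string there, assert on that instead). It also looks as though the `free(ied); free(entry);` at the end of test_get_authz_data_types were dropped in the conversion, though the rendered view leaves the side of those lines unclear; if so, the calloc'd entry and its e_data leak on every run of that test.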


@@ -0,0 +1,2 @@
KRB5_CONFIG=/dev/null
export KRB5_CONFIG