From e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Jul 06 2016 17:12:11 +0000
Subject: IPA/AD: globally set krb5 canonicalization flag

If Kerberos principal canonicalization is configured in SSSD, currently it is the default for the IPA provider, a configuration snippet is generated for the system-wide libkrb5 configuration so that all kerberized applications will use canonicalization by default.

Resolves https://fedorahosted.org/sssd/ticket/3041

Reviewed-by: Jakub Hrozek
---
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 5b0bee8..05dfc30 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -504,11 +504,16 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
{ const char *path; errno_t ret; + bool canonicalize; path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic, AD_KRB5_CONFD_PATH); - ret = sss_write_krb5_conf_snippet(path); + canonicalize = dp_opt_get_bool( + subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts, + KRB5_CANONICALIZE); + + ret = sss_write_krb5_conf_snippet(path, canonicalize); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n"); /* Just continue */
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index cb443db..a02a65d 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
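Review bot: The new `dp_opt_get_bool(subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts, KRB5_CANONICALIZE)` dereferences `ad_options->auth_ctx` with no NULL check, and this hunk does not show that the AD auth context is always created when `ad` is used as id_provider only; if it is not, every subdomain reinit on such a host would crash here. A guard keeps the old behaviour in that case, e.g. `canonicalize = subdoms_ctx->ad_id_ctx->ad_options->auth_ctx != NULL && dp_opt_get_bool(subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts, KRB5_CANONICALIZE);`, or the init path should be confirmed to set `auth_ctx` unconditionally and a comment should say so. ad_subdom_reinit continues past the end of the hunk.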
@@ -76,8 +76,11 @@ ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx)
"Re-initializing domain %s\n", ctx->be_ctx->domain->name); ret = sss_write_krb5_conf_snippet( - dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic, - IPA_KRB5_CONFD_PATH)); + dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic, + IPA_KRB5_CONFD_PATH), + dp_opt_get_bool( + ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts, + KRB5_CANONICALIZE)); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n"); /* Just continue */
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index aaba2df..4ea5936 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -1247,16 +1247,16 @@ void test_sss_write_krb5_conf_snippet(void **state)
char *path; char *file; - ret = sss_write_krb5_conf_snippet(NULL); + ret = sss_write_krb5_conf_snippet(NULL, false); assert_int_equal(ret, EINVAL); - ret = sss_write_krb5_conf_snippet("abc"); + ret = sss_write_krb5_conf_snippet("abc", false); assert_int_equal(ret, EINVAL); - ret = sss_write_krb5_conf_snippet(""); + ret = sss_write_krb5_conf_snippet("", false); assert_int_equal(ret, EOK); - ret = sss_write_krb5_conf_snippet("none"); + ret = sss_write_krb5_conf_snippet("none", false); assert_int_equal(ret, EOK); cwd = getcwd(buf, PATH_MAX);
@@ -1268,11 +1268,11 @@ void test_sss_write_krb5_conf_snippet(void **state)
ret = asprintf(&file, "%s/%s/localauth_plugin", cwd, TESTS_PATH); assert_true(ret > 0); - ret = sss_write_krb5_conf_snippet(path); + ret = sss_write_krb5_conf_snippet(path, true); assert_int_equal(ret, EOK); /* Check if writing a second time will work as well */ - ret = sss_write_krb5_conf_snippet(path); + ret = sss_write_krb5_conf_snippet(path, true); assert_int_equal(ret, EOK); #ifdef HAVE_KRB5_LOCALAUTH_PLUGIN
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index adb3f12..6fc15a0 100644
--- a/src/util/domain_info_utils.c
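Review bot: The new call nests two `dp_opt_get_*` lookups inside the argument list of `sss_write_krb5_conf_snippet`, which spreads one call over six lines and differs from the AD counterpart in this same commit, where the path and the flag are read into locals first; pulling them out, `canonicalize = dp_opt_get_bool(ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts, KRB5_CANONICALIZE);` followed by `ret = sss_write_krb5_conf_snippet(path, canonicalize);`, would make the two providers read alike. The chain `ipa_options->auth_ctx->krb5_auth_ctx->opts` is also assumed non-NULL; that is fine only if the IPA auth context always exists before a subdomain reinit, which this hunk cannot show. ipa_subdom_reinit starts and ends outside the hunk.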
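Review bot: The two `sss_write_krb5_conf_snippet(path, true)` calls in the second test hunk assert only `EOK`, so the behaviour this commit introduces — a `krb5_libdefaults` file with `[libdefaults]` and `canonicalize = true` appearing under `path` — is never verified, and nothing checks that a `false` call leaves that file absent. Because a wrong system-wide libdefaults snippet changes Kerberos name handling for every application on the host, the test should read the generated file back and compare its contents with the expected text, and the earlier `false` calls should be followed by an assertion that no such file exists; a minimal positive check would be `ret = asprintf(&file, "%s/krb5_libdefaults", path); assert_true(ret > 0); assert_int_equal(access(file, F_OK), 0);` before the existing contents checks. test_sss_write_krb5_conf_snippet starts before and ends after these hunks.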
+++ b/src/util/domain_info_utils.c
@@ -658,7 +658,45 @@ done:
#endif } -errno_t sss_write_krb5_conf_snippet(const char *path) +#define KRB5_LIBDEFAUTLS_CONFIG \ +"[libdefaults]\n" \ +" canonicalize = true\n" + +static errno_t sss_write_krb5_libdefaults_snippet(const char *path) +{ + int ret; + TALLOC_CTX *tmp_ctx = NULL; + const char *file_name; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + file_name = talloc_asprintf(tmp_ctx, "%s/krb5_libdefaults", path); + if (file_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_FUNC_DATA, "File for KRB5 kibdefaults configuration is [%s]\n", + file_name); + + ret = sss_write_krb5_snippet_common(file_name, KRB5_LIBDEFAUTLS_CONFIG); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_snippet_common failed.\n"); + goto done; + } + +done: + + talloc_free(tmp_ctx); + return ret; +} + +errno_t sss_write_krb5_conf_snippet(const char *path, bool canonicalize) { errno_t ret; errno_t err;
@@ -680,6 +718,14 @@ errno_t sss_write_krb5_conf_snippet(const char *path)
goto done; } + if (canonicalize) { + ret = sss_write_krb5_libdefaults_snippet(path); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_libdefaults_snippet failed.\n"); + goto done; + } + } + ret = EOK; done:
diff --git a/src/util/util.h b/src/util/util.h
index 36d8231..9207648 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -525,7 +525,7 @@ errno_t sssd_domain_init(TALLOC_CTX *mem_ctx,
errno_t sss_write_domain_mappings(struct sss_domain_info *domain); -errno_t sss_write_krb5_conf_snippet(const char *path); +errno_t sss_write_krb5_conf_snippet(const char *path, bool canonicalize); errno_t get_dom_names(TALLOC_CTX *mem_ctx, struct sss_domain_info *start_dom,
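Review bot: The new macro is spelled `KRB5_LIBDEFAUTLS_CONFIG` and the DEBUG message says "kibdefaults"; both should read "libdefaults" before the name is picked up by other call sites, i.e. `#define KRB5_LIBDEFAULTS_CONFIG \` and `"File for KRB5 libdefaults configuration is [%s]\n"`. In `sss_write_krb5_libdefaults_snippet` the `goto done;` in the `ret != EOK` branch jumps to the label that immediately follows it, so that branch can shrink to the DEBUG call, and `ret` is declared `int` while the function and the rest of this file use `errno_t`. The helper also deserves a short header comment saying that it writes `<path>/krb5_libdefaults` with a system-wide `canonicalize = true` for libkrb5 and that `path` is expected to have been validated by the caller, since it is not re-checked here.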
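Review bot: `if (canonicalize)` only ever writes the libdefaults snippet; when an administrator later turns canonicalization off in sssd.conf, nothing in this hunk removes a previously written `<path>/krb5_libdefaults`, so the system-wide `canonicalize = true` would outlive the setting unless it is cleaned up elsewhere, which I cannot see because `sss_write_krb5_conf_snippet` starts and ends outside the hunk. A matching branch for the `false` case — for example having the helper take the flag and unlink the file, ignoring `ENOENT`, when it is false — would keep the host's libkrb5 configuration in step with SSSD's own setting. The `ret = EOK;` that follows is now redundant on the success path, since `ret` is already `EOK` there, but it is harmless.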