1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 /*
26 * Initialization routines
27 */
28
29 #include "idmapd.h"
30 #include <signal.h>
31 #include <thread.h>
32 #include <string.h>
33 #include <errno.h>
34 #include <assert.h>
35 #include <unistd.h>
36 #include <sys/types.h>
37 #include <sys/stat.h>
38 #include <rpcsvc/daemon_utils.h>
39
40
41 int
init_mapping_system()42 init_mapping_system()
43 {
44 int rc = 0;
45
46 if (rwlock_init(&_idmapdstate.rwlk_cfg, USYNC_THREAD, NULL) != 0)
47 return (-1);
48 if ((rc = load_config()) < 0)
49 return (rc);
50
51 (void) setegid(DAEMON_GID);
52 (void) seteuid(DAEMON_UID);
53 if (init_dbs() < 0) {
54 rc = -1;
55 fini_mapping_system();
56 }
57 (void) seteuid(0);
58 (void) setegid(0);
59
60 return (rc);
61 }
62
63 void
fini_mapping_system()64 fini_mapping_system()
65 {
66 fini_dbs();
67 }
68
69 int
load_config()70 load_config()
71 {
72 int rc;
73 if ((_idmapdstate.cfg = idmap_cfg_init()) == NULL) {
74 degrade_svc(0, "failed to initialize config");
75 return (-1);
76 }
77
78 rc = idmap_cfg_upgrade(_idmapdstate.cfg);
79 if (rc != 0) {
80 degrade_svc(0, "fatal error while upgrading configuration");
81 return (rc);
82 }
83
84 rc = idmap_cfg_load(_idmapdstate.cfg, 0);
85 if (rc < -1) {
86 /* Total failure */
87 degrade_svc(0, "fatal error while loading configuration");
88 return (rc);
89 }
90
91 if (rc != 0)
92 /* Partial failure */
93 idmapdlog(LOG_ERR, "Various errors occurred while loading "
94 "the configuration; check the logs");
95
96 if ((rc = idmap_cfg_start_updates()) < 0) {
97 /* Total failure */
98 degrade_svc(0, "could not start config updater");
99 return (rc);
100 }
101
102 if (DBG(CONFIG, 1))
103 idmapdlog(LOG_DEBUG, "Initial configuration loaded");
104
105 return (0);
106 }
107
108
109 void
reload_gcs()110 reload_gcs()
111 {
112 int i, j;
113 adutils_ad_t **new_gcs;
114 adutils_ad_t **old_gcs = _idmapdstate.gcs;
115 int new_num_gcs;
116 int old_num_gcs = _idmapdstate.num_gcs;
117 idmap_pg_config_t *pgcfg = &_idmapdstate.cfg->pgcfg;
118 idmap_trustedforest_t *trustfor = pgcfg->trusted_forests;
119 int num_trustfor = pgcfg->num_trusted_forests;
120 ad_disc_domainsinforest_t *domain_in_forest;
121
122 if (pgcfg->domain_name == NULL) {
123 /* No domain name specified - workgroup mode. */
124 new_gcs = NULL;
125 new_num_gcs = 0;
126 goto out;
127 }
128
129 if (pgcfg->global_catalog == NULL ||
130 pgcfg->global_catalog[0].host[0] == '\0') {
131 /*
132 * No GCs. Continue to use the previous AD config in case
133 * that's still good but auto-discovery had a transient failure.
134 * If that stops working we'll go into degraded mode anyways
135 * when it does.
136 */
137 degrade_svc(0,
138 "Global Catalog servers not configured/discoverable");
139 return;
140 }
141
142 new_num_gcs = 1 + num_trustfor;
143 new_gcs = calloc(new_num_gcs, sizeof (adutils_ad_t *));
144 if (new_gcs == NULL) {
145 degrade_svc(0, "could not allocate AD context array "
146 "(out of memory)");
147 return;
148 }
149
150 if (adutils_ad_alloc(&new_gcs[0], NULL, ADUTILS_AD_GLOBAL_CATALOG) !=
151 ADUTILS_SUCCESS) {
152 free(new_gcs);
153 degrade_svc(0, "could not initialize AD context "
154 "(out of memory)");
155 return;
156 }
157
158 for (i = 0; pgcfg->global_catalog[i].host[0] != '\0'; i++) {
159 if (idmap_add_ds(new_gcs[0],
160 pgcfg->global_catalog[i].host,
161 pgcfg->global_catalog[i].port) != 0) {
162 adutils_ad_free(&new_gcs[0]);
163 free(new_gcs);
164 degrade_svc(0, "could not set AD hosts "
165 "(out of memory)");
166 return;
167 }
168 }
169
170 if (pgcfg->domains_in_forest != NULL) {
171 for (i = 0; pgcfg->domains_in_forest[i].domain[0] != '\0';
172 i++) {
173 if (adutils_add_domain(new_gcs[0],
174 pgcfg->domains_in_forest[i].domain,
175 pgcfg->domains_in_forest[i].sid) != 0) {
176 adutils_ad_free(&new_gcs[0]);
177 free(new_gcs);
178 degrade_svc(0, "could not set AD domains "
179 "(out of memory)");
180 return;
181 }
182 }
183 }
184
185 for (i = 0; i < num_trustfor; i++) {
186 if (adutils_ad_alloc(&new_gcs[i + 1], NULL,
187 ADUTILS_AD_GLOBAL_CATALOG) != ADUTILS_SUCCESS) {
188 degrade_svc(0, "could not initialize trusted AD "
189 "context (out of memory)");
190 new_num_gcs = i + 1;
191 goto out;
192 }
193 for (j = 0; trustfor[i].global_catalog[j].host[0] != '\0';
194 j++) {
195 if (idmap_add_ds(new_gcs[i + 1],
196 trustfor[i].global_catalog[j].host,
197 trustfor[i].global_catalog[j].port) != 0) {
198 adutils_ad_free(&new_gcs[i + 1]);
199 degrade_svc(0, "could not set trusted "
200 "AD hosts (out of memory)");
201 new_num_gcs = i + 1;
202 goto out;
203 }
204 }
205 for (j = 0; trustfor[i].domains_in_forest[j].domain[0] != '\0';
206 j++) {
207 domain_in_forest = &trustfor[i].domains_in_forest[j];
208 /* Only add domains which are marked */
209 if (domain_in_forest->trusted) {
210 if (adutils_add_domain(new_gcs[i + 1],
211 domain_in_forest->domain,
212 domain_in_forest->sid) != 0) {
213 adutils_ad_free(&new_gcs[i + 1]);
214 degrade_svc(0, "could not set trusted "
215 "AD domains (out of memory)");
216 new_num_gcs = i + 1;
217 goto out;
218 }
219 }
220 }
221 }
222
223 out:
224 _idmapdstate.gcs = new_gcs;
225 _idmapdstate.num_gcs = new_num_gcs;
226
227 if (old_gcs != NULL) {
228 for (i = 0; i < old_num_gcs; i++)
229 adutils_ad_free(&old_gcs[i]);
230 free(old_gcs);
231 }
232 }
233
234 /*
235 * NEEDSWORK: This should load entries for domain servers for all known
236 * domains - the joined domain, other domains in the forest, and trusted
237 * domains in other forests. However, we don't yet discover any DCs other
238 * than the DCs for the joined domain.
239 */
240 static
241 void
reload_dcs(void)242 reload_dcs(void)
243 {
244 int i;
245 adutils_ad_t **new_dcs;
246 adutils_ad_t **old_dcs = _idmapdstate.dcs;
247 int new_num_dcs;
248 int old_num_dcs = _idmapdstate.num_dcs;
249 idmap_pg_config_t *pgcfg = &_idmapdstate.cfg->pgcfg;
250
251 if (pgcfg->domain_name == NULL) {
252 /* No domain name specified - workgroup mode. */
253 new_dcs = NULL;
254 new_num_dcs = 0;
255 goto out;
256 }
257
258 if (pgcfg->domain_controller == NULL ||
259 pgcfg->domain_controller[0].host[0] == '\0') {
260 /*
261 * No DCs. Continue to use the previous AD config in case
262 * that's still good but auto-discovery had a transient failure.
263 * If that stops working we'll go into degraded mode anyways
264 * when it does.
265 */
266 degrade_svc(0,
267 "Domain controller servers not configured/discoverable");
268 return;
269 }
270
271 new_num_dcs = 1;
272 new_dcs = calloc(new_num_dcs, sizeof (adutils_ad_t *));
273 if (new_dcs == NULL)
274 goto nomem;
275
276 if (adutils_ad_alloc(&new_dcs[0], pgcfg->domain_name,
277 ADUTILS_AD_DATA) != ADUTILS_SUCCESS)
278 goto nomem;
279
280 for (i = 0; pgcfg->domain_controller[i].host[0] != '\0'; i++) {
281 if (idmap_add_ds(new_dcs[0],
282 pgcfg->domain_controller[i].host,
283 pgcfg->domain_controller[i].port) != 0)
284 goto nomem;
285 }
286
287 /*
288 * NEEDSWORK: All we need here is to add the domain and SID for
289 * this DC to the list of domains supported by this entry. Isn't
290 * there an easier way to find the SID than to walk through the list
291 * of all of the domains in the forest?
292 */
293 ad_disc_domainsinforest_t *dif = pgcfg->domains_in_forest;
294 if (dif != NULL) {
295 for (; dif->domain[0] != '\0'; dif++) {
296 if (domain_eq(pgcfg->domain_name, dif->domain)) {
297 if (adutils_add_domain(new_dcs[0],
298 dif->domain, dif->sid) != 0)
299 goto nomem;
300 break;
301 }
302 }
303 }
304
305 out:
306 _idmapdstate.dcs = new_dcs;
307 _idmapdstate.num_dcs = new_num_dcs;
308
309 if (old_dcs != NULL) {
310 for (i = 0; i < old_num_dcs; i++)
311 adutils_ad_free(&old_dcs[i]);
312 free(old_dcs);
313 }
314
315 return;
316
317 nomem:
318 degrade_svc(0, "out of memory");
319
320 if (new_dcs != NULL) {
321 if (new_dcs[0] != NULL)
322 adutils_ad_free(&new_dcs[0]);
323 free(new_dcs);
324 }
325 }
326
327
328 void
reload_ad(void)329 reload_ad(void)
330 {
331 reload_gcs();
332 reload_dcs();
333 }
334
335 void
print_idmapdstate(void)336 print_idmapdstate(void)
337 {
338 int i, j;
339 idmap_pg_config_t *pgcfg;
340 idmap_trustedforest_t *tf;
341
342 RDLOCK_CONFIG();
343
344 if (_idmapdstate.cfg == NULL) {
345 idmapdlog(LOG_INFO, "Null configuration");
346 UNLOCK_CONFIG();
347 return;
348 }
349
350 pgcfg = &_idmapdstate.cfg->pgcfg;
351
352 idmapdlog(LOG_DEBUG, "list_size_limit=%llu", pgcfg->list_size_limit);
353 idmapdlog(LOG_DEBUG, "default_domain=%s",
354 CHECK_NULL(pgcfg->default_domain));
355 idmapdlog(LOG_DEBUG, "domain_name=%s", CHECK_NULL(pgcfg->domain_name));
356 idmapdlog(LOG_DEBUG, "machine_sid=%s", CHECK_NULL(pgcfg->machine_sid));
357 if (pgcfg->domain_controller == NULL ||
358 pgcfg->domain_controller[0].host[0] == '\0') {
359 idmapdlog(LOG_DEBUG, "No domain controllers known");
360 } else {
361 for (i = 0; pgcfg->domain_controller[i].host[0] != '\0'; i++)
362 idmapdlog(LOG_DEBUG, "domain_controller=%s port=%d",
363 pgcfg->domain_controller[i].host,
364 pgcfg->domain_controller[i].port);
365 }
366 idmapdlog(LOG_DEBUG, "forest_name=%s", CHECK_NULL(pgcfg->forest_name));
367 idmapdlog(LOG_DEBUG, "site_name=%s", CHECK_NULL(pgcfg->site_name));
368 if (pgcfg->global_catalog == NULL ||
369 pgcfg->global_catalog[0].host[0] == '\0') {
370 idmapdlog(LOG_DEBUG, "No global catalog servers known");
371 } else {
372 for (i = 0; pgcfg->global_catalog[i].host[0] != '\0'; i++)
373 idmapdlog(LOG_DEBUG, "global_catalog=%s port=%d",
374 pgcfg->global_catalog[i].host,
375 pgcfg->global_catalog[i].port);
376 }
377 if (pgcfg->domains_in_forest == NULL ||
378 pgcfg->domains_in_forest[0].domain[0] == '\0') {
379 idmapdlog(LOG_DEBUG, "No domains in forest %s known",
380 CHECK_NULL(pgcfg->forest_name));
381 } else {
382 for (i = 0; pgcfg->domains_in_forest[i].domain[0] != '\0'; i++)
383 idmapdlog(LOG_DEBUG, "domains in forest %s = %s",
384 CHECK_NULL(pgcfg->forest_name),
385 pgcfg->domains_in_forest[i].domain);
386 }
387 if (pgcfg->trusted_domains == NULL ||
388 pgcfg->trusted_domains[0].domain[0] == '\0') {
389 idmapdlog(LOG_DEBUG, "No trusted domains known");
390 } else {
391 for (i = 0; pgcfg->trusted_domains[i].domain[0] != '\0'; i++)
392 idmapdlog(LOG_DEBUG, "trusted domain = %s",
393 pgcfg->trusted_domains[i].domain);
394 }
395
396 for (i = 0; i < pgcfg->num_trusted_forests; i++) {
397 tf = &pgcfg->trusted_forests[i];
398 for (j = 0; tf->global_catalog[j].host[0] != '\0'; j++)
399 idmapdlog(LOG_DEBUG,
400 "trusted forest %s global_catalog=%s port=%d",
401 tf->forest_name,
402 tf->global_catalog[j].host,
403 tf->global_catalog[j].port);
404 for (j = 0; tf->domains_in_forest[j].domain[0] != '\0'; j++) {
405 if (tf->domains_in_forest[j].trusted) {
406 idmapdlog(LOG_DEBUG,
407 "trusted forest %s domain=%s",
408 tf->forest_name,
409 tf->domains_in_forest[j].domain);
410 }
411 }
412 }
413
414 idmapdlog(LOG_DEBUG, "directory_based_mapping=%s",
415 enum_lookup(pgcfg->directory_based_mapping, directory_mapping_map));
416 idmapdlog(LOG_DEBUG, "ad_unixuser_attr=%s",
417 CHECK_NULL(pgcfg->ad_unixuser_attr));
418 idmapdlog(LOG_DEBUG, "ad_unixgroup_attr=%s",
419 CHECK_NULL(pgcfg->ad_unixgroup_attr));
420 idmapdlog(LOG_DEBUG, "nldap_winname_attr=%s",
421 CHECK_NULL(pgcfg->nldap_winname_attr));
422
423 UNLOCK_CONFIG();
424 }
425
426 int
create_directory(const char * path,uid_t uid,gid_t gid)427 create_directory(const char *path, uid_t uid, gid_t gid)
428 {
429 int rc;
430
431 if ((rc = mkdir(path, 0700)) < 0 && errno != EEXIST) {
432 idmapdlog(LOG_ERR, "Error creating directory %s (%s)",
433 path, strerror(errno));
434 return (-1);
435 }
436
437 if (lchown(path, uid, gid) < 0) {
438 idmapdlog(LOG_ERR, "Error creating directory %s (%s)",
439 path, strerror(errno));
440 if (rc == 0)
441 (void) rmdir(path);
442 return (-1);
443 }
444 return (0);
445 }
446