1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
24 */
25
26
27 /*
28 * Config routines common to idmap(1M) and idmapd(1M)
29 */
30
31 #include <stdlib.h>
32 #include <strings.h>
33 #include <libintl.h>
34 #include <ctype.h>
35 #include <errno.h>
36 #include <stdio.h>
37 #include <stdarg.h>
38 #include <uuid/uuid.h>
39 #include <pthread.h>
40 #include <port.h>
41 #include <sys/socket.h>
42 #include <net/route.h>
43 #include <sys/u8_textprep.h>
44 #include <netinet/in.h>
45 #include <arpa/inet.h>
46 #include <netdb.h>
47 #include <note.h>
48 #include "idmapd.h"
49 #include "addisc.h"
50
51 #define MACHINE_SID_LEN (9 + 3 * 11)
52 #define FMRI_BASE "svc:/system/idmap"
53 #define CONFIG_PG "config"
54 #define DEBUG_PG "debug"
55 #define RECONFIGURE 1
56 #define POKE_AUTO_DISCOVERY 2
57 #define KICK_AUTO_DISCOVERY 3
58
59 /*
60 * Default cache timeouts. Can override via svccfg
61 * config/id_cache_timeout = count: seconds
62 * config/name_cache_timeout = count: seconds
63 */
64 #define ID_CACHE_TMO_DEFAULT 86400
65 #define NAME_CACHE_TMO_DEFAULT 604800
66
67 /*
68 * Default maximum time between rediscovery runs.
69 * config/rediscovery_interval = count: seconds
70 */
71 #define REDISCOVERY_INTERVAL_DEFAULT 3600
72
73 /*
74 * Mininum time between rediscovery runs, in case adutils gives us a
75 * really short TTL (which it never should, but be defensive)
76 * (not configurable) seconds.
77 */
78 #define MIN_REDISCOVERY_INTERVAL 60
79
80 enum event_type {
81 EVENT_NOTHING, /* Woke up for no good reason */
82 EVENT_TIMEOUT, /* Timeout expired */
83 EVENT_ROUTING, /* An interesting routing event happened */
84 EVENT_POKED, /* Requested from degrade_svc() */
85 EVENT_KICKED, /* Force rediscovery, i.e. DC failed. */
86 EVENT_REFRESH, /* SMF refresh */
87 };
88
89
90 static void idmapd_set_krb5_realm(char *);
91
92 static pthread_t update_thread_handle = 0;
93
94 static int idmapd_ev_port = -1;
95 static int rt_sock = -1;
96
97 struct enum_lookup_map directory_mapping_map[] = {
98 { DIRECTORY_MAPPING_NONE, "none" },
99 { DIRECTORY_MAPPING_NAME, "name" },
100 { DIRECTORY_MAPPING_IDMU, "idmu" },
101 { 0, NULL },
102 };
103
104 struct enum_lookup_map trust_dir_map[] = {
105 { 1, "they trust us" },
106 { 2, "we trust them" },
107 { 3, "we trust each other" },
108 { 0, NULL },
109 };
110
111 static int
generate_machine_uuid(char ** machine_uuid)112 generate_machine_uuid(char **machine_uuid)
113 {
114 uuid_t uu;
115
116 *machine_uuid = calloc(1, UUID_PRINTABLE_STRING_LENGTH + 1);
117 if (*machine_uuid == NULL) {
118 idmapdlog(LOG_ERR, "Out of memory");
119 return (-1);
120 }
121
122 uuid_clear(uu);
123 uuid_generate_time(uu);
124 uuid_unparse(uu, *machine_uuid);
125
126 return (0);
127 }
128
129 static int
generate_machine_sid(char ** machine_sid,char * machine_uuid)130 generate_machine_sid(char **machine_sid, char *machine_uuid)
131 {
132 union {
133 uuid_t uu;
134 uint32_t v[4];
135 } uv;
136 int len;
137
138 /*
139 * Split the 128-bit machine UUID into three 32-bit values
140 * we'll use as the "sub-authorities" of the machine SID.
141 * The machine_sid will have the form S-1-5-21-J-K-L
142 * (that's four sub-authorities altogether) where:
143 * J = last 4 bytes of node_addr,
144 * K = time_mid, time_hi_and_version
145 * L = time_low
146 * (see struct uuid)
147 */
148
149 (void) memset(&uv, 0, sizeof (uv));
150 (void) uuid_parse(machine_uuid, uv.uu);
151
152 len = asprintf(machine_sid, "S-1-5-21-%u-%u-%u",
153 uv.v[3], uv.v[0], uv.v[1]);
154
155 if (len == -1 || *machine_sid == NULL) {
156 idmapdlog(LOG_ERR, "Out of memory");
157 return (-1);
158 }
159
160 return (0);
161 }
162
163
164 /* In the case of error, exists is set to FALSE anyway */
165 static int
prop_exists(idmap_cfg_handles_t * handles,const char * name,boolean_t * exists)166 prop_exists(idmap_cfg_handles_t *handles, const char *name, boolean_t *exists)
167 {
168
169 scf_property_t *scf_prop;
170
171 *exists = B_FALSE;
172
173 scf_prop = scf_property_create(handles->main);
174 if (scf_prop == NULL) {
175 idmapdlog(LOG_ERR, "scf_property_create() failed: %s",
176 scf_strerror(scf_error()));
177 return (-1);
178 }
179
180 if (scf_pg_get_property(handles->config_pg, name, scf_prop) == 0)
181 *exists = B_TRUE;
182
183 scf_property_destroy(scf_prop);
184
185 return (0);
186 }
187
188 static int
get_debug(idmap_cfg_handles_t * handles,const char * name)189 get_debug(idmap_cfg_handles_t *handles, const char *name)
190 {
191 int64_t i64 = 0;
192
193 scf_property_t *scf_prop;
194 scf_value_t *value;
195
196 scf_prop = scf_property_create(handles->main);
197 if (scf_prop == NULL) {
198 idmapdlog(LOG_ERR, "scf_property_create() failed: %s",
199 scf_strerror(scf_error()));
200 abort();
201 }
202 value = scf_value_create(handles->main);
203 if (value == NULL) {
204 idmapdlog(LOG_ERR, "scf_value_create() failed: %s",
205 scf_strerror(scf_error()));
206 abort();
207 }
208
209 if (scf_pg_get_property(handles->debug_pg, name, scf_prop) < 0) {
210 /* this is OK: the property is just undefined */
211 goto destruction;
212 }
213
214
215 if (scf_property_get_value(scf_prop, value) < 0) {
216 /* It is still OK when a property doesn't have any value */
217 goto destruction;
218 }
219
220 if (scf_value_get_integer(value, &i64) != 0) {
221 idmapdlog(LOG_ERR, "Can not retrieve %s/%s: %s",
222 DEBUG_PG, name, scf_strerror(scf_error()));
223 abort();
224 }
225
226 destruction:
227 scf_value_destroy(value);
228 scf_property_destroy(scf_prop);
229
230 return ((int)i64);
231 }
232
233 static int
get_val_bool(idmap_cfg_handles_t * handles,const char * name,boolean_t * val,boolean_t default_val)234 get_val_bool(idmap_cfg_handles_t *handles, const char *name,
235 boolean_t *val, boolean_t default_val)
236 {
237 int rc = 0;
238
239 scf_property_t *scf_prop;
240 scf_value_t *value;
241
242 *val = default_val;
243
244 scf_prop = scf_property_create(handles->main);
245 if (scf_prop == NULL) {
246 idmapdlog(LOG_ERR, "scf_property_create() failed: %s",
247 scf_strerror(scf_error()));
248 return (-1);
249 }
250 value = scf_value_create(handles->main);
251 if (value == NULL) {
252 idmapdlog(LOG_ERR, "scf_value_create() failed: %s",
253 scf_strerror(scf_error()));
254 scf_property_destroy(scf_prop);
255 return (-1);
256 }
257
258 /* It is OK if the property is undefined */
259 if (scf_pg_get_property(handles->config_pg, name, scf_prop) < 0)
260 goto destruction;
261
262
263 /* It is still OK when a property doesn't have any value */
264 if (scf_property_get_value(scf_prop, value) < 0)
265 goto destruction;
266
267 uint8_t b;
268 rc = scf_value_get_boolean(value, &b);
269
270 if (rc == 0)
271 *val = (boolean_t)b;
272
273 destruction:
274 scf_value_destroy(value);
275 scf_property_destroy(scf_prop);
276
277 return (rc);
278 }
279
280 static int
get_val_int(idmap_cfg_handles_t * handles,const char * name,void * val,scf_type_t type)281 get_val_int(idmap_cfg_handles_t *handles, const char *name,
282 void *val, scf_type_t type)
283 {
284 int rc = 0;
285
286 scf_property_t *scf_prop;
287 scf_value_t *value;
288
289 switch (type) {
290 case SCF_TYPE_COUNT:
291 *(uint64_t *)val = 0;
292 break;
293 case SCF_TYPE_INTEGER:
294 *(int64_t *)val = 0;
295 break;
296 default:
297 idmapdlog(LOG_ERR, "Invalid scf integer type (%d)",
298 type);
299 abort();
300 }
301
302 scf_prop = scf_property_create(handles->main);
303 if (scf_prop == NULL) {
304 idmapdlog(LOG_ERR, "scf_property_create() failed: %s",
305 scf_strerror(scf_error()));
306 return (-1);
307 }
308 value = scf_value_create(handles->main);
309 if (value == NULL) {
310 idmapdlog(LOG_ERR, "scf_value_create() failed: %s",
311 scf_strerror(scf_error()));
312 scf_property_destroy(scf_prop);
313 return (-1);
314 }
315
316 if (scf_pg_get_property(handles->config_pg, name, scf_prop) < 0)
317 /* this is OK: the property is just undefined */
318 goto destruction;
319
320
321 if (scf_property_get_value(scf_prop, value) < 0)
322 /* It is still OK when a property doesn't have any value */
323 goto destruction;
324
325 switch (type) {
326 case SCF_TYPE_COUNT:
327 rc = scf_value_get_count(value, val);
328 break;
329 case SCF_TYPE_INTEGER:
330 rc = scf_value_get_integer(value, val);
331 break;
332 default:
333 abort(); /* tested above */
334 /* NOTREACHED */
335 }
336
337 if (rc != 0) {
338 idmapdlog(LOG_ERR, "Can not retrieve config/%s: %s",
339 name, scf_strerror(scf_error()));
340 }
341
342 destruction:
343 scf_value_destroy(value);
344 scf_property_destroy(scf_prop);
345
346 return (rc);
347 }
348
349 static char *
scf_value2string(const char * name,scf_value_t * value)350 scf_value2string(const char *name, scf_value_t *value)
351 {
352 static size_t max_val = 0;
353
354 if (max_val == 0)
355 max_val = scf_limit(SCF_LIMIT_MAX_VALUE_LENGTH);
356
357 char buf[max_val + 1];
358 if (scf_value_get_astring(value, buf, max_val + 1) < 0) {
359 idmapdlog(LOG_ERR, "Can not retrieve config/%s: %s",
360 name, scf_strerror(scf_error()));
361 return (NULL);
362 }
363
364 char *s = strdup(buf);
365 if (s == NULL)
366 idmapdlog(LOG_ERR, "Out of memory");
367
368 return (s);
369 }
370
371 static int
get_val_ds(idmap_cfg_handles_t * handles,const char * name,int defport,ad_disc_ds_t ** val)372 get_val_ds(idmap_cfg_handles_t *handles, const char *name, int defport,
373 ad_disc_ds_t **val)
374 {
375 char port_str[8];
376 struct addrinfo hints;
377 struct addrinfo *ai;
378 ad_disc_ds_t *servers = NULL;
379 scf_property_t *scf_prop;
380 scf_value_t *value;
381 scf_iter_t *iter;
382 char *host, *portstr;
383 int err, len, i;
384 int count = 0;
385 int rc = -1;
386
387 *val = NULL;
388
389 restart:
390 scf_prop = scf_property_create(handles->main);
391 if (scf_prop == NULL) {
392 idmapdlog(LOG_ERR, "scf_property_create() failed: %s",
393 scf_strerror(scf_error()));
394 return (-1);
395 }
396
397 value = scf_value_create(handles->main);
398 if (value == NULL) {
399 idmapdlog(LOG_ERR, "scf_value_create() failed: %s",
400 scf_strerror(scf_error()));
401 scf_property_destroy(scf_prop);
402 return (-1);
403 }
404
405 iter = scf_iter_create(handles->main);
406 if (iter == NULL) {
407 idmapdlog(LOG_ERR, "scf_iter_create() failed: %s",
408 scf_strerror(scf_error()));
409 scf_value_destroy(value);
410 scf_property_destroy(scf_prop);
411 return (-1);
412 }
413
414 if (scf_pg_get_property(handles->config_pg, name, scf_prop) < 0) {
415 /* this is OK: the property is just undefined */
416 rc = 0;
417 goto destruction;
418 }
419
420 if (scf_iter_property_values(iter, scf_prop) < 0) {
421 idmapdlog(LOG_ERR,
422 "scf_iter_property_values(%s) failed: %s",
423 name, scf_strerror(scf_error()));
424 goto destruction;
425 }
426
427 /* Workaround scf bugs -- can't reset an iteration */
428 if (count == 0) {
429 while (scf_iter_next_value(iter, value) > 0)
430 count++;
431
432 if (count == 0) {
433 /* no values */
434 rc = 0;
435 goto destruction;
436 }
437
438 scf_value_destroy(value);
439 scf_iter_destroy(iter);
440 scf_property_destroy(scf_prop);
441 goto restart;
442 }
443
444 if ((servers = calloc(count + 1, sizeof (*servers))) == NULL) {
445 idmapdlog(LOG_ERR, "Out of memory");
446 goto destruction;
447 }
448
449 (void) memset(&hints, 0, sizeof (hints));
450 hints.ai_protocol = IPPROTO_TCP;
451 hints.ai_socktype = SOCK_STREAM;
452 host = NULL;
453
454 i = 0;
455 while (i < count && scf_iter_next_value(iter, value) > 0) {
456 if (host) {
457 free(host);
458 host = NULL;
459 }
460 servers[i].priority = 0;
461 servers[i].weight = 100;
462 servers[i].port = defport;
463 if ((host = scf_value2string(name, value)) == NULL)
464 continue;
465 if ((portstr = strchr(host, ':')) != NULL) {
466 *portstr++ = '\0';
467 servers[i].port = strtol(portstr,
468 (char **)NULL, 10);
469 if (servers[i].port == 0)
470 servers[i].port = defport;
471 }
472
473 /*
474 * Ignore this server if the hostname is too long
475 * or empty (continue without i++)
476 */
477 len = strlen(host);
478 if (len == 0) {
479 if (DBG(CONFIG, 1)) {
480 idmapdlog(LOG_INFO, "%s host=\"\"", name);
481 }
482 continue;
483 }
484 if (len >= sizeof (servers->host)) {
485 idmapdlog(LOG_ERR, "Host name too long: %s", host);
486 idmapdlog(LOG_ERR, "ignoring %s value", name);
487 continue;
488 }
489
490 /*
491 * Get the host address too. If we can't, then
492 * log an error and skip this host.
493 */
494 (void) snprintf(port_str, sizeof (port_str),
495 "%d", servers[i].port);
496 ai = NULL;
497 err = getaddrinfo(host, port_str, &hints, &ai);
498 if (err != 0) {
499 idmapdlog(LOG_ERR, "No address for host: %s (%s)",
500 host, gai_strerror(err));
501 idmapdlog(LOG_ERR, "ignoring %s value", name);
502 continue;
503 }
504
505 (void) strlcpy(servers[i].host, host,
506 sizeof (servers->host));
507 (void) memcpy(&servers[i].addr, ai->ai_addr, ai->ai_addrlen);
508 freeaddrinfo(ai);
509
510 /* Added a DS to the array. */
511 i++;
512 }
513 free(host);
514
515 if (i == 0) {
516 if (DBG(CONFIG, 1)) {
517 idmapdlog(LOG_INFO, "%s is empty", name);
518 }
519 free(servers);
520 servers = NULL;
521 }
522 *val = servers;
523
524 rc = 0;
525
526 destruction:
527 scf_value_destroy(value);
528 scf_iter_destroy(iter);
529 scf_property_destroy(scf_prop);
530
531 if (rc < 0) {
532 if (servers)
533 free(servers);
534 *val = NULL;
535 }
536
537 return (rc);
538 }
539
540 static int
get_val_astring(idmap_cfg_handles_t * handles,const char * name,char ** val)541 get_val_astring(idmap_cfg_handles_t *handles, const char *name, char **val)
542 {
543 int rc = 0;
544
545 scf_property_t *scf_prop;
546 scf_value_t *value;
547
548 scf_prop = scf_property_create(handles->main);
549 if (scf_prop == NULL) {
550 idmapdlog(LOG_ERR, "scf_property_create() failed: %s",
551 scf_strerror(scf_error()));
552 return (-1);
553 }
554 value = scf_value_create(handles->main);
555 if (value == NULL) {
556 idmapdlog(LOG_ERR, "scf_value_create() failed: %s",
557 scf_strerror(scf_error()));
558 scf_property_destroy(scf_prop);
559 return (-1);
560 }
561
562 *val = NULL;
563
564 if (scf_pg_get_property(handles->config_pg, name, scf_prop) < 0)
565 /* this is OK: the property is just undefined */
566 goto destruction;
567
568 if (scf_property_get_value(scf_prop, value) < 0) {
569 idmapdlog(LOG_ERR,
570 "scf_property_get_value(%s) failed: %s",
571 name, scf_strerror(scf_error()));
572 rc = -1;
573 goto destruction;
574 }
575
576 *val = scf_value2string(name, value);
577 if (*val == NULL)
578 rc = -1;
579
580 destruction:
581 scf_value_destroy(value);
582 scf_property_destroy(scf_prop);
583
584 if (rc < 0) {
585 if (*val)
586 free(*val);
587 *val = NULL;
588 }
589
590 return (rc);
591 }
592
593
594 static int
del_val(idmap_cfg_handles_t * handles,scf_propertygroup_t * pg,const char * name)595 del_val(
596 idmap_cfg_handles_t *handles,
597 scf_propertygroup_t *pg,
598 const char *name)
599 {
600 int rc = -1;
601 int ret;
602 scf_transaction_t *tx = NULL;
603 scf_transaction_entry_t *ent = NULL;
604
605 if ((tx = scf_transaction_create(handles->main)) == NULL) {
606 idmapdlog(LOG_ERR,
607 "scf_transaction_create() failed: %s",
608 scf_strerror(scf_error()));
609 goto destruction;
610 }
611 if ((ent = scf_entry_create(handles->main)) == NULL) {
612 idmapdlog(LOG_ERR,
613 "scf_entry_create() failed: %s",
614 scf_strerror(scf_error()));
615 goto destruction;
616 }
617
618 do {
619 if (scf_pg_update(pg) == -1) {
620 idmapdlog(LOG_ERR,
621 "scf_pg_update(%s) failed: %s",
622 name, scf_strerror(scf_error()));
623 goto destruction;
624 }
625 if (scf_transaction_start(tx, pg) != 0) {
626 idmapdlog(LOG_ERR,
627 "scf_transaction_start(%s) failed: %s",
628 name, scf_strerror(scf_error()));
629 goto destruction;
630 }
631
632 if (scf_transaction_property_delete(tx, ent, name) != 0) {
633 /* Don't complain if it already doesn't exist. */
634 if (scf_error() != SCF_ERROR_NOT_FOUND) {
635 idmapdlog(LOG_ERR,
636 "scf_transaction_property_delete() failed:"
637 " %s",
638 scf_strerror(scf_error()));
639 }
640 goto destruction;
641 }
642
643 ret = scf_transaction_commit(tx);
644
645 if (ret == 0)
646 scf_transaction_reset(tx);
647 } while (ret == 0);
648
649 if (ret == -1) {
650 idmapdlog(LOG_ERR,
651 "scf_transaction_commit(%s) failed: %s",
652 name, scf_strerror(scf_error()));
653 goto destruction;
654 }
655
656 rc = 0;
657
658 destruction:
659 if (ent != NULL)
660 scf_entry_destroy(ent);
661 if (tx != NULL)
662 scf_transaction_destroy(tx);
663 return (rc);
664 }
665
666
667 static int
set_val(idmap_cfg_handles_t * handles,scf_propertygroup_t * pg,const char * name,scf_value_t * value)668 set_val(
669 idmap_cfg_handles_t *handles,
670 scf_propertygroup_t *pg,
671 const char *name,
672 scf_value_t *value)
673 {
674 int rc = -1;
675 int i;
676 scf_property_t *prop = NULL;
677 scf_transaction_t *tx = NULL;
678 scf_transaction_entry_t *ent = NULL;
679
680 if ((prop = scf_property_create(handles->main)) == NULL ||
681 (tx = scf_transaction_create(handles->main)) == NULL ||
682 (ent = scf_entry_create(handles->main)) == NULL) {
683 idmapdlog(LOG_ERR, "Unable to set property %s",
684 name, scf_strerror(scf_error()));
685 goto destruction;
686 }
687
688 for (i = 0; i < MAX_TRIES; i++) {
689 int ret;
690
691 if (scf_pg_update(pg) == -1) {
692 idmapdlog(LOG_ERR,
693 "scf_pg_update() failed: %s",
694 scf_strerror(scf_error()));
695 goto destruction;
696 }
697
698 if (scf_transaction_start(tx, pg) == -1) {
699 idmapdlog(LOG_ERR,
700 "scf_transaction_start(%s) failed: %s",
701 name, scf_strerror(scf_error()));
702 goto destruction;
703 }
704
705 ret = scf_pg_get_property(pg, name, prop);
706 if (ret == SCF_SUCCESS) {
707 if (scf_transaction_property_change_type(tx, ent, name,
708 scf_value_type(value)) < 0) {
709 idmapdlog(LOG_ERR,
710 "scf_transaction_property_change_type(%s)"
711 " failed: %s",
712 name, scf_strerror(scf_error()));
713 goto destruction;
714 }
715 } else if (scf_error() == SCF_ERROR_NOT_FOUND) {
716 if (scf_transaction_property_new(tx, ent, name,
717 scf_value_type(value)) < 0) {
718 idmapdlog(LOG_ERR,
719 "scf_transaction_property_new() failed: %s",
720 scf_strerror(scf_error()));
721 goto destruction;
722 }
723 } else {
724 idmapdlog(LOG_ERR,
725 "scf_pg_get_property(%s) failed: %s",
726 name, scf_strerror(scf_error()));
727 goto destruction;
728 }
729
730 if (scf_entry_add_value(ent, value) == -1) {
731 idmapdlog(LOG_ERR,
732 "scf_entry_add_value() failed: %s",
733 scf_strerror(scf_error()));
734 goto destruction;
735 }
736
737 ret = scf_transaction_commit(tx);
738 if (ret == 0) {
739 /*
740 * Property group set in scf_transaction_start()
741 * is not the most recent. Update pg, reset tx and
742 * retry tx.
743 */
744 idmapdlog(LOG_WARNING,
745 "scf_transaction_commit(%s) failed: %s",
746 name, scf_strerror(scf_error()));
747 scf_transaction_reset(tx);
748 continue;
749 }
750 if (ret != 1) {
751 idmapdlog(LOG_ERR,
752 "scf_transaction_commit(%s) failed: %s",
753 name, scf_strerror(scf_error()));
754 goto destruction;
755 }
756 /* Success! */
757 rc = 0;
758 break;
759 }
760
761 destruction:
762 scf_entry_destroy(ent);
763 scf_transaction_destroy(tx);
764 scf_property_destroy(prop);
765 return (rc);
766 }
767
768 static int
set_val_integer(idmap_cfg_handles_t * handles,scf_propertygroup_t * pg,const char * name,int64_t val)769 set_val_integer(
770 idmap_cfg_handles_t *handles,
771 scf_propertygroup_t *pg,
772 const char *name,
773 int64_t val)
774 {
775 scf_value_t *value = NULL;
776 int rc;
777
778 if ((value = scf_value_create(handles->main)) == NULL) {
779 idmapdlog(LOG_ERR, "Unable to set property %s",
780 name, scf_strerror(scf_error()));
781 return (-1);
782 }
783
784 scf_value_set_integer(value, val);
785
786 rc = set_val(handles, pg, name, value);
787
788 scf_value_destroy(value);
789
790 return (rc);
791 }
792
793
794 static int
set_val_astring(idmap_cfg_handles_t * handles,scf_propertygroup_t * pg,const char * name,const char * val)795 set_val_astring(
796 idmap_cfg_handles_t *handles,
797 scf_propertygroup_t *pg,
798 const char *name,
799 const char *val)
800 {
801 scf_value_t *value = NULL;
802 int rc = -1;
803
804 if ((value = scf_value_create(handles->main)) == NULL) {
805 idmapdlog(LOG_ERR, "Unable to set property %s",
806 name, scf_strerror(scf_error()));
807 goto out;
808 }
809
810 if (scf_value_set_astring(value, val) == -1) {
811 idmapdlog(LOG_ERR,
812 "scf_value_set_astring() failed: %s",
813 scf_strerror(scf_error()));
814 goto out;
815 }
816
817 rc = set_val(handles, pg, name, value);
818
819 out:
820 scf_value_destroy(value);
821 return (rc);
822 }
823
824
825
826 /*
827 * This function updates a boolean value.
828 * If nothing has changed it returns 0 else 1
829 */
830 static int
update_bool(boolean_t * value,boolean_t * new,char * name)831 update_bool(boolean_t *value, boolean_t *new, char *name)
832 {
833 if (*value == *new)
834 return (0);
835
836 if (DBG(CONFIG, 1)) {
837 idmapdlog(LOG_INFO, "change %s=%s", name,
838 *new ? "true" : "false");
839 }
840
841 *value = *new;
842 return (1);
843 }
844
845 /*
846 * This function updates a uint64_t value.
847 * If nothing has changed it returns 0 else 1
848 */
849 static int
update_uint64(uint64_t * value,uint64_t * new,char * name)850 update_uint64(uint64_t *value, uint64_t *new, char *name)
851 {
852 if (*value == *new)
853 return (0);
854
855 if (DBG(CONFIG, 1))
856 idmapdlog(LOG_INFO, "change %s=%llu", name, *new);
857
858 *value = *new;
859 return (1);
860 }
861
862 /*
863 * This function updates a string value.
864 * If nothing has changed it returns 0 else 1
865 */
866 static int
update_string(char ** value,char ** new,char * name)867 update_string(char **value, char **new, char *name)
868 {
869 int changed;
870
871 if (*new == NULL && *value != NULL)
872 changed = 1;
873 else if (*new != NULL && *value == NULL)
874 changed = 1;
875 else if (*new != NULL && *value != NULL && strcmp(*new, *value) != 0)
876 changed = 1;
877 else
878 changed = 0;
879
880 /*
881 * Note that even if unchanged we can't just return; we must free one
882 * of the values.
883 */
884
885 if (DBG(CONFIG, 1) && changed)
886 idmapdlog(LOG_INFO, "change %s=%s", name, CHECK_NULL(*new));
887
888 free(*value);
889 *value = *new;
890 *new = NULL;
891 return (changed);
892 }
893
894 static int
update_enum(int * value,int * new,char * name,struct enum_lookup_map * map)895 update_enum(int *value, int *new, char *name, struct enum_lookup_map *map)
896 {
897 if (*value == *new)
898 return (0);
899
900 if (DBG(CONFIG, 1)) {
901 idmapdlog(LOG_INFO, "change %s=%s", name,
902 enum_lookup(*new, map));
903 }
904
905 *value = *new;
906
907 return (1);
908 }
909
910 /*
911 * This function updates a directory service structure.
912 * If nothing has changed it returns 0 else 1
913 */
914 static int
update_dirs(ad_disc_ds_t ** value,ad_disc_ds_t ** new,char * name)915 update_dirs(ad_disc_ds_t **value, ad_disc_ds_t **new, char *name)
916 {
917
918 if (*value == *new)
919 /* Nothing to do */
920 return (0);
921
922 if (*value != NULL && *new != NULL &&
923 ad_disc_compare_ds(*value, *new) == 0) {
924 free(*new);
925 *new = NULL;
926 return (0);
927 }
928
929 if (*value != NULL)
930 free(*value);
931
932 *value = *new;
933 *new = NULL;
934
935 if (*value == NULL) {
936 /* We're unsetting this DS property */
937 if (DBG(CONFIG, 1))
938 idmapdlog(LOG_INFO, "change %s=<none>", name);
939 return (1);
940 }
941
942 if (DBG(CONFIG, 1)) {
943 /* List all the new DSs */
944 char buf[64];
945 ad_disc_ds_t *ds;
946 for (ds = *value; ds->host[0] != '\0'; ds++) {
947 if (ad_disc_getnameinfo(buf, sizeof (buf), &ds->addr))
948 (void) strlcpy(buf, "?", sizeof (buf));
949 idmapdlog(LOG_INFO, "change %s=%s addr=%s port=%d",
950 name, ds->host, buf, ds->port);
951 }
952 }
953 return (1);
954 }
955
956 /*
957 * This function updates a trusted domains structure.
958 * If nothing has changed it returns 0 else 1
959 */
960 static int
update_trusted_domains(ad_disc_trusteddomains_t ** value,ad_disc_trusteddomains_t ** new,char * name)961 update_trusted_domains(ad_disc_trusteddomains_t **value,
962 ad_disc_trusteddomains_t **new, char *name)
963 {
964 int i;
965
966 if (*value == *new)
967 /* Nothing to do */
968 return (0);
969
970 if (*value != NULL && *new != NULL &&
971 ad_disc_compare_trusteddomains(*value, *new) == 0) {
972 free(*new);
973 *new = NULL;
974 return (0);
975 }
976
977 if (*value != NULL)
978 free(*value);
979
980 *value = *new;
981 *new = NULL;
982
983 if (*value == NULL) {
984 /* We're unsetting this DS property */
985 if (DBG(CONFIG, 1))
986 idmapdlog(LOG_INFO, "change %s=<none>", name);
987 return (1);
988 }
989
990 if (DBG(CONFIG, 1)) {
991 /* List all the new domains */
992 for (i = 0; (*value)[i].domain[0] != '\0'; i++) {
993 idmapdlog(LOG_INFO, "change %s=%s direction=%s", name,
994 (*value)[i].domain,
995 enum_lookup((*value)[i].direction, trust_dir_map));
996 }
997 }
998 return (1);
999 }
1000
1001
1002 /*
1003 * This function updates a domains in a forest structure.
1004 * If nothing has changed it returns 0 else 1
1005 */
1006 static int
update_domains_in_forest(ad_disc_domainsinforest_t ** value,ad_disc_domainsinforest_t ** new,char * name)1007 update_domains_in_forest(ad_disc_domainsinforest_t **value,
1008 ad_disc_domainsinforest_t **new, char *name)
1009 {
1010 int i;
1011
1012 if (*value == *new)
1013 /* Nothing to do */
1014 return (0);
1015
1016 if (*value != NULL && *new != NULL &&
1017 ad_disc_compare_domainsinforest(*value, *new) == 0) {
1018 free(*new);
1019 *new = NULL;
1020 return (0);
1021 }
1022
1023 if (*value != NULL)
1024 free(*value);
1025
1026 *value = *new;
1027 *new = NULL;
1028
1029 if (*value == NULL) {
1030 /* We're unsetting this DS property */
1031 if (DBG(CONFIG, 1))
1032 idmapdlog(LOG_INFO, "change %s=<none>", name);
1033 return (1);
1034 }
1035
1036 if (DBG(CONFIG, 1)) {
1037 /* List all the new domains */
1038 for (i = 0; (*value)[i].domain[0] != '\0'; i++) {
1039 idmapdlog(LOG_INFO, "change %s=%s", name,
1040 (*value)[i].domain);
1041 }
1042 }
1043 return (1);
1044 }
1045
1046
1047 static void
free_trusted_forests(idmap_trustedforest_t ** value,int * num_values)1048 free_trusted_forests(idmap_trustedforest_t **value, int *num_values)
1049 {
1050 int i;
1051
1052 for (i = 0; i < *num_values; i++) {
1053 free((*value)[i].forest_name);
1054 free((*value)[i].global_catalog);
1055 free((*value)[i].domains_in_forest);
1056 }
1057 free(*value);
1058 *value = NULL;
1059 *num_values = 0;
1060 }
1061
1062
1063 static int
compare_trusteddomainsinforest(ad_disc_domainsinforest_t * df1,ad_disc_domainsinforest_t * df2)1064 compare_trusteddomainsinforest(ad_disc_domainsinforest_t *df1,
1065 ad_disc_domainsinforest_t *df2)
1066 {
1067 int i, j;
1068 int num_df1 = 0;
1069 int num_df2 = 0;
1070 boolean_t match;
1071
1072 for (i = 0; df1[i].domain[0] != '\0'; i++)
1073 if (df1[i].trusted)
1074 num_df1++;
1075
1076 for (j = 0; df2[j].domain[0] != '\0'; j++)
1077 if (df2[j].trusted)
1078 num_df2++;
1079
1080 if (num_df1 != num_df2)
1081 return (1);
1082
1083 for (i = 0; df1[i].domain[0] != '\0'; i++) {
1084 if (df1[i].trusted) {
1085 match = B_FALSE;
1086 for (j = 0; df2[j].domain[0] != '\0'; j++) {
1087 if (df2[j].trusted &&
1088 domain_eq(df1[i].domain, df2[j].domain) &&
1089 strcmp(df1[i].sid, df2[j].sid) == 0) {
1090 match = B_TRUE;
1091 break;
1092 }
1093 }
1094 if (!match)
1095 return (1);
1096 }
1097 }
1098 return (0);
1099 }
1100
1101
1102
1103 /*
1104 * This function updates trusted forest structure.
1105 * If nothing has changed it returns 0 else 1
1106 */
1107 static int
update_trusted_forest(idmap_trustedforest_t ** value,int * num_value,idmap_trustedforest_t ** new,int * num_new,char * name)1108 update_trusted_forest(idmap_trustedforest_t **value, int *num_value,
1109 idmap_trustedforest_t **new, int *num_new, char *name)
1110 {
1111 int i, j;
1112 boolean_t match;
1113
1114 if (*value == *new)
1115 /* Nothing to do */
1116 return (0);
1117
1118 if (*value != NULL && *new != NULL) {
1119 if (*num_value != *num_new)
1120 goto not_equal;
1121 for (i = 0; i < *num_value; i++) {
1122 match = B_FALSE;
1123 for (j = 0; j < *num_new; j++) {
1124 if (strcmp((*value)[i].forest_name,
1125 (*new)[j].forest_name) == 0 &&
1126 ad_disc_compare_ds(
1127 (*value)[i].global_catalog,
1128 (*new)[j].global_catalog) == 0 &&
1129 compare_trusteddomainsinforest(
1130 (*value)[i].domains_in_forest,
1131 (*new)[j].domains_in_forest) == 0) {
1132 match = B_TRUE;
1133 break;
1134 }
1135 }
1136 if (!match)
1137 goto not_equal;
1138 }
1139 free_trusted_forests(new, num_new);
1140 return (0);
1141 }
1142 not_equal:
1143 if (*value != NULL)
1144 free_trusted_forests(value, num_value);
1145 *value = *new;
1146 *num_value = *num_new;
1147 *new = NULL;
1148 *num_new = 0;
1149
1150 if (*value == NULL) {
1151 /* We're unsetting this DS property */
1152 if (DBG(CONFIG, 1))
1153 idmapdlog(LOG_INFO, "change %s=<none>", name);
1154 return (1);
1155 }
1156
1157 if (DBG(CONFIG, 1)) {
1158 /* List all the trusted forests */
1159 for (i = 0; i < *num_value; i++) {
1160 idmap_trustedforest_t *f = &(*value)[i];
1161 for (j = 0;
1162 f->domains_in_forest[j].domain[0] != '\0';
1163 j++) {
1164 /* List trusted Domains in the forest. */
1165 if (f->domains_in_forest[j].trusted)
1166 idmapdlog(LOG_INFO,
1167 "change %s=%s domain=%s",
1168 name, f->forest_name,
1169 f->domains_in_forest[j].domain);
1170 }
1171 /* List the hosts */
1172 for (j = 0;
1173 f->global_catalog[j].host[0] != '\0';
1174 j++) {
1175 idmapdlog(LOG_INFO,
1176 "change %s=%s host=%s port=%d",
1177 name, f->forest_name,
1178 f->global_catalog[j].host,
1179 f->global_catalog[j].port);
1180 }
1181 }
1182 }
1183 return (1);
1184 }
1185
1186 const char *
enum_lookup(int value,struct enum_lookup_map * map)1187 enum_lookup(int value, struct enum_lookup_map *map)
1188 {
1189 for (; map->string != NULL; map++) {
1190 if (value == map->value) {
1191 return (map->string);
1192 }
1193 }
1194 return ("(invalid)");
1195 }
1196
1197 /*
1198 * Returns 1 if the PF_ROUTE socket event indicates that we should rescan the
1199 * interfaces.
1200 *
1201 * Shamelessly based on smb_nics_changed() and other PF_ROUTE uses in ON.
1202 */
1203 static
1204 boolean_t
pfroute_event_is_interesting(int rt_sock)1205 pfroute_event_is_interesting(int rt_sock)
1206 {
1207 int nbytes;
1208 int64_t msg[2048 / 8];
1209 struct rt_msghdr *rtm;
1210 boolean_t is_interesting = B_FALSE;
1211
1212 for (;;) {
1213 if ((nbytes = read(rt_sock, msg, sizeof (msg))) <= 0)
1214 break;
1215 rtm = (struct rt_msghdr *)msg;
1216 if (rtm->rtm_version != RTM_VERSION)
1217 continue;
1218 if (nbytes < rtm->rtm_msglen)
1219 continue;
1220 switch (rtm->rtm_type) {
1221 case RTM_NEWADDR:
1222 case RTM_DELADDR:
1223 case RTM_IFINFO:
1224 is_interesting = B_TRUE;
1225 break;
1226 default:
1227 break;
1228 }
1229 }
1230 return (is_interesting);
1231 }
1232
1233 /*
1234 * Wait for an event, and report what kind of event occurred.
1235 *
1236 * Note that there are cases where we are awoken but don't care about
1237 * the lower-level event. We can't just loop here because we can't
1238 * readily calculate how long to sleep the next time. We return
1239 * EVENT_NOTHING and let the caller loop.
1240 */
1241 static
1242 enum event_type
wait_for_event(struct timespec * timeoutp)1243 wait_for_event(struct timespec *timeoutp)
1244 {
1245 port_event_t pe;
1246
1247 (void) memset(&pe, 0, sizeof (pe));
1248 if (port_get(idmapd_ev_port, &pe, timeoutp) != 0) {
1249 switch (errno) {
1250 case EINTR:
1251 return (EVENT_NOTHING);
1252 case ETIME:
1253 /* Timeout */
1254 return (EVENT_TIMEOUT);
1255 default:
1256 /* EBADF, EBADFD, EFAULT, EINVAL (end of time?)? */
1257 idmapdlog(LOG_ERR, "Event port failed: %s",
1258 strerror(errno));
1259 exit(1);
1260 /* NOTREACHED */
1261 }
1262 }
1263
1264
1265 switch (pe.portev_source) {
1266 case 0:
1267 /*
1268 * This isn't documented, but seems to be what you get if
1269 * the timeout is zero seconds and there are no events
1270 * pending.
1271 */
1272 return (EVENT_TIMEOUT);
1273
1274 case PORT_SOURCE_USER:
1275 switch (pe.portev_events) {
1276 case RECONFIGURE:
1277 return (EVENT_REFRESH);
1278 case POKE_AUTO_DISCOVERY:
1279 return (EVENT_POKED);
1280 case KICK_AUTO_DISCOVERY:
1281 return (EVENT_KICKED);
1282 }
1283 return (EVENT_NOTHING);
1284
1285 case PORT_SOURCE_FD:
1286 if (pe.portev_object == rt_sock) {
1287 /*
1288 * PF_ROUTE socket read event:
1289 * re-associate fd
1290 * handle event
1291 */
1292 if (port_associate(idmapd_ev_port, PORT_SOURCE_FD,
1293 rt_sock, POLLIN, NULL) != 0) {
1294 idmapdlog(LOG_ERR, "Failed to re-associate the "
1295 "routing socket with the event port: %s",
1296 strerror(errno));
1297 abort();
1298 }
1299 /*
1300 * The network configuration may still be in flux.
1301 * No matter, the resolver will re-transmit and
1302 * timeout if need be.
1303 */
1304 if (pfroute_event_is_interesting(rt_sock)) {
1305 if (DBG(CONFIG, 1)) {
1306 idmapdlog(LOG_DEBUG,
1307 "Interesting routing event");
1308 }
1309 return (EVENT_ROUTING);
1310 } else {
1311 if (DBG(CONFIG, 2)) {
1312 idmapdlog(LOG_DEBUG,
1313 "Boring routing event");
1314 }
1315 return (EVENT_NOTHING);
1316 }
1317 }
1318 /* Event on an FD other than the routing FD? Ignore it. */
1319 break;
1320 }
1321
1322 return (EVENT_NOTHING);
1323 }
1324
1325 void *
idmap_cfg_update_thread(void * arg)1326 idmap_cfg_update_thread(void *arg)
1327 {
1328 NOTE(ARGUNUSED(arg))
1329 idmap_pg_config_t *pgcfg = &_idmapdstate.cfg->pgcfg;
1330 const ad_disc_t ad_ctx = _idmapdstate.cfg->handles.ad_ctx;
1331 int flags = CFG_DISCOVER;
1332
1333 for (;;) {
1334 struct timespec timeout;
1335 struct timespec *timeoutp;
1336 int rc;
1337 int ttl, max_ttl;
1338
1339 (void) ad_disc_SubnetChanged(ad_ctx);
1340
1341 rc = idmap_cfg_load(_idmapdstate.cfg, flags);
1342 if (rc < -1) {
1343 idmapdlog(LOG_ERR, "Fatal errors while reading "
1344 "SMF properties");
1345 exit(1);
1346 } else if (rc == -1) {
1347 idmapdlog(LOG_WARNING,
1348 "Errors re-loading configuration may cause AD "
1349 "lookups to fail");
1350 }
1351
1352 /*
1353 * Wait for an interesting event. Note that we might get
1354 * boring events between interesting events. If so, we loop.
1355 */
1356 flags = CFG_DISCOVER;
1357 for (;;) {
1358 /*
1359 * If we don't know our domain name, don't bother
1360 * with rediscovery until the next config change.
1361 * Avoids hourly noise in workgroup mode.
1362 */
1363 if (pgcfg->domain_name == NULL)
1364 ttl = -1;
1365 else
1366 ttl = ad_disc_get_TTL(ad_ctx);
1367 if (ttl < 0) {
1368 timeoutp = NULL;
1369 } else {
1370 max_ttl = (int)pgcfg->rediscovery_interval;
1371 if (ttl > max_ttl)
1372 ttl = max_ttl;
1373 if (ttl < MIN_REDISCOVERY_INTERVAL)
1374 ttl = MIN_REDISCOVERY_INTERVAL;
1375 timeout.tv_sec = ttl;
1376 timeout.tv_nsec = 0;
1377 timeoutp = &timeout;
1378 }
1379
1380 if (DBG(CONFIG, 1))
1381 idmapdlog(LOG_DEBUG,
1382 "_cfg_update_thread waiting");
1383
1384 switch (wait_for_event(timeoutp)) {
1385 case EVENT_NOTHING:
1386 if (DBG(CONFIG, 2))
1387 idmapdlog(LOG_DEBUG, "Boring event.");
1388 continue;
1389 case EVENT_REFRESH:
1390 if (DBG(CONFIG, 1))
1391 idmapdlog(LOG_INFO, "SMF refresh");
1392 /*
1393 * Forget any DC we had previously.
1394 */
1395 flags |= CFG_FORGET_DC;
1396
1397 /*
1398 * Blow away the ccache, we might have
1399 * re-joined the domain or joined a new one
1400 */
1401 (void) unlink(IDMAP_CACHEDIR "/ccache");
1402 break;
1403 case EVENT_POKED:
1404 if (DBG(CONFIG, 1))
1405 idmapdlog(LOG_DEBUG, "poked");
1406 break;
1407 case EVENT_KICKED:
1408 if (DBG(CONFIG, 1))
1409 idmapdlog(LOG_DEBUG, "kicked");
1410 flags |= CFG_FORGET_DC;
1411 break;
1412 case EVENT_TIMEOUT:
1413 if (DBG(CONFIG, 1))
1414 idmapdlog(LOG_DEBUG, "TTL expired");
1415 break;
1416 case EVENT_ROUTING:
1417 /* Already logged to DEBUG */
1418 break;
1419 }
1420 /* An interesting event! */
1421 break;
1422 }
1423 }
1424 /*
1425 * Lint isn't happy with the concept of a function declared to
1426 * return something, that doesn't return. Of course, merely adding
1427 * the return isn't enough, because it's never reached...
1428 */
1429 /*NOTREACHED*/
1430 return (NULL);
1431 }
1432
1433 int
idmap_cfg_start_updates(void)1434 idmap_cfg_start_updates(void)
1435 {
1436 if ((idmapd_ev_port = port_create()) < 0) {
1437 idmapdlog(LOG_ERR, "Failed to create event port: %s",
1438 strerror(errno));
1439 return (-1);
1440 }
1441
1442 if ((rt_sock = socket(PF_ROUTE, SOCK_RAW, 0)) < 0) {
1443 idmapdlog(LOG_ERR, "Failed to open routing socket: %s",
1444 strerror(errno));
1445 (void) close(idmapd_ev_port);
1446 return (-1);
1447 }
1448
1449 if (fcntl(rt_sock, F_SETFL, O_NDELAY|O_NONBLOCK) < 0) {
1450 idmapdlog(LOG_ERR, "Failed to set routing socket flags: %s",
1451 strerror(errno));
1452 (void) close(rt_sock);
1453 (void) close(idmapd_ev_port);
1454 return (-1);
1455 }
1456
1457 if (port_associate(idmapd_ev_port, PORT_SOURCE_FD,
1458 rt_sock, POLLIN, NULL) != 0) {
1459 idmapdlog(LOG_ERR, "Failed to associate the routing "
1460 "socket with the event port: %s", strerror(errno));
1461 (void) close(rt_sock);
1462 (void) close(idmapd_ev_port);
1463 return (-1);
1464 }
1465
1466 if ((errno = pthread_create(&update_thread_handle, NULL,
1467 idmap_cfg_update_thread, NULL)) != 0) {
1468 idmapdlog(LOG_ERR, "Failed to start update thread: %s",
1469 strerror(errno));
1470 (void) port_dissociate(idmapd_ev_port, PORT_SOURCE_FD, rt_sock);
1471 (void) close(rt_sock);
1472 (void) close(idmapd_ev_port);
1473 return (-1);
1474 }
1475
1476 return (0);
1477 }
1478
1479 /*
1480 * Reject attribute names with invalid characters.
1481 */
1482 static
1483 int
valid_ldap_attr(const char * attr)1484 valid_ldap_attr(const char *attr) {
1485 for (; *attr; attr++) {
1486 if (!isalnum(*attr) && *attr != '-' &&
1487 *attr != '_' && *attr != '.' && *attr != ';')
1488 return (0);
1489 }
1490 return (1);
1491 }
1492
1493 static
1494 void
idmapd_set_debug(idmap_cfg_handles_t * handles,enum idmapd_debug item,const char * name)1495 idmapd_set_debug(
1496 idmap_cfg_handles_t *handles,
1497 enum idmapd_debug item,
1498 const char *name)
1499 {
1500 int val;
1501
1502 if (item < 0 || item > IDMAPD_DEBUG_MAX)
1503 return;
1504
1505 val = get_debug(handles, name);
1506
1507 if (val != _idmapdstate.debug[item])
1508 idmapdlog(LOG_DEBUG, "%s/%s = %d", DEBUG_PG, name, val);
1509
1510 _idmapdstate.debug[item] = val;
1511 }
1512
1513 static
1514 void
check_smf_debug_mode(idmap_cfg_handles_t * handles)1515 check_smf_debug_mode(idmap_cfg_handles_t *handles)
1516 {
1517 idmapd_set_debug(handles, IDMAPD_DEBUG_ALL, "all");
1518 idmapd_set_debug(handles, IDMAPD_DEBUG_CONFIG, "config");
1519 idmapd_set_debug(handles, IDMAPD_DEBUG_MAPPING, "mapping");
1520 idmapd_set_debug(handles, IDMAPD_DEBUG_DISC, "discovery");
1521 idmapd_set_debug(handles, IDMAPD_DEBUG_DNS, "dns");
1522 idmapd_set_debug(handles, IDMAPD_DEBUG_LDAP, "ldap");
1523
1524 adutils_set_debug(AD_DEBUG_ALL, _idmapdstate.debug[IDMAPD_DEBUG_ALL]);
1525 adutils_set_debug(AD_DEBUG_DISC, _idmapdstate.debug[IDMAPD_DEBUG_DISC]);
1526 adutils_set_debug(AD_DEBUG_DNS, _idmapdstate.debug[IDMAPD_DEBUG_DNS]);
1527 adutils_set_debug(AD_DEBUG_LDAP, _idmapdstate.debug[IDMAPD_DEBUG_LDAP]);
1528 }
1529
1530 /*
1531 * This is the half of idmap_cfg_load() that loads property values from
1532 * SMF (using the config/ property group of the idmap FMRI).
1533 *
1534 * Return values: 0 -> success, -1 -> failure, -2 -> hard failures
1535 * -3 -> hard smf config failures
1536 * reading from SMF.
1537 */
1538 static int
idmap_cfg_load_smf(idmap_cfg_handles_t * handles,idmap_pg_config_t * pgcfg,int * const errors)1539 idmap_cfg_load_smf(idmap_cfg_handles_t *handles, idmap_pg_config_t *pgcfg,
1540 int * const errors)
1541 {
1542 int rc;
1543 char *s;
1544
1545 *errors = 0;
1546
1547 if (scf_pg_update(handles->config_pg) < 0) {
1548 idmapdlog(LOG_ERR, "scf_pg_update() failed: %s",
1549 scf_strerror(scf_error()));
1550 return (-2);
1551 }
1552
1553 if (scf_pg_update(handles->debug_pg) < 0) {
1554 idmapdlog(LOG_ERR, "scf_pg_update() failed: %s",
1555 scf_strerror(scf_error()));
1556 return (-2);
1557 }
1558
1559 check_smf_debug_mode(handles);
1560
1561 rc = get_val_bool(handles, "unresolvable_sid_mapping",
1562 &pgcfg->eph_map_unres_sids, B_TRUE);
1563 if (rc != 0)
1564 (*errors)++;
1565
1566 rc = get_val_bool(handles, "use_ads",
1567 &pgcfg->use_ads, B_TRUE);
1568 if (rc != 0)
1569 (*errors)++;
1570
1571 rc = get_val_bool(handles, "use_lsa",
1572 &pgcfg->use_lsa, B_TRUE);
1573 if (rc != 0)
1574 (*errors)++;
1575
1576 rc = get_val_bool(handles, "disable_cross_forest_trusts",
1577 &pgcfg->disable_cross_forest_trusts, B_TRUE);
1578 if (rc != 0)
1579 (*errors)++;
1580
1581 rc = get_val_astring(handles, "directory_based_mapping", &s);
1582 if (rc != 0)
1583 (*errors)++;
1584 else if (s == NULL || strcasecmp(s, "none") == 0)
1585 pgcfg->directory_based_mapping = DIRECTORY_MAPPING_NONE;
1586 else if (strcasecmp(s, "name") == 0)
1587 pgcfg->directory_based_mapping = DIRECTORY_MAPPING_NAME;
1588 else if (strcasecmp(s, "idmu") == 0)
1589 pgcfg->directory_based_mapping = DIRECTORY_MAPPING_IDMU;
1590 else {
1591 pgcfg->directory_based_mapping = DIRECTORY_MAPPING_NONE;
1592 idmapdlog(LOG_ERR,
1593 "config/directory_based_mapping: invalid value \"%s\" ignored",
1594 s);
1595 (*errors)++;
1596 }
1597 free(s);
1598
1599 rc = get_val_int(handles, "list_size_limit",
1600 &pgcfg->list_size_limit, SCF_TYPE_COUNT);
1601 if (rc != 0)
1602 (*errors)++;
1603
1604 rc = get_val_int(handles, "id_cache_timeout",
1605 &pgcfg->id_cache_timeout, SCF_TYPE_COUNT);
1606 if (rc != 0)
1607 (*errors)++;
1608 if (pgcfg->id_cache_timeout == 0)
1609 pgcfg->id_cache_timeout = ID_CACHE_TMO_DEFAULT;
1610
1611 rc = get_val_int(handles, "name_cache_timeout",
1612 &pgcfg->name_cache_timeout, SCF_TYPE_COUNT);
1613 if (rc != 0)
1614 (*errors)++;
1615 if (pgcfg->name_cache_timeout == 0)
1616 pgcfg->name_cache_timeout = NAME_CACHE_TMO_DEFAULT;
1617
1618 rc = get_val_int(handles, "rediscovery_interval",
1619 &pgcfg->rediscovery_interval, SCF_TYPE_COUNT);
1620 if (rc != 0)
1621 (*errors)++;
1622 if (pgcfg->rediscovery_interval == 0)
1623 pgcfg->rediscovery_interval = REDISCOVERY_INTERVAL_DEFAULT;
1624
1625 rc = get_val_astring(handles, "domain_name",
1626 &pgcfg->domain_name);
1627 if (rc != 0)
1628 (*errors)++;
1629 else {
1630 if (pgcfg->domain_name != NULL &&
1631 pgcfg->domain_name[0] == '\0') {
1632 free(pgcfg->domain_name);
1633 pgcfg->domain_name = NULL;
1634 }
1635 (void) ad_disc_set_DomainName(handles->ad_ctx,
1636 pgcfg->domain_name);
1637 pgcfg->domain_name_auto_disc = B_FALSE;
1638 }
1639
1640 rc = get_val_astring(handles, "default_domain",
1641 &pgcfg->default_domain);
1642 if (rc != 0) {
1643 /*
1644 * SCF failures fetching config/default_domain we treat
1645 * as fatal as they may leave ID mapping rules that
1646 * match unqualified winnames flapping in the wind.
1647 */
1648 return (-2);
1649 }
1650
1651 if (pgcfg->default_domain == NULL && pgcfg->domain_name != NULL) {
1652 pgcfg->default_domain = strdup(pgcfg->domain_name);
1653 }
1654
1655 rc = get_val_astring(handles, "domain_guid", &s);
1656 if (rc != 0) {
1657 (*errors)++;
1658 } else if (s == NULL || s[0] == '\0') {
1659 /* OK, not set. */
1660 free(s);
1661 } else {
1662 uuid_t u;
1663
1664 if (uuid_parse(s, u) != 0) {
1665 idmapdlog(LOG_ERR,
1666 "config/domain_guid: invalid value \"%s\" ignored", s);
1667 free(s);
1668 (*errors)++;
1669 } else {
1670 pgcfg->domain_guid = s;
1671 pgcfg->domain_guid_auto_disc = B_FALSE;
1672 (void) ad_disc_set_DomainGUID(handles->ad_ctx, u);
1673 }
1674 }
1675
1676 rc = get_val_astring(handles, "machine_uuid", &pgcfg->machine_uuid);
1677 if (rc != 0)
1678 (*errors)++;
1679 if (pgcfg->machine_uuid == NULL) {
1680 /* If machine_uuid not configured, generate one */
1681 if (generate_machine_uuid(&pgcfg->machine_uuid) < 0)
1682 return (-2);
1683 rc = set_val_astring(handles, handles->config_pg,
1684 "machine_uuid", pgcfg->machine_uuid);
1685 if (rc != 0)
1686 (*errors)++;
1687 }
1688
1689 rc = get_val_astring(handles, "machine_sid", &pgcfg->machine_sid);
1690 if (rc != 0)
1691 (*errors)++;
1692 if (pgcfg->machine_sid == NULL) {
1693 /*
1694 * If machine_sid not configured, generate one
1695 * from the machine UUID.
1696 */
1697 if (generate_machine_sid(&pgcfg->machine_sid,
1698 pgcfg->machine_uuid) < 0)
1699 return (-2);
1700 rc = set_val_astring(handles, handles->config_pg,
1701 "machine_sid", pgcfg->machine_sid);
1702 if (rc != 0)
1703 (*errors)++;
1704 }
1705
1706 rc = get_val_ds(handles, "domain_controller", 389,
1707 &pgcfg->domain_controller);
1708 if (rc != 0)
1709 (*errors)++;
1710 else {
1711 (void) ad_disc_set_DomainController(handles->ad_ctx,
1712 pgcfg->domain_controller);
1713 pgcfg->domain_controller_auto_disc = B_FALSE;
1714 }
1715
1716 rc = get_val_ds(handles, "preferred_dc", 389,
1717 &pgcfg->preferred_dc);
1718 if (rc != 0)
1719 (*errors)++;
1720 else {
1721 (void) ad_disc_set_PreferredDC(handles->ad_ctx,
1722 pgcfg->preferred_dc);
1723 pgcfg->preferred_dc_auto_disc = B_FALSE;
1724 }
1725
1726 rc = get_val_astring(handles, "forest_name", &pgcfg->forest_name);
1727 if (rc != 0)
1728 (*errors)++;
1729 else {
1730 (void) ad_disc_set_ForestName(handles->ad_ctx,
1731 pgcfg->forest_name);
1732 pgcfg->forest_name_auto_disc = B_FALSE;
1733 }
1734
1735 rc = get_val_astring(handles, "site_name", &pgcfg->site_name);
1736 if (rc != 0)
1737 (*errors)++;
1738 else
1739 (void) ad_disc_set_SiteName(handles->ad_ctx, pgcfg->site_name);
1740
1741 rc = get_val_ds(handles, "global_catalog", 3268,
1742 &pgcfg->global_catalog);
1743 if (rc != 0)
1744 (*errors)++;
1745 else {
1746 (void) ad_disc_set_GlobalCatalog(handles->ad_ctx,
1747 pgcfg->global_catalog);
1748 pgcfg->global_catalog_auto_disc = B_FALSE;
1749 }
1750
1751 /* Unless we're doing directory-based name mapping, we're done. */
1752 if (pgcfg->directory_based_mapping != DIRECTORY_MAPPING_NAME)
1753 return (0);
1754
1755 rc = get_val_astring(handles, "ad_unixuser_attr",
1756 &pgcfg->ad_unixuser_attr);
1757 if (rc != 0)
1758 return (-2);
1759 if (pgcfg->ad_unixuser_attr != NULL &&
1760 !valid_ldap_attr(pgcfg->ad_unixuser_attr)) {
1761 idmapdlog(LOG_ERR, "config/ad_unixuser_attr=%s is not a "
1762 "valid LDAP attribute name", pgcfg->ad_unixuser_attr);
1763 return (-3);
1764 }
1765
1766 rc = get_val_astring(handles, "ad_unixgroup_attr",
1767 &pgcfg->ad_unixgroup_attr);
1768 if (rc != 0)
1769 return (-2);
1770 if (pgcfg->ad_unixgroup_attr != NULL &&
1771 !valid_ldap_attr(pgcfg->ad_unixgroup_attr)) {
1772 idmapdlog(LOG_ERR, "config/ad_unixgroup_attr=%s is not a "
1773 "valid LDAP attribute name", pgcfg->ad_unixgroup_attr);
1774 return (-3);
1775 }
1776
1777 rc = get_val_astring(handles, "nldap_winname_attr",
1778 &pgcfg->nldap_winname_attr);
1779 if (rc != 0)
1780 return (-2);
1781 if (pgcfg->nldap_winname_attr != NULL &&
1782 !valid_ldap_attr(pgcfg->nldap_winname_attr)) {
1783 idmapdlog(LOG_ERR, "config/nldap_winname_attr=%s is not a "
1784 "valid LDAP attribute name", pgcfg->nldap_winname_attr);
1785 return (-3);
1786 }
1787 if (pgcfg->ad_unixuser_attr == NULL &&
1788 pgcfg->ad_unixgroup_attr == NULL &&
1789 pgcfg->nldap_winname_attr == NULL) {
1790 idmapdlog(LOG_ERR,
1791 "If config/directory_based_mapping property is set to "
1792 "\"name\" then at least one of the following name mapping "
1793 "attributes must be specified. (config/ad_unixuser_attr OR "
1794 "config/ad_unixgroup_attr OR config/nldap_winname_attr)");
1795 return (-3);
1796 }
1797
1798 return (rc);
1799 }
1800
1801 static
1802 void
log_if_unable(const void * val,const char * what)1803 log_if_unable(const void *val, const char *what)
1804 {
1805 if (val == NULL) {
1806 idmapdlog(LOG_DEBUG, "unable to discover %s", what);
1807 }
1808 }
1809
1810 static
1811 void
discover_trusted_domains(idmap_pg_config_t * pgcfg,ad_disc_t ad_ctx)1812 discover_trusted_domains(idmap_pg_config_t *pgcfg, ad_disc_t ad_ctx)
1813 {
1814 ad_disc_t trusted_ctx;
1815 int i, j, k, l;
1816 char *forestname;
1817 int num_trusteddomains;
1818 boolean_t new_forest;
1819 char *trusteddomain;
1820 ad_disc_ds_t *globalcatalog;
1821 idmap_trustedforest_t *trustedforests;
1822 ad_disc_domainsinforest_t *domainsinforest;
1823
1824 pgcfg->trusted_domains =
1825 ad_disc_get_TrustedDomains(ad_ctx, NULL);
1826
1827 if (pgcfg->forest_name != NULL && pgcfg->trusted_domains != NULL &&
1828 pgcfg->trusted_domains[0].domain[0] != '\0') {
1829 /*
1830 * We have trusted domains. We need to go through every
1831 * one and find its forest. If it is a new forest we then need
1832 * to find its Global Catalog and the domains in the forest
1833 */
1834 for (i = 0; pgcfg->trusted_domains[i].domain[0] != '\0'; i++)
1835 continue;
1836 num_trusteddomains = i;
1837
1838 trustedforests = calloc(num_trusteddomains,
1839 sizeof (idmap_trustedforest_t));
1840 j = 0;
1841 for (i = 0; pgcfg->trusted_domains[i].domain[0] != '\0'; i++) {
1842 trusteddomain = pgcfg->trusted_domains[i].domain;
1843 trusted_ctx = ad_disc_init();
1844 (void) ad_disc_set_DomainName(trusted_ctx,
1845 trusteddomain);
1846 forestname =
1847 ad_disc_get_ForestName(trusted_ctx, NULL);
1848 if (forestname == NULL) {
1849 if (DBG(CONFIG, 1)) {
1850 idmapdlog(LOG_DEBUG,
1851 "unable to discover Forest Name"
1852 " for the trusted domain %s",
1853 trusteddomain);
1854 }
1855 ad_disc_fini(trusted_ctx);
1856 continue;
1857 }
1858
1859 if (strcasecmp(forestname, pgcfg->forest_name) == 0) {
1860 /*
1861 * Ignore the domain as it is part of
1862 * the primary forest
1863 */
1864 free(forestname);
1865 ad_disc_fini(trusted_ctx);
1866 continue;
1867 }
1868
1869 /* Is this a new forest? */
1870 new_forest = B_TRUE;
1871 for (k = 0; k < j; k++) {
1872 if (strcasecmp(forestname,
1873 trustedforests[k].forest_name) == 0) {
1874 new_forest = B_FALSE;
1875 domainsinforest =
1876 trustedforests[k].domains_in_forest;
1877 break;
1878 }
1879 }
1880 if (!new_forest) {
1881 /* Mark the domain as trusted */
1882 for (l = 0;
1883 domainsinforest[l].domain[0] != '\0'; l++) {
1884 if (domain_eq(trusteddomain,
1885 domainsinforest[l].domain)) {
1886 domainsinforest[l].trusted =
1887 TRUE;
1888 break;
1889 }
1890 }
1891 free(forestname);
1892 ad_disc_fini(trusted_ctx);
1893 continue;
1894 }
1895
1896 /*
1897 * Get the Global Catalog and the domains in
1898 * this new forest.
1899 */
1900 globalcatalog =
1901 ad_disc_get_GlobalCatalog(trusted_ctx,
1902 AD_DISC_PREFER_SITE, NULL);
1903 if (globalcatalog == NULL) {
1904 if (DBG(CONFIG, 1)) {
1905 idmapdlog(LOG_DEBUG,
1906 "unable to discover Global Catalog"
1907 " for the trusted domain %s",
1908 trusteddomain);
1909 }
1910 free(forestname);
1911 ad_disc_fini(trusted_ctx);
1912 continue;
1913 }
1914 domainsinforest =
1915 ad_disc_get_DomainsInForest(trusted_ctx, NULL);
1916 if (domainsinforest == NULL) {
1917 if (DBG(CONFIG, 1)) {
1918 idmapdlog(LOG_DEBUG,
1919 "unable to discover Domains in the"
1920 " Forest for the trusted domain %s",
1921 trusteddomain);
1922 }
1923 free(globalcatalog);
1924 free(forestname);
1925 ad_disc_fini(trusted_ctx);
1926 continue;
1927 }
1928
1929 trustedforests[j].forest_name = forestname;
1930 trustedforests[j].global_catalog = globalcatalog;
1931 trustedforests[j].domains_in_forest = domainsinforest;
1932 j++;
1933 /* Mark the domain as trusted */
1934 for (l = 0; domainsinforest[l].domain[0] != '\0';
1935 l++) {
1936 if (domain_eq(trusteddomain,
1937 domainsinforest[l].domain)) {
1938 domainsinforest[l].trusted = TRUE;
1939 break;
1940 }
1941 }
1942 ad_disc_fini(trusted_ctx);
1943 }
1944 if (j > 0) {
1945 pgcfg->num_trusted_forests = j;
1946 pgcfg->trusted_forests = trustedforests;
1947 } else {
1948 free(trustedforests);
1949 }
1950 }
1951 }
1952
1953 /*
1954 * This is the half of idmap_cfg_load() that auto-discovers values of
1955 * discoverable properties that weren't already set via SMF properties.
1956 *
1957 * idmap_cfg_discover() is called *after* idmap_cfg_load_smf(), so it
1958 * needs to be careful not to overwrite any properties set in SMF.
1959 */
1960 static void
idmap_cfg_discover1(idmap_cfg_handles_t * handles,idmap_pg_config_t * pgcfg)1961 idmap_cfg_discover1(idmap_cfg_handles_t *handles, idmap_pg_config_t *pgcfg)
1962 {
1963 ad_disc_t ad_ctx = handles->ad_ctx;
1964 FILE *status_fp = NULL;
1965 time_t t0, t1;
1966
1967 t0 = time(NULL);
1968 if (DBG(CONFIG, 1))
1969 idmapdlog(LOG_DEBUG, "Running domain discovery.");
1970
1971 (void) unlink(IDMAP_CACHEDIR "/discovery.log");
1972 status_fp = fopen(IDMAP_CACHEDIR "/discovery.log", "w");
1973 if (status_fp) {
1974 (void) fchmod(fileno(status_fp), 0644);
1975 ad_disc_set_StatusFP(ad_ctx, status_fp);
1976 }
1977
1978 if (pgcfg->domain_name == NULL) {
1979 idmapdlog(LOG_DEBUG, "No domain name specified.");
1980 if (status_fp)
1981 (void) fprintf(status_fp, "(no domain name)\n");
1982 goto out;
1983 }
1984
1985 if (pgcfg->domain_controller == NULL)
1986 pgcfg->domain_controller =
1987 ad_disc_get_DomainController(ad_ctx,
1988 AD_DISC_PREFER_SITE,
1989 &pgcfg->domain_controller_auto_disc);
1990
1991 if (pgcfg->domain_guid == NULL) {
1992 char buf[UUID_PRINTABLE_STRING_LENGTH];
1993 uchar_t *u = ad_disc_get_DomainGUID(ad_ctx,
1994 &pgcfg->domain_guid_auto_disc);
1995 (void) memset(buf, 0, sizeof (buf));
1996 if (u != NULL) {
1997 uuid_unparse(u, buf);
1998 pgcfg->domain_guid = strdup(buf);
1999 }
2000 }
2001
2002 if (pgcfg->forest_name == NULL)
2003 pgcfg->forest_name = ad_disc_get_ForestName(ad_ctx,
2004 &pgcfg->forest_name_auto_disc);
2005
2006 if (pgcfg->site_name == NULL)
2007 pgcfg->site_name = ad_disc_get_SiteName(ad_ctx,
2008 &pgcfg->site_name_auto_disc);
2009
2010 if (DBG(CONFIG, 1)) {
2011 log_if_unable(pgcfg->domain_name, "Domain Name");
2012 log_if_unable(pgcfg->domain_controller,
2013 "Domain Controller");
2014 log_if_unable(pgcfg->domain_guid, "Domain GUID");
2015 log_if_unable(pgcfg->forest_name, "Forest Name");
2016 log_if_unable(pgcfg->site_name, "Site Name");
2017 }
2018
2019 out:
2020 if (status_fp) {
2021 ad_disc_set_StatusFP(ad_ctx, NULL);
2022 (void) fclose(status_fp);
2023 status_fp = NULL;
2024 }
2025
2026 if (DBG(CONFIG, 1))
2027 idmapdlog(LOG_DEBUG, "Domain discovery done.");
2028
2029 /*
2030 * Log when this took more than 15 sec.
2031 */
2032 t1 = time(NULL);
2033 if (t1 > (t0 + 15)) {
2034 idmapdlog(LOG_NOTICE, "Domain discovery took %d sec.",
2035 (int)(t1 - t0));
2036 idmapdlog(LOG_NOTICE, "Check the DNS configuration.");
2037 }
2038 }
2039
2040 /*
2041 * This is the second part of discovery, which can take a while.
2042 * We don't want to hold up parties who just want to know what
2043 * domain controller we're using (like smbd), so this part runs
2044 * after we've updated that info in the "live" config and told
2045 * such consumers to go ahead.
2046 *
2047 * This is a lot like idmap_cfg_discover(), but used LDAP queries
2048 * get the forest information from the global catalog servers.
2049 *
2050 * Note: the previous update_* calls have usually nuked any
2051 * useful information from pgcfg before we get here, so we
2052 * can only use it store discovery results, not to read.
2053 */
2054 static void
idmap_cfg_discover2(idmap_cfg_handles_t * handles,idmap_pg_config_t * pgcfg)2055 idmap_cfg_discover2(idmap_cfg_handles_t *handles, idmap_pg_config_t *pgcfg)
2056 {
2057 ad_disc_t ad_ctx = handles->ad_ctx;
2058 FILE *status_fp = NULL;
2059 time_t t0, t1;
2060
2061 t0 = time(NULL);
2062 if (DBG(CONFIG, 1))
2063 idmapdlog(LOG_DEBUG, "Running forest discovery.");
2064
2065 status_fp = fopen(IDMAP_CACHEDIR "/discovery.log", "a");
2066 if (status_fp)
2067 ad_disc_set_StatusFP(ad_ctx, status_fp);
2068
2069 if (pgcfg->global_catalog == NULL)
2070 pgcfg->global_catalog =
2071 ad_disc_get_GlobalCatalog(ad_ctx,
2072 AD_DISC_PREFER_SITE,
2073 &pgcfg->global_catalog_auto_disc);
2074
2075 if (pgcfg->global_catalog != NULL) {
2076 pgcfg->domains_in_forest =
2077 ad_disc_get_DomainsInForest(ad_ctx, NULL);
2078
2079 if (!pgcfg->disable_cross_forest_trusts)
2080 discover_trusted_domains(pgcfg, ad_ctx);
2081 }
2082
2083 if (DBG(CONFIG, 1)) {
2084 log_if_unable(pgcfg->global_catalog, "Global Catalog");
2085 log_if_unable(pgcfg->domains_in_forest,
2086 "Domains in the Forest");
2087 /* Empty trusted domains list is OK. */
2088 }
2089
2090 if (status_fp) {
2091 ad_disc_set_StatusFP(ad_ctx, NULL);
2092 (void) fclose(status_fp);
2093 status_fp = NULL;
2094 }
2095
2096 if (DBG(CONFIG, 1))
2097 idmapdlog(LOG_DEBUG, "Forest discovery done.");
2098
2099 /*
2100 * Log when this took more than 30 sec.
2101 */
2102 t1 = time(NULL);
2103 if (t1 > (t0 + 30)) {
2104 idmapdlog(LOG_NOTICE, "Forest discovery took %d sec.",
2105 (int)(t1 - t0));
2106 idmapdlog(LOG_NOTICE, "Check AD join status.");
2107 }
2108 }
2109
2110
2111 /*
2112 * idmap_cfg_load() is called at startup, and periodically via the
2113 * update thread when the auto-discovery TTLs expire, as well as part of
2114 * the refresh method, to update the current configuration. It always
2115 * reads from SMF, but you still have to refresh the service after
2116 * changing the config pg in order for the changes to take effect.
2117 *
2118 * There is one flag:
2119 *
2120 * - CFG_DISCOVER
2121 *
2122 * If CFG_DISCOVER is set then idmap_cfg_load() calls
2123 * idmap_cfg_discover() to discover, via DNS and LDAP lookups, property
2124 * values that weren't set in SMF.
2125 *
2126 * idmap_cfg_load() will log (to LOG_NOTICE) whether the configuration
2127 * changed.
2128 *
2129 * Return values: 0 -> success, -1 -> failure, -2 -> hard failures
2130 * reading from SMF.
2131 */
2132 int
idmap_cfg_load(idmap_cfg_t * cfg,int flags)2133 idmap_cfg_load(idmap_cfg_t *cfg, int flags)
2134 {
2135 const ad_disc_t ad_ctx = cfg->handles.ad_ctx;
2136 int rc = 0;
2137 int errors;
2138 int changed = 0;
2139 int dc_changed = 0;
2140 int ad_reload_required = 0;
2141 idmap_pg_config_t new_pgcfg, *live_pgcfg;
2142
2143 if (DBG(CONFIG, 1))
2144 idmapdlog(LOG_DEBUG, "Loading configuration.");
2145
2146 live_pgcfg = &cfg->pgcfg;
2147 (void) memset(&new_pgcfg, 0, sizeof (new_pgcfg));
2148
2149 (void) pthread_mutex_lock(&cfg->handles.mutex);
2150
2151 if ((rc = idmap_cfg_load_smf(&cfg->handles, &new_pgcfg, &errors)) < -1)
2152 goto err;
2153
2154 if (flags & CFG_DISCOVER) {
2155
2156 ad_disc_refresh(ad_ctx);
2157
2158 /*
2159 * Unless we've been asked to forget the current DC,
2160 * give preference (in order) to the preferred DC if
2161 * configured, or the current DC. These preferences
2162 * reduce undesirable DC changes.
2163 */
2164 if (flags & CFG_FORGET_DC) {
2165 (void) ad_disc_set_PreferredDC(ad_ctx, NULL);
2166 } else if (new_pgcfg.preferred_dc != NULL) {
2167 (void) ad_disc_set_PreferredDC(ad_ctx,
2168 new_pgcfg.preferred_dc);
2169 } else if (live_pgcfg->domain_controller != NULL) {
2170 (void) ad_disc_set_PreferredDC(ad_ctx,
2171 live_pgcfg->domain_controller);
2172 } else {
2173 (void) ad_disc_set_PreferredDC(ad_ctx, NULL);
2174 }
2175
2176 /*
2177 * We want a way to tell adspriv_getdcname_1_svc()
2178 * (and others) that discovery is running and therefore
2179 * they may want to wait a bit or return an error...
2180 */
2181 (void) mutex_lock(&_idmapdstate.addisc_lk);
2182 _idmapdstate.addisc_st |= ADDISC_ST_RUNNING;
2183 (void) mutex_unlock(&_idmapdstate.addisc_lk);
2184
2185 idmap_cfg_discover1(&cfg->handles, &new_pgcfg);
2186
2187 WRLOCK_CONFIG();
2188 (void) mutex_lock(&_idmapdstate.addisc_lk);
2189 _idmapdstate.addisc_st = 0;
2190 (void) cond_broadcast(&_idmapdstate.addisc_cv);
2191 (void) mutex_unlock(&_idmapdstate.addisc_lk);
2192 } else {
2193 WRLOCK_CONFIG();
2194 }
2195
2196 /* Non-discoverable props updated here */
2197
2198 changed += update_uint64(&live_pgcfg->list_size_limit,
2199 &new_pgcfg.list_size_limit, "list_size_limit");
2200
2201 changed += update_uint64(&live_pgcfg->id_cache_timeout,
2202 &new_pgcfg.id_cache_timeout, "id_cache_timeout");
2203
2204 changed += update_uint64(&live_pgcfg->name_cache_timeout,
2205 &new_pgcfg.name_cache_timeout, "name_cache_timeout");
2206
2207 changed += update_uint64(&live_pgcfg->rediscovery_interval,
2208 &new_pgcfg.rediscovery_interval, "rediscovery_interval");
2209
2210 changed += update_string(&live_pgcfg->machine_sid,
2211 &new_pgcfg.machine_sid, "machine_sid");
2212
2213 changed += update_bool(&live_pgcfg->eph_map_unres_sids,
2214 &new_pgcfg.eph_map_unres_sids, "unresolvable_sid_mapping");
2215
2216 changed += update_bool(&live_pgcfg->use_ads,
2217 &new_pgcfg.use_ads, "use_ads");
2218
2219 changed += update_bool(&live_pgcfg->use_lsa,
2220 &new_pgcfg.use_lsa, "use_lsa");
2221
2222 changed += update_bool(&live_pgcfg->disable_cross_forest_trusts,
2223 &new_pgcfg.disable_cross_forest_trusts,
2224 "disable_cross_forest_trusts");
2225
2226 changed += update_enum(&live_pgcfg->directory_based_mapping,
2227 &new_pgcfg.directory_based_mapping, "directory_based_mapping",
2228 directory_mapping_map);
2229
2230 changed += update_string(&live_pgcfg->ad_unixuser_attr,
2231 &new_pgcfg.ad_unixuser_attr, "ad_unixuser_attr");
2232
2233 changed += update_string(&live_pgcfg->ad_unixgroup_attr,
2234 &new_pgcfg.ad_unixgroup_attr, "ad_unixgroup_attr");
2235
2236 changed += update_string(&live_pgcfg->nldap_winname_attr,
2237 &new_pgcfg.nldap_winname_attr, "nldap_winname_attr");
2238
2239 changed += update_string(&live_pgcfg->default_domain,
2240 &new_pgcfg.default_domain, "default_domain");
2241
2242 changed += update_dirs(&live_pgcfg->preferred_dc,
2243 &new_pgcfg.preferred_dc, "preferred_dc");
2244
2245 /* Props that can be discovered or set in SMF updated here */
2246
2247 if (update_string(&live_pgcfg->domain_name,
2248 &new_pgcfg.domain_name, "domain_name")) {
2249 changed++;
2250 ad_reload_required = TRUE;
2251 idmapd_set_krb5_realm(live_pgcfg->domain_name);
2252 }
2253 live_pgcfg->domain_name_auto_disc = new_pgcfg.domain_name_auto_disc;
2254
2255 changed += update_string(&live_pgcfg->domain_guid,
2256 &new_pgcfg.domain_guid, "domain_guid");
2257 live_pgcfg->domain_guid_auto_disc = new_pgcfg.domain_guid_auto_disc;
2258
2259 dc_changed = update_dirs(&live_pgcfg->domain_controller,
2260 &new_pgcfg.domain_controller, "domain_controller");
2261 changed += dc_changed;
2262 live_pgcfg->domain_controller_auto_disc =
2263 new_pgcfg.domain_controller_auto_disc;
2264
2265 changed += update_string(&live_pgcfg->forest_name,
2266 &new_pgcfg.forest_name, "forest_name");
2267 live_pgcfg->forest_name_auto_disc = new_pgcfg.forest_name_auto_disc;
2268
2269 changed += update_string(&live_pgcfg->site_name,
2270 &new_pgcfg.site_name, "site_name");
2271 live_pgcfg->site_name_auto_disc = new_pgcfg.site_name_auto_disc;
2272
2273 if (DBG(CONFIG, 1)) {
2274 if (changed)
2275 idmapdlog(LOG_NOTICE, "Configuration changed");
2276 else
2277 idmapdlog(LOG_NOTICE, "Configuration unchanged");
2278 }
2279
2280 UNLOCK_CONFIG();
2281
2282 if (dc_changed != 0) {
2283 notify_dc_changed();
2284 }
2285
2286 /*
2287 * Discovery2 can take a while.
2288 */
2289 if (flags & CFG_DISCOVER) {
2290 if (live_pgcfg->domain_name != NULL &&
2291 live_pgcfg->forest_name != NULL)
2292 idmap_cfg_discover2(&cfg->handles, &new_pgcfg);
2293 ad_disc_done(ad_ctx);
2294 }
2295
2296 WRLOCK_CONFIG();
2297
2298 /* More props that can be discovered or set in SMF */
2299
2300 changed += update_dirs(&live_pgcfg->global_catalog,
2301 &new_pgcfg.global_catalog, "global_catalog");
2302 live_pgcfg->global_catalog_auto_disc =
2303 new_pgcfg.global_catalog_auto_disc;
2304
2305 /* Props that are only discovered (never in SMF) */
2306
2307 if (update_domains_in_forest(&live_pgcfg->domains_in_forest,
2308 &new_pgcfg.domains_in_forest, "domains_in_forest")) {
2309 changed++;
2310 ad_reload_required = TRUE;
2311 }
2312
2313 if (update_trusted_domains(&live_pgcfg->trusted_domains,
2314 &new_pgcfg.trusted_domains, "trusted_domains")) {
2315 changed++;
2316 if (live_pgcfg->trusted_domains != NULL &&
2317 live_pgcfg->trusted_domains[0].domain[0] != '\0')
2318 ad_reload_required = TRUE;
2319 }
2320
2321 if (update_trusted_forest(&live_pgcfg->trusted_forests,
2322 &live_pgcfg->num_trusted_forests, &new_pgcfg.trusted_forests,
2323 &new_pgcfg.num_trusted_forests, "trusted_forest")) {
2324 changed++;
2325 if (live_pgcfg->trusted_forests != NULL)
2326 ad_reload_required = TRUE;
2327 }
2328
2329 if (DBG(CONFIG, 1)) {
2330 if (changed)
2331 idmapdlog(LOG_NOTICE, "Configuration changed");
2332 else
2333 idmapdlog(LOG_NOTICE, "Configuration unchanged");
2334 }
2335
2336 UNLOCK_CONFIG();
2337
2338 if (ad_reload_required)
2339 reload_ad();
2340
2341 idmap_cfg_unload(&new_pgcfg);
2342
2343 err:
2344 (void) pthread_mutex_unlock(&cfg->handles.mutex);
2345
2346 if (rc < -1)
2347 return (rc);
2348
2349 return ((errors == 0) ? 0 : -1);
2350 }
2351
2352 /*
2353 * Initialize 'cfg'.
2354 */
2355 idmap_cfg_t *
idmap_cfg_init()2356 idmap_cfg_init()
2357 {
2358 idmap_cfg_handles_t *handles;
2359
2360 /* First the smf repository handles: */
2361 idmap_cfg_t *cfg = calloc(1, sizeof (idmap_cfg_t));
2362 if (!cfg) {
2363 idmapdlog(LOG_ERR, "Out of memory");
2364 return (NULL);
2365 }
2366 handles = &cfg->handles;
2367
2368 (void) pthread_mutex_init(&handles->mutex, NULL);
2369
2370 if (!(handles->main = scf_handle_create(SCF_VERSION))) {
2371 idmapdlog(LOG_ERR, "scf_handle_create() failed: %s",
2372 scf_strerror(scf_error()));
2373 goto error;
2374 }
2375
2376 if (scf_handle_bind(handles->main) < 0) {
2377 idmapdlog(LOG_ERR, "scf_handle_bind() failed: %s",
2378 scf_strerror(scf_error()));
2379 goto error;
2380 }
2381
2382 if (!(handles->service = scf_service_create(handles->main)) ||
2383 !(handles->instance = scf_instance_create(handles->main)) ||
2384 !(handles->config_pg = scf_pg_create(handles->main)) ||
2385 !(handles->debug_pg = scf_pg_create(handles->main))) {
2386 idmapdlog(LOG_ERR, "scf handle creation failed: %s",
2387 scf_strerror(scf_error()));
2388 goto error;
2389 }
2390
2391 if (scf_handle_decode_fmri(handles->main,
2392 FMRI_BASE "/:properties/" CONFIG_PG,
2393 NULL, /* scope */
2394 handles->service, /* service */
2395 handles->instance, /* instance */
2396 handles->config_pg, /* pg */
2397 NULL, /* prop */
2398 SCF_DECODE_FMRI_EXACT) < 0) {
2399 idmapdlog(LOG_ERR, "scf_handle_decode_fmri() failed: %s",
2400 scf_strerror(scf_error()));
2401 goto error;
2402 }
2403
2404 if (scf_service_get_pg(handles->service,
2405 DEBUG_PG, handles->debug_pg) < 0) {
2406 idmapdlog(LOG_ERR, "Property group \"%s\": %s",
2407 DEBUG_PG, scf_strerror(scf_error()));
2408 goto error;
2409 }
2410
2411 check_smf_debug_mode(handles);
2412
2413 /* Initialize AD Auto Discovery context */
2414 handles->ad_ctx = ad_disc_init();
2415 if (handles->ad_ctx == NULL)
2416 goto error;
2417
2418 return (cfg);
2419
2420 error:
2421 (void) idmap_cfg_fini(cfg);
2422 return (NULL);
2423 }
2424
2425 void
idmap_cfg_unload(idmap_pg_config_t * pgcfg)2426 idmap_cfg_unload(idmap_pg_config_t *pgcfg)
2427 {
2428
2429 if (pgcfg->default_domain) {
2430 free(pgcfg->default_domain);
2431 pgcfg->default_domain = NULL;
2432 }
2433 if (pgcfg->domain_name) {
2434 free(pgcfg->domain_name);
2435 pgcfg->domain_name = NULL;
2436 }
2437 if (pgcfg->domain_guid) {
2438 free(pgcfg->domain_guid);
2439 pgcfg->domain_guid = NULL;
2440 }
2441 if (pgcfg->machine_sid) {
2442 free(pgcfg->machine_sid);
2443 pgcfg->machine_sid = NULL;
2444 }
2445 if (pgcfg->domain_controller) {
2446 free(pgcfg->domain_controller);
2447 pgcfg->domain_controller = NULL;
2448 }
2449 if (pgcfg->forest_name) {
2450 free(pgcfg->forest_name);
2451 pgcfg->forest_name = NULL;
2452 }
2453 if (pgcfg->site_name) {
2454 free(pgcfg->site_name);
2455 pgcfg->site_name = NULL;
2456 }
2457 if (pgcfg->global_catalog) {
2458 free(pgcfg->global_catalog);
2459 pgcfg->global_catalog = NULL;
2460 }
2461 if (pgcfg->trusted_domains) {
2462 free(pgcfg->trusted_domains);
2463 pgcfg->trusted_domains = NULL;
2464 }
2465 if (pgcfg->trusted_forests)
2466 free_trusted_forests(&pgcfg->trusted_forests,
2467 &pgcfg->num_trusted_forests);
2468
2469 if (pgcfg->ad_unixuser_attr) {
2470 free(pgcfg->ad_unixuser_attr);
2471 pgcfg->ad_unixuser_attr = NULL;
2472 }
2473 if (pgcfg->ad_unixgroup_attr) {
2474 free(pgcfg->ad_unixgroup_attr);
2475 pgcfg->ad_unixgroup_attr = NULL;
2476 }
2477 if (pgcfg->nldap_winname_attr) {
2478 free(pgcfg->nldap_winname_attr);
2479 pgcfg->nldap_winname_attr = NULL;
2480 }
2481 }
2482
2483 int
idmap_cfg_fini(idmap_cfg_t * cfg)2484 idmap_cfg_fini(idmap_cfg_t *cfg)
2485 {
2486 idmap_cfg_handles_t *handles = &cfg->handles;
2487 idmap_cfg_unload(&cfg->pgcfg);
2488
2489 (void) pthread_mutex_destroy(&handles->mutex);
2490 scf_pg_destroy(handles->config_pg);
2491 if (handles->debug_pg != NULL)
2492 scf_pg_destroy(handles->debug_pg);
2493 scf_instance_destroy(handles->instance);
2494 scf_service_destroy(handles->service);
2495 scf_handle_destroy(handles->main);
2496 if (handles->ad_ctx != NULL)
2497 ad_disc_fini(handles->ad_ctx);
2498 free(cfg);
2499
2500 return (0);
2501 }
2502
2503 void
idmap_cfg_poke_updates(void)2504 idmap_cfg_poke_updates(void)
2505 {
2506 int prev_st;
2507
2508 if (DBG(CONFIG, 1)) {
2509 idmapdlog(LOG_INFO, "idmap_cfg_poke_updates");
2510 }
2511
2512 (void) mutex_lock(&_idmapdstate.addisc_lk);
2513 prev_st = _idmapdstate.addisc_st;
2514 _idmapdstate.addisc_st |= ADDISC_ST_REQUESTED;
2515 (void) mutex_unlock(&_idmapdstate.addisc_lk);
2516
2517 if (prev_st & ADDISC_ST_REQUESTED) {
2518 idmapdlog(LOG_DEBUG, "already poked");
2519 } else {
2520 idmapdlog(LOG_DEBUG, "port send poke");
2521 (void) port_send(idmapd_ev_port, POKE_AUTO_DISCOVERY, NULL);
2522 }
2523 }
2524
2525 void
idmap_cfg_force_rediscovery(void)2526 idmap_cfg_force_rediscovery(void)
2527 {
2528 int prev_st;
2529
2530 if (DBG(CONFIG, 1)) {
2531 idmapdlog(LOG_INFO, "idmap_cfg_force_rediscovery");
2532 }
2533
2534 (void) mutex_lock(&_idmapdstate.addisc_lk);
2535 prev_st = _idmapdstate.addisc_st;
2536 _idmapdstate.addisc_st |= ADDISC_ST_REQUESTED;
2537 (void) mutex_unlock(&_idmapdstate.addisc_lk);
2538
2539 if (prev_st & ADDISC_ST_REQUESTED) {
2540 idmapdlog(LOG_DEBUG, "already kicked");
2541 } else {
2542 idmapdlog(LOG_DEBUG, "port send kick");
2543 (void) port_send(idmapd_ev_port, KICK_AUTO_DISCOVERY, NULL);
2544 }
2545 }
2546
2547 /*ARGSUSED*/
2548 void
idmap_cfg_hup_handler(int sig)2549 idmap_cfg_hup_handler(int sig)
2550 {
2551 if (idmapd_ev_port >= 0)
2552 (void) port_send(idmapd_ev_port, RECONFIGURE, NULL);
2553 }
2554
2555 /*
2556 * Upgrade the debug flags.
2557 *
2558 * We're replacing a single debug flag with a fine-grained mechanism that
2559 * is also capable of considerably more verbosity. We'll take a stab at
2560 * producing roughly the same level of output.
2561 */
2562 static
2563 int
upgrade_debug(idmap_cfg_handles_t * handles)2564 upgrade_debug(idmap_cfg_handles_t *handles)
2565 {
2566 boolean_t debug_present;
2567 const char DEBUG_PROP[] = "debug";
2568 int rc;
2569
2570 rc = prop_exists(handles, DEBUG_PROP, &debug_present);
2571
2572 if (rc != 0)
2573 return (rc);
2574
2575 if (!debug_present)
2576 return (0);
2577
2578 idmapdlog(LOG_INFO,
2579 "Upgrading old %s/%s setting to %s/* settings.",
2580 CONFIG_PG, DEBUG_PROP, DEBUG_PG);
2581
2582 rc = set_val_integer(handles, handles->debug_pg, "config", 1);
2583 if (rc != 0)
2584 return (rc);
2585 rc = set_val_integer(handles, handles->debug_pg, "discovery", 1);
2586 if (rc != 0)
2587 return (rc);
2588
2589 rc = del_val(handles, handles->config_pg, DEBUG_PROP);
2590 if (rc != 0)
2591 return (rc);
2592
2593 return (0);
2594 }
2595
2596 /*
2597 * Upgrade the DS mapping flags.
2598 *
2599 * If the old ds_name_mapping_enabled flag is present, then
2600 * if the new directory_based_mapping value is present, then
2601 * if the two are compatible, delete the old and note it
2602 * else delete the old and warn
2603 * else
2604 * set the new based on the old, and note it
2605 * delete the old
2606 */
2607 static
2608 int
upgrade_directory_mapping(idmap_cfg_handles_t * handles)2609 upgrade_directory_mapping(idmap_cfg_handles_t *handles)
2610 {
2611 boolean_t legacy_ds_name_mapping_present;
2612 const char DS_NAME_MAPPING_ENABLED[] = "ds_name_mapping_enabled";
2613 const char DIRECTORY_BASED_MAPPING[] = "directory_based_mapping";
2614 int rc;
2615
2616 rc = prop_exists(handles, DS_NAME_MAPPING_ENABLED,
2617 &legacy_ds_name_mapping_present);
2618
2619 if (rc != 0)
2620 return (rc);
2621
2622 if (!legacy_ds_name_mapping_present)
2623 return (0);
2624
2625 boolean_t legacy_ds_name_mapping_enabled;
2626 rc = get_val_bool(handles, DS_NAME_MAPPING_ENABLED,
2627 &legacy_ds_name_mapping_enabled, B_FALSE);
2628 if (rc != 0)
2629 return (rc);
2630
2631 char *legacy_mode;
2632 char *legacy_bool_string;
2633 if (legacy_ds_name_mapping_enabled) {
2634 legacy_mode = "name";
2635 legacy_bool_string = "true";
2636 } else {
2637 legacy_mode = "none";
2638 legacy_bool_string = "false";
2639 }
2640
2641 char *directory_based_mapping;
2642 rc = get_val_astring(handles, DIRECTORY_BASED_MAPPING,
2643 &directory_based_mapping);
2644 if (rc != 0)
2645 return (rc);
2646
2647 if (directory_based_mapping == NULL) {
2648 idmapdlog(LOG_INFO,
2649 "Upgrading old %s=%s setting\n"
2650 "to %s=%s.",
2651 DS_NAME_MAPPING_ENABLED, legacy_bool_string,
2652 DIRECTORY_BASED_MAPPING, legacy_mode);
2653 rc = set_val_astring(handles, handles->config_pg,
2654 DIRECTORY_BASED_MAPPING, legacy_mode);
2655 if (rc != 0)
2656 return (rc);
2657 } else {
2658 boolean_t new_name_mapping;
2659 if (strcasecmp(directory_based_mapping, "name") == 0)
2660 new_name_mapping = B_TRUE;
2661 else
2662 new_name_mapping = B_FALSE;
2663
2664 if (legacy_ds_name_mapping_enabled == new_name_mapping) {
2665 idmapdlog(LOG_INFO,
2666 "Automatically removing old %s=%s setting\n"
2667 "in favor of %s=%s.",
2668 DS_NAME_MAPPING_ENABLED, legacy_bool_string,
2669 DIRECTORY_BASED_MAPPING, directory_based_mapping);
2670 } else {
2671 idmapdlog(LOG_WARNING,
2672 "Removing conflicting %s=%s setting\n"
2673 "in favor of %s=%s.",
2674 DS_NAME_MAPPING_ENABLED, legacy_bool_string,
2675 DIRECTORY_BASED_MAPPING, directory_based_mapping);
2676 }
2677 free(directory_based_mapping);
2678 }
2679
2680 rc = del_val(handles, handles->config_pg, DS_NAME_MAPPING_ENABLED);
2681 if (rc != 0)
2682 return (rc);
2683
2684 return (0);
2685 }
2686
2687 /*
2688 * Do whatever is necessary to upgrade idmap's configuration before
2689 * we load it.
2690 */
2691 int
idmap_cfg_upgrade(idmap_cfg_t * cfg)2692 idmap_cfg_upgrade(idmap_cfg_t *cfg)
2693 {
2694 int rc;
2695
2696 rc = upgrade_directory_mapping(&cfg->handles);
2697 if (rc != 0)
2698 return (rc);
2699
2700 rc = upgrade_debug(&cfg->handles);
2701 if (rc != 0)
2702 return (rc);
2703
2704 return (0);
2705 }
2706
2707 /*
2708 * The LDAP code passes principal names lacking any
2709 * realm information, which causes mech_krb5 to do
2710 * awful things trying to figure out the realm.
2711 * Avoid that by making sure it has a default,
2712 * even when krb5.conf is not configured.
2713 */
2714 static void
idmapd_set_krb5_realm(char * domain)2715 idmapd_set_krb5_realm(char *domain)
2716 {
2717 static char realm[MAXHOSTNAMELEN];
2718 size_t ilen, olen;
2719 int err;
2720
2721 if (domain == NULL) {
2722 (void) unsetenv("KRB5_DEFAULT_REALM");
2723 return;
2724 }
2725
2726 /* Convert to upper case, in place. */
2727 (void) strlcpy(realm, domain, sizeof (realm));
2728 olen = ilen = strlen(realm);
2729 (void) u8_textprep_str(realm, &ilen, realm, &olen,
2730 U8_TEXTPREP_TOUPPER, U8_UNICODE_LATEST, &err);
2731
2732 (void) setenv("KRB5_DEFAULT_REALM", realm, 1);
2733 }
2734