1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2013 Nexenta Systems, Inc. All rights reserved.
24 */
25
26 /*
27 * Initialization routines
28 */
29
30 #include "idmapd.h"
31 #include <signal.h>
32 #include <thread.h>
33 #include <string.h>
34 #include <errno.h>
35 #include <assert.h>
36 #include <unistd.h>
37 #include <sys/types.h>
38 #include <sys/stat.h>
39 #include <rpcsvc/daemon_utils.h>
40
41
42 int
init_mapping_system()43 init_mapping_system()
44 {
45 int rc = 0;
46
47 if (rwlock_init(&_idmapdstate.rwlk_cfg, USYNC_THREAD, NULL) != 0)
48 return (-1);
49 if ((rc = load_config()) < 0)
50 return (rc);
51
52 (void) setegid(DAEMON_GID);
53 (void) seteuid(DAEMON_UID);
54 if (init_dbs() < 0) {
55 rc = -1;
56 fini_mapping_system();
57 }
58 (void) seteuid(0);
59 (void) setegid(0);
60
61 return (rc);
62 }
63
64 void
fini_mapping_system()65 fini_mapping_system()
66 {
67 fini_dbs();
68 }
69
70 int
load_config()71 load_config()
72 {
73 int rc;
74 if ((_idmapdstate.cfg = idmap_cfg_init()) == NULL) {
75 degrade_svc(0, "failed to initialize config");
76 return (-1);
77 }
78
79 rc = idmap_cfg_upgrade(_idmapdstate.cfg);
80 if (rc != 0) {
81 degrade_svc(0, "fatal error while upgrading configuration");
82 return (rc);
83 }
84
85 rc = idmap_cfg_load(_idmapdstate.cfg, 0);
86 if (rc < -1) {
87 /* Total failure */
88 degrade_svc(0, "fatal error while loading configuration");
89 return (rc);
90 }
91
92 if (rc != 0)
93 /* Partial failure */
94 idmapdlog(LOG_ERR, "Various errors occurred while loading "
95 "the configuration; check the logs");
96
97 if ((rc = idmap_cfg_start_updates()) < 0) {
98 /* Total failure */
99 degrade_svc(0, "could not start config updater");
100 return (rc);
101 }
102
103 if (DBG(CONFIG, 1))
104 idmapdlog(LOG_DEBUG, "Initial configuration loaded");
105
106 return (0);
107 }
108
109
110 void
reload_gcs()111 reload_gcs()
112 {
113 int i, j;
114 adutils_ad_t **new_gcs;
115 adutils_ad_t **old_gcs = _idmapdstate.gcs;
116 int new_num_gcs;
117 int old_num_gcs = _idmapdstate.num_gcs;
118 idmap_pg_config_t *pgcfg = &_idmapdstate.cfg->pgcfg;
119 idmap_trustedforest_t *trustfor = pgcfg->trusted_forests;
120 int num_trustfor = pgcfg->num_trusted_forests;
121 ad_disc_domainsinforest_t *domain_in_forest;
122
123 if (pgcfg->use_ads == B_FALSE ||
124 pgcfg->domain_name == NULL) {
125 /*
126 * ADS disabled, or no domain name specified.
127 * Not using adutils. (but still can use lsa)
128 */
129 new_gcs = NULL;
130 new_num_gcs = 0;
131 goto out;
132 }
133
134 if (pgcfg->global_catalog == NULL ||
135 pgcfg->global_catalog[0].host[0] == '\0') {
136 /*
137 * No GCs. Continue to use the previous AD config in case
138 * that's still good but auto-discovery had a transient failure.
139 * If that stops working we'll go into degraded mode anyways
140 * when it does.
141 */
142 degrade_svc(0,
143 "Global Catalog servers not configured/discoverable");
144 return;
145 }
146
147 new_num_gcs = 1 + num_trustfor;
148 new_gcs = calloc(new_num_gcs, sizeof (adutils_ad_t *));
149 if (new_gcs == NULL) {
150 degrade_svc(0, "could not allocate AD context array "
151 "(out of memory)");
152 return;
153 }
154
155 if (adutils_ad_alloc(&new_gcs[0], NULL, ADUTILS_AD_GLOBAL_CATALOG) !=
156 ADUTILS_SUCCESS) {
157 free(new_gcs);
158 degrade_svc(0, "could not initialize AD context "
159 "(out of memory)");
160 return;
161 }
162
163 for (i = 0; pgcfg->global_catalog[i].host[0] != '\0'; i++) {
164 if (idmap_add_ds(new_gcs[0],
165 pgcfg->global_catalog[i].host,
166 pgcfg->global_catalog[i].port) != 0) {
167 adutils_ad_free(&new_gcs[0]);
168 free(new_gcs);
169 degrade_svc(0, "could not set AD hosts "
170 "(out of memory)");
171 return;
172 }
173 }
174
175 if (pgcfg->domains_in_forest != NULL) {
176 for (i = 0; pgcfg->domains_in_forest[i].domain[0] != '\0';
177 i++) {
178 if (adutils_add_domain(new_gcs[0],
179 pgcfg->domains_in_forest[i].domain,
180 pgcfg->domains_in_forest[i].sid) != 0) {
181 adutils_ad_free(&new_gcs[0]);
182 free(new_gcs);
183 degrade_svc(0, "could not set AD domains "
184 "(out of memory)");
185 return;
186 }
187 }
188 }
189
190 for (i = 0; i < num_trustfor; i++) {
191 if (adutils_ad_alloc(&new_gcs[i + 1], NULL,
192 ADUTILS_AD_GLOBAL_CATALOG) != ADUTILS_SUCCESS) {
193 degrade_svc(0, "could not initialize trusted AD "
194 "context (out of memory)");
195 new_num_gcs = i + 1;
196 goto out;
197 }
198 for (j = 0; trustfor[i].global_catalog[j].host[0] != '\0';
199 j++) {
200 if (idmap_add_ds(new_gcs[i + 1],
201 trustfor[i].global_catalog[j].host,
202 trustfor[i].global_catalog[j].port) != 0) {
203 adutils_ad_free(&new_gcs[i + 1]);
204 degrade_svc(0, "could not set trusted "
205 "AD hosts (out of memory)");
206 new_num_gcs = i + 1;
207 goto out;
208 }
209 }
210 for (j = 0; trustfor[i].domains_in_forest[j].domain[0] != '\0';
211 j++) {
212 domain_in_forest = &trustfor[i].domains_in_forest[j];
213 /* Only add domains which are marked */
214 if (domain_in_forest->trusted) {
215 if (adutils_add_domain(new_gcs[i + 1],
216 domain_in_forest->domain,
217 domain_in_forest->sid) != 0) {
218 adutils_ad_free(&new_gcs[i + 1]);
219 degrade_svc(0, "could not set trusted "
220 "AD domains (out of memory)");
221 new_num_gcs = i + 1;
222 goto out;
223 }
224 }
225 }
226 }
227
228 out:
229 _idmapdstate.gcs = new_gcs;
230 _idmapdstate.num_gcs = new_num_gcs;
231
232 if (old_gcs != NULL) {
233 for (i = 0; i < old_num_gcs; i++)
234 adutils_ad_free(&old_gcs[i]);
235 free(old_gcs);
236 }
237 }
238
239 /*
240 * NEEDSWORK: This should load entries for domain servers for all known
241 * domains - the joined domain, other domains in the forest, and trusted
242 * domains in other forests. However, we don't yet discover any DCs other
243 * than the DCs for the joined domain.
244 */
245 static
246 void
reload_dcs(void)247 reload_dcs(void)
248 {
249 int i;
250 adutils_ad_t **new_dcs;
251 adutils_ad_t **old_dcs = _idmapdstate.dcs;
252 int new_num_dcs;
253 int old_num_dcs = _idmapdstate.num_dcs;
254 idmap_pg_config_t *pgcfg = &_idmapdstate.cfg->pgcfg;
255
256 if (pgcfg->use_ads == B_FALSE ||
257 pgcfg->domain_name == NULL) {
258 /*
259 * ADS disabled, or no domain name specified.
260 * Not using adutils. (but still can use lsa)
261 */
262 new_dcs = NULL;
263 new_num_dcs = 0;
264 goto out;
265 }
266
267 if (pgcfg->domain_controller == NULL ||
268 pgcfg->domain_controller[0].host[0] == '\0') {
269 /*
270 * No DCs. Continue to use the previous AD config in case
271 * that's still good but auto-discovery had a transient failure.
272 * If that stops working we'll go into degraded mode anyways
273 * when it does.
274 */
275 degrade_svc(0,
276 "Domain controller servers not configured/discoverable");
277 return;
278 }
279
280 new_num_dcs = 1;
281 new_dcs = calloc(new_num_dcs, sizeof (adutils_ad_t *));
282 if (new_dcs == NULL)
283 goto nomem;
284
285 if (adutils_ad_alloc(&new_dcs[0], pgcfg->domain_name,
286 ADUTILS_AD_DATA) != ADUTILS_SUCCESS)
287 goto nomem;
288
289 for (i = 0; pgcfg->domain_controller[i].host[0] != '\0'; i++) {
290 if (idmap_add_ds(new_dcs[0],
291 pgcfg->domain_controller[i].host,
292 pgcfg->domain_controller[i].port) != 0)
293 goto nomem;
294 }
295
296 /*
297 * NEEDSWORK: All we need here is to add the domain and SID for
298 * this DC to the list of domains supported by this entry. Isn't
299 * there an easier way to find the SID than to walk through the list
300 * of all of the domains in the forest?
301 */
302 ad_disc_domainsinforest_t *dif = pgcfg->domains_in_forest;
303 if (dif != NULL) {
304 for (; dif->domain[0] != '\0'; dif++) {
305 if (domain_eq(pgcfg->domain_name, dif->domain)) {
306 if (adutils_add_domain(new_dcs[0],
307 dif->domain, dif->sid) != 0)
308 goto nomem;
309 break;
310 }
311 }
312 }
313
314 out:
315 _idmapdstate.dcs = new_dcs;
316 _idmapdstate.num_dcs = new_num_dcs;
317
318 if (old_dcs != NULL) {
319 for (i = 0; i < old_num_dcs; i++)
320 adutils_ad_free(&old_dcs[i]);
321 free(old_dcs);
322 }
323
324 return;
325
326 nomem:
327 degrade_svc(0, "out of memory");
328
329 if (new_dcs != NULL) {
330 if (new_dcs[0] != NULL)
331 adutils_ad_free(&new_dcs[0]);
332 free(new_dcs);
333 }
334 }
335
336
337 void
reload_ad(void)338 reload_ad(void)
339 {
340 reload_gcs();
341 reload_dcs();
342 }
343
344 void
print_idmapdstate(void)345 print_idmapdstate(void)
346 {
347 int i, j;
348 idmap_pg_config_t *pgcfg;
349 idmap_trustedforest_t *tf;
350
351 RDLOCK_CONFIG();
352
353 if (_idmapdstate.cfg == NULL) {
354 idmapdlog(LOG_INFO, "Null configuration");
355 UNLOCK_CONFIG();
356 return;
357 }
358
359 pgcfg = &_idmapdstate.cfg->pgcfg;
360
361 idmapdlog(LOG_DEBUG, "list_size_limit=%llu", pgcfg->list_size_limit);
362 idmapdlog(LOG_DEBUG, "default_domain=%s",
363 CHECK_NULL(pgcfg->default_domain));
364 idmapdlog(LOG_DEBUG, "domain_name=%s", CHECK_NULL(pgcfg->domain_name));
365 idmapdlog(LOG_DEBUG, "machine_sid=%s", CHECK_NULL(pgcfg->machine_sid));
366 if (pgcfg->domain_controller == NULL ||
367 pgcfg->domain_controller[0].host[0] == '\0') {
368 idmapdlog(LOG_DEBUG, "No domain controllers known");
369 } else {
370 for (i = 0; pgcfg->domain_controller[i].host[0] != '\0'; i++)
371 idmapdlog(LOG_DEBUG, "domain_controller=%s port=%d",
372 pgcfg->domain_controller[i].host,
373 pgcfg->domain_controller[i].port);
374 }
375 idmapdlog(LOG_DEBUG, "forest_name=%s", CHECK_NULL(pgcfg->forest_name));
376 idmapdlog(LOG_DEBUG, "site_name=%s", CHECK_NULL(pgcfg->site_name));
377 if (pgcfg->global_catalog == NULL ||
378 pgcfg->global_catalog[0].host[0] == '\0') {
379 idmapdlog(LOG_DEBUG, "No global catalog servers known");
380 } else {
381 for (i = 0; pgcfg->global_catalog[i].host[0] != '\0'; i++)
382 idmapdlog(LOG_DEBUG, "global_catalog=%s port=%d",
383 pgcfg->global_catalog[i].host,
384 pgcfg->global_catalog[i].port);
385 }
386 if (pgcfg->domains_in_forest == NULL ||
387 pgcfg->domains_in_forest[0].domain[0] == '\0') {
388 idmapdlog(LOG_DEBUG, "No domains in forest %s known",
389 CHECK_NULL(pgcfg->forest_name));
390 } else {
391 for (i = 0; pgcfg->domains_in_forest[i].domain[0] != '\0'; i++)
392 idmapdlog(LOG_DEBUG, "domains in forest %s = %s",
393 CHECK_NULL(pgcfg->forest_name),
394 pgcfg->domains_in_forest[i].domain);
395 }
396 if (pgcfg->trusted_domains == NULL ||
397 pgcfg->trusted_domains[0].domain[0] == '\0') {
398 idmapdlog(LOG_DEBUG, "No trusted domains known");
399 } else {
400 for (i = 0; pgcfg->trusted_domains[i].domain[0] != '\0'; i++)
401 idmapdlog(LOG_DEBUG, "trusted domain = %s",
402 pgcfg->trusted_domains[i].domain);
403 }
404
405 for (i = 0; i < pgcfg->num_trusted_forests; i++) {
406 tf = &pgcfg->trusted_forests[i];
407 for (j = 0; tf->global_catalog[j].host[0] != '\0'; j++)
408 idmapdlog(LOG_DEBUG,
409 "trusted forest %s global_catalog=%s port=%d",
410 tf->forest_name,
411 tf->global_catalog[j].host,
412 tf->global_catalog[j].port);
413 for (j = 0; tf->domains_in_forest[j].domain[0] != '\0'; j++) {
414 if (tf->domains_in_forest[j].trusted) {
415 idmapdlog(LOG_DEBUG,
416 "trusted forest %s domain=%s",
417 tf->forest_name,
418 tf->domains_in_forest[j].domain);
419 }
420 }
421 }
422
423 idmapdlog(LOG_DEBUG, "directory_based_mapping=%s",
424 enum_lookup(pgcfg->directory_based_mapping, directory_mapping_map));
425 idmapdlog(LOG_DEBUG, "ad_unixuser_attr=%s",
426 CHECK_NULL(pgcfg->ad_unixuser_attr));
427 idmapdlog(LOG_DEBUG, "ad_unixgroup_attr=%s",
428 CHECK_NULL(pgcfg->ad_unixgroup_attr));
429 idmapdlog(LOG_DEBUG, "nldap_winname_attr=%s",
430 CHECK_NULL(pgcfg->nldap_winname_attr));
431
432 UNLOCK_CONFIG();
433 }
434
435 int
create_directory(const char * path,uid_t uid,gid_t gid)436 create_directory(const char *path, uid_t uid, gid_t gid)
437 {
438 int rc;
439
440 if ((rc = mkdir(path, 0700)) < 0 && errno != EEXIST) {
441 idmapdlog(LOG_ERR, "Error creating directory %s (%s)",
442 path, strerror(errno));
443 return (-1);
444 }
445
446 if (lchown(path, uid, gid) < 0) {
447 idmapdlog(LOG_ERR, "Error creating directory %s (%s)",
448 path, strerror(errno));
449 if (rc == 0)
450 (void) rmdir(path);
451 return (-1);
452 }
453 return (0);
454 }
455