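/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright 2019 Nexenta Systems, Inc.  All rights reserved.
 * Copyright 2023 RackTop Systems, Inc.
 */


/*
 * Config routines common to idmap(8) and idmapd(8)
 */

#include <stdlib.h>
#include <strings.h>
#include <libintl.h>
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdarg.h>
#include <uuid/uuid.h>
#include <pthread.h>
#include <port.h>
#include <sys/socket.h>
#include <net/route.h>
#include <sys/u8_textprep.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <note.h>
#include <limits.h>
#include "idmapd.h"
#include "addisc.h"

#define	MACHINE_SID_LEN		(9 + 3 * 11)
#define	FMRI_BASE		"svc:/system/idmap"
#define	CONFIG_PG		"config"
#define	DEBUG_PG		"debug"
#define	RECONFIGURE		1
#define	POKE_AUTO_DISCOVERY	2
#define	KICK_AUTO_DISCOVERY	3

/*
 * Largest port number accepted in a "host:port" property value.
 */
#define	MAX_PORT_NUMBER		65535

/*
 * Default cache timeouts.  Can override via svccfg
 * config/id_cache_timeout = count: seconds
 * config/name_cache_timeout = count: seconds
 */
#define	ID_CACHE_TMO_DEFAULT	86400
#define	NAME_CACHE_TMO_DEFAULT	604800

/*
 * Default maximum time between rediscovery runs.
 * config/rediscovery_interval = count: seconds
 */
#define	REDISCOVERY_INTERVAL_DEFAULT	3600

/*
 * Minimum time between rediscovery runs, in case adutils gives us a
 * really short TTL (which it never should, but be defensive)
 * (not configurable) seconds.
 */
#define	MIN_REDISCOVERY_INTERVAL	60

/*
 * Max number of concurrent door calls
 */
#define	MAX_THREADS_DEFAULT	40

/*
 * Number of failed discovery attempts before we mark the service degraded.
 */
#define	DISCOVERY_RETRY_DEGRADE_CUTOFF	6

/*
 * Default maximum time between discovery attempts when we don't have a DC.
 * config/discovery_retry_max_delay = count: seconds
 */
#define	DISCOVERY_RETRY_MAX_DELAY_DEFAULT	30

/*
 * Initial retry delay when discovery fails. Doubles on every failure.
 */
#define	DISCOVERY_RETRY_INITIAL_DELAY	1

enum event_type {
	EVENT_NOTHING,	/* Woke up for no good reason */
	EVENT_TIMEOUT,	/* Timeout expired */
	EVENT_ROUTING,	/* An interesting routing event happened */
	EVENT_POKED,	/* Requested from degrade_svc() */
	EVENT_KICKED,	/* Force rediscovery, i.e. DC failed. */
	EVENT_REFRESH,	/* SMF refresh */
};


static void idmapd_set_krb5_realm(char *);

static pthread_t update_thread_handle = 0;

static int idmapd_ev_port = -1;
static int rt_sock = -1;

struct enum_lookup_map directory_mapping_map[] = {
	{ DIRECTORY_MAPPING_NONE, "none" },
	{ DIRECTORY_MAPPING_NAME, "name" },
	{ DIRECTORY_MAPPING_IDMU, "idmu" },
	{ 0, NULL },
};

struct enum_lookup_map trust_dir_map[] = {
	{ 1, "they trust us" },
	{ 2, "we trust them" },
	{ 3, "we trust each other" },
	{ 0, NULL },
};

/*
 * Allocate *machine_uuid and fill it with the printable form of a newly
 * generated time-based UUID.  The caller owns the buffer.
 * Returns 0 on success, -1 if the allocation fails.
 */
static int
generate_machine_uuid(char **machine_uuid)
{
	uuid_t uu;

	*machine_uuid = calloc(1, UUID_PRINTABLE_STRING_LENGTH + 1);
	if (*machine_uuid == NULL) {
		idmapdlog(LOG_ERR, "Out of memory");
		return (-1);
	}

	uuid_clear(uu);
	uuid_generate_time(uu);
	uuid_unparse(uu, *machine_uuid);

	return (0);
}

/*
 * Derive the machine SID string from the printable machine UUID.
 * *machine_sid is allocated by asprintf(); the caller owns it.
 * Returns 0 on success, -1 if the string cannot be allocated.
 */
static int
generate_machine_sid(char **machine_sid, char *machine_uuid)
{
	union {
		uuid_t uu;
		uint32_t v[4];
	} uv;
	int len;

	/*
	 * Split the 128-bit machine UUID into three 32-bit values
	 * we'll use as the "sub-authorities" of the machine SID.
	 * The machine_sid will have the form S-1-5-21-J-K-L
	 * (that's four sub-authorities altogether) where:
	 *	J = last 4 bytes of node_addr,
	 *	K = time_mid, time_hi_and_version
	 *	L = time_low
	 * (see struct uuid)
	 */

	(void) memset(&uv, 0, sizeof (uv));
	/*
	 * NOTE(review): the uuid_parse() result is discarded, so a
	 * machine_uuid that does not parse is not detected here.  uv was
	 * zeroed just above, so the SID would presumably be built from
	 * zero sub-authorities -- confirm whether the UUID is validated
	 * before it reaches this function.
	 */
	(void) uuid_parse(machine_uuid, uv.uu);

	len = asprintf(machine_sid, "S-1-5-21-%u-%u-%u",
	    uv.v[3], uv.v[0], uv.v[1]);

	if (len == -1 || *machine_sid == NULL) {
		idmapdlog(LOG_ERR, "Out of memory");
		return (-1);
	}

	return (0);
}


/*
 * Report in *exists whether property "name" is present in the config
 * property group.  Returns 0 when the lookup could be attempted, -1 if
 * the property handle cannot be created.
 *
 * In the case of error, exists is set to FALSE anyway
 */
static int
prop_exists(idmap_cfg_handles_t *handles, const char *name, boolean_t *exists)
{

	scf_property_t *scf_prop;

	*exists = B_FALSE;

	scf_prop = scf_property_create(handles->main);
	if (scf_prop == NULL) {
		idmapdlog(LOG_ERR, "scf_property_create() failed: %s",
		    scf_strerror(scf_error()));
		return (-1);
	}

	if (scf_pg_get_property(handles->config_pg, name, scf_prop) == 0)
		*exists = B_TRUE;

	scf_property_destroy(scf_prop);

	return (0);
}

/*
 * Read integer property "name" from the debug property group.
 * Returns 0 when the property is undefined or has no value.  Handle
 * creation failures and a value that is not an integer abort() the
 * process.  The 64-bit value is narrowed to int on return.
 */
static int
get_debug(idmap_cfg_handles_t *handles, const char *name)
{
	int64_t i64 = 0;

	scf_property_t *scf_prop;
	scf_value_t *value;

	scf_prop = scf_property_create(handles->main);
	if (scf_prop == NULL) {
		idmapdlog(LOG_ERR, "scf_property_create() failed: %s",
		    scf_strerror(scf_error()));
		abort();
	}
	value = scf_value_create(handles->main);
	if (value == NULL) {
		idmapdlog(LOG_ERR, "scf_value_create() failed: %s",
		    scf_strerror(scf_error()));
		abort();
	}

	if (scf_pg_get_property(handles->debug_pg, name, scf_prop) < 0) {
		/* this is OK: the property is just undefined */
		goto destruction;
	}


	if (scf_property_get_value(scf_prop, value) < 0) {
		/* It is still OK when a property doesn't have any value */
		goto destruction;
	}

	if (scf_value_get_integer(value, &i64) != 0) {
		idmapdlog(LOG_ERR, "Can not retrieve %s/%s: %s",
		    DEBUG_PG, name, scf_strerror(scf_error()));
		abort();
	}

destruction:
	scf_value_destroy(value);
	scf_property_destroy(scf_prop);

	return ((int)i64);
}

/*
 * Read boolean property "name" from the config property group into
 * *val.  *val is set to default_val first and keeps it when the
 * property is undefined or has no value.  Returns 0 in those cases and
 * on success, -1 if a handle cannot be created, otherwise the result of
 * scf_value_get_boolean().
 */
static int
get_val_bool(idmap_cfg_handles_t *handles, const char *name,
    boolean_t *val, boolean_t default_val)
{
	int rc = 0;

	scf_property_t *scf_prop;
	scf_value_t *value;

	*val = default_val;

	scf_prop = scf_property_create(handles->main);
	if (scf_prop == NULL) {
		idmapdlog(LOG_ERR, "scf_property_create() failed: %s",
		    scf_strerror(scf_error()));
		return (-1);
	}
	value = scf_value_create(handles->main);
	if (value == NULL) {
		idmapdlog(LOG_ERR, "scf_value_create() failed: %s",
		    scf_strerror(scf_error()));
		scf_property_destroy(scf_prop);
		return (-1);
	}

	/* It is OK if the property is undefined */
	if (scf_pg_get_property(handles->config_pg, name, scf_prop) < 0)
		goto destruction;


	/* It is still OK when a property doesn't have any value */
	if (scf_property_get_value(scf_prop, value) < 0)
		goto destruction;

	uint8_t b;
	rc = scf_value_get_boolean(value, &b);

	if (rc == 0)
		*val = (boolean_t)b;

destruction:
	scf_value_destroy(value);
	scf_property_destroy(scf_prop);

	return (rc);
}

/*
 * Read integer property "name" from the config property group.
 * "type" selects how "val" is interpreted: SCF_TYPE_COUNT writes a
 * uint64_t, SCF_TYPE_INTEGER an int64_t; any other type abort()s.
 * *val is zeroed first and stays zero when the property is undefined or
 * has no value.  Returns 0 in those cases and on success, -1 if a
 * handle cannot be created, otherwise the failing getter's result.
 */
static int
get_val_int(idmap_cfg_handles_t *handles, const char *name,
    void *val, scf_type_t type)
{
	int rc = 0;

	scf_property_t *scf_prop;
	scf_value_t *value;

	switch (type) {
	case SCF_TYPE_COUNT:
		*(uint64_t *)val = 0;
		break;
	case SCF_TYPE_INTEGER:
		*(int64_t *)val = 0;
		break;
	default:
		idmapdlog(LOG_ERR, "Invalid scf integer type (%d)",
		    type);
		abort();
	}

	scf_prop = scf_property_create(handles->main);
	if (scf_prop == NULL) {
		idmapdlog(LOG_ERR, "scf_property_create() failed: %s",
		    scf_strerror(scf_error()));
		return (-1);
	}
	value = scf_value_create(handles->main);
	if (value == NULL) {
		idmapdlog(LOG_ERR, "scf_value_create() failed: %s",
		    scf_strerror(scf_error()));
		scf_property_destroy(scf_prop);
		return (-1);
	}

	if (scf_pg_get_property(handles->config_pg, name, scf_prop) < 0)
		/* this is OK: the property is just undefined */
		goto destruction;


	if (scf_property_get_value(scf_prop, value) < 0)
		/* It is still OK when a property doesn't have any value */
		goto destruction;

	switch (type) {
	case SCF_TYPE_COUNT:
		rc = scf_value_get_count(value, val);
		break;
	case SCF_TYPE_INTEGER:
		rc = scf_value_get_integer(value, val);
		break;
	default:
		abort();	/* tested above */
		/* NOTREACHED */
	}

	if (rc != 0) {
		idmapdlog(LOG_ERR, "Can not retrieve config/%s: %s",
		    name, scf_strerror(scf_error()));
	}

destruction:
	scf_value_destroy(value);
	scf_property_destroy(scf_prop);

	return (rc);
}

/*
 * Return a newly allocated copy of the astring held in "value", or NULL
 * on failure (logged).  "name" is used only in log messages.  The
 * caller frees the result.
 *
 * The scratch buffer is sized from scf_limit() and lives on the heap:
 * a failed scf_limit() call must not be turned into a buffer length,
 * and the length is not a compile-time constant, so it is kept off the
 * stack.
 */
static char *
scf_value2string(const char *name, scf_value_t *value)
{
	static size_t max_val = 0;
	char *buf;
	char *s;

	if (max_val == 0) {
		ssize_t limit = scf_limit(SCF_LIMIT_MAX_VALUE_LENGTH);

		if (limit <= 0) {
			idmapdlog(LOG_ERR, "scf_limit() failed: %s",
			    scf_strerror(scf_error()));
			return (NULL);
		}
		max_val = (size_t)limit;
	}

	buf = malloc(max_val + 1);
	if (buf == NULL) {
		idmapdlog(LOG_ERR, "Out of memory");
		return (NULL);
	}

	if (scf_value_get_astring(value, buf, max_val + 1) < 0) {
		idmapdlog(LOG_ERR, "Can not retrieve config/%s: %s",
		    name, scf_strerror(scf_error()));
		free(buf);
		return (NULL);
	}

	/* Hand back a right-sized copy rather than the scratch buffer. */
	s = strdup(buf);
	if (s == NULL)
		idmapdlog(LOG_ERR, "Out of memory");

	free(buf);
	return (s);
}

/*
 * Read the multi-valued property "name" from the config property group
 * as a list of directory servers.  Each value is "host" or "host:port";
 * a missing, zero or unparsable port means "defport".  Each host is
 * resolved with getaddrinfo().
 *
 * On success *val is NULL when the property is undefined or no value
 * was usable; otherwise it is a calloc()ed array owned by the caller
 * whose last entry has an empty host.  Values that are empty, too
 * long, carry an out-of-range port or do not resolve are logged and
 * skipped.
 *
 * Returns 0 on success, -1 on failure (with *val set to NULL).
 */
static int
get_val_ds(idmap_cfg_handles_t *handles, const char *name, int defport,
    ad_disc_ds_t **val)
{
	char port_str[8];
	struct addrinfo hints;
	struct addrinfo *ai;
	ad_disc_ds_t *servers = NULL;
	scf_property_t *scf_prop;
	scf_value_t *value;
	scf_iter_t *iter;
	char *host, *portstr;
	long port;
	int err, len, i;
	int count = 0;
	int rc = -1;

	*val = NULL;

restart:
	scf_prop = scf_property_create(handles->main);
	if (scf_prop == NULL) {
		idmapdlog(LOG_ERR, "scf_property_create() failed: %s",
		    scf_strerror(scf_error()));
		return (-1);
	}

	value = scf_value_create(handles->main);
	if (value == NULL) {
		idmapdlog(LOG_ERR, "scf_value_create() failed: %s",
		    scf_strerror(scf_error()));
		scf_property_destroy(scf_prop);
		return (-1);
	}

	iter = scf_iter_create(handles->main);
	if (iter == NULL) {
		idmapdlog(LOG_ERR, "scf_iter_create() failed: %s",
		    scf_strerror(scf_error()));
		scf_value_destroy(value);
		scf_property_destroy(scf_prop);
		return (-1);
	}

	if (scf_pg_get_property(handles->config_pg, name, scf_prop) < 0) {
		/* this is OK: the property is just undefined */
		rc = 0;
		goto destruction;
	}

	if (scf_iter_property_values(iter, scf_prop) < 0) {
		idmapdlog(LOG_ERR,
		    "scf_iter_property_values(%s) failed: %s",
		    name, scf_strerror(scf_error()));
		goto destruction;
	}

	/* Workaround scf bugs -- can't reset an iteration */
	if (count == 0) {
		/* First pass: only count the values, then start over. */
		while (scf_iter_next_value(iter, value) > 0)
			count++;

		if (count == 0) {
			/* no values */
			rc = 0;
			goto destruction;
		}

		scf_value_destroy(value);
		scf_iter_destroy(iter);
		scf_property_destroy(scf_prop);
		goto restart;
	}

	/* One extra zeroed entry terminates the array. */
	if ((servers = calloc(count + 1, sizeof (*servers))) == NULL) {
		idmapdlog(LOG_ERR, "Out of memory");
		goto destruction;
	}

	(void) memset(&hints, 0, sizeof (hints));
	hints.ai_protocol = IPPROTO_TCP;
	hints.ai_socktype = SOCK_STREAM;
	host = NULL;

	i = 0;
	while (i < count && scf_iter_next_value(iter, value) > 0) {
		if (host) {
			free(host);
			host = NULL;
		}
		servers[i].priority = 0;
		servers[i].weight = 100;
		servers[i].port = defport;
		if ((host = scf_value2string(name, value)) == NULL)
			continue;
		/*
		 * The value is split at its first ':'; everything after it
		 * is taken as the port.
		 */
		if ((portstr = strchr(host, ':')) != NULL) {
			*portstr++ = '\0';
			port = strtol(portstr, (char **)NULL, 10);
			/*
			 * Reject ports that cannot exist instead of
			 * narrowing them to int and letting them be cut
			 * short when formatted into port_str below.
			 */
			if (port < 0 || port > MAX_PORT_NUMBER) {
				idmapdlog(LOG_ERR, "Invalid port: %s",
				    portstr);
				idmapdlog(LOG_ERR, "ignoring %s value", name);
				continue;
			}
			if (port != 0)
				servers[i].port = (int)port;
		}

		/*
		 * Ignore this server if the hostname is too long
		 * or empty (continue without i++)
		 */
		len = strlen(host);
		if (len == 0) {
			if (DBG(CONFIG, 1)) {
				idmapdlog(LOG_INFO, "%s host=\"\"", name);
			}
			continue;
		}
		if (len >= sizeof (servers->host)) {
			idmapdlog(LOG_ERR, "Host name too long: %s", host);
			idmapdlog(LOG_ERR, "ignoring %s value", name);
			continue;
		}

		/*
		 * Get the host address too.  If we can't, then
		 * log an error and skip this host.
		 */
		(void) snprintf(port_str, sizeof (port_str),
		    "%d", servers[i].port);
		ai = NULL;
		err = getaddrinfo(host, port_str, &hints, &ai);
		if (err != 0) {
			idmapdlog(LOG_ERR, "No address for host: %s (%s)",
			    host, gai_strerror(err));
			idmapdlog(LOG_ERR, "ignoring %s value", name);
			continue;
		}

		/* Never copy more than the destination address can hold. */
		if (ai->ai_addrlen > sizeof (servers[i].addr)) {
			idmapdlog(LOG_ERR, "Address too large for host: %s",
			    host);
			idmapdlog(LOG_ERR, "ignoring %s value", name);
			freeaddrinfo(ai);
			continue;
		}

		(void) strlcpy(servers[i].host, host,
		    sizeof (servers->host));
		(void) memcpy(&servers[i].addr, ai->ai_addr, ai->ai_addrlen);
		freeaddrinfo(ai);

		/* Added a DS to the array. */
		i++;
	}
	free(host);

	if (i == 0) {
		if (DBG(CONFIG, 1)) {
			idmapdlog(LOG_INFO, "%s is empty", name);
		}
		free(servers);
		servers = NULL;
	}
	*val = servers;

	rc = 0;

destruction:
	scf_value_destroy(value);
	scf_iter_destroy(iter);
	scf_property_destroy(scf_prop);

	if (rc < 0) {
		if (servers)
			free(servers);
		*val = NULL;
	}

	return (rc);
}

/*
 * Read astring property "name" from the config property group into a
 * newly allocated string at *val (caller frees).  *val is NULL when
 * the property is undefined.  Returns 0 on success or when undefined,
 * -1 on failure (with *val set to NULL).
 */
static int
get_val_astring(idmap_cfg_handles_t *handles, const char *name, char **val)
{
	int rc = 0;

	scf_property_t *scf_prop;
	scf_value_t *value;

	scf_prop = scf_property_create(handles->main);
	if (scf_prop == NULL) {
		idmapdlog(LOG_ERR, "scf_property_create() failed: %s",
		    scf_strerror(scf_error()));
		return (-1);
	}
	value = scf_value_create(handles->main);
	if (value == NULL) {
		idmapdlog(LOG_ERR, "scf_value_create() failed: %s",
		    scf_strerror(scf_error()));
		scf_property_destroy(scf_prop);
		return (-1);
	}

	*val = NULL;

	if (scf_pg_get_property(handles->config_pg, name, scf_prop) < 0)
		/* this is OK: the property is just undefined */
		goto destruction;

	if (scf_property_get_value(scf_prop, value) < 0) {
		idmapdlog(LOG_ERR,
		    "scf_property_get_value(%s) failed: %s",
		    name, scf_strerror(scf_error()));
		rc = -1;
		goto destruction;
	}

	*val = scf_value2string(name, value);
	if (*val == NULL)
		rc = -1;

destruction:
	scf_value_destroy(value);
	scf_property_destroy(scf_prop);

	if (rc < 0) {
		if (*val)
			free(*val);
		*val = NULL;
	}

	return (rc);
}


/*
 * Delete property "name" from property group "pg" in a transaction,
 * retrying for as long as the commit returns 0.
 * Returns 0 once the delete is committed, -1 otherwise.  A property
 * that is already absent is not logged, but still yields -1.
 */
static int
del_val(
    idmap_cfg_handles_t *handles,
    scf_propertygroup_t *pg,
    const char *name)
{
	int			rc = -1;
	int			ret;
	scf_transaction_t	*tx = NULL;
	scf_transaction_entry_t	*ent = NULL;

	if ((tx = scf_transaction_create(handles->main)) == NULL) {
		idmapdlog(LOG_ERR,
		    "scf_transaction_create() failed: %s",
		    scf_strerror(scf_error()));
		goto destruction;
	}
	if ((ent = scf_entry_create(handles->main)) == NULL) {
		idmapdlog(LOG_ERR,
		    "scf_entry_create() failed: %s",
		    scf_strerror(scf_error()));
		goto destruction;
	}

	do {
		if (scf_pg_update(pg) == -1) {
			idmapdlog(LOG_ERR,
			    "scf_pg_update(%s) failed: %s",
			    name, scf_strerror(scf_error()));
			goto destruction;
		}
		if (scf_transaction_start(tx, pg) != 0) {
			idmapdlog(LOG_ERR,
			    "scf_transaction_start(%s) failed: %s",
			    name, scf_strerror(scf_error()));
			goto destruction;
		}

		if (scf_transaction_property_delete(tx, ent, name) != 0) {
			/* Don't complain if it already doesn't exist. */
			if (scf_error() != SCF_ERROR_NOT_FOUND) {
				idmapdlog(LOG_ERR,
				    "scf_transaction_property_delete() failed:"
				    " %s",
				    scf_strerror(scf_error()));
			}
			goto destruction;
		}

		ret = scf_transaction_commit(tx);

		if (ret == 0)
			scf_transaction_reset(tx);
	} while (ret == 0);

	if (ret == -1) {
		idmapdlog(LOG_ERR,
		    "scf_transaction_commit(%s) failed: %s",
		    name, scf_strerror(scf_error()));
		goto destruction;
	}

	rc = 0;

destruction:
	if (ent != NULL)
		scf_entry_destroy(ent);
	if (tx != NULL)
		scf_transaction_destroy(tx);
	return (rc);
}


/*
 * Store "value" as property "name" in property group "pg", creating
 * the property or changing its type as needed.  The transaction is
 * attempted at most MAX_TRIES times.
 * Returns 0 when a commit succeeds, -1 otherwise.
 */
static int
set_val(
    idmap_cfg_handles_t *handles,
    scf_propertygroup_t *pg,
    const char *name,
    scf_value_t *value)
{
	int			rc = -1;
	int			i;
	scf_property_t		*prop = NULL;
	scf_transaction_t	*tx = NULL;
	scf_transaction_entry_t	*ent = NULL;

	if ((prop = scf_property_create(handles->main)) == NULL ||
	    (tx = scf_transaction_create(handles->main)) == NULL ||
	    (ent = scf_entry_create(handles->main)) == NULL) {
		/* The format needs a second %s or the reason is dropped. */
		idmapdlog(LOG_ERR, "Unable to set property %s: %s",
		    name, scf_strerror(scf_error()));
		goto destruction;
	}

	for (i = 0; i < MAX_TRIES; i++) {
		int ret;

		if (scf_pg_update(pg) == -1) {
			idmapdlog(LOG_ERR,
			    "scf_pg_update() failed: %s",
			    scf_strerror(scf_error()));
			goto destruction;
		}

		if (scf_transaction_start(tx, pg) == -1) {
			idmapdlog(LOG_ERR,
			    "scf_transaction_start(%s) failed: %s",
			    name, scf_strerror(scf_error()));
			goto destruction;
		}

		ret = scf_pg_get_property(pg, name, prop);
		if (ret == SCF_SUCCESS) {
			if (scf_transaction_property_change_type(tx, ent, name,
			    scf_value_type(value)) < 0) {
				idmapdlog(LOG_ERR,
				    "scf_transaction_property_change_type(%s)"
				    " failed: %s",
				    name, scf_strerror(scf_error()));
				goto destruction;
			}
		} else if (scf_error() == SCF_ERROR_NOT_FOUND) {
			if (scf_transaction_property_new(tx, ent, name,
			    scf_value_type(value)) < 0) {
				idmapdlog(LOG_ERR,
				    "scf_transaction_property_new() failed: %s",
				    scf_strerror(scf_error()));
				goto destruction;
			}
		} else {
			idmapdlog(LOG_ERR,
			    "scf_pg_get_property(%s) failed: %s",
			    name, scf_strerror(scf_error()));
			goto destruction;
		}

		if (scf_entry_add_value(ent, value) == -1) {
			idmapdlog(LOG_ERR,
			    "scf_entry_add_value() failed: %s",
			    scf_strerror(scf_error()));
			goto destruction;
		}

		ret = scf_transaction_commit(tx);
		if (ret == 0) {
			/*
			 * Property group set in scf_transaction_start()
			 * is not the most recent. Update pg, reset tx and
			 * retry tx.
			 */
			idmapdlog(LOG_WARNING,
			    "scf_transaction_commit(%s) failed: %s",
			    name, scf_strerror(scf_error()));
			scf_transaction_reset(tx);
			continue;
		}
		if (ret != 1) {
			idmapdlog(LOG_ERR,
			    "scf_transaction_commit(%s) failed: %s",
			    name, scf_strerror(scf_error()));
			goto destruction;
		}
		/* Success! */
		rc = 0;
		break;
	}

destruction:
	scf_entry_destroy(ent);
	scf_transaction_destroy(tx);
	scf_property_destroy(prop);
	return (rc);
}

/*
 * Store integer "val" as property "name" in "pg" via set_val().
 * Returns set_val()'s result, or -1 if the value handle cannot be
 * created.
 */
static int
set_val_integer(
    idmap_cfg_handles_t *handles,
    scf_propertygroup_t *pg,
    const char *name,
    int64_t val)
{
	scf_value_t		*value = NULL;
	int			rc;

	if ((value = scf_value_create(handles->main)) == NULL) {
		idmapdlog(LOG_ERR, "Unable to set property %s: %s",
		    name, scf_strerror(scf_error()));
		return (-1);
	}

	scf_value_set_integer(value, val);

	rc = set_val(handles, pg, name, value);

	scf_value_destroy(value);

	return (rc);
}


/*
 * Store string "val" as astring property "name" in "pg" via set_val().
 * Returns set_val()'s result, or -1 if the value cannot be built.
 */
static int
set_val_astring(
    idmap_cfg_handles_t *handles,
    scf_propertygroup_t *pg,
    const char *name,
    const char *val)
{
	scf_value_t		*value = NULL;
	int			rc = -1;

	if ((value = scf_value_create(handles->main)) == NULL) {
		idmapdlog(LOG_ERR, "Unable to set property %s: %s",
		    name, scf_strerror(scf_error()));
		goto out;
	}

	if (scf_value_set_astring(value, val) == -1) {
		idmapdlog(LOG_ERR,
		    "scf_value_set_astring() failed: %s",
		    scf_strerror(scf_error()));
		goto out;
	}

	rc = set_val(handles, pg, name, value);

out:
	scf_value_destroy(value);
	return (rc);
}



/*
 * This function updates a boolean value.
 * If nothing has changed it returns 0 else 1
 */
static int
update_bool(boolean_t *value, boolean_t *new, char *name)
{
	if (*value == *new)
		return (0);

	if (DBG(CONFIG, 1)) {
		idmapdlog(LOG_INFO, "change %s=%s", name,
		    *new ? "true" : "false");
	}

	*value = *new;
	return (1);
}

/*
 * This function updates a uint64_t value.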
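* If nothing has changed it returns 0 else 1
 */
static int
update_uint64(uint64_t *value, uint64_t *new, char *name)
{
	if (*value == *new)
		return (0);

	/* %llu takes an unsigned long long; uint64_t may be another type. */
	if (DBG(CONFIG, 1)) {
		idmapdlog(LOG_INFO, "change %s=%llu", name,
		    (unsigned long long)*new);
	}

	*value = *new;
	return (1);
}

/*
 * This function updates a string value.
 * If nothing has changed it returns 0 else 1
 *
 * Ownership moves in every case: the old *value is freed, *value takes
 * over the string from *new, and *new is set to NULL.  *value and *new
 * must therefore not point at the same string.
 */
static int
update_string(char **value, char **new, char *name)
{
	int changed;

	if (*new == NULL && *value != NULL)
		changed = 1;
	else if (*new != NULL && *value == NULL)
		changed = 1;
	else if (*new != NULL && *value != NULL && strcmp(*new, *value) != 0)
		changed = 1;
	else
		changed = 0;

	/*
	 * Note that even if unchanged we can't just return; we must free one
	 * of the values.
	 */

	if (DBG(CONFIG, 1) && changed)
		idmapdlog(LOG_INFO, "change %s=%s", name, CHECK_NULL(*new));

	free(*value);
	*value = *new;
	*new = NULL;
	return (changed);
}

/*
 * Update an enumerated value; "map" is used only to print the new
 * value's name.  Returns 0 if nothing has changed, else 1.
 */
static int
update_enum(int *value, int *new, char *name, struct enum_lookup_map *map)
{
	if (*value == *new)
		return (0);

	if (DBG(CONFIG, 1)) {
		idmapdlog(LOG_INFO, "change %s=%s", name,
		    enum_lookup(*new, map));
	}

	*value = *new;

	return (1);
}

/*
 * This function updates a directory service structure.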
* If nothing has changed it returns 0 else 1
 *
 * The list in *new is either freed (when it matches the current one)
 * or moved into *value; *new is NULL afterwards unless both pointers
 * were already identical.
 */
static int
update_dirs(ad_disc_ds_t **value, ad_disc_ds_t **new, char *name)
{
	ad_disc_ds_t *current = *value;
	ad_disc_ds_t *incoming = *new;
	ad_disc_ds_t *ds;
	char addrbuf[64];

	/* Same pointer (including both NULL): nothing to do. */
	if (current == incoming)
		return (0);

	/* Same contents: keep what we have and drop the duplicate. */
	if (current != NULL && incoming != NULL &&
	    ad_disc_compare_ds(current, incoming) == 0) {
		free(incoming);
		*new = NULL;
		return (0);
	}

	/* free(NULL) is a no-op, so no guard is needed. */
	free(current);
	*value = incoming;
	*new = NULL;

	if (incoming == NULL) {
		/* We're unsetting this DS property */
		if (DBG(CONFIG, 1))
			idmapdlog(LOG_INFO, "change %s=<none>", name);
		return (1);
	}

	if (DBG(CONFIG, 1)) {
		/* List all the new DSs; an empty host ends the array. */
		ds = incoming;
		while (ds->host[0] != '\0') {
			if (ad_disc_getnameinfo(addrbuf, sizeof (addrbuf),
			    &ds->addr))
				(void) strlcpy(addrbuf, "?", sizeof (addrbuf));
			idmapdlog(LOG_INFO, "change %s=%s addr=%s port=%d",
			    name, ds->host, addrbuf, ds->port);
			ds++;
		}
	}
	return (1);
}

/*
 * This function updates a trusted domains structure.
* If nothing has changed it returns 0 else 1
 *
 * The list in *new is either freed (when it matches the current one)
 * or moved into *value; *new is NULL afterwards unless both pointers
 * were already identical.
 */
static int
update_trusted_domains(ad_disc_trusteddomains_t **value,
    ad_disc_trusteddomains_t **new, char *name)
{
	ad_disc_trusteddomains_t *current = *value;
	ad_disc_trusteddomains_t *incoming = *new;
	ad_disc_trusteddomains_t *td;

	/* Same pointer (including both NULL): nothing to do. */
	if (current == incoming)
		return (0);

	/* Same contents: keep what we have and drop the duplicate. */
	if (current != NULL && incoming != NULL &&
	    ad_disc_compare_trusteddomains(current, incoming) == 0) {
		free(incoming);
		*new = NULL;
		return (0);
	}

	/* free(NULL) is a no-op, so no guard is needed. */
	free(current);
	*value = incoming;
	*new = NULL;

	if (incoming == NULL) {
		/* We're unsetting this DS property */
		if (DBG(CONFIG, 1))
			idmapdlog(LOG_INFO, "change %s=<none>", name);
		return (1);
	}

	if (DBG(CONFIG, 1)) {
		/* List all the new domains; an empty name ends the array. */
		td = incoming;
		while (td->domain[0] != '\0') {
			idmapdlog(LOG_INFO, "change %s=%s direction=%s", name,
			    td->domain,
			    enum_lookup(td->direction, trust_dir_map));
			td++;
		}
	}
	return (1);
}


/*
 * This function updates a domains in a forest structure.
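* If nothing has changed it returns 0 else 1
 *
 * The list in *new is either freed (when it matches the current one)
 * or moved into *value.
 */
static int
update_domains_in_forest(ad_disc_domainsinforest_t **value,
    ad_disc_domainsinforest_t **new, char *name)
{
	int i;

	if (*value == *new)
		/* Nothing to do */
		return (0);

	if (*value != NULL && *new != NULL &&
	    ad_disc_compare_domainsinforest(*value, *new) == 0) {
		free(*new);
		*new = NULL;
		return (0);
	}

	if (*value != NULL)
		free(*value);

	*value = *new;
	*new = NULL;

	if (*value == NULL) {
		/* We're unsetting this DS property */
		if (DBG(CONFIG, 1))
			idmapdlog(LOG_INFO, "change %s=<none>", name);
		return (1);
	}

	if (DBG(CONFIG, 1)) {
		/* List all the new domains */
		for (i = 0; (*value)[i].domain[0] != '\0'; i++) {
			idmapdlog(LOG_INFO, "change %s=%s", name,
			    (*value)[i].domain);
		}
	}
	return (1);
}


/*
 * Free an array of *num_values trusted forests together with each
 * entry's forest_name, global_catalog and domains_in_forest, then
 * reset *value to NULL and *num_values to 0.
 */
static void
free_trusted_forests(idmap_trustedforest_t **value, int *num_values)
{
	int i;

	for (i = 0; i < *num_values; i++) {
		free((*value)[i].forest_name);
		free((*value)[i].global_catalog);
		free((*value)[i].domains_in_forest);
	}
	free(*value);
	*value = NULL;
	*num_values = 0;
}


/*
 * Compare the trusted entries of two domains-in-forest arrays (each
 * ended by an entry with an empty domain).  Untrusted entries are
 * ignored.  Returns 0 when both hold the same number of trusted
 * entries and every trusted entry of df1 has a trusted entry in df2
 * with an equal domain and SID; returns 1 otherwise.
 */
static int
compare_trusteddomainsinforest(ad_disc_domainsinforest_t *df1,
    ad_disc_domainsinforest_t *df2)
{
	int		i, j;
	int		num_df1 = 0;
	int		num_df2 = 0;
	boolean_t	match;

	for (i = 0; df1[i].domain[0] != '\0'; i++)
		if (df1[i].trusted)
			num_df1++;

	for (j = 0; df2[j].domain[0] != '\0'; j++)
		if (df2[j].trusted)
			num_df2++;

	if (num_df1 != num_df2)
		return (1);

	for (i = 0; df1[i].domain[0] != '\0'; i++) {
		if (df1[i].trusted) {
			match = B_FALSE;
			for (j = 0; df2[j].domain[0] != '\0'; j++) {
				if (df2[j].trusted &&
				    domain_eq(df1[i].domain, df2[j].domain) &&
				    strcmp(df1[i].sid, df2[j].sid) == 0) {
					match = B_TRUE;
					break;
				}
			}
			if (!match)
				return (1);
		}
	}
	return (0);
}



/*
 * This function updates trusted forest structure.
 * If nothing has changed it returns 0 else 1
 *
 * Two forest lists are equal when they have the same length and every
 * current forest has an entry in the new list with the same name,
 * global catalog list and trusted domains.  The list in *new is either
 * freed (when equal) or moved into *value together with its count.
 */
static int
update_trusted_forest(idmap_trustedforest_t **value, int *num_value,
    idmap_trustedforest_t **new, int *num_new, char *name)
{
	int i, j;
	boolean_t match;

	if (*value == *new)
		/* Nothing to do */
		return (0);

	if (*value != NULL && *new != NULL) {
		if (*num_value != *num_new)
			goto not_equal;
		for (i = 0; i < *num_value; i++) {
			match = B_FALSE;
			for (j = 0; j < *num_new; j++) {
				if (strcmp((*value)[i].forest_name,
				    (*new)[j].forest_name) == 0 &&
				    ad_disc_compare_ds(
				    (*value)[i].global_catalog,
				    (*new)[j].global_catalog) == 0 &&
				    compare_trusteddomainsinforest(
				    (*value)[i].domains_in_forest,
				    (*new)[j].domains_in_forest) == 0) {
					match = B_TRUE;
					break;
				}
			}
			if (!match)
				goto not_equal;
		}
		free_trusted_forests(new, num_new);
		return (0);
	}
not_equal:
	if (*value != NULL)
		free_trusted_forests(value, num_value);
	*value = *new;
	*num_value = *num_new;
	*new = NULL;
	*num_new = 0;

	if (*value == NULL) {
		/* We're unsetting this DS property */
		if (DBG(CONFIG, 1))
			idmapdlog(LOG_INFO, "change %s=<none>", name);
		return (1);
	}

	if (DBG(CONFIG, 1)) {
		/* List all the trusted forests */
		for (i = 0; i < *num_value; i++) {
			idmap_trustedforest_t *f = &(*value)[i];
			for (j = 0;
			    f->domains_in_forest[j].domain[0] != '\0';
			    j++) {
				/* List trusted Domains in the forest. */
				if (f->domains_in_forest[j].trusted)
					idmapdlog(LOG_INFO,
					    "change %s=%s domain=%s",
					    name, f->forest_name,
					    f->domains_in_forest[j].domain);
			}
			/* List the hosts */
			for (j = 0;
			    f->global_catalog[j].host[0] != '\0';
			    j++) {
				idmapdlog(LOG_INFO,
				    "change %s=%s host=%s port=%d",
				    name, f->forest_name,
				    f->global_catalog[j].host,
				    f->global_catalog[j].port);
			}
		}
	}
	return (1);
}

/*
 * Return the string that "map" associates with "value", or "(invalid)"
 * when no entry matches.  The map ends at the entry whose string is
 * NULL.
 */
const char *
enum_lookup(int value, struct enum_lookup_map *map)
{
	for (; map->string != NULL; map++) {
		if (value == map->value) {
			return (map->string);
		}
	}
	return ("(invalid)");
}

/*
 * Returns 1 if the PF_ROUTE socket event indicates that we should rescan the
 * interfaces.
 *
 * Shamelessly based on smb_nics_changed() and other PF_ROUTE uses in ON.
 *
 * Messages are read until read() returns 0 or fails, so every pending
 * message is consumed even after an interesting one has been seen.
 */
static
boolean_t
pfroute_event_is_interesting(int rt_sock)
{
	int nbytes;
	int64_t msg[2048 / 8];
	struct rt_msghdr *rtm;
	boolean_t is_interesting = B_FALSE;

	for (;;) {
		if ((nbytes = read(rt_sock, msg, sizeof (msg))) <= 0)
			break;
		/*
		 * A read shorter than the header leaves the header fields
		 * unfilled; skip it before any of them is looked at.
		 */
		if ((size_t)nbytes < sizeof (*rtm))
			continue;
		rtm = (struct rt_msghdr *)msg;
		if (rtm->rtm_version != RTM_VERSION)
			continue;
		if (nbytes < rtm->rtm_msglen)
			continue;
		switch (rtm->rtm_type) {
		case RTM_NEWADDR:
		case RTM_DELADDR:
		case RTM_IFINFO:
			is_interesting = B_TRUE;
			break;
		default:
			break;
		}
	}
	return (is_interesting);
}

/*
 * Wait for an event, and report what kind of event occurred.
 *
 * Note that there are cases where we are awoken but don't care about
 * the lower-level event.  We can't just loop here because we can't
 * readily calculate how long to sleep the next time.  We return
 * EVENT_NOTHING and let the caller loop.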
*/
static
enum event_type
wait_for_event(struct timespec *timeoutp)
{
	port_event_t pe;

	(void) memset(&pe, 0, sizeof (pe));
	/* Block on the event port; timeoutp is passed straight through. */
	if (port_get(idmapd_ev_port, &pe, timeoutp) != 0) {
		switch (errno) {
		case EINTR:
			return (EVENT_NOTHING);
		case ETIME:
			/* Timeout */
			return (EVENT_TIMEOUT);
		default:
			/* EBADF, EBADFD, EFAULT, EINVAL (end of time?)? */
			idmapdlog(LOG_ERR, "Event port failed: %s",
			    strerror(errno));
			exit(1);
			/* NOTREACHED */
		}
	}


	switch (pe.portev_source) {
	case 0:
		/*
		 * This isn't documented, but seems to be what you get if
		 * the timeout is zero seconds and there are no events
		 * pending.
		 */
		return (EVENT_TIMEOUT);

	case PORT_SOURCE_USER:
		/* User events carry one of the request codes defined above. */
		switch (pe.portev_events) {
		case RECONFIGURE:
			return (EVENT_REFRESH);
		case POKE_AUTO_DISCOVERY:
			return (EVENT_POKED);
		case KICK_AUTO_DISCOVERY:
			return (EVENT_KICKED);
		}
		/* Any other user event code is ignored. */
		return (EVENT_NOTHING);

	case PORT_SOURCE_FD:
		if (pe.portev_object == rt_sock) {
			/*
			 * PF_ROUTE socket read event:
			 *    re-associate fd
			 *    handle event
			 */
			if (port_associate(idmapd_ev_port, PORT_SOURCE_FD,
			    rt_sock, POLLIN, NULL) != 0) {
				idmapdlog(LOG_ERR, "Failed to re-associate the "
				    "routing socket with the event port: %s",
				    strerror(errno));
				abort();
			}
			/*
			 * The network configuration may still be in flux.
			 * No matter, the resolver will re-transmit and
			 * timeout if need be.
			 */
			if (pfroute_event_is_interesting(rt_sock)) {
				if (DBG(CONFIG, 1)) {
					idmapdlog(LOG_DEBUG,
					    "Interesting routing event");
				}
				return (EVENT_ROUTING);
			} else {
				if (DBG(CONFIG, 2)) {
					idmapdlog(LOG_DEBUG,
					    "Boring routing event");
				}
				return (EVENT_NOTHING);
			}
		}
		/* Event on an FD other than the routing FD? Ignore it. */
		break;
	}

	return (EVENT_NOTHING);
}

void *
idmap_cfg_update_thread(void *arg)
{
	NOTE(ARGUNUSED(arg))
	idmap_pg_config_t *pgcfg = &_idmapdstate.cfg->pgcfg;
	const ad_disc_t		ad_ctx = _idmapdstate.cfg->handles.ad_ctx;
	int flags = CFG_DISCOVER;
	uint_t retry_count = 0;

	for (;;) {
		struct timespec timeout;
		struct timespec	*timeoutp;
		int		rc;
		/*
		 * NOTE(review): ttl is declared inside the loop body, so it
		 * holds no defined value at the start of an iteration.  The
		 * retry back-off below doubles it (ttl *= 2) when
		 * retry_count is non-zero, which reads a value this
		 * iteration never set -- confirm, and consider declaring
		 * ttl outside the loop.
		 */
		int		ttl, max_ttl;

		(void) ad_disc_SubnetChanged(ad_ctx);

		rc = idmap_cfg_load(_idmapdstate.cfg, flags);
		if (rc < -1) {
			idmapdlog(LOG_ERR, "Fatal errors while reading "
			    "SMF properties");
			exit(1);
		} else if (rc == -1) {
			idmapdlog(LOG_WARNING,
			    "Errors re-loading configuration may cause AD "
			    "lookups to fail");
		}

		/*
		 * If we don't know our domain name, we're not in a domain;
		 * don't bother with rediscovery until the next config change.
		 * Avoids hourly noise in workgroup mode.
		 *
		 * If we don't have a DC currently, use a greatly reduced TTL
		 * until we get one.  Degrade if that takes too long.
		 */
		if (pgcfg->domain_name == NULL) {
			ttl = -1;
			/* We don't need a DC if we're no longer in a domain.
*/ 1387 if (retry_count >= DISCOVERY_RETRY_DEGRADE_CUTOFF) 1388 restore_svc(); 1389 retry_count = 0; 1390 } else if (pgcfg->domain_controller == NULL || 1391 pgcfg->global_catalog == NULL) { 1392 if (retry_count == 0) 1393 ttl = DISCOVERY_RETRY_INITIAL_DELAY; 1394 else 1395 ttl *= 2; 1396 1397 if (ttl > pgcfg->discovery_retry_max_delay) 1398 ttl = pgcfg->discovery_retry_max_delay; 1399 1400 if (++retry_count >= DISCOVERY_RETRY_DEGRADE_CUTOFF) { 1401 degrade_svc(B_FALSE, 1402 "Too many DC discovery failures"); 1403 } 1404 } else { 1405 ttl = ad_disc_get_TTL(ad_ctx); 1406 max_ttl = (int)pgcfg->rediscovery_interval; 1407 if (ttl > max_ttl) 1408 ttl = max_ttl; 1409 if (ttl < MIN_REDISCOVERY_INTERVAL) 1410 ttl = MIN_REDISCOVERY_INTERVAL; 1411 if (retry_count >= DISCOVERY_RETRY_DEGRADE_CUTOFF) 1412 restore_svc(); 1413 retry_count = 0; 1414 } 1415 1416 /* 1417 * Wait for an interesting event. Note that we might get 1418 * boring events between interesting events. If so, we loop. 1419 */ 1420 flags = CFG_DISCOVER; 1421 for (;;) { 1422 if (ttl < 0) { 1423 timeoutp = NULL; 1424 } else { 1425 timeout.tv_sec = ttl; 1426 timeout.tv_nsec = 0; 1427 timeoutp = &timeout; 1428 } 1429 1430 if (DBG(CONFIG, 1)) 1431 idmapdlog(LOG_DEBUG, 1432 "_cfg_update_thread waiting"); 1433 1434 switch (wait_for_event(timeoutp)) { 1435 case EVENT_NOTHING: 1436 if (DBG(CONFIG, 2)) 1437 idmapdlog(LOG_DEBUG, "Boring event."); 1438 continue; 1439 case EVENT_REFRESH: 1440 if (DBG(CONFIG, 1)) 1441 idmapdlog(LOG_INFO, "SMF refresh"); 1442 /* 1443 * Forget any DC we had previously. 
1444 */ 1445 flags |= CFG_FORGET_DC; 1446 break; 1447 case EVENT_POKED: 1448 if (DBG(CONFIG, 1)) 1449 idmapdlog(LOG_DEBUG, "poked"); 1450 break; 1451 case EVENT_KICKED: 1452 if (DBG(CONFIG, 1)) 1453 idmapdlog(LOG_DEBUG, "kicked"); 1454 flags |= CFG_FORGET_DC; 1455 break; 1456 case EVENT_TIMEOUT: 1457 if (DBG(CONFIG, 1)) 1458 idmapdlog(LOG_DEBUG, "TTL expired"); 1459 break; 1460 case EVENT_ROUTING: 1461 /* Already logged to DEBUG */ 1462 break; 1463 } 1464 /* An interesting event! */ 1465 break; 1466 } 1467 } 1468 /* 1469 * Lint isn't happy with the concept of a function declared to 1470 * return something, that doesn't return. Of course, merely adding 1471 * the return isn't enough, because it's never reached... 1472 */ 1473 /*NOTREACHED*/ 1474 return (NULL); 1475 } 1476 1477 int 1478 idmap_cfg_start_updates(void) 1479 { 1480 if ((idmapd_ev_port = port_create()) < 0) { 1481 idmapdlog(LOG_ERR, "Failed to create event port: %s", 1482 strerror(errno)); 1483 return (-1); 1484 } 1485 1486 if ((rt_sock = socket(PF_ROUTE, SOCK_RAW, 0)) < 0) { 1487 idmapdlog(LOG_ERR, "Failed to open routing socket: %s", 1488 strerror(errno)); 1489 (void) close(idmapd_ev_port); 1490 return (-1); 1491 } 1492 1493 if (fcntl(rt_sock, F_SETFL, O_NDELAY|O_NONBLOCK) < 0) { 1494 idmapdlog(LOG_ERR, "Failed to set routing socket flags: %s", 1495 strerror(errno)); 1496 (void) close(rt_sock); 1497 (void) close(idmapd_ev_port); 1498 return (-1); 1499 } 1500 1501 if (port_associate(idmapd_ev_port, PORT_SOURCE_FD, 1502 rt_sock, POLLIN, NULL) != 0) { 1503 idmapdlog(LOG_ERR, "Failed to associate the routing " 1504 "socket with the event port: %s", strerror(errno)); 1505 (void) close(rt_sock); 1506 (void) close(idmapd_ev_port); 1507 return (-1); 1508 } 1509 1510 if ((errno = pthread_create(&update_thread_handle, NULL, 1511 idmap_cfg_update_thread, NULL)) != 0) { 1512 idmapdlog(LOG_ERR, "Failed to start update thread: %s", 1513 strerror(errno)); 1514 (void) port_dissociate(idmapd_ev_port, PORT_SOURCE_FD, 
rt_sock); 1515 (void) close(rt_sock); 1516 (void) close(idmapd_ev_port); 1517 return (-1); 1518 } 1519 1520 return (0); 1521 } 1522 1523 /* 1524 * Reject attribute names with invalid characters. 1525 */ 1526 static 1527 int 1528 valid_ldap_attr(const char *attr) 1529 { 1530 for (; *attr; attr++) { 1531 if (!isalnum(*attr) && *attr != '-' && 1532 *attr != '_' && *attr != '.' && *attr != ';') 1533 return (0); 1534 } 1535 return (1); 1536 } 1537 1538 static 1539 void 1540 idmapd_set_debug( 1541 idmap_cfg_handles_t *handles, 1542 enum idmapd_debug item, 1543 const char *name) 1544 { 1545 int val; 1546 1547 if (item < 0 || item > IDMAPD_DEBUG_MAX) 1548 return; 1549 1550 val = get_debug(handles, name); 1551 1552 if (val != _idmapdstate.debug[item]) 1553 idmapdlog(LOG_DEBUG, "%s/%s = %d", DEBUG_PG, name, val); 1554 1555 _idmapdstate.debug[item] = val; 1556 } 1557 1558 static 1559 void 1560 check_smf_debug_mode(idmap_cfg_handles_t *handles) 1561 { 1562 idmapd_set_debug(handles, IDMAPD_DEBUG_ALL, "all"); 1563 idmapd_set_debug(handles, IDMAPD_DEBUG_CONFIG, "config"); 1564 idmapd_set_debug(handles, IDMAPD_DEBUG_MAPPING, "mapping"); 1565 idmapd_set_debug(handles, IDMAPD_DEBUG_DISC, "discovery"); 1566 idmapd_set_debug(handles, IDMAPD_DEBUG_DNS, "dns"); 1567 idmapd_set_debug(handles, IDMAPD_DEBUG_LDAP, "ldap"); 1568 1569 adutils_set_debug(AD_DEBUG_ALL, _idmapdstate.debug[IDMAPD_DEBUG_ALL]); 1570 adutils_set_debug(AD_DEBUG_DISC, _idmapdstate.debug[IDMAPD_DEBUG_DISC]); 1571 adutils_set_debug(AD_DEBUG_DNS, _idmapdstate.debug[IDMAPD_DEBUG_DNS]); 1572 adutils_set_debug(AD_DEBUG_LDAP, _idmapdstate.debug[IDMAPD_DEBUG_LDAP]); 1573 } 1574 1575 /* 1576 * This is the half of idmap_cfg_load() that loads property values from 1577 * SMF (using the config/ property group of the idmap FMRI). 1578 * 1579 * Return values: 0 -> success, -1 -> failure, -2 -> hard failures 1580 * -3 -> hard smf config failures 1581 * reading from SMF. 
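*/
static int
idmap_cfg_load_smf(idmap_cfg_handles_t *handles, idmap_pg_config_t *pgcfg,
    int * const errors)
{
	int rc;
	/*
	 * Start from NULL: 's' is freed below even when the fetch
	 * reported an error, and nothing visible here guarantees that
	 * get_val_astring() stores to it on failure.
	 */
	char *s = NULL;

	*errors = 0;

	if (scf_pg_update(handles->config_pg) < 0) {
		idmapdlog(LOG_ERR, "scf_pg_update() failed: %s",
		    scf_strerror(scf_error()));
		return (-2);
	}

	if (scf_pg_update(handles->debug_pg) < 0) {
		idmapdlog(LOG_ERR, "scf_pg_update() failed: %s",
		    scf_strerror(scf_error()));
		return (-2);
	}

	check_smf_debug_mode(handles);

	/*
	 * Soft failures below only bump *errors; the caller turns a
	 * non-zero count into a -1 return.
	 */
	rc = get_val_bool(handles, "unresolvable_sid_mapping",
	    &pgcfg->eph_map_unres_sids, B_TRUE);
	if (rc != 0)
		(*errors)++;

	rc = get_val_bool(handles, "use_ads",
	    &pgcfg->use_ads, B_TRUE);
	if (rc != 0)
		(*errors)++;

	rc = get_val_bool(handles, "use_lsa",
	    &pgcfg->use_lsa, B_TRUE);
	if (rc != 0)
		(*errors)++;

	rc = get_val_bool(handles, "disable_cross_forest_trusts",
	    &pgcfg->disable_cross_forest_trusts, B_TRUE);
	if (rc != 0)
		(*errors)++;

	/* An unset value and "none" both select no directory mapping. */
	rc = get_val_astring(handles, "directory_based_mapping", &s);
	if (rc != 0)
		(*errors)++;
	else if (s == NULL || strcasecmp(s, "none") == 0)
		pgcfg->directory_based_mapping = DIRECTORY_MAPPING_NONE;
	else if (strcasecmp(s, "name") == 0)
		pgcfg->directory_based_mapping = DIRECTORY_MAPPING_NAME;
	else if (strcasecmp(s, "idmu") == 0)
		pgcfg->directory_based_mapping = DIRECTORY_MAPPING_IDMU;
	else {
		/* Unknown keyword: fall back to "none" and count it. */
		pgcfg->directory_based_mapping = DIRECTORY_MAPPING_NONE;
		idmapdlog(LOG_ERR,
		"config/directory_based_mapping: invalid value \"%s\" ignored",
		    s);
		(*errors)++;
	}
	free(s);
	s = NULL;

	rc = get_val_int(handles, "list_size_limit",
	    &pgcfg->list_size_limit, SCF_TYPE_COUNT);
	if (rc != 0)
		(*errors)++;

	/* For the counts below, zero selects the built-in default. */
	rc = get_val_int(handles, "max_threads",
	    &pgcfg->max_threads, SCF_TYPE_COUNT);
	if (rc != 0)
		(*errors)++;
	if (pgcfg->max_threads == 0)
		pgcfg->max_threads = MAX_THREADS_DEFAULT;
	if (pgcfg->max_threads > UINT_MAX)
		pgcfg->max_threads = UINT_MAX;

	rc = get_val_int(handles, "discovery_retry_max_delay",
	    &pgcfg->discovery_retry_max_delay, SCF_TYPE_COUNT);
	if (rc != 0)
		(*errors)++;
	if (pgcfg->discovery_retry_max_delay == 0)
		pgcfg->discovery_retry_max_delay =
		    DISCOVERY_RETRY_MAX_DELAY_DEFAULT;

	rc = get_val_int(handles, "id_cache_timeout",
	    &pgcfg->id_cache_timeout, SCF_TYPE_COUNT);
	if (rc != 0)
		(*errors)++;
	if (pgcfg->id_cache_timeout == 0)
		pgcfg->id_cache_timeout = ID_CACHE_TMO_DEFAULT;

	rc = get_val_int(handles, "name_cache_timeout",
	    &pgcfg->name_cache_timeout, SCF_TYPE_COUNT);
	if (rc != 0)
		(*errors)++;
	if (pgcfg->name_cache_timeout == 0)
		pgcfg->name_cache_timeout = NAME_CACHE_TMO_DEFAULT;

	rc = get_val_int(handles, "rediscovery_interval",
	    &pgcfg->rediscovery_interval, SCF_TYPE_COUNT);
	if (rc != 0)
		(*errors)++;
	if (pgcfg->rediscovery_interval == 0)
		pgcfg->rediscovery_interval = REDISCOVERY_INTERVAL_DEFAULT;

	/*
	 * For the discoverable string properties an empty value is
	 * treated as unset.  A value that is set clears the matching
	 * *_auto_disc flag, and the result (possibly NULL) is handed
	 * to the discovery context.
	 */
	rc = get_val_astring(handles, "domain_name",
	    &pgcfg->domain_name);
	if (rc != 0)
		(*errors)++;
	else {
		if (pgcfg->domain_name != NULL &&
		    pgcfg->domain_name[0] == '\0') {
			free(pgcfg->domain_name);
			pgcfg->domain_name = NULL;
		}
		if (pgcfg->domain_name != NULL)
			pgcfg->domain_name_auto_disc = B_FALSE;
		(void) ad_disc_set_DomainName(handles->ad_ctx,
		    pgcfg->domain_name);
	}

	rc = get_val_astring(handles, "default_domain",
	    &pgcfg->default_domain);
	if (rc != 0) {
		/*
		 * SCF failures fetching config/default_domain we treat
		 * as fatal as they may leave ID mapping rules that
		 * match unqualified winnames flapping in the wind.
		 */
		return (-2);
	}

	if (pgcfg->default_domain == NULL && pgcfg->domain_name != NULL) {
		pgcfg->default_domain = strdup(pgcfg->domain_name);
		if (pgcfg->default_domain == NULL) {
			/*
			 * Same hazard as the SCF failure above: don't
			 * carry on without a default domain.
			 */
			idmapdlog(LOG_ERR, "Out of memory");
			return (-2);
		}
	}

	rc = get_val_astring(handles, "domain_guid", &s);
	if (rc != 0) {
		(*errors)++;
	} else if (s == NULL || s[0] == '\0') {
		/* OK, not set. */
		free(s);
	} else {
		uuid_t u;

		/* Only a value that parses as a UUID is accepted. */
		if (uuid_parse(s, u) != 0) {
			idmapdlog(LOG_ERR,
		"config/domain_guid: invalid value \"%s\" ignored", s);
			free(s);
			(*errors)++;
		} else {
			/* pgcfg takes ownership of the string. */
			pgcfg->domain_guid = s;
			pgcfg->domain_guid_auto_disc = B_FALSE;
			(void) ad_disc_set_DomainGUID(handles->ad_ctx, u);
		}
	}

	/*
	 * NOTE(review): for machine_uuid and machine_sid a failed read
	 * (rc != 0) is only counted, and if the field is still NULL the
	 * code goes on to generate a value and write it back to SMF.
	 * Confirm that a transient read failure cannot replace an
	 * already-configured machine identity.
	 */
	rc = get_val_astring(handles, "machine_uuid", &pgcfg->machine_uuid);
	if (rc != 0)
		(*errors)++;
	if (pgcfg->machine_uuid == NULL) {
		/* If machine_uuid not configured, generate one */
		if (generate_machine_uuid(&pgcfg->machine_uuid) < 0)
			return (-2);
		rc = set_val_astring(handles, handles->config_pg,
		    "machine_uuid", pgcfg->machine_uuid);
		if (rc != 0)
			(*errors)++;
	}

	rc = get_val_astring(handles, "machine_sid", &pgcfg->machine_sid);
	if (rc != 0)
		(*errors)++;
	if (pgcfg->machine_sid == NULL) {
		/*
		 * If machine_sid not configured, generate one
		 * from the machine UUID.
		 */
		if (generate_machine_sid(&pgcfg->machine_sid,
		    pgcfg->machine_uuid) < 0)
			return (-2);
		rc = set_val_astring(handles, handles->config_pg,
		    "machine_sid", pgcfg->machine_sid);
		if (rc != 0)
			(*errors)++;
	}

	/* 389 and 3268 below are presumably default ports -- confirm. */
	rc = get_val_ds(handles, "domain_controller", 389,
	    &pgcfg->domain_controller);
	if (rc != 0)
		(*errors)++;
	else {
		(void) ad_disc_set_DomainController(handles->ad_ctx,
		    pgcfg->domain_controller);
		pgcfg->domain_controller_auto_disc = B_FALSE;
	}

	rc = get_val_ds(handles, "preferred_dc", 389,
	    &pgcfg->preferred_dc);
	if (rc != 0)
		(*errors)++;
	else {
		(void) ad_disc_set_PreferredDC(handles->ad_ctx,
		    pgcfg->preferred_dc);
		pgcfg->preferred_dc_auto_disc = B_FALSE;
	}

	rc = get_val_astring(handles, "forest_name", &pgcfg->forest_name);
	if (rc != 0)
		(*errors)++;
	else {
		if (pgcfg->forest_name != NULL &&
		    pgcfg->forest_name[0] == '\0') {
			free(pgcfg->forest_name);
			pgcfg->forest_name = NULL;
		}
		if (pgcfg->forest_name != NULL)
			pgcfg->forest_name_auto_disc = B_FALSE;
		(void) ad_disc_set_ForestName(handles->ad_ctx,
		    pgcfg->forest_name);
	}

	rc = get_val_astring(handles, "site_name", &pgcfg->site_name);
	if (rc != 0)
		(*errors)++;
	else {
		if (pgcfg->site_name != NULL &&
		    pgcfg->site_name[0] == '\0') {
			free(pgcfg->site_name);
			pgcfg->site_name = NULL;
		}
		if (pgcfg->site_name != NULL)
			pgcfg->site_name_auto_disc = B_FALSE;
		(void) ad_disc_set_SiteName(handles->ad_ctx, pgcfg->site_name);
	}

	rc = get_val_ds(handles, "global_catalog", 3268,
	    &pgcfg->global_catalog);
	if (rc != 0)
		(*errors)++;
	else {
		(void) ad_disc_set_GlobalCatalog(handles->ad_ctx,
		    pgcfg->global_catalog);
		pgcfg->global_catalog_auto_disc = B_FALSE;
	}

	/* Unless we're doing directory-based name mapping, we're done. */
	if (pgcfg->directory_based_mapping != DIRECTORY_MAPPING_NAME)
		return (0);

	/*
	 * The three attribute names below are checked against the
	 * allow-list in valid_ldap_attr() before they are accepted.
	 * A fetch failure is a hard failure (-2); a name that fails
	 * validation, or having none of the three set, is a hard
	 * configuration failure (-3).
	 */
	rc = get_val_astring(handles, "ad_unixuser_attr",
	    &pgcfg->ad_unixuser_attr);
	if (rc != 0)
		return (-2);
	if (pgcfg->ad_unixuser_attr != NULL &&
	    !valid_ldap_attr(pgcfg->ad_unixuser_attr)) {
		idmapdlog(LOG_ERR, "config/ad_unixuser_attr=%s is not a "
		    "valid LDAP attribute name", pgcfg->ad_unixuser_attr);
		return (-3);
	}

	rc = get_val_astring(handles, "ad_unixgroup_attr",
	    &pgcfg->ad_unixgroup_attr);
	if (rc != 0)
		return (-2);
	if (pgcfg->ad_unixgroup_attr != NULL &&
	    !valid_ldap_attr(pgcfg->ad_unixgroup_attr)) {
		idmapdlog(LOG_ERR, "config/ad_unixgroup_attr=%s is not a "
		    "valid LDAP attribute name", pgcfg->ad_unixgroup_attr);
		return (-3);
	}

	rc = get_val_astring(handles, "nldap_winname_attr",
	    &pgcfg->nldap_winname_attr);
	if (rc != 0)
		return (-2);
	if (pgcfg->nldap_winname_attr != NULL &&
	    !valid_ldap_attr(pgcfg->nldap_winname_attr)) {
		idmapdlog(LOG_ERR, "config/nldap_winname_attr=%s is not a "
		    "valid LDAP attribute name", pgcfg->nldap_winname_attr);
		return (-3);
	}
	if (pgcfg->ad_unixuser_attr == NULL &&
	    pgcfg->ad_unixgroup_attr == NULL &&
	    pgcfg->nldap_winname_attr == NULL) {
		idmapdlog(LOG_ERR,
		    "If config/directory_based_mapping property is set to "
		    "\"name\" then at least one of the following name mapping "
		    "attributes must be specified. (config/ad_unixuser_attr OR "
		    "config/ad_unixgroup_attr OR config/nldap_winname_attr)");
		return (-3);
	}

	/* rc is 0 here: the last fetch succeeded. */
	return (rc);
}

/*
 * Log, at LOG_DEBUG, that 'what' could not be discovered when 'val'
 * is NULL.
 */
static
void
log_if_unable(const void *val, const char *what)
{
	if (val == NULL) {
		idmapdlog(LOG_DEBUG, "unable to discover %s", what);
	}
}

/*
 * Fetch the trusted-domain list and, for each trusted domain outside
 * our own forest, record its forest once (forest name, Global Catalog,
 * domains in the forest) in pgcfg->trusted_forests.  Only domains that
 * appear in our own trusted-domain list get their 'trusted' flag set
 * in a forest's domain list.
 *
 * Nothing is recorded when the forest name is unknown or the
 * trusted-domain list is empty.  Per-domain discovery failures skip
 * that domain.
 */
static
void
discover_trusted_domains(idmap_pg_config_t *pgcfg, ad_disc_t ad_ctx)
{
	ad_disc_t trusted_ctx;
	int i, j, k, l;
	char *forestname;
	int num_trusteddomains;
	boolean_t new_forest;
	char *trusteddomain;
	ad_disc_ds_t *globalcatalog;
	idmap_trustedforest_t *trustedforests;
	ad_disc_domainsinforest_t *domainsinforest;

	pgcfg->trusted_domains =
	    ad_disc_get_TrustedDomains(ad_ctx, NULL);

	if (pgcfg->forest_name != NULL && pgcfg->trusted_domains != NULL &&
	    pgcfg->trusted_domains[0].domain[0] != '\0') {
		/*
		 * We have trusted domains.  We need to go through every
		 * one and find its forest. If it is a new forest we then need
		 * to find its Global Catalog and the domains in the forest
		 */
		for (i = 0; pgcfg->trusted_domains[i].domain[0] != '\0'; i++)
			continue;
		num_trusteddomains = i;

		/* One slot per trusted domain is the upper bound. */
		trustedforests = calloc(num_trusteddomains,
		    sizeof (idmap_trustedforest_t));
		if (trustedforests == NULL) {
			/* Was dereferenced unchecked further down. */
			idmapdlog(LOG_ERR, "Out of memory");
			return;
		}
		j = 0;
		for (i = 0; pgcfg->trusted_domains[i].domain[0] != '\0'; i++) {
			trusteddomain = pgcfg->trusted_domains[i].domain;
			trusted_ctx = ad_disc_init();
			if (trusted_ctx == NULL) {
				/*
				 * idmap_cfg_init() treats a NULL context
				 * as a failure; do the same here rather
				 * than hand NULL to the ad_disc_* calls.
				 */
				idmapdlog(LOG_ERR,
				    "unable to create a discovery context"
				    " for the trusted domain %s",
				    trusteddomain);
				continue;
			}
			(void) ad_disc_set_DomainName(trusted_ctx,
			    trusteddomain);
			forestname =
			    ad_disc_get_ForestName(trusted_ctx, NULL);
			if (forestname == NULL) {
				if (DBG(CONFIG, 1)) {
					idmapdlog(LOG_DEBUG,
					    "unable to discover Forest Name"
					    " for the trusted domain %s",
					    trusteddomain);
				}
				ad_disc_fini(trusted_ctx);
				continue;
			}

			if (strcasecmp(forestname, pgcfg->forest_name) == 0) {
				/*
				 * Ignore the domain as it is part of
				 * the primary forest
				 */
				free(forestname);
				ad_disc_fini(trusted_ctx);
				continue;
			}

			/* Is this a new forest? */
			new_forest = B_TRUE;
			for (k = 0; k < j; k++) {
				if (strcasecmp(forestname,
				    trustedforests[k].forest_name) == 0) {
					new_forest = B_FALSE;
					domainsinforest =
					    trustedforests[k].domains_in_forest;
					break;
				}
			}
			if (!new_forest) {
				/* Mark the domain as trusted */
				for (l = 0;
				    domainsinforest[l].domain[0] != '\0'; l++) {
					if (domain_eq(trusteddomain,
					    domainsinforest[l].domain)) {
						domainsinforest[l].trusted =
						    TRUE;
						break;
					}
				}
				free(forestname);
				ad_disc_fini(trusted_ctx);
				continue;
			}

			/*
			 * Get the Global Catalog and the domains in
			 * this new forest.
			 */
			globalcatalog =
			    ad_disc_get_GlobalCatalog(trusted_ctx,
			    AD_DISC_PREFER_SITE, NULL);
			if (globalcatalog == NULL) {
				if (DBG(CONFIG, 1)) {
					idmapdlog(LOG_DEBUG,
					    "unable to discover Global Catalog"
					    " for the trusted domain %s",
					    trusteddomain);
				}
				free(forestname);
				ad_disc_fini(trusted_ctx);
				continue;
			}
			domainsinforest =
			    ad_disc_get_DomainsInForest(trusted_ctx, NULL);
			if (domainsinforest == NULL) {
				if (DBG(CONFIG, 1)) {
					idmapdlog(LOG_DEBUG,
					    "unable to discover Domains in the"
					    " Forest for the trusted domain %s",
					    trusteddomain);
				}
				free(globalcatalog);
				free(forestname);
				ad_disc_fini(trusted_ctx);
				continue;
			}

			/* The forest entry takes ownership of all three. */
			trustedforests[j].forest_name = forestname;
			trustedforests[j].global_catalog = globalcatalog;
			trustedforests[j].domains_in_forest = domainsinforest;
			j++;
			/* Mark the domain as trusted */
			for (l = 0; domainsinforest[l].domain[0] != '\0';
			    l++) {
				if (domain_eq(trusteddomain,
				    domainsinforest[l].domain)) {
					domainsinforest[l].trusted = TRUE;
					break;
				}
			}
			ad_disc_fini(trusted_ctx);
		}
		if (j > 0) {
			pgcfg->num_trusted_forests = j;
			pgcfg->trusted_forests = trustedforests;
		} else {
			free(trustedforests);
		}
	}
}

/*
 * This is the half of idmap_cfg_load() that auto-discovers values of
 * discoverable properties that weren't already set via SMF properties.
 *
 * idmap_cfg_discover() is called *after* idmap_cfg_load_smf(), so it
 * needs to be careful not to overwrite any properties set in SMF.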
*/
static void
idmap_cfg_discover1(idmap_cfg_handles_t *handles, idmap_pg_config_t *pgcfg)
{
	ad_disc_t ad_ctx = handles->ad_ctx;
	FILE *status_fp = NULL;
	time_t started, finished;

	started = time(NULL);
	if (DBG(CONFIG, 1)) {
		idmapdlog(LOG_DEBUG, "Running domain discovery.");
	}

	/*
	 * Start a fresh status log for this discovery run.
	 *
	 * NOTE(review): fopen() with "w" follows symlinks and the file
	 * is then made world-readable, so this relies on IDMAP_CACHEDIR
	 * being writable only by idmapd -- confirm the directory's
	 * ownership and mode.
	 */
	(void) unlink(IDMAP_CACHEDIR "/discovery.log");
	status_fp = fopen(IDMAP_CACHEDIR "/discovery.log", "w");
	if (status_fp != NULL) {
		(void) fchmod(fileno(status_fp), 0644);
		ad_disc_set_StatusFP(ad_ctx, status_fp);
	}

	if (pgcfg->domain_name == NULL) {
		/* Without a domain name there is nothing to discover. */
		idmapdlog(LOG_DEBUG, "No domain name specified.");
		if (status_fp != NULL) {
			(void) fprintf(status_fp, "(no domain name)\n");
		}
	} else {
		/* Only fill in what the SMF load left unset. */
		if (pgcfg->domain_controller == NULL) {
			pgcfg->domain_controller =
			    ad_disc_get_DomainController(ad_ctx,
			    AD_DISC_PREFER_SITE,
			    &pgcfg->domain_controller_auto_disc);
		}

		if (pgcfg->domain_guid == NULL) {
			char guid_str[UUID_PRINTABLE_STRING_LENGTH];
			/*
			 * NOTE(review): 'guid' is not freed here; confirm
			 * whether ad_disc_get_DomainGUID() returns memory
			 * the caller owns.
			 */
			uchar_t *guid = ad_disc_get_DomainGUID(ad_ctx,
			    &pgcfg->domain_guid_auto_disc);

			(void) memset(guid_str, 0, sizeof (guid_str));
			if (guid != NULL) {
				uuid_unparse(guid, guid_str);
				pgcfg->domain_guid = strdup(guid_str);
			}
		}

		if (pgcfg->forest_name == NULL) {
			pgcfg->forest_name = ad_disc_get_ForestName(ad_ctx,
			    &pgcfg->forest_name_auto_disc);
		}

		if (pgcfg->site_name == NULL) {
			pgcfg->site_name = ad_disc_get_SiteName(ad_ctx,
			    &pgcfg->site_name_auto_disc);
		}

		if (DBG(CONFIG, 1)) {
			log_if_unable(pgcfg->domain_name, "Domain Name");
			log_if_unable(pgcfg->domain_controller,
			    "Domain Controller");
			log_if_unable(pgcfg->domain_guid, "Domain GUID");
			log_if_unable(pgcfg->forest_name, "Forest Name");
			log_if_unable(pgcfg->site_name, "Site Name");
		}
	}

	/* Detach the status stream from the context before closing it. */
	if (status_fp != NULL) {
		ad_disc_set_StatusFP(ad_ctx, NULL);
		(void) fclose(status_fp);
		status_fp = NULL;
	}

	if (DBG(CONFIG, 1)) {
		idmapdlog(LOG_DEBUG, "Domain discovery done.");
	}

	/*
	 * Log when this took more than 15 sec.
	 */
	finished = time(NULL);
	if (finished > (started + 15)) {
		idmapdlog(LOG_NOTICE, "Domain discovery took %d sec.",
		    (int)(finished - started));
		idmapdlog(LOG_NOTICE, "Check the DNS configuration.");
	}
}

/*
 * This is the second part of discovery, which can take a while.
 * We don't want to hold up parties who just want to know what
 * domain controller we're using (like smbd), so this part runs
 * after we've updated that info in the "live" config and told
 * such consumers to go ahead.
 *
 * This is a lot like idmap_cfg_discover(), but uses LDAP queries
 * to get the forest information from the global catalog servers.
 *
 * Note: the previous update_* calls have usually nuked any
 * useful information from pgcfg before we get here, so we
 * can only use it to store discovery results, not to read.
 */
static void
idmap_cfg_discover2(idmap_cfg_handles_t *handles, idmap_pg_config_t *pgcfg)
{
	ad_disc_t ad_ctx = handles->ad_ctx;
	FILE *status_fp = NULL;
	time_t started, finished;

	started = time(NULL);
	if (DBG(CONFIG, 1)) {
		idmapdlog(LOG_DEBUG, "Running forest discovery.");
	}

	/*
	 * Append to the log that idmap_cfg_discover1() started.  Unlike
	 * there, no fchmod() is applied, so if this call creates the
	 * file its mode comes from the process umask.
	 */
	status_fp = fopen(IDMAP_CACHEDIR "/discovery.log", "a");
	if (status_fp != NULL) {
		ad_disc_set_StatusFP(ad_ctx, status_fp);
	}

	if (pgcfg->global_catalog == NULL) {
		pgcfg->global_catalog =
		    ad_disc_get_GlobalCatalog(ad_ctx,
		    AD_DISC_PREFER_SITE,
		    &pgcfg->global_catalog_auto_disc);
	}

	/* Forest data is only fetched once a Global Catalog is known. */
	if (pgcfg->global_catalog != NULL) {
		pgcfg->domains_in_forest =
		    ad_disc_get_DomainsInForest(ad_ctx, NULL);

		if (!pgcfg->disable_cross_forest_trusts) {
			discover_trusted_domains(pgcfg, ad_ctx);
		}
	}

	if (DBG(CONFIG, 1)) {
		log_if_unable(pgcfg->global_catalog, "Global Catalog");
		log_if_unable(pgcfg->domains_in_forest,
		    "Domains in the Forest");
		/* Empty trusted domains list is OK. */
	}

	if (status_fp != NULL) {
		ad_disc_set_StatusFP(ad_ctx, NULL);
		(void) fclose(status_fp);
		status_fp = NULL;
	}

	if (DBG(CONFIG, 1)) {
		idmapdlog(LOG_DEBUG, "Forest discovery done.");
	}

	/*
	 * Log when this took more than 30 sec.
	 */
	finished = time(NULL);
	if (finished > (started + 30)) {
		idmapdlog(LOG_NOTICE, "Forest discovery took %d sec.",
		    (int)(finished - started));
		idmapdlog(LOG_NOTICE, "Check AD join status.");
	}
}


/*
 * idmap_cfg_load() is called at startup, and periodically via the
 * update thread when the auto-discovery TTLs expire, as well as part of
 * the refresh method, to update the current configuration.  It always
 * reads from SMF, but you still have to refresh the service after
 * changing the config pg in order for the changes to take effect.
 *
 * There is one flag:
 *
 *  - CFG_DISCOVER
 *
 * If CFG_DISCOVER is set then idmap_cfg_load() calls
 * idmap_cfg_discover() to discover, via DNS and LDAP lookups, property
 * values that weren't set in SMF.
 *
 * idmap_cfg_load() will log (to LOG_NOTICE) whether the configuration
 * changed.
 *
 * Return values: 0 -> success, -1 -> failure, -2 -> hard failures
 * reading from SMF.
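*/
/*
 * Implementation notes:
 *
 * - Any idmap_cfg_load_smf() result below -1 is passed through
 *   unchanged, so -3 (hard SMF config failure) can be returned as well.
 * - handles.mutex is held for the whole call.  The config write lock
 *   is taken twice: once for the properties available after the first
 *   discovery phase, and again after idmap_cfg_discover2(), which runs
 *   with the config lock dropped.
 * - Whatever is left in new_pgcfg after the update_* calls is released
 *   with idmap_cfg_unload(), on the hard-failure path too.
 */
int
idmap_cfg_load(idmap_cfg_t *cfg, int flags)
{
	const ad_disc_t	ad_ctx = cfg->handles.ad_ctx;
	int rc = 0;
	int errors;
	int changed = 0;
	bool_t dc_changed = FALSE;
	bool_t gc_changed = FALSE;
	idmap_pg_config_t new_pgcfg, *live_pgcfg;

	if (DBG(CONFIG, 1))
		idmapdlog(LOG_DEBUG, "Loading configuration.");

	live_pgcfg = &cfg->pgcfg;
	(void) memset(&new_pgcfg, 0, sizeof (new_pgcfg));

	(void) pthread_mutex_lock(&cfg->handles.mutex);

	if ((rc = idmap_cfg_load_smf(&cfg->handles, &new_pgcfg, &errors)) < -1)
		goto err;

	if (flags & CFG_DISCOVER) {

		ad_disc_refresh(ad_ctx);

		/*
		 * Unless we've been asked to forget the current DC,
		 * give preference (in order) to the preferred DC if
		 * configured, or the current DC.  These preferences
		 * reduce undesirable DC changes.
		 */
		if (flags & CFG_FORGET_DC) {
			(void) ad_disc_set_PreferredDC(ad_ctx, NULL);
		} else if (new_pgcfg.preferred_dc != NULL) {
			(void) ad_disc_set_PreferredDC(ad_ctx,
			    new_pgcfg.preferred_dc);
		} else if (live_pgcfg->domain_controller != NULL) {
			(void) ad_disc_set_PreferredDC(ad_ctx,
			    live_pgcfg->domain_controller);
		} else {
			(void) ad_disc_set_PreferredDC(ad_ctx, NULL);
		}

		/*
		 * We want a way to tell adspriv_getdcname_1_svc()
		 * (and others) that discovery is running and therefore
		 * they may want to wait a bit or return an error...
		 */
		(void) mutex_lock(&_idmapdstate.addisc_lk);
		_idmapdstate.addisc_st |= ADDISC_ST_RUNNING;
		(void) mutex_unlock(&_idmapdstate.addisc_lk);

		idmap_cfg_discover1(&cfg->handles, &new_pgcfg);

		/*
		 * Take the config write lock before clearing the
		 * discovery state and waking any waiters.
		 */
		WRLOCK_CONFIG();
		(void) mutex_lock(&_idmapdstate.addisc_lk);
		_idmapdstate.addisc_st = 0;
		(void) cond_broadcast(&_idmapdstate.addisc_cv);
		(void) mutex_unlock(&_idmapdstate.addisc_lk);
	} else {
		WRLOCK_CONFIG();
	}

	/* Non-discoverable props updated here */

	changed += update_uint64(&live_pgcfg->list_size_limit,
	    &new_pgcfg.list_size_limit, "list_size_limit");

	changed += update_uint64(&live_pgcfg->max_threads,
	    &new_pgcfg.max_threads, "max_threads");

	changed += update_uint64(&live_pgcfg->discovery_retry_max_delay,
	    &new_pgcfg.discovery_retry_max_delay, "discovery_retry_max_delay");

	changed += update_uint64(&live_pgcfg->id_cache_timeout,
	    &new_pgcfg.id_cache_timeout, "id_cache_timeout");

	changed += update_uint64(&live_pgcfg->name_cache_timeout,
	    &new_pgcfg.name_cache_timeout, "name_cache_timeout");

	changed += update_uint64(&live_pgcfg->rediscovery_interval,
	    &new_pgcfg.rediscovery_interval, "rediscovery_interval");

	/*
	 * NOTE(review): new_pgcfg.machine_uuid is filled in by
	 * idmap_cfg_load_smf() but no update_* call here consumes it,
	 * and idmap_cfg_unload() as written in this file does not free
	 * it -- confirm where it is released.
	 */
	changed += update_string(&live_pgcfg->machine_sid,
	    &new_pgcfg.machine_sid, "machine_sid");

	changed += update_bool(&live_pgcfg->eph_map_unres_sids,
	    &new_pgcfg.eph_map_unres_sids, "unresolvable_sid_mapping");

	changed += update_bool(&live_pgcfg->use_ads,
	    &new_pgcfg.use_ads, "use_ads");

	changed += update_bool(&live_pgcfg->use_lsa,
	    &new_pgcfg.use_lsa, "use_lsa");

	changed += update_bool(&live_pgcfg->disable_cross_forest_trusts,
	    &new_pgcfg.disable_cross_forest_trusts,
	    "disable_cross_forest_trusts");

	changed += update_enum(&live_pgcfg->directory_based_mapping,
	    &new_pgcfg.directory_based_mapping, "directory_based_mapping",
	    directory_mapping_map);

	changed += update_string(&live_pgcfg->ad_unixuser_attr,
	    &new_pgcfg.ad_unixuser_attr, "ad_unixuser_attr");

	changed += update_string(&live_pgcfg->ad_unixgroup_attr,
	    &new_pgcfg.ad_unixgroup_attr, "ad_unixgroup_attr");

	changed += update_string(&live_pgcfg->nldap_winname_attr,
	    &new_pgcfg.nldap_winname_attr, "nldap_winname_attr");

	changed += update_string(&live_pgcfg->default_domain,
	    &new_pgcfg.default_domain, "default_domain");

	changed += update_dirs(&live_pgcfg->preferred_dc,
	    &new_pgcfg.preferred_dc, "preferred_dc");

	/* Props that can be discovered or set in SMF updated here */

	if (update_string(&live_pgcfg->domain_name,
	    &new_pgcfg.domain_name, "domain_name")) {
		/* A new domain invalidates both DC and GC state. */
		changed++;
		dc_changed = TRUE;
		gc_changed = TRUE;
		idmapd_set_krb5_realm(live_pgcfg->domain_name);
	}
	live_pgcfg->domain_name_auto_disc = new_pgcfg.domain_name_auto_disc;

	changed += update_string(&live_pgcfg->domain_guid,
	    &new_pgcfg.domain_guid, "domain_guid");
	live_pgcfg->domain_guid_auto_disc = new_pgcfg.domain_guid_auto_disc;

	if (update_dirs(&live_pgcfg->domain_controller,
	    &new_pgcfg.domain_controller, "domain_controller")) {
		changed++;
		dc_changed = TRUE;
	}
	live_pgcfg->domain_controller_auto_disc =
	    new_pgcfg.domain_controller_auto_disc;

	changed += update_string(&live_pgcfg->forest_name,
	    &new_pgcfg.forest_name, "forest_name");
	live_pgcfg->forest_name_auto_disc = new_pgcfg.forest_name_auto_disc;

	changed += update_string(&live_pgcfg->site_name,
	    &new_pgcfg.site_name, "site_name");
	live_pgcfg->site_name_auto_disc = new_pgcfg.site_name_auto_disc;

	if (DBG(CONFIG, 1)) {
		if (changed)
			idmapdlog(LOG_NOTICE, "Configuration changed");
		else
			idmapdlog(LOG_NOTICE, "Configuration unchanged");
	}

	UNLOCK_CONFIG();

	if (dc_changed) {
		notify_dc_changed();
	}

	/*
	 * Discovery2 can take a while.
	 */
	if (flags & CFG_DISCOVER) {
		if (live_pgcfg->domain_name != NULL &&
		    live_pgcfg->forest_name != NULL)
			idmap_cfg_discover2(&cfg->handles, &new_pgcfg);
		ad_disc_done(ad_ctx);
	}

	WRLOCK_CONFIG();

	/* More props that can be discovered or set in SMF */

	if (update_dirs(&live_pgcfg->global_catalog,
	    &new_pgcfg.global_catalog, "global_catalog")) {
		changed++;
		gc_changed = TRUE;
	}
	live_pgcfg->global_catalog_auto_disc =
	    new_pgcfg.global_catalog_auto_disc;

	/* Props that are only discovered (never in SMF) */

	if (update_domains_in_forest(&live_pgcfg->domains_in_forest,
	    &new_pgcfg.domains_in_forest, "domains_in_forest")) {
		changed++;
		gc_changed = TRUE;
	}

	if (update_trusted_domains(&live_pgcfg->trusted_domains,
	    &new_pgcfg.trusted_domains, "trusted_domains")) {
		changed++;
		if (live_pgcfg->trusted_domains != NULL &&
		    live_pgcfg->trusted_domains[0].domain[0] != '\0')
			gc_changed = TRUE;
	}

	if (update_trusted_forest(&live_pgcfg->trusted_forests,
	    &live_pgcfg->num_trusted_forests, &new_pgcfg.trusted_forests,
	    &new_pgcfg.num_trusted_forests, "trusted_forest")) {
		changed++;
		if (live_pgcfg->trusted_forests != NULL)
			gc_changed = TRUE;
	}

	if (DBG(CONFIG, 1)) {
		if (changed)
			idmapdlog(LOG_NOTICE, "Configuration changed");
		else
			idmapdlog(LOG_NOTICE, "Configuration unchanged");
	}

	UNLOCK_CONFIG();

	if (dc_changed)
		reload_dcs();
	if (gc_changed)
		reload_gcs();

err:
	/*
	 * Release whatever is still owned by new_pgcfg.  The label sits
	 * above this call so that a hard failure in idmap_cfg_load_smf()
	 * no longer leaks the properties it had already fetched;
	 * new_pgcfg was zeroed above, so this is safe however far the
	 * load got.
	 */
	idmap_cfg_unload(&new_pgcfg);

	(void) pthread_mutex_unlock(&cfg->handles.mutex);

	if (rc < -1)
		return (rc);

	return ((errors == 0) ? 0 : -1);
}

/*
 * Initialize 'cfg'.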
*/
/*
 * Allocates a zeroed idmap_cfg_t, initializes the handle mutex, binds to the
 * SMF repository, resolves the idmap service, instance and the CONFIG_PG and
 * DEBUG_PG property groups, and finally creates the AD auto-discovery
 * context.
 *
 * Returns the new configuration, or NULL on failure.  Every failure after
 * the allocation hands the partially built object to idmap_cfg_fini().
 */
idmap_cfg_t *
idmap_cfg_init()
{
	idmap_cfg_handles_t *handles;
	idmap_cfg_t *cfg;

	cfg = calloc(1, sizeof (idmap_cfg_t));
	if (cfg == NULL) {
		idmapdlog(LOG_ERR, "Out of memory");
		return (NULL);
	}
	handles = &cfg->handles;

	(void) pthread_mutex_init(&handles->mutex, NULL);

	/* First the smf repository handles: */
	handles->main = scf_handle_create(SCF_VERSION);
	if (handles->main == NULL) {
		idmapdlog(LOG_ERR, "scf_handle_create() failed: %s",
		    scf_strerror(scf_error()));
		goto error;
	}

	if (scf_handle_bind(handles->main) < 0) {
		idmapdlog(LOG_ERR, "scf_handle_bind() failed: %s",
		    scf_strerror(scf_error()));
		goto error;
	}

	/* Creation stops at the first handle that cannot be allocated. */
	if ((handles->service = scf_service_create(handles->main)) == NULL ||
	    (handles->instance = scf_instance_create(handles->main)) == NULL ||
	    (handles->config_pg = scf_pg_create(handles->main)) == NULL ||
	    (handles->debug_pg = scf_pg_create(handles->main)) == NULL) {
		idmapdlog(LOG_ERR, "scf handle creation failed: %s",
		    scf_strerror(scf_error()));
		goto error;
	}

	/* Resolve service, instance and the config property group at once. */
	if (scf_handle_decode_fmri(handles->main,
	    FMRI_BASE "/:properties/" CONFIG_PG,
	    NULL,			/* scope */
	    handles->service,		/* service */
	    handles->instance,		/* instance */
	    handles->config_pg,		/* pg */
	    NULL,			/* prop */
	    SCF_DECODE_FMRI_EXACT) < 0) {
		idmapdlog(LOG_ERR, "scf_handle_decode_fmri() failed: %s",
		    scf_strerror(scf_error()));
		goto error;
	}

	if (scf_service_get_pg(handles->service,
	    DEBUG_PG, handles->debug_pg) < 0) {
		idmapdlog(LOG_ERR, "Property group \"%s\": %s",
		    DEBUG_PG, scf_strerror(scf_error()));
		goto error;
	}

	check_smf_debug_mode(handles);

	/* Initialize AD Auto Discovery context */
	handles->ad_ctx = ad_disc_init();
	if (handles->ad_ctx != NULL)
		return (cfg);

	/* An ad_disc_init() failure is not logged by this function. */

error:
	/*
	 * Handles that were never created are still NULL from calloc() and
	 * are passed to the scf_*_destroy() routines as they are.
	 * NOTE(review): presumably those routines accept NULL -- confirm.
	 */
	(void) idmap_cfg_fini(cfg);
	return (NULL);
}

/*
 * Releases the heap-allocated members of 'pgcfg' and resets each pointer to
 * NULL.  The structure itself is not freed.
 *
 * NOTE(review): preferred_dc and domains_in_forest are also members of this
 * structure (the load path earlier in this file updates them) but are not
 * released here -- confirm who owns them.
 */
void
idmap_cfg_unload(idmap_pg_config_t *pgcfg)
{
	/* free(NULL) is a no-op, so the plain members need no guards. */
	free(pgcfg->default_domain);
	pgcfg->default_domain = NULL;

	free(pgcfg->domain_name);
	pgcfg->domain_name = NULL;

	free(pgcfg->domain_guid);
	pgcfg->domain_guid = NULL;

	free(pgcfg->machine_sid);
	pgcfg->machine_sid = NULL;

	free(pgcfg->domain_controller);
	pgcfg->domain_controller = NULL;

	free(pgcfg->forest_name);
	pgcfg->forest_name = NULL;

	free(pgcfg->site_name);
	pgcfg->site_name = NULL;

	free(pgcfg->global_catalog);
	pgcfg->global_catalog = NULL;

	free(pgcfg->trusted_domains);
	pgcfg->trusted_domains = NULL;

	/* The forest list has its own destructor, called only when set. */
	if (pgcfg->trusted_forests != NULL) {
		free_trusted_forests(&pgcfg->trusted_forests,
		    &pgcfg->num_trusted_forests);
	}

	free(pgcfg->ad_unixuser_attr);
	pgcfg->ad_unixuser_attr = NULL;

	free(pgcfg->ad_unixgroup_attr);
	pgcfg->ad_unixgroup_attr = NULL;

	free(pgcfg->nldap_winname_attr);
	pgcfg->nldap_winname_attr = NULL;
}

/*
 * Tears down a configuration object: unloads the property values, destroys
 * the handle mutex and the SMF handles, finishes the AD discovery context
 * when there is one, and frees 'cfg'.  Always returns 0.
 *
 * 'cfg' is dereferenced immediately and must not be NULL.  The mutex is
 * destroyed unconditionally.
 * NOTE(review): callers presumably guarantee that no thread still holds or
 * waits on handles->mutex -- confirm.
 */
int
idmap_cfg_fini(idmap_cfg_t *cfg)
{
	idmap_cfg_handles_t *h = &cfg->handles;

	idmap_cfg_unload(&cfg->pgcfg);

	(void) pthread_mutex_destroy(&h->mutex);

	scf_pg_destroy(h->config_pg);
	if (h->debug_pg != NULL) {
		scf_pg_destroy(h->debug_pg);
	}
	scf_instance_destroy(h->instance);
	scf_service_destroy(h->service);
	scf_handle_destroy(h->main);

	if (h->ad_ctx != NULL) {
		ad_disc_fini(h->ad_ctx);
	}

	free(cfg);
	return (0);
}

/*
 * Marks AD discovery as requested and, unless a request was already pending,
 * posts POKE_AUTO_DISCOVERY to the event port.
 */
void
idmap_cfg_poke_updates(void)
{
	int old_state;

	if (DBG(CONFIG, 1)) {
		idmapdlog(LOG_INFO, "idmap_cfg_poke_updates");
	}

	/* Read and set the flag under the lock; send outside of it. */
	(void) mutex_lock(&_idmapdstate.addisc_lk);
	old_state = _idmapdstate.addisc_st;
	_idmapdstate.addisc_st = old_state | ADDISC_ST_REQUESTED;
	(void) mutex_unlock(&_idmapdstate.addisc_lk);

	if ((old_state & ADDISC_ST_REQUESTED) == 0) {
		idmapdlog(LOG_DEBUG, "port send poke");
		(void) port_send(idmapd_ev_port, POKE_AUTO_DISCOVERY, NULL);
	} else {
		idmapdlog(LOG_DEBUG, "already poked");
	}
}

/*
 * Marks AD discovery as requested and, unless a request was already pending,
 * posts KICK_AUTO_DISCOVERY to the event port.
 *
 * NOTE(review): this shares ADDISC_ST_REQUESTED with idmap_cfg_poke_updates(),
 * so while a poke is pending a kick is not sent -- confirm that is intended.
 */
void
idmap_cfg_force_rediscovery(void)
{
	int old_state;

	if (DBG(CONFIG, 1)) {
		idmapdlog(LOG_INFO, "idmap_cfg_force_rediscovery");
	}

	/* Read and set the flag under the lock; send outside of it. */
	(void) mutex_lock(&_idmapdstate.addisc_lk);
	old_state = _idmapdstate.addisc_st;
	_idmapdstate.addisc_st = old_state | ADDISC_ST_REQUESTED;
	(void) mutex_unlock(&_idmapdstate.addisc_lk);

	if ((old_state & ADDISC_ST_REQUESTED) == 0) {
		idmapdlog(LOG_DEBUG, "port send kick");
		(void) port_send(idmapd_ev_port, KICK_AUTO_DISCOVERY, NULL);
	} else {
		idmapdlog(LOG_DEBUG, "already kicked");
	}
}

/*
 * Signal handler: posts RECONFIGURE to the event port when the port is open
 * (idmapd_ev_port >= 0) and does nothing else; 'sig' is unused.
 * NOTE(review): port_send() is the only call made from signal context here;
 * keep it that way, and confirm it is async-signal-safe.
 */
/*ARGSUSED*/
void
idmap_cfg_hup_handler(int sig)
{
	if (idmapd_ev_port < 0)
		return;

	(void) port_send(idmapd_ev_port, RECONFIGURE, NULL);
}

/*
 * Upgrade the debug flags.
 *
 * We're replacing a single debug flag with a fine-grained mechanism that
 * is also capable of considerably more verbosity.  We'll take a stab at
 * producing roughly the same level of output.
*/
static
int
upgrade_debug(idmap_cfg_handles_t *handles)
{
	const char DEBUG_PROP[] = "debug";
	boolean_t has_legacy_debug;
	int rc;

	/* Nothing to do on a lookup error or when the old flag is absent. */
	rc = prop_exists(handles, DEBUG_PROP, &has_legacy_debug);
	if (rc != 0 || !has_legacy_debug)
		return (rc);

	idmapdlog(LOG_INFO,
	    "Upgrading old %s/%s setting to %s/* settings.",
	    CONFIG_PG, DEBUG_PROP, DEBUG_PG);

	/*
	 * Set the two replacement values first; the old property is deleted
	 * only once both have been written.
	 */
	rc = set_val_integer(handles, handles->debug_pg, "config", 1);
	if (rc == 0) {
		rc = set_val_integer(handles, handles->debug_pg,
		    "discovery", 1);
	}
	if (rc == 0)
		rc = del_val(handles, handles->config_pg, DEBUG_PROP);

	return (rc);
}

/*
 * Upgrade the DS mapping flags.
 *
 * When the old ds_name_mapping_enabled flag is present:
 *   - if directory_based_mapping has no value, derive it from the old flag
 *     ("name" when enabled, "none" otherwise) and note it;
 *   - if it has a value, keep it, noting a compatible old flag and warning
 *     about a conflicting one;
 *   - in both cases delete the old flag.
 *
 * Returns 0 on success or when there is nothing to upgrade, otherwise the
 * non-zero result of the helper that failed.
 */
static
int
upgrade_directory_mapping(idmap_cfg_handles_t *handles)
{
	const char DS_NAME_MAPPING_ENABLED[] = "ds_name_mapping_enabled";
	const char DIRECTORY_BASED_MAPPING[] = "directory_based_mapping";
	boolean_t legacy_present;
	boolean_t legacy_enabled;
	char *legacy_mode;
	char *legacy_bool_string;
	char *current_mode;
	int rc;

	rc = prop_exists(handles, DS_NAME_MAPPING_ENABLED, &legacy_present);
	if (rc != 0 || !legacy_present)
		return (rc);

	rc = get_val_bool(handles, DS_NAME_MAPPING_ENABLED,
	    &legacy_enabled, B_FALSE);
	if (rc != 0)
		return (rc);

	/* Text forms of the old flag, used for the new value and the logs. */
	legacy_mode = legacy_enabled ? "name" : "none";
	legacy_bool_string = legacy_enabled ? "true" : "false";

	rc = get_val_astring(handles, DIRECTORY_BASED_MAPPING, &current_mode);
	if (rc != 0)
		return (rc);

	if (current_mode != NULL) {
		/* The new property wins; only "name" counts as name mapping. */
		boolean_t wants_name =
		    (strcasecmp(current_mode, "name") == 0) ? B_TRUE : B_FALSE;

		if (legacy_enabled != wants_name) {
			idmapdlog(LOG_WARNING,
			    "Removing conflicting %s=%s setting\n"
			    "in favor of %s=%s.",
			    DS_NAME_MAPPING_ENABLED, legacy_bool_string,
			    DIRECTORY_BASED_MAPPING, current_mode);
		} else {
			idmapdlog(LOG_INFO,
			    "Automatically removing old %s=%s setting\n"
			    "in favor of %s=%s.",
			    DS_NAME_MAPPING_ENABLED, legacy_bool_string,
			    DIRECTORY_BASED_MAPPING, current_mode);
		}
		/* The fetched string is released here, by this function. */
		free(current_mode);
	} else {
		idmapdlog(LOG_INFO,
		    "Upgrading old %s=%s setting\n"
		    "to %s=%s.",
		    DS_NAME_MAPPING_ENABLED, legacy_bool_string,
		    DIRECTORY_BASED_MAPPING, legacy_mode);
		rc = set_val_astring(handles, handles->config_pg,
		    DIRECTORY_BASED_MAPPING, legacy_mode);
		if (rc != 0)
			return (rc);
	}

	return (del_val(handles, handles->config_pg, DS_NAME_MAPPING_ENABLED));
}

/*
 * Do whatever is necessary to upgrade idmap's configuration before
 * we load it.
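*/
int
idmap_cfg_upgrade(idmap_cfg_t *cfg)
{
	int rc;

	/*
	 * Directory-mapping flags first, then the debug flags.  The first
	 * non-zero result is returned and the remaining step is skipped.
	 */
	rc = upgrade_directory_mapping(&cfg->handles);
	if (rc != 0)
		return (rc);

	rc = upgrade_debug(&cfg->handles);
	if (rc != 0)
		return (rc);

	return (0);
}

/*
 * The LDAP code passes principal names lacking any
 * realm information, which causes mech_krb5 to do
 * awful things trying to figure out the realm.
 * Avoid that by making sure it has a default,
 * even when krb5.conf is not configured.
 *
 * 'domain' is the current domain name, or NULL to clear the default realm.
 * The caller passes the domain_name property, which is either set in SMF or
 * auto-discovered, so its length and encoding are checked here rather than
 * assumed.  A name that does not fit in MAXHOSTNAMELEN, or that cannot be
 * converted to upper case, is logged and KRB5_DEFAULT_REALM is cleared; a
 * truncated or half-converted realm is never exported.
 */
static void
idmapd_set_krb5_realm(char *domain)
{
	static char realm[MAXHOSTNAMELEN];
	char src[MAXHOSTNAMELEN];
	size_t ilen, olen;
	int err = 0;

	/*
	 * The credential cache is removed on every call, before the realm is
	 * touched.  NOTE(review): presumably so that credentials obtained for
	 * the previous realm are not reused -- confirm.
	 */
	(void) unlink(IDMAP_CACHEDIR "/ccache");

	if (domain == NULL) {
		(void) unsetenv("KRB5_DEFAULT_REALM");
		return;
	}

	/* strlcpy() returns the source length; >= size means truncation. */
	if (strlcpy(src, domain, sizeof (src)) >= sizeof (src)) {
		idmapdlog(LOG_ERR, "Domain name too long for a Kerberos "
		    "realm; KRB5_DEFAULT_REALM not set");
		(void) unsetenv("KRB5_DEFAULT_REALM");
		return;
	}

	/*
	 * Convert to upper case into a separate buffer, so that a mapping
	 * which changes the byte length cannot overwrite unread input, and
	 * reserve one byte for the terminator.
	 */
	ilen = strlen(src);
	olen = sizeof (realm) - 1;
	if (u8_textprep_str(src, &ilen, realm, &olen,
	    U8_TEXTPREP_TOUPPER, U8_UNICODE_LATEST, &err) == (size_t)-1) {
		idmapdlog(LOG_ERR, "Cannot convert domain name to upper case "
		    "(error %d); KRB5_DEFAULT_REALM not set", err);
		(void) unsetenv("KRB5_DEFAULT_REALM");
		return;
	}

	/* olen now holds the unused space; terminate after what was written. */
	realm[sizeof (realm) - 1 - olen] = '\0';

	(void) setenv("KRB5_DEFAULT_REALM", realm, 1);
}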