xref: /illumos-gate/usr/src/cmd/idmap/idmapd/init.c (revision 16f0fd39d0c84c014919d701f87f5fc48be58d31)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * Initialization routines
28  */
29 
30 #include "idmapd.h"
31 #include <signal.h>
32 #include <thread.h>
33 #include <string.h>
34 #include <errno.h>
35 #include <assert.h>
36 #include <unistd.h>
37 #include <sys/types.h>
38 #include <sys/stat.h>
39 #include <rpcsvc/daemon_utils.h>
40 
41 
42 int
43 init_mapping_system()
44 {
45 	int rc = 0;
46 
47 	if (rwlock_init(&_idmapdstate.rwlk_cfg, USYNC_THREAD, NULL) != 0)
48 		return (-1);
49 	if ((rc = load_config()) < 0)
50 		return (rc);
51 
52 	(void) setegid(DAEMON_GID);
53 	(void) seteuid(DAEMON_UID);
54 	if (init_dbs() < 0) {
55 		rc = -1;
56 		fini_mapping_system();
57 	}
58 	(void) seteuid(0);
59 	(void) setegid(0);
60 
61 	return (rc);
62 }
63 
64 void
65 fini_mapping_system()
66 {
67 	fini_dbs();
68 }
69 
70 int
71 load_config()
72 {
73 	int rc;
74 	if ((_idmapdstate.cfg = idmap_cfg_init()) == NULL) {
75 		degrade_svc(0, "failed to initialize config");
76 		return (-1);
77 	}
78 
79 	rc = idmap_cfg_upgrade(_idmapdstate.cfg);
80 	if (rc != 0) {
81 		degrade_svc(0, "fatal error while upgrading configuration");
82 		return (rc);
83 	}
84 
85 	rc = idmap_cfg_load(_idmapdstate.cfg, 0);
86 	if (rc < -1) {
87 		/* Total failure */
88 		degrade_svc(0, "fatal error while loading configuration");
89 		return (rc);
90 	}
91 
92 	if (rc != 0)
93 		/* Partial failure */
94 		idmapdlog(LOG_ERR, "Various errors occurred while loading "
95 		    "the configuration; check the logs");
96 
97 	if ((rc = idmap_cfg_start_updates()) < 0) {
98 		/* Total failure */
99 		degrade_svc(0, "could not start config updater");
100 		return (rc);
101 	}
102 
103 	idmapdlog(LOG_DEBUG, "Initial configuration loaded");
104 
105 	return (0);
106 }
107 
108 
109 void
110 reload_gcs()
111 {
112 	int		i, j;
113 	adutils_ad_t	**new_gcs;
114 	adutils_ad_t	**old_gcs;
115 	int		new_num_gcs;
116 	int		old_num_gcs;
117 	idmap_pg_config_t *pgcfg = &_idmapdstate.cfg->pgcfg;
118 	idmap_trustedforest_t *trustfor = pgcfg->trusted_forests;
119 	int		num_trustfor = pgcfg->num_trusted_forests;
120 	ad_disc_domainsinforest_t *domain_in_forest;
121 
122 	if (pgcfg->global_catalog == NULL ||
123 	    pgcfg->global_catalog[0].host[0] == '\0') {
124 		/*
125 		 * No GCs.  Continue to use the previous AD config in case
126 		 * that's still good but auto-discovery had a transient failure.
127 		 * If that stops working we'll go into degraded mode anyways
128 		 * when it does.
129 		 */
130 		degrade_svc(0,
131 		    "Global Catalog servers not configured/discoverable");
132 		return;
133 	}
134 
135 	old_gcs = _idmapdstate.gcs;
136 	old_num_gcs = _idmapdstate.num_gcs;
137 
138 	new_num_gcs = 1 + num_trustfor;
139 	new_gcs = calloc(new_num_gcs, sizeof (adutils_ad_t *));
140 	if (new_gcs == NULL) {
141 		degrade_svc(0, "could not allocate AD context array "
142 		    "(out of memory)");
143 		return;
144 	}
145 
146 	if (adutils_ad_alloc(&new_gcs[0], NULL, ADUTILS_AD_GLOBAL_CATALOG) !=
147 	    ADUTILS_SUCCESS) {
148 		free(new_gcs);
149 		degrade_svc(0, "could not initialize AD context "
150 		    "(out of memory)");
151 		return;
152 	}
153 
154 	for (i = 0; pgcfg->global_catalog[i].host[0] != '\0'; i++) {
155 		if (idmap_add_ds(new_gcs[0],
156 		    pgcfg->global_catalog[i].host,
157 		    pgcfg->global_catalog[i].port) != 0) {
158 			adutils_ad_free(&new_gcs[0]);
159 			free(new_gcs);
160 			degrade_svc(0, "could not set AD hosts "
161 			    "(out of memory)");
162 			return;
163 		}
164 	}
165 
166 	if (pgcfg->domains_in_forest != NULL) {
167 		for (i = 0; pgcfg->domains_in_forest[i].domain[0] != '\0';
168 		    i++) {
169 			if (adutils_add_domain(new_gcs[0],
170 			    pgcfg->domains_in_forest[i].domain,
171 			    pgcfg->domains_in_forest[i].sid) != 0) {
172 				adutils_ad_free(&new_gcs[0]);
173 				free(new_gcs);
174 				degrade_svc(0, "could not set AD domains "
175 				    "(out of memory)");
176 				return;
177 			}
178 		}
179 	}
180 
181 	for (i = 0; i < num_trustfor; i++) {
182 		if (adutils_ad_alloc(&new_gcs[i + 1], NULL,
183 		    ADUTILS_AD_GLOBAL_CATALOG) != ADUTILS_SUCCESS) {
184 			degrade_svc(0, "could not initialize trusted AD "
185 			    "context (out of memory)");
186 				new_num_gcs = i + 1;
187 				goto out;
188 		}
189 		for (j = 0; trustfor[i].global_catalog[j].host[0] != '\0';
190 		    j++) {
191 			if (idmap_add_ds(new_gcs[i + 1],
192 			    trustfor[i].global_catalog[j].host,
193 			    trustfor[i].global_catalog[j].port) != 0) {
194 				adutils_ad_free(&new_gcs[i + 1]);
195 				degrade_svc(0, "could not set trusted "
196 				    "AD hosts (out of memory)");
197 				new_num_gcs = i + 1;
198 				goto out;
199 			}
200 		}
201 		for (j = 0; trustfor[i].domains_in_forest[j].domain[0] != '\0';
202 		    j++) {
203 			domain_in_forest = &trustfor[i].domains_in_forest[j];
204 			/* Only add domains which are marked */
205 			if (domain_in_forest->trusted) {
206 				if (adutils_add_domain(new_gcs[i + 1],
207 				    domain_in_forest->domain,
208 				    domain_in_forest->sid) != 0) {
209 					adutils_ad_free(&new_gcs[i + 1]);
210 					degrade_svc(0, "could not set trusted "
211 					    "AD domains (out of memory)");
212 					new_num_gcs = i + 1;
213 					goto out;
214 				}
215 			}
216 		}
217 	}
218 
219 out:
220 	_idmapdstate.gcs = new_gcs;
221 	_idmapdstate.num_gcs = new_num_gcs;
222 
223 
224 	if (old_gcs != NULL) {
225 		for (i = 0; i < old_num_gcs; i++)
226 			adutils_ad_free(&old_gcs[i]);
227 		free(old_gcs);
228 	}
229 }
230 
231 /*
232  * NEEDSWORK:  This should load entries for domain servers for all known
233  * domains - the joined domain, other domains in the forest, and trusted
234  * domains in other forests.  However, we don't yet discover any DCs other
235  * than the DCs for the joined domain.
236  */
237 static
238 void
239 reload_dcs(void)
240 {
241 	int		i;
242 	adutils_ad_t	**new_dcs;
243 	adutils_ad_t	**old_dcs;
244 	int		new_num_dcs;
245 	int		old_num_dcs;
246 	idmap_pg_config_t *pgcfg = &_idmapdstate.cfg->pgcfg;
247 
248 	if (pgcfg->domain_controller == NULL ||
249 	    pgcfg->domain_controller[0].host[0] == '\0') {
250 		/*
251 		 * No DCs.  Continue to use the previous AD config in case
252 		 * that's still good but auto-discovery had a transient failure.
253 		 * If that stops working we'll go into degraded mode anyways
254 		 * when it does.
255 		 */
256 		degrade_svc(0,
257 		    "Domain controller servers not configured/discoverable");
258 		return;
259 	}
260 
261 	old_dcs = _idmapdstate.dcs;
262 	old_num_dcs = _idmapdstate.num_dcs;
263 
264 	new_num_dcs = 1;
265 	new_dcs = calloc(new_num_dcs, sizeof (adutils_ad_t *));
266 	if (new_dcs == NULL)
267 		goto nomem;
268 
269 	if (adutils_ad_alloc(&new_dcs[0], pgcfg->domain_name,
270 	    ADUTILS_AD_DATA) != ADUTILS_SUCCESS)
271 		goto nomem;
272 
273 	for (i = 0; pgcfg->domain_controller[i].host[0] != '\0'; i++) {
274 		if (idmap_add_ds(new_dcs[0],
275 		    pgcfg->domain_controller[i].host,
276 		    pgcfg->domain_controller[i].port) != 0)
277 			goto nomem;
278 	}
279 
280 	/*
281 	 * NEEDSWORK:  All we need here is to add the domain and SID for
282 	 * this DC to the list of domains supported by this entry.  Isn't
283 	 * there an easier way to find the SID than to walk through the list
284 	 * of all of the domains in the forest?
285 	 */
286 	ad_disc_domainsinforest_t *dif = pgcfg->domains_in_forest;
287 	if (dif != NULL) {
288 		for (; dif->domain[0] != '\0'; dif++) {
289 			if (domain_eq(pgcfg->domain_name, dif->domain)) {
290 				if (adutils_add_domain(new_dcs[0],
291 				    dif->domain, dif->sid) != 0)
292 					goto nomem;
293 				break;
294 			}
295 		}
296 	}
297 
298 	_idmapdstate.dcs = new_dcs;
299 	_idmapdstate.num_dcs = new_num_dcs;
300 
301 	if (old_dcs != NULL) {
302 		for (i = 0; i < old_num_dcs; i++)
303 			adutils_ad_free(&old_dcs[i]);
304 		free(old_dcs);
305 	}
306 
307 	return;
308 
309 nomem:
310 	degrade_svc(0, "out of memory");
311 
312 	if (new_dcs != NULL) {
313 		if (new_dcs[0] != NULL)
314 			adutils_ad_free(&new_dcs[0]);
315 		free(new_dcs);
316 	}
317 }
318 
319 
320 void
321 reload_ad(void)
322 {
323 	reload_gcs();
324 	reload_dcs();
325 }
326 
327 void
328 print_idmapdstate()
329 {
330 	int i, j;
331 	idmap_pg_config_t *pgcfg;
332 	idmap_trustedforest_t *tf;
333 
334 	RDLOCK_CONFIG();
335 
336 	if (_idmapdstate.cfg == NULL) {
337 		idmapdlog(LOG_INFO, "Null configuration");
338 		UNLOCK_CONFIG();
339 		return;
340 	}
341 
342 	pgcfg = &_idmapdstate.cfg->pgcfg;
343 
344 	idmapdlog(LOG_DEBUG, "list_size_limit=%llu", pgcfg->list_size_limit);
345 	idmapdlog(LOG_DEBUG, "default_domain=%s",
346 	    CHECK_NULL(pgcfg->default_domain));
347 	idmapdlog(LOG_DEBUG, "domain_name=%s", CHECK_NULL(pgcfg->domain_name));
348 	idmapdlog(LOG_DEBUG, "machine_sid=%s", CHECK_NULL(pgcfg->machine_sid));
349 	if (pgcfg->domain_controller == NULL ||
350 	    pgcfg->domain_controller[0].host[0] == '\0') {
351 		idmapdlog(LOG_DEBUG, "No domain controllers known");
352 	} else {
353 		for (i = 0; pgcfg->domain_controller[i].host[0] != '\0'; i++)
354 			idmapdlog(LOG_DEBUG, "domain_controller=%s port=%d",
355 			    pgcfg->domain_controller[i].host,
356 			    pgcfg->domain_controller[i].port);
357 	}
358 	idmapdlog(LOG_DEBUG, "forest_name=%s", CHECK_NULL(pgcfg->forest_name));
359 	idmapdlog(LOG_DEBUG, "site_name=%s", CHECK_NULL(pgcfg->site_name));
360 	if (pgcfg->global_catalog == NULL ||
361 	    pgcfg->global_catalog[0].host[0] == '\0') {
362 		idmapdlog(LOG_DEBUG, "No global catalog servers known");
363 	} else {
364 		for (i = 0; pgcfg->global_catalog[i].host[0] != '\0'; i++)
365 			idmapdlog(LOG_DEBUG, "global_catalog=%s port=%d",
366 			    pgcfg->global_catalog[i].host,
367 			    pgcfg->global_catalog[i].port);
368 	}
369 	if (pgcfg->domains_in_forest == NULL ||
370 	    pgcfg->domains_in_forest[0].domain[0] == '\0') {
371 		idmapdlog(LOG_DEBUG, "No domains in forest %s known",
372 		    CHECK_NULL(pgcfg->forest_name));
373 	} else {
374 		for (i = 0; pgcfg->domains_in_forest[i].domain[0] != '\0'; i++)
375 			idmapdlog(LOG_DEBUG, "domains in forest %s = %s",
376 			    CHECK_NULL(pgcfg->forest_name),
377 			    pgcfg->domains_in_forest[i].domain);
378 	}
379 	if (pgcfg->trusted_domains == NULL ||
380 	    pgcfg->trusted_domains[0].domain[0] == '\0') {
381 		idmapdlog(LOG_DEBUG, "No trusted domains known");
382 	} else {
383 		for (i = 0; pgcfg->trusted_domains[i].domain[0] != '\0'; i++)
384 			idmapdlog(LOG_DEBUG, "trusted domain = %s",
385 			    pgcfg->trusted_domains[i].domain);
386 	}
387 
388 	for (i = 0; i < pgcfg->num_trusted_forests; i++) {
389 		tf = &pgcfg->trusted_forests[i];
390 		for (j = 0; tf->global_catalog[j].host[0] != '\0'; j++)
391 			idmapdlog(LOG_DEBUG,
392 			    "trusted forest %s global_catalog=%s port=%d",
393 			    tf->forest_name,
394 			    tf->global_catalog[j].host,
395 			    tf->global_catalog[j].port);
396 		for (j = 0; tf->domains_in_forest[j].domain[0] != '\0'; j++) {
397 			if (tf->domains_in_forest[j].trusted) {
398 				idmapdlog(LOG_DEBUG,
399 				    "trusted forest %s domain=%s",
400 				    tf->forest_name,
401 				    tf->domains_in_forest[j].domain);
402 			}
403 		}
404 	}
405 
406 	idmapdlog(LOG_DEBUG, "directory_based_mapping=%s",
407 	    enum_lookup(pgcfg->directory_based_mapping, directory_mapping_map));
408 	idmapdlog(LOG_DEBUG, "ad_unixuser_attr=%s",
409 	    CHECK_NULL(pgcfg->ad_unixuser_attr));
410 	idmapdlog(LOG_DEBUG, "ad_unixgroup_attr=%s",
411 	    CHECK_NULL(pgcfg->ad_unixgroup_attr));
412 	idmapdlog(LOG_DEBUG, "nldap_winname_attr=%s",
413 	    CHECK_NULL(pgcfg->nldap_winname_attr));
414 
415 	UNLOCK_CONFIG();
416 }
417 
418 int
419 create_directory(const char *path, uid_t uid, gid_t gid)
420 {
421 	int	rc;
422 
423 	if ((rc = mkdir(path, 0700)) < 0 && errno != EEXIST) {
424 		idmapdlog(LOG_ERR, "Error creating directory %s (%s)",
425 		    path, strerror(errno));
426 		return (-1);
427 	}
428 
429 	if (lchown(path, uid, gid) < 0) {
430 		idmapdlog(LOG_ERR, "Error creating directory %s (%s)",
431 		    path, strerror(errno));
432 		if (rc == 0)
433 			(void) rmdir(path);
434 		return (-1);
435 	}
436 	return (0);
437 }
438