xref: /titanic_50/usr/src/cmd/idmap/idmapd/init.c (revision 5c066ec28ea93f3a7c93082611a61747f255290a)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * Initialization routines
28  */
29 
30 #include "idmapd.h"
31 #include <signal.h>
32 #include <thread.h>
33 #include <string.h>
34 #include <errno.h>
35 #include <assert.h>
36 #include <unistd.h>
37 #include <sys/types.h>
38 #include <sys/stat.h>
39 #include <rpcsvc/daemon_utils.h>
40 
41 
42 int
43 init_mapping_system()
44 {
45 	int rc = 0;
46 
47 	if (rwlock_init(&_idmapdstate.rwlk_cfg, USYNC_THREAD, NULL) != 0)
48 		return (-1);
49 	if ((rc = load_config()) < 0)
50 		return (rc);
51 
52 	(void) setegid(DAEMON_GID);
53 	(void) seteuid(DAEMON_UID);
54 	if (init_dbs() < 0) {
55 		rc = -1;
56 		fini_mapping_system();
57 	}
58 	(void) seteuid(0);
59 	(void) setegid(0);
60 
61 	return (rc);
62 }
63 
64 void
65 fini_mapping_system()
66 {
67 	fini_dbs();
68 }
69 
70 int
71 load_config()
72 {
73 	int rc;
74 	if ((_idmapdstate.cfg = idmap_cfg_init()) == NULL) {
75 		degrade_svc(0, "failed to initialize config");
76 		return (-1);
77 	}
78 
79 	rc = idmap_cfg_load(_idmapdstate.cfg, 0);
80 	if (rc < -1) {
81 		/* Total failure */
82 		degrade_svc(0, "fatal error while loading configuration");
83 		return (rc);
84 	}
85 
86 	if (rc != 0)
87 		/* Partial failure */
88 		idmapdlog(LOG_ERR, "Various errors occurred while loading "
89 		    "the configuration; check the logs");
90 
91 	if ((rc = idmap_cfg_start_updates()) < 0) {
92 		/* Total failure */
93 		degrade_svc(0, "could not start config updater");
94 		return (rc);
95 	}
96 
97 	idmapdlog(LOG_DEBUG, "Initial configuration loaded");
98 
99 	return (0);
100 }
101 
102 
103 void
104 reload_ad()
105 {
106 	int		i, j;
107 	adutils_ad_t	**new_ads = NULL;
108 	adutils_ad_t	**old_ads;
109 	int		new_num_ads;
110 	int		old_num_ads;
111 	idmap_pg_config_t *pgcfg = &_idmapdstate.cfg->pgcfg;
112 	idmap_trustedforest_t *trustfor = pgcfg->trusted_forests;
113 	int		num_trustfor = pgcfg->num_trusted_forests;
114 	ad_disc_domainsinforest_t *domain_in_forest;
115 
116 	if (pgcfg->global_catalog == NULL ||
117 	    pgcfg->global_catalog[0].host[0] == '\0') {
118 		/*
119 		 * No GCs.  Continue to use the previous AD config in case
120 		 * that's still good but auto-discovery had a transient failure.
121 		 * If that stops working we'll go into degraded mode anyways
122 		 * when it does.
123 		 */
124 		degrade_svc(0,
125 		    "Global Catalog servers not configured/discoverable");
126 		return;
127 	}
128 
129 	old_ads = _idmapdstate.ads;
130 	old_num_ads = _idmapdstate.num_ads;
131 
132 	new_num_ads = 1 + num_trustfor;
133 	new_ads = calloc(new_num_ads, sizeof (adutils_ad_t *));
134 	if (new_ads == NULL) {
135 		degrade_svc(0, "could not allocate AD context array "
136 		    "(out of memory)");
137 		return;
138 	}
139 
140 	if (adutils_ad_alloc(&new_ads[0], pgcfg->default_domain,
141 	    ADUTILS_AD_GLOBAL_CATALOG) != ADUTILS_SUCCESS) {
142 		free(new_ads);
143 		degrade_svc(0, "could not initialize AD context "
144 		    "(out of memory)");
145 		return;
146 	}
147 
148 	for (i = 0; pgcfg->global_catalog[i].host[0] != '\0'; i++) {
149 		if (idmap_add_ds(new_ads[0],
150 		    pgcfg->global_catalog[i].host,
151 		    pgcfg->global_catalog[i].port) != 0) {
152 			adutils_ad_free(&new_ads[0]);
153 			free(new_ads);
154 			degrade_svc(0, "could not set AD hosts "
155 			    "(out of memory)");
156 			return;
157 		}
158 	}
159 
160 	if (pgcfg->domains_in_forest != NULL) {
161 		for (i = 0; pgcfg->domains_in_forest[i].domain[0] != '\0';
162 		    i++) {
163 			if (adutils_add_domain(new_ads[0],
164 			    pgcfg->domains_in_forest[i].domain,
165 			    pgcfg->domains_in_forest[i].sid) != 0) {
166 				adutils_ad_free(&new_ads[0]);
167 				free(new_ads);
168 				degrade_svc(0, "could not set AD domains "
169 				    "(out of memory)");
170 				return;
171 			}
172 		}
173 	}
174 
175 	for (i = 0; i < num_trustfor; i++) {
176 		if (adutils_ad_alloc(&new_ads[i + 1], NULL,
177 		    ADUTILS_AD_GLOBAL_CATALOG) != ADUTILS_SUCCESS) {
178 			degrade_svc(0, "could not initialize trusted AD "
179 			    "context (out of memory)");
180 				new_num_ads = i + 1;
181 				goto out;
182 		}
183 		for (j = 0; trustfor[i].global_catalog[j].host[0] != '\0';
184 		    j++) {
185 			if (idmap_add_ds(new_ads[i + 1],
186 			    trustfor[i].global_catalog[j].host,
187 			    trustfor[i].global_catalog[j].port) != 0) {
188 				adutils_ad_free(&new_ads[i + 1]);
189 				degrade_svc(0, "could not set trusted "
190 				    "AD hosts (out of memory)");
191 				new_num_ads = i + 1;
192 				goto out;
193 			}
194 		}
195 		for (j = 0; trustfor[i].domains_in_forest[j].domain[0] != '\0';
196 		    j++) {
197 			domain_in_forest = &trustfor[i].domains_in_forest[j];
198 			/* Only add domains which are marked */
199 			if (domain_in_forest->trusted) {
200 				if (adutils_add_domain(new_ads[i + 1],
201 				    domain_in_forest->domain,
202 				    domain_in_forest->sid) != 0) {
203 					adutils_ad_free(&new_ads[i + 1]);
204 					degrade_svc(0, "could not set trusted "
205 					    "AD domains (out of memory)");
206 					new_num_ads = i + 1;
207 					goto out;
208 				}
209 			}
210 		}
211 	}
212 
213 out:
214 	_idmapdstate.ads = new_ads;
215 	_idmapdstate.num_ads = new_num_ads;
216 
217 
218 	if (old_ads != NULL) {
219 		for (i = 0; i < old_num_ads; i++)
220 			adutils_ad_free(&old_ads[i]);
221 		free(old_ads);
222 	}
223 }
224 
225 
226 void
227 print_idmapdstate()
228 {
229 	int i, j;
230 	idmap_pg_config_t *pgcfg;
231 	idmap_trustedforest_t *tf;
232 
233 	RDLOCK_CONFIG();
234 
235 	if (_idmapdstate.cfg == NULL) {
236 		idmapdlog(LOG_INFO, "Null configuration");
237 		UNLOCK_CONFIG();
238 		return;
239 	}
240 
241 	pgcfg = &_idmapdstate.cfg->pgcfg;
242 
243 	idmapdlog(LOG_DEBUG, "list_size_limit=%llu", pgcfg->list_size_limit);
244 	idmapdlog(LOG_DEBUG, "default_domain=%s",
245 	    CHECK_NULL(pgcfg->default_domain));
246 	idmapdlog(LOG_DEBUG, "domain_name=%s", CHECK_NULL(pgcfg->domain_name));
247 	idmapdlog(LOG_DEBUG, "machine_sid=%s", CHECK_NULL(pgcfg->machine_sid));
248 	if (pgcfg->domain_controller == NULL ||
249 	    pgcfg->domain_controller[0].host[0] == '\0') {
250 		idmapdlog(LOG_DEBUG, "No domain controllers known");
251 	} else {
252 		for (i = 0; pgcfg->domain_controller[i].host[0] != '\0'; i++)
253 			idmapdlog(LOG_DEBUG, "domain_controller=%s port=%d",
254 			    pgcfg->domain_controller[i].host,
255 			    pgcfg->domain_controller[i].port);
256 	}
257 	idmapdlog(LOG_DEBUG, "forest_name=%s", CHECK_NULL(pgcfg->forest_name));
258 	idmapdlog(LOG_DEBUG, "site_name=%s", CHECK_NULL(pgcfg->site_name));
259 	if (pgcfg->global_catalog == NULL ||
260 	    pgcfg->global_catalog[0].host[0] == '\0') {
261 		idmapdlog(LOG_DEBUG, "No global catalog servers known");
262 	} else {
263 		for (i = 0; pgcfg->global_catalog[i].host[0] != '\0'; i++)
264 			idmapdlog(LOG_DEBUG, "global_catalog=%s port=%d",
265 			    pgcfg->global_catalog[i].host,
266 			    pgcfg->global_catalog[i].port);
267 	}
268 	if (pgcfg->domains_in_forest == NULL ||
269 	    pgcfg->domains_in_forest[0].domain[0] == '\0') {
270 		idmapdlog(LOG_DEBUG, "No domains in forest %s known",
271 		    CHECK_NULL(pgcfg->forest_name));
272 	} else {
273 		for (i = 0; pgcfg->domains_in_forest[i].domain[0] != '\0'; i++)
274 			idmapdlog(LOG_DEBUG, "domains in forest %s = %s",
275 			    CHECK_NULL(pgcfg->forest_name),
276 			    pgcfg->domains_in_forest[i].domain);
277 	}
278 	if (pgcfg->trusted_domains == NULL ||
279 	    pgcfg->trusted_domains[0].domain[0] == '\0') {
280 		idmapdlog(LOG_DEBUG, "No trusted domains known");
281 	} else {
282 		for (i = 0; pgcfg->trusted_domains[i].domain[0] != '\0'; i++)
283 			idmapdlog(LOG_DEBUG, "trusted domain = %s",
284 			    pgcfg->trusted_domains[i].domain);
285 	}
286 
287 	for (i = 0; i < pgcfg->num_trusted_forests; i++) {
288 		tf = &pgcfg->trusted_forests[i];
289 		for (j = 0; tf->global_catalog[j].host[0] != '\0'; j++)
290 			idmapdlog(LOG_DEBUG,
291 			    "trusted forest %s global_catalog=%s port=%d",
292 			    tf->forest_name,
293 			    tf->global_catalog[j].host,
294 			    tf->global_catalog[j].port);
295 		for (j = 0; tf->domains_in_forest[j].domain[0] != '\0'; j++) {
296 			if (tf->domains_in_forest[j].trusted) {
297 				idmapdlog(LOG_DEBUG,
298 				    "trusted forest %s domain=%s",
299 				    tf->forest_name,
300 				    tf->domains_in_forest[j].domain);
301 			}
302 		}
303 	}
304 
305 	idmapdlog(LOG_DEBUG, "ds_name_mapping_enabled=%s",
306 	    (pgcfg->ds_name_mapping_enabled == TRUE) ? "true" : "false");
307 	idmapdlog(LOG_DEBUG, "ad_unixuser_attr=%s",
308 	    CHECK_NULL(pgcfg->ad_unixuser_attr));
309 	idmapdlog(LOG_DEBUG, "ad_unixgroup_attr=%s",
310 	    CHECK_NULL(pgcfg->ad_unixgroup_attr));
311 	idmapdlog(LOG_DEBUG, "nldap_winname_attr=%s",
312 	    CHECK_NULL(pgcfg->nldap_winname_attr));
313 
314 	UNLOCK_CONFIG();
315 }
316 
317 int
318 create_directory(const char *path, uid_t uid, gid_t gid)
319 {
320 	int	rc;
321 
322 	if ((rc = mkdir(path, 0700)) < 0 && errno != EEXIST) {
323 		idmapdlog(LOG_ERR, "Error creating directory %s (%s)",
324 		    path, strerror(errno));
325 		return (-1);
326 	}
327 
328 	if (lchown(path, uid, gid) < 0) {
329 		idmapdlog(LOG_ERR, "Error creating directory %s (%s)",
330 		    path, strerror(errno));
331 		if (rc == 0)
332 			(void) rmdir(path);
333 		return (-1);
334 	}
335 	return (0);
336 }
337