1c5c4113dSnw141292 /* 2c5c4113dSnw141292 * CDDL HEADER START 3c5c4113dSnw141292 * 4c5c4113dSnw141292 * The contents of this file are subject to the terms of the 5c5c4113dSnw141292 * Common Development and Distribution License (the "License"). 6c5c4113dSnw141292 * You may not use this file except in compliance with the License. 7c5c4113dSnw141292 * 8c5c4113dSnw141292 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9c5c4113dSnw141292 * or http://www.opensolaris.org/os/licensing. 10c5c4113dSnw141292 * See the License for the specific language governing permissions 11c5c4113dSnw141292 * and limitations under the License. 12c5c4113dSnw141292 * 13c5c4113dSnw141292 * When distributing Covered Code, include this CDDL HEADER in each 14c5c4113dSnw141292 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15c5c4113dSnw141292 * If applicable, add the following below this CDDL HEADER, with the 16c5c4113dSnw141292 * fields enclosed by brackets "[]" replaced with your own identifying 17c5c4113dSnw141292 * information: Portions Copyright [yyyy] [name of copyright owner] 18c5c4113dSnw141292 * 19c5c4113dSnw141292 * CDDL HEADER END 20c5c4113dSnw141292 */ 21c5c4113dSnw141292 /* 224edd44c5Sjp151216 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23c5c4113dSnw141292 * Use is subject to license terms. 24c5c4113dSnw141292 */ 25c5c4113dSnw141292 26c5c4113dSnw141292 /* 27c5c4113dSnw141292 * Initialization routines 28c5c4113dSnw141292 */ 29c5c4113dSnw141292 30c5c4113dSnw141292 #include "idmapd.h" 31c5c4113dSnw141292 #include <signal.h> 32c5c4113dSnw141292 #include <thread.h> 33c5c4113dSnw141292 #include <string.h> 34c5c4113dSnw141292 #include <errno.h> 35c5c4113dSnw141292 #include <assert.h> 36c5c4113dSnw141292 #include <unistd.h> 37c5c4113dSnw141292 #include <sys/types.h> 38c5c4113dSnw141292 #include <sys/stat.h> 398edda628Sbaban #include <rpcsvc/daemon_utils.h> 40c5c4113dSnw141292 41c5c4113dSnw141292 42c5c4113dSnw141292 int 434edd44c5Sjp151216 init_mapping_system() 444edd44c5Sjp151216 { 458edda628Sbaban int rc = 0; 468edda628Sbaban 47c5c4113dSnw141292 if (rwlock_init(&_idmapdstate.rwlk_cfg, USYNC_THREAD, NULL) != 0) 48c5c4113dSnw141292 return (-1); 49e8c27ec8Sbaban if ((rc = load_config()) < 0) 50e8c27ec8Sbaban return (rc); 518edda628Sbaban 528edda628Sbaban (void) setegid(DAEMON_GID); 538edda628Sbaban (void) seteuid(DAEMON_UID); 54c5c4113dSnw141292 if (init_dbs() < 0) { 558edda628Sbaban rc = -1; 56c5c4113dSnw141292 fini_mapping_system(); 57c5c4113dSnw141292 } 588edda628Sbaban (void) seteuid(0); 598edda628Sbaban (void) setegid(0); 608edda628Sbaban 618edda628Sbaban return (rc); 62c5c4113dSnw141292 } 63c5c4113dSnw141292 64c5c4113dSnw141292 void 654edd44c5Sjp151216 fini_mapping_system() 664edd44c5Sjp151216 { 67c5c4113dSnw141292 fini_dbs(); 68c5c4113dSnw141292 } 69c5c4113dSnw141292 70c5c4113dSnw141292 int 714edd44c5Sjp151216 load_config() 724edd44c5Sjp151216 { 73e3c2d6aaSnw141292 int rc; 74c5c4113dSnw141292 if ((_idmapdstate.cfg = idmap_cfg_init()) == NULL) { 75349d5d8fSnw141292 degrade_svc(0, "failed to initialize config"); 76c5c4113dSnw141292 return (-1); 77c5c4113dSnw141292 } 78c8e26105Sjp151216 79349d5d8fSnw141292 rc = idmap_cfg_load(_idmapdstate.cfg, 0); 80e3c2d6aaSnw141292 if (rc < -1) { 81e3c2d6aaSnw141292 /* Total failure */ 82349d5d8fSnw141292 degrade_svc(0, "fatal error while loading configuration"); 83e8c27ec8Sbaban return (rc); 84c5c4113dSnw141292 } 85c8e26105Sjp151216 86e3c2d6aaSnw141292 if (rc != 0) 87e3c2d6aaSnw141292 /* Partial failure */ 8871590c90Snw141292 idmapdlog(LOG_ERR, "Various errors occurred while loading " 8971590c90Snw141292 "the configuration; check the logs"); 90e3c2d6aaSnw141292 910dcc7149Snw141292 if ((rc = idmap_cfg_start_updates()) < 0) { 920dcc7149Snw141292 /* Total failure */ 93349d5d8fSnw141292 degrade_svc(0, "could not start config updater"); 940dcc7149Snw141292 return (rc); 950dcc7149Snw141292 } 96e3c2d6aaSnw141292 9771590c90Snw141292 idmapdlog(LOG_DEBUG, "Initial configuration loaded"); 98e3c2d6aaSnw141292 99c5c4113dSnw141292 return (0); 100c5c4113dSnw141292 } 101c5c4113dSnw141292 102c8e26105Sjp151216 103349d5d8fSnw141292 void 1044edd44c5Sjp151216 reload_ad() 1054edd44c5Sjp151216 { 106*4d61c878SJulian Pullen int i, j; 107*4d61c878SJulian Pullen adutils_ad_t **new_ads = NULL; 108*4d61c878SJulian Pullen adutils_ad_t **old_ads; 109*4d61c878SJulian Pullen int new_num_ads; 110*4d61c878SJulian Pullen int old_num_ads; 111c8e26105Sjp151216 idmap_pg_config_t *pgcfg = &_idmapdstate.cfg->pgcfg; 112*4d61c878SJulian Pullen idmap_trustedforest_t *trustfor = pgcfg->trusted_forests; 113*4d61c878SJulian Pullen int num_trustfor = pgcfg->num_trusted_forests; 114*4d61c878SJulian Pullen ad_disc_domainsinforest_t *domain_in_forest; 115c8e26105Sjp151216 116349d5d8fSnw141292 if (pgcfg->global_catalog == NULL || 117349d5d8fSnw141292 pgcfg->global_catalog[0].host[0] == '\0') { 118349d5d8fSnw141292 /* 119349d5d8fSnw141292 * No GCs. Continue to use the previous AD config in case 120349d5d8fSnw141292 * that's still good but auto-discovery had a transient failure. 121349d5d8fSnw141292 * If that stops working we'll go into degraded mode anyways 122349d5d8fSnw141292 * when it does. 123349d5d8fSnw141292 */ 124349d5d8fSnw141292 degrade_svc(0, 125349d5d8fSnw141292 "Global Catalog servers not configured/discoverable"); 126349d5d8fSnw141292 return; 127c8e26105Sjp151216 } 128c8e26105Sjp151216 129*4d61c878SJulian Pullen old_ads = _idmapdstate.ads; 130*4d61c878SJulian Pullen old_num_ads = _idmapdstate.num_ads; 131c8e26105Sjp151216 132*4d61c878SJulian Pullen new_num_ads = 1 + num_trustfor; 133*4d61c878SJulian Pullen new_ads = calloc(new_num_ads, sizeof (adutils_ad_t *)); 134*4d61c878SJulian Pullen if (new_ads == NULL) { 135*4d61c878SJulian Pullen degrade_svc(0, "could not allocate AD context array " 136*4d61c878SJulian Pullen "(out of memory)"); 137*4d61c878SJulian Pullen return; 138*4d61c878SJulian Pullen } 139*4d61c878SJulian Pullen 140*4d61c878SJulian Pullen if (adutils_ad_alloc(&new_ads[0], pgcfg->default_domain, 1412b4a7802SBaban Kenkre ADUTILS_AD_GLOBAL_CATALOG) != ADUTILS_SUCCESS) { 142*4d61c878SJulian Pullen free(new_ads); 143*4d61c878SJulian Pullen degrade_svc(0, "could not initialize AD context " 144*4d61c878SJulian Pullen "(out of memory)"); 145349d5d8fSnw141292 return; 146c8e26105Sjp151216 } 147c8e26105Sjp151216 148c8e26105Sjp151216 for (i = 0; pgcfg->global_catalog[i].host[0] != '\0'; i++) { 149*4d61c878SJulian Pullen if (idmap_add_ds(new_ads[0], 150c8e26105Sjp151216 pgcfg->global_catalog[i].host, 151c8e26105Sjp151216 pgcfg->global_catalog[i].port) != 0) { 152*4d61c878SJulian Pullen adutils_ad_free(&new_ads[0]); 153*4d61c878SJulian Pullen free(new_ads); 154*4d61c878SJulian Pullen degrade_svc(0, "could not set AD hosts " 155*4d61c878SJulian Pullen "(out of memory)"); 156349d5d8fSnw141292 return; 157c8e26105Sjp151216 } 158c8e26105Sjp151216 } 159c8e26105Sjp151216 160*4d61c878SJulian Pullen if (pgcfg->domains_in_forest != NULL) { 161*4d61c878SJulian Pullen for (i = 0; pgcfg->domains_in_forest[i].domain[0] != '\0'; 162*4d61c878SJulian Pullen i++) { 163*4d61c878SJulian Pullen if (adutils_add_domain(new_ads[0], 164*4d61c878SJulian Pullen pgcfg->domains_in_forest[i].domain, 165*4d61c878SJulian Pullen pgcfg->domains_in_forest[i].sid) != 0) { 166*4d61c878SJulian Pullen adutils_ad_free(&new_ads[0]); 167*4d61c878SJulian Pullen free(new_ads); 168*4d61c878SJulian Pullen degrade_svc(0, "could not set AD domains " 169*4d61c878SJulian Pullen "(out of memory)"); 170*4d61c878SJulian Pullen return; 171*4d61c878SJulian Pullen } 172*4d61c878SJulian Pullen } 173*4d61c878SJulian Pullen } 174c8e26105Sjp151216 175*4d61c878SJulian Pullen for (i = 0; i < num_trustfor; i++) { 176*4d61c878SJulian Pullen if (adutils_ad_alloc(&new_ads[i + 1], NULL, 177*4d61c878SJulian Pullen ADUTILS_AD_GLOBAL_CATALOG) != ADUTILS_SUCCESS) { 178*4d61c878SJulian Pullen degrade_svc(0, "could not initialize trusted AD " 179*4d61c878SJulian Pullen "context (out of memory)"); 180*4d61c878SJulian Pullen new_num_ads = i + 1; 181*4d61c878SJulian Pullen goto out; 182*4d61c878SJulian Pullen } 183*4d61c878SJulian Pullen for (j = 0; trustfor[i].global_catalog[j].host[0] != '\0'; 184*4d61c878SJulian Pullen j++) { 185*4d61c878SJulian Pullen if (idmap_add_ds(new_ads[i + 1], 186*4d61c878SJulian Pullen trustfor[i].global_catalog[j].host, 187*4d61c878SJulian Pullen trustfor[i].global_catalog[j].port) != 0) { 188*4d61c878SJulian Pullen adutils_ad_free(&new_ads[i + 1]); 189*4d61c878SJulian Pullen degrade_svc(0, "could not set trusted " 190*4d61c878SJulian Pullen "AD hosts (out of memory)"); 191*4d61c878SJulian Pullen new_num_ads = i + 1; 192*4d61c878SJulian Pullen goto out; 193*4d61c878SJulian Pullen } 194*4d61c878SJulian Pullen } 195*4d61c878SJulian Pullen for (j = 0; trustfor[i].domains_in_forest[j].domain[0] != '\0'; 196*4d61c878SJulian Pullen j++) { 197*4d61c878SJulian Pullen domain_in_forest = &trustfor[i].domains_in_forest[j]; 198*4d61c878SJulian Pullen /* Only add domains which are marked */ 199*4d61c878SJulian Pullen if (domain_in_forest->trusted) { 200*4d61c878SJulian Pullen if (adutils_add_domain(new_ads[i + 1], 201*4d61c878SJulian Pullen domain_in_forest->domain, 202*4d61c878SJulian Pullen domain_in_forest->sid) != 0) { 203*4d61c878SJulian Pullen adutils_ad_free(&new_ads[i + 1]); 204*4d61c878SJulian Pullen degrade_svc(0, "could not set trusted " 205*4d61c878SJulian Pullen "AD domains (out of memory)"); 206*4d61c878SJulian Pullen new_num_ads = i + 1; 207*4d61c878SJulian Pullen goto out; 208*4d61c878SJulian Pullen } 209*4d61c878SJulian Pullen } 210*4d61c878SJulian Pullen } 211*4d61c878SJulian Pullen } 212*4d61c878SJulian Pullen 213*4d61c878SJulian Pullen out: 214*4d61c878SJulian Pullen _idmapdstate.ads = new_ads; 215*4d61c878SJulian Pullen _idmapdstate.num_ads = new_num_ads; 216*4d61c878SJulian Pullen 217*4d61c878SJulian Pullen 218*4d61c878SJulian Pullen if (old_ads != NULL) { 219*4d61c878SJulian Pullen for (i = 0; i < old_num_ads; i++) 220*4d61c878SJulian Pullen adutils_ad_free(&old_ads[i]); 221*4d61c878SJulian Pullen free(old_ads); 222*4d61c878SJulian Pullen } 223c8e26105Sjp151216 } 224c8e26105Sjp151216 225c8e26105Sjp151216 226c5c4113dSnw141292 void 2274edd44c5Sjp151216 print_idmapdstate() 2284edd44c5Sjp151216 { 229*4d61c878SJulian Pullen int i, j; 230e8c27ec8Sbaban idmap_pg_config_t *pgcfg; 231*4d61c878SJulian Pullen idmap_trustedforest_t *tf; 232c8e26105Sjp151216 233c5c4113dSnw141292 RDLOCK_CONFIG(); 234c5c4113dSnw141292 235c8e26105Sjp151216 if (_idmapdstate.cfg == NULL) { 23671590c90Snw141292 idmapdlog(LOG_INFO, "Null configuration"); 237c8e26105Sjp151216 UNLOCK_CONFIG(); 238c8e26105Sjp151216 return; 239c5c4113dSnw141292 } 240c8e26105Sjp151216 241e8c27ec8Sbaban pgcfg = &_idmapdstate.cfg->pgcfg; 242e8c27ec8Sbaban 24371590c90Snw141292 idmapdlog(LOG_DEBUG, "list_size_limit=%llu", pgcfg->list_size_limit); 24471590c90Snw141292 idmapdlog(LOG_DEBUG, "default_domain=%s", 245c8e26105Sjp151216 CHECK_NULL(pgcfg->default_domain)); 24671590c90Snw141292 idmapdlog(LOG_DEBUG, "domain_name=%s", CHECK_NULL(pgcfg->domain_name)); 24771590c90Snw141292 idmapdlog(LOG_DEBUG, "machine_sid=%s", CHECK_NULL(pgcfg->machine_sid)); 248c8e26105Sjp151216 if (pgcfg->domain_controller == NULL || 249c8e26105Sjp151216 pgcfg->domain_controller[0].host[0] == '\0') { 25071590c90Snw141292 idmapdlog(LOG_DEBUG, "No domain controllers known"); 251c8e26105Sjp151216 } else { 252c8e26105Sjp151216 for (i = 0; pgcfg->domain_controller[i].host[0] != '\0'; i++) 25371590c90Snw141292 idmapdlog(LOG_DEBUG, "domain_controller=%s port=%d", 25471590c90Snw141292 pgcfg->domain_controller[i].host, 255c8e26105Sjp151216 pgcfg->domain_controller[i].port); 256c8e26105Sjp151216 } 25771590c90Snw141292 idmapdlog(LOG_DEBUG, "forest_name=%s", CHECK_NULL(pgcfg->forest_name)); 25871590c90Snw141292 idmapdlog(LOG_DEBUG, "site_name=%s", CHECK_NULL(pgcfg->site_name)); 259c8e26105Sjp151216 if (pgcfg->global_catalog == NULL || 260c8e26105Sjp151216 pgcfg->global_catalog[0].host[0] == '\0') { 26171590c90Snw141292 idmapdlog(LOG_DEBUG, "No global catalog servers known"); 262c8e26105Sjp151216 } else { 263c8e26105Sjp151216 for (i = 0; pgcfg->global_catalog[i].host[0] != '\0'; i++) 26471590c90Snw141292 idmapdlog(LOG_DEBUG, "global_catalog=%s port=%d", 265c8e26105Sjp151216 pgcfg->global_catalog[i].host, 266c8e26105Sjp151216 pgcfg->global_catalog[i].port); 267c8e26105Sjp151216 } 268*4d61c878SJulian Pullen if (pgcfg->domains_in_forest == NULL || 269*4d61c878SJulian Pullen pgcfg->domains_in_forest[0].domain[0] == '\0') { 270*4d61c878SJulian Pullen idmapdlog(LOG_DEBUG, "No domains in forest %s known", 271*4d61c878SJulian Pullen CHECK_NULL(pgcfg->forest_name)); 272*4d61c878SJulian Pullen } else { 273*4d61c878SJulian Pullen for (i = 0; pgcfg->domains_in_forest[i].domain[0] != '\0'; i++) 274*4d61c878SJulian Pullen idmapdlog(LOG_DEBUG, "domains in forest %s = %s", 275*4d61c878SJulian Pullen CHECK_NULL(pgcfg->forest_name), 276*4d61c878SJulian Pullen pgcfg->domains_in_forest[i].domain); 277*4d61c878SJulian Pullen } 278*4d61c878SJulian Pullen if (pgcfg->trusted_domains == NULL || 279*4d61c878SJulian Pullen pgcfg->trusted_domains[0].domain[0] == '\0') { 280*4d61c878SJulian Pullen idmapdlog(LOG_DEBUG, "No trusted domains known"); 281*4d61c878SJulian Pullen } else { 282*4d61c878SJulian Pullen for (i = 0; pgcfg->trusted_domains[i].domain[0] != '\0'; i++) 283*4d61c878SJulian Pullen idmapdlog(LOG_DEBUG, "trusted domain = %s", 284*4d61c878SJulian Pullen pgcfg->trusted_domains[i].domain); 285*4d61c878SJulian Pullen } 286*4d61c878SJulian Pullen 287*4d61c878SJulian Pullen for (i = 0; i < pgcfg->num_trusted_forests; i++) { 288*4d61c878SJulian Pullen tf = &pgcfg->trusted_forests[i]; 289*4d61c878SJulian Pullen for (j = 0; tf->global_catalog[j].host[0] != '\0'; j++) 290*4d61c878SJulian Pullen idmapdlog(LOG_DEBUG, 291*4d61c878SJulian Pullen "trusted forest %s global_catalog=%s port=%d", 292*4d61c878SJulian Pullen tf->forest_name, 293*4d61c878SJulian Pullen tf->global_catalog[j].host, 294*4d61c878SJulian Pullen tf->global_catalog[j].port); 295*4d61c878SJulian Pullen for (j = 0; tf->domains_in_forest[j].domain[0] != '\0'; j++) { 296*4d61c878SJulian Pullen if (tf->domains_in_forest[j].trusted) { 297*4d61c878SJulian Pullen idmapdlog(LOG_DEBUG, 298*4d61c878SJulian Pullen "trusted forest %s domain=%s", 299*4d61c878SJulian Pullen tf->forest_name, 300*4d61c878SJulian Pullen tf->domains_in_forest[j].domain); 301*4d61c878SJulian Pullen } 302*4d61c878SJulian Pullen } 303*4d61c878SJulian Pullen } 304*4d61c878SJulian Pullen 30571590c90Snw141292 idmapdlog(LOG_DEBUG, "ds_name_mapping_enabled=%s", 306e8c27ec8Sbaban (pgcfg->ds_name_mapping_enabled == TRUE) ? "true" : "false"); 30771590c90Snw141292 idmapdlog(LOG_DEBUG, "ad_unixuser_attr=%s", 308e8c27ec8Sbaban CHECK_NULL(pgcfg->ad_unixuser_attr)); 30971590c90Snw141292 idmapdlog(LOG_DEBUG, "ad_unixgroup_attr=%s", 310e8c27ec8Sbaban CHECK_NULL(pgcfg->ad_unixgroup_attr)); 31171590c90Snw141292 idmapdlog(LOG_DEBUG, "nldap_winname_attr=%s", 312e8c27ec8Sbaban CHECK_NULL(pgcfg->nldap_winname_attr)); 313c8e26105Sjp151216 314c5c4113dSnw141292 UNLOCK_CONFIG(); 315c5c4113dSnw141292 } 316c5c4113dSnw141292 317c5c4113dSnw141292 int 3184edd44c5Sjp151216 create_directory(const char *path, uid_t uid, gid_t gid) 3194edd44c5Sjp151216 { 320c5c4113dSnw141292 int rc; 321c5c4113dSnw141292 322c5c4113dSnw141292 if ((rc = mkdir(path, 0700)) < 0 && errno != EEXIST) { 32371590c90Snw141292 idmapdlog(LOG_ERR, "Error creating directory %s (%s)", 32471590c90Snw141292 path, strerror(errno)); 325c5c4113dSnw141292 return (-1); 326c5c4113dSnw141292 } 327c5c4113dSnw141292 328c5c4113dSnw141292 if (lchown(path, uid, gid) < 0) { 32971590c90Snw141292 idmapdlog(LOG_ERR, "Error creating directory %s (%s)", 33071590c90Snw141292 path, strerror(errno)); 331c5c4113dSnw141292 if (rc == 0) 332c5c4113dSnw141292 (void) rmdir(path); 333c5c4113dSnw141292 return (-1); 334c5c4113dSnw141292 } 335c5c4113dSnw141292 return (0); 336c5c4113dSnw141292 } 337