1/* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21/* 22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25/* 26 * Initialization routines 27 */ 28 29#include "idmapd.h" 30#include <signal.h> 31#include <thread.h> 32#include <string.h> 33#include <errno.h> 34#include <assert.h> 35#include <unistd.h> 36#include <sys/types.h> 37#include <sys/stat.h> 38#include <rpcsvc/daemon_utils.h> 39 40 41int 42init_mapping_system() 43{ 44 int rc = 0; 45 46 if (rwlock_init(&_idmapdstate.rwlk_cfg, USYNC_THREAD, NULL) != 0) 47 return (-1); 48 if ((rc = load_config()) < 0) 49 return (rc); 50 51 (void) setegid(DAEMON_GID); 52 (void) seteuid(DAEMON_UID); 53 if (init_dbs() < 0) { 54 rc = -1; 55 fini_mapping_system(); 56 } 57 (void) seteuid(0); 58 (void) setegid(0); 59 60 return (rc); 61} 62 63void 64fini_mapping_system() 65{ 66 fini_dbs(); 67} 68 69int 70load_config() 71{ 72 int rc; 73 if ((_idmapdstate.cfg = idmap_cfg_init()) == NULL) { 74 degrade_svc(0, "failed to initialize config"); 75 return (-1); 76 } 77 78 rc = idmap_cfg_upgrade(_idmapdstate.cfg); 79 if (rc != 0) { 80 degrade_svc(0, "fatal error while upgrading configuration"); 81 return (rc); 82 } 83 84 rc = idmap_cfg_load(_idmapdstate.cfg, 0); 85 if (rc < -1) { 86 /* Total failure */ 87 degrade_svc(0, "fatal error while loading configuration"); 88 return (rc); 89 } 90 91 if (rc != 0) 92 /* Partial failure */ 93 idmapdlog(LOG_ERR, "Various errors occurred while loading " 94 "the configuration; check the logs"); 95 96 if ((rc = idmap_cfg_start_updates()) < 0) { 97 /* Total failure */ 98 degrade_svc(0, "could not start config updater"); 99 return (rc); 100 } 101 102 if (DBG(CONFIG, 1)) 103 idmapdlog(LOG_DEBUG, "Initial configuration loaded"); 104 105 return (0); 106} 107 108 109void 110reload_gcs() 111{ 112 int i, j; 113 adutils_ad_t **new_gcs; 114 adutils_ad_t **old_gcs = _idmapdstate.gcs; 115 int new_num_gcs; 116 int old_num_gcs = _idmapdstate.num_gcs; 117 idmap_pg_config_t *pgcfg = &_idmapdstate.cfg->pgcfg; 118 idmap_trustedforest_t *trustfor = pgcfg->trusted_forests; 119 int num_trustfor = pgcfg->num_trusted_forests; 120 ad_disc_domainsinforest_t *domain_in_forest; 121 122 if (pgcfg->domain_name == NULL) { 123 /* No domain name specified - workgroup mode. */ 124 new_gcs = NULL; 125 new_num_gcs = 0; 126 goto out; 127 } 128 129 if (pgcfg->global_catalog == NULL || 130 pgcfg->global_catalog[0].host[0] == '\0') { 131 /* 132 * No GCs. Continue to use the previous AD config in case 133 * that's still good but auto-discovery had a transient failure. 134 * If that stops working we'll go into degraded mode anyways 135 * when it does. 136 */ 137 degrade_svc(0, 138 "Global Catalog servers not configured/discoverable"); 139 return; 140 } 141 142 new_num_gcs = 1 + num_trustfor; 143 new_gcs = calloc(new_num_gcs, sizeof (adutils_ad_t *)); 144 if (new_gcs == NULL) { 145 degrade_svc(0, "could not allocate AD context array " 146 "(out of memory)"); 147 return; 148 } 149 150 if (adutils_ad_alloc(&new_gcs[0], NULL, ADUTILS_AD_GLOBAL_CATALOG) != 151 ADUTILS_SUCCESS) { 152 free(new_gcs); 153 degrade_svc(0, "could not initialize AD context " 154 "(out of memory)"); 155 return; 156 } 157 158 for (i = 0; pgcfg->global_catalog[i].host[0] != '\0'; i++) { 159 if (idmap_add_ds(new_gcs[0], 160 pgcfg->global_catalog[i].host, 161 pgcfg->global_catalog[i].port) != 0) { 162 adutils_ad_free(&new_gcs[0]); 163 free(new_gcs); 164 degrade_svc(0, "could not set AD hosts " 165 "(out of memory)"); 166 return; 167 } 168 } 169 170 if (pgcfg->domains_in_forest != NULL) { 171 for (i = 0; pgcfg->domains_in_forest[i].domain[0] != '\0'; 172 i++) { 173 if (adutils_add_domain(new_gcs[0], 174 pgcfg->domains_in_forest[i].domain, 175 pgcfg->domains_in_forest[i].sid) != 0) { 176 adutils_ad_free(&new_gcs[0]); 177 free(new_gcs); 178 degrade_svc(0, "could not set AD domains " 179 "(out of memory)"); 180 return; 181 } 182 } 183 } 184 185 for (i = 0; i < num_trustfor; i++) { 186 if (adutils_ad_alloc(&new_gcs[i + 1], NULL, 187 ADUTILS_AD_GLOBAL_CATALOG) != ADUTILS_SUCCESS) { 188 degrade_svc(0, "could not initialize trusted AD " 189 "context (out of memory)"); 190 new_num_gcs = i + 1; 191 goto out; 192 } 193 for (j = 0; trustfor[i].global_catalog[j].host[0] != '\0'; 194 j++) { 195 if (idmap_add_ds(new_gcs[i + 1], 196 trustfor[i].global_catalog[j].host, 197 trustfor[i].global_catalog[j].port) != 0) { 198 adutils_ad_free(&new_gcs[i + 1]); 199 degrade_svc(0, "could not set trusted " 200 "AD hosts (out of memory)"); 201 new_num_gcs = i + 1; 202 goto out; 203 } 204 } 205 for (j = 0; trustfor[i].domains_in_forest[j].domain[0] != '\0'; 206 j++) { 207 domain_in_forest = &trustfor[i].domains_in_forest[j]; 208 /* Only add domains which are marked */ 209 if (domain_in_forest->trusted) { 210 if (adutils_add_domain(new_gcs[i + 1], 211 domain_in_forest->domain, 212 domain_in_forest->sid) != 0) { 213 adutils_ad_free(&new_gcs[i + 1]); 214 degrade_svc(0, "could not set trusted " 215 "AD domains (out of memory)"); 216 new_num_gcs = i + 1; 217 goto out; 218 } 219 } 220 } 221 } 222 223out: 224 _idmapdstate.gcs = new_gcs; 225 _idmapdstate.num_gcs = new_num_gcs; 226 227 if (old_gcs != NULL) { 228 for (i = 0; i < old_num_gcs; i++) 229 adutils_ad_free(&old_gcs[i]); 230 free(old_gcs); 231 } 232} 233 234/* 235 * NEEDSWORK: This should load entries for domain servers for all known 236 * domains - the joined domain, other domains in the forest, and trusted 237 * domains in other forests. However, we don't yet discover any DCs other 238 * than the DCs for the joined domain. 239 */ 240static 241void 242reload_dcs(void) 243{ 244 int i; 245 adutils_ad_t **new_dcs; 246 adutils_ad_t **old_dcs = _idmapdstate.dcs; 247 int new_num_dcs; 248 int old_num_dcs = _idmapdstate.num_dcs; 249 idmap_pg_config_t *pgcfg = &_idmapdstate.cfg->pgcfg; 250 251 if (pgcfg->domain_name == NULL) { 252 /* No domain name specified - workgroup mode. */ 253 new_dcs = NULL; 254 new_num_dcs = 0; 255 goto out; 256 } 257 258 if (pgcfg->domain_controller == NULL || 259 pgcfg->domain_controller[0].host[0] == '\0') { 260 /* 261 * No DCs. Continue to use the previous AD config in case 262 * that's still good but auto-discovery had a transient failure. 263 * If that stops working we'll go into degraded mode anyways 264 * when it does. 265 */ 266 degrade_svc(0, 267 "Domain controller servers not configured/discoverable"); 268 return; 269 } 270 271 new_num_dcs = 1; 272 new_dcs = calloc(new_num_dcs, sizeof (adutils_ad_t *)); 273 if (new_dcs == NULL) 274 goto nomem; 275 276 if (adutils_ad_alloc(&new_dcs[0], pgcfg->domain_name, 277 ADUTILS_AD_DATA) != ADUTILS_SUCCESS) 278 goto nomem; 279 280 for (i = 0; pgcfg->domain_controller[i].host[0] != '\0'; i++) { 281 if (idmap_add_ds(new_dcs[0], 282 pgcfg->domain_controller[i].host, 283 pgcfg->domain_controller[i].port) != 0) 284 goto nomem; 285 } 286 287 /* 288 * NEEDSWORK: All we need here is to add the domain and SID for 289 * this DC to the list of domains supported by this entry. Isn't 290 * there an easier way to find the SID than to walk through the list 291 * of all of the domains in the forest? 292 */ 293 ad_disc_domainsinforest_t *dif = pgcfg->domains_in_forest; 294 if (dif != NULL) { 295 for (; dif->domain[0] != '\0'; dif++) { 296 if (domain_eq(pgcfg->domain_name, dif->domain)) { 297 if (adutils_add_domain(new_dcs[0], 298 dif->domain, dif->sid) != 0) 299 goto nomem; 300 break; 301 } 302 } 303 } 304 305out: 306 _idmapdstate.dcs = new_dcs; 307 _idmapdstate.num_dcs = new_num_dcs; 308 309 if (old_dcs != NULL) { 310 for (i = 0; i < old_num_dcs; i++) 311 adutils_ad_free(&old_dcs[i]); 312 free(old_dcs); 313 } 314 315 return; 316 317nomem: 318 degrade_svc(0, "out of memory"); 319 320 if (new_dcs != NULL) { 321 if (new_dcs[0] != NULL) 322 adutils_ad_free(&new_dcs[0]); 323 free(new_dcs); 324 } 325} 326 327 328void 329reload_ad(void) 330{ 331 reload_gcs(); 332 reload_dcs(); 333} 334 335void 336print_idmapdstate(void) 337{ 338 int i, j; 339 idmap_pg_config_t *pgcfg; 340 idmap_trustedforest_t *tf; 341 342 RDLOCK_CONFIG(); 343 344 if (_idmapdstate.cfg == NULL) { 345 idmapdlog(LOG_INFO, "Null configuration"); 346 UNLOCK_CONFIG(); 347 return; 348 } 349 350 pgcfg = &_idmapdstate.cfg->pgcfg; 351 352 idmapdlog(LOG_DEBUG, "list_size_limit=%llu", pgcfg->list_size_limit); 353 idmapdlog(LOG_DEBUG, "default_domain=%s", 354 CHECK_NULL(pgcfg->default_domain)); 355 idmapdlog(LOG_DEBUG, "domain_name=%s", CHECK_NULL(pgcfg->domain_name)); 356 idmapdlog(LOG_DEBUG, "machine_sid=%s", CHECK_NULL(pgcfg->machine_sid)); 357 if (pgcfg->domain_controller == NULL || 358 pgcfg->domain_controller[0].host[0] == '\0') { 359 idmapdlog(LOG_DEBUG, "No domain controllers known"); 360 } else { 361 for (i = 0; pgcfg->domain_controller[i].host[0] != '\0'; i++) 362 idmapdlog(LOG_DEBUG, "domain_controller=%s port=%d", 363 pgcfg->domain_controller[i].host, 364 pgcfg->domain_controller[i].port); 365 } 366 idmapdlog(LOG_DEBUG, "forest_name=%s", CHECK_NULL(pgcfg->forest_name)); 367 idmapdlog(LOG_DEBUG, "site_name=%s", CHECK_NULL(pgcfg->site_name)); 368 if (pgcfg->global_catalog == NULL || 369 pgcfg->global_catalog[0].host[0] == '\0') { 370 idmapdlog(LOG_DEBUG, "No global catalog servers known"); 371 } else { 372 for (i = 0; pgcfg->global_catalog[i].host[0] != '\0'; i++) 373 idmapdlog(LOG_DEBUG, "global_catalog=%s port=%d", 374 pgcfg->global_catalog[i].host, 375 pgcfg->global_catalog[i].port); 376 } 377 if (pgcfg->domains_in_forest == NULL || 378 pgcfg->domains_in_forest[0].domain[0] == '\0') { 379 idmapdlog(LOG_DEBUG, "No domains in forest %s known", 380 CHECK_NULL(pgcfg->forest_name)); 381 } else { 382 for (i = 0; pgcfg->domains_in_forest[i].domain[0] != '\0'; i++) 383 idmapdlog(LOG_DEBUG, "domains in forest %s = %s", 384 CHECK_NULL(pgcfg->forest_name), 385 pgcfg->domains_in_forest[i].domain); 386 } 387 if (pgcfg->trusted_domains == NULL || 388 pgcfg->trusted_domains[0].domain[0] == '\0') { 389 idmapdlog(LOG_DEBUG, "No trusted domains known"); 390 } else { 391 for (i = 0; pgcfg->trusted_domains[i].domain[0] != '\0'; i++) 392 idmapdlog(LOG_DEBUG, "trusted domain = %s", 393 pgcfg->trusted_domains[i].domain); 394 } 395 396 for (i = 0; i < pgcfg->num_trusted_forests; i++) { 397 tf = &pgcfg->trusted_forests[i]; 398 for (j = 0; tf->global_catalog[j].host[0] != '\0'; j++) 399 idmapdlog(LOG_DEBUG, 400 "trusted forest %s global_catalog=%s port=%d", 401 tf->forest_name, 402 tf->global_catalog[j].host, 403 tf->global_catalog[j].port); 404 for (j = 0; tf->domains_in_forest[j].domain[0] != '\0'; j++) { 405 if (tf->domains_in_forest[j].trusted) { 406 idmapdlog(LOG_DEBUG, 407 "trusted forest %s domain=%s", 408 tf->forest_name, 409 tf->domains_in_forest[j].domain); 410 } 411 } 412 } 413 414 idmapdlog(LOG_DEBUG, "directory_based_mapping=%s", 415 enum_lookup(pgcfg->directory_based_mapping, directory_mapping_map)); 416 idmapdlog(LOG_DEBUG, "ad_unixuser_attr=%s", 417 CHECK_NULL(pgcfg->ad_unixuser_attr)); 418 idmapdlog(LOG_DEBUG, "ad_unixgroup_attr=%s", 419 CHECK_NULL(pgcfg->ad_unixgroup_attr)); 420 idmapdlog(LOG_DEBUG, "nldap_winname_attr=%s", 421 CHECK_NULL(pgcfg->nldap_winname_attr)); 422 423 UNLOCK_CONFIG(); 424} 425 426int 427create_directory(const char *path, uid_t uid, gid_t gid) 428{ 429 int rc; 430 431 if ((rc = mkdir(path, 0700)) < 0 && errno != EEXIST) { 432 idmapdlog(LOG_ERR, "Error creating directory %s (%s)", 433 path, strerror(errno)); 434 return (-1); 435 } 436 437 if (lchown(path, uid, gid) < 0) { 438 idmapdlog(LOG_ERR, "Error creating directory %s (%s)", 439 path, strerror(errno)); 440 if (rc == 0) 441 (void) rmdir(path); 442 return (-1); 443 } 444 return (0); 445} 446