From 7b3995dc8af40a9d5f2fbeccaa1ff78e5e194879 Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Tue, 26 Mar 2013 14:00:23 +0100
Subject: [PATCH] Support realm login policy

* Add a new login policy which respects domain policy for logins allowed on the machine, ie: HBAC.
* Default to domain login policy after joining the domain.
* 'realm permit -a' follows domain login policy

https://bugs.freedesktop.org/show_bug.cgi?id=60628
---
dbus/org.freedesktop.realmd.xml | 4 ++++
dbus/realm-dbus-constants.h | 1 +
doc/manual/realm.xml | 5 +++--
service/realm-kerberos.c | 5 +++++
service/realm-kerberos.h | 5 +++--
service/realm-samba.c | 3 +++
service/realm-sssd-ad.c | 10 +++++++---
service/realm-sssd-ipa.c | 6 +++++-
service/realm-sssd.c | 7 +++++++
service/realm-sssd.h | 15 ++++++++++++---
tools/realm-logins.c | 2 +-
11 files changed, 51 insertions(+), 12 deletions(-)

diff --git a/dbus/org.freedesktop.realmd.xml b/dbus/org.freedesktop.realmd.xml
index 71db54c..b97b3a3 100644
--- a/dbus/org.freedesktop.realmd.xml
+++ b/dbus/org.freedesktop.realmd.xml
@@ -384,6 +384,10 @@ allow-any-login: allow login by any authenticated user present in this realm.
+ allow-realm-logins: allow logins according to the realm or domain policy for logins on this machine. This usually defaults to allowing any realm user to log in. allow-permitted-logins: only allow the logins permitted in the #org.freedesktop.realmd.Realm:PermittedLogins
diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
index 727f88f..c2797f6 100644
--- a/dbus/realm-dbus-constants.h
+++ b/dbus/realm-dbus-constants.h
@@ -53,6 +53,7 @@ G_BEGIN_DECLS
#define REALM_DBUS_NAME_CHARS "abcdefghijklnmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
#define REALM_DBUS_LOGIN_POLICY_ANY "allow-any-login"
+#define REALM_DBUS_LOGIN_POLICY_REALM "allow-realm-logins"
#define REALM_DBUS_LOGIN_POLICY_PERMITTED "allow-permitted-logins"
#define REALM_DBUS_LOGIN_POLICY_DENY "deny-any-login"
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index f93374e..c5e0c9c 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -319,8 +319,9 @@ $ realm permit DOMAIN\User
- Permit login by any valid user of the
- realm.
+ Permit login according to the realm or
+ domain policy for logins on this machine. This usually
+ defaults to allowing any realm user to log in.
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index 689b899..f38cc59 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -640,6 +640,9 @@ handle_change_login_policy (RealmDbusRealm *realm,
if (g_str_equal (policies[i], REALM_DBUS_LOGIN_POLICY_ANY)) {
policy = REALM_KERBEROS_ALLOW_ANY_LOGIN;
policies_set++;
+ } else if (g_str_equal (policies[i], REALM_DBUS_LOGIN_POLICY_REALM)) {
+ policy = REALM_KERBEROS_ALLOW_REALM_LOGINS;
+ policies_set++;
} else if (g_str_equal (policies[i], REALM_DBUS_LOGIN_POLICY_PERMITTED)) {
policy = REALM_KERBEROS_ALLOW_PERMITTED_LOGINS;
policies_set++;
@@ -1221,6 +1224,8 @@ realm_kerberos_login_policy_to_string (RealmKerberosLoginPolicy value)
switch (value) {
case REALM_KERBEROS_ALLOW_ANY_LOGIN:
return REALM_DBUS_LOGIN_POLICY_ANY;
+ case REALM_KERBEROS_ALLOW_REALM_LOGINS:
+ return REALM_DBUS_LOGIN_POLICY_REALM;
case REALM_KERBEROS_ALLOW_PERMITTED_LOGINS:
return REALM_DBUS_LOGIN_POLICY_PERMITTED;
case REALM_KERBEROS_DENY_ANY_LOGIN:
diff --git a/service/realm-kerberos.h b/service/realm-kerberos.h
index 7f6da55..10cce4d 100644
--- a/service/realm-kerberos.h
+++ b/service/realm-kerberos.h
@@ -28,8 +28,9 @@ G_BEGIN_DECLS
typedef enum {
REALM_KERBEROS_POLICY_NOT_SET = 0,
REALM_KERBEROS_ALLOW_ANY_LOGIN = 1,
- REALM_KERBEROS_ALLOW_PERMITTED_LOGINS = 2,
- REALM_KERBEROS_DENY_ANY_LOGIN = 3,
+ REALM_KERBEROS_ALLOW_REALM_LOGINS,
+ REALM_KERBEROS_ALLOW_PERMITTED_LOGINS,
+ REALM_KERBEROS_DENY_ANY_LOGIN,
} RealmKerberosLoginPolicy;
#define REALM_TYPE_KERBEROS (realm_kerberos_get_type ())
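Review bot: In the realm-kerberos.h hunk the explicit `= 2` and `= 3` on REALM_KERBEROS_ALLOW_PERMITTED_LOGINS and REALM_KERBEROS_DENY_ANY_LOGIN are dropped, so the inserted REALM_KERBEROS_ALLOW_REALM_LOGINS takes the value PERMITTED_LOGINS used to have and the two entries below it shift by one. That is harmless as long as the enum never leaves the process as an integer (the D-Bus side uses the string constants), which this patch alone cannot confirm. Keeping the numbering explicit, `REALM_KERBEROS_ALLOW_REALM_LOGINS = 2,` / `REALM_KERBEROS_ALLOW_PERMITTED_LOGINS = 3,` / `REALM_KERBEROS_DENY_ANY_LOGIN = 4,`, matches the two entries above it and turns any future renumbering into a visible diff rather than a silent shift.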
diff --git a/service/realm-samba.c b/service/realm-samba.c
index 4ed36e0..643c909 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -554,6 +554,9 @@ realm_samba_logins_async (RealmKerberos *realm,
async = g_simple_async_result_new (G_OBJECT (realm), callback, user_data,
realm_samba_logins_async);
+ if (login_policy == REALM_KERBEROS_ALLOW_REALM_LOGINS)
+ login_policy = REALM_KERBEROS_ALLOW_ANY_LOGIN;
+
/* Sadly we don't support this option */
if (login_policy != REALM_KERBEROS_ALLOW_ANY_LOGIN &&
login_policy != REALM_KERBEROS_POLICY_NOT_SET) {
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index ac93fc1..b4534a0 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -112,7 +112,7 @@ realm_sssd_ad_constructed (GObject *obj)
realm_kerberos_set_supported_leave_creds (kerberos, supported);
realm_kerberos_set_suggested_admin (kerberos, "Administrator");
- realm_kerberos_set_login_policy (kerberos, REALM_KERBEROS_ALLOW_ANY_LOGIN);
+ realm_kerberos_set_login_policy (kerberos, REALM_KERBEROS_ALLOW_REALM_LOGINS);
realm_kerberos_set_required_package_sets (kerberos, ALL_PACKAGES);
}
@@ -229,8 +229,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
"id_provider", "ad",
"auth_provider", "ad",
- "access_provider", "simple",
- "simple_allow_users", ",",
+ "access_provider", "ad",
"chpass_provider", "ad",
"ad_domain", domain,
@@ -711,7 +710,12 @@ void
realm_sssd_ad_class_init (RealmSssdAdClass *klass)
{
GObjectClass *object_class = G_OBJECT_CLASS (klass);
+ RealmSssdClass *sssd_class = REALM_SSSD_CLASS (klass);
+
object_class->constructed = realm_sssd_ad_constructed;
+
+ /* The provider in sssd.conf relevant to this realm type */
+ sssd_class->sssd_conf_provider_name = "ad";
}
static void
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
index 17329a9..86149bd 100644
--- a/service/realm-sssd-ipa.c
+++ b/service/realm-sssd-ipa.c
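Review bot: The new conversion at the top of realm_samba_logins_async turns REALM_KERBEROS_ALLOW_REALM_LOGINS into REALM_KERBEROS_ALLOW_ANY_LOGIN without saying why, and the existing `/* Sadly we don't support this option */` comment directly below now reads as if it also covered the new lines. Since `realm permit -a` sends allow-realm-logins after this patch (tools/realm-logins.c hunk), this backend silently widens that request to any-login instead of reporting it as unsupported the way PERMITTED and DENY are; if that is the intended behaviour it deserves a comment such as `/* No realm-side login policy for this backend: realm logins means any login here */`. The rest of realm_samba_logins_async lies outside the hunk.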
@@ -106,7 +106,12 @@ void
realm_sssd_ipa_class_init (RealmSssdIpaClass *klass)
{
GObjectClass *object_class = G_OBJECT_CLASS (klass);
+ RealmSssdClass *sssd_class = REALM_SSSD_CLASS (klass);
+
object_class->constructed = realm_sssd_ipa_constructed;
+
+ /* The provider in sssd.conf relevant to this realm type */
+ sssd_class->sssd_conf_provider_name = "ipa";
}
typedef struct {
@@ -211,7 +216,6 @@ on_ipa_client_do_restart (GObject *source,
"full_name_format", "%1$s@%2$s",
"cache_credentials", "True",
"use_fully_qualified_names", "True",
- "simple_allow_users", ",",
"krb5_store_password_if_offline", "True",
"fallback_homedir", home,
NULL);
diff --git a/service/realm-sssd.c b/service/realm-sssd.c
index d528d72..a91dc79 100644
--- a/service/realm-sssd.c
+++ b/service/realm-sssd.c
@@ -122,6 +122,7 @@ realm_sssd_logins_async (RealmKerberos *realm,
GAsyncReadyCallback callback,
gpointer user_data)
{
+ RealmSssdClass *sssd_class = REALM_SSSD_GET_CLASS (realm);
RealmSssd *self = REALM_SSSD (realm);
GSimpleAsyncResult *async;
gchar **remove_names = NULL;
@@ -149,6 +150,9 @@ realm_sssd_logins_async (RealmKerberos *realm,
case REALM_KERBEROS_ALLOW_ANY_LOGIN:
access_provider = "permit";
break;
+ case REALM_KERBEROS_ALLOW_REALM_LOGINS:
+ access_provider = sssd_class->sssd_conf_provider_name;
+ break;
case REALM_KERBEROS_ALLOW_PERMITTED_LOGINS:
access_provider = "simple";
break;
@@ -301,6 +305,7 @@ update_login_formats (RealmSssd *self)
static void
update_login_policy (RealmSssd *self)
{
+ RealmSssdClass *sssd_class = REALM_SSSD_GET_CLASS (self);
RealmKerberosLoginPolicy policy = REALM_KERBEROS_POLICY_NOT_SET;
RealmKerberos *kerberos = REALM_KERBEROS (self);
GPtrArray *permitted;
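Review bot: `access_provider = sssd_class->sssd_conf_provider_name;` in the REALM_KERBEROS_ALLOW_REALM_LOGINS case of realm_sssd_logins_async is used unchecked, so a RealmSssd subclass that never sets the new class field hands a NULL on to whatever later writes access_provider into sssd.conf (outside the hunk); what that code does with NULL is not visible here, but the failure mode to rule out is the key being dropped and SSSD falling back to its permissive default. The same field feeds `g_strcmp0 (access, sssd_class->sssd_conf_provider_name) == 0` in the update_login_policy hunk (@@ -321 in the same file), and g_strcmp0 treats two NULLs as equal, so an unset field combined with a missing access_provider would be reported as REALM_LOGINS. I would add `g_assert (access_provider != NULL);` after the assignment here (or whatever the file uses for class invariants) and prefix the comparison there with `sssd_class->sssd_conf_provider_name != NULL &&`. Both functions start outside their hunks.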
@@ -321,6 +326,8 @@ update_login_policy (RealmSssd *self)
g_strfreev (values);
g_free (access);
policy = REALM_KERBEROS_ALLOW_PERMITTED_LOGINS;
+ } else if (g_strcmp0 (access, sssd_class->sssd_conf_provider_name) == 0) {
+ policy = REALM_KERBEROS_ALLOW_REALM_LOGINS;
} else if (g_strcmp0 (access, "permit") == 0) {
policy = REALM_KERBEROS_ALLOW_ANY_LOGIN;
} else if (g_strcmp0 (access, "deny") == 0) {
diff --git a/service/realm-sssd.h b/service/realm-sssd.h
index a488f76..84268e2 100644
--- a/service/realm-sssd.h
+++ b/service/realm-sssd.h
@@ -24,9 +24,12 @@ G_BEGIN_DECLS
-#define REALM_TYPE_SSSD (realm_sssd_get_type ())
-#define REALM_SSSD(inst) (G_TYPE_CHECK_INSTANCE_CAST ((inst), REALM_TYPE_SSSD, RealmSssd))
-#define REALM_IS_SSSD(inst) (G_TYPE_CHECK_INSTANCE_TYPE ((inst), REALM_TYPE_SSSD))
+#define REALM_TYPE_SSSD (realm_sssd_get_type ())
+#define REALM_SSSD(inst) (G_TYPE_CHECK_INSTANCE_CAST ((inst), REALM_TYPE_SSSD, RealmSssd))
+#define REALM_IS_SSSD(inst) (G_TYPE_CHECK_INSTANCE_TYPE ((inst), REALM_TYPE_SSSD))
+#define REALM_SSSD_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), REALM_TYPE_SSSD, RealmSssdClass))
+#define REALM_IS_SSSD_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass), REALM_TYPE_SSSD))
+#define REALM_SSSD_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), REALM_TYPE_SSSD, RealmSssdClass))
typedef struct _RealmSssd RealmSssd;
typedef struct _RealmSssdClass RealmSssdClass;
@@ -39,6 +42,12 @@ struct _RealmSssd {
struct _RealmSssdClass {
RealmKerberosClass parent_class;
+
+ /*
+ * This is set by derived classes and is a value for the sssd.conf
+ * provider relevant to this realm, surch as "ipa" or "ad"
+ */
+ const char *sssd_conf_provider_name;
};
typedef struct _RealmSssd RealmSssd;
diff --git a/tools/realm-logins.c b/tools/realm-logins.c
index 935f44b..bea26ed 100644
--- a/tools/realm-logins.c
+++ b/tools/realm-logins.c
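Review bot: The comment added to struct _RealmSssdClass in the realm-sssd.h hunk has a typo, `surch as "ipa" or "ad"` should read `such as "ipa" or "ad"`. It would also help to state the contract for the field, since nothing in this patch initializes it in the base class: e.g. `/* Must be set by every derived class: the sssd.conf access_provider value written for REALM_KERBEROS_ALLOW_REALM_LOGINS. */`. The macro hunk above it is only re-alignment plus the three new class macros.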
@@ -154,7 +154,7 @@ perform_permit_or_deny_all (RealmClient *client,
options = realm_build_options (NULL, NULL);
g_variant_ref_sink (options);
- policy = permit ? REALM_DBUS_LOGIN_POLICY_ANY : REALM_DBUS_LOGIN_POLICY_DENY;
+ policy = permit ? REALM_DBUS_LOGIN_POLICY_REALM : REALM_DBUS_LOGIN_POLICY_DENY;
realm_dbus_realm_call_change_login_policy (realm, policy,
(const gchar * const *)logins,
(const gchar * const *)logins,

-- 
1.8.1.4
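Review bot: `policy = permit ? REALM_DBUS_LOGIN_POLICY_REALM : REALM_DBUS_LOGIN_POLICY_DENY;` makes `realm permit -a` request allow-realm-logins unconditionally, so a tool built from this tree talking to an older realmd service that only knows allow-any-login will presumably have ChangeLoginPolicy rejected instead of getting the previous behaviour. If mixed tool/service versions are a supported setup, the tool could fall back to REALM_DBUS_LOGIN_POLICY_ANY when the service rejects the policy, or the manual text in this patch could note that `permit -a` now needs a matching service. perform_permit_or_deny_all continues outside the hunk.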