

KCM: Handle its own configuration
KCM now uses the /var/lib/sss/db/config_kcm.ldb database to store its
configuration. config.ldb is no longer used by KCM.

The configuration text file remains the same.

Resolves: SSSD#6926
aplopez committed Sep 27, 2023
1 parent a2e0fad commit 2d4f5f3
Showing 6 changed files with 88 additions and 10 deletions.
1 change: 1 addition & 0 deletions Makefile.am
Expand Up @@ -1793,6 +1793,7 @@ sssd_kcm_SOURCES = \
src/util/sss_sockets.c \
src/util/sss_krb5.c \
src/util/sss_iobuf.c \
src/confdb/confdb_setup.c \
$(SSSD_RESPONDER_OBJ) \
$(NULL)
sssd_kcm_CFLAGS = \
1 change: 1 addition & 0 deletions src/confdb/confdb.h
Expand Up @@ -40,6 +40,7 @@

#define CONFDB_DEFAULT_CFG_FILE_VER 2
#define CONFDB_FILE "config.ldb"
#define CONFDB_KCM_FILE "config_kcm.ldb"
#define SSSD_CONFIG_FILE_NAME "sssd.conf"
#define SSSD_CONFIG_FILE SSSD_CONF_DIR"/"SSSD_CONFIG_FILE_NAME
#define CONFDB_DEFAULT_CONFIG_DIR_NAME "conf.d"
87 changes: 86 additions & 1 deletion src/responder/kcm/kcm.c
Expand Up @@ -23,6 +23,7 @@

#include <popt.h>

#include "confdb/confdb_setup.h"
#include "responder/kcm/kcmsrv_ccache.h"
#include "responder/kcm/kcmsrv_pvt.h"
#include "responder/kcm/kcm_renew.h"
Expand All @@ -38,6 +39,11 @@
#define SSS_KCM_SOCKET_NAME DEFAULT_KCM_SOCKET_PATH
#endif

#define CONF_FILE_PERM_ERROR_MSG "Cannot read config file %s. Please check "\
"that the file is accessible only by the "\
"owner and owned by root.root.\n"


static int kcm_responder_ctx_destructor(void *ptr)
{
struct resp_ctx *rctx = talloc_get_type(ptr, struct resp_ctx);
Expand Down Expand Up @@ -311,21 +317,63 @@ static int kcm_process_init(TALLOC_CTX *mem_ctx,
return ret;
}

static errno_t load_configuration(const char *config_file,
const char *config_dir,
const char *only_section)
{
errno_t ret;
TALLOC_CTX *tmp_ctx;
struct confdb_ctx *cdb;
char *cdb_file;

tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to allocate the initial context\n");
return ENOMEM;
}

cdb_file = talloc_asprintf(tmp_ctx, "%s/%s", DB_PATH, CONFDB_KCM_FILE);
if (cdb_file == NULL) {
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to allocate memory for the filename\n");
ret = ENOMEM;
goto done;
}

ret = confdb_setup(tmp_ctx, cdb_file, config_file, config_dir, only_section,
&cdb);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "Unable to setup ConfDB [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}

ret = EOK;

done:
talloc_free(tmp_ctx);
return ret;
}

int main(int argc, const char *argv[])
{
TALLOC_CTX *tmp_ctx;
int opt;
poptContext pc;
char *opt_logger = NULL;
char *opt_config_file = NULL;
const char *config_file = NULL;
struct main_context *main_ctx;
int ret;
uid_t uid = 0;
gid_t gid = 0;
int flags = 0;

struct poptOption long_options[] = {
POPT_AUTOHELP
SSSD_MAIN_OPTS
SSSD_LOGGER_OPTS
SSSD_SERVER_OPTS(uid, gid)
SSSD_CONFIG_OPTS(opt_config_file)
POPT_TABLEEND
};

Expand All @@ -347,14 +395,49 @@ int main(int argc, const char *argv[])

poptFreeContext(pc);

tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) {
return 3;
}

/* set up things like debug, signals, daemonization, etc. */
debug_log_file = "sssd_kcm";
DEBUG_INIT(debug_level, opt_logger);

ret = server_setup("kcm", true, 0, uid, gid, CONFDB_FILE,
if (opt_config_file == NULL) {
config_file = SSSD_CONFIG_FILE;
} else {
config_file = opt_config_file;
}

/* Parse config file, fail if cannot be done */
ret = load_configuration(config_file, CONFDB_DEFAULT_CONFIG_DIR, "kcm");
if (ret != EOK) {
switch (ret) {
case EPERM:
case EACCES:
DEBUG(SSSDBG_FATAL_FAILURE,
CONF_FILE_PERM_ERROR_MSG, config_file);
sss_log(SSS_LOG_CRIT, CONF_FILE_PERM_ERROR_MSG, config_file);
break;
default:
DEBUG(SSSDBG_FATAL_FAILURE,
"KCM couldn't load the configuration database [%d]: %s\n",
ret, sss_strerror(ret));
sss_log(SSS_LOG_CRIT,
"KCM couldn't load the configuration database [%d]: %s\n",
ret, sss_strerror(ret));
break;
}
return 4;
}

ret = server_setup("kcm", true, flags, uid, gid, CONFDB_KCM_FILE,
CONFDB_KCM_CONF_ENTRY, &main_ctx, true);
if (ret != EOK) return 2;

DEBUG(SSSDBG_TRACE_FUNC, "CONFIG: %s\n", config_file);

ret = die_if_parent_died();
if (ret != EOK) {
/* This is not fatal, don't return */
Expand All @@ -370,5 +453,7 @@ int main(int argc, const char *argv[])
/* loop on main */
server_loop(main_ctx);

free(opt_config_file);

return 0;
}
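Review bot: `tmp_ctx` is allocated and NULL-checked at the top of the second main() hunk, but on the visible new side it is never used and never freed before the `return 4`, the `return 2` after server_setup, or the final `return 0`; unless the lines elided between the hunks use it, drop the allocation or add `talloc_free(tmp_ctx);` on each exit path. In load_configuration the `cdb` handle filled by confdb_setup is released together with tmp_ctx without ever being read, which looks deliberate since server_setup is later passed CONFDB_KCM_FILE and opens the database itself; a comment such as `/* The confdb_ctx is discarded on purpose: this call only (re)generates config_kcm.ldb from the text config, server_setup() reopens it. */` above the confdb_setup call would stop the next reader from treating it as a leak. The `return 4` and `return 2` paths also skip the `free(opt_config_file)` that the success path performs, so the command-line string leaks on error exits. main() continues between and outside the visible hunks, so the unused-context point is hedged on what those hidden lines do.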
5 changes: 0 additions & 5 deletions src/sysv/gentoo/sssd-kcm.in
Expand Up @@ -8,11 +8,6 @@ command_background="true"
command_args="--uid=0 --gid=0 --logger=files ${SSSD_KCM_OPTIONS}"
pidfile="@pidpath@/sssd_kcm.pid"

start_pre()
{
"@sbindir@/sssd" --genconf-section=kcm || return $?
}

depend()
{
need localmount clock
1 change: 0 additions & 1 deletion src/sysv/systemd/sssd-kcm.service.in
Expand Up @@ -9,7 +9,6 @@ Also=sssd-kcm.socket

[Service]
Environment=DEBUG_LOGGER=--logger=files
ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
# Currently SSSD KCM server ('sssd_kcm') always runs under 'root'
# ('User=' and 'Group=' defaults to 'root' for system services)
3 changes: 0 additions & 3 deletions src/tests/intg/test_kcm.py
Expand Up @@ -79,9 +79,6 @@ def create_conf_fixture(request, contents):


def create_sssd_kcm_fixture(sock_path, krb5_conf_path, request):
if subprocess.call(['sssd', "--genconf"]) != 0:
raise Exception("failed to regenerate confdb")

resp_path = os.path.join(config.LIBEXEC_PATH, "sssd", "sssd_kcm")
if not os.access(resp_path, os.X_OK):
# It would be cleaner to use pytest.mark.skipif on the package level
