pam: add pam_sss_gss module for gssapi authentication

Makefile.am

@@ -1585,12 +1585,14 @@ sssd_pam_SOURCES = \
     src/responder/pam/pamsrv_cmd.c \
     src/responder/pam/pamsrv_p11.c \
     src/responder/pam/pamsrv_dp.c \
+    src/responder/pam/pamsrv_gssapi.c \
     src/responder/pam/pam_prompting_config.c \
     src/sss_client/pam_sss_prompt_config.c \
     src/responder/pam/pam_helpers.c \
     $(SSSD_RESPONDER_OBJ)
 sssd_pam_CFLAGS = \
     $(AM_CFLAGS) \
+    $(GSSAPI_KRB5_CFLAGS) \
     $(NULL)
 sssd_pam_LDADD = \
     $(LIBADD_DL) \
@@ -1599,6 +1601,7 @@ sssd_pam_LDADD = \
     $(SELINUX_LIBS) \
     $(PAM_LIBS) \
     $(SYSTEMD_DAEMON_LIBS) \
+    $(GSSAPI_KRB5_LIBS) \
     libsss_certmap.la \
     $(SSSD_INTERNAL_LTLIBS) \
     libsss_iface.la \
@@ -2710,6 +2713,7 @@ pam_srv_tests_SOURCES = \
     src/sss_client/pam_message.c \
     src/responder/pam/pamsrv_cmd.c \
     src/responder/pam/pamsrv_p11.c \
+    src/responder/pam/pamsrv_gssapi.c \
     src/responder/pam/pam_helpers.c \
     src/responder/pam/pamsrv_dp.c \
     src/responder/pam/pam_LOCAL_domain.c \
@@ -2721,6 +2725,7 @@ pam_srv_tests_CFLAGS = \
     -I$(abs_builddir)/src \
     $(AM_CFLAGS) \
     $(CMOCKA_CFLAGS) \
+    $(GSSAPI_KRB5_CFLAGS) \
     $(NULL)
 pam_srv_tests_LDFLAGS = \
     -Wl,-wrap,sss_packet_get_body \
@@ -2736,6 +2741,7 @@ pam_srv_tests_LDADD = \
     $(SSSD_LIBS) \
     $(SSSD_INTERNAL_LTLIBS) \
     $(SYSTEMD_DAEMON_LIBS) \
+    $(GSSAPI_KRB5_LIBS) \
     libsss_test_common.la \
     libsss_idmap.la \
     libsss_certmap.la \
@@ -4149,6 +4155,28 @@ pam_sss_la_LDFLAGS = \
     -avoid-version \
     -Wl,--version-script,$(srcdir)/src/sss_client/sss_pam.exports
 
+pamlib_LTLIBRARIES += pam_sss_gss.la
+pam_sss_gss_la_SOURCES = \
+    src/sss_client/pam_sss_gss.c \
+    src/sss_client/common.c \
+    $(NULL)
+
+pam_sss_gss_la_CFLAGS = \
+    $(AM_CFLAGS) \
+    $(GSSAPI_KRB5_CFLAGS) \
+    $(NULL)
+
+pam_sss_gss_la_LIBADD = \
+    $(CLIENT_LIBS) \
+    $(PAM_LIBS) \
+    $(GSSAPI_KRB5_LIBS) \
+    $(NULL)
+
+pam_sss_gss_la_LDFLAGS = \
+    -module \
+    -avoid-version \
+    -Wl,--version-script,$(srcdir)/src/sss_client/pam_sss_gss.exports
+
 if BUILD_SUDO
 
 libsss_sudo_la_SOURCES = \
@@ -4187,7 +4215,10 @@ endif
 
 dist_noinst_DATA += \
     src/sss_client/sss_nss.exports \
-    src/sss_client/sss_pam.exports
+    src/sss_client/sss_pam.exports \
+    src/sss_client/pam_sss_gss.exports \
+    $(NULL)
+
 if BUILD_SUDO
 dist_noinst_DATA += src/sss_client/sss_sudo.exports
 endif

configure.ac

@@ -182,6 +182,7 @@ m4_include([src/external/libldb.m4])
 m4_include([src/external/libdhash.m4])
 m4_include([src/external/libcollection.m4])
 m4_include([src/external/libini_config.m4])
+m4_include([src/external/libgssapi_krb5.m4])
 m4_include([src/external/pam.m4])
 m4_include([src/external/ldap.m4])
 m4_include([src/external/libpcre.m4])

contrib/sssd.spec.in

@@ -1166,6 +1166,7 @@ done
 %license src/sss_client/COPYING src/sss_client/COPYING.LESSER
 /%{_lib}/libnss_sss.so.2
 /%{_lib}/security/pam_sss.so
+/%{_lib}/security/pam_sss_gss.so
 %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
 %{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
 %if (0%{?with_cifs_utils_plugin} == 1)
@@ -1178,6 +1179,7 @@ done
 %dir %{_libdir}/%{name}/modules
 %{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
 %{_mandir}/man8/pam_sss.8*
+%{_mandir}/man8/pam_sss_gss.8*
 %{_mandir}/man8/sssd_krb5_locator_plugin.8*
 
 %files -n libsss_sudo

src/confdb/confdb.c

@@ -871,6 +871,35 @@ static int confdb_get_domain_section(TALLOC_CTX *mem_ctx,
     return ret;
 }
 
+static char *confdb_get_domain_hostname(TALLOC_CTX *mem_ctx,
+                                        struct ldb_result *res,
+                                        const char *provider)
+{
+    char sys[HOST_NAME_MAX + 1] = {'\0'};
+    const char *opt = NULL;
+    int ret;
+
+    if (strcasecmp(provider, "ad") == 0) {
+        opt = ldb_msg_find_attr_as_string(res->msgs[0], "ad_hostname", NULL);
+    } else if (strcasecmp(provider, "ipa") == 0) {
+        opt = ldb_msg_find_attr_as_string(res->msgs[0], "ipa_hostname", NULL);
+    }
+
+    if (opt != NULL) {
+        return talloc_strdup(mem_ctx, opt);
+    }
+
+    ret = gethostname(sys, sizeof(sys));
+    if (ret != 0) {
+        ret = errno;
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get hostname [%d]: %s\n", ret,
+              sss_strerror(ret));
+        return NULL;
+    }
+
+    return talloc_strdup(mem_ctx, sys);
+}
+
 static int confdb_get_domain_internal(struct confdb_ctx *cdb,
                                       TALLOC_CTX *mem_ctx,
                                       const char *name,
@@ -1536,6 +1565,44 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
         goto done;
     }
 
+    domain->hostname = confdb_get_domain_hostname(domain, res, domain->provider);
+    if (domain->hostname == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get domain hostname\n");
+        goto done;
+    }
+
+    domain->krb5_keytab = NULL;
+    tmp = ldb_msg_find_attr_as_string(res->msgs[0], "krb5_keytab", NULL);
+    if (tmp != NULL) {
+        domain->krb5_keytab = talloc_strdup(domain, tmp);
+        if (domain->krb5_keytab == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get domain keytab!\n");
+            goto done;
+        }
+    }
+
+    tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES,
+                                      "-");
+    if (tmp != NULL) {
+        ret = split_on_separator(domain, tmp, ',', true, true,
+                                 &domain->gssapi_services, NULL);
+        if (ret != 0) {
+            DEBUG(SSSDBG_FATAL_FAILURE,
+                  "Cannot parse %s\n", CONFDB_PAM_GSSAPI_SERVICES);
+            goto done;
+        }
+    }
+
+    tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_CHECK_UPN,
+                                      NULL);
+    if (tmp != NULL) {
+        domain->gssapi_check_upn = talloc_strdup(domain, tmp);
+        if (domain->gssapi_check_upn == NULL) {
+            ret = ENOMEM;
+            goto done;
+        }
+    }
+
     domain->has_views = false;
     domain->view_name = NULL;
 

src/confdb/confdb.h

@@ -144,6 +144,8 @@
 #define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
 #define CONFDB_PAM_P11_URI "p11_uri"
 #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme"
+#define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services"
+#define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn"
 
 /* SUDO */
 #define CONFDB_SUDO_CONF_ENTRY "config/sudo"
@@ -425,6 +427,16 @@ struct sss_domain_info {
     /* Do not use the _output_fqnames property directly in new code, but rather
      * use sss_domain_info_{get,set}_output_fqnames(). */
     bool output_fqnames;
+
+    /* Hostname associated with this domain. */
+    const char *hostname;
+
+    /* Keytab used by this domain. */
+    const char *krb5_keytab;
+
+    /* List of PAM services that are allowed to authenticate with GSSAPI. */
+    char **gssapi_services;
+    char *gssapi_check_upn; /* true | false | NULL */
 };
 
 /**

src/config/SSSDConfig/sssdoptions.py

@@ -104,6 +104,8 @@ def __init__(self):
         'p11_wait_for_card_timeout': _('Additional timeout to wait for a card if requested'),
         'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
         'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'),
+        'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'),
+        'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'),
 
         # [sudo]
         'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),

src/config/SSSDConfigTest.py

@@ -653,7 +653,9 @@ def testListOptions(self):
             'full_name_format',
             're_expression',
             'cached_auth_timeout',
-            'auto_private_groups']
+            'auto_private_groups',
+            'pam_gssapi_services',
+            'pam_gssapi_check_upn']
 
         self.assertTrue(type(options) == dict,
                         "Options should be a dictionary")
@@ -1030,7 +1032,9 @@ def testRemoveProvider(self):
             'full_name_format',
             're_expression',
             'cached_auth_timeout',
-            'auto_private_groups']
+            'auto_private_groups',
+            'pam_gssapi_services',
+            'pam_gssapi_check_upn']
 
         self.assertTrue(type(options) == dict,
                         "Options should be a dictionary")

src/config/cfg_rules.ini

@@ -139,6 +139,8 @@ option = pam_p11_allowed_services
 option = p11_wait_for_card_timeout
 option = p11_uri
 option = pam_initgroups_scheme
+option = pam_gssapi_services
+option = pam_gssapi_check_upn
 
 [rule/allowed_sudo_options]
 validator = ini_allowed_options
@@ -437,6 +439,8 @@ option = wildcard_limit
 option = full_name_format
 option = re_expression
 option = auto_private_groups
+option = pam_gssapi_services
+option = pam_gssapi_check_upn
 
 #Entry cache timeouts
 option = entry_cache_user_timeout
@@ -831,6 +835,8 @@ option = ad_backup_server
 option = ad_site
 option = use_fully_qualified_names
 option = auto_private_groups
+option = pam_gssapi_services
+option = pam_gssapi_check_upn
 
 [rule/sssd_checks]
 validator = sssd_checks

src/config/etc/sssd.api.conf

@@ -80,6 +80,8 @@ pam_p11_allowed_services = str, None, false
 p11_wait_for_card_timeout = int, None, false
 p11_uri = str, None, false
 pam_initgroups_scheme = str, None, false
+pam_gssapi_services = str, None, false
+pam_gssapi_check_upn = bool, None, false
 
 [sudo]
 # sudo service
@@ -199,6 +201,8 @@ cached_auth_timeout = int, None, false
 full_name_format = str, None, false
 re_expression = str, None, false
 auto_private_groups = str, None, false
+pam_gssapi_services = str, None, false
+pam_gssapi_check_upn = bool, None, false
 
 #Entry cache timeouts
 entry_cache_user_timeout = int, None, false

src/db/sysdb_subdomains.c

@@ -125,6 +125,18 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
         }
     }
 
+    dom->hostname = talloc_strdup(dom, parent->hostname);
+    if (dom->hostname == NULL && parent->hostname != NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "Failed to copy hostname.\n");
+        goto fail;
+    }
+
+    dom->krb5_keytab = talloc_strdup(dom, parent->krb5_keytab);
+    if (dom->krb5_keytab == NULL && parent->krb5_keytab != NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "Failed to copy krb5_keytab.\n");
+        goto fail;
+    }
+
     dom->enumerate = enumerate;
     dom->fqnames = true;
     dom->mpg_mode = mpg_mode;
@@ -172,6 +184,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
     dom->homedir_substr = parent->homedir_substr;
     dom->override_gid = parent->override_gid;
 
+    dom->gssapi_services = parent->gssapi_services;
+
     if (parent->sysdb == NULL) {
         DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n");
         goto fail;
@@ -229,6 +243,29 @@ check_subdom_config_file(struct confdb_ctx *confdb,
           sd_conf_path, CONFDB_DOMAIN_FQ,
           subdomain->fqnames ? "TRUE" : "FALSE");
 
+    /* allow to set pam_gssapi_services */
+    ret = confdb_get_string_as_list(confdb, subdomain, sd_conf_path,
+                                    CONFDB_PAM_GSSAPI_SERVICES,
+                                    &subdomain->gssapi_services);
+    if (ret != EOK && ret != ENOENT) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Failed to get %s option for the subdomain: %s\n",
+              CONFDB_PAM_GSSAPI_SERVICES, subdomain->name);
+        goto done;
+    }
+
+    /* allow to set pam_gssapi_check_upn */
+    ret = confdb_get_string(confdb, subdomain, sd_conf_path,
+                            CONFDB_PAM_GSSAPI_CHECK_UPN,
+                            subdomain->parent->gssapi_check_upn,
+                            &subdomain->gssapi_check_upn);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Failed to get %s option for the subdomain: %s\n",
+              CONFDB_PAM_GSSAPI_CHECK_UPN, subdomain->name);
+        goto done;
+    }
+
     ret = EOK;
 done:
     talloc_free(tmp_ctx);

src/external/libgssapi_krb5.m4

@@ -0,0 +1,8 @@
+AC_SUBST(GSSAPI_KRB5_CFLAGS)
+AC_SUBST(GSSAPI_KRB5_LIBS)
+
+PKG_CHECK_MODULES(GSSAPI_KRB5,
+    krb5-gssapi,
+    ,
+    AC_MSG_ERROR("Please install krb5-devel")
+    )

src/man/Makefile.am

@@ -69,8 +69,8 @@ man_MANS = \
     sssd.8 sssd.conf.5 sssd-ldap.5 sssd-ldap-attributes.5 \
     sssd-krb5.5 sssd-simple.5 sss-certmap.5 \
     sssd_krb5_locator_plugin.8 \
-    pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 sss_seed.8 \
-    sss_override.8 idmap_sss.8 sssctl.8 sssd-session-recording.5 \
+    pam_sss.8 pam_sss_gss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 \
+	sss_seed.8 sss_override.8 idmap_sss.8 sssctl.8 sssd-session-recording.5 \
     $(NULL)
 
 if BUILD_LOCAL_PROVIDER