xref: /illumos-gate/usr/src/cmd/idmap/idmapd/init.c (revision 4edd44c5) 
1c5c4113dSnw /*
2c5c4113dSnw  * CDDL HEADER START
3c5c4113dSnw  *
4c5c4113dSnw  * The contents of this file are subject to the terms of the
5c5c4113dSnw  * Common Development and Distribution License (the "License").
6c5c4113dSnw  * You may not use this file except in compliance with the License.
7c5c4113dSnw  *
8c5c4113dSnw  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9c5c4113dSnw  * or http://www.opensolaris.org/os/licensing.
10c5c4113dSnw  * See the License for the specific language governing permissions
11c5c4113dSnw  * and limitations under the License.
12c5c4113dSnw  *
13c5c4113dSnw  * When distributing Covered Code, include this CDDL HEADER in each
14c5c4113dSnw  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15c5c4113dSnw  * If applicable, add the following below this CDDL HEADER, with the
16c5c4113dSnw  * fields enclosed by brackets "[]" replaced with your own identifying
17c5c4113dSnw  * information: Portions Copyright [yyyy] [name of copyright owner]
18c5c4113dSnw  *
19c5c4113dSnw  * CDDL HEADER END
20c5c4113dSnw  */
21c5c4113dSnw /*
22*4edd44c5Sjp  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23c5c4113dSnw  * Use is subject to license terms.
24c5c4113dSnw  */
25c5c4113dSnw 
26c5c4113dSnw #pragma ident	"%Z%%M%	%I%	%E% SMI"
27c5c4113dSnw 
28c5c4113dSnw /*
29c5c4113dSnw  * Initialization routines
30c5c4113dSnw  */
31c5c4113dSnw 
32c5c4113dSnw #include "idmapd.h"
33c5c4113dSnw #include <signal.h>
34c5c4113dSnw #include <thread.h>
35c5c4113dSnw #include <string.h>
36c5c4113dSnw #include <errno.h>
37c5c4113dSnw #include <assert.h>
38c5c4113dSnw #include <unistd.h>
39c5c4113dSnw #include <sys/types.h>
40c5c4113dSnw #include <sys/stat.h>
418edda628Sbaban #include <rpcsvc/daemon_utils.h>
42c5c4113dSnw 
43c5c4113dSnw static const char *me = "idmapd";
44c5c4113dSnw 
45c5c4113dSnw int
46*4edd44c5Sjp init_mapping_system()
47*4edd44c5Sjp {
488edda628Sbaban 	int rc = 0;
498edda628Sbaban 
50c5c4113dSnw 	if (rwlock_init(&_idmapdstate.rwlk_cfg, USYNC_THREAD, NULL) != 0)
51c5c4113dSnw 		return (-1);
52e8c27ec8Sbaban 	if ((rc = load_config()) < 0)
53e8c27ec8Sbaban 		return (rc);
548edda628Sbaban 
558edda628Sbaban 	(void) setegid(DAEMON_GID);
568edda628Sbaban 	(void) seteuid(DAEMON_UID);
57c5c4113dSnw 	if (init_dbs() < 0) {
588edda628Sbaban 		rc = -1;
59c5c4113dSnw 		fini_mapping_system();
60c5c4113dSnw 	}
618edda628Sbaban 	(void) seteuid(0);
628edda628Sbaban 	(void) setegid(0);
638edda628Sbaban 
648edda628Sbaban 	return (rc);
65c5c4113dSnw }
66c5c4113dSnw 
67c5c4113dSnw void
68*4edd44c5Sjp fini_mapping_system()
69*4edd44c5Sjp {
70c5c4113dSnw 	fini_dbs();
71c5c4113dSnw }
72c5c4113dSnw 
73c5c4113dSnw int
74*4edd44c5Sjp load_config()
75*4edd44c5Sjp {
76e3c2d6aaSnw 	int rc;
77c8e26105Sjp 	idmap_pg_config_t *pgcfg;
78c5c4113dSnw 	if ((_idmapdstate.cfg = idmap_cfg_init()) == NULL) {
79651c0131Sbaban 		idmapdlog(LOG_ERR, "%s: failed to initialize config", me);
80c8e26105Sjp 		degrade_svc();
81c5c4113dSnw 		return (-1);
82c5c4113dSnw 	}
83c8e26105Sjp 	pgcfg = &_idmapdstate.cfg->pgcfg;
84c8e26105Sjp 
85e3c2d6aaSnw 	rc = idmap_cfg_load(&_idmapdstate.cfg->handles,
86e3c2d6aaSnw 	    &_idmapdstate.cfg->pgcfg, 0);
87e3c2d6aaSnw 	if (rc < -1) {
88e3c2d6aaSnw 		/* Total failure */
89c8e26105Sjp 		degrade_svc();
90e3c2d6aaSnw 		idmapdlog(LOG_ERR, "%s: Fatal error while loading "
91e3c2d6aaSnw 		    "configuration", me);
92e8c27ec8Sbaban 		return (rc);
93c5c4113dSnw 	}
94c8e26105Sjp 
95e3c2d6aaSnw 	if (rc != 0)
96e3c2d6aaSnw 		/* Partial failure */
97e3c2d6aaSnw 		idmapdlog(LOG_ERR, "%s: Various errors occurred while loading "
98*4edd44c5Sjp 		    "the configuration; check the logs", me);
99e3c2d6aaSnw 
100c8e26105Sjp 	if (pgcfg->global_catalog == NULL ||
101c8e26105Sjp 	    pgcfg->global_catalog[0].host[0] == '\0') {
102c8e26105Sjp 		degrade_svc();
103e3c2d6aaSnw 		idmapdlog(LOG_INFO,
104e3c2d6aaSnw 		    "%s: Global catalog server is not configured; AD lookup "
105e3c2d6aaSnw 		    "will fail until one or more global catalog server names "
106e3c2d6aaSnw 		    "are configured or discovered; auto-discovery will begin "
107e3c2d6aaSnw 		    "shortly", me);
108e3c2d6aaSnw 	} else {
109e3c2d6aaSnw 		restore_svc();
110c8e26105Sjp 	}
111c8e26105Sjp 
112c8e26105Sjp 	(void) reload_ad();
113c8e26105Sjp 
114c8e26105Sjp 	if (idmap_cfg_start_updates(_idmapdstate.cfg) < 0)
115c8e26105Sjp 		idmapdlog(LOG_ERR, "%s: could not start config updater",
116*4edd44c5Sjp 		    me);
117e3c2d6aaSnw 
118e3c2d6aaSnw 	idmapdlog(LOG_DEBUG, "%s: initial configuration loaded", me);
119e3c2d6aaSnw 
120c8e26105Sjp 	return (0);
121c8e26105Sjp }
122c8e26105Sjp 
123c8e26105Sjp 
124c8e26105Sjp int
125*4edd44c5Sjp reload_ad()
126*4edd44c5Sjp {
127c8e26105Sjp 	int	i;
128c8e26105Sjp 	ad_t	*old;
129c8e26105Sjp 	ad_t	*new;
130c8e26105Sjp 
131c8e26105Sjp 	idmap_pg_config_t *pgcfg = &_idmapdstate.cfg->pgcfg;
132c8e26105Sjp 
133c8e26105Sjp 	if (pgcfg->default_domain == NULL ||
134c8e26105Sjp 	    pgcfg->global_catalog == NULL) {
135c8e26105Sjp 		if (_idmapdstate.ad == NULL)
136c8e26105Sjp 			idmapdlog(LOG_ERR, "%s: AD lookup disabled", me);
137c8e26105Sjp 		else
138c8e26105Sjp 			idmapdlog(LOG_ERR, "%s: cannot update AD context", me);
139c5c4113dSnw 		return (-1);
140c5c4113dSnw 	}
141c8e26105Sjp 
142c8e26105Sjp 	old = _idmapdstate.ad;
143c8e26105Sjp 
144c8e26105Sjp 	if (idmap_ad_alloc(&new, pgcfg->default_domain,
145c8e26105Sjp 	    IDMAP_AD_GLOBAL_CATALOG) != 0) {
146c8e26105Sjp 		if (old == NULL)
147c8e26105Sjp 			degrade_svc();
148c8e26105Sjp 		idmapdlog(LOG_ERR, "%s: could not initialize AD context", me);
149c8e26105Sjp 		return (-1);
150c8e26105Sjp 	}
151c8e26105Sjp 
152c8e26105Sjp 	for (i = 0; pgcfg->global_catalog[i].host[0] != '\0'; i++) {
153c8e26105Sjp 		if (idmap_add_ds(new,
154c8e26105Sjp 		    pgcfg->global_catalog[i].host,
155c8e26105Sjp 		    pgcfg->global_catalog[i].port) != 0) {
156c8e26105Sjp 			idmap_ad_free(&new);
157c8e26105Sjp 			if (old == NULL)
158c8e26105Sjp 				degrade_svc();
159c8e26105Sjp 			idmapdlog(LOG_ERR,
160c8e26105Sjp 			    "%s: could not initialize AD DS context", me);
161c8e26105Sjp 			return (-1);
162c8e26105Sjp 		}
163c8e26105Sjp 	}
164c8e26105Sjp 
165c8e26105Sjp 	_idmapdstate.ad = new;
166c8e26105Sjp 
167c8e26105Sjp 	if (old != NULL)
168c8e26105Sjp 		idmap_ad_free(&old);
169c8e26105Sjp 
170c5c4113dSnw 	return (0);
171c5c4113dSnw }
172c5c4113dSnw 
173c8e26105Sjp 
174c5c4113dSnw void
175*4edd44c5Sjp print_idmapdstate()
176*4edd44c5Sjp {
177c8e26105Sjp 	int i;
178e8c27ec8Sbaban 	idmap_pg_config_t *pgcfg;
179c8e26105Sjp 
180c5c4113dSnw 	RDLOCK_CONFIG();
181c5c4113dSnw 
182c8e26105Sjp 	if (_idmapdstate.cfg == NULL) {
183c8e26105Sjp 		idmapdlog(LOG_INFO, "%s: Null configuration", me);
184c8e26105Sjp 		UNLOCK_CONFIG();
185c8e26105Sjp 		return;
186c8e26105Sjp 	}
187c5c4113dSnw 
188e8c27ec8Sbaban 	pgcfg = &_idmapdstate.cfg->pgcfg;
189e8c27ec8Sbaban 
190c8e26105Sjp 	idmapdlog(LOG_DEBUG, "%s: list_size_limit=%llu", me,
191c8e26105Sjp 	    pgcfg->list_size_limit);
192c8e26105Sjp 	idmapdlog(LOG_DEBUG, "%s: default_domain=%s", me,
193c8e26105Sjp 	    CHECK_NULL(pgcfg->default_domain));
194c8e26105Sjp 	idmapdlog(LOG_DEBUG, "%s: domain_name=%s", me,
195c8e26105Sjp 	    CHECK_NULL(pgcfg->domain_name));
196c8e26105Sjp 	idmapdlog(LOG_DEBUG, "%s: machine_sid=%s", me,
197c8e26105Sjp 	    CHECK_NULL(pgcfg->machine_sid));
198c8e26105Sjp 	if (pgcfg->domain_controller == NULL ||
199c8e26105Sjp 	    pgcfg->domain_controller[0].host[0] == '\0') {
200c8e26105Sjp 		idmapdlog(LOG_DEBUG, "%s: No domain controllers known", me);
201c8e26105Sjp 	} else {
202c8e26105Sjp 		for (i = 0; pgcfg->domain_controller[i].host[0] != '\0'; i++)
203c8e26105Sjp 			idmapdlog(LOG_DEBUG, "%s: domain_controller=%s port=%d",
204c8e26105Sjp 			    me, pgcfg->domain_controller[i].host,
205c8e26105Sjp 			    pgcfg->domain_controller[i].port);
206c8e26105Sjp 	}
207c8e26105Sjp 	idmapdlog(LOG_DEBUG, "%s: forest_name=%s", me,
208c8e26105Sjp 	    CHECK_NULL(pgcfg->forest_name));
209c8e26105Sjp 	idmapdlog(LOG_DEBUG, "%s: site_name=%s", me,
210c8e26105Sjp 	    CHECK_NULL(pgcfg->site_name));
211c8e26105Sjp 	if (pgcfg->global_catalog == NULL ||
212c8e26105Sjp 	    pgcfg->global_catalog[0].host[0] == '\0') {
213c8e26105Sjp 		idmapdlog(LOG_DEBUG, "%s: No global catalog servers known", me);
214c8e26105Sjp 	} else {
215c8e26105Sjp 		for (i = 0; pgcfg->global_catalog[i].host[0] != '\0'; i++)
216c8e26105Sjp 			idmapdlog(LOG_DEBUG, "%s: global_catalog=%s port=%d",
217c8e26105Sjp 			    me,
218c8e26105Sjp 			    pgcfg->global_catalog[i].host,
219c8e26105Sjp 			    pgcfg->global_catalog[i].port);
220c5c4113dSnw 	}
221e8c27ec8Sbaban 	idmapdlog(LOG_DEBUG, "%s: ds_name_mapping_enabled=%s", me,
222e8c27ec8Sbaban 	    (pgcfg->ds_name_mapping_enabled == TRUE) ? "true" : "false");
223e8c27ec8Sbaban 	idmapdlog(LOG_DEBUG, "%s: ad_unixuser_attr=%s", me,
224e8c27ec8Sbaban 	    CHECK_NULL(pgcfg->ad_unixuser_attr));
225e8c27ec8Sbaban 	idmapdlog(LOG_DEBUG, "%s: ad_unixgroup_attr=%s", me,
226e8c27ec8Sbaban 	    CHECK_NULL(pgcfg->ad_unixgroup_attr));
227e8c27ec8Sbaban 	idmapdlog(LOG_DEBUG, "%s: nldap_winname_attr=%s", me,
228e8c27ec8Sbaban 	    CHECK_NULL(pgcfg->nldap_winname_attr));
229c8e26105Sjp 
230c5c4113dSnw 	UNLOCK_CONFIG();
231c5c4113dSnw }
232c5c4113dSnw 
233c5c4113dSnw int
234*4edd44c5Sjp create_directory(const char *path, uid_t uid, gid_t gid)
235*4edd44c5Sjp {
236c5c4113dSnw 	int	rc;
237c5c4113dSnw 
238c5c4113dSnw 	if ((rc = mkdir(path, 0700)) < 0 && errno != EEXIST) {
239c5c4113dSnw 		idmapdlog(LOG_ERR,
240*4edd44c5Sjp 		    "%s: Error creating directory %s (%s)",
241*4edd44c5Sjp 		    me, path, strerror(errno));
242c5c4113dSnw 		return (-1);
243c5c4113dSnw 	}
244c5c4113dSnw 
245c5c4113dSnw 	if (lchown(path, uid, gid) < 0) {
246c5c4113dSnw 		idmapdlog(LOG_ERR,
247*4edd44c5Sjp 		    "%s: Error creating directory %s (%s)",
248*4edd44c5Sjp 		    me, path, strerror(errno));
249c5c4113dSnw 		if (rc == 0)
250c5c4113dSnw 			(void) rmdir(path);
251c5c4113dSnw 		return (-1);
252c5c4113dSnw 	}
253c5c4113dSnw 	return (0);
254c5c4113dSnw }
255