1b3700b07SGordon Ross /*
2b3700b07SGordon Ross  * This file and its contents are supplied under the terms of the
3b3700b07SGordon Ross  * Common Development and Distribution License ("CDDL"), version 1.0.
4b3700b07SGordon Ross  * You may only use this file in accordance with the terms of version
5b3700b07SGordon Ross  * 1.0 of the CDDL.
6b3700b07SGordon Ross  *
7b3700b07SGordon Ross  * A full copy of the text of the CDDL should have accompanied this
8b3700b07SGordon Ross  * source.  A copy of the CDDL is also available via the Internet at
9b3700b07SGordon Ross  * http://www.illumos.org/license/CDDL.
10b3700b07SGordon Ross  */
11b3700b07SGordon Ross 
12b3700b07SGordon Ross /*
13*bdc3270fSMatt Barden  * Copyright 2020 Nexenta by DDN, Inc. All rights reserved.
14b3700b07SGordon Ross  */
15b3700b07SGordon Ross 
16b3700b07SGordon Ross #include <stdio.h>
17b3700b07SGordon Ross #include <stdlib.h>
18b3700b07SGordon Ross #include <stdarg.h>
19b3700b07SGordon Ross #include <string.h>
20b3700b07SGordon Ross #include <syslog.h>
21b3700b07SGordon Ross 
22b3700b07SGordon Ross #include <sys/types.h>
23b3700b07SGordon Ross #include <sys/errno.h>
24b3700b07SGordon Ross #include <sys/socket.h>
25b3700b07SGordon Ross #include <netinet/in.h>
26b3700b07SGordon Ross #include <sys/note.h>
27b3700b07SGordon Ross #include <synch.h>
28b3700b07SGordon Ross #include <thread.h>
29b3700b07SGordon Ross 
30*bdc3270fSMatt Barden #include <ads/dsgetdc.h>
31*bdc3270fSMatt Barden 
32b3700b07SGordon Ross #include "idmapd.h"
33b3700b07SGordon Ross #include "libadutils.h"
34b3700b07SGordon Ross #include "locate_plugin.h"
35b3700b07SGordon Ross 
36b3700b07SGordon Ross /* osconf.h - sigh */
37b3700b07SGordon Ross #define	KRB5_DEFAULT_PORT	88
38b3700b07SGordon Ross #define	DEFAULT_KADM5_PORT	749
39b3700b07SGordon Ross #define	DEFAULT_KPASSWD_PORT	464
40b3700b07SGordon Ross 
41b3700b07SGordon Ross /*
42b3700b07SGordon Ross  * This is an "override plugin" used by libkrb5.  See:
43b3700b07SGordon Ross  * lib/gss_mechs/mech_krb5/krb5/os/locate_kdc.c
44b3700b07SGordon Ross  *
45b3700b07SGordon Ross  * The interface is based on:
46b3700b07SGordon Ross  * http://web.mit.edu/~kerberos/krb5-1.12/doc/plugindev/locate.html
47b3700b07SGordon Ross  */
48b3700b07SGordon Ross 
49b3700b07SGordon Ross /*
50b3700b07SGordon Ross  * Called by krb5int_locate_server / override_locate_server
51b3700b07SGordon Ross  */
52b3700b07SGordon Ross 
53b3700b07SGordon Ross krb5_error_code
_krb5_override_service_locator(void * arg0,enum locate_service_type svc,const char * realm,int socktype,int family,int (* cbfunc)(void *,int,struct sockaddr *),void * cbdata)54b3700b07SGordon Ross _krb5_override_service_locator(
55b3700b07SGordon Ross     void *arg0,
56b3700b07SGordon Ross     enum locate_service_type svc,
57b3700b07SGordon Ross     const char *realm,
58b3700b07SGordon Ross     int socktype,
59b3700b07SGordon Ross     int family,
60b3700b07SGordon Ross     int (*cbfunc)(void *, int, struct sockaddr *),
61b3700b07SGordon Ross     void *cbdata)
62b3700b07SGordon Ross {
63b3700b07SGordon Ross 	_NOTE(ARGUNUSED(arg0))
64b3700b07SGordon Ross 	idmap_pg_config_t *pgcfg;
65b3700b07SGordon Ross 	ad_disc_ds_t *ds;
66b3700b07SGordon Ross 	int rc = KRB5_PLUGIN_NO_HANDLE;
67b3700b07SGordon Ross 	short port;
68b3700b07SGordon Ross 
69b3700b07SGordon Ross 	/*
70b3700b07SGordon Ross 	 * Is this a service we want to override?
71b3700b07SGordon Ross 	 */
72b3700b07SGordon Ross 	switch (svc) {
73b3700b07SGordon Ross 	case locate_service_kdc:
74b3700b07SGordon Ross 	case locate_service_master_kdc:
75b3700b07SGordon Ross 		port = htons(KRB5_DEFAULT_PORT);
76b3700b07SGordon Ross 		break;
77b3700b07SGordon Ross 	case locate_service_kadmin:
78b3700b07SGordon Ross 		port = htons(DEFAULT_KADM5_PORT);
79b3700b07SGordon Ross 		break;
80b3700b07SGordon Ross 	case locate_service_kpasswd:
81b3700b07SGordon Ross 		port = htons(DEFAULT_KPASSWD_PORT);
82b3700b07SGordon Ross 		break;
83b3700b07SGordon Ross 	case locate_service_krb524:
84b3700b07SGordon Ross 	default:
85b3700b07SGordon Ross 		return (rc);
86b3700b07SGordon Ross 	}
87b3700b07SGordon Ross 
88b3700b07SGordon Ross 	RDLOCK_CONFIG();
89b3700b07SGordon Ross 	pgcfg = &_idmapdstate.cfg->pgcfg;
90b3700b07SGordon Ross 
91b3700b07SGordon Ross 	/*
92b3700b07SGordon Ross 	 * Is this a realm we want to override?
93b3700b07SGordon Ross 	 */
94b3700b07SGordon Ross 	if (pgcfg->domain_name == NULL)
95b3700b07SGordon Ross 		goto out;
96b3700b07SGordon Ross 	if (0 != strcasecmp(realm, pgcfg->domain_name))
97b3700b07SGordon Ross 		goto out;
98b3700b07SGordon Ross 
99b3700b07SGordon Ross 	/*
100b3700b07SGordon Ross 	 * Yes, this is our domain.  Have a DC?
101b3700b07SGordon Ross 	 */
102b3700b07SGordon Ross 	if ((ds = pgcfg->domain_controller) == NULL) {
103b3700b07SGordon Ross 		rc = KRB5_REALM_CANT_RESOLVE;
104b3700b07SGordon Ross 		goto out;
105b3700b07SGordon Ross 	}
106b3700b07SGordon Ross 
107*bdc3270fSMatt Barden 	if ((ds->flags & DS_KDC_FLAG) == 0) {
108*bdc3270fSMatt Barden 		idmapdlog(LOG_WARNING, "Domain Controller is not a KDC: "
109*bdc3270fSMatt Barden 		    "Kerberos auth may be slow");
110*bdc3270fSMatt Barden 		goto out;
111*bdc3270fSMatt Barden 	}
112*bdc3270fSMatt Barden 
113b3700b07SGordon Ross 	switch (family) {
114b3700b07SGordon Ross 	case AF_UNSPEC:
115b3700b07SGordon Ross 		break;	/* OK */
116b3700b07SGordon Ross 	case AF_INET:
117b3700b07SGordon Ross 	case AF_INET6:
118b3700b07SGordon Ross 		if (family == ds->addr.ss_family)
119b3700b07SGordon Ross 			break;	/* OK */
120b3700b07SGordon Ross 		/* else fallthrough */
121b3700b07SGordon Ross 	default:
122b3700b07SGordon Ross 		rc = KRB5_ERR_NO_SERVICE;
123b3700b07SGordon Ross 		goto out;
124b3700b07SGordon Ross 	}
125b3700b07SGordon Ross 
126b3700b07SGordon Ross 	/*
127b3700b07SGordon Ross 	 * Provide the service address we have.
128b3700b07SGordon Ross 	 */
129b3700b07SGordon Ross 	switch (ds->addr.ss_family) {
130b3700b07SGordon Ross 	case AF_INET: {
131b3700b07SGordon Ross 		struct sockaddr_in sin;
132b3700b07SGordon Ross 		struct sockaddr_in *dsa = (void *)&ds->addr;
133b3700b07SGordon Ross 		(void) memset(&sin, 0, sizeof (sin));
134b3700b07SGordon Ross 		sin.sin_family = AF_INET;
135b3700b07SGordon Ross 		sin.sin_port = port;
136b3700b07SGordon Ross 		(void) memcpy(&sin.sin_addr, &dsa->sin_addr,
137b3700b07SGordon Ross 		    sizeof (sin.sin_addr));
138b3700b07SGordon Ross 		rc = cbfunc(cbdata, socktype, (struct sockaddr *)&sin);
139b3700b07SGordon Ross 		break;
140b3700b07SGordon Ross 	}
141b3700b07SGordon Ross 	case AF_INET6: {
142b3700b07SGordon Ross 		struct sockaddr_in6 sin6;
143b3700b07SGordon Ross 		struct sockaddr_in6 *dsa6 = (void *)&ds->addr;
144b3700b07SGordon Ross 		(void) memset(&sin6, 0, sizeof (sin6));
145b3700b07SGordon Ross 		sin6.sin6_family = AF_INET6;
146b3700b07SGordon Ross 		sin6.sin6_port = port;
147b3700b07SGordon Ross 		(void) memcpy(&sin6.sin6_addr, &dsa6->sin6_addr,
148b3700b07SGordon Ross 		    sizeof (sin6.sin6_addr));
149b3700b07SGordon Ross 		rc = cbfunc(cbdata, socktype, (struct sockaddr *)&sin6);
150b3700b07SGordon Ross 		break;
151b3700b07SGordon Ross 	}
152b3700b07SGordon Ross 	default:
153b3700b07SGordon Ross 		rc = KRB5_ERR_NO_SERVICE;
154b3700b07SGordon Ross 		goto out;
155b3700b07SGordon Ross 	}
156b3700b07SGordon Ross 	/* rc from cbfunc is special. */
157b3700b07SGordon Ross 	if (rc)
158b3700b07SGordon Ross 		rc = ENOMEM;
159b3700b07SGordon Ross 
160b3700b07SGordon Ross out:
161b3700b07SGordon Ross 	UNLOCK_CONFIG();
162b3700b07SGordon Ross 
163b3700b07SGordon Ross 	return (rc);
164b3700b07SGordon Ross }