From ed178aad6751ea7673d8e730bd5a6709921a1ff0 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 6 Jul 2016 17:29:37 +0200
Subject: [PATCH] kdb: check for local realm in enterprise principals
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_principals.c | 52 +++++++++++++++++++++++++++---------
1 file changed, 40 insertions(+), 12 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 6cdfa909452a4b55912b2a5a74648abd2053482a..5b80909475565d6bb4fa8cba67629094daf51eb3 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1198,30 +1198,58 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
/* skip '@' and use part after '@' as an enterprise realm for comparison */
realm++;
- kerr = ipadb_is_princ_from_trusted_realm(kcontext,
- realm,
- upn->length - (realm - upn->data),
- &trusted_realm);
- if (kerr == 0) {
- kentry = calloc(1, sizeof(krb5_db_entry));
- if (!kentry) {
+ /* check for our realm */
+ if (strncasecmp(ipactx->realm, realm,
+ upn->length - (realm - upn->data)) == 0) {
+ /* it looks like it is ok to use malloc'ed strings as principal */
+ krb5_free_unparsed_name(kcontext, principal);
+ principal = strndup((const char *) upn->data, upn->length);
+ if (principal == NULL) {
kerr = ENOMEM;
goto done;
}
- kerr = krb5_parse_name(kcontext, principal,
- &kentry->princ);
+
+ ldap_msgfree(res);
+ res = NULL;
+ kerr = ipadb_fetch_principals(ipactx, flags, principal, &res;;
if (kerr != 0) {
goto done;
}
- kerr = krb5_set_principal_realm(kcontext, kentry->princ, trusted_realm);
+ kerr = ipadb_find_principal(kcontext, flags, res, &principal,
+ &lentry);
if (kerr != 0) {
goto done;
}
- *entry = kentry;
+ } else {
+
+ kerr = ipadb_is_princ_from_trusted_realm(kcontext,
+ realm,
+ upn->length - (realm - upn->data),
+ &trusted_realm);
+ if (kerr == 0) {
+ kentry = calloc(1, sizeof(krb5_db_entry));
+ if (!kentry) {
+ kerr = ENOMEM;
+ goto done;
+ }
+ kerr = krb5_parse_name(kcontext, principal,
+ &kentry->princ);
+ if (kerr != 0) {
+ goto done;
+ }
+
+ kerr = krb5_set_principal_realm(kcontext, kentry->princ, trusted_realm);
+ if (kerr != 0) {
+ goto done;
+ }
+ *entry = kentry;
+ }
+ goto done;
}
+ } else {
+ goto done;
}
- goto done;
}
kerr = ipadb_parse_ldap_entry(kcontext, principal, lentry, entry, &pol;;
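Review bot: The new local-realm test `if (strncasecmp(ipactx->realm, realm, upn->length - (realm - upn->data)) == 0)` is a prefix comparison bounded only by the length of the UPN's realm part, so a UPN whose suffix is a strict prefix of the local realm (e.g. `user@EXAMPLE` when `ipactx->realm` is `EXAMPLE.COM`) compares equal and is handled as a local principal instead of being passed to `ipadb_is_princ_from_trusted_realm`. Require equal lengths before comparing: `size_t realm_len = upn->length - (realm - upn->data);` followed by `if (realm_len == strlen(ipactx->realm) && strncasecmp(ipactx->realm, realm, realm_len) == 0) {`, which also lets the trusted-realm call in the else branch reuse `realm_len` instead of recomputing the same expression. ipadb_get_principal starts before this hunk and its `done:` cleanup is outside it, so whether the strndup'ed `principal` (replacing the `krb5_free_unparsed_name` result) and the re-fetched `res` are released on every path cannot be confirmed from the hunk; the comment "it looks like it is ok to use malloc'ed strings as principal" should state why that is the case rather than guess.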
--
2.4.3