From ede01c14e58a98af728152635e5d75be0deb389d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 25 Feb 2014 17:50:55 +0200
Subject: [PATCH 49/51] ipa-kdb: in case of delegation use original client's
database entry, not the proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
https://fedorahosted.org/freeipa/ticket/4195
Reviewed-By: Tomáš Babej <tbabej@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
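diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index ff67391538234e2272ea1ec886ec96fa88ea579b..2a0480fff029d29fb56286d85108936f6c579901 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1983,12 +1983,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 bool with_pac;
 bool with_pad;
 int result;
+ krb5_db_entry *client_entry = NULL;
 
 /* When using s4u2proxy client_princ actually refers to the proxied user
 * while client->princ to the proxy service asking for the TGS on behalf
 * of the proxied user. So always use client_princ in preference */
 if (client_princ != NULL) {
 ks_client_princ = client_princ;
+ kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
 } else {
 ks_client_princ = client->princ;
 }
@@ -2025,7 +2027,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 }
 }
 
- kerr = ipadb_get_pac(context, client, &pac;;
+ kerr = ipadb_get_pac(context, client_entry ? client_entry : client, &pac;;
 if (kerr != 0 && kerr != ENOENT) {
 goto done;
 }
@@ -2041,7 +2043,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 /* check or generate pac data */
 if ((pac_auth_data == NULL) || (pac_auth_data[0] == NULL)) {
 if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
- kerr = ipadb_get_pac(context, client, &pac;;
+ kerr = ipadb_get_pac(context, client_entry ? client_entry : client, &pac;;
 if (kerr != 0 && kerr != ENOENT) {
 goto done;
 }
@@ -2094,6 +2096,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 kerr = 0;
 
 done:
+ if (client_entry != NULL) {
+ ipadb_free_principal(context, client_entry);
+ }
 krb5_pac_free(context, pac);
 return kerr;
 }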
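Review bot: The return value of the new `ipadb_get_principal(context, client_princ, flags, &client_entry)` call in the first hunk is stored in `kerr` but never checked, so a failed lookup leaves `client_entry` NULL and the two `client_entry ? client_entry : client` sites in the later hunks silently fall back to the proxy's own database entry — exactly the entry this commit says must not be used when building the PAC for a delegated client. Treating the failure as fatal keeps the fix from quietly regressing on a transient LDAP or lookup error: `if (kerr != 0) { goto done; }` right after the call (the `done:` label already frees `client_entry` and `pac`). If a best-effort fallback to `client` is intended, a comment stating that and why it is safe would help the next reader; the `kerr` value is otherwise overwritten by later calls. The enclosing function `ipadb_sign_authdata` begins before the first hunk.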
--
1.8.5.3