403b09
From ed178aad6751ea7673d8e730bd5a6709921a1ff0 Mon Sep 17 00:00:00 2001
403b09
From: Sumit Bose <sbose@redhat.com>
403b09
Date: Wed, 6 Jul 2016 17:29:37 +0200
403b09
Subject: [PATCH] kdb: check for local realm in enterprise principals
403b09
403b09
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
403b09
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
403b09
---
403b09
 daemons/ipa-kdb/ipa_kdb_principals.c | 52 +++++++++++++++++++++++++++---------
403b09
 1 file changed, 40 insertions(+), 12 deletions(-)
403b09
403b09
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
403b09
index 6cdfa909452a4b55912b2a5a74648abd2053482a..5b80909475565d6bb4fa8cba67629094daf51eb3 100644
403b09
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
403b09
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
403b09
@@ -1198,30 +1198,58 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
403b09
             /* skip '@' and use part after '@' as an enterprise realm for comparison */
403b09
             realm++;
403b09
 
403b09
-            kerr = ipadb_is_princ_from_trusted_realm(kcontext,
403b09
-                                                     realm,
403b09
-                                                     upn->length - (realm - upn->data),
403b09
-                                                     &trusted_realm);
403b09
-            if (kerr == 0) {
403b09
-                kentry = calloc(1, sizeof(krb5_db_entry));
403b09
-                if (!kentry) {
403b09
+            /* check for our realm */
403b09
+            if (strncasecmp(ipactx->realm, realm,
403b09
+                            upn->length - (realm - upn->data)) == 0) {
403b09
+                /* it looks like it is ok to use malloc'ed strings as principal */
403b09
+                krb5_free_unparsed_name(kcontext, principal);
403b09
+                principal = strndup((const char *) upn->data, upn->length);
403b09
+                if (principal == NULL) {
403b09
                     kerr = ENOMEM;
403b09
                     goto done;
403b09
                 }
403b09
-                kerr = krb5_parse_name(kcontext, principal,
403b09
-                                       &kentry->princ);
403b09
+
403b09
+                ldap_msgfree(res);
403b09
+                res = NULL;
403b09
+                kerr = ipadb_fetch_principals(ipactx, flags, principal, &res;;
403b09
                 if (kerr != 0) {
403b09
                     goto done;
403b09
                 }
403b09
 
403b09
-                kerr = krb5_set_principal_realm(kcontext, kentry->princ, trusted_realm);
403b09
+                kerr = ipadb_find_principal(kcontext, flags, res, &principal,
403b09
+                                            &lentry);
403b09
                 if (kerr != 0) {
403b09
                     goto done;
403b09
                 }
403b09
-                *entry = kentry;
403b09
+            } else {
403b09
+
403b09
+                kerr = ipadb_is_princ_from_trusted_realm(kcontext,
403b09
+                                                         realm,
403b09
+                                                         upn->length - (realm - upn->data),
403b09
+                                                         &trusted_realm);
403b09
+                if (kerr == 0) {
403b09
+                    kentry = calloc(1, sizeof(krb5_db_entry));
403b09
+                    if (!kentry) {
403b09
+                        kerr = ENOMEM;
403b09
+                        goto done;
403b09
+                    }
403b09
+                    kerr = krb5_parse_name(kcontext, principal,
403b09
+                                           &kentry->princ);
403b09
+                    if (kerr != 0) {
403b09
+                        goto done;
403b09
+                    }
403b09
+
403b09
+                    kerr = krb5_set_principal_realm(kcontext, kentry->princ, trusted_realm);
403b09
+                    if (kerr != 0) {
403b09
+                        goto done;
403b09
+                    }
403b09
+                    *entry = kentry;
403b09
+                }
403b09
+                goto done;
403b09
             }
403b09
+        } else {
403b09
+            goto done;
403b09
         }
403b09
-        goto done;
403b09
     }
403b09
 
403b09
     kerr = ipadb_parse_ldap_entry(kcontext, principal, lentry, entry, &pol;;
403b09
-- 
403b09
2.4.3
403b09