rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0015-Fall-back-to-krbprincipalname-when-validating-host-a.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   20c842f101540f6d6443b5227480dbc324cf439c
  2.   SOURCES
  3.   0015-Fall-back-to-krbprincipalname-when-validating-host-a.patch
Blob History Raw
7e1b55 
From 3b7f537dd3022ecb758b2f0f8b2aba530e74bff7 Mon Sep 17 00:00:00 2001
7e1b55 
From: Rob Crittenden <rcritten@redhat.com>
7e1b55 
Date: Mon, 12 Jul 2021 11:02:10 -0400
7e1b55 
Subject: [PATCH] Fall back to krbprincipalname when validating host auth
7e1b55 
 indicators
7e1b55
7e1b55 
When adding a new host the principal cannot be determined because it
7e1b55 
relies on either:
7e1b55
7e1b55 
a) an entry to already exist
7e1b55 
b) krbprincipalname be a component of the dn
7e1b55
7e1b55 
As a result the full dn is being passed into ipapython.Kerberos
7e1b55 
which can't parse it.
7e1b55
7e1b55 
Look into the entry in validate_validate_auth_indicator() for
7e1b55 
krbprincipalname in this case.
7e1b55
7e1b55 
https://pagure.io/freeipa/issue/8206
7e1b55
7e1b55 
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
7e1b55 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
7e1b55 
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
7e1b55 
---
7e1b55 
 ipaserver/plugins/service.py             |  5 +++++
7e1b55 
 ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++
7e1b55 
 2 files changed, 16 insertions(+)
7e1b55
7e1b55 
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
7e1b55 
index cfbbff3c69c6a92535df58c51767c3d0952c7b0b..498f5e444364c6330e053d1057b727fb5181f70b 100644
7e1b55 
--- a/ipaserver/plugins/service.py
7e1b55 
+++ b/ipaserver/plugins/service.py
7e1b55 
@@ -209,6 +209,11 @@ def validate_auth_indicator(entry):
7e1b55 
     # and shouldn't be allowed to have auth indicators.
7e1b55 
     # https://pagure.io/freeipa/issue/8206
7e1b55 
     pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
7e1b55 
+    if pkey == str(entry.dn):
7e1b55 
+        # krbcanonicalname may not be set yet if this is a host entry,
7e1b55 
+        # try krbprincipalname
7e1b55 
+        if 'krbprincipalname' in entry:
7e1b55 
+            pkey = entry['krbprincipalname']
7e1b55 
     principal = kerberos.Principal(pkey)
7e1b55 
     server = api.Command.server_find(principal.hostname)['result']
7e1b55 
     if server:
7e1b55 
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
7e1b55 
index 9cfde3565d48e103a0549e2bfb7579e07668f41b..ff50e796cd19fca2c7b6c87d73940779db8daa0b 100644
7e1b55 
--- a/ipatests/test_xmlrpc/test_host_plugin.py
7e1b55 
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
7e1b55 
@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test):
7e1b55 
         )):
7e1b55 
             command()
7e1b55
7e1b55 
+    def test_add_non_master_with_auth_ind(self, host5):
7e1b55 
+        host5.ensure_missing()
7e1b55 
+        command = host5.make_command(
7e1b55 
+            'host_add', host5.fqdn, krbprincipalauthind=['radius'],
7e1b55 
+            force=True
7e1b55 
+        )
7e1b55 
+        result = command()
7e1b55 
+        # The fact that the command succeeds exercises the change but
7e1b55 
+        # let's check the indicator as well.
7e1b55 
+        assert result['result']['krbprincipalauthind'] == ('radius',)
7e1b55 
+
7e1b55
7e1b55 
 @pytest.mark.tier1
7e1b55 
 class TestValidation(XMLRPC_test):
7e1b55 
--
7e1b55 
2.26.3
7e1b55

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation