From 817e83837d249a63395d90ac47dc975a23f00c6c Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <abokovoy@redhat.com>

Date: Tue, 25 Feb 2014 20:53:49 +0200

Subject: [PATCH 50/51] ipa-kdb: make sure we don't produce MS-PAC in case of

 authdata flag cleared by admin

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

When admin clears authdata flag for the service principal, KDC will pass

NULL client pointer (service proxy) to the DAL driver.

Make sure we bail out correctly.

Reviewed-By: Tomáš Babej <tbabej@redhat.com>

Reviewed-By: Simo Sorce <ssorce@redhat.com>

---

 daemons/ipa-kdb/ipa_kdb_mspac.c | 8 ++++++++

 1 file changed, 8 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c

index 2a0480fff029d29fb56286d85108936f6c579901..9137cd5ad1e6166fd5d6e765fab2c8178ca0587c 100644

--- a/daemons/ipa-kdb/ipa_kdb_mspac.c

+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c

@@ -1985,6 +1985,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,

     int result;

     krb5_db_entry *client_entry = NULL;

+

+    /* When client is NULL, authdata flag on the service principal was cleared

+     * by an admin. We don't generate MS-PAC in this case */

+    if (client == NULL) {

+        *signed_auth_data = NULL;

+        return 0;

+    }

+

     /* When using s4u2proxy client_princ actually refers to the proxied user

      * while client->princ to the proxy service asking for the TGS on behalf

      * of the proxied user. So always use client_princ in preference */

-- 

1.8.5.3