From 4b7059b4f29832d98b4ff4f266007d007ca07a19 Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <abokovoy@redhat.com>

Date: Fri, 28 Feb 2014 22:03:29 +0200

Subject: [PATCH] fix filtering of subdomain-based trust users

https://fedorahosted.org/freeipa/ticket/4207

---

 daemons/ipa-kdb/ipa_kdb_mspac.c | 41 ++++++++++++++++++++++++++++++++---------

 1 file changed, 32 insertions(+), 9 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c

index 9137cd5ad1e6166fd5d6e765fab2c8178ca0587c..68f27f0e2d9028cdaece80c4bd3440d0438d20db 100644

--- a/daemons/ipa-kdb/ipa_kdb_mspac.c

+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c

@@ -806,6 +806,12 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,

     krb5_error_code kerr;

     enum ndr_err_code ndr_err;

+    /* When no client entry is there, we cannot generate MS-PAC */

+    if (!client) {

+        *pac = NULL;

+        return 0;

+    }

+

     ipactx = ipadb_get_context(kcontext);

     if (!ipactx) {

         return KRB5_KDB_DBNOTINITED;

@@ -1534,6 +1540,12 @@ static krb5_error_code ipadb_add_transited_service(krb5_context context,

     uint32_t i;

     char *tmpstr;

+    /* When proxy is NULL, authdata flag on the service principal was cleared

+     * by an admin. We don't generate MS-PAC in this case */

+    if (proxy == NULL) {

+        return 0;

+    }

+

     tmpctx = talloc_new(NULL);

     if (!tmpctx) {

         kerr = ENOMEM;

@@ -1731,6 +1743,12 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,

     }

     if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {

+        if (proxy == NULL) {

+            *pac = NULL;

+            kerr = 0;

+            goto done;

+        }

+

         kerr = ipadb_add_transited_service(context, proxy, server,

                                            old_pac, new_pac);

         if (kerr) {

@@ -1986,20 +2004,27 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,

     krb5_db_entry *client_entry = NULL;

-    /* When client is NULL, authdata flag on the service principal was cleared

-     * by an admin. We don't generate MS-PAC in this case */

-    if (client == NULL) {

-        *signed_auth_data = NULL;

-        return 0;

-    }

+    is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);

     /* When using s4u2proxy client_princ actually refers to the proxied user

      * while client->princ to the proxy service asking for the TGS on behalf

      * of the proxied user. So always use client_princ in preference */

     if (client_princ != NULL) {

         ks_client_princ = client_princ;

-        kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);

+        if (!is_as_req) {

+            kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);

+            /* If we didn't find client_princ in our database, it might be:

+             * - a principal from another realm, handle it down in ipadb_get/verify_pac()

+             */

+            if (!kerr) {

+                client_entry = NULL;

+            }

+        }

     } else {

+        if (client == NULL) {

+            *signed_auth_data = NULL;

+            return 0;

+        }

         ks_client_princ = client->princ;

     }

@@ -2014,8 +2039,6 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,

                                   "currently not supported.");

     }

-    is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);

-

     if (is_as_req && with_pac && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {

         /* Be aggressive here: special case for discovering range type

          * immediately after establishing the trust by IPA framework */

-- 

1.8.5.3