From 7b546dc31c64e35bee7805ca59c8ec5f934077d8 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 06 2021 13:33:46 +0000 Subject: import ipa-4.8.7-16.module+el8.3.0+10289+b6566038 --- diff --git a/SOURCES/0028-ipa-kdb-fix-crash-in-MS-PAC-cache-init-code.patch b/SOURCES/0028-ipa-kdb-fix-crash-in-MS-PAC-cache-init-code.patch new file mode 100644 index 0000000..6593fab --- /dev/null +++ b/SOURCES/0028-ipa-kdb-fix-crash-in-MS-PAC-cache-init-code.patch 
@@ -0,0 +1,127 @@ +From 81cbee4e3ff2e667946e0d41097b402257608b7e Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 6 Nov 2020 14:07:10 +0200 +Subject: [PATCH] ipa-kdb: fix crash in MS-PAC cache init code + +When initializing UPN suffixes, we calculate their sizes and didn't use +the right variable to allocate their size. This affects us if there are +more than one UPN suffix available for a trust due to memory corruption +while filling in sizes. + +Add unit test for multiple UPN suffixes. + +Fixes: https://pagure.io/freeipa/issue/8566 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Rob Crittenden +Reviewed-By: Robbie Harwood +--- + daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +- + daemons/ipa-kdb/tests/ipa_kdb_tests.c | 50 +++++++++++++++++++++++++++ + 2 files changed, 51 insertions(+), 1 deletion(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index dd29db190..fe5b586b6 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -2610,7 +2610,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) + for (; t[n].upn_suffixes[len] != NULL; len++); + + if (len != 0) { +- t[n].upn_suffixes_len = calloc(n, sizeof(size_t)); ++ t[n].upn_suffixes_len = calloc(len, sizeof(size_t)); + if (t[n].upn_suffixes_len == NULL) { + ret = ENOMEM; + goto done; +diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c +index d3ef5c00d..752b24ea4 100644 +--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c ++++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c +@@ -71,6 +71,10 @@ + #define DOM_SID "S-1-5-21-1-2-3" + #define DOM_SID_TRUST "S-1-5-21-4-5-6" + #define BLACKLIST_SID "S-1-5-1" ++#define NUM_SUFFIXES 10 ++#define SUFFIX_TEMPLATE "d%0d" DOMAIN_NAME ++#define TEST_REALM_TEMPLATE "some." 
SUFFIX_TEMPLATE ++#define EXTERNAL_REALM "WRONG.DOMAIN" + + static int setup(void **state) + { +@@ -92,6 +96,9 @@ + ipa_ctx = calloc(1, sizeof(struct ipadb_context)); + assert_non_null(ipa_ctx); + ++ kerr = krb5_get_default_realm(krb5_ctx, &ipa_ctx->realm); ++ assert_int_equal(kerr, 0); ++ + ipa_ctx->mspac = calloc(1, sizeof(struct ipadb_mspac)); + assert_non_null(ipa_ctx->mspac); + +@@ -126,6 +133,15 @@ + &ipa_ctx->mspac->trusts[0].sid_blacklist_incoming[0]); + assert_int_equal(ret, 0); + ++ ipa_ctx->mspac->trusts[0].upn_suffixes = calloc(NUM_SUFFIXES + 1, sizeof(char *)); ++ ipa_ctx->mspac->trusts[0].upn_suffixes_len = calloc(NUM_SUFFIXES, sizeof(size_t)); ++ for (size_t i = 0; i < NUM_SUFFIXES; i++) { ++ asprintf(&(ipa_ctx->mspac->trusts[0].upn_suffixes[i]), SUFFIX_TEMPLATE, i); ++ ipa_ctx->mspac->trusts[0].upn_suffixes_len[i] = ++ strlen(ipa_ctx->mspac->trusts[0].upn_suffixes[i]); ++ ++ } ++ + ipa_ctx->kcontext = krb5_ctx; + kerr = krb5_db_set_context(krb5_ctx, ipa_ctx); + assert_int_equal(kerr, 0); +@@ -478,6 +494,38 @@ + } + + ++void test_check_trusted_realms(void **state) ++{ ++ struct test_ctx *test_ctx; ++ krb5_error_code kerr = 0; ++ char *trusted_realm = NULL; ++ ++ test_ctx = (struct test_ctx *) *state; ++ ++ for(size_t i = 0; i < NUM_SUFFIXES; i++) { ++ char *test_realm = NULL; ++ asprintf(&test_realm, TEST_REALM_TEMPLATE, i); ++ ++ if (test_realm) { ++ kerr = ipadb_is_princ_from_trusted_realm( ++ test_ctx->krb5_ctx, ++ test_realm, ++ strlen(test_realm), ++ &trusted_realm); ++ assert_int_equal(kerr, 0); ++ free(test_realm); ++ free(trusted_realm); ++ } ++ } ++ ++ kerr = ipadb_is_princ_from_trusted_realm( ++ test_ctx->krb5_ctx, ++ EXTERNAL_REALM, ++ strlen(EXTERNAL_REALM), ++ &trusted_realm); ++ assert_int_equal(kerr, KRB5_KDB_NOENTRY); ++} ++ + int main(int argc, const char *argv[]) + { + const struct CMUnitTest tests[] = { +@@ -488,6 +536,8 @@ + cmocka_unit_test(test_string_to_sid), + cmocka_unit_test_setup_teardown(test_dom_sid_string, + setup, 
teardown), ++ cmocka_unit_test_setup_teardown(test_check_trusted_realms, ++ setup, teardown), + }; + + return cmocka_run_group_tests(tests, NULL, NULL); +-- +2.29.2 + diff --git a/SOURCES/0029-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1935146.patch b/SOURCES/0029-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1935146.patch new file mode 100644 index 0000000..366fd17 --- /dev/null +++ b/SOURCES/0029-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1935146.patch 
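Review bot: The test setup added to ipa_kdb_tests.c passes a `size_t` loop counter to `asprintf` through `SUFFIX_TEMPLATE` (`"d%0d"`) and, in test_check_trusted_realms, through `TEST_REALM_TEMPLATE`, whose `%d` conversion expects an `int`; that is a format/argument type mismatch which `-Wformat` reports and the C standard leaves undefined even where it happens to work on LP64, so the templates should use `%zu` (`#define SUFFIX_TEMPLATE "d%zu" DOMAIN_NAME`). The two `calloc` calls for `upn_suffixes` and `upn_suffixes_len` are not checked with `assert_non_null` the way the neighbouring allocations in setup are, and the `asprintf` return value is ignored before `strlen` runs on the result, so an allocation failure becomes a NULL dereference instead of a reported test failure. The `calloc(n, ...)` to `calloc(len, ...)` change in ipa_kdb_mspac.c itself is correct as far as the quoted context shows: `n` indexes the trust, not the suffix count, so the old size under-allocated `upn_suffixes_len` whenever a trust had more suffixes than its index, and the following loop then wrote past the heap block inside the KDC. setup() and ipadb_mspac_get_trusted_domains() both start and end outside the quoted inner hunks.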
@@ -0,0 +1,625 @@ +Adapted version due to missing patches: + + commit 1f1e7dbe6131b3cdc0ba81b454c7729126bfa6ee + Author: Slava Aseev + Date: Mon Nov 23 18:23:01 2020 +0300 + + ipa-kdb: handle dates up to 2106-02-07 06:28:16 + + commit 44c222aca9bb0056004f15dfb187d3f249ed0452 + Author: Alexander Bokovoy + Date: Thu Dec 17 12:22:47 2020 +0200 + + ipa-kdb: use predefined filters for a wild-card searches + + commit 78a7ab0daf0d5ebd388046aec6e1c9328e0564a8 + Author: Robbie Harwood + Date: Tue Nov 10 14:07:47 2020 -0500 + + ipa-kdb: implement AS-REQ lifetime jitter + + commit d6a8fc290aa93fc5d53025f4400a9736366175eb + Author: Rob Crittenden + Date: Thu Sep 24 22:39:36 2020 -0400 + + Pass the user to the password policy check in the kdb driver + +From 701d0fb0415497fe9fe8fbf25fa800041e2a2b40 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 23 Feb 2021 10:06:25 +0200 +Subject: [PATCH] ipa-kdb: fix compiler warnings + +There are few fields in KDB structures that have 'conflicting' types but +need to be compared. They come from MIT Kerberos and we have no choice +here. + +In the same way, SID structures have own requirements. 
+ +Signed-off-by: Alexander Bokovoy +Reviewed-By: Robbie Harwood +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + daemons/ipa-kdb/ipa_kdb_audit_as.c | 4 ++-- + daemons/ipa-kdb/ipa_kdb_mspac.c | 6 +++--- + daemons/ipa-kdb/ipa_kdb_principals.c | 6 +++--- + daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +- + 4 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c +index ed48ea758..ec2046bfe 100644 +--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c ++++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c +@@ -110,13 +110,13 @@ void ipadb_audit_as_req(krb5_context kcontext, + } + + if (client->last_failed + ied->pol->lockout_duration > authtime && +- (client->fail_auth_count >= ied->pol->max_fail && ++ (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail && + ied->pol->max_fail != 0)) { + /* client already locked, nothing more to do */ + break; + } + if (ied->pol->max_fail == 0 || +- client->fail_auth_count < ied->pol->max_fail) { ++ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) { + /* let's increase the fail counter */ + client->fail_auth_count++; + client->mask |= KMASK_FAIL_AUTH_COUNT; +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index c6ac593ca..050100430 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -147,9 +147,9 @@ int string_to_sid(const char *str, struct dom_sid *sid) + + char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid) + { +- size_t c; ++ int8_t c; + size_t len; +- int ofs; ++ size_t ofs; + uint32_t ia; + char *buf; + +@@ -2606,7 +2606,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) + + t[n].upn_suffixes_len = NULL; + if (t[n].upn_suffixes != NULL) { +- size_t len = 0; ++ int len = 0; + + for (; t[n].upn_suffixes[len] != NULL; len++); + +diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c +index 
d1fa51578..59337a4ca 100644 +--- a/daemons/ipa-kdb/ipa_kdb_principals.c ++++ b/daemons/ipa-kdb/ipa_kdb_principals.c +@@ -491,7 +491,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext, + l = len; + for (i = 0; i < count; i++) { + ret = snprintf(ap, l, "%s ", authinds[i]); +- if (ret <= 0 || ret > l) { ++ if (ret <= 0 || ret > (int) l) { + ret = ENOMEM; + goto cleanup; + } +@@ -2064,7 +2064,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext, + char *s = NULL; + size_t ai_size = 0; + int cnt = 0; +- int i = 0; ++ size_t i = 0; + + ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais); + if (ret) { +@@ -2445,7 +2445,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods) + { + krb5_error_code kerr; + LDAPMod *m = NULL; +- int i; ++ size_t i; + + kerr = ipadb_mods_new(imods, &m); + if (kerr) { +diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c +index 4965e6d7f..6f21ef867 100644 +--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c ++++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c +@@ -328,7 +328,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext, + } + + if (ied->pol->max_fail == 0 || +- client->fail_auth_count < ied->pol->max_fail) { ++ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) { + /* still within allowed failures range */ + return 0; + } +-- +2.29.2 + +From d454ca8f004954f19622fe61ad9e2854359f3784 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 24 Feb 2021 20:51:40 +0200 +Subject: [PATCH] ipa-kdb: add missing prototypes + +On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings +about function prototypes missing. If -Werror is specified, this breaks +compilation. 
+ +We also default to -Werror=implicit-function-declaration + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Robbie Harwood +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 4 ++++ + daemons/ipa-kdb/ipa_kdb_mspac.c | 20 ++++++++++++-------- + daemons/ipa-kdb/ipa_kdb_mspac_private.h | 4 ++++ + 3 files changed, 20 insertions(+), 8 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c +index 7f03f2f03..6976f9ba9 100644 +--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c ++++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c +@@ -9,6 +9,10 @@ + #include "ipa_krb5.h" + #include "ipa_kdb.h" + ++krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context, ++ int maj_ver, int min_ver, ++ krb5_plugin_vtable vtable); ++ + static krb5_error_code + ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata, + const krb5_kdc_req *request, +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index 050100430..c05fb717a 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -2403,9 +2403,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac) + *mspac = NULL; + } + +-krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist, +- struct dom_sid **result_sids, +- int *result_length) ++static krb5_error_code ++ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist, ++ struct dom_sid **result_sids, ++ int *result_length) + { + int len, i; + char **source; +@@ -2436,9 +2437,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist, + return 0; + } + +-krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust, +- char **sid_blacklist_incoming, +- char **sid_blacklist_outgoing) ++static krb5_error_code ++ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust, ++ char **sid_blacklist_incoming, ++ char **sid_blacklist_outgoing) + { 
+ krb5_error_code kerr; + +@@ -2459,7 +2461,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus + return 0; + } + +-krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx) ++static krb5_error_code ++ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx) + { + char *attrs[] = { NULL }; + char *filter = "(objectclass=ipaNTTrustedDomain)"; +@@ -2504,7 +2507,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blacklist_incoming, char ***si + } + } + +-krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) ++static krb5_error_code ++ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) + { + struct ipadb_adtrusts *t; + LDAP *lc = ipactx->lcontext; +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h +index b21aa163f..2369e16f8 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h ++++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h +@@ -53,3 +53,7 @@ struct ipadb_adtrusts { + + int string_to_sid(const char *str, struct dom_sid *sid); + char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid); ++krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx, ++ krb5_data realm, struct PAC_LOGON_INFO_CTR *info); ++void get_authz_data_types(krb5_context context, krb5_db_entry *entry, ++ bool *_with_pac, bool *_with_pad); +\ No newline at end of file +-- +2.29.2 + +From da98a6fcb81ee3ac7df8bb238a0793809c2be3fd Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 24 Feb 2021 20:52:15 +0200 +Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth + +Add prototype to the exported function + +Replace few tabs by spaces and mark static code as static. 
+ +Signed-off-by: Alexander Bokovoy +Reviewed-By: Robbie Harwood +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c +index bc6b26578..3a3060c92 100644 +--- a/daemons/ipa-kdb/ipa_kdb_certauth.c ++++ b/daemons/ipa-kdb/ipa_kdb_certauth.c +@@ -71,10 +71,13 @@ struct krb5_certauth_moddata_st { + time_t valid_until; + }; + +-void ipa_certmap_debug(void *private, +- const char *file, long line, +- const char *function, +- const char *format, ...) ++krb5_error_code certauth_ipakdb_initvt(krb5_context context, ++ int maj_ver, int min_ver, ++ krb5_plugin_vtable vtable); ++ ++static void ipa_certmap_debug(void *private, const char *file, long line, ++ const char *function, ++ const char *format, ...) + { + va_list ap; + char str[255] = { 0 }; +@@ -354,12 +357,12 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context, + * so there is nothing more to add here. 
*/ + auth_inds = calloc(2, sizeof(char *)); + if (auth_inds != NULL) { +- ret = asprintf(&auth_inds[0], "pkinit"); +- if (ret != -1) { ++ ret = asprintf(&auth_inds[0], "pkinit"); ++ if (ret != -1) { + auth_inds[1] = NULL; + *authinds_out = auth_inds; +- } else { +- free(auth_inds); ++ } else { ++ free(auth_inds); + } + } + +@@ -404,12 +407,12 @@ static void ipa_certauth_free_indicator(krb5_context context, + size_t i = 0; + + if ((authinds == NULL) || (moddata == NULL)) { +- return; ++ return; + } + + for(i=0; authinds[i]; i++) { +- free(authinds[i]); +- authinds[i] = NULL; ++ free(authinds[i]); ++ authinds[i] = NULL; + } + + free(authinds); +-- +2.29.2 + +From aa7f99c08ff41f216d60152d6235922c561c2881 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 24 Feb 2021 20:55:41 +0200 +Subject: [PATCH] ipa-kdb: mark test functions as static + +No need to define missing prototypes to single use test functions. + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Robbie Harwood +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + daemons/ipa-kdb/tests/ipa_kdb_tests.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c +index 368a2f978..960200b6e 100644 +--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c ++++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c +@@ -180,7 +180,7 @@ extern krb5_error_code filter_logon_info(krb5_context context, + krb5_data realm, + struct PAC_LOGON_INFO_CTR *info); + +-void test_filter_logon_info(void **state) ++static void test_filter_logon_info(void **state) + { + krb5_error_code kerr; + krb5_data realm = {KV5M_DATA, REALM_LEN, REALM}; +@@ -315,10 +315,7 @@ void test_filter_logon_info(void **state) + + } + +-extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry, +- bool *with_pac, bool *with_pad); +- +-void test_get_authz_data_types(void **state) ++static void test_get_authz_data_types(void **state) + { 
+ bool with_pac; + bool with_pad; +@@ -436,7 +433,7 @@ void test_get_authz_data_types(void **state) + krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ); + } + +-void test_string_to_sid(void **state) ++static void test_string_to_sid(void **state) + { + int ret; + struct dom_sid sid; +@@ -468,7 +465,7 @@ void test_string_to_sid(void **state) + assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid)); + } + +-void test_dom_sid_string(void **state) ++static void test_dom_sid_string(void **state) + { + struct test_ctx *test_ctx; + char *str_sid; +@@ -494,7 +491,7 @@ void test_dom_sid_string(void **state) + } + + +-void test_check_trusted_realms(void **state) ++static void test_check_trusted_realms(void **state) + { + struct test_ctx *test_ctx; + krb5_error_code kerr = 0; +-- +2.29.2 + +From 79baa0932d1349d46d162e7478fa4e3c8e88dc09 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 19 Feb 2021 15:37:47 +0200 +Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context + +Calling to ipadb_get_connection() will remove LDAP context if any error +happens. This means upper layers must always verify that LDAP context +exists after such calls. + +ipadb_get_user_auth() may re-read global configuration and that may fail +and cause IPA context to have NULL LDAP context. 
+ +Fixes: https://pagure.io/freeipa/issue/8681 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Robbie Harwood +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + daemons/ipa-kdb/ipa_kdb.c | 1 + + daemons/ipa-kdb/ipa_kdb_mspac.c | 32 +++++++++++++++------------- + daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------ + 3 files changed, 37 insertions(+), 22 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c +index 33d2a6773..e7b8d7dbf 100644 +--- a/daemons/ipa-kdb/ipa_kdb.c ++++ b/daemons/ipa-kdb/ipa_kdb.c +@@ -56,6 +56,7 @@ static void ipadb_context_free(krb5_context kcontext, + /* ldap free lcontext */ + if ((*ctx)->lcontext) { + ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL); ++ (*ctx)->lcontext = NULL; + } + free((*ctx)->supp_encs); + free((*ctx)->def_encs); +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index c05fb717a..1e59189ed 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -416,7 +416,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + TALLOC_CTX *memctx, + struct netr_SamInfo3 *info3) + { +- LDAP *lcontext = ipactx->lcontext; + LDAPDerefRes *deref_results = NULL; + struct dom_sid sid; + gid_t prigid = -1; +@@ -433,7 +432,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + bool is_idobject = false; + krb5_principal princ; + +- ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass", ++ ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass", + &objectclasses); + if (ret == 0 && objectclasses != NULL) { + for (c = 0; objectclasses[c] != NULL; c++) { +@@ -470,13 +469,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + } + + if (is_host) { +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres); ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres); + if (ret) { + /* fqdn is mandatory for 
hosts */ + return ret; + } + } else if (is_service) { +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres); ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, ++ "krbCanonicalName", &strres); + if (ret) { + /* krbCanonicalName is mandatory for services */ + return ret; +@@ -496,7 +496,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + return ENOENT; + } + } else { +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres); ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres); + if (ret) { + /* uid is mandatory */ + return ret; +@@ -509,7 +509,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + if (is_host || is_service) { + prigid = 515; /* Well known RID for domain computers group */ + } else { +- ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres); ++ ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry, ++ "gidNumber", &intres); + if (ret) { + /* gidNumber is mandatory */ + return ret; +@@ -540,7 +541,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + info3->base.kickoff_time = -1; + #endif + +- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry, ++ ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry, + "krbLastPwdChange", &timeres); + switch (ret) { + case 0: +@@ -557,7 +558,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + info3->base.allow_password_change = 0; + info3->base.force_password_change = -1; + +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres); ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres); + switch (ret) { + case 0: + info3->base.full_name.string = talloc_strdup(memctx, strres); +@@ -570,7 +571,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + return ret; + } + +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, + "ipaNTLogonScript", &strres); 
+ switch (ret) { + case 0: +@@ -584,7 +585,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + return ret; + } + +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, + "ipaNTProfilePath", &strres); + switch (ret) { + case 0: +@@ -598,7 +599,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + return ret; + } + +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, + "ipaNTHomeDirectory", &strres); + switch (ret) { + case 0: +@@ -612,7 +613,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + return ret; + } + +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, + "ipaNTHomeDirectoryDrive", &strres); + switch (ret) { + case 0: +@@ -643,7 +644,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + info3->base.rid = 515; + } + } else { +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, + "ipaNTSecurityIdentifier", &strres); + if (ret) { + /* SID is mandatory */ +@@ -660,7 +661,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + } + } + +- ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results); ++ ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results); + switch (ret) { + LDAPDerefRes *dres; + LDAPDerefVal *dval; +@@ -2511,7 +2512,7 @@ static krb5_error_code + ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) + { + struct ipadb_adtrusts *t; +- LDAP *lc = ipactx->lcontext; ++ LDAP *lc = NULL; + char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName", + "ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming", + "ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL }; +@@ -2545,6 +2546,7 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) + goto done; + } + ++ lc = 
ipactx->lcontext; + for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) { + dnstr = ldap_get_dn(lc, le); + +diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c +index 59337a4ca..0a98ff054 100644 +--- a/daemons/ipa-kdb/ipa_kdb_principals.c ++++ b/daemons/ipa-kdb/ipa_kdb_principals.c +@@ -335,6 +335,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx, + if (gcfg != NULL) + gua = gcfg->user_auth; + ++ /* lcontext == NULL means ipadb_get_global_config() failed to load ++ * global config and cleared the ipactx */ ++ if (ipactx->lcontext == NULL) ++ return IPADB_USER_AUTH_NONE; ++ + /* Get the user's user_auth settings if not disabled. */ + if ((gua & IPADB_USER_AUTH_DISABLED) == 0) + ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua); +@@ -608,8 +613,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, + free(entry); + return KRB5_KDB_DBNOTINITED; + } +- lcontext = ipactx->lcontext; +- if (!lcontext) { ++ ++ entry->magic = KRB5_KDB_MAGIC_NUMBER; ++ entry->len = KRB5_KDB_V1_BASE_LENGTH; ++ ++ /* Get User Auth configuration. */ ++ ua = ipadb_get_user_auth(ipactx, lentry); ++ ++ /* ipadb_get_user_auth() calls into ipadb_get_global_config() ++ * and that might fail, causing lcontext to become NULL */ ++ if (!ipactx->lcontext) { + krb5_klog_syslog(LOG_INFO, + "No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n"); + ret = ipadb_get_connection(ipactx); +@@ -621,11 +634,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, + } + } + +- entry->magic = KRB5_KDB_MAGIC_NUMBER; +- entry->len = KRB5_KDB_V1_BASE_LENGTH; +- +- /* Get User Auth configuration. */ +- ua = ipadb_get_user_auth(ipactx, lentry); ++ /* If any code below would result in invalidating ipactx->lcontext, ++ * lcontext must be updated with the new ipactx->lcontext value. ++ * We rely on the fact that none of LDAP-parsing helpers does it. 
*/ ++ lcontext = ipactx->lcontext; + + /* ignore mask for now */ + +-- +2.29.2 + diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 999ec31..532c8b2 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -149,7 +149,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 14%{?dist} +Release: 16%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -191,6 +191,8 @@ Patch0024: 0024-wgi-plugins.py-ignore-empty-plugin-directories_rhbz#1895910 Patch0025: 0025-ipatests-support-subordinate-upn-suffixes_rhbz#1914823.patch Patch0026: 0026-ipa-kdb-support-subordinate-superior-UPN-suffixes_rhbz#1914823.patch Patch0027: 0027-ad-trust-accept-subordinate-domains-of-the-forest-trust-root_rhbz#1914823.patch +Patch0028: 0028-ipa-kdb-fix-crash-in-MS-PAC-cache-init-code.patch +Patch0029: 0029-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1935146.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-4.8.0-Remove-csrgen.patch Patch1003: 1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch @@ -868,7 +870,6 @@ export PATH=/usr/bin:/usr/sbin:$PATH export PYTHON=%{__python3} %configure --with-vendor-suffix=-%{release} \ - --with-ipaplatform=rhel \ %{enable_server_option} \ %{with_ipatests_option} \ %{linter_options} @@ -1542,6 +1543,14 @@ fi %changelog +* Tue Mar 9 2021 Thomas Woerner - 4.8.7-16 +- Fix krb5kdc is crashing intermittently on IPA server + Resolves: RHBZ#1935146 + +* Fri Feb 19 2021 Alexander Bokovoy - 4.8.7-15 +- ipa-kdb: fix crash in MS-PAC cache init code + Resolves: RHBZ#1930562 + * Tue Jan 12 2021 Rafael Jeffman - 4.8.7-14 - wgi/plugins.py: ignore empty plugin directories Resolves: RHBZ#1895910
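Review bot: In the last inner patch (ipa_kdb_principals.c, `ipadb_parse_ldap_entry`), `ua = ipadb_get_user_auth(ipactx, lentry);` is now evaluated before the `!ipactx->lcontext` reconnect block, while the same patch makes `ipadb_get_user_auth()` return `IPADB_USER_AUTH_NONE` whenever `lcontext` is NULL; so when the global-config reload fails and the reconnect then succeeds, the entry is still parsed with `ua` left at `IPADB_USER_AUTH_NONE` and the user's per-entry authentication-type settings are never re-read for that request. Unless callers treat NONE as an acceptable fallback here (not visible in the hunk), the call should be repeated once the connection is back, e.g. `ua = ipadb_get_user_auth(ipactx, lentry);` immediately after the retry block, or the function should fail rather than parse the entry under a weaker policy. Separately, `ipadb_fill_info3()` in ipa_kdb_mspac.c now reads `ipactx->lcontext` at every helper call but, as far as the quoted context shows, still has no NULL check of its own and relies on its caller having verified the context as the commit message requires; an explicit guard such as `if (ipactx->lcontext == NULL) return KRB5_KDB_DBNOTINITED;` at the top would make that contract local. Both functions start and end outside the quoted inner hunks.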
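Review bot: The `@@ -868,7 +870,6 @@` hunk drops `--with-ipaplatform=rhel` from the `%configure` invocation, but neither changelog entry added in the `@@ -1542` hunk mentions it, so the only documented changes in this release are the two new patches. Without the flag the build presumably relies on configure's platform autodetection, and on a CentOS build host that may select a different ipaplatform module than the explicit `rhel` value did, which affects the service, path and policy definitions the installed packages use. If the removal is intended it deserves a changelog line such as `- Drop explicit --with-ipaplatform=rhel from %configure` with the reason; if it is not, the line should stay.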