
1d33c3
From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
1d33c3
From: Iker Pedrosa <ipedrosa@redhat.com>
1d33c3
Date: Thu, 13 Jan 2022 11:28:30 +0100
1d33c3
Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
1d33c3
MIME-Version: 1.0
1d33c3
Content-Type: text/plain; charset=UTF-8
1d33c3
Content-Transfer-Encoding: 8bit
1d33c3
1d33c3
AD and IPA providers use a common fo_server object for LDAP and
1d33c3
Kerberos, which is created with the LDAP data. This means that due to
1d33c3
the changes introduced in
1d33c3
https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
1d33c3
the port in use for the Kerberos requests would be the one specified for
1d33c3
LDAP, usually the default one (389).
1d33c3
1d33c3
In order to avoid that, AD and IPA providers shouldn't change the
1d33c3
Kerberos port with the one provided for LDAP.
1d33c3
1d33c3
:fixes: A critical regression that prevented authentication of users via
1d33c3
AD and IPA providers was fixed. LDAP port was reused for Kerberos
1d33c3
communication, so the Kerberos provider would send KDC requests to the
1d33c3
LDAP port, where they cannot be understood.
1d33c3
1d33c3
Resolves: https://github.com/SSSD/sssd/issues/5947
1d33c3
1d33c3
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
1d33c3
1d33c3
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
1d33c3
---
1d33c3
 src/providers/ad/ad_common.c     |  1 +
1d33c3
 src/providers/ipa/ipa_common.c   |  1 +
1d33c3
 src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
1d33c3
 src/providers/krb5/krb5_common.h |  1 +
1d33c3
 4 files changed, 23 insertions(+), 14 deletions(-)
1d33c3
1d33c3
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
1d33c3
index e263444c5..1ca5f8e3a 100644
1d33c3
--- a/src/providers/ad/ad_common.c
1d33c3
+++ b/src/providers/ad/ad_common.c
1d33c3
@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
1d33c3
     if (service->krb5_service->write_kdcinfo) {
1d33c3
         ret = write_krb5info_file_from_fo_server(service->krb5_service,
1d33c3
                                                  server,
1d33c3
+                                                 true,
1d33c3
                                                  SSS_KRB5KDC_FO_SRV,
1d33c3
                                                  ad_krb5info_file_filter);
1d33c3
         if (ret != EOK) {
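Review bot: The bare `true` passed as the new argument carries the whole reasoning of this fix, yet nothing at the call site says why the port is being suppressed, so the next reader has to dig out the commit message. A one-line comment above the argument would settle it: `/* fo_server is shared with LDAP and carries the LDAP port; do not write it for the KDC */`. ad_resolve_callback starts before this hunk and continues past it.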
1d33c3
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
1d33c3
index 1509cb1ce..e6c1f9aa4 100644
1d33c3
--- a/src/providers/ipa/ipa_common.c
1d33c3
+++ b/src/providers/ipa/ipa_common.c
1d33c3
@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
1d33c3
     if (service->krb5_service->write_kdcinfo) {
1d33c3
         ret = write_krb5info_file_from_fo_server(service->krb5_service,
1d33c3
                                                  server,
1d33c3
+                                                 true,
1d33c3
                                                  SSS_KRB5KDC_FO_SRV,
1d33c3
                                                  NULL);
1d33c3
         if (ret != EOK) {
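Review bot: The new literal `true` is the only thing distinguishing this call from the plain krb5 provider's, and without a note a future cleanup could "simplify" the AD and IPA callers back to the krb5 one and reintroduce the issue; a comment such as `/* shared LDAP/Kerberos fo_server: its port is the LDAP one, leave it out of the KDC address */` at the argument records the constraint where it is enforced. If the AD and IPA callbacks are meant to stay in lockstep, the same comment belongs in both. ipa_resolve_callback starts before this hunk and continues past it.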
1d33c3
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
1d33c3
index 719ce6a12..5ffa20809 100644
1d33c3
--- a/src/providers/krb5/krb5_common.c
1d33c3
+++ b/src/providers/krb5/krb5_common.c
1d33c3
@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
1d33c3
 
1d33c3
 errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
1d33c3
                                            struct fo_server *server,
1d33c3
+                                           bool force_default_port,
1d33c3
                                            const char *service,
1d33c3
                                            bool (*filter)(struct fo_server *))
1d33c3
 {
1d33c3
@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
1d33c3
     if (filter == NULL || filter(server) == false) {
1d33c3
         address = fo_server_address_or_name(tmp_ctx, server);
1d33c3
         if (address) {
1d33c3
-            port = fo_get_server_port(server);
1d33c3
-            if (port != 0) {
1d33c3
-                address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
1d33c3
-                if (address == NULL) {
1d33c3
-                    DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
1d33c3
-                    talloc_free(tmp_ctx);
1d33c3
-                    return ENOMEM;
1d33c3
+            if (!force_default_port) {
1d33c3
+                port = fo_get_server_port(server);
1d33c3
+                if (port != 0) {
1d33c3
+                    address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
1d33c3
+                    if (address == NULL) {
1d33c3
+                        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
1d33c3
+                        talloc_free(tmp_ctx);
1d33c3
+                        return ENOMEM;
1d33c3
+                    }
1d33c3
                 }
1d33c3
             }
1d33c3
 
1d33c3
@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
1d33c3
                 continue;
1d33c3
             }
1d33c3
 
1d33c3
-            port = fo_get_server_port(item);
1d33c3
-            if (port != 0) {
1d33c3
-                address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
1d33c3
-                if (address == NULL) {
1d33c3
-                    DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
1d33c3
-                    talloc_free(tmp_ctx);
1d33c3
-                    return ENOMEM;
1d33c3
+            if (!force_default_port) {
1d33c3
+                port = fo_get_server_port(item);
1d33c3
+                if (port != 0) {
1d33c3
+                    address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
1d33c3
+                    if (address == NULL) {
1d33c3
+                        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
1d33c3
+                        talloc_free(tmp_ctx);
1d33c3
+                        return ENOMEM;
1d33c3
+                    }
1d33c3
                 }
1d33c3
             }
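Review bot: `force_default_port` reads as if a default port were written into the file, but the new branch simply omits the `:port` suffix from the backup entry; which port is eventually used is decided by whatever consumes the krb5info file, outside this function, so the name invites a wrong guess. A comment at the branch would spare the reader: `/* Omit the port: the shared LDAP/Kerberos fo_server carries the LDAP port, the krb5info reader falls back to its own KDC default */`. Renaming the flag to something like `omit_port` would say the same thing without a comment, at the cost of touching the header and the three callers. The enclosing function starts before this hunk and continues past it.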
1d33c3
 
1d33c3
@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
1d33c3
     if (krb5_service->write_kdcinfo) {
1d33c3
         ret = write_krb5info_file_from_fo_server(krb5_service,
1d33c3
                                                  server,
1d33c3
+                                                 false,
1d33c3
                                                  krb5_service->name,
1d33c3
                                                  NULL);
1d33c3
         if (ret != EOK) {
1d33c3
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
1d33c3
index 151f446d1..2fd39a751 100644
1d33c3
--- a/src/providers/krb5/krb5_common.h
1d33c3
+++ b/src/providers/krb5/krb5_common.h
1d33c3
@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
1d33c3
 
1d33c3
 errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
1d33c3
                                            struct fo_server *server,
1d33c3
+                                           bool force_default_port,
1d33c3
                                            const char *service,
1d33c3
                                            bool (*filter)(struct fo_server *));
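Review bot: The new `force_default_port` parameter is undocumented on the public declaration, and as far as this hunk shows the prototype carries no comment at all, so callers have no way to learn that `true` drops the port from the written address rather than substituting a fixed one. A short comment above the prototype would close that gap: `/* force_default_port: write the server address without ":port"; set by the AD and IPA providers, whose fo_server is shared with LDAP and therefore carries the LDAP port. */`. While there, a sentence on what `service` names and when `filter` excludes a server would make the declaration self-contained.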
1d33c3
 
1d33c3
-- 
1d33c3
2.26.3
1d33c3