
68a254
From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
68a254
From: Iker Pedrosa <ipedrosa@redhat.com>
68a254
Date: Thu, 13 Jan 2022 11:28:30 +0100
68a254
Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
68a254
MIME-Version: 1.0
68a254
Content-Type: text/plain; charset=UTF-8
68a254
Content-Transfer-Encoding: 8bit
68a254
68a254
AD and IPA providers use a common fo_server object for LDAP and
68a254
Kerberos, which is created with the LDAP data. This means that due to
68a254
the changes introduced in
68a254
https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
68a254
the port in use for the Kerberos requests would be the one specified for
68a254
LDAP, usually the default one (389).
68a254
68a254
In order to avoid that, AD and IPA providers shouldn't change the
68a254
Kerberos port with the one provided for LDAP.
68a254
68a254
:fixes: A critical regression that prevented authentication of users via
68a254
AD and IPA providers was fixed. LDAP port was reused for Kerberos
68a254
communication and this provider would send incomprehensible information
68a254
to this port.
68a254
68a254
Resolves: https://github.com/SSSD/sssd/issues/5947
68a254
68a254
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
68a254
68a254
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
68a254
---
68a254
 src/providers/ad/ad_common.c     |  1 +
68a254
 src/providers/ipa/ipa_common.c   |  1 +
68a254
 src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
68a254
 src/providers/krb5/krb5_common.h |  1 +
68a254
 4 files changed, 23 insertions(+), 14 deletions(-)
68a254
68a254
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
68a254
index e263444c5..1ca5f8e3a 100644
68a254
--- a/src/providers/ad/ad_common.c
68a254
+++ b/src/providers/ad/ad_common.c
68a254
@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
68a254
     if (service->krb5_service->write_kdcinfo) {
68a254
         ret = write_krb5info_file_from_fo_server(service->krb5_service,
68a254
                                                  server,
68a254
+                                                 true,
68a254
                                                  SSS_KRB5KDC_FO_SRV,
68a254
                                                  ad_krb5info_file_filter);
68a254
         if (ret != EOK) {
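Review bot: The bare `true` passed on the new line is a positional boolean between two unrelated arguments, so a reader of ad_resolve_callback cannot tell what is being forced without opening krb5_common.h; the same applies to the `true` in the ipa_resolve_callback hunk and the `false` in the krb5_resolve_callback hunk. A one-line comment on the argument would carry the reason the commit message gives: `true, /* fo_server is shared with LDAP; keep the KDC default port */`. Both callbacks continue outside their hunks, so I cannot see whether the port handling is documented elsewhere nearby.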
68a254
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
68a254
index 1509cb1ce..e6c1f9aa4 100644
68a254
--- a/src/providers/ipa/ipa_common.c
68a254
+++ b/src/providers/ipa/ipa_common.c
68a254
@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
68a254
     if (service->krb5_service->write_kdcinfo) {
68a254
         ret = write_krb5info_file_from_fo_server(service->krb5_service,
68a254
                                                  server,
68a254
+                                                 true,
68a254
                                                  SSS_KRB5KDC_FO_SRV,
68a254
                                                  NULL);
68a254
         if (ret != EOK) {
68a254
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
68a254
index 719ce6a12..5ffa20809 100644
68a254
--- a/src/providers/krb5/krb5_common.c
68a254
+++ b/src/providers/krb5/krb5_common.c
68a254
@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
68a254
 
68a254
 errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
68a254
                                            struct fo_server *server,
68a254
+                                           bool force_default_port,
68a254
                                            const char *service,
68a254
                                            bool (*filter)(struct fo_server *))
68a254
 {
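Review bot: The new force_default_port parameter has no documentation in this signature or on the matching declaration in the krb5_common.h hunk, and its effect — the fo_server port is silently dropped from every entry written to the kdcinfo file — is exactly what a future caller needs to know. I would add a Doxygen-style comment above the declaration in krb5_common.h stating that when true the port stored in `server` (for AD and IPA the LDAP port, since they share one fo_server) is not appended, so libkrb5 falls back to the default KDC port, and that an explicitly configured non-default KDC port is therefore ignored for such callers. The function body continues outside this hunk.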
68a254
@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
68a254
     if (filter == NULL || filter(server) == false) {
68a254
         address = fo_server_address_or_name(tmp_ctx, server);
68a254
         if (address) {
68a254
-            port = fo_get_server_port(server);
68a254
-            if (port != 0) {
68a254
-                address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
68a254
-                if (address == NULL) {
68a254
-                    DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
68a254
-                    talloc_free(tmp_ctx);
68a254
-                    return ENOMEM;
68a254
+            if (!force_default_port) {
68a254
+                port = fo_get_server_port(server);
68a254
+                if (port != 0) {
68a254
+                    address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
68a254
+                    if (address == NULL) {
68a254
+                        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
68a254
+                        talloc_free(tmp_ctx);
68a254
+                        return ENOMEM;
68a254
+                    }
68a254
                 }
68a254
             }
68a254
 
68a254
@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
68a254
                 continue;
68a254
             }
68a254
 
68a254
-            port = fo_get_server_port(item);
68a254
-            if (port != 0) {
68a254
-                address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
68a254
-                if (address == NULL) {
68a254
-                    DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
68a254
-                    talloc_free(tmp_ctx);
68a254
-                    return ENOMEM;
68a254
+            if (!force_default_port) {
68a254
+                port = fo_get_server_port(item);
68a254
+                if (port != 0) {
68a254
+                    address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
68a254
+                    if (address == NULL) {
68a254
+                        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
68a254
+                        talloc_free(tmp_ctx);
68a254
+                        return ENOMEM;
68a254
+                    }
68a254
                 }
68a254
             }
68a254
 
68a254
@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
68a254
     if (krb5_service->write_kdcinfo) {
68a254
         ret = write_krb5info_file_from_fo_server(krb5_service,
68a254
                                                  server,
68a254
+                                                 false,
68a254
                                                  krb5_service->name,
68a254
                                                  NULL);
68a254
         if (ret != EOK) {
68a254
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
68a254
index 151f446d1..2fd39a751 100644
68a254
--- a/src/providers/krb5/krb5_common.h
68a254
+++ b/src/providers/krb5/krb5_common.h
68a254
@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
68a254
 
68a254
 errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
68a254
                                            struct fo_server *server,
68a254
+                                           bool force_default_port,
68a254
                                            const char *service,
68a254
                                            bool (*filter)(struct fo_server *));
68a254
 
68a254
-- 
68a254
2.26.3
68a254