|
 |
d296fa |
From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
|
|
|
d296fa |
From: Iker Pedrosa <ipedrosa@redhat.com>
|
|
|
d296fa |
Date: Thu, 13 Jan 2022 11:28:30 +0100
|
|
|
d296fa |
Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
|
|
|
d296fa |
MIME-Version: 1.0
|
|
|
d296fa |
Content-Type: text/plain; charset=UTF-8
|
|
|
d296fa |
Content-Transfer-Encoding: 8bit
|
|
|
d296fa |
|
|
|
d296fa |
AD and IPA providers use a common fo_server object for LDAP and
|
|
|
d296fa |
Kerberos, which is created with the LDAP data. This means that due to
|
|
|
d296fa |
the changes introduced in
|
|
|
d296fa |
https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
|
|
|
d296fa |
the port in use for the Kerberos requests would be the one specified for
|
|
|
d296fa |
LDAP, usually the default one (389).
|
|
|
d296fa |
|
|
|
d296fa |
In order to avoid that, AD and IPA providers shouldn't change the
|
|
|
d296fa |
Kerberos port with the one provided for LDAP.
|
|
|
d296fa |
|
|
|
d296fa |
:fixes: A critical regression that prevented authentication of users via
|
|
|
d296fa |
AD and IPA providers was fixed. LDAP port was reused for Kerberos
|
|
|
d296fa |
communication and this provider would send incomprehensible information
|
|
|
d296fa |
to this port.
|
|
|
d296fa |
|
|
|
d296fa |
Resolves: https://github.com/SSSD/sssd/issues/5947
|
|
|
d296fa |
|
|
|
d296fa |
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
|
|
d296fa |
|
|
|
d296fa |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
d296fa |
---
|
|
|
d296fa |
src/providers/ad/ad_common.c | 1 +
|
|
|
d296fa |
src/providers/ipa/ipa_common.c | 1 +
|
|
|
d296fa |
src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
|
|
|
d296fa |
src/providers/krb5/krb5_common.h | 1 +
|
|
|
d296fa |
4 files changed, 23 insertions(+), 14 deletions(-)
|
|
|
d296fa |
|
|
|
d296fa |
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
|
|
d296fa |
index e263444c5..1ca5f8e3a 100644
|
|
|
d296fa |
--- a/src/providers/ad/ad_common.c
|
|
|
d296fa |
+++ b/src/providers/ad/ad_common.c
|
|
|
d296fa |
@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
|
|
|
d296fa |
if (service->krb5_service->write_kdcinfo) {
|
|
|
d296fa |
ret = write_krb5info_file_from_fo_server(service->krb5_service,
|
|
|
d296fa |
server,
|
|
|
d296fa |
+ true,
|
|
|
d296fa |
SSS_KRB5KDC_FO_SRV,
|
|
|
d296fa |
ad_krb5info_file_filter);
|
|
|
d296fa |
if (ret != EOK) {
|
|
|
d296fa |
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
|
|
|
d296fa |
index 1509cb1ce..e6c1f9aa4 100644
|
|
|
d296fa |
--- a/src/providers/ipa/ipa_common.c
|
|
|
d296fa |
+++ b/src/providers/ipa/ipa_common.c
|
|
|
d296fa |
@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
|
|
|
d296fa |
if (service->krb5_service->write_kdcinfo) {
|
|
|
d296fa |
ret = write_krb5info_file_from_fo_server(service->krb5_service,
|
|
|
d296fa |
server,
|
|
|
d296fa |
+ true,
|
|
|
d296fa |
SSS_KRB5KDC_FO_SRV,
|
|
|
d296fa |
NULL);
|
|
|
d296fa |
if (ret != EOK) {
|
|
|
d296fa |
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
|
|
|
d296fa |
index 719ce6a12..5ffa20809 100644
|
|
|
d296fa |
--- a/src/providers/krb5/krb5_common.c
|
|
|
d296fa |
+++ b/src/providers/krb5/krb5_common.c
|
|
|
d296fa |
@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
|
|
|
d296fa |
|
|
|
d296fa |
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
|
|
d296fa |
struct fo_server *server,
|
|
|
d296fa |
+ bool force_default_port,
|
|
|
d296fa |
const char *service,
|
|
|
d296fa |
bool (*filter)(struct fo_server *))
|
|
|
d296fa |
{
|
|
|
d296fa |
@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
|
|
d296fa |
if (filter == NULL || filter(server) == false) {
|
|
|
d296fa |
address = fo_server_address_or_name(tmp_ctx, server);
|
|
|
d296fa |
if (address) {
|
|
|
d296fa |
- port = fo_get_server_port(server);
|
|
|
d296fa |
- if (port != 0) {
|
|
|
d296fa |
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
|
|
d296fa |
- if (address == NULL) {
|
|
|
d296fa |
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
|
|
d296fa |
- talloc_free(tmp_ctx);
|
|
|
d296fa |
- return ENOMEM;
|
|
|
d296fa |
+ if (!force_default_port) {
|
|
|
d296fa |
+ port = fo_get_server_port(server);
|
|
|
d296fa |
+ if (port != 0) {
|
|
|
d296fa |
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
|
|
d296fa |
+ if (address == NULL) {
|
|
|
d296fa |
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
|
|
d296fa |
+ talloc_free(tmp_ctx);
|
|
|
d296fa |
+ return ENOMEM;
|
|
|
d296fa |
+ }
|
|
|
d296fa |
}
|
|
|
d296fa |
}
|
|
|
d296fa |
|
|
|
d296fa |
@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
|
|
d296fa |
continue;
|
|
|
d296fa |
}
|
|
|
d296fa |
|
|
|
d296fa |
- port = fo_get_server_port(item);
|
|
|
d296fa |
- if (port != 0) {
|
|
|
d296fa |
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
|
|
d296fa |
- if (address == NULL) {
|
|
|
d296fa |
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
|
|
d296fa |
- talloc_free(tmp_ctx);
|
|
|
d296fa |
- return ENOMEM;
|
|
|
d296fa |
+ if (!force_default_port) {
|
|
|
d296fa |
+ port = fo_get_server_port(item);
|
|
|
d296fa |
+ if (port != 0) {
|
|
|
d296fa |
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
|
|
d296fa |
+ if (address == NULL) {
|
|
|
d296fa |
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
|
|
d296fa |
+ talloc_free(tmp_ctx);
|
|
|
d296fa |
+ return ENOMEM;
|
|
|
d296fa |
+ }
|
|
|
d296fa |
}
|
|
|
d296fa |
}
|
|
|
d296fa |
|
|
|
d296fa |
@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
|
|
|
d296fa |
if (krb5_service->write_kdcinfo) {
|
|
|
d296fa |
ret = write_krb5info_file_from_fo_server(krb5_service,
|
|
|
d296fa |
server,
|
|
|
d296fa |
+ false,
|
|
|
d296fa |
krb5_service->name,
|
|
|
d296fa |
NULL);
|
|
|
d296fa |
if (ret != EOK) {
|
|
|
d296fa |
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
|
|
|
d296fa |
index 151f446d1..2fd39a751 100644
|
|
|
d296fa |
--- a/src/providers/krb5/krb5_common.h
|
|
|
d296fa |
+++ b/src/providers/krb5/krb5_common.h
|
|
|
d296fa |
@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
|
|
|
d296fa |
|
|
|
d296fa |
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
|
|
d296fa |
struct fo_server *server,
|
|
|
d296fa |
+ bool force_default_port,
|
|
|
d296fa |
const char *service,
|
|
|
d296fa |
bool (*filter)(struct fo_server *));
|
|
|
d296fa |
|
|
|
d296fa |
--
|
|
|
d296fa |
2.26.3
|
|
|
d296fa |
|