
From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Thu, 13 Jan 2022 11:28:30 +0100
Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
6ee0df
AD and IPA providers use a common fo_server object for LDAP and
6ee0df
Kerberos, which is created with the LDAP data. This means that due to
6ee0df
the changes introduced in
6ee0df
https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
6ee0df
the port in use for the Kerberos requests would be the one specified for
6ee0df
LDAP, usually the default one (389).
6ee0df
In order to avoid that, AD and IPA providers shouldn't change the
Kerberos port with the one provided for LDAP.
6ee0df
:fixes: A critical regression that prevented authentication of users via
6ee0df
AD and IPA providers was fixed. LDAP port was reused for Kerberos
6ee0df
communication and this provider would send incomprehensible information
6ee0df
to this port.
6ee0df
Resolves: https://github.com/SSSD/sssd/issues/5947
6ee0df
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
6ee0df
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
 src/providers/ad/ad_common.c     |  1 +
 src/providers/ipa/ipa_common.c   |  1 +
 src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
 src/providers/krb5/krb5_common.h |  1 +
 4 files changed, 23 insertions(+), 14 deletions(-)
6ee0df
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
6ee0df
index e263444c5..1ca5f8e3a 100644
6ee0df
--- a/src/providers/ad/ad_common.c
6ee0df
+++ b/src/providers/ad/ad_common.c
6ee0df
@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
6ee0df
     if (service->krb5_service->write_kdcinfo) {
6ee0df
         ret = write_krb5info_file_from_fo_server(service->krb5_service,
6ee0df
                                                  server,
6ee0df
+                                                 true,
6ee0df
                                                  SSS_KRB5KDC_FO_SRV,
6ee0df
                                                  ad_krb5info_file_filter);
6ee0df
         if (ret != EOK) {
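Review bot: The new `true` argument in the ad_resolve_callback call is a bare positional boolean, so a reader of this call site cannot tell what is being forced without opening krb5_common.h; the same applies to the `true` in ipa_resolve_callback (ipa_common.c hunk) and the `false` in krb5_resolve_callback (krb5_common.c, `@@ -821,6 +826,7 @@`). The commit message explains that AD and IPA reuse the LDAP fo_server, which is exactly the reasoning a maintainer needs next to the literal before being tempted to "fix" it back to the server's port, e.g. `true, /* force_default_port: fo_server is shared with LDAP, its port is not the KDC's */` and in krb5_resolve_callback `false, /* force_default_port: this fo_server is the KDC's own */`. ad_resolve_callback's body starts and ends outside this hunk.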
6ee0df
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
6ee0df
index 1509cb1ce..e6c1f9aa4 100644
6ee0df
--- a/src/providers/ipa/ipa_common.c
6ee0df
+++ b/src/providers/ipa/ipa_common.c
6ee0df
@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
6ee0df
     if (service->krb5_service->write_kdcinfo) {
6ee0df
         ret = write_krb5info_file_from_fo_server(service->krb5_service,
6ee0df
                                                  server,
6ee0df
+                                                 true,
6ee0df
                                                  SSS_KRB5KDC_FO_SRV,
6ee0df
                                                  NULL);
6ee0df
         if (ret != EOK) {
6ee0df
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
6ee0df
index 719ce6a12..5ffa20809 100644
6ee0df
--- a/src/providers/krb5/krb5_common.c
6ee0df
+++ b/src/providers/krb5/krb5_common.c
6ee0df
@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
6ee0df
 
6ee0df
 errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
6ee0df
                                            struct fo_server *server,
6ee0df
+                                           bool force_default_port,
6ee0df
                                            const char *service,
6ee0df
                                            bool (*filter)(struct fo_server *))
6ee0df
 {
6ee0df
@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
6ee0df
     if (filter == NULL || filter(server) == false) {
6ee0df
         address = fo_server_address_or_name(tmp_ctx, server);
6ee0df
         if (address) {
6ee0df
-            port = fo_get_server_port(server);
6ee0df
-            if (port != 0) {
6ee0df
-                address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
6ee0df
-                if (address == NULL) {
6ee0df
-                    DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
6ee0df
-                    talloc_free(tmp_ctx);
6ee0df
-                    return ENOMEM;
6ee0df
+            if (!force_default_port) {
6ee0df
+                port = fo_get_server_port(server);
6ee0df
+                if (port != 0) {
6ee0df
+                    address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
6ee0df
+                    if (address == NULL) {
6ee0df
+                        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
6ee0df
+                        talloc_free(tmp_ctx);
6ee0df
+                        return ENOMEM;
6ee0df
+                    }
6ee0df
                 }
6ee0df
             }
6ee0df
 
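Review bot: The port-appending block is now duplicated verbatim in this hunk and in the next one for the `item` loop (`@@ -775,13 +778,15 @@`), each nested four levels deep, and the `force_default_port` check has made the copy-paste longer rather than shorter; any later change to how the address is rendered (IPv6 bracketing, a different separator) would have to be made twice. Pulling the decision into a static helper that returns NULL only on allocation failure reduces both call sites to one call plus the existing ENOMEM handling, and gives the "no port means default KDC port" rule one place to be documented. `port` is assumed to be an `int`, matching the `%d` format already used; write_krb5info_file_from_fo_server starts and ends outside this hunk.
```c
/* Returns address unchanged when the caller forces the default KDC port or
 * the fail-over server carries no explicit port; otherwise returns a new
 * "address:port" string allocated on tmp_ctx, or NULL on allocation failure. */
static const char *fo_server_address_with_port(TALLOC_CTX *tmp_ctx,
                                               const char *address,
                                               struct fo_server *server,
                                               bool force_default_port)
{
    int port;

    if (force_default_port) {
        return address;
    }

    port = fo_get_server_port(server);
    if (port == 0) {
        return address;
    }

    return talloc_asprintf(tmp_ctx, "%s:%d", address, port);
}

/* … unchanged: write_krb5info_file_from_fo_server up to the primary server … */
        address = fo_server_address_or_name(tmp_ctx, server);
        if (address) {
            address = fo_server_address_with_port(tmp_ctx, address, server,
                                                  force_default_port);
            if (address == NULL) {
                DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
                talloc_free(tmp_ctx);
                return ENOMEM;
            }
        }
/* … unchanged: rest of the function; the item loop makes the same call with item … */
```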
6ee0df
@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
6ee0df
                 continue;
6ee0df
             }
6ee0df
 
6ee0df
-            port = fo_get_server_port(item);
6ee0df
-            if (port != 0) {
6ee0df
-                address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
6ee0df
-                if (address == NULL) {
6ee0df
-                    DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
6ee0df
-                    talloc_free(tmp_ctx);
6ee0df
-                    return ENOMEM;
6ee0df
+            if (!force_default_port) {
6ee0df
+                port = fo_get_server_port(item);
6ee0df
+                if (port != 0) {
6ee0df
+                    address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
6ee0df
+                    if (address == NULL) {
6ee0df
+                        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
6ee0df
+                        talloc_free(tmp_ctx);
6ee0df
+                        return ENOMEM;
6ee0df
+                    }
6ee0df
                 }
6ee0df
             }
6ee0df
 
6ee0df
@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
6ee0df
     if (krb5_service->write_kdcinfo) {
6ee0df
         ret = write_krb5info_file_from_fo_server(krb5_service,
6ee0df
                                                  server,
6ee0df
+                                                 false,
6ee0df
                                                  krb5_service->name,
6ee0df
                                                  NULL);
6ee0df
         if (ret != EOK) {
6ee0df
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
6ee0df
index 151f446d1..2fd39a751 100644
6ee0df
--- a/src/providers/krb5/krb5_common.h
6ee0df
+++ b/src/providers/krb5/krb5_common.h
6ee0df
@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
6ee0df
 
6ee0df
 errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
6ee0df
                                            struct fo_server *server,
6ee0df
+                                           bool force_default_port,
6ee0df
                                            const char *service,
6ee0df
                                            bool (*filter)(struct fo_server *));
6ee0df
 
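Review bot: The new `force_default_port` parameter is added to the public prototype with no comment, and this header is where the AD/IPA maintainers will look before deciding which value to pass. A short Doxygen block above the declaration should state that when it is true the fo_server's port is ignored and the address is written to the kdcinfo file without a port, that this is needed because AD and IPA share one fo_server with LDAP so its port is LDAP's rather than the KDC's, and — as a consequence — that a KDC listening on a non-default port cannot be expressed through this path for those providers; presumably the kdcinfo consumer then falls back to the Kerberos default port, which should be confirmed and written down. The existing `filter` parameter is undocumented as well, so both are worth covering while the prototype is being touched.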
6ee0df
-- 
6ee0df
2.26.3