From 18cbf559addfeb77ad83b81e23431295a3e5c6ae Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 6 May 2016 15:02:19 +0200
Subject: [PATCH] IPA: Handle requests for netgroups from trusted domains
gracefully
In ipa_account_info_handler we first check if the request is for a user
from a trusted domain and go that way for all request types. In
contrast, in the ipa_account_info_done we first check if the requested
object is a netgroup. If both are true, we first start a subdomain
lookup send but then call netgroup lookup recv, which results in talloc
type mismatch and crashes sssd_be.
Resolves:
https://fedorahosted.org/sssd/ticket/3007
---
src/providers/ipa/ipa_id.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
index 29e22982c415220c931f0422e10cd06dfa1a195b..dff4b23580d8c7502a1fbe9c57d21b8c555883be 100644
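--- a/src/providers/ipa/ipa_id.c
+++ b/src/providers/ipa/ipa_id.c
@@ -115,21 +115,27 @@ void ipa_account_info_handler(struct be_req *breq)
 return sdap_handler_done(breq, DP_ERR_OK, EOK, "Success");
 }
 
- if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {
- /* if domain names do not match, this is a subdomain case
- * subdomain lookups are handled differently on the server
- * and the client
- */
- req = ipa_subdomain_account_send(breq, be_ctx->ev, ipa_ctx, breq, ar);
-
- } else if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_NETGROUP) {
+ if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_NETGROUP) {
 /* netgroups are handled by a separate request function */
 if (ar->filter_type != BE_FILTER_NAME) {
 return sdap_handler_done(breq, DP_ERR_FATAL,
 EINVAL, "Invalid filter type");
 }
+
+ if ((strcasecmp(ar->domain, be_ctx->domain->name) != 0)) {
+ return sdap_handler_done(breq, DP_ERR_OK, EOK,
+ "netgroups in subdomains are "
+ "not handled\n");
+ }
+
 req = ipa_id_get_netgroup_send(breq, be_ctx->ev,
 ipa_ctx, ar->filter_value);
+ } else if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {
+ /* if domain names do not match, this is a subdomain case
+ * subdomain lookups are handled differently on the server
+ * and the client
+ */
+ req = ipa_subdomain_account_send(breq, be_ctx->ev, ipa_ctx, breq, ar);
 } else {
 /* any account request is handled by sdap,
 * any invalid request is caught there. */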
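Review bot: The branch order in this if/else chain now has to mirror the order in which ipa_account_info_done picks its recv function, and nothing in the new code says so; per the commit message, a mismatch between the two is what let a netgroup request for a trusted domain crash sssd_be with a talloc type mismatch. A comment above `if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_NETGROUP) {` such as `/* Keep this order in sync with ipa_account_info_done(): netgroup first, then subdomain. */` would keep a later reordering from reintroducing the crash; ipa_account_info_done is outside this hunk, so its order should be confirmed against this one. The new early return also passes `"not handled\n"` with a trailing newline, unlike the other sdap_handler_done messages visible here (`"Success"`, `"Invalid filter type"`). It reports DP_ERR_OK for a request that was not served, which looks intended but deserves a one-line comment saying why. The body of ipa_account_info_handler starts and ends outside the hunk.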
--
2.4.11