
From 1083c5f195ecf29435f24e136cf6470992614494 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 8 Nov 2016 11:51:57 +0100
Subject: [PATCH 148/149] IPA/AD: check auth ctx before using it
In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to
set the 'canonicalize' option in the system-wide Kerberos configuration
according to the settings in SSSD if the AD or IPA provider were used.
Unfortunately the patch assumed that the auth provider is the same as
the id provider which might not always be the case. A different auth
provider caused a crash in the backend which is fixed by this patch.
Resolves https://fedorahosted.org/sssd/ticket/3234
Reviewed-by: Petr Cech <pcech@redhat.com>
(cherry picked from commit ea11ed3ea6291488dd762033246edc4ce3951aeb)
---
 src/providers/ad/ad_subdomains.c   | 13 +++++++++++--
 src/providers/ipa/ipa_subdomains.c | 20 +++++++++++++++++---
 2 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 52bf5361fa8de02c7165cbc3513a923ec018fc15..5e57d218c072a2627f165ae072cb761e1a146048 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -618,14 +618,23 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
 {
     const char *path;
     errno_t ret;
-    bool canonicalize;
+    bool canonicalize = false;
 
     path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic,
                              AD_KRB5_CONFD_PATH);
 
-    canonicalize = dp_opt_get_bool(
+    if (subdoms_ctx->ad_id_ctx->ad_options->auth_ctx != NULL
+            && subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts != NULL) {
+        canonicalize = dp_opt_get_bool(
                              subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts,
                              KRB5_CANONICALIZE);
+    } else {
+        DEBUG(SSSDBG_CONF_SETTINGS, "Auth provider data is not available, "
+                                    "most probably because the auth provider "
+                                    "is not 'ad'. Kerberos configuration "
+                                    "snippet to set the 'canonicalize' option "
+                                    "will not be created.\n");
+    }
 
     ret = sss_write_krb5_conf_snippet(path, canonicalize);
     if (ret != EOK) {
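Review bot: The else branch of the new block logs that the canonicalize snippet "will not be created", but `ret = sss_write_krb5_conf_snippet(path, canonicalize);` on the context line just below is still reached with `canonicalize` left at its new `false` initializer, so what really happens when the auth provider is not 'ad' depends on how that helper treats a false flag (outside this hunk): it may leave the existing snippet alone, or it may rewrite it with canonicalization disabled and silently change the host's Kerberos behaviour. Either the message should describe the actual outcome or the write should be skipped on this path. Once the intended behaviour is confirmed I would add a comment above the call, `/* auth provider is not 'ad': canonicalize stays false and the snippet is still (re)written */` or the equivalent for the skip case. The ipa_subdomains.c hunk has the same message/behaviour mismatch. ad_subdom_reinit's signature is only in the hunk header and its body continues past the end of the hunk.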
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index d02d2d5c05904c54c5e1997aece82f940b7334ee..eb1bc92691da9e82e07595ed84eea35fff78d1a5 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -73,16 +73,30 @@ static errno_t
 ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx)
 {
     errno_t ret;
+    bool canonicalize = false;
 
     DEBUG(SSSDBG_TRACE_INTERNAL,
           "Re-initializing domain %s\n", ctx->be_ctx->domain->name);
 
+    if (ctx->ipa_id_ctx->ipa_options->auth_ctx != NULL
+          && ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx != NULL
+          && ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts != NULL
+       ) {
+        canonicalize = dp_opt_get_bool(
+                    ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts,
+                    KRB5_CANONICALIZE);
+    } else {
+        DEBUG(SSSDBG_CONF_SETTINGS, "Auth provider data is not available, "
+                                    "most probably because the auth provider "
+                                    "is not 'ipa'. Kerberos configuration "
+                                    "snippet to set the 'canonicalize' option "
+                                    "will not be created.\n");
+    }
+
     ret = sss_write_krb5_conf_snippet(
                           dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic,
                                             IPA_KRB5_CONFD_PATH),
-                          dp_opt_get_bool(
-                    ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts,
-                    KRB5_CANONICALIZE));
+                          canonicalize);
     if (ret != EOK) {
         DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
         /* Just continue */
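Review bot: The new guard spells out the chain `ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx` four times, once in each of the three `&&` terms and again as the dp_opt_get_bool() argument, with the closing `)` of the `if` on a line of its own; compared with the two-level AD version this is hard to read and easy to mistype in one of the copies. Hoisting `ctx->ipa_id_ctx->ipa_options->auth_ctx` into a local pointer before the check, testing `->krb5_auth_ctx` and `->krb5_auth_ctx->opts` on that local, and passing the local's `->krb5_auth_ctx->opts` to dp_opt_get_bool() keeps each NULL test on one line. That is the same three guards with no change in behaviour. ipa_subdom_reinit continues outside the hunk.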
-- 
2.7.4