From 1083c5f195ecf29435f24e136cf6470992614494 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 8 Nov 2016 11:51:57 +0100
Subject: [PATCH 148/149] IPA/AD: check auth ctx before using it
In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to
set the 'canonicalize' option in the system-wide Kerberos configuration
according to the settings in SSSD if the AD or IPA provider were used.
Unfortunately the patch implied that the auth provider is the same as
the id provider which might not always be the case. A different auth
provider caused a crash in the backend which is fixed by this patch.
Resolves https://fedorahosted.org/sssd/ticket/3234
Reviewed-by: Petr Cech <pcech@redhat.com>
(cherry picked from commit ea11ed3ea6291488dd762033246edc4ce3951aeb)
---
src/providers/ad/ad_subdomains.c | 13 +++++++++++--
src/providers/ipa/ipa_subdomains.c | 20 +++++++++++++++++---
2 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 52bf5361fa8de02c7165cbc3513a923ec018fc15..5e57d218c072a2627f165ae072cb761e1a146048 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -618,14 +618,23 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
{
const char *path;
errno_t ret;
- bool canonicalize;
+ bool canonicalize = false;
path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic,
AD_KRB5_CONFD_PATH);
- canonicalize = dp_opt_get_bool(
+ if (subdoms_ctx->ad_id_ctx->ad_options->auth_ctx != NULL
+ && subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts != NULL) {
+ canonicalize = dp_opt_get_bool(
subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts,
KRB5_CANONICALIZE);
+ } else {
+ DEBUG(SSSDBG_CONF_SETTINGS, "Auth provider data is not available, "
+ "most probably because the auth provider "
+ "is not 'ad'. Kerberos configuration "
+ "snippet to set the 'canonicalize' option "
+ "will not be created.\n");
+ }
ret = sss_write_krb5_conf_snippet(path, canonicalize);
if (ret != EOK) {
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index d02d2d5c05904c54c5e1997aece82f940b7334ee..eb1bc92691da9e82e07595ed84eea35fff78d1a5 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -73,16 +73,30 @@ static errno_t
ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx)
{
errno_t ret;
+ bool canonicalize = false;
DEBUG(SSSDBG_TRACE_INTERNAL,
"Re-initializing domain %s\n", ctx->be_ctx->domain->name);
+ if (ctx->ipa_id_ctx->ipa_options->auth_ctx != NULL
+ && ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx != NULL
+ && ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts != NULL
+ ) {
+ canonicalize = dp_opt_get_bool(
+ ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts,
+ KRB5_CANONICALIZE);
+ } else {
+ DEBUG(SSSDBG_CONF_SETTINGS, "Auth provider data is not available, "
+ "most probably because the auth provider "
+ "is not 'ipa'. Kerberos configuration "
+ "snippet to set the 'canonicalize' option "
+ "will not be created.\n");
+ }
+
ret = sss_write_krb5_conf_snippet(
dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic,
IPA_KRB5_CONFD_PATH),
- dp_opt_get_bool(
- ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts,
- KRB5_CANONICALIZE));
+ canonicalize);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
/* Just continue */
--
2.7.4