1 From a859747b84125124ea794aa422f5b811bb0dba2d Mon Sep 17 00:00:00 2001
2 From: Sumit Bose <sbose@redhat.com>
3 Date: Tue, 8 Nov 2016 11:51:57 +0100
4 Subject: [PATCH 24/39] IPA/AD: check auth ctx before using it
5
6 In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to
7 set the 'canonicalize' option in the system-wide Kerberos configuration
8 according to the settings in SSSD if the AD or IPA provider were used.
9 Unfortunately the patch implied that the auth provider is the same as
10 the id provider which might not always be the case. A different auth
11 provider caused a crash in the backend which is fixed by this patch.
12
13 Resolves https://fedorahosted.org/sssd/ticket/3234
14
15 Reviewed-by: Petr Cech <pcech@redhat.com>
16 (cherry picked from commit ea11ed3ea6291488dd762033246edc4ce3951aeb)
17 (cherry picked from commit 37e070c8c2ea79d8d84bae3da3a34c81212744ab)
18 ---
19 src/providers/ad/ad_subdomains.c | 13 +++++++++++--
20 src/providers/ipa/ipa_subdomains.c | 20 +++++++++++++++++---
21 2 files changed, 28 insertions(+), 5 deletions(-)
22
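--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -618,14 +618,23 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
 {
 const char *path;
 errno_t ret;
- bool canonicalize;
+ bool canonicalize = false;
 
 path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic,
 AD_KRB5_CONFD_PATH);
 
- canonicalize = dp_opt_get_bool(
+ if (subdoms_ctx->ad_id_ctx->ad_options->auth_ctx != NULL
+ && subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts != NULL) {
+ canonicalize = dp_opt_get_bool(
 subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts,
 KRB5_CANONICALIZE);
+ } else {
+ DEBUG(SSSDBG_CONF_SETTINGS, "Auth provider data is not available, "
+ "most probably because the auth provider "
+ "is not 'ad'. Kerberos configuration "
+ "snippet to set the 'canonicalize' option "
+ "will not be created.\n");
+ }
 
 ret = sss_write_krb5_conf_snippet(path, canonicalize);
 if (ret != EOK) {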
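Review bot: The `else` branch logs that the snippet "will not be created", but `sss_write_krb5_conf_snippet(path, canonicalize)` is still called unconditionally right after it with `canonicalize` at its `false` default. The message is therefore accurate only if the helper skips the canonicalize part on `false`, which this hunk does not show. Since the fallback leaves the system-wide 'canonicalize' option unset and is reported only at `SSSDBG_CONF_SETTINGS`, a comment at the initialiser would make the intent explicit, e.g. `/* auth provider may not be 'ad'; default to not requesting canonicalization */`. The same applies to the `ipa_subdom_reinit` hunk in `src/providers/ipa/ipa_subdomains.c`. `ad_subdom_reinit` continues beyond the hunk's last line.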
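--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -73,16 +73,30 @@ static errno_t
 ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx)
 {
 errno_t ret;
+ bool canonicalize = false;
 
 DEBUG(SSSDBG_TRACE_INTERNAL,
 "Re-initializing domain %s\n", ctx->be_ctx->domain->name);
 
+ if (ctx->ipa_id_ctx->ipa_options->auth_ctx != NULL
+ && ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx != NULL
+ && ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts != NULL
+ ) {
+ canonicalize = dp_opt_get_bool(
+ ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts,
+ KRB5_CANONICALIZE);
+ } else {
+ DEBUG(SSSDBG_CONF_SETTINGS, "Auth provider data is not available, "
+ "most probably because the auth provider "
+ "is not 'ipa'. Kerberos configuration "
+ "snippet to set the 'canonicalize' option "
+ "will not be created.\n");
+ }
+
 ret = sss_write_krb5_conf_snippet(
 dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic,
 IPA_KRB5_CONFD_PATH),
- dp_opt_get_bool(
- ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts,
- KRB5_CANONICALIZE));
+ canonicalize);
 if (ret != EOK) {
 DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
 /* Just continue */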
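Review bot: The chain `ctx->ipa_id_ctx->ipa_options->auth_ctx` is spelled out four times in the added block and the closing `) {` sits on a line of its own, which makes the three NULL checks harder to audit than they need to be. Holding that pointer in a local named `auth_ctx` would reduce the condition to `if (auth_ctx != NULL && auth_ctx->krb5_auth_ctx != NULL && auth_ctx->krb5_auth_ctx->opts != NULL) {` and the lookup to `dp_opt_get_bool(auth_ctx->krb5_auth_ctx->opts, KRB5_CANONICALIZE)`. `ctx->ipa_id_ctx` and `ipa_options` stay unchecked, as they already are in the unchanged `dp_opt_get_string` call. `ipa_subdom_reinit` continues past the end of the hunk.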
91 --
92 2.11.0
93