ipa/SOURCES/0027-ad-trust-accept-subordinate-domains-of-the-forest-trust-root_rhbz#1914823.patch

58 lines
2.3 KiB
Diff
Raw Normal View History

From 6b224e57672e3f73f93bb9eddd9031e945529a1e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 24 Nov 2020 16:03:36 +0200
Subject: [PATCH] ad trust: accept subordinate domains of the forest trust root
Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for
subordinate UPN suffixes but missed the case where subordinate UPN is a
subdomain of the forest root domain and not mentioned in the UPN
suffixes list.
Correct this situation by applying the same check to the trusted domain
name as well.
Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index f2bd60e11..c6ac593ca 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2976,10 +2976,20 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
/* Iterate through list of trusts and check if input realm belongs to any of the trust */
for(i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
+ size_t len = 0;
result = strncasecmp(test_realm,
ipactx->mspac->trusts[i].domain_name,
size) == 0;
+ if (!result) {
+ len = strlen(ipactx->mspac->trusts[i].domain_name);
+ if ((size > len) && (test_realm[size - len - 1] == '.')) {
+ result = strncasecmp(test_realm + (size - len),
+ ipactx->mspac->trusts[i].domain_name,
+ len) == 0;
+ }
+ }
+
if (!result && (ipactx->mspac->trusts[i].flat_name != NULL)) {
result = strncasecmp(test_realm,
ipactx->mspac->trusts[i].flat_name,
@@ -2995,7 +3005,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
/* if UPN suffix did not match exactly, find if it is
* superior to the test_realm, e.g. if test_realm ends
* with the UPN suffix prefixed with dot*/
- size_t len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
+ len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
if ((size > len) && (test_realm[size - len - 1] == '.')) {
result = strncasecmp(test_realm + (size - len),
ipactx->mspac->trusts[i].upn_suffixes[j],
--
2.29.2