From 6b224e57672e3f73f93bb9eddd9031e945529a1e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 24 Nov 2020 16:03:36 +0200
Subject: [PATCH] ad trust: accept subordinate domains of the forest trust root
Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for
subordinate UPN suffixes but missed the case where the subordinate UPN suffix is a
subdomain of the forest root domain and not mentioned in the UPN
suffixes list.
Correct this situation by applying the same check to the trusted domain
name as well.
Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index f2bd60e11..c6ac593ca 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2976,10 +2976,20 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
/* Iterate through list of trusts and check if input realm belongs to any of the trust */
for(i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
+ size_t len = 0;
result = strncasecmp(test_realm,
ipactx->mspac->trusts[i].domain_name,
size) == 0;
+ if (!result) {
+ len = strlen(ipactx->mspac->trusts[i].domain_name);
+ if ((size > len) && (test_realm[size - len - 1] == '.')) {
+ result = strncasecmp(test_realm + (size - len),
+ ipactx->mspac->trusts[i].domain_name,
+ len) == 0;
+ }
+ }
+
if (!result && (ipactx->mspac->trusts[i].flat_name != NULL)) {
result = strncasecmp(test_realm,
ipactx->mspac->trusts[i].flat_name,
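Review bot: The exact-match line `result = strncasecmp(test_realm, ipactx->mspac->trusts[i].domain_name, size) == 0;` just above the added block still bounds the comparison by `size` alone, and the new suffix arithmetic (`test_realm[size - len - 1]`, `test_realm + (size - len)`) treats `size` as the length of `test_realm`, so a realm that is merely a proper prefix of a trusted domain name (e.g. `AD.EXAMPLE` against `AD.EXAMPLE.COM`) compares equal over its first `size` bytes and sets `result` as if it were that trust. Since the commit now computes `len = strlen(ipactx->mspac->trusts[i].domain_name)` anyway, hoist that line above the first comparison and require equal lengths: `result = (size == len) && strncasecmp(test_realm, ipactx->mspac->trusts[i].domain_name, len) == 0;`. The added dotted-suffix branch is otherwise sound, but it deliberately accepts any DNS child of the trusted domain name without consulting a list of known domains, so a comment such as `/* A DNS subdomain of the trusted domain is treated as part of the same forest even when it is not listed as a UPN suffix. */` would make that intent explicit for whoever audits the callers that consume the result. ipadb_is_princ_from_trusted_realm begins before this hunk, so the declaration of `size` and `test_realm` is not visible here.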
@@ -2995,7 +3005,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
/* if UPN suffix did not match exactly, find if it is
* superior to the test_realm, e.g. if test_realm ends
* with the UPN suffix prefixed with dot*/
- size_t len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
+ len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
if ((size > len) && (test_realm[size - len - 1] == '.')) {
result = strncasecmp(test_realm + (size - len),
ipactx->mspac->trusts[i].upn_suffixes[j],
--
2.29.2