From 6d235cb833fcfa8b124d2439a3d66840f1172a67 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Thu, 21 Sep 2023 14:19:47 +0300
Subject: [PATCH] - Apply 0009-ipa-kdb-fix-error-handling-of-is_master_host.patch
---
 ...fix-error-handling-of-is_master_host.patch | 85 +++++++++++++++++++
 SPECS/ipa.spec | 10 ++-
 2 files changed, 93 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/0009-ipa-kdb-fix-error-handling-of-is_master_host.patch
diff --git a/SOURCES/0009-ipa-kdb-fix-error-handling-of-is_master_host.patch b/SOURCES/0009-ipa-kdb-fix-error-handling-of-is_master_host.patch
new file mode 100644
index 0000000..1a3e29b
--- /dev/null
+++ b/SOURCES/0009-ipa-kdb-fix-error-handling-of-is_master_host.patch
@@ -0,0 +1,85 @@
+From c84c59c66f1b22ebc671960cae90088a024d2d62 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Aug 01 2023 11:31:09 +0000
+Subject: ipa-kdb: fix error handling of is_master_host()
+
+
+Adding proper error handling to the is_master_host() function to allow
+it to make the difference between the absence of a master host object
+and a connection failure. This will keep the krb5kdc daemon from
+continuing to run with a NULL LDAP context.
+
+Fixes: https://pagure.io/freeipa/issue/9422
+
+Signed-off-by: Julien Rische
+Reviewed-By: Alexander Bokovoy
+
+---
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 83b507c..1558e2b 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -401,27 +401,29 @@ static krb5_error_code ipadb_add_asserted_identity(struct ipadb_context *ipactx,
+ return 0;
+ }
+
+-static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
++static krb5_error_code
++is_master_host(struct ipadb_context *ipactx, const char *fqdn, bool *result)
+ {
+- int ret;
++ int err;
+ char *master_host_base = NULL;
+- LDAPMessage *result = NULL;
+- krb5_error_code err;
++ LDAPMessage *ldap_res = NULL;
+
+- ret = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
++ err = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
+ fqdn, ipactx->base);
+- if (ret == -1) {
+- return false;
+- }
++ if (err == -1)
++ return ENOMEM;
++
+ err = ipadb_simple_search(ipactx, master_host_base, LDAP_SCOPE_BASE,
+- NULL, NULL, &result);
++ NULL, NULL, &ldap_res);
+ free(master_host_base);
+- ldap_msgfree(result);
+- if (err == 0) {
+- return true;
+- }
++ ldap_msgfree(ldap_res);
++ if (err != KRB5_KDB_NOENTRY && err != 0)
++ return err;
++
++ if (result)
++ *result = err != KRB5_KDB_NOENTRY;
+
+- return false;
++ return 0;
+ }
+
+ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+@@ -692,9 +694,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+ if ((is_host || is_service)) {
+ /* it is either host or service, so get the hostname first */
+ char *sep = strchr(info3->base.account_name.string, '/');
+- bool is_master = is_master_host(
+- ipactx,
+- sep ? sep + 1 : info3->base.account_name.string);
++ bool is_master;
++
++ ret = is_master_host(ipactx,
++ sep ? sep + 1 : info3->base.account_name.string,
++ &is_master);
++ if (ret)
++ return ret;
++
+ if (is_master) {
+ /* Well known RID of domain controllers group */
+ if (info3->base.rid == 0) {
+
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 1617b31..6a0f7c6 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -189,7 +189,7 @@
 Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 6%{?rc_version:.%rc_version}%{?dist}.alma.1
+Release: 7%{?rc_version:.%rc_version}%{?dist}.alma.1
 Summary: The Identity, Policy and Audit system
 License: GPLv3+
@@ -216,7 +216,10 @@ Patch0004: 0004-server-install-remove-error-log-about-missing-bkup-file_rhb
 Patch0005: 0005-automember-rebuild-add-a-notice-about-high-CPU-usage_rhbz#2018198.patch
 Patch0006: 0006-ipa-kdb-PAC-consistency-checker-needs-to-handle-child-domains-as-well_rhbz#2166324.patch
 Patch0007: 0007-Wipe-the-ipa-ca-DNS-record-when-updating-system-records_rhbz#2158775.patch
-# Patch taken from Oracle Linux ipa-4.9.11-5.0.2.module+el8.8.0+21110+f1feef29.src.rpm
+# Patches were taken from:
+# https://git.almalinux.org/rpms/ipa/raw/commit/86257fbf820076b5edaa9a657bc7ba79ef8fe058/SOURCES/0026-ipa-kdb-fix-error-handling-of-is_master_host.patch
+Patch0009: 0009-ipa-kdb-fix-error-handling-of-is_master_host.patch
+# Oracle Linux ipa-4.9.11-5.0.2.module+el8.8.0+21110+f1feef29.src.rpm
 Patch0008: 0008-Use-krb5_pac_full_sign_compat-when-available.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
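Review bot: In the new `is_master_host()`, `fqdn` is still formatted into the search base with a bare `%s` in `asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s", ...)`, and the caller takes it straight from `info3->base.account_name.string`. A value containing DN special characters (`,`, `+`, `=`) would change which entry the base-scope search looks up, and that result selects the branch commented "Well known RID of domain controllers group". Whether such a name is excluded earlier cannot be seen from this hunk (the body of `ipadb_fill_info3()` continues outside it), so the function should either reject or DN-escape the value, or at least state the precondition, e.g. `/* fqdn is inserted into the DN unescaped; callers must pass a validated host name */`. As a smaller point, `int err` now holds both the `asprintf()` return value and a `krb5_error_code`; a separate `int ret` for `asprintf()` would keep the two apart.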
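Review bot: `Patch0009` is declared ahead of `Patch0008`, so the declaration order no longer follows the patch numbers, and the "Patches were taken from:" comment now has to be read across both entries to work out which source belongs to which patch. If the `%prep` section (not visible here) applies patches in declaration order, 0009 would also be applied before 0008. I would place `Patch0009:` after `Patch0008:` with its own provenance line, `# Taken from https://git.almalinux.org/rpms/ipa/raw/commit/86257fbf820076b5edaa9a657bc7ba79ef8fe058/SOURCES/0026-ipa-kdb-fix-error-handling-of-is_master_host.patch`, and leave the original Oracle Linux comment above `Patch0008:` unchanged.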
@@ -1717,6 +1720,9 @@ fi
 %endif
 %changelog
+* Thu Sep 21 2023 Eduard Abdullin - 4.9.11-7.alma.1
+- Apply 0009-ipa-kdb-fix-error-handling-of-is_master_host.patch
+
 * Thu Aug 03 2023 Andrew Lukoshko - 4.9.11-6.alma.1
 - bump required version of krb5 (albz#411)