- Apply 0009-ipa-kdb-fix-error-handling-of-is_master_host.patch
parent
e4d8b700db
commit
6d235cb833
@ -0,0 +1,85 @@
|
|||||||
|
From c84c59c66f1b22ebc671960cae90088a024d2d62 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Aug 01 2023 11:31:09 +0000
|
||||||
|
Subject: ipa-kdb: fix error handling of is_master_host()
|
||||||
|
|
||||||
|
|
||||||
|
Adding proper error handling to the is_master_host() function to allow
|
||||||
|
it to make the difference between the absence of a master host object
|
||||||
|
and a connection failure. This will keep the krb5kdc daemon from
|
||||||
|
continuing to run with a NULL LDAP context.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9422
|
||||||
|
|
||||||
|
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
index 83b507c..1558e2b 100644
|
||||||
|
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
@@ -401,27 +401,29 @@ static krb5_error_code ipadb_add_asserted_identity(struct ipadb_context *ipactx,
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
|
||||||
|
+static krb5_error_code
|
||||||
|
+is_master_host(struct ipadb_context *ipactx, const char *fqdn, bool *result)
|
||||||
|
{
|
||||||
|
- int ret;
|
||||||
|
+ int err;
|
||||||
|
char *master_host_base = NULL;
|
||||||
|
- LDAPMessage *result = NULL;
|
||||||
|
- krb5_error_code err;
|
||||||
|
+ LDAPMessage *ldap_res = NULL;
|
||||||
|
|
||||||
|
- ret = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
|
||||||
|
+ err = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
|
||||||
|
fqdn, ipactx->base);
|
||||||
|
- if (ret == -1) {
|
||||||
|
- return false;
|
||||||
|
- }
|
||||||
|
+ if (err == -1)
|
||||||
|
+ return ENOMEM;
|
||||||
|
+
|
||||||
|
err = ipadb_simple_search(ipactx, master_host_base, LDAP_SCOPE_BASE,
|
||||||
|
- NULL, NULL, &result);
|
||||||
|
+ NULL, NULL, &ldap_res);
|
||||||
|
free(master_host_base);
|
||||||
|
- ldap_msgfree(result);
|
||||||
|
- if (err == 0) {
|
||||||
|
- return true;
|
||||||
|
- }
|
||||||
|
+ ldap_msgfree(ldap_res);
|
||||||
|
+ if (err != KRB5_KDB_NOENTRY && err != 0)
|
||||||
|
+ return err;
|
||||||
|
+
|
||||||
|
+ if (result)
|
||||||
|
+ *result = err != KRB5_KDB_NOENTRY;
|
||||||
|
|
||||||
|
- return false;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
@@ -692,9 +694,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
if ((is_host || is_service)) {
|
||||||
|
/* it is either host or service, so get the hostname first */
|
||||||
|
char *sep = strchr(info3->base.account_name.string, '/');
|
||||||
|
- bool is_master = is_master_host(
|
||||||
|
- ipactx,
|
||||||
|
- sep ? sep + 1 : info3->base.account_name.string);
|
||||||
|
+ bool is_master;
|
||||||
|
+
|
||||||
|
+ ret = is_master_host(ipactx,
|
||||||
|
+ sep ? sep + 1 : info3->base.account_name.string,
|
||||||
|
+ &is_master);
|
||||||
|
+ if (ret)
|
||||||
|
+ return ret;
|
||||||
|
+
|
||||||
|
if (is_master) {
|
||||||
|
/* Well known RID of domain controllers group */
|
||||||
|
if (info3->base.rid == 0) {
|
||||||
|
|
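Review bot: is_master_host() still formats `fqdn` into the search base with `"cn=%s,cn=masters,cn=ipa,cn=etc,%s"` without any DN escaping, and the caller passes whatever follows '/' in `info3->base.account_name.string`. Nothing in these hunks shows that string being limited to hostname characters, so unless that is enforced where the account name is set, the name should be rejected or RFC 4514-escaped before the asprintf() call; the lookup result appears to decide whether the domain controllers RID is applied. The caller would also be safer with `bool is_master = false;`, since the variable is assigned only through the out-parameter on the success path. ipadb_fill_info3() begins and ends outside the hunk, so it cannot be confirmed from here that the new `return ret;` skips no cleanup.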
@ -189,7 +189,7 @@
|
|||||||
|
|
||||||
Name: %{package_name}
|
Name: %{package_name}
|
||||||
Version: %{IPA_VERSION}
|
Version: %{IPA_VERSION}
|
||||||
Release: 6%{?rc_version:.%rc_version}%{?dist}.alma.1
|
Release: 7%{?rc_version:.%rc_version}%{?dist}.alma.1
|
||||||
Summary: The Identity, Policy and Audit system
|
Summary: The Identity, Policy and Audit system
|
||||||
|
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -216,7 +216,10 @@ Patch0004: 0004-server-install-remove-error-log-about-missing-bkup-file_rhb
|
|||||||
Patch0005: 0005-automember-rebuild-add-a-notice-about-high-CPU-usage_rhbz#2018198.patch
|
Patch0005: 0005-automember-rebuild-add-a-notice-about-high-CPU-usage_rhbz#2018198.patch
|
||||||
Patch0006: 0006-ipa-kdb-PAC-consistency-checker-needs-to-handle-child-domains-as-well_rhbz#2166324.patch
|
Patch0006: 0006-ipa-kdb-PAC-consistency-checker-needs-to-handle-child-domains-as-well_rhbz#2166324.patch
|
||||||
Patch0007: 0007-Wipe-the-ipa-ca-DNS-record-when-updating-system-records_rhbz#2158775.patch
|
Patch0007: 0007-Wipe-the-ipa-ca-DNS-record-when-updating-system-records_rhbz#2158775.patch
|
||||||
# Patch taken from Oracle Linux ipa-4.9.11-5.0.2.module+el8.8.0+21110+f1feef29.src.rpm
|
# Patches were taken from:
|
||||||
|
# https://git.almalinux.org/rpms/ipa/raw/commit/86257fbf820076b5edaa9a657bc7ba79ef8fe058/SOURCES/0026-ipa-kdb-fix-error-handling-of-is_master_host.patch
|
||||||
|
Patch0009: 0009-ipa-kdb-fix-error-handling-of-is_master_host.patch
|
||||||
|
# Oracle Linux ipa-4.9.11-5.0.2.module+el8.8.0+21110+f1feef29.src.rpm
|
||||||
Patch0008: 0008-Use-krb5_pac_full_sign_compat-when-available.patch
|
Patch0008: 0008-Use-krb5_pac_full_sign_compat-when-available.patch
|
||||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||||
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
|
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
|
||||||
@ -1717,6 +1720,9 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Sep 21 2023 Eduard Abdullin <eabdullin@almalinux.org> - 4.9.11-7.alma.1
|
||||||
|
- Apply 0009-ipa-kdb-fix-error-handling-of-is_master_host.patch
|
||||||
|
|
||||||
* Thu Aug 03 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 4.9.11-6.alma.1
|
* Thu Aug 03 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 4.9.11-6.alma.1
|
||||||
- bump required version of krb5 (albz#411)
|
- bump required version of krb5 (albz#411)
|
||||||
|
|
||||||
|
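Review bot: The provenance comments around the new `Patch0009` line are now ambiguous: `# Patches were taken from:` is followed by a single URL, Patch0009 is listed ahead of Patch0008, and the Oracle Linux line has lost its `Patch taken from` wording, so a reader cannot tell at a glance which source belongs to which patch. Keeping the original `# Patch taken from Oracle Linux …` comment directly above `Patch0008` and placing `Patch0009` after it under its own `# Patch taken from <URL>` comment would make each origin checkable. It would also help to record the commit id from the patch's own `From` line next to the URL, so the file can be compared with its origin if the link changes. Whether listing order affects application order depends on the %prep section, which is not visible here.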