- Apply 0009-ipa-kdb-fix-error-handling-of-is_master_host.patch

This commit is contained in:
eabdullin 2023-09-21 14:19:47 +03:00
parent e4d8b700db
commit 6d235cb833
2 changed files with 93 additions and 2 deletions

View File

@ -0,0 +1,85 @@
From c84c59c66f1b22ebc671960cae90088a024d2d62 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Aug 01 2023 11:31:09 +0000
Subject: ipa-kdb: fix error handling of is_master_host()
Adding proper error handling to the is_master_host() function to allow
it to make the difference between the absence of a master host object
and a connection failure. This will keep the krb5kdc daemon from
continuing to run with a NULL LDAP context.
Fixes: https://pagure.io/freeipa/issue/9422
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 83b507c..1558e2b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -401,27 +401,29 @@ static krb5_error_code ipadb_add_asserted_identity(struct ipadb_context *ipactx,
return 0;
}
-static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
+static krb5_error_code
+is_master_host(struct ipadb_context *ipactx, const char *fqdn, bool *result)
{
- int ret;
+ int err;
char *master_host_base = NULL;
- LDAPMessage *result = NULL;
- krb5_error_code err;
+ LDAPMessage *ldap_res = NULL;
- ret = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
+ err = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
fqdn, ipactx->base);
- if (ret == -1) {
- return false;
- }
+ if (err == -1)
+ return ENOMEM;
+
err = ipadb_simple_search(ipactx, master_host_base, LDAP_SCOPE_BASE,
- NULL, NULL, &result);
+ NULL, NULL, &ldap_res);
free(master_host_base);
- ldap_msgfree(result);
- if (err == 0) {
- return true;
- }
+ ldap_msgfree(ldap_res);
+ if (err != KRB5_KDB_NOENTRY && err != 0)
+ return err;
+
+ if (result)
+ *result = err != KRB5_KDB_NOENTRY;
- return false;
+ return 0;
}
static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
@@ -692,9 +694,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
if ((is_host || is_service)) {
/* it is either host or service, so get the hostname first */
char *sep = strchr(info3->base.account_name.string, '/');
- bool is_master = is_master_host(
- ipactx,
- sep ? sep + 1 : info3->base.account_name.string);
+ bool is_master;
+
+ ret = is_master_host(ipactx,
+ sep ? sep + 1 : info3->base.account_name.string,
+ &is_master);
+ if (ret)
+ return ret;
+
if (is_master) {
/* Well known RID of domain controllers group */
if (info3->base.rid == 0) {

View File

@ -189,7 +189,7 @@
Name: %{package_name} Name: %{package_name}
Version: %{IPA_VERSION} Version: %{IPA_VERSION}
Release: 6%{?rc_version:.%rc_version}%{?dist}.alma.1 Release: 7%{?rc_version:.%rc_version}%{?dist}.alma.1
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
License: GPLv3+ License: GPLv3+
@ -216,7 +216,10 @@ Patch0004: 0004-server-install-remove-error-log-about-missing-bkup-file_rhb
Patch0005: 0005-automember-rebuild-add-a-notice-about-high-CPU-usage_rhbz#2018198.patch Patch0005: 0005-automember-rebuild-add-a-notice-about-high-CPU-usage_rhbz#2018198.patch
Patch0006: 0006-ipa-kdb-PAC-consistency-checker-needs-to-handle-child-domains-as-well_rhbz#2166324.patch Patch0006: 0006-ipa-kdb-PAC-consistency-checker-needs-to-handle-child-domains-as-well_rhbz#2166324.patch
Patch0007: 0007-Wipe-the-ipa-ca-DNS-record-when-updating-system-records_rhbz#2158775.patch Patch0007: 0007-Wipe-the-ipa-ca-DNS-record-when-updating-system-records_rhbz#2158775.patch
# Patch taken from Oracle Linux ipa-4.9.11-5.0.2.module+el8.8.0+21110+f1feef29.src.rpm # Patches were taken from:
# https://git.almalinux.org/rpms/ipa/raw/commit/86257fbf820076b5edaa9a657bc7ba79ef8fe058/SOURCES/0026-ipa-kdb-fix-error-handling-of-is_master_host.patch
Patch0009: 0009-ipa-kdb-fix-error-handling-of-is_master_host.patch
# Oracle Linux ipa-4.9.11-5.0.2.module+el8.8.0+21110+f1feef29.src.rpm
Patch0008: 0008-Use-krb5_pac_full_sign_compat-when-available.patch Patch0008: 0008-Use-krb5_pac_full_sign_compat-when-available.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
@ -1717,6 +1720,9 @@ fi
%endif %endif
%changelog %changelog
* Thu Sep 21 2023 Eduard Abdullin <eabdullin@almalinux.org> - 4.9.11-7.alma.1
- Apply 0009-ipa-kdb-fix-error-handling-of-is_master_host.patch
* Thu Aug 03 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 4.9.11-6.alma.1 * Thu Aug 03 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 4.9.11-6.alma.1
- bump required version of krb5 (albz#411) - bump required version of krb5 (albz#411)