diff --git a/SOURCES/0026-ipa-kdb-fix-error-handling-of-is_master_host.patch b/SOURCES/0026-ipa-kdb-fix-error-handling-of-is_master_host.patch
new file mode 100644
index 0000000..1a3e29b
--- /dev/null
+++ b/SOURCES/0026-ipa-kdb-fix-error-handling-of-is_master_host.patch
@@ -0,0 +1,85 @@
+From c84c59c66f1b22ebc671960cae90088a024d2d62 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Aug 01 2023 11:31:09 +0000
+Subject: ipa-kdb: fix error handling of is_master_host()
+
+
+Adding proper error handling to the is_master_host() function to allow
+it to make the difference between the absence of a master host object
+and a connection failure. This will keep the krb5kdc daemon from
+continuing to run with a NULL LDAP context.
+
+Fixes: https://pagure.io/freeipa/issue/9422
+
+Signed-off-by: Julien Rische
+Reviewed-By: Alexander Bokovoy
+
+---
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 83b507c..1558e2b 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -401,27 +401,29 @@ static krb5_error_code ipadb_add_asserted_identity(struct ipadb_context *ipactx,
+ return 0;
+ }
+
+-static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
++static krb5_error_code
++is_master_host(struct ipadb_context *ipactx, const char *fqdn, bool *result)
+ {
+- int ret;
++ int err;
+ char *master_host_base = NULL;
+- LDAPMessage *result = NULL;
+- krb5_error_code err;
++ LDAPMessage *ldap_res = NULL;
+
+- ret = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
++ err = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
+ fqdn, ipactx->base);
+- if (ret == -1) {
+- return false;
+- }
++ if (err == -1)
++ return ENOMEM;
++
+ err = ipadb_simple_search(ipactx, master_host_base, LDAP_SCOPE_BASE,
+- NULL, NULL, &result);
++ NULL, NULL, &ldap_res);
+ free(master_host_base);
+- ldap_msgfree(result);
+- if (err == 0) {
+- return true;
+- }
++ ldap_msgfree(ldap_res);
++ if (err != KRB5_KDB_NOENTRY && err != 0)
++ return err;
++
++ if (result)
++ *result = err != KRB5_KDB_NOENTRY;
+
+- return false;
++ return 0;
+ }
+
+ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+@@ -692,9 +694,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+ if ((is_host || is_service)) {
+ /* it is either host or service, so get the hostname first */
+ char *sep = strchr(info3->base.account_name.string, '/');
+- bool is_master = is_master_host(
+- ipactx,
+- sep ? sep + 1 : info3->base.account_name.string);
++ bool is_master;
++
++ ret = is_master_host(ipactx,
++ sep ? sep + 1 : info3->base.account_name.string,
++ &is_master);
++ if (ret)
++ return ret;
++
+ if (is_master) {
+ /* Well known RID of domain controllers group */
+ if (info3->base.rid == 0) {
+
diff --git a/SPECS/freeipa.spec b/SPECS/freeipa.spec
index 64393a3..5951f8f 100644
--- a/SPECS/freeipa.spec
+++ b/SPECS/freeipa.spec
@@ -223,7 +223,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 8%{?rc_version:.%rc_version}%{?dist}.alma +Release: 9%{?rc_version:.%rc_version}%{?dist}.alma.1 Summary: The Identity, Policy and Audit system License: GPLv3+
@@ -275,6 +275,8 @@ Patch0024: 0024-ipa-kdb-postpone-ticket-checksum-configuration.patch # Patch was taken from # https://pagure.io/freeipa/c/7060e3a031fb4e4cdf85f616f1e1a3435d61e696.patch Patch0025: 0025-Fix-OTP-on-s390x.patch +# https://pagure.io/freeipa/c/c84c59c66f1b22ebc671960cae90088a024d2d62.patch +Patch0026: 0026-ipa-kdb-fix-error-handling-of-is_master_host.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif
@@ -1763,6 +1765,9 @@ fi %endif %changelog +* Tue Sep 12 2023 Eduard Abdullin - 4.10.1-9.alma.1 +- Apply 0026-ipa-kdb-fix-error-handling-of-is_master_host.patch + * Wed Aug 02 2023 Eduard Abdullin - 4.10.1-8.alma - Apply 0025-Fix-OTP-on-s390x patch
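Review bot: `fqdn` is formatted into the search DN (`"cn=%s,cn=masters,cn=ipa,cn=etc,%s"`) in is_master_host() without RDN escaping or a character check, and the result of that base-scope lookup decides whether the domain controllers RID is assigned at the call site in ipadb_fill_info3. The string is whatever follows `/` in `account_name`; a value containing DN metacharacters such as `,` would make the search address a different entry than the intended child of `cn=masters`, and any entry found there counts as a master. Whether principal names are already restricted to hostname characters elsewhere is not visible in this patch, so I would reject such names before the `asprintf`: `if (strpbrk(fqdn, ",+\"\\<>;=") != NULL) { if (result) *result = false; return 0; }`. Separately, `bool is_master;` is only written on the success path; `bool is_master = false;` keeps the RID branch closed if a later edit adds a return that skips `*result`. ipadb_fill_info3 continues outside the hunk, so whether its new early `return ret;` skips cleanup cannot be judged from here.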