Remove outdated patches
This commit is contained in:
parent
307dce1d32
commit
8b42b6320e
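--- a/4045.patch
+++ b/4045.patch
@@ -1,46 +0,0 @@
-From cf8ab60234a263d2d813701ad07d71132b0b845e Mon Sep 17 00:00:00 2001
-From: Thomas Woerner <twoerner@redhat.com>
-Date: Mon, 16 Dec 2019 14:39:51 +0100
-Subject: [PATCH] DNS install check: Fix overlapping DNS zone from the master
-itself
-
-The change to allow overlapping zone to be from the master itself has
-introduced two issues: The check for the master itself should only executed
-if options.force and options.allow_zone_overlap are both false and the
-reverse zone check later on was still handling ValueError instead of
-dnsutil.DNSZoneAlreadyExists.
-
-Both issues have been fixed and the deployment with existing name servers
-is properly working again.
-
-Fixes: https://pagure.io/freeipa/issue/8150
-Signed-off-by: Thomas Woerner <twoerner@redhat.com>
----
-ipaserver/install/dns.py | 10 +++++-----
-1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
-index 36ba6f899d..9f08e86f9b 100644
---- a/ipaserver/install/dns.py
-+++ b/ipaserver/install/dns.py
-@@ -135,15 +135,15 @@ def install_check(standalone, api, replica, options, hostname):
-logger.warning("%s Please make sure that the domain is "
-"properly delegated to this IPA server.",
-e)
--
-- hst = dnsutil.DNSName(hostname).make_absolute().to_text()
-- if hst not in e.kwargs['ns']:
-- raise ValueError(str(e))
-+ else:
-+ hst = dnsutil.DNSName(hostname).make_absolute().to_text()
-+ if hst not in e.kwargs['ns']:
-+ raise ValueError(str(e))
-
-for reverse_zone in options.reverse_zones:
-try:
-dnsutil.check_zone_overlap(reverse_zone)
-- except ValueError as e:
-+ except dnsutil.DNSZoneAlreadyExists as e:
-if options.force or options.allow_zone_overlap:
-logger.warning('%s', str(e))
-else: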
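--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -1,124 +0,0 @@
-From 1836688dde1bbc746365f85b803a53afe7f83a47 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 2 Mar 2020 16:49:48 +0100
-Subject: [PATCH 1/3] Support opendnssec 2.1.6
-
-The installation of IPA DNS server is using ods-ksmutil, but
-openddnssec 2.1.6 does not ship any more /usr/bin/ods-ksmutil. The tool
-is replaced by /usr/sbin/ods-enforcer and /usr/sbin/ods-enforcer-db-setup.
-
-The master branch currently supports fedora 30+, but fedora 30 and 31 are
-still shipping opendnssec 1.4 while fedora 32+ is shipping opendnssec 2.1.6.
-Because of this, the code needs to check at run-time if the ods-ksmutil
-command is available. If the file is missing, the code falls back to
-the new ods-enforcer and ods-enforcer-db-setup commands.
-
-This commit defines paths.ODS_ENFORCER and paths.ODS_ENFORCER_DB_SETUP
-for all platforms, but the commands are used only if ods-ksmutil is not found.
-
-Fixes: https://pagure.io/freeipa/issue/8214
----
-ipaplatform/base/paths.py | 4 ++--
-ipaplatform/base/tasks.py | 6 ++++--
-ipaplatform/debian/paths.py | 2 --
-3 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index f3a95500e3..0efe8b5a90 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -190,8 +190,8 @@ class BasePathNamespace:
-NSUPDATE = "/usr/bin/nsupdate"
-ODS_KSMUTIL = "/usr/bin/ods-ksmutil"
-ODS_SIGNER = "/usr/sbin/ods-signer"
-- ODS_ENFORCER = None
-- ODS_ENFORCER_DB_SETUP = None
-+ ODS_ENFORCER = "/usr/sbin/ods-enforcer"
-+ ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup"
-OPENSSL = "/usr/bin/openssl"
-PK12UTIL = "/usr/bin/pk12util"
-SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"
-diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
-index 86617a07f5..d36039aa23 100644
---- a/ipaplatform/base/tasks.py
-+++ b/ipaplatform/base/tasks.py
-@@ -290,9 +290,11 @@ def unconfigure_dns_resolver(self, fstore=None):
-def run_ods_setup(self):
-"""Initialize a new kasp.db
-"""
-- if paths.ODS_KSMUTIL is not None:
-+ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
-+ # OpenDNSSEC 1.4
-cmd = [paths.ODS_KSMUTIL, 'setup']
-else:
-+ # OpenDNSSEC 2.x
-cmd = [paths.ODS_ENFORCER_DB_SETUP]
-return ipautil.run(cmd, stdin="y", runas=constants.ODS_USER)
-
-@@ -305,7 +307,7 @@ def run_ods_manager(self, params, **kwargs):
-"""
-assert params[0] != 'setup'
-
-- if paths.ODS_KSMUTIL is not None:
-+ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
-# OpenDNSSEC 1.4
-cmd = [paths.ODS_KSMUTIL]
-else:
-diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
-index 764b5a2815..3a28c70ff4 100644
---- a/ipaplatform/debian/paths.py
-+++ b/ipaplatform/debian/paths.py
-@@ -67,8 +67,6 @@ class DebianPathNamespace(BasePathNamespace):
-SBIN_SERVICE = "/usr/sbin/service"
-CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
-ODS_KSMUTIL = None
-- ODS_ENFORCER = "/usr/sbin/ods-enforcer"
-- ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup"
-UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
-BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/"
-BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/"
-
-From 70acce828f46d9d6516b590a9b84d379359b8204 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Tue, 3 Mar 2020 08:00:58 +0100
-Subject: [PATCH 3/3] Remove the <Interval> from opendnssec conf
-
-In opendnssec 2.1.6, the <Interval> element is not supported in the
-configuration file.
-
-Related: https://pagure.io/freeipa/issue/8214
----
-install/share/opendnssec_conf.template | 2 +-
-ipaserver/install/opendnssecinstance.py | 6 ++++++
-2 files changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/install/share/opendnssec_conf.template b/install/share/opendnssec_conf.template
-index 3d01fb4156..5658693ac3 100644
---- a/install/share/opendnssec_conf.template
-+++ b/install/share/opendnssec_conf.template
-@@ -33,7 +33,7 @@
-</Privileges>
-
-<Datastore><SQLite>$KASP_DB</SQLite></Datastore>
-- <Interval>PT3600S</Interval>
-+ $INTERVAL
-<!-- <ManualKeyGeneration/> -->
-<!-- <RolloverNotification>P14D</RolloverNotification> -->
-
-diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
-index df39705a44..6354521b4e 100644
---- a/ipaserver/install/opendnssecinstance.py
-+++ b/ipaserver/install/opendnssecinstance.py
-@@ -179,6 +179,12 @@ def __setup_conf_files(self):
-# add pin to template
-sub_conf_dict = self.conf_file_dict
-sub_conf_dict['PIN'] = pin
-+ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
-+ # OpenDNSSEC 1.4
-+ sub_conf_dict['INTERVAL'] = '<Interval>PT3600S</Interval>'
-+ else:
-+ # OpenDNSSEC 2.x
-+ sub_conf_dict['INTERVAL'] = '<!-- Interval not used in 2x -->'
-
-ods_conf_txt = ipautil.template_file(
-os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"),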
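--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -1,61 +0,0 @@
-From d92f21ae1b3051f96043c64320a768551de39d5a Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Fri, 31 Jan 2020 22:58:18 +0100
-Subject: [PATCH 1/2] Fix DAL v8 support
-
-Signed-off-by: Isaac Boukris <iboukris@gmail.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
-daemons/ipa-kdb/ipa_kdb.c | 4 ++--
-1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
-index 3982c131b..8f3c22070 100644
---- a/daemons/ipa-kdb/ipa_kdb.c
-+++ b/daemons/ipa-kdb/ipa_kdb.c
-@@ -720,8 +720,8 @@ stub_sign_authdata(krb5_context context, unsigned int flags,
-void *ad_info, krb5_data ***auth_indicators,
-krb5_authdata ***signed_auth_data)
-{
-- krb5_db_entry *krbtgt = header_server ? header_server : server;
-- krb5_keyblock *krbtgt_key = header_key ? header_key : server_key;
-+ krb5_db_entry *krbtgt = header_server ? header_server : local_tgt;
-+ krb5_keyblock *krbtgt_key = header_key ? header_key : local_tgt_key;
-
-return ipadb_sign_authdata(context, flags, client_princ, client, server,
-krbtgt, client_key, server_key, krbtgt_key,
---
-2.24.1
-
-
-From c940f96b700d845afda014d41a0004068d379a9a Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Fri, 31 Jan 2020 23:03:09 +0100
-Subject: [PATCH 2/2] Fix legacy S4U2Proxy in DAL v8 support
-
-Signed-off-by: Isaac Boukris <iboukris@gmail.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
-daemons/ipa-kdb/ipa_kdb.c | 6 ++++++
-1 file changed, 6 insertions(+)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
-index 8f3c22070..7bd30be85 100644
---- a/daemons/ipa-kdb/ipa_kdb.c
-+++ b/daemons/ipa-kdb/ipa_kdb.c
-@@ -723,6 +723,12 @@ stub_sign_authdata(krb5_context context, unsigned int flags,
-krb5_db_entry *krbtgt = header_server ? header_server : local_tgt;
-krb5_keyblock *krbtgt_key = header_key ? header_key : local_tgt_key;
-
-+ if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
-+ client = header_server;
-+ krbtgt = local_tgt;
-+ krbtgt_key = local_tgt_key;
-+ }
-+
-return ipadb_sign_authdata(context, flags, client_princ, client, server,
-krbtgt, client_key, server_key, krbtgt_key,
-session_key, authtime, tgt_auth_data,
---
-2.24.1
-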
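--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -1,409 +0,0 @@
-From b750e3f153ef97144ea6696672000f70da8d9bf1 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Thu, 9 Jan 2020 16:44:15 -0500
-Subject: [PATCH 1/3] [KDB] Handle the removal of KRB5_KDB_FLAG_ALIAS_OK
-
-In ac8865a22138ab0c657208c41be8fd6bc7968148 (between 1.17 and 1.18),
-krb5 removed this flag, and always accepts aliases.
-
-Related-to: https://pagure.io/freeipa/issue/7879
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
----
-daemons/ipa-kdb/ipa_kdb_certauth.c | 21 +++++++-------
-daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 11 +++++--
-daemons/ipa-kdb/ipa_kdb_principals.c | 43 ++++++++++++++++------------
-3 files changed, 43 insertions(+), 32 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
-index 47911aa3d..bc6b26578 100644
---- a/daemons/ipa-kdb/ipa_kdb_certauth.c
-+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
-@@ -261,16 +261,18 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
-const krb5_db_entry *db_entry,
-char ***authinds_out)
-{
-- char *cert_filter = NULL;
-- char **domains = NULL;
-- int ret;
-+ char *cert_filter = NULL, **domains = NULL;
-+ int ret, flags = 0;
-size_t c;
-- char *principal = NULL;
-- char **auth_inds = NULL;
-+ char *principal = NULL, **auth_inds = NULL;
-LDAPMessage *res = NULL;
-krb5_error_code kerr;
-LDAPMessage *lentry;
-
-+#ifdef KRB5_KDB_FLAG_ALIAS_OK
-+ flags = KRB5_KDB_FLAG_ALIAS_OK;
-+#endif
-+
-if (moddata == NULL) {
-return KRB5_PLUGIN_NO_HANDLE;
-}
-@@ -327,10 +329,8 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
-}
-}
-
-- kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx,
-- KRB5_KDB_FLAG_ALIAS_OK,
-- principal,
-- cert_filter,
-+ kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx, flags,
-+ principal, cert_filter,
-&res);
-if (kerr != 0) {
-krb5_klog_syslog(LOG_ERR, "Search failed [%d]", kerr);
-@@ -338,8 +338,7 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
-goto done;
-}
-
-- kerr = ipadb_find_principal(context, KRB5_KDB_FLAG_ALIAS_OK, res,
-- &principal, &lentry);
-+ kerr = ipadb_find_principal(context, flags, res, &principal, &lentry);
-if (kerr == KRB5_KDB_NOENTRY) {
-krb5_klog_syslog(LOG_INFO, "No matching entry found");
-ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
-diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
-index 9467b1ba1..8d2ad66f7 100644
---- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
-+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
-@@ -22,9 +22,14 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
-enum ipadb_user_auth ua;
-struct ipadb_e_data *ied;
-struct ipadb_e_pol_limits *pol_limits = NULL;
-- int valid_auth_indicators = 0;
-+ int valid_auth_indicators = 0, flags = 0;
-krb5_db_entry *client_actual = NULL;
-
-+#ifdef KRB5_KDB_FLAG_ALIAS_OK
-+ flags = KRB5_KDB_FLAG_ALIAS_OK;
-+#endif
-+
-+
-*status = NULL;
-*lifetime_out = 0;
-*renew_lifetime_out = 0;
-@@ -33,8 +38,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
-if (ied == NULL || ied->magic != IPA_E_DATA_MAGIC) {
-/* e-data is not availble, getting user auth from LDAP */
-krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: client e_data not availble. Try fetching...");
-- kerr = ipadb_get_principal(context, request->client,
-- KRB5_KDB_FLAG_ALIAS_OK, &client_actual);
-+ kerr = ipadb_get_principal(context, request->client, flags,
-+ &client_actual);
-if (kerr != 0) {
-krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: ipadb_find_principal failed.");
-return kerr;
-diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
-index 47e44f090..da0b841a1 100644
---- a/daemons/ipa-kdb/ipa_kdb_principals.c
-+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
-@@ -964,8 +964,7 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
-LDAPMessage **result)
-{
-krb5_error_code kerr;
-- char *src_filter = NULL;
-- char *esc_original_princ = NULL;
-+ char *src_filter = NULL, *esc_original_princ = NULL;
-int ret;
-
-if (!ipactx->lcontext) {
-@@ -976,28 +975,33 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
-}
-}
-
-- /* escape filter but do not touch '*' as this function accepts
-- * wildcards in names */
-+ /* Escape filter but do not touch '*' as this function accepts
-+ * wildcards in names. */
-esc_original_princ = ipadb_filter_escape(principal, false);
-if (!esc_original_princ) {
-kerr = KRB5_KDB_INTERNAL_ERROR;
-goto done;
-}
-
-- if (filter == NULL) {
-- if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
-+ /* Starting in DAL 8.0, aliases are always okay. */
-+#ifdef KRB5_KDB_FLAG_ALIAS_OK
-+ if (!(flags & KRB5_KDB_FLAG_ALIAS_OK)) {
-+ if (filter == NULL) {
-+ ret = asprintf(&src_filter, PRINC_SEARCH_FILTER,
-+ esc_original_princ);
-+ } else {
-+ ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
-+ esc_original_princ, filter);
-+ }
-+ } else
-+#endif
-+ {
-+ if (filter == NULL) {
-ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
-esc_original_princ, esc_original_princ);
-} else {
-- ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
-- }
-- } else {
-- if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
-ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
-esc_original_princ, esc_original_princ, filter);
-- } else {
-- ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
-- esc_original_princ, filter);
-}
-}
-
-@@ -1006,11 +1010,8 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
-goto done;
-}
-
-- kerr = ipadb_simple_search(ipactx,
-- ipactx->base, LDAP_SCOPE_SUBTREE,
-- src_filter, std_principal_attrs,
-- result);
--
-+ kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE,
-+ src_filter, std_principal_attrs, result);
-done:
-free(src_filter);
-free(esc_original_princ);
-@@ -1054,6 +1055,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
-/* We need to check for a strict match as a '*' in the name may have
-* caused the ldap server to return multiple entries. */
-for (int i = 0; vals[i]; i++) {
-+#ifdef KRB5_KDB_FLAG_ALIAS_OK
-if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
-found = strcmp(vals[i]->bv_val, *principal) == 0;
-if (found)
-@@ -1061,6 +1063,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
-
-continue;
-}
-+#endif
-
-/* The KDC will accept aliases when doing TGT lookup
-* (ref_tgt_again in do_tgs_req.c), so use case-insensitive
-@@ -1094,6 +1097,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
-if (vals == NULL)
-break;
-
-+#ifdef KRB5_KDB_FLAG_ALIAS_OK
-/* If aliases aren't accepted by the KDC, use case-sensitive
-* comparison. */
-if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
-@@ -1103,6 +1107,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
-continue;
-}
-}
-+#endif
-
-free(*principal);
-*principal = strdup(vals[0]->bv_val);
-@@ -2601,7 +2606,9 @@ krb5_error_code ipadb_delete_principal(krb5_context kcontext,
-goto done;
-}
-
-+#ifdef KRB5_KDB_FLAG_ALIAS_OK
-flags = KRB5_KDB_FLAG_ALIAS_OK;
-+#endif
-kerr = ipadb_find_principal(kcontext, flags, res, &canonicalized, &lentry);
-if (kerr != 0) {
-goto done;
---
-2.24.1
-
-
-From 0dfebd690dc79db8f4fdcd663508e5d7e095eb20 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Thu, 9 Jan 2020 17:02:44 -0500
-Subject: [PATCH 2/3] [KDB] Support DAL version 8.0
-
-Provide stubs for backward compatibility. DAL 8.0 was released with
-krb5-1.18.
-
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
----
-daemons/ipa-kdb/ipa_kdb.c | 61 ++++++++++++++++++++++++++++++++++++++-
-freeipa.spec.in | 2 +-
-2 files changed, 61 insertions(+), 2 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
-index 612857b38..9a5c29b13 100644
---- a/daemons/ipa-kdb/ipa_kdb.c
-+++ b/daemons/ipa-kdb/ipa_kdb.c
-@@ -751,8 +751,67 @@ kdb_vftabl kdb_function_table = {
-};
-#endif
-
-+#if (KRB5_KDB_DAL_MAJOR_VERSION == 8)
-+/* Version 8 adds several arguments here. However, if we want to actually use
-+ * them in mspac, we really ought to drop support for older DAL versions. */
-+static inline krb5_error_code
-+stub_sign_authdata(krb5_context context, unsigned int flags,
-+ krb5_const_principal client_princ,
-+ krb5_const_principal server_princ, krb5_db_entry *client,
-+ krb5_db_entry *server, krb5_db_entry *header_server,
-+ krb5_db_entry *local_tgt, krb5_keyblock *client_key,
-+ krb5_keyblock *server_key, krb5_keyblock *header_key,
-+ krb5_keyblock *local_tgt_key, krb5_keyblock *session_key,
-+ krb5_timestamp authtime, krb5_authdata **tgt_auth_data,
-+ void *ad_info, krb5_data ***auth_indicators,
-+ krb5_authdata ***signed_auth_data)
-+{
-+ krb5_db_entry *krbtgt = header_server ? header_server : server;
-+ krb5_keyblock *krbtgt_key = header_key ? header_key : server_key;
-+
-+ return ipadb_sign_authdata(context, flags, client_princ, client, server,
-+ krbtgt, client_key, server_key, krbtgt_key,
-+ session_key, authtime, tgt_auth_data,
-+ signed_auth_data);
-+}
-+
-+kdb_vftabl kdb_function_table = {
-+ .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
-+ .min_ver = 0,
-+ .init_library = ipadb_init_library,
-+ .fini_library = ipadb_fini_library,
-+ .init_module = ipadb_init_module,
-+ .fini_module = ipadb_fini_module,
-+ .create = ipadb_create,
-+ .get_age = ipadb_get_age,
-+ .get_principal = ipadb_get_principal,
-+ .put_principal = ipadb_put_principal,
-+ .delete_principal = ipadb_delete_principal,
-+ .iterate = ipadb_iterate,
-+ .create_policy = ipadb_create_pwd_policy,
-+ .get_policy = ipadb_get_pwd_policy,
-+ .put_policy = ipadb_put_pwd_policy,
-+ .iter_policy = ipadb_iterate_pwd_policy,
-+ .delete_policy = ipadb_delete_pwd_policy,
-+ .fetch_master_key = ipadb_fetch_master_key,
-+ .store_master_key_list = ipadb_store_master_key_list,
-+ .change_pwd = ipadb_change_pwd,
-+ .sign_authdata = stub_sign_authdata,
-+ .check_transited_realms = ipadb_check_transited_realms,
-+ .check_policy_as = ipadb_check_policy_as,
-+ .audit_as_req = ipadb_audit_as_req,
-+ .check_allowed_to_delegate = ipadb_check_allowed_to_delegate,
-+ .free_principal_e_data = ipadb_free_principal_e_data,
-+ .get_s4u_x509_principal = NULL,
-+ .allowed_to_delegate_from = NULL,
-+ .get_authdata_info = NULL,
-+ .free_authdata_info = NULL,
-+};
-+#endif
-+
-#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \
-(KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
-- (KRB5_KDB_DAL_MAJOR_VERSION != 7)
-+ (KRB5_KDB_DAL_MAJOR_VERSION != 7) && \
-+ (KRB5_KDB_DAL_MAJOR_VERSION != 8)
-#error unsupported DAL major version
-#endif
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index 502ac2499..7617c935a 100755
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -61,7 +61,7 @@
-%global alt_name ipa
-# Fix for CVE-2018-20217
-%global krb5_version 1.16.1-24
--%global krb5_kdb_version 7.0
-+%global krb5_kdb_version 8.0
-# 0.7.16: https://github.com/drkjam/netaddr/issues/71
-%global python_netaddr_version 0.7.16
-# Require 4.7.0 which brings Python 3 bindings
---
-2.24.1
-
-
-From fb48a25c43c2110c27d36f09ac533403738328e2 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Thu, 9 Jan 2020 17:08:07 -0500
-Subject: [PATCH 3/3] [KDB] Drop support for DAL version 5.0
-
-No supported Linux distro packages a version of krb5 with this DAL, so
-we don't lose anything by removing it.
-
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
----
-daemons/ipa-kdb/ipa_kdb.c | 49 +--------------------------------------
-1 file changed, 1 insertion(+), 48 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
-index 9a5c29b13..3982c131b 100644
---- a/daemons/ipa-kdb/ipa_kdb.c
-+++ b/daemons/ipa-kdb/ipa_kdb.c
-@@ -635,57 +635,11 @@ static krb5_error_code ipadb_get_age(krb5_context kcontext,
-return 0;
-}
-
--#if KRB5_KDB_DAL_MAJOR_VERSION == 5
--static void *ipadb_alloc(krb5_context context, void *ptr, size_t size)
--{
-- return realloc(ptr, size);
--}
--
--static void ipadb_free(krb5_context context, void *ptr)
--{
-- free(ptr);
--}
--#endif
--
-/* KDB Virtual Table */
-
-/* We explicitly want to keep different ABI tables below separate. */
-/* Do not merge them together. Older ABI does not need to be updated */
-
--#if KRB5_KDB_DAL_MAJOR_VERSION == 5
--kdb_vftabl kdb_function_table = {
-- .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
-- .min_ver = 0,
-- .init_library = ipadb_init_library,
-- .fini_library = ipadb_fini_library,
-- .init_module = ipadb_init_module,
-- .fini_module = ipadb_fini_module,
-- .create = ipadb_create,
-- .get_age = ipadb_get_age,
-- .get_principal = ipadb_get_principal,
-- .free_principal = ipadb_free_principal,
-- .put_principal = ipadb_put_principal,
-- .delete_principal = ipadb_delete_principal,
-- .iterate = ipadb_iterate,
-- .create_policy = ipadb_create_pwd_policy,
-- .get_policy = ipadb_get_pwd_policy,
-- .put_policy = ipadb_put_pwd_policy,
-- .iter_policy = ipadb_iterate_pwd_policy,
-- .delete_policy = ipadb_delete_pwd_policy,
-- .free_policy = ipadb_free_pwd_policy,
-- .alloc = ipadb_alloc,
-- .free = ipadb_free,
-- .fetch_master_key = ipadb_fetch_master_key,
-- .store_master_key_list = ipadb_store_master_key_list,
-- .change_pwd = ipadb_change_pwd,
-- .sign_authdata = ipadb_sign_authdata,
-- .check_transited_realms = ipadb_check_transited_realms,
-- .check_policy_as = ipadb_check_policy_as,
-- .audit_as_req = ipadb_audit_as_req,
-- .check_allowed_to_delegate = ipadb_check_allowed_to_delegate
--};
--#endif
--
-#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
-kdb_vftabl kdb_function_table = {
-.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
-@@ -809,8 +763,7 @@ kdb_vftabl kdb_function_table = {
-};
-#endif
-
--#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \
-- (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
-+#if (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
-(KRB5_KDB_DAL_MAJOR_VERSION != 7) && \
-(KRB5_KDB_DAL_MAJOR_VERSION != 8)
-#error unsupported DAL major version
---
-2.24.1
-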
@ -1,272 +0,0 @@
|
|||||||
From 86a8d9480aa402f885c72ccbcfeeb2bac488f268 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Date: Wed, 31 Jul 2019 18:20:34 -0400
|
|
||||||
Subject: [PATCH 1/3] Make the coding style explicit
|
|
||||||
|
|
||||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
daemons/ipa-kdb/README | 18 ++++++++++++++++++
|
|
||||||
1 file changed, 18 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/README b/daemons/ipa-kdb/README
|
|
||||||
index b0786853b..4075082ee 100644
|
|
||||||
--- a/daemons/ipa-kdb/README
|
|
||||||
+++ b/daemons/ipa-kdb/README
|
|
||||||
@@ -1 +1,19 @@
|
|
||||||
This is the ipa krb5kdc database backend.
|
|
||||||
+
|
|
||||||
+As the KDB interfaces heavily with krb5, we inherit its code style as well.
|
|
||||||
+However, note the following changes:
|
|
||||||
+
|
|
||||||
+- no modelines (and different file preamble)
|
|
||||||
+- return types don't require their own line
|
|
||||||
+- single-statement blocks may optionally be braced
|
|
||||||
+- /* and */ do not ever get their own line
|
|
||||||
+- C99 for-loops are permitted (and encouraged)
|
|
||||||
+- a restricted set of other C99 features are permitted
|
|
||||||
+
|
|
||||||
+In particular, variable-length arrays, flexible array members, compound
|
|
||||||
+literals, universal character names, and //-style comments are not permitted.
|
|
||||||
+
|
|
||||||
+Use of regular malloc/free is preferred over talloc for new code.
|
|
||||||
+
|
|
||||||
+By and large, existing code mostly conforms to these requirements. New code
|
|
||||||
+must conform to them.
|
|
||||||
--
|
|
||||||
2.24.1
|
|
||||||
|
|
||||||
|
|
||||||
From 01c1b270cd83ab6573dc0a502ac37d0182503c3d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Date: Fri, 1 Nov 2019 16:48:55 -0400
|
|
||||||
Subject: [PATCH 2/3] Use separate variable for client fetch in kdcpolicy
|
|
||||||
|
|
||||||
`client` is not intended to be modified as a parameter of the AS check
|
|
||||||
function. Fixes an "incompatible pointer type" compiler warning.
|
|
||||||
|
|
||||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 6 ++++--
|
|
||||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
|
||||||
index 0b8aa668f..9467b1ba1 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
|
||||||
@@ -23,6 +23,7 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
|
|
||||||
struct ipadb_e_data *ied;
|
|
||||||
struct ipadb_e_pol_limits *pol_limits = NULL;
|
|
||||||
int valid_auth_indicators = 0;
|
|
||||||
+ krb5_db_entry *client_actual = NULL;
|
|
||||||
|
|
||||||
*status = NULL;
|
|
||||||
*lifetime_out = 0;
|
|
||||||
@@ -32,13 +33,14 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
|
|
||||||
if (ied == NULL || ied->magic != IPA_E_DATA_MAGIC) {
|
|
||||||
/* e-data is not availble, getting user auth from LDAP */
|
|
||||||
krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: client e_data not availble. Try fetching...");
|
|
||||||
- kerr = ipadb_get_principal(context, request->client, KRB5_KDB_FLAG_ALIAS_OK, &client);
|
|
||||||
+ kerr = ipadb_get_principal(context, request->client,
|
|
||||||
+ KRB5_KDB_FLAG_ALIAS_OK, &client_actual);
|
|
||||||
if (kerr != 0) {
|
|
||||||
krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: ipadb_find_principal failed.");
|
|
||||||
return kerr;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ied = (struct ipadb_e_data *)client->e_data;
|
|
||||||
+ ied = (struct ipadb_e_data *)client_actual->e_data;
|
|
||||||
if (ied == NULL && ied->magic != IPA_E_DATA_MAGIC) {
|
|
||||||
krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: client e_data fetching failed.");
|
|
||||||
return EINVAL;
|
|
||||||
--
|
|
||||||
2.24.1
|
|
||||||
|
|
||||||
|
|
||||||
From 6bdd6b3d265ffc2f437e2a69707978758c2efdd8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Date: Thu, 9 Jan 2020 16:11:28 -0500
|
|
||||||
Subject: [PATCH 3/3] Fix several leaks in ipadb_find_principal
|
|
||||||
|
|
||||||
`vals` is often leaked during early exit. Refactor function to use a
|
|
||||||
single exit path to prevent this.
|
|
||||||
|
|
||||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
daemons/ipa-kdb/ipa_kdb_principals.c | 132 +++++++++++++--------------
|
|
||||||
1 file changed, 64 insertions(+), 68 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
||||||
index 9e711cea5..47e44f090 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
||||||
@@ -1035,100 +1035,96 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
|
|
||||||
struct ipadb_context *ipactx;
|
|
||||||
bool found = false;
|
|
||||||
LDAPMessage *le = NULL;
|
|
||||||
- struct berval **vals;
|
|
||||||
- int i, result;
|
|
||||||
+ struct berval **vals = NULL;
|
|
||||||
+ int result;
|
|
||||||
+ krb5_error_code ret;
|
|
||||||
|
|
||||||
ipactx = ipadb_get_context(kcontext);
|
|
||||||
if (!ipactx) {
|
|
||||||
- return KRB5_KDB_DBNOTINITED;
|
|
||||||
+ ret = KRB5_KDB_DBNOTINITED;
|
|
||||||
+ goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- while (!found) {
|
|
||||||
-
|
|
||||||
- if (!le) {
|
|
||||||
- le = ldap_first_entry(ipactx->lcontext, res);
|
|
||||||
- } else {
|
|
||||||
- le = ldap_next_entry(ipactx->lcontext, le);
|
|
||||||
- }
|
|
||||||
- if (!le) {
|
|
||||||
- break;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
+ for (le = ldap_first_entry(ipactx->lcontext, res); le != NULL;
|
|
||||||
+ le = ldap_next_entry(ipactx->lcontext, le)) {
|
|
||||||
vals = ldap_get_values_len(ipactx->lcontext, le, "krbprincipalname");
|
|
||||||
- if (vals == NULL) {
|
|
||||||
+ if (vals == NULL)
|
|
||||||
continue;
|
|
||||||
- }
|
|
||||||
|
|
||||||
- /* we need to check for a strict match as a '*' in the name may have
|
|
||||||
- * caused the ldap server to return multiple entries */
|
|
||||||
- for (i = 0; vals[i]; i++) {
|
|
||||||
- /* KDC will accept aliases when doing TGT lookup (ref_tgt_again in do_tgs_req.c */
|
|
||||||
- /* Use case-insensitive comparison in such cases */
|
|
||||||
- if ((flags & KRB5_KDB_FLAG_ALIAS_OK) != 0) {
|
|
||||||
- if (ulc_casecmp(vals[i]->bv_val, vals[i]->bv_len,
|
|
||||||
- (*principal), strlen(*principal),
|
|
||||||
- NULL, NULL, &result) != 0)
|
|
||||||
- return KRB5_KDB_INTERNAL_ERROR;
|
|
||||||
- found = (result == 0);
|
|
||||||
- if (found) {
|
|
||||||
- /* replace the incoming principal with the value having
|
|
||||||
- * the correct case. This ensures that valid name/alias
|
|
||||||
- * is returned even if krbCanonicalName is not present
|
|
||||||
- */
|
|
||||||
- free(*principal);
|
|
||||||
- *principal = strdup(vals[i]->bv_val);
|
|
||||||
- if (!(*principal)) {
|
|
||||||
- return KRB5_KDB_INTERNAL_ERROR;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
- } else {
|
|
||||||
- found = (strcmp(vals[i]->bv_val, (*principal)) == 0);
|
|
||||||
+ /* We need to check for a strict match as a '*' in the name may have
|
|
||||||
+ * caused the ldap server to return multiple entries. */
|
|
||||||
+ for (int i = 0; vals[i]; i++) {
|
|
||||||
+ if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
|
|
||||||
+ found = strcmp(vals[i]->bv_val, *principal) == 0;
|
|
||||||
+ if (found)
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ continue;
|
|
||||||
}
|
|
||||||
- if (found) {
|
|
||||||
- break;
|
|
||||||
+
|
|
||||||
+ /* The KDC will accept aliases when doing TGT lookup
|
|
||||||
+ * (ref_tgt_again in do_tgs_req.c), so use case-insensitive
|
|
||||||
+ * comparison. */
|
|
||||||
+ if (ulc_casecmp(vals[i]->bv_val, vals[i]->bv_len, *principal,
|
|
||||||
+ strlen(*principal), NULL, NULL, &result) != 0) {
|
|
||||||
+ ret = KRB5_KDB_INTERNAL_ERROR;
|
|
||||||
+ goto done;
|
|
||||||
}
|
|
||||||
+ if (result != 0)
|
|
||||||
+ continue;
|
|
||||||
+
|
|
||||||
+ /* Fix case on the incoming principal to ensure that a valid
|
|
||||||
+ * name/alias is returned even if krbCanonicalName is not
|
|
||||||
+ * present. */
|
|
||||||
+ free(*principal);
|
|
||||||
+ *principal = strdup(vals[i]->bv_val);
|
|
||||||
+ if (!*principal) {
|
|
||||||
+ ret = KRB5_KDB_INTERNAL_ERROR;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ found = true;
|
|
||||||
+ break;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- ldap_value_free_len(vals);
|
|
||||||
-
|
|
||||||
- if (!found) {
|
|
||||||
+ if (!found)
|
|
||||||
continue;
|
|
||||||
- }
|
|
||||||
|
|
||||||
- /* we need to check if this is the canonical name */
|
|
||||||
+ /* We need to check if this is the canonical name. */
|
|
||||||
+ ldap_value_free_len(vals);
|
|
||||||
vals = ldap_get_values_len(ipactx->lcontext, le, "krbcanonicalname");
|
|
||||||
- if (vals == NULL) {
|
|
||||||
- continue;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* Again, if aliases are accepted by KDC, use case-insensitive comparison */
|
|
||||||
- if ((flags & KRB5_KDB_FLAG_ALIAS_OK) != 0) {
|
|
||||||
- found = true;
|
|
||||||
- } else {
|
|
||||||
- found = (strcmp(vals[0]->bv_val, (*principal)) == 0);
|
|
||||||
- }
|
|
||||||
+ if (vals == NULL)
|
|
||||||
+ break;
|
|
||||||
|
|
||||||
- if (!found) {
|
|
||||||
- /* search does not allow aliases */
|
|
||||||
- ldap_value_free_len(vals);
|
|
||||||
- continue;
|
|
||||||
+ /* If aliases aren't accepted by the KDC, use case-sensitive
|
|
||||||
+ * comparison. */
|
|
||||||
+ if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
|
|
||||||
+ found = strcmp(vals[0]->bv_val, *principal) == 0;
|
|
||||||
+ if (!found) {
|
|
||||||
+ ldap_value_free_len(vals);
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
free(*principal);
|
|
||||||
*principal = strdup(vals[0]->bv_val);
|
|
||||||
- if (!(*principal)) {
|
|
||||||
- return KRB5_KDB_INTERNAL_ERROR;
|
|
||||||
+ if (!*principal) {
|
|
||||||
+ ret = KRB5_KDB_INTERNAL_ERROR;
|
|
||||||
+ goto done;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- ldap_value_free_len(vals);
|
|
||||||
+ break;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!found || !le) {
|
|
||||||
- return KRB5_KDB_NOENTRY;
|
|
||||||
+ ret = KRB5_KDB_NOENTRY;
|
|
||||||
+ goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ret = 0;
|
|
||||||
*entry = le;
|
|
||||||
- return 0;
|
|
||||||
+done:
|
|
||||||
+ if (vals)
|
|
||||||
+ ldap_value_free_len(vals);
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
|
|
||||||
--
|
|
||||||
2.24.1
|
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
From 30b8c8b9985a5eb41e700b80fd03f95548e45fba Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Feb 17 2020 15:40:16 +0000
|
|
||||||
Subject: kdb: make sure audit_as_req callback signature change is preserved
|
|
||||||
|
|
||||||
|
|
||||||
audit_as_req() callback has changed its signature with MIT krb5 commit
|
|
||||||
20991d55efbe1f987c1dbc1065f2d58c8f34031b in 2017, we should preserve the
|
|
||||||
change for any newer DAL versions. Otherwise audit_as_req() callback
|
|
||||||
would reference wrong data and we might crash.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8200
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
|
|
||||||
index 7519f26..ae37a5a 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb.h
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb.h
|
|
||||||
@@ -345,7 +345,7 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
|
|
||||||
|
|
||||||
void ipadb_audit_as_req(krb5_context kcontext,
|
|
||||||
krb5_kdc_req *request,
|
|
||||||
-#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
|
|
||||||
+#if (KRB5_KDB_DAL_MAJOR_VERSION >= 7)
|
|
||||||
const krb5_address *local_addr,
|
|
||||||
const krb5_address *remote_addr,
|
|
||||||
#endif
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
|
|
||||||
index 77748a7..a60bc82 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
|
|
||||||
@@ -25,7 +25,7 @@
|
|
||||||
|
|
||||||
void ipadb_audit_as_req(krb5_context kcontext,
|
|
||||||
krb5_kdc_req *request,
|
|
||||||
-#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
|
|
||||||
+#if (KRB5_KDB_DAL_MAJOR_VERSION >= 7)
|
|
||||||
const krb5_address *local_addr,
|
|
||||||
const krb5_address *remote_addr,
|
|
||||||
#endif
|
|
||||||
|
|