rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import ipa-4.8.7-16.module+el8.3.0+10289+b6566038

Browse Source
This commit is contained in:
CentOS Sources 2021-04-06 09:33:46 -04:00 committed by Andrew Lukoshko
parent 6e41b73a3b
commit eb3a2cb921
3 changed files with 763 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

127
SOURCES/0028-ipa-kdb-fix-crash-in-MS-PAC-cache-init-code.patch Normal file
View File

@ -0,0 +1,127 @@
From 81cbee4e3ff2e667946e0d41097b402257608b7e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 6 Nov 2020 14:07:10 +0200
Subject: [PATCH] ipa-kdb: fix crash in MS-PAC cache init code
When initializing UPN suffixes, we calculate their sizes and didn't use
the right variable to allocate their size. This affects us if there are
more than one UPN suffix available for a trust due to memory corruption
while filling in sizes.
Add unit test for multiple UPN suffixes.
Fixes: https://pagure.io/freeipa/issue/8566
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +-
daemons/ipa-kdb/tests/ipa_kdb_tests.c | 50 +++++++++++++++++++++++++++
2 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index dd29db190..fe5b586b6 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2610,7 +2610,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
for (; t[n].upn_suffixes[len] != NULL; len++);
if (len != 0) {
- t[n].upn_suffixes_len = calloc(n, sizeof(size_t));
+ t[n].upn_suffixes_len = calloc(len, sizeof(size_t));
if (t[n].upn_suffixes_len == NULL) {
ret = ENOMEM;
goto done;
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index d3ef5c00d..752b24ea4 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -71,6 +71,10 @@
#define DOM_SID "S-1-5-21-1-2-3"
#define DOM_SID_TRUST "S-1-5-21-4-5-6"
#define BLACKLIST_SID "S-1-5-1"
+#define NUM_SUFFIXES 10
+#define SUFFIX_TEMPLATE "d%0d" DOMAIN_NAME
+#define TEST_REALM_TEMPLATE "some." SUFFIX_TEMPLATE
+#define EXTERNAL_REALM "WRONG.DOMAIN"
static int setup(void **state)
{
@@ -92,6 +96,9 @@
ipa_ctx = calloc(1, sizeof(struct ipadb_context));
assert_non_null(ipa_ctx);
+ kerr = krb5_get_default_realm(krb5_ctx, &ipa_ctx->realm);
+ assert_int_equal(kerr, 0);
+
ipa_ctx->mspac = calloc(1, sizeof(struct ipadb_mspac));
assert_non_null(ipa_ctx->mspac);
@@ -126,6 +133,15 @@
&ipa_ctx->mspac->trusts[0].sid_blacklist_incoming[0]);
assert_int_equal(ret, 0);
+ ipa_ctx->mspac->trusts[0].upn_suffixes = calloc(NUM_SUFFIXES + 1, sizeof(char *));
+ ipa_ctx->mspac->trusts[0].upn_suffixes_len = calloc(NUM_SUFFIXES, sizeof(size_t));
+ for (size_t i = 0; i < NUM_SUFFIXES; i++) {
+ asprintf(&(ipa_ctx->mspac->trusts[0].upn_suffixes[i]), SUFFIX_TEMPLATE, i);
+ ipa_ctx->mspac->trusts[0].upn_suffixes_len[i] =
+ strlen(ipa_ctx->mspac->trusts[0].upn_suffixes[i]);
+
+ }
+
ipa_ctx->kcontext = krb5_ctx;
kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
assert_int_equal(kerr, 0);
@@ -478,6 +494,38 @@
}
+void test_check_trusted_realms(void **state)
+{
+ struct test_ctx *test_ctx;
+ krb5_error_code kerr = 0;
+ char *trusted_realm = NULL;
+
+ test_ctx = (struct test_ctx *) *state;
+
+ for(size_t i = 0; i < NUM_SUFFIXES; i++) {
+ char *test_realm = NULL;
+ asprintf(&test_realm, TEST_REALM_TEMPLATE, i);
+
+ if (test_realm) {
+ kerr = ipadb_is_princ_from_trusted_realm(
+ test_ctx->krb5_ctx,
+ test_realm,
+ strlen(test_realm),
+ &trusted_realm);
+ assert_int_equal(kerr, 0);
+ free(test_realm);
+ free(trusted_realm);
+ }
+ }
+
+ kerr = ipadb_is_princ_from_trusted_realm(
+ test_ctx->krb5_ctx,
+ EXTERNAL_REALM,
+ strlen(EXTERNAL_REALM),
+ &trusted_realm);
+ assert_int_equal(kerr, KRB5_KDB_NOENTRY);
+}
+
int main(int argc, const char *argv[])
{
const struct CMUnitTest tests[] = {
@@ -488,6 +536,8 @@
cmocka_unit_test(test_string_to_sid),
cmocka_unit_test_setup_teardown(test_dom_sid_string,
setup, teardown),
+ cmocka_unit_test_setup_teardown(test_check_trusted_realms,
+ setup, teardown),
};
return cmocka_run_group_tests(tests, NULL, NULL);
--
2.29.2

625
SOURCES/0029-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1935146.patch Normal file
View File

@ -0,0 +1,625 @@
Adapted version due to missing patches:
commit 1f1e7dbe6131b3cdc0ba81b454c7729126bfa6ee
Author: Slava Aseev <ptrnine@altlinux.org>
Date: Mon Nov 23 18:23:01 2020 +0300
ipa-kdb: handle dates up to 2106-02-07 06:28:16
commit 44c222aca9bb0056004f15dfb187d3f249ed0452
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu Dec 17 12:22:47 2020 +0200
ipa-kdb: use predefined filters for a wild-card searches
commit 78a7ab0daf0d5ebd388046aec6e1c9328e0564a8
Author: Robbie Harwood <rharwood@redhat.com>
Date: Tue Nov 10 14:07:47 2020 -0500
ipa-kdb: implement AS-REQ lifetime jitter
commit d6a8fc290aa93fc5d53025f4400a9736366175eb
Author: Rob Crittenden <rcritten@redhat.com>
Date: Thu Sep 24 22:39:36 2020 -0400
Pass the user to the password policy check in the kdb driver
From 701d0fb0415497fe9fe8fbf25fa800041e2a2b40 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 23 Feb 2021 10:06:25 +0200
Subject: [PATCH] ipa-kdb: fix compiler warnings
There are few fields in KDB structures that have 'conflicting' types but
need to be compared. They come from MIT Kerberos and we have no choice
here.
In the same way, SID structures have own requirements.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_audit_as.c | 4 ++--
daemons/ipa-kdb/ipa_kdb_mspac.c | 6 +++---
daemons/ipa-kdb/ipa_kdb_principals.c | 6 +++---
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +-
4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
index ed48ea758..ec2046bfe 100644
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
@@ -110,13 +110,13 @@ void ipadb_audit_as_req(krb5_context kcontext,
}
if (client->last_failed + ied->pol->lockout_duration > authtime &&
- (client->fail_auth_count >= ied->pol->max_fail &&
+ (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail &&
ied->pol->max_fail != 0)) {
/* client already locked, nothing more to do */
break;
}
if (ied->pol->max_fail == 0 ||
- client->fail_auth_count < ied->pol->max_fail) {
+ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
/* let's increase the fail counter */
client->fail_auth_count++;
client->mask |= KMASK_FAIL_AUTH_COUNT;
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index c6ac593ca..050100430 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -147,9 +147,9 @@ int string_to_sid(const char *str, struct dom_sid *sid)
char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
{
- size_t c;
+ int8_t c;
size_t len;
- int ofs;
+ size_t ofs;
uint32_t ia;
char *buf;
@@ -2606,7 +2606,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
t[n].upn_suffixes_len = NULL;
if (t[n].upn_suffixes != NULL) {
- size_t len = 0;
+ int len = 0;
for (; t[n].upn_suffixes[len] != NULL; len++);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index d1fa51578..59337a4ca 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -491,7 +491,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext,
l = len;
for (i = 0; i < count; i++) {
ret = snprintf(ap, l, "%s ", authinds[i]);
- if (ret <= 0 || ret > l) {
+ if (ret <= 0 || ret > (int) l) {
ret = ENOMEM;
goto cleanup;
}
@@ -2064,7 +2064,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
char *s = NULL;
size_t ai_size = 0;
int cnt = 0;
- int i = 0;
+ size_t i = 0;
ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais);
if (ret) {
@@ -2445,7 +2445,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods)
{
krb5_error_code kerr;
LDAPMod *m = NULL;
- int i;
+ size_t i;
kerr = ipadb_mods_new(imods, &m);
if (kerr) {
diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
index 4965e6d7f..6f21ef867 100644
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@@ -328,7 +328,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
}
if (ied->pol->max_fail == 0 ||
- client->fail_auth_count < ied->pol->max_fail) {
+ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
/* still within allowed failures range */
return 0;
}
--
2.29.2
From d454ca8f004954f19622fe61ad9e2854359f3784 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 24 Feb 2021 20:51:40 +0200
Subject: [PATCH] ipa-kdb: add missing prototypes
On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings
about function prototypes missing. If -Werror is specified, this breaks
compilation.
We also default to -Werror=implicit-function-declaration
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 4 ++++
daemons/ipa-kdb/ipa_kdb_mspac.c | 20 ++++++++++++--------
daemons/ipa-kdb/ipa_kdb_mspac_private.h | 4 ++++
3 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 7f03f2f03..6976f9ba9 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -9,6 +9,10 @@
#include "ipa_krb5.h"
#include "ipa_kdb.h"
+krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context,
+ int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable);
+
static krb5_error_code
ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
const krb5_kdc_req *request,
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 050100430..c05fb717a 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2403,9 +2403,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
*mspac = NULL;
}
-krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
- struct dom_sid **result_sids,
- int *result_length)
+static krb5_error_code
+ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
+ struct dom_sid **result_sids,
+ int *result_length)
{
int len, i;
char **source;
@@ -2436,9 +2437,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
return 0;
}
-krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
- char **sid_blacklist_incoming,
- char **sid_blacklist_outgoing)
+static krb5_error_code
+ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
+ char **sid_blacklist_incoming,
+ char **sid_blacklist_outgoing)
{
krb5_error_code kerr;
@@ -2459,7 +2461,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus
return 0;
}
-krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
+static krb5_error_code
+ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
{
char *attrs[] = { NULL };
char *filter = "(objectclass=ipaNTTrustedDomain)";
@@ -2504,7 +2507,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blacklist_incoming, char ***si
}
}
-krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+static krb5_error_code
+ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
{
struct ipadb_adtrusts *t;
LDAP *lc = ipactx->lcontext;
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
index b21aa163f..2369e16f8 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
@@ -53,3 +53,7 @@ struct ipadb_adtrusts {
int string_to_sid(const char *str, struct dom_sid *sid);
char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid);
+krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx,
+ krb5_data realm, struct PAC_LOGON_INFO_CTR *info);
+void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
+ bool *_with_pac, bool *_with_pad);
\ No newline at end of file
--
2.29.2
From da98a6fcb81ee3ac7df8bb238a0793809c2be3fd Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 24 Feb 2021 20:52:15 +0200
Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth
Add prototype to the exported function
Replace few tabs by spaces and mark static code as static.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
index bc6b26578..3a3060c92 100644
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -71,10 +71,13 @@ struct krb5_certauth_moddata_st {
time_t valid_until;
};
-void ipa_certmap_debug(void *private,
- const char *file, long line,
- const char *function,
- const char *format, ...)
+krb5_error_code certauth_ipakdb_initvt(krb5_context context,
+ int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable);
+
+static void ipa_certmap_debug(void *private, const char *file, long line,
+ const char *function,
+ const char *format, ...)
{
va_list ap;
char str[255] = { 0 };
@@ -354,12 +357,12 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
* so there is nothing more to add here. */
auth_inds = calloc(2, sizeof(char *));
if (auth_inds != NULL) {
- ret = asprintf(&auth_inds[0], "pkinit");
- if (ret != -1) {
+ ret = asprintf(&auth_inds[0], "pkinit");
+ if (ret != -1) {
auth_inds[1] = NULL;
*authinds_out = auth_inds;
- } else {
- free(auth_inds);
+ } else {
+ free(auth_inds);
}
}
@@ -404,12 +407,12 @@ static void ipa_certauth_free_indicator(krb5_context context,
size_t i = 0;
if ((authinds == NULL) || (moddata == NULL)) {
- return;
+ return;
}
for(i=0; authinds[i]; i++) {
- free(authinds[i]);
- authinds[i] = NULL;
+ free(authinds[i]);
+ authinds[i] = NULL;
}
free(authinds);
--
2.29.2
From aa7f99c08ff41f216d60152d6235922c561c2881 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 24 Feb 2021 20:55:41 +0200
Subject: [PATCH] ipa-kdb: mark test functions as static
No need to define missing prototypes to single use test functions.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
daemons/ipa-kdb/tests/ipa_kdb_tests.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index 368a2f978..960200b6e 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -180,7 +180,7 @@ extern krb5_error_code filter_logon_info(krb5_context context,
krb5_data realm,
struct PAC_LOGON_INFO_CTR *info);
-void test_filter_logon_info(void **state)
+static void test_filter_logon_info(void **state)
{
krb5_error_code kerr;
krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
@@ -315,10 +315,7 @@ void test_filter_logon_info(void **state)
}
-extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
- bool *with_pac, bool *with_pad);
-
-void test_get_authz_data_types(void **state)
+static void test_get_authz_data_types(void **state)
{
bool with_pac;
bool with_pad;
@@ -436,7 +433,7 @@ void test_get_authz_data_types(void **state)
krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
}
-void test_string_to_sid(void **state)
+static void test_string_to_sid(void **state)
{
int ret;
struct dom_sid sid;
@@ -468,7 +465,7 @@ void test_string_to_sid(void **state)
assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
}
-void test_dom_sid_string(void **state)
+static void test_dom_sid_string(void **state)
{
struct test_ctx *test_ctx;
char *str_sid;
@@ -494,7 +491,7 @@ void test_dom_sid_string(void **state)
}
-void test_check_trusted_realms(void **state)
+static void test_check_trusted_realms(void **state)
{
struct test_ctx *test_ctx;
krb5_error_code kerr = 0;
--
2.29.2
From 79baa0932d1349d46d162e7478fa4e3c8e88dc09 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 19 Feb 2021 15:37:47 +0200
Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
Calling to ipadb_get_connection() will remove LDAP context if any error
happens. This means upper layers must always verify that LDAP context
exists after such calls.
ipadb_get_user_auth() may re-read global configuration and that may fail
and cause IPA context to have NULL LDAP context.
Fixes: https://pagure.io/freeipa/issue/8681
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.c | 1 +
daemons/ipa-kdb/ipa_kdb_mspac.c | 32 +++++++++++++++-------------
daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------
3 files changed, 37 insertions(+), 22 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 33d2a6773..e7b8d7dbf 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -56,6 +56,7 @@ static void ipadb_context_free(krb5_context kcontext,
/* ldap free lcontext */
if ((*ctx)->lcontext) {
ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL);
+ (*ctx)->lcontext = NULL;
}
free((*ctx)->supp_encs);
free((*ctx)->def_encs);
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index c05fb717a..1e59189ed 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -416,7 +416,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
TALLOC_CTX *memctx,
struct netr_SamInfo3 *info3)
{
- LDAP *lcontext = ipactx->lcontext;
LDAPDerefRes *deref_results = NULL;
struct dom_sid sid;
gid_t prigid = -1;
@@ -433,7 +432,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
bool is_idobject = false;
krb5_principal princ;
- ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
+ ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass",
&objectclasses);
if (ret == 0 && objectclasses != NULL) {
for (c = 0; objectclasses[c] != NULL; c++) {
@@ -470,13 +469,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
}
if (is_host) {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
if (ret) {
/* fqdn is mandatory for hosts */
return ret;
}
} else if (is_service) {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+ "krbCanonicalName", &strres);
if (ret) {
/* krbCanonicalName is mandatory for services */
return ret;
@@ -496,7 +496,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ENOENT;
}
} else {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres);
if (ret) {
/* uid is mandatory */
return ret;
@@ -509,7 +509,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
if (is_host || is_service) {
prigid = 515; /* Well known RID for domain computers group */
} else {
- ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
+ ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry,
+ "gidNumber", &intres);
if (ret) {
/* gidNumber is mandatory */
return ret;
@@ -540,7 +541,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.kickoff_time = -1;
#endif
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry,
"krbLastPwdChange", &timeres);
switch (ret) {
case 0:
@@ -557,7 +558,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.allow_password_change = 0;
info3->base.force_password_change = -1;
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres);
switch (ret) {
case 0:
info3->base.full_name.string = talloc_strdup(memctx, strres);
@@ -570,7 +571,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTLogonScript", &strres);
switch (ret) {
case 0:
@@ -584,7 +585,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTProfilePath", &strres);
switch (ret) {
case 0:
@@ -598,7 +599,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTHomeDirectory", &strres);
switch (ret) {
case 0:
@@ -612,7 +613,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTHomeDirectoryDrive", &strres);
switch (ret) {
case 0:
@@ -643,7 +644,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.rid = 515;
}
} else {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTSecurityIdentifier", &strres);
if (ret) {
/* SID is mandatory */
@@ -660,7 +661,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
}
}
- ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results);
+ ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
switch (ret) {
LDAPDerefRes *dres;
LDAPDerefVal *dval;
@@ -2511,7 +2512,7 @@ static krb5_error_code
ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
{
struct ipadb_adtrusts *t;
- LDAP *lc = ipactx->lcontext;
+ LDAP *lc = NULL;
char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName",
"ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
"ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL };
@@ -2545,6 +2546,7 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
goto done;
}
+ lc = ipactx->lcontext;
for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) {
dnstr = ldap_get_dn(lc, le);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 59337a4ca..0a98ff054 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -335,6 +335,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
if (gcfg != NULL)
gua = gcfg->user_auth;
+ /* lcontext == NULL means ipadb_get_global_config() failed to load
+ * global config and cleared the ipactx */
+ if (ipactx->lcontext == NULL)
+ return IPADB_USER_AUTH_NONE;
+
/* Get the user's user_auth settings if not disabled. */
if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
@@ -608,8 +613,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
free(entry);
return KRB5_KDB_DBNOTINITED;
}
- lcontext = ipactx->lcontext;
- if (!lcontext) {
+
+ entry->magic = KRB5_KDB_MAGIC_NUMBER;
+ entry->len = KRB5_KDB_V1_BASE_LENGTH;
+
+ /* Get User Auth configuration. */
+ ua = ipadb_get_user_auth(ipactx, lentry);
+
+ /* ipadb_get_user_auth() calls into ipadb_get_global_config()
+ * and that might fail, causing lcontext to become NULL */
+ if (!ipactx->lcontext) {
krb5_klog_syslog(LOG_INFO,
"No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
ret = ipadb_get_connection(ipactx);
@@ -621,11 +634,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
}
}
- entry->magic = KRB5_KDB_MAGIC_NUMBER;
- entry->len = KRB5_KDB_V1_BASE_LENGTH;
-
- /* Get User Auth configuration. */
- ua = ipadb_get_user_auth(ipactx, lentry);
+ /* If any code below would result in invalidating ipactx->lcontext,
+ * lcontext must be updated with the new ipactx->lcontext value.
+ * We rely on the fact that none of LDAP-parsing helpers does it. */
+ lcontext = ipactx->lcontext;
/* ignore mask for now */
--
2.29.2

12
SPECS/ipa.spec
View File

@ -149,7 +149,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 14%{?dist}
Release: 16%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -191,6 +191,8 @@ Patch0024: 0024-wgi-plugins.py-ignore-empty-plugin-directories_rhbz#1895910
Patch0025: 0025-ipatests-support-subordinate-upn-suffixes_rhbz#1914823.patch
Patch0026: 0026-ipa-kdb-support-subordinate-superior-UPN-suffixes_rhbz#1914823.patch
Patch0027: 0027-ad-trust-accept-subordinate-domains-of-the-forest-trust-root_rhbz#1914823.patch
Patch0028: 0028-ipa-kdb-fix-crash-in-MS-PAC-cache-init-code.patch
Patch0029: 0029-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1935146.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-4.8.0-Remove-csrgen.patch
Patch1003: 1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch
@ -1541,6 +1543,14 @@ fi
%changelog
* Tue Mar 9 2021 Thomas Woerner <twoerner@redhat.com> - 4.8.7-16
- Fix krb5kdc is crashing intermittently on IPA server
Resolves: RHBZ#1935146
* Fri Feb 19 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.7-15
- ipa-kdb: fix crash in MS-PAC cache init code
Resolves: RHBZ#1930562
* Tue Jan 12 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.8.7-14
- wgi/plugins.py: ignore empty plugin directories
Resolves: RHBZ#1895910