From 6b224e57672e3f73f93bb9eddd9031e945529a1e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Tue, 24 Nov 2020 16:03:36 +0200
Subject: [PATCH] ad trust: accept subordinate domains of the forest trust root

Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for subordinate UPN suffixes but missed the case where subordinate UPN is a subdomain of the forest root domain and not mentioned in the UPN suffixes list. Correct this situation by applying the same check to the trusted domain name as well.

Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy
Reviewed-By: Alexander Bokovoy
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index f2bd60e11..c6ac593ca 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2976,10 +2976,20 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
 /* Iterate through list of trusts and check if input realm belongs to any of the trust */
 for(i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
+ size_t len = 0;
 result = strncasecmp(test_realm, ipactx->mspac->trusts[i].domain_name, size) == 0;
+ if (!result) {
+ len = strlen(ipactx->mspac->trusts[i].domain_name);
+ if ((size > len) && (test_realm[size - len - 1] == '.')) {
+ result = strncasecmp(test_realm + (size - len),
+ ipactx->mspac->trusts[i].domain_name,
+ len) == 0;
+ }
+ }
+
 if (!result && (ipactx->mspac->trusts[i].flat_name != NULL)) {
 result = strncasecmp(test_realm, ipactx->mspac->trusts[i].flat_name,
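Review bot: The new suffix test inside `if (!result)` has no guard for a zero-length `domain_name`: with `len == 0`, `size > len` holds for any non-zero `size` and `strncasecmp(..., len)` compares nothing, so a `test_realm` ending in '.' would be reported as belonging to that trust. Whether a trust entry can carry an empty name is not visible in this hunk, but the guard is cheap: `if ((len > 0) && (size > len) && (test_realm[size - len - 1] == '.')) {`. The same dot-boundary comparison now exists twice, here and in the UPN-suffix loop touched by the second hunk, so a small static helper taking the candidate name and its length would keep the two checks from drifting apart. A short comment on the new block, along the lines of `/* also accept realms that are DNS-subordinate to the trusted domain name */`, would make it clear that the match applies to every entry in `trusts[]` and not only to the forest root named in the commit message. The function body starts and ends outside the hunk, and `size` is assigned there.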
@@ -2995,7 +3005,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
 /* if UPN suffix did not match exactly, find if it is
 * superior to the test_realm, e.g. if test_realm ends
 * with the UPN suffix prefixed with dot*/
- size_t len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
+ len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
 if ((size > len) && (test_realm[size - len - 1] == '.')) {
 result = strncasecmp(test_realm + (size - len), ipactx->mspac->trusts[i].upn_suffixes[j],
-- 
2.29.2