rpms/ipa
6
0
Fork 0
Code Issues Pull Requests Releases Activity
a3e6f860a5
ipa/SOURCES/0024-kdb-PAC-generator-do-not-fail-if-canonical-principal-is-missing_rhel.patch
eabdullin a3e6f860a5 - adtrustinstance: make sure NetBIOS name defaults are set 
properly
- ipatests: wait for replica update in test_dns_locations
- ipa-kdb: Disable Bronze-Bit check if PAC not available
- ipapython: Clean up krb5_error
- ipapython: Correct return type of krb5_free_cred_contents
- ipa-kdb: Fix memory leak during PAC verification
- sidgen: ignore staged users when generating SIDs
- kdb: PAC generator: do not fail if canonical principal is missing
- Fix some mistakes in ipadb_check_for_bronze_bit_attack()
- ipa-kdb: Rework ipadb_reinit_mspac()
- ipatests: fix tasks.wait_for_replication method
- ipa-kdb: Fix double free in ipadb_reinit_mspac()
2024-04-10 10:27:12 +03:00

46 lines
1.9 KiB
Diff
Raw Blame History

From dcb9d6edc7ae4278cd552e87f644705faa13d558 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Jan 31 2024 08:31:13 +0000
Subject: kdb: PAC generator: do not fail if canonical principal is missing
krbCanonicalName is mandatory for services but IPA services created
before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no normalization done
to set krbCanonicalName; services created after that version were
upgraded to do have krbCanonicalName.
Accept krbPrincipalName alone since they have no alias either */
Fixes: https://pagure.io/freeipa/issue/9465
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
---
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 9e1431c..8035036 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -496,8 +496,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"krbCanonicalName", &strres);
if (ret) {
- /* krbCanonicalName is mandatory for services */
- return ret;
+ /* krbCanonicalName is mandatory for services but IPA services
+ * created before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no
+ * normalization to set krbCanonicalName; services created after
+ * that version were upgraded to do have krbCanonicalName.
+ *
+ * Accept krbPrincipalName alone since they have no alias either */
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+ "krbPrincipalName", &strres);
+ if (ret)
+ return ret;
}
ret = krb5_parse_name(ipactx->kcontext, strres, &princ);
Reference in New Issue View Git Blame Copy Permalink