Adapted version due to missing patches:
|
|
|
|
commit 1f1e7dbe6131b3cdc0ba81b454c7729126bfa6ee
|
|
Author: Slava Aseev <ptrnine@altlinux.org>
|
|
Date: Mon Nov 23 18:23:01 2020 +0300
|
|
|
|
ipa-kdb: handle dates up to 2106-02-07 06:28:16
|
|
|
|
commit 44c222aca9bb0056004f15dfb187d3f249ed0452
|
|
Author: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Date: Thu Dec 17 12:22:47 2020 +0200
|
|
|
|
ipa-kdb: use predefined filters for a wild-card searches
|
|
|
|
commit 78a7ab0daf0d5ebd388046aec6e1c9328e0564a8
|
|
Author: Robbie Harwood <rharwood@redhat.com>
|
|
Date: Tue Nov 10 14:07:47 2020 -0500
|
|
|
|
ipa-kdb: implement AS-REQ lifetime jitter
|
|
|
|
commit d6a8fc290aa93fc5d53025f4400a9736366175eb
|
|
Author: Rob Crittenden <rcritten@redhat.com>
|
|
Date: Thu Sep 24 22:39:36 2020 -0400
|
|
|
|
Pass the user to the password policy check in the kdb driver
|
|
|
|
From 701d0fb0415497fe9fe8fbf25fa800041e2a2b40 Mon Sep 17 00:00:00 2001
|
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Date: Tue, 23 Feb 2021 10:06:25 +0200
|
|
Subject: [PATCH] ipa-kdb: fix compiler warnings
|
|
|
|
There are few fields in KDB structures that have 'conflicting' types but
|
|
need to be compared. They come from MIT Kerberos and we have no choice
|
|
here.
|
|
|
|
In the same way, SID structures have own requirements.
|
|
|
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
---
|
|
daemons/ipa-kdb/ipa_kdb_audit_as.c | 4 ++--
|
|
daemons/ipa-kdb/ipa_kdb_mspac.c | 6 +++---
|
|
daemons/ipa-kdb/ipa_kdb_principals.c | 6 +++---
|
|
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +-
|
|
4 files changed, 9 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
|
|
index ed48ea758..ec2046bfe 100644
|
|
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
|
|
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
|
|
@@ -110,13 +110,13 @@ void ipadb_audit_as_req(krb5_context kcontext,
|
|
}
|
|
|
|
if (client->last_failed + ied->pol->lockout_duration > authtime &&
|
|
- (client->fail_auth_count >= ied->pol->max_fail &&
|
|
+ (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail &&
|
|
ied->pol->max_fail != 0)) {
|
|
/* client already locked, nothing more to do */
|
|
break;
|
|
}
|
|
if (ied->pol->max_fail == 0 ||
|
|
- client->fail_auth_count < ied->pol->max_fail) {
|
|
+ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
|
|
/* let's increase the fail counter */
|
|
client->fail_auth_count++;
|
|
client->mask |= KMASK_FAIL_AUTH_COUNT;
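Review bot: Casting `ied->pol->max_fail` to `krb5_kvno` silences the sign-compare warning, but if max_fail is a signed field (the need for the cast suggests it is) a negative value in the policy entry turns into a very large unsigned number: the lockout test on the first `+` line can then never hold while `max_fail != 0` still does, so the counter keeps growing and the client is never locked. The same cast appears in the ipadb_check_policy_as hunk of ipa_kdb_pwdpolicy.c. Rejecting a negative max_fail where the policy is loaded, or guarding both comparisons with `ied->pol->max_fail > 0` instead of `!= 0`, keeps the comparison meaningful. ipadb_audit_as_req begins and ends outside the hunk.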
|
|
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
index c6ac593ca..050100430 100644
|
|
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
@@ -147,9 +147,9 @@ int string_to_sid(const char *str, struct dom_sid *sid)
|
|
|
|
char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
|
|
{
|
|
- size_t c;
|
|
+ int8_t c;
|
|
size_t len;
|
|
- int ofs;
|
|
+ size_t ofs;
|
|
uint32_t ia;
|
|
char *buf;
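Review bot: With `ofs` now `size_t`, a negative return from the snprintf-style calls that presumably accumulate into it (the body is outside the hunk) can no longer be caught by a sign test, and an expression like `len - ofs` after a truncated write wraps to a huge value instead of going negative. If that is how ofs is used, keep the call result in an `int`, check `ret < 0 || (size_t) ret >= len - ofs` before adding it to ofs, and only then advance. `int8_t c` is presumably narrow to match the sub-authority count type in struct dom_sid; a one-line comment saying so would stop the next reader from "fixing" it back to size_t.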
|
|
|
|
@@ -2606,7 +2606,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
|
|
t[n].upn_suffixes_len = NULL;
|
|
if (t[n].upn_suffixes != NULL) {
|
|
- size_t len = 0;
|
|
+ int len = 0;
|
|
|
|
for (; t[n].upn_suffixes[len] != NULL; len++);
|
|
|
|
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
index d1fa51578..59337a4ca 100644
|
|
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
@@ -491,7 +491,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext,
|
|
l = len;
|
|
for (i = 0; i < count; i++) {
|
|
ret = snprintf(ap, l, "%s ", authinds[i]);
|
|
- if (ret <= 0 || ret > l) {
|
|
+ if (ret <= 0 || ret > (int) l) {
|
|
ret = ENOMEM;
|
|
goto cleanup;
|
|
}
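Review bot: The truncation test `ret > (int) l` is off by one: snprintf returns the length it wanted to write excluding the NUL, so `ret == l` means the terminator did not fit and the indicator string was cut short. `if (ret <= 0 || ret >= (int) l) {` is the correct guard. The defect predates this commit, but since the line is being touched anyway it is worth fixing here; ipadb_get_ldap_auth_ind continues outside the hunk.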
|
|
@@ -2064,7 +2064,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
|
|
char *s = NULL;
|
|
size_t ai_size = 0;
|
|
int cnt = 0;
|
|
- int i = 0;
|
|
+ size_t i = 0;
|
|
|
|
ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais);
|
|
if (ret) {
|
|
@@ -2445,7 +2445,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods)
|
|
{
|
|
krb5_error_code kerr;
|
|
LDAPMod *m = NULL;
|
|
- int i;
|
|
+ size_t i;
|
|
|
|
kerr = ipadb_mods_new(imods, &m);
|
|
if (kerr) {
|
|
diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
|
|
index 4965e6d7f..6f21ef867 100644
|
|
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
|
|
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
|
|
@@ -328,7 +328,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
|
|
}
|
|
|
|
if (ied->pol->max_fail == 0 ||
|
|
- client->fail_auth_count < ied->pol->max_fail) {
|
|
+ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
|
|
/* still within allowed failures range */
|
|
return 0;
|
|
}
|
|
--
|
|
2.29.2
|
|
|
|
From d454ca8f004954f19622fe61ad9e2854359f3784 Mon Sep 17 00:00:00 2001
|
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Date: Wed, 24 Feb 2021 20:51:40 +0200
|
|
Subject: [PATCH] ipa-kdb: add missing prototypes
|
|
|
|
On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings
|
|
about function prototypes missing. If -Werror is specified, this breaks
|
|
compilation.
|
|
|
|
We also default to -Werror=implicit-function-declaration
|
|
|
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
---
|
|
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 4 ++++
|
|
daemons/ipa-kdb/ipa_kdb_mspac.c | 20 ++++++++++++--------
|
|
daemons/ipa-kdb/ipa_kdb_mspac_private.h | 4 ++++
|
|
3 files changed, 20 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
|
index 7f03f2f03..6976f9ba9 100644
|
|
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
|
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
|
@@ -9,6 +9,10 @@
|
|
#include "ipa_krb5.h"
|
|
#include "ipa_kdb.h"
|
|
|
|
+krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context,
|
|
+ int maj_ver, int min_ver,
|
|
+ krb5_plugin_vtable vtable);
|
|
+
|
|
static krb5_error_code
|
|
ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
|
|
const krb5_kdc_req *request,
|
|
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
index 050100430..c05fb717a 100644
|
|
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
@@ -2403,9 +2403,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
|
|
*mspac = NULL;
|
|
}
|
|
|
|
-krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
|
|
- struct dom_sid **result_sids,
|
|
- int *result_length)
|
|
+static krb5_error_code
|
|
+ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
|
|
+ struct dom_sid **result_sids,
|
|
+ int *result_length)
|
|
{
|
|
int len, i;
|
|
char **source;
|
|
@@ -2436,9 +2437,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
|
|
return 0;
|
|
}
|
|
|
|
-krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
|
|
- char **sid_blacklist_incoming,
|
|
- char **sid_blacklist_outgoing)
|
|
+static krb5_error_code
|
|
+ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
|
|
+ char **sid_blacklist_incoming,
|
|
+ char **sid_blacklist_outgoing)
|
|
{
|
|
krb5_error_code kerr;
|
|
|
|
@@ -2459,7 +2461,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus
|
|
return 0;
|
|
}
|
|
|
|
-krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
|
|
+static krb5_error_code
|
|
+ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
|
|
{
|
|
char *attrs[] = { NULL };
|
|
char *filter = "(objectclass=ipaNTTrustedDomain)";
|
|
@@ -2504,7 +2507,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blacklist_incoming, char ***si
|
|
}
|
|
}
|
|
|
|
-krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
+static krb5_error_code
|
|
+ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
{
|
|
struct ipadb_adtrusts *t;
|
|
LDAP *lc = ipactx->lcontext;
|
|
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
|
index b21aa163f..2369e16f8 100644
|
|
--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
|
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
|
@@ -53,3 +53,7 @@ struct ipadb_adtrusts {
|
|
|
|
int string_to_sid(const char *str, struct dom_sid *sid);
|
|
char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid);
|
|
+krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx,
|
|
+ krb5_data realm, struct PAC_LOGON_INFO_CTR *info);
|
|
+void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
|
|
+ bool *_with_pac, bool *_with_pad);
|
|
\ No newline at end of file
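Review bot: The header now ends without a trailing newline (the `\ No newline at end of file` marker on the last `+` line); add one so the next edit does not show the get_authz_data_types prototype as modified. These two prototypes appear to be exposed for the unit tests (ipa_kdb_tests.c in the later patch calls filter_logon_info and drops its own extern for get_authz_data_types); a short comment above them such as `/* Internal helpers, declared here for daemons/ipa-kdb/tests */` would tell readers why otherwise file-local functions are in the header.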
|
|
--
|
|
2.29.2
|
|
|
|
From da98a6fcb81ee3ac7df8bb238a0793809c2be3fd Mon Sep 17 00:00:00 2001
|
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Date: Wed, 24 Feb 2021 20:52:15 +0200
|
|
Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth
|
|
|
|
Add prototype to the exported function
|
|
|
|
Replace few tabs by spaces and mark static code as static.
|
|
|
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
---
|
|
daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++-----------
|
|
1 file changed, 14 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
|
|
index bc6b26578..3a3060c92 100644
|
|
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
|
|
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
|
|
@@ -71,10 +71,13 @@ struct krb5_certauth_moddata_st {
|
|
time_t valid_until;
|
|
};
|
|
|
|
-void ipa_certmap_debug(void *private,
|
|
- const char *file, long line,
|
|
- const char *function,
|
|
- const char *format, ...)
|
|
+krb5_error_code certauth_ipakdb_initvt(krb5_context context,
|
|
+ int maj_ver, int min_ver,
|
|
+ krb5_plugin_vtable vtable);
|
|
+
|
|
+static void ipa_certmap_debug(void *private, const char *file, long line,
|
|
+ const char *function,
|
|
+ const char *format, ...)
|
|
{
|
|
va_list ap;
|
|
char str[255] = { 0 };
|
|
@@ -354,12 +357,12 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
|
|
* so there is nothing more to add here. */
|
|
auth_inds = calloc(2, sizeof(char *));
|
|
if (auth_inds != NULL) {
|
|
- ret = asprintf(&auth_inds[0], "pkinit");
|
|
- if (ret != -1) {
|
|
+ ret = asprintf(&auth_inds[0], "pkinit");
|
|
+ if (ret != -1) {
|
|
auth_inds[1] = NULL;
|
|
*authinds_out = auth_inds;
|
|
- } else {
|
|
- free(auth_inds);
|
|
+ } else {
|
|
+ free(auth_inds);
|
|
}
|
|
}
|
|
|
|
@@ -404,12 +407,12 @@ static void ipa_certauth_free_indicator(krb5_context context,
|
|
size_t i = 0;
|
|
|
|
if ((authinds == NULL) || (moddata == NULL)) {
|
|
- return;
|
|
+ return;
|
|
}
|
|
|
|
for(i=0; authinds[i]; i++) {
|
|
- free(authinds[i]);
|
|
- authinds[i] = NULL;
|
|
+ free(authinds[i]);
|
|
+ authinds[i] = NULL;
|
|
}
|
|
|
|
free(authinds);
|
|
--
|
|
2.29.2
|
|
|
|
From aa7f99c08ff41f216d60152d6235922c561c2881 Mon Sep 17 00:00:00 2001
|
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Date: Wed, 24 Feb 2021 20:55:41 +0200
|
|
Subject: [PATCH] ipa-kdb: mark test functions as static
|
|
|
|
No need to define missing prototypes to single use test functions.
|
|
|
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
---
|
|
daemons/ipa-kdb/tests/ipa_kdb_tests.c | 13 +++++--------
|
|
1 file changed, 5 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
|
index 368a2f978..960200b6e 100644
|
|
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
|
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
|
@@ -180,7 +180,7 @@ extern krb5_error_code filter_logon_info(krb5_context context,
|
|
krb5_data realm,
|
|
struct PAC_LOGON_INFO_CTR *info);
|
|
|
|
-void test_filter_logon_info(void **state)
|
|
+static void test_filter_logon_info(void **state)
|
|
{
|
|
krb5_error_code kerr;
|
|
krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
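Review bot: The `extern krb5_error_code filter_logon_info(...)` declaration in the context lines above test_filter_logon_info is now a duplicate: the third hunk of this patch removes the matching extern for get_authz_data_types, presumably because ipa_kdb_mspac_private.h, which declares both, is already included here. Keeping a second hand-written prototype lets the two drift apart without a compiler error until the header is included; remove it and rely on the header. The declaration itself starts above the hunk.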
|
|
@@ -315,10 +315,7 @@ void test_filter_logon_info(void **state)
|
|
|
|
}
|
|
|
|
-extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
|
|
- bool *with_pac, bool *with_pad);
|
|
-
|
|
-void test_get_authz_data_types(void **state)
|
|
+static void test_get_authz_data_types(void **state)
|
|
{
|
|
bool with_pac;
|
|
bool with_pad;
|
|
@@ -436,7 +433,7 @@ void test_get_authz_data_types(void **state)
|
|
krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
|
|
}
|
|
|
|
-void test_string_to_sid(void **state)
|
|
+static void test_string_to_sid(void **state)
|
|
{
|
|
int ret;
|
|
struct dom_sid sid;
|
|
@@ -468,7 +465,7 @@ void test_string_to_sid(void **state)
|
|
assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
|
|
}
|
|
|
|
-void test_dom_sid_string(void **state)
|
|
+static void test_dom_sid_string(void **state)
|
|
{
|
|
struct test_ctx *test_ctx;
|
|
char *str_sid;
|
|
@@ -494,7 +491,7 @@ void test_dom_sid_string(void **state)
|
|
}
|
|
|
|
|
|
-void test_check_trusted_realms(void **state)
|
|
+static void test_check_trusted_realms(void **state)
|
|
{
|
|
struct test_ctx *test_ctx;
|
|
krb5_error_code kerr = 0;
|
|
--
|
|
2.29.2
|
|
|
|
From 79baa0932d1349d46d162e7478fa4e3c8e88dc09 Mon Sep 17 00:00:00 2001
|
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Date: Fri, 19 Feb 2021 15:37:47 +0200
|
|
Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
|
|
|
|
Calling to ipadb_get_connection() will remove LDAP context if any error
|
|
happens. This means upper layers must always verify that LDAP context
|
|
exists after such calls.
|
|
|
|
ipadb_get_user_auth() may re-read global configuration and that may fail
|
|
and cause IPA context to have NULL LDAP context.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/8681
|
|
|
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
---
|
|
daemons/ipa-kdb/ipa_kdb.c | 1 +
|
|
daemons/ipa-kdb/ipa_kdb_mspac.c | 32 +++++++++++++++-------------
|
|
daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------
|
|
3 files changed, 37 insertions(+), 22 deletions(-)
|
|
|
|
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
|
|
index 33d2a6773..e7b8d7dbf 100644
|
|
--- a/daemons/ipa-kdb/ipa_kdb.c
|
|
+++ b/daemons/ipa-kdb/ipa_kdb.c
|
|
@@ -56,6 +56,7 @@ static void ipadb_context_free(krb5_context kcontext,
|
|
/* ldap free lcontext */
|
|
if ((*ctx)->lcontext) {
|
|
ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL);
|
|
+ (*ctx)->lcontext = NULL;
|
|
}
|
|
free((*ctx)->supp_encs);
|
|
free((*ctx)->def_encs);
|
|
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
index c05fb717a..1e59189ed 100644
|
|
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
@@ -416,7 +416,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
TALLOC_CTX *memctx,
|
|
struct netr_SamInfo3 *info3)
|
|
{
|
|
- LDAP *lcontext = ipactx->lcontext;
|
|
LDAPDerefRes *deref_results = NULL;
|
|
struct dom_sid sid;
|
|
gid_t prigid = -1;
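Review bot: ipadb_fill_info3 now re-reads `ipactx->lcontext` at every helper call (this and the following hunks through the ipadb_ldap_deref_results call), but nothing in the function checks it for NULL first; if a caller reaches it after a failed reconnect, the NULL handle goes straight into the attribute helpers, which is exactly what the commit sets out to avoid. A guard at the top, `if (ipactx->lcontext == NULL) return KRB5_KDB_DBNOTINITED;`, makes the contract explicit. Whether any of the helpers tolerates a NULL LDAP handle is not visible here; the function continues outside the hunk.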
|
|
@@ -433,7 +432,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
bool is_idobject = false;
|
|
krb5_principal princ;
|
|
|
|
- ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
|
|
+ ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass",
|
|
&objectclasses);
|
|
if (ret == 0 && objectclasses != NULL) {
|
|
for (c = 0; objectclasses[c] != NULL; c++) {
|
|
@@ -470,13 +469,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
}
|
|
|
|
if (is_host) {
|
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres);
|
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
|
|
if (ret) {
|
|
/* fqdn is mandatory for hosts */
|
|
return ret;
|
|
}
|
|
} else if (is_service) {
|
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres);
|
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
+ "krbCanonicalName", &strres);
|
|
if (ret) {
|
|
/* krbCanonicalName is mandatory for services */
|
|
return ret;
|
|
@@ -496,7 +496,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
return ENOENT;
|
|
}
|
|
} else {
|
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres);
|
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres);
|
|
if (ret) {
|
|
/* uid is mandatory */
|
|
return ret;
|
|
@@ -509,7 +509,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
if (is_host || is_service) {
|
|
prigid = 515; /* Well known RID for domain computers group */
|
|
} else {
|
|
- ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
|
|
+ ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry,
|
|
+ "gidNumber", &intres);
|
|
if (ret) {
|
|
/* gidNumber is mandatory */
|
|
return ret;
|
|
@@ -540,7 +541,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
info3->base.kickoff_time = -1;
|
|
#endif
|
|
|
|
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
|
|
+ ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry,
|
|
"krbLastPwdChange", &timeres);
|
|
switch (ret) {
|
|
case 0:
|
|
@@ -557,7 +558,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
info3->base.allow_password_change = 0;
|
|
info3->base.force_password_change = -1;
|
|
|
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres);
|
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres);
|
|
switch (ret) {
|
|
case 0:
|
|
info3->base.full_name.string = talloc_strdup(memctx, strres);
|
|
@@ -570,7 +571,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
return ret;
|
|
}
|
|
|
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
"ipaNTLogonScript", &strres);
|
|
switch (ret) {
|
|
case 0:
|
|
@@ -584,7 +585,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
return ret;
|
|
}
|
|
|
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
"ipaNTProfilePath", &strres);
|
|
switch (ret) {
|
|
case 0:
|
|
@@ -598,7 +599,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
return ret;
|
|
}
|
|
|
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
"ipaNTHomeDirectory", &strres);
|
|
switch (ret) {
|
|
case 0:
|
|
@@ -612,7 +613,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
return ret;
|
|
}
|
|
|
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
"ipaNTHomeDirectoryDrive", &strres);
|
|
switch (ret) {
|
|
case 0:
|
|
@@ -643,7 +644,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
info3->base.rid = 515;
|
|
}
|
|
} else {
|
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
"ipaNTSecurityIdentifier", &strres);
|
|
if (ret) {
|
|
/* SID is mandatory */
|
|
@@ -660,7 +661,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
}
|
|
}
|
|
|
|
- ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results);
|
|
+ ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
|
|
switch (ret) {
|
|
LDAPDerefRes *dres;
|
|
LDAPDerefVal *dval;
|
|
@@ -2511,7 +2512,7 @@ static krb5_error_code
|
|
ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
{
|
|
struct ipadb_adtrusts *t;
|
|
- LDAP *lc = ipactx->lcontext;
|
|
+ LDAP *lc = NULL;
|
|
char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName",
|
|
"ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
|
|
"ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL };
|
|
@@ -2545,6 +2546,7 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
goto done;
|
|
}
|
|
|
|
+ lc = ipactx->lcontext;
|
|
for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) {
|
|
dnstr = ldap_get_dn(lc, le);
|
|
|
|
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
index 59337a4ca..0a98ff054 100644
|
|
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
@@ -335,6 +335,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
|
|
if (gcfg != NULL)
|
|
gua = gcfg->user_auth;
|
|
|
|
+ /* lcontext == NULL means ipadb_get_global_config() failed to load
|
|
+ * global config and cleared the ipactx */
|
|
+ if (ipactx->lcontext == NULL)
|
|
+ return IPADB_USER_AUTH_NONE;
|
|
+
|
|
/* Get the user's user_auth settings if not disabled. */
|
|
if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
|
|
ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
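Review bot: Returning IPADB_USER_AUTH_NONE when `ipactx->lcontext` is NULL makes a failed config load indistinguishable from an entry that simply has no user-auth settings; a caller only notices by re-checking `ipactx->lcontext` afterwards, as ipadb_parse_ldap_entry now does. That contract belongs at the function header (above the hunk), e.g. `/* Returns IPADB_USER_AUTH_NONE and leaves ipactx->lcontext NULL when the global config could not be loaded; callers must check lcontext before trusting the result. */`.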
|
|
@@ -608,8 +613,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
|
free(entry);
|
|
return KRB5_KDB_DBNOTINITED;
|
|
}
|
|
- lcontext = ipactx->lcontext;
|
|
- if (!lcontext) {
|
|
+
|
|
+ entry->magic = KRB5_KDB_MAGIC_NUMBER;
|
|
+ entry->len = KRB5_KDB_V1_BASE_LENGTH;
|
|
+
|
|
+ /* Get User Auth configuration. */
|
|
+ ua = ipadb_get_user_auth(ipactx, lentry);
|
|
+
|
|
+ /* ipadb_get_user_auth() calls into ipadb_get_global_config()
|
|
+ * and that might fail, causing lcontext to become NULL */
|
|
+ if (!ipactx->lcontext) {
|
|
krb5_klog_syslog(LOG_INFO,
|
|
"No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
|
|
ret = ipadb_get_connection(ipactx);
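Review bot: Moving `ua = ipadb_get_user_auth(ipactx, lentry)` ahead of the reconnect means that when lcontext was NULL the call has already returned IPADB_USER_AUTH_NONE, and after `ipadb_get_connection` succeeds (second hunk, @@ -621) parsing carries on with that empty value instead of the entry's real user-auth settings, so any per-user authentication restriction is dropped for this lookup. Assuming lentry stays usable across the reconnect, as the rest of the function already assumes, re-evaluate it there: `ua = ipadb_get_user_auth(ipactx, lentry);` immediately before `lcontext = ipactx->lcontext;`, and return KRB5_KDB_DBNOTINITED if lcontext is NULL again. ipadb_parse_ldap_entry begins and ends outside these hunks.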
|
|
@@ -621,11 +634,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
|
}
|
|
}
|
|
|
|
- entry->magic = KRB5_KDB_MAGIC_NUMBER;
|
|
- entry->len = KRB5_KDB_V1_BASE_LENGTH;
|
|
-
|
|
- /* Get User Auth configuration. */
|
|
- ua = ipadb_get_user_auth(ipactx, lentry);
|
|
+ /* If any code below would result in invalidating ipactx->lcontext,
|
|
+ * lcontext must be updated with the new ipactx->lcontext value.
|
|
+ * We rely on the fact that none of LDAP-parsing helpers does it. */
|
|
+ lcontext = ipactx->lcontext;
|
|
|
|
/* ignore mask for now */
|
|
|
|
--
|
|
2.29.2
|
|
|