From 6bd6571dfe97fb9c6ce9040c3fcfb4965f95eda1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Tue, 28 Mar 2017 14:35:22 +0200
Subject: [PATCH 28/93] UTIL: Set udp_preference_limit=0 in krb5 snippet
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We add udp_preference_limit = 0 to the krb5 snippet if the ad provider is
used. This option enables a TCP connection before UDP when sending
a message to the KDC.
Resolves:
https://pagure.io/SSSD/sssd/issue/3254
Signed-off-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
---
src/providers/ad/ad_subdomains.c | 2 +-
src/providers/ipa/ipa_subdomains.c | 2 +-
src/tests/cmocka/test_utils.c | 12 ++++-----
src/util/domain_info_utils.c | 54 +++++++++++++++++++++++++++++---------
src/util/util.h | 3 ++-
5 files changed, 51 insertions(+), 22 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 749c5b42f16d81aecdecf1961541fb34eb0732b9..280aa54c23bf61e60d23ea91bd44a39f9f43d155 100644
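--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -702,7 +702,7 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
 "will not be created.\n");
 }
 
- ret = sss_write_krb5_conf_snippet(path, canonicalize);
+ ret = sss_write_krb5_conf_snippet(path, canonicalize, true);
 if (ret != EOK) {
 DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
 /* Just continue */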
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index e052f98477b65c5e9778d889333bd9101763db23..7f8bcdbad3e8375c8d56a51a7ac615b29ee0457d 100644
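--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -117,7 +117,7 @@ ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx)
 ret = sss_write_krb5_conf_snippet(
 dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic,
 IPA_KRB5_CONFD_PATH),
- canonicalize);
+ canonicalize, false);
 if (ret != EOK) {
 DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
 /* Just continue */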
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index 25508b172287c455d706baff9c3068f95a3ee403..7cbb395dab6c1336716518daac1d700fcaa7b789 100644
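--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -1350,16 +1350,16 @@ void test_sss_write_krb5_conf_snippet(void **state)
 char *file;
 char *file_krb5_libdefaults;
 
- ret = sss_write_krb5_conf_snippet(NULL, false);
+ ret = sss_write_krb5_conf_snippet(NULL, false, false);
 assert_int_equal(ret, EINVAL);
 
- ret = sss_write_krb5_conf_snippet("abc", false);
+ ret = sss_write_krb5_conf_snippet("abc", false, false);
 assert_int_equal(ret, EINVAL);
 
- ret = sss_write_krb5_conf_snippet("", false);
+ ret = sss_write_krb5_conf_snippet("", false, false);
 assert_int_equal(ret, EOK);
 
- ret = sss_write_krb5_conf_snippet("none", false);
+ ret = sss_write_krb5_conf_snippet("none", false, false);
 assert_int_equal(ret, EOK);
 
 cwd = getcwd(buf, PATH_MAX);
@@ -1375,11 +1375,11 @@ void test_sss_write_krb5_conf_snippet(void **state)
 "%s/%s/krb5_libdefaults", cwd, TESTS_PATH);
 assert_true(ret > 0);
 
- ret = sss_write_krb5_conf_snippet(path, true);
+ ret = sss_write_krb5_conf_snippet(path, true, true);
 assert_int_equal(ret, EOK);
 
 /* Check if writing a second time will work as well */
- ret = sss_write_krb5_conf_snippet(path, true);
+ ret = sss_write_krb5_conf_snippet(path, true, true);
 assert_int_equal(ret, EOK);
 
 #ifdef HAVE_KRB5_LOCALAUTH_PLUGIN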
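Review bot: The updated calls in `test_sss_write_krb5_conf_snippet` only exercise the flag pairs `(false, false)` and `(true, true)`, and the `(false, false)` calls use `NULL`, `"abc"`, `""` and `"none"` as the path, so the mixed pairs are never tried and none of the calls shown writes a snippet with `udp_limit` off. The AD caller always passes `udp_limit` as `true` and the IPA caller always passes `false`, so a case such as `ret = sss_write_krb5_conf_snippet(path, false, true);` would cover the new option on its own. No line visible in these hunks checks that `udp_preference_limit = 0` actually lands in the `krb5_libdefaults` file, so a content check on `file_krb5_libdefaults` would pin the new behaviour. The test body continues outside both hunks, so such an assertion may already exist there.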
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 1aacfa2832890a8c3914336aa53d350577ec29f8..3a3f5130a32e2c5fe4b81819bf2de697a4474111 100644
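--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -734,15 +734,14 @@ done:
 #endif
 }
 
-#define KRB5_LIBDEFAUTLS_CONFIG \
-"[libdefaults]\n" \
-" canonicalize = true\n"
-
-static errno_t sss_write_krb5_libdefaults_snippet(const char *path)
+static errno_t sss_write_krb5_libdefaults_snippet(const char *path,
+ bool canonicalize,
+ bool udp_limit)
 {
 int ret;
 TALLOC_CTX *tmp_ctx = NULL;
 const char *file_name;
+ char *file_contents;
 
 tmp_ctx = talloc_new(NULL);
 if (tmp_ctx == NULL) {
@@ -760,7 +759,37 @@ static errno_t sss_write_krb5_libdefaults_snippet(const char *path)
 DEBUG(SSSDBG_FUNC_DATA, "File for KRB5 kibdefaults configuration is [%s]\n",
 file_name);
 
- ret = sss_write_krb5_snippet_common(file_name, KRB5_LIBDEFAUTLS_CONFIG);
+ file_contents = talloc_strdup(tmp_ctx, "[libdefaults]\n");
+ if (file_contents == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "talloc_asprintf failed while creating the content\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (canonicalize == true) {
+ file_contents = talloc_asprintf_append(file_contents,
+ " canonicalize = true\n");
+ if (file_contents == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "talloc_asprintf failed while appending to the content\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ if (udp_limit == true) {
+ file_contents = talloc_asprintf_append(file_contents,
+ " udp_preference_limit = 0\n");
+ if (file_contents == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "talloc_asprintf failed while appending to the content\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ ret = sss_write_krb5_snippet_common(file_name, file_contents);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_snippet_common failed.\n");
 goto done;
@@ -772,7 +801,8 @@ done:
 return ret;
 }
 
-errno_t sss_write_krb5_conf_snippet(const char *path, bool canonicalize)
+errno_t sss_write_krb5_conf_snippet(const char *path, bool canonicalize,
+ bool udp_limit)
 {
 errno_t ret;
 errno_t err;
@@ -794,12 +824,10 @@ errno_t sss_write_krb5_conf_snippet(const char *path, bool canonicalize)
 goto done;
 }
 
- if (canonicalize) {
- ret = sss_write_krb5_libdefaults_snippet(path);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_libdefaults_snippet failed.\n");
- goto done;
- }
+ ret = sss_write_krb5_libdefaults_snippet(path, canonicalize, udp_limit);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_libdefaults_snippet failed.\n");
+ goto done;
 }
 
 ret = EOK;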
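Review bot: In the last hunk `sss_write_krb5_libdefaults_snippet()` is now called unconditionally, so when `canonicalize` and `udp_limit` are both false (the IPA caller always passes `false` for the latter) a snippet holding only `[libdefaults]` is written where previously none was. If that is intended, a comment at the call such as `/* Always rewrite the snippet, even when it only holds the section header */` would record it; otherwise the call could be guarded with `if (canonicalize || udp_limit) {`. The new option is emitted under `[libdefaults]`, which as far as the krb5.conf format goes is not realm-specific, so the TCP-first behaviour presumably applies to every Kerberos client that reads this snippet and not only to the AD domain; the function comment should say so. The first new DEBUG message names `talloc_asprintf` although the call that failed is `talloc_strdup`. Both function bodies extend outside the hunks shown.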
diff --git a/src/util/util.h b/src/util/util.h
index 81d5e9b67495dcaafd0194bce700a0d2ae32b72e..9b64dead88f05f16b00e73d59b2af06dcd485ff7 100644
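--- a/src/util/util.h
+++ b/src/util/util.h
@@ -582,7 +582,8 @@ errno_t sss_get_domain_mappings_content(TALLOC_CTX *mem_ctx,
 
 errno_t sss_write_domain_mappings(struct sss_domain_info *domain);
 
-errno_t sss_write_krb5_conf_snippet(const char *path, bool canonicalize);
+errno_t sss_write_krb5_conf_snippet(const char *path, bool canonicalize,
+ bool udp_limit);
 
 errno_t get_dom_names(TALLOC_CTX *mem_ctx,
 struct sss_domain_info *start_dom,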
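Review bot: The prototype of `sss_write_krb5_conf_snippet` carries no comment, and it now takes two adjacent `bool` parameters that read as `(path, true, true)` at the call sites and can be swapped without any compiler diagnostic. A comment above the declaration would make the contract explicit, for example `/* canonicalize: emit "canonicalize = true"; udp_limit: emit "udp_preference_limit = 0"; both go into the [libdefaults] snippet under path */`.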
--
2.14.1