[Freeipa-devel] [PATCH] 0138, 0141: ipa-kdb fixes

Alexander Bokovoy abokovoy at redhat.com
Tue Feb 25 18:58:03 UTC 2014


Resending patch 0138 together with another case Simo found out today:
when authdata flag is cleared by admin for the service principal, we'll
get NULL client database entry. In such a case we have to bail out.


-- 
/ Alexander Bokovoy
-------------- next part --------------
From 8e7c41bf35d68bfad2dc5b790cf6f5b964949417 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 25 Feb 2014 17:50:55 +0200
Subject: [PATCH v1 1/2] ipa-kdb: in case of delegation use original client's
 database entry, not the proxy

https://fedorahosted.org/freeipa/ticket/4195
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index ff67391..2a0480f 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1983,12 +1983,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     bool with_pac;
     bool with_pad;
     int result;
+    krb5_db_entry *client_entry = NULL;
 
     /* When using s4u2proxy client_princ actually refers to the proxied user
      * while client->princ to the proxy service asking for the TGS on behalf
      * of the proxied user. So always use client_princ in preference */
     if (client_princ != NULL) {
         ks_client_princ = client_princ;
+        kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
     } else {
         ks_client_princ = client->princ;
     }
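Review bot: the return value of `ipadb_get_principal()` is never checked. If the lookup of `client_princ` fails, `kerr` carries the error but execution continues, `client_entry` stays NULL and the later `client_entry ? client_entry : client` silently falls back to the proxy's entry, which is exactly the behaviour this patch sets out to remove; `kerr` is then overwritten by the next `ipadb_get_pac()` call, so the failure is lost entirely. Suggest handling it right after the call, e.g. `if (kerr != 0 && kerr != ENOENT) goto done;` (once `pac` is known to be initialised at that point), and deciding explicitly whether ENOENT should fall back to `client` or fail.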
@@ -2025,7 +2027,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
             }
         }
 
-        kerr = ipadb_get_pac(context, client, &pac);
+        kerr = ipadb_get_pac(context, client_entry ? client_entry : client, &pac);
         if (kerr != 0 && kerr != ENOENT) {
             goto done;
         }
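Review bot: the `client_entry ? client_entry : client` fallback hides the difference between "no delegation" (`client_entry` legitimately NULL) and "delegation, but the lookup failed". Since the same expression is repeated in the next hunk, suggest computing it once right after the lookup, e.g. `krb5_db_entry *pac_client = client_entry ? client_entry : client;`, with a comment stating when the fallback to the proxy entry is intended.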
@@ -2041,7 +2043,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
         /* check or generate pac data */
         if ((pac_auth_data == NULL) || (pac_auth_data[0] == NULL)) {
             if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
-                kerr = ipadb_get_pac(context, client, &pac);
+                kerr = ipadb_get_pac(context, client_entry ? client_entry : client, &pac);
                 if (kerr != 0 && kerr != ENOENT) {
                     goto done;
                 }
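Review bot: same repeated ternary as in the previous hunk, and in this branch it is riskier: per the comment in the first hunk, under s4u2proxy `client_princ` is always the proxied user, so inside the `KRB5_KDB_FLAG_CONSTRAINED_DELEGATION` path a NULL `client_entry` can only mean the lookup failed, and falling back to `client` would sign the proxy service's identity into the PAC. Consider treating NULL as an error here rather than falling back.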
@@ -2094,6 +2096,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     kerr = 0;
 
 done:
+    if (client_entry != NULL) {
+        ipadb_free_principal(context, client_entry);
+    }
     krb5_pac_free(context, pac);
     return kerr;
 }
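Review bot: the NULL guard and the free at `done:` are fine, but they only cover paths that reach the label; any `return` between the new `ipadb_get_principal()` call and `done:` would leak `client_entry`. Worth a quick check that every early exit in `ipadb_sign_authdata()` goes through `done:`.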
-- 
1.8.3.1

-------------- next part --------------
From d3af14384d6612121dfa8e75b3cb690c490a1004 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 25 Feb 2014 20:53:49 +0200
Subject: [PATCH 4/4] ipa-kdb: make sure we don't produce MS-PAC in case of
 authdata flag cleared by admin

When admin clears authdata flag for the service principal, KDC will pass
NULL client pointer (service proxy) to the DAL driver.

Make sure we bail out correctly.
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 2170675..771b40b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1989,6 +1989,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     int result;
     krb5_db_entry *client_entry = NULL;
 
+
+    /* When client is NULL, authdata flag on the service principal was cleared
+     * by an admin. We don't generate MS-PAC in this case */
+    if (client == NULL) {
+        *signed_auth_data = NULL;
+        return 0;
+    }
+
     /* When using s4u2proxy client_princ actually refers to the proxied user
      * while client->princ to the proxy service asking for the TGS on behalf
      * of the proxied user. So always use client_princ in preference */
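Review bot: the early return sits correctly before anything dereferences `client->princ`, and clearing `*signed_auth_data` before returning 0 is the right contract; two nits: the hunk leaves two consecutive blank lines between the declarations and the new comment (drop one), and since the context line `krb5_db_entry *client_entry = NULL;` shows this patch applies on top of the first one, the subject numbering (`[PATCH 4/4]` here versus `[PATCH v1 1/2]` above) should be made consistent so the series applies in order.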
-- 
1.8.3.1



More information about the Freeipa-devel mailing list