[Freeipa-devel] [PATCH] 0174-0175 ipa-kdb fixes

Alexander Bokovoy abokovoy at redhat.com
Wed Jan 21 10:03:48 UTC 2015


Hi,

a couple of patches to fix the Kerberos DAL driver in relation to trusts.

Patch 0174:
Allow using CA paths defined in krb5.conf on top of what we define
automatically for trusted domains.
https://fedorahosted.org/freeipa/ticket/4791

Patch 0175:
Change error code reported back to Kerberos client when a principal from
a disabled trusted domain attempts to access resources we control.

The error code will help older SSSD to properly reflect the error message in
the PAM stack.
https://fedorahosted.org/freeipa/ticket/4788

-- 
/ Alexander Bokovoy
-------------- next part --------------
From 5539c7d29e185c4ee6489a9f93008e2b0c2670c9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Fri, 5 Dec 2014 21:22:23 +0200
Subject: [PATCH 1/2] ipa-kdb: when processing transitions, hand over
 unknown ones to KDC

When processing cross-realm trust transitions, let the KDC handle
those we don't know about. Admins might define the transitions as
explicit [capaths] in krb5.conf.

https://fedorahosted.org/freeipa/ticket/4791
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index a450007..0cbdd4c 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2688,7 +2688,8 @@ krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
 		}
 	}
 
-	ret = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	/* Tell to KDC that we don't handle this transition so that rules in krb5.conf could play its role */
+	ret = KRB5_PLUGIN_NO_HANDLE;
 	if (has_client_realm && has_transited_contents && has_server_realm) {
 		ret = 0;
 	}
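Review bot: the default for transitions this driver does not recognise changes from an explicit rejection (KRB5KRB_AP_ERR_ILL_CR_TKT) to KRB5_PLUGIN_NO_HANDLE, which hands the decision back to the KDC; since this is a loosening of the trust path check, the commit message should state plainly that unknown transitions are now accepted or rejected by the KDC's own transited-realm rules ([capaths] in krb5.conf) instead of being refused outright, so reviewers and admins can judge the policy change. The new comment also needs a grammar pass; suggest: `/* Tell the KDC that we do not handle this transition so that the [capaths] rules in krb5.conf can apply */`. The subsequent `ret = 0` override for the fully recognised case is unchanged and still correct.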
-- 
2.1.0

-------------- next part --------------
From c3d2718b3f28fabfdfb29cd6d0ee87d848e32d2f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 10 Dec 2014 14:59:38 +0200
Subject: [PATCH 2/2] ipa-kdb: reject principals from disabled domains as a KDC
 policy

Fixes https://fedorahosted.org/freeipa/ticket/4788
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 0cbdd4c..5d7f892 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1375,7 +1375,7 @@ static krb5_error_code filter_logon_info(krb5_context context,
                                    &domain->parent->sid_blacklist_incoming[k], true);
             if (result) {
                 filter_logon_info_log_message(info->info->info3.base.domain_sid);
-                return EINVAL;
+                return KRB5KDC_ERR_POLICY;
             }
         }
     }
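Review bot: replacing `return EINVAL` with `return KRB5KDC_ERR_POLICY` in the blacklisted-SID branch is the right direction, since EINVAL is an errno value rather than a Kerberos protocol error code and could not be reported meaningfully to the client; please confirm that the callers of the static `filter_logon_info()` propagate the krb5_error_code unchanged to the KDC reply rather than mapping any nonzero return to a generic error, otherwise the SSSD-visible behaviour described in the cover letter will not materialise. Also worth checking whether other rejection sites in this function still return EINVAL, so that a disabled or blacklisted domain is reported consistently as a policy error. The log call via `filter_logon_info_log_message()` before the return is kept, which is good for detection of rejected principals from disabled domains.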
-- 
2.1.0
