[Freeipa-devel] [PATCH] 0174-0175 ipa-kdb fixes
Alexander Bokovoy
abokovoy at redhat.com
Wed Jan 21 10:03:48 UTC 2015
Hi,
couple patches to fix Kerberos DAL driver in relation to trusts.
Patch 0174:
Allow using CA paths defined in krb5.conf on top of what we define
automatically for trusted domains.
https://fedorahosted.org/freeipa/ticket/4791
Patch 0175:
Change error code reported back to Kerberos client when a principal from
a disabled trusted domain attempts to access resources we control.
The error code will help older SSSD to properly reflect error message in
the PAM stack.
https://fedorahosted.org/freeipa/ticket/4788
--
/ Alexander Bokovoy
-------------- next part --------------
From 5539c7d29e185c4ee6489a9f93008e2b0c2670c9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Fri, 5 Dec 2014 21:22:23 +0200
Subject: [PATCH 1/2] ipa-kdb: when processing transitions, hand over
unknown ones to KDC
When processing cross-realm trust transitions, let the KDC to handle
those we don't know about. Admins might define the transitions as
explicit [capaths] in krb5.conf.
https://fedorahosted.org/freeipa/ticket/4791
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index a450007..0cbdd4c 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2688,7 +2688,8 @@ krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
}
}
- ret = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ /* Tell to KDC that we don't handle this transition so that rules in krb5.conf could play its role */
+ ret = KRB5_PLUGIN_NO_HANDLE;
if (has_client_realm && has_transited_contents && has_server_realm) {
ret = 0;
}
--
2.1.0
-------------- next part --------------
From c3d2718b3f28fabfdfb29cd6d0ee87d848e32d2f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 10 Dec 2014 14:59:38 +0200
Subject: [PATCH 2/2] ipa-kdb: reject principals from disabled domains as a KDC
policy
Fixes https://fedorahosted.org/freeipa/ticket/4788
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 0cbdd4c..5d7f892 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1375,7 +1375,7 @@ static krb5_error_code filter_logon_info(krb5_context context,
&domain->parent->sid_blacklist_incoming[k], true);
if (result) {
filter_logon_info_log_message(info->info->info3.base.domain_sid);
- return EINVAL;
+ return KRB5KDC_ERR_POLICY;
}
}
}
--
2.1.0
More information about the Freeipa-devel
mailing list