URL: https://github.com/freeipa/freeipa/pull/1149
Author: tomaskrizek
Title: #1149: [Backport][ipa-4-5] ipa-kdb: reinit trusted domain data for enterprise principals
Action: opened

PR body:
"""
This PR was opened automatically because PR #1115 was pushed to master and 
backport to ipa-4-5 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1149/head:pr1149
git checkout pr1149
From b964861192c6ee56a46d8c5d081591ddbe802320 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@f26-ipa.ipaf26.devel>
Date: Wed, 27 Sep 2017 14:17:49 +0200
Subject: [PATCH] ipa-kdb: reinit trusted domain data for enterprise principals

While processing enterprise principals the information about trusted domains
might not be up-to-date. With this patch ipadb_reinit_mspac() is called if an
unknown domain is part of the enterprise principal.

Resolves https://pagure.io/freeipa/issue/7172
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 82c857430b..b27612258b 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1259,6 +1259,17 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
                                                          realm,
                                                          upn->length - (realm - upn->data),
                                                          &trusted_realm);
+                if (kerr == KRB5_KDB_NOENTRY) {
+                    /* try to refresh trusted domain data and try again */
+                    kerr = ipadb_reinit_mspac(ipactx, false);
+                    if (kerr != 0) {
+                        kerr = KRB5_KDB_NOENTRY;
+                        goto done;
+                    }
+                    kerr = ipadb_is_princ_from_trusted_realm(kcontext, realm,
+                                              upn->length - (realm - upn->data),
+                                              &trusted_realm);
+                }
                 if (kerr == 0) {
                     kentry = calloc(1, sizeof(krb5_db_entry));
                     if (!kentry) {
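Review bot: In the new `if (kerr == KRB5_KDB_NOENTRY)` block, a failure of `ipadb_reinit_mspac(ipactx, false)` is overwritten with `KRB5_KDB_NOENTRY` before `goto done`, so a failed refresh of the trusted domain data becomes indistinguishable from a realm that is genuinely unknown. Consider logging the original return value before replacing it, so that operators can tell the two cases apart when an enterprise principal lookup fails. The comment could also state what the `false` argument selects and whether the refresh is throttled: this path runs whenever the realm part of the requested enterprise principal is not a known trusted domain, and nothing in the lines shown here limits how often the trusted domain data is reloaded. As a smaller style point, the retry repeats the `ipadb_is_princ_from_trusted_realm()` call with the same arguments as the first attempt; a short retry loop or a helper would keep the two calls from drifting apart.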