On 26.11.2013 16:35, Jan Cholasta wrote:
On 26.11.2013 14:24, Simo Sorce wrote:
On Tue, 2013-11-26 at 14:11 +0100, Jan Cholasta wrote:
kadmin.local still returns an error for me with this patch applied:
kadmin.local: modprinc +ok_as_delegate
host/[email protected]
modify_principal: Kerberos database internal error while modifying
"host/[email protected]".
I think I made a mistake using mod_op in ipadb_get_ldap_mod_str(), and
should have used LDAP_MOD_ADD because we do not want to replace the
objectclass object, we want to add to it.
Any chance you can check quickly changing that ? I've blown the setup I
was using when I created the patch
That fixed it, so ACK with the change included.
Modified patch attached.
--
Jan Cholasta
>From 8d790ed550bf023da171405bde2cd08e97877dd4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <[email protected]>
Date: Tue, 26 Nov 2013 15:41:31 +0000
Subject: [PATCH] Add krbticketPolicyAux objectclass if needed
When modifying ticket flags add the objectclass to the object if it is missing.
---
daemons/ipa-kdb/ipa_kdb.h | 1 +
daemons/ipa-kdb/ipa_kdb_principals.c | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 35 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 1c2aefc..5ad256b 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -117,6 +117,7 @@ struct ipadb_e_data {
struct ipapwd_policy *pol;
time_t last_admin_unlock;
char **authz_data;
+ bool has_tktpolaux;
};
struct ipadb_context *ipadb_get_context(krb5_context kcontext);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 38059d2..a520952 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -468,6 +468,17 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
ied->ipa_user = true;
}
+ /* check if it has the krbTicketPolicyAux objectclass */
+ ret = ipadb_ldap_attr_has_value(lcontext, lentry,
+ "objectClass", "krbTicketPolicyAux");
+ if (ret != 0 && ret != ENOENT) {
+ kerr = ret;
+ goto done;
+ }
+ if (ret == 0) {
+ ied->has_tktpolaux = true;
+ }
+
ret = ipadb_ldap_attr_to_str(lcontext, lentry,
"krbPwdPolicyReference", &restring);
switch (ret) {
@@ -1411,6 +1422,29 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
/* KADM5_ATTRIBUTES */
if (entry->mask & KMASK_ATTRIBUTES) {
+ /* if the object does not have the krbTicketPolicyAux class
+ * we need to add it or this will fail, only for modifications.
+ * We always add this objectclass by default when doing an add
+ * from scratch. */
+ if ((mod_op == LDAP_MOD_REPLACE) && entry->e_data) {
+ struct ipadb_e_data *ied;
+
+ ied = (struct ipadb_e_data *)entry->e_data;
+ if (ied->magic != IPA_E_DATA_MAGIC) {
+ kerr = EINVAL;
+ goto done;
+ }
+
+ if (!ied->has_tktpolaux) {
+ kerr = ipadb_get_ldap_mod_str(imods, "objectclass",
+ "krbTicketPolicyAux",
+ LDAP_MOD_ADD);
+ if (kerr) {
+ goto done;
+ }
+ }
+ }
+
kerr = ipadb_get_ldap_mod_int(imods,
"krbTicketFlags",
(int)entry->attributes,
--
1.8.3.1
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
