Ticket #937 was reopened a while ago because of one corner case: new users
that have never been assigned a password cause kadmin/kadmin.local to
throw a fit when they try to visualize information about those users'
principals.

This patch fakes up modification information when no krbExtraData is
available for the principal so that kadmin is happy.

Tested and working as designed.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From c72564182da6bc21a532d896f77c400d4cfc0166 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Tue, 24 Nov 2015 17:08:51 -0500
Subject: [PATCH] Return default TL_DATA if krbExtraData is missing

Signed-off-by: Simo Sorce <s...@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/937
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 1f9b14a6aba673d0a2a4188af76b7fb391aa1cbd..95c61f0060061b912f8d0a22dd7254369ee8e327 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -95,6 +95,8 @@ static char *std_principal_obj_classes[] = {
 
 #define STD_PRINCIPAL_OBJ_CLASSES_SIZE (sizeof(std_principal_obj_classes) / sizeof(char *) - 1)
 
+#define DEFAULT_TL_DATA_CONTENT "\x00\x00\x00\x00principal@UNINITIALIZED"
+
 static int ipadb_ldap_attr_to_tl_data(LDAP *lcontext, LDAPMessage *le,
                                       char *attrname,
                                       krb5_tl_data **result, int *num)
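Review bot: DEFAULT_TL_DATA_CONTENT has no comment explaining its layout, and a reader cannot tell from the define alone why it starts with four zero bytes. Please document that this is KRB5_TL_MOD_PRINC data, a 4-byte modification timestamp (zero here) followed by the NUL-terminated modifier principal name, and that "principal@UNINITIALIZED" is a placeholder rather than a real principal.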
@@ -163,7 +165,7 @@ done:
 static krb5_error_code ipadb_set_tl_data(krb5_db_entry *entry,
                                          krb5_int16 type,
                                          krb5_ui_2 length,
-                                         krb5_octet *data)
+                                         const krb5_octet *data)
 {
     krb5_error_code kerr;
     krb5_tl_data *new_td = NULL;
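Review bot: with `data` now const and the new caller passing a string literal, the body of ipadb_set_tl_data (not shown in this hunk) must copy the bytes into new_td rather than store the pointer, otherwise a later free or modification of the tl_data would touch read-only memory. Worth confirming before this goes in.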
@@ -595,6 +597,13 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
         entry->tl_data = res_tl_data;
         entry->n_tl_data = result;
     case ENOENT:
+        /* The kadmin utility expects always at least KRB5_TL_MOD_PRINC tl_data
+         * to be available. So if krbExtraData is missing (may happen when a
+         * user is created but no password has been set yet) then add a default
+         * one. */
+        kerr = ipadb_set_tl_data(entry, KRB5_TL_MOD_PRINC,
+                                 sizeof(DEFAULT_TL_DATA_CONTENT),
+                                 (const krb5_octet *)DEFAULT_TL_DATA_CONTENT);
         break;
     default:
         kerr = KRB5_KDB_INTERNAL_ERROR;
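Review bot: as shown, `entry->n_tl_data = result;` runs straight into `case ENOENT:` with no break, so the default KRB5_TL_MOD_PRINC is set not only when krbExtraData is missing but also right after real tl_data has been loaded. Unless ipadb_set_tl_data leaves an existing KRB5_TL_MOD_PRINC entry alone, this risks overwriting or duplicating the real modification data; either add a break before `case ENOENT:` or add the default only when no entry of that type is present. If sizeof() is meant to include the trailing NUL in the length, say so in the comment.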
-- 
2.5.0
