Hi, although enterprise principals for trusted domains are now working as expected, they do not work for the local domain:

# kinit -E admin@IPA.DEVEL
kinit: Client 'admin\@IPA.DEVEL@IPA.DEVEL' not found in Kerberos database while getting initial credentials

Attached patch handles this case. It is not that nice because of the duplication of ipadb_fetch_principals() and ipadb_find_principal(). But I think there was a reason, which I do not remember, why we didn't check for enterprise principals before checking the local database. If there is no such reason it might make sense to check for enterprise principals before doing the lookup. Please let me know if I should change the patch accordingly or if the current version is ok, bye, Sumit
From a1ca7928148a58a1ac61f6d418750200866a4a63 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Wed, 6 Jul 2016 17:29:37 +0200
Subject: [PATCH] kdb: check for local realm in enterprise principals
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 52 +++++++++++++++++++++++++++---------
 1 file changed, 40 insertions(+), 12 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 6cdfa909452a4b55912b2a5a74648abd2053482a..5b80909475565d6bb4fa8cba67629094daf51eb3 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1198,30 +1198,58 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
 /* skip '@' and use part after '@' as an enterprise realm for comparison */
 realm++;
 
- kerr = ipadb_is_princ_from_trusted_realm(kcontext,
- realm,
- upn->length - (realm - upn->data),
- &trusted_realm);
- if (kerr == 0) {
- kentry = calloc(1, sizeof(krb5_db_entry));
- if (!kentry) {
+ /* check for our realm */
+ if (strncasecmp(ipactx->realm, realm,
+ upn->length - (realm - upn->data)) == 0) {
+ /* it looks like it is ok to use malloc'ed strings as principal */
+ krb5_free_unparsed_name(kcontext, principal);
+ principal = strndup((const char *) upn->data, upn->length);
+ if (principal == NULL) {
 kerr = ENOMEM;
 goto done;
 }
- kerr = krb5_parse_name(kcontext, principal,
- &kentry->princ);
+
+ ldap_msgfree(res);
+ res = NULL;
+ kerr = ipadb_fetch_principals(ipactx, flags, principal, &res);
 if (kerr != 0) {
 goto done;
 }
 
- kerr = krb5_set_principal_realm(kcontext, kentry->princ, trusted_realm);
+ kerr = ipadb_find_principal(kcontext, flags, res, &principal,
+ &lentry);
 if (kerr != 0) {
 goto done;
 }
- *entry = kentry;
+ } else {
+
+ kerr = ipadb_is_princ_from_trusted_realm(kcontext,
+ realm,
+ upn->length - (realm - upn->data),
+ &trusted_realm);
+ if (kerr == 0) {
+ kentry = calloc(1, sizeof(krb5_db_entry));
+ if (!kentry) {
+ kerr = ENOMEM;
+ goto done;
+ }
+ kerr = krb5_parse_name(kcontext, principal,
+ &kentry->princ);
+ if (kerr != 0) {
+ goto done;
+ }
+
+ kerr = krb5_set_principal_realm(kcontext, kentry->princ, trusted_realm);
+ if (kerr != 0) {
+ goto done;
+ }
+ *entry = kentry;
+ }
+ goto done;
 }
+ } else {
+ goto done;
 }
- goto done;
 }
 
 kerr = ipadb_parse_ldap_entry(kcontext, principal, lentry, entry, &pol);
-- 
2.4.11
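Review bot: The local-realm test at `if (strncasecmp(ipactx->realm, realm, upn->length - (realm - upn->data)) == 0)` is only a prefix comparison, because the bound is the length of the realm part of the UPN: when that part is shorter than ipactx->realm (for example, a UPN ending in `@IPA` presented to a KDC whose realm is `IPA.DEVEL`) the first n characters match and the name is treated as local. Compare the lengths first, e.g. `size_t rlen = upn->length - (realm - upn->data);` followed by `if (strlen(ipactx->realm) == rlen && strncasecmp(ipactx->realm, realm, rlen) == 0) {`, which also removes the duplicated length expression. The same bound is passed to ipadb_is_princ_from_trusted_realm() in the else branch; that helper is outside the hunk, so whether it performs its own length check cannot be seen here. ipadb_get_principal() begins before the hunk and continues after it, so the cleanup at `done:` that the comment relies on to release the strndup'ed `principal` is not visible either.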