URL: https://github.com/SSSD/sssd/pull/5949
Author: ikerexxe
Title: #5949: krb5: AD and IPA don't change Kerberos port
Action: opened
PR body:
"""
AD and IPA providers use a common fo_server object for LDAP and
Kerberos, which is created with the LDAP data. This means that due to
the changes introduced in
https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
the port in use for the Kerberos requests would be the one specified for
LDAP, usually the default one (389).
In order to avoid that, AD and IPA providers shouldn't change the
Kerberos port with the one provided for LDAP.
Resolves: https://github.com/SSSD/sssd/issues/5947
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5949/head:pr5949
git checkout pr5949
From f6fb31f149498f050ea536e8e4f140f4c54488f7 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa
Date: Thu, 13 Jan 2022 11:28:30 +0100
Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
AD and IPA providers use a common fo_server object for LDAP and
Kerberos, which is created with the LDAP data. This means that due to
the changes introduced in
https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
the port in use for the Kerberos requests would be the one specified for
LDAP, usually the default one (389).
In order to avoid that, AD and IPA providers shouldn't change the
Kerberos port with the one provided for LDAP.
Resolves: https://github.com/SSSD/sssd/issues/5947
Signed-off-by: Iker Pedrosa
---
src/providers/ad/ad_common.c | 1 +
src/providers/ipa/ipa_common.c | 1 +
src/providers/krb5/krb5_common.c | 34 +++-
src/providers/krb5/krb5_common.h | 1 +
4 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index e263444c54..1ca5f8e3a6 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
if (service->krb5_service->write_kdcinfo) {
ret = write_krb5info_file_from_fo_server(service->krb5_service,
server,
+ true,
SSS_KRB5KDC_FO_SRV,
ad_krb5info_file_filter);
if (ret != EOK) {
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 1509cb1ce6..e6c1f9aa48 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
if (service->krb5_service->write_kdcinfo) {
ret = write_krb5info_file_from_fo_server(service->krb5_service,
server,
+ true,
SSS_KRB5KDC_FO_SRV,
NULL);
if (ret != EOK) {
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 719ce6a12b..5ffa208094 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
struct fo_server *server,
+ bool force_default_port,
const char *service,
bool (*filter)(struct fo_server *))
{
@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
if (filter == NULL || filter(server) == false) {
address = fo_server_address_or_name(tmp_ctx, server);
if (address) {
-port = fo_get_server_port(server);
-if (port != 0) {
-address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
-if (address == NULL) {
-DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
-talloc_free(tmp_ctx);
-return ENOMEM;
+if (!force_default_port) {
+port = fo_get_server_port(server);
+if (port != 0) {
+address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
+if (address == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+talloc_free(tmp_ctx);
+return ENOMEM;
+}
}
}
@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,