[Freeipa-devel] [freeipa PR#1115][opened] ipa-kdb: reinit trusted domain data for enterprise principals

Wed, 27 Sep 2017 23:31:31 -0700 

   URL: https://github.com/freeipa/freeipa/pull/1115
Author: sumit-bose
 Title: #1115: ipa-kdb: reinit trusted domain data for enterprise principals
Action: opened

PR body:
"""
While processing enterprise principals the information about trusted domains
might not be up-to-date. With this patch ipadb_reinit_mspac() is called if an
unknown domain is part of the enterprise principal.

Resolves https://pagure.io/freeipa/issue/7172
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1115/head:pr1115
git checkout pr1115

From 26120d3fe97841890f08b59a37a2c58183d2d9ad Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@f26-ipa.ipaf26.devel>
Date: Wed, 27 Sep 2017 14:17:49 +0200
Subject: [PATCH] ipa-kdb: reinit trusted domain data for enterprise principals

While processing enterprise principals the information about trusted domains
might not be up-to-date. With this patch ipadb_reinit_mspac() is called if an
unknown domain is part of the enterprise principal.

Resolves https://pagure.io/freeipa/issue/7172
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 82c857430b..7935ad58d5 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1259,6 +1259,16 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
                                                          realm,
                                                          upn->length - (realm - upn->data),
                                                          &trusted_realm);
+                if (kerr == KRB5_KDB_NOENTRY) {
+                    /* try to refresh trusted domain data and try again */
+                    kerr = ipadb_reinit_mspac(ipactx, false);
+                    if (kerr != 0) {
+                        goto done;
+                    }
+                    kerr = ipadb_is_princ_from_trusted_realm(kcontext, realm,
+                                              upn->length - (realm - upn->data),
+                                              &trusted_realm);
+                }
                 if (kerr == 0) {
                     kentry = calloc(1, sizeof(krb5_db_entry));
                     if (!kentry) {

_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

Reply via email to