URL: https://github.com/freeipa/freeipa/pull/1529
Author: sumit-bose
Title: #1529: ipa-kdb: update trust information in all workers
Action: opened

PR body:
"""
Currently there is already code to make sure that after trust is established an
AS-REQ of the local HTTP principal causes a refresh of the internal structures
holding the information about the trusted domains.

But this refreshes only the data of the current krb5kdc worker process on the
local host. Other workers and the KDCs on other hosts will update the data
eventually when a request with a principal from a trusted realm is handled.

During this phase, which might last quite long if remote principals are only
handled rarely, TGTs for local principals might or might not contain a PAC
because the decision if a PAC should be added or not is based on the
information about trusted domains. Since the PAC is needed to access services
on the AD side, this access might fail intermittently depending on which worker
process on which host is handling the request. This might e.g. affect SSSD
running on the IPA server with two-way trust.

To fix this, this patch calls ipadb_reinit_mspac() whenever a PAC is needed but
without the 'force' flag so that the refresh will only happen if it wasn't
called recently (currently not more often than once a minute).

An alternative might be to do the refresh only when processing cross-realm TGT
requests. But this would be already too late because the local principal asking
for a cross-realm ticket would not have a PAC and hence the first attempt will
still fail due to the missing PAC. And injecting the PAC in the cross-realm TGT
while there is none in the requesting ticket does not sound right.

Related to https://pagure.io/freeipa/issue/7351
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1529/head:pr1529
git checkout pr1529
From e2d6e693329146d180bb577604373d4f0a4ae3dc Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 4 Dec 2017 16:57:31 +0100
Subject: [PATCH] ipa-kdb: update trust information in all workers

Currently there is already code to make sure that after trust is established an
AS-REQ of the local HTTP principal causes a refresh of the internal structures
holding the information about the trusted domains.

But this refreshes only the data of the current krb5kdc worker process on the
local host. Other workers and the KDCs on other hosts will update the data
eventually when a request with a principal from a trusted realm is handled.

During this phase, which might last quite long if remote principals are only
handled rarely, TGTs for local principals might or might not contain a PAC
because the decision if a PAC should be added or not is based on the
information about trusted domains. Since the PAC is needed to access services
on the AD side, this access might fail intermittently depending on which worker
process on which host is handling the request. This might e.g. affect SSSD
running on the IPA server with two-way trust.

To fix this, this patch calls ipadb_reinit_mspac() whenever a PAC is needed but
without the 'force' flag so that the refresh will only happen if it wasn't
called recently (currently not more often than once a minute).

An alternative might be to do the refresh only when processing cross-realm TGT
requests. But this would be already too late because the local principal asking
for a cross-realm ticket would not have a PAC and hence the first attempt will
still fail due to the missing PAC. And injecting the PAC in the cross-realm TGT
while there is none in the requesting ticket does not sound right.

Related to https://pagure.io/freeipa/issue/7351
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 00cc19ca1e..11e036986a 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2121,6 +2121,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     int result;
     krb5_db_entry *client_entry = NULL;
     krb5_boolean is_equal;
+    bool force_reinit_mspac = false;
 
 
     is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
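Review bot: the new `bool force_reinit_mspac = false;` is declared at function scope but is only set and consumed inside the `if (with_pac && make_ad)` block further down; declaring it at the top of that block keeps the flag next to the two places that use it and avoids a stray false-initialised variable on every other code path through ipadb_sign_authdata().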
@@ -2174,24 +2175,30 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     }
 
     if (with_pac && make_ad) {
+
+        ipactx = ipadb_get_context(context);
+        if (!ipactx) {
+            kerr = ENOMEM;
+            goto done;
+        }
+
         /* Be aggressive here: special case for discovering range type
-         * immediately after establishing the trust by IPA framework */
+         * immediately after establishing the trust by IPA framework. For all
+         * other cases call ipadb_reinit_mspac() with force_reinit_mspac set
+         * to 'false' to make sure the information about trusted domains is
+         * updated on a regular basis for all worker processes. */
         if ((krb5_princ_size(context, ks_client_princ) == 2) &&
             (strncmp(krb5_princ_component(context, ks_client_princ, 0)->data, "HTTP",
-                     krb5_princ_component(context, ks_client_princ, 0)->length) == 0)) {
-            ipactx = ipadb_get_context(context);
-            if (!ipactx) {
-                kerr = ENOMEM;
-                goto done;
-            }
-            if (ulc_casecmp(krb5_princ_component(context, ks_client_princ, 1)->data,
-                            krb5_princ_component(context, ks_client_princ, 1)->length,
-                            ipactx->kdc_hostname, strlen(ipactx->kdc_hostname),
-                            NULL, NULL, &result) == 0) {
-                (void)ipadb_reinit_mspac(ipactx, true);
-            }
+                     krb5_princ_component(context, ks_client_princ, 0)->length) == 0) &&
+            (ulc_casecmp(krb5_princ_component(context, ks_client_princ, 1)->data,
+                         krb5_princ_component(context, ks_client_princ, 1)->length,
+                         ipactx->kdc_hostname, strlen(ipactx->kdc_hostname),
+                         NULL, NULL, &result) == 0)) {
+            force_reinit_mspac = true;
         }
 
+        (void)ipadb_reinit_mspac(ipactx, force_reinit_mspac);
+
         kerr = ipadb_get_pac(context, client, &pac);
         if (kerr != 0 && kerr != ENOENT) {
             goto done;
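Review bot: the HTTP check that is kept, `strncmp(krb5_princ_component(context, ks_client_princ, 0)->data, "HTTP", krb5_princ_component(context, ks_client_princ, 0)->length) == 0`, is bounded by the component's own length and so is a prefix test: a two-component principal whose first component is "H", "HT" or "HTT" and whose second component is the KDC hostname would also set force_reinit_mspac. Since these lines are being rewritten anyway, comparing the component length against strlen("HTTP") before the compare (or `length == 4 && memcmp(data, "HTTP", 4) == 0`) closes that. Two smaller points on the same hunk: `(void)ipadb_reinit_mspac(ipactx, force_reinit_mspac);` now runs for every PAC-bearing request but still discards the return value, so a persistently failing refresh (LDAP unreachable, for instance) stays invisible; logging the error at debug level would make the new behaviour diagnosable. And hoisting `ipadb_get_context()` ahead of the HTTP check means a NULL context now fails every `with_pac && make_ad` request with ENOMEM rather than only the HTTP/<kdc> case; that is probably the right outcome, since no PAC can be built without the context, but it is a behaviour change the commit message should mention.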
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org