Hi!

In case we've got constrained delegation, we need to look into the
delegated entry, not the service that is going to delegate it.

I'm not sure we need to pass the original entry in both cases, but with this
patch we have solved a long-standing problem of testing AD trusts in
automated CI.

https://fedorahosted.org/freeipa/ticket/4195


--
/ Alexander Bokovoy
From 8e7c41bf35d68bfad2dc5b790cf6f5b964949417 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Tue, 25 Feb 2014 17:50:55 +0200
Subject: [PATCH v1 1/2] ipa-kdb: in case of delegation use original client's
 database entry, not the proxy

https://fedorahosted.org/freeipa/ticket/4195
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index ff67391..2a0480f 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1983,12 +1983,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context 
context,
     bool with_pac;
     bool with_pad;
     int result;
+    krb5_db_entry *client_entry = NULL;
 
     /* When using s4u2proxy client_princ actually refers to the proxied user
      * while client->princ to the proxy service asking for the TGS on behalf
      * of the proxied user. So always use client_princ in preference */
     if (client_princ != NULL) {
         ks_client_princ = client_princ;
+        kerr = ipadb_get_principal(context, client_princ, flags, 
&client_entry);
     } else {
         ks_client_princ = client->princ;
     }
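Review bot: the return value of ipadb_get_principal() in the `if (client_princ != NULL)` branch is never checked, so a failed lookup leaves client_entry NULL and silently falls back to the proxy's entry later in the function, which is exactly the behaviour this patch is meant to remove, and kerr is then overwritten by the next call without anyone noticing. Either fail the request explicitly (`if (kerr != 0) { goto done; }`, with pac initialised before the first possible jump) or at least comment that the fallback is deliberate. It would also be worth stating in the commit message that the lookup is done for every request carrying client_princ, not only when KRB5_KDB_FLAG_CONSTRAINED_DELEGATION is set.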
@@ -2025,7 +2027,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
             }
         }
 
-        kerr = ipadb_get_pac(context, client, &pac);
+        kerr = ipadb_get_pac(context, client_entry ? client_entry : client, 
&pac);
         if (kerr != 0 && kerr != ENOENT) {
             goto done;
         }
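Review bot: the expression `client_entry ? client_entry : client` is duplicated verbatim in this hunk and the next; a single local such as `krb5_db_entry *pac_entry = client_entry ? client_entry : client;` assigned right after the lookup would keep both ipadb_get_pac() calls in sync and make it obvious that one entry is used for the PAC throughout the function.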
@@ -2041,7 +2043,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
         /* check or generate pac data */
         if ((pac_auth_data == NULL) || (pac_auth_data[0] == NULL)) {
             if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
-                kerr = ipadb_get_pac(context, client, &pac);
+                kerr = ipadb_get_pac(context, client_entry ? client_entry : 
client, &pac);
                 if (kerr != 0 && kerr != ENOENT) {
                     goto done;
                 }
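Review bot: this call site is already inside the `flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION` branch, so client_entry being NULL here means the principal lookup in the first hunk failed rather than that we are not delegating; falling back to `client` then builds the PAC from the proxy service's entry. Consider treating a NULL client_entry as an error in this branch instead of using the ternary fallback.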
@@ -2094,6 +2096,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     kerr = 0;
 
 done:
+    if (client_entry != NULL) {
+        ipadb_free_principal(context, client_entry);
+    }
     krb5_pac_free(context, pac);
     return kerr;
 }
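Review bot: the cleanup at done: is correct only if every exit between the new ipadb_get_principal() call and the end of the function goes through `done`; any plain `return kerr;` in the code not shown in this diff would now leak client_entry. Please double-check the function body for early returns. The `if (client_entry != NULL)` guard is fine if ipadb_free_principal() does not accept NULL; if it does, the guard can be dropped for brevity.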
-- 
1.8.3.1

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
