Re: [Freeipa-devel] [PATCH] #3901
On Tue, 2013-11-26 at 14:11 +0100, Jan Cholasta wrote: On 17.9.2013 17:26, Jan Cholasta wrote: On 10.9.2013 21:12, Simo Sorce wrote: I think the attached (untested) patch should solve the issue. Is it sufficient or do we want to change framework code somehow ? Simo. I think no changes to the framework are necessary. It already adds krbTicketPolicyAux when krbTicketFlags is touched in host-add and host-mod. Honza kadmin.local still returns an error for me with this patch applied: kadmin.local: modprinc +ok_as_delegate host/test.example@example.com modify_principal: Kerberos database internal error while modifying host/test.example@example.com. I think I made a mistake using mod_op in ipadb_get_ldap_mod_str(), and should have used LDAP_MOD_ADD because we do not want to replace the objectclass object, we want to add to it. Any chance you can check quickly changing that ? I've blown the setup I was using when I created the patch Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] #3901
On 26.11.2013 14:24, Simo Sorce wrote: On Tue, 2013-11-26 at 14:11 +0100, Jan Cholasta wrote: kadmin.local still returns an error for me with this patch applied: kadmin.local: modprinc +ok_as_delegate host/test.example@example.com modify_principal: Kerberos database internal error while modifying host/test.example@example.com. I think I made a mistake using mod_op in ipadb_get_ldap_mod_str(), and should have used LDAP_MOD_ADD because we do not want to replace the objectclass object, we want to add to it. Any chance you can check quickly changing that ? I've blown the setup I was using when I created the patch That fixed it, so ACK with the change included. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] #3901
On 26.11.2013 16:35, Jan Cholasta wrote: On 26.11.2013 14:24, Simo Sorce wrote: On Tue, 2013-11-26 at 14:11 +0100, Jan Cholasta wrote: kadmin.local still returns an error for me with this patch applied: kadmin.local: modprinc +ok_as_delegate host/test.example@example.com modify_principal: Kerberos database internal error while modifying host/test.example@example.com. I think I made a mistake using mod_op in ipadb_get_ldap_mod_str(), and should have used LDAP_MOD_ADD because we do not want to replace the objectclass object, we want to add to it. Any chance you can check quickly changing that ? I've blown the setup I was using when I created the patch That fixed it, so ACK with the change included. Modified patch attached. -- Jan Cholasta From 8d790ed550bf023da171405bde2cd08e97877dd4 Mon Sep 17 00:00:00 2001 From: Simo Sorce s...@redhat.com Date: Tue, 26 Nov 2013 15:41:31 + Subject: [PATCH] Add krbticketPolicyAux objectclass if needed When modifying ticket flags add the objectclass to the object if it is missing. --- daemons/ipa-kdb/ipa_kdb.h| 1 + daemons/ipa-kdb/ipa_kdb_principals.c | 34 ++ 2 files changed, 35 insertions(+) diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index 1c2aefc..5ad256b 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -117,6 +117,7 @@ struct ipadb_e_data { struct ipapwd_policy *pol; time_t last_admin_unlock; char **authz_data; +bool has_tktpolaux; }; struct ipadb_context *ipadb_get_context(krb5_context kcontext); diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index 38059d2..a520952 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c @@ -468,6 +468,17 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, ied-ipa_user = true; } +/* check if it has the krbTicketPolicyAux objectclass */ +ret = ipadb_ldap_attr_has_value(lcontext, lentry, +objectClass, krbTicketPolicyAux); +if (ret != 0 ret != ENOENT) { +kerr = ret; +goto done; +} +if (ret == 0) { +ied-has_tktpolaux = true; +} + ret = ipadb_ldap_attr_to_str(lcontext, lentry, krbPwdPolicyReference, restring); switch (ret) { @@ -1411,6 +1422,29 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext, /* KADM5_ATTRIBUTES */ if (entry-mask KMASK_ATTRIBUTES) { +/* if the object does not have the krbTicketPolicyAux class + * we need to add it or this will fail, only for modifications. + * We always add this objectclass by default when doing an add + * from scratch. */ +if ((mod_op == LDAP_MOD_REPLACE) entry-e_data) { +struct ipadb_e_data *ied; + +ied = (struct ipadb_e_data *)entry-e_data; +if (ied-magic != IPA_E_DATA_MAGIC) { +kerr = EINVAL; +goto done; +} + +if (!ied-has_tktpolaux) { +kerr = ipadb_get_ldap_mod_str(imods, objectclass, + krbTicketPolicyAux, + LDAP_MOD_ADD); +if (kerr) { +goto done; +} +} +} + kerr = ipadb_get_ldap_mod_int(imods, krbTicketFlags, (int)entry-attributes, -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] #3901
On 11/26/2013 04:42 PM, Jan Cholasta wrote: On 26.11.2013 16:35, Jan Cholasta wrote: On 26.11.2013 14:24, Simo Sorce wrote: On Tue, 2013-11-26 at 14:11 +0100, Jan Cholasta wrote: kadmin.local still returns an error for me with this patch applied: kadmin.local: modprinc +ok_as_delegate host/test.example@example.com modify_principal: Kerberos database internal error while modifying host/test.example@example.com. I think I made a mistake using mod_op in ipadb_get_ldap_mod_str(), and should have used LDAP_MOD_ADD because we do not want to replace the objectclass object, we want to add to it. Any chance you can check quickly changing that ? I've blown the setup I was using when I created the patch That fixed it, so ACK with the change included. Modified patch attached. Thanks! Added ticket link to commit message and pushed to master: a1165ffbb80446890e3757113c9682c8526ed666 -- PetrĀ³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] #3901
On 10.9.2013 21:12, Simo Sorce wrote: I think the attached (untested) patch should solve the issue. Is it sufficient or do we want to change framework code somehow ? Simo. I think no changes to the framework are necessary. It already adds krbTicketPolicyAux when krbTicketFlags is touched in host-add and host-mod. Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel