Re: [Freeipa-devel] [PATCH] #3901
On Tue, 2013-11-26 at 14:11 +0100, Jan Cholasta wrote: On 17.9.2013 17:26, Jan Cholasta wrote: On 10.9.2013 21:12, Simo Sorce wrote: I think the attached (untested) patch should solve the issue. Is it sufficient or do we want to change framework code somehow ? Simo. I think no changes to the framework are necessary. It already adds krbTicketPolicyAux when krbTicketFlags is touched in host-add and host-mod. Honza kadmin.local still returns an error for me with this patch applied: kadmin.local: modprinc +ok_as_delegate host/test.example@example.com modify_principal: Kerberos database internal error while modifying host/test.example@example.com. I think I made a mistake using mod_op in ipadb_get_ldap_mod_str(), and should have used LDAP_MOD_ADD because we do not want to replace the objectclass object, we want to add to it. Any chance you can check quickly changing that ? I've blown the setup I was using when I created the patch Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] #3901
On 26.11.2013 14:24, Simo Sorce wrote: On Tue, 2013-11-26 at 14:11 +0100, Jan Cholasta wrote: kadmin.local still returns an error for me with this patch applied: kadmin.local: modprinc +ok_as_delegate host/test.example@example.com modify_principal: Kerberos database internal error while modifying host/test.example@example.com. I think I made a mistake using mod_op in ipadb_get_ldap_mod_str(), and should have used LDAP_MOD_ADD because we do not want to replace the objectclass object, we want to add to it. Any chance you can check quickly changing that ? I've blown the setup I was using when I created the patch That fixed it, so ACK with the change included. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] #3901
On 26.11.2013 16:35, Jan Cholasta wrote:
On 26.11.2013 14:24, Simo Sorce wrote:
On Tue, 2013-11-26 at 14:11 +0100, Jan Cholasta wrote:
kadmin.local still returns an error for me with this patch applied:
kadmin.local: modprinc +ok_as_delegate
host/test.example@example.com
modify_principal: Kerberos database internal error while modifying
host/test.example@example.com.
I think I made a mistake using mod_op in ipadb_get_ldap_mod_str(), and
should have used LDAP_MOD_ADD because we do not want to replace the
objectclass object, we want to add to it.
Any chance you can check quickly changing that ? I've blown the setup I
was using when I created the patch
That fixed it, so ACK with the change included.
Modified patch attached.
--
Jan Cholasta
From 8d790ed550bf023da171405bde2cd08e97877dd4 Mon Sep 17 00:00:00 2001
From: Simo Sorce s...@redhat.com
Date: Tue, 26 Nov 2013 15:41:31 +
Subject: [PATCH] Add krbticketPolicyAux objectclass if needed
When modifying ticket flags add the objectclass to the object if it is missing.
---
daemons/ipa-kdb/ipa_kdb.h| 1 +
daemons/ipa-kdb/ipa_kdb_principals.c | 34 ++
2 files changed, 35 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 1c2aefc..5ad256b 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -117,6 +117,7 @@ struct ipadb_e_data {
struct ipapwd_policy *pol;
time_t last_admin_unlock;
char **authz_data;
+bool has_tktpolaux;
};
struct ipadb_context *ipadb_get_context(krb5_context kcontext);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 38059d2..a520952 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -468,6 +468,17 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
ied-ipa_user = true;
}
+/* check if it has the krbTicketPolicyAux objectclass */
+ret = ipadb_ldap_attr_has_value(lcontext, lentry,
+objectClass, krbTicketPolicyAux);
+if (ret != 0 ret != ENOENT) {
+kerr = ret;
+goto done;
+}
+if (ret == 0) {
+ied-has_tktpolaux = true;
+}
+
ret = ipadb_ldap_attr_to_str(lcontext, lentry,
krbPwdPolicyReference, restring);
switch (ret) {
@@ -1411,6 +1422,29 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
/* KADM5_ATTRIBUTES */
if (entry-mask KMASK_ATTRIBUTES) {
+/* if the object does not have the krbTicketPolicyAux class
+ * we need to add it or this will fail, only for modifications.
+ * We always add this objectclass by default when doing an add
+ * from scratch. */
+if ((mod_op == LDAP_MOD_REPLACE) entry-e_data) {
+struct ipadb_e_data *ied;
+
+ied = (struct ipadb_e_data *)entry-e_data;
+if (ied-magic != IPA_E_DATA_MAGIC) {
+kerr = EINVAL;
+goto done;
+}
+
+if (!ied-has_tktpolaux) {
+kerr = ipadb_get_ldap_mod_str(imods, objectclass,
+ krbTicketPolicyAux,
+ LDAP_MOD_ADD);
+if (kerr) {
+goto done;
+}
+}
+}
+
kerr = ipadb_get_ldap_mod_int(imods,
krbTicketFlags,
(int)entry-attributes,
--
1.8.3.1
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] #3901
On 11/26/2013 04:42 PM, Jan Cholasta wrote: On 26.11.2013 16:35, Jan Cholasta wrote: On 26.11.2013 14:24, Simo Sorce wrote: On Tue, 2013-11-26 at 14:11 +0100, Jan Cholasta wrote: kadmin.local still returns an error for me with this patch applied: kadmin.local: modprinc +ok_as_delegate host/test.example@example.com modify_principal: Kerberos database internal error while modifying host/test.example@example.com. I think I made a mistake using mod_op in ipadb_get_ldap_mod_str(), and should have used LDAP_MOD_ADD because we do not want to replace the objectclass object, we want to add to it. Any chance you can check quickly changing that ? I've blown the setup I was using when I created the patch That fixed it, so ACK with the change included. Modified patch attached. Thanks! Added ticket link to commit message and pushed to master: a1165ffbb80446890e3757113c9682c8526ed666 -- PetrĀ³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] #3901
On 10.9.2013 21:12, Simo Sorce wrote: I think the attached (untested) patch should solve the issue. Is it sufficient or do we want to change framework code somehow ? Simo. I think no changes to the framework are necessary. It already adds krbTicketPolicyAux when krbTicketFlags is touched in host-add and host-mod. Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
