URL: https://github.com/SSSD/sssd/pull/74 Author: sumit-bose Title: #74: IPA/AD: check auth ctx before using it Action: opened
PR body: """ In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to set the 'canonicalize' option in the system-wide Kerberos configuration according to the settings in SSSD if the AD or IPA provider were used. Unfortunately the patch implied that the auth provider is the same as the id provider which might not always be the case. A different auth provider caused a crash in the backend which is fixed by this patch. Resolves https://fedorahosted.org/sssd/ticket/3234 I tried to add an integration test to see if SSSD can start with a mixed configuration but the AD provider tries to set some SASL parameters which requires e.g. an existing keytab which is afaik currently not available in the integration test. Since this issue it easy to reproduce manually (start SSSD with id_provder=ad and auth_provider=krb5) I hope it is acceptable that an integration test can be added later when the infrastructure for AD provider tests is available? """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/74/head:pr74 git checkout pr74
From ca62775b3e6ad1bb4212476a8b6a413e13a9b6ed Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Tue, 8 Nov 2016 11:51:57 +0100 Subject: [PATCH] IPA/AD: check auth ctx before using it In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to set the 'canonicalize' option in the system-wide Kerberos configuration according to the settings in SSSD if the AD or IPA provider were used. Unfortunately the patch implied that the auth provider is the same as the id provider which might not always be the case. A different auth provider caused a crash in the backend which is fixed by this patch. Resolves https://fedorahosted.org/sssd/ticket/3234 --- src/providers/ad/ad_subdomains.c | 13 +++++++++++-- src/providers/ipa/ipa_subdomains.c | 20 +++++++++++++++++--- 2 files changed, 28 insertions(+), 5 deletions(-) diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index 52bf536..5e57d21 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c @@ -618,14 +618,23 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx) { const char *path; errno_t ret; - bool canonicalize; + bool canonicalize = false; path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic, AD_KRB5_CONFD_PATH); - canonicalize = dp_opt_get_bool( + if (subdoms_ctx->ad_id_ctx->ad_options->auth_ctx != NULL + && subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts != NULL) { + canonicalize = dp_opt_get_bool( subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts, KRB5_CANONICALIZE); + } else { + DEBUG(SSSDBG_CONF_SETTINGS, "Auth provider data is not available, " + "most probably because the auth provider " + "is not 'ad'. Kerberos configuration " + "snippet to set the 'canonicalize' option " + "will not be created.\n"); + } ret = sss_write_krb5_conf_snippet(path, canonicalize); if (ret != EOK) { diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c index 8653e3f..b2e96b2 100644 --- a/src/providers/ipa/ipa_subdomains.c +++ b/src/providers/ipa/ipa_subdomains.c @@ -73,16 +73,30 @@ static errno_t ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx) { errno_t ret; + bool canonicalize = false; DEBUG(SSSDBG_TRACE_INTERNAL, "Re-initializing domain %s\n", ctx->be_ctx->domain->name); + if (ctx->ipa_id_ctx->ipa_options->auth_ctx != NULL + && ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx != NULL + && ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts != NULL + ) { + canonicalize = dp_opt_get_bool( + ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts, + KRB5_CANONICALIZE); + } else { + DEBUG(SSSDBG_CONF_SETTINGS, "Auth provider data is not available, " + "most probably because the auth provider " + "is not 'ipa'. Kerberos configuration " + "snippet to set the 'canonicalize' option " + "will not be created.\n"); + } + ret = sss_write_krb5_conf_snippet( dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic, IPA_KRB5_CONFD_PATH), - dp_opt_get_bool( - ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts, - KRB5_CANONICALIZE)); + canonicalize); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n"); /* Just continue */
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org