dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Source Code
GIT

Blame SOURCES/0139-krb5-accept-changed-principal-if-krb5_canonicalize-T.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s
  1.   60d7aa4f36196ac810fd688d806dd57cda6196d5
  2.   SOURCES
  3.   0139-krb5-accept-changed-principal-if-krb5_canonicalize-T.patch
Blob History Raw
bb7cd1 
From 04a1802749b6ebf72730357b06bf8cabe09ebb01 Mon Sep 17 00:00:00 2001
bb7cd1 
From: Sumit Bose <sbose@redhat.com>
bb7cd1 
Date: Wed, 24 May 2017 16:10:26 +0200
bb7cd1 
Subject: [PATCH 139/141] krb5: accept changed principal if
bb7cd1 
 krb5_canonicalize=True
bb7cd1
bb7cd1 
Currently SSSD accepts significant changes in the principal only if
bb7cd1 
krb5_use_enterprise_principal=True. But canonicalization can lead to
bb7cd1 
similar changes so they should be accepted in this case as well.
bb7cd1
bb7cd1 
Resolves:
bb7cd1 
https://pagure.io/SSSD/sssd/issue/3408
bb7cd1
bb7cd1 
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
bb7cd1 
(cherry picked from commit ca95807a9060e454ee68f6f30558d6f7ee968c39)
bb7cd1 
---
bb7cd1 
 src/providers/krb5/krb5_auth.c | 3 +++
bb7cd1 
 1 file changed, 3 insertions(+)
bb7cd1
bb7cd1 
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
bb7cd1 
index 894bd41bde031ac33187bfa3b14202e9429a9198..03ea9d88cac67919d4b9ba3a1cf2efa208662195 100644
bb7cd1 
--- a/src/providers/krb5/krb5_auth.c
bb7cd1 
+++ b/src/providers/krb5/krb5_auth.c
bb7cd1 
@@ -829,6 +829,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
bb7cd1 
     char *renew_interval_str;
bb7cd1 
     time_t renew_interval_time = 0;
bb7cd1 
     bool use_enterprise_principal;
bb7cd1 
+    bool canonicalize;
bb7cd1
bb7cd1 
     ret = handle_child_recv(subreq, pd, &buf, &len;;
bb7cd1 
     talloc_zfree(subreq);
bb7cd1 
@@ -908,6 +909,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
bb7cd1
bb7cd1 
     use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts,
bb7cd1 
                                                KRB5_USE_ENTERPRISE_PRINCIPAL);
bb7cd1 
+    canonicalize = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_CANONICALIZE);
bb7cd1
bb7cd1 
     /* Check if the cases of our upn are correct and update it if needed.
bb7cd1 
      * Fail if the upn differs by more than just the case for non-enterprise
bb7cd1 
@@ -915,6 +917,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
bb7cd1 
     if (res->correct_upn != NULL &&
bb7cd1 
         strcmp(kr->upn, res->correct_upn) != 0) {
bb7cd1 
         if (strcasecmp(kr->upn, res->correct_upn) == 0 ||
bb7cd1 
+            canonicalize == true ||
bb7cd1 
             use_enterprise_principal == true) {
bb7cd1 
             talloc_free(kr->upn);
bb7cd1 
             kr->upn = talloc_strdup(kr, res->correct_upn);
bb7cd1 
--
bb7cd1 
2.9.4
bb7cd1

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation