From 18cbf559addfeb77ad83b81e23431295a3e5c6ae Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 6 May 2016 15:02:19 +0200
Subject: [PATCH] IPA: Handle requests for netgroups from trusted domains
gracefully
In ipa_account_info_handler we first check if the request is for a user
from a trusted domain and go that way for all request types. In
contrast, in the ipa_account_info_done we first check if the requested
object is a netgroup. If both are true, we first call the subdomain
lookup's send function but then call the netgroup lookup's recv function,
which results in a talloc type mismatch and crashes sssd_be.
Resolves:
https://fedorahosted.org/sssd/ticket/3007
---
src/providers/ipa/ipa_id.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
index 29e22982c415220c931f0422e10cd06dfa1a195b..dff4b23580d8c7502a1fbe9c57d21b8c555883be 100644
--- a/src/providers/ipa/ipa_id.c
+++ b/src/providers/ipa/ipa_id.c
@@ -115,21 +115,27 @@ void ipa_account_info_handler(struct be_req *breq)
return sdap_handler_done(breq, DP_ERR_OK, EOK, "Success");
}
- if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {
- /* if domain names do not match, this is a subdomain case
- * subdomain lookups are handled differently on the server
- * and the client
- */
- req = ipa_subdomain_account_send(breq, be_ctx->ev, ipa_ctx, breq, ar);
-
- } else if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_NETGROUP) {
+ if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_NETGROUP) {
/* netgroups are handled by a separate request function */
if (ar->filter_type != BE_FILTER_NAME) {
return sdap_handler_done(breq, DP_ERR_FATAL,
EINVAL, "Invalid filter type");
}
+
+ if ((strcasecmp(ar->domain, be_ctx->domain->name) != 0)) {
+ return sdap_handler_done(breq, DP_ERR_OK, EOK,
+ "netgroups in subdomains are "
+ "not handled\n");
+ }
+
req = ipa_id_get_netgroup_send(breq, be_ctx->ev,
ipa_ctx, ar->filter_value);
+ } else if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {
+ /* if domain names do not match, this is a subdomain case
+ * subdomain lookups are handled differently on the server
+ * and the client
+ */
+ req = ipa_subdomain_account_send(breq, be_ctx->ev, ipa_ctx, breq, ar);
} else {
/* any account request is handled by sdap,
* any invalid request is caught there. */
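Review bot: The message passed to sdap_handler_done in the new subdomain branch ends in a literal `\n` ("netgroups in subdomains are not handled\n"), unlike the other messages in this hunk ("Success", "Invalid filter type"), so whatever logs or returns errstr will print a stray blank line; drop the `\n` and, while there, the redundant double parentheses: `if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {`. Returning DP_ERR_OK/EOK here means a netgroup request for a trusted domain is reported to the caller as a successful lookup that found nothing rather than as unsupported; that appears to be the intended behaviour, but it would help to say so in the comment above the check, e.g. `/* netgroups are not resolved for trusted domains; report an empty result, not an error */`, so nobody later mistakes the empty answer for a lookup failure. The body of ipa_account_info_handler starts and ends outside this hunk, so the ordering fix cannot be confirmed against the rest of the function from here.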
--
2.4.11