From 817e83837d249a63395d90ac47dc975a23f00c6c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 25 Feb 2014 20:53:49 +0200 Subject: [PATCH 50/51] ipa-kdb: make sure we don't produce MS-PAC in case of authdata flag cleared by admin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When admin clears authdata flag for the service principal, KDC will pass NULL client pointer (service proxy) to the DAL driver. Make sure we bail out correctly. Reviewed-By: Tomáš Babej Reviewed-By: Simo Sorce --- daemons/ipa-kdb/ipa_kdb_mspac.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 2a0480fff029d29fb56286d85108936f6c579901..9137cd5ad1e6166fd5d6e765fab2c8178ca0587c 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -1985,6 +1985,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, int result; krb5_db_entry *client_entry = NULL; + + /* When client is NULL, authdata flag on the service principal was cleared + * by an admin. We don't generate MS-PAC in this case */ + if (client == NULL) { + *signed_auth_data = NULL; + return 0; + } + /* When using s4u2proxy client_princ actually refers to the proxied user * while client->princ to the proxy service asking for the TGS on behalf * of the proxied user. So always use client_princ in preference */ -- 1.8.5.3