From 8ad535b618d60fa016061212ff85d0ad28ccae59 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 12 Jul 2021 11:02:10 -0400
Subject: [PATCH] Fall back to krbprincipalname when validating host auth
indicators
When adding a new host the principal cannot be determined because it
relies on either:
a) an entry to already exist
b) krbprincipalname be a component of the dn
As a result the full dn is being passed into ipapython.Kerberos
which can't parse it.
Look into the entry in validate_auth_indicator() for
krbprincipalname in this case.
https://pagure.io/freeipa/issue/8206
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/plugins/service.py | 5 +++++
ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++
2 files changed, 16 insertions(+)
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index cfbbff3c6..498f5e444 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -209,6 +209,11 @@ def validate_auth_indicator(entry):
# and shouldn't be allowed to have auth indicators.
# https://pagure.io/freeipa/issue/8206
pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
+ if pkey == str(entry.dn):
+ # krbcanonicalname may not be set yet if this is a host entry,
+ # try krbprincipalname
+ if 'krbprincipalname' in entry:
+ pkey = entry['krbprincipalname']
principal = kerberos.Principal(pkey)
server = api.Command.server_find(principal.hostname)['result']
if server:
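Review bot: The fallback `pkey = entry['krbprincipalname']` hands whatever the entry holds straight to `kerberos.Principal(pkey)` on the next line; if that attribute is multi-valued on this entry type, as LDAP attributes usually are, pkey becomes a list rather than a principal string and the `principal.hostname` used for the master lookup may not be the host this check is meant to protect. Prefer an explicit single value, `pkey = entry.single_value['krbprincipalname']`, if that accessor is what the entry type offers, and confirm the type before relying on it. When the attribute is absent pkey is still the stringified DN and the parse failure described in the commit message is unchanged; a comment such as `# otherwise pkey is still the DN and Principal() will reject it (fail closed)` would make that path explicit. validate_auth_indicator starts and ends outside the hunk.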
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index 9cfde3565..ff50e796c 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test):
)):
command()
+ def test_add_non_master_with_auth_ind(self, host5):
+ host5.ensure_missing()
+ command = host5.make_command(
+ 'host_add', host5.fqdn, krbprincipalauthind=['radius'],
+ force=True
+ )
+ result = command()
+ # The fact that the command succeeds exercises the change but
+ # let's check the indicator as well.
+ assert result['result']['krbprincipalauthind'] == ('radius',)
+
@pytest.mark.tier1
class TestValidation(XMLRPC_test):
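Review bot: The new test_add_non_master_with_auth_ind has no docstring, and its inline comment explains only the assertion; a one-liner such as `"""host_add on a non-master host must accept an auth indicator (issue 8206)."""` would tie the test to the fix it guards. The test covers only the success path; the rejection of an indicator on a master host appears to be exercised by the `command()` call at the top of the hunk, inside a block whose opening is outside the hunk, so it is worth confirming that case still fails as expected now that the fallback reads krbprincipalname. The enclosing class TestProtectedMaster starts outside the hunk.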
--
2.31.1