
From 6b224e57672e3f73f93bb9eddd9031e945529a1e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 24 Nov 2020 16:03:36 +0200
Subject: [PATCH] ad trust: accept subordinate domains of the forest trust root
Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for
subordinate UPN suffixes but missed the case where subordinate UPN is a
subdomain of the forest root domain and not mentioned in the UPN
suffixes list.
Correct this situation by applying the same check to the trusted domain
name as well.
Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index f2bd60e11..c6ac593ca 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2976,10 +2976,20 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
 
 	/* Iterate through list of trusts and check if input realm belongs to any of the trust */
 	for(i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
+		size_t len = 0;
 		result = strncasecmp(test_realm,
 				     ipactx->mspac->trusts[i].domain_name,
 				     size) == 0;
 
+		if (!result) {
+			len = strlen(ipactx->mspac->trusts[i].domain_name);
+			if ((size > len) && (test_realm[size - len - 1] == '.')) {
+				result = strncasecmp(test_realm + (size - len),
+						     ipactx->mspac->trusts[i].domain_name,
+						     len) == 0;
+			}
+		}
+
                 if (!result && (ipactx->mspac->trusts[i].flat_name != NULL)) {
 			result = strncasecmp(test_realm,
 					     ipactx->mspac->trusts[i].flat_name,
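Review bot: The new subordinate-domain block (the `if (!result)` added after the exact `strncasecmp` on `domain_name`) carries no comment, while the equivalent UPN-suffix branch in the second hunk explains its dot-prefixed suffix test; add above it `/* No exact match: also accept a realm that is a DNS child of the trusted domain, i.e. test_realm ends with '.' followed by domain_name */`. The length is recomputed with `strlen(ipactx->mspac->trusts[i].domain_name)` on every lookup and every iteration of the trust loop, whereas the UPN suffixes carry a precomputed `upn_suffixes_len[j]`; a matching precomputed length for the domain name, filled where the trust list is built (outside this hunk), would keep the two branches consistent. The acceptance is purely textual on the realm name, so any realm ending in `.` plus the trusted domain name is now treated as belonging to that trust even when it is not in the UPN suffix list; if that is intended for every trust entry, the comment should state it. The `for` loop and ipadb_is_princ_from_trusted_realm begin before and continue past this hunk.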
@@ -2995,7 +3005,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
 					/* if UPN suffix did not match exactly, find if it is
 					 * superior to the test_realm, e.g. if test_realm ends
 					 * with the UPN suffix prefixed with dot*/
-					size_t len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
+					len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
 					if ((size > len) && (test_realm[size - len - 1] == '.')) {
 						result = strncasecmp(test_realm + (size - len),
 								     ipactx->mspac->trusts[i].upn_suffixes[j],
-- 
2.29.2