
From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Thu, 13 Jan 2022 11:28:30 +0100
Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
AD and IPA providers use a common fo_server object for LDAP and
Kerberos, which is created with the LDAP data. This means that due to
the changes introduced in
https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
the port in use for the Kerberos requests would be the one specified for
LDAP, usually the default one (389).
In order to avoid that, AD and IPA providers shouldn't change the
Kerberos port with the one provided for LDAP.
:fixes: A critical regression that prevented authentication of users via
AD and IPA providers was fixed. The LDAP port was reused for Kerberos
communication, so the provider sent Kerberos requests to a port that could
not interpret them.
Resolves: https://github.com/SSSD/sssd/issues/5947
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
 src/providers/ad/ad_common.c     |  1 +
 src/providers/ipa/ipa_common.c   |  1 +
 src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
 src/providers/krb5/krb5_common.h |  1 +
 4 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index e263444c5..1ca5f8e3a 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
     if (service->krb5_service->write_kdcinfo) {
         ret = write_krb5info_file_from_fo_server(service->krb5_service,
                                                  server,
+                                                 true,
                                                  SSS_KRB5KDC_FO_SRV,
                                                  ad_krb5info_file_filter);
         if (ret != EOK) {
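Review bot: The bare `true` passed as the new argument gives a reader no hint why the AD provider must discard the fo_server port, while krb5_common.c passes `false` for the same parameter; the reason lives only in the commit message. A one-line comment above the call would keep it with the code, e.g. `/* The shared fo_server carries the LDAP port, not the KDC port; write the address without a port so libkrb5 uses its default. */`. The same applies to the ipa_resolve_callback hunk in ipa_common.c. If a deployment deliberately runs its KDC on a non-default port, the kdcinfo entry will now omit it; that is presumably acceptable because the fo_server port came from the LDAP configuration anyway, but worth confirming. The body of ad_resolve_callback continues outside this hunk.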
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 1509cb1ce..e6c1f9aa4 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
     if (service->krb5_service->write_kdcinfo) {
         ret = write_krb5info_file_from_fo_server(service->krb5_service,
                                                  server,
+                                                 true,
                                                  SSS_KRB5KDC_FO_SRV,
                                                  NULL);
         if (ret != EOK) {
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 719ce6a12..5ffa20809 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
 
 errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
                                            struct fo_server *server,
+                                           bool force_default_port,
                                            const char *service,
                                            bool (*filter)(struct fo_server *))
 {
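Review bot: The new `force_default_port` parameter is documented nowhere — neither this definition nor the prototype in the krb5_common.h hunk says what it does — and its name suggests it sets a port, whereas the body only omits the `:port` suffix so that libkrb5 falls back to its own default. A Doxygen-style line on the header prototype would settle both points: `@param force_default_port  When true the fo_server port is ignored and the address is written without a port, so the Kerberos default applies (AD and IPA share their fo_server with LDAP).`. The function body continues past this hunk.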
@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
     if (filter == NULL || filter(server) == false) {
         address = fo_server_address_or_name(tmp_ctx, server);
         if (address) {
-            port = fo_get_server_port(server);
-            if (port != 0) {
-                address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
-                if (address == NULL) {
-                    DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
-                    talloc_free(tmp_ctx);
-                    return ENOMEM;
+            if (!force_default_port) {
+                port = fo_get_server_port(server);
+                if (port != 0) {
+                    address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
+                    if (address == NULL) {
+                        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+                        talloc_free(tmp_ctx);
+                        return ENOMEM;
+                    }
                 }
             }
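Review bot: The port-append block rewritten here is the same, line for line, as the one in the next hunk (the `item` loop) apart from the server variable, and the patch deepens both copies instead of factoring them, so the two sites can drift the next time the rule changes. A small static helper that takes the fo_server and `force_default_port` and replaces `address` in place would leave one place to maintain; both call sites then reduce to a call plus the existing `talloc_free(tmp_ctx); return ENOMEM;` path. Note also that `port` is now assigned only inside `if (!force_default_port)`; its declaration is outside the hunk, so confirm nothing reads it after these blocks. write_krb5info_file_from_fo_server continues beyond this hunk.
```c
/* Append ":port" to *address unless the caller asked for the default port
 * or the fo_server carries no explicit port. Returns ENOMEM on failure. */
static errno_t append_fo_server_port(TALLOC_CTX *mem_ctx,
                                     struct fo_server *srv,
                                     bool force_default_port,
                                     const char **address)
{
    int port;

    if (force_default_port) {
        return EOK;
    }

    port = fo_get_server_port(srv);
    if (port == 0) {
        return EOK;
    }

    *address = talloc_asprintf(mem_ctx, "%s:%d", *address, port);
    if (*address == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
        return ENOMEM;
    }

    return EOK;
}

/* … unchanged: write_krb5info_file_from_fo_server up to the address lookup … */
        address = fo_server_address_or_name(tmp_ctx, server);
        if (address) {
            if (append_fo_server_port(tmp_ctx, server, force_default_port,
                                      &address) != EOK) {
                talloc_free(tmp_ctx);
                return ENOMEM;
            }
```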
 
@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
                 continue;
             }
 
-            port = fo_get_server_port(item);
-            if (port != 0) {
-                address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
-                if (address == NULL) {
-                    DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
-                    talloc_free(tmp_ctx);
-                    return ENOMEM;
+            if (!force_default_port) {
+                port = fo_get_server_port(item);
+                if (port != 0) {
+                    address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
+                    if (address == NULL) {
+                        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+                        talloc_free(tmp_ctx);
+                        return ENOMEM;
+                    }
                 }
             }
 
@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
     if (krb5_service->write_kdcinfo) {
         ret = write_krb5info_file_from_fo_server(krb5_service,
                                                  server,
+                                                 false,
                                                  krb5_service->name,
                                                  NULL);
         if (ret != EOK) {
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 151f446d1..2fd39a751 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
 
 errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
                                            struct fo_server *server,
+                                           bool force_default_port,
                                            const char *service,
                                            bool (*filter)(struct fo_server *));
 
-- 
2.26.3