[Freeipa-devel] [PATCH] 0138 ipa-kdb: in case of delegation use original client's database entry, not the proxy

Alexander Bokovoy abokovoy at redhat.com
Tue Feb 25 16:00:20 UTC 2014


Hi!


In case we've got constrained delegation, we need to look into the
delegated entry, not the service that is going to delegate it.

I'm not sure we need to pass the original entry in both cases, but with this
patch we have solved a long-standing problem of testing AD trusts in
automated CI.

https://fedorahosted.org/freeipa/ticket/4195


-- 
/ Alexander Bokovoy
-------------- next part --------------
From 8e7c41bf35d68bfad2dc5b790cf6f5b964949417 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 25 Feb 2014 17:50:55 +0200
Subject: [PATCH v1 1/2] ipa-kdb: in case of delegation use original client's
 database entry, not the proxy

https://fedorahosted.org/freeipa/ticket/4195
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index ff67391..2a0480f 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1983,12 +1983,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     bool with_pac;
     bool with_pad;
     int result;
+    krb5_db_entry *client_entry = NULL;
 
     /* When using s4u2proxy client_princ actually refers to the proxied user
      * while client->princ to the proxy service asking for the TGS on behalf
      * of the proxied user. So always use client_princ in preference */
     if (client_princ != NULL) {
         ks_client_princ = client_princ;
+        kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
     } else {
         ks_client_princ = client->princ;
     }
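Review bot: the return value of `ipadb_get_principal()` on the added line is stored in `kerr` but never checked, so a failed lookup of the proxied user's entry is silently swallowed (the next assignment to `kerr` overwrites it) and the code falls through with `client_entry == NULL`. Either test `kerr` right after the call and `goto done` on failure, or, if falling back to the proxy's entry is the intended behaviour when the lookup fails, add a comment saying so, because as written a reader cannot tell which was meant.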
@@ -2025,7 +2027,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
             }
         }
 
-        kerr = ipadb_get_pac(context, client, &pac);
+        kerr = ipadb_get_pac(context, client_entry ? client_entry : client, &pac);
         if (kerr != 0 && kerr != ENOENT) {
             goto done;
         }
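Review bot: `client_entry ? client_entry : client` here means that whenever the lookup in the first hunk fails, the PAC is still built from the proxy service's entry, which is exactly the behaviour the patch is trying to get rid of in the s4u2proxy case. Consider resolving the choice once near the lookup (e.g. `krb5_db_entry *pac_entry = client_entry ? client_entry : client;`) and using that variable here and in the constrained-delegation branch, so the fallback policy lives in one place and can be tightened later without touching every call site.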
@@ -2041,7 +2043,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
         /* check or generate pac data */
         if ((pac_auth_data == NULL) || (pac_auth_data[0] == NULL)) {
             if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
-                kerr = ipadb_get_pac(context, client, &pac);
+                kerr = ipadb_get_pac(context, client_entry ? client_entry : client, &pac);
                 if (kerr != 0 && kerr != ENOENT) {
                     goto done;
                 }
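Review bot: this is the `KRB5_KDB_FLAG_CONSTRAINED_DELEGATION` branch, where the PAC is generated specifically for the delegated user, so a `NULL` `client_entry` reaching this point is a stronger signal that something went wrong than in the previous hunk. Rather than repeating the ternary, consider failing explicitly here when `client_princ != NULL` but `client_entry == NULL`, since issuing a PAC derived from the proxy's entry for the proxied user's identity is what the commit message describes as the bug.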
@@ -2094,6 +2096,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     kerr = 0;
 
 done:
+    if (client_entry != NULL) {
+        ipadb_free_principal(context, client_entry);
+    }
     krb5_pac_free(context, pac);
     return kerr;
 }
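Review bot: the cleanup is correct for every path that reaches `done:`, but it only covers the entry if nothing between the lookup in the first hunk and `done:` returns directly; any early `return` in that stretch of the function (not visible in the diff context) would now leak `client_entry`. Worth a quick audit of `ipadb_sign_authdata()` for such returns, and if `ipadb_free_principal()` already tolerates a `NULL` argument the `if` guard can be dropped to match the unconditional `krb5_pac_free()` call right below it.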
-- 
1.8.3.1
