summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlexander Bokovoy <abokovoy@redhat.com>2013-07-18 13:32:42 +0300
committerAlexander Bokovoy <abokovoy@redhat.com>2013-07-18 17:16:49 +0300
commit219dc85533a310b21c92b0a99502375435b82a33 (patch)
tree64b968cc86f51a847d655041412dd09e42dc6191
parent8e17f1e9579b9171639c109be51ada9032c52df7 (diff)
downloadfreeipa-219dc85533a310b21c92b0a99502375435b82a33.zip
freeipa-219dc85533a310b21c92b0a99502375435b82a33.tar.gz
freeipa-219dc85533a310b21c92b0a99502375435b82a33.tar.xz
WIP: reinit mspac on HTTP TGT acquisition to aid trust-add case
-rw-r--r--daemons/ipa-kdb/ipa_kdb.c4
-rw-r--r--daemons/ipa-kdb/ipa_kdb.h2
-rw-r--r--daemons/ipa-kdb/ipa_kdb_mspac.c26
3 files changed, 26 insertions, 6 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 51b879c..cfdafce 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -393,8 +393,8 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
goto done;
}
- /* get adtrust options */
- ret = ipadb_reinit_mspac(ipactx);
+ /* get adtrust options using default refresh interval */
+ ret = ipadb_reinit_mspac(ipactx, -1);
if (ret && ret != ENOENT) {
/* TODO: log that there is an issue with adtrust settings */
}
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 9e8e0c6..c0e81e0 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -250,7 +250,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
krb5_authdata **tgt_auth_data,
krb5_authdata ***signed_auth_data);
-krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx);
+krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, int interval);
void ipadb_mspac_struct_free(struct ipadb_mspac **mspac);
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index d6c4f9a..fe34859 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1282,7 +1282,8 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context,
return NULL;
}
- kerr = ipadb_reinit_mspac(ipactx);
+ /* re-init MS-PAC info using default update interval */
+ kerr = ipadb_reinit_mspac(ipactx, -1);
if (kerr != 0) {
return NULL;
}
@@ -1805,6 +1806,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
krb5_error_code kerr;
krb5_pac pac = NULL;
krb5_data pac_data;
+ struct ipadb_context *ipactx;
bool with_pac;
bool with_pad;
@@ -1831,6 +1833,21 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
if (is_as_req && with_pac && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
+ /* Be aggressive here: special case for discovering range type
+ * immediately after establishing the trust by IPA framework */
+ if ((krb5_princ_size(context, ks_client_princ) == 2) &&
+ (strncmp(krb5_princ_component(context, ks_client_princ, 0)->data, "HTTP",
+ krb5_princ_component(context, ks_client_princ, 0)->length) == 0)) {
+ ipactx = ipadb_get_context(context);
+ if (!ipactx) {
+ goto done;
+ }
+ if (strncmp(krb5_princ_component(context, ks_client_princ, 1)->data,
+ ipactx->kdc_hostname,
+ krb5_princ_component(context, ks_client_princ, 1)->length) == 0) {
+ kerr = ipadb_reinit_mspac(ipactx, 1);
+ }
+ }
kerr = ipadb_get_pac(context, client, &pac);
if (kerr != 0 && kerr != ENOENT) {
@@ -2155,7 +2172,7 @@ done:
return ret;
}
-krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
+krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, int interval)
{
char *dom_attrs[] = { "ipaNTFlatName",
"ipaNTFallbackPrimaryGroup",
@@ -2174,8 +2191,11 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
* avoid heavy load on the directory server if there are lots of requests
* from domains which we do not trust. */
now = time(NULL);
+ if (interval <= 0) {
+ interval = 60;
+ }
if (ipactx->mspac != NULL && now > ipactx->mspac->last_update &&
- (now - ipactx->mspac->last_update) < 60) {
+ (now - ipactx->mspac->last_update) < interval) {
return 0;
}