authorMartin Kosek <mkosek@redhat.com>2013-02-07 15:45:46 +0100
committerMartin Kosek <mkosek@redhat.com>2013-02-12 10:37:28 +0100
commite08307d3fa4cd1ca83c64a13273920fb78fdd680 (patch)
treecd105487fe53c4ae00c917808fa574a19f8b639c /daemons/ipa-kdb/ipa_kdb_mspac.c
parentce90a4538bb78eba310f34b3dc4b51413d50c4be (diff)
ipa-kdb: reinitialize LDAP configuration for known realms
ipa-kdb did not reinitialize the trusted domain configuration when a new trusted domain was loaded into ipa-kdb; the admin then had to restart krb5kdc to apply the change to the running krb5kdc service. Run ipadb_reinit_mspac unconditionally every time a trusted domain is loaded. In addition to the already configured 1 minute grace time, also add a quick check that there is at least one configured trusted domain before reinitializing the mspac structure. https://fedorahosted.org/freeipa/ticket/3289
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_mspac.c')
-rw-r--r--daemons/ipa-kdb/ipa_kdb_mspac.c57
1 files changed, 45 insertions, 12 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 7307071a0..441769600 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1173,20 +1173,16 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context,
struct ipadb_adtrusts *domain;
krb5_error_code kerr;
- domain = get_domain_from_realm(context, realm);
- if (domain == NULL) {
- ipactx = ipadb_get_context(context);
- if (!ipactx) {
- return NULL;
- }
-
- kerr = ipadb_reinit_mspac(ipactx);
- if (kerr != 0) {
- return NULL;
- }
+ ipactx = ipadb_get_context(context);
+ if (!ipactx) {
+ return NULL;
+ }
- domain = get_domain_from_realm(context, realm);
+ kerr = ipadb_reinit_mspac(ipactx);
+ if (kerr != 0) {
+ return NULL;
}
+ domain = get_domain_from_realm(context, realm);
return domain;
}
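Review bot: Any failure of ipadb_reinit_mspac() now makes get_domain_from_realm_update() return NULL even for a realm that was already known, and kerr is dropped on the way out, so a transient LDAP outage is indistinguishable to the caller from an unknown realm. Before this change the reinit only ran after a lookup miss; now it runs on every call (rate-limited only by the grace period inside ipadb_reinit_mspac, which this hunk does not show), so that failure path is reached far more often and deserves at least a log of kerr before the `return NULL;`, or a comment above the call stating that the reinit is throttled internally. Stylistically, `domain` is now assigned exactly once, so the tail could simply be `return get_domain_from_realm(context, realm);` with the local dropped. get_domain_from_realm_update() begins before this hunk.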
@@ -1753,6 +1749,30 @@ krb5_error_code ipadb_mspac_fill_well_known_sids(struct ipadb_mspac *mspac)
return 0;
}
+krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
+{
+ char *attrs[] = { NULL };
+ char *filter = "(objectclass=ipaNTTrustedDomain)";
+ char *base = NULL;
+ LDAPMessage *result = NULL;
+ int ret;
+
+ ret = asprintf(&base, "cn=ad,cn=trusts,%s", ipactx->base);
+ if (ret == -1) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Run a quick search if there is any trust defined */
+ ret = ipadb_simple_search(ipactx, base, LDAP_SCOPE_SUBTREE,
+ filter, attrs, &result);
+
+done:
+ ldap_msgfree(result);
+ free(base);
+ return ret;
+}
+
krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
{
struct ipadb_adtrusts *t;
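Review bot: The asprintf() failure branch in ipadb_mspac_check_trusted_domains() jumps to done and calls free(base), but on glibc the contents of the output pointer are undefined after a failed asprintf(), so this may free garbage rather than the NULL it was initialised to. Nothing has been allocated at that point, so the branch can return directly: `if (ret == -1) { return ENOMEM; }`. On that path and whenever the search fails before producing a message, ldap_msgfree(result) is also reached with result still NULL; OpenLDAP appears to tolerate that, but it is cheaper to guard than to rely on. `filter` and `attrs` are never written, so `const char *filter` is the better declaration, and a header comment such as `/* Returns 0 when at least one ipaNTTrustedDomain entry exists under cn=ad,cn=trusts, the search's own error code otherwise (presumably KRB5_KDB_NOENTRY when none exists, as ipadb_reinit_mspac checks) */` would tell the next reader what the caller may rely on.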
@@ -1856,6 +1876,19 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
return 0;
}
+ if (ipactx->mspac && ipactx->mspac->num_trusts == 0) {
+ /* Check if there is any trust configured. If not, just return
+ * and do not re-initialize the MS-PAC structure. */
+ ret = ipadb_mspac_check_trusted_domains(ipactx);
+ if (ret == KRB5_KDB_NOENTRY) {
+ ret = 0;
+ goto done;
+ } else if (ret != 0) {
+ ret = EIO;
+ goto done;
+ }
+ }
+
/* clean up in case we had old values around */
ipadb_mspac_struct_free(&ipactx->mspac);