From 4a1e58d85409fbb7a12ac244c3dbef8c0c1b15df Mon Sep 17 00:00:00 2001
From: Michal Zidek
Date: Thu, 9 Aug 2012 14:38:23 +0200
Subject: SRV resolution for backup servers should not be permitted.

https://fedorahosted.org/sssd/ticket/1463
---
 src/man/include/service_discovery.xml | 2 +-
 src/providers/ad/ad_common.c | 10 +++++++++-
 src/providers/ipa/ipa_common.c | 10 +++++++++-
 src/providers/krb5/krb5_common.c | 11 +++++++++--
 src/providers/ldap/ldap_common.c | 10 +++++++++-
 5 files changed, 37 insertions(+), 6 deletions(-)

diff --git a/src/man/include/service_discovery.xml b/src/man/include/service_discovery.xml
index 78ebd0989..5b96ad864 100644
--- a/src/man/include/service_discovery.xml
+++ b/src/man/include/service_discovery.xml
@@ -3,7 +3,7 @@
 The service discovery feature allows back ends to automatically find the appropriate servers to connect to using a special DNS
- query.
+ query. This feature is not supported for backup servers.
 Configuration
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index a4703ee72..800ef131f 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -152,7 +152,7 @@ ad_servers_init(TALLOC_CTX *mem_ctx,
 bool primary)
 {
 size_t i;
- errno_t ret;
+ errno_t ret = 0;
 char **list;
 char *ad_domain;
 TALLOC_CTX *tmp_ctx;
@@ -172,6 +172,14 @@ ad_servers_init(TALLOC_CTX *mem_ctx,
 /* Add each of these servers to the failover service */
 for (i = 0; list[i]; i++) {
 if (be_fo_is_srv_identifier(list[i])) {
+ if (!primary) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Failed to add server [%s] to failover service: "
+ "SRV resolution only allowed for primary servers!\n",
+ list[i]));
+ continue;
+ }
+
 ret = be_fo_add_srv_server(bectx, AD_SERVICE_NAME, "ldap", ad_domain, BE_FO_PROTO_TCP, false, NULL);
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index b5f6337d9..bf62fcb94 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
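Review bot: A backup entry that is an SRV identifier is now silently dropped in ad_servers_init: the only trace is an SSSDBG_MINOR_FAILURE message and the function still returns 0, because the new `errno_t ret = 0` initialization is exactly what makes a loop in which every entry hits `continue` report success, so an administrator who puts an SRV identifier in the backup server list ends up with no backup servers and no error, and the text "Failed to add server ..." reads like a runtime fault rather than the configuration rule being enforced. Since this is an administrator configuration error, consider logging it at the level-0 `DEBUG(0, ...)` already used for the missing DNS service name in sdap_urls_init, and a comment above the check, `/* SRV discovery is honoured for primary servers only (ticket 1463); a backup SRV entry is skipped, not treated as an error, so ret stays 0 if every entry is skipped */`, would tell the next reader that the skip and the zero return are intentional. The identical check and wording appear in ipa_servers_init, krb5_servers_init and sdap_urls_init and deserve the same treatment; ad_servers_init's body continues outside the hunk.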
@@ -806,7 +806,7 @@ errno_t ipa_servers_init(struct be_ctx *ctx,
 TALLOC_CTX *tmp_ctx;
 char **list = NULL;
 char *ipa_domain;
- int ret;
+ int ret = 0;
 int i;
 tmp_ctx = talloc_new(NULL);
@@ -827,6 +827,14 @@ errno_t ipa_servers_init(struct be_ctx *ctx,
 talloc_steal(service, list[i]);
 if (be_fo_is_srv_identifier(list[i])) {
+ if (!primary) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Failed to add server [%s] to failover service: "
+ "SRV resolution only allowed for primary servers!\n",
+ list[i]));
+ continue;
+ }
+
 ipa_domain = dp_opt_get_string(options->basic, IPA_DOMAIN);
 ret = be_fo_add_srv_server(ctx, "IPA", "ldap", ipa_domain, BE_FO_PROTO_TCP, false, NULL);
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index ad79db9d6..98a2f7da2 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -473,7 +473,7 @@ errno_t krb5_servers_init(struct be_ctx *ctx,
 {
 TALLOC_CTX *tmp_ctx;
 char **list = NULL;
- errno_t ret;
+ errno_t ret = 0;
 int i;
 char *port_str;
 long port;
@@ -493,7 +493,6 @@ errno_t krb5_servers_init(struct be_ctx *ctx,
 }
 for (i = 0; list[i]; i++) {
- talloc_steal(service, list[i]);
 server_spec = talloc_strdup(service, list[i]);
 if (!server_spec) {
@@ -502,6 +501,14 @@ errno_t krb5_servers_init(struct be_ctx *ctx,
 }
 if (be_fo_is_srv_identifier(server_spec)) {
+ if (!primary) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Failed to add server [%s] to failover service: "
+ "SRV resolution only allowed for primary servers!\n",
+ list[i]));
+ continue;
+ }
+
 ret = be_fo_add_srv_server(ctx, service_name, service_name, NULL, BE_FO_PROTO_UDP, true, NULL);
 if (ret) {
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 1fc5ebb55..570ec9709 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
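Review bot: The new check in krb5_servers_init tests `be_fo_is_srv_identifier(server_spec)` but prints `list[i]` in the message; the two hold the same bytes right after the talloc_strdup above, yet the predicate and the diagnostic should read the same variable so they cannot drift if server_spec is ever rewritten before this point, i.e. `server_spec));` in place of `list[i]));`. With `talloc_steal(service, list[i])` removed from the loop, a skipped entry is no longer re-parented to `service`, which is presumably fine because server_spec is the copy that outlives the loop, but a short comment on the `continue`, `/* backup SRV entry ignored; list[i] is left on its original context */`, would record that nothing is leaked or dangling here. The enclosing loop and krb5_servers_init both continue outside the hunk.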
@@ -1116,7 +1116,7 @@ errno_t sdap_urls_init(struct be_ctx *ctx,
 char *srv_user_data;
 char **list = NULL;
 LDAPURLDesc *lud;
- errno_t ret;
+ errno_t ret = 0;
 int i;
 tmp_ctx = talloc_new(NULL);
@@ -1135,6 +1135,14 @@ errno_t sdap_urls_init(struct be_ctx *ctx,
 /* now for each URI add a new server to the failover service */
 for (i = 0; list[i]; i++) {
 if (be_fo_is_srv_identifier(list[i])) {
+ if (!primary) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Failed to add server [%s] to failover service: "
+ "SRV resolution only allowed for primary servers!\n",
+ list[i]));
+ continue;
+ }
+
 if (!dns_service_name) {
 DEBUG(0, ("Missing DNS service name for service [%s].\n", service_name));
-- cgit