authorSumit Bose <sbose@redhat.com>2017-12-04 16:57:31 +0100
committerChristian Heimes <cheimes@redhat.com>2018-02-08 18:46:47 +0100
commit73f61ce214e784ab8176a1f7acac6a3dbf1474ae (patch)
treeb194d51aa6cfbedb62920d9765e71b6dab15f430
parent40ac8158358e4ebe83208d41ff17164a58c8dc80 (diff)
ipa-kdb: update trust information in all workers
Currently there is already code to make sure that after a trust is established an AS-REQ of the local HTTP principal causes a refresh of the internal structures holding the information about the trusted domains. But this refreshes only the data of the current krb5kdc worker process on the local host. Other workers and the KDCs on other hosts will update the data eventually when a request with a principal from a trusted realm is handled. During this phase, which might last quite long if remote principals are only handled rarely, TGTs for local principals might or might not contain a PAC, because the decision whether a PAC should be added or not is based on the information about trusted domains. Since the PAC is needed to access services on the AD side, this access might fail intermittently depending on which worker process on which host is handling the request. This might e.g. affect SSSD running on the IPA server with a two-way trust. To fix this, this patch calls ipadb_reinit_mspac() whenever a PAC is needed, but without the 'force' flag, so that the refresh will only happen if it wasn't called recently (currently not more often than once a minute). An alternative might be to do the refresh only when processing cross-realm TGT requests. But this would already be too late, because the local principal asking for a cross-realm ticket would not have a PAC and hence the first attempt would still fail due to the missing PAC. And injecting the PAC into the cross-realm TGT while there is none in the requesting ticket does not sound right. Related to https://pagure.io/freeipa/issue/7351 Reviewed-By: Simo Sorce <ssorce@redhat.com>
-rw-r--r--daemons/ipa-kdb/ipa_kdb_mspac.c33
1 files changed, 20 insertions, 13 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 00cc19ca1..11e036986 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2121,6 +2121,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
int result;
krb5_db_entry *client_entry = NULL;
krb5_boolean is_equal;
+ bool force_reinit_mspac = false;
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
@@ -2174,24 +2175,30 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
}
if (with_pac && make_ad) {
+
+ ipactx = ipadb_get_context(context);
+ if (!ipactx) {
+ kerr = ENOMEM;
+ goto done;
+ }
+
/* Be aggressive here: special case for discovering range type
- * immediately after establishing the trust by IPA framework */
+ * immediately after establishing the trust by IPA framework. For all
+ * other cases call ipadb_reinit_mspac() with force_reinit_mspac set
+ * to 'false' to make sure the information about trusted domains is
+ * updated on a regular basis for all worker processes. */
if ((krb5_princ_size(context, ks_client_princ) == 2) &&
(strncmp(krb5_princ_component(context, ks_client_princ, 0)->data, "HTTP",
- krb5_princ_component(context, ks_client_princ, 0)->length) == 0)) {
- ipactx = ipadb_get_context(context);
- if (!ipactx) {
- kerr = ENOMEM;
- goto done;
- }
- if (ulc_casecmp(krb5_princ_component(context, ks_client_princ, 1)->data,
- krb5_princ_component(context, ks_client_princ, 1)->length,
- ipactx->kdc_hostname, strlen(ipactx->kdc_hostname),
- NULL, NULL, &result) == 0) {
- (void)ipadb_reinit_mspac(ipactx, true);
- }
+ krb5_princ_component(context, ks_client_princ, 0)->length) == 0) &&
+ (ulc_casecmp(krb5_princ_component(context, ks_client_princ, 1)->data,
+ krb5_princ_component(context, ks_client_princ, 1)->length,
+ ipactx->kdc_hostname, strlen(ipactx->kdc_hostname),
+ NULL, NULL, &result) == 0)) {
+ force_reinit_mspac = true;
}
+ (void)ipadb_reinit_mspac(ipactx, force_reinit_mspac);
+
kerr = ipadb_get_pac(context, client, &pac);
if (kerr != 0 && kerr != ENOENT) {
goto done;
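Review bot: The hostname half of the new force condition never reads `result`: if `ulc_casecmp()` follows the libunistring contract (return 0 when the comparison itself succeeded, ordering delivered through `*result`), then `NULL, NULL, &result) == 0)` is true for any `HTTP/<host>` principal, not only `HTTP/<kdc_hostname>`, and `result` (declared at the top of the function) is written but never consulted. Given the commit's own description that the `force` flag bypasses the once-a-minute rate limit, the practical effect is that an AS-REQ from any HTTP service principal in the realm reaching `with_pac && make_ad` sets `force_reinit_mspac = true` and triggers an unconditional trust-information refresh, so a client holding any HTTP keytab can drive that refresh on every request. The condition should end `NULL, NULL, &result) == 0) && (result == 0)) {`. The `strncmp(... "HTTP", <component 0 length>)` test on the line above is also bounded by the component's own length and so accepts shorter prefixes such as `HT/<host>`; adding `krb5_princ_component(context, ks_client_princ, 0)->length == 4 &&` in front of it closes that. Both weaknesses predate the patch but are carried into the new code, and ipadb_sign_authdata continues outside the hunk.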