authorAlexander Bokovoy <abokovoy@redhat.com>2014-02-25 20:53:49 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-02-26 14:19:49 +0100
commitf7955abdda854e58c60b74039bbd155f2dc66e75 (patch)
tree4ebd6c345c3848233cf077fd34e5ba25f2bb24a4 /daemons
parentfb2eca8d1ef5244a6c9701f75cd684e07c2a9d57 (diff)
ipa-kdb: make sure we don't produce MS-PAC in case of authdata flag cleared by admin
When an admin clears the authdata flag for the service principal, the KDC will pass a NULL client pointer (service proxy) to the DAL driver. Make sure we bail out correctly. Reviewed-By: Tomáš Babej <tbabej@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
Diffstat (limited to 'daemons')
-rw-r--r--daemons/ipa-kdb/ipa_kdb_mspac.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 2a0480fff..9137cd5ad 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1985,6 +1985,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
int result;
krb5_db_entry *client_entry = NULL;
+
+ /* When client is NULL, authdata flag on the service principal was cleared
+ * by an admin. We don't generate MS-PAC in this case */
+ if (client == NULL) {
+ *signed_auth_data = NULL;
+ return 0;
+ }
+
/* When using s4u2proxy client_princ actually refers to the proxied user
* while client->princ to the proxy service asking for the TGS on behalf
* of the proxied user. So always use client_princ in preference */
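Review bot: The new `if (client == NULL)` guard treats every NULL client as "authdata flag cleared by an admin", but nothing visible in the hunk distinguishes that case from any other request where the KDC supplies no client entry. If another path can reach ipadb_sign_authdata with a NULL client (for example a TGS request whose client is not in the local database; this is inferred and needs checking against the callers), the function would return success with `*signed_auth_data = NULL`, so no PAC would be verified or re-signed and the ticket would carry no authorization data. I would key the early return on the condition that actually signals the cleared flag, or at least reword the comment to `/* NULL client: the KDC gave us no client entry (seen when the authdata flag is cleared on the service principal); no MS-PAC is generated */` and log the skip so the decision is auditable. The body of ipadb_sign_authdata starts and ends outside the hunk, so the flags argument and the later client_princ handling cannot be checked from here.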