authorSumit Bose <sbose@redhat.com>2016-07-06 17:29:37 +0200
committerSumit Bose <sbose@redhat.com>2016-07-06 18:49:09 +0200
commita1ca7928148a58a1ac61f6d418750200866a4a63 (patch)
tree24974706a4f15c944c67cf051cf9674ad0c7dcef
parentf0f82fafe2e58e1087fe494b403d1231748640d6 (diff)
kdb: check for local realm in enterprise principals
-rw-r--r--daemons/ipa-kdb/ipa_kdb_principals.c52
1 files changed, 40 insertions, 12 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 6cdfa9094..5b8090947 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1198,30 +1198,58 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
/* skip '@' and use part after '@' as an enterprise realm for comparison */
realm++;
- kerr = ipadb_is_princ_from_trusted_realm(kcontext,
- realm,
- upn->length - (realm - upn->data),
- &trusted_realm);
- if (kerr == 0) {
- kentry = calloc(1, sizeof(krb5_db_entry));
- if (!kentry) {
+ /* check for our realm */
+ if (strncasecmp(ipactx->realm, realm,
+ upn->length - (realm - upn->data)) == 0) {
+ /* it looks like it is ok to use malloc'ed strings as principal */
+ krb5_free_unparsed_name(kcontext, principal);
+ principal = strndup((const char *) upn->data, upn->length);
+ if (principal == NULL) {
kerr = ENOMEM;
goto done;
}
- kerr = krb5_parse_name(kcontext, principal,
- &kentry->princ);
+
+ ldap_msgfree(res);
+ res = NULL;
+ kerr = ipadb_fetch_principals(ipactx, flags, principal, &res);
if (kerr != 0) {
goto done;
}
- kerr = krb5_set_principal_realm(kcontext, kentry->princ, trusted_realm);
+ kerr = ipadb_find_principal(kcontext, flags, res, &principal,
+ &lentry);
if (kerr != 0) {
goto done;
}
- *entry = kentry;
+ } else {
+
+ kerr = ipadb_is_princ_from_trusted_realm(kcontext,
+ realm,
+ upn->length - (realm - upn->data),
+ &trusted_realm);
+ if (kerr == 0) {
+ kentry = calloc(1, sizeof(krb5_db_entry));
+ if (!kentry) {
+ kerr = ENOMEM;
+ goto done;
+ }
+ kerr = krb5_parse_name(kcontext, principal,
+ &kentry->princ);
+ if (kerr != 0) {
+ goto done;
+ }
+
+ kerr = krb5_set_principal_realm(kcontext, kentry->princ, trusted_realm);
+ if (kerr != 0) {
+ goto done;
+ }
+ *entry = kentry;
+ }
+ goto done;
}
+ } else {
+ goto done;
}
- goto done;
}
kerr = ipadb_parse_ldap_entry(kcontext, principal, lentry, entry, &pol);