From e08307d3fa4cd1ca83c64a13273920fb78fdd680 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Thu, 7 Feb 2013 15:45:46 +0100
Subject: ipa-kdb: reinitialize LDAP configuration for known realms

ipa-kdb did not reinitialize trusted domain configuration when it was loaded to ipa-kdb. However, admin then would have to restart krb5kdc if he wanted to apply the change to running krb5kdc service.

Run ipadb_reinit_mspac unconditionally every time when trusted domain is loaded. Among the already configured 1 minute grace time, also add a quick check if there is at least one configured trusted domain before reinitializing the mspac structure.

https://fedorahosted.org/freeipa/ticket/3289
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 57 ++++++++++++++++++++++++++++++++---------
 1 file changed, 45 insertions(+), 12 deletions(-)

(limited to 'daemons/ipa-kdb')

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 7307071a0..441769600 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1173,20 +1173,16 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context,
     struct ipadb_adtrusts *domain;
     krb5_error_code kerr;
 
-    domain = get_domain_from_realm(context, realm);
-    if (domain == NULL) {
-        ipactx = ipadb_get_context(context);
-        if (!ipactx) {
-            return NULL;
-        }
-
-        kerr = ipadb_reinit_mspac(ipactx);
-        if (kerr != 0) {
-            return NULL;
-        }
+    ipactx = ipadb_get_context(context);
+    if (!ipactx) {
+        return NULL;
+    }
 
-        domain = get_domain_from_realm(context, realm);
+    kerr = ipadb_reinit_mspac(ipactx);
+    if (kerr != 0) {
+        return NULL;
     }
+    domain = get_domain_from_realm(context, realm);
 
     return domain;
 }
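Review bot: With the cached-lookup-first path removed, a failing ipadb_reinit_mspac() now makes this function return NULL even for a realm that was already loaded, so a transient LDAP error during the refresh breaks a lookup that the old code would still have served from the cached domain list. Whether anything is left to fall back on depends on where inside ipadb_reinit_mspac the failure happens, since the 1856 hunk shows it freeing the old structure with ipadb_mspac_struct_free before reloading; if the grace-period early return covers the common case, a fallback of `if (kerr != 0) { return get_domain_from_realm(context, realm); }` would at least keep serving a still-populated cache. The load on LDAP from calling the reinit on every lookup now rests entirely on that grace period inside ipadb_reinit_mspac, which this hunk does not show, so a comment above the call naming that dependency would help the next reader. The function's opening, including the declaration of ipactx, lies outside the hunk.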
@@ -1753,6 +1749,30 @@ krb5_error_code ipadb_mspac_fill_well_known_sids(struct ipadb_mspac *mspac)
     return 0;
 }
 
+krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
+{
+    char *attrs[] = { NULL };
+    char *filter = "(objectclass=ipaNTTrustedDomain)";
+    char *base = NULL;
+    LDAPMessage *result = NULL;
+    int ret;
+
+    ret = asprintf(&base, "cn=ad,cn=trusts,%s", ipactx->base);
+    if (ret == -1) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    /* Run a quick search if there is any trust defined */
+    ret = ipadb_simple_search(ipactx, base, LDAP_SCOPE_SUBTREE,
+                              filter, attrs, &result);
+
+done:
+    ldap_msgfree(result);
+    free(base);
+    return ret;
+}
+
 krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
 {
     struct ipadb_adtrusts *t;
@@ -1856,6 +1876,19 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
         return 0;
     }
 
+    if (ipactx->mspac && ipactx->mspac->num_trusts == 0) {
+        /* Check if there is any trust configured. If not, just return
+         * and do not re-initialize the MS-PAC structure. */
+        ret = ipadb_mspac_check_trusted_domains(ipactx);
+        if (ret == KRB5_KDB_NOENTRY) {
+            ret = 0;
+            goto done;
+        } else if (ret != 0) {
+            ret = EIO;
+            goto done;
+        }
+    }
+
     /* clean up in case we had old values around */
     ipadb_mspac_struct_free(&ipactx->mspac);
 
-- cgit
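Review bot: ipadb_mspac_check_trusted_domains is a new non-static function whose result is interpreted three ways by its caller in ipadb_reinit_mspac (0 means at least one trust exists, KRB5_KDB_NOENTRY means none, anything else is a failure), yet nothing above the definition states that contract; a header comment such as `/* Probe cn=ad,cn=trusts,<base> for ipaNTTrustedDomain entries. Returns 0 if at least one exists, ENOMEM if the search base cannot be built, otherwise the ipadb_simple_search error (KRB5_KDB_NOENTRY when none is found). */` would make the NOENTRY dependency explicit. The `attrs[] = { NULL }` list asks the server for every attribute of every matching trust entry, which is more than an existence probe needs; if ipadb_simple_search passes the list through to the LDAP search, `char *attrs[] = { LDAP_NO_ATTRS, NULL };` keeps the reply to DNs only. The NOENTRY meaning of the search result is inferred from the caller, not from anything in this hunk.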
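Review bot: `ret = EIO;` on the else-if branch overwrites whatever ipadb_simple_search reported, so an LDAP outage, a failed bind and a malformed search base all reach the caller and the KDC log as the same generic I/O error, which makes a trust-refresh failure hard to diagnose from the log alone. Unless a caller depends on EIO specifically, keeping the original code is simpler, `} else if (ret != 0) { goto done; }`, or the original value should be logged before it is replaced. Both `ret` and the `done:` label belong to parts of ipadb_reinit_mspac outside this hunk, so the cleanup that runs on that path is not visible here; the `return 0;` context at the top of the hunk is presumably the grace-period early exit the commit message refers to, but that is inferred rather than shown.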