author | Alexander Bokovoy <abokovoy@redhat.com> | 2014-02-25 17:50:55 +0200 |
committer | Petr Viktorin <pviktori@redhat.com> | 2014-02-26 14:19:48 +0100 |
commit | fb2eca8d1ef5244a6c9701f75cd684e07c2a9d57 (patch) | |
tree | 6d367cad6ae30995ca074b0918ece4b85827083c /daemons | |
parent | 090a9669d8457a47880554bfbd1d99d0584e24ff (diff) | |
ipa-kdb: in case of delegation use original client's database entry, not the proxy
https://fedorahosted.org/freeipa/ticket/4195
Reviewed-By: Tomáš Babej <tbabej@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Diffstat (limited to 'daemons')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_mspac.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index ff6739153..2a0480fff 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1983,12 +1983,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     bool with_pac;
     bool with_pad;
     int result;
+    krb5_db_entry *client_entry = NULL;
 
     /* When using s4u2proxy client_princ actually refers to the proxied user
      * while client->princ to the proxy service asking for the TGS on behalf
      * of the proxied user. So always use client_princ in preference */
     if (client_princ != NULL) {
         ks_client_princ = client_princ;
+        kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
     } else {
         ks_client_princ = client->princ;
     }
@@ -2025,7 +2027,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
         }
     }
 
-    kerr = ipadb_get_pac(context, client, &pac);
+    kerr = ipadb_get_pac(context, client_entry ? client_entry : client, &pac);
     if (kerr != 0 && kerr != ENOENT) {
         goto done;
     }
@@ -2041,7 +2043,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     /* check or generate pac data */
     if ((pac_auth_data == NULL) || (pac_auth_data[0] == NULL)) {
         if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
-            kerr = ipadb_get_pac(context, client, &pac);
+            kerr = ipadb_get_pac(context, client_entry ? client_entry : client, &pac);
             if (kerr != 0 && kerr != ENOENT) {
                 goto done;
             }
@@ -2094,6 +2096,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     kerr = 0;
 
 done:
+    if (client_entry != NULL) {
+        ipadb_free_principal(context, client_entry);
+    }
     krb5_pac_free(context, pac);
     return kerr;
 }
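Review bot: The return value of the new `ipadb_get_principal(context, client_princ, flags, &client_entry)` call in the first hunk is never inspected, so when the lookup of the proxied user fails, `client_entry` presumably stays NULL and the `client_entry ? client_entry : client` expressions in the next two hunks silently fall back to the proxy service's own entry, which is exactly the PAC-from-the-wrong-identity behaviour the commit sets out to remove; `kerr` is also overwritten by the later `ipadb_get_pac` call before anyone reads it. Either make the failure explicit, e.g. `if (kerr != 0) { goto done; }` right after the call, or if the fallback is intended for principals that legitimately have no local entry, restrict it to that case (a not-found code) and state it in a comment such as `/* No DB entry for the proxied user: fall back to the proxy's entry */`. The same lookup result is also consulted in the two `ipadb_get_pac` hunks, so a single `krb5_db_entry *pac_entry = client_entry ? client_entry : client;` would avoid repeating the choice. ipadb_sign_authdata begins before the first hunk and the code between the hunks is not visible here, so whether an intervening check on `kerr` exists cannot be confirmed from this page.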