-rw-r--r--daemons/ipa-kdb/ipa_kdb_mspac.c16
-rw-r--r--install/share/60basev3.ldif2
2 files changed, 10 insertions, 8 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 8594309db..5d11f3c37 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2139,11 +2139,13 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
ks_client_princ = client->princ;
}
- /* We only need to check the server entry here, because even if the client
- * is a service with a valid authorization data it will result to NONE
- * because ipadb_get_pac() can only generate a pac for 'real' IPA users.
- * (I assume this will be the same for PAD.) */
- get_authz_data_types(context, server, &with_pac, &with_pad);
+ if (client_entry == NULL) client_entry = client;
+
+ if (is_as_req) {
+ get_authz_data_types(context, client_entry, &with_pac, &with_pad);
+ } else {
+ get_authz_data_types(context, server, &with_pac, &with_pad);
+ }
if (with_pad) {
krb5_klog_syslog(LOG_ERR, "PAD authorization data is requested but " \
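Review bot: The fallback `if (client_entry == NULL) client_entry = client;` turns `client_entry` into an alias of a caller-owned pointer, so the cleanup at `done:` has to tell the two apart by pointer comparison before calling ipadb_free_principal; that is fragile if any code between here and `done:` ever reassigns `client_entry`. An explicit ownership flag is more robust: `bool own_client_entry = (client_entry != NULL);` taken before the fallback, and `if (own_client_entry) ipadb_free_principal(context, client_entry);` at `done:`. If `client` can itself be NULL on this path (the KDB interface permits that for some TGS requests), the new `is_as_req` branch would hand a NULL entry to get_authz_data_types — only a concern if `is_as_req` can be true with a NULL client, which this hunk does not show. The single-statement `if` should also be braced to match the surrounding style. ipadb_sign_authdata starts before this hunk and continues after it.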
@@ -2185,7 +2187,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
/* check or generate pac data */
if ((pac_auth_data == NULL) || (pac_auth_data[0] == NULL)) {
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
- kerr = ipadb_get_pac(context, client_entry ? client_entry : client, &pac);
+ kerr = ipadb_get_pac(context, client_entry, &pac);
if (kerr != 0 && kerr != ENOENT) {
goto done;
}
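Review bot: The simplified call `ipadb_get_pac(context, client_entry, &pac)` is only safe because `client_entry` is assigned a fallback earlier in the function, outside this hunk; nothing at this site records that invariant. A one-line comment above the call would keep it from being reintroduced as a NULL dereference by a later refactor: `/* client_entry is non-NULL here: it falls back to client above */`. ipadb_sign_authdata continues on both sides of this hunk.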
@@ -2238,7 +2240,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
kerr = 0;
done:
- if (client_entry != NULL) {
+ if (client_entry != NULL && client_entry != client) {
ipadb_free_principal(context, client_entry);
}
krb5_pac_free(context, pac);
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index f04044cc4..5ebe335c3 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -76,7 +76,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn
objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
-objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid) MAY ( userClass $ ipaKrbAuthzData ) X-ORIGIN 'IPA v3' )
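Review bot: The rewritten ipaUser line drops the space in `MUST ( uid)`; every other objectClass in this file writes `( uid )`, and the whitespace change is unrelated to adding ipaKrbAuthzData. LDAP schema parsers accept both forms, but the inconsistency is noise in the diff and in later schema comparisons. Restore it: `MUST ( uid ) MAY ( userClass $ ipaKrbAuthzData )`.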
objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget $ ipaPermTargetTo $ ipaPermTargetFrom ) X-ORIGIN 'IPA v4.0' )
objectClasses: (2.16.840.1.113730.3.8.12.22 NAME 'ipaAllowedOperations' SUP top AUXILIARY DESC 'Class to apply access controls to arbitrary operations' MAY ( ipaAllowedToPerform $ ipaProtectedOperation ) X-ORIGIN 'IPA v4.0')
objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrapped public keys' SUP top AUXILIARY MUST ( ipaPublicKey ) X-ORIGIN 'IPA v4.1' )