
Commit eb34d57

krb5_child: fix enterprise principal parsing in keep-alive sessions
When keep-alive sessions transition between command types (e.g., from SSS_PAM_PREAUTH to SSS_PAM_AUTHENTICATE), enterprise principal settings were not being updated, causing parsing inconsistencies in complex AD environments. This change ensures that when the backend sends updated enterprise principal settings for different command types, the principals are correctly re-parsed with the appropriate flags, fixing UPN handling in multi-domain AD environments. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com> Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit dd3cd95)
1 parent 34092f4 commit eb34d57


1 file changed

+42
-9
lines changed


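--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -144,6 +144,7 @@ static errno_t k5c_attach_passkey_msg(struct krb5_req *kr, struct sss_passkey_ch
 static errno_t k5c_attach_keep_alive_msg(struct krb5_req *kr);
 static errno_t k5c_recv_data(struct krb5_req *kr, int fd, uint32_t *offline);
 static errno_t k5c_send_data(struct krb5_req *kr, int fd, errno_t error);
+static int k5c_setup(struct krb5_req *kr, uint32_t offline);
 
 static errno_t k5c_become_user(uid_t uid, gid_t gid, bool is_posix)
 {
@@ -882,6 +883,12 @@ static errno_t krb5_req_update(struct krb5_req *dest, struct krb5_req *src)
     talloc_free(dest->pd);
     dest->pd = talloc_steal(dest, src->pd);
 
+    /* Update settings that may change between commands */
+    dest->use_enterprise_princ = src->use_enterprise_princ;
+    dest->validate = src->validate;
+    dest->posix_domain = src->posix_domain;
+    dest->send_pac = src->send_pac;
+
     return EOK;
 }
 
@@ -949,6 +956,13 @@ static krb5_error_code k5c_send_and_recv(struct krb5_req *kr)
         goto done;
     }
 
+    ret = k5c_setup(kr, offline);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "k5c_setup failed during keep-alive [%d]: %s\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
 done:
     talloc_free(tmpkr);
     return ret;
@@ -4037,6 +4051,7 @@ static int k5c_ccache_check(struct krb5_req *kr, uint32_t offline)
 
 static int k5c_setup(struct krb5_req *kr, uint32_t offline)
 {
+    krb5_principal princ;
     krb5_error_code kerr;
     int parse_flags;
 
@@ -4064,28 +4079,46 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
     }
 
     parse_flags = kr->use_enterprise_princ ? KRB5_PRINCIPAL_PARSE_ENTERPRISE : 0;
-    kerr = sss_krb5_parse_name_flags(kr->ctx, kr->upn, parse_flags, &kr->princ);
+    kerr = sss_krb5_parse_name_flags(kr->ctx, kr->upn, parse_flags, &princ);
     if (kerr != 0) {
         KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
         return kerr;
     }
+    if (kr->princ == NULL || !krb5_principal_compare(kr->ctx, kr->princ, princ)) {
+        DEBUG(SSSDBG_TRACE_FUNC, "Updating principal\n");
+        if (kr->princ != NULL) {
+            krb5_free_principal(kr->ctx, kr->princ);
+        }
+        kr->princ = princ;
+    } else {
+        DEBUG(SSSDBG_TRACE_FUNC, "Principal unchanged, keeping existing\n");
+        krb5_free_principal(kr->ctx, princ);
+    }
 
-    kerr = krb5_parse_name(kr->ctx, kr->upn, &kr->princ_orig);
-    if (kerr != 0) {
-        KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
-        return kerr;
+    if (kr->princ_orig == NULL) {
+        kerr = krb5_parse_name(kr->ctx, kr->upn, &kr->princ_orig);
+        if (kerr != 0) {
+            KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+            return kerr;
+        }
     }
 
+    sss_krb5_free_unparsed_name(kr->ctx, kr->name);
+    kr->name = NULL;
     kerr = krb5_unparse_name(kr->ctx, kr->princ, &kr->name);
     if (kerr != 0) {
         KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
         return kerr;
     }
 
-    kr->creds = calloc(1, sizeof(krb5_creds));
-    if (kr->creds == NULL) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "calloc failed.\n");
-        return ENOMEM;
+    if (kr->creds != NULL) {
+        krb5_free_cred_contents(kr->ctx, kr->creds);
+    } else {
+        kr->creds = calloc(1, sizeof(krb5_creds));
+        if (kr->creds == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "calloc failed.\n");
+            return ENOMEM;
+        }
     }
 
 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER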
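Review bot: The `if (kr->princ_orig == NULL)` guard in k5c_setup keeps the principal parsed during the first keep-alive command even when the branch just above it has replaced kr->princ, so if kr->upn can differ between the commands of one session (krb5_req_update now copies pd and the four flags, but how upn is derived from pd is outside these hunks) princ_orig and princ would end up naming different identities. If upn is invariant within a session, a comment such as `/* upn does not change within a keep-alive session, so princ_orig is parsed only once */` above that guard would record the assumption; if it is not, resetting princ_orig inside the "Updating principal" branch lets the existing guard re-parse it from the same UPN as princ. The first pass through the new `sss_krb5_free_unparsed_name(kr->ctx, kr->name)` runs with kr->name still NULL, which is only correct if that wrapper tolerates a NULL argument — worth confirming rather than assuming. k5c_setup starts before this hunk and continues past it.
```c
    if (kr->princ == NULL || !krb5_principal_compare(kr->ctx, kr->princ, princ)) {
        DEBUG(SSSDBG_TRACE_FUNC, "Updating principal\n");
        if (kr->princ != NULL) {
            krb5_free_principal(kr->ctx, kr->princ);
        }
        kr->princ = princ;
        /* princ_orig must describe the same UPN as princ; drop it so the
         * guard below re-parses it from the current kr->upn */
        if (kr->princ_orig != NULL) {
            krb5_free_principal(kr->ctx, kr->princ_orig);
            kr->princ_orig = NULL;
        }
    } else {
        /* … unchanged: "Principal unchanged" branch … */
    }
    /* … unchanged: princ_orig guard, name unparse, creds handling … */
```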
