IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Revert "MS-PAC: Special case NFS services"

Browse Source 
This reverts commit 5269458f55.

With the implementation of https://fedorahosted.org/freeipa/ticket/2960
a special hardcoded handling of NFS service tickets is not needed
anymore.
This commit is contained in:
Sumit Bose
2013-02-12 09:59:00 +01:00
committed by Martin Kosek
parent f6f8307be2
commit 15cc21cce9
1 changed files with 1 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
daemons/ipa-kdb/ipa_kdb_mspac.c
View File

@@ -743,24 +743,6 @@ static bool is_cross_realm_krbtgt(krb5_const_principal princ)
return true;
}
static bool is_service_of_type(krb5_const_principal princ, const char *type)
{
size_t len;
if (princ->length < 2) {
return false;
}
len = strlen(type);
if ((princ->data[0].length == len) ||
(strncasecmp(princ->data[0].data, type, len) == 0)) {
return true;
}
return false;
}
static char *gen_sid_string(TALLOC_CTX *memctx, struct dom_sid *dom_sid,
uint32_t rid)
{
@@ -1555,7 +1537,6 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
krb5_error_code kerr;
krb5_pac pac = NULL;
krb5_data pac_data;
bool is_nfs = false;
/* When using s4u2proxy client_princ actually refers to the proxied user
* while client->princ to the proxy service asking for the TGS on behalf
@@ -1566,32 +1547,17 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
ks_client_princ = client->princ;
}
/* NFS Server on Linux is limited and will choke on big tickets.
* So avoid attachnig the PAC to nfs/ tickets for now.
* FIXME: remove this when we have interface to support disabling
* PACs on arbitrary services */
if (is_service_of_type(ks_client_princ, "nfs") ||
is_service_of_type(server->princ, "nfs")) {
is_nfs = true;
}
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
if (is_nfs) {
*signed_auth_data = NULL;
kerr = 0;
goto done;
}
kerr = ipadb_get_pac(context, client, &pac);
if (kerr != 0 && kerr != ENOENT) {
goto done;
}
}
if (!is_as_req & !is_nfs) {
if (!is_as_req) {
/* find the existing PAC, if present */
kerr = krb5_find_authdata(context, tgt_auth_data, NULL,
KRB5_AUTHDATA_WIN2K_PAC, &pac_auth_data);