Handle the removal of KRB5_KDB_FLAG_ALIAS_OK

In ac8865a22138ab0c657208c41be8fd6bc7968148 (between 1.17 and 1.18),
krb5 removed this flag, and always accepts aliases.

Related-to: https://pagure.io/freeipa/issue/7879
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

daemons/ipa-kdb/ipa_kdb_certauth.c

@@ -261,16 +261,18 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
                                               const krb5_db_entry *db_entry,
                                               char ***authinds_out)
 {
-    char *cert_filter = NULL;
+    char *cert_filter = NULL, **domains = NULL;
-    char **domains = NULL;
+    int ret, flags = 0;
-    int ret;
     size_t c;
-    char *principal = NULL;
+    char *principal = NULL, **auth_inds = NULL;
-    char **auth_inds = NULL;
     LDAPMessage *res = NULL;
     krb5_error_code kerr;
     LDAPMessage *lentry;
 
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
+    flags = KRB5_KDB_FLAG_ALIAS_OK;
+#endif
+
     if (moddata == NULL) {
         return KRB5_PLUGIN_NO_HANDLE;
     }
@@ -327,10 +329,8 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
         }
     }
 
-    kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx,
+    kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx, flags,
-                                                    KRB5_KDB_FLAG_ALIAS_OK,
+                                                    principal, cert_filter,
-                                                    principal,
-                                                    cert_filter,
                                                     &res);
     if (kerr != 0) {
         krb5_klog_syslog(LOG_ERR, "Search failed [%d]", kerr);
@@ -338,8 +338,7 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
         goto done;
     }
 
-    kerr = ipadb_find_principal(context, KRB5_KDB_FLAG_ALIAS_OK, res,
+    kerr = ipadb_find_principal(context, flags, res, &principal, &lentry);
-                                &principal, &lentry);
     if (kerr == KRB5_KDB_NOENTRY) {
         krb5_klog_syslog(LOG_INFO, "No matching entry found");
         ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;

daemons/ipa-kdb/ipa_kdb_kdcpolicy.c

@@ -22,9 +22,14 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
     enum ipadb_user_auth ua;
     struct ipadb_e_data *ied;
     struct ipadb_e_pol_limits *pol_limits = NULL;
-    int valid_auth_indicators = 0;
+    int valid_auth_indicators = 0, flags = 0;
     krb5_db_entry *client_actual = NULL;
 
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
+    flags = KRB5_KDB_FLAG_ALIAS_OK;
+#endif
+
+
     *status = NULL;
     *lifetime_out = 0;
     *renew_lifetime_out = 0;
@@ -33,8 +38,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
     if (ied == NULL || ied->magic != IPA_E_DATA_MAGIC) {
         /* e-data is not availble, getting user auth from LDAP */
         krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: client e_data not availble. Try fetching...");
-        kerr = ipadb_get_principal(context, request->client,
+        kerr = ipadb_get_principal(context, request->client, flags,
-                                   KRB5_KDB_FLAG_ALIAS_OK, &client_actual);
+                                   &client_actual);
         if (kerr != 0) {
             krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: ipadb_find_principal failed.");
             return kerr;

daemons/ipa-kdb/ipa_kdb_principals.c

@@ -964,8 +964,7 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
                                          LDAPMessage **result)
 {
     krb5_error_code kerr;
-    char *src_filter = NULL;
+    char *src_filter = NULL, *esc_original_princ = NULL;
-    char *esc_original_princ = NULL;
     int ret;
 
     if (!ipactx->lcontext) {
@@ -976,29 +975,34 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
         }
     }
 
-    /* escape filter but do not touch '*' as this function accepts
+    /* Escape filter but do not touch '*' as this function accepts
-     * wildcards in names */
+     * wildcards in names. */
     esc_original_princ = ipadb_filter_escape(principal, false);
     if (!esc_original_princ) {
         kerr = KRB5_KDB_INTERNAL_ERROR;
         goto done;
     }
 
-    if (filter == NULL) {
+    /* Starting in DAL 8.0, aliases are always okay. */
-        if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
-            ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
+    if (!(flags & KRB5_KDB_FLAG_ALIAS_OK)) {
-                           esc_original_princ, esc_original_princ);
+        if (filter == NULL) {
-        } else {
+            ret = asprintf(&src_filter, PRINC_SEARCH_FILTER,
-            ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
+                           esc_original_princ);
-        }
-    } else {
-        if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
-            ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
-                           esc_original_princ, esc_original_princ, filter);
         } else {
             ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
                            esc_original_princ, filter);
         }
+    } else
+#endif
+    {
+        if (filter == NULL) {
+            ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
+                           esc_original_princ, esc_original_princ);
+        } else {
+            ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
+                           esc_original_princ, esc_original_princ, filter);
+        }
     }
 
     if (ret == -1) {
@@ -1006,11 +1010,8 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
         goto done;
     }
 
-    kerr = ipadb_simple_search(ipactx,
+    kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE,
-                               ipactx->base, LDAP_SCOPE_SUBTREE,
+                               src_filter, std_principal_attrs, result);
-                               src_filter, std_principal_attrs,
-                               result);
-
 done:
     free(src_filter);
     free(esc_original_princ);
@@ -1054,6 +1055,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
         /* We need to check for a strict match as a '*' in the name may have
          * caused the ldap server to return multiple entries. */
         for (int i = 0; vals[i]; i++) {
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
             if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
                 found = strcmp(vals[i]->bv_val, *principal) == 0;
                 if (found)
@@ -1061,6 +1063,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
 
                 continue;
             }
+#endif
 
             /* The KDC will accept aliases when doing TGT lookup
              * (ref_tgt_again in do_tgs_req.c), so use case-insensitive
@@ -1094,6 +1097,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
         if (vals == NULL)
             break;
 
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
         /* If aliases aren't accepted by the KDC, use case-sensitive
          * comparison. */
         if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
@@ -1103,6 +1107,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
                 continue;
             }
         }
+#endif
 
         free(*principal);
         *principal = strdup(vals[0]->bv_val);
@@ -2601,7 +2606,9 @@ krb5_error_code ipadb_delete_principal(krb5_context kcontext,
         goto done;
     }
 
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
     flags = KRB5_KDB_FLAG_ALIAS_OK;
+#endif
     kerr = ipadb_find_principal(kcontext, flags, res, &canonicalized, &lentry);
     if (kerr != 0) {
         goto done;