kdb: check for local realm in enterprise principals

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-07-06 17:29:37 +02:00 · 2016-07-06 17:29:37 +02:00 · 6d6da6b281
commit 6d6da6b281
parent c1d8629b74
1 changed files with 40 additions and 12 deletions
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@ -1198,30 +1198,58 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
            /* skip '@' and use part after '@' as an enterprise realm for comparison */
            realm++;

-            kerr = ipadb_is_princ_from_trusted_realm(kcontext,
-                                                     realm,
-                                                     upn->length - (realm - upn->data),
-                                                     &trusted_realm);
-            if (kerr == 0) {
-                kentry = calloc(1, sizeof(krb5_db_entry));
-                if (!kentry) {
+            /* check for our realm */
+            if (strncasecmp(ipactx->realm, realm,
+                            upn->length - (realm - upn->data)) == 0) {
+                /* it looks like it is ok to use malloc'ed strings as principal */
+                krb5_free_unparsed_name(kcontext, principal);
+                principal = strndup((const char *) upn->data, upn->length);
+                if (principal == NULL) {
                    kerr = ENOMEM;
                    goto done;
                }
-                kerr = krb5_parse_name(kcontext, principal,
-                                       &kentry->princ);
+
+                ldap_msgfree(res);
+                res = NULL;
+                kerr = ipadb_fetch_principals(ipactx, flags, principal, &res);
                if (kerr != 0) {
                    goto done;
                }

-                kerr = krb5_set_principal_realm(kcontext, kentry->princ, trusted_realm);
+                kerr = ipadb_find_principal(kcontext, flags, res, &principal,
+                                            &lentry);
                if (kerr != 0) {
                    goto done;
                }
-                *entry = kentry;
+            } else {
+
+                kerr = ipadb_is_princ_from_trusted_realm(kcontext,
+                                                         realm,
+                                                         upn->length - (realm - upn->data),
+                                                         &trusted_realm);
+                if (kerr == 0) {
+                    kentry = calloc(1, sizeof(krb5_db_entry));
+                    if (!kentry) {
+                        kerr = ENOMEM;
+                        goto done;
+                    }
+                    kerr = krb5_parse_name(kcontext, principal,
+                                           &kentry->princ);
+                    if (kerr != 0) {
+                        goto done;
+                    }
+
+                    kerr = krb5_set_principal_realm(kcontext, kentry->princ, trusted_realm);
+                    if (kerr != 0) {
+                        goto done;
+                    }
+                    *entry = kentry;
+                }
+                goto done;
            }
+        } else {
+            goto done;
        }
-        goto done;
    }

    kerr = ipadb_parse_ldap_entry(kcontext, principal, lentry, entry, &pol);