ipadb: reload trust information if domain is not known

Currently the data about trusted domains is read once at startup. If a new trust is added the KDC must be restarted to know about the new trust. This patch reloads the trust data if there is a request from an unknown domain. To make DOS attacks a bit harder the data can be updated only once in a minute. Fixes https://fedorahosted.org/freeipa/ticket/3156
2025-02-25 18:55:28 -06:00 · 2012-10-09 10:25:53 +02:00 · 2012-10-09 10:25:53 +02:00 · 70d7ec587a
commit 70d7ec587a
parent 12f4584f57
1 changed files with 39 additions and 1 deletions
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@ -40,6 +40,7 @@ struct ipadb_mspac {

    int num_trusts;
    struct ipadb_adtrusts *trusts;
+    time_t last_update;
 };


@ -1006,6 +1007,31 @@ static struct ipadb_adtrusts *get_domain_from_realm(krb5_context context,
    return NULL;
 }

+static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context,
+                                                           krb5_data realm)
+{
+    struct ipadb_context *ipactx;
+    struct ipadb_adtrusts *domain;
+    krb5_error_code kerr;
+
+    domain = get_domain_from_realm(context, realm);
+    if (domain == NULL) {
+        ipactx = ipadb_get_context(context);
+        if (!ipactx) {
+            return NULL;
+        }
+
+        kerr = ipadb_reinit_mspac(ipactx);
+        if (kerr != 0) {
+            return NULL;
+        }
+
+        domain = get_domain_from_realm(context, realm);
+    }
+
+    return domain;
+}
+
 static krb5_error_code filter_logon_info(krb5_context context,
                                         TALLOC_CTX *memctx,
                                         krb5_data realm,
@ -1020,7 +1046,7 @@ static krb5_error_code filter_logon_info(krb5_context context,
    struct ipadb_adtrusts *domain;
    char *domsid;

-    domain = get_domain_from_realm(context, realm);
+    domain = get_domain_from_realm_update(context, realm);
    if (!domain) {
        return EINVAL;
    }
@ -1550,6 +1576,16 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
    struct dom_sid gsid;
    char *resstr;
    int ret;
+    time_t now;
+
+    /* Do not update the mspac struct more than once a minute. This would
+     * avoid heavy load on the directory server if there are lots of requests
+     * from domains which we do not trust. */
+    now = time(NULL);
+    if (ipactx->mspac != NULL && now > ipactx->mspac->last_update &&
+        (now - ipactx->mspac->last_update) < 60) {
+        return 0;
+    }

    /* clean up in case we had old values around */
    ipadb_mspac_struct_free(&ipactx->mspac);
@ -1560,6 +1596,8 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
        goto done;
    }

+    ipactx->mspac->last_update = now;
+
    kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE,
                               "(objectclass=ipaNTDomainAttrs)", dom_attrs,
                                &result);