ipa-kdb: reinitialize LDAP configuration for known realms

ipa-kdb did not reinitialize trusted domain configuration when it was loaded to ipa-kdb. However, admin then would have to restart krb5kdc if he wanted to apply the change to running krb5kdc service. Run ipadb_reinit_mspac unconditionally every time when trusted domain is loaded. Among the already configured 1 minute grace time, also add a quick check if there is at least one configured trusted domain before reinitializing the mspac structure. https://fedorahosted.org/freeipa/ticket/3289
2025-01-11 08:41:55 -06:00 · 2013-02-07 15:45:46 +01:00 · 2013-02-07 15:45:46 +01:00 · e08307d3fa
commit e08307d3fa
parent ce90a4538b
1 changed files with 46 additions and 13 deletions
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@ -1173,21 +1173,17 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context,
    struct ipadb_adtrusts *domain;
    krb5_error_code kerr;

-    domain = get_domain_from_realm(context, realm);
-    if (domain == NULL) {
-        ipactx = ipadb_get_context(context);
-        if (!ipactx) {
-            return NULL;
-        }
-
-        kerr = ipadb_reinit_mspac(ipactx);
-        if (kerr != 0) {
-            return NULL;
-        }
-
-        domain = get_domain_from_realm(context, realm);
+    ipactx = ipadb_get_context(context);
+    if (!ipactx) {
+        return NULL;
    }

+    kerr = ipadb_reinit_mspac(ipactx);
+    if (kerr != 0) {
+        return NULL;
+    }
+    domain = get_domain_from_realm(context, realm);
+
    return domain;
 }

@ -1753,6 +1749,30 @@ krb5_error_code ipadb_mspac_fill_well_known_sids(struct ipadb_mspac *mspac)
    return 0;
 }

+krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
+{
+    char *attrs[] = { NULL };
+    char *filter = "(objectclass=ipaNTTrustedDomain)";
+    char *base = NULL;
+    LDAPMessage *result = NULL;
+    int ret;
+
+    ret = asprintf(&base, "cn=ad,cn=trusts,%s", ipactx->base);
+    if (ret == -1) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    /* Run a quick search if there is any trust defined */
+    ret = ipadb_simple_search(ipactx, base, LDAP_SCOPE_SUBTREE,
+                              filter, attrs, &result);
+
+done:
+    ldap_msgfree(result);
+    free(base);
+    return ret;
+}
+
 krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
 {
    struct ipadb_adtrusts *t;
@ -1856,6 +1876,19 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
        return 0;
    }

+    if (ipactx->mspac && ipactx->mspac->num_trusts == 0) {
+        /* Check if there is any trust configured. If not, just return
+         * and do not re-initialize the MS-PAC structure. */
+        ret = ipadb_mspac_check_trusted_domains(ipactx);
+        if (ret == KRB5_KDB_NOENTRY) {
+            ret = 0;
+            goto done;
+        } else if (ret != 0) {
+            ret = EIO;
+            goto done;
+        }
+    }
+
    /* clean up in case we had old values around */
    ipadb_mspac_struct_free(&ipactx->mspac);