Allow the realm to be included in the name passed to add_service_principal()

This is more kerberos-like and it doesn't hurt anything, we just won't allow realms other than our own to be used. 437566
2025-01-12 09:11:55 -06:00 · 2008-03-17 14:09:44 -04:00 · 2008-03-17 14:09:44 -04:00 · e54a16ae1c
commit e54a16ae1c
parent c3fedca013
2 changed files with 11 additions and 3 deletions
--- a/ipa-python/ipaerror.py
+++ b/ipa-python/ipaerror.py
@ -158,6 +158,11 @@ INPUT_MALFORMED_SERVICE_PRINCIPAL = gen_error_code(
        0x0005,
        "The requested service principal is not of the form: service/fully-qualified host name")

+INPUT_REALM_MISMATCH = gen_error_code(
+        INPUT_CATEGORY,
+        0x0006,
+        "The realm for the principal does not match the realm for this IPA server.")
+
 #
 # Connection errors
 #
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@ -1820,9 +1820,12 @@ class IPAServer:

        # Don't let the user set the realm
        if name.find('@') > 0:
-            raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)
-
-        princ_name = name + "@" + self.realm
+            r = name[name.find('@')+1:]
+            if (r != self.realm):
+                raise ipaerror.gen_exception(ipaerror.INPUT_REALM_MISMATCH)
+            princ_name = name
+        else:
+            princ_name = name + "@" + self.realm
        
        conn = self.getConnection(opts)
        if not self.__is_service_unique(name, opts):