ipa-kdb: make sure we don't produce MS-PAC in case of authdata flag cleared by admin

When admin clears authdata flag for the service principal, KDC will pass
NULL client pointer (service proxy) to the DAL driver.

Make sure we bail out correctly.

Reviewed-By: Tomáš Babej <tbabej@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Alexander Bokovoy 2014-02-25 20:53:49 +02:00 committed by Petr Viktorin
parent fb2eca8d1e
commit f7955abdda

@ -1985,6 +1985,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
int result;
krb5_db_entry *client_entry = NULL;
/* When client is NULL, authdata flag on the service principal was cleared
* by an admin. We don't generate MS-PAC in this case */
if (client == NULL) {
*signed_auth_data = NULL;
return 0;
}
/* When using s4u2proxy client_princ actually refers to the proxied user
* while client->princ to the proxy service asking for the TGS on behalf
* of the proxied user. So always use client_princ in preference */
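Review bot: the `if (client == NULL)` early return reports success with `*signed_auth_data = NULL` and leaves no trace, so a ticket issued without MS-PAC looks the same whether an admin cleared the authdata flag or a caller passed a NULL `client` for some other reason. Consider logging a debug message before `return 0;` and saying in the comment that a NULL `client` is the only signal this function gets for the cleared-flag case, so that an unexpectedly missing PAC can be diagnosed. Placing the check ahead of the s4u2proxy comment is right, since the code that comment describes refers to `client->princ`.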