ipa-kdb: make sure we don't produce MS-PAC in case of authdata flag cleared by admin
When admin clears authdata flag for the service principal, KDC will pass NULL client pointer (service proxy) to the DAL driver. Make sure we bail out correctly. Reviewed-By: Tomáš Babej <tbabej@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
parent
fb2eca8d1e
commit
f7955abdda
@ -1985,6 +1985,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
|
||||
int result;
|
||||
krb5_db_entry *client_entry = NULL;
|
||||
|
||||
|
||||
/* When client is NULL, authdata flag on the service principal was cleared
|
||||
* by an admin. We don't generate MS-PAC in this case */
|
||||
if (client == NULL) {
|
||||
*signed_auth_data = NULL;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* When using s4u2proxy client_princ actually refers to the proxied user
|
||||
* while client->princ to the proxy service asking for the TGS on behalf
|
||||
* of the proxied user. So always use client_princ in preference */
|
||||
|
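Review bot: The early return at `if (client == NULL)` infers the "authdata flag cleared" policy from a NULL pointer instead of from the flag, and it sits ahead of the `client_princ` preference described in the comment that follows. Any other call path that leaves `client` NULL would therefore also yield a ticket without an MS-PAC, returning success with nothing to show why. The function body continues outside the hunk, so whether such a path exists cannot be confirmed from here. I would state the assumption in the comment, for example `/* The KDC passes client == NULL only when the service's authdata flag is cleared; returning success with no authdata is intentional */`. A debug-level log line in this branch would also let an operator tell a deliberately PAC-less ticket from an unexpected NULL client.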