IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
8d634d8abf
freeipa/daemons/ipa-kdb
History
Alexander Bokovoy 0c32ebf858 ipa-kdb: PAC consistency checker needs to handle child domains as well 
When PAC check is performed, we might get a signing TGT instead of the
client DB entry. This means it is a principal from a trusted domain but
we don't know which one exactly because we only have a krbtgt for the
forest root. This happens in MIT Kerberos 1.20 or later where KDB's
issue_pac() callback never gets the original client principal directly.

Look into known child domains as well and make pass the check if both
NetBIOS name and SID correspond to one of the trusted domains under this
forest root. Move check for the SID before NetBIOS name check because we
can use SID of the domain in PAC to find out the right child domain in
our trusted domains' topology list.

Fixes: https://pagure.io/freeipa/issue/9316

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-02-09 14:29:38 -05:00
..
tests ipa-kdb: add krb5 1.20 support 2022-11-02 11:03:04 +02:00
ipa_kdb_audit_as.c ipa-kdb: fix compiler warnings 2021-03-01 10:44:25 -05:00
ipa_kdb_certauth.c ipa-kdb: do not fail if certmap rule cannot be added 2022-10-07 17:02:43 +02:00
ipa_kdb_common.c ipa-kdb: handle dates up to 2106-02-07 06:28:16 2020-12-18 20:38:40 +02:00
ipa_kdb_delegation.c ipa-kdb: for delegation check, use different error codes before and after krb5 1.20 2022-11-14 10:12:42 -05:00
ipa_kdb_kdcpolicy.c ipa-kdb: avoid additional checks for a well-known anonymous principal 2022-05-30 12:12:44 +03:00
ipa_kdb_mkey.c ipa-kdb: Get/Store Master Key directly from LDAP 2011-08-26 08:24:49 -04:00
ipa_kdb_mspac_private.h ipa-kdb: add krb5 1.20 support 2022-11-02 11:03:04 +02:00
ipa_kdb_mspac_v6.c ipa-kdb: refactor MS-PAC processing to prepare for krb5 1.20 2022-11-02 11:03:04 +02:00
ipa_kdb_mspac_v9.c ipa-kdb: add krb5 1.20 support 2022-11-02 11:03:04 +02:00
ipa_kdb_mspac.c ipa-kdb: PAC consistency checker needs to handle child domains as well 2023-02-09 14:29:38 -05:00
ipa_kdb_passwords.c Add missing break statement to password quality switch 2021-01-15 10:01:28 +01:00
ipa_kdb_principals.c ipa-kdb: add krb5 1.20 support 2022-11-02 11:03:04 +02:00
ipa_kdb_pwdpolicy.c ipa-kdb: fix compiler warnings 2021-03-01 10:44:25 -05:00
ipa_kdb.c ipa-kdb: add krb5 1.20 support 2022-11-02 11:03:04 +02:00
ipa_kdb.exports Add a skeleton kdcpolicy plugin 2019-09-10 12:33:21 +03:00
ipa_kdb.h ipa-kdb: add krb5 1.20 support 2022-11-02 11:03:04 +02:00
ipa-print-pac.c Fix use of comparison functions to avoid GCC bug 95189 2021-11-23 10:31:34 +01:00
Makefile.am ipa-kdb: fix make check 2022-03-29 14:01:29 -04:00
README Make the coding style explicit 2020-01-15 10:00:08 +01:00
README.s4u2proxy.txt Fix s4u2proxy README and add warning 2015-06-08 14:37:29 -04:00

README 

This is the ipa krb5kdc database backend.

As the KDB interfaces heavily with krb5, we inherit its code style as well.
However, note the following changes:

- no modelines (and different file preamble)
- return types don't require their own line
- single-statement blocks may optionally be braced
- /* and */ do not ever get their own line
- C99 for-loops are permitted (and encouraged)
- a restricted set of other C99 features are permitted

In particular, variable-length arrays, flexible array members, compound
literals, universal character names, and //-style comments are not permitted.

Use of regular malloc/free is preferred over talloc for new code.

By and large, existing code mostly conforms to these requirements.  New code
must conform to them.