freeipa/daemons
Alexander Bokovoy b5876f30d4 ipa-kdb: refactor principal lookup to support S4U2Self correctly
Restructure logic of ipadb_get_principal() to separate retrieval of a
principal by a name and by an alias. Separate enterprise principal name
type processing into a helper function to be able to reuse it for own
aliases.

Unify code in client referrals part to do the same and use krb5 API to
deal with principals rather than parsing strings. The end result is the
same but we follow common rules in MIT Kerberos to process principals.

An enterprise principal is typically "name@SOMEREALM@REALM", but any
principal might be parsed as an enterprise principal, so we could get
"name@REALM" marked as such. When unparsing the enterprise principal,
re-parse it again with default realm values, to get our realm
normalization.

This behavior would fix situations when GSSAPI calls are operating on a
non-qualified principal name that was imported as a
GSS_KRB5_NT_ENTERPRISE_NAME when calling gss_import_name().

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
dnssec Fix various OpenDNSSEC 2.1 issues 2020-04-21 21:37:06 +02:00
ipa-kdb ipa-kdb: refactor principal lookup to support S4U2Self correctly 2020-05-27 17:57:39 +03:00
ipa-otpd Py3: Replace six.moves imports 2018-10-05 12:06:19 +02:00
ipa-sam Use /run and /run/lock instead of /var 2020-04-15 18:48:50 +02:00
ipa-slapi-plugins CVE-2020-1722: prevent use of too long passwords 2020-04-14 12:36:01 +03:00
ipa-version.h.in Build: move version handling from Makefile to configure 2016-11-09 13:08:32 +01:00
Makefile.am Build: properly integrate ipa-version.h.in into build system 2016-11-29 15:28:24 +01:00