URL: https://github.com/freeipa/freeipa/pull/5889
Author: rcritten
Title: #5889: Fall back to krbprincipalname when validating host auth indicators
Action: opened

PR body:
"""
When adding a new host the principal cannot be determined because it
relies on either:

a) an entry to already exist
b) krbprincipalname be a component of the dn

As a result the full dn is being passed into ipapython.Kerberos
which can't parse it.

Look into the entry in validate_validate_auth_indicator() for
krbprincipalname in this case.

https://pagure.io/freeipa/issue/8206

Signed-off-by: Rob Crittenden <[email protected]>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5889/head:pr5889
git checkout pr5889
From 27dbb78c8f37d5f6069cca328a9fd708ec0ff5d8 Mon Sep 17 00:00:00 2001 From: Rob Crittenden <[email protected]> Date: Mon, 12 Jul 2021 11:02:10 -0400 Subject: [PATCH] Fall back to krbprincipalname when validating host auth indicators When adding a new host the principal cannot be determined because it relies on either: a) an entry to already exist b) krbprincipalname be a component of the dn As a result the full dn is being passed into ipapython.Kerberos which can't parse it. Look into the entry in validate_validate_auth_indicator() for krbprincipalname in this case. https://pagure.io/freeipa/issue/8206 Signed-off-by: Rob Crittenden <[email protected]> --- ipaserver/plugins/service.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py index cfbbff3c69c..498f5e44436 100644 --- a/ipaserver/plugins/service.py +++ b/ipaserver/plugins/service.py @@ -209,6 +209,11 @@ def validate_auth_indicator(entry): # and shouldn't be allowed to have auth indicators. # https://pagure.io/freeipa/issue/8206 pkey = api.Object['service'].get_primary_key_from_dn(entry.dn) + if pkey == str(entry.dn): + # krbcanonicalname may not be set yet if this is a host entry, + # try krbprincipalname + if 'krbprincipalname' in entry: + pkey = entry['krbprincipalname'] principal = kerberos.Principal(pkey) server = api.Command.server_find(principal.hostname)['result'] if server:
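Review bot: In the added block in validate_auth_indicator(), when pkey == str(entry.dn) and 'krbprincipalname' is not in the entry, pkey is left as the full DN and still reaches kerberos.Principal(pkey), which is the unparseable input the commit message describes. Consider handling that branch explicitly, for example by returning early or raising a validation error, so the fallback cannot fail silently into the old behaviour. The fallback also assigns entry['krbprincipalname'] as-is; if that lookup can yield a list of values rather than a single string, pick one value before constructing the Principal. Two smaller points: the commit message names validate_validate_auth_indicator() while the hunk header shows validate_auth_indicator(), and the five added lines come with no test covering host-add with an auth indicator.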
