URL: https://github.com/SSSD/sssd/pull/5732 Author: sumit-bose Title: #5732: AD: do not override LDAP data during GC lookups - 1.16 Action: opened
PR body: """ The Global Catalog contains user and group information of the whole forest and hence any Global Catalog server can be used. Currently when a Global Catalog server is looked up the data of the LDAP server is overwritten as well. I guess the original intention was to use a single server for both services. However since the Global Catalog server can come from any domain in the forest this might overwrite the LDAP data of a DC from the local domain with the data from a AD of a remote domain and as a result lookups for users and groups from the local domain might fail since the remote DC does not has this information available at the LDAP port. In most cases this overwrite is hidden by a following lookup to find a KDC for authentication which is searched only in the local domain again where the LDAP data is overwritten again to make sure the same DC is used for LDAP and Kerberos communication. But depending on the connection timeouts and lifetime of Kerberos tickets the KDC lookup might be skipped because new credentials are not needed and as a result the wrong LDAP data is used. To avoid this the LDAP data is now only set if the current lookup is not a Global Catalog lookup. Resolves: https://github.com/SSSD/sssd/issues/5351 Reviewed-by: Pavel Březina <pbrez...@redhat.com> (cherry picked from commit 5f3b9e1d45df77bca1b2665e67bbd73b26fafbc2) """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5732/head:pr5732 git checkout pr5732
From 0642978b0df9e9e4ff02a73e8df21b3caefd334c Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Fri, 19 Jun 2020 13:36:49 +0200 Subject: [PATCH] AD: do not override LDAP data during GC lookups MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Global Catalog contains user and group information of the whole forest and hence any Global Catalog server can be used. Currently when a Global Catalog server is looked up the data of the LDAP server is overwritten as well. I guess the original intention was to use a single server for both services. However since the Global Catalog server can come from any domain in the forest this might overwrite the LDAP data of a DC from the local domain with the data from a AD of a remote domain and as a result lookups for users and groups from the local domain might fail since the remote DC does not has this information available at the LDAP port. In most cases this overwrite is hidden by a following lookup to find a KDC for authentication which is searched only in the local domain again where the LDAP data is overwritten again to make sure the same DC is used for LDAP and Kerberos communication. But depending on the connection timeouts and lifetime of Kerberos tickets the KDC lookup might be skipped because new credentials are not needed and as a result the wrong LDAP data is used. To avoid this the LDAP data is now only set if the current lookup is not a Global Catalog lookup. Resolves: https://github.com/SSSD/sssd/issues/5351 Reviewed-by: Pavel Březina <pbrez...@redhat.com> (cherry picked from commit 5f3b9e1d45df77bca1b2665e67bbd73b26fafbc2) --- src/providers/ad/ad_common.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c index 4e51d08e67..c99c4d1100 100644 --- a/src/providers/ad/ad_common.c +++ b/src/providers/ad/ad_common.c @@ -942,10 +942,14 @@ ad_resolve_callback(void *private_data, struct fo_server *server) } /* free old one and replace with new one */ - talloc_zfree(service->sdap->uri); - service->sdap->uri = new_uri; - talloc_zfree(service->sdap->sockaddr); - service->sdap->sockaddr = talloc_steal(service->sdap, sockaddr); + if (sdata == NULL || !sdata->gc) { + /* do not update LDAP data during GC lookups because the selected server + * might be from a different domain. */ + talloc_zfree(service->sdap->uri); + service->sdap->uri = new_uri; + talloc_zfree(service->sdap->sockaddr); + service->sdap->sockaddr = talloc_steal(service->sdap, sockaddr); + } talloc_zfree(service->gc->uri); talloc_zfree(service->gc->sockaddr);
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
