ipa-kdb: Rework ipadb_reinit_mspac()

Modify ipadb_reinit_mspac() to allocate and initialize ipactx->mspac only if all its attributes can be set. If not, ipactx->mspac is set to NULL. This makes easier to determine if the KDC is able to generate PACs or not. Also ipadb_reinit_mspac() is now able to return a status message explaining why initialization of the PAC generator failed. This message is printed in KDC logs. Fixes: https://pagure.io/freeipa/issue/9535 Signed-off-by: Julien Rische <jrische@redhat.com> Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
freeipa · Feb 16, 2024 · 8359293 · 8359293
1 parent e5bb0f3
commit 8359293
Show file tree

Hide file tree

Showing 7 changed files with 219 additions and 170 deletions.
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
@@ -449,6 +449,7 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
     struct timeval tv = { 5, 0 };
     LDAPMessage *res = NULL;
     LDAPMessage *first;
+    const char *stmsg;
     int ret;
     int v3;
 
@@ -528,16 +529,9 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
     }
 
     /* get adtrust options using default refresh interval */
-    ret = ipadb_reinit_mspac(ipactx, false);
-    if (ret && ret != ENOENT) {
-        /* TODO: log that there is an issue with adtrust settings */
-        if (ipactx->lcontext == NULL) {
-            /* for some reason ldap connection was reset in ipadb_reinit_mspac
-             * and is no longer established => failure of ipadb_get_connection
-             */
-            goto done;
-        }
-    }
+    ret = ipadb_reinit_mspac(ipactx, false, &stmsg);
+    if (ret && stmsg)
+        krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg);
 
     ret = 0;
 

diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
@@ -371,7 +371,9 @@ krb5_error_code ipadb_v9_issue_pac(krb5_context context, unsigned int flags,
                                    krb5_data ***auth_indicators);
 #endif
 
-krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit);
+krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx,
+                                   bool force_reinit,
+                                   const char **stmsg);
 
 void ipadb_mspac_struct_free(struct ipadb_mspac **mspac);
 krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,