From b927dc7c8d5d4f467749958d3e6330ff70fc3ea2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Apr 02 2019 21:06:48 +0000
Subject: ipa: ipa_getkeytab don't call libnss_sss


Resolves: https://pagure.io/SSSD/sssd/issue/3992

ipa-getkeytab is a help process which might even get called during
the startup of SSSD. Hence it should not try to use any SSSD responder
especially not the NSS responder.

Typically we call helpers with the environment of the calling SSSD
component where then _SSS_LOOPS environment variable is set to 'NO' to
skip calls to SSSD in libnss_sss. Since we have to set the KRB5CCNAME
environment variable to the ccache with the current TGT for the host
principal when calling ipa-getkeytab execle() is used to call
ipa_getkeytab which unfortunately replaces the environment of the caller
with the one provided in the last argument of the call. To make sure
ipa_getkeytab does not call back into SSSD we have to set _SSS_LOOPS=NO
here as well.

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
(cherry picked from commit d409c10d00101734d1af0c9e0256e607ee8b09c7)

---

diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index dd09336..1d480e5 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -481,7 +481,7 @@ static void ipa_getkeytab_exec(const char *ccache,
 {
     errno_t ret;
     int debug_fd;
-    const char *gkt_env[2] = { NULL, NULL };
+    const char *gkt_env[3] = { NULL, "_SSS_LOOPS=NO", NULL };
 
     if (debug_level >= SSSDBG_TRACE_LIBS) {
         debug_fd = get_fd_from_debug_file();