#6099 Validation of kerberos enterprise principal alias fails if the trusted domain entry doesn't have ipantadditionalsuffixes attribute
Closed: Fixed None Opened 7 years ago by mkubik.

Steps to reproduce:

  1. Create trust to AD domain (or mock the appropriate LDAP entries) ad.domain.net
  2. Create a user upn_user
  3. Add an alias upn_user\@ad.domain.net@REALM.COM
  4. The alias should be rejected as it overlaps with the trusted domain's UPN

If the trusted domain doesn't have any additional suffixes set, the UPN validation fails.

[Wed Jul 20 14:02:13.564686 2016] [wsgi:error] [pid 840] ipa: ERROR: non-public: KeyError: 'ipantadditionalsuffixes'
[Wed Jul 20 14:02:13.564701 2016] [wsgi:error] [pid 840] Traceback (most recent call last):
[Wed Jul 20 14:02:13.564702 2016] [wsgi:error] [pid 840]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 352, in wsgi_execute
[Wed Jul 20 14:02:13.564704 2016] [wsgi:error] [pid 840]     result = self.Command[name](*args, **options)
[Wed Jul 20 14:02:13.564705 2016] [wsgi:error] [pid 840]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Wed Jul 20 14:02:13.564706 2016] [wsgi:error] [pid 840]     return self.__do_call(*args, **options)
[Wed Jul 20 14:02:13.564707 2016] [wsgi:error] [pid 840]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Wed Jul 20 14:02:13.564708 2016] [wsgi:error] [pid 840]     ret = self.run(*args, **options)
[Wed Jul 20 14:02:13.564708 2016] [wsgi:error] [pid 840]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Wed Jul 20 14:02:13.564709 2016] [wsgi:error] [pid 840]     return self.execute(*args, **options)
[Wed Jul 20 14:02:13.564710 2016] [wsgi:error] [pid 840]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 2330, in execute
[Wed Jul 20 14:02:13.564711 2016] [wsgi:error] [pid 840]     *keys, **options)
[Wed Jul 20 14:02:13.564712 2016] [wsgi:error] [pid 840]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseuser.py", line 642, in pre_callback
[Wed Jul 20 14:02:13.564714 2016] [wsgi:error] [pid 840]     check_principal_realm_in_trust_namespace(self.api, *keys)
[Wed Jul 20 14:02:13.564715 2016] [wsgi:error] [pid 840]   File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 972, in check_principal_realm_in_trust_namespace
[Wed Jul 20 14:02:13.564716 2016] [wsgi:error] [pid 840]     set(upn.lower() for upn in obj['ipantadditionalsuffixes']))
[Wed Jul 20 14:02:13.564717 2016] [wsgi:error] [pid 840] KeyError: 'ipantadditionalsuffixes'
[Wed Jul 20 14:02:13.564949 2016] [wsgi:error] [pid 840] ipa: INFO: [jsonserver_kerb] admin@TEST.EXAMPLE.COM: user_add_principal/1(u'krbalias_user', (u'krbalias_user\\\\@domain2@TEST.EXAMPLE.COM',), version=u'2.210'): KeyError

master:

  • da2305d harden the check for trust namespace overlap in new principals

Metadata Update from @mkubik:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.4.1

6 years ago
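
A simplified model of the overlap check, added here as an illustration and not taken from FreeIPA's code: it contrasts the direct `obj['ipantadditionalsuffixes']` lookup seen in the traceback with a lookup that tolerates a missing attribute. The entry layout (domain name under `cn`), the function names and the sample data are assumptions constructed for this example.

```python
import re

# Enterprise alias form used in the ticket: user\@upn.suffix@REALM
_ENTERPRISE = re.compile(r'[^@\\]+\\@(?P<suffix>[^@\\]+)@[^@\\]+')

def upn_suffix(alias):
    """Return the lower-cased UPN suffix of an enterprise alias, or None."""
    m = _ENTERPRISE.fullmatch(alias)
    return m.group('suffix').lower() if m else None

def namespace_fragile(trusts):
    """Mirrors the failing pattern: assumes every entry has the attribute."""
    ns = set()
    for entry in trusts:
        ns.update(d.lower() for d in entry['cn'])
        # Raises KeyError when the trusted domain has no additional suffixes.
        ns.update(s.lower() for s in entry['ipantadditionalsuffixes'])
    return ns

def namespace_hardened(trusts):
    """Treats an absent multi-valued attribute as an empty list."""
    ns = set()
    for entry in trusts:
        ns.update(d.lower() for d in entry.get('cn', []))
        ns.update(s.lower() for s in entry.get('ipantadditionalsuffixes', []))
    return ns

def alias_overlaps_trust(alias, trusts, build=namespace_hardened):
    """True when the alias's UPN suffix falls inside a trusted namespace."""
    suffix = upn_suffix(alias)
    return suffix is not None and suffix in build(trusts)

# Constructed sample entries (hypothetical shape: attribute -> list of values).
TRUST_NO_SUFFIXES = [{'cn': ['ad.domain.net']}]
TRUST_WITH_SUFFIXES = [{'cn': ['ad.domain.net'],
                        'ipantadditionalsuffixes': ['Corp.Example']}]

if __name__ == '__main__':
    alias = r'upn_user\@ad.domain.net@REALM.COM'
    print(alias_overlaps_trust(alias, TRUST_NO_SUFFIXES))
    try:
        alias_overlaps_trust(alias, TRUST_NO_SUFFIXES, build=namespace_fragile)
    except KeyError as exc:
        print('fragile check raised KeyError:', exc)
```
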
