ipa-kdb: handle own enterprise principal lookup for S4U2Self

For an enterprise principal, unparse by omiting our local realm if it is there. Additionally, we need unescaped version of the name to be able to pass it for LDAP filter construction. Related: https://pagure.io/freeipa/issue/8319 Signed-off-by: Alexander Bokovoy <[email protected]>
f-trivino · May 19, 2020 · 73ab324 · 73ab324
1 parent 9a3c93b
commit 73ab324
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1283,7 +1283,16 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
         return KRB5_KDB_DBNOTINITED;
     }
 
-    kerr = krb5_unparse_name(kcontext, search_for, &principal);
+    /* For enterprise principal drop our own realm if that is there */
+    if (krb5_princ_type(kcontext, search_for) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+        kerr = krb5_unparse_name_flags(
+                kcontext, search_for,
+                KRB5_PRINCIPAL_UNPARSE_SHORT | KRB5_PRINCIPAL_UNPARSE_DISPLAY,
+                &principal);
+    } else {
+        kerr = krb5_unparse_name(kcontext, search_for, &principal);
+    }
+
     if (kerr != 0) {
         goto done;
     }