[krb5/f18] proposed fix for always writing krbLastAdminUnlock
Nalin Dahyabhai
nalin at fedoraproject.org
Thu Dec 13 22:33:06 UTC 2012
commit eaaf670849c36e22a953d86765396c19f1ab58d2
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Thu Dec 13 17:32:01 2012 -0500
proposed fix for always writing krbLastAdminUnlock
- libkdb_ldap: add a workaround to keep the KDC from attempting to write to an
entry's krbLastAdminUnlock attribute on every AS request (#860759, RT#7502)
- correct dates on commits from earlier this week
krb5-kldap-lastadminunlock.patch | 27 +++++++++++++++++++++++++++
krb5.spec | 12 +++++++++---
2 files changed, 36 insertions(+), 3 deletions(-)
---
diff --git a/krb5-kldap-lastadminunlock.patch b/krb5-kldap-lastadminunlock.patch
new file mode 100644
index 0000000..4be9e32
--- /dev/null
+++ b/krb5-kldap-lastadminunlock.patch
@@ -0,0 +1,27 @@
+Submitted as RT#7502.
+
+Try to avoid writing krbLastAdminUnlock when we're just doing auditing
+in the KDC. Because we know that kdb5_ldap_put_principal() only writes
+the attribute when it's nonzero, we temporarily set the value to zero to
+make sure that it isn't written.
+
+--- src/plugins/kdb/ldap/libkdb_ldap/lockout.c
++++ src/plugins/kdb/ldap/libkdb_ldap/lockout.c
+@@ -217,8 +217,14 @@ krb5_ldap_lockout_audit(krb5_context context,
+ }
+
+ if (entry->mask) {
+- code = krb5_ldap_put_principal(context, entry, NULL);
+- if (code != 0)
++ /* temporarily clear the last-admin-unlock time so that we don't try
++ * to write to it -- we're just here to update audit data */
++ if ((code = krb5_dbe_lookup_last_admin_unlock(context, entry,
++ &unlock_time)) ||
++ (code = krb5_dbe_update_last_admin_unlock(context, entry, 0)) ||
++ (code = krb5_ldap_put_principal(context, entry, NULL)) ||
++ (code = krb5_dbe_update_last_admin_unlock(context, entry,
++ unlock_time)))
+ return code;
+ }
+
+
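Review bot: in the chained `||` condition, a failure in krb5_ldap_put_principal() returns before the final krb5_dbe_update_last_admin_unlock() call, so the caller's in-memory entry is left with its last-admin-unlock time cleared to zero instead of the saved `unlock_time`; restore the value on that path as well (for example, run the final update unconditionally and then return the saved `code`). The hunk also uses `unlock_time` without a visible declaration, and `@@ -217,8 +217,14 @@` covers only these lines, so confirm the variable is declared earlier in krb5_ldap_lockout_audit() or extend the patch to add it. The comment says the zeroed value keeps the attribute from being written, but that relies on krb5_ldap_put_principal() skipping a zero value, as the patch header notes; a short comment in lockout.c pointing at that dependency would help the next reader.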
diff --git a/krb5.spec b/krb5.spec
index d154f90..b37cc97 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -29,7 +29,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.10.3
-Release: 9%{?dist}
+Release: 10%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.3-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -86,6 +86,7 @@ Patch109: krb5-1.10.3-as_rep_skew.patch
Patch110: krb5-1.10.3-keytab-etype-corners-prep.patch
Patch111: krb5-1.10.3-keytab-etype-corners.patch
Patch112: krb5-1.10.3-timeout_over.patch
+Patch113: krb5-kldap-lastadminunlock.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
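Review bot: the new Patch113 file name lacks the `krb5-1.10.3-` prefix that Patch109 through Patch112 carry, so it will not sort or grep alongside the other version-specific patches; consider renaming it `krb5-1.10.3-kldap-lastadminunlock.patch` (and the matching `%patch113` backup suffix) for consistency.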
@@ -284,6 +285,7 @@ ln -s NOTICE LICENSE
%patch110 -p1 -b .keytab-etype-corners-prep
%patch111 -p1 -b .keytab-etype-corners
%patch112 -p1 -b .timeout_over
+%patch113 -p1 -b .kldap-lastadminunlock
rm src/lib/krb5/krb/deltat.c
gzip doc/*.ps
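Review bot: `%patch113 -p1` strips one path component, and the new patch's headers are `--- src/plugins/kdb/ldap/libkdb_ldap/lockout.c` with no leading `a/`/`b/` directory, so the stripped target becomes `plugins/kdb/ldap/...`; since %prep runs from the top of the unpacked tree (the following `rm src/lib/krb5/krb/deltat.c` relies on `src/` being present), verify that the patch actually applies in a scratch build, or add a leading directory component to the patch headers to match the `-p1` the other patches use.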
@@ -850,11 +852,15 @@ exit 0
%{_sbindir}/uuserver
%changelog
-* Tue Dec 13 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10.3-9
+* Thu Dec 13 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10.3-10
+- libkdb_ldap: add a workaround to keep the KDC from attempting to write to an
+ entry's krbLastAdminUnlock attribute on every AS request (#860759, RT#7502)
+
+* Tue Dec 11 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10.3-9
- when building with our bundled copy of libverto, package it in with -libs
rather than with -server (#886049)
-* Mon Dec 12 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10.3-8
+* Mon Dec 10 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10.3-8
- untag a couple of other patches which don't strictly need to apply during
%%{?_rawbuild} builds (more of #874177)