From ff13573ce50814b7eb87a45b641be05df8a1631e Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 9 Sep 2020 21:48:29 -0500
Subject: [PATCH] hdb: Do not apply new service key delay to clients

The new [hdb] new_service_key_delay parameter should not apply to principal entries when used as clients. Otherwise new passwords would not take effect immediately, and that would be very confusing.
---
 kdc/fast.c | 3 ++-
 kdc/kerberos5.c | 3 ++-
 kdc/krb5tgs.c | 3 ++-
 lib/hdb/common.c | 7 ++++---
 lib/hdb/hdb.h | 1 +
 lib/kadm5/get_s.c | 8 ++++----
 6 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/kdc/fast.c b/kdc/fast.c
index 293e10c6b..4ab078307 100644
--- a/kdc/fast.c
+++ b/kdc/fast.c
@@ -429,7 +429,8 @@ _kdc_fast_unwrap_request(astgs_request_t r)
     }
 
     ret = _kdc_db_fetch(r->context, r->config, armor_server,
-                        HDB_F_GET_SERVER, NULL, NULL, &armor_user);
+                        HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS,
+                        NULL, NULL, &armor_user);
     if(ret == HDB_ERR_NOT_FOUND_HERE) {
         kdc_log(r->context, r->config, 5,
                 "armor key does not have secrets at this KDC, "
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index e03c6a69b..aa6f5aeaa 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1945,7 +1945,8 @@ _kdc_as_rep(astgs_request_t r)
         goto out;
     }
     ret = _kdc_db_fetch(context, config, r->server_princ,
-                        HDB_F_GET_SERVER | flags | (is_tgs ? HDB_F_GET_KRBTGT : 0),
+                        HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS |
+                        flags | (is_tgs ? HDB_F_GET_KRBTGT : 0),
                         NULL, NULL, &r->server);
     switch (ret) {
     case 0: /* Success */
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index b1398062d..a84118c17 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1702,7 +1702,8 @@ tgs_build_reply(astgs_request_t priv,
      */
 
 server_lookup:
-    ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | flags,
+    ret = _kdc_db_fetch(context, config, sp,
+                        HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags,
                         NULL, NULL, &server);
     priv->server = server;
     if (ret == HDB_ERR_NOT_FOUND_HERE) {
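Review bot: Applying HDB_F_DELAY_NEW_KEYS to the armor-server lookup is questionable, because this entry's keys are used to decrypt an incoming armor ticket rather than to encrypt one the KDC is issuing, and the call apparently passes NULL in the kvno slot, so nothing in the hunk ties the lookup to the kvno the armor ticket actually names. If fix_keys() swaps the delayed keyset out of the entry and the unwrap code (outside this hunk) only tries the entry's current keys, an armor TGT issued with the new krbtgt key by a KDC that has already passed the delay, or whose clock differs, will fail to unwrap. Either pass the armor ticket's kvno to _kdc_db_fetch, or add a comment stating why the delay is safe here, e.g. `/* Delay new keys: the armor TGT was issued under the same delay, and kvno lookup still falls back to the key history */`, once that has been confirmed. _kdc_fast_unwrap_request continues outside the hunk.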
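Review bot: The rule that HDB_F_DELAY_NEW_KEYS belongs on this server lookup and must never reach the client lookup lives only in the commit message; a comment at the call would keep the next person who edits the three-line `flags` expression from propagating it, e.g. `/* Server keys encrypt the issued ticket: honour new_service_key_delay so a freshly rekeyed service can still decrypt it; never set this on the client lookup */`. `flags` itself is built outside this hunk, so the lookup also inherits whatever bits the caller already set there. The OR expression now spans three lines; hoisting it into a local such as `unsigned fetch_flags` would make the comment and the is_tgs special case easier to read. _kdc_as_rep continues outside the hunk.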
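Review bot: The `server_lookup:` label shows this fetch is re-entered (presumably for referrals or name canonicalisation), and the other entries tgs_build_reply fetches for ticket issuance, such as S4U2Proxy targets or cross-realm krbtgts, are outside this hunk; every lookup whose keys encrypt an issued ticket needs HDB_F_DELAY_NEW_KEYS, and none whose keys decrypt a presented ticket may carry it. A comment here stating that rule, e.g. `/* DELAY_NEW_KEYS: this entry's keys encrypt the ticket we issue; never set it on lookups that decrypt a presented ticket */`, would make that audit of the remaining call sites straightforward. tgs_build_reply continues outside the hunk.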
diff --git a/lib/hdb/common.c b/lib/hdb/common.c
index 666eab1d7..44fda92f6 100644
--- a/lib/hdb/common.c
+++ b/lib/hdb/common.c
@@ -1161,10 +1161,11 @@ fix_keys(krb5_context context,
     size_t i;
 
     /*
-     * If we want a specific kvno, or if we're not decrypting the keys, or if
-     * there's no new-key delay, then we're out.
+     * If we want a specific kvno, or if the caller doesn't want new keys
+     * delayed, or if there's no new-key delay configured, or we're not
+     * fetching for use as a service principal, then we're out.
      */
-    if (!(flags & HDB_F_DECRYPT) || kvno || h->entry.flags.virtual ||
+    if (!(flags & HDB_F_DELAY_NEW_KEYS) || kvno || h->entry.flags.virtual ||
         h->entry.flags.virtual_keys || db->new_service_key_delay <= 0)
         return 0;
diff --git a/lib/hdb/hdb.h b/lib/hdb/hdb.h
index e21a4d720..00e73fe42 100644
--- a/lib/hdb/hdb.h
+++ b/lib/hdb/hdb.h
@@ -66,6 +66,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
 #define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
 #define HDB_F_PRECHECK 16384 /* check that the operation would succeed */
+#define HDB_F_DELAY_NEW_KEYS 32768 /* apply [hdb] new_service_key_delay */
 
 /* hdb_capability_flags */
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
diff --git a/lib/kadm5/get_s.c b/lib/kadm5/get_s.c
index 562286523..480edb24e 100644
--- a/lib/kadm5/get_s.c
+++ b/lib/kadm5/get_s.c
@@ -123,7 +123,8 @@ kadm5_s_get_principal(void *server_handle,
     kadm5_server_context *context = server_handle;
     kadm5_ret_t ret;
     hdb_entry_ex ent;
-    unsigned int flags = HDB_F_GET_ANY | HDB_F_ADMIN_DATA;
+    unsigned int flags = HDB_F_GET_ANY | HDB_F_ADMIN_DATA |
+                         HDB_F_DELAY_NEW_KEYS;
 
     if ((mask & KADM5_KEY_DATA) || (mask & KADM5_KVNO))
         flags |= HDB_F_ALL_KVNOS | HDB_F_DECRYPT;
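Review bot: The rewritten comment says the function bails when we're "not fetching for use as a service principal", but the condition beneath it checks only HDB_F_DELAY_NEW_KEYS and not HDB_F_GET_SERVER, so that property is now delegated entirely to callers, and kadm5_s_get_principal in this same patch sets the flag together with HDB_F_GET_ANY. The comment should say what the code does, e.g. `* delayed (HDB_F_DELAY_NEW_KEYS; it is the caller's job to set this only where the entry's keys will encrypt tickets)`, or the check should be made explicit. Dropping the HDB_F_DECRYPT gate also means the keyset adjustment now runs on fetches that never decrypt keys; that looks intentional, but the old text promised otherwise, so a word on it would help. fix_keys continues outside the hunk.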
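Review bot: The comment on HDB_F_DELAY_NEW_KEYS says what the flag applies but not who may set it, and getting that wrong is a security-relevant mistake in both directions: a client lookup carrying it would keep honouring a password the user just changed, while a service lookup without it issues tickets the service cannot yet decrypt. Suggest `/* apply [hdb] new_service_key_delay; set only when the entry's keys will encrypt an issued ticket, never on client/preauth lookups */`.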
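Review bot: HDB_F_DELAY_NEW_KEYS is set unconditionally here, so every server-side kadm5 read, including one that requests KADM5_KEY_DATA (kadmin ext_keytab), gets the delayed view during the delay window if fix_keys() replaces the entry's current keyset as its name and the new condition in lib/hdb/common.c suggest. That is the opposite of what an operator rekeying a service wants, since the delay exists precisely so the new keys can reach the service before the KDC starts using them, unless the newer keyset is still returned under HDB_F_ALL_KVNOS and the keytab extraction picks the highest kvno; the hunk does not show which. Please add a comment stating the intended semantics, e.g. `/* Return the keyset the KDC is currently using (new_service_key_delay applied) */`, or restrict the flag to reads that do not ask for KADM5_KEY_DATA. kadm5_s_get_principal continues outside the hunk.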
@@ -148,9 +149,8 @@ kadm5_s_get_principal(void *server_handle,
      * For now we won't attempt to recover the log.
      */
 
-    ret = hdb_fetch_kvno(context->context, context->db, princ,
-                         HDB_F_DECRYPT|HDB_F_ALL_KVNOS|
-                         HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, 0, 0, &ent);
+    ret = hdb_fetch_kvno(context->context, context->db, princ, flags,
+                         0 /*timestamp*/, 0/*etype*/, 0/*kvno*/, &ent);
     if (!context->keep_open)
         context->db->hdb_close(context->context, context->db);
 
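Review bot: Switching this call from the explicit HDB_F_DECRYPT|HDB_F_ALL_KVNOS|HDB_F_GET_ANY|HDB_F_ADMIN_DATA to `flags` changes more than the commit message says: `flags` (built in the earlier hunk) only carries HDB_F_DECRYPT and HDB_F_ALL_KVNOS when the mask asks for KADM5_KEY_DATA or KADM5_KVNO, so a read without those bits no longer decrypts keys or pulls the key history on this path. Handling less key material for reads that did not request it is the right direction, but the code after this hunk (outside my view) must not rely on decrypted keys or a populated kvno when the mask lacks them, and the commit message should mention the change. A short comment would record the intent, e.g. `/* flags decrypts keys only when KEY_DATA/KVNO were requested */`, and `0/*etype*/, 0/*kvno*/` should be spaced like `0 /*timestamp*/` for consistency. kadm5_s_get_principal continues outside the hunk.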