diff --git a/SOURCES/0008-Use-krb5_pac_full_sign_compat-when-available.patch b/SOURCES/0008-Use-krb5_pac_full_sign_compat-when-available.patch
new file mode 100644
index 0000000..3fe891b
--- /dev/null
+++ b/SOURCES/0008-Use-krb5_pac_full_sign_compat-when-available.patch
@@ -0,0 +1,71 @@
+From a8d81b5005ea15a35d0d63330b922037de3ca253 Mon Sep 17 00:00:00 2001
+From: David Sloboda
+Date: Fri, 30 Jun 2023 15:37:34 +0200
+Subject: [PATCH] OLERRATA-43634 - Support for PAC extended KDC signature
+
+In November 2022, Microsoft introduced a new PAC signature type called
+"extended KDC signature" (or "full PAC checksum"). This new PAC
+signature will be required by default by Active Directory in July 2023
+for S4U requests, and opt-out will no longer be possible after October
+2023.
+
+Support for this new signature type was added to MIT krb5, but it relies
+on the new KDB API introduced in krb5 1.20. For older MIT krb5 versions,
+the code generating extended KDC signatures cannot be backported as it
+is without backporting the full new KDB API code too. This would have
+too much impact to be done.
+
+As a consequence, krb5 packages for Fedora 37, CentOS 8 Stream, and RHEL
+8 will include a downstream-only update adding the
+krb5_pac_full_sign_compat() function, which can be used in combination
+with the prior to 1.20 KDB API to generate PAC extended KDC signatures.
+
+Fixes: https://pagure.io/freeipa/issue/9373
+Signed-off-by: Julien Rische
+Reviewed-By: Alexander Bokovoy
+Signed-off-by: David Sloboda
+---
+diff -Nuar freeipa-4.9.11.orig/daemons/ipa-kdb/ipa_kdb_mspac_v6.c freeipa-4.9.11/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
+--- freeipa-4.9.11.orig/daemons/ipa-kdb/ipa_kdb_mspac_v6.c 2022-11-25 17:16:11.352773047 +0100
++++ freeipa-4.9.11/daemons/ipa-kdb/ipa_kdb_mspac_v6.c 2023-06-30 14:58:17.198538781 +0200
+@@ -176,11 +176,21 @@
+ 
+ /* only pass with_realm TRUE when it is cross-realm ticket and S4U2Self
+ * was requested */
++#ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
++ kerr = krb5_pac_full_sign_compat(
++ context, pac, authtime, client_princ, server->princ, server_key,
++ right_krbtgt_signing_key,
++ (is_issuing_referral && (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)),
++ pac_data
++ );
++#else
++ /* Use standard function, PAC extended KDC signature not supported */
+ kerr = krb5_pac_sign_ext(context, pac, authtime, client_princ, server_key,
+ right_krbtgt_signing_key,
+ (is_issuing_referral &&
+ (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)),
+ pac_data);
++#endif
+ 
+ done:
+ free(princ);
+diff -Nuar freeipa-4.9.11.orig/server.m4 freeipa-4.9.11/server.m4
+--- freeipa-4.9.11.orig/server.m4 2022-11-25 17:16:11.353773052 +0100
++++ freeipa-4.9.11/server.m4 2023-06-30 14:59:52.845995040 +0200
+@@ -91,6 +91,15 @@
+ [have_kdb_issue_pac=no], [#include ])
+ 
+ dnl ---------------------------------------------------------------------------
++dnl - Check for KRB5 krb5_kdc_sign_ticket function
++dnl ---------------------------------------------------------------------------
++
++AC_CHECK_LIB(krb5, krb5_pac_full_sign_compat,
++ [AC_DEFINE([HAVE_KRB5_PAC_FULL_SIGN_COMPAT], [1],
++ [krb5_pac_full_sign_compat() is available.])],
++ [AC_MSG_NOTICE([krb5_pac_full_sign_compat() is not available])])
++
++dnl ---------------------------------------------------------------------------
+ dnl - Check for UUID library
+ dnl 
---------------------------------------------------------------------------
+ PKG_CHECK_MODULES([UUID], [uuid])
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 4aab5cf..6aab42f 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -189,7 +189,7 @@ Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 5%{?rc_version:.%rc_version}%{?dist}
+Release: 6%{?rc_version:.%rc_version}%{?dist}.alma
 Summary: The Identity, Policy and Audit system
 License: GPLv3+
@@ -216,6 +216,8 @@ Patch0004: 0004-server-install-remove-error-log-about-missing-bkup-file_rhb
 Patch0005: 0005-automember-rebuild-add-a-notice-about-high-CPU-usage_rhbz#2018198.patch
 Patch0006: 0006-ipa-kdb-PAC-consistency-checker-needs-to-handle-child-domains-as-well_rhbz#2166324.patch
 Patch0007: 0007-Wipe-the-ipa-ca-DNS-record-when-updating-system-records_rhbz#2158775.patch
+# Patch taken from Oracle Linux ipa-4.9.11-5.0.2.module+el8.8.0+21110+f1feef29.src.rpm
+Patch0008: 0008-Use-krb5_pac_full_sign_compat-when-available.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
 Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
@@ -1715,6 +1717,9 @@ fi
 %endif
 %changelog
+* Thu Jul 13 2023 Andrew Lukoshko - 4.9.11-6.alma
+- kdb: Use krb5_pac_full_sign_compat() when available
+
 * Fri Feb 10 2023 Rafael Jeffman - 4.9.11-5
 - Wipe the ipa-ca DNS record when updating system records
 Resolves: RHBZ#2158775
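Review bot: The server.m4 part of the added patch only emits `AC_MSG_NOTICE` when `krb5_pac_full_sign_compat()` is missing, so a build against an older libkrb5 silently takes the `#else` branch in ipa_kdb_mspac_v6.c and issues PACs without the extended KDC signature — which, by the dates in the commit message itself, Active Directory rejects for S4U requests after the enforcement deadlines. That degradation deserves to be loud rather than a notice in configure output: `[AC_MSG_WARN([krb5_pac_full_sign_compat() is not available; PACs will lack the extended KDC signature AD requires for S4U])]`, or a `--with-pac-full-sign` option that makes configure fail when the symbol is required. The new header `dnl - Check for KRB5 krb5_kdc_sign_ticket function` is a copy-paste mismatch with the check below it and should read `dnl - Check for KRB5 krb5_pac_full_sign_compat function`. `AC_CHECK_LIB` also only proves the symbol links; it does not confirm the installed krb5.h declares it, so if the downstream header were ever out of step with the library the `#ifdef` branch would compile against an implicit declaration — an `AC_CHECK_DECL` alongside it would catch that. The C hunk sits inside a function whose start and end lie outside this patch excerpt.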