From 5d0ca0e625aea2553a39ae3e56174285cb123f13 Mon Sep 17 00:00:00 2001
From: Julien Rische
Date: Wed, 27 Sep 2023 18:23:43 +0200
Subject: [PATCH] ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older
Resolves: RHEL-12198
Signed-off-by: Julien Rische
---
 ...-SIGNEDPATH-optional-with-krb5-DAL-8.patch | 98 +++++++++++++++++++
 ipa.spec | 9 +-
 2 files changed, 105 insertions(+), 2 deletions(-)
 create mode 100644 0014-ipa-kdb-Make-AD-SIGNEDPATH-optional-with-krb5-DAL-8.patch
diff --git a/0014-ipa-kdb-Make-AD-SIGNEDPATH-optional-with-krb5-DAL-8.patch b/0014-ipa-kdb-Make-AD-SIGNEDPATH-optional-with-krb5-DAL-8.patch
new file mode 100644
index 0000000..856717c
--- /dev/null
+++ b/0014-ipa-kdb-Make-AD-SIGNEDPATH-optional-with-krb5-DAL-8.patch
@@ -0,0 +1,98 @@
+From d394afc1210a21378c018d0ff93d400a57324289 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Mon, 25 Sep 2023 15:14:03 +0200
+Subject: [PATCH] ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and
+ older
+
+Since krb5 1.20, the PAC is generated by default, and the AD-SIGNEDPATH
+authdata is no longer generated. However, on krb5 versions prior to
+1.20, the KDC still expects an AD-SIGNEDPATH when verifying a
+constrained delegation (S4U2Proxy) TGS-REQ. In IPA's case this
+requirement is not needed, because the PAC signatures are already
+fulfilling this role.
+
+CentOS and RHEL downstream releases of krb5 will include the
+"optional_ad_signedpath" KDB string attribute allowing to disable the
+AD-SIGNEDPATH requirement in case the PAC is present.
+
+This commit sets the "optional_ad_signedpath" string attribute to "true"
+systematically on the TGS principal if the database abstract layer (DAL)
+of krb5 is version 8 or older (prior to krb5 1.20).
+
+Fixes: https://pagure.io/freeipa/issue/9448
+
+Signed-off-by: Julien Rische
+Reviewed-By: Alexander Bokovoy
+---
+ daemons/ipa-kdb/ipa_kdb_principals.c | 38 ++++++++++++++++++++++++++--
+ 1 file changed, 36 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
+index e95cb453c..fadb132ed 100644
+--- a/daemons/ipa-kdb/ipa_kdb_principals.c
++++ b/daemons/ipa-kdb/ipa_kdb_principals.c
+@@ -113,6 +113,10 @@ static char *std_principal_obj_classes[] = {
+
+ #define DEFAULT_TL_DATA_CONTENT "\x00\x00\x00\x00principal@UNINITIALIZED"
+
++#ifndef KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH
++#define KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH "optional_ad_signedpath"
++#endif
++
+ static int ipadb_ldap_attr_to_tl_data(LDAP *lcontext, LDAPMessage *le,
+ char *attrname,
+ krb5_tl_data **result, int *num)
+@@ -178,6 +182,25 @@ done:
+ return ret;
+ }
+
++static bool
++is_tgs_princ(krb5_context kcontext, krb5_const_principal princ)
++{
++ krb5_data *primary;
++ size_t l_tgs_name;
++
++ if (2 != krb5_princ_size(kcontext, princ))
++ return false;
++
++ primary = krb5_princ_component(kcontext, princ, 0);
++
++ l_tgs_name = strlen(KRB5_TGS_NAME);
++
++ if (l_tgs_name != primary->length)
++ return false;
++
++ return 0 == memcmp(primary->data, KRB5_TGS_NAME, l_tgs_name);
++}
++
+ static krb5_error_code ipadb_set_tl_data(krb5_db_entry *entry,
+ krb5_int16 type,
+ krb5_ui_2 length,
+@@ -1647,11 +1670,22 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
+
+ /* Lookup local names and aliases first. */
+ kerr = dbget_princ(kcontext, ipactx, search_for, flags, entry);
+- if (kerr != KRB5_KDB_NOENTRY) {
++ if (kerr == KRB5_KDB_NOENTRY) {
++ kerr = dbget_alias(kcontext, ipactx, search_for, flags, entry);
++ }
++ if (kerr)
+ return kerr;
++
++#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
++ /* If TGS principal, some virtual attributes may be added */
++ if (is_tgs_princ(kcontext, (*entry)->princ)) {
++ kerr = krb5_dbe_set_string(kcontext, *entry,
++ KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH,
++ "true");
+ }
++#endif
+
+- return dbget_alias(kcontext, ipactx, search_for, flags, entry);
++ return kerr;
+ }
+
+ void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data)
+--
+2.41.0
+
diff --git a/ipa.spec b/ipa.spec
index 4db2e66..83150fc 100644
--- a/ipa.spec
+++ b/ipa.spec
@@ -64,7 +64,7 @@
 %if 0%{?rhel}
 %global package_name ipa
 %global alt_name freeipa
-%global krb5_version 1.18.2-25
+%global krb5_version 1.18.2-26
 %global krb5_kdb_version 8.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.19
@@ -189,7 +189,7 @@
 Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 8%{?rc_version:.%rc_version}%{?dist}
+Release: 9%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPLv3+
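Review bot: In the patched ipadb_get_principal (the `@@ -1647` hunk of the embedded patch; the function starts and ends outside it), a failing krb5_dbe_set_string returns kerr while the entry just obtained from dbget_princ or dbget_alias is still held in *entry, and as far as I know the KDB caller frees *entry only on a zero return, so the error path leaks the entry and hands a stale pointer back; release it before returning, e.g. `if (kerr) { ipadb_free_principal(kcontext, *entry); *entry = NULL; }` right after the krb5_dbe_set_string call. The new static is_tgs_princ (the `@@ -178` hunk) is defined unconditionally but its only caller sits inside `#if KRB5_KDB_DAL_MAJOR_VERSION <= 8`, so builds against DAL 9 or newer get an unused-function warning (a failure under -Werror); wrapping the definition in the same `#if` avoids that. is_tgs_princ also accepts any two-component principal whose first component is krbtgt, which includes cross-realm krbtgt entries; if the optional_ad_signedpath attribute is meant only for the local TGS, it should additionally compare the second component against the realm, though I cannot tell from the hunk whether the wider match is intended.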
@@ -222,6 +222,7 @@ Patch0010: 0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch
 Patch0011: 0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch
 Patch0012: 0012-ipatests-fix-test_topology_rhbz#2232351.patch
 Patch0013: 0013-Installer-activate-nss-and-pam-services-in-sssd.conf_rhbz#2216532.patch
+Patch0014: 0014-ipa-kdb-Make-AD-SIGNEDPATH-optional-with-krb5-DAL-8.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
 Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
@@ -1736,6 +1737,10 @@ fi
 %endif
 %changelog
+* Wed Oct 04 2023 Julien Rische - 4.9.12-9
+- ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older
+ Resolves: RHEL-12198
+
 * Thu Aug 31 2023 Rafael Jeffman - 4.9.12-8
 - Require krb5 release 1.18.2-25 or later
 Resolves: RHBZ#2234711