import ipa-4.9.11-6.module+el8.8.0+19022+e8902f4b
This commit is contained in:
parent
77e6c50e87
commit
9d780aea82
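--- /dev/null
+++ b/0008-kdb-Use-krb5_pac_full_sign_compat-when-available.patch
@@ -0,0 +1,80 @@
+From 0fff1cd15158ba8a6299e8bd82e13d695dceb98e Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Fri, 24 Mar 2023 18:32:37 +0100
+Subject: [PATCH] kdb: Use krb5_pac_full_sign_compat() when available
+
+In November 2022, Microsoft introduced a new PAC signature type called
+"extended KDC signature" (or "full PAC checksum"). This new PAC
+signature will be required by default by Active Directory in July 2023
+for S4U requests, and opt-out will no longer be possible after October
+2023.
+
+Support for this new signature type was added to MIT krb5, but it relies
+on the new KDB API introduced in krb5 1.20. For older MIT krb5 versions,
+the code generating extended KDC signatures cannot be backported as it
+is without backporting the full new KDB API code too. This would have
+too much impact to be done.
+
+As a consequence, krb5 packages for Fedora 37, CentOS 8 Stream, and RHEL
+8 will include a downstream-only update adding the
+krb5_pac_full_sign_compat() function, which can be used in combination
+with the prior to 1.20 KDB API to generate PAC extended KDC signatures.
+
+Fixes: https://pagure.io/freeipa/issue/9373
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+(cherry picked from commit 922d13ae7847c078b2b71540c7ebda469f0c239f)
+---
+daemons/ipa-kdb/ipa_kdb_mspac_v6.c | 10 ++++++++++
+server.m4 | 9 +++++++++
+2 files changed, 19 insertions(+)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_v6.c b/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
+index e506a0fd2..faf47ad1b 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
+@@ -176,11 +176,21 @@ static krb5_error_code ipadb_sign_pac(krb5_context context,
+
+/* only pass with_realm TRUE when it is cross-realm ticket and S4U2Self
+* was requested */
++#ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
++ kerr = krb5_pac_full_sign_compat(
++ context, pac, authtime, client_princ, server->princ, server_key,
++ right_krbtgt_signing_key,
++ (is_issuing_referral && (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)),
++ pac_data
++ );
++#else
++ /* Use standard function, PAC extended KDC signature not supported */
+kerr = krb5_pac_sign_ext(context, pac, authtime, client_princ, server_key,
+right_krbtgt_signing_key,
+(is_issuing_referral &&
+(flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)),
+pac_data);
++#endif
+
+done:
+free(princ);
+diff --git a/server.m4 b/server.m4
+index a5d083fa2..2ee2cf519 100644
+--- a/server.m4
++++ b/server.m4
+@@ -90,6 +90,15 @@ AC_CHECK_MEMBER([kdb_vftabl.issue_pac],
+[have_kdb_issue_pac=yes],
+[have_kdb_issue_pac=no], [#include <kdb.h>])
+
++dnl ---------------------------------------------------------------------------
++dnl - Check for KRB5 krb5_kdc_sign_ticket function
++dnl ---------------------------------------------------------------------------
++
++AC_CHECK_LIB(krb5, krb5_pac_full_sign_compat,
++ [AC_DEFINE([HAVE_KRB5_PAC_FULL_SIGN_COMPAT], [1],
++ [krb5_pac_full_sign_compat() is available.])],
++ [AC_MSG_NOTICE([krb5_pac_full_sign_compat() is not available])])
++
+dnl ---------------------------------------------------------------------------
+dnl - Check for UUID library
+dnl ---------------------------------------------------------------------------
+--
+2.39.2
+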
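Review bot: The `#else` branch of ipadb_sign_pac silently falls back to `krb5_pac_sign_ext()`, so a build against a krb5 that lacks `krb5_pac_full_sign_compat()` produces PACs without the extended KDC signature that the patch description says Active Directory will require for S4U requests, and the only trace of that degraded mode is a configure-time `AC_MSG_NOTICE` in server.m4. The spec's `krb5_version` bump to 1.18.2-24 presumably covers the packaged build, but a source build on an unpatched krb5 yields a KDC whose S4U tickets AD will start rejecting; promoting the notice to `AC_MSG_WARN([krb5_pac_full_sign_compat() is not available: PACs will lack the extended KDC signature required by Active Directory])` and saying the same in the `#else` comment would make that visible at build time. The `dnl - Check for KRB5 krb5_kdc_sign_ticket function` header above the new `AC_CHECK_LIB` names the wrong function and should read `dnl - Check for KRB5 krb5_pac_full_sign_compat function`. `AC_CHECK_LIB` also only proves the symbol links; if the installed krb5 headers do not declare it, the call in the `#ifdef` branch compiles as an implicit declaration with no checking of the `server->princ` and `krb5_boolean` arguments, so an additional `AC_CHECK_DECL` against the krb5 header (which header exposes the downstream prototype is not visible here) would be a safer guard. ipadb_sign_pac starts before and continues after the hunk.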
@ -64,7 +64,7 @@
|
||||
%if 0%{?rhel}
|
||||
%global package_name ipa
|
||||
%global alt_name freeipa
|
||||
%global krb5_version 1.18.2-2
|
||||
%global krb5_version 1.18.2-24
|
||||
%global krb5_kdb_version 8.0
|
||||
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
|
||||
%global python_netaddr_version 0.7.19
|
||||
@ -189,7 +189,7 @@
|
||||
|
||||
Name: %{package_name}
|
||||
Version: %{IPA_VERSION}
|
||||
Release: 5%{?rc_version:.%rc_version}%{?dist}
|
||||
Release: 6%{?rc_version:.%rc_version}%{?dist}
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
License: GPLv3+
|
||||
@ -216,6 +216,7 @@ Patch0004: 0004-server-install-remove-error-log-about-missing-bkup-file_rhb
|
||||
Patch0005: 0005-automember-rebuild-add-a-notice-about-high-CPU-usage_rhbz#2018198.patch
|
||||
Patch0006: 0006-ipa-kdb-PAC-consistency-checker-needs-to-handle-child-domains-as-well_rhbz#2166324.patch
|
||||
Patch0007: 0007-Wipe-the-ipa-ca-DNS-record-when-updating-system-records_rhbz#2158775.patch
|
||||
Patch0008: 0008-kdb-Use-krb5_pac_full_sign_compat-when-available.patch
|
||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
|
||||
Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
|
||||
@ -1715,6 +1716,10 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Jun 01 2023 Julien Rische <jrische@redhat.com> - 4.9.11-6
|
||||
- Add support for PAC extended KDC signature
|
||||
Resolves: rhbz#2211387
|
||||
|
||||
* Fri Feb 10 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-5
|
||||
- Wipe the ipa-ca DNS record when updating system records
|
||||
Resolves: RHBZ#2158775
|
||||
|