import ipa-4.9.6-10.module+el8.5.0+13587+92118e57
This commit is contained in:
parent
32d9493df4
commit
c07c360d7e
222
SOURCES/freeipa-4.9.6-bf-2.patch
Normal file
222
SOURCES/freeipa-4.9.6-bf-2.patch
Normal file
@ -0,0 +1,222 @@
|
||||
From fe59e6a0b06926a3d71c6b6f361714d1422d5b0f Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Thu, 11 Nov 2021 09:58:09 +0200
|
||||
Subject: [PATCH 1/2] ipa-kdb: honor SID from the host or service entry
|
||||
|
||||
If the SID was explicitly set for the host or service entry, honor it
|
||||
when issuing PAC. For normal services and hosts we don't allocate
|
||||
individual SIDs but for cifs/... principals on domain members we do as
|
||||
they need to login to Samba domain controller.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9031
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 46 ++++++++++++++++++++-------------
|
||||
1 file changed, 28 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
index 0e0ee3616..6f272f9fe 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
@@ -653,6 +653,28 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||
* clear it after detecting the changes */
|
||||
info3->base.acct_flags = ACB_USE_AES_KEYS;
|
||||
|
||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
||||
+ "ipaNTSecurityIdentifier", &strres);
|
||||
+ if (ret) {
|
||||
+ /* SID is mandatory for all but host/services */
|
||||
+ if (!(is_host || is_service)) {
|
||||
+ return ret;
|
||||
+ }
|
||||
+ info3->base.rid = 0;
|
||||
+ } else {
|
||||
+ ret = ipadb_string_to_sid(strres, &sid);
|
||||
+ free(strres);
|
||||
+ if (ret) {
|
||||
+ return ret;
|
||||
+ }
|
||||
+ ret = sid_split_rid(&sid, &info3->base.rid);
|
||||
+ if (ret) {
|
||||
+ return ret;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* If SID was present prefer using it even for hosts and services
|
||||
+ * but we still need to set the account flags correctly */
|
||||
if ((is_host || is_service)) {
|
||||
/* it is either host or service, so get the hostname first */
|
||||
char *sep = strchr(info3->base.account_name.string, '/');
|
||||
@@ -661,29 +683,17 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||
sep ? sep + 1 : info3->base.account_name.string);
|
||||
if (is_master) {
|
||||
/* Well known RID of domain controllers group */
|
||||
- info3->base.rid = 516;
|
||||
+ if (info3->base.rid == 0) {
|
||||
+ info3->base.rid = 516;
|
||||
+ }
|
||||
info3->base.acct_flags |= ACB_SVRTRUST;
|
||||
} else {
|
||||
/* Well known RID of domain computers group */
|
||||
- info3->base.rid = 515;
|
||||
+ if (info3->base.rid == 0) {
|
||||
+ info3->base.rid = 515;
|
||||
+ }
|
||||
info3->base.acct_flags |= ACB_WSTRUST;
|
||||
}
|
||||
- } else {
|
||||
- ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
||||
- "ipaNTSecurityIdentifier", &strres);
|
||||
- if (ret) {
|
||||
- /* SID is mandatory */
|
||||
- return ret;
|
||||
- }
|
||||
- ret = ipadb_string_to_sid(strres, &sid);
|
||||
- free(strres);
|
||||
- if (ret) {
|
||||
- return ret;
|
||||
- }
|
||||
- ret = sid_split_rid(&sid, &info3->base.rid);
|
||||
- if (ret) {
|
||||
- return ret;
|
||||
- }
|
||||
}
|
||||
|
||||
ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
||||
From 21af43550aa0a31e1ec5240578bd64fcbdd4ee24 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Thu, 11 Nov 2021 10:16:47 +0200
|
||||
Subject: [PATCH 2/2] ipa-kdb: validate domain SID in incoming PAC for trusted
|
||||
domains for S4U
|
||||
|
||||
Previously, ipadb_check_logon_info() was called only for cross-realm
|
||||
case. Now we call it for both in-realm and cross-realm cases. In case of
|
||||
the S4U2Proxy, we would be passed a PAC of the original caller which
|
||||
might be a principal from the trusted realm. We cannot validate that PAC
|
||||
against our local client DB entry because this is the proxy entry which
|
||||
is guaranteed to have different SID.
|
||||
|
||||
In such case, validate the SID of the domain in PAC against our realm
|
||||
and any trusted doman but skip an additional check of the DB entry in
|
||||
the S4U2Proxy case.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9031
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 54 ++++++++++++++++++++++++++-------
|
||||
1 file changed, 43 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
index 6f272f9fe..6f7d1ac15 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
@@ -1637,11 +1637,13 @@ static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid)
|
||||
static krb5_error_code check_logon_info_consistent(krb5_context context,
|
||||
TALLOC_CTX *memctx,
|
||||
krb5_const_principal client_princ,
|
||||
+ krb5_boolean is_s4u,
|
||||
struct PAC_LOGON_INFO_CTR *info)
|
||||
{
|
||||
krb5_error_code kerr = 0;
|
||||
struct ipadb_context *ipactx;
|
||||
bool result;
|
||||
+ bool is_from_trusted_domain = false;
|
||||
krb5_db_entry *client_actual = NULL;
|
||||
struct ipadb_e_data *ied = NULL;
|
||||
int flags = 0;
|
||||
@@ -1671,14 +1673,36 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
||||
result = dom_sid_check(&ipactx->mspac->domsid,
|
||||
info->info->info3.base.domain_sid, true);
|
||||
if (!result) {
|
||||
- /* memctx is freed by the caller */
|
||||
- char *sid = dom_sid_string(memctx, info->info->info3.base.domain_sid);
|
||||
- char *dom = dom_sid_string(memctx, &ipactx->mspac->domsid);
|
||||
- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC record claims domain SID different "
|
||||
- "to local domain SID: local [%s], PAC [%s]",
|
||||
- dom ? dom : "<failed to display>",
|
||||
- sid ? sid : "<failed to display>");
|
||||
- return KRB5KDC_ERR_POLICY;
|
||||
+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
|
||||
+ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
|
||||
+ /* Iterate through list of trusts and check if this SID belongs to
|
||||
+ * one of the domains we trust */
|
||||
+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
|
||||
+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
|
||||
+ info->info->info3.base.domain_sid, true);
|
||||
+ if (result) {
|
||||
+ is_from_trusted_domain = true;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!result) {
|
||||
+ /* memctx is freed by the caller */
|
||||
+ char *sid = dom_sid_string(memctx, info->info->info3.base.domain_sid);
|
||||
+ char *dom = dom_sid_string(memctx, &ipactx->mspac->domsid);
|
||||
+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC record claims domain SID different "
|
||||
+ "to local domain SID or any trusted domain SID: "
|
||||
+ "local [%s], PAC [%s]",
|
||||
+ dom ? dom : "<failed to display>",
|
||||
+ sid ? sid : "<failed to display>");
|
||||
+ return KRB5KDC_ERR_POLICY;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (is_s4u && is_from_trusted_domain) {
|
||||
+ /* If the PAC belongs to a user from the trusted domain, we cannot compare SIDs */
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
|
||||
@@ -1703,6 +1727,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+
|
||||
kerr = ipadb_get_sid_from_pac(memctx, info->info, &client_sid);
|
||||
if (kerr) {
|
||||
goto done;
|
||||
@@ -1956,6 +1981,7 @@ krb5_error_code filter_logon_info(krb5_context context,
|
||||
static krb5_error_code ipadb_check_logon_info(krb5_context context,
|
||||
krb5_const_principal client_princ,
|
||||
krb5_boolean is_cross_realm,
|
||||
+ krb5_boolean is_s4u,
|
||||
krb5_data *pac_blob,
|
||||
struct dom_sid *requester_sid)
|
||||
{
|
||||
@@ -1999,8 +2025,11 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
|
||||
|
||||
if (!is_cross_realm) {
|
||||
/* For local realm case we need to check whether the PAC is for our user
|
||||
- * but we don't need to process further */
|
||||
- kerr = check_logon_info_consistent(context, tmpctx, client_princ, &info);
|
||||
+ * but we don't need to process further. In S4U2Proxy case when the client
|
||||
+ * is ours but operates on behalf of the cross-realm principal, we will
|
||||
+ * search through the trusted domains but otherwise skip the exact SID check
|
||||
+ * as we are not responsible for the principal from the trusted domain */
|
||||
+ kerr = check_logon_info_consistent(context, tmpctx, client_princ, is_s4u, &info);
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -2251,7 +2280,10 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
|
||||
#endif
|
||||
|
||||
kerr = ipadb_check_logon_info(context,
|
||||
- client_princ, is_cross_realm, &pac_blob,
|
||||
+ client_princ,
|
||||
+ is_cross_realm,
|
||||
+ (flags & KRB5_KDB_FLAGS_S4U),
|
||||
+ &pac_blob,
|
||||
requester_sid);
|
||||
if (kerr != 0) {
|
||||
goto done;
|
||||
--
|
||||
2.33.1
|
||||
|
122
SOURCES/freeipa-4.9.6-bf-3.patch
Normal file
122
SOURCES/freeipa-4.9.6-bf-3.patch
Normal file
@ -0,0 +1,122 @@
|
||||
From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Fri, 26 Nov 2021 11:13:51 +0200
|
||||
Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and
|
||||
MS-SFU updates
|
||||
|
||||
New versions of MS-KILE and MS-SFU after Windows Server November 2021
|
||||
security updates add PAC_REQUESTER_SID buffer check behavior:
|
||||
|
||||
- PAC_REQUESTER_SID should only be added for TGT requests
|
||||
|
||||
- if PAC_REQUESTER_SID is present, KDC must verify that the cname on
|
||||
the ticket resolves to the account with the same SID as the
|
||||
PAC_REQUESTER_SID. If it doesn't KDC must respond with
|
||||
KDC_ERR_TKT_REVOKED
|
||||
|
||||
Change requester SID check to skip exact check for non-local
|
||||
PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
|
||||
we know about.
|
||||
|
||||
If requester SID is the same as in PAC, we already do cname vs PAC SID
|
||||
verification.
|
||||
|
||||
With these changes FreeIPA works against Windows Server 2019 with
|
||||
November 2021 security fixes in cross-realm S4U2Self operations.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9031
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++---------
|
||||
1 file changed, 34 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
index 538cfbba9..1b972c167 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
||||
"local [%s], PAC [%s]",
|
||||
dom ? dom : "<failed to display>",
|
||||
sid ? sid : "<failed to display>");
|
||||
- return KRB5KDC_ERR_POLICY;
|
||||
+ return KRB5KDC_ERR_TGT_REVOKED;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
||||
kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
|
||||
if (kerr != 0) {
|
||||
krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed.");
|
||||
- return KRB5KDC_ERR_POLICY;
|
||||
+ return KRB5KDC_ERR_TGT_REVOKED;
|
||||
}
|
||||
|
||||
ied = (struct ipadb_e_data *)client_actual->e_data;
|
||||
@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
||||
"local [%s] vs PAC [%s]",
|
||||
local_sid ? local_sid : "<failed to display>",
|
||||
pac_sid ? pac_sid : "<failed to display>");
|
||||
- kerr = KRB5KDC_ERR_POLICY;
|
||||
+ kerr = KRB5KDC_ERR_TGT_REVOKED;
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
|
||||
/* Check that requester SID is the same as in the PAC entry */
|
||||
if (requester_sid != NULL) {
|
||||
struct dom_sid client_sid;
|
||||
+ bool is_from_trusted_domain = false;
|
||||
kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid);
|
||||
if (kerr) {
|
||||
goto done;
|
||||
}
|
||||
result = dom_sid_check(&client_sid, requester_sid, true);
|
||||
if (!result) {
|
||||
- /* memctx is freed by the caller */
|
||||
- char *pac_sid = dom_sid_string(tmpctx, &client_sid);
|
||||
- char *req_sid = dom_sid_string(tmpctx, requester_sid);
|
||||
- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
|
||||
- "different from what PAC requester claims. "
|
||||
- "PAC [%s] vs PAC requester [%s]",
|
||||
- pac_sid ? pac_sid : "<failed to display>",
|
||||
- req_sid ? req_sid : "<failed to display>");
|
||||
- kerr = KRB5KDC_ERR_POLICY;
|
||||
- goto done;
|
||||
+ struct ipadb_context *ipactx = ipadb_get_context(context);
|
||||
+ if (!ipactx || !ipactx->mspac) {
|
||||
+ return KRB5_KDB_DBNOTINITED;
|
||||
+ }
|
||||
+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
|
||||
+ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
|
||||
+ /* Iterate through list of trusts and check if this SID belongs to
|
||||
+ * one of the domains we trust */
|
||||
+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
|
||||
+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
|
||||
+ requester_sid, false);
|
||||
+ if (result) {
|
||||
+ is_from_trusted_domain = true;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!is_from_trusted_domain) {
|
||||
+ /* memctx is freed by the caller */
|
||||
+ char *pac_sid = dom_sid_string(tmpctx, &client_sid);
|
||||
+ char *req_sid = dom_sid_string(tmpctx, requester_sid);
|
||||
+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
|
||||
+ "different from what PAC requester claims. "
|
||||
+ "PAC [%s] vs PAC requester [%s]",
|
||||
+ pac_sid ? pac_sid : "<failed to display>",
|
||||
+ req_sid ? req_sid : "<failed to display>");
|
||||
+ kerr = KRB5KDC_ERR_TGT_REVOKED;
|
||||
+ goto done;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
3979
SOURCES/freeipa-4.9.6-bf.patch
Normal file
3979
SOURCES/freeipa-4.9.6-bf.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -68,8 +68,8 @@
|
||||
%global krb5_kdb_version 8.0
|
||||
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
|
||||
%global python_netaddr_version 0.7.19
|
||||
# Require 4.7.0 which brings Python 3 bindings
|
||||
%global samba_version 4.12.3-12
|
||||
# Require 4.14.5-6 which brings CVE-2020-25717 fixes in RHEL 8.5.z
|
||||
%global samba_version 4.14.5-6
|
||||
%global selinux_policy_version 3.14.3-52
|
||||
%global slapi_nis_version 0.56.4
|
||||
%global python_ldap_version 3.1.0-1
|
||||
@ -92,9 +92,9 @@
|
||||
%global krb5_version 1.18.2-29
|
||||
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
|
||||
%global python_netaddr_version 0.7.16
|
||||
# Require 4.7.0 which brings Python 3 bindings
|
||||
# Require 4.12 which has DsRGetForestTrustInformation access rights fixes
|
||||
%global samba_version 2:4.12.10
|
||||
|
||||
# Require 4.14.6 which brings CVE-2020-25717 fixes
|
||||
%global samba_version 2:4.14.6
|
||||
|
||||
# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
|
||||
%global selinux_policy_version 3.14.5-45
|
||||
@ -191,7 +191,7 @@
|
||||
|
||||
Name: %{package_name}
|
||||
Version: %{IPA_VERSION}
|
||||
Release: 6%{?rc_version:.%rc_version}%{?dist}
|
||||
Release: 10%{?rc_version:.%rc_version}%{?dist}
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
License: GPLv3+
|
||||
@ -228,6 +228,11 @@ Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||
%endif
|
||||
%endif
|
||||
# RHEL spec file only: END
|
||||
# SID hardening patches
|
||||
Patch1100: freeipa-4.9.6-bf.patch
|
||||
Patch1101: freeipa-4.9.6-bf-2.patch
|
||||
Patch1102: freeipa-4.9.6-bf-3.patch
|
||||
|
||||
|
||||
# For the timestamp trick in patch application
|
||||
BuildRequires: diffstat
|
||||
@ -471,6 +476,8 @@ Requires: gssproxy >= 0.7.0-2
|
||||
Requires: sssd-dbus >= %{sssd_version}
|
||||
Requires: libpwquality
|
||||
Requires: cracklib-dicts
|
||||
# NDR libraries are internal in Samba and change with version without changing SONAME
|
||||
Requires: samba-client-libs >= %{samba_version}
|
||||
|
||||
Provides: %{alt_name}-server = %{version}
|
||||
Conflicts: %{alt_name}-server
|
||||
@ -1377,6 +1384,7 @@ fi
|
||||
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
|
||||
%dir %{_libexecdir}/ipa/oddjob
|
||||
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
|
||||
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid
|
||||
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
|
||||
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
|
||||
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
|
||||
@ -1709,6 +1717,22 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-10
|
||||
- Bump realease version due to build issue.
|
||||
Related: RHBZ#2021489
|
||||
|
||||
* Thu Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-9
|
||||
- Hardening for CVE-2020-25717, part 3
|
||||
Related: RHBZ#2021489
|
||||
|
||||
* Thu Nov 18 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-8
|
||||
- Hardening for CVE-2020-25717, part 2
|
||||
- Related: RHBZ#2021171
|
||||
|
||||
* Sun Nov 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-7
|
||||
- Hardening for CVE-2020-25717
|
||||
- Related: RHBZ#2021171
|
||||
|
||||
* Fri Sep 17 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-6
|
||||
- Don't store entries with a usercertificate in the LDAP cache
|
||||
Resolves: RHBZ#1999893
|
||||
|
Loading…
Reference in New Issue
Block a user