- ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older
parent
ff8b7c7405
commit
c43fbe87ff
@ -0,0 +1,98 @@
From d394afc1210a21378c018d0ff93d400a57324289 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Mon, 25 Sep 2023 15:14:03 +0200
Subject: [PATCH] ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and
older
Since krb5 1.20, the PAC is generated by default, and the AD-SIGNEDPATH
authdata is no longer generated. However, on krb5 versions prior to
1.20, the KDC still expects an AD-SIGNEDPATH when verifying a
constrained delegation (S4U2Proxy) TGS-REQ. In IPA's case this
requirement is not needed, because the PAC signatures are already
fulfilling this role.
CentOS and RHEL downstream releases of krb5 will include the
"optional_ad_signedpath" KDB string attribute allowing to disable the
AD-SIGNEDPATH requirement in case the PAC is present.
This commit sets the "optional_ad_signedpath" string attribute to "true"
systematically on the TGS principal if the database abstract layer (DAL)
of krb5 is version 8 or older (prior to krb5 1.20).
Fixes: https://pagure.io/freeipa/issue/9448
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_principals.c | 38 ++++++++++++++++++++++++++--
1 file changed, 36 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index e95cb453c..fadb132ed 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -113,6 +113,10 @@ static char *std_principal_obj_classes[] = {
#define DEFAULT_TL_DATA_CONTENT "\x00\x00\x00\x00principal@UNINITIALIZED"
+#ifndef KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH
+#define KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH "optional_ad_signedpath"
+#endif
+
static int ipadb_ldap_attr_to_tl_data(LDAP *lcontext, LDAPMessage *le,
char *attrname,
krb5_tl_data **result, int *num)
@@ -178,6 +182,25 @@ done:
return ret;
}
+static bool
+is_tgs_princ(krb5_context kcontext, krb5_const_principal princ)
+{
+ krb5_data *primary;
+ size_t l_tgs_name;
+
+ if (2 != krb5_princ_size(kcontext, princ))
+ return false;
+
+ primary = krb5_princ_component(kcontext, princ, 0);
+
+ l_tgs_name = strlen(KRB5_TGS_NAME);
+
+ if (l_tgs_name != primary->length)
+ return false;
+
+ return 0 == memcmp(primary->data, KRB5_TGS_NAME, l_tgs_name);
+}
+
static krb5_error_code ipadb_set_tl_data(krb5_db_entry *entry,
krb5_int16 type,
krb5_ui_2 length,
@@ -1647,11 +1670,22 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
/* Lookup local names and aliases first. */
kerr = dbget_princ(kcontext, ipactx, search_for, flags, entry);
- if (kerr != KRB5_KDB_NOENTRY) {
+ if (kerr == KRB5_KDB_NOENTRY) {
+ kerr = dbget_alias(kcontext, ipactx, search_for, flags, entry);
+ }
+ if (kerr)
return kerr;
+
+#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
+ /* If TGS principal, some virtual attributes may be added */
+ if (is_tgs_princ(kcontext, (*entry)->princ)) {
+ kerr = krb5_dbe_set_string(kcontext, *entry,
+ KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH,
+ "true");
}
+#endif
- return dbget_alias(kcontext, ipactx, search_for, flags, entry);
+ return kerr;
}
void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data)
--
2.41.0
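Review bot: In the ipadb_get_principal hunk, a failing krb5_dbe_set_string() makes the function return an error while `*entry`, already filled by dbget_princ()/dbget_alias(), is left in the caller's hands, and callers of a DAL get_principal do not free the entry on an error return, so it leaks; release it before returning, e.g. `if (kerr) { ipadb_free_principal(kcontext, *entry); *entry = NULL; }` right after the set_string call. Separately, is_tgs_princ() accepts any two-component principal whose first component is "krbtgt", so cross-realm TGT entries (krbtgt/OTHER.REALM@REALM) would also receive the optional_ad_signedpath attribute; if the commit message's "the TGS principal" means only the local one, the second component needs to be compared with the realm as well — worth confirming against the intended scope. The `#if KRB5_KDB_DAL_MAJOR_VERSION <= 8` guard also evaluates true when the macro is not defined at all, which is harmless with kdb.h included but deserves a one-line comment such as `/* DAL <= 8: krb5 < 1.20, AD-SIGNEDPATH still required by the KDC */`. ipadb_get_principal's body begins and the surrounding file continues outside the hunks shown in this patch file.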
@ -64,7 +64,7 @@
%if 0%{?rhel}
%if 0%{?rhel}
%global package_name ipa
%global package_name ipa
%global alt_name freeipa
%global alt_name freeipa
%global krb5_version 1.18.2-25
%global krb5_version 1.18.2-26
%global krb5_kdb_version 8.0
%global krb5_kdb_version 8.0
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.19
%global python_netaddr_version 0.7.19
@ -189,7 +189,7 @@
Name: %{package_name}
Name: %{package_name}
Version: %{IPA_VERSION}
Version: %{IPA_VERSION}
Release: 8%{?rc_version:.%rc_version}%{?dist}
Release: 9%{?rc_version:.%rc_version}%{?dist}.alma.1
Summary: The Identity, Policy and Audit system
Summary: The Identity, Policy and Audit system
License: GPLv3+
License: GPLv3+
@ -222,6 +222,11 @@ Patch0010: 0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch
Patch0011: 0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch
Patch0011: 0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch
Patch0012: 0012-ipatests-fix-test_topology_rhbz#2232351.patch
Patch0012: 0012-ipatests-fix-test_topology_rhbz#2232351.patch
Patch0013: 0013-Installer-activate-nss-and-pam-services-in-sssd.conf_rhbz#2216532.patch
Patch0013: 0013-Installer-activate-nss-and-pam-services-in-sssd.conf_rhbz#2216532.patch
# Patches were taken from:
# https://gitlab.com/redhat/centos-stream/rpms/ipa/-/commit/5d0ca0e625aea2553a39ae3e56174285cb123f13
Patch0014: 0014-ipa-kdb-Make-AD-SIGNEDPATH-optional-with-krb5-DAL-8.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
@ -1736,6 +1741,9 @@ fi
%endif
%endif
%changelog
%changelog
* Wed Nov 14 2023 Eduard Abdullin <eabdullin@almalinux.org> - 4.9.12-9.alma.1
- ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older
* Thu Aug 31 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-8
* Thu Aug 31 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-8
- Require krb5 release 1.18.2-25 or later
- Require krb5 release 1.18.2-25 or later
Resolves: RHBZ#2234711
Resolves: RHBZ#2234711
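Review bot: The new changelog entry for 4.9.12-9.alma.1 records only the ipa-kdb patch, while the first hunk of this spec also raises `krb5_version` from 1.18.2-25 to 1.18.2-26, presumably the downstream krb5 build that honors the "optional_ad_signedpath" attribute the patch relies on; the bump is otherwise undocumented. Add a line such as `- Require krb5 release 1.18.2-26 or later` under the new entry, mirroring what the previous 4.9.12-8 entry did for 1.18.2-25, so the dependency change is traceable from the changelog.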