- adtrustinstance: make sure NetBIOS name defaults are set

properly
- ipatests: wait for replica update in test_dns_locations
- ipa-kdb: Disable Bronze-Bit check if PAC not available
- ipapython: Clean up krb5_error
- ipapython: Correct return type of krb5_free_cred_contents
- ipa-kdb: Fix memory leak during PAC verification
- sidgen: ignore staged users when generating SIDs
- kdb: PAC generator: do not fail if canonical principal is missing
- Fix some mistakes in ipadb_check_for_bronze_bit_attack()
- ipa-kdb: Rework ipadb_reinit_mspac()
- ipatests: fix tasks.wait_for_replication method
- ipa-kdb: Fix double free in ipadb_reinit_mspac()

SOURCES/0008-Use-krb5_pac_full_sign_compat-when-available.patch

@@ -0,0 +1,71 @@
+From a8d81b5005ea15a35d0d63330b922037de3ca253 Mon Sep 17 00:00:00 2001
+From: David Sloboda <david.x.sloboda@oracle.com>
+Date: Fri, 30 Jun 2023 15:37:34 +0200
+Subject: [PATCH] OLERRATA-43634 - Support for PAC extended KDC signature
+
+In November 2022, Microsoft introduced a new PAC signature type called
+"extended KDC signature" (or "full PAC checksum"). This new PAC
+signature will be required by default by Active Directory in July 2023
+for S4U requests, and opt-out will no longer be possible after October
+2023.
+
+Support for this new signature type was added to MIT krb5, but it relies
+on the new KDB API introduced in krb5 1.20. For older MIT krb5 versions,
+the code generating extended KDC signatures cannot be backported as it
+is without backporting the full new KDB API code too. This would have
+too much impact to be done.
+
+As a consequence, krb5 packages for Fedora 37, CentOS 8 Stream, and RHEL
+8 will include a downstream-only update adding the
+krb5_pac_full_sign_compat() function, which can be used in combination
+with the prior to 1.20 KDB API to generate PAC extended KDC signatures.
+
+Fixes: https://pagure.io/freeipa/issue/9373
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
+---
+diff -Nuar freeipa-4.9.11.orig/daemons/ipa-kdb/ipa_kdb_mspac_v6.c freeipa-4.9.11/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
+--- freeipa-4.9.11.orig/daemons/ipa-kdb/ipa_kdb_mspac_v6.c	2022-11-25 17:16:11.352773047 +0100
++++ freeipa-4.9.11/daemons/ipa-kdb/ipa_kdb_mspac_v6.c	2023-06-30 14:58:17.198538781 +0200
+@@ -176,11 +176,21 @@
+ 
+     /* only pass with_realm TRUE when it is cross-realm ticket and S4U2Self
+      * was requested */
++#ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
++    kerr = krb5_pac_full_sign_compat(
++        context, pac, authtime, client_princ, server->princ, server_key,
++        right_krbtgt_signing_key,
++        (is_issuing_referral && (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)),
++        pac_data
++    );
++#else
++    /* Use standard function, PAC extended KDC signature not supported */
+     kerr = krb5_pac_sign_ext(context, pac, authtime, client_princ, server_key,
+                              right_krbtgt_signing_key,
+                              (is_issuing_referral &&
+                               (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)),
+                              pac_data);
++#endif
+ 
+ done:
+     free(princ);
+diff -Nuar freeipa-4.9.11.orig/server.m4 freeipa-4.9.11/server.m4
+--- freeipa-4.9.11.orig/server.m4	2022-11-25 17:16:11.353773052 +0100
++++ freeipa-4.9.11/server.m4	2023-06-30 14:59:52.845995040 +0200
+@@ -91,6 +91,15 @@
+                 [have_kdb_issue_pac=no], [#include <kdb.h>])
+ 
+ dnl ---------------------------------------------------------------------------
++dnl - Check for KRB5 krb5_kdc_sign_ticket function
++dnl ---------------------------------------------------------------------------
++
++AC_CHECK_LIB(krb5, krb5_pac_full_sign_compat,
++             [AC_DEFINE([HAVE_KRB5_PAC_FULL_SIGN_COMPAT], [1],
++                        [krb5_pac_full_sign_compat() is available.])],
++             [AC_MSG_NOTICE([krb5_pac_full_sign_compat() is not available])])
++
++dnl ---------------------------------------------------------------------------
+ dnl - Check for UUID library
+ dnl ---------------------------------------------------------------------------
+ PKG_CHECK_MODULES([UUID], [uuid])

SOURCES/0009-ipa-kdb-fix-error-handling-of-is_master_host.patch

@@ -0,0 +1,85 @@
+From c84c59c66f1b22ebc671960cae90088a024d2d62 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Aug 01 2023 11:31:09 +0000
+Subject: ipa-kdb: fix error handling of is_master_host()
+
+
+Adding proper error handling to the is_master_host() function to allow
+it to make the difference between the absence of a master host object
+and a connection failure. This will keep the krb5kdc daemon from
+continuing to run with a NULL LDAP context.
+
+Fixes: https://pagure.io/freeipa/issue/9422
+
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+
+---
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 83b507c..1558e2b 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -401,27 +401,29 @@ static krb5_error_code ipadb_add_asserted_identity(struct ipadb_context *ipactx,
+     return 0;
+ }
+ 
+-static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
++static krb5_error_code
++is_master_host(struct ipadb_context *ipactx, const char *fqdn, bool *result)
+ {
+-    int ret;
++    int err;
+     char *master_host_base = NULL;
+-    LDAPMessage *result = NULL;
+-    krb5_error_code err;
++    LDAPMessage *ldap_res = NULL;
+ 
+-    ret = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
++    err = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
+                                       fqdn, ipactx->base);
+-    if (ret == -1) {
+-        return false;
+-    }
++    if (err == -1)
++        return ENOMEM;
++
+     err = ipadb_simple_search(ipactx, master_host_base, LDAP_SCOPE_BASE,
+-                              NULL, NULL, &result);
++                              NULL, NULL, &ldap_res);
+     free(master_host_base);
+-    ldap_msgfree(result);
+-    if (err == 0) {
+-        return true;
+-    }
++    ldap_msgfree(ldap_res);
++    if (err != KRB5_KDB_NOENTRY && err != 0)
++        return err;
++
++    if (result)
++        *result = err != KRB5_KDB_NOENTRY;
+ 
+-    return false;
++    return 0;
+ }
+ 
+ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+@@ -692,9 +694,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+     if ((is_host || is_service)) {
+         /* it is either host or service, so get the hostname first */
+         char *sep = strchr(info3->base.account_name.string, '/');
+-        bool is_master = is_master_host(
+-                            ipactx,
+-                            sep ? sep + 1 : info3->base.account_name.string);
++        bool is_master;
++
++        ret = is_master_host(ipactx,
++                             sep ? sep + 1 : info3->base.account_name.string,
++                             &is_master);
++        if (ret)
++            return ret;
++
+         if (is_master) {
+             /* Well known RID of domain controllers group */
+             if (info3->base.rid == 0) {
+

SOURCES/0014-ipa-kdb-Make-AD-SIGNEDPATH-optional-with-krb5-DAL-8.patch

@@ -0,0 +1,98 @@
+From d394afc1210a21378c018d0ff93d400a57324289 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Mon, 25 Sep 2023 15:14:03 +0200
+Subject: [PATCH] ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and
+ older
+
+Since krb5 1.20, the PAC is generated by default, and the AD-SIGNEDPATH
+authdata is no longer generated. However, on krb5 versions prior to
+1.20, the KDC still expects an AD-SIGNEDPATH when verifying a
+constrained delegation (S4U2Proxy) TGS-REQ. In IPA's case this
+requirement is not needed, because the PAC signatures are already
+fulfilling this role.
+
+CentOS and RHEL downstream releases of krb5 will include the
+"optional_ad_signedpath" KDB string attribute allowing to disable the
+AD-SIGNEDPATH requirement in case the PAC is present.
+
+This commit sets the "optional_ad_signedpath" string attribute to "true"
+systematically on the TGS principal if the database abstract layer (DAL)
+of krb5 is version 8 or older (prior to krb5 1.20).
+
+Fixes: https://pagure.io/freeipa/issue/9448
+
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_principals.c | 38 ++++++++++++++++++++++++++--
+ 1 file changed, 36 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
+index e95cb453c..fadb132ed 100644
+--- a/daemons/ipa-kdb/ipa_kdb_principals.c
++++ b/daemons/ipa-kdb/ipa_kdb_principals.c
+@@ -113,6 +113,10 @@ static char *std_principal_obj_classes[] = {
+ 
+ #define DEFAULT_TL_DATA_CONTENT "\x00\x00\x00\x00principal@UNINITIALIZED"
+ 
++#ifndef KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH
++#define KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH "optional_ad_signedpath"
++#endif
++
+ static int ipadb_ldap_attr_to_tl_data(LDAP *lcontext, LDAPMessage *le,
+                                       char *attrname,
+                                       krb5_tl_data **result, int *num)
+@@ -178,6 +182,25 @@ done:
+     return ret;
+ }
+ 
++static bool
++is_tgs_princ(krb5_context kcontext, krb5_const_principal princ)
++{
++    krb5_data *primary;
++    size_t l_tgs_name;
++
++    if (2 != krb5_princ_size(kcontext, princ))
++        return false;
++
++    primary = krb5_princ_component(kcontext, princ, 0);
++
++    l_tgs_name = strlen(KRB5_TGS_NAME);
++
++    if (l_tgs_name != primary->length)
++        return false;
++
++    return 0 == memcmp(primary->data, KRB5_TGS_NAME, l_tgs_name);
++}
++
+ static krb5_error_code ipadb_set_tl_data(krb5_db_entry *entry,
+                                          krb5_int16 type,
+                                          krb5_ui_2 length,
+@@ -1647,11 +1670,22 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
+ 
+     /* Lookup local names and aliases first. */
+     kerr = dbget_princ(kcontext, ipactx, search_for, flags, entry);
+-    if (kerr != KRB5_KDB_NOENTRY) {
++    if (kerr == KRB5_KDB_NOENTRY) {
++        kerr = dbget_alias(kcontext, ipactx, search_for, flags, entry);
++    }
++    if (kerr)
+         return kerr;
++
++#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
++    /* If TGS principal, some virtual attributes may be added */
++    if (is_tgs_princ(kcontext, (*entry)->princ)) {
++        kerr = krb5_dbe_set_string(kcontext, *entry,
++                                   KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH,
++                                   "true");
+     }
++#endif
+ 
+-    return dbget_alias(kcontext, ipactx, search_for, flags, entry);
++    return kerr;
+ }
+ 
+ void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data)
+-- 
+2.41.0
+

SOURCES/0015-CVE-2023-5455.patch

@@ -0,0 +1,118 @@
+From 13778d88ca2ac73b729821bdea844172a18c0cb9 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Fri, 6 Oct 2023 20:16:29 +0000
+Subject: [PATCH] Check the HTTP Referer header on all requests
+
+The referer was only checked in WSGIExecutioner classes:
+
+ - jsonserver
+ - KerberosWSGIExecutioner
+ - xmlserver
+ - jsonserver_kerb
+
+This left /i18n_messages, /session/login_kerberos,
+/session/login_x509, /session/login_password,
+/session/change_password and /session/sync_token unprotected
+against CSRF attacks.
+
+CVE-2023-5455
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaserver/rpcserver.py | 34 +++++++++++++++++++++++++++++++---
+ 1 file changed, 31 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
+index b7116469d73..198fc9e7dba 100644
+--- a/ipaserver/rpcserver.py
++++ b/ipaserver/rpcserver.py
+@@ -156,6 +156,19 @@ _success_template = """<html>
+ </html>"""
+ 
+ class HTTP_Status(plugable.Plugin):
++    def check_referer(self, environ):
++        if "HTTP_REFERER" not in environ:
++            logger.error("Rejecting request with missing Referer")
++            return False
++        if (not environ["HTTP_REFERER"].startswith(
++                "https://%s/ipa" % self.api.env.host)
++                and not self.env.in_tree):
++            logger.error("Rejecting request with bad Referer %s",
++                         environ["HTTP_REFERER"])
++            return False
++        logger.debug("Valid Referer %s", environ["HTTP_REFERER"])
++        return True
++
+     def not_found(self, environ, start_response, url, message):
+         """
+         Return a 404 Not Found error.
+@@ -331,9 +344,6 @@ class wsgi_dispatch(Executioner, HTTP_Status):
+         self.__apps[key] = app
+ 
+ 
+-
+-
+-
+ class WSGIExecutioner(Executioner):
+     """
+     Base class for execution backends with a WSGI application interface.
+@@ -897,6 +907,9 @@ class jsonserver_session(jsonserver, KerberosSession):
+ 
+         logger.debug('WSGI jsonserver_session.__call__:')
+ 
++        if not self.check_referer(environ):
++            return self.bad_request(environ, start_response, 'denied')
++
+         # Redirect to login if no Kerberos credentials
+         ccache_name = self.get_environ_creds(environ)
+         if ccache_name is None:
+@@ -949,6 +962,9 @@ class KerberosLogin(Backend, KerberosSession):
+     def __call__(self, environ, start_response):
+         logger.debug('WSGI KerberosLogin.__call__:')
+ 
++        if not self.check_referer(environ):
++            return self.bad_request(environ, start_response, 'denied')
++
+         # Redirect to login if no Kerberos credentials
+         user_ccache_name = self.get_environ_creds(environ)
+         if user_ccache_name is None:
+@@ -967,6 +983,9 @@ class login_x509(KerberosLogin):
+     def __call__(self, environ, start_response):
+         logger.debug('WSGI login_x509.__call__:')
+ 
++        if not self.check_referer(environ):
++            return self.bad_request(environ, start_response, 'denied')
++
+         if 'KRB5CCNAME' not in environ:
+             return self.unauthorized(
+                 environ, start_response, 'KRB5CCNAME not set',
+@@ -1015,6 +1034,9 @@ class login_password(Backend, KerberosSession):
+ 
+         logger.debug('WSGI login_password.__call__:')
+ 
++        if not self.check_referer(environ):
++            return self.bad_request(environ, start_response, 'denied')
++
+         # Get the user and password parameters from the request
+         content_type = environ.get('CONTENT_TYPE', '').lower()
+         if not content_type.startswith('application/x-www-form-urlencoded'):
+@@ -1147,6 +1169,9 @@ class change_password(Backend, HTTP_Status):
+     def __call__(self, environ, start_response):
+         logger.info('WSGI change_password.__call__:')
+ 
++        if not self.check_referer(environ):
++            return self.bad_request(environ, start_response, 'denied')
++
+         # Get the user and password parameters from the request
+         content_type = environ.get('CONTENT_TYPE', '').lower()
+         if not content_type.startswith('application/x-www-form-urlencoded'):
+@@ -1364,6 +1389,9 @@ class xmlserver_session(xmlserver, KerberosSession):
+ 
+         logger.debug('WSGI xmlserver_session.__call__:')
+ 
++        if not self.check_referer(environ):
++            return self.bad_request(environ, start_response, 'denied')
++
+         ccache_name = environ.get('KRB5CCNAME')
+ 
+         # Redirect to /ipa/xml if no Kerberos credentials

SOURCES/0016-ipa-kdb-Detect-and-block-Bronze-Bit-attacks.patch

@@ -0,0 +1,262 @@
+From a847e2483b4c4832ee5129901da169f4eb0d1392 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Mon, 9 Oct 2023 15:47:03 +0200
+Subject: [PATCH] ipa-kdb: Detect and block Bronze-Bit attacks
+
+The C8S/RHEL8 version of FreeIPA is vulnerable to the Bronze-Bit attack
+because it does not implement PAC ticket signature to protect the
+"forwardable" flag. However, it does implement the PAC extended KDC
+signature, which protects against PAC spoofing.
+
+Based on information available in the PAC and the
+"ok-to-auth-as-delegate" attribute in the database. It is possible to
+detect and reject requests where the "forwardable" flag was flipped by
+the attacker in the evidence ticket.
+---
+ daemons/ipa-kdb/ipa_kdb.h           |  13 +++
+ daemons/ipa-kdb/ipa_kdb_kdcpolicy.c |   6 +
+ daemons/ipa-kdb/ipa_kdb_mspac.c     | 173 ++++++++++++++++++++++++++++
+ ipaserver/install/server/install.py |   8 ++
+ 4 files changed, 200 insertions(+)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
+index 7aa5be4948e..02b2cb6313e 100644
+--- a/daemons/ipa-kdb/ipa_kdb.h
++++ b/daemons/ipa-kdb/ipa_kdb.h
+@@ -367,6 +367,19 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
+                                                   const char *test_realm, size_t size,
+                                                   char **trusted_realm);
+ 
++/* Try to detect a Bronze-Bit attack based on the content of the request and
++ * data from the KDB.
++ *
++ *   context     krb5 context
++ *   request     KDB request
++ *   detected    Set to "true" if a bronze bit attack is detected and the
++ *               pointer is not NULL. Remains unset otherwise.
++ *   status      If the call fails and the pointer is not NULL, set it with a
++ *               message describing the cause of the failure. */
++krb5_error_code
++ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
++                                  bool *detected, const char **status);
++
+ /* DELEGATION CHECKS */
+ 
+ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
+diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+index f2804c9b23a..1032dff0b5c 100644
+--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
++++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+@@ -185,6 +185,12 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
+                         const char **status, krb5_deltat *lifetime_out,
+                         krb5_deltat *renew_lifetime_out)
+ {
++    krb5_error_code kerr;
++
++    kerr = ipadb_check_for_bronze_bit_attack(context, request, NULL, status);
++    if (kerr)
++        return KRB5KDC_ERR_POLICY;
++
+     *status = NULL;
+     *lifetime_out = 0;
+     *renew_lifetime_out = 0;
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 83cb9914d23..b4e22d4316a 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -3298,3 +3298,176 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
+ 
+ 	return KRB5_KDB_NOENTRY;
+ }
++
++krb5_error_code
++ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
++                                  bool *detected, const char **status)
++{
++    krb5_error_code kerr;
++    const char *st = NULL;
++    size_t i, j;
++    krb5_ticket *evidence_tkt;
++    krb5_authdata **authdata, **ifrel = NULL;
++    krb5_pac pac = NULL;
++    TALLOC_CTX *tmpctx = NULL;
++    krb5_data fullsign = { 0, 0, NULL }, linfo_blob = { 0, 0, NULL };
++    DATA_BLOB linfo_data;
++    struct PAC_LOGON_INFO_CTR linfo;
++    enum ndr_err_code ndr_err;
++    struct dom_sid asserted_identity_sid;
++    bool evtkt_is_s4u2self = false;
++    krb5_db_entry *proxy_entry = NULL;
++
++    /* If no additional ticket, this is not a constrained delegateion request.
++     * Skip checks. */
++    if (!(request->kdc_options & KDC_OPT_CNAME_IN_ADDL_TKT)) {
++        kerr = 0;
++        goto end;
++    }
++
++    evidence_tkt = request->second_ticket[0];
++
++    /* No need to check the Forwardable flag. If it was not set, this request
++     * would have failed earlier. */
++
++    /* We only support general constrained delegation (not RBCD), which is not
++     * available for cross-realms. */
++    if (!krb5_realm_compare(context, evidence_tkt->server, request->server)) {
++        st = "S4U2PROXY_NOT_SUPPORTED_FOR_CROSS_REALMS";
++        kerr = ENOTSUP;
++        goto end;
++    }
++
++    authdata = evidence_tkt->enc_part2->authorization_data;
++
++    /* Search for the PAC. */
++    for (i = 0; authdata != NULL && authdata[i] != NULL; i++) {
++        if (authdata[i]->ad_type != KRB5_AUTHDATA_IF_RELEVANT)
++            continue;
++
++        kerr = krb5_decode_authdata_container(context,
++                                              KRB5_AUTHDATA_IF_RELEVANT,
++                                              authdata[i], &ifrel);
++        if (kerr) {
++            st = "S4U2PROXY_CANNOT_DECODE_EVIDENCE_TKT_AUTHDATA";
++            goto end;
++        }
++
++        for (j = 0; ifrel[j] != NULL; j++) {
++            if (ifrel[j]->ad_type == KRB5_AUTHDATA_WIN2K_PAC)
++                break;
++        }
++        if (ifrel[j] != NULL)
++            break;
++
++        krb5_free_authdata(context, ifrel);
++        ifrel = NULL;
++    }
++
++    if (ifrel == NULL) {
++        st = "S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC";
++        kerr = ENOENT;
++        goto end;
++    }
++
++    /* Parse the PAC. */
++    kerr = krb5_pac_parse(context, ifrel[j]->contents, ifrel[j]->length, &pac);
++    if (kerr) {
++        st = "S4U2PROXY_CANNOT_DECODE_EVICENCE_TKT_PAC";
++        goto end;
++    }
++
++    /* Check that the PAC extanded KDC signature is present. If it is, it was
++     * already tested.
++     * If absent, the context of the PAC cannot be trusted. */
++    kerr = krb5_pac_get_buffer(context, pac, KRB5_PAC_FULL_CHECKSUM, &fullsign);
++    if (kerr) {
++        st = "S4U2PROXY_MISSING_EXTENDED_KDC_SIGN_IN_EVIDENCE_TKT_PAC";
++        goto end;
++    }
++
++    /* Get the PAC Logon Info. */
++    kerr = krb5_pac_get_buffer(context, pac, KRB5_PAC_LOGON_INFO, &linfo_blob);
++    if (kerr) {
++        st = "S4U2PROXY_NO_PAC_LOGON_INFO_IN_EVIDENCE_TKT";
++        goto end;
++    }
++
++    /* Parse the PAC Logon Info. */
++    tmpctx = talloc_new(NULL);
++    if (!tmpctx) {
++        st = "OUT_OF_MEMORY";
++        kerr = ENOMEM;
++        goto end;
++    }
++
++    linfo_data.length = linfo_blob.length;
++    linfo_data.data = (uint8_t *)linfo_blob.data;
++    ndr_err = ndr_pull_union_blob(&linfo_data, tmpctx, &linfo,
++                                  PAC_TYPE_LOGON_INFO,
++                                  (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
++    if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
++        st = "S4U2PROXY_CANNOT_PARSE_ENVIDENCE_TKT_PAC_LOGON_INFO";
++        kerr = EINVAL;
++        goto end;
++    }
++
++    /* Check that the extra SIDs array is not empty. */
++    if (linfo.info->info3.sidcount == 0) {
++        st = "S4U2PROXY_NO_EXTRA_SID";
++        kerr = ENOENT;
++        goto end;
++    }
++
++    /* Search for the S-1-18-2 domain SID, which indicates the ticket was
++     * obtained using S4U2Self */
++    kerr = ipadb_string_to_sid("S-1-18-2", &asserted_identity_sid);
++    if (kerr) {
++        st = "S4U2PROXY_CANNOT_CREATE_ASSERTED_IDENTITY_SID";
++        goto end;
++    }
++
++    for (i = 0; i < linfo.info->info3.sidcount; i++) {
++        if (dom_sid_check(&asserted_identity_sid,
++                          linfo.info->info3.sids[0].sid, true)) {
++            evtkt_is_s4u2self = true;
++            break;
++        }
++    }
++
++    /* If the ticket was obtained using S4U2Self, the proxy principal entry must
++     * have the "ok_to_auth_as_delegate" attribute set to true. */
++    if (evtkt_is_s4u2self) {
++        kerr = ipadb_get_principal(context, evidence_tkt->server, 0,
++                                   &proxy_entry);
++        if (kerr) {
++            st = "S4U2PROXY_CANNOT_FIND_PROXY_PRINCIPAL";
++            goto end;
++        }
++
++        if (!(proxy_entry->attributes & KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)) {
++            /* This evidence ticket cannot be forwardable given the privileges
++             * of the proxy principal.
++             * This is a Bronze Bit attack. */
++            if (detected)
++                *detected = true;
++            st = "S4U2PROXY_BRONZE_BIT_ATTACK_DETECTED";
++            kerr = EBADE;
++            goto end;
++        }
++    }
++
++    kerr = 0;
++
++end:
++    if (st && status)
++        *status = st;
++
++    krb5_free_authdata(context, ifrel);
++    krb5_pac_free(context, pac);
++    krb5_free_data_contents(context, &linfo_blob);
++    krb5_free_data_contents(context, &fullsign);
++    talloc_free(tmpctx);
++    ipadb_free_principal(context, proxy_entry);
++    return kerr;
++}
+diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
+index 4e4076410f1..bfbb83bcbfa 100644
+--- a/ipaserver/install/server/install.py
++++ b/ipaserver/install/server/install.py
+@@ -978,6 +978,14 @@ def install(installer):
+     # Set the admin user kerberos password
+     ds.change_admin_password(admin_password)
+ 
++    # Force KDC to refresh the cached value of ipaKrbAuthzData by restarting.
++    # ipaKrbAuthzData has to be set with "MS-PAC" to trigger PAC generation,
++    # which is required to handle S4U2Proxy with the Bronze-Bit fix.
++    # Not doing so would cause API malfunction for around a minute, which is
++    # long enough to cause the hereafter client installation to fail.
++    service.print_msg("Restarting the KDC")
++    krb.restart()
++
+     # Call client install script
+     service.print_msg("Configuring client side components")
+     try:

SOURCES/0017-Integration-tests-for-verifying-Referer.patch

@@ -0,0 +1,356 @@
+From 86b073a7f03ba0edf4dd91f85b96c89107e9e673 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 12 Oct 2023 20:34:01 +0000
+Subject: [PATCH] Integration tests for verifying Referer header in the UI
+
+Validate that the change_password and login_password endpoints
+verify the HTTP Referer header. There is some overlap in the
+tests: belt and suspenders.
+
+All endpoints except session/login_x509 are covered, sometimes
+having to rely on expected bad results (see the i18n endpoint).
+
+session/login_x509 is not tested yet as it requires significant
+additional setup in order to associate a user certificate with
+a user entry, etc.
+
+This can be manually verified by modifying /etc/httpd/conf.d/ipa.conf
+and adding:
+
+Satisfy Any
+Require all granted
+
+Then comment out Auth and SSLVerify, etc. and restart httpd.
+
+With a valid Referer will fail with a 401 and log that there is no
+KRB5CCNAME. This comes after the referer check.
+
+With an invalid Referer it will fail with a 400 Bad Request as
+expected.
+
+CVE-2023-5455
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ ipatests/test_ipaserver/httptest.py           |   7 +-
+ ipatests/test_ipaserver/test_changepw.py      |  12 +-
+ .../test_ipaserver/test_login_password.py     |  88 ++++++++++++
+ ipatests/test_ipaserver/test_referer.py       | 136 ++++++++++++++++++
+ ipatests/util.py                              |   4 +-
+ 5 files changed, 242 insertions(+), 5 deletions(-)
+ create mode 100644 ipatests/test_ipaserver/test_login_password.py
+ create mode 100644 ipatests/test_ipaserver/test_referer.py
+
+diff --git a/ipatests/test_ipaserver/httptest.py b/ipatests/test_ipaserver/httptest.py
+index 6cd034a7196..8924798fc93 100644
+--- a/ipatests/test_ipaserver/httptest.py
++++ b/ipatests/test_ipaserver/httptest.py
+@@ -36,7 +36,7 @@ class Unauthorized_HTTP_test:
+     content_type = 'application/x-www-form-urlencoded'
+     accept_language = 'en-us'
+ 
+-    def send_request(self, method='POST', params=None):
++    def send_request(self, method='POST', params=None, host=None):
+         """
+         Send a request to HTTP server
+ 
+@@ -45,7 +45,10 @@ class Unauthorized_HTTP_test:
+         if params is not None:
+             if self.content_type == 'application/x-www-form-urlencoded':
+                 params = urllib.parse.urlencode(params, True)
+-        url = 'https://' + self.host + self.app_uri
++        if host:
++            url = 'https://' + host + self.app_uri
++        else:
++            url = 'https://' + self.host + self.app_uri
+ 
+         headers = {'Content-Type': self.content_type,
+                    'Accept-Language': self.accept_language,
+diff --git a/ipatests/test_ipaserver/test_changepw.py b/ipatests/test_ipaserver/test_changepw.py
+index c3a47ab265f..df38ddb3d9e 100644
+--- a/ipatests/test_ipaserver/test_changepw.py
++++ b/ipatests/test_ipaserver/test_changepw.py
+@@ -53,10 +53,11 @@ class test_changepw(XMLRPC_test, Unauthorized_HTTP_test):
+ 
+         request.addfinalizer(fin)
+ 
+-    def _changepw(self, user, old_password, new_password):
++    def _changepw(self, user, old_password, new_password, host=None):
+         return self.send_request(params={'user': str(user),
+                                   'old_password' : str(old_password),
+                                   'new_password' : str(new_password)},
++                                 host=host
+                                  )
+ 
+     def _checkpw(self, user, password):
+@@ -89,6 +90,15 @@ class test_changepw(XMLRPC_test, Unauthorized_HTTP_test):
+         # make sure that password is NOT changed
+         self._checkpw(testuser, old_password)
+ 
++    def test_invalid_referer(self):
++        response = self._changepw(testuser, old_password, new_password,
++                                  'attacker.test')
++
++        assert_equal(response.status, 400)
++
++        # make sure that password is NOT changed
++        self._checkpw(testuser, old_password)
++
+     def test_pwpolicy_error(self):
+         response = self._changepw(testuser, old_password, '1')
+ 
+diff --git a/ipatests/test_ipaserver/test_login_password.py b/ipatests/test_ipaserver/test_login_password.py
+new file mode 100644
+index 00000000000..9425cb7977f
+--- /dev/null
++++ b/ipatests/test_ipaserver/test_login_password.py
+@@ -0,0 +1,88 @@
++# Copyright (C) 2023  Red Hat
++# see file 'COPYING' for use and warranty information
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++
++import os
++import pytest
++import uuid
++
++from ipatests.test_ipaserver.httptest import Unauthorized_HTTP_test
++from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
++from ipatests.util import assert_equal
++from ipalib import api, errors
++from ipapython.ipautil import run
++
++testuser = u'tuser'
++password = u'password'
++
++
++@pytest.mark.tier1
++class test_login_password(XMLRPC_test, Unauthorized_HTTP_test):
++    app_uri = '/ipa/session/login_password'
++
++    @pytest.fixture(autouse=True)
++    def login_setup(self, request):
++        ccache = os.path.join('/tmp', str(uuid.uuid4()))
++        try:
++            api.Command['user_add'](uid=testuser, givenname=u'Test', sn=u'User')
++            api.Command['passwd'](testuser, password=password)
++            run(['kinit', testuser], stdin='{0}\n{0}\n{0}\n'.format(password),
++                env={"KRB5CCNAME": ccache})
++        except errors.ExecutionError as e:
++            pytest.skip(
++                'Cannot set up test user: %s' % e
++            )
++
++        def fin():
++            try:
++                api.Command['user_del']([testuser])
++            except errors.NotFound:
++                pass
++            os.unlink(ccache)
++
++        request.addfinalizer(fin)
++
++    def _login(self, user, password, host=None):
++        return self.send_request(params={'user': str(user),
++                                 'password' : str(password)},
++                                 host=host)
++
++    def test_bad_options(self):
++        for params in (
++            None,                             # no params
++            {"user": "foo"},                  # missing options
++            {"user": "foo", "password": ""},  # empty option
++        ):
++            response = self.send_request(params=params)
++            assert_equal(response.status, 400)
++            assert_equal(response.reason, 'Bad Request')
++
++    def test_invalid_auth(self):
++        response = self._login(testuser, 'wrongpassword')
++
++        assert_equal(response.status, 401)
++        assert_equal(response.getheader('X-IPA-Rejection-Reason'),
++                     'invalid-password')
++
++    def test_invalid_referer(self):
++        response = self._login(testuser, password, 'attacker.test')
++
++        assert_equal(response.status, 400)
++
++    def test_success(self):
++        response = self._login(testuser, password)
++
++        assert_equal(response.status, 200)
++        assert response.getheader('X-IPA-Rejection-Reason') is None
+diff --git a/ipatests/test_ipaserver/test_referer.py b/ipatests/test_ipaserver/test_referer.py
+new file mode 100644
+index 00000000000..4eade8bbaf3
+--- /dev/null
++++ b/ipatests/test_ipaserver/test_referer.py
+@@ -0,0 +1,136 @@
++# Copyright (C) 2023  Red Hat
++# see file 'COPYING' for use and warranty information
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++
++import os
++import pytest
++import uuid
++
++from ipatests.test_ipaserver.httptest import Unauthorized_HTTP_test
++from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
++from ipatests.util import assert_equal
++from ipalib import api, errors
++from ipapython.ipautil import run
++
++testuser = u'tuser'
++password = u'password'
++
++
++@pytest.mark.tier1
++class test_referer(XMLRPC_test, Unauthorized_HTTP_test):
++
++    @pytest.fixture(autouse=True)
++    def login_setup(self, request):
++        ccache = os.path.join('/tmp', str(uuid.uuid4()))
++        tokenid = None
++        try:
++            api.Command['user_add'](uid=testuser, givenname=u'Test', sn=u'User')
++            api.Command['passwd'](testuser, password=password)
++            run(['kinit', testuser], stdin='{0}\n{0}\n{0}\n'.format(password),
++                env={"KRB5CCNAME": ccache})
++            result = api.Command["otptoken_add"](
++                type='HOTP', description='testotp',
++                ipatokenotpalgorithm='sha512', ipatokenowner=testuser,
++                ipatokenotpdigits='6')
++            tokenid = result['result']['ipatokenuniqueid'][0]
++        except errors.ExecutionError as e:
++            pytest.skip(
++                'Cannot set up test user: %s' % e
++            )
++
++        def fin():
++            try:
++                api.Command['user_del']([testuser])
++                api.Command['otptoken_del']([tokenid])
++            except errors.NotFound:
++                pass
++            os.unlink(ccache)
++
++        request.addfinalizer(fin)
++
++    def _request(self, params={}, host=None):
++        # implicit is that self.app_uri is set to the appropriate value
++        return self.send_request(params=params, host=host)
++
++    def test_login_password_valid(self):
++        """Valid authentication of a user"""
++        self.app_uri = "/ipa/session/login_password"
++        response = self._request(
++            params={'user': 'tuser', 'password': password})
++        assert_equal(response.status, 200, self.app_uri)
++
++    def test_change_password_valid(self):
++        """This actually changes the user password"""
++        self.app_uri = "/ipa/session/change_password"
++        response = self._request(
++            params={'user': 'tuser',
++                    'old_password': password,
++                    'new_password': 'new_password'}
++        )
++        assert_equal(response.status, 200, self.app_uri)
++
++    def test_sync_token_valid(self):
++        """We aren't testing that sync works, just that we can get there"""
++        self.app_uri = "/ipa/session/sync_token"
++        response = self._request(
++            params={'user': 'tuser',
++                    'first_code': '1234',
++                    'second_code': '5678',
++                    'password': 'password'})
++        assert_equal(response.status, 200, self.app_uri)
++
++    def test_i18n_messages_valid(self):
++        # i18n_messages requires a valid JSON request and we send
++        # nothing. If we get a 500 error then it got past the
++        # referer check.
++        self.app_uri = "/ipa/i18n_messages"
++        response = self._request()
++        assert_equal(response.status, 500, self.app_uri)
++
++    # /ipa/session/login_x509 is not tested yet as it requires
++    # significant additional setup.
++    # This can be manually verified by adding
++    # Satisfy Any and Require all granted to the configuration
++    # section and comment out all Auth directives. The request
++    # will fail and log that there is no KRB5CCNAME which comes
++    # after the referer check.
++
++    def test_endpoints_auth_required(self):
++        """Test endpoints that require pre-authorization which will
++           fail before we even get to the Referer check
++        """
++        self.endpoints = {
++            "/ipa/xml",
++            "/ipa/session/login_kerberos",
++            "/ipa/session/json",
++            "/ipa/session/xml"
++        }
++        for self.app_uri in self.endpoints:
++            response = self._request(host="attacker.test")
++
++            # referer is checked after auth
++            assert_equal(response.status, 401, self.app_uri)
++
++    def notest_endpoints_invalid(self):
++        """Pass in a bad Referer, expect a 400 Bad Request"""
++        self.endpoints = {
++            "/ipa/session/login_password",
++            "/ipa/session/change_password",
++            "/ipa/session/sync_token",
++        }
++        for self.app_uri in self.endpoints:
++            response = self._request(host="attacker.test")
++
++            assert_equal(response.status, 400, self.app_uri)
+diff --git a/ipatests/util.py b/ipatests/util.py
+index 929c3e899c3..61af0c40d07 100644
+--- a/ipatests/util.py
++++ b/ipatests/util.py
+@@ -163,12 +163,12 @@ class ExceptionNotRaised(Exception):
+         return self.msg % self.expected.__name__
+ 
+ 
+-def assert_equal(val1, val2):
++def assert_equal(val1, val2, msg=''):
+     """
+     Assert ``val1`` and ``val2`` are the same type and of equal value.
+     """
+     assert type(val1) is type(val2), '%r != %r' % (val1, val2)
+-    assert val1 == val2, '%r != %r' % (val1, val2)
++    assert val1 == val2, '%r != %r %r' % (val1, val2, msg)
+ 
+ 
+ def assert_not_equal(val1, val2):

SOURCES/0018-adtrustinstance-make-sure-NetBIOS-name-defaults-are-.patch

@@ -0,0 +1,35 @@
+From eab52d3cda9bbec716008c040551bd11facd0e11 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 17 Jan 2024 12:27:26 +0200
+Subject: [PATCH] adtrustinstance: make sure NetBIOS name defaults are set
+ properly
+
+Some tools may pass None as NetBIOS name if not put explicitly by a
+user. This meant to use default NetBIOS name generator based on the
+domain (realm) name. However, this wasn't done properly, so None is
+passed later to python-ldap and it rejects such LDAP entry.
+
+Fixes: https://pagure.io/freeipa/issue/9514
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipaserver/install/adtrustinstance.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
+index d55ba849157bee8e335e2e0772514fc15ec11193..2ff68dfb46371a6118eb67515347eb762a37e1ec 100644
+--- a/ipaserver/install/adtrustinstance.py
++++ b/ipaserver/install/adtrustinstance.py
+@@ -189,6 +189,8 @@ class ADTRUSTInstance(service.Service):
+         self.fqdn = self.fqdn or api.env.host
+         self.host_netbios_name = make_netbios_name(self.fqdn)
+         self.realm = self.realm or api.env.realm
++        if not self.netbios_name:
++            self.netbios_name = make_netbios_name(self.realm)
+ 
+         self.suffix = ipautil.realm_to_suffix(self.realm)
+         self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
+-- 
+2.43.0
+

SOURCES/0019-ipatests-wait-for-replica-update-in-test_dns_locatio.patch

@@ -0,0 +1,42 @@
+From 3b2f3d41e4de0bcb78bfaecb32e06cbd22b809c2 Mon Sep 17 00:00:00 2001
+From: Masahiro Matsuya <mmatsuya@redhat.com>
+Date: Tue, 9 Jan 2024 23:12:11 +0900
+Subject: [PATCH] ipatests: wait for replica update in test_dns_locations
+
+test_ipa_ca_records and test_adtrust_system_records can fail with
+NXDOMAIN, because it doesn't wait enough for the update on replica.
+It can be resolved by waiting for the update with wait_for_replication.
+
+Fixes: https://pagure.io/freeipa/issue/9504
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipatests/test_integration/test_dns_locations.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ipatests/test_integration/test_dns_locations.py b/ipatests/test_integration/test_dns_locations.py
+index 44900af8015ff62728f64bc626eedfcead41e214..89a310892954cbee88d1cf38683e80a2e47122ef 100644
+--- a/ipatests/test_integration/test_dns_locations.py
++++ b/ipatests/test_integration/test_dns_locations.py
+@@ -534,6 +534,9 @@ class TestDNSLocations(IntegrationTest):
+ 
+         expected_servers = (self.master.ip, self.replicas[1].ip)
+ 
++        ldap = self.master.ldap_connect()
++        tasks.wait_for_replication(ldap)
++
+         for ip in (self.master.ip, self.replicas[0].ip, self.replicas[1].ip):
+             self._test_A_rec_against_server(ip, self.domain, expected_servers)
+ 
+@@ -557,6 +560,9 @@ class TestDNSLocations(IntegrationTest):
+             (self.PRIO_HIGH, self.WEIGHT, DNSName(self.master.hostname)),
+         )
+ 
++        ldap = self.master.ldap_connect()
++        tasks.wait_for_replication(ldap)
++
+         for ip in (self.master.ip, self.replicas[0].ip, self.replicas[1].ip):
+             self._test_SRV_rec_against_server(
+                     ip, self.domain, expected_servers,
+-- 
+2.43.0
+

SOURCES/0020-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel.patch

@@ -0,0 +1,147 @@
+From 27b96c17dd51d076e04d97662b7c788658a5094a Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Jan 26 2024 09:35:57 +0000
+Subject: ipa-kdb: Disable Bronze-Bit check if PAC not available
+
+
+The Bronze-Bit check introduced in commit
+a847e2483b4c4832ee5129901da169f4eb0d1392 requires the MS-PAC to be
+present in the evidence ticket in order for S4U2Proxy requests to be
+accepted. This actually requires SIDs to be set.
+
+However, domains that were initialized before commit
+e527857d000e558b3288a7a210400abaf2171237 may still not have SIDs
+configured. This would results in all S4U2Proxy requests to fail
+(including all the HTTP API requests).
+
+This present commit disables the check for the Bronze-Bit exploit
+(CVE-2020-17049) in case the domain is not able to generate PACs.
+Instead, it prints a warning message in the KDC logs each time a
+S4U2Proxy request is processed.
+
+Fixes: https://pagure.io/freeipa/issue/9521
+
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+
+---
+
+diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
+index c6926f7..621c235 100644
+--- a/daemons/ipa-kdb/ipa_kdb.h
++++ b/daemons/ipa-kdb/ipa_kdb.h
+@@ -368,17 +368,21 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
+                                                   char **trusted_realm);
+ 
+ /* Try to detect a Bronze-Bit attack based on the content of the request and
+- * data from the KDB.
++ * data from the KDB. This check will work only if the domain supports MS-PAC.
+  *
+  *   context     krb5 context
+  *   request     KDB request
+- *   detected    Set to "true" if a bronze bit attack is detected and the
+- *               pointer is not NULL. Remains unset otherwise.
++ *   supported   If not NULL, set to "false" in case the Bronze-Bit exploit
++ *               detection process silently failed to complete because the
++ *               domain does not meet requirements. Set to "true" otherwise.
++ *   detected    If not NULL, set to "true" if a Bronze-Bit attack is detected.
++ *               Set to "false" otherwise.
+  *   status      If the call fails and the pointer is not NULL, set it with a
+  *               message describing the cause of the failure. */
+ krb5_error_code
+ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
+-                                  bool *detected, const char **status);
++                                  bool *supported, bool *detected,
++                                  const char **status);
+ 
+ /* DELEGATION CHECKS */
+ 
+diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+index ee0546c..713e9a0 100644
+--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
++++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+@@ -186,11 +186,19 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
+                         krb5_deltat *renew_lifetime_out)
+ {
+     krb5_error_code kerr;
++    bool supported;
+ 
+-    kerr = ipadb_check_for_bronze_bit_attack(context, request, NULL, status);
++    kerr = ipadb_check_for_bronze_bit_attack(context, request, supported, NULL,
++                                             status);
+     if (kerr)
+         return KRB5KDC_ERR_POLICY;
+ 
++    if (!supported)
++        krb5_klog_syslog(LOG_WARNING, "MS-PAC not available. This makes "
++                         "FreeIPA vulnerable to the Bronze-Bit exploit "
++                         "(CVE-2020-17049). Please generate SIDs to enable "
++                         "PAC support.");
++
+     *status = NULL;
+     *lifetime_out = 0;
+     *renew_lifetime_out = 0;
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 05d5b40..a18beff 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -3301,11 +3301,14 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
+ 
+ krb5_error_code
+ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
+-                                  bool *detected, const char **status)
++                                  bool *supported, bool *detected,
++                                  const char **status)
+ {
+     krb5_error_code kerr;
+     const char *st = NULL;
+     size_t i, j;
++    bool in_supported = true, in_detected = false;
++    struct ipadb_context *ipactx;
+     krb5_ticket *evidence_tkt;
+     krb5_authdata **authdata, **ifrel = NULL;
+     krb5_pac pac = NULL;
+@@ -3325,6 +3328,21 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
+         goto end;
+     }
+ 
++    ipactx = ipadb_get_context(context);
++    if (!ipactx) {
++        kerr = KRB5_KDB_DBNOTINITED;
++        goto end;
++    }
++
++    /* Handle the case where the domain is not able to generate PACs (probably
++     * because SIDs are not set). In this case, we just skip the Bronze-Bit
++     * check. */
++    if (!ipactx->mspac) {
++        in_supported = false;
++        kerr = 0;
++        goto end;
++    }
++
+     evidence_tkt = request->second_ticket[0];
+ 
+     /* No need to check the Forwardable flag. If it was not set, this request
+@@ -3449,8 +3467,7 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
+             /* This evidence ticket cannot be forwardable given the privileges
+              * of the proxy principal.
+              * This is a Bronze Bit attack. */
+-            if (detected)
+-                *detected = true;
++            in_detected = true;
+             st = "S4U2PROXY_BRONZE_BIT_ATTACK_DETECTED";
+             kerr = EBADE;
+             goto end;
+@@ -3462,6 +3479,10 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
+ end:
+     if (st && status)
+         *status = st;
++    if (supported)
++        *supported = in_supported;
++    if (detected)
++        *detected = in_detected;
+ 
+     krb5_free_authdata(context, ifrel);
+     krb5_pac_free(context, pac);
+

SOURCES/0021-Fix-session-cookie-access_rhel.patch

@@ -0,0 +1,238 @@
+From 381af470779ea87335f57038dcbe72cd042ae6bb Mon Sep 17 00:00:00 2001
+From: Stanislav Levin <slev@altlinux.org>
+Date: Jan 30 2024 15:11:05 +0000
+Subject: ipapython: Clean up krb5_error
+
+
+`krb5_error` has different definition in MIT krb.
+https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/types/krb5_error.html
+
+> Error message structure.
+>
+> Declaration:
+> typedef struct _krb5_error krb5_error
+
+While `krb5_error_code`
+https://web.mit.edu/kerberos/www/krb5-latest/doc/appdev/refs/types/krb5_error_code.html#c.krb5_error_code
+
+> krb5_error_code
+> Used to convey an operation status.
+>
+> The value 0 indicates success; any other values are com_err codes. Use krb5_get_error_message() to obtain a string describing the error.
+>
+> Declaration
+> typedef krb5_int32 krb5_error_code
+
+And this is what was actually used.
+
+To prevent confusion of types `krb5_error` was replaced with
+`krb5_error_code`.
+
+Fixes: https://pagure.io/freeipa/issue/9519
+Signed-off-by: Stanislav Levin <slev@altlinux.org>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+
+---
+
+diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
+index c43ef7d..371cf15 100644
+--- a/ipapython/session_storage.py
++++ b/ipapython/session_storage.py
+@@ -111,7 +111,7 @@ class KRB5Error(Exception):
+ 
+ 
+ def krb5_errcheck(result, func, arguments):
+-    """Error checker for krb5_error return value"""
++    """Error checker for krb5_error_code return value"""
+     if result != 0:
+         raise KRB5Error(result, func.__name__, arguments)
+ 
+@@ -119,14 +119,13 @@ def krb5_errcheck(result, func, arguments):
+ krb5_context = ctypes.POINTER(_krb5_context)
+ krb5_ccache = ctypes.POINTER(_krb5_ccache)
+ krb5_data_p = ctypes.POINTER(_krb5_data)
+-krb5_error = ctypes.c_int32
+ krb5_creds = _krb5_creds
+ krb5_pointer = ctypes.c_void_p
+ krb5_cc_cursor = krb5_pointer
+ 
+ krb5_init_context = LIBKRB5.krb5_init_context
+ krb5_init_context.argtypes = (ctypes.POINTER(krb5_context), )
+-krb5_init_context.restype = krb5_error
++krb5_init_context.restype = krb5_error_code
+ krb5_init_context.errcheck = krb5_errcheck
+ 
+ krb5_free_context = LIBKRB5.krb5_free_context
+@@ -143,30 +142,30 @@ krb5_free_data_contents.restype = None
+ 
+ krb5_cc_default = LIBKRB5.krb5_cc_default
+ krb5_cc_default.argtypes = (krb5_context, ctypes.POINTER(krb5_ccache), )
+-krb5_cc_default.restype = krb5_error
++krb5_cc_default.restype = krb5_error_code
+ krb5_cc_default.errcheck = krb5_errcheck
+ 
+ krb5_cc_close = LIBKRB5.krb5_cc_close
+ krb5_cc_close.argtypes = (krb5_context, krb5_ccache, )
+-krb5_cc_close.restype = krb5_error
++krb5_cc_close.restype = krb5_error_code
+ krb5_cc_close.errcheck = krb5_errcheck
+ 
+ krb5_parse_name = LIBKRB5.krb5_parse_name
+ krb5_parse_name.argtypes = (krb5_context, ctypes.c_char_p,
+                             ctypes.POINTER(krb5_principal), )
+-krb5_parse_name.restype = krb5_error
++krb5_parse_name.restype = krb5_error_code
+ krb5_parse_name.errcheck = krb5_errcheck
+ 
+ krb5_cc_set_config = LIBKRB5.krb5_cc_set_config
+ krb5_cc_set_config.argtypes = (krb5_context, krb5_ccache, krb5_principal,
+                                ctypes.c_char_p, krb5_data_p, )
+-krb5_cc_set_config.restype = krb5_error
++krb5_cc_set_config.restype = krb5_error_code
+ krb5_cc_set_config.errcheck = krb5_errcheck
+ 
+ krb5_cc_get_principal = LIBKRB5.krb5_cc_get_principal
+ krb5_cc_get_principal.argtypes = (krb5_context, krb5_ccache,
+                                   ctypes.POINTER(krb5_principal), )
+-krb5_cc_get_principal.restype = krb5_error
++krb5_cc_get_principal.restype = krb5_error_code
+ krb5_cc_get_principal.errcheck = krb5_errcheck
+ 
+ # krb5_build_principal is a variadic function but that can't be expressed
+@@ -177,26 +176,26 @@ krb5_build_principal.argtypes = (krb5_context, ctypes.POINTER(krb5_principal),
+                                  ctypes.c_uint, ctypes.c_char_p,
+                                  ctypes.c_char_p, ctypes.c_char_p,
+                                  ctypes.c_char_p, ctypes.c_char_p, )
+-krb5_build_principal.restype = krb5_error
++krb5_build_principal.restype = krb5_error_code
+ krb5_build_principal.errcheck = krb5_errcheck
+ 
+ krb5_cc_start_seq_get = LIBKRB5.krb5_cc_start_seq_get
+ krb5_cc_start_seq_get.argtypes = (krb5_context, krb5_ccache,
+                                   ctypes.POINTER(krb5_cc_cursor), )
+-krb5_cc_start_seq_get.restype = krb5_error
++krb5_cc_start_seq_get.restype = krb5_error_code
+ krb5_cc_start_seq_get.errcheck = krb5_errcheck
+ 
+ krb5_cc_next_cred = LIBKRB5.krb5_cc_next_cred
+ krb5_cc_next_cred.argtypes = (krb5_context, krb5_ccache,
+                               ctypes.POINTER(krb5_cc_cursor),
+                               ctypes.POINTER(krb5_creds), )
+-krb5_cc_next_cred.restype = krb5_error
++krb5_cc_next_cred.restype = krb5_error_code
+ krb5_cc_next_cred.errcheck = krb5_errcheck
+ 
+ krb5_cc_end_seq_get = LIBKRB5.krb5_cc_end_seq_get
+ krb5_cc_end_seq_get.argtypes = (krb5_context, krb5_ccache,
+                                 ctypes.POINTER(krb5_cc_cursor), )
+-krb5_cc_end_seq_get.restype = krb5_error
++krb5_cc_end_seq_get.restype = krb5_error_code
+ krb5_cc_end_seq_get.errcheck = krb5_errcheck
+ 
+ krb5_free_cred_contents = LIBKRB5.krb5_free_cred_contents
+@@ -212,7 +211,7 @@ krb5_principal_compare.restype = krb5_boolean
+ krb5_unparse_name = LIBKRB5.krb5_unparse_name
+ krb5_unparse_name.argtypes = (krb5_context, krb5_principal,
+                               ctypes.POINTER(ctypes.c_char_p), )
+-krb5_unparse_name.restype = krb5_error
++krb5_unparse_name.restype = krb5_error_code
+ krb5_unparse_name.errcheck = krb5_errcheck
+ 
+ krb5_free_unparsed_name = LIBKRB5.krb5_free_unparsed_name
+
+From 2a4bad8bb3295c5c0f5a760ecd41871c4c5a0c56 Mon Sep 17 00:00:00 2001
+From: Stanislav Levin <slev@altlinux.org>
+Date: Jan 30 2024 15:11:05 +0000
+Subject: ipapython: Correct return type of krb5_free_cred_contents
+
+
+According to https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_free_cred_contents.html
+
+> krb5_free_cred_contents - Free the contents of a krb5_creds structure.
+>
+> void krb5_free_cred_contents(krb5_context context, krb5_creds * val)
+> param:
+> [in] context - Library context
+>
+> [in] val - Credential structure to free contents of
+>
+> This function frees the contents of val , but not the structure itself.
+
+https://github.com/krb5/krb5/blob/5b00197227231943bd2305328c8260dd0b0dbcf0/src/lib/krb5/krb/kfree.c#L166
+
+This leads to undefined behavior and `krb5_free_cred_contents` can
+raise KRB5Error (because of garbage data) while actually its foreign
+function doesn't.
+
+Fixes: https://pagure.io/freeipa/issue/9519
+Signed-off-by: Stanislav Levin <slev@altlinux.org>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+
+---
+
+diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
+index 371cf15..dc36f54 100644
+--- a/ipapython/session_storage.py
++++ b/ipapython/session_storage.py
+@@ -200,8 +200,7 @@ krb5_cc_end_seq_get.errcheck = krb5_errcheck
+ 
+ krb5_free_cred_contents = LIBKRB5.krb5_free_cred_contents
+ krb5_free_cred_contents.argtypes = (krb5_context, ctypes.POINTER(krb5_creds))
+-krb5_free_cred_contents.restype = krb5_error
+-krb5_free_cred_contents.errcheck = krb5_errcheck
++krb5_free_cred_contents.restype = None
+ 
+ krb5_principal_compare = LIBKRB5.krb5_principal_compare
+ krb5_principal_compare.argtypes = (krb5_context, krb5_principal,
+
+From beb402afdbf32c01eed860e9416356f7b492ad74 Mon Sep 17 00:00:00 2001
+From: Stanislav Levin <slev@altlinux.org>
+Date: Jan 30 2024 15:11:05 +0000
+Subject: ipapython: Propagate KRB5Error exceptions on iterating ccache
+
+
+`ipapython.session_storage.get_data` iterates over
+credentials in a credential cache till `krb5_cc_next_cred` returns
+an error. This function doesn't expect any error on calling
+other kerberos foreign functions during iteration. But that can
+actually happen and KRB5Error exceptions stop an iteration while
+they should be propagated.
+
+With this change iteration will exactly stop on `krb5_cc_next_cred`
+error as it was supposed to be.
+
+Fixes: https://pagure.io/freeipa/issue/9519
+Signed-off-by: Stanislav Levin <slev@altlinux.org>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+
+---
+
+diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
+index dc36f54..e890dc9 100644
+--- a/ipapython/session_storage.py
++++ b/ipapython/session_storage.py
+@@ -312,8 +312,12 @@ def get_data(princ_name, key):
+                 checkcreds = krb5_creds()
+                 # the next function will throw an error and break out of the
+                 # while loop when we try to access past the last cred
+-                krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
+-                                  ctypes.byref(checkcreds))
++                try:
++                    krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
++                                      ctypes.byref(checkcreds))
++                except KRB5Error:
++                    break
++
+                 if (krb5_principal_compare(context, principal,
+                                           checkcreds.client) == 1 and
+                     krb5_principal_compare(context, srv_princ,
+@@ -328,8 +332,6 @@ def get_data(princ_name, key):
+                 else:
+                     krb5_free_cred_contents(context,
+                                             ctypes.byref(checkcreds))
+-        except KRB5Error:
+-            pass
+         finally:
+             krb5_cc_end_seq_get(context, ccache, ctypes.byref(cursor))
+ 
+

SOURCES/0022-ipa-kdb-Fix-memory-leak-during-PAC-verification_rhel.patch

@@ -0,0 +1,89 @@
+From bac601b7f35827236a106f7137f378e4888260da Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Jan 30 2024 15:17:44 +0000
+Subject: ipa-kdb: Fix memory leak during PAC verification
+
+
+Commit 0022bd70d93708d325855d5271516d6cd894d6e8 introduced a memory leak
+during the copy of some PAC buffers, because of an unfreed memory
+allocation context.
+
+Fixes: https://pagure.io/freeipa/issue/9520
+
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+
+---
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index a18beff..9e1431c 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -2316,6 +2316,7 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context,
+     size_t i;
+     struct dom_sid *requester_sid = NULL;
+     struct dom_sid req_sid;
++    TALLOC_CTX *tmpctx = NULL;
+ 
+     if (signing_krbtgt != NULL &&
+         ipadb_is_cross_realm_krbtgt(signing_krbtgt->princ)) {
+@@ -2371,6 +2372,12 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context,
+         goto done;
+     }
+ 
++    tmpctx = talloc_new(NULL);
++    if (tmpctx == NULL) {
++        kerr = ENOMEM;
++        goto done;
++    }
++
+     for (i = 0; i < num_buffers; i++) {
+         if (types[i] == KRB5_PAC_SERVER_CHECKSUM ||
+             types[i] == KRB5_PAC_PRIVSVR_CHECKSUM ||
+@@ -2395,32 +2402,21 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context,
+             DATA_BLOB pac_attrs_data;
+             krb5_boolean pac_requested;
+ 
+-            TALLOC_CTX *tmpctx = talloc_new(NULL);
+-            if (tmpctx == NULL) {
+-                kerr = ENOMEM;
+-                goto done;
+-            }
+-
+             kerr = ipadb_client_requested_pac(context, old_pac, tmpctx, &pac_requested);
+-            if (kerr != 0) {
+-                talloc_free(tmpctx);
++            if (kerr)
+                 goto done;
+-            }
+ 
+             kerr = ipadb_get_pac_attrs_blob(tmpctx, &pac_requested, &pac_attrs_data);
+-            if (kerr) {
+-                talloc_free(tmpctx);
++            if (kerr)
+                 goto done;
+-            }
++
+             data.magic = KV5M_DATA;
+             data.data = (char *)pac_attrs_data.data;
+             data.length = pac_attrs_data.length;
+ 
+             kerr = krb5_pac_add_buffer(context, new_pac, PAC_TYPE_ATTRIBUTES_INFO, &data);
+-            if (kerr) {
+-                talloc_free(tmpctx);
++            if (kerr)
+                 goto done;
+-            }
+ 
+             continue;
+         }
+@@ -2467,6 +2463,8 @@ done:
+     if (kerr != 0 && (new_pac != *pac)) {
+         krb5_pac_free(context, new_pac);
+     }
++    if (tmpctx)
++        talloc_free(tmpctx);
+     krb5_free_data_contents(context, &pac_blob);
+     free(types);
+     return kerr;
+

SOURCES/0023-Do-not-ignore-staged-users-in-sidgen-plugin_rhel.patch

@@ -0,0 +1,108 @@
+From b56a80581ef388e19d5761020454e51463036cd6 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 23 Jan 2024 14:47:50 +0200
+Subject: [PATCH] sidgen: ignore staged users when generating SIDs
+
+Staged users have
+
+  uidNumber: -1
+  gidNumber: -1
+  ipaUniqueID: autogenerate
+
+We cannot generate ipaSecurityIdentifier based on those UID/GID numbers.
+However, '-1' value will trigger an error
+
+ find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 483]: ID value too large.
+
+And that, in turn, will cause stopping SID generation for all users.
+
+Detect 'ipaUniqueID: autogenerate' situation and ignore these entries.
+
+Fixes: https://pagure.io/freeipa/issue/9517
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
+---
+ daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h    |  2 ++
+ .../ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c | 12 ++++++++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
+index 0feff7eec..bd46982d0 100644
+--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
+@@ -45,6 +45,8 @@
+ #define UID_NUMBER "uidnumber"
+ #define GID_NUMBER "gidnumber"
+ #define IPA_SID "ipantsecurityidentifier"
++#define IPA_UNIQUEID "ipauniqueid"
++#define IPA_UNIQUEID_AUTOGENERATE "autogenerate"
+ #define DOM_ATTRS_FILTER OBJECTCLASS"=ipantdomainattrs"
+ #define DOMAIN_ID_RANGE_FILTER OBJECTCLASS"=ipadomainidrange"
+ #define POSIX_ACCOUNT "posixaccount"
+diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
+index 6f784804c..cb763ebf8 100644
+--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
+@@ -454,6 +454,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
+     uint32_t id;
+     char *sid = NULL;
+     char **objectclasses = NULL;
++    char *uniqueid = NULL;
+     Slapi_PBlock *mod_pb = NULL;
+     Slapi_Mods *smods = NULL;
+     int result;
+@@ -479,6 +480,16 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
+         goto done;
+     }
+ 
++    uniqueid = slapi_entry_attr_get_charptr(entry, IPA_UNIQUEID);
++    if (uniqueid != NULL &&
++        strncmp(IPA_UNIQUEID_AUTOGENERATE, uniqueid,
++                sizeof(IPA_UNIQUEID_AUTOGENERATE)) == 0) {
++        LOG("Staged entry [%s] does not have Posix IDs, nothing to do.\n",
++            dn_str);
++        ret = 0;
++        goto done;
++    }
++
+     if (uid_number >= UINT32_MAX || gid_number >= UINT32_MAX) {
+         LOG_FATAL("ID value too large.\n");
+         ret = LDAP_CONSTRAINT_VIOLATION;
+@@ -554,6 +565,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
+     }
+ 
+ done:
++    slapi_ch_free_string(&uniqueid);
+     slapi_ch_free_string(&sid);
+     slapi_pblock_destroy(mod_pb);
+     slapi_mods_free(&smods);
+-- 
+2.43.0
+
+From 07150b71537744f491d022c737ef04775c72a10a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 23 Jan 2024 14:53:39 +0200
+Subject: [PATCH] sidgen: fix missing prototypes
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
+---
+ daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
+index bd46982d0..aec862796 100644
+--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
+@@ -106,3 +106,6 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
+                             const char *base_dn,
+                             const char *dom_sid,
+                             struct range_info **ranges);
++
++int sidgen_task_init(Slapi_PBlock *pb);
++int ipa_sidgen_init(Slapi_PBlock *pb);
+-- 
+2.43.0

SOURCES/0024-kdb-PAC-generator-do-not-fail-if-canonical-principal-is-missing_rhel.patch

@@ -0,0 +1,45 @@
+From dcb9d6edc7ae4278cd552e87f644705faa13d558 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Jan 31 2024 08:31:13 +0000
+Subject: kdb: PAC generator: do not fail if canonical principal is missing
+
+
+krbCanonicalName is mandatory for services but IPA services created
+before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no normalization done
+to set krbCanonicalName; services created after that version were
+upgraded to do have krbCanonicalName.
+
+Accept krbPrincipalName alone since they have no alias either */
+
+Fixes: https://pagure.io/freeipa/issue/9465
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
+
+---
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 9e1431c..8035036 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -496,8 +496,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                      "krbCanonicalName", &strres);
+         if (ret) {
+-            /* krbCanonicalName is mandatory for services */
+-            return ret;
++            /* krbCanonicalName is mandatory for services but IPA services
++             * created before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no
++             * normalization to set krbCanonicalName; services created after
++             * that version were upgraded to do have krbCanonicalName.
++             *
++             * Accept krbPrincipalName alone since they have no alias either */
++            ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
++                                         "krbPrincipalName", &strres);
++            if (ret)
++                return ret;
+         }
+ 
+         ret = krb5_parse_name(ipactx->kcontext, strres, &princ);
+

SOURCES/0025-ipd-kdb-Fix-some-mistakes-in.patch

@@ -0,0 +1,61 @@
+From 81aa6ef695838a4b2fb5a53e773ea379a492913d Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Feb 12 2024 14:25:16 +0000
+Subject: ipd-kdb: Fix some mistakes in ipadb_check_for_bronze_bit_attack()
+
+
+Fixes: https://pagure.io/freeipa/issue/9521
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
+
+---
+
+diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
+index 621c235..5de5ea7 100644
+--- a/daemons/ipa-kdb/ipa_kdb.h
++++ b/daemons/ipa-kdb/ipa_kdb.h
+@@ -382,7 +382,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
+  *   status      If the call fails and the pointer is not NULL, set it with a
+  *               message describing the cause of the failure. */
+ krb5_error_code
+-ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
++ipadb_check_for_bronze_bit_attack(krb5_context context,
++                                  const krb5_kdc_req *request,
+                                   bool *supported, bool *detected,
+                                   const char **status);
+ 
+diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+index 713e9a0..44959f3 100644
+--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
++++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+@@ -188,7 +188,7 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
+     krb5_error_code kerr;
+     bool supported;
+ 
+-    kerr = ipadb_check_for_bronze_bit_attack(context, request, supported, NULL,
++    kerr = ipadb_check_for_bronze_bit_attack(context, request, &supported, NULL,
+                                              status);
+     if (kerr)
+         return KRB5KDC_ERR_POLICY;
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 8035036..886ed77 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -3306,13 +3306,14 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
+ }
+ 
+ krb5_error_code
+-ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
++ipadb_check_for_bronze_bit_attack(krb5_context context,
++                                  const krb5_kdc_req *request,
+                                   bool *supported, bool *detected,
+                                   const char **status)
+ {
+     krb5_error_code kerr;
+     const char *st = NULL;
+-    size_t i, j;
++    size_t i, j = 0;
+     bool in_supported = true, in_detected = false;
+     struct ipadb_context *ipactx;
+     krb5_ticket *evidence_tkt;
+

SOURCES/0026-ipa-kdb-Rework-ipadb_reinit_mspac.patch

@@ -0,0 +1,697 @@
+From 7f072e348d318e928f6270a182ca04dee8716677 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Feb 16 2024 09:17:20 +0000
+Subject: ipa-kdb: Rework ipadb_reinit_mspac()
+
+
+Modify ipadb_reinit_mspac() to allocate and initialize ipactx->mspac
+only if all its attributes can be set. If not, ipactx->mspac is set to
+NULL. This makes easier to determine if the KDC is able to generate PACs
+or not.
+
+Also ipadb_reinit_mspac() is now able to return a status message
+explaining why initialization of the PAC generator failed. This message
+is printed in KDC logs.
+
+Fixes: https://pagure.io/freeipa/issue/9535
+
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
+
+---
+
+diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
+index 0c6325d..fcadb8e 100644
+--- a/daemons/ipa-kdb/ipa_kdb.c
++++ b/daemons/ipa-kdb/ipa_kdb.c
+@@ -394,6 +394,7 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
+     struct timeval tv = { 5, 0 };
+     LDAPMessage *res = NULL;
+     LDAPMessage *first;
++    const char *stmsg;
+     int ret;
+     int v3;
+ 
+@@ -473,16 +474,9 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
+     }
+ 
+     /* get adtrust options using default refresh interval */
+-    ret = ipadb_reinit_mspac(ipactx, false);
+-    if (ret && ret != ENOENT) {
+-        /* TODO: log that there is an issue with adtrust settings */
+-        if (ipactx->lcontext == NULL) {
+-            /* for some reason ldap connection was reset in ipadb_reinit_mspac
+-             * and is no longer established => failure of ipadb_get_connection
+-             */
+-            goto done;
+-        }
+-    }
++    ret = ipadb_reinit_mspac(ipactx, false, &stmsg);
++    if (ret && stmsg)
++        krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg);
+ 
+     ret = 0;
+ 
+diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
+index 5de5ea7..7baf469 100644
+--- a/daemons/ipa-kdb/ipa_kdb.h
++++ b/daemons/ipa-kdb/ipa_kdb.h
+@@ -352,7 +352,9 @@ krb5_error_code ipadb_v9_issue_pac(krb5_context context, unsigned int flags,
+                                    krb5_data ***auth_indicators);
+ #endif
+ 
+-krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit);
++krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx,
++                                   bool force_reinit,
++                                   const char **stmsg);
+ 
+ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac);
+ krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 886ed77..deed513 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -793,16 +793,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         return ret;
+     }
+ 
++    if (!ipactx->mspac) {
++        /* can't give a PAC without server NetBIOS name or primary group RID */
++        return ENOENT;
++    }
++
+     if (info3->base.primary_gid == 0) {
+         if (is_host || is_service) {
+             info3->base.primary_gid = 515;  /* Well known RID for domain computers group */
+         } else {
+-            if (ipactx->mspac->fallback_rid) {
+-                info3->base.primary_gid = ipactx->mspac->fallback_rid;
+-            } else {
+-                /* can't give a pack without a primary group rid */
+-                return ENOENT;
+-            }
++            info3->base.primary_gid = ipactx->mspac->fallback_rid;
+         }
+     }
+ 
+@@ -812,26 +812,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+     /* always zero out, not used for Krb, only NTLM */
+     memset(&info3->base.key, '\0', sizeof(info3->base.key));
+ 
+-    if (ipactx->mspac->flat_server_name) {
+-        info3->base.logon_server.string =
+-                    talloc_strdup(memctx, ipactx->mspac->flat_server_name);
+-        if (!info3->base.logon_server.string) {
+-            return ENOMEM;
+-        }
+-    } else {
+-        /* can't give a pack without Server NetBIOS Name :-| */
+-        return ENOENT;
++    info3->base.logon_server.string =
++        talloc_strdup(memctx, ipactx->mspac->flat_server_name);
++    if (!info3->base.logon_server.string) {
++        return ENOMEM;
+     }
+ 
+-    if (ipactx->mspac->flat_domain_name) {
+-        info3->base.logon_domain.string =
+-                    talloc_strdup(memctx, ipactx->mspac->flat_domain_name);
+-        if (!info3->base.logon_domain.string) {
+-            return ENOMEM;
+-        }
+-    } else {
+-        /* can't give a pack without Domain NetBIOS Name :-| */
+-        return ENOENT;
++    info3->base.logon_domain.string =
++        talloc_strdup(memctx, ipactx->mspac->flat_domain_name);
++    if (!info3->base.logon_domain.string) {
++        return ENOMEM;
+     }
+ 
+     if (is_host || is_service) {
+@@ -1044,6 +1034,11 @@ krb5_error_code ipadb_get_pac(krb5_context kcontext,
+         return KRB5_KDB_DBNOTINITED;
+     }
+ 
++    /* Check if PAC generator is initialized */
++    if (!ipactx->mspac) {
++        return ENOENT;
++    }
++
+     ied = (struct ipadb_e_data *)client->e_data;
+     if (ied->magic != IPA_E_DATA_MAGIC) {
+         return EINVAL;
+@@ -1626,14 +1621,14 @@ static struct ipadb_adtrusts *get_domain_from_realm(krb5_context context,
+ {
+     struct ipadb_context *ipactx;
+     struct ipadb_adtrusts *domain;
+-    int i;
++    size_t i;
+ 
+     ipactx = ipadb_get_context(context);
+     if (!ipactx) {
+         return NULL;
+     }
+ 
+-    if (ipactx->mspac == NULL) {
++    if (!ipactx->mspac) {
+         return NULL;
+     }
+ 
+@@ -1655,6 +1650,7 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context,
+ {
+     struct ipadb_context *ipactx;
+     struct ipadb_adtrusts *domain;
++    const char *stmsg = NULL;
+     krb5_error_code kerr;
+ 
+     ipactx = ipadb_get_context(context);
+@@ -1663,8 +1659,10 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context,
+     }
+ 
+     /* re-init MS-PAC info using default update interval */
+-    kerr = ipadb_reinit_mspac(ipactx, false);
++    kerr = ipadb_reinit_mspac(ipactx, false, &stmsg);
+     if (kerr != 0) {
++        if (stmsg)
++            krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg);
+         return NULL;
+     }
+     domain = get_domain_from_realm(context, realm);
+@@ -1717,6 +1715,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
+     struct ipadb_e_data *ied = NULL;
+     int flags = 0;
+     struct dom_sid client_sid;
++    const char *stmsg = NULL;
+ #ifdef KRB5_KDB_FLAG_ALIAS_OK
+     flags = KRB5_KDB_FLAG_ALIAS_OK;
+ #endif
+@@ -1730,10 +1729,14 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
+      * check that our own view on the PAC details is up to date */
+     if (ipactx->mspac->domsid.num_auths == 0) {
+         /* Force re-init of KDB's view on our domain */
+-        kerr = ipadb_reinit_mspac(ipactx, true);
++        kerr = ipadb_reinit_mspac(ipactx, true, &stmsg);
+         if (kerr != 0) {
+-            krb5_klog_syslog(LOG_ERR,
+-                             "PAC issue: unable to update realm's view on PAC info");
++            if (stmsg) {
++                krb5_klog_syslog(LOG_ERR, "MS-PAC generator: %s", stmsg);
++            } else {
++                krb5_klog_syslog(LOG_ERR, "PAC issue: unable to update " \
++                                 "realm's view on PAC info");
++            }
+             return KRB5KDC_ERR_POLICY;
+         }
+     }
+@@ -1746,7 +1749,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
+         if (is_s4u && (ipactx->mspac->trusts != NULL)) {
+             /* Iterate through list of trusts and check if this SID belongs to
+              * one of the domains we trust */
+-            for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
++            for(size_t i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
+                 result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
+                                        info->info->info3.base.domain_sid, true);
+                 if (result) {
+@@ -1858,11 +1861,11 @@ krb5_error_code filter_logon_info(krb5_context context,
+         struct ipadb_mspac *mspac_ctx = ipactx->mspac;
+         result = FALSE;
+         /* Didn't match but perhaps the original PAC was issued by a child domain's DC? */
+-        for (k = 0; k < mspac_ctx->num_trusts; k++) {
+-            result = dom_sid_check(&mspac_ctx->trusts[k].domsid,
++        for (size_t m = 0; m < mspac_ctx->num_trusts; m++) {
++            result = dom_sid_check(&mspac_ctx->trusts[m].domsid,
+                              info->info->info3.base.domain_sid, true);
+             if (result) {
+-                domain = &mspac_ctx->trusts[k];
++                domain = &mspac_ctx->trusts[m];
+                 break;
+             }
+         }
+@@ -2091,10 +2094,10 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
+                 return KRB5_KDB_DBNOTINITED;
+             }
+             /* In S4U case we might be dealing with the PAC issued by the trusted domain */
+-            if ((ipactx->mspac->trusts != NULL)) {
++            if (ipactx->mspac->trusts) {
+                 /* Iterate through list of trusts and check if this SID belongs to
+                 * one of the domains we trust */
+-                for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
++                for(size_t i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
+                     result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
+                                            &client_sid, false);
+                     if (result) {
+@@ -2631,7 +2634,7 @@ static char *get_server_netbios_name(struct ipadb_context *ipactx)
+ 
+ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
+ {
+-    int i, j;
++    size_t i, j;
+ 
+     if (!*mspac) return;
+ 
+@@ -2786,7 +2789,8 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+     LDAPDN dn = NULL;
+     char **sid_blocklist_incoming = NULL;
+     char **sid_blocklist_outgoing = NULL;
+-    int ret, n, i;
++    size_t i, n;
++    int ret;
+ 
+     ret = asprintf(&base, "cn=ad,cn=trusts,%s", ipactx->base);
+     if (ret == -1) {
+@@ -2871,7 +2875,7 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+ 
+         t[n].upn_suffixes_len = NULL;
+         if (t[n].upn_suffixes != NULL) {
+-            int len = 0;
++            size_t len = 0;
+ 
+             for (; t[n].upn_suffixes[len] != NULL; len++);
+ 
+@@ -2986,108 +2990,114 @@ done:
+     return ret;
+ }
+ 
+-krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit)
++krb5_error_code
++ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit,
++                   const char **stmsg)
+ {
+     char *dom_attrs[] = { "ipaNTFlatName",
+                           "ipaNTFallbackPrimaryGroup",
+                           "ipaNTSecurityIdentifier",
+                           NULL };
+     char *grp_attrs[] = { "ipaNTSecurityIdentifier", NULL };
+-    krb5_error_code kerr;
+     LDAPMessage *result = NULL;
+     LDAPMessage *lentry;
+-    struct dom_sid gsid;
+-    char *resstr;
+-    int ret;
++    struct dom_sid gsid, domsid;
++    char *resstr = NULL;
++    char *flat_domain_name = NULL;
++    char *flat_server_name = NULL;
++    char *fallback_group = NULL;
++    uint32_t fallback_rid;
+     time_t now;
++    const char *in_stmsg = NULL;
++    int err;
++    krb5_error_code trust_kerr = 0;
++
+ 
+     /* Do not update the mspac struct more than once a minute. This would
+      * avoid heavy load on the directory server if there are lots of requests
+      * from domains which we do not trust. */
+     now = time(NULL);
+ 
+-    if (ipactx->mspac != NULL &&
+-        (force_reinit == false) &&
+-        (now > ipactx->mspac->last_update) &&
+-        (now - ipactx->mspac->last_update) < 60) {
+-        return 0;
+-    }
+-
+-    if (ipactx->mspac && ipactx->mspac->num_trusts == 0) {
+-        /* Check if there is any trust configured. If not, just return
+-         * and do not re-initialize the MS-PAC structure. */
+-        kerr = ipadb_mspac_check_trusted_domains(ipactx);
+-        if (kerr == KRB5_KDB_NOENTRY) {
+-            kerr = 0;
+-            goto done;
+-        } else if (kerr != 0) {
+-            goto done;
++    if (ipactx->mspac) {
++        if (!force_reinit &&
++            (now > ipactx->mspac->last_update) &&
++            (now - ipactx->mspac->last_update) < 60) {
++            /* SKIP */
++            err = 0;
++            goto end;
+         }
+-    }
+-
+-    /* clean up in case we had old values around */
+-    ipadb_mspac_struct_free(&ipactx->mspac);
+ 
+-    ipactx->mspac = calloc(1, sizeof(struct ipadb_mspac));
+-    if (!ipactx->mspac) {
+-        kerr = ENOMEM;
+-        goto done;
++        if (ipactx->mspac->num_trusts == 0) {
++            /* Check if there is any trust configured. If not, just return
++             * and do not re-initialize the MS-PAC structure. */
++            err = ipadb_mspac_check_trusted_domains(ipactx);
++            if (err) {
++                if (err == KRB5_KDB_NOENTRY) {
++                    /* SKIP */
++                    err = 0;
++                } else {
++                    in_stmsg = "Failed to fetch trusted domains information";
++                }
++                goto end;
++            }
++        }
+     }
+ 
+-    ipactx->mspac->last_update = now;
+-
+-    kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE,
+-                               "(objectclass=ipaNTDomainAttrs)", dom_attrs,
+-                                &result);
+-    if (kerr == KRB5_KDB_NOENTRY) {
+-        return ENOENT;
+-    } else if (kerr != 0) {
+-        return EIO;
++    err = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE,
++                              "(objectclass=ipaNTDomainAttrs)", dom_attrs,
++                              &result);
++    if (err == KRB5_KDB_NOENTRY) {
++        err = ENOENT;
++        in_stmsg = "Local domain NT attributes not configured";
++        goto end;
++    } else if (err) {
++        err = EIO;
++        in_stmsg = "Failed to fetch local domain NT attributes";
++        goto end;
+     }
+ 
+     lentry = ldap_first_entry(ipactx->lcontext, result);
+     if (!lentry) {
+-        kerr = ENOENT;
+-        goto done;
++        err = ENOENT;
++        in_stmsg = "Local domain NT attributes not configured";
++        goto end;
+     }
+ 
+-    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+-                                 "ipaNTFlatName",
+-                                 &ipactx->mspac->flat_domain_name);
+-    if (ret) {
+-        kerr = ret;
+-        goto done;
++    err = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "ipaNTFlatName",
++                                 &flat_domain_name);
++    if (err) {
++        in_stmsg = "Local domain NT flat name not configured";
++        goto end;
+     }
+ 
+-    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+-                                 "ipaNTSecurityIdentifier",
+-                                 &resstr);
+-    if (ret) {
+-        kerr = ret;
+-        goto done;
++    err = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
++                                 "ipaNTSecurityIdentifier", &resstr);
++    if (err) {
++        in_stmsg = "Local domain SID not configured";
++        goto end;
+     }
+ 
+-    ret = ipadb_string_to_sid(resstr, &ipactx->mspac->domsid);
+-    if (ret) {
+-        kerr = ret;
+-        free(resstr);
+-        goto done;
++    err = ipadb_string_to_sid(resstr, &domsid);
++    if (err) {
++        in_stmsg = "Malformed local domain SID";
++        goto end;
+     }
++
+     free(resstr);
+ 
+-    free(ipactx->mspac->flat_server_name);
+-    ipactx->mspac->flat_server_name = get_server_netbios_name(ipactx);
+-    if (!ipactx->mspac->flat_server_name) {
+-        kerr = ENOMEM;
+-        goto done;
++    flat_server_name = get_server_netbios_name(ipactx);
++    if (!flat_server_name) {
++        err = ENOMEM;
++        goto end;
+     }
+ 
+-    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+-                                 "ipaNTFallbackPrimaryGroup",
+-                                 &ipactx->mspac->fallback_group);
+-    if (ret && ret != ENOENT) {
+-        kerr = ret;
+-        goto done;
++    err = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
++                                 "ipaNTFallbackPrimaryGroup", &fallback_group);
++    if (err) {
++        in_stmsg = (err == ENOENT)
++          ? "Local fallback primary group not configured"
++          : "Failed to fetch local fallback primary group";
++        goto end;
+     }
+ 
+     /* result and lentry not valid any more from here on */
+@@ -3095,53 +3105,81 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_rein
+     result = NULL;
+     lentry = NULL;
+ 
+-    if (ret != ENOENT) {
+-        kerr = ipadb_simple_search(ipactx, ipactx->mspac->fallback_group,
+-                                   LDAP_SCOPE_BASE,
+-                                   "(objectclass=posixGroup)",
+-                                   grp_attrs, &result);
+-        if (kerr && kerr != KRB5_KDB_NOENTRY) {
+-            kerr = ret;
+-            goto done;
+-        }
++    err = ipadb_simple_search(ipactx, fallback_group, LDAP_SCOPE_BASE,
++                              "(objectclass=posixGroup)", grp_attrs, &result);
++    if (err) {
++        in_stmsg = (err == KRB5_KDB_NOENTRY)
++          ? "Local fallback primary group has no POSIX definition"
++          : "Failed to fetch SID of POSIX group mapped as local fallback " \
++            "primary group";
++        goto end;
++    }
+ 
+-        lentry = ldap_first_entry(ipactx->lcontext, result);
+-        if (!lentry) {
+-            kerr = ENOENT;
+-            goto done;
+-        }
++    lentry = ldap_first_entry(ipactx->lcontext, result);
++    if (!lentry) {
++        err = ENOENT;
++        goto end;
++    }
+ 
+-        if (kerr == 0) {
+-            ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+-                                         "ipaNTSecurityIdentifier",
+-                                         &resstr);
+-            if (ret && ret != ENOENT) {
+-                kerr = ret;
+-                goto done;
+-            }
+-            if (ret == 0) {
+-                ret = ipadb_string_to_sid(resstr, &gsid);
+-                if (ret) {
+-                    free(resstr);
+-                    kerr = ret;
+-                    goto done;
+-                }
+-                ret = sid_split_rid(&gsid, &ipactx->mspac->fallback_rid);
+-                if (ret) {
+-                    free(resstr);
+-                    kerr = ret;
+-                    goto done;
+-                }
+-                free(resstr);
+-            }
+-        }
++    err = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
++                                 "ipaNTSecurityIdentifier", &resstr);
++    if (err) {
++        in_stmsg = (err == ENOENT)
++          ? "The POSIX group set as fallback primary group has no SID " \
++            "configured"
++          : "Failed to fetch SID of POSIX group set as local fallback " \
++            "primary group";
++        goto end;
+     }
+ 
+-    kerr = ipadb_mspac_get_trusted_domains(ipactx);
++    err = ipadb_string_to_sid(resstr, &gsid);
++    if (err) {
++        in_stmsg = "Malformed SID of POSIX group set as local fallback " \
++                   "primary group";
++        goto end;
++    }
+ 
+-done:
++    err = sid_split_rid(&gsid, &fallback_rid);
++    if (err) {
++        in_stmsg = "Malformed SID of POSIX group mapped as local fallback " \
++                   "primary group";
++        goto end;
++    }
++
++    /* clean up in case we had old values around */
++    ipadb_mspac_struct_free(&ipactx->mspac);
++
++    ipactx->mspac = calloc(1, sizeof(struct ipadb_mspac));
++    if (!ipactx->mspac) {
++        err = ENOMEM;
++        goto end;
++    }
++
++    ipactx->mspac->last_update      = now;
++    ipactx->mspac->flat_domain_name = flat_domain_name;
++    ipactx->mspac->flat_server_name = flat_server_name;
++    ipactx->mspac->domsid           = domsid;
++    ipactx->mspac->fallback_group   = fallback_group;
++    ipactx->mspac->fallback_rid     = fallback_rid;
++
++    trust_kerr = ipadb_mspac_get_trusted_domains(ipactx);
++    if (trust_kerr)
++        in_stmsg = "Failed to assemble trusted domains information";
++
++end:
++    if (stmsg)
++        *stmsg = in_stmsg;
++
++    if (resstr) free(resstr);
+     ldap_msgfree(result);
+-    return kerr;
++
++    if (err) {
++        if (flat_domain_name) free(flat_domain_name);
++        if (flat_server_name) free(flat_server_name);
++        if (fallback_group)   free(fallback_group);
++    }
++
++    return err ? (krb5_error_code)err : trust_kerr;
+ }
+ 
+ krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
+@@ -3151,11 +3189,11 @@ krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
+ {
+ 	struct ipadb_context *ipactx;
+ 	bool has_transited_contents, has_client_realm, has_server_realm;
+-        int i;
++        size_t i;
+         krb5_error_code ret;
+ 
+         ipactx = ipadb_get_context(kcontext);
+-        if (!ipactx || !ipactx->mspac) {
++        if (!ipactx) {
+             return KRB5_KDB_DBNOTINITED;
+         }
+ 
+@@ -3217,7 +3255,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
+ 						  char **trusted_realm)
+ {
+ 	struct ipadb_context *ipactx;
+-	int i, j, length;
++	size_t i, j, length;
+ 	const char *name;
+ 	bool result = false;
+ 
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
+index 7f0ca7a..e650cfa 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
++++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
+@@ -31,7 +31,7 @@ struct ipadb_mspac {
+     char *fallback_group;
+     uint32_t fallback_rid;
+ 
+-    int num_trusts;
++    size_t num_trusts;
+     struct ipadb_adtrusts *trusts;
+     time_t last_update;
+ };
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_v6.c b/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
+index faf47ad..96cd50e 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
+@@ -233,6 +233,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
+     krb5_db_entry *client_entry = NULL;
+     krb5_boolean is_equal;
+     bool force_reinit_mspac = false;
++    const char *stmsg = NULL;
+ 
+ 
+     is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
+@@ -309,7 +310,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
+             force_reinit_mspac = true;
+         }
+ 
+-        (void)ipadb_reinit_mspac(ipactx, force_reinit_mspac);
++        kerr = ipadb_reinit_mspac(ipactx, force_reinit_mspac, &stmsg);
++        if (kerr && stmsg)
++            krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg);
+ 
+         kerr = ipadb_get_pac(context, flags, client, server, NULL, authtime, &pac);
+         if (kerr != 0 && kerr != ENOENT) {
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_v9.c b/daemons/ipa-kdb/ipa_kdb_mspac_v9.c
+index 3badd5b..60db048 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac_v9.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac_v9.c
+@@ -46,6 +46,7 @@ ipadb_v9_issue_pac(krb5_context context, unsigned int flags,
+     bool with_pad;
+     krb5_error_code kerr = 0;
+     bool is_as_req = flags & CLIENT_REFERRALS_FLAGS;
++    const char *stmsg = NULL;
+ 
+     if (is_as_req) {
+         get_authz_data_types(context, client, &with_pac, &with_pad);
+@@ -110,12 +111,19 @@ ipadb_v9_issue_pac(krb5_context context, unsigned int flags,
+                     force_reinit_mspac = TRUE;
+                 }
+             }
+-            (void)ipadb_reinit_mspac(ipactx, force_reinit_mspac);
+ 
+-            /* MS-PAC needs proper configuration and if it is missing, we simply skip issuing one */
+-            if (ipactx->mspac->flat_server_name == NULL) {
++            /* MS-PAC generator has to be initalized */
++            kerr = ipadb_reinit_mspac(ipactx, force_reinit_mspac, &stmsg);
++            if (kerr && stmsg)
++                krb5_klog_syslog(LOG_ERR, "MS-PAC generator: %s", stmsg);
++
++            /* Continue even if initilization of PAC generator failed.
++             * It may caused by the trust objects part only. */
++
++            /* At least the core part of the PAC generator is required. */
++            if (!ipactx->mspac)
+                 return KRB5_PLUGIN_OP_NOTSUPP;
+-            }
++
+             kerr = ipadb_get_pac(context, flags,
+                                  client, server, replaced_reply_key,
+                                  authtime, &new_pac);
+diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
+index fadb132..07cc877 100644
+--- a/daemons/ipa-kdb/ipa_kdb_principals.c
++++ b/daemons/ipa-kdb/ipa_kdb_principals.c
+@@ -1495,6 +1495,7 @@ static krb5_error_code dbget_alias(krb5_context kcontext,
+     krb5_db_entry *kentry = NULL;
+     krb5_data *realm;
+     krb5_boolean check = FALSE;
++    const char *stmsg = NULL;
+ 
+     /* TODO: also support hostbased aliases */
+ 
+@@ -1562,8 +1563,11 @@ static krb5_error_code dbget_alias(krb5_context kcontext,
+     if (kerr == KRB5_KDB_NOENTRY) {
+         /* If no trusted realm found, refresh trusted domain data and try again
+          * because it might be a freshly added trust to AD */
+-        kerr = ipadb_reinit_mspac(ipactx, false);
++        kerr = ipadb_reinit_mspac(ipactx, false, &stmsg);
+         if (kerr != 0) {
++            if (stmsg)
++                krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s",
++                                 stmsg);
+             kerr = KRB5_KDB_NOENTRY;
+             goto done;
+         }

SOURCES/0027-ipatests-fix-tasks_wait_for_replication-method.patch

@@ -0,0 +1,34 @@
+From 44a762413c83f9637399afeb61b1e4b1ac111260 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Feb 14 2024 12:24:48 +0000
+Subject: ipatests: fix tasks.wait_for_replication method
+
+
+With the fix for https://pagure.io/freeipa/issue/9171, the
+method entry.single_value['nsds5replicaupdateinprogress'] now
+returns a Boolean instead of a string "TRUE"/"FALSE".
+
+The method tasks.wait_for_replication needs to be fixed so that
+it properly detects when replication is not done.
+
+Fixes: https://pagure.io/freeipa/issue/9530
+
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+
+---
+
+diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
+index 9068ba6..952c9e6 100755
+--- a/ipatests/pytest_ipa/integration/tasks.py
++++ b/ipatests/pytest_ipa/integration/tasks.py
+@@ -1510,7 +1510,7 @@ def wait_for_replication(ldap, timeout=30,
+         statuses = [entry.single_value[status_attr] for entry in entries]
+         wrong_statuses = [s for s in statuses
+                           if not re.match(target_status_re, s)]
+-        if any(e.single_value[progress_attr] == 'TRUE' for e in entries):
++        if any(e.single_value[progress_attr] for e in entries):
+             msg = 'Replication not finished'
+             logger.debug(msg)
+         elif wrong_statuses:
+

SOURCES/0028-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch

@@ -0,0 +1,27 @@
+From ac44c3d0a69aa2b3f8230c3ab13dca5ab5a78dd0 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Tue, 20 Feb 2024 15:14:24 +0100
+Subject: [PATCH] ipa-kdb: Fix double free in ipadb_reinit_mspac()
+
+Fixes: https://pagure.io/freeipa/issue/9535
+
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index b0eb3324bf4b7d8eeb7b332c39de4023784f6337..9723103d8a77294ed7457d9b48bfc0d98b9ccef1 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -3084,6 +3084,7 @@ ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit,
+     }
+ 
+     free(resstr);
++    resstr = NULL;
+ 
+     flat_server_name = get_server_netbios_name(ipactx);
+     if (!flat_server_name) {
+-- 
+2.43.0

SPECS/ipa.spec

@@ -64,7 +64,7 @@
 %if 0%{?rhel}
 %global package_name ipa
 %global alt_name freeipa
-%global krb5_version 1.18.2-25
+%global krb5_version 1.18.2-26
 %global krb5_kdb_version 8.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.19
@@ -189,7 +189,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        8%{?rc_version:.%rc_version}%{?dist}
+Release:        14%{?rc_version:.%rc_version}%{?dist}.alma.1
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -222,6 +222,37 @@ Patch0010:      0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch
 Patch0011:      0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch
 Patch0012:      0012-ipatests-fix-test_topology_rhbz#2232351.patch
 Patch0013:      0013-Installer-activate-nss-and-pam-services-in-sssd.conf_rhbz#2216532.patch
+
+# Patches were taken from:
+# https://gitlab.com/redhat/centos-stream/rpms/ipa/-/commit/5d0ca0e625aea2553a39ae3e56174285cb123f13
+Patch0014:      0014-ipa-kdb-Make-AD-SIGNEDPATH-optional-with-krb5-DAL-8.patch
+# https://github.com/freeipa/freeipa/commit/13778d88ca2ac73b729821bdea844172a18c0cb9
+Patch0015:      0015-CVE-2023-5455.patch
+# https://github.com/freeipa/freeipa/commit/a847e2483b4c4832ee5129901da169f4eb0d1392
+Patch0016:      0016-ipa-kdb-Detect-and-block-Bronze-Bit-attacks.patch
+# https://github.com/freeipa/freeipa/commit/86b073a7f03ba0edf4dd91f85b96c89107e9e673
+Patch0017:      0017-Integration-tests-for-verifying-Referer.patch
+
+# https://gitlab.com/redhat/centos-stream/rpms/ipa/-/commit/e57a97aa674560ef56317c22526c47d73fbdbc4d
+Patch0018: 0018-adtrustinstance-make-sure-NetBIOS-name-defaults-are-.patch
+# https://gitlab.com/redhat/centos-stream/rpms/ipa/-/commit/13b768665085c547533f5cd433b6c80243a8605a
+Patch0019: 0019-ipatests-wait-for-replica-update-in-test_dns_locatio.patch
+# https://gitlab.com/redhat/centos-stream/rpms/ipa/-/blob/4ced5cbefbd3d602546a4a16a38ce24fbae6aee8/
+Patch0020: 0020-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel.patch
+Patch0021: 0021-Fix-session-cookie-access_rhel.patch
+Patch0022: 0022-ipa-kdb-Fix-memory-leak-during-PAC-verification_rhel.patch
+Patch0023: 0023-Do-not-ignore-staged-users-in-sidgen-plugin_rhel.patch
+Patch0024: 0024-kdb-PAC-generator-do-not-fail-if-canonical-principal-is-missing_rhel.patch
+# https://pagure.io/freeipa/c/81aa6ef695838a4b2fb5a53e773ea379a492913d
+Patch0025: 0025-ipd-kdb-Fix-some-mistakes-in.patch
+# https://pagure.io/freeipa/c/7f072e348d318e928f6270a182ca04dee8716677
+Patch0026: 0026-ipa-kdb-Rework-ipadb_reinit_mspac.patch
+# https://pagure.io/freeipa/c/44a762413c83f9637399afeb61b1e4b1ac111260
+Patch0027: 0027-ipatests-fix-tasks_wait_for_replication-method.patch
+# https://gitlab.com/redhat/centos-stream/rpms/ipa/-/commit/a727d75b875b82042f453746bf3c2e24d374364f
+Patch0028: 0028-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch
+
+
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
 Patch1003:      1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
@@ -1736,6 +1767,29 @@ fi
 %endif
 
 %changelog
+* Wed Apr 10 2024 Eduard Abdullin <eabdullin@almalinux.org> - 4.9.12-14.alma.1
+- adtrustinstance: make sure NetBIOS name defaults are set
+ properly
+- ipatests: wait for replica update in test_dns_locations
+- ipa-kdb: Disable Bronze-Bit check if PAC not available
+- ipapython: Clean up krb5_error
+- ipapython: Correct return type of krb5_free_cred_contents
+- ipa-kdb: Fix memory leak during PAC verification
+- sidgen: ignore staged users when generating SIDs
+- kdb: PAC generator: do not fail if canonical principal is missing
+- Fix some mistakes in ipadb_check_for_bronze_bit_attack()
+- ipa-kdb: Rework ipadb_reinit_mspac()
+- ipatests: fix tasks.wait_for_replication method
+- ipa-kdb: Fix double free in ipadb_reinit_mspac()
+
+* Mon Jan 15 2024 Eduard Abdullin <eabdullin@almalinux.org> - 4.9.12-11.alma.1
+- CVE-2023-5455
+- ipa-kdb: Detect and block Bronze-Bit attacks
+- Integration tests for verifying Referer header in the UI
+
+* Wed Nov 14 2023 Eduard Abdullin <eabdullin@almalinux.org> - 4.9.12-9.alma.1
+- ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older
+
 * Thu Aug 31 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-8
 - Require krb5 release 1.18.2-25 or later
   Resolves: RHBZ#2234711