.gitignore

@@ -1 +1,4 @@
-SOURCES/freeipa-4.9.12.tar.gz
+SOURCES/freeipa-4.9.11.tar.gz
+/freeipa-4.9.11.tar.gz
+/freeipa-4.9.12.tar.gz
+/freeipa-4.9.12.tar.gz.asc

.ipa.metadata

@@ -1 +0,0 @@
-ea6c8a209748b4ad8d07da556f705a366b3dd6c1 SOURCES/freeipa-4.9.12.tar.gz

0014-ipa-kdb-Make-AD-SIGNEDPATH-optional-with-krb5-DAL-8.patch

@@ -0,0 +1,98 @@
+From d394afc1210a21378c018d0ff93d400a57324289 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Mon, 25 Sep 2023 15:14:03 +0200
+Subject: [PATCH] ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and
+ older
+
+Since krb5 1.20, the PAC is generated by default, and the AD-SIGNEDPATH
+authdata is no longer generated. However, on krb5 versions prior to
+1.20, the KDC still expects an AD-SIGNEDPATH when verifying a
+constrained delegation (S4U2Proxy) TGS-REQ. In IPA's case this
+requirement is not needed, because the PAC signatures are already
+fulfilling this role.
+
+CentOS and RHEL downstream releases of krb5 will include the
+"optional_ad_signedpath" KDB string attribute allowing to disable the
+AD-SIGNEDPATH requirement in case the PAC is present.
+
+This commit sets the "optional_ad_signedpath" string attribute to "true"
+systematically on the TGS principal if the database abstract layer (DAL)
+of krb5 is version 8 or older (prior to krb5 1.20).
+
+Fixes: https://pagure.io/freeipa/issue/9448
+
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_principals.c | 38 ++++++++++++++++++++++++++--
+ 1 file changed, 36 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
+index e95cb453c..fadb132ed 100644
+--- a/daemons/ipa-kdb/ipa_kdb_principals.c
++++ b/daemons/ipa-kdb/ipa_kdb_principals.c
+@@ -113,6 +113,10 @@ static char *std_principal_obj_classes[] = {
+ 
+ #define DEFAULT_TL_DATA_CONTENT "\x00\x00\x00\x00principal@UNINITIALIZED"
+ 
++#ifndef KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH
++#define KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH "optional_ad_signedpath"
++#endif
++
+ static int ipadb_ldap_attr_to_tl_data(LDAP *lcontext, LDAPMessage *le,
+                                       char *attrname,
+                                       krb5_tl_data **result, int *num)
+@@ -178,6 +182,25 @@ done:
+     return ret;
+ }
+ 
++static bool
++is_tgs_princ(krb5_context kcontext, krb5_const_principal princ)
++{
++    krb5_data *primary;
++    size_t l_tgs_name;
++
++    if (2 != krb5_princ_size(kcontext, princ))
++        return false;
++
++    primary = krb5_princ_component(kcontext, princ, 0);
++
++    l_tgs_name = strlen(KRB5_TGS_NAME);
++
++    if (l_tgs_name != primary->length)
++        return false;
++
++    return 0 == memcmp(primary->data, KRB5_TGS_NAME, l_tgs_name);
++}
++
+ static krb5_error_code ipadb_set_tl_data(krb5_db_entry *entry,
+                                          krb5_int16 type,
+                                          krb5_ui_2 length,
+@@ -1647,11 +1670,22 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
+ 
+     /* Lookup local names and aliases first. */
+     kerr = dbget_princ(kcontext, ipactx, search_for, flags, entry);
+-    if (kerr != KRB5_KDB_NOENTRY) {
++    if (kerr == KRB5_KDB_NOENTRY) {
++        kerr = dbget_alias(kcontext, ipactx, search_for, flags, entry);
++    }
++    if (kerr)
+         return kerr;
++
++#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
++    /* If TGS principal, some virtual attributes may be added */
++    if (is_tgs_princ(kcontext, (*entry)->princ)) {
++        kerr = krb5_dbe_set_string(kcontext, *entry,
++                                   KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH,
++                                   "true");
+     }
++#endif
+ 
+-    return dbget_alias(kcontext, ipactx, search_for, flags, entry);
++    return kerr;
+ }
+ 
+ void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data)
+-- 
+2.41.0
+

SOURCES/freeipa-4.9.12.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmRnL+gACgkQaYdvcqbi
-00/1Gg/8CFABojXZyUkQnWeaHdrFeHeE+DW2qTs9Wr/TQwF67fYkh7lj3p+WqMlD
-kMMNAfLn4wUnJNDMv64QlE6RAz71KetQlQt+mZQVT9M0nDepLhBw86qmNbJj611J
-+2B79hzNLT8tmOf9NyLRJbFp3QebSPELX9hycPj1Ovd1tr/61tcwcNzE6ZLrX5vb
-IPkCT2bo+6MceIsR50tTRxxK6J9jFYX73PjHJ5Ix7ssDf4vg2OBRTwUdLeZAkWlA
-q+0bPPp+F3PWLhnSs+vIs5plHUI/hcGCt9pTvw/d6jUUxuwZadGGbRZSyDN7aj2Q
-zEXeZsCtOSk5cx65lWHl+7TTyVvCoemeZPZ92EiCtVJfiuK3/6a/WFWanBZoO0E3
-N0p6HUcvIRPrEj0nQwH2vr0zkfSPA4g30k+Q9qeP3ArN+i+5OFfuiwiqk1AIJ2rv
-ERhBRryOaNeiVpYghMQdtacWP/qQunfH6VdhA61Q089/lhomGeSytQI+fV4TXOhV
-ldV7dftaWpQT3QYWSsKzoiHpyjIwOA8dBvQF2YDX7LNmeO/hj4ToFp00CVCWdb0j
-MHs2X9p42kkhw2oZOf3GNyNvpybxUv59ER4YDEHbj8+iZyVjiqfcp71373DqpieW
-iGjB3Wc0gO3cdYk3Mdl0SgkD7k0U9iwwh7qJeqqUYT3gKf9mqbY=
-=dT0o
------END PGP SIGNATURE-----

gating.yaml

@@ -0,0 +1,7 @@
+# recipients: abokovoy, frenaud, kaleem, ftrivino
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}

ipa.spec

@@ -64,7 +64,7 @@
 %if 0%{?rhel}
 %global package_name ipa
 %global alt_name freeipa
-%global krb5_version 1.18.2-25
+%global krb5_version 1.18.2-26
 %global krb5_kdb_version 8.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.19
@@ -189,7 +189,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        8%{?rc_version:.%rc_version}%{?dist}
+Release:        9%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -222,6 +222,7 @@ Patch0010:      0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch
 Patch0011:      0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch
 Patch0012:      0012-ipatests-fix-test_topology_rhbz#2232351.patch
 Patch0013:      0013-Installer-activate-nss-and-pam-services-in-sssd.conf_rhbz#2216532.patch
+Patch0014:      0014-ipa-kdb-Make-AD-SIGNEDPATH-optional-with-krb5-DAL-8.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
 Patch1003:      1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
@@ -1736,6 +1737,10 @@ fi
 %endif
 
 %changelog
+* Wed Oct 04 2023 Julien Rische <jrische@redhat.com> - 4.9.12-9
+- ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older
+  Resolves: RHEL-12198
+
 * Thu Aug 31 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-8
 - Require krb5 release 1.18.2-25 or later
   Resolves: RHBZ#2234711

rpminspect.yaml

@@ -0,0 +1,9 @@
+---
+specname:
+    match: suffix
+runpath:
+    allowed_paths:
+        - /usr/lib64/samba
+annocheck:
+    - hardened: --ignore-unknown --verbose --skip-run-path
+

sources

@@ -0,0 +1,2 @@
+SHA512 (freeipa-4.9.12.tar.gz) = a4d7d46042bbbf8ca3df6bca45cdab9f3bfb7634fc516c1939533e5e200035374c6e72981dde7dc96a176679b69275fc54f0dfb174beeee66ba21d72006d4b1f
+SHA512 (freeipa-4.9.12.tar.gz.asc) = 95ad27a52df1e4dd9ad9f058c53199cfd26e5b1c4269dd5a7b55147881033d55cc2656e812975015aff228e7f98417e3b22584b8413d53ec299ece98e1279e6f