From 0206369eec8530e96c66986c4ca501d8962193ce Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 30 Jan 2023 14:22:30 +0200 Subject: [PATCH] ipa-kdb: PAC consistency checker needs to handle child domains as well When PAC check is performed, we might get a signing TGT instead of the client DB entry. This means it is a principal from a trusted domain but we don't know which one exactly because we only have a krbtgt for the forest root. This happens in MIT Kerberos 1.20 or later where KDB's issue_pac() callback never gets the original client principal directly. Look into known child domains as well and make pass the check if both NetBIOS name and SID correspond to one of the trusted domains under this forest root. Move check for the SID before NetBIOS name check because we can use SID of the domain in PAC to find out the right child domain in our trusted domains' topology list. Fixes: https://pagure.io/freeipa/issue/9316 Signed-off-by: Alexander Bokovoy Reviewed-By: Rafael Guterres Jeffman Reviewed-By: Rob Crittenden --- daemons/ipa-kdb/ipa_kdb_mspac.c | 51 +++++++++++++++++++++------------ 1 file changed, 32 insertions(+), 19 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index a15050e2166f95c227d2e3c7d238e1ea2fe01235..476d1cb558a53420821ccfb1b794cb6bedce7794 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -1827,11 +1827,43 @@ krb5_error_code filter_logon_info(krb5_context context, bool result; char *domstr = NULL; + ipactx = ipadb_get_context(context); + if (!ipactx || !ipactx->mspac) { + return KRB5_KDB_DBNOTINITED; + } + domain = get_domain_from_realm_update(context, realm); if (!domain) { return EINVAL; } + /* check exact sid */ + result = dom_sid_check(&domain->domsid, info->info->info3.base.domain_sid, true); + if (!result) { + struct ipadb_mspac *mspac_ctx = ipactx->mspac; + result = FALSE; + /* Didn't match but perhaps the original PAC was issued by a child domain's DC? */ + for (k = 0; k < mspac_ctx->num_trusts; k++) { + result = dom_sid_check(&mspac_ctx->trusts[k].domsid, + info->info->info3.base.domain_sid, true); + if (result) { + domain = &mspac_ctx->trusts[k]; + break; + } + } + if (!result) { + domstr = dom_sid_string(NULL, info->info->info3.base.domain_sid); + krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain = %s, " + "expected domain SID = %s, " + "found domain SID = %s", + domain->domain_name, domain->domain_sid, + domstr ? domstr : ""); + talloc_free(domstr); + return EINVAL; + } + } + + /* At this point we may have changed the domain we look at, */ /* check netbios/flat name */ if (strcasecmp(info->info->info3.base.logon_domain.string, domain->flat_name) != 0) { @@ -1843,21 +1875,6 @@ krb5_error_code filter_logon_info(krb5_context context, return EINVAL; } - /* check exact sid */ - result = dom_sid_check(&domain->domsid, info->info->info3.base.domain_sid, true); - if (!result) { - domstr = dom_sid_string(NULL, info->info->info3.base.domain_sid); - if (!domstr) { - return EINVAL; - } - krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain = %s, " - "expected domain SID = %s, " - "found domain SID = %s", - domain->domain_name, domain->domain_sid, domstr); - talloc_free(domstr); - return EINVAL; - } - /* Check if this domain has been filtered out by the trust itself*/ if (domain->parent != NULL) { for(k = 0; k < domain->parent->len_sid_blocklist_incoming; k++) { @@ -1944,10 +1961,6 @@ krb5_error_code filter_logon_info(krb5_context context, * should include different possibilities into account * */ if (info->info->info3.sidcount != 0) { - ipactx = ipadb_get_context(context); - if (!ipactx || !ipactx->mspac) { - return KRB5_KDB_DBNOTINITED; - } count = info->info->info3.sidcount; i = 0; j = 0; -- 2.39.1