00abb6c62b
- Resolves: rhbz#2162656 Passwordless (GSSAPI) SSH not working for subdomain - Resolves: rhbz#2166326 Removing the last DNS type for ipa-ca does not work - Resolves: rhbz#2167473 RFE - Add a warning note about possible performance impact of the Auto Member rebuild task - Resolves: rhbz#2168244 requestsearchtimelimit=0 doesn't seems to be work with ipa-acme-manage pruning command Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
112 lines
4.5 KiB
Diff
112 lines
4.5 KiB
Diff
From 0206369eec8530e96c66986c4ca501d8962193ce Mon Sep 17 00:00:00 2001
|
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Date: Mon, 30 Jan 2023 14:22:30 +0200
|
|
Subject: [PATCH] ipa-kdb: PAC consistency checker needs to handle child
|
|
domains as well
|
|
|
|
When PAC check is performed, we might get a signing TGT instead of the
|
|
client DB entry. This means it is a principal from a trusted domain but
|
|
we don't know which one exactly because we only have a krbtgt for the
|
|
forest root. This happens in MIT Kerberos 1.20 or later where KDB's
|
|
issue_pac() callback never gets the original client principal directly.
|
|
|
|
Look into known child domains as well and make pass the check if both
|
|
NetBIOS name and SID correspond to one of the trusted domains under this
|
|
forest root. Move check for the SID before NetBIOS name check because we
|
|
can use SID of the domain in PAC to find out the right child domain in
|
|
our trusted domains' topology list.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9316
|
|
|
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
---
|
|
daemons/ipa-kdb/ipa_kdb_mspac.c | 51 +++++++++++++++++++++------------
|
|
1 file changed, 32 insertions(+), 19 deletions(-)
|
|
|
|
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
index a15050e2166f95c227d2e3c7d238e1ea2fe01235..476d1cb558a53420821ccfb1b794cb6bedce7794 100644
|
|
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
@@ -1827,11 +1827,43 @@ krb5_error_code filter_logon_info(krb5_context context,
|
|
bool result;
|
|
char *domstr = NULL;
|
|
|
|
+ ipactx = ipadb_get_context(context);
|
|
+ if (!ipactx || !ipactx->mspac) {
|
|
+ return KRB5_KDB_DBNOTINITED;
|
|
+ }
|
|
+
|
|
domain = get_domain_from_realm_update(context, realm);
|
|
if (!domain) {
|
|
return EINVAL;
|
|
}
|
|
|
|
+ /* check exact sid */
|
|
+ result = dom_sid_check(&domain->domsid, info->info->info3.base.domain_sid, true);
|
|
+ if (!result) {
|
|
+ struct ipadb_mspac *mspac_ctx = ipactx->mspac;
|
|
+ result = FALSE;
|
|
+ /* Didn't match but perhaps the original PAC was issued by a child domain's DC? */
|
|
+ for (k = 0; k < mspac_ctx->num_trusts; k++) {
|
|
+ result = dom_sid_check(&mspac_ctx->trusts[k].domsid,
|
|
+ info->info->info3.base.domain_sid, true);
|
|
+ if (result) {
|
|
+ domain = &mspac_ctx->trusts[k];
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+ if (!result) {
|
|
+ domstr = dom_sid_string(NULL, info->info->info3.base.domain_sid);
|
|
+ krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain = %s, "
|
|
+ "expected domain SID = %s, "
|
|
+ "found domain SID = %s",
|
|
+ domain->domain_name, domain->domain_sid,
|
|
+ domstr ? domstr : "<failed to display>");
|
|
+ talloc_free(domstr);
|
|
+ return EINVAL;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ /* At this point we may have changed the domain we look at, */
|
|
/* check netbios/flat name */
|
|
if (strcasecmp(info->info->info3.base.logon_domain.string,
|
|
domain->flat_name) != 0) {
|
|
@@ -1843,21 +1875,6 @@ krb5_error_code filter_logon_info(krb5_context context,
|
|
return EINVAL;
|
|
}
|
|
|
|
- /* check exact sid */
|
|
- result = dom_sid_check(&domain->domsid, info->info->info3.base.domain_sid, true);
|
|
- if (!result) {
|
|
- domstr = dom_sid_string(NULL, info->info->info3.base.domain_sid);
|
|
- if (!domstr) {
|
|
- return EINVAL;
|
|
- }
|
|
- krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain = %s, "
|
|
- "expected domain SID = %s, "
|
|
- "found domain SID = %s",
|
|
- domain->domain_name, domain->domain_sid, domstr);
|
|
- talloc_free(domstr);
|
|
- return EINVAL;
|
|
- }
|
|
-
|
|
/* Check if this domain has been filtered out by the trust itself*/
|
|
if (domain->parent != NULL) {
|
|
for(k = 0; k < domain->parent->len_sid_blocklist_incoming; k++) {
|
|
@@ -1944,10 +1961,6 @@ krb5_error_code filter_logon_info(krb5_context context,
|
|
* should include different possibilities into account
|
|
* */
|
|
if (info->info->info3.sidcount != 0) {
|
|
- ipactx = ipadb_get_context(context);
|
|
- if (!ipactx || !ipactx->mspac) {
|
|
- return KRB5_KDB_DBNOTINITED;
|
|
- }
|
|
count = info->info->info3.sidcount;
|
|
i = 0;
|
|
j = 0;
|
|
--
|
|
2.39.1
|
|
|