rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity
b412308f26
ipa/0001-ipa-kdb-issue-PAC_REQUESTER_SID-only-for-TGTs.patch
Florence Blanc-Renaud 848d623257 ipa-4.9.8-1 
- Resolves: rhbz#2015608 - [Rebase] Rebase ipa to latest 4.9.x release RHEL9
- Resolves: rhbz#1825010 - Concerns regarding 'ipa pwpolicy-mod --minlife 24 --maxlife 1'
- Resolves: rhbz#1966289 - Info about searchrecordslimit set search limit to 10,000 after upgrade
- Resolves: rhbz#1980356 - reinstalling samba client causes winbindd coredump
- Resolves: rhbz#1986054 - fix automountlocation-tofiles output
- Resolves: rhbz#2020205 - Missing bind-pkcs11-utils causing failures in OpenDNSSec
- Resolves: rhbz#2021445 - CVE-2020-25719 ipa: samba: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets
2021-12-02 21:16:40 +01:00

37 lines
1.3 KiB
Diff
Raw Blame History

From 669f3d71161741c676ddd6a08bd08d4a4ccd495b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 26 Nov 2021 17:40:54 +0200
Subject: [PATCH] ipa-kdb: issue PAC_REQUESTER_SID only for TGTs
MS-KILE 3.3.5.6.4.8 in revision after Windows Server November 2021
security fixes added the following requirement:
- PAC_REQUESTER_SID is only added in TGT case (including referrals and
tickets to RODCs)
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 6f7d1ac15daf17dfca36ebd3265c866725d24717..538cfbba958068bd2ee0aaae7a2743ae82237898 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1148,7 +1148,8 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
#endif
#ifdef HAVE_PAC_REQUESTER_SID
- {
+ /* MS-KILE 3.3.5.6.4.8: add PAC_REQUESTER_SID only in TGT case */
+ if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0) {
union PAC_INFO pac_requester_sid;
/* == Package PAC_REQUESTER_SID == */
memset(&pac_requester_sid, 0, sizeof(pac_requester_sid));
--
2.31.1
Reference in New Issue View Git Blame Copy Permalink