125 lines
5.5 KiB
Diff
125 lines
5.5 KiB
Diff
|
From 72132c413a2b19fbc21120ce51698978fd926360 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Sumit Bose <sbose@redhat.com>
|
||
|
|
Date: Tue, 20 Sep 2022 15:37:01 +0200
|
||
|
|
Subject: [PATCH] krb5: respect krb5_validate for PAC checks
|
||
|
|
MIME-Version: 1.0
|
||
|
|
Content-Type: text/plain; charset=UTF-8
|
||
|
|
Content-Transfer-Encoding: 8bit
|
||
|
|
|
||
|
|
The first step of checking the PAC is the same as during the Kerberos
|
||
|
|
ticket validation, requesting a service ticket for a service principal
|
||
|
|
from the local keytab. By default ticket validation is enable for the
|
||
|
|
IPA and AD provider where checking the PAC might become important. If
|
||
|
|
ticket validation is disabled manually it is most probably because there
|
||
|
|
are issues requesting the service ticket and fixing those is currently
|
||
|
|
not possible.
|
||
|
|
|
||
|
|
Currently when SSSD is configured to check the PAC it ignores the
|
||
|
|
krb5_validate setting and tries to request a service ticket which would
|
||
|
|
fail in the case ticket validation is disabled for a reason. To not
|
||
|
|
cause regressions with this patch SSSD will skip the PAC checks if
|
||
|
|
ticket validation is disabled.
|
||
|
|
|
||
|
|
Resolves: https://github.com/SSSD/sssd/issues/6355
|
||
|
|
|
||
|
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||
|
|
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||
|
|
(cherry picked from commit f4dffaeaef16f146fc03970f62761fc335a3c7cc)
|
||
|
|
---
|
||
|
|
src/man/include/krb5_options.xml | 11 ++++++++++-
|
||
|
|
src/man/sssd.conf.5.xml | 13 ++++++++++---
|
||
|
|
src/providers/krb5/krb5_child.c | 9 ++++-----
|
||
|
|
src/providers/krb5/krb5_init_shared.c | 10 ++++++++++
|
||
|
|
4 files changed, 34 insertions(+), 9 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/src/man/include/krb5_options.xml b/src/man/include/krb5_options.xml
|
||
|
|
index c3292d1bb..d82be7bfa 100644
|
||
|
|
--- a/src/man/include/krb5_options.xml
|
||
|
|
+++ b/src/man/include/krb5_options.xml
|
||
|
|
@@ -26,7 +26,16 @@
|
||
|
|
keytab entry as the last entry or the only entry in the keytab file.
|
||
|
|
</para>
|
||
|
|
<para>
|
||
|
|
- Default: false
|
||
|
|
+ Default: false (IPA and AD provider: true)
|
||
|
|
+ </para>
|
||
|
|
+ <para>
|
||
|
|
+ Please note that the ticket validation is the first step when
|
||
|
|
+ checking the PAC (see 'pac_check' in the
|
||
|
|
+ <citerefentry>
|
||
|
|
+ <refentrytitle>sssd.conf</refentrytitle>
|
||
|
|
+ <manvolnum>5</manvolnum>
|
||
|
|
+ </citerefentry> manual page for details). If ticket
|
||
|
|
+ validation is disabled the PAC checks will be skipped as well.
|
||
|
|
</para>
|
||
|
|
</listitem>
|
||
|
|
</varlistentry>
|
||
|
|
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||
|
|
index 615b41550..7a9920815 100644
|
||
|
|
--- a/src/man/sssd.conf.5.xml
|
||
|
|
+++ b/src/man/sssd.conf.5.xml
|
||
|
|
@@ -2238,9 +2238,16 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
|
||
|
|
<para>
|
||
|
|
Apply additional checks on the PAC of the Kerberos
|
||
|
|
ticket which is available in Active Directory and
|
||
|
|
- FreeIPA domains, if configured. The following
|
||
|
|
- options can be used alone or in a comma-separated
|
||
|
|
- list:
|
||
|
|
+ FreeIPA domains, if configured. Please note that
|
||
|
|
+ Kerberos ticket validation must be enabled to be
|
||
|
|
+ able to check the PAC, i.e. the krb5_validate option
|
||
|
|
+ must be set to 'True' which is the default for the
|
||
|
|
+ IPA and AD provider. If krb5_validate is set to
|
||
|
|
+ 'False' the PAC checks will be skipped.
|
||
|
|
+ </para>
|
||
|
|
+ <para>
|
||
|
|
+ The following options can be used alone or in a
|
||
|
|
+ comma-separated list:
|
||
|
|
<variablelist>
|
||
|
|
<varlistentry>
|
||
|
|
<term>no_check</term>
|
||
|
|
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
||
|
|
index 0a592da00..8727b4202 100644
|
||
|
|
--- a/src/providers/krb5/krb5_child.c
|
||
|
|
+++ b/src/providers/krb5/krb5_child.c
|
||
|
|
@@ -3866,11 +3866,10 @@ int main(int argc, const char *argv[])
|
||
|
|
goto done;
|
||
|
|
}
|
||
|
|
|
||
|
|
- /* To be able to read the PAC we have to request a service ticket where we
|
||
|
|
- * have a key to decrypt it, this is the same step we use for validating
|
||
|
|
- * the ticket. */
|
||
|
|
- if (cli_opts.check_pac_flags != 0) {
|
||
|
|
- kr->validate = true;
|
||
|
|
+ if (cli_opts.check_pac_flags != 0 && !kr->validate) {
|
||
|
|
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||
|
|
+ "PAC check is requested but krb5_validate is set to false. "
|
||
|
|
+ "PAC checks will be skipped.\n");
|
||
|
|
}
|
||
|
|
|
||
|
|
kerr = privileged_krb5_setup(kr, offline);
|
||
|
|
diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c
|
||
|
|
index ee48f459b..3e6ebe2ed 100644
|
||
|
|
--- a/src/providers/krb5/krb5_init_shared.c
|
||
|
|
+++ b/src/providers/krb5/krb5_init_shared.c
|
||
|
|
@@ -77,6 +77,16 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
|
||
|
|
goto done;
|
||
|
|
}
|
||
|
|
|
||
|
|
+ if (krb5_auth_ctx->check_pac_flags != 0
|
||
|
|
+ && !dp_opt_get_bool(krb5_auth_ctx->opts, KRB5_VALIDATE)) {
|
||
|
|
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||
|
|
+ "PAC check is requested but krb5_validate is set to false. "
|
||
|
|
+ "PAC checks will be skipped.\n");
|
||
|
|
+ sss_log(SSS_LOG_WARNING,
|
||
|
|
+ "PAC check is requested but krb5_validate is set to false. "
|
||
|
|
+ "PAC checks will be skipped.");
|
||
|
|
+ }
|
||
|
|
+
|
||
|
|
ret = parse_krb5_map_user(krb5_auth_ctx,
|
||
|
|
dp_opt_get_cstring(krb5_auth_ctx->opts,
|
||
|
|
KRB5_MAP_USER),
|
||
|
|
--
|
||
|
|
2.37.3
|
||
|
|
|