diff --git a/SOURCES/0011-krb5-respect-krb5_validate-for-PAC-checks.patch b/SOURCES/0011-krb5-respect-krb5_validate-for-PAC-checks.patch
new file mode 100644
index 0000000..d747ae3
--- /dev/null
+++ b/SOURCES/0011-krb5-respect-krb5_validate-for-PAC-checks.patch
@@ -0,0 +1,124 @@
+From 72132c413a2b19fbc21120ce51698978fd926360 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 20 Sep 2022 15:37:01 +0200
+Subject: [PATCH] krb5: respect krb5_validate for PAC checks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The first step of checking the PAC is the same as during the Kerberos
+ticket validation, requesting a service ticket for a service principal
+from the local keytab. By default ticket validation is enable for the
+IPA and AD provider where checking the PAC might become important. If
+ticket validation is disabled manually it is most probably because there
+are issues requesting the service ticket and fixing those is currently
+not possible.
+
+Currently when SSSD is configured to check the PAC it ignores the
+krb5_validate setting and tries to request a service ticket which would
+fail in the case ticket validation is disabled for a reason. To not
+cause regressions with this patch SSSD will skip the PAC checks if
+ticket validation is disabled.
+
+Resolves: https://github.com/SSSD/sssd/issues/6355
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Tomáš Halman
+(cherry picked from commit f4dffaeaef16f146fc03970f62761fc335a3c7cc)
+---
+ src/man/include/krb5_options.xml | 11 ++++++++++-
+ src/man/sssd.conf.5.xml | 13 ++++++++++---
+ src/providers/krb5/krb5_child.c | 9 ++++-----
+ src/providers/krb5/krb5_init_shared.c | 10 ++++++++++
+ 4 files changed, 34 insertions(+), 9 deletions(-)
+
+diff --git a/src/man/include/krb5_options.xml b/src/man/include/krb5_options.xml
+index c3292d1bb..d82be7bfa 100644
+--- a/src/man/include/krb5_options.xml
++++ b/src/man/include/krb5_options.xml
+@@ -26,7 +26,16 @@
+ keytab entry as the last entry or the only entry in the keytab file. 
+
+
+- Default: false
++ Default: false (IPA and AD provider: true)
++
++
++ Please note that the ticket validation is the first step when
++ checking the PAC (see 'pac_check' in the
++
++ sssd.conf
++ 5
++ manual page for details). If ticket
++ validation is disabled the PAC checks will be skipped as well.
+
+
+
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index 615b41550..7a9920815 100644
+--- a/src/man/sssd.conf.5.xml
++++ b/src/man/sssd.conf.5.xml
+@@ -2238,9 +2238,16 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
+
+
+ Apply additional checks on the PAC of the Kerberos
+ ticket which is available in Active Directory and
+- FreeIPA domains, if configured. The following
+- options can be used alone or in a comma-separated
+- list:
++ FreeIPA domains, if configured. Please note that
++ Kerberos ticket validation must be enabled to be
++ able to check the PAC, i.e. the krb5_validate option
++ must be set to 'True' which is the default for the
++ IPA and AD provider. If krb5_validate is set to
++ 'False' the PAC checks will be skipped.
++
++
++ The following options can be used alone or in a
++ comma-separated list:
+
+
+ no_check
+diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
+index 0a592da00..8727b4202 100644
+--- a/src/providers/krb5/krb5_child.c
++++ b/src/providers/krb5/krb5_child.c
+@@ -3866,11 +3866,10 @@ int main(int argc, const char *argv[])
+ goto done;
+ }
+
+- /* To be able to read the PAC we have to request a service ticket where we
+- * have a key to decrypt it, this is the same step we use for validating
+- * the ticket. */
+- if (cli_opts.check_pac_flags != 0) {
+- kr->validate = true;
++ if (cli_opts.check_pac_flags != 0 && !kr->validate) {
++ DEBUG(SSSDBG_IMPORTANT_INFO,
++ "PAC check is requested but krb5_validate is set to false. 
"
++ "PAC checks will be skipped.\n");
+ }
+
+ kerr = privileged_krb5_setup(kr, offline);
+diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c
+index ee48f459b..3e6ebe2ed 100644
+--- a/src/providers/krb5/krb5_init_shared.c
++++ b/src/providers/krb5/krb5_init_shared.c
+@@ -77,6 +77,16 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
+ goto done;
+ }
+
++ if (krb5_auth_ctx->check_pac_flags != 0
++ && !dp_opt_get_bool(krb5_auth_ctx->opts, KRB5_VALIDATE)) {
++ DEBUG(SSSDBG_IMPORTANT_INFO,
++ "PAC check is requested but krb5_validate is set to false. "
++ "PAC checks will be skipped.\n");
++ sss_log(SSS_LOG_WARNING,
++ "PAC check is requested but krb5_validate is set to false. "
++ "PAC checks will be skipped.");
++ }
++
+ ret = parse_krb5_map_user(krb5_auth_ctx,
+ dp_opt_get_cstring(krb5_auth_ctx->opts,
+ KRB5_MAP_USER),
+--
+2.37.3
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index bcd13a8..1800e3b 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -19,7 +19,7 @@ Name: sssd
Version: 2.7.3
-Release: 4%{?dist}
+Release: 4%{?dist}.1
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -37,6 +37,7 @@ Patch0007: 0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch
Patch0008: 0008-RESPONDER-Fix-client-ID-tracking.patch
Patch0009: 0009-Analyzer-support-parallel-requests-parsing.patch
Patch0010: 0010-CLIENT-fix-client-fd-leak.patch
+Patch0011: 0011-krb5-respect-krb5_validate-for-PAC-checks.patch
### Downstream Patches ###
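Review bot: The new `if` in krb5_child.c main() only logs and falls through, and the comment that used to explain why reading the PAC needs the same service ticket as ticket validation was removed with it, so nothing in the code now says why a false `kr->validate` makes the PAC checks unreachable or where that skip actually happens; presumably the PAC code sits on the validation path that `kr->validate` gates, but that is not visible in this hunk. I would keep the rationale next to the new condition, e.g. `/* Reading the PAC needs the same service ticket as ticket validation, so with krb5_validate=false the PAC cannot be checked; warn here and let the validation gate skip it. */`. The same two-line message literal is also spelled out three times (DEBUG here, DEBUG and sss_log in krb5_child_init()); a single `static const char` string, or one helper emitting both the debug and the syslog line, would keep the wording from drifting. Since the krb5_child.c warning fires on every child run while the krb5_child_init() one is the operator-visible syslog entry, the comment should also make explicit that a configured pac_check becomes a no-op rather than an error. main() and krb5_child_init() both continue outside the hunk.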
@@ -1187,6 +1188,9 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
+* Thu Oct 13 2022 Alexey Tikhonov - 2.7.3-4.1
+- Resolves: rhbz#2128544 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict) [rhel-8.7.0.z]
+
* Fri Aug 26 2022 Alexey Tikhonov - 2.7.3-4
- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8