import sssd-2.7.3-4.el8_7.1
This commit is contained in:
parent
6559c78444
commit
3b446ac03c
124
SOURCES/0011-krb5-respect-krb5_validate-for-PAC-checks.patch
Normal file
124
SOURCES/0011-krb5-respect-krb5_validate-for-PAC-checks.patch
Normal file
@ -0,0 +1,124 @@
|
||||
From 72132c413a2b19fbc21120ce51698978fd926360 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 20 Sep 2022 15:37:01 +0200
|
||||
Subject: [PATCH] krb5: respect krb5_validate for PAC checks
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The first step of checking the PAC is the same as during the Kerberos
|
||||
ticket validation, requesting a service ticket for a service principal
|
||||
from the local keytab. By default ticket validation is enable for the
|
||||
IPA and AD provider where checking the PAC might become important. If
|
||||
ticket validation is disabled manually it is most probably because there
|
||||
are issues requesting the service ticket and fixing those is currently
|
||||
not possible.
|
||||
|
||||
Currently when SSSD is configured to check the PAC it ignores the
|
||||
krb5_validate setting and tries to request a service ticket which would
|
||||
fail in the case ticket validation is disabled for a reason. To not
|
||||
cause regressions with this patch SSSD will skip the PAC checks if
|
||||
ticket validation is disabled.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6355
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit f4dffaeaef16f146fc03970f62761fc335a3c7cc)
|
||||
---
|
||||
src/man/include/krb5_options.xml | 11 ++++++++++-
|
||||
src/man/sssd.conf.5.xml | 13 ++++++++++---
|
||||
src/providers/krb5/krb5_child.c | 9 ++++-----
|
||||
src/providers/krb5/krb5_init_shared.c | 10 ++++++++++
|
||||
4 files changed, 34 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/man/include/krb5_options.xml b/src/man/include/krb5_options.xml
|
||||
index c3292d1bb..d82be7bfa 100644
|
||||
--- a/src/man/include/krb5_options.xml
|
||||
+++ b/src/man/include/krb5_options.xml
|
||||
@@ -26,7 +26,16 @@
|
||||
keytab entry as the last entry or the only entry in the keytab file.
|
||||
</para>
|
||||
<para>
|
||||
- Default: false
|
||||
+ Default: false (IPA and AD provider: true)
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Please note that the ticket validation is the first step when
|
||||
+ checking the PAC (see 'pac_check' in the
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>sssd.conf</refentrytitle>
|
||||
+ <manvolnum>5</manvolnum>
|
||||
+ </citerefentry> manual page for details). If ticket
|
||||
+ validation is disabled the PAC checks will be skipped as well.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index 615b41550..7a9920815 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -2238,9 +2238,16 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
|
||||
<para>
|
||||
Apply additional checks on the PAC of the Kerberos
|
||||
ticket which is available in Active Directory and
|
||||
- FreeIPA domains, if configured. The following
|
||||
- options can be used alone or in a comma-separated
|
||||
- list:
|
||||
+ FreeIPA domains, if configured. Please note that
|
||||
+ Kerberos ticket validation must be enabled to be
|
||||
+ able to check the PAC, i.e. the krb5_validate option
|
||||
+ must be set to 'True' which is the default for the
|
||||
+ IPA and AD provider. If krb5_validate is set to
|
||||
+ 'False' the PAC checks will be skipped.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ The following options can be used alone or in a
|
||||
+ comma-separated list:
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>no_check</term>
|
||||
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
||||
index 0a592da00..8727b4202 100644
|
||||
--- a/src/providers/krb5/krb5_child.c
|
||||
+++ b/src/providers/krb5/krb5_child.c
|
||||
@@ -3866,11 +3866,10 @@ int main(int argc, const char *argv[])
|
||||
goto done;
|
||||
}
|
||||
|
||||
- /* To be able to read the PAC we have to request a service ticket where we
|
||||
- * have a key to decrypt it, this is the same step we use for validating
|
||||
- * the ticket. */
|
||||
- if (cli_opts.check_pac_flags != 0) {
|
||||
- kr->validate = true;
|
||||
+ if (cli_opts.check_pac_flags != 0 && !kr->validate) {
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
+ "PAC check is requested but krb5_validate is set to false. "
|
||||
+ "PAC checks will be skipped.\n");
|
||||
}
|
||||
|
||||
kerr = privileged_krb5_setup(kr, offline);
|
||||
diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c
|
||||
index ee48f459b..3e6ebe2ed 100644
|
||||
--- a/src/providers/krb5/krb5_init_shared.c
|
||||
+++ b/src/providers/krb5/krb5_init_shared.c
|
||||
@@ -77,6 +77,16 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ if (krb5_auth_ctx->check_pac_flags != 0
|
||||
+ && !dp_opt_get_bool(krb5_auth_ctx->opts, KRB5_VALIDATE)) {
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
+ "PAC check is requested but krb5_validate is set to false. "
|
||||
+ "PAC checks will be skipped.\n");
|
||||
+ sss_log(SSS_LOG_WARNING,
|
||||
+ "PAC check is requested but krb5_validate is set to false. "
|
||||
+ "PAC checks will be skipped.");
|
||||
+ }
|
||||
+
|
||||
ret = parse_krb5_map_user(krb5_auth_ctx,
|
||||
dp_opt_get_cstring(krb5_auth_ctx->opts,
|
||||
KRB5_MAP_USER),
|
||||
--
|
||||
2.37.3
|
||||
|
@ -19,7 +19,7 @@
|
||||
|
||||
Name: sssd
|
||||
Version: 2.7.3
|
||||
Release: 4%{?dist}
|
||||
Release: 4%{?dist}.1
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
@ -37,6 +37,7 @@ Patch0007: 0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch
|
||||
Patch0008: 0008-RESPONDER-Fix-client-ID-tracking.patch
|
||||
Patch0009: 0009-Analyzer-support-parallel-requests-parsing.patch
|
||||
Patch0010: 0010-CLIENT-fix-client-fd-leak.patch
|
||||
Patch0011: 0011-krb5-respect-krb5_validate-for-PAC-checks.patch
|
||||
|
||||
### Downstream Patches ###
|
||||
|
||||
@ -1187,6 +1188,9 @@ fi
|
||||
%systemd_postun_with_restart sssd.service
|
||||
|
||||
%changelog
|
||||
* Thu Oct 13 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4.1
|
||||
- Resolves: rhbz#2128544 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict) [rhel-8.7.0.z]
|
||||
|
||||
* Fri Aug 26 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4
|
||||
- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user