Resolves: upstream#4126 pcscd rejecting sssd ldap_child as unauthorized
This commit is contained in:
parent
069e6c9dc8
commit
b81369e441
98
0005-ldap_child-do-not-try-PKINIT.patch
Normal file
98
0005-ldap_child-do-not-try-PKINIT.patch
Normal file
@ -0,0 +1,98 @@
|
||||
From 580d61884b6c0a81357d8f9fa69fe69d1f017185 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 6 Dec 2019 12:29:49 +0100
|
||||
Subject: [PATCH] ldap_child: do not try PKINIT
|
||||
|
||||
if the PKINIT plugin is installed and pkinit_identities is set in
|
||||
/etc/krb5.conf libkrb5 will try to do PKINIT although ldap_child only
|
||||
wants to authenticate with a keytab. As a result ldap_child might try to
|
||||
access a Smartcard which is either not allowed at all or might cause
|
||||
unexpected delays.
|
||||
|
||||
To avoid this the current patch sets pkinit_identities for LDAP child
|
||||
explicitly to make the PKINIT plugin fail because if installed libkrb5
|
||||
will always use it.
|
||||
|
||||
It turned out the setting pre-authentication options requires some
|
||||
internal flags to be set and krb5_get_init_creds_opt_alloc() must be
|
||||
used to initialize the options struct.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/4126
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/providers/ldap/ldap_child.c | 30 ++++++++++++++++++++++--------
|
||||
1 file changed, 22 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
|
||||
index 408d64db4..b081df90f 100644
|
||||
--- a/src/providers/ldap/ldap_child.c
|
||||
+++ b/src/providers/ldap/ldap_child.c
|
||||
@@ -277,7 +277,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
||||
krb5_ccache ccache = NULL;
|
||||
krb5_principal kprinc;
|
||||
krb5_creds my_creds;
|
||||
- krb5_get_init_creds_opt options;
|
||||
+ krb5_get_init_creds_opt *options = NULL;
|
||||
krb5_error_code krberr;
|
||||
krb5_timestamp kdc_time_offset;
|
||||
int canonicalize = 0;
|
||||
@@ -392,19 +392,32 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
||||
}
|
||||
|
||||
memset(&my_creds, 0, sizeof(my_creds));
|
||||
- memset(&options, 0, sizeof(options));
|
||||
|
||||
- krb5_get_init_creds_opt_set_address_list(&options, NULL);
|
||||
- krb5_get_init_creds_opt_set_forwardable(&options, 0);
|
||||
- krb5_get_init_creds_opt_set_proxiable(&options, 0);
|
||||
- krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
|
||||
+ krberr = krb5_get_init_creds_opt_alloc(context, &options);
|
||||
+ if (krberr != 0) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "krb5_get_init_creds_opt_alloc failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ krb5_get_init_creds_opt_set_address_list(options, NULL);
|
||||
+ krb5_get_init_creds_opt_set_forwardable(options, 0);
|
||||
+ krb5_get_init_creds_opt_set_proxiable(options, 0);
|
||||
+ krb5_get_init_creds_opt_set_tkt_life(options, lifetime);
|
||||
+ krberr = krb5_get_init_creds_opt_set_pa(context, options,
|
||||
+ "X509_user_identity", "");
|
||||
+ if (krberr != 0) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "krb5_get_init_creds_opt_set_pa failed [%d], ignored.\n",
|
||||
+ krberr);
|
||||
+ }
|
||||
+
|
||||
|
||||
tmp_str = getenv("KRB5_CANONICALIZE");
|
||||
if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
|
||||
DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n");
|
||||
canonicalize = 1;
|
||||
}
|
||||
- sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
|
||||
+ sss_krb5_get_init_creds_opt_set_canonicalize(options, canonicalize);
|
||||
|
||||
ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s",
|
||||
DB_PATH, realm_name);
|
||||
@@ -433,7 +446,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
||||
}
|
||||
|
||||
krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
|
||||
- keytab, 0, NULL, &options);
|
||||
+ keytab, 0, NULL, options);
|
||||
if (krberr != 0) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"krb5_get_init_creds_keytab() failed: %d\n", krberr);
|
||||
@@ -513,6 +526,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
||||
*expire_time_out = my_creds.times.endtime - kdc_time_offset;
|
||||
|
||||
done:
|
||||
+ krb5_get_init_creds_opt_free(context, options);
|
||||
if (krberr != 0) {
|
||||
if (*_krb5_msg == NULL) {
|
||||
/* no custom error message provided hence get one from libkrb5 */
|
||||
--
|
||||
2.20.1
|
||||
|
@ -36,7 +36,7 @@
|
||||
|
||||
Name: sssd
|
||||
Version: 2.2.3
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
URL: https://pagure.io/SSSD/sssd/
|
||||
@ -47,6 +47,7 @@ Patch0001: 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
|
||||
Patch0002: 0002-BUILD-Accept-krb5-1.18-for-building-the-PAC-plugin.patch
|
||||
Patch0003: 0003-INI-sssctl-config-check-command-error-messages.patch
|
||||
Patch0004: 0004-certmap-mention-special-regex-characters-in-man-page.patch
|
||||
Patch0005: 0005-ldap_child-do-not-try-PKINIT.patch
|
||||
|
||||
### Downstream only patches ###
|
||||
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
|
||||
@ -1075,6 +1076,9 @@ fi
|
||||
%{_libdir}/%{name}/modules/libwbclient.so
|
||||
|
||||
%changelog
|
||||
* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-4
|
||||
- Resolves: upstream#4126 pcscd rejecting sssd ldap_child as unauthorized
|
||||
|
||||
* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-3
|
||||
- Resolves: upstream#4127 - [Doc]Provide explanation on escape character for
|
||||
match rules sss-certmap
|
||||
|
Loading…
Reference in New Issue
Block a user