From b81369e44199efbafa3f90a8d086a963d9454ec0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Thu, 27 Feb 2020 03:03:56 +0100 Subject: [PATCH] Resolves: upstream#4126 pcscd rejecting sssd ldap_child as unauthorized --- 0005-ldap_child-do-not-try-PKINIT.patch | 98 +++++++++++++++++++++++++ sssd.spec | 6 +- 2 files changed, 103 insertions(+), 1 deletion(-) create mode 100644 0005-ldap_child-do-not-try-PKINIT.patch diff --git a/0005-ldap_child-do-not-try-PKINIT.patch b/0005-ldap_child-do-not-try-PKINIT.patch new file mode 100644 index 0000000..c0d5c51 --- /dev/null +++ b/0005-ldap_child-do-not-try-PKINIT.patch @@ -0,0 +1,98 @@ +From 580d61884b6c0a81357d8f9fa69fe69d1f017185 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 6 Dec 2019 12:29:49 +0100 +Subject: [PATCH] ldap_child: do not try PKINIT + +if the PKINIT plugin is installed and pkinit_identities is set in +/etc/krb5.conf libkrb5 will try to do PKINIT although ldap_child only +wants to authenticate with a keytab. As a result ldap_child might try to +access a Smartcard which is either not allowed at all or might cause +unexpected delays. + +To avoid this the current patch sets pkinit_identities for LDAP child +explicitly to make the PKINIT plugin fail because if installed libkrb5 +will always use it. + +It turned out the setting pre-authentication options requires some +internal flags to be set and krb5_get_init_creds_opt_alloc() must be +used to initialize the options struct. + +Related to https://pagure.io/SSSD/sssd/issue/4126 + +Reviewed-by: Alexey Tikhonov +--- + src/providers/ldap/ldap_child.c | 30 ++++++++++++++++++++++-------- + 1 file changed, 22 insertions(+), 8 deletions(-) + +diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c +index 408d64db4..b081df90f 100644 +--- a/src/providers/ldap/ldap_child.c ++++ b/src/providers/ldap/ldap_child.c +@@ -277,7 +277,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, + krb5_ccache ccache = NULL; + krb5_principal kprinc; + krb5_creds my_creds; +- krb5_get_init_creds_opt options; ++ krb5_get_init_creds_opt *options = NULL; + krb5_error_code krberr; + krb5_timestamp kdc_time_offset; + int canonicalize = 0; +@@ -392,19 +392,32 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, + } + + memset(&my_creds, 0, sizeof(my_creds)); +- memset(&options, 0, sizeof(options)); + +- krb5_get_init_creds_opt_set_address_list(&options, NULL); +- krb5_get_init_creds_opt_set_forwardable(&options, 0); +- krb5_get_init_creds_opt_set_proxiable(&options, 0); +- krb5_get_init_creds_opt_set_tkt_life(&options, lifetime); ++ krberr = krb5_get_init_creds_opt_alloc(context, &options); ++ if (krberr != 0) { ++ DEBUG(SSSDBG_OP_FAILURE, "krb5_get_init_creds_opt_alloc failed.\n"); ++ goto done; ++ } ++ ++ krb5_get_init_creds_opt_set_address_list(options, NULL); ++ krb5_get_init_creds_opt_set_forwardable(options, 0); ++ krb5_get_init_creds_opt_set_proxiable(options, 0); ++ krb5_get_init_creds_opt_set_tkt_life(options, lifetime); ++ krberr = krb5_get_init_creds_opt_set_pa(context, options, ++ "X509_user_identity", ""); ++ if (krberr != 0) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "krb5_get_init_creds_opt_set_pa failed [%d], ignored.\n", ++ krberr); ++ } ++ + + tmp_str = getenv("KRB5_CANONICALIZE"); + if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) { + DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n"); + canonicalize = 1; + } +- sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize); ++ sss_krb5_get_init_creds_opt_set_canonicalize(options, canonicalize); + + ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s", + DB_PATH, realm_name); +@@ -433,7 +446,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, + } + + krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc, +- keytab, 0, NULL, &options); ++ keytab, 0, NULL, options); + if (krberr != 0) { + DEBUG(SSSDBG_OP_FAILURE, + "krb5_get_init_creds_keytab() failed: %d\n", krberr); +@@ -513,6 +526,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, + *expire_time_out = my_creds.times.endtime - kdc_time_offset; + + done: ++ krb5_get_init_creds_opt_free(context, options); + if (krberr != 0) { + if (*_krb5_msg == NULL) { + /* no custom error message provided hence get one from libkrb5 */ +-- +2.20.1 + diff --git a/sssd.spec b/sssd.spec index 10e58bf..5421646 100644 --- a/sssd.spec +++ b/sssd.spec @@ -36,7 +36,7 @@ Name: sssd Version: 2.2.3 -Release: 3%{?dist} +Release: 4%{?dist} Summary: System Security Services Daemon License: GPLv3+ URL: https://pagure.io/SSSD/sssd/ @@ -47,6 +47,7 @@ Patch0001: 0001-Fix-build-failure-against-samba-4.12.0rc1.patch Patch0002: 0002-BUILD-Accept-krb5-1.18-for-building-the-PAC-plugin.patch Patch0003: 0003-INI-sssctl-config-check-command-error-messages.patch Patch0004: 0004-certmap-mention-special-regex-characters-in-man-page.patch +Patch0005: 0005-ldap_child-do-not-try-PKINIT.patch ### Downstream only patches ### Patch0502: 0502-SYSTEMD-Use-capabilities.patch @@ -1075,6 +1076,9 @@ fi %{_libdir}/%{name}/modules/libwbclient.so %changelog +* Wed Feb 26 2020 Michal Židek - 2.2.3-4 +- Resolves: upstream#4126 pcscd rejecting sssd ldap_child as unauthorized + * Wed Feb 26 2020 Michal Židek - 2.2.3-3 - Resolves: upstream#4127 - [Doc]Provide explanation on escape character for match rules sss-certmap