From 72132c413a2b19fbc21120ce51698978fd926360 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 20 Sep 2022 15:37:01 +0200 Subject: [PATCH] krb5: respect krb5_validate for PAC checks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The first step of checking the PAC is the same as during the Kerberos ticket validation, requesting a service ticket for a service principal from the local keytab. By default ticket validation is enabled for the IPA and AD provider where checking the PAC might become important. If ticket validation is disabled manually it is most probably because there are issues requesting the service ticket and fixing those is currently not possible. Currently when SSSD is configured to check the PAC it ignores the krb5_validate setting and tries to request a service ticket which would fail in the case ticket validation is disabled for a reason. To not cause regressions with this patch SSSD will skip the PAC checks if ticket validation is disabled. Resolves: https://github.com/SSSD/sssd/issues/6355 Reviewed-by: Alexey Tikhonov Reviewed-by: Tomáš Halman (cherry picked from commit f4dffaeaef16f146fc03970f62761fc335a3c7cc) --- src/man/include/krb5_options.xml | 11 ++++++++++- src/man/sssd.conf.5.xml | 13 ++++++++++--- src/providers/krb5/krb5_child.c | 9 ++++----- src/providers/krb5/krb5_init_shared.c | 10 ++++++++++ 4 files changed, 34 insertions(+), 9 deletions(-) diff --git a/src/man/include/krb5_options.xml b/src/man/include/krb5_options.xml index c3292d1bb..d82be7bfa 100644 --- a/src/man/include/krb5_options.xml +++ b/src/man/include/krb5_options.xml 
@@ -26,7 +26,16 @@ keytab entry as the last entry or the only entry in the keytab file. - Default: false + Default: false (IPA and AD provider: true) + + + Please note that the ticket validation is the first step when + checking the PAC (see 'pac_check' in the + + sssd.conf + 5 + manual page for details). If ticket + validation is disabled the PAC checks will be skipped as well. diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 615b41550..7a9920815 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -2238,9 +2238,16 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit Apply additional checks on the PAC of the Kerberos ticket which is available in Active Directory and - FreeIPA domains, if configured. The following - options can be used alone or in a comma-separated - list: + FreeIPA domains, if configured. Please note that + Kerberos ticket validation must be enabled to be + able to check the PAC, i.e. the krb5_validate option + must be set to 'True' which is the default for the + IPA and AD provider. If krb5_validate is set to + 'False' the PAC checks will be skipped. + + + The following options can be used alone or in a + comma-separated list: no_check diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 0a592da00..8727b4202 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -3866,11 +3866,10 @@ int main(int argc, const char *argv[]) goto done; } - /* To be able to read the PAC we have to request a service ticket where we - * have a key to decrypt it, this is the same step we use for validating - * the ticket. */ - if (cli_opts.check_pac_flags != 0) { - kr->validate = true; + if (cli_opts.check_pac_flags != 0 && !kr->validate) { + DEBUG(SSSDBG_IMPORTANT_INFO, + "PAC check is requested but krb5_validate is set to false. " + "PAC checks will be skipped.\n"); } kerr = privileged_krb5_setup(kr, offline); 
diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c index ee48f459b..3e6ebe2ed 100644 --- a/src/providers/krb5/krb5_init_shared.c +++ b/src/providers/krb5/krb5_init_shared.c @@ -77,6 +77,16 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx, goto done; } + if (krb5_auth_ctx->check_pac_flags != 0 + && !dp_opt_get_bool(krb5_auth_ctx->opts, KRB5_VALIDATE)) { + DEBUG(SSSDBG_IMPORTANT_INFO, + "PAC check is requested but krb5_validate is set to false. " + "PAC checks will be skipped.\n"); + sss_log(SSS_LOG_WARNING, + "PAC check is requested but krb5_validate is set to false. " + "PAC checks will be skipped."); + } + ret = parse_krb5_map_user(krb5_auth_ctx, dp_opt_get_cstring(krb5_auth_ctx->opts, KRB5_MAP_USER), -- 2.37.3
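Review bot: the new paragraph in the krb5_options.xml hunk tells the administrator that "the PAC checks will be skipped as well" when ticket validation is disabled, but not that SSSD reports this anywhere; since the krb5_init_shared.c hunk emits an sss_log(SSS_LOG_WARNING, ...) for exactly this situation, add a sentence such as "A warning is logged at startup when pac_check is configured but krb5_validate is false" so an operator auditing a domain knows where to look. The parenthetical "Default: false (IPA and AD provider: true)" is a useful correction of the previously misleading default and should stay.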
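Review bot: boolean spelling is inconsistent between the two man page hunks: krb5_options.xml writes `Default: false`, while the added sssd.conf.5.xml text says krb5_validate "must be set to 'True'" and "set to 'False'"; use the same lowercase `true`/`false` form in both places so the pac_check and krb5_validate descriptions agree. Rather than restating the default ("which is the default for the IPA and AD provider") here, consider pointing at the krb5_validate entry the way the krb5_options.xml hunk points at pac_check, so the default is documented in one place only.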
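Review bot: in the krb5_child.c hunk the removed comment ("To be able to read the PAC we have to request a service ticket where we have a key to decrypt it, this is the same step we use for validating the ticket.") is the rationale for the new `!kr->validate` branch and should be kept above it, since a reader of `if (cli_opts.check_pac_flags != 0 && !kr->validate)` otherwise cannot tell why ticket validation is a precondition for the PAC check. More importantly, the branch only emits a DEBUG message: nothing in this hunk clears `cli_opts.check_pac_flags` or changes `kr->validate`, so "PAC checks will be skipped" is true only if the PAC-check path further down is already gated on `kr->validate`. Please confirm that, or clear the flags here, otherwise the check would still be attempted without the service ticket that the removed comment says is required.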
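Review bot: the warning text in the krb5_init_shared.c hunk is written out twice (once for DEBUG, once for sss_log) and a third time in krb5_child.c; put it in a single `const char *` or a small helper so the copies cannot drift, and factor the duplicated `check_pac_flags != 0 && !validate` condition for the same reason. Note also that this is a fail-open path: an administrator who deliberately configured pac_check gets no PAC check at all, signalled only by one SSS_LOG_WARNING at backend start. The commit message explains that skipping is intentional to avoid regressions, which is a reasonable trade-off, but consider whether krb5_child_init should instead return a configuration error when both options are set explicitly, so that an intended hardening setting cannot be silently neutralised by `krb5_validate = false` elsewhere in the same domain section.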