99 lines
3.9 KiB
Diff
99 lines
3.9 KiB
Diff
From 580d61884b6c0a81357d8f9fa69fe69d1f017185 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Fri, 6 Dec 2019 12:29:49 +0100
|
|
Subject: [PATCH] ldap_child: do not try PKINIT
|
|
|
|
if the PKINIT plugin is installed and pkinit_identities is set in
|
|
/etc/krb5.conf libkrb5 will try to do PKINIT although ldap_child only
|
|
wants to authenticate with a keytab. As a result ldap_child might try to
|
|
access a Smartcard which is either not allowed at all or might cause
|
|
unexpected delays.
|
|
|
|
To avoid this the current patch sets pkinit_identities for LDAP child
|
|
explicitly to make the PKINIT plugin fail because if installed libkrb5
|
|
will always use it.
|
|
|
|
It turned out the setting pre-authentication options requires some
|
|
internal flags to be set and krb5_get_init_creds_opt_alloc() must be
|
|
used to initialize the options struct.
|
|
|
|
Related to https://pagure.io/SSSD/sssd/issue/4126
|
|
|
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
---
|
|
src/providers/ldap/ldap_child.c | 30 ++++++++++++++++++++++--------
|
|
1 file changed, 22 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
|
|
index 408d64db4..b081df90f 100644
|
|
--- a/src/providers/ldap/ldap_child.c
|
|
+++ b/src/providers/ldap/ldap_child.c
|
|
@@ -277,7 +277,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
|
krb5_ccache ccache = NULL;
|
|
krb5_principal kprinc;
|
|
krb5_creds my_creds;
|
|
- krb5_get_init_creds_opt options;
|
|
+ krb5_get_init_creds_opt *options = NULL;
|
|
krb5_error_code krberr;
|
|
krb5_timestamp kdc_time_offset;
|
|
int canonicalize = 0;
|
|
@@ -392,19 +392,32 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
|
}
|
|
|
|
memset(&my_creds, 0, sizeof(my_creds));
|
|
- memset(&options, 0, sizeof(options));
|
|
|
|
- krb5_get_init_creds_opt_set_address_list(&options, NULL);
|
|
- krb5_get_init_creds_opt_set_forwardable(&options, 0);
|
|
- krb5_get_init_creds_opt_set_proxiable(&options, 0);
|
|
- krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
|
|
+ krberr = krb5_get_init_creds_opt_alloc(context, &options);
|
|
+ if (krberr != 0) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE, "krb5_get_init_creds_opt_alloc failed.\n");
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ krb5_get_init_creds_opt_set_address_list(options, NULL);
|
|
+ krb5_get_init_creds_opt_set_forwardable(options, 0);
|
|
+ krb5_get_init_creds_opt_set_proxiable(options, 0);
|
|
+ krb5_get_init_creds_opt_set_tkt_life(options, lifetime);
|
|
+ krberr = krb5_get_init_creds_opt_set_pa(context, options,
|
|
+ "X509_user_identity", "");
|
|
+ if (krberr != 0) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
+ "krb5_get_init_creds_opt_set_pa failed [%d], ignored.\n",
|
|
+ krberr);
|
|
+ }
|
|
+
|
|
|
|
tmp_str = getenv("KRB5_CANONICALIZE");
|
|
if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
|
|
DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n");
|
|
canonicalize = 1;
|
|
}
|
|
- sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
|
|
+ sss_krb5_get_init_creds_opt_set_canonicalize(options, canonicalize);
|
|
|
|
ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s",
|
|
DB_PATH, realm_name);
|
|
@@ -433,7 +446,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
|
}
|
|
|
|
krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
|
|
- keytab, 0, NULL, &options);
|
|
+ keytab, 0, NULL, options);
|
|
if (krberr != 0) {
|
|
DEBUG(SSSDBG_OP_FAILURE,
|
|
"krb5_get_init_creds_keytab() failed: %d\n", krberr);
|
|
@@ -513,6 +526,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
|
*expire_time_out = my_creds.times.endtime - kdc_time_offset;
|
|
|
|
done:
|
|
+ krb5_get_init_creds_opt_free(context, options);
|
|
if (krberr != 0) {
|
|
if (*_krb5_msg == NULL) {
|
|
/* no custom error message provided hence get one from libkrb5 */
|
|
--
|
|
2.20.1
|
|
|