From 72132c413a2b19fbc21120ce51698978fd926360 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 20 Sep 2022 15:37:01 +0200
Subject: [PATCH] krb5: respect krb5_validate for PAC checks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The first step of checking the PAC is the same as during the Kerberos
ticket validation, requesting a service ticket for a service principal
from the local keytab. By default ticket validation is enabled for the
IPA and AD provider where checking the PAC might become important. If
ticket validation is disabled manually it is most probably because there
are issues requesting the service ticket and fixing those is currently
not possible.
Currently when SSSD is configured to check the PAC it ignores the
krb5_validate setting and tries to request a service ticket which would
fail in the case ticket validation is disabled for a reason. To not
cause regressions with this patch SSSD will skip the PAC checks if
ticket validation is disabled.
Resolves: https://github.com/SSSD/sssd/issues/6355
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit f4dffaeaef16f146fc03970f62761fc335a3c7cc)
---
src/man/include/krb5_options.xml | 11 ++++++++++-
src/man/sssd.conf.5.xml | 13 ++++++++++---
src/providers/krb5/krb5_child.c | 9 ++++-----
src/providers/krb5/krb5_init_shared.c | 10 ++++++++++
4 files changed, 34 insertions(+), 9 deletions(-)
diff --git a/src/man/include/krb5_options.xml b/src/man/include/krb5_options.xml
index c3292d1bb..d82be7bfa 100644
--- a/src/man/include/krb5_options.xml
+++ b/src/man/include/krb5_options.xml
@@ -26,7 +26,16 @@
keytab entry as the last entry or the only entry in the keytab file.
</para>
<para>
- Default: false
+ Default: false (IPA and AD provider: true)
+ </para>
+ <para>
+ Please note that the ticket validation is the first step when
+ checking the PAC (see 'pac_check' in the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page for details). If ticket
+ validation is disabled the PAC checks will be skipped as well.
</para>
</listitem>
</varlistentry>
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 615b41550..7a9920815 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2238,9 +2238,16 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
<para>
Apply additional checks on the PAC of the Kerberos
ticket which is available in Active Directory and
- FreeIPA domains, if configured. The following
- options can be used alone or in a comma-separated
- list:
+ FreeIPA domains, if configured. Please note that
+ Kerberos ticket validation must be enabled to be
+ able to check the PAC, i.e. the krb5_validate option
+ must be set to 'True' which is the default for the
+ IPA and AD provider. If krb5_validate is set to
+ 'False' the PAC checks will be skipped.
+ </para>
+ <para>
+ The following options can be used alone or in a
+ comma-separated list:
<variablelist>
<varlistentry>
<term>no_check</term>
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 0a592da00..8727b4202 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -3866,11 +3866,10 @@ int main(int argc, const char *argv[])
goto done;
}
- /* To be able to read the PAC we have to request a service ticket where we
- * have a key to decrypt it, this is the same step we use for validating
- * the ticket. */
- if (cli_opts.check_pac_flags != 0) {
- kr->validate = true;
+ if (cli_opts.check_pac_flags != 0 && !kr->validate) {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "PAC check is requested but krb5_validate is set to false. "
+ "PAC checks will be skipped.\n");
}
kerr = privileged_krb5_setup(kr, offline);
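Review bot: The new branch in main() only logs when a PAC check is requested without validation, and with the old comment removed nothing in this hunk says why not forcing kr->validate amounts to skipping the PAC check; a reader has to know that the PAC is read inside the ticket-validation path, which lies outside this hunk. A comment on the new `if` would keep that coupling visible: `/* The PAC is read while validating the ticket against a keytab service ticket; without krb5_validate no such ticket is requested, so the PAC checks are skipped rather than forced on. */`. The skip itself is not visible here and is presumably implemented where kr->validate is consumed; it is worth confirming that no other consumer of check_pac_flags still acts without checking kr->validate. main() starts and ends outside the hunk.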
diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c
index ee48f459b..3e6ebe2ed 100644
--- a/src/providers/krb5/krb5_init_shared.c
+++ b/src/providers/krb5/krb5_init_shared.c
@@ -77,6 +77,16 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
goto done;
}
+ if (krb5_auth_ctx->check_pac_flags != 0
+ && !dp_opt_get_bool(krb5_auth_ctx->opts, KRB5_VALIDATE)) {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "PAC check is requested but krb5_validate is set to false. "
+ "PAC checks will be skipped.\n");
+ sss_log(SSS_LOG_WARNING,
+ "PAC check is requested but krb5_validate is set to false. "
+ "PAC checks will be skipped.");
+ }
+
ret = parse_krb5_map_user(krb5_auth_ctx,
dp_opt_get_cstring(krb5_auth_ctx->opts,
KRB5_MAP_USER),
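Review bot: The same warning text is spelled out three times, twice in this hunk (the DEBUG and the sss_log call) and once more in the krb5_child.c hunk, so the next edit to one copy will silently desynchronise the others. A single shared literal, e.g. `#define PAC_CHECK_SKIPPED_MSG "PAC check is requested but krb5_validate is set to false. PAC checks will be skipped."` in a header both files already include, used as `DEBUG(SSSDBG_IMPORTANT_INFO, PAC_CHECK_SKIPPED_MSG "\n");` and `sss_log(SSS_LOG_WARNING, PAC_CHECK_SKIPPED_MSG);`, keeps the operator-facing and debug messages identical. Emitting the sss_log() once at provider start-up is the right place for an administrator to notice that a requested PAC check is not being enforced; the per-request DEBUG in krb5_child.c is a reasonable trace-level complement. krb5_child_init() starts and ends outside the hunk.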
--
2.37.3