|
|
0034f4 |
From 0e618c36ed74c240f7acd071ccb7bfd405b2d827 Mon Sep 17 00:00:00 2001
|
|
|
0034f4 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
0034f4 |
Date: Tue, 22 Nov 2022 14:43:21 +0100
|
|
|
0034f4 |
Subject: [PATCH 19/19] pac: relax default check
|
|
|
0034f4 |
|
|
|
0034f4 |
To avoid issues with the UPN check during PAC validation when
|
|
|
0034f4 |
'ldap_user_principal' is set to a not existing attribute to skip reading
|
|
|
0034f4 |
user principals a new 'pac_check' option, 'check_upn_allow_missing' is
|
|
|
0034f4 |
added to the default options. With this option only a log message is
|
|
|
0034f4 |
shown but the check will not fail.
|
|
|
0034f4 |
|
|
|
0034f4 |
Resolves: https://github.com/SSSD/sssd/issues/6451
|
|
|
0034f4 |
|
|
|
0034f4 |
(cherry picked from commit 51b11db8b99a77ba5ccf6f850c2e81b5a6ee9f79)
|
|
|
0034f4 |
|
|
|
0034f4 |
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
|
0034f4 |
---
|
|
|
0034f4 |
src/confdb/confdb.h | 2 +-
|
|
|
0034f4 |
src/man/sssd.conf.5.xml | 30 +++++++++++++++++++++++++++++-
|
|
|
0034f4 |
src/providers/ad/ad_pac_common.c | 24 ++++++++++++++++++++----
|
|
|
0034f4 |
src/util/pac_utils.c | 10 ++++++++++
|
|
|
0034f4 |
src/util/util.h | 2 ++
|
|
|
0034f4 |
5 files changed, 62 insertions(+), 6 deletions(-)
|
|
|
0034f4 |
|
|
|
0034f4 |
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
|
0034f4 |
index 83f6be7f9..5fda67585 100644
|
|
|
0034f4 |
--- a/src/confdb/confdb.h
|
|
|
0034f4 |
+++ b/src/confdb/confdb.h
|
|
|
0034f4 |
@@ -181,7 +181,7 @@
|
|
|
0034f4 |
#define CONFDB_PAC_LIFETIME "pac_lifetime"
|
|
|
0034f4 |
#define CONFDB_PAC_CHECK "pac_check"
|
|
|
0034f4 |
#define CONFDB_PAC_CHECK_DEFAULT "no_check"
|
|
|
0034f4 |
-#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_dns_info_ex"
|
|
|
0034f4 |
+#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_allow_missing, check_upn_dns_info_ex"
|
|
|
0034f4 |
|
|
|
0034f4 |
/* InfoPipe */
|
|
|
0034f4 |
#define CONFDB_IFP_CONF_ENTRY "config/ifp"
|
|
|
0034f4 |
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
|
0034f4 |
index 7a9920815..d9f4a7481 100644
|
|
|
0034f4 |
--- a/src/man/sssd.conf.5.xml
|
|
|
0034f4 |
+++ b/src/man/sssd.conf.5.xml
|
|
|
0034f4 |
@@ -2275,6 +2275,34 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
|
|
|
0034f4 |
consistent.</para>
|
|
|
0034f4 |
</listitem>
|
|
|
0034f4 |
</varlistentry>
|
|
|
0034f4 |
+ <varlistentry>
|
|
|
0034f4 |
+ <term>check_upn_allow_missing</term>
|
|
|
0034f4 |
+ <listitem>
|
|
|
0034f4 |
+ <para>This option should be used together
|
|
|
0034f4 |
+ with 'check_upn' and handles the case where
|
|
|
0034f4 |
+ a UPN is set on the server-side but is not
|
|
|
0034f4 |
+ read by SSSD. The typical example is a
|
|
|
0034f4 |
+ FreeIPA domain where 'ldap_user_principal'
|
|
|
0034f4 |
+ is set to a not existing attribute name.
|
|
|
0034f4 |
+ This was typically done to work-around
|
|
|
0034f4 |
+ issues in the handling of enterprise
|
|
|
0034f4 |
+ principals. But this is fixed since quite
|
|
|
0034f4 |
+ some time and FreeIPA can handle enterprise
|
|
|
0034f4 |
+ principals just fine and there is no need
|
|
|
0034f4 |
+ anymore to set 'ldap_user_principal'.</para>
|
|
|
0034f4 |
+ <para>Currently this option is set by
|
|
|
0034f4 |
+ default to avoid regressions in such
|
|
|
0034f4 |
+ environments. A log message will be added
|
|
|
0034f4 |
+ to the system log and SSSD's debug log in
|
|
|
0034f4 |
+ case a UPN is found in the PAC but not in
|
|
|
0034f4 |
+ SSSD's cache. To avoid this log message it
|
|
|
0034f4 |
+ would be best to evaluate if the
|
|
|
0034f4 |
+ 'ldap_user_principal' option can be removed.
|
|
|
0034f4 |
+ If this is not possible, removing
|
|
|
0034f4 |
+ 'check_upn' will skip the test and avoid the
|
|
|
0034f4 |
+ log message.</para>
|
|
|
0034f4 |
+ </listitem>
|
|
|
0034f4 |
+ </varlistentry>
|
|
|
0034f4 |
<varlistentry>
|
|
|
0034f4 |
<term>upn_dns_info_present</term>
|
|
|
0034f4 |
<listitem>
|
|
|
0034f4 |
@@ -2305,7 +2333,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
|
|
|
0034f4 |
</para>
|
|
|
0034f4 |
<para>
|
|
|
0034f4 |
Default: no_check (AD and IPA provider
|
|
|
0034f4 |
- 'check_upn, check_upn_dns_info_ex')
|
|
|
0034f4 |
+ 'check_upn, check_upn_allow_missing, check_upn_dns_info_ex')
|
|
|
0034f4 |
</para>
|
|
|
0034f4 |
</listitem>
|
|
|
0034f4 |
</varlistentry>
|
|
|
0034f4 |
diff --git a/src/providers/ad/ad_pac_common.c b/src/providers/ad/ad_pac_common.c
|
|
|
0034f4 |
index 79f79b7a7..fcb54cd2c 100644
|
|
|
0034f4 |
--- a/src/providers/ad/ad_pac_common.c
|
|
|
0034f4 |
+++ b/src/providers/ad/ad_pac_common.c
|
|
|
0034f4 |
@@ -215,10 +215,26 @@ errno_t check_upn_and_sid_from_user_and_pac(struct ldb_message *msg,
|
|
|
0034f4 |
DEBUG(SSSDBG_MINOR_FAILURE, "User object does not have a UPN but PAC "
|
|
|
0034f4 |
"says otherwise, maybe ldap_user_principal option is set.\n");
|
|
|
0034f4 |
if (pac_check_opts & CHECK_PAC_CHECK_UPN) {
|
|
|
0034f4 |
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
0034f4 |
- "UPN is missing but PAC UPN check required, "
|
|
|
0034f4 |
- "PAC validation failed.\n");
|
|
|
0034f4 |
- return ERR_CHECK_PAC_FAILED;
|
|
|
0034f4 |
+ if (pac_check_opts & CHECK_PAC_CHECK_UPN_ALLOW_MISSING) {
|
|
|
0034f4 |
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
|
|
0034f4 |
+ "UPN is missing but PAC UPN check required, "
|
|
|
0034f4 |
+ "PAC validation failed. However, "
|
|
|
0034f4 |
+ "'check_upn_allow_missing' is set and the error is "
|
|
|
0034f4 |
+ "ignored. To make this message go away please check "
|
|
|
0034f4 |
+ "why the UPN is not read from the server. In FreeIPA "
|
|
|
0034f4 |
+ "environments 'ldap_user_principal' is most probably "
|
|
|
0034f4 |
+ "set to a non-existing attribute name to avoid "
|
|
|
0034f4 |
+ "issues with enterprise principals. This is not "
|
|
|
0034f4 |
+ "needed anymore with recent versions of FreeIPA.\n");
|
|
|
0034f4 |
+ sss_log(SSS_LOG_CRIT, "PAC validation issue, please check "
|
|
|
0034f4 |
+ "sssd_pac.log for details");
|
|
|
0034f4 |
+ return EOK;
|
|
|
0034f4 |
+ } else {
|
|
|
0034f4 |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
0034f4 |
+ "UPN is missing but PAC UPN check required, "
|
|
|
0034f4 |
+ "PAC validation failed.\n");
|
|
|
0034f4 |
+ return ERR_CHECK_PAC_FAILED;
|
|
|
0034f4 |
+ }
|
|
|
0034f4 |
}
|
|
|
0034f4 |
}
|
|
|
0034f4 |
|
|
|
0034f4 |
diff --git a/src/util/pac_utils.c b/src/util/pac_utils.c
|
|
|
0034f4 |
index c53b0c082..4499d8dfd 100644
|
|
|
0034f4 |
--- a/src/util/pac_utils.c
|
|
|
0034f4 |
+++ b/src/util/pac_utils.c
|
|
|
0034f4 |
@@ -64,6 +64,8 @@ static errno_t check_check_pac_opt(const char *inp, uint32_t *check_pac_flags)
|
|
|
0034f4 |
flags |= CHECK_PAC_CHECK_UPN_DNS_INFO_EX;
|
|
|
0034f4 |
flags |= CHECK_PAC_UPN_DNS_INFO_PRESENT;
|
|
|
0034f4 |
flags |= CHECK_PAC_CHECK_UPN;
|
|
|
0034f4 |
+ } else if (strcasecmp(list[c], CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR) == 0) {
|
|
|
0034f4 |
+ flags |= CHECK_PAC_CHECK_UPN_ALLOW_MISSING;
|
|
|
0034f4 |
} else {
|
|
|
0034f4 |
DEBUG(SSSDBG_OP_FAILURE, "Unknown value [%s] for pac_check.\n",
|
|
|
0034f4 |
list[c]);
|
|
|
0034f4 |
@@ -72,6 +74,14 @@ static errno_t check_check_pac_opt(const char *inp, uint32_t *check_pac_flags)
|
|
|
0034f4 |
}
|
|
|
0034f4 |
}
|
|
|
0034f4 |
|
|
|
0034f4 |
+ if ((flags & CHECK_PAC_CHECK_UPN_ALLOW_MISSING)
|
|
|
0034f4 |
+ && !(flags & CHECK_PAC_CHECK_UPN)) {
|
|
|
0034f4 |
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
|
|
0034f4 |
+ "pac_check option '%s' is set but '%s' is not set, this means "
|
|
|
0034f4 |
+ "the UPN is not checked.\n",
|
|
|
0034f4 |
+ CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR, CHECK_PAC_CHECK_UPN_STR);
|
|
|
0034f4 |
+ }
|
|
|
0034f4 |
+
|
|
|
0034f4 |
ret = EOK;
|
|
|
0034f4 |
|
|
|
0034f4 |
done:
|
|
|
0034f4 |
diff --git a/src/util/util.h b/src/util/util.h
|
|
|
0034f4 |
index 6d9111874..4b2651c2c 100644
|
|
|
0034f4 |
--- a/src/util/util.h
|
|
|
0034f4 |
+++ b/src/util/util.h
|
|
|
0034f4 |
@@ -818,6 +818,8 @@ uint64_t get_spend_time_us(uint64_t st);
|
|
|
0034f4 |
#define CHECK_PAC_CHECK_UPN_DNS_INFO_EX (1 << 3)
|
|
|
0034f4 |
#define CHECK_PAC_UPN_DNS_INFO_EX_PRESENT_STR "upn_dns_info_ex_present"
|
|
|
0034f4 |
#define CHECK_PAC_UPN_DNS_INFO_EX_PRESENT (1 << 4)
|
|
|
0034f4 |
+#define CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR "check_upn_allow_missing"
|
|
|
0034f4 |
+#define CHECK_PAC_CHECK_UPN_ALLOW_MISSING (1 << 5)
|
|
|
0034f4 |
|
|
|
0034f4 |
errno_t get_pac_check_config(struct confdb_ctx *cdb, uint32_t *pac_check_opts);
|
|
|
0034f4 |
#endif /* __SSSD_UTIL_H__ */
|
|
|
0034f4 |
--
|
|
|
0034f4 |
2.37.3
|
|
|
0034f4 |
|