2d7cc19 ipa-kdb: PAC consistency checker needs to handle child domains as well

1 file changed. Authored by abbra a year ago, committed by rcritten a year ago.
    ipa-kdb: PAC consistency checker needs to handle child domains as well
    
    When the PAC check is performed, we might get a signing TGT instead of the
    client DB entry. This means it is a principal from a trusted domain, but
    we don't know which one exactly because we only have a krbtgt for the
    forest root. This happens in MIT Kerberos 1.20 or later, where the KDB's
    issue_pac() callback never gets the original client principal directly.
    
    Look into known child domains as well and make the check pass if both the
    NetBIOS name and the SID correspond to one of the trusted domains under this
    forest root. Move the check for the SID before the NetBIOS name check because we
    can use the SID of the domain in the PAC to find the right child domain in
    our trusted domains' topology list.
    
    Fixes: https://pagure.io/freeipa/issue/9316
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    
File modified: +32 -19