3f1b373 Tolerate absence of PAC ticket signature depending of server capabilities

10 files Authored by jrische a year ago, Committed by frenaud a year ago,
    Tolerate absence of PAC ticket signature depending of server capabilities
    Since November 2020, Active Directory KDC generates a new type of
    signature as part of the PAC. It is called "ticket signature", and is
    generated based on the encrypted part of the ticket. The presence of
    this signature is not mandatory in order for the PAC to be accepted for
    S4U requests.
    However, the behavior is different for MIT krb5. Support was added as
    part of the 1.20 release, and this signature is required in order to
    process S4U requests. Contrary to the PAC extended KDC signature, the
    code generating this signature cannot be isolated and backported to
    older krb5 versions because this version of the KDB API does not allow
    passing the content of the ticket's encrypted part to IPA.
    This is an issue in gradual upgrade scenarios where some IPA servers
    rely on 1.19 and older versions of MIT krb5, while others use version
    1.20 or newer. A service ticket that was provided by 1.19- IPA KDC will
    be rejected when used by a service against a 1.20+ IPA KDC for S4U
    On Fedora, CentOS 9 Stream, and RHEL 9, when the krb5 version is 1.20 or
    newer, it will include a downstream-only update adding the
    "optional_pac_tkt_chksum" KDB string attribute allowing to tolerate the
    absence of PAC ticket signatures, if necessary.
    This commit adds an extra step during the installation and update
    processes where it adds a "pacTktSignSupported" ipaConfigString
    attribute in "cn=KDC,cn=[server],cn=masters,cn=ipa,cn=etc,[basedn]" if
    the MIT krb5 version IPA what built with was 1.20 or newer.
    This commit also set "optional_pac_tkt_chksum" as a virtual KDB entry
    attribute. This means the value of the attribute is not actually stored
    in the database (to avoid race conditions), but its value is determined
    at the KDC starting time by search the "pacTktSignSupported"
    ipaConfigString in the server list. If this value is missing for at
    least of them is missing, enforcement of the PAC ticket signature is
    disabled by setting "optional_pac_tkt_chksum" to true for the local
    realm TGS KDB entry.
    For foreign realm TGS KDB entries, the "optional_pac_tkt_chksum" virtual
    string attribute is set to true systematically, because, at least for
    now, trusted AD domains can still have PAC ticket signature support
    Given the fact the "pacTktSignSupported" ipaConfigString for a single
    server is added when this server is updated, and that the value of
    "optional_pac_tkt_chksum" is determined at KDC starting time based on
    the ipaConfigString attributes of all the KDCs in the domain, this
    requires to restart all the KDCs in the domain after all IPA servers
    were updated in order for PAC ticket signature enforcement to actually
    take effect.
    Fixes: https://pagure.io/freeipa/issue/9371
    Signed-off-by: Julien Rische <jrische@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
file modified
+6 -0
file modified
+1 -0
file modified
+55 -0
file modified
+1 -0
file modified
+8 -7
file modified
+4 -0
file modified
+2 -0