5213c1e ipa-kdb: validate domain SID in incoming PAC for trusted domains for S4U

1 file changed. Authored by abbra 2 years ago, committed by frenaud 2 years ago.
    ipa-kdb: validate domain SID in incoming PAC for trusted domains for S4U
    
    Previously, ipadb_check_logon_info() was called only for the cross-realm
    case. Now we call it for both in-realm and cross-realm cases. In the case
    of S4U2Proxy, we would be passed a PAC of the original caller which
    might be a principal from the trusted realm. We cannot validate that PAC
    against our local client DB entry because this is the proxy entry which
    is guaranteed to have a different SID.
    
    In such a case, validate the SID of the domain in the PAC against our realm
    and any trusted domain but skip the additional check of the DB entry in
    the S4U2Proxy case.
    
    Related: https://pagure.io/freeipa/issue/9031
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    
file modified: +43 -11
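The check the commit message describes, written out as an added, self-contained example that is not the ipa-kdb code from this commit: the domain portion of the account SID carried in the PAC is compared against the KDC's own domain SID and the SIDs of trusted domains, and the per-entry SID comparison against the client DB entry is skipped only in the S4U2Proxy case, because there the PAC belongs to the original caller rather than to the proxy entry. All function names, the enum, and the SID values are constructed placeholders, not identifiers or data from FreeIPA; real PAC SIDs are binary structures rather than strings, so the string handling here is a simplification of the idea only.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample SIDs (placeholders, not from any real deployment). */
#define LOCAL_DOMAIN_SID "S-1-5-21-1111111111-2222222222-3333333333"
static const char *trusted_domain_sids[] = {
    "S-1-5-21-4444444444-5555555555-6666666666",
    NULL
};

/* Hypothetical result codes for the check. */
typedef enum {
    PAC_OK = 0,
    PAC_MALFORMED_SID,     /* not an account SID of the form S-1-5-21-a-b-c-rid */
    PAC_UNTRUSTED_DOMAIN,  /* domain SID is neither ours nor a trusted domain's */
    PAC_SID_MISMATCH       /* in-realm, non-proxy: PAC SID differs from the DB entry */
} pac_check_t;

/* Strip the trailing RID from an account SID, leaving the domain SID.
 * An account SID in a domain has exactly seven '-' separators. */
bool sid_domain_part(const char *sid, char *out, size_t outlen) {
    if (strncmp(sid, "S-1-5-21-", 9) != 0) return false;
    int dashes = 0;
    for (const char *p = sid; *p; p++) if (*p == '-') dashes++;
    if (dashes != 7) return false;
    const char *rid = strrchr(sid, '-');
    size_t n = (size_t)(rid - sid);
    if (n + 1 > outlen) return false;
    memcpy(out, sid, n);
    out[n] = '\0';
    return true;
}

/* Is this domain SID our own realm's or one of the trusted domains'? */
static bool domain_is_known(const char *domain_sid) {
    if (strcmp(domain_sid, LOCAL_DOMAIN_SID) == 0) return true;
    for (int i = 0; trusted_domain_sids[i] != NULL; i++)
        if (strcmp(domain_sid, trusted_domain_sids[i]) == 0) return true;
    return false;
}

/* Simplified model of the logon-info check described in the commit message.
 * pac_account_sid: the account SID found in the incoming PAC.
 * db_entry_sid:    SID of the local client DB entry (NULL if it has none).
 * is_s4u2proxy:    true when the PAC is the original caller's, presented by a proxy. */
pac_check_t check_pac_logon_info(const char *pac_account_sid,
                                 const char *db_entry_sid,
                                 bool is_s4u2proxy) {
    char domain[128];
    if (!sid_domain_part(pac_account_sid, domain, sizeof domain))
        return PAC_MALFORMED_SID;
    /* Always validate the PAC's domain against our realm and trusted domains. */
    if (!domain_is_known(domain))
        return PAC_UNTRUSTED_DOMAIN;
    /* S4U2Proxy: the client entry is the proxy, whose SID necessarily differs
     * from the original caller's, so the DB entry comparison is skipped. */
    if (is_s4u2proxy)
        return PAC_OK;
    if (db_entry_sid == NULL || strcmp(pac_account_sid, db_entry_sid) != 0)
        return PAC_SID_MISMATCH;
    return PAC_OK;
}

int main(void) {
    const char *caller = "S-1-5-21-4444444444-5555555555-6666666666-500"; /* trusted-domain user */
    const char *proxy  = "S-1-5-21-1111111111-2222222222-3333333333-1105"; /* our own proxy entry */
    printf("S4U2Proxy, trusted caller: %d (0 = OK)\n",
           check_pac_logon_info(caller, proxy, true));
    printf("plain TGS, trusted caller vs proxy entry: %d (3 = mismatch)\n",
           check_pac_logon_info(caller, proxy, false));
    printf("unknown domain: %d (2 = untrusted)\n",
           check_pac_logon_info("S-1-5-21-7777777777-8888888888-9999999999-500", NULL, true));
    return 0;
}
```

The ordering matters for the security property: the domain check runs before the S4U2Proxy shortcut, so a PAC whose SID claims an unknown domain is rejected even on the proxy path, while a legitimate trusted-domain caller is accepted there without being wrongly compared against the proxy's own entry.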