5638bdc ipa-pwd-extop: allow ipasam to request RC4-HMAC in Kerberos keys for trusted domain objects

1 file. Authored by abbra 2 years ago, committed by frenaud 2 years ago.
    ipa-pwd-extop: allow ipasam to request RC4-HMAC in Kerberos keys for trusted domain objects
    
    This is a problem since we added commit b5fbbd1 in 2019. Its logic
    allowed adding RC4-HMAC keys for cifs/.. service principal but it didn't
    account for the case when cifs/.. principal initiates the request.
    
    Since ipasam only uses GETKEYTAB control, provide this extension only
    here and don't allow the same for SETKEYTAB. At the point of check for
    the bind DN, we already have verified that the DN is allowed to write to
    the krbPrincipalKey attribute so there is no leap of faith to 'any
    cifs/... principal' here.
    
    A principal must be a member of
    cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
    to be allowed to perform this operation.
    
    Fixes: https://pagure.io/freeipa/issue/9134
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>