7d93bda ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates

1 file changed. Authored by abbra 2 years ago, committed by frenaud 2 years ago.
    ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates
    
    New versions of MS-KILE and MS-SFU after Windows Server November 2021
    security updates add PAC_REQUESTER_SID buffer check behavior:
    
     - PAC_REQUESTER_SID should only be added for TGT requests
    
     - if PAC_REQUESTER_SID is present, KDC must verify that the cname on
       the ticket resolves to the account with the same SID as the
       PAC_REQUESTER_SID. If it doesn't, KDC must respond with
       KDC_ERR_TKT_REVOKED
    
    Change requester SID check to skip exact check for non-local
    PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
    we know about.
    
    If requester SID is the same as in PAC, we already do cname vs PAC SID
    verification.
    
    With these changes FreeIPA works against Windows Server 2019 with
    November 2021 security fixes in cross-realm S4U2Self operations.
    
    Fixes: https://pagure.io/freeipa/issue/9031
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
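To make the two branches of the check concrete, here is an added model of the requester SID verification the message describes; it is illustrative code, not ipa-kdb's implementation. The account table, the domain SIDs and the error returned for a SID from an unknown domain (`KDC_ERR_POLICY`) are assumptions for the example; only `KDC_ERR_TKT_REVOKED` comes from the commit message.

```python
# Added illustration, not ipa-kdb code: model of the PAC_REQUESTER_SID check.
KDC_ERR_TKT_REVOKED = "KDC_ERR_TKT_REVOKED"  # named in the commit message
KDC_ERR_POLICY = "KDC_ERR_POLICY"            # assumption: reply for untrusted-domain SID


def domain_sid(sid: str) -> str:
    """Strip the trailing RID: S-1-5-21-a-b-c-1105 -> S-1-5-21-a-b-c.
    Only domain-style SIDs (S-1-5-21-...) are modelled here."""
    return sid.rsplit("-", 1)[0]


def check_requester_sid(cname, requester_sid, accounts, local_domain, trusted_domains):
    """Return None when the ticket passes, otherwise the KDC error to send.

    accounts        : constructed map cname -> SID of the local account
    local_domain    : SID of the KDC's own domain
    trusted_domains : set of domain SIDs of the trusts we know about
    """
    if requester_sid is None:
        return None  # buffer absent (non-TGT request): nothing to verify
    req_domain = domain_sid(requester_sid)
    if req_domain == local_domain:
        # Local SID: the cname on the ticket must resolve to the same account.
        if accounts.get(cname) != requester_sid:
            return KDC_ERR_TKT_REVOKED
        return None
    # Non-local SID (e.g. cross-realm S4U2Self): skip the exact cname match,
    # but only accept a SID issued by a trusted domain we know about.
    if req_domain not in trusted_domains:
        return KDC_ERR_POLICY
    return None


# Constructed sample data for a stand-alone run.
LOCAL_DOMAIN = "S-1-5-21-1-2-3"
TRUSTED = {"S-1-5-21-7-8-9"}
ACCOUNTS = {"alice@IPA.TEST": "S-1-5-21-1-2-3-1105"}

if __name__ == "__main__":
    for cname, sid in [("alice@IPA.TEST", "S-1-5-21-1-2-3-1105"),   # ok
                       ("alice@IPA.TEST", "S-1-5-21-1-2-3-1106"),   # revoked
                       ("bob@AD.TEST", "S-1-5-21-7-8-9-500"),       # trusted, ok
                       ("bob@AD.TEST", "S-1-5-21-4-5-6-500")]:      # unknown domain
        print(cname, sid, check_requester_sid(cname, sid, ACCOUNTS, LOCAL_DOMAIN, TRUSTED))
```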
file modified
+34 -13