d69603c ipa-kdb: filter out group membership from MS-PAC for exact SID matches too

1 file Authored by abbra 8 years ago, Committed by mkosek 8 years ago,
    ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
    
    When the incoming SID blacklist contains exact SIDs of users and groups,
    attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.
    
    Note that we treat user's SID and primary group RID filtering as a violation
    of the KDC policy because the resulting MS-PAC will have no user SID or
    primary group and thus will be invalid.
    
    For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1
    it is OK to have an empty group RIDs array as GroupCount SHOULD be
    equal to Groups.MembershipCount returned by SamrGetGroupsForUser
    [MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty.
    
    Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475
    
    Reviewed-By: Tomas Babej <tbabej@redhat.com>