eb5a93d ipa-kdb: use entry DN to compare aliased entries in S4U operations

1 file Authored by abbra 2 years ago, Committed by rcritten 2 years ago
    ipa-kdb: use entry DN to compare aliased entries in S4U operations
    
    When working with aliased entries, we need a reliable way to detect
    whether two principals reference the same database entry. This is
    important in S4U checks.
    
    Ideally, we should be using SIDs for these checks as S4U requires PAC
    record presence which cannot be issued without a SID associated with an
    entry. This is true for user principals and a number of host/service
    principals associated with Samba. Other service principals do not have
    SIDs because we do not allocate POSIX IDs to them in FreeIPA. When a PAC
    is issued for these principals, they get the SID of a domain computer or
    domain controller depending on their placement (IPA client or IPA
    server).
    
    Since 389-ds always returns a unique entry DN for the same entry, rely on
    this value instead. We could have used ipaUniqueID but for Kerberos
    principals created through the KDB (kadmin/kdb5_util) we don't have
    ipaUniqueID in the entry.
    
    Fixes: https://pagure.io/freeipa/issue/9031
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
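The reasoning in the commit message, shown as an added example that is not ipa-kdb code: three ways of deciding whether two principal lookups refer to the same database entry, applied to constructed entries. The `ipa_entry` struct, the DNs, SIDs and ipaUniqueID values are all made up for the illustration, and the DN comparison assumes both DN strings are taken verbatim from the directory server response, so no DN normalisation is attempted.

```c
/* Added illustration of the commit's reasoning; not ipa-kdb code. Every
 * struct, DN, SID and ipaUniqueID below is constructed for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Subset of what a KDB lookup could yield for a principal's LDAP entry. */
struct ipa_entry {
    const char *dn;            /* entry DN, always returned by 389-ds */
    const char *sid;           /* SID carried in the PAC; NULL when none is owned */
    const char *ipa_unique_id; /* ipaUniqueID; NULL for kadmin/kdb5_util-created principals */
};

/* Tri-state result for the two checks that may lack data. */
enum cmp { CMP_UNDECIDABLE = -1, CMP_DIFFERENT = 0, CMP_SAME = 1 };

/* SID comparison. Service principals without POSIX IDs are issued the SID
 * of the domain computer (or DC) they live on, so two such principals on
 * one host compare equal even though they are distinct entries. */
enum cmp same_by_sid(const struct ipa_entry *a, const struct ipa_entry *b)
{
    if (a->sid == NULL || b->sid == NULL)
        return CMP_UNDECIDABLE;
    return strcmp(a->sid, b->sid) == 0 ? CMP_SAME : CMP_DIFFERENT;
}

/* ipaUniqueID comparison: undecidable whenever either entry lacks it. */
enum cmp same_by_unique_id(const struct ipa_entry *a, const struct ipa_entry *b)
{
    if (a->ipa_unique_id == NULL || b->ipa_unique_id == NULL)
        return CMP_UNDECIDABLE;
    return strcmp(a->ipa_unique_id, b->ipa_unique_id) == 0 ? CMP_SAME : CMP_DIFFERENT;
}

/* DN comparison: the check the commit settles on. Assumes the DN string is
 * the one returned by the server for both lookups, so a byte-wise compare
 * is enough here (assumption of this example; no normalisation done). */
bool same_by_dn(const struct ipa_entry *a, const struct ipa_entry *b)
{
    return strcmp(a->dn, b->dn) == 0;
}

/* Constructed user entry and the same entry reached through an alias name:
 * both lookups come back with the same DN. */
static const struct ipa_entry user_entry = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=test",
    "S-1-5-21-1-2-3-1001",
    "6b4c9d5e-0000-0000-0000-000000000001",
};
static const struct ipa_entry user_alias = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=test",
    "S-1-5-21-1-2-3-1001",
    "6b4c9d5e-0000-0000-0000-000000000001",
};
/* Two distinct service principals on the same IPA client: no POSIX ID, no
 * ipaUniqueID, and the PAC carries the host's domain-computer SID for both. */
static const struct ipa_entry http_svc = {
    "krbprincipalname=HTTP/client.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test",
    "S-1-5-21-1-2-3-2001", NULL,
};
static const struct ipa_entry ldap_svc = {
    "krbprincipalname=ldap/client.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test",
    "S-1-5-21-1-2-3-2001", NULL,
};

/* True when, on the samples, the DN check gives the right answer for both
 * pairs while the SID check yields a false positive and ipaUniqueID is
 * unavailable for the service pair. */
bool demo_dn_is_reliable(void)
{
    bool dn_ok     = same_by_dn(&user_entry, &user_alias) && !same_by_dn(&http_svc, &ldap_svc);
    bool sid_wrong = same_by_sid(&http_svc, &ldap_svc) == CMP_SAME;
    bool uid_gap   = same_by_unique_id(&http_svc, &ldap_svc) == CMP_UNDECIDABLE;
    return dn_ok && sid_wrong && uid_gap;
}

int main(void)
{
    printf("DN check reliable where SID and ipaUniqueID are not: %s\n",
           demo_dn_is_reliable() ? "yes" : "no");
    return 0;
}
```

The service-principal pair is the case that matters for S4U: a SID-based identity check would treat them as one entry, and ipaUniqueID is simply absent, while the DN distinguishes them and still matches the user looked up under its alias.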