MS-PAC is a specification that defines how Kerberos KDCs and clients should handle privilege attribute certificate (PAC) data. A PAC record is generated by Active Directory KDCs so that AD clients receive the most important details about a Kerberos principal that they need to make access-control or logon decisions for the user.
Windows systems typically do not allow access to their services when a PAC is not present in the Kerberos ticket presented to the server application. There are a few cases where the lack of a PAC is treated as anonymous access.
FreeIPA by default does not issue a PAC in its Kerberos tickets. The content of the PAC is built around Active Directory security concepts, which rely on being able to address every resource and object through Security Identifiers (SIDs). Linux environments do not have SIDs associated with each user or group; SIDs are used extensively in the SMB protocol and in Active Directory-related activities. At the same time, use of the PAC structure improves caching and allows a large set of user-specific details to be communicated more efficiently and securely to identity clients.
When FreeIPA is configured to establish a forest trust to Active Directory, it starts to associate SIDs with IPA users and groups. The IPA KDC uses this information to create the PAC record in Kerberos tickets for IPA users. When users from trusted AD domains request service tickets for services in the IPA domain, the PAC records from their cross-realm tickets are validated and re-issued, adding local IPA group membership information and filtering out unwanted SIDs.
In Active Directory, a trust between domains requires the presence of a PAC in the cross-realm referral. This can be inferred from MS-KILE section 3.3.5.7.2 "TGT without a PAC", since the cross-realm krbtgt principal does not have the AuthenticationDataNotRequired field set. Since IPA-IPA trust support would be built on top of the existing trust-to-Active-Directory support, trusted IPA domains must have the PAC generated and required on both sides.
Currently the configuration that enables the IPA KDC to issue PAC records is only added when ipa-adtrust-install is run. We want to move this part of the configuration into the normal installers (ipa-server-install, ipa-replica-install) and make it possible to issue PACs in an IPA environment by default. This way, when IPA-IPA trust is added, we would be able to rely on the PAC structure in trusted users' tickets, just as with trust to Active Directory.
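The validate-and-re-issue step described above (keep the SIDs the trusted domain is entitled to assert, drop the rest, then add local group membership) as an added illustration in Python. This is not IPA's or MIT Kerberos' code; the domain SIDs, RIDs and the well-known allowlist are constructed sample values.

```python
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Well-known SIDs that legitimately appear in any PAC (constructed allowlist
# for this example: Everyone and Authenticated Users).
WELL_KNOWN_OK = {"S-1-1-0", "S-1-5-11"}


def domain_of(sid: str) -> str:
    """Strip the trailing RID: 'S-1-5-21-a-b-c-1104' -> 'S-1-5-21-a-b-c'."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid}")
    return sid.rsplit("-", 1)[0]


def reissue_pac_sids(pac_sids, trusted_domain_sid, local_domain_sid, local_group_sids):
    """Filter a cross-realm PAC's SID list and append local memberships.

    Returns (kept, dropped). Hypothetical rules modelled on SID filtering:
      * keep a SID only if it belongs to the trusted domain that issued the
        ticket or is in the well-known allowlist;
      * drop SIDs claiming the local domain or any third domain, so a trusted
        KDC cannot assert membership in local groups;
      * append local group SIDs derived from the local directory's own data.
    """
    kept, dropped = [], []
    for sid in pac_sids:
        if sid in WELL_KNOWN_OK or domain_of(sid) == trusted_domain_sid:
            kept.append(sid)
        else:
            dropped.append(sid)
    for sid in local_group_sids:
        if domain_of(sid) != local_domain_sid:
            raise ValueError(f"local group SID outside local domain: {sid}")
        if sid not in kept:
            kept.append(sid)
    return kept, dropped


# Constructed sample: SID of the trusted AD domain and of the IPA domain.
TRUSTED = "S-1-5-21-111-222-333"
LOCAL = "S-1-5-21-444-555-666"
SAMPLE_PAC = [
    "S-1-5-21-111-222-333-1104",  # the user, trusted domain
    "S-1-5-21-111-222-333-513",   # Domain Users of the trusted domain
    "S-1-5-21-444-555-666-512",   # claims a local-domain group: must be dropped
    "S-1-5-21-777-888-999-1000",  # unrelated third domain: must be dropped
    "S-1-5-11",                   # Authenticated Users, allowed
]

if __name__ == "__main__":
    print(reissue_pac_sids(SAMPLE_PAC, TRUSTED, LOCAL, [LOCAL + "-1005"]))
```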
Metadata Update from @abbra: - Issue assigned to frenaud
master:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @frenaud: - Custom field changelog adjusted to New installations of IPA now configure the server to generate SIDs by default. Previously, this setup was executed as part the the ipa-adtrust-install command.
Metadata Update from @frenaud: - Custom field changelog adjusted to New installations of IPA now configure the server to generate SIDs by default. Previously, this setup was executed as part of the ipa-adtrust-install command. (was: New installations of IPA now configure the server to generate SIDs by default. Previously, this setup was executed as part the the ipa-adtrust-install command.)
Metadata Update from @abbra: - Issue tagged with: rfe