The upcoming MIT Kerberos 1.20 version will change the KDB interface around PAC record handling. Below are the commit messages that describe these changes, from the MIT Kerberos git repo:
Author: Greg Hudson <ghudson@mit.edu>
Date:   Fri Jan 7 22:41:30 2022 -0500

Replace AD-SIGNEDPATH with minimal PACs

Remove all of the AD-SIGNEDPATH code. Instead, issue a signed minimal PAC in all tickets and require a valid PAC to be present in all tickets presented for S4U operations. Remove the get_authdata_info() and sign_authdata() DAL methods, and add an issue_pac() method to allow the KDB to add or copy buffers to the PAC. Add a disable_pac realm flag.

Microsoft revised the S4U2Proxy rules for forwardable tickets. All S4U2Proxy operations require forwardable evidence tickets, but S4U2Self should issue a forwardable ticket if the requesting service has no ok-to-auth-as-delegate bit but also no constrained delegation privileges for traditional S4U2Proxy. Implement these rules, extending the check_allowed_to_delegate() DAL method so that the KDC can ask if a principal has any delegation privileges.

Combine the KRB5_KDB_FLAG_ISSUE_PAC and KRB5_FLAG_CLIENT_REFERRALS_ONLY flags into KRB5_KDB_FLAG_CLIENT. Rename the KRB5_KDB_FLAG_CANONICALIZE flag to KRB5_KDB_FLAG_REFERRAL_OK, and only pass it to get_principal() for lookup operations that can use a realm referral.

For consistency with Active Directory, honor the no-auth-data-required server principal flag for S4U2Proxy but not for S4U2Self. Previously we did the reverse.

ticket: 9044 (new)

commit c85894cfb784257a6acb4d77d8c75137d2508f5e
Author: Greg Hudson <ghudson@mit.edu>
Date:   Fri Jan 7 19:58:42 2022 -0500

Add minimal KDC MS-RPCE (NDR) encoder/decoder

Add NDR marshalling functions for S4U_DELEGATION_INFO PAC buffers.

[ghudson@mit.edu: added safety checks; made minor style changes; edited commit message]

commit ee4e3c5c9eee061048d5b7393b8f3820d1a563a8
Author: Isaac Boukris <iboukris@gmail.com>
Date:   Fri Jan 7 13:46:24 2022 -0500

Add PAC ticket signature APIs

Microsoft added a third PAC signature over the ticket to prevent servers from setting the forwardable flag on evidence tickets.

Add new APIs to generate and verify ticket signatures, as well as defines for this and other new PAC buffer types. Deprecate the old signing functions as they cannot generate ticket signatures. Modify several error returns to better match the protocol errors generated by Active Directory.

[ghudson@mit.edu: adjusted contracts for KDC requirements; simplified and commented code changes; wrote commit message. rharwood@redhat.com also did some work on this commit.]

ticket: 9043 (new)
This ticket tracks the changes required for FreeIPA to compile and work with MIT Kerberos 1.20. A test version of MIT Kerberos 1.20 (still unreleased) is built in COPR abbra/krb5-test. It also includes a modified Samba 4.15.3 which compiles against the new MIT Kerberos version as well.
master:
ipa-4-9:
ipa-4-10:
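A toy KDC model of the two rules described in the commit messages above: the S4U2Self forwardable-flag decision (forwardable when the service has ok-to-auth-as-delegate, or when it has no constrained-delegation privileges at all) and the third PAC signature, computed with the krbtgt key over the ticket body, which lets the KDC detect an evidence ticket whose forwardable flag a service has flipped. This is an added example, not MIT Kerberos, Samba or FreeIPA code; the keys, the flag bit, the JSON "ticket body" and the HMAC-SHA256 checksums are constructed stand-ins for the real ASN.1/NDR structures and Kerberos checksum types.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field, replace

# Constructed toy keys for the demo (not real Kerberos keys). Only the KDC
# holds the krbtgt key; each service holds just its own long-term key.
KRBTGT_KEY = b"constructed-krbtgt-key"
SERVICE_KEYS = {"http/web": b"constructed-http-key", "cifs/file": b"constructed-cifs-key"}

FLAG_FORWARDABLE = 0x1  # toy flag bit, not the real TicketFlags encoding


@dataclass
class Ticket:
    client: str
    server: str
    flags: int
    # Toy PAC: payload buffers plus the three checksums ("*_sig" keys).
    # Real PAC buffers are NDR structures; this is a simplified model.
    pac: dict = field(default_factory=dict)


@dataclass(frozen=True)
class ServicePolicy:
    ok_to_auth_as_delegate: bool       # the ok-to-auth-as-delegate principal flag
    allowed_to_delegate_to: frozenset  # traditional constrained-delegation targets


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _pac_payload(t: Ticket) -> bytes:
    return json.dumps({k: v for k, v in t.pac.items() if not k.endswith("_sig")},
                      sort_keys=True).encode()


def _ticket_body(t: Ticket) -> bytes:
    # What the ticket checksum covers: the ticket fields (including the flags)
    # and the PAC payload, but not the PAC checksums themselves.
    return json.dumps({"client": t.client, "server": t.server, "flags": t.flags,
                       "pac": _pac_payload(t).decode()}, sort_keys=True).encode()


def sign_pac(t: Ticket) -> None:
    """KDC: server checksum (service key), KDC checksum over it (krbtgt key),
    and the third, ticket checksum over the ticket body (krbtgt key)."""
    t.pac["server_sig"] = _mac(SERVICE_KEYS[t.server], _pac_payload(t))
    t.pac["kdc_sig"] = _mac(KRBTGT_KEY, t.pac["server_sig"].encode())
    t.pac["ticket_sig"] = _mac(KRBTGT_KEY, _ticket_body(t))


def verify_ticket_signature(t: Ticket) -> bool:
    expected = _mac(KRBTGT_KEY, _ticket_body(t))
    return hmac.compare_digest(t.pac.get("ticket_sig", ""), expected)


def s4u2self(service: str, user: str, policy: ServicePolicy) -> Ticket:
    """KDC side of S4U2Self: issue an evidence ticket for `user` to `service`.
    Forwardable if the service has ok-to-auth-as-delegate, or if it has no
    constrained-delegation privileges at all; not forwardable when it has
    constrained delegation without ok-to-auth-as-delegate."""
    forwardable = policy.ok_to_auth_as_delegate or not policy.allowed_to_delegate_to
    t = Ticket(client=user, server=service,
               flags=FLAG_FORWARDABLE if forwardable else 0,
               pac={"user": user, "issued_by": "S4U2Self"})
    sign_pac(t)
    return t


def s4u2proxy(evidence: Ticket, service: str, target: str, policy: ServicePolicy):
    """KDC side of S4U2Proxy. Returns (ticket, None) or (None, reason)."""
    if evidence.server != service:
        return None, "evidence ticket is not for the requesting service"
    if not verify_ticket_signature(evidence):
        return None, "PAC ticket signature invalid: evidence ticket was modified"
    if not evidence.flags & FLAG_FORWARDABLE:
        return None, "evidence ticket is not forwardable"
    if target not in policy.allowed_to_delegate_to:
        return None, f"{service} may not delegate to {target}"
    t = Ticket(client=evidence.client, server=target, flags=FLAG_FORWARDABLE,
               pac={**{k: v for k, v in evidence.pac.items() if not k.endswith("_sig")},
                    "delegated_by": service})
    sign_pac(t)
    return t, None


def forge_forwardable(t: Ticket) -> Ticket:
    """Model of a service re-encrypting its own evidence ticket with the flag set.
    The server checksum still matches (payload unchanged); only the krbtgt-keyed
    ticket checksum, which the service cannot recompute, exposes the change."""
    return replace(t, flags=t.flags | FLAG_FORWARDABLE)


if __name__ == "__main__":
    web = ServicePolicy(ok_to_auth_as_delegate=False,
                        allowed_to_delegate_to=frozenset({"cifs/file"}))
    evidence = s4u2self("http/web", "alice", web)
    print("forwardable:", bool(evidence.flags & FLAG_FORWARDABLE))
    print(s4u2proxy(evidence, "http/web", "cifs/file", web)[1])
    print(s4u2proxy(forge_forwardable(evidence), "http/web", "cifs/file", web)[1])
```

The check order in s4u2proxy mirrors what the commit message requires: a valid PAC (here, the ticket checksum) must be present before the forwardable flag is even consulted, so a service that has constrained delegation but no ok-to-auth-as-delegate bit gets a non-forwardable S4U2Self ticket and cannot turn it into a usable evidence ticket by re-encrypting it with the flag set.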
Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

Metadata Update from @abbra:
- Custom field changelog adjusted to: FreeIPA now supports MIT Kerberos 1.20. Resource-based constrained delegation is not yet implemented.