#9371 Tolerate absence of PAC ticket signature depending of domain and servers capabilities
Closed: fixed 2 years ago by frenaud. Opened 2 years ago by jrische.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 9): Bug 2182683

We are working on backporting the upstream implementation[1] of PAC extended KDC signature to RHEL9/8 and Fedora Rawhide/38/37. The function that is being used to generate this signature is also meant to generate the PAC ticket signature. This implementation also require the PAC ticket signature to be present in constrained delegation requests for the PAC to be accepted.

However, the signature generation function cannot be used by prior to 1.20 versions of krb5 because of API limitations. This is why we are backporting a slightly modified version of the extended PAC signature support. It allows generating the PAC extended KDC signature without the ticket signature, and tolerate the absence of the ticket signature.

When the version of krb5 is 1.20 or newer, this is not a problem. However, in case of gradual upgrade environments (including both 1.20+ and 1.19- servers), 1.20 servers will reject a PAC generated by a 1.19- server, because it does not contain any ticket signature.

In order to keep supporting constrained delegation in this kind of setup, we are adding support for a "optional_pac_full_chksum" string attribute for KDB entries. It will allow to tolerate the absence of PAC ticket signature for a certain realm.

IPA should be able to set this attribute according to the state of the domain:

  * Set "optional_pac_full_chksum" to "true" if RHEL8 or RHEL9.1- or Fedora 36/37 servers are present
  * Set "optional_pac_full_chksum" to "false" (or unset) if all servers are RHEL9.2+ or Fedora 38+

[1] https://github.com/krb5/krb5/pull/1284

Metadata Update from @jrische:
- Issue assigned to jrische

2 years ago

Metadata Update from @jrische:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2182683

2 years ago

master:

  • 9cd5f49 kdb: Use krb5_pac_full_sign_compat() when available
  • 3f1b373 Tolerate absence of PAC ticket signature depending of server capabilities
  • 545a363 Filter out constrained delegation ACL from KDB entry

ipa-4-10:

  • 630cda5 kdb: Use krb5_pac_full_sign_compat() when available
  • bbe545f Tolerate absence of PAC ticket signature depending of server capabilities
  • 7ea3b86 Filter out constrained delegation ACL from KDB entry

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

master:

  • e00f457 ipa-kdb: hint KDC to use aes256-sha1 for forest trust TGT
  • 4ef8258 ipa-kdb: protect against context corruption
  • 03897d8 ipa-kdb: postpone ticket checksum configuration
  • d551e85 ipa-kdb: process out of realm server lookup during S4U
  • 9cdf010 ipa-kdb: skip verification of PAC full checksum
  • 18bf495 ipalib/x509.py: Add signature_algorithm_parameters

ipa-4-10:

  • 3d0decd ipa-kdb: hint KDC to use aes256-sha1 for forest trust TGT
  • 803a447 ipa-kdb: protect against context corruption
  • fefa024 ipa-kdb: postpone ticket checksum configuration
  • bd8fcd6 ipa-kdb: process out of realm server lookup during S4U
  • 1b55e9b ipa-kdb: skip verification of PAC full checksum
  • 11ce2b2 ipalib/x509.py: Add signature_algorithm_parameters

master:

  • 3a706e8 ipa-kdb: be compatible with krb5 1.19 when checking for server referral

Log in to comment on this ticket.

Metadata