#9521 Enable Bronze-Bit check only if SIDs are set
Closed: fixed a year ago by frenaud. Opened a year ago by jrische.

The recently released Bronze-Bit detection mechanism relies on the PAC to filter S4U2Proxy requests. However, on FreeIPA v4.9, for the PAC to be present, the impersonated principal needs to have a SID.

IPA domains initialized before the SID generation task was executed as part of ipa-server-install may still not have PACs generated in tickets if this task was not executed by administrators. This is a major issue as updating IPA on these domains will cause the HTTP API to stop working, because the API relies on S4U2Proxy, and the Bronze-Bit check needs an evidence ticket with a PAC to accept the request.

The Bronze-Bit check should be executed only if the IPA domain is able to generate PACs.

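As an added illustration of the gating described in this ticket (not ipa-kdb's code, and not a faithful model of the PAC format): the evidence ticket is reduced to a forwardable flag plus an optional PAC, and the PAC is reduced to a MAC over the issued flags keyed with a hypothetical KDC key. `legacy_check` shows the pre-fix behaviour that rejects every PAC-less evidence ticket, `bronze_bit_check` the post-fix behaviour that skips the check when the domain cannot generate PACs. All names and the key are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumption: a stand-in for the key the KDC would use to sign the PAC.
KDC_KEY = b"constructed-kdc-key"


@dataclass
class Pac:
    # Hypothetical "ticket signature": a MAC over the flags the KDC issued.
    flags_mac: bytes


@dataclass
class EvidenceTicket:
    client: str
    forwardable: bool
    pac: Optional[Pac] = None


def _mac_flags(forwardable: bool) -> bytes:
    msg = b"forwardable=%d" % int(forwardable)
    return hmac.new(KDC_KEY, msg, hashlib.sha256).digest()


def issue_ticket(client: str, forwardable: bool, domain_has_sids: bool) -> EvidenceTicket:
    """Issue an evidence ticket. The PAC is only present when the domain can
    generate SIDs, mirroring the v4.9 behaviour described in the ticket."""
    pac = Pac(_mac_flags(forwardable)) if domain_has_sids else None
    return EvidenceTicket(client, forwardable, pac)


def forge_forwardable(ticket: EvidenceTicket) -> EvidenceTicket:
    """Model the Bronze Bit tampering: set the forwardable flag on the
    evidence ticket while the (unchanged) PAC still covers the old flags."""
    return EvidenceTicket(ticket.client, True, ticket.pac)


def legacy_check(ticket: EvidenceTicket) -> str:
    """Pre-fix behaviour: the check always runs, so any evidence ticket
    without a PAC is rejected, even on a domain that cannot produce one."""
    if ticket.pac is None:
        return "reject"
    expected = _mac_flags(ticket.forwardable)
    if not hmac.compare_digest(expected, ticket.pac.flags_mac):
        return "reject"
    return "accept"


def bronze_bit_check(ticket: EvidenceTicket, domain_has_sids: bool) -> str:
    """Post-fix behaviour: return 'skipped', 'reject' or 'accept'.

    When the domain cannot generate PACs there is nothing to compare the
    ticket flags against, so the check is skipped rather than failing every
    S4U2Proxy request. When PACs are available, a missing PAC or a flags
    mismatch is rejected.
    """
    if not domain_has_sids:
        return "skipped"
    return legacy_check(ticket)


if __name__ == "__main__":
    # Domain with SIDs: tampering is caught.
    good = issue_ticket("alice", forwardable=False, domain_has_sids=True)
    print("honest ticket:", bronze_bit_check(good, True))
    print("forged ticket:", bronze_bit_check(forge_forwardable(good), True))
    # Domain without SIDs: legacy check breaks S4U2Proxy, fixed check does not.
    nopac = issue_ticket("bob", forwardable=False, domain_has_sids=False)
    print("legacy, no PAC:", legacy_check(nopac))
    print("fixed, no PAC: ", bronze_bit_check(nopac, False))
```

The `domain_has_sids` flag stands for whatever the real KDB module consults to decide that PACs can be generated; the point of the example is only the ordering of the checks, not the PAC internals.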

Metadata Update from @jrische:
- Custom field rhbz adjusted to RHEL-22313

a year ago

ipa-4-9:

  • 27b96c1 ipa-kdb: Disable Bronze-Bit check if PAC not available

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

ipa-4-9:

  • 81aa6ef ipd-kdb: Fix some mistakes in ipadb_check_for_bronze_bit_attack()
