From 669f3d71161741c676ddd6a08bd08d4a4ccd495b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 26 Nov 2021 17:40:54 +0200
Subject: [PATCH] ipa-kdb: issue PAC_REQUESTER_SID only for TGTs
MS-KILE 3.3.5.6.4.8 in revision after Windows Server November 2021
security fixes added the following requirement:
- PAC_REQUESTER_SID is only added in TGT case (including referrals and
tickets to RODCs)
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 6f7d1ac15daf17dfca36ebd3265c866725d24717..538cfbba958068bd2ee0aaae7a2743ae82237898 100644
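--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1148,7 +1148,8 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
 #endif
 
 #ifdef HAVE_PAC_REQUESTER_SID
- {
+ /* MS-KILE 3.3.5.6.4.8: add PAC_REQUESTER_SID only in TGT case */
+ if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0) {
 union PAC_INFO pac_requester_sid;
 /* == Package PAC_REQUESTER_SID == */
 memset(&pac_requester_sid, 0, sizeof(pac_requester_sid));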
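Review bot: The new guard `if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0)` tests a flag whose name says nothing about TGTs, and the added comment does not explain why it stands for "TGT case". If the flag marks an AS request, as this use suggests, it would presumably also be set when a client asks the AS exchange directly for a service ticket, which is not the TGT case MS-KILE 3.3.5.6.4.8 describes. I would confirm that against the server principal and extend the comment, e.g. `/* KDC sets CLIENT_REFERRALS_ONLY on AS-REQ; used here as a proxy for initial TGT issuance */`, or add an explicit krbtgt check if the principal is reachable here. The body of ipadb_get_pac starts and ends outside this hunk, so what else is in scope at this point cannot be seen.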
--
2.31.1