From 542c31e057cbd4bd6261abcc883ace14f69719d6 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 10 Apr 2017 15:32:54 -0400
Subject: [PATCH] Fix s4u2self with adtrust
When ADtrust is installed we add a PAC to all tickets, during protocol
transition we need to generate a new PAC for the requested user ticket,
not check the existing PAC on the requestor ticket.
https://pagure.io/freeipa/issue/6862
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index cf1bd5b4eaf6ac8eba92639cc48cb7c333a6e836..00cc19ca1e757e28530eafcd38ebf73003e251e3 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2117,6 +2117,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
struct ipadb_context *ipactx;
bool with_pac;
bool with_pad;
+ bool make_ad = false;
int result;
krb5_db_entry *client_entry = NULL;
krb5_boolean is_equal;
@@ -2165,7 +2166,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
"currently not supported.");
}
|
- if (is_as_req && with_pac && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
+ /* we need to create a PAC if we are requested one and this is an AS REQ,
+ * or we are doing protocol transition (s4u2self) */
+ if ((is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) ||
+ (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
+ make_ad = true;
+ }
+
+ if (with_pac && make_ad) {
/* Be aggressive here: special case for discovering range type
* immediately after establishing the trust by IPA framework */
if ((krb5_princ_size(context, ks_client_princ) == 2) &&
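Review bot: The protocol-transition arm of the new condition, `(flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)`, generates a fresh PAC without consulting KRB5_KDB_FLAG_INCLUDE_PAC, while the AS-REQ arm does, and the comment above it does not say why the two arms are gated differently; presumably the KDC only sets INCLUDE_PAC on AS requests, but that assumption should be written down next to the check. Together with the `} else if (with_pac && !is_as_req) {` in the next hunk, an S4U2Self TGS request now bypasses the `krb5_find_authdata` lookup of the existing PAC in `tgt_auth_data` (and whatever handling follows it outside the hunk) entirely, which is what the commit intends but is easy to undo in a later refactor. I would extend the comment to `/* Create a new PAC for AS requests that ask for one (INCLUDE_PAC) and always for protocol transition (s4u2self): the PAC must describe the impersonated client, so the requestor's existing PAC is deliberately not reused or checked here. */`. Minor: `with_pac` is tested in both arms, so it could be folded into the `make_ad` computation to keep the three conditions in one place. ipadb_sign_authdata's body starts and ends outside this hunk.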
@@ -2188,9 +2196,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
if (kerr != 0 && kerr != ENOENT) {
goto done;
}
- }
-
- if (!is_as_req && with_pac) {
+ } else if (with_pac && !is_as_req) {
/* find the existing PAC, if present */
kerr = krb5_find_authdata(context, tgt_auth_data, NULL,
KRB5_AUTHDATA_WIN2K_PAC, &pac_auth_data);
--
2.9.3