
From a86d1740167031bf6444ff821a201164c11ba09c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 16 Nov 2022 09:28:54 +0100
Subject: [PATCH 17/19] PAC: allow to disable UPN check
Currently it is not possible to skip the UPN check, which checks whether the
UPN in the PAC and the one stored in SSSD's cache are different.
Additionally the related debug message will show both principals if they
differ.
Resolves: https://github.com/SSSD/sssd/issues/6451
(cherry picked from commit 91789449b7a8b20056e1edfedd8f8cf92f7a0a2a)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
 src/providers/ad/ad_pac_common.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_pac_common.c b/src/providers/ad/ad_pac_common.c
index 0ed817111..79f79b7a7 100644
--- a/src/providers/ad/ad_pac_common.c
+++ b/src/providers/ad/ad_pac_common.c
@@ -224,9 +224,19 @@ errno_t check_upn_and_sid_from_user_and_pac(struct ldb_message *msg,
 
         if (user_data != NULL) {
             if (strcasecmp(user_data, upn_dns_info->upn_name) != 0) {
-                DEBUG(SSSDBG_CRIT_FAILURE,
-                      "UPN of user entry and PAC do not match.\n");
-                return ERR_CHECK_PAC_FAILED;
+                if (pac_check_opts & CHECK_PAC_CHECK_UPN) {
+                    DEBUG(SSSDBG_CRIT_FAILURE, "UPN of user entry [%s] and "
+                                               "PAC [%s] do not match.\n",
+                                               user_data,
+                                               upn_dns_info->upn_name);
+                    return ERR_CHECK_PAC_FAILED;
+                } else {
+                    DEBUG(SSSDBG_IMPORTANT_INFO, "UPN of user entry [%s] and "
+                                                 "PAC [%s] do not match, "
+                                                 "ignored.\n", user_data,
+                                                 upn_dns_info->upn_name);
+                    return EOK;
+                }
             }
         }
 
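Review bot: The new `else` branch ends with `return EOK;`, which leaves check_upn_and_sid_from_user_and_pac as soon as a UPN mismatch is tolerated, so any check the function performs after this block (the SID comparison its name promises, presumably located past the hunk) is skipped whenever CHECK_PAC_CHECK_UPN is unset and the UPNs differ. Disabling the UPN check should only suppress the UPN failure, not short-circuit the remaining validation; dropping the `return EOK;` and letting control fall through to the code after the `if (user_data != NULL)` block keeps the later checks in force. The function body begins before and continues after the hunk, so confirm nothing between here and the function's end relies on an early exit. A short comment on the `else` branch, `/* UPN check disabled: log the mismatch and continue with the remaining PAC checks */`, would make the intended scope of the option explicit.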
-- 
2.37.3