
From a86d1740167031bf6444ff821a201164c11ba09c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 16 Nov 2022 09:28:54 +0100
Subject: [PATCH 17/19] PAC: allow to disable UPN check
Currently it is not possible to skip the UPN check, which verifies whether the
UPN in the PAC and the one stored in SSSD's cache are different.
Additionally the related debug message will show both principals if they
differ.
Resolves: https://github.com/SSSD/sssd/issues/6451
(cherry picked from commit 91789449b7a8b20056e1edfedd8f8cf92f7a0a2a)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
 src/providers/ad/ad_pac_common.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_pac_common.c b/src/providers/ad/ad_pac_common.c
index 0ed817111..79f79b7a7 100644
--- a/src/providers/ad/ad_pac_common.c
+++ b/src/providers/ad/ad_pac_common.c
@@ -224,9 +224,19 @@ errno_t check_upn_and_sid_from_user_and_pac(struct ldb_message *msg,
 
         if (user_data != NULL) {
             if (strcasecmp(user_data, upn_dns_info->upn_name) != 0) {
-                DEBUG(SSSDBG_CRIT_FAILURE,
-                      "UPN of user entry and PAC do not match.\n");
-                return ERR_CHECK_PAC_FAILED;
+                if (pac_check_opts & CHECK_PAC_CHECK_UPN) {
+                    DEBUG(SSSDBG_CRIT_FAILURE, "UPN of user entry [%s] and "
+                                               "PAC [%s] do not match.\n",
+                                               user_data,
+                                               upn_dns_info->upn_name);
+                    return ERR_CHECK_PAC_FAILED;
+                } else {
+                    DEBUG(SSSDBG_IMPORTANT_INFO, "UPN of user entry [%s] and "
+                                                 "PAC [%s] do not match, "
+                                                 "ignored.\n", user_data,
+                                                 upn_dns_info->upn_name);
+                    return EOK;
+                }
             }
         }
 
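Review bot: The `return EOK;` in the new else branch turns a disabled UPN check into an early success for the whole function, so any validation placed after this block — the SID comparison that the name check_upn_and_sid_from_user_and_pac suggests — is skipped precisely when the UPN in the PAC differs from the cached one. Ignoring a mismatch should only drop the failure, not short-circuit the remaining checks; logging and falling through (the else branch holding just the `DEBUG(SSSDBG_IMPORTANT_INFO, ...)` call with no `return`) keeps whatever follows in effect. Whether further checks follow cannot be confirmed from the hunk, since the function starts and ends outside it. If the early return is intentional, a comment such as `/* UPN check disabled: a mismatch ends PAC validation here; keep in mind that later checks in this function are not reached */` would make that consequence explicit to the next reader.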
-- 
2.37.3