
From 0e618c36ed74c240f7acd071ccb7bfd405b2d827 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 22 Nov 2022 14:43:21 +0100
Subject: [PATCH 19/19] pac: relax default check
To avoid issues with the UPN check during PAC validation  when
'ldap_user_principal' is set to a non-existent attribute to skip reading
user principals a new 'pac_check' option, 'check_upn_allow_missing' is
added to the default options. With this option only a log message is
shown but the check will not fail.
Resolves: https://github.com/SSSD/sssd/issues/6451
(cherry picked from commit 51b11db8b99a77ba5ccf6f850c2e81b5a6ee9f79)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
 src/confdb/confdb.h              |  2 +-
 src/man/sssd.conf.5.xml          | 30 +++++++++++++++++++++++++++++-
 src/providers/ad/ad_pac_common.c | 24 ++++++++++++++++++++----
 src/util/pac_utils.c             | 10 ++++++++++
 src/util/util.h                  |  2 ++
 5 files changed, 62 insertions(+), 6 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 83f6be7f9..5fda67585 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -181,7 +181,7 @@
 #define CONFDB_PAC_LIFETIME "pac_lifetime"
 #define CONFDB_PAC_CHECK "pac_check"
 #define CONFDB_PAC_CHECK_DEFAULT "no_check"
-#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_dns_info_ex"
+#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_allow_missing, check_upn_dns_info_ex"
 
 /* InfoPipe */
 #define CONFDB_IFP_CONF_ENTRY "config/ifp"
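Review bot: The new CONFDB_PAC_CHECK_IPA_AD_DEFAULT silently changes what happens, for every AD and IPA deployment, when the PAC carries a UPN that SSSD has not cached: the PAC is now accepted with a log line instead of being rejected, and nothing at the definition says so. A comment above the define such as `/* check_upn_allow_missing: a UPN present in the PAC but absent from the cache is logged, not rejected (ad_pac_common.c) */` would make the relaxation visible where the default is read and edited.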
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 7a9920815..d9f4a7481 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2275,6 +2275,34 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
                                     consistent.</para>
                                 </listitem>
                             </varlistentry>
+                            <varlistentry>
+                                <term>check_upn_allow_missing</term>
+                                <listitem>
+                                    <para>This option should be used together
+                                    with 'check_upn' and handles the case where
+                                    a UPN is set on the server-side but is not
+                                    read by SSSD. The typical example is a
+                                    FreeIPA domain where 'ldap_user_principal'
+                                    is set to a not existing attribute name.
+                                    This was typically done to work-around
+                                    issues in the handling of enterprise
+                                    principals. But this is fixed since quite
+                                    some time and FreeIPA can handle enterprise
+                                    principals just fine and there is no need
+                                    anymore to set 'ldap_user_principal'.</para>
+                                    <para>Currently this option is set by
+                                    default to avoid regressions in such
+                                    environments. A log message will be added
+                                    to the system log and SSSD's debug log in
+                                    case a UPN is found in the PAC but not in
+                                    SSSD's cache. To avoid this log message it
+                                    would be best to evaluate if the
+                                    'ldap_user_principal' option can be removed.
+                                    If this is not possible, removing
+                                    'check_upn' will skip the test and avoid the
+                                    log message.</para>
+                                </listitem>
+                            </varlistentry>
                             <varlistentry>
                                 <term>upn_dns_info_present</term>
                                 <listitem>
@@ -2305,7 +2333,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
                         </para>
                         <para>
                             Default: no_check (AD and IPA provider
-                            'check_upn, check_upn_dns_info_ex')
+                            'check_upn, check_upn_allow_missing, check_upn_dns_info_ex')
                         </para>
                     </listitem>
                 </varlistentry>
diff --git a/src/providers/ad/ad_pac_common.c b/src/providers/ad/ad_pac_common.c
index 79f79b7a7..fcb54cd2c 100644
--- a/src/providers/ad/ad_pac_common.c
+++ b/src/providers/ad/ad_pac_common.c
@@ -215,10 +215,26 @@ errno_t check_upn_and_sid_from_user_and_pac(struct ldb_message *msg,
             DEBUG(SSSDBG_MINOR_FAILURE, "User object does not have a UPN but PAC "
                       "says otherwise, maybe ldap_user_principal option is set.\n");
             if (pac_check_opts & CHECK_PAC_CHECK_UPN) {
-                DEBUG(SSSDBG_CRIT_FAILURE,
-                      "UPN is missing but PAC UPN check required, "
-                      "PAC validation failed.\n");
-                return ERR_CHECK_PAC_FAILED;
+                if (pac_check_opts & CHECK_PAC_CHECK_UPN_ALLOW_MISSING) {
+                    DEBUG(SSSDBG_IMPORTANT_INFO,
+                          "UPN is missing but PAC UPN check required, "
+                          "PAC validation failed. However, "
+                          "'check_upn_allow_missing' is set and the error is "
+                          "ignored. To make this message go away please check "
+                          "why the UPN is not read from the server. In FreeIPA "
+                          "environments 'ldap_user_principal' is most probably "
+                          "set to a non-existing attribute name to avoid "
+                          "issues with enterprise principals. This is not "
+                          "needed anymore with recent versions of FreeIPA.\n");
+                    sss_log(SSS_LOG_CRIT, "PAC validation issue, please check "
+                                          "sssd_pac.log for details");
+                    return EOK;
+                } else {
+                    DEBUG(SSSDBG_CRIT_FAILURE,
+                          "UPN is missing but PAC UPN check required, "
+                          "PAC validation failed.\n");
+                    return ERR_CHECK_PAC_FAILED;
+                }
             }
         }
 
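Review bot: The `return EOK;` in the new check_upn_allow_missing branch leaves check_upn_and_sid_from_user_and_pac entirely, whereas the pre-existing missing-UPN path without check_upn falls through to whatever follows the enclosing `if`; the function name suggests a SID comparison comes later (outside this hunk), and if so it is now skipped precisely when the option is meant to relax only the UPN test. Removing the `return EOK;` so the branch falls through like the no-check_upn case would keep the remaining validation in place. The debug text also says "PAC validation failed" while the function reports success, and the two log levels disagree (SSSDBG_IMPORTANT_INFO in the debug log, SSS_LOG_CRIT in syslog); wording like `"PAC UPN check would have failed, but 'check_upn_allow_missing' is set and the result is ignored. ..."` states what actually happened. Note that this syslog line is emitted on every PAC evaluation for every affected user, so in the FreeIPA setups the commit describes it will repeat continuously. The function begins before and ends after this hunk.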
diff --git a/src/util/pac_utils.c b/src/util/pac_utils.c
index c53b0c082..4499d8dfd 100644
--- a/src/util/pac_utils.c
+++ b/src/util/pac_utils.c
@@ -64,6 +64,8 @@ static errno_t check_check_pac_opt(const char *inp, uint32_t *check_pac_flags)
             flags |= CHECK_PAC_CHECK_UPN_DNS_INFO_EX;
             flags |= CHECK_PAC_UPN_DNS_INFO_PRESENT;
             flags |= CHECK_PAC_CHECK_UPN;
+        } else if (strcasecmp(list[c], CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR) == 0) {
+            flags |= CHECK_PAC_CHECK_UPN_ALLOW_MISSING;
         } else {
             DEBUG(SSSDBG_OP_FAILURE, "Unknown value [%s] for pac_check.\n",
                                      list[c]);
@@ -72,6 +74,14 @@ static errno_t check_check_pac_opt(const char *inp, uint32_t *check_pac_flags)
         }
     }
 
+    if ((flags & CHECK_PAC_CHECK_UPN_ALLOW_MISSING)
+                && !(flags & CHECK_PAC_CHECK_UPN)) {
+        DEBUG(SSSDBG_CONF_SETTINGS,
+              "pac_check option '%s' is set but '%s' is not set, this means "
+              "the UPN is not checked.\n",
+              CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR, CHECK_PAC_CHECK_UPN_STR);
+    }
+
     ret = EOK;
 
 done:
diff --git a/src/util/util.h b/src/util/util.h
index 6d9111874..4b2651c2c 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -818,6 +818,8 @@ uint64_t get_spend_time_us(uint64_t st);
 #define CHECK_PAC_CHECK_UPN_DNS_INFO_EX (1 << 3)
 #define CHECK_PAC_UPN_DNS_INFO_EX_PRESENT_STR "upn_dns_info_ex_present"
 #define CHECK_PAC_UPN_DNS_INFO_EX_PRESENT (1 << 4)
+#define CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR "check_upn_allow_missing"
+#define CHECK_PAC_CHECK_UPN_ALLOW_MISSING (1 << 5)
 
 errno_t get_pac_check_config(struct confdb_ctx *cdb, uint32_t *pac_check_opts);
 #endif /* __SSSD_UTIL_H__ */
-- 
2.37.3