
From 0e618c36ed74c240f7acd071ccb7bfd405b2d827 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 22 Nov 2022 14:43:21 +0100
Subject: [PATCH 19/19] pac: relax default check
To avoid issues with the UPN check during PAC validation  when
'ldap_user_principal' is set to a non-existent attribute to skip reading
user principals a new 'pac_check' option, 'check_upn_allow_missing' is
added to the default options. With this option only a log message is
shown but the check will not fail.
Resolves: https://github.com/SSSD/sssd/issues/6451
(cherry picked from commit 51b11db8b99a77ba5ccf6f850c2e81b5a6ee9f79)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
 src/confdb/confdb.h              |  2 +-
 src/man/sssd.conf.5.xml          | 30 +++++++++++++++++++++++++++++-
 src/providers/ad/ad_pac_common.c | 24 ++++++++++++++++++++----
 src/util/pac_utils.c             | 10 ++++++++++
 src/util/util.h                  |  2 ++
 5 files changed, 62 insertions(+), 6 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
1c5238
index 83f6be7f9..5fda67585 100644
1c5238
--- a/src/confdb/confdb.h
1c5238
+++ b/src/confdb/confdb.h
1c5238
@@ -181,7 +181,7 @@
1c5238
 #define CONFDB_PAC_LIFETIME "pac_lifetime"
1c5238
 #define CONFDB_PAC_CHECK "pac_check"
1c5238
 #define CONFDB_PAC_CHECK_DEFAULT "no_check"
1c5238
-#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_dns_info_ex"
1c5238
+#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_allow_missing, check_upn_dns_info_ex"
1c5238
 
1c5238
 /* InfoPipe */
1c5238
 #define CONFDB_IFP_CONF_ENTRY "config/ifp"
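Review bot: The relaxed `CONFDB_PAC_CHECK_IPA_AD_DEFAULT` applies to the AD provider as well as IPA, while the justification in the commit message and the man-page text is specific to FreeIPA deployments that point 'ldap_user_principal' at a non-existent attribute. For a plain AD domain a PAC whose UPN has no counterpart in the cache now passes by default instead of failing the check, so it is worth either keeping the strict default for AD or stating in the man page that the relaxation is intentional for both providers. The default string is also duplicated literally in sssd.conf.5.xml and has to be kept in sync by hand; a comment such as `/* keep in sync with the 'pac_check' default in src/man/sssd.conf.5.xml */` next to the define would make that dependency visible.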
1c5238
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
1c5238
index 7a9920815..d9f4a7481 100644
1c5238
--- a/src/man/sssd.conf.5.xml
1c5238
+++ b/src/man/sssd.conf.5.xml
1c5238
@@ -2275,6 +2275,34 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
1c5238
                                     consistent.</para>
1c5238
                                 </listitem>
1c5238
                             </varlistentry>
1c5238
+                            <varlistentry>
1c5238
+                                <term>check_upn_allow_missing</term>
1c5238
+                                <listitem>
1c5238
+                                    <para>This option should be used together
1c5238
+                                    with 'check_upn' and handles the case where
1c5238
+                                    a UPN is set on the server-side but is not
1c5238
+                                    read by SSSD. The typical example is a
1c5238
+                                    FreeIPA domain where 'ldap_user_principal'
1c5238
+                                    is set to a not existing attribute name.
1c5238
+                                    This was typically done to work-around
1c5238
+                                    issues in the handling of enterprise
1c5238
+                                    principals. But this is fixed since quite
1c5238
+                                    some time and FreeIPA can handle enterprise
1c5238
+                                    principals just fine and there is no need
1c5238
+                                    anymore to set 'ldap_user_principal'.</para>
1c5238
+                                    <para>Currently this option is set by
1c5238
+                                    default to avoid regressions in such
1c5238
+                                    environments. A log message will be added
1c5238
+                                    to the system log and SSSD's debug log in
1c5238
+                                    case a UPN is found in the PAC but not in
1c5238
+                                    SSSD's cache. To avoid this log message it
1c5238
+                                    would be best to evaluate if the
1c5238
+                                    'ldap_user_principal' option can be removed.
1c5238
+                                    If this is not possible, removing
1c5238
+                                    'check_upn' will skip the test and avoid the
1c5238
+                                    log message.</para>
1c5238
+                                </listitem>
1c5238
+                            </varlistentry>
1c5238
                             <varlistentry>
1c5238
                                 <term>upn_dns_info_present</term>
1c5238
                                 <listitem>
1c5238
@@ -2305,7 +2333,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
1c5238
                         </para>
1c5238
                         <para>
1c5238
                             Default: no_check (AD and IPA provider
1c5238
-                            'check_upn, check_upn_dns_info_ex')
1c5238
+                            'check_upn, check_upn_allow_missing, check_upn_dns_info_ex')
1c5238
                         </para>
1c5238
                     </listitem>
1c5238
                 </varlistentry>
1c5238
diff --git a/src/providers/ad/ad_pac_common.c b/src/providers/ad/ad_pac_common.c
1c5238
index 79f79b7a7..fcb54cd2c 100644
1c5238
--- a/src/providers/ad/ad_pac_common.c
1c5238
+++ b/src/providers/ad/ad_pac_common.c
1c5238
@@ -215,10 +215,26 @@ errno_t check_upn_and_sid_from_user_and_pac(struct ldb_message *msg,
1c5238
             DEBUG(SSSDBG_MINOR_FAILURE, "User object does not have a UPN but PAC "
1c5238
                       "says otherwise, maybe ldap_user_principal option is set.\n");
1c5238
             if (pac_check_opts & CHECK_PAC_CHECK_UPN) {
1c5238
-                DEBUG(SSSDBG_CRIT_FAILURE,
1c5238
-                      "UPN is missing but PAC UPN check required, "
1c5238
-                      "PAC validation failed.\n");
1c5238
-                return ERR_CHECK_PAC_FAILED;
1c5238
+                if (pac_check_opts & CHECK_PAC_CHECK_UPN_ALLOW_MISSING) {
1c5238
+                    DEBUG(SSSDBG_IMPORTANT_INFO,
1c5238
+                          "UPN is missing but PAC UPN check required, "
1c5238
+                          "PAC validation failed. However, "
1c5238
+                          "'check_upn_allow_missing' is set and the error is "
1c5238
+                          "ignored. To make this message go away please check "
1c5238
+                          "why the UPN is not read from the server. In FreeIPA "
1c5238
+                          "environments 'ldap_user_principal' is most probably "
1c5238
+                          "set to a non-existing attribute name to avoid "
1c5238
+                          "issues with enterprise principals. This is not "
1c5238
+                          "needed anymore with recent versions of FreeIPA.\n");
1c5238
+                    sss_log(SSS_LOG_CRIT, "PAC validation issue, please check "
1c5238
+                                          "sssd_pac.log for details");
1c5238
+                    return EOK;
1c5238
+                } else {
1c5238
+                    DEBUG(SSSDBG_CRIT_FAILURE,
1c5238
+                          "UPN is missing but PAC UPN check required, "
1c5238
+                          "PAC validation failed.\n");
1c5238
+                    return ERR_CHECK_PAC_FAILED;
1c5238
+                }
1c5238
             }
1c5238
         }
1c5238
 
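Review bot: The new `return EOK;` on the allow-missing path leaves check_upn_and_sid_from_user_and_pac() immediately, so anything that follows this block in the function body — presumably the SID comparison the function's name implies, which lies outside the hunk — is skipped, whereas the same missing-UPN situation without 'check_upn' falls through to it. That makes 'check_upn, check_upn_allow_missing' weaker than omitting 'check_upn' entirely; dropping the `return EOK;` so control continues past the block would keep the later checks while still ignoring the UPN mismatch. The sss_log() at SSS_LOG_CRIT also fires on every PAC evaluated in such an environment, which on a FreeIPA client with 'ldap_user_principal' set means a syslog entry per login; logging once or rate-limiting it would avoid flooding the system log. The enclosing function starts and ends outside the hunk.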
1c5238
diff --git a/src/util/pac_utils.c b/src/util/pac_utils.c
1c5238
index c53b0c082..4499d8dfd 100644
1c5238
--- a/src/util/pac_utils.c
1c5238
+++ b/src/util/pac_utils.c
1c5238
@@ -64,6 +64,8 @@ static errno_t check_check_pac_opt(const char *inp, uint32_t *check_pac_flags)
1c5238
             flags |= CHECK_PAC_CHECK_UPN_DNS_INFO_EX;
1c5238
             flags |= CHECK_PAC_UPN_DNS_INFO_PRESENT;
1c5238
             flags |= CHECK_PAC_CHECK_UPN;
1c5238
+        } else if (strcasecmp(list[c], CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR) == 0) {
1c5238
+            flags |= CHECK_PAC_CHECK_UPN_ALLOW_MISSING;
1c5238
         } else {
1c5238
             DEBUG(SSSDBG_OP_FAILURE, "Unknown value [%s] for pac_check.\n",
1c5238
                                      list[c]);
1c5238
@@ -72,6 +74,14 @@ static errno_t check_check_pac_opt(const char *inp, uint32_t *check_pac_flags)
1c5238
         }
1c5238
     }
1c5238
 
1c5238
+    if ((flags & CHECK_PAC_CHECK_UPN_ALLOW_MISSING)
1c5238
+                && !(flags & CHECK_PAC_CHECK_UPN)) {
1c5238
+        DEBUG(SSSDBG_CONF_SETTINGS,
1c5238
+              "pac_check option '%s' is set but '%s' is not set, this means "
1c5238
+              "the UPN is not checked.\n",
1c5238
+              CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR, CHECK_PAC_CHECK_UPN_STR);
1c5238
+    }
1c5238
+
1c5238
     ret = EOK;
1c5238
 
1c5238
 done:
1c5238
diff --git a/src/util/util.h b/src/util/util.h
1c5238
index 6d9111874..4b2651c2c 100644
1c5238
--- a/src/util/util.h
1c5238
+++ b/src/util/util.h
1c5238
@@ -818,6 +818,8 @@ uint64_t get_spend_time_us(uint64_t st);
1c5238
 #define CHECK_PAC_CHECK_UPN_DNS_INFO_EX (1 << 3)
1c5238
 #define CHECK_PAC_UPN_DNS_INFO_EX_PRESENT_STR "upn_dns_info_ex_present"
1c5238
 #define CHECK_PAC_UPN_DNS_INFO_EX_PRESENT (1 << 4)
1c5238
+#define CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR "check_upn_allow_missing"
1c5238
+#define CHECK_PAC_CHECK_UPN_ALLOW_MISSING (1 << 5)
1c5238
 
1c5238
 errno_t get_pac_check_config(struct confdb_ctx *cdb, uint32_t *pac_check_opts);
1c5238
 #endif /* __SSSD_UTIL_H__ */
-- 
2.37.3