|
 |
ecf709 |
From 0956acb31884e87ef48c3be8c59960acfc03a547 Mon Sep 17 00:00:00 2001
|
|
|
ecf709 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
ecf709 |
Date: Thu, 8 Jun 2017 11:06:02 +0200
|
|
|
ecf709 |
Subject: [PATCH 171/171] krb5: disable enterprise principals during password
|
|
|
ecf709 |
changes
|
|
|
ecf709 |
|
|
|
ecf709 |
Currently using enterprise principals during password changes does not
|
|
|
ecf709 |
work reliable.
|
|
|
ecf709 |
|
|
|
ecf709 |
First there is a special behavior if canonicalization, which in general
|
|
|
ecf709 |
should be used together with enterprise principals, is enabled with AD,
|
|
|
ecf709 |
see https://pagure.io/SSSD/sssd/issue/1405 and
|
|
|
ecf709 |
https://pagure.io/SSSD/sssd/issue/1615 for details. As a result of this
|
|
|
ecf709 |
SSSD currently disables canonicalization during password changes.
|
|
|
ecf709 |
|
|
|
ecf709 |
Additionally it looks like MIT Kerberos does not handle canonicalized
|
|
|
ecf709 |
principals well, even if canonicalization is enabled, if not the default
|
|
|
ecf709 |
krbtgt/REALM@REALM but kadmin/changepw@REALM is requested. Since it is
|
|
|
ecf709 |
currently not clear what is the expected behavior here it make sense to
|
|
|
ecf709 |
completely disable enterprise principals during password changes for the
|
|
|
ecf709 |
time being.
|
|
|
ecf709 |
|
|
|
ecf709 |
Resolves https://pagure.io/SSSD/sssd/issue/3426
|
|
|
ecf709 |
|
|
|
ecf709 |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
ecf709 |
(cherry picked from commit 614057ea85c05d3a6d4b62217a41b8b5db8d5d38)
|
|
|
ecf709 |
---
|
|
|
ecf709 |
src/providers/krb5/krb5_child_handler.c | 3 ++-
|
|
|
ecf709 |
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
|
|
|
ecf709 |
index 11ac867e62d2ff96b827cf6d4ff341fc8ff0a286..0007f92a61ba711aed6be5ee28664e5f7de0f226 100644
|
|
|
ecf709 |
--- a/src/providers/krb5/krb5_child_handler.c
|
|
|
ecf709 |
+++ b/src/providers/krb5/krb5_child_handler.c
|
|
|
ecf709 |
@@ -143,7 +143,8 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
|
|
|
ecf709 |
return EINVAL;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
- if (kr->pd->cmd == SSS_CMD_RENEW || kr->is_offline) {
|
|
|
ecf709 |
+ if (kr->pd->cmd == SSS_CMD_RENEW || kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM
|
|
|
ecf709 |
+ || kr->pd->cmd == SSS_PAM_CHAUTHTOK || kr->is_offline) {
|
|
|
ecf709 |
use_enterprise_principal = false;
|
|
|
ecf709 |
} else {
|
|
|
ecf709 |
use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts,
|
|
|
ecf709 |
--
|
|
|
ecf709 |
2.9.4
|
|
|
ecf709 |
|