From 580d61884b6c0a81357d8f9fa69fe69d1f017185 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 6 Dec 2019 12:29:49 +0100 Subject: [PATCH] ldap_child: do not try PKINIT if the PKINIT plugin is installed and pkinit_identities is set in /etc/krb5.conf libkrb5 will try to do PKINIT although ldap_child only wants to authenticate with a keytab. As a result ldap_child might try to access a Smartcard which is either not allowed at all or might cause unexpected delays. To avoid this the current patch sets pkinit_identities for LDAP child explicitly to make the PKINIT plugin fail because if installed libkrb5 will always use it. It turned out the setting pre-authentication options requires some internal flags to be set and krb5_get_init_creds_opt_alloc() must be used to initialize the options struct. Related to https://pagure.io/SSSD/sssd/issue/4126 Reviewed-by: Alexey Tikhonov --- src/providers/ldap/ldap_child.c | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c index 408d64db4..b081df90f 100644 --- a/src/providers/ldap/ldap_child.c +++ b/src/providers/ldap/ldap_child.c @@ -277,7 +277,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, krb5_ccache ccache = NULL; krb5_principal kprinc; krb5_creds my_creds; - krb5_get_init_creds_opt options; + krb5_get_init_creds_opt *options = NULL; krb5_error_code krberr; krb5_timestamp kdc_time_offset; int canonicalize = 0; @@ -392,19 +392,32 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, } memset(&my_creds, 0, sizeof(my_creds)); - memset(&options, 0, sizeof(options)); - krb5_get_init_creds_opt_set_address_list(&options, NULL); - krb5_get_init_creds_opt_set_forwardable(&options, 0); - krb5_get_init_creds_opt_set_proxiable(&options, 0); - krb5_get_init_creds_opt_set_tkt_life(&options, lifetime); + krberr = krb5_get_init_creds_opt_alloc(context, &options); + if (krberr != 0) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_get_init_creds_opt_alloc failed.\n"); + goto done; + } + + krb5_get_init_creds_opt_set_address_list(options, NULL); + krb5_get_init_creds_opt_set_forwardable(options, 0); + krb5_get_init_creds_opt_set_proxiable(options, 0); + krb5_get_init_creds_opt_set_tkt_life(options, lifetime); + krberr = krb5_get_init_creds_opt_set_pa(context, options, + "X509_user_identity", ""); + if (krberr != 0) { + DEBUG(SSSDBG_OP_FAILURE, + "krb5_get_init_creds_opt_set_pa failed [%d], ignored.\n", + krberr); + } + tmp_str = getenv("KRB5_CANONICALIZE"); if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) { DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n"); canonicalize = 1; } - sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize); + sss_krb5_get_init_creds_opt_set_canonicalize(options, canonicalize); ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s", DB_PATH, realm_name); @@ -433,7 +446,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, } krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc, - keytab, 0, NULL, &options); + keytab, 0, NULL, options); if (krberr != 0) { DEBUG(SSSDBG_OP_FAILURE, "krb5_get_init_creds_keytab() failed: %d\n", krberr); @@ -513,6 +526,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, *expire_time_out = my_creds.times.endtime - kdc_time_offset; done: + krb5_get_init_creds_opt_free(context, options); if (krberr != 0) { if (*_krb5_msg == NULL) { /* no custom error message provided hence get one from libkrb5 */ -- 2.20.1