From fa4a9c4afcc0c62a693034e21f33356e64735687 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 24 Jun 2013 20:59:53 +0200 Subject: krb5: do not send pac for IPA users from the local domain So far we didn't send the PAC of IPA users to the PAC responder during password authentication because group memberships for IPA users can be retrieved efficiently with LDAP calls. Recently patches added PAC support for the AD provider as well and removed the restriction for the IPA users. This patch restores the original behaviour by introducing a new flag in struct krb5_ctx which is only set for the IPA provider. Additionally a different flag is renamed to make it's purpose more clear. Fixes https://fedorahosted.org/sssd/ticket/1995 --- src/providers/ipa/ipa_init.c | 1 + src/providers/krb5/krb5_auth.h | 1 + src/providers/krb5/krb5_child.c | 14 +++++++------- src/providers/krb5/krb5_child_handler.c | 12 +++++++++--- src/providers/krb5/krb5_common.h | 2 ++ 5 files changed, 20 insertions(+), 10 deletions(-) diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c index ece62bb8..77a51433 100644 --- a/src/providers/ipa/ipa_init.c +++ b/src/providers/ipa/ipa_init.c @@ -300,6 +300,7 @@ int sssm_ipa_auth_init(struct be_ctx *bectx, goto done; } krb5_auth_ctx->service = ipa_options->service->krb5_service; + krb5_auth_ctx->is_ipa = true; ipa_options->auth_ctx->krb5_auth_ctx = krb5_auth_ctx; ret = ipa_get_auth_options(ipa_options, bectx->cdb, bectx->conf_path, diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h index cf290ca0..d31925da 100644 --- a/src/providers/krb5/krb5_auth.h +++ b/src/providers/krb5/krb5_auth.h @@ -55,6 +55,7 @@ struct krb5child_req { bool valid_tgt; bool run_as_user; bool upn_from_different_realm; + bool send_pac; }; errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd, diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index cba72502..130be96b 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -53,7 +53,7 @@ struct krb5_req { char *ccname; char *keytab; bool validate; - bool upn_from_different_realm; + bool send_pac; bool use_enterprise_princ; char *fast_ccname; @@ -987,9 +987,9 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) goto done; } - /* Try to find and send the PAC to the PAC responder for principals which - * do not belong to our realm. Failures are not critical. */ - if (kr->upn_from_different_realm) { + /* Try to find and send the PAC to the PAC responder. + * Failures are not critical. */ + if (kr->send_pac) { kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ, kr->creds->client, keytab, &pac_authdata); if (kerr != 0) { @@ -1551,7 +1551,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size, size_t p = 0; uint32_t len; uint32_t validate; - uint32_t different_realm; + uint32_t send_pac; uint32_t use_enterprise_princ; struct pam_data *pd; errno_t ret; @@ -1573,8 +1573,8 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size, SAFEALIGN_COPY_UINT32_CHECK(&validate, buf + p, size, &p); kr->validate = (validate == 0) ? false : true; SAFEALIGN_COPY_UINT32_CHECK(offline, buf + p, size, &p); - SAFEALIGN_COPY_UINT32_CHECK(&different_realm, buf + p, size, &p); - kr->upn_from_different_realm = (different_realm == 0) ? false : true; + SAFEALIGN_COPY_UINT32_CHECK(&send_pac, buf + p, size, &p); + kr->send_pac = (send_pac == 0) ? false : true; SAFEALIGN_COPY_UINT32_CHECK(&use_enterprise_princ, buf + p, size, &p); kr->use_enterprise_princ = (use_enterprise_princ == 0) ? false : true; SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c index 292ba00b..161fa269 100644 --- a/src/providers/krb5/krb5_child_handler.c +++ b/src/providers/krb5/krb5_child_handler.c @@ -129,7 +129,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr, size_t rp; const char *keytab; uint32_t validate; - uint32_t different_realm; + uint32_t send_pac; uint32_t use_enterprise_principal; size_t username_len = 0; errno_t ret; @@ -141,7 +141,13 @@ static errno_t create_send_buffer(struct krb5child_req *kr, } validate = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) ? 1 : 0; - different_realm = kr->upn_from_different_realm ? 1 : 0; + + /* Always send PAC except for local IPA users */ + if (kr->krb5_ctx->is_ipa) { + send_pac = kr->upn_from_different_realm ? 1 : 0; + } else { + send_pac = 1; + } use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_USE_ENTERPRISE_PRINCIPAL) ? 1 : 0; @@ -184,7 +190,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr, SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->gid, &rp); SAFEALIGN_COPY_UINT32(&buf->data[rp], &validate, &rp); SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->is_offline, &rp); - SAFEALIGN_COPY_UINT32(&buf->data[rp], &different_realm, &rp); + SAFEALIGN_COPY_UINT32(&buf->data[rp], &send_pac, &rp); SAFEALIGN_COPY_UINT32(&buf->data[rp], &use_enterprise_principal, &rp); SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(kr->upn), &rp); diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h index eb563888..501cdef1 100644 --- a/src/providers/krb5/krb5_common.h +++ b/src/providers/krb5/krb5_common.h @@ -129,6 +129,8 @@ struct krb5_ctx { bool use_fast; hash_table_t *wait_queue_hash; + + bool is_ipa; }; struct remove_info_files_ctx { -- cgit