IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

ipa-kdb: add asserted identity SIDs

Browse Source 
Depending on whether identity of a principal was asserted by the KDC or
by a service doing protocol transition (S4U2Self), AD DCs add a
special extra SID to a PAC record:

 - S-1-18-1 is a SID for an Authentication Authority Asserted Identity
 - S-1-18-2 is a SID for a Service Asserted Identity

This behavior is governed by [MS-SFU] 3.2.5.1.2 "KDC replies with Service
Ticket".

In order to add an asserted identity SID, we need to pass down the
client flags as set by the KDC and check for a protocol transition bit.

Fixes: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Alexander Bokovoy 2020-05-12 22:44:12 +03:00
parent 44a255d423
commit 015ae27598
1 changed files with 47 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
daemons/ipa-kdb/ipa_kdb_mspac.c
View File

@ -358,6 +358,46 @@ static int sid_split_rid(struct dom_sid *sid, uint32_t *rid)
return 0;
}
/* Add Asserted Identity SID */
static krb5_error_code ipadb_add_asserted_identity(struct ipadb_context *ipactx,
unsigned int flags,
TALLOC_CTX *memctx,
struct netr_SamInfo3 *info3)
{
struct netr_SidAttr *arr = NULL;
uint32_t sidcount = info3->sidcount;
krb5_error_code ret = 0;
arr = talloc_realloc(memctx,
info3->sids,
struct netr_SidAttr,
sidcount + 1);
if (!arr) {
return ENOMEM;
}
arr[sidcount].sid = talloc_zero(arr, struct dom_sid2);
if (!arr[sidcount].sid) {
return ENOMEM;
}
/* For S4U2Self, add Service Asserted Identity SID
* otherwise, add Authentication Authority Asserted Identity SID */
ret = string_to_sid((flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
"S-1-18-2" : "S-1-18-1",
arr[sidcount].sid);
if (ret) {
return ret;
}
arr[sidcount].attributes = SE_GROUP_MANDATORY |
SE_GROUP_ENABLED |
SE_GROUP_ENABLED_BY_DEFAULT;
info3->sids = arr;
info3->sidcount = sidcount + 1;
info3->base.user_flags |= NETLOGON_EXTRA_SIDS;
return 0;
}
static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
{
int ret;
@ -383,6 +423,7 @@ static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
LDAPMessage *lentry,
unsigned int flags,
TALLOC_CTX *memctx,
struct netr_SamInfo3 *info3)
{
@ -788,11 +829,13 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.failed_logon_count = 0; /* We do not have it */
info3->base.reserved = 0; /* Reserved */
return 0;
ret = ipadb_add_asserted_identity(ipactx, flags, memctx, info3);
return ret;
}
static krb5_error_code ipadb_get_pac(krb5_context kcontext,
krb5_db_entry *client,
unsigned int flags,
krb5_pac *pac)
{
TALLOC_CTX *tmpctx;
@ -855,7 +898,7 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
}
/* == Fill Info3 == */
kerr = ipadb_fill_info3(ipactx, lentry, tmpctx,
kerr = ipadb_fill_info3(ipactx, lentry, flags, tmpctx,
&pac_info.logon_info.info->info3);
if (kerr) {
goto done;
@ -2272,7 +2315,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
(void)ipadb_reinit_mspac(ipactx, force_reinit_mspac);
kerr = ipadb_get_pac(context, client, &pac);
kerr = ipadb_get_pac(context, client, flags, &pac);
if (kerr != 0 && kerr != ENOENT) {
goto done;
}
@ -2286,7 +2329,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
/* check or generate pac data */
if ((pac_auth_data == NULL) || (pac_auth_data[0] == NULL)) {
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
kerr = ipadb_get_pac(context, client_entry, &pac);
kerr = ipadb_get_pac(context, client_entry, flags, &pac);
if (kerr != 0 && kerr != ENOENT) {
goto done;
}