freeipa/daemons
Alexander Bokovoy 0c08faf3c1 ipa-kdb: validate domain SID in incoming PAC for trusted domains for S4U
Previously, ipadb_check_logon_info() was called only for cross-realm
case. Now we call it for both in-realm and cross-realm cases. In case of
the S4U2Proxy, we would be passed a PAC of the original caller which
might be a principal from the trusted realm. We cannot validate that PAC
against our local client DB entry because this is the proxy entry which
is guaranteed to have different SID.

In such case, validate the SID of the domain in PAC against our realm
and any trusted domain but skip an additional check of the DB entry in
the S4U2Proxy case.

Related: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-11 16:13:56 -05:00
..
dnssec dnssec: concurrency issue when disabling old replica key 2021-03-09 16:52:38 +01:00
ipa-kdb ipa-kdb: validate domain SID in incoming PAC for trusted domains for S4U 2021-11-11 16:13:56 -05:00
ipa-otpd ipa-otpd: handle LDAP timeout in a better way 2021-04-23 11:13:36 +03:00
ipa-sam ipa-sam: return NetBIOS domain name instead of DNS one 2021-02-02 09:41:00 +02:00
ipa-slapi-plugins extdom: return LDAP_NO_SUCH_OBJECT if domains differ 2021-09-01 13:45:25 -04:00
ipa-version.h.in Build: move version handling from Makefile to configure 2016-11-09 13:08:32 +01:00
Makefile.am build: Unify compiler warning flags used 2021-01-15 14:11:56 +01:00