freeipa/daemons
Alexander Bokovoy 0c32ebf858 ipa-kdb: PAC consistency checker needs to handle child domains as well
When PAC check is performed, we might get a signing TGT instead of the
client DB entry. This means it is a principal from a trusted domain but
we don't know which one exactly because we only have a krbtgt for the
forest root. This happens in MIT Kerberos 1.20 or later where KDB's
issue_pac() callback never gets the original client principal directly.

Look into known child domains as well and make the check pass if both the
NetBIOS name and the SID correspond to one of the trusted domains under this
forest root. Move the check for the SID before the NetBIOS name check because we
can use the SID of the domain in the PAC to find out the right child domain in
our trusted domains' topology list.

Fixes: https://pagure.io/freeipa/issue/9316

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-02-09 14:29:38 -05:00
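The check the commit message describes, as an added illustration that is not FreeIPA's ipa-kdb code (the real check lives in C inside the KDB driver): the PAC's logon-domain SID is resolved first, across the forest root and its known child domains, and only then is the PAC's NetBIOS name compared against the domain that SID identifies. The forest topology, SIDs and PAC field values are constructed, and every class and function name below is an assumption made for the example.

```python
"""Illustrative PAC logon-domain consistency check (added example, not
FreeIPA's ipa-kdb code).  The forest topology, SIDs and PAC field values
below are constructed for the demonstration."""
from dataclasses import dataclass, field
import re
from typing import Iterable, Optional

# Domain SIDs look like S-1-5-21-<a>-<b>-<c>; account SIDs append one RID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(-\d+){3}$")


@dataclass(frozen=True)
class TrustedDomain:
    netbios_name: str  # flat name, compared against PAC LogonDomainName
    domain_sid: str    # compared against PAC LogonDomainId
    dns_name: str


@dataclass
class TrustedForest:
    root: TrustedDomain
    children: list = field(default_factory=list)  # child domains from the topology list

    def domains(self, include_children: bool = True) -> Iterable[TrustedDomain]:
        yield self.root
        if include_children:
            yield from self.children


def domain_sid_of(sid: str) -> str:
    """Return the domain part of an NT SID: a bare domain SID unchanged,
    an account SID (domain SID plus RID) with the RID stripped."""
    if DOMAIN_SID_RE.match(sid):
        return sid
    base, _, rid = sid.rpartition("-")
    if not rid.isdigit() or not DOMAIN_SID_RE.match(base):
        raise ValueError(f"not an NT domain or account SID: {sid!r}")
    return base


def find_domain_by_sid(forests, sid, include_children=True) -> Optional[TrustedDomain]:
    """Locate the trusted domain whose SID matches, searching each forest
    root and, when include_children is set, its child domains as well."""
    try:
        dom_sid = domain_sid_of(sid)
    except ValueError:
        return None
    for forest in forests:
        for dom in forest.domains(include_children):
            if dom.domain_sid == dom_sid:
                return dom
    return None


def pac_domain_is_consistent(forests, pac_netbios_name, pac_domain_sid,
                             include_children=True) -> bool:
    """SID first: it pins down which domain in the forest the PAC claims to
    come from.  Then the PAC's NetBIOS name must equal that domain's name,
    so a known SID paired with another domain's name is rejected."""
    dom = find_domain_by_sid(forests, pac_domain_sid, include_children)
    if dom is None:
        return False
    return dom.netbios_name.upper() == pac_netbios_name.upper()


# Constructed topology: one trusted forest with a root and one child domain.
FOREST = TrustedForest(
    root=TrustedDomain("AD", "S-1-5-21-1111-2222-3333", "ad.example.test"),
    children=[TrustedDomain("CHILD", "S-1-5-21-4444-5555-6666",
                            "child.ad.example.test")],
)
FORESTS = [FOREST]


if __name__ == "__main__":
    # Constructed PAC logon-info values for a user from the child domain.
    name, sid = "CHILD", "S-1-5-21-4444-5555-6666-1105"
    print("root only :", pac_domain_is_consistent(FORESTS, name, sid,
                                                  include_children=False))
    print("with child:", pac_domain_is_consistent(FORESTS, name, sid))
    print("mismatch  :", pac_domain_is_consistent(FORESTS, "AD", sid))
```

Passing `include_children=False` reproduces the pre-fix behaviour from the commit message: a principal from a child domain arrives with only the forest root's krbtgt as context, the SID matches no root domain, and the check fails. With child domains searched, the SID identifies the child and the NetBIOS name is then required to agree with it.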
dnssec pylint: remove useless suppression 2023-01-10 08:30:58 +01:00
ipa-kdb ipa-kdb: PAC consistency checker needs to handle child domains as well 2023-02-09 14:29:38 -05:00
ipa-otpd Fixes: ipa-otpd@.service: deprecated syslog setting 2022-12-19 08:06:52 +01:00
ipa-sam ipa-sam: retrieve trusted domain account credential from the TDO itself 2022-04-13 18:37:12 +02:00
ipa-slapi-plugins extdom: avoid sss_nss_getorigby*() calls when get*_r_wrapper() returns object from a wrong domain (performance optimization) 2022-10-04 14:01:56 +02:00
ipa-version.h.in Build: move version handling from Makefile to configure 2016-11-09 13:08:32 +01:00
Makefile.am build: Unify compiler warning flags used 2021-01-15 14:11:56 +01:00