freeipa/daemons
Alexander Bokovoy 637412acfd ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates
New versions of MS-KILE and MS-SFU after Windows Server November 2021
security updates add PAC_REQUESTER_SID buffer check behavior:

 - PAC_REQUESTER_SID should only be added for TGT requests

 - if PAC_REQUESTER_SID is present, KDC must verify that the cname on
   the ticket resolves to the account with the same SID as the
   PAC_REQUESTER_SID. If it doesn't KDC must respond with
   KDC_ERR_TKT_REVOKED

Change requester SID check to skip exact check for non-local
PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
we know about.

If requester SID is the same as in PAC, we already do cname vs PAC SID
verification.

With these changes FreeIPA works against Windows Server 2019 with
November 2021 security fixes in cross-realm S4U2Self operations.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-29 21:00:42 +02:00
..
dnssec dnssec: concurrency issue when disabling old replica key 2021-03-09 16:52:38 +01:00
ipa-kdb ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates 2021-11-29 21:00:42 +02:00
ipa-otpd ipa-otpd: handle LDAP timeout in a better way 2021-04-23 11:13:36 +03:00
ipa-sam ipa-sam: return NetBIOS domain name instead of DNS one 2021-02-02 09:41:00 +02:00
ipa-slapi-plugins Fix use of comparison functions to avoid GCC bug 95189 2021-11-23 10:31:34 +01:00
ipa-version.h.in Build: move version handling from Makefile to configure 2016-11-09 13:08:32 +01:00
Makefile.am build: Unify compiler warning flags used 2021-01-15 14:11:56 +01:00