3f1b373cb2
Since November 2020, Active Directory KDC generates a new type of signature as part of the PAC. It is called "ticket signature", and is generated based on the encrypted part of the ticket. The presence of this signature is not mandatory in order for the PAC to be accepted for S4U requests. However, the behavior is different for MIT krb5. Support was added as part of the 1.20 release, and this signature is required in order to process S4U requests. Contrary to the PAC extended KDC signature, the code generating this signature cannot be isolated and backported to older krb5 versions because this version of the KDB API does not allow passing the content of the ticket's encrypted part to IPA. This is an issue in gradual upgrade scenarios where some IPA servers rely on 1.19 and older versions of MIT krb5, while others use version 1.20 or newer. A service ticket that was provided by 1.19- IPA KDC will be rejected when used by a service against a 1.20+ IPA KDC for S4U requests. On Fedora, CentOS 9 Stream, and RHEL 9, when the krb5 version is 1.20 or newer, it will include a downstream-only update adding the "optional_pac_tkt_chksum" KDB string attribute allowing to tolerate the absence of PAC ticket signatures, if necessary. This commit adds an extra step during the installation and update processes where it adds a "pacTktSignSupported" ipaConfigString attribute in "cn=KDC,cn=[server],cn=masters,cn=ipa,cn=etc,[basedn]" if the MIT krb5 version IPA what built with was 1.20 or newer. This commit also set "optional_pac_tkt_chksum" as a virtual KDB entry attribute. This means the value of the attribute is not actually stored in the database (to avoid race conditions), but its value is determined at the KDC starting time by search the "pacTktSignSupported" ipaConfigString in the server list. If this value is missing for at least of them is missing, enforcement of the PAC ticket signature is disabled by setting "optional_pac_tkt_chksum" to true for the local realm TGS KDB entry. For foreign realm TGS KDB entries, the "optional_pac_tkt_chksum" virtual string attribute is set to true systematically, because, at least for now, trusted AD domains can still have PAC ticket signature support disabled. Given the fact the "pacTktSignSupported" ipaConfigString for a single server is added when this server is updated, and that the value of "optional_pac_tkt_chksum" is determined at KDC starting time based on the ipaConfigString attributes of all the KDCs in the domain, this requires to restart all the KDCs in the domain after all IPA servers were updated in order for PAC ticket signature enforcement to actually take effect. Fixes: https://pagure.io/freeipa/issue/9371 Signed-off-by: Julien Rische <jrische@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> |
||
---|---|---|
.copr | ||
.github | ||
asn1 | ||
client | ||
contrib | ||
daemons | ||
doc | ||
init | ||
install | ||
ipaclient | ||
ipalib | ||
ipaplatform | ||
ipapython | ||
ipaserver | ||
ipasphinx | ||
ipatests | ||
po | ||
pypi | ||
selinux | ||
util | ||
.freeipa-pr-ci.yaml | ||
.git-commit-template | ||
.gitignore | ||
.lgtm.yml | ||
.mailmap | ||
.readthedocs.yaml | ||
.tox-install.sh | ||
.wheelconstraints.in | ||
ACI.txt | ||
API.txt | ||
autogen.sh | ||
BUILD.txt | ||
CODE_OF_CONDUCT.md | ||
configure.ac | ||
Contributors.txt | ||
COPYING | ||
COPYING.openssl | ||
freeipa.doap.rdf | ||
freeipa.spec.in | ||
gpgkey-0E63D716D76AC080A4A33513F40800B6298EB963.asc | ||
ipa.in | ||
ipasetup.py.in | ||
make-doc | ||
make-test | ||
makeaci.in | ||
makeapi.in | ||
Makefile.am | ||
Makefile.python.am | ||
Makefile.pythonscripts.am | ||
makerpms.sh | ||
pylint_plugins.py | ||
pylintrc | ||
README.md | ||
server.m4 | ||
tox.ini | ||
VERSION.m4 |
FreeIPA Server
FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based management tools.
FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.
FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization.
Benefits
FreeIPA:
- Allows all your users to access all the machines with the same credentials and security settings
- Allows users to access personal files transparently from any machine in an authenticated and secure way
- Uses an advanced grouping mechanism to restrict network access to services and files only to specific users
- Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
- Enables delegation of selected administrative tasks to other power users
- Integrates into Active Directory environments
Components
The FreeIPA project provides unified installation and management tools for the following components:
- LDAP Server - based on the 389 project
- KDC - based on MIT Kerberos implementation
- PKI based on Dogtag project
- Samba libraries for Active Directory integration
- DNS Server based on BIND and the Bind-DynDB-LDAP plugin
Project Website
Releases, announcements and other information can be found on the IPA server project page at http://www.freeipa.org/ .
Documentation
The most up-to-date documentation can be found at http://freeipa.org/page/Documentation .
Quick Start
To get started quickly, start here: http://www.freeipa.org/page/Quick_Start_Guide
For developers
- Building FreeIPA from source
- http://www.freeipa.org/page/Build
- See the BUILD.txt file in the source root directory
Licensing
Please see the file called COPYING.
Contacts
- If you want to be informed about new code releases, bug fixes, security fixes, general news and information about the IPA server subscribe to the freeipa-announce mailing list at https://www.redhat.com/mailman/listinfo/freeipa-interest/ .
- If you have a bug report please submit it at: https://pagure.io/freeipa/issues
- If you want to participate in actively developing IPA please subscribe to the freeipa-devel mailing list at https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/ or join us in IRC at irc://irc.libera.chat/freeipa