freeipa/daemons
Alexander Bokovoy 5638bdcb85 ipa-pwd-extop: allow ipasam to request RC4-HMAC in Kerberos keys for trusted domain objects
This is a problem since we added commit b5fbbd1 in 2019. Its logic
allowed to add RC4-HMAC keys for cifs/.. service principal but it didn't
account for the case when cifs/.. principal initiates the request.

Since ipasam only uses GETKEYTAB control, provide this extension only
here and don't allow the same for SETKEYTAB. At the point of check for
the bind DN, we already have verified that the DN is allowed to write to
the krbPrincipalKey attribute so there is no leap of faith to 'any
cifs/... principal' here.

A principal must be member of cn=adtrust
agents,cn=sysaccounts,cn=etc,$SUFFIX to allow perform this operation

Fixes: https://pagure.io/freeipa/issue/9134

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-04-13 18:37:12 +02:00
..
dnssec dnssec: concurrency issue when disabling old replica key 2021-03-09 16:52:38 +01:00
ipa-kdb ipa-kdb: fix make check 2022-03-29 14:01:29 -04:00
ipa-otpd pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
ipa-sam ipa-sam: return NetBIOS domain name instead of DNS one 2021-02-02 09:41:00 +02:00
ipa-slapi-plugins ipa-pwd-extop: allow ipasam to request RC4-HMAC in Kerberos keys for trusted domain objects 2022-04-13 18:37:12 +02:00
ipa-version.h.in Build: move version handling from Makefile to configure 2016-11-09 13:08:32 +01:00
Makefile.am build: Unify compiler warning flags used 2021-01-15 14:11:56 +01:00