On Fri, 2011-12-02 at 10:10 -0500, Simo Sorce wrote:
> On Fri, 2011-12-02 at 09:27 -0500, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > > Hello all,
> > >
> > > with this set of patches it is possible to allow constrained delegation
> > > of credentials so that a service can impersonate a user when
> 
> [..]
> 
> > In the third patch in ipadb_get_delegation_acl() you can just fall 
> > through to the return.
> 
> Removed useless check.
> I also noticed I had added the prototype declaration for the new vtable
> function in the 2nd patch instead of the 3rd where it belongs by
> mistake.
> 
> So I fixed that too.
> 
> > I think the content of this e-mail should be added as a README to the 
> > source tree.
> 
> Ok, I dumped and adapted the email content into a README file and added
> it to the third patch.
> 
> I also fixed the patch names as per policy.
> 
> Simo.


We have discovered a few issues w/ MIT 1.9 and s4u2proxy used outside of
the 'artificial' test done by kvno.

I pushed a patch to handle part of the problem as a new krb5 package in
ipa-devel.

Soon we will have a patch for mod_auth_kerb that handles an issue there.

But we still have an unresolved issue when using the adtrust
functionality and our KDC releases PACs.

The attached patch can be used to deal with that case. As you can see
this is not intended for production, but can be used until we have a
better fix on the KDC side.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 33aebb5702fd77926340d1d0fb6556299a3831c0 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Mon, 5 Dec 2011 15:46:59 -0500
Subject: [PATCH] ipa-kdb: temporary workaround for s4u2proxy ops

---
 daemons/ipa-kdb/ipa_kdb_mspac.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 160974ceb9cede21a3709316551fa5e1f1c5d5df..62b11becf2fa94cf88e9edf221ece36def758b6f 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -683,7 +683,11 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
         }
     }
 
-    if (!is_as_req) {
+    if (!is_as_req &&
+        !(flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
+        /* FIXME: flags check is temporary,
+         * remove once KDC code properly passes us keys for s4u2 ops */
+        /* WARNING: THIS IS A SECURITY ISSUE, DO NOT SHIP WITH THIS HACK */
         kerr = ipadb_verify_pac(context, flags,
                                 ks_client_princ, client,
                                 server_key, krbtgt_key,
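Review bot: the new condition skips ipadb_verify_pac() entirely whenever KRB5_KDB_FLAG_CONSTRAINED_DELEGATION is set, so the PAC carried in an s4u2proxy request passes through ipadb_sign_authdata() without its signatures ever being checked, which the inline WARNING comment already acknowledges with "DO NOT SHIP WITH THIS HACK". If this is needed as a stopgap for testing, consider putting the flags check behind a compile-time define that is off by default so the workaround cannot reach a release build, and have the FIXME name the KDC-side change it is waiting for (the KDC passing the proper keys for s4u2 operations) so the removal is tracked rather than left to memory.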
-- 
1.7.7.1

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
