diff options
| author | Simo Sorce <simo@redhat.com> | 2012-11-19 12:26:04 -0500 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2012-11-30 16:30:10 -0500 |
| commit | 5269458f552380759c86018cd1f30b64761be92e (patch) | |
| tree | 3dd2d9544450c81c940540378bbb8073a5c7d9c1 /daemons/ipa-kdb/ipa_kdb_mspac.c | |
| parent | c8d522bc98fb11be92529259e7a2072796012910 (diff) | |
| download | freeipa-5269458f552380759c86018cd1f30b64761be92e.tar.gz freeipa-5269458f552380759c86018cd1f30b64761be92e.tar.xz freeipa-5269458f552380759c86018cd1f30b64761be92e.zip | |
MS-PAC: Special case NFS services
The current Linux NFS server is severely limited when it comes to handling
kerberos tickets. Bsically any ticket bigger than 2k will cause it to fail
authentication due to kernel->userspace upcall interface restrictions.
Until we have additional support in IPA to indivdually mark principals to
opt out of getting PACs attached we always prevent PACs from being attached
to TGTs or Tickets where NFS is involved.
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_mspac.c')
| -rw-r--r-- | daemons/ipa-kdb/ipa_kdb_mspac.c | 36 |
1 files changed, 35 insertions, 1 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 881a7a712..efb4cb9b6 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -637,6 +637,24 @@ static bool is_cross_realm_krbtgt(krb5_const_principal princ) return true; } +static bool is_service_of_type(krb5_const_principal princ, const char *type) +{ + size_t len; + + if (princ->length < 2) { + return false; + } + + len = strlen(type); + + if ((princ->data[0].length == len) || + (strncasecmp(princ->data[0].data, type, len) == 0)) { + return true; + } + + return false; +} + static char *gen_sid_string(TALLOC_CTX *memctx, struct dom_sid *dom_sid, uint32_t rid) { @@ -1362,6 +1380,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, krb5_error_code kerr; krb5_pac pac = NULL; krb5_data pac_data; + bool is_nfs = false; /* When using s4u2proxy client_princ actually refers to the proxied user * while client->princ to the proxy service asking for the TGS on behalf @@ -1372,17 +1391,32 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, ks_client_princ = client->princ; } + /* NFS Server on Linux is limited and will choke on big tickets. + * So avoid attachnig the PAC to nfs/ tickets for now. + * FIXME: remove this when we have interface to support disabling + * PACs on arbitrary services */ + if (is_service_of_type(ks_client_princ, "nfs") || + is_service_of_type(server->princ, "nfs")) { + is_nfs = true; + } + is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) { + if (is_nfs) { + *signed_auth_data = NULL; + kerr = 0; + goto done; + } + kerr = ipadb_get_pac(context, client, &pac); if (kerr != 0 && kerr != ENOENT) { goto done; } } - if (!is_as_req) { + if (!is_as_req & !is_nfs) { /* find the existing PAC, if present */ kerr = krb5_find_authdata(context, tgt_auth_data, NULL, KRB5_AUTHDATA_WIN2K_PAC, &pac_auth_data); |