krb5: do not send pac for IPA users from the local domain

So far we didn't send the PAC of IPA users to the PAC responder during
password authentication because group memberships for IPA users can be
retrieved efficiently with LDAP calls. Recently patches added PAC
support for the AD provider as well and removed the restriction for the
IPA users. This patch restores the original behaviour by introducing a
new flag in struct krb5_ctx which is only set for the IPA provider.
Additionally a different flag is renamed to make it's purpose more
clear.

Fixes https://fedorahosted.org/sssd/ticket/1995

5 files changed, 20 insertions, 10 deletions

diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index ece62bb89..77a514332 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -300,6 +300,7 @@ int sssm_ipa_auth_init(struct be_ctx *bectx,
         goto done;
     }
     krb5_auth_ctx->service = ipa_options->service->krb5_service;
+    krb5_auth_ctx->is_ipa = true;
     ipa_options->auth_ctx->krb5_auth_ctx = krb5_auth_ctx;
 
     ret = ipa_get_auth_options(ipa_options, bectx->cdb, bectx->conf_path,
diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
index cf290ca05..d31925dae 100644
--- a/src/providers/krb5/krb5_auth.h
+++ b/src/providers/krb5/krb5_auth.h
@@ -55,6 +55,7 @@ struct krb5child_req {
     bool valid_tgt;
     bool run_as_user;
     bool upn_from_different_realm;
+    bool send_pac;
 };
 
 errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index cba72502d..130be96bb 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -53,7 +53,7 @@ struct krb5_req {
     char *ccname;
     char *keytab;
     bool validate;
-    bool upn_from_different_realm;
+    bool send_pac;
     bool use_enterprise_princ;
     char *fast_ccname;
 
@@ -987,9 +987,9 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
         goto done;
     }
 
-    /* Try to find and send the PAC to the PAC responder for principals which
-     * do not belong to our realm. Failures are not critical. */
-    if (kr->upn_from_different_realm) {
+    /* Try to find and send the PAC to the PAC responder.
+     * Failures are not critical. */
+    if (kr->send_pac) {
         kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ,
                                kr->creds->client, keytab, &pac_authdata);
         if (kerr != 0) {
@@ -1551,7 +1551,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
     size_t p = 0;
     uint32_t len;
     uint32_t validate;
-    uint32_t different_realm;
+    uint32_t send_pac;
     uint32_t use_enterprise_princ;
     struct pam_data *pd;
     errno_t ret;
@@ -1573,8 +1573,8 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
     SAFEALIGN_COPY_UINT32_CHECK(&validate, buf + p, size, &p);
     kr->validate = (validate == 0) ? false : true;
     SAFEALIGN_COPY_UINT32_CHECK(offline, buf + p, size, &p);
-    SAFEALIGN_COPY_UINT32_CHECK(&different_realm, buf + p, size, &p);
-    kr->upn_from_different_realm = (different_realm == 0) ? false : true;
+    SAFEALIGN_COPY_UINT32_CHECK(&send_pac, buf + p, size, &p);
+    kr->send_pac = (send_pac == 0) ? false : true;
     SAFEALIGN_COPY_UINT32_CHECK(&use_enterprise_princ, buf + p, size, &p);
     kr->use_enterprise_princ = (use_enterprise_princ == 0) ? false : true;
     SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 292ba00b3..161fa269a 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -129,7 +129,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
     size_t rp;
     const char *keytab;
     uint32_t validate;
-    uint32_t different_realm;
+    uint32_t send_pac;
     uint32_t use_enterprise_principal;
     size_t username_len = 0;
     errno_t ret;
@@ -141,7 +141,13 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
     }
 
     validate = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) ? 1 : 0;
-    different_realm = kr->upn_from_different_realm ? 1 : 0;
+
+    /* Always send PAC except for local IPA users */
+    if (kr->krb5_ctx->is_ipa) {
+        send_pac = kr->upn_from_different_realm ? 1 : 0;
+    } else {
+        send_pac = 1;
+    }
     use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts,
                                          KRB5_USE_ENTERPRISE_PRINCIPAL) ? 1 : 0;
 
@@ -184,7 +190,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
     SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->gid, &rp);
     SAFEALIGN_COPY_UINT32(&buf->data[rp], &validate, &rp);
     SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->is_offline, &rp);
-    SAFEALIGN_COPY_UINT32(&buf->data[rp], &different_realm, &rp);
+    SAFEALIGN_COPY_UINT32(&buf->data[rp], &send_pac, &rp);
     SAFEALIGN_COPY_UINT32(&buf->data[rp], &use_enterprise_principal, &rp);
 
     SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(kr->upn), &rp);
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index eb563888c..501cdef10 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -129,6 +129,8 @@ struct krb5_ctx {
     bool use_fast;
 
     hash_table_t *wait_queue_hash;
+
+    bool is_ipa;
 };
 
 struct remove_info_files_ctx {