author | Simo Sorce <simo@redhat.com> | 2017-04-10 15:32:54 -0400 |
---|---|---|
committer | Pavel Vomacka <pvomacka@redhat.com> | 2017-04-12 09:46:43 +0200 |
commit | e88d5e815ea440bcef4acdc5f8fcb3a29e6eaec9 (patch) | |
tree | 509c4f413dac4f4a554944fbd49eaa75208e1b88 | |
parent | a726e98f034347227765d7303a033a0538f5d8a1 (diff) | |
download | freeipa-e88d5e815ea440bcef4acdc5f8fcb3a29e6eaec9.tar.gz freeipa-e88d5e815ea440bcef4acdc5f8fcb3a29e6eaec9.tar.xz freeipa-e88d5e815ea440bcef4acdc5f8fcb3a29e6eaec9.zip |
Fix s4u2self with adtrust
When ADtrust is installed we add a PAC to all tickets; during protocol
transition we therefore need to generate a new PAC for the requested user's ticket,
not check the existing PAC on the requestor's ticket.
https://pagure.io/freeipa/issue/6862
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_mspac.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index cf1bd5b4e..00cc19ca1 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2117,6 +2117,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 struct ipadb_context *ipactx;
 bool with_pac;
 bool with_pad;
+ bool make_ad = false;
 int result;
 krb5_db_entry *client_entry = NULL;
 krb5_boolean is_equal;
@@ -2165,7 +2166,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 "currently not supported.");
 }
 
- if (is_as_req && with_pac && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
+ /* we need to create a PAC if we are requested one and this is an AS REQ, * or we are doing protocol transition (s4u2self) */
+ if ((is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) || (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
+ make_ad = true;
+ }
+
+ if (with_pac && make_ad) {
 /* Be aggressive here: special case for discovering range type * immediately after establishing the trust by IPA framework */
 if ((krb5_princ_size(context, ks_client_princ) == 2) &&
@@ -2188,9 +2196,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 if (kerr != 0 && kerr != ENOENT) {
 goto done;
 }
- }
-
- if (!is_as_req && with_pac) {
+ } else if (with_pac && !is_as_req) {
 /* find the existing PAC, if present */
 kerr = krb5_find_authdata(context, tgt_auth_data, NULL, KRB5_AUTHDATA_WIN2K_PAC, &pac_auth_data); |
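Review bot: The comment added above the new `make_ad` condition in the second hunk says when a PAC is built but not why the requestor's existing PAC is deliberately bypassed on protocol transition, which is the security-relevant part of this change: per the commit message, the PAC carried on the incoming ticket belongs to the requestor (the service doing the impersonation), not to the user named in the S4U2Self request, so it must neither be copied forward nor be used as the basis for the new ticket. I would extend the comment to say so, e.g. `/* On protocol transition (s4u2self) the PAC on the requestor's ticket describes the impersonating service, not the requested user, so a fresh PAC is built for the requested user instead of reusing or verifying it. */`. It is also worth noting that, unlike the AS-REQ arm, the `KRB5_KDB_FLAG_PROTOCOL_TRANSITION` arm does not require `KRB5_KDB_FLAG_INCLUDE_PAC`; if that is intentional, a short remark on the `||` branch would keep a future reader from "fixing" it by adding the flag back. `make_ad` is assigned once and read once, so the two `if`s could be folded into one condition, but that is a matter of taste. ipadb_sign_authdata begins and ends outside these hunks, so whether the PAC-building branch keys off the requested principal (ks_client_princ) or off the requestor's entry cannot be confirmed from what is shown here.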