pac: fix issue with pac_check=no_check #8318
Conversation
So far SSSD expected that the PAC contains the logon_info buffer even if PAC checks are disabled with the 'no_check' option. This causes issues with PACs issues by MIT Kerberos KDCs which do not contain this buffer. This patches makes sure that the logon_info is not expected if 'no_check' is set and adds some clarifications to the man page. Resolves: SSSD#8300
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request correctly addresses an issue where SSSD would incorrectly require the logon_info buffer in a PAC even when PAC checks were disabled via pac_check=no_check. This caused authentication failures with PACs from non-AD KDCs like MIT Kerberos. The change in ad_pac_common.c wraps the logon_info check in a condition that respects the pac_check_opts, ensuring the check is only performed when PAC validation is active. The accompanying update to the sssd.conf man page provides valuable clarification for administrators regarding the scope of PAC checks. The changes are correct and well-implemented.
|
This is also a good fit for 'sssd-2-9', right? |
Hi, yes, this issue is present in 'sssd-2-9' as well. bye, |
|
Note: Covscan is green. |
| </para> | ||
| <para> | ||
| Please note that the checks listed below only apply | ||
| to PACs issued by Active Directory. PACs issued |
| * broken if PAC checking is not switched off. This is important because | ||
| * new versions MIT Kerberos will add a PAC buffer as well, but without | ||
| * an AD logon_info buffer. */ | ||
| if (pac_check_opts != 0) { |
There was a problem hiding this comment.
IIUC, this condition will be met for IPA with default value of pac_check.
Does IPA add logon_info?
There was a problem hiding this comment.
Hi,
yes, IPA adds to logon_info buffer.
bye,
Sumit
There was a problem hiding this comment.
Both man page and comment update mention only AD, thus a bit misleading.
2 participants
So far SSSD expected that the PAC contains the logon_info buffer even if PAC checks are disabled with the 'no_check' option. This causes issues with PACs issues by MIT Kerberos KDCs which do not contain this buffer. This patches makes sure that the logon_info is not expected if 'no_check' is set and adds some clarifications to the man page.
Resolves: #8300