PAC: allow to disable UPN check and relax default check - sssd-2-7 #6466

Closed
wants to merge 3 commits into from

sumit-bose
Contributor

To avoid issues with the UPN check during PAC validation when
'ldap_user_principal' is set to a not existing attribute to skip reading
user principals a new 'pac_check' option, 'check_upn_allow_missing' is
added to the default options. With this option only a log message is shown
but the check will not fail.

Resolves: #6451

Currently it was not possible to skip the UPN check which checks if the
UPN in the PAC and the one stored in SSSD's cache are different.
Additionally the related debug message will show both principals if they
differ.

Resolves: SSSD#6451

(cherry picked from commit 9178944)

Currently on IPA clients a calculated principal based on the user name
and the Kerberos realm is added to the cached user object. This code is
quite old and might have been necessary at times when sub-domain support
was added to SSSD. But since quite some time SSSD is capable of
generating the principal on the fly during authentication if nothing is
stored in the cache.

Removing the code makes the cache more consistent with other use-cases,
e.g. with the IPA server where this attribute is empty, and allows to
properly detect a missing UPN, e.g. during the PAC validation.

Resolves: SSSD#6451

(cherry picked from commit b3d7a4f)

To avoid issues with the UPN check during PAC validation when
'ldap_user_principal' is set to a not existing attribute to skip reading
user principals a new 'pac_check' option, 'check_upn_allow_missing' is
added to the default options. With this option only a log message is
shown but the check will not fail.

Resolves: SSSD#6451

(cherry picked from commit 51b11db)

@alexey-tikhonov
Member

Pushed PR: #6466

  • sssd-2-7
    • 0e618c3 - pac: relax default check
    • 29aa434 - ipa: do not add guessed principal to the cache
    • a86d174 - PAC: allow to disable UPN check
