Skip to content

pam: apply SIDs from PAC to authentication indicators#8571

Merged
alexey-tikhonov merged 3 commits intoSSSD:masterfrom
sumit-bose:pac_ama
Apr 20, 2026
Merged

pam: apply SIDs from PAC to authentication indicators#8571
alexey-tikhonov merged 3 commits intoSSSD:masterfrom
sumit-bose:pac_ama

Conversation

@sumit-bose
Copy link
Copy Markdown
Contributor

@sumit-bose sumit-bose commented Apr 1, 2026

This patch reads the PAC of a Kerberos ticket while evaluating the
authentication indicators of the Kerberos ticket during a pam_sss_gss
request. Based on the value of the pam_gssapi_indicators_apply option
the found SIDs might add additional authentication indicators to the
evaluation.

The primary use case is to handle SIDs added by Active Directory's
Authentication Mechanism Assurance (AMA).

gemini-code-assist[bot]
gemini-code-assist Bot reviewed Apr 1, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces the pam_gssapi_indicators_apply configuration option, which allows SSSD to assign additional authentication indicators based on information extracted from Kerberos tickets, specifically SIDs from the PAC. The implementation involves updating the configuration schema, documentation, and the PAM responder's GSSAPI logic to handle PAC data parsing and SID-to-indicator mapping. Review feedback identifies a bug where an error code is not properly set upon memory allocation failure and suggests improving the robustness of GSSAPI attribute matching to avoid partial string matches.

Comment thread src/responder/pam/pamsrv_gssapi.c
Comment thread src/responder/pam/pamsrv_gssapi.c
Comment on lines 662 to +663
if (strncmp(AUTH_INDICATORS_TAG, attrs->elements[i].value,
sizeof(AUTH_INDICATORS_TAG) - 1) != 0)
sizeof(AUTH_INDICATORS_TAG) - 1) == 0) {
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The check for AUTH_INDICATORS_TAG uses strncmp without checking the length of the attribute name. This could lead to a partial match if another attribute name starts with "auth-indicators". For consistency and correctness, it's better to perform an exact match, similar to how MSPAC_TAG is checked.

        if (attrs->elements[i].length == sizeof(AUTH_INDICATORS_TAG) - 1 &&
            strncmp(AUTH_INDICATORS_TAG, (char *)attrs->elements[i].value,
                    sizeof(AUTH_INDICATORS_TAG) - 1) == 0) {

github-advanced-security[bot]
github-advanced-security AI found potential problems Apr 1, 2026
View reviewed changes
Comment thread src/providers/ad/ad_pac_common.c Dismissed
@sumit-bose sumit-bose force-pushed the pac_ama branch 4 times, most recently from 6bddc35 to 99bcff1 Compare April 2, 2026 06:22
@sumit-bose sumit-bose requested a review from thalman April 2, 2026 12:37
@alexey-tikhonov alexey-tikhonov added the no-backport This should go to target branch only. label Apr 9, 2026
@alexey-tikhonov alexey-tikhonov requested a review from pbrezina April 9, 2026 12:31
thalman
thalman requested changes Apr 15, 2026
View reviewed changes
Comment thread src/responder/pam/pamsrv_gssapi.c
pbrezina
pbrezina requested changes Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@pbrezina pbrezina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, code looks good, but it deserves a release note.

@sumit-bose
Copy link
Copy Markdown
Contributor Author

sumit-bose commented Apr 16, 2026

Hi, code looks good, but it deserves a release note.

Hi,

thanks for the review, added.

bye,
Sumit

thalman
thalman approved these changes Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@thalman thalman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the work, ACK

sssd-bot
sssd-bot reviewed Apr 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@sssd-bot sssd-bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review done using Claude Code / claude-opus-4-6

Functional Issues

  1. Missing NULL check after talloc_asprintf_append in handle_pac() (src/responder/pam/pamsrv_gssapi.c:594): In the SID matching loop, talloc_asprintf_append can return NULL on allocation failure, but the return value is not checked. If it fails, exported becomes NULL, and on the next loop iteration talloc_asprintf_append(NULL, ...) has undefined behavior. After the loop, *exported at line 600 would be a NULL pointer dereference. The existing pattern in gssapi_get_indicators() (line 732) correctly checks for NULL after each talloc_asprintf_append — the same pattern should be applied here.

    // Current code (line 594):
exported = talloc_asprintf_append(exported, "%s ",
                        state->indicators_apply_sid[d] + l + 1);
// Missing: if (exported == NULL) { ret = ENOMEM; goto done; }

  2. Pre-existing bug in gssapi_get_state() — wrong variable in NULL check (src/responder/pam/pamsrv_gssapi.c:846): After state->username = talloc_strdup(state, username), the code checks if (state == NULL) instead of if (state->username == NULL). This means a talloc_strdup failure is never detected, and the code proceeds with a NULL username pointer. While this bug pre-dates this PR, the function was modified in this PR (new pam_ctx parameter and SID list initialization), so it's worth fixing now.

    // Current (line 845-848):
state->username = talloc_strdup(state, username);
if (state == NULL) {   // <-- should be: state->username == NULL
    talloc_free(state);
    return NULL;
}

Nits & Non-functional Issues

  1. Typo in comment (src/confdb/confdb.h:451): "addition" should be "additional":

    /* List of addition Kerberos ticket data ... */
//         ^^^^^^^^^^ should be "additional"

  2. Inconsistent attribute name matching (src/responder/pam/pamsrv_gssapi.c:663 vs :667): The AUTH_INDICATORS_TAG check uses a prefix match (strncmp without length check), while the MSPAC_TAG check correctly verifies exact length first. This means any attribute starting with "auth-indicators" would match. In practice this is not a problem since GSSAPI attribute names are well-defined, and this pattern is pre-existing in the original code. For consistency, consider adding a length check for AUTH_INDICATORS_TAG as well.

  3. Misleading comment (src/responder/pam/pamsrv_gssapi.c:712): The comment /* exported_from_pac will have a trailing whitespace */ is not always true — when no SIDs match in handle_pac(), exported_from_pac is an empty string "" with no trailing whitespace.

  4. Extra blank line (src/responder/pam/pamsrv_gssapi.c:523): There is a double blank line between idmap_free() and handle_pac().

  5. Inconsistent indentation in gssapi_get_indicators() (src/responder/pam/pamsrv_gssapi.c:719-728): The is_auth_indicator block uses 8-space indentation for its body, while surrounding code uses 4-space indentation:

    if (is_auth_indicator) {
        DEBUG(SSSDBG_TRACE_FUNC,     // 8-space indent
                "attribute's...          // 8-space indent

Confirmed Issues from Existing Review Comments

  1. Gemini bot — missing ret = ENOMEM on talloc_strdup failure: This was raised for src/responder/pam/pamsrv_gssapi.c:574. Confirmed fixedret = ENOMEM is now set at line 578 before goto done.

  2. thalman — entering condition even when handle_pac returns error: This was raised for the exported_from_pac handling block. Confirmed fixed — the code now uses else if (line 711) so the append is only reached when handle_pac returns EOK.

  3. pbrezina — missing release note: Confirmed fixed — a :relnote: tag is included in the top commit message.

(testing comment update)

@alexey-tikhonov alexey-tikhonov added backport-to-sssd-2-9 and removed no-backport This should go to target branch only. labels Apr 20, 2026
@SSSD SSSD deleted a comment from alexey-tikhonov Apr 20, 2026
@sumit-bose
Copy link
Copy Markdown
Contributor Author

sumit-bose commented Apr 20, 2026

Review done using Claude Code / claude-opus-4-6

Functional Issues

1. **Missing NULL check after `talloc_asprintf_append` in `handle_pac()` (`src/responder/pam/pamsrv_gssapi.c:594`)**: In the SID matching loop, `talloc_asprintf_append` can return NULL on allocation failure, but the return value is not checked. If it fails, `exported` becomes NULL, and on the next loop iteration `talloc_asprintf_append(NULL, ...)` has undefined behavior. After the loop, `*exported` at line 600 would be a NULL pointer dereference. The existing pattern in `gssapi_get_indicators()` (line 732) correctly checks for NULL after each `talloc_asprintf_append` — the same pattern should be applied here.
   ```c
   // Current code (line 594):
   exported = talloc_asprintf_append(exported, "%s ",
                           state->indicators_apply_sid[d] + l + 1);
   // Missing: if (exported == NULL) { ret = ENOMEM; goto done; }
   ```

fixed

2. **Pre-existing bug in `gssapi_get_state()` — wrong variable in NULL check (`src/responder/pam/pamsrv_gssapi.c:846`)**: After `state->username = talloc_strdup(state, username)`, the code checks `if (state == NULL)` instead of `if (state->username == NULL)`. This means a `talloc_strdup` failure is never detected, and the code proceeds with a NULL `username` pointer. While this bug pre-dates this PR, the function was modified in this PR (new `pam_ctx` parameter and SID list initialization), so it's worth fixing now.
   ```c
   // Current (line 845-848):
   state->username = talloc_strdup(state, username);
   if (state == NULL) {   // <-- should be: state->username == NULL
       talloc_free(state);
       return NULL;
   }
   ```

fixed

Nits & Non-functional Issues

1. **Typo in comment (`src/confdb/confdb.h:451`)**: "addition" should be "additional":
   ```c
   /* List of addition Kerberos ticket data ... */
   //         ^^^^^^^^^^ should be "additional"
   ```

fixed

2. **Inconsistent attribute name matching (`src/responder/pam/pamsrv_gssapi.c:663` vs `:667`)**: The `AUTH_INDICATORS_TAG` check uses a prefix match (`strncmp` without length check), while the `MSPAC_TAG` check correctly verifies exact length first. This means any attribute starting with `"auth-indicators"` would match. In practice this is not a problem since GSSAPI attribute names are well-defined, and this pattern is pre-existing in the original code. For consistency, consider adding a length check for `AUTH_INDICATORS_TAG` as well.

I guess this is valid but since it is from existing code, I'd prefer if this can be fixed in a separate PR.

3. **Misleading comment (`src/responder/pam/pamsrv_gssapi.c:712`)**: The comment `/* exported_from_pac will have a trailing whitespace */` is not always true — when no SIDs match in `handle_pac()`, `exported_from_pac` is an empty string `""` with no trailing whitespace.

Since a trailing whitespace is only important if exported_from_pac is not empty I ignored this comment.

4. **Extra blank line (`src/responder/pam/pamsrv_gssapi.c:523`)**: There is a double blank line between `idmap_free()` and `handle_pac()`.

fixed

5. **Inconsistent indentation in `gssapi_get_indicators()` (`src/responder/pam/pamsrv_gssapi.c:719-728`)**: The `is_auth_indicator` block uses 8-space indentation for its body, while surrounding code uses 4-space indentation:
   ```c
   if (is_auth_indicator) {
           DEBUG(SSSDBG_TRACE_FUNC,     // 8-space indent
                   "attribute's...          // 8-space indent
   ```

This is exisintg code, so I prefer to keep it as it is.

Confirmed Issues from Existing Review Comments

1. **Gemini bot — missing `ret = ENOMEM` on `talloc_strdup` failure**: This was raised for `src/responder/pam/pamsrv_gssapi.c:574`. **Confirmed fixed** — `ret = ENOMEM` is now set at line 578 before `goto done`.

2. **thalman — entering condition even when `handle_pac` returns error**: This was raised for the `exported_from_pac` handling block. **Confirmed fixed** — the code now uses `else if` (line 711) so the append is only reached when `handle_pac` returns `EOK`.

3. **pbrezina — missing release note**: **Confirmed fixed** — a `:relnote:` tag is included in the top commit message.

(testing comment update)

@alexey-tikhonov
Copy link
Copy Markdown
Member

alexey-tikhonov commented Apr 20, 2026

test_kcm__tgt_renewal_updates_ticket_as_configured is a known flaky test.

@sumit-bose @sssd-bot
ad: move ad_get_sids_from_pac() to ad_pac_common.c
82932d6 
To make ad_get_sids_from_pac() better reusable it is moved with its
dependencies into ad_pac_common.c

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
@sumit-bose @sssd-bot
pam: add pam_gssapi_indicators_apply option
845e4ef 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
@sumit-bose @sssd-bot
pam: apply SIDs from PAC to authentication indicators
55bb9c2 
This patch reads the PAC of a Kerberos ticket while evaluating the
authentication indicators of the Kerberos ticket during a pam_sss_gss
request. Based on the value of the pam_gssapi_indicators_apply option
the found SIDs might add additional authentication indicators to the
evaluation.

The primary use case is to handle SIDs added by Active Directory's
Authentication Mechanism Assurance (AMA).

:relnote: During the processing of the pam_sss_gss request SSSD will
read the SID from the PAC of the Kerberos ticket and might add
authentication indicators based on the value of the new option
pam_gssapi_indicators_apply. The primary use case is to handle SIDs
added by Active Directory's Authentication Mechanism Assurance (AMA).

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
@sssd-bot
Copy link
Copy Markdown
Contributor

sssd-bot commented Apr 20, 2026

The pull request was accepted by @alexey-tikhonov with the following PR CI status:

🟢 CodeQL (success)
🟢 osh-diff-scan:fedora-rawhide-x86_64:upstream (success)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-44-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🟢 Build / freebsd (success)
🟢 Build / make-distcheck (success)
🟢 ci / intgcheck (centos-10) (success)
🟢 ci / intgcheck (fedora-42) (success)
🟢 ci / intgcheck (fedora-43) (success)
🟢 ci / intgcheck (fedora-44) (success)
🟢 ci / intgcheck (fedora-45) (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-10) (success)
🟢 ci / system (fedora-42) (success)
🟢 ci / system (fedora-43) (success)
🟢 ci / system (fedora-44) (success)
🔴 ci / system (fedora-45) (failure)
➖ Coverity scan / coverity (skipped)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.

@alexey-tikhonov alexey-tikhonov merged commit 1f680ed into SSSD:master Apr 20, 2026
10 of 15 checks passed
@sssd-bot sssd-bot mentioned this pull request Apr 20, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sssd-bot sssd-bot sssd-bot left review comments

@thalman thalman thalman approved these changes

@pbrezina pbrezina pbrezina approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@thalman thalman

@pbrezina pbrezina

Labels

Accepted backport-to-sssd-2-9

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@sumit-bose @alexey-tikhonov @sssd-bot @thalman @pbrezina @github-advanced-security