
[autobackport: sssd-2-9] pam: apply SIDs from PAC to authentication indicators#8618

Merged
alexey-tikhonov merged 3 commits into SSSD:sssd-2-9 from sssd-bot:SSSD-sssd-backport-pr8571-to-sssd-2-9
Apr 22, 2026

Conversation

@sssd-bot (Contributor)

This is an automatic backport of PR #8571 (pam: apply SIDs from PAC to authentication indicators) to branch sssd-2-9, created by @sumit-bose.

Caution

@sumit-bose The patches did not apply cleanly. It is necessary to resolve conflicts before merging this pull request. Commits that introduced conflict are marked with CONFLICT!.

You can push changes to this pull request:

```shell
git remote add sssd-bot git@github.com:sssd-bot/sssd.git
git fetch sssd-bot refs/heads/SSSD-sssd-backport-pr8571-to-sssd-2-9
git checkout SSSD-sssd-backport-pr8571-to-sssd-2-9
git push sssd-bot SSSD-sssd-backport-pr8571-to-sssd-2-9 --force
```

Original commits
3f9c415 - ad: move ad_get_sids_from_pac() to ad_pac_common.c
22de4fd - pam: add pam_gssapi_indicators_apply option
1f680ed - pam: apply SIDs from PAC to authentication indicators

Backported commits

  • deb0cf8 - ad: move ad_get_sids_from_pac() to ad_pac_common.c
  • 33dcd2c - CONFLICT! pam: add pam_gssapi_indicators_apply option
  • 1db8d6e - CONFLICT! pam: apply SIDs from PAC to authentication indicators

Conflicting Files Information (check for deleted and re-added files)

  • CONFLICT! pam: add pam_gssapi_indicators_apply option
On branch SSSD-sssd-backport-pr8571-to-sssd-2-9
You are currently cherry-picking commit 22de4fd2d.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   src/confdb/confdb.h
	modified:   src/config/SSSDConfig/sssdoptions.py
	modified:   src/config/SSSDConfigTest.py
	modified:   src/config/cfg_rules.ini
	modified:   src/config/etc/sssd.api.conf
	modified:   src/db/sysdb_subdomains.c
	modified:   src/responder/pam/pamsrv.h

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   src/man/sssd.conf.5.xml
	both modified:   src/responder/pam/pamsrv.c
  • CONFLICT! pam: apply SIDs from PAC to authentication indicators
On branch SSSD-sssd-backport-pr8571-to-sssd-2-9
You are currently cherry-picking commit 1f680ed.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   src/config/SSSDConfig/sssdoptions.py
	modified:   src/responder/pam/pamsrv_cmd.c
	modified:   src/responder/pam/pamsrv_gssapi.c

Unmerged paths:
  (use "git add/rm <file>..." as appropriate to mark resolution)
	both modified:   Makefile.am
	deleted by us:   src/responder/pam/pamsrv_json.c
	both modified:   src/tests/system/tests/test_ipa.py


---

**Original Pull Request Body**

This patch reads the PAC of a Kerberos ticket while evaluating the
authentication indicators of the Kerberos ticket during a pam_sss_gss
request. Based on the value of the pam_gssapi_indicators_apply option
the found SIDs might add additional authentication indicators to the
evaluation.

The primary use case is to handle SIDs added by Active Directory's
Authentication Mechanism Assurance (AMA).

@gemini-code-assist (Bot) left a comment

Code Review

This pull request introduces the pam_gssapi_indicators_apply configuration option, allowing SIDs from the Kerberos PAC to be mapped to authentication indicators, and implements a new JSON-based authentication selection mechanism. While the feature set is comprehensive, the PR contains several critical issues: unresolved git conflict markers are present across multiple files (Makefile, documentation, and source code), which will break the build and tests. Furthermore, potential NULL pointer dereferences were identified in the list-processing logic within pamsrv_json.c and pamsrv_gssapi.c that must be addressed to prevent runtime crashes.

Comment threads (outdated): Makefile.am, src/man/sssd.conf.5.xml, src/responder/pam/pamsrv.c, src/tests/system/tests/test_ipa.py

Comment thread src/responder/pam/pamsrv_json.c (outdated):

```c
                       domain->gssapi_indicators_apply :
                       (pam_ctx->gssapi_indicators_apply ?
                        pam_ctx->gssapi_indicators_apply : NULL);
    if (indicators_apply != NULL && *indicators_apply[0] != '\0') {
```
Severity: high

Potential NULL pointer dereference. If indicators_apply is an empty list, indicators_apply[0] will be NULL, and dereferencing it will cause a crash.

```c
    if (indicators_apply != NULL && indicators_apply[0] != NULL && indicators_apply[0][0] != '\0') {
```
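The SID-to-indicator step described in the PR body, combined with the empty-list check raised in the comment above, as an added C example that is not SSSD code. The `SID=indicator` entry format of the mapping list and the function names are assumptions; the page does not show the real syntax of `pam_gssapi_indicators_apply`.

```c
/* Added example, not SSSD code. Models the PR's idea: SIDs found in the
 * Kerberos ticket's PAC are mapped to extra authentication indicators
 * before the indicator check runs. The "SID=indicator" entry format of
 * the mapping list is an assumption for illustration; the real syntax of
 * pam_gssapi_indicators_apply is not shown on this page. */
#include <stdbool.h>
#include <string.h>

/* True only if the NULL-terminated list has a non-empty first entry.
 * The element pointer is checked before it is dereferenced, which is
 * the empty-list case raised in the review comment. */
bool list_has_content(const char **list)
{
    return list != NULL && list[0] != NULL && list[0][0] != '\0';
}

/* Append the indicator mapped to each PAC SID to 'out' (deduplicated).
 * Returns the number of indicators appended. */
size_t apply_sid_indicators(const char **mapping, const char **pac_sids,
                            const char **out, size_t *n_out, size_t max_out)
{
    size_t added = 0;
    if (!list_has_content(mapping) || !list_has_content(pac_sids)) {
        return 0;                 /* nothing configured, or no SIDs */
    }
    for (size_t m = 0; mapping[m] != NULL; m++) {
        const char *eq = strchr(mapping[m], '=');
        if (eq == NULL || eq == mapping[m] || eq[1] == '\0') {
            continue;             /* malformed entry: skip it */
        }
        size_t sid_len = (size_t)(eq - mapping[m]);
        for (size_t s = 0; pac_sids[s] != NULL; s++) {
            if (strlen(pac_sids[s]) != sid_len ||
                strncmp(pac_sids[s], mapping[m], sid_len) != 0) {
                continue;         /* this SID has no mapping entry */
            }
            bool dup = false;
            for (size_t o = 0; o < *n_out && !dup; o++) {
                dup = strcmp(out[o], eq + 1) == 0;
            }
            if (!dup && *n_out < max_out) {
                out[(*n_out)++] = eq + 1;
                added++;
            }
        }
    }
    return added;
}
```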

@sumit-bose sumit-bose force-pushed the SSSD-sssd-backport-pr8571-to-sssd-2-9 branch 3 times, most recently from fcd6f6a to b0daeed Compare April 20, 2026 19:42
@sumit-bose sumit-bose marked this pull request as ready for review April 21, 2026 06:58
@alexey-tikhonov (Member)

@sumit-bose, would you like to wait for #8620 and cherry-pick those patches here as well?

@sumit-bose (Contributor)

> @sumit-bose, would you like to wait for #8620 and cherry-pick those patches here as well?

Hi,

I'm fine either way, but it might be easier to merge this and backport #8620 separately.

bye,
Sumit

@alexey-tikhonov (Member)

> it might be easier to merge this and backport #8620 separately.

ok

@alexey-tikhonov alexey-tikhonov removed the request for review from thalman April 22, 2026 08:03
@alexey-tikhonov alexey-tikhonov added no-backport This should go to target branch only. Accepted labels Apr 22, 2026
To make ad_get_sids_from_pac() better reusable it is moved with its
dependencies into ad_pac_common.c

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 3f9c415)

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 22de4fd)

This patch reads the PAC of a Kerberos ticket while evaluating the
authentication indicators of the Kerberos ticket during a pam_sss_gss
request. Based on the value of the pam_gssapi_indicators_apply option
the found SIDs might add additional authentication indicators to the
evaluation.

The primary use case is to handle SIDs added by Active Directory's
Authentication Mechanism Assurance (AMA).

:relnote: During the processing of the pam_sss_gss request SSSD will
read the SID from the PAC of the Kerberos ticket and might add
authentication indicators based on the value of the new option
pam_gssapi_indicators_apply. The primary use case is to handle SIDs
added by Active Directory's Authentication Mechanism Assurance (AMA).

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 1f680ed)
@sssd-bot (Contributor, Author)

The pull request was accepted by @alexey-tikhonov with the following PR CI status:
🟢 CodeQL (success)
🟢 rpm-build:centos-stream-9-x86_64:upstream (success)
🟢 Build / make-distcheck (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-9) (success)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)
There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.

@sssd-bot sssd-bot force-pushed the SSSD-sssd-backport-pr8571-to-sssd-2-9 branch from b0daeed to 9308256 Compare April 22, 2026 08:04
@alexey-tikhonov alexey-tikhonov merged commit dc75971 into SSSD:sssd-2-9 Apr 22, 2026
7 of 8 checks passed