Fix s4u2self with adtrust #709
Conversation
When ADtrust is installed we add a PAC to all tickets, during protocol transition we need to generate a new PAC for the requested user ticket, not check the existing PAC on the requestor ticket. https://pagure.io/freeipa/issue/6862 Signed-off-by: Simo Sorce <simo@redhat.com>
|
Hi @simo5, I tested webUI authentication with a IPA user and it is working with this patch. |
| /* we need to create a PAC if we are requested one and this is an AS REQ, | ||
| * or we are doing protocol transition (s4u2self) */ | ||
| if ((is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) || | ||
| (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) { |
There was a problem hiding this comment.
I think if should be (flags & KRB5_KDB_FLAGS_S4U) because both protocol transition and constraint delegation are in KRB5_KDB_FLAGS_S4U and fetch_kdb_authdata() does check against this constant when looking if it is included.
There was a problem hiding this comment.
No this would force a rebuild of the PAC in s4u2proxy cases.
In that case we check and forward port the PAC or create it. And this case is already handled in pre-existing code.
There was a problem hiding this comment.
Ok, the other case (constraint delegation) of KRB5_KDB_FLAGS_S4U flag is handled already.
| /* we need to create a PAC if we are requested one and this is an AS REQ, | ||
| * or we are doing protocol transition (s4u2self) */ | ||
| if ((is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) || | ||
| (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) { |
There was a problem hiding this comment.
Ok, the other case (constraint delegation) of KRB5_KDB_FLAGS_S4U flag is handled already.
When ADtrust is installed we add a PAC to all tickets, during protocol
transition we need to generate a new PAC for the requested user ticket,
not check the existing PAC on the requestor ticket.
https://pagure.io/freeipa/issue/6862