URL:
https://github.com/freeipa/freeipa/pull/6113
Author: abbra
Title: #6113: PAC fixes for Windows Server November 2021 security release
Action: opened
PR body:
"""
### ipa-kdb: issue PAC_REQUESTER_SID only for TGTs
MS-KILE 3.3.5.6.4.8 in revision after Windows Server November 2021 security fixes added
the following requirement:
- PAC_REQUESTER_SID is only added in TGT case (including referrals and tickets to RODCs)
### ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates
New versions of MS-KILE and MS-SFU after Windows Server November 2021 security updates add
PAC_REQUESTER_SID buffer check behavior:
- PAC_REQUESTER_SID should only be added for TGT requests
- if PAC_REQUESTER_SID is present, KDC must verify that the cname on the ticket resolves to the account with the same SID as the PAC_REQUESTER_SID. If it doesn't, the KDC must respond with KDC_ERR_TKT_REVOKED
Change requester SID check to skip exact check for non-local PAC_REQUESTER_SID but harden
to ensure it comes from the trusted domains we know about.
If requester SID is the same as in PAC, we already do cname vs PAC SID verification.
With these changes FreeIPA works against Windows Server 2019 with November 2021 security
fixes in cross-realm S4U2Self operations.
Fixes:
https://pagure.io/freeipa/issue/9031
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6113/head:pr6113
git checkout pr6113
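The PAC_REQUESTER_SID rule described in the PR body, modelled as an added C illustration that is not ipa-kdb's own code: `check_requester_sid`, `should_issue_requester_sid`, the SID strings and the trusted-domain list are constructed assumptions, and the local-versus-foreign split mirrors the PR's "skip exact check for non-local SIDs but require a known trusted domain" change.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Outcomes of the hypothetical requester-SID check (not ipa-kdb's own API). */
enum req_sid_result {
    REQ_SID_OK,        /* buffer accepted, or legitimately absent */
    REQ_SID_REVOKED,   /* local SID mismatch: KDC answers KDC_ERR_TKT_REVOKED */
    REQ_SID_UNTRUSTED  /* SID belongs to a domain this KDC does not trust */
};

/* Copy the domain part of a SID (everything before the final "-RID") to out. */
static bool sid_domain_part(const char *sid, char *out, size_t outlen) {
    const char *dash = strrchr(sid, '-');
    if (dash == NULL || (size_t)(dash - sid) >= outlen) return false;
    memcpy(out, sid, (size_t)(dash - sid));
    out[dash - sid] = '\0';
    return true;
}

/* Decide whether a PAC_REQUESTER_SID buffer is acceptable (constructed model of
 * the MS-KILE rule quoted in the PR, not ipa-kdb code).
 * pac_requester_sid is NULL when the buffer is absent; cname_sid is the SID the
 * ticket's cname resolved to (NULL if it resolved to nothing). */
enum req_sid_result check_requester_sid(const char *pac_requester_sid,
                                        const char *cname_sid,
                                        const char *local_domain_sid,
                                        const char *const *trusted_domain_sids,
                                        size_t ntrusted) {
    char domain[64];

    /* Absent buffer: nothing to verify (non-TGT tickets never carry one). */
    if (pac_requester_sid == NULL) return REQ_SID_OK;
    if (!sid_domain_part(pac_requester_sid, domain, sizeof(domain))) return REQ_SID_UNTRUSTED;

    /* Local account: the cname must resolve to exactly this SID. */
    if (strcmp(domain, local_domain_sid) == 0) {
        if (cname_sid != NULL && strcmp(cname_sid, pac_requester_sid) == 0) return REQ_SID_OK;
        return REQ_SID_REVOKED;
    }

    /* Foreign account: skip the exact check, but the domain must be a known trust. */
    for (size_t i = 0; i < ntrusted; i++)
        if (strcmp(domain, trusted_domain_sids[i]) == 0) return REQ_SID_OK;
    return REQ_SID_UNTRUSTED;
}

/* When issuing a ticket, add PAC_REQUESTER_SID only in the TGT case (which per
 * MS-KILE includes referrals and tickets to RODCs). */
bool should_issue_requester_sid(bool is_tgt) { return is_tgt; }
```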