On Thu, 01 Feb 2024, Steve Berg via FreeIPA-users wrote:
Is there any way to just delete all these SID requirements? My ipa domain doesn't have a trust to anything windows and there's no plan to ever set that up.
No.
S4U protocol extensions for Kerberos require the presence of PAC buffers as per the MS-SFU spec. The changes came in 2021 as a part of the fixes for the 'dollar sign attack'. You can get a partial view of that with https://wiki.samba.org/index.php/Security/Dollar_Ticket_Attack or several talks we gave over the past few years at various conferences. Most notable:
- Andrew Bartlett, "sambaXP 2022: The Inside Story on the Dollar Ticket Attack" https://www.youtube.com/watch?v=1BnraIAcybg
- Andreas Schneider, Alexander Bokovoy, "sambaXP 2023: Samba AD / MIT Kerberos: path out of experimental" https://www.youtube.com/watch?v=0_cdYuIYw0o
As such, you may be able to disable PAC generation for individual service principals with 'ipa service-mod --pac-type NONE service_principal', but if these principals use S4U protocol extensions (S4U2Self or S4U2Proxy), this cannot be done because these extensions require use of the PAC structure, and the PAC structure requires SIDs. Specifically, FreeIPA API and Web UI rely on S4U extensions internally.
This is not a theoretical issue in an IPA environment. There is a working exploit that can be used to break through when SIDs aren't enforced in a pure Kerberos environment. We fixed it in upstream MIT Kerberos and FreeIPA some time ago, but the change required an ABI break which we cannot allow in RHEL 8 due to details of the Kerberos libraries' support level. We had to find a different way.
For deployments using RHEL 8, since RHEL 8.5 SIDs are generated by default. For deployments upgraded to a new version, an update needs to be done by administrators, but that requires changes specific to each deployment. Red Hat support folks wrote two articles which help with the upgrade process.
https://access.redhat.com/articles/7027037 explains how POSIX ID ranges and SID information are connected together.
https://access.redhat.com/solutions/7052703 explains how to adjust an IPA deployment to upgrade to enable SIDs.
Both articles are available to RHEL subscribers, including users of the free developer subscription, https://developers.redhat.com/
Been trying to add the RID and it fails but doesn't tell me why it failed.
Can you share what you have tried?
On 2/1/24 11:43, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi,
On Thu, Feb 1, 2024 at 12:51 PM Steve Berg via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Still not working. I do not have any trust set up with any active directory currently; we have an AD running on the network but that and my ipa domain don't trust each other in any way.
Got two idranges setup:
Range name: domain_id_range
First Posix ID of the range: 824400000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range

Range name: EDIPIs_id_range
First Posix ID of the range: 1009210100
Number of IDs in the range: 619332697
Range type: local domain range
The above range is missing RID base and secondary RID base. You can refer to this KCS: https://access.redhat.com/solutions/7052703, especially section 3, "Fixing ID range issues". You will have to add ipabaserid and ipasecondarybaserid to the range. RID values from 1,000-200,999 and 100,000,000-100,199,999 are already taken by the id range domain_id_range; you can pick any values not overlapping.
flo
--
//- Fixer of that which is broke -//
//- Home = sberg@mississippi.com -//
//- Sinners can repent, but stupid is forever. -//
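A small planning helper for the RID-base fix Florence describes above, added here as an example; it is not code from the thread, from FreeIPA, or from the Red Hat articles. It takes the two idranges quoted in the thread (constructed from those figures), treats each range's RID base and secondary RID base as occupying `size` consecutive RIDs, reports any overlap between ranges or between a range's own primary and secondary RID intervals, and proposes the lowest non-colliding pair of bases. The 32-bit ceiling check is an assumption added here (RIDs are 32-bit SID sub-authorities); the `--rid-base`/`--secondary-rid-base` options are the ones `ipa idrange-mod --help` lists, and the IPA server's own validation remains the authority when the command is actually run.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RIDs are 32-bit unsigned sub-authorities of a SID, so a RID interval must end below this.
RID_MAX = 0xFFFFFFFF

Interval = Tuple[int, int]  # inclusive (low, high)


@dataclass
class IdRange:
    """The fields of an IPA local ID range that matter for RID planning."""
    name: str
    base_id: int
    size: int
    rid_base: Optional[int] = None            # ipabaserid
    secondary_rid_base: Optional[int] = None  # ipasecondarybaserid

    def rid_intervals(self) -> List[Interval]:
        """Inclusive RID intervals this range occupies; empty if no RID bases are set."""
        return [(b, b + self.size - 1)
                for b in (self.rid_base, self.secondary_rid_base) if b is not None]


def overlaps(a: Interval, b: Interval) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_rid_bases(candidate: IdRange, existing: List[IdRange]) -> List[str]:
    """Return the problems with candidate's RID bases; an empty list means it is consistent."""
    problems: List[str] = []
    if candidate.rid_base is None or candidate.secondary_rid_base is None:
        return [f"{candidate.name}: both ipabaserid and ipasecondarybaserid must be set"]
    primary, secondary = candidate.rid_intervals()
    if overlaps(primary, secondary):
        problems.append(f"{candidate.name}: primary and secondary RID ranges overlap each other")
    for label, iv in (("primary", primary), ("secondary", secondary)):
        if iv[1] > RID_MAX:
            problems.append(f"{candidate.name}: {label} RID range {iv} exceeds the 32-bit RID space")
        for other in existing:
            if other.name == candidate.name:
                continue
            for theirs in other.rid_intervals():
                if overlaps(iv, theirs):
                    problems.append(
                        f"{candidate.name}: {label} RID range {iv} overlaps {other.name} range {theirs}")
    return problems


def propose_rid_bases(candidate: IdRange, existing: List[IdRange],
                      start: int = 1000) -> Tuple[int, int]:
    """Pick the lowest primary and secondary RID bases (from `start`) that collide with nothing."""
    taken = [iv for r in existing if r.name != candidate.name for iv in r.rid_intervals()]

    def first_free(pos: int, blocked: List[Interval]) -> int:
        for lo, hi in sorted(blocked):
            if pos + candidate.size - 1 < lo:
                break            # the whole window fits below this interval
            if pos <= hi:
                pos = hi + 1     # collides: move just past it and keep scanning
        if pos + candidate.size - 1 > RID_MAX:
            raise ValueError(f"{candidate.name}: no room for {candidate.size} RIDs")
        return pos

    primary = first_free(start, taken)
    secondary = first_free(primary + candidate.size,
                           taken + [(primary, primary + candidate.size - 1)])
    return primary, secondary


def idrange_mod_command(r: IdRange) -> str:
    """The ipa CLI call that would apply the chosen bases (option names as in `ipa idrange-mod --help`)."""
    return (f"ipa idrange-mod {r.name} --rid-base={r.rid_base} "
            f"--secondary-rid-base={r.secondary_rid_base}")


# Constructed from the two ranges quoted in the thread.
DOMAIN_RANGE = IdRange("domain_id_range", 824400000, 200000, 1000, 100000000)
EDIPI_RANGE = IdRange("EDIPIs_id_range", 1009210100, 619332697)

if __name__ == "__main__":
    rid, sec = propose_rid_bases(EDIPI_RANGE, [DOMAIN_RANGE])
    fixed = IdRange(EDIPI_RANGE.name, EDIPI_RANGE.base_id, EDIPI_RANGE.size, rid, sec)
    print(check_rid_bases(fixed, [DOMAIN_RANGE]) or "no conflicts")
    print(idrange_mod_command(fixed))
```

Run against the thread's figures it proposes a primary base just past domain_id_range's secondary interval and a secondary base just past that; any other pair is equally valid as long as `check_rid_bases` returns no problems. The silent failure Steve reports is what this check is meant to surface before the `ipa idrange-mod` call is attempted: a base that overlaps the 1,000-200,999 or 100,000,000-100,199,999 intervals is named explicitly in the output.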