[sssd/f20] Backport an upstream patch to ignore PAC verification failures
Jakub Hrozek
jhrozek at fedoraproject.org
Thu Dec 11 10:17:55 UTC 2014
commit d2828982ebfd24e56f4aac581745fdbeda77650b
Author: Jakub Hrozek <jhrozek at redhat.com>
Date: Thu Dec 11 11:15:33 2014 +0100
Backport an upstream patch to ignore PAC verification failures
...5_pac_verify-failures-should-not-be-fatal.patch | 42 ++++++++++++++++++++
sssd.spec | 6 ++-
2 files changed, 47 insertions(+), 1 deletions(-)
---
diff --git a/0002-PAC-krb5_pac_verify-failures-should-not-be-fatal.patch b/0002-PAC-krb5_pac_verify-failures-should-not-be-fatal.patch
new file mode 100644
index 0000000..da57223
--- /dev/null
+++ b/0002-PAC-krb5_pac_verify-failures-should-not-be-fatal.patch
@@ -0,0 +1,42 @@
+From df62ac0be0ab00bb1661098590c2aec6773f321e Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Mon, 4 Aug 2014 13:36:42 +0200
+Subject: [PATCH] PAC: krb5_pac_verify failures should not be fatal
+
+As noted in the MIT KRB5 documentation, some servers send PAC with no
+checksum, therefire the PAC validation should not be fatal, instead, we
+should treat a failure from krb5_pac_verify as if there was no PAC at
+all.
+
+Reported on sssd-devel by Thomas Sondergaard
+
+(cherry picked from commit 6e51d44a65b15c2f0491b0a8b452caac0bc00584)
+---
+ src/sss_client/sssd_pac.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/sss_client/sssd_pac.c b/src/sss_client/sssd_pac.c
+index 469758a65c1ec3502becb48175753a965a48773c..d1790df50465772e1f310f84e7e6b0e364192720 100644
+--- a/src/sss_client/sssd_pac.c
++++ b/src/sss_client/sssd_pac.c
+@@ -151,7 +151,16 @@ static krb5_error_code sssdpac_verify(krb5_context kcontext,
+ req->ticket->enc_part2->times.authtime,
+ req->ticket->enc_part2->client, key, NULL);
+ if (kerr != 0) {
+- return EINVAL;
++ /* The krb5 documentation says:
++ * A checksum mismatch can occur if the PAC was copied from a
++ * cross-realm TGT by an ignorant KDC; also Apple Mac OS X Server
++ * Open Directory (as of 10.6) generates PACs with no server checksum
++ * at all. One should consider not failing the whole authentication
++ * because of this reason, but, instead, treating the ticket as
++ * if it did not contain a PAC or marking the PAC information as
++ * non-verified.
++ */
++ return 0;
+ }
+
+ sss_data.len = sssdctx->data.length;
+--
+1.9.3
+
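Review bot: the new early `return 0` after `if (kerr != 0)` discards `kerr` without logging anything, so an administrator whose users stop getting PAC-derived group data has no trace of why; please emit a debug message carrying `kerr` before returning. Because the return happens before `sss_data.len = sssdctx->data.length;`, the PAC bytes are never handed on to the PAC responder, which does match the "as if there was no PAC at all" intent of the commit message, but the comment should say so explicitly: on this path a genuine checksum mismatch on a tampered PAC is now indistinguishable from the no-checksum servers the krb5 documentation describes, so nothing downstream may treat the ticket as carrying verified PAC data.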
diff --git a/sssd.spec b/sssd.spec
index 78b0a68..809ce86 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -14,7 +14,7 @@
Name: sssd
Version: 1.11.7
-Release: 3%{?dist}
+Release: 4%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -24,6 +24,7 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0001: 0001-sysdb_get_user_attr-use-fqn-for-subdomain-users.patch
+Patch0002: 0002-PAC-krb5_pac_verify-failures-should-not-be-fatal.patch
Patch0602: 0602-FEDORA-Add-CIFS-idmap-plugin.patch
### Dependencies ###
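Review bot: `Patch0002:` is declared here but no matching `%patch0002 -p1` appears anywhere in this diff; unless %prep applies the Patch tags through a loop or %autosetup, the file will be shipped in the SRPM but never applied to the sources, and the build would silently go out without the fix. Please show the %prep change or confirm the patches are applied generically.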
@@ -752,6 +753,9 @@ fi
%postun -n libsss_idmap -p /sbin/ldconfig
%changelog
+* Thu Dec 11 2014 Jakub Hrozek <jhrozek at redhat.com> - 1.11.7-4
+- Backport an upstream patch to ignore PAC verification failures
+
* Thu Sep 25 2014 Jakub Hrozek <jhrozek at redhat.com> - 1.11.7-3
- Fix a sysdb lookup error that resulted in IFP not returning subdomain users
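Review bot: the changelog entry should reference the upstream commit being backported (df62ac0be0ab / 6e51d44a65b1 from the patch header) or a bug ticket, so that `rpm -q --changelog` lets someone trace which upstream change 1.11.7-4 picked up; "ignore PAC verification failures" alone does not identify it.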