Resolves: upstream#4126 pcscd rejecting sssd ldap_child as unauthorized

2020-02-27 03:03:56 +01:00 · 2020-02-27 03:03:56 +01:00 · b81369e441
commit b81369e441
parent 069e6c9dc8
2 changed files with 103 additions and 1 deletions
--- a/0005-ldap_child-do-not-try-PKINIT.patch
+++ b/0005-ldap_child-do-not-try-PKINIT.patch
@ -0,0 +1,98 @@
+From 580d61884b6c0a81357d8f9fa69fe69d1f017185 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 6 Dec 2019 12:29:49 +0100
+Subject: [PATCH] ldap_child: do not try PKINIT
+
+if the PKINIT plugin is installed and pkinit_identities is set in
+/etc/krb5.conf libkrb5 will try to do PKINIT although ldap_child only
+wants to authenticate with a keytab. As a result ldap_child might try to
+access a Smartcard which is either not allowed at all or might cause
+unexpected delays.
+
+To avoid this the current patch sets pkinit_identities for LDAP child
+explicitly to make the PKINIT plugin fail because if installed libkrb5
+will always use it.
+
+It turned out the setting pre-authentication options requires some
+internal flags to be set and krb5_get_init_creds_opt_alloc() must be
+used to initialize the options struct.
+
+Related to https://pagure.io/SSSD/sssd/issue/4126
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+---
+ src/providers/ldap/ldap_child.c | 30 ++++++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
+index 408d64db4..b081df90f 100644
+--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
+@@ -277,7 +277,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
+     krb5_ccache ccache = NULL;
+     krb5_principal kprinc;
+     krb5_creds my_creds;
+-    krb5_get_init_creds_opt options;
+    krb5_get_init_creds_opt *options = NULL;
+     krb5_error_code krberr;
+     krb5_timestamp kdc_time_offset;
+     int canonicalize = 0;
+@@ -392,19 +392,32 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
+     }
+ 
+     memset(&my_creds, 0, sizeof(my_creds));
+-    memset(&options, 0, sizeof(options));
+ 
+-    krb5_get_init_creds_opt_set_address_list(&options, NULL);
+-    krb5_get_init_creds_opt_set_forwardable(&options, 0);
+-    krb5_get_init_creds_opt_set_proxiable(&options, 0);
+-    krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
+    krberr = krb5_get_init_creds_opt_alloc(context, &options);
+    if (krberr != 0) {
+        DEBUG(SSSDBG_OP_FAILURE, "krb5_get_init_creds_opt_alloc failed.\n");
+        goto done;
+    }
+
+    krb5_get_init_creds_opt_set_address_list(options, NULL);
+    krb5_get_init_creds_opt_set_forwardable(options, 0);
+    krb5_get_init_creds_opt_set_proxiable(options, 0);
+    krb5_get_init_creds_opt_set_tkt_life(options, lifetime);
+    krberr = krb5_get_init_creds_opt_set_pa(context, options,
+                                            "X509_user_identity", "");
+    if (krberr != 0) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "krb5_get_init_creds_opt_set_pa failed [%d], ignored.\n",
+              krberr);
+    }
+
+ 
+     tmp_str = getenv("KRB5_CANONICALIZE");
+     if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
+         DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n");
+         canonicalize = 1;
+     }
+-    sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
+    sss_krb5_get_init_creds_opt_set_canonicalize(options, canonicalize);
+ 
+     ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s",
+                                   DB_PATH, realm_name);
+@@ -433,7 +446,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
+     }
+ 
+     krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
+-                                        keytab, 0, NULL, &options);
+                                        keytab, 0, NULL, options);
+     if (krberr != 0) {
+         DEBUG(SSSDBG_OP_FAILURE,
+               "krb5_get_init_creds_keytab() failed: %d\n", krberr);
+@@ -513,6 +526,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
+     *expire_time_out = my_creds.times.endtime - kdc_time_offset;
+ 
+ done:
+    krb5_get_init_creds_opt_free(context, options);
+     if (krberr != 0) {
+         if (*_krb5_msg == NULL) {
+             /* no custom error message provided hence get one from libkrb5 */
+-- 
+2.20.1
+
--- a/sssd.spec
+++ b/sssd.spec
@ -36,7 +36,7 @@

 Name: sssd
 Version: 2.2.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://pagure.io/SSSD/sssd/
@ -47,6 +47,7 @@ Patch0001: 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
 Patch0002: 0002-BUILD-Accept-krb5-1.18-for-building-the-PAC-plugin.patch
 Patch0003: 0003-INI-sssctl-config-check-command-error-messages.patch
 Patch0004: 0004-certmap-mention-special-regex-characters-in-man-page.patch
+Patch0005: 0005-ldap_child-do-not-try-PKINIT.patch

 ### Downstream only patches ###
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
@ -1075,6 +1076,9 @@ fi
                                %{_libdir}/%{name}/modules/libwbclient.so

 %changelog
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-4
+- Resolves: upstream#4126 pcscd rejecting sssd ldap_child as unauthorized
+
 * Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-3
 - Resolves: upstream#4127 - [Doc]Provide explanation on escape character for
                            match rules sss-certmap