Hi, the attached patch attempts to bring us up to MS-KILE version 25.0 support by verifying that if the number of additional SIDs in the KERB_VALIDATION_INFO structure is equal to one, then this SID must be AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY, S-1-18-1. This SID means the client's identity is asserted by an authentication authority based on proof of possession of client credentials. During the AD interop event at Microsoft earlier this year Simo found out that this is the case for Windows Server 2012 and we need to relax our check to allow this case.

https://fedorahosted.org/freeipa/ticket/3231

I haven't tested it against Windows Server 2012 yet but am sending the patch out for an early check and verification.

--
/ Alexander Bokovoy
>From 5c95c684722e3418352aa7ab971b2e7234e58769 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <[email protected]> Date: Thu, 22 Nov 2012 17:45:40 +0200 Subject: [PATCH] ipa-kdb: Support Windows 2012 Server Windows 2012 Server changed procedure how KERB_VALIDATION_INFO ([MS-PAC] section 2.5) is populated. Detailed description is available in [MS-KILE] version 25.0 and above. In particular, SidCount should be set to one and list of sids should contain the AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY SID (S-1-18-1). Refactor KERB_VALIDATION_INFO verification and add support for the case when SidCount is equal to one. https://fedorahosted.org/freeipa/ticket/3231 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 881a7a7124b3f6651c44bc393b6899d093f8dfc6..4a0d974d628fd3794054ba200b76e0530e20cef7 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -87,6 +87,7 @@ static char *memberof_pac_attrs[] = { #define SID_ID_AUTHS 6 #define SID_SUB_AUTHS 15 #define MAX(a,b) (((a)>(b))?(a):(b)) +#define SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY "S-1-18-1" static int string_to_sid(char *str, struct dom_sid *sid) { 
@@ -1079,10 +1080,33 @@ static krb5_error_code filter_logon_info(krb5_context context, } talloc_free(domsid); - /* According to MS-KILE, info->info->info3.sids must be zero, so check - * that it is the case here */ + /* According to MS-KILE 25.0, info->info->info3.sids may be non zero, so check + * should include different possibilities into account + * */ if (info->info->info3.sidcount != 0) { - return EINVAL; + switch (info->info->info3.sidcount) { + case 1: + /* sidcount is 1, info3.sids must contain SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY */ + domsid = dom_sid_string(NULL, info->info->info3.sids[0].sid); + if (!domsid) { + return EINVAL; + } + + if (strcmp(domsid, SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY) != 0) { + krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain = %s, " + "expected extra sid to be %s, received %s ", + domain->domain_name, SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY, + domsid); + talloc_free(domsid); + return EINVAL; + } + + talloc_free(domsid); + break; + default: + return EINVAL; + break; + } } /* According to MS-KILE, ResourceGroups must be zero, so check -- 1.8.0
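Review bot: in the filter_logon_info hunk the outer `if (info->info->info3.sidcount != 0)` and the inner `switch` on the same field duplicate each other; folding the zero case into the switch (`case 0: break;`) states the rule in one place, and the `break;` after `return EINVAL;` in `default:` is unreachable and can be dropped. The rewritten comment ("should include different possibilities into account") should spell out the accepted shape precisely, e.g. "SidCount must be 0, or 1 with the single SID equal to S-1-18-1", so the next reader does not have to reverse it from the code; the strcmp against SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY is correct as written, and the allocated domsid string is freed on both the mismatch and the match path.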
_______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
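A stand-alone C sketch of the rule the patch enforces, added here as an example and not FreeIPA's own code: it checks the KERB_VALIDATION_INFO extra-SID list against S-1-18-1 in its binary form (identifier authority 18, one sub-authority 1) instead of going through a string compare. The struct layouts, the S-1-18-2 counter-example and the sample lists are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Minimal stand-in for the PAC SID layout: revision, sub-authority count,
 * 6-byte big-endian identifier authority, sub-authorities. */
#define SID_ID_AUTHS 6
#define SID_SUB_AUTHS 15

struct dom_sid {
    uint8_t  sid_rev_num;
    uint8_t  num_auths;
    uint8_t  id_auth[SID_ID_AUTHS];
    uint32_t sub_auths[SID_SUB_AUTHS];
};

struct kerb_sid_attr {            /* stand-in for KERB_SID_AND_ATTRIBUTES */
    const struct dom_sid *sid;
    uint32_t attributes;
};

/* Constructed: S-1-18-1, AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY. */
static const struct dom_sid asserted_identity_sid = { 1, 1, {0, 0, 0, 0, 0, 18}, {1} };
/* Constructed counter-example: S-1-18-2, SERVICE_ASSERTED_IDENTITY. */
static const struct dom_sid service_asserted_sid = { 1, 1, {0, 0, 0, 0, 0, 18}, {2} };

/* Constructed sample extra-SID lists as a KDC would see them. */
const struct kerb_sid_attr sample_one_ok[]  = { { &asserted_identity_sid, 0 } };
const struct kerb_sid_attr sample_one_bad[] = { { &service_asserted_sid, 0 } };
const struct kerb_sid_attr sample_two[]     = { { &asserted_identity_sid, 0 },
                                                { &service_asserted_sid, 0 } };

/* Field-by-field SID equality: revision, authority, then the used sub-authorities. */
static int dom_sid_equal(const struct dom_sid *a, const struct dom_sid *b)
{
    if (a->sid_rev_num != b->sid_rev_num || a->num_auths != b->num_auths) return 0;
    if (memcmp(a->id_auth, b->id_auth, SID_ID_AUTHS) != 0) return 0;
    return memcmp(a->sub_auths, b->sub_auths, a->num_auths * sizeof(uint32_t)) == 0;
}

/* The MS-KILE 25.0 rule: SidCount must be 0, or exactly 1 with that single
 * extra SID equal to S-1-18-1. Returns 1 when the PAC is acceptable. */
int extra_sids_acceptable(uint32_t sidcount, const struct kerb_sid_attr *sids)
{
    switch (sidcount) {
    case 0:
        return 1;
    case 1:
        return sids != NULL && sids[0].sid != NULL &&
               dom_sid_equal(sids[0].sid, &asserted_identity_sid);
    default:
        return 0;
    }
}
```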
