On Thu, 01 Feb 2024, Steve Berg via FreeIPA-users wrote:
Is there any way to just delete all these SID requirements?  My ipa domain doesn't have a trust to anything windows and there's no plan to ever set that up.

No.

S4U protocol extensions for Kerberos require the presence of PAC buffers
as per the MS-SFU spec. The changes came in 2021 as a part of the
fixes to the 'dollar sign attack'. You can get a partial view of that with
https://wiki.samba.org/index.php/Security/Dollar_Ticket_Attack or
several talks we gave over the past few years at various conferences. Most
notable:
  - Andrew Bartlett, "sambaXP 2022: The Inside Story on the Dollar Ticket
    Attack"
    https://www.youtube.com/watch?v=1BnraIAcybg

  - Andreas Schneider, Alexander Bokovoy, "sambaXP 2023: Samba AD / MIT
    Kerberos: path out of experimental"
    https://www.youtube.com/watch?v=0_cdYuIYw0o

As such, you may be able to disable PAC generation for individual service
principals with 'ipa service-mod --pac-type NONE service_principal', but
if these principals would be using S4U protocol extensions (S4U2Self or
S4U2Proxy), this cannot be done because these extensions require use of
the PAC structure and the PAC structure requires SIDs. Specifically, FreeIPA API
and Web UI rely on S4U extensions internally.

This is not a theoretical issue in an IPA environment. There is a working
exploit that can be used to break through when SIDs aren't enforced in a
pure Kerberos environment. We fixed it in upstream MIT Kerberos and
FreeIPA some time ago, but the change required an ABI break which we cannot
allow in RHEL 8 due to details of the Kerberos libraries' support level. We
had to find a different way.

For deployments using RHEL 8, since RHEL 8.5 SIDs are generated by default.
For deployments upgraded to the new version, an update needs to be done by
administrators, but that requires changes specific to each deployment.
Red Hat support folks wrote two articles which help with the upgrade
process.

https://access.redhat.com/articles/7027037 explains how POSIX ID ranges
and SID information is connected together.

https://access.redhat.com/solutions/7052703 explains how to adjust IPA
deployment to upgrade to enable SIDs.

Both articles are available to RHEL subscribers, including users of the free
developer subscription, https://developers.redhat.com/



Been trying to add the RID and it fails but doesn't tell me why it failed.

Can you share what you have tried?



On 2/1/24 11:43, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi,


On Thu, Feb 1, 2024 at 12:51 PM Steve Berg via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

   Still not working.  I do not have any trust set up with any active
   directory currently, we have a AD running on the network but that
   and my ipa domain don't trust each other in any way.

   Got two idranges setup:
   -----------
      Range name: domain_id_range
      First Posix ID of the range: 824400000
      Number of IDs in the range: 200000
      First RID of the corresponding RID range: 1000
      First RID of the secondary RID range: 100000000
      Range type: local domain range

      Range name: EDIPIs_id_range
      First Posix ID of the range: 1009210100
      Number of IDs in the range: 619332697
      Range type: local domain range
   -----------

The above range is missing RID base and secondary RID base.
You can refer to this KCS: https://access.redhat.com/solutions/7052703, especially section 3, "Fixing ID range issues". You will have to add ipabaserid and ipasecondarybaserid to the range. RID values from 1,000-200,999 and 100,000,000-100,199,999 are already taken by the ID range domain_id_range; you can pick any values not overlapping.
flo


--
//-        Fixer of that which is broke        -//
//-        Home =sb...@mississippi.com         -//
//- Sinners can repent, but stupid is forever. -//




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
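As an added example (not code from the thread or from FreeIPA itself), the following script applies Florence's advice above: it takes the RID spans already claimed by domain_id_range, checks a candidate pair of ipabaserid/ipasecondarybaserid values for EDIPIs_id_range against them (and against each other and the 32-bit RID limit, which the advice implies but does not spell out), and then prints the ipa idrange-mod command. The existing range values are copied from the idrange output quoted in the thread; the candidate bases 200000000 and 1000000000 are assumptions chosen to clear the taken spans, and the --rid-base/--secondary-rid-base flag names are assumed from ipa idrange-mod.

```python
"""Check candidate RID bases for a FreeIPA ID range against existing ranges."""

# Existing ranges, constructed from the idrange output quoted in the thread.
EXISTING_RANGES = [
    {"name": "domain_id_range", "size": 200000,
     "rid_base": 1000, "secondary_rid_base": 100000000},
]

# Range that still lacks RID bases (name and size taken from the thread).
RANGE_NAME = "EDIPIs_id_range"
RANGE_SIZE = 619332697

MAX_RID = 2**32 - 1  # a RID is one 32-bit sub-authority of a SID


def rid_spans(size, rid_base, secondary_rid_base):
    """Return the two inclusive (first, last) RID spans a range occupies."""
    return [(rid_base, rid_base + size - 1),
            (secondary_rid_base, secondary_rid_base + size - 1)]


def overlaps(a, b):
    """True when inclusive spans a and b share at least one RID."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_rid_bases(size, rid_base, secondary_rid_base, existing=EXISTING_RANGES):
    """Return a list of conflicts; an empty list means the proposal is safe."""
    problems = []
    primary, secondary = rid_spans(size, rid_base, secondary_rid_base)
    if overlaps(primary, secondary):
        problems.append("primary and secondary RID spans overlap each other")
    for span in (primary, secondary):
        if span[1] > MAX_RID:
            problems.append(f"span {span} exceeds the 32-bit RID limit")
    for rng in existing:
        for other in rid_spans(rng["size"], rng["rid_base"], rng["secondary_rid_base"]):
            for span in (primary, secondary):
                if overlaps(span, other):
                    problems.append(f"span {span} collides with {rng['name']} span {other}")
    return problems


def idrange_mod_command(name, rid_base, secondary_rid_base):
    """Build the ipa idrange-mod invocation that would set the two bases."""
    return (f"ipa idrange-mod {name} --rid-base={rid_base} "
            f"--secondary-rid-base={secondary_rid_base}")


if __name__ == "__main__":
    proposal = (200000000, 1000000000)  # assumed candidate bases
    issues = check_rid_bases(RANGE_SIZE, *proposal)
    print("\n".join(issues) if issues else idrange_mod_command(RANGE_NAME, *proposal))
```

Run it before touching the range; only an empty conflict list should be followed by the printed idrange-mod command.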
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org