On Mon, 10 Mar 2025, Sumit Bose via sssd-devel wrote:
On Mon, Mar 10, 2025 at 05:44:07PM +0300, Ivan Korytov via sssd-devel wrote:
Hello!

I'm in the middle of implementing a feature for krb5_child to include
client addresses (IP and NetBIOS) in initial Kerberos tickets and have
some questions.

Hi,

thanks for your interest in SSSD. Why do you need to add some NetBIOS
information?

A bit of context: Samba AD does put NetBIOS addresses into the ticket
and also pulls them out to perform authorization. This has been done for
about 20 years now. Samba AD DC is then able to check whether a particular
workstation is allowed to perform operations as a machine enrolled into
the domain.

Ivan recently submitted a small PR to MIT Kerberos to enable showing
these addresses in klist: https://github.com/krb5/krb5/pull/1413



1) In sssd there is already a sss_iface_addr_list_get function to get
IPv4 and IPv6 network addresses but it is in be_dyndns.c, so using it
from krb5 provider seems wrong. Do you prefer separate implementations
for different use cases (because it might change in future) or
deduplicating functionality as much as possible?

It depends on how useful `struct sss_iface_addr` is for you. If you can
use it to create the needed data for
`krb5_get_init_creds_opt_set_address_list()` then it would be ideal if
you can move `sss_iface_addr_list_get()` to some more general place
(maybe src/util/) and use this in both places.

But if you need lots of extra processing then it might be easier to call
`getifaddrs()` from krb5_child and do the processing directly.


2) Is it safe to rely on value of ad_hostname? Do I need to use
gethostname or because ad_hostname has a default value from the same
function I can use just it and not have a duplicate failsafe?

Using the value of ad_hostname is recommended since the actual hostname
might differ from the name known to AD for whatever reasons.

We definitely need to use the name that AD knows about.



3) How frequently are proxy tickets used and is there a way to test
them?

Afaik nobody has asked about proxy tickets until now, so I guess they are
not often used in the context of SSSD. There are no tests for this either
because to my knowledge SSSD should not be affected by the flag and any
further usage of the TGT is up to libkrb5.


4) I've noticed strange behavior when changing password. Addresses are
included correctly until the kpasswd request is done. After that request
get_and_save_tgt is called to obtain a new ticket for the user as per usual
login. But this time addresses are not included. If I force the addresses
to be included again, before get_and_save_tgt in changepw_child, then they
are included. Normal login works fine and it uses the same
get_and_save_tgt function.

Not sure if this answers your question, but in `make_chpw_options()` in
the MIT Kerberos source code the KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST
flag is unset.

Correct. Password change is a specific action which involves requesting
a temporary ticket to kadmin/changepw service. For this ticket MIT
Kerberos inherits flags which affect preauthentication and unsets
options which only apply to the actual ticket.


HTH

bye,
Sumit


Could krb5_free_cred_contents somehow cleanup more than needed? IIRC
flag KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST is set, but the list becomes
empty at this stage.

Also, some of the TGT requests will include addresses though it is not
needed and I cannot trace why they would do that.

--
Ivan Korytov

koryto...@basealt.ru

--
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

