[Freeipa-devel] [PATCH] #2122 Fix PAC re-signing
Sumit Bose
sbose at redhat.com
Thu Nov 24 12:54:19 UTC 2011
On Wed, Nov 23, 2011 at 11:53:11AM +0100, Sumit Bose wrote:
> On Tue, Nov 22, 2011 at 07:10:54PM -0500, Simo Sorce wrote:
> > In some cases the KDC will decide to use a different checksum type when
> > re-signing a PAC to include it in a service ticket.
> >
> > This is common in a cross-realm trust with AD as most AD DCs will use a
> > HMAC-MD5-RC4 checksum while IPA's KDC will instead choose to use
> > HMAC-SHA-AES when re-signing the PAC.
> >
> > In current MIT code re-signing a PAC with a signature that differs in
> > length from the original will cause an error.
> >
> > While MIT should handle this properly, we use the workaround of
> > regenerating the PAC from scratch so that there is no trace of the
> > previous signatures.
> >
> > Tested while obtaining a cross-realm ticket from an AD domain against a
> > service belonging to an IPA domain.
>
> I see "authdata (kdb) handling failure: Cannot allocate memory" in
> krb5kdc.log when trying to log in with putty into the IPA server. Do you
> already have an idea or shall I start gdb?
I think I found two issues which should be fixed by the following patch:
- krb5_pac_add_buffer() expects krb5_pac and not krb5_pac * as a second
argument
- your patch copies all buffers, including the checksums, which you
wanted to remove from the new pac
With this patch applied I do not see any errors in the krb5kdc.log and
ssh from AD to IPA server works.
HTH
bye,
Sumit
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c
b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 63c18b5..68a347a 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -28,6 +28,10 @@
#define KRB5INT_PAC_SIGN_AVAILABLE 1
#define KRB5INT_FIND_AUTHDATA_AVAILABLE 1
+#define PAC_SERVER_CHECKSUM 6 /**< Server checksum */
+#define PAC_PRIVSVR_CHECKSUM 7 /**< KDC checksum */
+
+
#if KRB5INT_PAC_SIGN_AVAILABLE
krb5_error_code
krb5int_pac_sign(krb5_context context,
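Review bot: the two new defines at the top of this hunk hard-code the PAC buffer type numbers 6 and 7 without any guard; if the krb5 headers this file already includes export the same values as KRB5_PAC_SERVER_CHECKSUM and KRB5_PAC_PRIVSVR_CHECKSUM, reuse those instead, and otherwise wrap the local definitions in #ifndef so a newer header cannot trigger a redefinition warning. The two added blank lines also leave a double blank before #if KRB5INT_PAC_SIGN_AVAILABLE; one is enough.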
@@ -604,16 +608,19 @@ static krb5_error_code
ipadb_verify_pac(krb5_context context,
}
for (i = 0; i < num_buffers; i++) {
- kerr = krb5_pac_get_buffer(context, old_pac,
- buffer_types[i], &data);
- if (kerr == 0) {
- kerr = krb5_pac_add_buffer(context, &new_pac,
- buffer_types[i], &data);
- }
- krb5_free_data_contents(context, &data);
- if (kerr) {
- krb5_pac_free(context, new_pac);
- goto done;
+ if (buffer_types[i] != PAC_SERVER_CHECKSUM &&
+ buffer_types[i] != PAC_PRIVSVR_CHECKSUM) {
+ kerr = krb5_pac_get_buffer(context, old_pac,
+ buffer_types[i], &data);
+ if (kerr == 0) {
+ kerr = krb5_pac_add_buffer(context, new_pac,
+ buffer_types[i], &data);
+ }
+ krb5_free_data_contents(context, &data);
+ if (kerr) {
+ krb5_pac_free(context, new_pac);
+ goto done;
+ }
}
}
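Review bot: the new condition wraps the whole loop body in an extra level of nesting; the same filter reads more clearly, and keeps the diff to the two real fixes (dropping the checksum buffers and passing new_pac rather than &new_pac), as an early continue at the top of the loop:
if (buffer_types[i] == PAC_SERVER_CHECKSUM ||
buffer_types[i] == PAC_PRIVSVR_CHECKSUM) continue;
Two things the hunk relies on but does not show should be confirmed or commented: data must be initialised to an empty krb5_data before the loop, because krb5_free_data_contents runs even when krb5_pac_get_buffer fails, and the caller must sign new_pac after the loop, because the old server and KDC checksums are now intentionally not carried over and the new PAC is unsigned until then. A one-line comment above the condition saying why the checksum buffers are skipped (the KDC re-signs with a checksum type whose length may differ from the original, as the commit message explains) would help the next reader.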
>
> bye,
> Sumit
>
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York