Bug 2182683

Summary: Tolerate absence of PAC ticket signature depending of domain and servers capabilities [rhel-9]
Product: Red Hat Enterprise Linux 9 Reporter: Julien Rische <jrische>
Component: ipaAssignee: Julien Rische <jrische>
Status: CLOSED ERRATA QA Contact: Michal Polovka <mpolovka>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.2CC: amore, frenaud, ftrivino, mjurasek, rcritten, tscherf
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.10.2-1.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2182685 2211389 (view as bug list) Environment:
Last Closed: 2023-11-07 08:34:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2182685, 2211389    

Description Julien Rische 2023-03-29 10:43:16 UTC 
We are working on backporting the upstream implementation[1] of PAC extended KDC signature to RHEL9/8 and Fedora Rawhide/38/37. The function that is being used to generate this signature is also meant to generate the PAC ticket signature. This implementation also require the PAC ticket signature to be present in constrained delegation requests for the PAC to be accepted.

However, the signature generation function cannot be used by prior to 1.20 versions of krb5 because of API limitations. This is why we are backporting a slightly modified version of the extended PAC signature support. It allows generating the PAC extended KDC signature without the ticket signature, and tolerate the absence of the ticket signature.

When the version of krb5 is 1.20 or newer, this is not a problem. However, in case of gradual upgrade environments (including both 1.20+ and 1.19- servers), 1.20 servers will reject a PAC generated by a 1.19- server, because it does not contain any ticket signature.

In order to keep supporting constrained delegation in this kind of setup, we are adding support for a "optional_pac_full_chksum" string attribute for KDB entries. It will allow to tolerate the absence of PAC ticket signature for a certain realm.

IPA should be able to set this attribute according to the state of the domain:

  * Set "optional_pac_full_chksum" to "true" if RHEL8 or RHEL9.1- or Fedora 36/37 servers are present
  * Set "optional_pac_full_chksum" to "false" (or unset) if all servers are RHEL9.2+ or Fedora 38+

[1] https://github.com/krb5/krb5/pull/1284
Comment 1 Julien Rische 2023-04-24 11:42:00 UTC 
Upstream pull request:
https://github.com/freeipa/freeipa/pull/6785
Comment 3 Julien Rische 2023-05-03 08:09:45 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/9371
Comment 5 Florence Blanc-Renaud 2023-05-24 11:23:13 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/9cd5f49c74f28dbe070b072b394747a039cef463
https://pagure.io/freeipa/c/3f1b373cb2028416e40a26e3dd99b0f4c82525c7
https://pagure.io/freeipa/c/545a363dd2f7f551fa3ec3fed66c80b30ae3c1e1
Comment 6 Trivino 2023-05-29 12:31:43 UTC 
KCS optional_pac_full_chksum new option will be handled automatically by IPA KDC (as done for other use cases, e.g. LDAP..). Hence, removing docimpact.
Comment 10 Florence Blanc-Renaud 2023-06-01 06:07:54 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/9cd5f49c74f28dbe070b072b394747a039cef463
https://pagure.io/freeipa/c/3f1b373cb2028416e40a26e3dd99b0f4c82525c7
https://pagure.io/freeipa/c/545a363dd2f7f551fa3ec3fed66c80b30ae3c1e1
Comment 11 Florence Blanc-Renaud 2023-06-01 06:09:27 UTC 
Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/630cda5c06428825dd5604493621b9cbdab70073
https://pagure.io/freeipa/c/bbe545ff9feb972e549c743025e4a26b14ef8f89
https://pagure.io/freeipa/c/7ea3b86696f5451f1d227d365018ab7dc53024af
Comment 12 Florence Blanc-Renaud 2023-06-01 09:13:13 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/e00f457f755e78d384beb8cc7ac312e9741b56af
https://pagure.io/freeipa/c/4ef8258d58046ee905c929c0e889653a8b86d383
https://pagure.io/freeipa/c/03897d8a6899691b7218428b296f6d22ccadcfb2
https://pagure.io/freeipa/c/d551e853fc4e213cf384bc983d0e76d8568ee954
https://pagure.io/freeipa/c/9cdf010ca6c8b03d9f7cc338e8253219e0e877b0
https://pagure.io/freeipa/c/18bf495ce88fbb032f23f7db7f941458ecf55c7a
Comment 13 Florence Blanc-Renaud 2023-06-01 13:51:35 UTC 
Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/3d0decd9efc4883328e95f9ff89002aec32462ec
https://pagure.io/freeipa/c/803a44777f901217d634f8fd7feed8b66ece352a
https://pagure.io/freeipa/c/fefa0248296413b6ee5ad2543d8feb1b31840aee
https://pagure.io/freeipa/c/bd8fcd6f5bc62a4bfc544b69c0d960291be05d37
https://pagure.io/freeipa/c/1b55e9b1cb4f192635878b0b7242104d58a37d2b
https://pagure.io/freeipa/c/11ce2b2133364916de06f4c42d8a19ce438bd41c
Comment 14 Florence Blanc-Renaud 2023-06-02 11:09:56 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/3a706e86200dd3ab9d317fb6f71ba80d3ae2f642
Comment 24 errata-xmlrpc 2023-11-07 08:34:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6477