Bug 2182685

Summary: Tolerate absence of PAC ticket signature depending on domain and server capabilities [rawhide,f38]
Product: Fedora
Component: freeipa
Version: rawhide
Reporter: Julien Rische <jrische>
Assignee: Julien Rische <jrische>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, frenaud, ftrivino, ipa-maint, ipa-qe, jhrozek, mhjacks, pvoborni, rcritten, ssorce, tscherf, twoerner
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Fixed In Version: freeipa-4.10.2-1.fc38
Doc Type: If docs needed, set a value
Clone Of: 2182683
Bug Depends On: 2182683
Type: Bug
Last Closed: 2023-08-01 02:48:55 UTC

Description Julien Rische 2023-03-29 10:45:46 UTC
+++ This bug was initially created as a clone of Bug #2182683 +++

We are working on backporting the upstream implementation[1] of PAC extended KDC signature to RHEL9/8 and Fedora Rawhide/38/37. The function that is being used to generate this signature is also meant to generate the PAC ticket signature. This implementation also requires the PAC ticket signature to be present in constrained delegation requests for the PAC to be accepted.

However, the signature generation function cannot be used by versions of krb5 prior to 1.20 because of API limitations. This is why we are backporting a slightly modified version of the extended PAC signature support. It allows generating the PAC extended KDC signature without the ticket signature, and tolerates the absence of the ticket signature.

When the version of krb5 is 1.20 or newer, this is not a problem. However, in the case of gradual upgrade environments (including both 1.20+ and 1.19- servers), 1.20 servers will reject a PAC generated by a 1.19- server, because it does not contain any ticket signature.

In order to keep supporting constrained delegation in this kind of setup, we are adding support for an "optional_pac_full_chksum" string attribute for KDB entries. It will allow tolerating the absence of the PAC ticket signature for a certain realm.

IPA should be able to set this attribute according to the state of the domain:

  * Set "optional_pac_full_chksum" to "true" if RHEL8 or RHEL9.1- or Fedora 36/37 servers are present
  * Set "optional_pac_full_chksum" to "false" (or unset) if all servers are RHEL9.2+ or Fedora 38+

[1] https://github.com/krb5/krb5/pull/1284
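The decision rule from the description, written out as an added illustration (not FreeIPA's own code from PR 6785): given the OS and version of every server in the realm, return the value IPA should set for "optional_pac_full_chksum". The thresholds come from the two bullets above; the server inventory is constructed sample input, and the "unknown platform" fallback is an assumption of this example.

```python
"""Decide the "optional_pac_full_chksum" KDB string attribute value from the
OS versions of the realm's servers. Illustration of the rule in the bug
description; not FreeIPA's implementation."""
from typing import Iterable, Tuple

# Oldest releases that carry the PAC ticket signature support (krb5 1.20+).
# Anything older cannot emit the ticket signature, so the realm must tolerate
# its absence in constrained-delegation requests.
MIN_TICKET_SIGNATURE = {
    "rhel": (9, 2),     # RHEL 9.2+; RHEL 8 and RHEL 9.1- lack it
    "fedora": (38, 0),  # Fedora 38+; Fedora 36/37 lack it
}


def parse_version(text: str) -> Tuple[int, int]:
    """'9.2' -> (9, 2); '38' -> (38, 0). Raises ValueError on junk."""
    parts = text.strip().split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 else 0
    return (major, minor)


def can_sign_ticket(os_name: str, version: str) -> bool:
    """True if a server on this OS/version emits the PAC ticket signature."""
    key = os_name.strip().lower()
    if key not in MIN_TICKET_SIGNATURE:
        # Assumption: an unknown platform is treated as unable to sign, so the
        # realm stays usable rather than rejecting its PACs.
        return False
    return parse_version(version) >= MIN_TICKET_SIGNATURE[key]


def optional_pac_full_chksum(servers: Iterable[Tuple[str, str]]) -> str:
    """Return "true" if any server cannot produce the ticket signature,
    otherwise "false" (the attribute may equally be left unset)."""
    needs_tolerance = any(not can_sign_ticket(os, ver) for os, ver in servers)
    return "true" if needs_tolerance else "false"


# Constructed sample: a gradual-upgrade realm that still has a RHEL 9.1 KDC.
SAMPLE_REALM = [("rhel", "9.2"), ("fedora", "38"), ("rhel", "9.1")]

if __name__ == "__main__":
    print(optional_pac_full_chksum(SAMPLE_REALM))  # → true
```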

Comment 1 Julien Rische 2023-04-24 11:42:27 UTC
Upstream pull request:
https://github.com/freeipa/freeipa/pull/6785

Comment 6 Florence Blanc-Renaud 2023-06-02 11:10:27 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/3a706e86200dd3ab9d317fb6f71ba80d3ae2f642

Comment 7 Fedora Update System 2023-06-13 13:41:21 UTC
FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569

Comment 8 Fedora Update System 2023-06-13 13:55:29 UTC
FEDORA-2023-5cd7789569 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2023-07-20 12:12:15 UTC
FEDORA-2023-95e3fe4d76 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-95e3fe4d76

Comment 10 Fedora Update System 2023-07-21 02:20:13 UTC
FEDORA-2023-95e3fe4d76 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-95e3fe4d76`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-95e3fe4d76

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2023-08-01 02:48:55 UTC
FEDORA-2023-95e3fe4d76 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.