+++ This bug was initially created as a clone of Bug #2182683 +++
We are working on backporting the upstream implementation[1] of PAC extended KDC signature to RHEL9/8 and Fedora Rawhide/38/37. The function that is being used to generate this signature is also meant to generate the PAC ticket signature. This implementation also requires the PAC ticket signature to be present in constrained delegation requests for the PAC to be accepted.
However, the signature generation function cannot be used by versions of krb5 prior to 1.20 because of API limitations. This is why we are backporting a slightly modified version of the extended PAC signature support. It allows generating the PAC extended KDC signature without the ticket signature, and tolerates the absence of the ticket signature.
When the version of krb5 is 1.20 or newer, this is not a problem. However, in case of gradual upgrade environments (including both 1.20+ and 1.19- servers), 1.20 servers will reject a PAC generated by a 1.19- server, because it does not contain any ticket signature.
In order to keep supporting constrained delegation in this kind of setup, we are adding support for an "optional_pac_full_chksum" string attribute for KDB entries. It will allow tolerating the absence of the PAC ticket signature for a certain realm.
IPA should be able to set this attribute according to the state of the domain:
* Set "optional_pac_full_chksum" to "true" if RHEL8 or RHEL9.1- or Fedora 36/37 servers are present
* Set "optional_pac_full_chksum" to "false" (or unset) if all servers are RHEL9.2+ or Fedora 38+
[1] https://github.com/krb5/krb5/pull/1284
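The following is an added example, not code from the bug report, krb5 or IPA: it implements the decision rule given in the report (set the attribute to "true" while any RHEL 8, RHEL 9.1 or older, or Fedora 36/37 server is still present; "false" once every server is RHEL 9.2+ or Fedora 38+) over a constructed server inventory, and prints the kadmin.local command that would set the string attribute. The `kadmin setstr` subcommand and the attribute name are real; the hostnames, realm and inventory format are constructed, and placing the attribute on the realm's krbtgt entry is an assumption about where the KDC reads it.

```shell
# Added example: derive the optional_pac_full_chksum value from a server inventory.
# Inventory format (constructed for this example): one "hostname os version" line per
# server, where os is "rhel" or "fedora".

# Returns 0 (true) if a single server is too old to generate a PAC ticket signature:
# RHEL 8.x, RHEL 9.0/9.1 or Fedora 36/37, per the criteria in the bug report.
server_lacks_ticket_signature() {
    os=$1
    ver=$2
    case $os in
        rhel)
            major=${ver%%.*}
            minor=${ver#*.}
            # "9" without a minor component is treated as 9.0.
            [ "$minor" = "$ver" ] && minor=0
            if [ "$major" -lt 9 ]; then return 0; fi
            if [ "$major" -eq 9 ] && [ "$minor" -lt 2 ]; then return 0; fi
            return 1
            ;;
        fedora)
            [ "$ver" -lt 38 ]
            ;;
        *)
            # Unknown OS: be conservative and assume it may lack the signature.
            return 0
            ;;
    esac
}

# Prints "true" if any server in the inventory lacks the ticket signature, else "false".
# An empty inventory yields "false".
optional_pac_full_chksum_value() {
    inventory=$1
    result=false
    while read -r host os ver; do
        [ -z "$host" ] && continue
        if server_lacks_ticket_signature "$os" "$ver"; then
            result=true
        fi
    done <<EOF
$inventory
EOF
    echo "$result"
}

# Prints the kadmin.local command that would set the attribute. Setting it on the
# realm's krbtgt entry is an assumption of this example; "setstr" is a real kadmin
# subcommand. Nothing is executed here, so the script can be run safely anywhere.
kadmin_setstr_command() {
    realm=$1
    value=$2
    printf 'kadmin.local setstr krbtgt/%s@%s optional_pac_full_chksum %s\n' \
        "$realm" "$realm" "$value"
}

# Constructed inventories: a mixed domain mid-upgrade, and a fully upgraded one.
MIXED_INVENTORY='kdc1.example.test rhel 9.2
kdc2.example.test rhel 8.8
kdc3.example.test fedora 38'

UPGRADED_INVENTORY='kdc1.example.test rhel 9.2
kdc2.example.test rhel 9.3
kdc3.example.test fedora 39'

main() {
    for inv in "$MIXED_INVENTORY" "$UPGRADED_INVENTORY"; do
        value=$(optional_pac_full_chksum_value "$inv")
        kadmin_setstr_command EXAMPLE.TEST "$value"
    done
}
main
```

The mixed inventory produces "true" because of the RHEL 8.8 server; the upgraded one produces "false". Once the attribute is back to "false" (or unset), 1.20+ KDCs again reject a PAC without a ticket signature in constrained delegation requests, so the flip should only happen after the last old server is gone.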
Comment 10, Fedora Update System, 2023-07-21 02:20:13 UTC
FEDORA-2023-95e3fe4d76 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-95e3fe4d76`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-95e3fe4d76
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 11, Fedora Update System, 2023-08-01 02:48:55 UTC
FEDORA-2023-95e3fe4d76 has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.