Bug 2182685 - Tolerate absence of PAC ticket signature depending on domain and server capabilities [rawhide,f38]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Julien Rische
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 2182683
Blocks:
 
Reported: 2023-03-29 10:45 UTC by Julien Rische
Modified: 2023-08-01 02:48 UTC (History)

Fixed In Version: freeipa-4.10.2-1.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2182683
Environment:
Last Closed: 2023-08-01 02:48:55 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github freeipa freeipa pull 6785 0 None open [WIP] Handle PAC signatures based on domain and server capabilities 2023-04-24 11:42:27 UTC
Red Hat Issue Tracker FREEIPA-9611 0 None None None 2023-03-29 10:49:15 UTC

Description Julien Rische 2023-03-29 10:45:46 UTC
+++ This bug was initially created as a clone of Bug #2182683 +++

We are working on backporting the upstream implementation[1] of the PAC extended KDC signature to RHEL9/8 and Fedora Rawhide/38/37. The function that is being used to generate this signature is also meant to generate the PAC ticket signature. This implementation also requires the PAC ticket signature to be present in constrained delegation requests for the PAC to be accepted.

However, the signature generation function cannot be used by krb5 versions prior to 1.20 because of API limitations. This is why we are backporting a slightly modified version of the extended PAC signature support. It allows generating the PAC extended KDC signature without the ticket signature, and tolerates the absence of the ticket signature.

When the version of krb5 is 1.20 or newer, this is not a problem. However, in the case of gradual-upgrade environments (including both 1.20+ and 1.19- servers), 1.20 servers will reject a PAC generated by a 1.19- server, because it does not contain any ticket signature.

In order to keep supporting constrained delegation in this kind of setup, we are adding support for an "optional_pac_full_chksum" string attribute for KDB entries. It will make it possible to tolerate the absence of the PAC ticket signature for a certain realm.

IPA should be able to set this attribute according to the state of the domain:

  * Set "optional_pac_full_chksum" to "true" if RHEL8 or RHEL9.1- or Fedora 36/37 servers are present
  * Set "optional_pac_full_chksum" to "false" (or unset) if all servers are RHEL9.2+ or Fedora 38+

[1] https://github.com/krb5/krb5/pull/1284
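
As an added illustration (not FreeIPA's own code; the project's capability detection lives in the pull request and commit linked below), the following hypothetical Python helper applies the rule stated in the description to a constructed replica inventory: it keeps "optional_pac_full_chksum" at "true" while any KDC older than krb5 1.20 remains in the topology, and flips it to "false" once every replica can emit the PAC ticket signature. The inventory format, the KdcServer type and the function names are assumptions; only the 1.20 boundary and the two attribute values come from the report.

```python
"""Decide the optional_pac_full_chksum KDB attribute for a mixed-version KDC topology.

Hypothetical helper, not FreeIPA code. The inventory format and the function names
are assumptions; the krb5 1.20 boundary and the attribute values come from the report.
"""
from dataclasses import dataclass
import re

# krb5 1.20 is the first release whose KDC emits the PAC ticket signature (per the report).
KRB5_TICKET_SIGNATURE_MIN = (1, 20)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


@dataclass(frozen=True)
class KdcServer:
    """One replica in the realm. krb5_version is its KDC's krb5 version string, e.g. "1.19.1"."""
    hostname: str
    krb5_version: str


def parse_krb5_version(text: str) -> tuple[int, int, int]:
    """Parse "major.minor[.patch]" into a comparable tuple; reject anything else loudly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable krb5 version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def emits_ticket_signature(server: KdcServer) -> bool:
    """True when this KDC adds the PAC ticket signature to the tickets it issues."""
    return parse_krb5_version(server.krb5_version)[:2] >= KRB5_TICKET_SIGNATURE_MIN


def legacy_kdcs(servers) -> list[str]:
    """Hostnames whose PACs a 1.20+ KDC would reject during constrained delegation."""
    return [s.hostname for s in servers if not emits_ticket_signature(s)]


def optional_pac_full_chksum_value(servers) -> str:
    """Value to store in the realm's "optional_pac_full_chksum" string attribute.

    "true"  -> tolerate a missing ticket signature (at least one pre-1.20 KDC remains);
    "false" -> enforce it (every KDC can sign, so the tolerance is no longer needed).
    An empty inventory raises rather than silently choosing either value.
    """
    if not servers:
        raise ValueError("empty server inventory")
    return "true" if legacy_kdcs(servers) else "false"


# Constructed inventories (example data, not a real deployment).
MIXED_TOPOLOGY = [
    KdcServer("ipa1.example.test", "1.20.1"),
    KdcServer("ipa2.example.test", "1.19.1"),
    KdcServer("ipa3.example.test", "1.21.0"),
]

UPGRADED_TOPOLOGY = [
    KdcServer("ipa1.example.test", "1.20.1"),
    KdcServer("ipa2.example.test", "1.21.0"),
]

if __name__ == "__main__":
    for name, topology in (("mixed", MIXED_TOPOLOGY), ("upgraded", UPGRADED_TOPOLOGY)):
        print(name, optional_pac_full_chksum_value(topology), legacy_kdcs(topology))
```

The helper keys the decision on the krb5 version rather than on the OS labels used in the description, because the 1.20 boundary is what actually determines whether a KDC emits the ticket signature; an unparseable or missing version is treated as an inventory error instead of being guessed, so the relaxed setting is never kept or dropped by accident.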

Comment 1 Julien Rische 2023-04-24 11:42:27 UTC
Upstream pull request:
https://github.com/freeipa/freeipa/pull/6785

Comment 6 Florence Blanc-Renaud 2023-06-02 11:10:27 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/3a706e86200dd3ab9d317fb6f71ba80d3ae2f642

Comment 7 Fedora Update System 2023-06-13 13:41:21 UTC
FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569

Comment 8 Fedora Update System 2023-06-13 13:55:29 UTC
FEDORA-2023-5cd7789569 has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2023-07-20 12:12:15 UTC
FEDORA-2023-95e3fe4d76 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-95e3fe4d76

Comment 10 Fedora Update System 2023-07-21 02:20:13 UTC
FEDORA-2023-95e3fe4d76 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-95e3fe4d76`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-95e3fe4d76

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2023-08-01 02:48:55 UTC
FEDORA-2023-95e3fe4d76 has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.

