Compare commits
3 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
| a68fbf4a8b | |||
| 57b3f1eb1f | |||
| d2b442d1af |
@@ -0,0 +1,49 @@
|
||||
From e5224f0cb684e61203d2cd8045266f7248696204 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 10 Oct 2025 12:57:40 +0200
|
||||
Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If a client is joined to AD or IPA SSSD's localauth plugin can handle
|
||||
the mapping of Kerberos principals to local accounts. In case it cannot
|
||||
map the Kerberos principals libkrb5 is currently configured to fall back
|
||||
to the default localauth plugins 'default', 'rule', 'names',
|
||||
'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
|
||||
All plugins except 'an2ln' require some explicit configuration by either
|
||||
the administrator or the local user. To avoid some unexpected mapping is
|
||||
done by the 'an2ln' plugin this patch disables it in the configuration
|
||||
snippets for SSSD's localauth plugin.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/8021
|
||||
|
||||
:relnote: After startup SSSD already creates a Kerberos configuration
|
||||
snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
|
||||
if the AD or IPA providers are used. This enables SSSD's localauth plugin.
|
||||
Starting with this release the an2ln plugin is disabled in the
|
||||
configuration snippet as well. If this file or its content are included in
|
||||
the Kerberos configuration it will fix CVE-2025-11561.
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)
|
||||
---
|
||||
src/util/domain_info_utils.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
|
||||
index edaf967e1..5c1f05018 100644
|
||||
--- a/src/util/domain_info_utils.c
|
||||
+++ b/src/util/domain_info_utils.c
|
||||
@@ -751,6 +751,7 @@ done:
|
||||
#define LOCALAUTH_PLUGIN_CONFIG \
|
||||
"[plugins]\n" \
|
||||
" localauth = {\n" \
|
||||
+" disable = an2ln\n" \
|
||||
" module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
|
||||
" }\n"
|
||||
|
||||
--
|
||||
2.51.1
|
||||
|
||||
25
sssd.changes
25
sssd.changes
@@ -1,8 +1,11 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 25 17:42:38 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
|
||||
Tue Nov 18 11:15:49 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
|
||||
|
||||
- Add python3-setuptools build dependency
|
||||
- Drop nscd build dependency
|
||||
- Install file in krb5.conf.d to include sssd krb5 config snippets;
|
||||
(bsc#1244325);
|
||||
- Disable Kerberos localauth an2ln plugin for AD; (CVE-2025-11561);
|
||||
(bsc#1251827); Add patch
|
||||
0005-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 21 16:33:00 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
|
||||
@@ -10,21 +13,6 @@ Tue Jan 21 16:33:00 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
|
||||
- Migrate away from update-alternatives, replaced by package
|
||||
conflicts; (bsc#1235789); (bsc#1216739);
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
|
||||
|
||||
- Update filelists involving memberof.so and idmap/sss.so to
|
||||
avoid gobbling up one file into multiple sssd subpackages.
|
||||
(Between samba-4.20 and 4.21, %ldbdir changes from
|
||||
/usr/lib64/ldb2/modules/ldb to /usr/lib64/samba/ldb, so now
|
||||
`%_libdir/samba` is a bit too broad.)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 17 09:19:20 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
|
||||
|
||||
- Fix spec file for openSUSE ALP and SUSE SLFO, where the
|
||||
python3_fix_shebang_path RPM macro is not available
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jul 11 09:41:21 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
|
||||
|
||||
@@ -1839,7 +1827,6 @@ Wed Apr 4 16:13:33 PDT 2012 - ben.kevan@gmail.com
|
||||
connect to an auth server
|
||||
|
||||
-------------------------------------------------------------------
|
||||
|
||||
Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de
|
||||
|
||||
- Update to new upstream release 1.8.0
|
||||
|
||||
39
sssd.spec
39
sssd.spec
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package sssd
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
# Copyright (c) 2025 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@@ -32,6 +32,7 @@ Patch1: krb-noversion.diff
|
||||
Patch2: harden_sssd-ifp.service.patch
|
||||
Patch3: harden_sssd-kcm.service.patch
|
||||
Patch4: symvers.patch
|
||||
Patch5: 0005-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
|
||||
BuildRequires: autoconf >= 2.59
|
||||
BuildRequires: automake
|
||||
BuildRequires: bind-utils
|
||||
@@ -48,6 +49,7 @@ BuildRequires: libtool
|
||||
BuildRequires: libunistring-devel
|
||||
BuildRequires: libxml2-tools
|
||||
BuildRequires: libxslt-tools
|
||||
BuildRequires: nscd
|
||||
BuildRequires: nss_wrapper
|
||||
BuildRequires: openldap2-devel
|
||||
BuildRequires: pam-devel
|
||||
@@ -85,14 +87,6 @@ BuildRequires: pkgconfig(talloc)
|
||||
BuildRequires: pkgconfig(tdb) >= 1.1.3
|
||||
BuildRequires: pkgconfig(tevent)
|
||||
BuildRequires: pkgconfig(uuid)
|
||||
BuildRequires: python3-setuptools
|
||||
%if 0%{?suse_version} && 0%{?suse_version} < 1600
|
||||
# samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4);
|
||||
# this conflicts with
|
||||
# openldap2-devel pulls libldap2 wants libldap-data(-2.6)
|
||||
# Package contains just config files, not needed for build.
|
||||
#!BuildIgnore: libldap-data
|
||||
%endif
|
||||
%{?systemd_ordering}
|
||||
Requires: sssd-ldap = %version-%release
|
||||
Requires(postun): pam-config
|
||||
@@ -398,6 +392,8 @@ Security Services Daemon (sssd).
|
||||
%autosetup -p1
|
||||
|
||||
%build
|
||||
# help configure find nscd
|
||||
export PATH="$PATH:/usr/sbin"
|
||||
|
||||
autoreconf -fiv
|
||||
%configure \
|
||||
@@ -434,7 +430,7 @@ perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
|
||||
b="%buildroot"
|
||||
|
||||
# Copy some defaults
|
||||
%if "%{?_distconfdir}" != ""
|
||||
%if %{?_distconfdir:1}
|
||||
install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
|
||||
install -d -m 0755 "$b/%_distconfdir/sssd/conf.d"
|
||||
%else
|
||||
@@ -466,7 +462,13 @@ mkdir -p %{buildroot}%{_sysconfdir}/cifs-utils
|
||||
ln -s -f %{cifs_idmap_lib} %{buildroot}%{cifs_idmap_plugin}
|
||||
|
||||
%python3_fix_shebang
|
||||
%python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze
|
||||
%if 0%{?suse_version} >= 1600
|
||||
%python3_fix_shebang_path %buildroot/%_libexecdir/%name/
|
||||
%endif
|
||||
|
||||
mkdir -pv "$b/%_sysconfdir/krb5.conf.d"
|
||||
ln -sv %_datadir/%name/krb5-snippets/enable_sssd_conf_dir \
|
||||
"$b/%_sysconfdir/krb5.conf.d/enable_sssd_conf_dir"
|
||||
|
||||
%check
|
||||
# sss_config-tests fails
|
||||
@@ -474,7 +476,7 @@ ln -s -f %{cifs_idmap_lib} %{buildroot}%{cifs_idmap_plugin}
|
||||
|
||||
%pre
|
||||
%service_add_pre sssd.service
|
||||
%if "%{?_distconfdir}" != ""
|
||||
%if %{?_distconfdir:1}
|
||||
# Prepare for migration to /usr/etc; save any old .rpmsave
|
||||
for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do
|
||||
test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || :
|
||||
@@ -561,7 +563,7 @@ touch /run/systemd/rpm/sssd-was-active
|
||||
fi
|
||||
|
||||
%posttrans
|
||||
%if "%{?_distconfdir}" != ""
|
||||
%if %{?_distconfdir:1}
|
||||
# Migration to /usr/etc, restore just created .rpmsave
|
||||
for i in sssd/sssd.conf logrotate.d/sssd pam.d/sssd-shadowutils ; do
|
||||
test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i" || :
|
||||
@@ -675,7 +677,7 @@ fi
|
||||
%attr(755,root,root) %dir %sssdstatedir/mc/
|
||||
%attr(700,root,root) %dir %sssdstatedir/keytabs/
|
||||
%attr(750,root,root) %dir %_localstatedir/log/%name/
|
||||
%if "%{?_distconfdir}" != ""
|
||||
%if %{?_distconfdir:1}
|
||||
%dir %_distconfdir/sssd/
|
||||
%%dir %_distconfdir/sssd/conf.d
|
||||
%config(noreplace) %_distconfdir/sssd/sssd.conf
|
||||
@@ -773,7 +775,6 @@ fi
|
||||
%dir %_libdir/%name/
|
||||
%_libdir/%name/libsss_krb5.so
|
||||
%dir %_datadir/%name/
|
||||
%exclude %_datadir/%name/krb5-snippets/
|
||||
%dir %_datadir/%name/sssd.api.d/
|
||||
%_datadir/%name/sssd.api.d/sssd-krb5.conf
|
||||
%dir %_mandir/??/
|
||||
@@ -782,11 +783,16 @@ fi
|
||||
%_mandir/??/man5/sssd-krb5.5*
|
||||
|
||||
%files krb5-common
|
||||
%dir %pubconfpath/krb5.include.d
|
||||
%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
|
||||
%dir %_libdir/%name/
|
||||
%_libdir/%name/libsss_krb5_common.so
|
||||
%dir %_libexecdir/%name/
|
||||
%_libexecdir/%name/krb5_child
|
||||
%_libexecdir/%name/ldap_child
|
||||
%dir %{_datadir}/sssd/krb5-snippets
|
||||
%_datadir/%name/krb5-snippets/enable_sssd_conf_dir
|
||||
%exclude %_datadir/%name/krb5-snippets/sssd_enable_idp
|
||||
|
||||
%files ldap
|
||||
%dir %_libdir/%name/
|
||||
@@ -824,8 +830,7 @@ fi
|
||||
%python3_sitelib/sssd/
|
||||
|
||||
%files winbind-idmap
|
||||
%dir %_libdir/samba/
|
||||
%_libdir/samba/idmap/
|
||||
%_libdir/samba/
|
||||
%_mandir/man8/idmap_sss.8*
|
||||
|
||||
%files cifs-idmap-plugin
|
||||
|
||||
Reference in New Issue
Block a user