File 0029-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch of Package sssd.41688

From f7f9be47b693a74a7fa9f88713745a470dc02c4e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 4 Jul 2016 15:23:58 +0200
Subject: [PATCH 1/2] localauth: remove enable_only sssd from config snippet

Resolves https://fedorahosted.org/sssd/ticket/2788

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/util/domain_info_utils.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 67c959c81..421e713b9 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -531,8 +531,7 @@ done:
 "[plugins]\n" \
 " localauth = {\n" \
 "  module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
-"  enable_only = sssd\n" \
-" }"
+" }\n"
 
 static errno_t sss_write_krb5_localauth_snippet(const char *path)
 {
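Review bot: dropping `enable_only = sssd` silently widens the fallback set, and neither the commit message nor the hunk says so. With the line gone the snippet no longer restricts the localauth interface to SSSD's module, so whenever sssd_krb5_localauth_plugin.so returns no mapping libkrb5 will consult every built-in localauth module in turn, including ones that need no administrator configuration; that consequence is exactly what a later change in this series has to narrow again. Suggest stating the intended fallback set in the commit message (or in a comment above LOCALAUTH_PLUGIN_CONFIG), and splitting the unrelated `" }"` to `" }\n"` trailing-newline fix into its own commit so the behavioural change is reviewable on its own.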
-- 
2.51.1


From 932623e317ed5fa34aac81d1b9058815a3e0fdf8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 10 Oct 2025 12:57:40 +0200
Subject: [PATCH 2/2] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If a client is joined to AD or IPA, SSSD's localauth plugin can handle
the mapping of Kerberos principals to local accounts. In case it cannot
map the Kerberos principals, libkrb5 is currently configured to fall back
to the default localauth plugins 'default', 'rule', 'names',
'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
All plugins except 'an2ln' require some explicit configuration by either
the administrator or the local user. To avoid some unexpected mapping
being done by the 'an2ln' plugin, this patch disables it in the
configuration snippets for SSSD's localauth plugin.

Resolves: https://github.com/SSSD/sssd/issues/8021

:relnote: After startup SSSD already creates a Kerberos configuration
 snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
 if the AD or IPA providers are used. This enables SSSD's localauth plugin.
 Starting with this release the an2ln plugin is disabled in the
 configuration snippet as well. If this file or its content is included in
 the Kerberos configuration, it will fix CVE-2025-11561.

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)
---
 src/util/domain_info_utils.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 421e713b9..5c468e6aa 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -530,6 +530,7 @@ done:
 #define LOCALAUTH_PLUGIN_CONFIG \
 "[plugins]\n" \
 " localauth = {\n" \
+"  disable = an2ln\n" \
 "  module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
 " }\n"
 
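Review bot: the new `"  disable = an2ln\n"` line only has an effect on hosts whose krb5.conf actually pulls in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin, and nothing in this hunk or the series verifies that the generated snippet carries the line. The relnote itself makes the CVE-2025-11561 fix conditional on the snippet being included, so a unit test around sss_write_krb5_localauth_snippet() that asserts the written file contains `disable = an2ln` (and still the `module = sssd:...` line) would lock the behaviour in, and the relnote should tell administrators how to confirm their krb5.conf includes the snippet directory. Ordering inside the `localauth = { ... }` block is fine as written, since `disable` and `module` are independent keys; the only modules left as fallback after this change are the ones the commit message says need explicit configuration, so no further `enable_only` is needed.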
-- 
2.51.1
