Overview

File 0062-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch of Package sssd.41685

From e5224f0cb684e61203d2cd8045266f7248696204 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 10 Oct 2025 12:57:40 +0200
Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If a client is joined to AD or IPA SSSD's localauth plugin can handle
the mapping of Kerberos principals to local accounts. In case it cannot
map the Kerberos principals libkrb5 is currently configured to fall back
to the default localauth plugins 'default', 'rule', 'names',
'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
All plugins except 'an2ln' require some explicit configuration by either
the administrator or the local user. To avoid some unexpected mapping is
done by the 'an2ln' plugin this patch disables it in the configuration
snippets for SSSD's localauth plugin.

Resolves: https://github.com/SSSD/sssd/issues/8021

:relnote: After startup SSSD already creates a Kerberos configuration
 snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
 if the AD or IPA providers are used. This enables SSSD's localauth plugin.
 Starting with this release the an2ln plugin is disabled in the
 configuration snippet as well. If this file or its content are included in
 the Kerberos configuration it will fix CVE-2025-11561.

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)
---
 src/util/domain_info_utils.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index edaf967e1..5c1f05018 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -751,6 +751,7 @@ done:
 #define LOCALAUTH_PLUGIN_CONFIG \
 "[plugins]\n" \
 " localauth = {\n" \
+"  disable = an2ln\n" \
 "  module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
 " }\n"
 
-- 
2.51.1
openSUSE Build Service is sponsored by
Places