Skip to content

pac: fix issue with pac_check=no_check#8318

Merged
aplopez merged 1 commit intoSSSD:masterfrom
sumit-bose:pac_check_no_check_fix
Jan 5, 2026
Merged

pac: fix issue with pac_check=no_check#8318
aplopez merged 1 commit intoSSSD:masterfrom
sumit-bose:pac_check_no_check_fix

Conversation

@sumit-bose
Copy link
Contributor

@sumit-bose sumit-bose commented Dec 22, 2025

So far SSSD expected that the PAC contains the logon_info buffer even if PAC checks are disabled with the 'no_check' option. This causes issues with PACs issues by MIT Kerberos KDCs which do not contain this buffer. This patches makes sure that the logon_info is not expected if 'no_check' is set and adds some clarifications to the man page.

Resolves: #8300

gemini-code-assist[bot]
gemini-code-assist bot reviewed Dec 22, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request correctly addresses an issue where SSSD would incorrectly require the logon_info buffer in a PAC even when PAC checks were disabled via pac_check=no_check. This caused authentication failures with PACs from non-AD KDCs like MIT Kerberos. The change in ad_pac_common.c wraps the logon_info check in a condition that respects the pac_check_opts, ensuring the check is only performed when PAC validation is active. The accompanying update to the sssd.conf man page provides valuable clarification for administrators regarding the scope of PAC checks. The changes are correct and well-implemented.

@alexey-tikhonov
Copy link
Member

alexey-tikhonov commented Dec 22, 2025

This is also a good fit for 'sssd-2-9', right?

@alexey-tikhonov alexey-tikhonov added the coverity Trigger a coverity scan label Dec 22, 2025
@sumit-bose
Copy link
Contributor Author

sumit-bose commented Dec 22, 2025

This is also a good fit for 'sssd-2-9', right?

Hi,

yes, this issue is present in 'sssd-2-9' as well.

bye,
Sumit

@alexey-tikhonov
Copy link
Member

alexey-tikhonov commented Dec 23, 2025

Note: Covscan is green.

@alexey-tikhonov alexey-tikhonov removed the coverity Trigger a coverity scan label Dec 23, 2025
alexey-tikhonov
alexey-tikhonov reviewed Dec 23, 2025
View reviewed changes
alexey-tikhonov
alexey-tikhonov reviewed Dec 23, 2025
View reviewed changes
@alexey-tikhonov alexey-tikhonov self-assigned this Dec 23, 2025
@sumit-bose sumit-bose force-pushed the pac_check_no_check_fix branch from 99891fd to 8126d15 Compare January 5, 2026 11:51
@aplopez aplopez self-assigned this Jan 5, 2026
@aplopez aplopez self-requested a review January 5, 2026 13:16
aplopez
aplopez approved these changes Jan 5, 2026
View reviewed changes
Copy link
Contributor

@aplopez aplopez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@aplopez
Copy link
Contributor

aplopez commented Jan 5, 2026

Failing tests are not related to this PR.

@sumit-bose @sssd-bot
pac: fix issue with pac_check=no_check
d4da1fa 
So far SSSD expected that the PAC contains the logon_info buffer even if
PAC checks are disabled with the 'no_check' option. This causes issues
with PACs issues by MIT Kerberos KDCs which do not contain this buffer.
This patches makes sure that the logon_info is not expected if
'no_check' is set and adds some clarifications to the man page.

Resolves: SSSD#8300
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Alejandro López <allopez@redhat.com>
@sssd-bot
Copy link
Contributor

sssd-bot commented Jan 5, 2026

The pull request was accepted by @aplopez with the following PR CI status:

🟢 CodeFactor (success)
🟢 CodeQL (success)
🟢 osh-diff-scan:fedora-rawhide-x86_64:upstream (success)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🟢 Build / freebsd (success)
🟢 Build / make-distcheck (success)
🟢 ci / intgcheck (centos-10) (success)
🟢 ci / intgcheck (fedora-42) (success)
🟢 ci / intgcheck (fedora-43) (success)
🟢 ci / intgcheck (fedora-44) (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-10) (success)
🟢 ci / system (fedora-42) (success)
🟢 ci / system (fedora-43) (success)
🔴 ci / system (fedora-44) (failure)
➖ Coverity scan / coverity (skipped)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.

@sssd-bot sssd-bot force-pushed the pac_check_no_check_fix branch from 8126d15 to d4da1fa Compare January 5, 2026 14:39
@aplopez aplopez merged commit c123201 into SSSD:master Jan 5, 2026
17 checks passed
@sssd-bot sssd-bot mentioned this pull request Jan 5, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aplopez aplopez aplopez approved these changes

@alexey-tikhonov alexey-tikhonov alexey-tikhonov approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@aplopez aplopez

@alexey-tikhonov alexey-tikhonov

Labels

Accepted backport-to-sssd-2-9

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SSSD checks PAC from MIT Kerberos and fails

4 participants

@sumit-bose @alexey-tikhonov @aplopez @sssd-bot