From c1264905aa8dacebeda2eccaba6303c434a826f9 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 10 Oct 2025 12:57:40 +0200 Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA If a client is joined to AD or IPA SSSD's localauth plugin can handle the mapping of Kerberos principals to local accounts. In case it cannot map the Kerberos principals libkrb5 is currently configured to fall back to the default localauth plugins 'default', 'rule', 'names', 'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details). All plugins except 'an2ln' require some explicit configuration by either the administrator or the local user. To avoid some unexpected mapping is done by the 'an2ln' plugin this patch disables it in the configuration snippets for SSSD's localauth plugin. Resolves: https://github.com/SSSD/sssd/issues/8021 :relnote: After startup SSSD already creates a Kerberos configuration snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin if the AD or IPA providers are used. This enables SSSD's localauth plugin. Starting with this release the an2ln plugin is disabled in the configuration snippet as well. If this file or its content are included in the Kerberos configuration it will fix CVE-2025-11561. --- src/util/domain_info_utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c index 487145e3d58..e76189ef1b1 100644 --- a/src/util/domain_info_utils.c +++ b/src/util/domain_info_utils.c @@ -722,6 +722,7 @@ static errno_t sss_write_krb5_snippet_common(const char *file_name, #define LOCALAUTH_PLUGIN_CONFIG \ "[plugins]\n" \ " localauth = {\n" \ +" disable = an2ln\n" \ " module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \ " }\n"