@sssd-bot sssd-bot commented Jan 5, 2026

This is an automatic backport of PR#8318 pac: fix issue with pac_check=no_check to branch sssd-2-9, created by @sumit-bose.

Please make sure this backport is correct.

Note

The commits were cherry-picked without conflicts.

You can push changes to this pull request

git remote add sssd-bot git@github.com:sssd-bot/sssd.git
git fetch sssd-bot refs/heads/SSSD-sssd-backport-pr8318-to-sssd-2-9
git checkout SSSD-sssd-backport-pr8318-to-sssd-2-9
git push sssd-bot SSSD-sssd-backport-pr8318-to-sssd-2-9 --force

Original commits
c123201 - pac: fix issue with pac_check=no_check

Backported commits

  • b2bd848 - pac: fix issue with pac_check=no_check

Original Pull Request Body

So far SSSD expected that the PAC contains the logon_info buffer even if PAC checks are disabled with the 'no_check' option. This causes issues with PACs issued by MIT Kerberos KDCs which do not contain this buffer. This patch makes sure that the logon_info is not expected if 'no_check' is set and adds some clarifications to the man page.

Resolves: #8300

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request is a backport of a fix for an issue where SSSD would incorrectly require the PAC LOGON_INFO buffer even when PAC checks were disabled via pac_check=no_check. This caused problems with PACs from MIT Kerberos KDCs. The change in src/providers/ad/ad_pac_common.c correctly skips the check for the LOGON_INFO buffer when pac_check_opts is 0, which aligns with the no_check setting. The documentation in src/man/sssd.conf.5.xml is also updated to clarify which KDCs are expected to provide the necessary PAC data for checks. The changes are correct and effectively resolve the issue.

Contributor

@aplopez aplopez left a comment

ACK

@alexey-tikhonov alexey-tikhonov added the no-backport (This should go to target branch only.) and Accepted labels Jan 5, 2026
So far SSSD expected that the PAC contains the logon_info buffer even if
PAC checks are disabled with the 'no_check' option. This causes issues
with PACs issued by MIT Kerberos KDCs which do not contain this buffer.
This patch makes sure that the logon_info is not expected if
'no_check' is set and adds some clarifications to the man page.

Resolves: SSSD#8300
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Alejandro López <allopez@redhat.com>
(cherry picked from commit c123201)
Author

sssd-bot commented Jan 6, 2026

The pull request was accepted by @alexey-tikhonov with the following PR CI status:


🟢 CodeQL (success)
🟢 rpm-build:centos-stream-9-x86_64:upstream (success)
🟢 Build / make-distcheck (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-9) (success)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)


There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.

@sssd-bot sssd-bot force-pushed the SSSD-sssd-backport-pr8318-to-sssd-2-9 branch from b2bd848 to c3dc404 Compare January 6, 2026 08:11
@alexey-tikhonov alexey-tikhonov merged commit 3a8ef73 into SSSD:sssd-2-9 Jan 6, 2026
7 of 8 checks passed