Skip to content

[autobackport: sssd-2-12] krb5_child: fix enterprise principal parsing in keep-alive sessions#8401

Merged
ikerexxe merged 1 commit intoSSSD:sssd-2-12from
sssd-bot:SSSD-sssd-backport-pr8351-to-sssd-2-12
Jan 27, 2026
Merged

[autobackport: sssd-2-12] krb5_child: fix enterprise principal parsing in keep-alive sessions#8401
ikerexxe merged 1 commit intoSSSD:sssd-2-12from
sssd-bot:SSSD-sssd-backport-pr8351-to-sssd-2-12

Conversation

@sssd-bot
Copy link
Contributor

@sssd-bot sssd-bot commented Jan 26, 2026

This is an automatic backport of PR#8351 krb5_child: fix enterprise principal parsing in keep-alive sessions to branch sssd-2-12, created by @ikerexxe.

Please make sure this backport is correct.

Note

The commits were cherry-picked without conflicts.

You can push changes to this pull request

git remote add sssd-bot git@github.com:sssd-bot/sssd.git
git fetch sssd-bot refs/heads/SSSD-sssd-backport-pr8351-to-sssd-2-12
git checkout SSSD-sssd-backport-pr8351-to-sssd-2-12
git push sssd-bot SSSD-sssd-backport-pr8351-to-sssd-2-12 --force

Original commits
dd3cd95 - krb5_child: fix enterprise principal parsing in keep-alive sessions

Backported commits

  • 49c4b35 - krb5_child: fix enterprise principal parsing in keep-alive sessions

Original Pull Request Body

When keep-alive sessions transition between command types (e.g., from SSS_PAM_PREAUTH to SSS_PAM_AUTHENTICATE), enterprise principal settings were not being updated, causing parsing inconsistencies in complex AD environments.

This change ensures that when the backend sends updated enterprise principal settings for different command types, the principals are correctly re-parsed with the appropriate flags, fixing UPN handling in multi-domain AD environments.

@alexey-tikhonov alexey-tikhonov added the no-backport This should go to target branch only. label Jan 26, 2026
gemini-code-assist[bot]
gemini-code-assist bot reviewed Jan 26, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request addresses a critical issue where enterprise principal settings were not being correctly updated during keep-alive sessions, leading to parsing inconsistencies in complex Active Directory environments. The changes ensure that the Kerberos principal and credential data are properly re-parsed and managed when backend settings change between commands. The introduction of k5c_setup in the keep-alive message handling and the detailed updates to krb5_req_update and k5c_setup functions correctly propagate these settings, fixing UPN handling in multi-domain AD environments. The code appears robust and directly resolves the described problem without introducing new issues.

sumit-bose
sumit-bose approved these changes Jan 27, 2026
View reviewed changes
Copy link
Contributor

@sumit-bose sumit-bose left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi,

backport matches the original version, ACK.

bye,
Sumit

aplopez
aplopez approved these changes Jan 27, 2026
View reviewed changes
Copy link
Contributor

@aplopez aplopez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK

@ikerexxe @sssd-bot
krb5_child: fix enterprise principal parsing in keep-alive sessions
1928f1b 
When keep-alive sessions transition between command types (e.g., from
SSS_PAM_PREAUTH to SSS_PAM_AUTHENTICATE), enterprise principal settings
were not being updated, causing parsing inconsistencies in complex AD
environments.

This change ensures that when the backend sends updated enterprise
principal settings for different command types, the principals are
correctly re-parsed with the appropriate flags, fixing UPN handling in
multi-domain AD environments.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit dd3cd95)
@sssd-bot
Copy link
Contributor Author

sssd-bot commented Jan 27, 2026

The pull request was accepted by @aplopez with the following PR CI status:

🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Build / freebsd (success)
🟢 Build / make-distcheck (success)

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.

@sssd-bot sssd-bot force-pushed the SSSD-sssd-backport-pr8351-to-sssd-2-12 branch from 49c4b35 to 1928f1b Compare January 27, 2026 14:10
@ikerexxe ikerexxe merged commit 281a24a into SSSD:sssd-2-12 Jan 27, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sumit-bose sumit-bose sumit-bose approved these changes

@aplopez aplopez aplopez approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@sumit-bose sumit-bose

@aplopez aplopez

Labels

Accepted no-backport This should go to target branch only.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@sssd-bot @sumit-bose @aplopez @ikerexxe @alexey-tikhonov