Chapter 13. Strengthening Kerberos security with PAC information
You can use Identity Management (IdM) with Privilege Attribute Certificate (PAC) information by default since RHEL 8.5. You can also enable Security Identifiers (SIDs) in IdM deployments that were installed before RHEL 8.5.
13.1. Privilege Attribute Certificate (PAC) use in IdM
To increase security, Identity Management (IdM) issues Kerberos tickets with Privilege Attribute Certificate (PAC) information by default. A PAC has rich information about a Kerberos principal, including its Security Identifier (SID), group memberships, and home directory information.
SIDs, which Microsoft Active Directory (AD) uses by default, are globally unique identifiers that are never reused. SIDs express multiple namespaces: each domain has a SID, which is a prefix in the SID of each object.
Starting from RHEL 8.5, when you install an IdM server or replica, the installation script generates SIDs for users and groups by default. This allows IdM to work with PAC data. If you installed IdM before RHEL 8.5, and you have not configured a trust with an AD domain, you may not have generated SIDs for your IdM objects. For more information about generating SIDs for your IdM objects, see Enabling Security Identifiers (SIDs) in IdM.
				By evaluating PAC information in Kerberos tickets, you can control resource access with much greater detail. For example, the Administrator account in one domain has a uniquely different SID than the Administrator account in any other domain. In an IdM environment with a trust to an AD domain, you can set access controls based on globally unique SIDs rather than simple user names or UIDs that might repeat in different locations, such as every Linux root account having a UID of 0.
			
13.2. Enabling Security Identifiers (SIDs) in IdM
				If you installed IdM before RHEL 8.5, and you have not configured a trust with an AD domain, you might not have generated Security Identifiers (SIDs) for your IdM objects. This is because, before, the only way to generate SIDs was to run the ipa-adtrust-install command to add the Trust Controller role to an IdM server.
			
As of RHEL 8.6, Kerberos in IdM requires that your IdM objects have SIDs, which are necessary for security based on Privilege Access Certificate (PAC) information.
Prerequisites
- You installed IdM before RHEL 8.5.
- 
						You have not run the ipa-sidgentask, which is part of configuring a trust with an Active Directory domain.
- You can authenticate as the IdM admin account.
Procedure
- Enable SID usage and trigger the - SIDgentask to generate SIDs for existing users and groups. This task might be resource-intensive:- ipa config-mod --enable-sid --add-sids - [root@server ~]# ipa config-mod --enable-sid --add-sids- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Verify that the IdM - adminuser account entry has an- ipantsecurityidentifierattribute with a SID that ends with- -500, the SID reserved for the domain administrator:- ipa user-show admin --all | grep ipantsecurityidentifier - [root@server ~]# ipa user-show admin --all | grep ipantsecurityidentifier ipantsecurityidentifier: S-1-5-21-2633809701-976279387-419745629-500- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow