SSSD · sumit-bose · Mar 24, 2026 · Mar 25, 2026 · Mar 18, 2026
diff --git a/Makefile.am b/Makefile.am
@@ -1512,13 +1512,15 @@ sssd_pam_SOURCES = \
     src/responder/pam/pam_prompting_config.c \
     src/sss_client/pam_sss_prompt_config.c \
     src/responder/pam/pam_helpers.c \
+    src/providers/ad/ad_pac_common.c \
     $(SSSD_RESPONDER_OBJ)
 if BUILD_PASSKEY
     sssd_pam_SOURCES += src/responder/pam/pamsrv_passkey.c
 endif
 sssd_pam_CFLAGS = \
     $(AM_CFLAGS) \
     $(GSSAPI_KRB5_CFLAGS) \
+    $(NDR_KRB5PAC_CFLAGS) \
     $(NULL)
 sssd_pam_LDADD = \
     $(LIBADD_DL) \
@@ -1530,6 +1532,8 @@ sssd_pam_LDADD = \
     $(SSSD_INTERNAL_LTLIBS) \
     libsss_iface.la \
     libsss_sbus.la \
+    $(NDR_KRB5PAC_LIBS) \
+    libsss_idmap.la \
     $(NULL)
 
 if BUILD_SUDO
@@ -2554,13 +2558,15 @@ pam_srv_tests_SOURCES = \
     src/responder/pam/pamsrv_dp.c \
     src/responder/pam/pam_prompting_config.c \
     src/sss_client/pam_sss_prompt_config.c \
+    src/providers/ad/ad_pac_common.c \
     $(NULL)
 pam_srv_tests_CFLAGS = \
     -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
     -I$(abs_builddir)/src \
     $(AM_CFLAGS) \
     $(CMOCKA_CFLAGS) \
     $(GSSAPI_KRB5_CFLAGS) \
+    $(NDR_KRB5PAC_CFLAGS) \
     $(NULL)
 pam_srv_tests_LDFLAGS = \
     -Wl,-wrap,sss_packet_get_body \
@@ -2582,6 +2588,7 @@ pam_srv_tests_LDADD = \
     libsss_certmap.la \
     libsss_iface.la \
     libsss_sbus.la \
+    $(NDR_KRB5PAC_LIBS) \
     $(NULL)
 if BUILD_PASSKEY
      pam_srv_tests_SOURCES += src/responder/pam/pamsrv_passkey.c
@@ -2598,6 +2605,7 @@ test_pamsrv_json_SOURCES = \
     src/responder/pam/pam_prompting_config.c \
     src/sss_client/pam_sss_prompt_config.c \
     src/tests/cmocka/test_pamsrv_json.c \
+    src/providers/ad/ad_pac_common.c \
     $(NULL)
 if BUILD_PASSKEY
     test_pamsrv_json_SOURCES += src/responder/pam/pamsrv_passkey.c
@@ -2622,6 +2630,7 @@ test_pamsrv_json_LDADD = \
     libsss_certmap.la \
     libsss_iface.la \
     libsss_sbus.la \
+    $(NDR_KRB5PAC_LIBS) \
     $(NULL)
 
 test_sss_pam_data_SOURCES = \

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
@@ -146,6 +146,7 @@
 #define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services"
 #define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn"
 #define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map"
+#define CONFDB_PAM_GSSAPI_INDICATORS_APPLY "pam_gssapi_indicators_apply"
 #define CONFDB_PAM_PASSKEY_AUTH "pam_passkey_auth"
 #define CONFDB_PAM_PASSKEY_CHILD_TIMEOUT "passkey_child_timeout"
 #define CONFDB_PAM_PASSKEY_DEBUG_LIBFIDO2 "passkey_debug_libfido2"
@@ -446,6 +447,9 @@ struct sss_domain_info {
     char *gssapi_check_upn; /* true | false | NULL */
     /* List of indicators associated with the specific PAM service */
     char **gssapi_indicators_map;
+    /* List of addition Kerberos ticket data assigned to authentication
+     * indicators */
+    char **gssapi_indicators_apply;
 
     /* Counts how often the domain was not found during a refresh of the
      * domain list */

diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
@@ -110,6 +110,9 @@ def __init__(self):
         'pam_gssapi_check_upn': _('Whether to match authenticated UPN with target user'),
         'pam_gssapi_indicators_map': _('List of pairs <PAM service>:<authentication indicator> that '
                                        'must be enforced for PAM access with GSSAPI authentication'),
+        'pam_gssapi_indicators_apply': _('List of triples <type>:<value>:<authentication indicator> that '
+                                         'assigns additional information from the Kerberos ticket to an'
+                                         'authentication indicator.'),
         'pam_passkey_auth': _('Allow passkey device authentication.'),
         'passkey_child_timeout': _('How many seconds will pam_sss wait for passkey_child to finish'),
         'passkey_debug_libfido2': _('Enable debugging in the libfido2 library'),

diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
@@ -602,6 +602,7 @@ def testListOptions(self):
             'pam_gssapi_services',
             'pam_gssapi_check_upn',
             'pam_gssapi_indicators_map',
+            'pam_gssapi_indicators_apply',
             'refresh_expired_interval',
             'refresh_expired_interval_offset',
             'local_auth_policy']
@@ -966,6 +967,7 @@ def testRemoveProvider(self):
             'pam_gssapi_services',
             'pam_gssapi_check_upn',
             'pam_gssapi_indicators_map',
+            'pam_gssapi_indicators_apply',
             'refresh_expired_interval',
             'refresh_expired_interval_offset',
             'dyndns_refresh_interval',

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
@@ -140,6 +140,7 @@ option = pam_initgroups_scheme
 option = pam_gssapi_services
 option = pam_gssapi_check_upn
 option = pam_gssapi_indicators_map
+option = pam_gssapi_indicators_apply
 option = pam_passkey_auth
 option = passkey_child_timeout
 option = passkey_debug_libfido2
@@ -414,6 +415,7 @@ option = auto_private_groups
 option = pam_gssapi_services
 option = pam_gssapi_check_upn
 option = pam_gssapi_indicators_map
+option = pam_gssapi_indicators_apply
 option = local_auth_policy
 
 #Entry cache timeouts
@@ -821,6 +823,7 @@ option = auto_private_groups
 option = pam_gssapi_services
 option = pam_gssapi_check_upn
 option = pam_gssapi_indicators_map
+option = pam_gssapi_indicators_apply
 
 [rule/sssd_checks]
 validator = sssd_checks

diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
@@ -83,6 +83,7 @@ pam_initgroups_scheme = str, None, false
 pam_gssapi_services = str, None, false
 pam_gssapi_check_upn = bool, None, false
 pam_gssapi_indicators_map = str, None, false
+pam_gssapi_indicators_apply = str, None, false
 pam_passkey_auth = bool, None, false
 passkey_child_timeout = int, None, false
 passkey_debug_libfido2 = bool, None, false
@@ -190,6 +191,7 @@ auto_private_groups = str, None, false
 pam_gssapi_services = str, None, false
 pam_gssapi_check_upn = bool, None, false
 pam_gssapi_indicators_map = str, None, false
+pam_gssapi_indicators_apply = str, None, false
 local_auth_policy = str, None, false
 
 #Entry cache timeouts

diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
@@ -202,6 +202,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
 
     dom->gssapi_services = parent->gssapi_services;
     dom->gssapi_indicators_map = parent->gssapi_indicators_map;
+    dom->gssapi_indicators_apply = parent->gssapi_indicators_apply;
 
     dom->not_found_counter = 0;
 
@@ -297,6 +298,17 @@ check_subdom_config_file(struct confdb_ctx *confdb,
         goto done;
     }
 
+    /* allow to set pam_gssapi_indicators_apply */
+    ret = confdb_get_string_as_list(confdb, subdomain, sd_conf_path,
+                                    CONFDB_PAM_GSSAPI_INDICATORS_APPLY,
+                                    &subdomain->gssapi_indicators_apply);
+    if (ret != EOK && ret != ENOENT) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Failed to get %s option for the subdomain: %s\n",
+              CONFDB_PAM_GSSAPI_INDICATORS_APPLY, subdomain->name);
+        goto done;
+    }
+
     /* case_sensitive=Preserving */
     ret = confdb_get_string(confdb, tmp_ctx, sd_conf_path,
                             CONFDB_DOMAIN_CASE_SENSITIVE, NULL,

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
@@ -1981,6 +1981,38 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
                         </para>
                     </listitem>
                 </varlistentry>
+                <varlistentry>
+                    <term>pam_gssapi_indicators_apply</term>
+                    <listitem>
+                        <para>
+                            Comma separated list of triples to assign
+                            additional information from the Kerberos ticket,
+                            e.g. a SID from the PAC, to authentication
+                            indicators.
+                        </para>
+                        <para>
+                            Currently supported is:
+                            <itemizedlist>
+                                <listitem>
+                                    <para>SID:S-1-5-[domain]-[RID]:[authentication indicator]</para>
+                                </listitem>
+                            </itemizedlist>
+                        </para>
+                        <para>
+                            Example: To assign a SID, which is e.g. set by
+                            Active Directory's Authentication Mechanism
+                            Assurance (AMA) if the AD user used a Smartcard
+                            for authentication, to the 'pkinit'
+                            authentication indicator use:
+                            <programlisting>
+pam_gssapi_indicators_apply = SID:S-1-5-12345-23456-34567-4321:pkinit
+                            </programlisting>
+                        </para>
+                        <para>
+                            Default: not set
+                        </para>
+                    </listitem>
+                </varlistentry>
                 <varlistentry condition="build_json_pam">
                     <term>pam_json_services (string)</term>
                     <listitem>