From 5638bdcb854b317f5bd890dd3fc225277246b67a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Wed, 6 Apr 2022 12:23:56 +0300
Subject: [PATCH] ipa-pwd-extop: allow ipasam to request RC4-HMAC in Kerberos keys for trusted domain objects
This is a problem since we added commit b5fbbd1 in 2019. Its logic allowed to add RC4-HMAC keys for cifs/.. service principal but it didn't account for the case when cifs/.. principal initiates the request. Since ipasam only uses GETKEYTAB control, provide this extension only here and don't allow the same for SETKEYTAB. At the point of check for the bind DN, we already have verified that the DN is allowed to write to the krbPrincipalKey attribute so there is no leap of faith to 'any cifs/... principal' here. A principal must be member of cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX to allow perform this operation
Fixes: https://pagure.io/freeipa/issue/9134
Signed-off-by: Alexander Bokovoy
Reviewed-By: Florence Blanc-Renaud
---
 .../ipa-pwd-extop/ipa_pwd_extop.c | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index b9cac762b..0d630ca04 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -96,6 +96,14 @@ void *ipapwd_get_plugin_id(void)
 return ipapwd_plugin_id;
 }
+static bool is_nthash_allowed(const char *service_name, const char *bind_dn)
+{
+#define CIFS_PRINCIPAL_PREFIX "krbprincipalname=cifs/"
+ return (0 == strncmp("cifs/", service_name, 5)) ||
+ (0 == strncmp(CIFS_PRINCIPAL_PREFIX, bind_dn,
+ sizeof(CIFS_PRINCIPAL_PREFIX) - 1));
+}
+
 static void filter_keys(struct ipapwd_krbcfg *krbcfg, struct ipapwd_keyset *kset, bool allow_nthash)
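Review bot: `is_nthash_allowed` passes `bind_dn` straight to `strncmp` with no NULL check; in ipapwd_getkeytab the value comes from `slapi_pblock_get(pb, SLAPI_CONN_DN, &bind_dn)` (visible in a later hunk), which presumably yields NULL on an unauthenticated connection unless a gate outside these hunks already rejects that, so a guard `if (service_name == NULL || bind_dn == NULL) return false;` lets the helper fail closed on its own. The DN prefix match is byte-exact, so it only fires when the bind DN arrives in normalized form with a lowercase `krbprincipalname=` attribute type; a comment stating that assumption, e.g. `/* bind_dn is expected to be the normalized SLAPI_CONN_DN (lowercase attribute types); a non-matching form fails closed */`, would save the next reader a trip to the slapi docs. Style-wise, the `#define CIFS_PRINCIPAL_PREFIX` placed inside the function body stays defined for the rest of the translation unit, and the literal `5` duplicates `sizeof("cifs/") - 1`; a file-scope `static const char` (or a `#undef` after use) and a single `sizeof`-based length for both prefixes would make the two tests read alike.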
@@ -1228,7 +1236,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 int kvno;
 char *svcname;
 bool allowed_access = false;
- bool is_nthash_allowed = false;
+ bool nthash_allowed = false;
 struct berval *bvp = NULL;
 LDAPControl new_ctrl;
@@ -1305,8 +1313,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 /* Only allow generating arcfour-hmac keys for cifs/.. services
 * unless the enctype is allowed by the IPA configuration for use
 * by the all principals */
- is_nthash_allowed = (0 == strncmp("cifs/", serviceName, 5));
- filter_keys(krbcfg, kset, is_nthash_allowed);
+ nthash_allowed = is_nthash_allowed(serviceName, bindDN);
+ filter_keys(krbcfg, kset, nthash_allowed);
 /* check if we have any left */
 if (kset->num_keys == 0) {
@@ -1615,7 +1623,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 struct berval *bvp = NULL;
 LDAPControl new_ctrl;
 bool wantold = false;
- bool is_nthash_allowed = false;
+ bool nthash_allowed = false;
 /* Get Bind DN */
 slapi_pblock_get(pb, SLAPI_CONN_DN, &bind_dn);
@@ -1712,8 +1720,8 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 /* Only allow generating arcfour-hmac keys for cifs/.. services
 * unless the enctype is allowed by the IPA configuration for use
 * by the all principals */
- is_nthash_allowed = (0 == strncmp("cifs/", service_name, 5));
- filter_enctypes(krbcfg, kenctypes, &num_kenctypes, is_nthash_allowed);
+ nthash_allowed = is_nthash_allowed(service_name, bind_dn);
+ filter_enctypes(krbcfg, kenctypes, &num_kenctypes, nthash_allowed);
 /* check if we have any left */
 if (num_kenctypes == 0 && kenctypes != NULL) {
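Review bot: The commit description states that the bind-DN extension is provided only for GETKEYTAB and explicitly not for SETKEYTAB, yet the hunk at -1305 inside `ipapwd_setkeytab` also switches to `is_nthash_allowed(serviceName, bindDN)`, so a connection bound as a `cifs/..` principal now obtains RC4-HMAC keys through SETKEYTAB as well, for any principal whose krbPrincipalKey it may write. Either the description or this hunk is wrong; if the stated intent stands, keep the service-name-only test here, `nthash_allowed = (0 == strncmp("cifs/", serviceName, 5));`, and reserve the bind-DN check for the getkeytab path. The body of ipapwd_setkeytab starts and ends outside the hunk, so I cannot see whether an earlier SETKEYTAB-specific gate on `bindDN` narrows this; if one exists, the description should say so.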
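Review bot: The comment kept above the changed lines in the -1712 hunk still says arcfour-hmac keys are only generated for `cifs/..` services, but the new condition also accepts any request whose bind DN starts with `krbprincipalname=cifs/`, so the comment no longer describes the check a reader sees two lines below it. I would reword it to `/* Only allow generating arcfour-hmac keys for cifs/.. services, or when the requester itself is a cifs/.. principal (ipasam fetching trusted domain object keys), unless the IPA configuration allows the enctype for all principals */`. The identical comment above the -1305 hunk in ipapwd_setkeytab has the same problem. ipapwd_getkeytab continues past the end of the hunk.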