ipa-pwd-extop: allow ipasam to request RC4-HMAC in Kerberos keys for trusted domain objects

This is a problem since we added commit b5fbbd1 in 2019. Its logic allowed to add RC4-HMAC keys for cifs/.. service principal but it didn't account for the case when cifs/.. principal initiates the request. Since ipasam only uses GETKEYTAB control, provide this extension only here and don't allow the same for SETKEYTAB. At the point of check for the bind DN, we already have verified that the DN is allowed to write to the krbPrincipalKey attribute so there is no leap of faith to 'any cifs/... principal' here. A principal must be member of cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX to allow perform this operation Fixes: https://pagure.io/freeipa/issue/9134 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2025-02-25 18:55:28 -06:00 · 2022-04-06 12:23:56 +03:00 · 2022-04-06 12:23:56 +03:00 · 5638bdcb85
commit 5638bdcb85
parent 10046ffb33
1 changed files with 14 additions and 6 deletions
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@ -96,6 +96,14 @@ void *ipapwd_get_plugin_id(void)
    return ipapwd_plugin_id;
 }
 static bool is_nthash_allowed(const char *service_name, const char *bind_dn)
 {
 #define CIFS_PRINCIPAL_PREFIX "krbprincipalname=cifs/"
        return (0 == strncmp("cifs/", service_name, 5)) ||
               (0 == strncmp(CIFS_PRINCIPAL_PREFIX, bind_dn,
                             sizeof(CIFS_PRINCIPAL_PREFIX) - 1));
 }
 static void filter_keys(struct ipapwd_krbcfg *krbcfg,
                        struct ipapwd_keyset *kset,
                        bool allow_nthash)
@ -1228,7 +1236,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
    int kvno;
    char *svcname;
    bool allowed_access = false;
-    bool is_nthash_allowed = false;
+    bool nthash_allowed = false;
    struct berval *bvp = NULL;
    LDAPControl new_ctrl;
@ -1305,8 +1313,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
    /* Only allow generating arcfour-hmac keys for cifs/.. services
     * unless the enctype is allowed by the IPA configuration for use
     * by the all principals */
-    is_nthash_allowed = (0 == strncmp("cifs/", serviceName, 5));
+    nthash_allowed = is_nthash_allowed(serviceName, bindDN);
-    filter_keys(krbcfg, kset, is_nthash_allowed);
+    filter_keys(krbcfg, kset, nthash_allowed);
 	/* check if we have any left */
 	if (kset->num_keys == 0) {
@ -1615,7 +1623,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
    struct berval *bvp = NULL;
    LDAPControl new_ctrl;
    bool wantold = false;
-    bool is_nthash_allowed = false;
+    bool nthash_allowed = false;
    /* Get Bind DN */
    slapi_pblock_get(pb, SLAPI_CONN_DN, &bind_dn);
@ -1712,8 +1720,8 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
        /* Only allow generating arcfour-hmac keys for cifs/.. services
         * unless the enctype is allowed by the IPA configuration for use
         * by the all principals */
-        is_nthash_allowed = (0 == strncmp("cifs/", service_name, 5));
+        nthash_allowed = is_nthash_allowed(service_name, bind_dn);
-        filter_enctypes(krbcfg, kenctypes, &num_kenctypes, is_nthash_allowed);
+        filter_enctypes(krbcfg, kenctypes, &num_kenctypes, nthash_allowed);
        /* check if we have any left */
        if (num_kenctypes == 0 && kenctypes != NULL) {