mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
ipa-kdb: Rework ipadb_reinit_mspac()
Modify ipadb_reinit_mspac() to allocate and initialize ipactx->mspac only if all its attributes can be set. If not, ipactx->mspac is set to NULL. This makes easier to determine if the KDC is able to generate PACs or not. Also ipadb_reinit_mspac() is now able to return a status message explaining why initialization of the PAC generator failed. This message is printed in KDC logs. Fixes: https://pagure.io/freeipa/issue/9535 Signed-off-by: Julien Rische <jrische@redhat.com> Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
This commit is contained in:
Julien Rische
Florence Blanc-Renaud
parent
e5bb0f392a
commit
835929353d
@ -449,6 +449,7 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
|
|||||||
struct timeval tv = { 5, 0 };
|
struct timeval tv = { 5, 0 };
|
||||||
LDAPMessage *res = NULL;
|
LDAPMessage *res = NULL;
|
||||||
LDAPMessage *first;
|
LDAPMessage *first;
|
||||||
|
const char *stmsg;
|
||||||
int ret;
|
int ret;
|
||||||
int v3;
|
int v3;
|
||||||
|
|
||||||
@ -528,16 +529,9 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* get adtrust options using default refresh interval */
|
/* get adtrust options using default refresh interval */
|
||||||
ret = ipadb_reinit_mspac(ipactx, false);
|
ret = ipadb_reinit_mspac(ipactx, false, &stmsg);
|
||||||
if (ret && ret != ENOENT) {
|
if (ret && stmsg)
|
||||||
/* TODO: log that there is an issue with adtrust settings */
|
krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg);
|
||||||
if (ipactx->lcontext == NULL) {
|
|
||||||
/* for some reason ldap connection was reset in ipadb_reinit_mspac
|
|
||||||
* and is no longer established => failure of ipadb_get_connection
|
|
||||||
*/
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = 0;
|
ret = 0;
|
||||||
|
|
||||||
|
|||||||
@ -371,7 +371,9 @@ krb5_error_code ipadb_v9_issue_pac(krb5_context context, unsigned int flags,
|
|||||||
krb5_data ***auth_indicators);
|
krb5_data ***auth_indicators);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit);
|
krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx,
|
||||||
|
bool force_reinit,
|
||||||
|
const char **stmsg);
|
||||||
|
|
||||||
void ipadb_mspac_struct_free(struct ipadb_mspac **mspac);
|
void ipadb_mspac_struct_free(struct ipadb_mspac **mspac);
|
||||||
krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
|
krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
|
||||||
|
|||||||
@ -793,16 +793,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!ipactx->mspac) {
|
||||||
|
/* can't give a PAC without server NetBIOS name or primary group RID */
|
||||||
|
return ENOENT;
|
||||||
|
}
|
||||||
|
|
||||||
if (info3->base.primary_gid == 0) {
|
if (info3->base.primary_gid == 0) {
|
||||||
if (is_host || is_service) {
|
if (is_host || is_service) {
|
||||||
info3->base.primary_gid = 515; /* Well known RID for domain computers group */
|
info3->base.primary_gid = 515; /* Well known RID for domain computers group */
|
||||||
} else {
|
} else {
|
||||||
if (ipactx->mspac->fallback_rid) {
|
info3->base.primary_gid = ipactx->mspac->fallback_rid;
|
||||||
info3->base.primary_gid = ipactx->mspac->fallback_rid;
|
|
||||||
} else {
|
|
||||||
/* can't give a pack without a primary group rid */
|
|
||||||
return ENOENT;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -812,26 +812,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|||||||
/* always zero out, not used for Krb, only NTLM */
|
/* always zero out, not used for Krb, only NTLM */
|
||||||
memset(&info3->base.key, '\0', sizeof(info3->base.key));
|
memset(&info3->base.key, '\0', sizeof(info3->base.key));
|
||||||
|
|
||||||
if (ipactx->mspac->flat_server_name) {
|
info3->base.logon_server.string =
|
||||||
info3->base.logon_server.string =
|
talloc_strdup(memctx, ipactx->mspac->flat_server_name);
|
||||||
talloc_strdup(memctx, ipactx->mspac->flat_server_name);
|
if (!info3->base.logon_server.string) {
|
||||||
if (!info3->base.logon_server.string) {
|
return ENOMEM;
|
||||||
return ENOMEM;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
/* can't give a pack without Server NetBIOS Name :-| */
|
|
||||||
return ENOENT;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ipactx->mspac->flat_domain_name) {
|
info3->base.logon_domain.string =
|
||||||
info3->base.logon_domain.string =
|
talloc_strdup(memctx, ipactx->mspac->flat_domain_name);
|
||||||
talloc_strdup(memctx, ipactx->mspac->flat_domain_name);
|
if (!info3->base.logon_domain.string) {
|
||||||
if (!info3->base.logon_domain.string) {
|
return ENOMEM;
|
||||||
return ENOMEM;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
/* can't give a pack without Domain NetBIOS Name :-| */
|
|
||||||
return ENOENT;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (is_host || is_service) {
|
if (is_host || is_service) {
|
||||||
@ -1044,6 +1034,11 @@ krb5_error_code ipadb_get_pac(krb5_context kcontext,
|
|||||||
return KRB5_KDB_DBNOTINITED;
|
return KRB5_KDB_DBNOTINITED;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Check if PAC generator is initialized */
|
||||||
|
if (!ipactx->mspac) {
|
||||||
|
return ENOENT;
|
||||||
|
}
|
||||||
|
|
||||||
ied = (struct ipadb_e_data *)client->e_data;
|
ied = (struct ipadb_e_data *)client->e_data;
|
||||||
if (ied->magic != IPA_E_DATA_MAGIC) {
|
if (ied->magic != IPA_E_DATA_MAGIC) {
|
||||||
return EINVAL;
|
return EINVAL;
|
||||||
@ -1626,14 +1621,14 @@ static struct ipadb_adtrusts *get_domain_from_realm(krb5_context context,
|
|||||||
{
|
{
|
||||||
struct ipadb_context *ipactx;
|
struct ipadb_context *ipactx;
|
||||||
struct ipadb_adtrusts *domain;
|
struct ipadb_adtrusts *domain;
|
||||||
int i;
|
size_t i;
|
||||||
|
|
||||||
ipactx = ipadb_get_context(context);
|
ipactx = ipadb_get_context(context);
|
||||||
if (!ipactx) {
|
if (!ipactx) {
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ipactx->mspac == NULL) {
|
if (!ipactx->mspac) {
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1655,6 +1650,7 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context,
|
|||||||
{
|
{
|
||||||
struct ipadb_context *ipactx;
|
struct ipadb_context *ipactx;
|
||||||
struct ipadb_adtrusts *domain;
|
struct ipadb_adtrusts *domain;
|
||||||
|
const char *stmsg = NULL;
|
||||||
krb5_error_code kerr;
|
krb5_error_code kerr;
|
||||||
|
|
||||||
ipactx = ipadb_get_context(context);
|
ipactx = ipadb_get_context(context);
|
||||||
@ -1663,8 +1659,10 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* re-init MS-PAC info using default update interval */
|
/* re-init MS-PAC info using default update interval */
|
||||||
kerr = ipadb_reinit_mspac(ipactx, false);
|
kerr = ipadb_reinit_mspac(ipactx, false, &stmsg);
|
||||||
if (kerr != 0) {
|
if (kerr != 0) {
|
||||||
|
if (stmsg)
|
||||||
|
krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
domain = get_domain_from_realm(context, realm);
|
domain = get_domain_from_realm(context, realm);
|
||||||
@ -1717,6 +1715,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
|||||||
struct ipadb_e_data *ied = NULL;
|
struct ipadb_e_data *ied = NULL;
|
||||||
int flags = 0;
|
int flags = 0;
|
||||||
struct dom_sid client_sid;
|
struct dom_sid client_sid;
|
||||||
|
const char *stmsg = NULL;
|
||||||
#ifdef KRB5_KDB_FLAG_ALIAS_OK
|
#ifdef KRB5_KDB_FLAG_ALIAS_OK
|
||||||
flags = KRB5_KDB_FLAG_ALIAS_OK;
|
flags = KRB5_KDB_FLAG_ALIAS_OK;
|
||||||
#endif
|
#endif
|
||||||
@ -1730,10 +1729,14 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
|||||||
* check that our own view on the PAC details is up to date */
|
* check that our own view on the PAC details is up to date */
|
||||||
if (ipactx->mspac->domsid.num_auths == 0) {
|
if (ipactx->mspac->domsid.num_auths == 0) {
|
||||||
/* Force re-init of KDB's view on our domain */
|
/* Force re-init of KDB's view on our domain */
|
||||||
kerr = ipadb_reinit_mspac(ipactx, true);
|
kerr = ipadb_reinit_mspac(ipactx, true, &stmsg);
|
||||||
if (kerr != 0) {
|
if (kerr != 0) {
|
||||||
krb5_klog_syslog(LOG_ERR,
|
if (stmsg) {
|
||||||
"PAC issue: unable to update realm's view on PAC info");
|
krb5_klog_syslog(LOG_ERR, "MS-PAC generator: %s", stmsg);
|
||||||
|
} else {
|
||||||
|
krb5_klog_syslog(LOG_ERR, "PAC issue: unable to update " \
|
||||||
|
"realm's view on PAC info");
|
||||||
|
}
|
||||||
return KRB5KDC_ERR_POLICY;
|
return KRB5KDC_ERR_POLICY;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1746,7 +1749,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
|||||||
if (is_s4u && (ipactx->mspac->trusts != NULL)) {
|
if (is_s4u && (ipactx->mspac->trusts != NULL)) {
|
||||||
/* Iterate through list of trusts and check if this SID belongs to
|
/* Iterate through list of trusts and check if this SID belongs to
|
||||||
* one of the domains we trust */
|
* one of the domains we trust */
|
||||||
for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
|
for(size_t i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
|
||||||
result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
|
result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
|
||||||
info->info->info3.base.domain_sid, true);
|
info->info->info3.base.domain_sid, true);
|
||||||
if (result) {
|
if (result) {
|
||||||
@ -1858,11 +1861,11 @@ krb5_error_code filter_logon_info(krb5_context context,
|
|||||||
struct ipadb_mspac *mspac_ctx = ipactx->mspac;
|
struct ipadb_mspac *mspac_ctx = ipactx->mspac;
|
||||||
result = FALSE;
|
result = FALSE;
|
||||||
/* Didn't match but perhaps the original PAC was issued by a child domain's DC? */
|
/* Didn't match but perhaps the original PAC was issued by a child domain's DC? */
|
||||||
for (k = 0; k < mspac_ctx->num_trusts; k++) {
|
for (size_t m = 0; m < mspac_ctx->num_trusts; m++) {
|
||||||
result = dom_sid_check(&mspac_ctx->trusts[k].domsid,
|
result = dom_sid_check(&mspac_ctx->trusts[m].domsid,
|
||||||
info->info->info3.base.domain_sid, true);
|
info->info->info3.base.domain_sid, true);
|
||||||
if (result) {
|
if (result) {
|
||||||
domain = &mspac_ctx->trusts[k];
|
domain = &mspac_ctx->trusts[m];
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -2091,10 +2094,10 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
|
|||||||
return KRB5_KDB_DBNOTINITED;
|
return KRB5_KDB_DBNOTINITED;
|
||||||
}
|
}
|
||||||
/* In S4U case we might be dealing with the PAC issued by the trusted domain */
|
/* In S4U case we might be dealing with the PAC issued by the trusted domain */
|
||||||
if ((ipactx->mspac->trusts != NULL)) {
|
if (ipactx->mspac->trusts) {
|
||||||
/* Iterate through list of trusts and check if this SID belongs to
|
/* Iterate through list of trusts and check if this SID belongs to
|
||||||
* one of the domains we trust */
|
* one of the domains we trust */
|
||||||
for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
|
for(size_t i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
|
||||||
result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
|
result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
|
||||||
&client_sid, false);
|
&client_sid, false);
|
||||||
if (result) {
|
if (result) {
|
||||||
@ -2634,7 +2637,7 @@ static char *get_server_netbios_name(struct ipadb_context *ipactx)
|
|||||||
|
|
||||||
void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
|
void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
|
||||||
{
|
{
|
||||||
int i, j;
|
size_t i, j;
|
||||||
|
|
||||||
if (!*mspac) return;
|
if (!*mspac) return;
|
||||||
|
|
||||||
@ -2789,7 +2792,8 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|||||||
LDAPDN dn = NULL;
|
LDAPDN dn = NULL;
|
||||||
char **sid_blocklist_incoming = NULL;
|
char **sid_blocklist_incoming = NULL;
|
||||||
char **sid_blocklist_outgoing = NULL;
|
char **sid_blocklist_outgoing = NULL;
|
||||||
int ret, n, i;
|
size_t i, n;
|
||||||
|
int ret;
|
||||||
|
|
||||||
ret = asprintf(&base, "cn=ad,cn=trusts,%s", ipactx->base);
|
ret = asprintf(&base, "cn=ad,cn=trusts,%s", ipactx->base);
|
||||||
if (ret == -1) {
|
if (ret == -1) {
|
||||||
@ -2874,7 +2878,7 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|||||||
|
|
||||||
t[n].upn_suffixes_len = NULL;
|
t[n].upn_suffixes_len = NULL;
|
||||||
if (t[n].upn_suffixes != NULL) {
|
if (t[n].upn_suffixes != NULL) {
|
||||||
int len = 0;
|
size_t len = 0;
|
||||||
|
|
||||||
for (; t[n].upn_suffixes[len] != NULL; len++);
|
for (; t[n].upn_suffixes[len] != NULL; len++);
|
||||||
|
|
||||||
@ -2989,108 +2993,114 @@ done:
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit)
|
krb5_error_code
|
||||||
|
ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit,
|
||||||
|
const char **stmsg)
|
||||||
{
|
{
|
||||||
char *dom_attrs[] = { "ipaNTFlatName",
|
char *dom_attrs[] = { "ipaNTFlatName",
|
||||||
"ipaNTFallbackPrimaryGroup",
|
"ipaNTFallbackPrimaryGroup",
|
||||||
"ipaNTSecurityIdentifier",
|
"ipaNTSecurityIdentifier",
|
||||||
NULL };
|
NULL };
|
||||||
char *grp_attrs[] = { "ipaNTSecurityIdentifier", NULL };
|
char *grp_attrs[] = { "ipaNTSecurityIdentifier", NULL };
|
||||||
krb5_error_code kerr;
|
|
||||||
LDAPMessage *result = NULL;
|
LDAPMessage *result = NULL;
|
||||||
LDAPMessage *lentry;
|
LDAPMessage *lentry;
|
||||||
struct dom_sid gsid;
|
struct dom_sid gsid, domsid;
|
||||||
char *resstr;
|
char *resstr = NULL;
|
||||||
int ret;
|
char *flat_domain_name = NULL;
|
||||||
|
char *flat_server_name = NULL;
|
||||||
|
char *fallback_group = NULL;
|
||||||
|
uint32_t fallback_rid;
|
||||||
time_t now;
|
time_t now;
|
||||||
|
const char *in_stmsg = NULL;
|
||||||
|
int err;
|
||||||
|
krb5_error_code trust_kerr = 0;
|
||||||
|
|
||||||
|
|
||||||
/* Do not update the mspac struct more than once a minute. This would
|
/* Do not update the mspac struct more than once a minute. This would
|
||||||
* avoid heavy load on the directory server if there are lots of requests
|
* avoid heavy load on the directory server if there are lots of requests
|
||||||
* from domains which we do not trust. */
|
* from domains which we do not trust. */
|
||||||
now = time(NULL);
|
now = time(NULL);
|
||||||
|
|
||||||
if (ipactx->mspac != NULL &&
|
if (ipactx->mspac) {
|
||||||
(force_reinit == false) &&
|
if (!force_reinit &&
|
||||||
(now > ipactx->mspac->last_update) &&
|
(now > ipactx->mspac->last_update) &&
|
||||||
(now - ipactx->mspac->last_update) < 60) {
|
(now - ipactx->mspac->last_update) < 60) {
|
||||||
return 0;
|
/* SKIP */
|
||||||
}
|
err = 0;
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
if (ipactx->mspac && ipactx->mspac->num_trusts == 0) {
|
if (ipactx->mspac->num_trusts == 0) {
|
||||||
/* Check if there is any trust configured. If not, just return
|
/* Check if there is any trust configured. If not, just return
|
||||||
* and do not re-initialize the MS-PAC structure. */
|
* and do not re-initialize the MS-PAC structure. */
|
||||||
kerr = ipadb_mspac_check_trusted_domains(ipactx);
|
err = ipadb_mspac_check_trusted_domains(ipactx);
|
||||||
if (kerr == KRB5_KDB_NOENTRY) {
|
if (err) {
|
||||||
kerr = 0;
|
if (err == KRB5_KDB_NOENTRY) {
|
||||||
goto done;
|
/* SKIP */
|
||||||
} else if (kerr != 0) {
|
err = 0;
|
||||||
goto done;
|
} else {
|
||||||
|
in_stmsg = "Failed to fetch trusted domains information";
|
||||||
|
}
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* clean up in case we had old values around */
|
err = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE,
|
||||||
ipadb_mspac_struct_free(&ipactx->mspac);
|
"(objectclass=ipaNTDomainAttrs)", dom_attrs,
|
||||||
|
&result);
|
||||||
ipactx->mspac = calloc(1, sizeof(struct ipadb_mspac));
|
if (err == KRB5_KDB_NOENTRY) {
|
||||||
if (!ipactx->mspac) {
|
err = ENOENT;
|
||||||
kerr = ENOMEM;
|
in_stmsg = "Local domain NT attributes not configured";
|
||||||
goto done;
|
goto end;
|
||||||
}
|
} else if (err) {
|
||||||
|
err = EIO;
|
||||||
ipactx->mspac->last_update = now;
|
in_stmsg = "Failed to fetch local domain NT attributes";
|
||||||
|
goto end;
|
||||||
kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE,
|
|
||||||
"(objectclass=ipaNTDomainAttrs)", dom_attrs,
|
|
||||||
&result);
|
|
||||||
if (kerr == KRB5_KDB_NOENTRY) {
|
|
||||||
return ENOENT;
|
|
||||||
} else if (kerr != 0) {
|
|
||||||
return EIO;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
lentry = ldap_first_entry(ipactx->lcontext, result);
|
lentry = ldap_first_entry(ipactx->lcontext, result);
|
||||||
if (!lentry) {
|
if (!lentry) {
|
||||||
kerr = ENOENT;
|
err = ENOENT;
|
||||||
goto done;
|
in_stmsg = "Local domain NT attributes not configured";
|
||||||
|
goto end;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
err = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "ipaNTFlatName",
|
||||||
"ipaNTFlatName",
|
&flat_domain_name);
|
||||||
&ipactx->mspac->flat_domain_name);
|
if (err) {
|
||||||
if (ret) {
|
in_stmsg = "Local domain NT flat name not configured";
|
||||||
kerr = ret;
|
goto end;
|
||||||
goto done;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
err = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
||||||
"ipaNTSecurityIdentifier",
|
"ipaNTSecurityIdentifier", &resstr);
|
||||||
&resstr);
|
if (err) {
|
||||||
if (ret) {
|
in_stmsg = "Local domain SID not configured";
|
||||||
kerr = ret;
|
goto end;
|
||||||
goto done;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = ipadb_string_to_sid(resstr, &ipactx->mspac->domsid);
|
err = ipadb_string_to_sid(resstr, &domsid);
|
||||||
if (ret) {
|
if (err) {
|
||||||
kerr = ret;
|
in_stmsg = "Malformed local domain SID";
|
||||||
free(resstr);
|
goto end;
|
||||||
goto done;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
free(resstr);
|
free(resstr);
|
||||||
|
|
||||||
free(ipactx->mspac->flat_server_name);
|
flat_server_name = get_server_netbios_name(ipactx);
|
||||||
ipactx->mspac->flat_server_name = get_server_netbios_name(ipactx);
|
if (!flat_server_name) {
|
||||||
if (!ipactx->mspac->flat_server_name) {
|
err = ENOMEM;
|
||||||
kerr = ENOMEM;
|
goto end;
|
||||||
goto done;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
err = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
||||||
"ipaNTFallbackPrimaryGroup",
|
"ipaNTFallbackPrimaryGroup", &fallback_group);
|
||||||
&ipactx->mspac->fallback_group);
|
if (err) {
|
||||||
if (ret && ret != ENOENT) {
|
in_stmsg = (err == ENOENT)
|
||||||
kerr = ret;
|
? "Local fallback primary group not configured"
|
||||||
goto done;
|
: "Failed to fetch local fallback primary group";
|
||||||
|
goto end;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* result and lentry not valid any more from here on */
|
/* result and lentry not valid any more from here on */
|
||||||
@ -3098,53 +3108,81 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_rein
|
|||||||
result = NULL;
|
result = NULL;
|
||||||
lentry = NULL;
|
lentry = NULL;
|
||||||
|
|
||||||
if (ret != ENOENT) {
|
err = ipadb_simple_search(ipactx, fallback_group, LDAP_SCOPE_BASE,
|
||||||
kerr = ipadb_simple_search(ipactx, ipactx->mspac->fallback_group,
|
"(objectclass=posixGroup)", grp_attrs, &result);
|
||||||
LDAP_SCOPE_BASE,
|
if (err) {
|
||||||
"(objectclass=posixGroup)",
|
in_stmsg = (err == KRB5_KDB_NOENTRY)
|
||||||
grp_attrs, &result);
|
? "Local fallback primary group has no POSIX definition"
|
||||||
if (kerr && kerr != KRB5_KDB_NOENTRY) {
|
: "Failed to fetch SID of POSIX group mapped as local fallback " \
|
||||||
kerr = ret;
|
"primary group";
|
||||||
goto done;
|
goto end;
|
||||||
}
|
|
||||||
|
|
||||||
lentry = ldap_first_entry(ipactx->lcontext, result);
|
|
||||||
if (!lentry) {
|
|
||||||
kerr = ENOENT;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (kerr == 0) {
|
|
||||||
ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
||||||
"ipaNTSecurityIdentifier",
|
|
||||||
&resstr);
|
|
||||||
if (ret && ret != ENOENT) {
|
|
||||||
kerr = ret;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
if (ret == 0) {
|
|
||||||
ret = ipadb_string_to_sid(resstr, &gsid);
|
|
||||||
if (ret) {
|
|
||||||
free(resstr);
|
|
||||||
kerr = ret;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
ret = sid_split_rid(&gsid, &ipactx->mspac->fallback_rid);
|
|
||||||
if (ret) {
|
|
||||||
free(resstr);
|
|
||||||
kerr = ret;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
free(resstr);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
kerr = ipadb_mspac_get_trusted_domains(ipactx);
|
lentry = ldap_first_entry(ipactx->lcontext, result);
|
||||||
|
if (!lentry) {
|
||||||
|
err = ENOENT;
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
done:
|
err = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
||||||
|
"ipaNTSecurityIdentifier", &resstr);
|
||||||
|
if (err) {
|
||||||
|
in_stmsg = (err == ENOENT)
|
||||||
|
? "The POSIX group set as fallback primary group has no SID " \
|
||||||
|
"configured"
|
||||||
|
: "Failed to fetch SID of POSIX group set as local fallback " \
|
||||||
|
"primary group";
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
err = ipadb_string_to_sid(resstr, &gsid);
|
||||||
|
if (err) {
|
||||||
|
in_stmsg = "Malformed SID of POSIX group set as local fallback " \
|
||||||
|
"primary group";
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
err = sid_split_rid(&gsid, &fallback_rid);
|
||||||
|
if (err) {
|
||||||
|
in_stmsg = "Malformed SID of POSIX group mapped as local fallback " \
|
||||||
|
"primary group";
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* clean up in case we had old values around */
|
||||||
|
ipadb_mspac_struct_free(&ipactx->mspac);
|
||||||
|
|
||||||
|
ipactx->mspac = calloc(1, sizeof(struct ipadb_mspac));
|
||||||
|
if (!ipactx->mspac) {
|
||||||
|
err = ENOMEM;
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
ipactx->mspac->last_update = now;
|
||||||
|
ipactx->mspac->flat_domain_name = flat_domain_name;
|
||||||
|
ipactx->mspac->flat_server_name = flat_server_name;
|
||||||
|
ipactx->mspac->domsid = domsid;
|
||||||
|
ipactx->mspac->fallback_group = fallback_group;
|
||||||
|
ipactx->mspac->fallback_rid = fallback_rid;
|
||||||
|
|
||||||
|
trust_kerr = ipadb_mspac_get_trusted_domains(ipactx);
|
||||||
|
if (trust_kerr)
|
||||||
|
in_stmsg = "Failed to assemble trusted domains information";
|
||||||
|
|
||||||
|
end:
|
||||||
|
if (stmsg)
|
||||||
|
*stmsg = in_stmsg;
|
||||||
|
|
||||||
|
if (resstr) free(resstr);
|
||||||
ldap_msgfree(result);
|
ldap_msgfree(result);
|
||||||
return kerr;
|
|
||||||
|
if (err) {
|
||||||
|
if (flat_domain_name) free(flat_domain_name);
|
||||||
|
if (flat_server_name) free(flat_server_name);
|
||||||
|
if (fallback_group) free(fallback_group);
|
||||||
|
}
|
||||||
|
|
||||||
|
return err ? (krb5_error_code)err : trust_kerr;
|
||||||
}
|
}
|
||||||
|
|
||||||
krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
|
krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
|
||||||
@ -3154,11 +3192,11 @@ krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
|
|||||||
{
|
{
|
||||||
struct ipadb_context *ipactx;
|
struct ipadb_context *ipactx;
|
||||||
bool has_transited_contents, has_client_realm, has_server_realm;
|
bool has_transited_contents, has_client_realm, has_server_realm;
|
||||||
int i;
|
size_t i;
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
|
|
||||||
ipactx = ipadb_get_context(kcontext);
|
ipactx = ipadb_get_context(kcontext);
|
||||||
if (!ipactx || !ipactx->mspac) {
|
if (!ipactx) {
|
||||||
return KRB5_KDB_DBNOTINITED;
|
return KRB5_KDB_DBNOTINITED;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -3220,7 +3258,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
|
|||||||
char **trusted_realm)
|
char **trusted_realm)
|
||||||
{
|
{
|
||||||
struct ipadb_context *ipactx;
|
struct ipadb_context *ipactx;
|
||||||
int i, j, length;
|
size_t i, j, length;
|
||||||
const char *name;
|
const char *name;
|
||||||
bool result = false;
|
bool result = false;
|
||||||
|
|
||||||
|
|||||||
@ -31,7 +31,7 @@ struct ipadb_mspac {
|
|||||||
char *fallback_group;
|
char *fallback_group;
|
||||||
uint32_t fallback_rid;
|
uint32_t fallback_rid;
|
||||||
|
|
||||||
int num_trusts;
|
size_t num_trusts;
|
||||||
struct ipadb_adtrusts *trusts;
|
struct ipadb_adtrusts *trusts;
|
||||||
time_t last_update;
|
time_t last_update;
|
||||||
};
|
};
|
||||||
|
|||||||
@ -233,6 +233,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
|
|||||||
krb5_db_entry *client_entry = NULL;
|
krb5_db_entry *client_entry = NULL;
|
||||||
krb5_boolean is_equal;
|
krb5_boolean is_equal;
|
||||||
bool force_reinit_mspac = false;
|
bool force_reinit_mspac = false;
|
||||||
|
const char *stmsg = NULL;
|
||||||
|
|
||||||
|
|
||||||
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
|
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
|
||||||
@ -309,7 +310,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
|
|||||||
force_reinit_mspac = true;
|
force_reinit_mspac = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
(void)ipadb_reinit_mspac(ipactx, force_reinit_mspac);
|
kerr = ipadb_reinit_mspac(ipactx, force_reinit_mspac, &stmsg);
|
||||||
|
if (kerr && stmsg)
|
||||||
|
krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg);
|
||||||
|
|
||||||
kerr = ipadb_get_pac(context, flags, client, server, NULL, authtime, &pac);
|
kerr = ipadb_get_pac(context, flags, client, server, NULL, authtime, &pac);
|
||||||
if (kerr != 0 && kerr != ENOENT) {
|
if (kerr != 0 && kerr != ENOENT) {
|
||||||
|
|||||||
@ -46,6 +46,7 @@ ipadb_v9_issue_pac(krb5_context context, unsigned int flags,
|
|||||||
bool with_pad;
|
bool with_pad;
|
||||||
krb5_error_code kerr = 0;
|
krb5_error_code kerr = 0;
|
||||||
bool is_as_req = flags & CLIENT_REFERRALS_FLAGS;
|
bool is_as_req = flags & CLIENT_REFERRALS_FLAGS;
|
||||||
|
const char *stmsg = NULL;
|
||||||
|
|
||||||
if (is_as_req) {
|
if (is_as_req) {
|
||||||
get_authz_data_types(context, client, &with_pac, &with_pad);
|
get_authz_data_types(context, client, &with_pac, &with_pad);
|
||||||
@ -110,12 +111,19 @@ ipadb_v9_issue_pac(krb5_context context, unsigned int flags,
|
|||||||
force_reinit_mspac = TRUE;
|
force_reinit_mspac = TRUE;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
(void)ipadb_reinit_mspac(ipactx, force_reinit_mspac);
|
|
||||||
|
|
||||||
/* MS-PAC needs proper configuration and if it is missing, we simply skip issuing one */
|
/* MS-PAC generator has to be initalized */
|
||||||
if (ipactx->mspac->flat_server_name == NULL) {
|
kerr = ipadb_reinit_mspac(ipactx, force_reinit_mspac, &stmsg);
|
||||||
|
if (kerr && stmsg)
|
||||||
|
krb5_klog_syslog(LOG_ERR, "MS-PAC generator: %s", stmsg);
|
||||||
|
|
||||||
|
/* Continue even if initilization of PAC generator failed.
|
||||||
|
* It may caused by the trust objects part only. */
|
||||||
|
|
||||||
|
/* At least the core part of the PAC generator is required. */
|
||||||
|
if (!ipactx->mspac)
|
||||||
return KRB5_PLUGIN_OP_NOTSUPP;
|
return KRB5_PLUGIN_OP_NOTSUPP;
|
||||||
}
|
|
||||||
kerr = ipadb_get_pac(context, flags,
|
kerr = ipadb_get_pac(context, flags,
|
||||||
client, server, replaced_reply_key,
|
client, server, replaced_reply_key,
|
||||||
authtime, &new_pac);
|
authtime, &new_pac);
|
||||||
|
|||||||
@ -1598,6 +1598,7 @@ static krb5_error_code dbget_alias(krb5_context kcontext,
|
|||||||
-1,
|
-1,
|
||||||
};
|
};
|
||||||
size_t i = 0;
|
size_t i = 0;
|
||||||
|
const char *stmsg = NULL;
|
||||||
|
|
||||||
/* For TGS-REQ server principal lookup, KDC asks with KRB5_KDB_FLAG_REFERRAL_OK
|
/* For TGS-REQ server principal lookup, KDC asks with KRB5_KDB_FLAG_REFERRAL_OK
|
||||||
* and client usually asks for an KRB5_NT_PRINCIPAL type principal. */
|
* and client usually asks for an KRB5_NT_PRINCIPAL type principal. */
|
||||||
@ -1685,8 +1686,11 @@ static krb5_error_code dbget_alias(krb5_context kcontext,
|
|||||||
if (kerr == KRB5_KDB_NOENTRY) {
|
if (kerr == KRB5_KDB_NOENTRY) {
|
||||||
/* If no trusted realm found, refresh trusted domain data and try again
|
/* If no trusted realm found, refresh trusted domain data and try again
|
||||||
* because it might be a freshly added trust to AD */
|
* because it might be a freshly added trust to AD */
|
||||||
kerr = ipadb_reinit_mspac(ipactx, false);
|
kerr = ipadb_reinit_mspac(ipactx, false, &stmsg);
|
||||||
if (kerr != 0) {
|
if (kerr != 0) {
|
||||||
|
if (stmsg)
|
||||||
|
krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s",
|
||||||
|
stmsg);
|
||||||
kerr = KRB5_KDB_NOENTRY;
|
kerr = KRB5_KDB_NOENTRY;
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user