The OpenDNSSec integration code requires:
/usr/sbin/dnssec-keyfromlabel-pkcs11
which is provided by bind-pkcs11-utils, but that package is
only available on RHEL<9.
With this change, freeipa-server-dns depends on bind-dnssec-utils
on all Fedora releases and RHEL==9+, and uses:
/usr/sbin/dnssec-keyfromlabel -E pkcs11
instead of dnssec-keyfromlabel-pkcs11.
Fixes: https://pagure.io/freeipa/issue/9026
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Antonio Torres Moríñigo <antorres@redhat.com>
When running IPA in locale de_DE.UTF-8 I got an internal error:
jochen@freeipa1:~$ ipa server-del freeipa4.example.org
Removing freeipa4.example.org from replication topology, please wait...
ipa: ERROR: Ein interner Fehler ist aufgetreten
This is not the complete messages. Using en_US.UTF-8 would be ok.
In the httpd error_log:
] ipa: ERROR: non-public: TypeError: unhashable type: 'Gettext'
] Traceback (most recent call last):
] File "/usr/lib/python3.10/site-packags/ipaserver/rpcserver.py", line 407, in wsgi_execute
] result = command(*args, **options)
] File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 471, in __call__
] return self.__do_call(*args, **options)
] File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 499, in __do_call
] ret = self.run(*args, **options)
] File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 821, in run
] return self.execute(*args, **options)
] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1686, in execute] return self.execute(*args, **options)
] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1686, in execute
] delete_entry(pkey)
] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1637, in delete_entry
] dn = callback(self, ldap, dn, *nkeys, **options)
] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 755, in pre_callback
] self._ensure_last_of_role(
] File
"/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line
520, in _ensure_last_of_role
] handler(
] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 482, in handler
] raise errors.ServerRemovalError(reason=_(msg))
] File "/usr/lib/python3.10/site-packages/ipalib/errors.py", line 269, in __init__
] messages.process_message_arguments(self, format, message, **kw)
] File "/usr/lib/python3.10/site-packages/ipalib/messages.py", line 55, in process_message_arguments
] kw[key] = unicode(value)
] File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 296, in __str__
] return unicode(self.as_unicode())
] File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 293, in as_unicode
] return t.gettext(self.msg)
] File "/usr/lib64/python3.10/gettext.py", line 498, in gettext
] tmsg = self._catalog.get(message, missing)
] TypeError: unhashable type: 'Gettext'
] ipa: INFO: [jsonserver_session] admin@EXAMPLE.ORG:
server_del/1(['freeipa4.example.org'], version='2.245'): InternalError
Alexander suggested to remove _() in local handler() function in
_ensure_last_of_role():
else:
raise errors.ServerRemovalError(reason=_(msg))
Looks like all the callers give already gettext-enabled message (wrapped
with _() already).
At least for my case I now get a complete error message.
Fixes: https://pagure.io/freeipa/issue/9046
Signed-off-by: Jochen Kellner <jochen@jochen.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The "is this the last KRA" test did a role-find including the
current server. This skewed the result if the server to be
removed has a KRA installed, it would always return "not allowed"
because len(roles) == 1 and the name matched, regardless of
whether other servers also provided a KRA.
https://pagure.io/freeipa/issue/8397
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
ipa pwpolicy-mod --minlife $min --maxlife $max
accepts $max >= $min, yet the error message says:
"Maximum password life must be greater than minimum."
Change the error message so that it conveys the
actual logic.
Fixes: https://pagure.io/freeipa/issue/9038
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
KDB driver extensively uses NDR parsing and marshalling code provided by
Samba libraries. Since these libraries are internal to Samba, they often
change structures without updating SONAME. Typical changes include
adding new structures, so we should require samba-client-libs we were
built against.
There used to be %requires_eq macros in RPM but it was removed from
Fedora some time ago. We need greater than or equal version of it, thus
%ipa_requires_gt is defined in the spec file.
Related: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Previously, ipadb_check_logon_info() was called only for cross-realm
case. Now we call it for both in-realm and cross-realm cases. In case of
the S4U2Proxy, we would be passed a PAC of the original caller which
might be a principal from the trusted realm. We cannot validate that PAC
against our local client DB entry because this is the proxy entry which
is guaranteed to have different SID.
In such case, validate the SID of the domain in PAC against our realm
and any trusted doman but skip an additional check of the DB entry in
the S4U2Proxy case.
Related: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
If the SID was explicitly set for the host or service entry, honor it
when issuing PAC. For normal services and hosts we don't allocate
individual SIDs but for cifs/... principals on domain members we do as
they need to login to Samba domain controller.
Related: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
As a part of CVE-2020-25717 mitigations, Samba now assumes 'CLASSIC
PRIMARY DOMAIN CONTROLLER' server role does not support Kerberos
operations. This is the role that IPA domain controller was using for
its hybrid NT4/AD-like operation.
Instead, 'IPA PRIMARY DOMAIN CONTROLLER' server role was introduced in
Samba. Switch to this role for new installations and during the upgrade
of servers running ADTRUST role.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
As part of CVE-2020-25717 mitigations, Samba expects correct user
account flags in the PAC. This means for services and host principals we
should be using ACB_WSTRUST or ACB_SVRTRUST depending on whether they
run on IPA clients ("workstation" or "domain member") or IPA servers
("domain controller").
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
PAC_ATTRIBUTES_INFO PAC buffer allows both client and KDC to tell
whether a PAC structure was requested by the client or it was provided
by the KDC implicitly. Kerberos service then can continue processing or
deny access in case client explicitly requested to operate without PAC.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
CVE-2020-25721 mitigation: KDC must provide the new PAC_REQUESTER_SID
buffer with ObjectSID value associated with the requester's principal.
The mitigation only works if NDR library supports the PAC_REQUESTER_SID
buffer type. In case we cannot detect it at compile time, a warning will
be displayed at configure stage.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
CVE-2020-25721 mitigation: KDC must provide the new HAS_SAM_NAME_AND_SID
buffer with sAMAccountName and ObjectSID values associated with the
principal.
The mitigation only works if NDR library supports the
PAC_UPN_DNS_INFO_EX buffer type. In case we cannot detect it at compile
time, a warning will be displayed at configure stage.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When working with aliased entries, we need a reliable way to detect
whether two principals reference the same database entry. This is
important in S4U checks.
Ideally, we should be using SIDs for these checks as S4U requires PAC
record presence which cannot be issued without a SID associated with an
entry. This is true for user principals and a number of host/service
principals associated with Samba. Other service principals do not have
SIDs because we do not allocate POSIX IDs to them in FreeIPA. When PAC
is issued for these principals, they get SID of a domain computer or
domain controller depending on their placement (IPA client or IPA
server).
Since 389-ds always returns unique entry DN for the same entry, rely on
this value instead. We could have used ipaUniqueID but for Kerberos
principals created through the KDB (kadmin/kdb5_util) we don't have
ipaUniqueID in the entry.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
If the principal entry in LDAP has SID associated with it, store it to
be able to quickly assess the SID when processing PAC.
Also rename string_to_sid to IPA-specific version as it uses different
prototype than Samba version.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Robert Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Because the sidgen plugin is a postop plugin, it is not
always triggered before the result of an ADD is returned
and the objectclasses of the user may / may not contain
ipantuserattrs.
Fix the get_user_result method to work in all the cases.
Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
where {id} is an unknown authority ID.
Test Steps:
1. Setup a freeipa server and a replica
2. Stop ipa-custodia service on replica
3. Create a LWCA on the replica
4. Verify LWCA is recognized on the server
5. Run `ipa ca-show <LWCA>`
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Fixture issue_and_expire_cert() kinit after moving the date to
expire certs. This fix is to rely on kinit from fixture.
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
