When creating Kerberos keys for trusted domain object account, ipasam
module requests to generate keys using a series of well-known encryption
types. In FIPS mode it is not possible to generate RC4-HMAC key:
MIT Kerberos is using openssl crypto backend and openssl does not allow
use of RC4 in FIPS mode.
Thus, we have to filter out RC4-HMAC encryption type when running in
FIPS mode. A side-effect is that a trust to Active Directory running
with Windows Server 2003 will not be possible anymore in FIPS mode.
Resolves: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Samba 4.7 tightens up smbldap API by making 'struct smbldap_state' an
opaque. This means ipa-sam module cannot anymore directly set its
LDAP bind callback.
Use new smbldap API to set the LDAP bind callback.
Fixes https://pagure.io/freeipa/issue/6877
Reviewed-By: Martin Basti <mbasti@redhat.com>
With Samba 4.7 access to ldapsam internal structures will not be
available for external applications. FreeIPA's ipasam module was using
those for own needs. Now it needs to migrate to proper own private
structure.
Given that we anyway need to implement many missing functions like
pdb_update_sam_account() callback with FreeIPA-specific logic,
piggybacking on ldapsam structures is not needed anymore.
Fixes https://pagure.io/freeipa/issue/6877
Reviewed-By: Martin Basti <mbasti@redhat.com>
Since ipa-sam is running as part of smbd is it safe to use the
E_md4hash() from Samba. This way ipa-sam does not depend on other crypto
libraries which might depend on other rules like e.g. FIPS mode.
Resolves https://pagure.io/freeipa/issue/7026
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When a trusted domain entry is created, the uidNumber attribute is created
but not the gidNumber attribute. This causes samba to log
Failed to find a Unix account for DOM-AD$
because the samu structure does not contain a group_sid and is not put
in the cache.
The fix creates the gidNumber attribute in the trusted domain entry,
and initialises the group_sid field in the samu structure returned
by ldapsam_getsampwnam. This ensures that the entry is put in the cache.
Note that this is only a partial fix for 6660 as it does not prevent
_netr_ServerAuthenticate3 from failing with the log
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com.
https://pagure.io/freeipa/issue/6827
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Automake manual section 13 What Gets Cleaned says that make maintainer-clean
should not remove files necessary for subsequent runs of ./configure.
It practically means that all usage of MAINTAINERCLEANFILES were incorrect
so I've removed them.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This is step forward working VPATH builds which cleanly separate sources
and build artifacts. It makes the system cleaner and easier to
understand.
Python and web UI likely require more work to make VPATH builds working.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This is autoconf way of doing things. It should allow us to enable
subdir-objects automake option and stay compatible with future versions
of automake.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Use package config instead of checking headers.
Package config is faster because it does not invoke compiler
and guarantees proper linking flags because these are provided
by package maintainer instead of hardcoded into build system.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.
This patch does not change the autogenerated files: asn1/asn1c/*.h.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The value of LDAP_PAGE_SIZE was changed in samba-4.4
and it caused warning because it's already defined
in samba header files
ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
#define LDAP_PAGE_SIZE 1024
In file included from /usr/include/samba-4.0/smbldap.h:24:0,
from ipa_sam.c:31:
/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition
#define LDAP_PAGE_SIZE 1000
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
samba_util.h is not shipped with samba-4.4
and it was indirectly included by "ndr.h"
Some functions have prototypes in different header file
"util/talloc_stack.h" and other does not have declarations
in other header file. But they are still part of libsamba-util.so
sh$ objdump -T /usr/lib64/libsamba-util.so.0.0.1 | grep -E "trim_s|xstrdup"
0000000000022200 g DF .text 000000000000001f SAMBA_UTIL_0.0.1 smb_xstrdup
00000000000223b0 g DF .text 000000000000019d SAMBA_UTIL_0.0.1 trim_string
ipa_sam.c: In function 'ldapsam_uid_to_sid':
ipa_sam.c:836:24: warning: implicit declaration of function 'talloc_stackframe'
[-Wimplicit-function-declaration]
TALLOC_CTX *tmp_ctx = talloc_stackframe();
^
ipa_sam.c: In function 'pdb_init_ipasam':
ipa_sam.c:4493:2: warning: implicit declaration of function 'trim_string'
[-Wimplicit-function-declaration]
trim_string( uri, "\"", "\"" );
^
ipa_sam.c:4580:26: warning: implicit declaration of function 'smb_xstrdup'
[-Wimplicit-function-declaration]
ldap_state->domain_dn = smb_xstrdup(dn);
^
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Since endptr points to a location inside of dummy, dummy should be freed
only after dereferencing endptr.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Since we are interested in looking up the SID of a group it makes sense
to include the objectclass which contains the SID attribute in the
search filter. This makes sure the group is not accidentally found a
second time in the compat tree.
Related to https://fedorahosted.org/freeipa/ticket/5457
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When trust is established, ipasam module creates a number of objects in LDAP
to represent the trust information. Among them, for one-way trust we create
a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest
and AD is a realm of the trusted Active Directory forest root domain.
This principal is then used by SSSD on IPA masters to authenticate against
trusted Active Directory domain controllers and retrieve information about
user and group identities.
FreeIPA also uses this principal's credentials to retrieve domain topology.
The access to the keys of the principal should be well-protected. We only
allow to retrieve the keytab for it for members of cn=adtrust agents group.
This group is populated with host/ and cifs/ principals from IPA masters.
Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters
where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install
on the master which will be configured to be a domain controller (e.g.
run Samba with ipasam), and specify --add-agents option to trigger activation
of the interactive mode to specify which IPA masters to enable.
Fixes https://fedorahosted.org/freeipa/ticket/4962
Part of fixes for https://fedorahosted.org/freeipa/ticket/4546
Reviewed-By: Tomas Babej <tbabej@redhat.com>
1. Samba project renamed libpdb to libsamba-passdb
https://bugzilla.samba.org/show_bug.cgi?id=10355
2. With interface version 24, Samba removed uid_to_sid()/gid_to_sid()
from the PASSDB interface and united them as id_to_sid().
Make sure FreeIPA ipa_sam code supports new and old versions of
the PASSDB API.
https://fedorahosted.org/freeipa/ticket/4778
Reviewed-By: Sumit Bose <sbose@redhat.com>
Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the
directory service for gid/uid<->sid resolution.
Additionally, this patch further reduces number of queries by:
- fast fail on uidNumber=0 which doesn't exist in FreeIPA,
- return fallback group correctly when looking up user primary group as is
done during init,
- checking for group objectclass in case insensitive way
Patch by Jason Woods <devel@jasonwoods.me.uk>
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
https://fedorahosted.org/freeipa/ticket/4234
and
https://bugzilla.redhat.com/show_bug.cgi?id=1073829https://bugzilla.redhat.com/show_bug.cgi?id=1074314
Reviewed-By: Sumit Bose <sbose@redhat.com>
We don't store trust type, attributes, and direction for subdomains
of the existing trust. Since trust is always forest level, these parameters
can be added as defaults when they are missing.
We store Kerberos realm configuration in cn=REALM,cn=kerberos,$SUFFIX.
Along other configuration options, this container has list of default
supported encryption types, in krbDefaultEncSaltTypes.
Fetch krbDefaultEncSaltTypes value on ipa-sam initialization and convert
discovered list to the mask of supported encryption types according to
security.idl from Samba:
typedef [public,bitmap32bit] bitmap {
KERB_ENCTYPE_DES_CBC_CRC = 0x00000001,
KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002,
KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004,
KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
} kerb_EncTypes;
Part of https://fedorahosted.org/freeipa/ticket/3898
We used to handle some of code paths to free memory allocated by the LDAP library
but there are few more unhandled. In addition, search result wasn't freed on successful
initialization, leaking for long time.
https://fedorahosted.org/freeipa/ticket/3913
When trust is established, last step done by IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in trust object entry
which is not allowed by ACI.
Additionally, wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd which prevented even to
reach the point where ipa-sam would be asked to modify the trust object.
PASSDB API in Samba adds support for specifying UPN suffixes. The change
in ipasam will allow to pass through list of realm domains as UPN suffixes
so that Active Directory domain controller will be able to recognize
non-primary UPN suffixes as belonging to IPA and properly find our KDC
for cross-realm TGT.
Since Samba already returns primary DNS domain separately, filter it out
from list of UPN suffixes.
Also enclose provider of UPN suffixes into #ifdef to support both
Samba with and without pdb_enum_upn_suffixes().
Part of https://fedorahosted.org/freeipa/ticket/2848
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.
For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.
Tests included
https://fedorahosted.org/freeipa/ticket/2886
Since we use associatedDomain attribute to store information about UPN suffixes
and our own domain, searching subtree is going to return more than one entry.
Limit search for own domain by base scope as we only need to fetch our own
domain information here, not UPN suffixes.
Required for https://fedorahosted.org/freeipa/ticket/2945