Commit Graph

170 Commits

Author SHA1 Message Date
Simo Sorce
e88d5e815e Fix s4u2self with adtrust
When ADtrust is installed we add a PAC to all tickets, during protocol
transition we need to generate a new PAC for the requested user ticket,
not check the existing PAC on the requestor ticket.

https://pagure.io/freeipa/issue/6862

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-04-12 09:46:43 +02:00
Sumit Bose
6c2772dde5 IPA-KDB: use relative path in ipa-certmap config snippet
Architecture specific paths should be avoided in the global Kerberos
configuration because it is read e.g. by 32bit and 64bit libraries they
are installed in parallel.

Resolves https://pagure.io/freeipa/issue/6833

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-05 07:30:41 +00:00
Sumit Bose
0ba0c07813 ipa-kdb: do not depend on certauth_plugin.h
Related to https://pagure.io/freeipa/issue/4905

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-27 17:57:28 +02:00
Sumit Bose
c4156041fe IPA certauth plugin
This patch add a certauth plugin which allows the IPA server to support
PKINIT for certificates which do not include a special SAN extension
which contains a Kerberos principal but allow other mappings with the
help of SSSD's certmap library.

Related to https://pagure.io/freeipa/issue/4905

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-27 09:52:57 +02:00
Sumit Bose
da880decfe ipa-kdb: add ipadb_fetch_principals_with_extra_filter()
Additionally make ipadb_find_principal public.

Related to https://pagure.io/freeipa/issue/4905

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-27 09:52:57 +02:00
Simo Sorce
2e5cc369fd Add support for searching policies in cn=accounts
Use the new multibase search to collect policies from multiple subtrees.
The 'any' parameter is set to 'true' so the search stop when the first result
is found in any of the bases.

https://fedorahosted.org/freeipa/ticket/6568

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-10 09:17:28 +01:00
Simo Sorce
9f13b330aa Add code to retrieve results from multiple bases
Internally performs multiple seraches as needed based on the basedn
strings passed in and whether the caller indicated that any result is ok
or all results are needed.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-10 09:17:28 +01:00
Alexander Bokovoy
593ea7da9a ipa-kdb: support KDB DAL version 6.1
DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As result, FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).

DAL version 6.1 added a special callback for freeing e_data structure.
See details at krb5/krb5#596

Restructure KDB driver code to provide this callback in case
we are built against DAL version that supports it. For DAL version
prior to 6.0 use this callback in the free_principal callback to
tidy the code.

Use explicit KDB version dependency in Fedora 26+ via BuildRequires.

With new DAL version, freeipa package will fail to build and
we'll have to add a support for new DAL version explicitly.

https://fedorahosted.org/freeipa/ticket/6619

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2017-02-15 14:24:05 +01:00
Christian Heimes
d8343a96dd Clean / ignore make check artefact
In tree runs of make check leave some artifacts around. The patch adds
them to make clean and .gitignore.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-18 09:19:15 +01:00
Alexander Bokovoy
73f33569c8 ipa-kdb: search for password policies globally
With the CoS templates now used to create additional password policies
per object type that are placed under the object subtrees, DAL driver
needs to search for the policies in the whole tree.

Individual policies referenced by the krbPwdPolicyReference attribute
are always searched by their full DN and with the base scope. However,
when KDC asks a DAL driver to return a password policy by name, we don't
have any specific base to search. The original code did search by the
realm subtree.

Fixes https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-15 17:32:33 +01:00
Petr Spacek
d5683726d2 Build: remove incorrect use of MAINTAINERCLEANFILES
Automake manual section 13 What Gets Cleaned says that make maintainer-clean
should not remove files necessary for subsequent runs of ./configure.

It practically means that all usage of MAINTAINERCLEANFILES were incorrect
so I've removed them.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-16 09:12:07 +01:00
Simo Sorce
2775042787 Support DAL version 5 and version 6
https://fedorahosted.org/freeipa/ticket/6466

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2016-11-10 13:25:51 +01:00
Petr Spacek
125bf25577 Build: fix distribution of daemon/ipa-kdb files
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
24feae47f2 Build: fix Makefile.am files to separate source and build directories
This is step forward working VPATH builds which cleanly separate sources
and build artifacts. It makes the system cleaner and easier to
understand.

Python and web UI likely require more work to make VPATH builds working.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
b0cb6afa23 Build: transform util directory to libutil convenience library
This is autoconf way of doing things. It should allow us to enable
subdir-objects automake option and stay compatible with future versions
of automake.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-10-24 13:30:12 +02:00
Petr Spacek
41da873205 Build: adjust include paths in daemons/ipa-kdb/tests/ipa_kdb_tests.c
Fix include paths to prevent breakage when we move configure.ac from
daemons to the top-level.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-10-24 13:30:12 +02:00
Alexander Bokovoy
a14ebbea89 ipa-kdb: simplify trusted domain parent search
In terms of cross-forest trust parent domain is the root domain of
the forest because we only have trust established with the forest root.

In FreeIPA LDAP store all sub-domains stored in cn=<forest root>,
cn=ad,cn=trusts,... subtree. Thus, a first RDN after cn=ad is the
forest root domain. This allows us to simplify logic of finding
the parent domain.

For complex hierachical forests with more than two levels of
sub-domains, this will still be true because of the forest trust:
as forest trust is established to the forest root domain, any
communication to any sub-domain must traverse forest root domain's
domain controller.

Note that SSSD also generated incorrectly CA paths information
for forests with non-hierarchical tree-roots. In such cases
IPA KDC got confused and mistakenly assumed direct trust to the
non-hierarchical tree-root instead of going through the forest
root domain. See https://fedorahosted.org/sssd/ticket/3103 for
details.

Resolves: https://fedorahosted.org/freeipa/ticket/5738
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 14:03:00 +02:00
Lukas Slebodnik
e7480bed27 ipa-kdb: Allow to build with samba 4.5
daemons/ipa-kdb/ipa_kdb_mspac.c: In function 'filter_logon_info':
daemons/ipa-kdb/ipa_kdb_mspac.c:1536:19: error: 'struct PAC_LOGON_INFO'
  has no member named 'res_group_dom_sid'
     if (info->info->res_group_dom_sid != NULL &&
                   ^~
daemons/ipa-kdb/ipa_kdb_mspac.c:1537:19: error: 'struct PAC_LOGON_INFO'
  has no member named 'res_groups'; did you mean 'resource_groups'?
         info->info->res_groups.count != 0) {
                   ^~
mv -f .deps/ipa_kdb_delegation.Tpo .deps/ipa_kdb_delegation.Plo
Makefile:806: recipe for target 'ipa_kdb_mspac.lo' failed
make[3]: *** [ipa_kdb_mspac.lo] Error 1
make[3]: *** Waiting for unfinished jobs....

Related change in samba
4406cf792a

Resolves:
https://fedorahosted.org/freeipa/ticket/6173

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-09 14:37:49 +02:00
Sumit Bose
6d6da6b281 kdb: check for local realm in enterprise principals
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2016-07-12 12:26:28 +02:00
David Kupka
d2cb9ed327 Allow unexpiring passwords
Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.

https://fedorahosted.org/freeipa/ticket/2795

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-07-01 11:22:02 +02:00
Martin Babinsky
7ed7a86511 ipa-kdb: set krbCanonicalName when creating new principals
Additionally, stop setting ipakrbprincipalalias attribute during principal
creation.

Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-06-23 09:48:06 +02:00
Martin Babinsky
e43231456d perform case-insensitive principal search when canonicalization is requested
When canonicalization is requested, the krbprincipalname attribute is searched
for case-insensitively.

In the case that krbcanonicalname is not set, the matched alias is returned
with the casing stored in backend, not the one input by client.

Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-06-23 09:48:06 +02:00
Alexander Bokovoy
bb75f5a583 adtrust: support UPNs for trusted domain users
Add support for additional user name principal suffixes from
trusted Active Directory forests. UPN suffixes are property
of the forest and as such are associated with the forest root
domain.

FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
attribute of ipaNTTrustedDomain object class.

In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.

For more details on UPN and naming in Active Directory see
https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx

https://fedorahosted.org/freeipa/ticket/5354

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-11 17:25:50 +02:00
Nathaniel McCallum
4bafba06f2 Migrate from #ifndef guards to #pragma once
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.

This patch does not change the autogenerated files: asn1/asn1c/*.h.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-05-29 14:04:45 +02:00
Nathaniel McCallum
8f356a4305 Enable authentication indicators for OTP and RADIUS
If the user is configured for OTP or RADIUS authentication, insert the
relevant authentication indicator.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-26 18:47:05 +02:00
Nathaniel McCallum
204200d73b Return password-only preauth if passwords are allowed
Before this patch, if either password or password+otp were permitted,
only the otp preauth mech would be returned to the client. Now, the
client will receive either enc_ts or enc_chl in addition to otp.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-26 18:47:05 +02:00
Matt Rogers
8a2afcafee ipa_kdb: add krbPrincipalAuthInd handling
Store and retrieve the authentication indicator "require_auth" string in
the krbPrincipalAuthInd attribute. Skip storing auth indicators to
krbExtraData.

https://fedorahosted.org/freeipa/ticket/5782

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-02 19:15:45 +02:00
Simo Sorce
7a20fc671b Allow to specify Kerberos authz data type per user
Like for services setting the ipaKrbAuthzData attribute on a user object will
allow us to control exactly what authz data is allowed for that user.
Setting NONE would allow no authz data, while setting MS-PAC would allow only
Active Directory compatible data.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/2579
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-03-09 19:00:43 +01:00
Simo Sorce
3e45c9be0a Allow admins to disable preauth for SPNs.
Some legacy softare is not able to properly cope with preauthentication,
allow the admins to disable the requirement to use preauthentication for
all Service Principal Names if they so desire. IPA Users are excluded,
for users, which use password of lessere entrpy, preauthentication is
always required by default.

This setting does NOT override explicit policies set on service principals
or in the global policy, it only affects the default.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/3860
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-03-08 18:48:40 +01:00
Sumit Bose
348c400484 ipa-kdb: map_groups() consider all results
Resolves https://fedorahosted.org/freeipa/ticket/5573

Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-02-02 18:15:19 +01:00
Sumit Bose
45b0148fcc ipa-kdb: get_authz_data_types() make sure entry can be NULL
This function determines which type of authorization data should be
added to the Kerberos ticket. There are global default and it is
possible to configure this per service as well. The second argument is
the data base entry of a service. If no service is given it makes sense
to return the global defaults and most parts of get_authz_data_types()
handle this case well and this patch fixes the remain issue and adds a
test for this as well.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2016-01-27 16:03:03 +01:00
Simo Sorce
2144b1eeb7 Always verify we have a valid ldap context.
LDAP calls just assert if an invalid (NULL) context is passed in,
so we need to be sure we have a valid connection context before
calling into LDAP APIs and fail outright if a context can't be obtained.

https://fedorahosted.org/freeipa/ticket/5577

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-01-13 16:09:38 +01:00
Martin Basti
21f7584f9f FIX: ipa_kdb_principals: add missing break statement
Needs a 'break' otherwise prevents correct reporting of data and it always overrides
it with the placeholder data.

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-11-30 17:34:02 +01:00
Simo Sorce
0f52eddd1d Return default TL_DATA is krbExtraData is missing
Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/937
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-11-25 14:12:11 +01:00
Lukas Slebodnik
73058af717 ipa_kdb_tests: Fix test with default krb5.conf
Default krb5.conf needn't have defined default_realm.
Unit tests should not rely on existing default value.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-18 12:55:42 +01:00
Lukas Slebodnik
75c26f9ec8 cmocka_tests: Do not use deprecated cmocka interface
The cmocka-1.0 introduced new interface for tests
which is not compatible with the old one.
And the old interface is deprecated which caused compiled warnings.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-18 12:54:43 +01:00
Lukas Slebodnik
2735db0d0e ipa_kdb_tests: Fix warning Wmissing-braces
tests/ipa_kdb_tests.c:254:9: warning: missing braces around initializer [-Wmissing-braces]
         {3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", BLACKLIST_SID"-1002"},
         ^
tests/ipa_kdb_tests.c:254:9: note: (near initialization for ‘test_data[6]’)
tests/ipa_kdb_tests.c:256:9: warning: missing braces around initializer [-Wmissing-braces]
         {0, NULL, 0 , NULL}
         ^
tests/ipa_kdb_tests.c:256:9: note: (near initialization for ‘test_data[7]’)
tests/ipa_kdb_tests.c:234:21: warning: missing braces around initializer [-Wmissing-braces]
     } test_data[] = {
                     ^

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-13 18:37:23 +01:00
Lukas Slebodnik
681afc4914 ipa_kdb_tests: Remove unused variables
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-13 18:37:23 +01:00
Alexander Bokovoy
766438aba0 client referral support for trusted domain principals
https://fedorahosted.org/freeipa/ticket/3559

Reviewed-By: Sumit Bose <sbose@redhat.com>
2015-10-08 13:52:16 +02:00
Sumit Bose
5017726eba ipa-kdb: add unit_tests for string_to_sid() and dom_sid_string()
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Sumit Bose
3f7481a220 ipa-kdb: make string_to_sid() and dom_sid_string() more robust
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Sumit Bose
7a1b4dcafc ipa-kdb: add unit-test for filter_logon_info()
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Sumit Bose
9d026ba824 ipa-kdb: convert test to cmocka
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
d3ccfefaa4 ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
When incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.

Note that we treat user's SID and primary group RID filtering as violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.

For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1
it is OK to have empty group RIDs array as GroupCount SHOULD be
equal to Groups.MembershipCount returned by SamrGetGroupsForUser
[MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty.

Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
88c10dd975 ipa-kdb: use proper memory chunk size when moving sids
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Martin Babinsky
4d7b630992 ipa-kdb: common function to get key encodings/salt types
This patch moves duplicate code in `ipadb_get_connection` to get default and
supported key encodings/salt types from Kerberos container to a common
function handling this task.

It is actually a small cosmetic enhancement of the fix of
https://fedorahosted.org/freeipa/ticket/4914

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-29 17:15:00 +02:00
Simo Sorce
f530886193 Fix s4u2proxy README and add warning
The attribute mentioned was using an older name that was later changed
in the implementation.
Also add a prominent warning about the use of the kadmin flags.

Reviewed-by: Rob Crittenden <rcritten@redhat.com>
2015-06-08 14:37:29 -04:00
Simo Sorce
d5b6c83601 Detect default encsalts kadmin password change
When kadmin tries to change a password it will get the allowed keysalts
from the password policy. Failure to provide them will result in kadmin
using the defaults specified in the kdc.conf file or hardcoded defaults
(the default salt is then of type NORMAL).

This patch provides the supported values that have been read out of the
appropriate LDAP attribute when we read the server configuration.

Then at actual password change, check if kadmin is handing us back the exact
list of supported encsalts we sent it, and in that case replace it with the
real default encsalts.

Fixes https://fedorahosted.org/freeipa/ticket/4914

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
2015-05-27 09:45:56 -04:00
Alexander Bokovoy
373a04870d ipa-kdb: reject principals from disabled domains as a KDC policy
Fixes https://fedorahosted.org/freeipa/ticket/4788

Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-02-16 16:30:57 +01:00
Alexander Bokovoy
92c3a9f1fd ipa-kdb: when processing transitions, hand over unknown ones to KDC
When processing cross-realm trust transitions, let the KDC to handle
those we don't know about. Admins might define the transitions as
explicit [capaths] in krb5.conf.

https://fedorahosted.org/freeipa/ticket/4791

Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-02-16 16:29:59 +01:00