Commit Graph

214 Commits

Author SHA1 Message Date
Alexander Bokovoy
14c48ba6fb Recover from invalid cached kerberos credentials in ipasam
When developing and testing in the same environment, multiple re-installs
may be needed. This means previously issued and cached Kerberos credentials
will become invalid upon new install.

ipasam passdb module for Samba uses Kerberos authentication when talking to
IPA LDAP server. Obtained Kerberos credentials are cached during their lifetime.
However, the ccache is not removed automatically and if IPA setup is made
again, cached credentials are used, only to discover that they are invalid.

With this change invalid correctly obtained cached credentials are recognized
and, if LDAP SASL bind fails, new credentials are requested from the KDC.

https://fedorahosted.org/freeipa/ticket/3009
2012-08-22 17:20:56 +03:00
Sumit Bose
e8d4cc65f8 Use libsamba-security instead of libsecurity
In samba4-beta6 the name of a library was changed from libsecurity to
libsamba-security.
2012-08-22 17:18:07 +03:00
Sumit Bose
d815c3bc99 extdom: read ranges from LDAP 2012-08-15 23:41:06 -04:00
Simo Sorce
c58836f29d Add PAC filtering
This check the PAC we receive is consistent.
realm, flat name and domain sid must much our understanding or the trustd
realm and no additional sids beyond the own realm ones must be present.

Ticket #2849
2012-08-02 11:28:19 -04:00
Simo Sorce
754d0bea06 Split out manipulation of logon_info blob
This way multiple functions can manipulate the logon info structure until all
operations we want to do on it are done and then fold it back once.
2012-08-02 11:28:12 -04:00
Simo Sorce
1bb9eb7da3 Properly name function to add ipa external groups
The function filter_pac was not filtering the pac at all, it was merely
augmenting it with additional data relevant to the IPA server.

Change the name of the function to avoid confusion.
While there I also simplified and cleaed up the code a bit with regard to
variable names and usage.
2012-08-02 11:28:06 -04:00
Simo Sorce
4baf6ad21c Load list of trusted domain on connecting to ldap
This list is used to validate data in mspac filtering
2012-08-02 11:27:59 -04:00
Simo Sorce
560b9416f6 Move mspac structure to be a private pointer
By keeping it's definition in the mspac file it is easier to modify and make
sure any opertion on it is handled in the same file.
2012-08-02 11:27:52 -04:00
Alexander Bokovoy
051eb5f7e4 When ipaNTHash is missing, ask IPA to generate it from kerberos keys
Signed-off-by: Simo Sorce <ssorce@redhat.com>
2012-07-30 10:32:14 -04:00
Simo Sorce
38d98fd3aa Add special modify op to regen ipaNTHash
The NT Hash is the same thing as the RC4-HMAC key, so we add a function to
extract it from krb5 keys if they are available to avoid forcing a password
change when configuring trust relationships.
2012-07-30 10:31:59 -04:00
Simo Sorce
86d83654dc Improve loops around slapi mods
Avoid the need to allocate/free a Slapi_Mod and avoid checking for attribute
equvalence after a match (use if/else)
2012-07-30 10:31:55 -04:00
Simo Sorce
505bc85ec3 Move code into common krb5 utils
This moves the decoding function that reads the keys from the ber format
into a structure in the common krb5 util code right below the function
that encodes the same data structure into a ber format.
This way the 2 functions are in the same place and can be both used by
all ia components.
2012-07-30 10:31:47 -04:00
Simo Sorce
9d853483fe Do not check for DNA magic values
The DNA magic value can be arbitrarily changed by admins so we cannot use a
const value to check. And we relly do not need to check at all. If the DNA
plugin is broken and leaves magic values to reach the post-op stage we have
bigger problems. So just simply get rid of this check.
2012-07-26 14:30:39 -04:00
Alexander Bokovoy
61b2f0a5d0 Follow change in samba4 beta4 for sid_check_is_domain to sid_check_is_our_sam
With c43505b621725c9a754f0ee98318d451b093f2ed in samba git master
the function sid_check_is_domain() was renamed to sid_check_is_our_sam().

https://fedorahosted.org/freeipa/ticket/2929
2012-07-18 16:56:04 +03:00
Sumit Bose
0ffb2022fe Fix typo
Signed-off-by: Simo Sorce <ssorce@redhat.com>
2012-07-09 08:36:05 -04:00
Simo Sorce
6ffb35d0f5 Fix wrong check after allocation. 2012-07-07 16:30:22 -04:00
Alexander Bokovoy
8c5504d26a reduce redundant checks in ldapsam_search_users() to a single statement 2012-07-06 13:39:27 +03:00
Alexander Bokovoy
75cb9bb0e1 Use smb.conf 'dedicated keytab file' parameter instead of hard-coded value 2012-07-06 13:38:46 +03:00
Sumit Bose
76d809574b ipasam: replace testing code 2012-07-06 13:06:16 +03:00
Sumit Bose
abe40284cf ipasam: fixes for clang warnings 2012-07-06 13:06:16 +03:00
Sumit Bose
7fb9ca23a1 Allow silent build if available 2012-07-06 13:06:15 +03:00
Alexander Bokovoy
e88049ecee ipasam: improve SASL bind callback
SASL bind callback due to refactoring was referencing local variable which
didn't exist all the time. Fix that by including a copy of service principals
into ipasam long term private struct.

Rework ccache handling to avoid re-initing every time callback is called
2012-07-06 13:06:15 +03:00
Sumit Bose
bdb995194c Add range check preop plugin
To make sure that ID ranges do not overlap this plugin checks new
additions and changes for conflicts with existing ranges.

https://fedorahosted.org/freeipa/ticket/2185
2012-06-29 18:00:58 -04:00
Sumit Bose
876b1ec175 Use lower case names in LDAP to meet freeIPA convention 2012-06-29 11:59:39 +02:00
Sumit Bose
316aac5a8d Add external domain extop DS plugin
This extop can be used by clients of the IPA domain, e.g. sssd, to
retrieve data from trusted external domains. It can be used e.g. to map
Windows SIDs to user or groups names and back.
2012-06-28 13:08:26 +02:00
Sumit Bose
ac6afd31f7 Add configure check for C Unit-Test framework check
The framework can be found at http://check.sourceforge.net.
2012-06-28 08:13:22 +02:00
Sumit Bose
dc3491ea42 Filter groups in the PAC
If one or more of the external groups given in the PAC can be found in
the ipaExternalGroup objects and these objects are members of local
groups, the SIDs of the local groups are added to the PAC.
2012-06-28 08:05:34 +02:00
Sumit Bose
65ad261663 Add sidgen postop and task
A postop plugin is added to create the SID for new created users and
groups. A directory server task allows to set the SID for existing
users and groups.

Fixes https://fedorahosted.org/freeipa/ticket/2825
2012-06-28 08:02:05 +02:00
Alexander Bokovoy
63567479df Add error condition handling to the SASL bind callback in ipasam
https://fedorahosted.org/freeipa/ticket/2877
2012-06-28 08:00:58 +02:00
Alexander Bokovoy
761cb71838 Support requests for DOMAIN$ account for trusted domains in ipasam module
https://fedorahosted.org/freeipa/ticket/2870
2012-06-28 07:57:29 +02:00
Sumit Bose
20fce97dfa ipasam: remove unused struct elements 2012-06-11 12:03:09 +02:00
Sumit Bose
b367c9ee7e Use exop instead of kadmin.local 2012-06-11 09:40:59 +02:00
Simo Sorce
f602ad270d Add support for disabling KDC writes
Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.

https://fedorahosted.org/freeipa/ticket/2734
2012-06-06 22:12:22 -04:00
Alexander Bokovoy
27c24ff7be ipa-sam: update sid_to_id() interface to follow passdb API changes in Samba
Commit a6e29f23f09ba5b6b6d362f7683ae8088bc0ba85 in Samba changed id mapping
API in passdb interface to use 'struct unixid'. The change replaced three arguments
(uid, gid, type) by one (struct unixid). As result, ipa-sam became broken.

Without this change ipa-sam introduces stack corruption in Samba post 4.0.0alpha18
leading to corrupted security context stack as well and then crashing in setgroups(3).
2012-06-07 09:39:10 +02:00
Alexander Bokovoy
bd0d858043 Add trust-related ACIs
A high-level description of the design and ACIs for trusts is available at
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html
and
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html

Ticket #1731
2012-06-07 09:39:10 +02:00
Simo Sorce
000bcfe34f ipa-kdb: Add MS-PAC on constrained delegation. 2012-06-07 09:39:10 +02:00
Alexander Bokovoy
cbb1d626b9 Perform case-insensitive searches for principals on TGS requests
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.

The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.

https://fedorahosted.org/freeipa/ticket/1577
2012-06-07 09:39:10 +02:00
Alexander Bokovoy
b32204fccc Add separate attribute to store trusted domain SID
We need two attributes in the ipaNTTrustedDomain objectclass to store different
kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID
of the trusted domain. A second attribute is needed to store the SID for the
trusted domain user. Since it cannot be derived safely from other values and
since it does not make sense to create a separate object for the user a new
attribute is needed.

https://fedorahosted.org/freeipa/ticket/2191
2012-06-07 09:39:09 +02:00
Simo Sorce
43701d2735 Fix setting domain_sid
'sid' is a stack variable, by assigning its address to the domain_sid pointer
we were later referencing grabage (whatever on the stack ha[ppened to be at
that address.
Properly copy the sid and allocate it on the provided memory context.
2012-05-29 18:01:21 -04:00
Rob Crittenden
74293426d9 Normalize uid to lower case in winsync.
This in effect fixes uid, krbPrincipalName and homeDir.

https://fedorahosted.org/freeipa/ticket/2756
2012-05-25 09:49:06 +02:00
Rob Crittenden
560f2ce8bd Check for locked-out user before incrementing lastfail.
If a user become locked due to too many failed logins and then were
unlocked by an administrator, the account would not lock again. This
was caused by two things:

 - We were incrementing the fail counter before checking to see if the
   account was already locked out.
 - The current fail count wasn't taken into consideration when
   deciding if the account is locked.

The sequence was this:

1. Unlocked account, set failcount to 0
2. Failed login, increment failcount
3. Within lastfailed + lockout_duration, still locked. This skips
   update the last_failed date.

So I reversed 2 and 3 and check to see if the fail count exceeds policy.

https://fedorahosted.org/freeipa/ticket/2765
2012-05-18 09:03:22 +02:00
Simo Sorce
46c6ff69ac Fix migration code password setting.
When we set a password we also need to make sure krbExtraData is set.
If not kadmin will later complain that the object is corrupted at password
change time.

Ticket: https://fedorahosted.org/freeipa/ticket/2764
2012-05-17 17:17:42 +02:00
Rob Crittenden
58732a83bc Return LDAP_SUCCESS on mods on a referral entry.
We currently return LDAP_REFERRAL which causes the mod to fail meaning
that referral entries cannot be changed.

All we really want to do is escape when we don't hvae an entry to modify.

https://fedorahosted.org/freeipa/ticket/2237
2012-05-11 08:37:41 +02:00
Simo Sorce
adf16a9b1c Fix theoretical leak discovered by coverity
This was introduced when we started checking the return from
ipadb_get_context() to silence another coverity report.
That condition can never be true in this function but whatever ... let's
silence Coverity once again :)
2012-04-17 15:40:58 -04:00
Simo Sorce
c007ac0d70 Fix MS-PAC checks when using s4u2proxy
We were using the wrong principal in the s4u2proxy case.

Fixes: https://fedorahosted.org/freeipa/ticket/2504
2012-04-03 09:28:50 -04:00
Rob Crittenden
56fa06fec4 Fix failure count interval attribute name in query for password policy.
This was causing the failure count interval to not be applied so
the failure count was never reset to 0.

https://fedorahosted.org/freeipa/ticket/2540
2012-03-29 00:52:25 -04:00
Simo Sorce
735618a1c6 Fix memleak and silence Coverity defects
Some of these are not real defects, because we are guaranteed to have valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.

One meleak on error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c

Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is
actually fine as we count before hand so we never actually use the wrong value
that is computed on the last pass when p == 0

Fixes: https://fedorahosted.org/freeipa/ticket/2488
2012-03-22 17:33:13 +01:00
Martin Kosek
51601ac794 Treat UPGs correctly in winsync replication
IPA winsync plugin failed to replicate users when default user group
was non-posix even though User Private Groups (UPG) were enabled
on the server. Both their uidNumber and gidNumber were empty and
they missed essential object classes. When the default user group
was made posix and UPG was disabled it did not set gidNumber to
the default group gidNumber.

This patch improves this behavior to set gidNumber correctly
according to UPG configuration and the default group status
(posix/non-posix). 4 situations can occur, the following list
specifies what value is assigned to user gidNumber:
 1) Default group posix, UPG enabled: gidNumber = UPG gidNumber
 2) Default group posix, UPG disabled: gidNumber = default
    group gidNumber
 3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
 4) Default group non-posix, UPG disabled: an error is printed to
    the dirsrv log as the gidNumber cannot be retrieved. User
    is replicated in the same way as before this patch, i.e.
    without essential object classes.

https://fedorahosted.org/freeipa/ticket/2436
2012-03-15 09:57:37 +01:00
Simo Sorce
372d67ae81 ipa-kdb: fix delegation acl check
We need to check for a matching acl only if one match hasn't already been
found, otherwise results are unpredictable and order dependent.
2012-02-28 13:03:22 -05:00
Simo Sorce
9942a29cab policy: add function to check lockout policy
Fixes: https://fedorahosted.org/freeipa/ticket/2393
2012-02-19 20:43:45 -05:00