Commit Graph

9960 Commits

Author SHA1 Message Date
Christian Heimes
17bb9b9a9b Require httpd 2.4.6-31 with mod_proxy Unix socket support
httpd 2.4.6-6 does not support mod_proxy ProxyPass for Unix sockets. The
feature is provided by 2.4.7 upstream was backported to 2.4.6-31
(bz1168081). It's required to proxy Custodia.

https://bugzilla.redhat.com/show_bug.cgi?id=1168081
https://httpd.apache.org/docs/trunk/mod/mod_proxy.html#proxypass

https://fedorahosted.org/freeipa/ticket/6251

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-24 17:22:37 +02:00
Christian Heimes
d9ab0097e1 Secure permissions of Custodia server.keys
Custodia's server.keys file contain the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6056

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-24 16:59:43 +02:00
Lenka Doudova
9021b64966 Tests: Service tracker and tests don't recognize 'ipakrboktoauthasdelegate' attribute
Due to [1] being implemented, retrieve and search tests with --all option
specified fail due to extra attribute.

[1] https://fedorahosted.org/freeipa/ticket/5764

Ticket: https://fedorahosted.org/freeipa/ticket/6240
Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
2016-08-24 16:00:25 +02:00
Lenka Doudova
3a555ece79 Tests: Host tracker does not recognize 'ipakrboktoauthasdelegate' attribute
Due to [1] being implemented, retrieve and search tests with --all option
specified fail due to extra attribute.

[1] https://fedorahosted.org/freeipa/ticket/5764

Ticket: https://fedorahosted.org/freeipa/ticket/6240
Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
2016-08-24 16:00:25 +02:00
Abhijeet Kasurde
95a594af4c Handled empty hostname in server-del command
Fixes: https://fedorahosted.org/freeipa/ticket/6248

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-08-24 15:50:25 +02:00
Tomas Krizek
6f9a029bf5 Validate key in otptoken-add
Verify that key is not empty when adding otp token. If it is empty, raise an
appropriate error.

https://fedorahosted.org/freeipa/ticket/6200

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-24 15:16:27 +02:00
Christian Heimes
c346a2d1d1 Remove Custodia server keys from LDAP
The server-del plugin now removes the Custodia keys for encryption and
key signing from LDAP.

https://fedorahosted.org/freeipa/ticket/6015

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-24 14:26:57 +02:00
Lenka Doudova
775c37bb81 Tests: ID views tests do not recognize krbcanonicalname attribute
https://fedorahosted.org/freeipa/ticket/6242

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-24 14:20:53 +02:00
Abhijeet Kasurde
d5a3f10a85 Removed unwanted line break from RefererError Dialog message
Fixes: https://fedorahosted.org/freeipa/ticket/5932

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-23 13:28:24 +02:00
Lenka Doudova
fef4b95309 Tests: Duplicate declaration on variables in ID views tests
In ipatests/test_xmlrpc/test_idviews_plugin several variables are declared
twice, while never using the first declaration. The duplicate declaration is
hereby removed.

https://fedorahosted.org/freeipa/ticket/6246

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-23 12:31:52 +02:00
Petr Spacek
1142c3a280 Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup
https://fedorahosted.org/freeipa/ticket/6233

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-22 19:14:55 +02:00
Jan Cholasta
8006aa2106 tests: fix test_ipalib.test_frontend.test_Object
Update the fake API object to match the real API object interface including
the changes introduced with the API compatibility feature.

https://fedorahosted.org/freeipa/ticket/6188

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-22 18:58:27 +02:00
Martin Babinsky
a4f4cac993 add python-libsss_nss_idmap and python-sss to BuildRequires
This fixes pylint failing on import errors during 'lint' phase of build.

https://fedorahosted.org/freeipa/ticket/6244

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-22 18:55:37 +02:00
Petr Spacek
0f4df2f03d migrate-ds: Mention --enable-migration in error message about migration mode
https://fedorahosted.org/freeipa/ticket/6234

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-22 17:59:38 +02:00
Petr Spacek
3ac2709f4b config-mod: normalize attribute names for --usersearch/--groupsearch
https://fedorahosted.org/freeipa/ticket/6236

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-22 17:53:31 +02:00
Abhijeet Kasurde
c9419411c9 Corrected minor spell check in AD Trust information doc messages
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-22 17:15:11 +02:00
Lenka Doudova
3d159c39c7 Tests: ID views tests do not recognize ipakrboktoauthasdelegate sttribute
Due to implementation of [1], new attribute 'ipakrboktoauthasdelegate' was presented, but is not recognized by ID views tests, thus causing them to fail.

[1] https://fedorahosted.org/freeipa/ticket/5764

https://fedorahosted.org/freeipa/ticket/6241

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-22 14:11:16 +02:00
Alexander Bokovoy
a14ebbea89 ipa-kdb: simplify trusted domain parent search
In terms of cross-forest trust parent domain is the root domain of
the forest because we only have trust established with the forest root.

In FreeIPA LDAP store all sub-domains stored in cn=<forest root>,
cn=ad,cn=trusts,... subtree. Thus, a first RDN after cn=ad is the
forest root domain. This allows us to simplify logic of finding
the parent domain.

For complex hierachical forests with more than two levels of
sub-domains, this will still be true because of the forest trust:
as forest trust is established to the forest root domain, any
communication to any sub-domain must traverse forest root domain's
domain controller.

Note that SSSD also generated incorrectly CA paths information
for forests with non-hierarchical tree-roots. In such cases
IPA KDC got confused and mistakenly assumed direct trust to the
non-hierarchical tree-root instead of going through the forest
root domain. See https://fedorahosted.org/sssd/ticket/3103 for
details.

Resolves: https://fedorahosted.org/freeipa/ticket/5738
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 14:03:00 +02:00
Alexander Bokovoy
62be554540 trust: make sure ID range is created for the child domain even if it exists
ID ranges for child domains of a forest trust were created incorrectly
in FreeIPA 4.4.0 due to refactoring of -- if the domain was already
existing, we never attempted to create the ID range for it.

At the same time, when domain was missing, we attempted to add ID range
and passed both forest root and the child domain names to add_range().
However, add_range() only looks at the first positional argument which
was the forest root name. That ID range always exists (it is created
before child domains are processed).

Modify the code to make sure child domain name is passed as the first
positional argument. In addition, the oddjob helper should explicitly
set context='server' so that idrange code will be able to see and use
ipaserver/dcerpc.py helpers.

Resolves: https://fedorahosted.org/freeipa/ticket/5738
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 14:03:00 +02:00
Alexander Bokovoy
9b3819ea94 trust: make sure external trust topology is correctly rendered
When external trust is established, it is by definition is
non-transitive: it is not possible to obtain Kerberos tickets to any
service outside the trusted domain.

Reflect this reality by only accepting UPN suffixes from the external
trust -- since the trusted domain is a part of another forest and UPN
suffixes are forest-wide, there could be user accounts in the trusted
domain that use forest-wide UPN suffix but it will be impossible to
reach the forest root via the externally trusted domain.

Also, an argument to netr_DsRGetForestTrustInformation() has to be
either forest root domain name or None (NULL). Otherwise we'll get
an error as explained in MS-NRPC 3.5.4.7.5.

https://fedorahosted.org/freeipa/ticket/6021

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 13:38:18 +02:00
Alexander Bokovoy
6332cb3125 trust: automatically resolve DNS trust conflicts for triangle trusts
For configuration where:
  - AD example.com trusts IPA at ipa.example.com
  - AD example.org trusts AD example.com
  - a trust is tried to be established between ipa.example.com and
    example.org,

there will be a trust topology conflict detected by example.org domain
controller because ipa.example.com DNS namespace overlaps with
example.com DNS namespace.

This type of trust topology conflict is documented in MS-ADTS 6.1.6.9.3.2
"Building Well-Formed msDS-TrustForestTrustInfo Message". A similar
conflict can arise for SID and NetBIOS namespaces. However, unlike SID
and NetBIOS namespaces, we can solve DNS namespace conflict
automatically if there are administrative credentials for example.org
available.

A manual sequence to solve the DNS namespace conflict is described in
https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx.
This sequence boils down to the following steps:

   1. As an administrator of the example.org, you need to add an
exclusion entry for ipa.example.com in the properties of the trust to
example.com
   2. Establish trust between ipa.example.com and example.org

It is important to add the exclusion entry before step 4 or there will
be conflict recorded which cannot be cleared easily right now due to a
combination of bugs in both IPA and Active Directory.

This patchset implements automated solution for the case when we have
access to the example.org's administrator credentials:

   1. Attempt to establish trust and update trust topology information.
   2. If trust topology conflict is detected as result of (1):
   2.1. Fetch trust topology infromation for the conflicting forest
        trust
   2.2. Add exclusion entry to our domain to the trust topology obtained
        in (2.1)
   2.3. Update trust topology for the conflicting forest trust
   3. Re-establish trust between ipa.example.com and example.org

We cannot do the same for shared secret trust and for external trust,
though:

   1. For shared secret trust we don't have administrative credentials
      in the forest reporting the conflict

   2. For the external trust we cannot set topology information due to
      MS-LSAD 3.1.4.7.16 because external trust is non-transitive by
      definition and thus setting topology information will fail.

To test this logic one can use two Samba AD forests with FreeIPA
using a sub-domain of one of them.

Fixes: https://fedorahosted.org/freeipa/ticket/6076
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 13:31:47 +02:00
Alexander Bokovoy
c547d5567d ipaserver/dcerpc: reformat to make the code closer to pep8
Because Samba Python bindings provide long-named methods and constants,
sometimes it is impossible to fit into 80 columns without causing
damage to readability of the code. This patchset attempts to reduce
pep8 complaints to a minimum.

https://fedorahosted.org/freeipa/ticket/6076

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 13:31:47 +02:00
Petr Spacek
3cf80e747d adtrust-install: Mention AD GC port 3286 in list of required ports.
Port name "msft-gc" is taken form /etc/services file provided by package
setup-2.10.1-1.fc24.noarch.

https://fedorahosted.org/freeipa/ticket/6235

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-22 12:30:01 +02:00
Fraser Tweedale
cf74584d0f cert-revoke: fix permission check bypass (CVE-2016-5404)
The 'cert_revoke' command checks the 'revoke certificate'
permission, however, if an ACIError is raised, it then invokes the
'cert_show' command.  The rational was to re-use a "host manages
certificate" check that is part of the 'cert_show' command, however,
it is sufficient that 'cert_show' executes successfully for
'cert_revoke' to recover from the ACIError continue.  Therefore,
anyone with 'retrieve certificate' permission can revoke *any*
certificate and cause various kinds of DoS.

Fix the problem by extracting the "host manages certificate" check
to its own method and explicitly calling it from 'cert_revoke'.

Fixes: https://fedorahosted.org/freeipa/ticket/6232
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-22 07:19:03 +02:00
Alexander Bokovoy
7bec8a246d support schema files from third-party plugins
Allow upgrade process to include schema files from third-party plugins
installed in /usr/share/ipa/schema.d/*.schema.

The directory /usr/shar/eipa/schema.d is owned by the server-common
subpackage and therefore third-party plugins should depend on
freeipa-server-common (ipa-server-common) package in their package
dependencies.

Resolves: https://fedorahosted.org/freeipa/ticket/5864
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-19 15:34:26 +02:00
Martin Basti
86e156c3c5 Remove forgotten print from DN.__str__ implementation
These debug prints were forgotten there and should be removed, because
str(DN) is often operation and we may save time with handling exceptions
and printing unwanted debug

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-08-19 13:04:52 +02:00
Martin Basti
6b7d6417d4 Fix: container owner should be able to add vault
With recent change in DS (CVE fix), ds is not returging DuplicatedEntry
error in case that user is not permitted by ACI to write, but ACIError instead.

Is safe to ignore ACI error in container, because it will be raised
again later if user has no access to container.

https://fedorahosted.org/freeipa/ticket/6159

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-18 13:02:38 +02:00
David Kupka
b6d5ed139b schema cache: Fallback to 'en_us' when locale is not available
https://fedorahosted.org/freeipa/ticket/6204

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-18 12:12:51 +02:00
Lenka Doudova
44a2bdd8ea Tests: Fix failing tests in test_ipalib/test_frontend
Some tests in ipatests/test_ipalib/test_frontend.py are failing due to changes
related to thin client implementation. Providing fix for:
  ipa.test_ipalib.test_frontend.test_Attribute.test_init
  ipa.test_ipalib.test_frontend.test_LocalOrRemote.test_run

https://fedorahosted.org/freeipa/ticket/6188

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-08-17 17:41:08 +02:00
Lenka Doudova
380ffcc052 Tests: Fix failing tests in test_ipalib/test_parameters
Some of the tests are failing due to changes introduced because of thin client feature.

https://fedorahosted.org/freeipa/ticket/6187
https://fedorahosted.org/freeipa/ticket/6224

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-08-17 17:39:08 +02:00
Tiboris
d25a0725c0 Added new authentication method
Addressing ticket https://fedorahosted.org/freeipa/ticket/5764

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-08-17 16:55:49 +02:00
Pavel Vomacka
c36d721a01 Add 'trusted to auth as user' checkbox
Add new checkbox to host and service details page

Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-08-17 16:41:38 +02:00
Alexander Bokovoy
1c73ac91a4 service: add flag to allow S4U2Self
Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-08-17 16:41:38 +02:00
Jan Cholasta
4ee426a68e server install: do not prompt for cert file PIN repeatedly
Prompt for PIN only once in interactive mode.

This fixes ipa-server-install, ipa-server-certinstall and
ipa-replica-prepare prompting over and over when the PIN is empty.

https://fedorahosted.org/freeipa/ticket/6032

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-08-17 15:11:55 +02:00
Stanislav Laznicka
fea56fefff Fail on topology disconnect/last role removal
Disconnecting topology/removing last-role-host during server
uninstallation should raise error rather than just being logged
if the appropriate ignore settings are not present.

https://fedorahosted.org/freeipa/ticket/6168

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-17 14:58:11 +02:00
David Kupka
6e6cbda036 compat: Fix ping command call
Remove extra argument from client.forward call.

https://fedorahosted.org/freeipa/ticket/6095

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
4b43558b1c schema check: Check current client language against cached one
https://fedorahosted.org/freeipa/ticket/6204

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
f2c26119f5 schema cache: Read schema instead of rewriting it when SchemaUpToDate
https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
1b79ac67d7 client: Do not create instance just to check isinstance
Checking that classes are idenical gives the same result and
avoids unnecessary instantiation.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
87a6f746bc schema cache: Store API schema cache in memory
Read whole cache into memory and keep it there for lifetime of api
object. This removes the need to repetitively open/close the cache and
speeds up every access to it.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
6716aaedc8 schema cache: Read server info only once
Do not open/close the file with every access to plugins. Extensive
access to filesystem may cause significant slowdown.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
83b46238e7 frontent: Add summary class property to CommandOverride
Avoid creating instance of overriden command to get its summary.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
e45e29f337 Access data for help separately
To avoid the need to read all data for a plugin from cache and actualy
use the separately stored help data it must be requested and returned
separately.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
134fd235a2 schema cache: Do not read fingerprint and format from cache
Fingerprint can be obtained from schema filename of from ServerInfo
instance. Use FORMAT in path to avoid openening schema just to read its
format.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
ba16d99f37 schema cache: Do not reset ServerInfo dirty flag
Once dirty flag is set to True it must not be set back to False.
Otherwise changes are not written back to file.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
Pavel Vomacka
ff51e43a3e Set servers list as default facet in topology facet group
Since there is a new warning about only one CA server, the default facet
of topology facet group is set to servers list where the warning is.
So the warning will be shown right after clicking on Topology section.

Part of: https://fedorahosted.org/freeipa/ticket/5828

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-08-17 13:54:57 +02:00
Pavel Vomacka
d45b0efe5d Add warning about only one existing CA server
It is not safe to have only one CA server in topology. Therefore there is a check
and in case that there is only one CA server a warning is shown. The warning is
shown after each refreshing of servers facet.

https://fedorahosted.org/freeipa/ticket/5828

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-08-17 13:54:57 +02:00
Jan Cholasta
8ad03259fe cert: do not crash on invalid data in cert-find
https://fedorahosted.org/freeipa/ticket/6150

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-08-17 13:45:50 +02:00
Jan Cholasta
c718ef0588 cert: speed up cert-find
Use issuer+serial rather than raw DER blob to identify certificates in
cert-find's intermediate result.

Restructure the code to make it (hopefully) easier to follow.

https://fedorahosted.org/freeipa/ticket/6098

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-08-17 13:45:50 +02:00
Petr Spacek
b73ef3d7f9 DNS: allow to add forward zone to already broken sub-domain
Errors during DNS resolution might indicate that forwarder is the
necessary configuration which is missing. Now we disallow adding a
forwarder only if the zone is normally resolvable without the forwarder.

https://fedorahosted.org/freeipa/ticket/6062

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-17 12:28:56 +02:00