Commit Graph

333 Commits

Author SHA1 Message Date
Martin Kosek
5d8c02cfb8 Administrative password change does not respect password policy
When Directory Manager or a PassSync agent is changing a password,
it is not being expired, but standard expiration time should apply.
However, default expiration time was always applied (90 days)
even though administrator may have a custom policy for the user.

https://fedorahosted.org/freeipa/ticket/3968
2013-10-17 14:04:03 +02:00
Sumit Bose
091e8fac34 Use the right attribute with ipapwd_entry_checks for MagicRegen
There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos
key is available for the corresponding user. This is typically triggered
by samba via the ipa_sam passdb plugin. The principal used by samba to
connect to the IPA directory server has the right to modify ipaNTHash
but no other password attribute. This means that the current check on
the userPassword attribute is too strict for this case and leads to a
failure of the whole operation.

With this patch the access right on ipaNTHash are checked if no other
password operations are requested.
2013-10-08 09:18:57 +02:00
Alexander Bokovoy
d228b1bd70 ipa-kdb: Handle parent-child relationship for subdomains
When MS-PAC information is re-initialized, record also parent-child
relationship between trust root level domain and its subdomains.

Use parent incoming SID black list to check if child domain is not
allowed to access IPA realm.

We also should really use 'cn' of the entry as domain name.
ipaNTTrustPartner has different meaning on wire, it is an index
pointing to the parent domain of the domain and will be 0 for top
level domains or disjoint subdomains of the trust.

Finally, trustdomain-enable and trustdomain-disable commands should
force MS-PAC cache re-initalization in case of black list change.
Trigger that by asking for cross-realm TGT for HTTP service.
2013-10-04 10:25:31 +02:00
Alexander Bokovoy
749111e6c2 KDC: implement transition check for trusted domains
When client principal requests for a ticket for a server principal
and we have to perform transition, check that all three belong to either
our domain or the domains we trust through forest trusts.

In case all three realms (client, transition, and server) match
trusted domains and our domain, issue permission to transition from client
realm to server realm.

Part of https://fedorahosted.org/freeipa/ticket/3909
2013-10-04 10:25:31 +02:00
Alexander Bokovoy
0ab40cdf6b ipasam: for subdomains pick up defaults for missing values
We don't store trust type, attributes, and direction for subdomains
of the existing trust. Since trust is always forest level, these parameters
can be added as defaults when they are missing.
2013-10-04 10:25:31 +02:00
Nathaniel McCallum
1acd00487f Ensure credentials structure is initialized
https://fedorahosted.org/freeipa/ticket/3953
2013-10-02 14:38:13 +02:00
Sumit Bose
b1cfb47dc0 CLDAP: do not read IPA domain from hostname
Currently the CLDAP plugin determines the IPA domain name by reading
the current host name and splitting of the domain part. But since an IPA
server does not have to be in a DNS domain which has the same name as
the IPA domain this may fail. The domain name was used to search the
ipaNTDomainAttrs object, but since this object is unique in the tree it
is sufficient to use the objectclass in the search filter. Now the IPA
domain can be read from the ipaNTDomainAttrs object as well.

Fixes https://fedorahosted.org/freeipa/ticket/3941
2013-09-27 15:06:21 +02:00
Alexander Bokovoy
a9843d6918 ipa-sam: report supported enctypes based on Kerberos realm configuration
We store Kerberos realm configuration in cn=REALM,cn=kerberos,$SUFFIX.
Along other configuration options, this container has list of default
supported encryption types, in krbDefaultEncSaltTypes.

Fetch krbDefaultEncSaltTypes value on ipa-sam initialization and convert
discovered list to the mask of supported encryption types according to
security.idl from Samba:
        typedef [public,bitmap32bit] bitmap {
                KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
                KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
                KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
                KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
                KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
        } kerb_EncTypes;

Part of https://fedorahosted.org/freeipa/ticket/3898
2013-09-20 09:59:02 +02:00
Alexander Bokovoy
860a3ff647 ipa-sam: do not leak LDAPMessage on ipa-sam initialization
We used to handle some of code paths to free memory allocated by the LDAP library
but there are few more unhandled. In addition, search result wasn't freed on successful
initialization, leaking for long time.

https://fedorahosted.org/freeipa/ticket/3913
2013-09-20 09:59:02 +02:00
Alexander Bokovoy
9cf8ec79c9 ipa-sam: do not modify objectclass when trust object already created
When trust is established, last step done by IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in trust object entry
which is not allowed by ACI.

Additionally, wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd which prevented even to
reach the point where ipa-sam would be asked to modify the trust object.
2013-09-20 09:59:02 +02:00
Krzysztof Klimonda
8c03b1dbcd Fix -Wformat-security warnings 2013-09-16 17:35:22 +02:00
Simo Sorce
5157fd450f Add Delegation Info to MS-PAC
https://fedorahosted.org/freeipa/ticket/3442
2013-09-13 18:03:53 +02:00
Jakub Hrozek
ec08458b65 EXTDOM: Do not overwrite domain_name for INP_SID 2013-08-29 15:30:38 +02:00
Sumit Bose
5c357b462d CLDAP: make sure an empty reply is returned on any error
If ipa_cldap_decode() reply is not initialized.

Fixes https://fedorahosted.org/freeipa/ticket/3885
2013-08-29 15:28:18 +02:00
Rob Crittenden
3940a574f9 Re-order NULL check in ipa_lockout.
There is no risk of crash here as slapi_valueset_first_value() can handle
the case where the valueset is NULL, but there is no point in calling that
if we know there are no values.

https://fedorahosted.org/freeipa/ticket/3880
2013-08-29 15:26:46 +02:00
Simo Sorce
bea533c69a kdb-princ: Fix memory leak
If we do not store the keys in the entry we need to free the array before
continuing or the data is leaked.

CoverityID: 11910

Fixes:
https://fedorahosted.org/freeipa/ticket/3884
2013-08-28 12:42:56 +02:00
Simo Sorce
f96257397e kdb-mspac: Fix out of bounds memset
This memset was harmless as the following data is then set again, but an
optimizing compiler might conceivably reorder instructions causing issues.

CoverityID: 11909

Fixes:
https://fedorahosted.org/freeipa/ticket/3883
2013-08-28 12:42:56 +02:00
Simo Sorce
b29ce20705 pwd-plugin: Fix ignored return error
CoverityID: 11904

Also remove 'inline', the compiler can do it on its own if needed.

Fixes:
https://fedorahosted.org/freeipa/ticket/3882
2013-08-28 12:42:56 +02:00
Martin Kosek
b9ec4d1a67 Prevent *.pyo and *.pyc multilib problems
Differences in the python byte code fails in a build validation
(rpmdiff) done on difference architecture of the same package.

This patch:
 1) Ensures that timestamps of generated *.pyo and *.pyc files match
 2) Python integer literals greater or equal 2^32 and lower than 2^64
    are converted to long right away to prevent different type of
    the integer on architectures with different size of int

https://fedorahosted.org/freeipa/ticket/3858
2013-08-13 15:31:46 +02:00
Lukas Slebodnik
6782a24ff1 Remove unused variable
Variable was set, but it was not used.
2013-07-25 13:21:30 +02:00
Lukas Slebodnik
905f835647 Remove unused variable 2013-07-25 13:21:30 +02:00
Lukas Slebodnik
c098435040 Use right function prototype for thread function
warning: passing argument from incompatible pointer type
2013-07-25 13:21:30 +02:00
Jakub Hrozek
4a5cbde4bb IPA KDB MS-PAC: remove unused variable 2013-07-23 16:25:26 +03:00
Jakub Hrozek
85b8c747bb IPA KDB MS-PAC: return ENOMEM if allocation fails 2013-07-23 16:25:20 +03:00
Alexander Bokovoy
84b2269589 ipa-kdb: reinit mspac on HTTP TGT acquisition to aid trust-add case
When trust is established, we also create idrange for the trusted domain.
With FreeIPA 3.3 these ranges can have different types, and in order to
detect which one is to create, we need to do lookup at AD LDAP server.

Such lookup requires authenticated bind. We cannot bind as user because
IPA framework operates under constrained delegation using the user's
credentials and allowing HTTP/ipa.server@REALM to impersonate the user
against trusted domain's services would require two major things:

  - first, as we don't really know exact AD LDAP server names (any AD DC
    can be used), constrained delegation would have to be defined against
    a wild-card

  - second, constrained delegation requires that target principal exists
    in IPA LDAP as DN.

These two together limit use of user's ticket for the purpose of IPA
framework looking up AD LDAP.

Additionally, immediately after trust is established, issuing TGT with
MS-PAC to HTTP/ipa.server@REALM may fail due to the fact that KDB driver
did not yet refreshed its list of trusted domains -- we have limited
refresh rate of 60 seconds by default.

This patch makes possible to force re-initialization of trusted domains'
view in KDB driver if we are asked for TGT for HTTP/ipa.server@REALM.

We will need to improve refresh of trusted domains' view in KDB driver
in future to notice changes in cn=etc,$SUFFIX tree automatically.

This improvement is tracked in https://fedorahosted.org/freeipa/ticket/1302 and
https://fedorahosted.org/freeipa/ticket/3626

Part of https://fedorahosted.org/freeipa/ticket/3649
2013-07-23 16:24:29 +03:00
Alexander Bokovoy
67bcbab897 ipa-kdb: cache KDC hostname on startup
We need KDC hostname for several purposes:
- short-circuit detection of principals on the same server as KDC
- generating NetBIOS name

Make sure we cache hostname information on startup and use it
instead of detecting the hostname in run-time. This will miss the
case that KDC hostname got changed but such cases are not supported
anyway without restarting KDC and making changes to principals.
2013-07-23 16:24:24 +03:00
Nathaniel McCallum
6c0b7f3389 Use libunistring ulc_casecmp() on unicode strings
https://fedorahosted.org/freeipa/ticket/3772
2013-07-18 18:08:53 +02:00
Lukas Slebodnik
0fa42af840 Use pkg-config to detect cmocka
https://fedorahosted.org/freeipa/ticket/3434
2013-07-15 16:42:46 +02:00
Jakub Hrozek
5db5d168d9 Remove unused variable 2013-07-15 15:40:43 +02:00
Alexander Bokovoy
8d6d8459eb Generate syntethic MS-PAC for all services running on IPA master
MS-PAC is required to be present in TGT if one wants to connect to
AD services using this TGT. Users get MS-PAC by default, SSSD in
ipa_server_mode uses host/fqdn@REALM principal to talk to AD LDAP.

This patch enables other services running on IPA master to connect
to AD services. This is required for IPA python code doing discovery
of remote AD domain settings shortly after IPA-AD trust has been
established.
2013-07-11 12:39:28 +03:00
Alexander Bokovoy
ad575f067c Fix extdom plugin to provide unqualified name in response as sssd expects
extdom plugin handles external operation over which SSSD asks IPA server about
trusted domain users not found through normal paths but detected to belong
to the trusted domains associated with IPA realm.

SSSD expects that user or group name in the response will be unqualified
because domain name for the user or group is also included in the response.
Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully
qualified name which includes the domain name we are asked to handle.

The code already expects that fully-qualified names are following user@domain
convention so we are simply tracking whether '@' symbol is present and is followed
by the domain name.
2013-07-11 12:39:28 +03:00
Alexander Bokovoy
fb62414e81 Make sure domain_name is also set when processing INP_NAME requests 2013-07-11 12:39:27 +03:00
Sumit Bose
912699ff58 Remove winbind client configure check
With the replacement of the winbind calls in the extdom plugin none of
the plugins is using the winbind client libraries anymore.
2013-07-11 12:39:27 +03:00
Sumit Bose
18c5e483db extdom: replace winbind calls with POSIX/SSSD calls
With the new ipa_server_mode SSSD is able to read user and group data
from trusted AD domains directly and makes this data available via the
NSS responder. With this mode enabled winbind is not needed anymore to
lookup users and groups of trusted domains.

This patch removed the calls to winbind from the extdom plugin and
replaces them with standard POSIX calls like getpwnam() and calls from
libsss_nss_idmap to lookup SIDs.

Fixes https://fedorahosted.org/freeipa/ticket/3637 because now the
extdom plugin does not need to handle idranges anymore, but everything
is done inside SSSD.
2013-07-11 12:39:27 +03:00
Sumit Bose
cf97590e97 Add PAC to master host TGTs
For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is
needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
of a trusted domain with the credentials of a FreeIPA server host a
PAC must be added to the TGT for the host.

We use the well know RID of the Domain Computers group (515) for the
primary gid element of the PAC, this is the same as AD uses for host
tickets.  The rid element of the PAC is set to the well know RID of the
Domain Controllers group (516). This is working for the SSSD use case
but might be improved later for more general use cases.

To determine if a host is a FreeIPA server or not it is checked if there
is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
this requires an additional LDAP lookup. But since TGS-REQs for hosts
should be rare I think it is acceptable for the time being.

Fixes https://fedorahosted.org/freeipa/ticket/3651
2013-07-11 12:39:27 +03:00
Sumit Bose
9a83009d33 Fix type of printf argument 2013-06-10 10:56:59 +02:00
Sumit Bose
f497aafdca Fix format string typo 2013-06-03 15:41:24 +02:00
Diane Trout
517e475f61 Fix log format not a string literal.
This was to resolve a -Werror=format-security error.

  ipa_extdom_extop.c: In function 'ipa_extdom_extop':
  ipa_extdom_extop.c:144:9: error: format not a string literal and no format
arguments [-Werror=format-security]
2013-06-03 09:57:24 +02:00
Alexander Bokovoy
b21abc76ca Fix cldap parser to work with a single equality filter (NtVer=...)
https://fedorahosted.org/freeipa/ticket/3639
2013-05-30 12:39:45 +02:00
Simo Sorce
1e224c2ea0 CLDAP: Return empty reply on non-fatal errors
Windows DCs return an empty reply when a legal request cannot satisfied.
If we get EINVAL or ENOENT it means the information requested could not be
found or input parameters were bogus.
Always return an empty reply in these cases.

On any other internal error just return, the request may have been legit but we
can't really handle it right now, pretend we never saw it and hope the next
attempt will succeed.

Fixes: https://fedorahosted.org/freeipa/ticket/3639

Signed-off-by: Simo Sorce <simo@redhat.com>
2013-05-28 16:01:52 +02:00
Simo Sorce
b402b6d553 CLDAP: Fix domain handling in netlogon requests
1. Stop using getdomainname() as it is often not properly initialized
2. The code using getdomainname() was not working anyway it was trying to
look at the function call output in hostname which is always empty at that
point.
3. Always check the requested domain matches our own, we cannot reply to
anything else anyway.

Pre-requisite to fix: https://fedorahosted.org/freeipa/ticket/3639

Signed-off-by: Simo Sorce <simo@redhat.com>
2013-05-28 16:01:52 +02:00
Nathaniel McCallum
5b58348cd3 Add OTP support to ipa-pwd-extop
During LDAP bind, this now plugin determines if a user is enabled
for OTP authentication. If so, then the OTP is validated in addition
to the password. This allows 2FA during user binds.

    https://fedorahosted.org/freeipa/ticket/3367
    http://freeipa.org/page/V3/OTP
2013-05-17 09:30:51 +02:00
Nathaniel McCallum
1e1bab4edc Remove unnecessary prefixes from ipa-pwd-extop files 2013-05-17 09:30:51 +02:00
Nathaniel McCallum
203754691c Add the krb5/FreeIPA RADIUS companion daemon
This daemon listens for RADIUS packets on a well known
UNIX domain socket. When a packet is received, it queries
LDAP to see if the user is configured for RADIUS authentication.
If so, then the packet is forwarded to the 3rd party RADIUS server.
Otherwise, a bind is attempted against the LDAP server.

https://fedorahosted.org/freeipa/ticket/3366
http://freeipa.org/page/V3/OTP
2013-05-17 09:30:51 +02:00
Nathaniel McCallum
5d51ae50a5 ipa-kdb: Add OTP support
If OTP is enabled for a user, then:
  1. Long-term keys are not provided to KDB
  2. The user string 'otp' is defined to KDB

Since it is not secure to send radius configuration information
over krb5 user strings, we simply set the string to a known default
('[]') which enables the default configuration in the KDC.

https://fedorahosted.org/freeipa/ticket/3561
http://freeipa.org/page/V3/OTP
2013-05-17 09:30:51 +02:00
Sumit Bose
c152c9e7ff Allow ID-to-SID mappings in the extdom plugin
https://fedorahosted.org/freeipa/ticket/3596
2013-05-02 16:57:12 -04:00
Sumit Bose
0f43cd6ea0 Do not store SID string in a local buffer
https://fedorahosted.org/freeipa/ticket/3596
2013-05-02 16:57:12 -04:00
Sumit Bose
631b3cf7cd Do not lookup up the domain too early if only the SID is known
Request with a SID as input parameter do not contain the domain name,
hence is must be tried to resolve the SID first before the corresponding
domain can be looked up.

https://fedorahosted.org/freeipa/ticket/3596
2013-05-02 16:57:12 -04:00
Sumit Bose
7b45e33400 ipa-pwd-extop: do not use dn until it is really set
https://fedorahosted.org/freeipa/ticket/3539
2013-04-02 09:39:28 -04:00
Alexander Bokovoy
cc56723151 ipasam: add enumeration of UPN suffixes based on the realm domains
PASSDB API in Samba adds support for specifying UPN suffixes. The change
in ipasam will allow to pass through list of realm domains as UPN suffixes
so that Active Directory domain controller will be able to recognize
non-primary UPN suffixes as belonging to IPA and properly find our KDC
for cross-realm TGT.

Since Samba already returns primary DNS domain separately, filter it out
from list of UPN suffixes.

Also enclose provider of UPN suffixes into #ifdef to support both
Samba with and without pdb_enum_upn_suffixes().

Part of https://fedorahosted.org/freeipa/ticket/2848
2013-03-29 13:45:50 +01:00