Upgrade code had Kerberos principal names mixed up: instead of creating
krbtgt/LOCAL-FLAT@REMOTE and marking LOCAL-FLAT$@REMOTE as an alias to
it, it created LOCAL-FLAT$@REMOTE Kerberos principal and marked
krbtgt/LOCAL-FLAT@REMOTE as an alias.
This differs from what Active Directory expects and what is created by
ipasam plugin when trust is established. When upgrading such deployment,
an upgrade code then unexpectedly failed.
Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Replace the @PYTHONSHEBANG@ substitution with a valid #!/usr/bin/python3
shebang. This turns Python .in files into valid Python files. The files
can now be checked with pylint and IDEs recognize the files as Python
files.
The shebang is still replaced with "#!$(PYTHON) -E" to support
platform-python.
Related: https://pagure.io/freeipa/issue/7984
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
In 2012, ldbm backend in 389-ds started checking entry modification
after running betxnpreop plugins by comparing a number of modifications
before and after. If that number didn't change, it is considered that
plugins didn't modify the list.
ipa-pwd-extop actually removed and re-added modification to ipaNTHash if
it contained 'MagicRegen' value. This did not work since commit
https://pagure.io/389-ds-base/c/6c17ec56076d34540929acbcf2f3e65534060a43
but we were lucky nothing in FreeIPA code actually relied on that except
some code paths in ipasam Samba passdb driver. However, Samba didn't
reach the point where the code was triggered -- until now.
With support to run Samba as a domain member in IPA domain, that code
path is triggered for Kerberos service principals of domain members
(cifs/client.example.test, ...) and NT hash extraction from Kerberos
keys does not work.
Fix ipa-pwd-extop to follow recommendations in
https://pagure.io/389-ds-base/issue/387#comment-120145 and
https://pagure.io/389-ds-base/issue/50369#comment-570696
Fixes: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
With system-wide crypto policy in use, arcfour-hmac encryption type
might be removed from the list of permitted encryption types in the MIT
Kerberos library. Applications aren't prevented to use the arcfour-hmac
enctype if they operate on it directly.
Since FreeIPA supported and default encryption types stored in LDAP, on
the server side we don't directly use a set of permitted encryption
types provided by the MIT Kerberos library. However, this set will be
trimmed to disallow arcfour-hmac and other weaker types by default.
While the arcfour-hmac key can be generated and retrieved, MIT Kerberos
library will still not allow its use in Kerberos protocol if it is not
on the list of permitted encryption types. We only need this workaround
to allow setting up arcfour-hmac key for SMB services where arcfour-hmac
key is used to validate communication between a domain member and its
domain controller. Without this fix it will not be possible to request
setting up a machine account credential from the domain member side. The
latter is needed for Samba running on IPA client.
Thus, extend filtering facilities in ipa-pwd-extop plugin to explicitly
allow arcfour-hmac encryption type for SMB services (Kerberos principal
name starts with cifs/).
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This problem was discovered by pylint.
Fixes: https://pagure.io/freeipa/issue/7921
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
* ipa-dnskeysyncd now handles CONNECT_ERROR during bind
* ipa-dnskeysyncd no longer logs full traceback on connection error.
* ipa-dnskeysync-replica now handles SERVER_DOWN/CONNECT_ERROR
exceptions and turns them into pretty error messages.
Fixes: https://pagure.io/freeipa/issue/7905
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
Samba 4.10 moved away to private libraries two functions we used to
convert a binary SID structre to strings:
- sid_talloc_string()
- sid_string_dbg()
We already used libsss_idmap to convert textual representation of SIDs
to a binary one, use the reverse function too.
libsss_idmap code operates on talloc structures, so we need to adopt a
bit a place where sid_string_dbg() was used because it assumed a static
buffer was provided by sid_string_dbg().
Finally, sid_talloc_string()'s replacement moves allocated memory to the
right context so that a memory will be freed earlier. Our SSSD idmap
context is a long-living one while in all cases where we were using
sid_talloc_string() we free the context much earlier.
Resolves: https://pagure.io/freeipa/issue/7893
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Refactor ipa-sam code to generate principals with additional POSIX
information so that FreeIPA is capable to establish trust when using a
shared secret from Active Directory domain controller side.
Trust verification process from Samba AD DC or Microsoft Windows AD DC
side requires us to have a working local TDO object with POSIX
attributes so that smbd would be able to map incoming authenticated
Kerberos principal for the TDO to a local POSIX account.
Note that FreeIPA stores TDO objects in a subtree of cn=trusts,$SUFFIX
and thus SSSD is not able to see these POSIX accounts unless
specifically instructed to do so via multiple search bases. The support
for automatically enabling cn=trusts,$SUFFIX search base in IPA server
mode was added to SSSD 1.16.3 and 2.1.0 with the commit
14faec9cd9
Fixes: https://pagure.io/freeipa/issue/6077
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Coverity found the following issue:
Error: BAD_COMPARE (CWE-697): [#def1]
freeipa-4.6.5/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c:121: null_misuse: Comparing pointer "threadnumber" against "NULL" using anything besides "==" or "!=" is likely to be incorrect.
The comparison is using the pointer while it should use the pointed value.
Fixes: https://pagure.io/freeipa/issue/7884
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The user and group lookups done by the extdom plugin might need some
time depending on the state of the service (typically SSSD) handling the
requests.
To avoid that all worker threads are busy waiting on a connect or a
reply from SSSD and no other request can be handled this patch adds an
instance counter and an instance limit for the extdom plugin.
By default the limit will be around 80% of the number of worker threads.
It can be tuned further with the plugin option ipaExtdomMaxInstances
which must in set in ipaextdommaxinstances and should have an integer
value larger than 0 and lesser than the number of worker threads.
If the instance limit is reached the extdom plugin will return LDAP_BUSY
for every new request until the number of instance is again below the
limit.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Recent Samba versions removed some header files which did include
non-public APIs. As a result talloc_strackframe.h and memory.h (for
SAFE_FREE) are not available anymore. This patch replaces the use of the
non-public APIs with public ones.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
ipa_sam uses Samba's macro ZERO_STRUCT() to safely zero out a block in
memory. On F30 ZERO_STRUCT() is currently broken, because it uses the
undefined C11 function memset_s().
During investigation of the bug, it turned out that
ZERO_STRUCT(td->security_identifier) is not needed. The whole td struct
is allocated with talloc_zero(), so td->security_identifier is already
zeroed.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1672231
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
With 389-ds landing a change for
https://pagure.io/389-ds-base/issue/49950, fetch_attr() helper function
is exposed in slapi-plugin.h. However, in order to be able to build
FreeIPA plugins against older 389-ds versions, prefer using a local
variant of it.
Rename fetch_attr() to ipa_sidgen_fetch_attr() so that it doesn't
conflict at all.
Fixes: https://pagure.io/freeipa/issue/7811
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Since LDAP operations used by ipa-kdb driver are synchronous, the
timeout specified here is blocking entire KDC. It is worth reducing the
timeout and since AS REQ processing timeout in KDC is 1 minute, reducing
the timeout for LDAP operations down to 30 seconds allows KDC to
respond promptly in worst case scenario as well.
Fixes: https://pagure.io/freeipa/issue/7217
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
In ipapwd_pre_mod, check userpw for NULL before dereferencing its first
element.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix potential NULL pointer deref in ipadb_mspac_get_trusted_domains().
In theory, dn could be empty and rdn NULL. The man page for ldap_str2dn()
does not guarantee that it returns a non-empty result.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Set keys to NULL after free rder to avoid potential double free.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
On two occasions C code abused strncpy()'s length limitation to copy a
string of known length without the trailing NULL byte. Recent GCC is
raising the compiler warning:
warning: ‘strncpy’ output truncated before terminating nul copying as
many bytes from a string as its length [-Wstringop-truncation]
Use memcpy() instead if strncpy() to copy data of known size.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The leak happens due to using strndup in a for loop to create a temporary
string without freeing it in all cases.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Replace six.moves and six.StringIO/BytesIO imports with cannonical
Python 3 packages.
Note: six.moves.input behaves differently than builtin input function.
Therefore I left six.moves.input for now.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The ipa-otpd code occasionally removes elements from one queue,
inspects and modifies them, and then inserts them into
another (possibly identical, possibly different) queue. When the next
pointer isn't cleared, this can result in element membership in both
queues, leading to double frees, or even self-referential elements,
causing infinite loops at traversal time.
Rather than eliminating the pattern, make it safe by clearing the next
field any time an element enters or exits a queue.
Related https://pagure.io/freeipa/issue/7262
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Python scripts are now generated from templates. The scripts are marked
as nodist (no distribution) but install targets. The templates for the
scripts are extra distribution data, no installation (noinst).
Fixes: https://pagure.io/freeipa/issue/7680
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
All Python scripts are now generated from a template with a dynamic
shebang.
ipatests/i18n.py is no longer an executable script with shebang. The
module is not executed as script directly, but rather as
$(PYTHON) ipatests/i18n.py
Fixes: https://pagure.io/freeipa/issue/7680
All Python scripts are now template files with a dynamic shebang line.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When creating Kerberos keys for trusted domain object account, ipasam
module requests to generate keys using a series of well-known encryption
types. In FIPS mode it is not possible to generate RC4-HMAC key:
MIT Kerberos is using openssl crypto backend and openssl does not allow
use of RC4 in FIPS mode.
Thus, we have to filter out RC4-HMAC encryption type when running in
FIPS mode. A side-effect is that a trust to Active Directory running
with Windows Server 2003 will not be possible anymore in FIPS mode.
Resolves: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
The code in question was supposed to have the same license as the
rest of the plugin. Fix it by updating the comment header.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
When making ipa-pwd-extop TXN aware, some callbacks are call twice.
Particularily
ipapwd_pre_add is called during PRE_ADD and TXN_PRE_ADD
ipapwd_pre_mod is called during PRE_MOD and TXN_PRE_MOD
ipapwd_post_modadd is called during POST_ADD and TXN_POST_ADD
ipapwd_post_modadd is called during POST_MOD and TXN_POST_MOD
It is not the expected behavior and it results on some skipped updates krbPasswordExpiration
and krbLastPwdChange
https://pagure.io/freeipa/issue/7601
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
- Add missing executable bits to all scripts
- Remove executable bits from all files that are not scripts,
e.g. js, html, and Python libraries.
- Remove Python shebang from all Python library files.
It's frown upon to have executable library files in site-packages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
If the element being removed were not the queue head,
otpd_queue_pop_msgid() would not actually remove the element, leading
to potential double frees and request replays.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This was causing ns-slapd to segfault in the password plugin.
https://pagure.io/freeipa/issue/7561
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When a segment is deleted, the underlying replica agreement is also deleted.
An exception to this is if the status of the deleted segment is "obsolete" (i.e. merged segments)
The status should contain only one value, but to be protected against potential
bugs (like https://pagure.io/389-ds-base/issue/49619) this fix checks if
"obsolete" is in the status values.
https://pagure.io/freeipa/issue/7461
Reviewed-By: Christian Heimes <cheimes@redhat.com>
NSS doesn't allow keys to be loaded directly in FIPS mode. To work around
this, we encrypt the input key using an ephemeral key and then unwrap the
encrypted key.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
NSS_STATUS_RETURN is an internal value but GCC doesn't know that.
ipa_extdom_common.c:103:5: warning: enumeration value ‘NSS_STATUS_RETURN’ not handled in switch [-Wswitch]
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The ipadb_free() and ipadb_alloc() functions are only used with
KRB5_KDB_DAL_MAJOR_VERSION 5.
ipa_kdb.c:639:13: warning: ‘ipadb_free’ defined but not used [-Wunused-function]
ipa_kdb.c:634:14: warning: ‘ipadb_alloc’ defined but not used [-Wunused-function]
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The 389-ds plugin for OTP last token is performing data initialization
in its ipa_otp_lasttoken_init method, which is wrong according to
the Plug-in Guide:
> For example, the init function should not attempt to perform an
> internal search or other internal operation, because the all of
> the subsystems are not up and running during the init phase.
This init method fills a structure containing the configuration of
allowed authentication types. As the method is called too early, the
method does not find any suffix and leaves the structure empty.
Subsequent calls find an empty structure and take the default values
(for authentication methods, the default is 1 = password).
Because of that, the code consider that the global configuration defines
password authentication method, and in this case it is allowed to delete
a user's last otp token.
The fix implements a SLAPI_PLUGIN_START_FN method that will be called
when 389-ds is ready to initialize the plugin data, ensuring that the
structure is properly initialized.
Fixes:
https://pagure.io/freeipa/issue/7012
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
Currently there is already code to make sure that after trust is established an
AS-REQ of the local HTTP principal causes a refresh of the internal structures
holding the information about the trusted domains.
But this refreshes only the data of the current krb5kdc worker process on the
local host. Other workers and the KDCs on other hosts will update the data
eventually when a request with a principal from a trusted realm is handled.
During this phase, which might last quite long if remote principals are only
handled rarely, TGTs for local principals might or might not contain a PAC
because the decision if a PAC should be added or not is based on the
information about trusted domains. Since the PAC is needed to access services
on the AD side this access might fail intermittently depending which worker
process on which host is handling the request. This might e.g. affect SSSD
running on the IPA server with two-way trust.
To fix this this patch calls ipadb_reinit_mspac() whenever a PAC is needed but
without the 'force' flag so that the refresh will only happen if it wasn't
called recently (currently not more often than once a minute).
An alternative might be to do the refresh only when processing cross-realm TGT
requests. But this would be already too late because the local principal asking
for a cross-realm ticket would not have a PAC and hence the first attempt will
still fail due to the missing PAC. And injecting the PAC in the cross-realm TGT
while there is none in the requesting ticket does not sound right.
Related to https://pagure.io/freeipa/issue/7351
Reviewed-By: Simo Sorce <ssorce@redhat.com>
The certauth plugin is configured in /etc/krb5.conf independently form
the database module. As a result the IPA certauth plugin can be added to
the configuration without the IPA DAL driver. Since the IPA certauth
plugin depends on the presence of the IPA DAL driver this patch adds a
magic value at the beginning of struct ipadb_context which can be
checked to see if the IPA DAL driver is properly initialized.
Resolves https://pagure.io/freeipa/issue/7261
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Replace assert with proper check and exception.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ODS commands are ASCII strings, but socket.recv() returns bytes and
socket.send() expects bytes. Encode/decode values properly.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
hexlify returns bytes and needs to be casted to string before
printing it out.
Related: https://pagure.io/freeipa/issue/4985
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipa-ods-exporter uses systemd socket activation. The script uses
select() to check if the socket is readable. A timeout of 0 is a bit too
aggressive. Sometimes select() doesn't consider the systemd socket as
readable. This causes ODS to fail silently
A timeout of one second seems to remove the problem. A proper error code
also signals that something went wrong.
Closes: https://pagure.io/freeipa/issue/7378
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Refactor nsswitch operations in ipa-extdom-extop plugin to allow use
of timeout-enabled nsswitch calls provided by libsss_nss_idmap.
Standard POSIX nsswitch API has no way to cancel requests which may
cause ipa-extdom-extop requests to hang far too long and potentially
exhaust LDAP server workers. In addition, glibc nsswitch API iterates
through all nsswitch modules one by one and with multiple parallel
requests a lock up may happen in an unrelated nsswitch module like
nss_files.so.2.
A solution to the latter issue is to directly load nss_sss.so.2 plugin
and utilize it. This, however, does not solve a problem with lack of
cancellable API.
With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of
nsswitch API that is directly integrated with SSSD client side machinery
used by nss_sss.so.2. As result, this API can be used instead of loading
nss_sss.so.2 directly.
To support older SSSD version, both direct loading of nss_sss.so.2 and
new timeout-enabled API are supported by this changeset. An API to
abstract both is designed to be a mix between internal glibc nsswitch
API and external nsswitch API that libsss_nss_idmap mimics. API does not
expose per-call timeout. Instead, it allows to set a timeout per
nsswitch operation context to reduce requirements on information
a caller has to maintain.
A choice which API to use is made at configure time.
In order to test the API, a cmocka test is updated to explicitly load
nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always
depend on availablility of SSSD, predictable testing would not be
possible without it otherwise. Also, cmocka test does not use
nss_wrapper anymore because nss_wrapper overrides higher level glibc
nsswitch API while we are loading an individual nsswitch module
directly.
As result, cmocka test overrides fopen() call used by nss_files.so.2 to
load /etc/passwd and /etc/group. An overridden version changes paths to
/etc/passwd and /etc/group to a local test_data/passwd and
test_data/group. This way we can continue testing a backend API for
ipa-extdom-extop with the same data as with nss_wrapper.
Fixes https://pagure.io/freeipa/issue/5464
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
When testing KDC code in cmocka we rely on libkrb5 defaults.
libkrb5 would read /etc/krb5.conf by default and would load a KDB
module from there if it is defined for the test realm (EXAMPLE.COM).
Since EXAMPLE.COM is a common name used for test realms, make sure to
not using /etc/krb5.conf from the system. Instead, force KRB5_CONFIG to
/dev/null so that only libkrb5 compiled-in defaults are in use.
In such setup libkrb5 will attempt to load KDB driver db2 for our test
realm. db2 driver doesn't fail if its database is not available (unlike
FreeIPA's one), so it survives initialization.
As result, ipa-kdb-tests pass without unexpected breakage.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add dependency on external libraries after dependency on internal
objects so the linker can correctly pick up all symbols.
https://pagure.io/freeipa/issue/7189
Original patch by Rob Crittenden
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>