In terms of cross-forest trust parent domain is the root domain of
the forest because we only have trust established with the forest root.
In FreeIPA LDAP store all sub-domains stored in cn=<forest root>,
cn=ad,cn=trusts,... subtree. Thus, a first RDN after cn=ad is the
forest root domain. This allows us to simplify logic of finding
the parent domain.
For complex hierachical forests with more than two levels of
sub-domains, this will still be true because of the forest trust:
as forest trust is established to the forest root domain, any
communication to any sub-domain must traverse forest root domain's
domain controller.
Note that SSSD also generated incorrectly CA paths information
for forests with non-hierarchical tree-roots. In such cases
IPA KDC got confused and mistakenly assumed direct trust to the
non-hierarchical tree-root instead of going through the forest
root domain. See https://fedorahosted.org/sssd/ticket/3103 for
details.
Resolves: https://fedorahosted.org/freeipa/ticket/5738
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
daemons/ipa-kdb/ipa_kdb_mspac.c: In function 'filter_logon_info':
daemons/ipa-kdb/ipa_kdb_mspac.c:1536:19: error: 'struct PAC_LOGON_INFO'
has no member named 'res_group_dom_sid'
if (info->info->res_group_dom_sid != NULL &&
^~
daemons/ipa-kdb/ipa_kdb_mspac.c:1537:19: error: 'struct PAC_LOGON_INFO'
has no member named 'res_groups'; did you mean 'resource_groups'?
info->info->res_groups.count != 0) {
^~
mv -f .deps/ipa_kdb_delegation.Tpo .deps/ipa_kdb_delegation.Plo
Makefile:806: recipe for target 'ipa_kdb_mspac.lo' failed
make[3]: *** [ipa_kdb_mspac.lo] Error 1
make[3]: *** Waiting for unfinished jobs....
Related change in samba
4406cf792a
Resolves:
https://fedorahosted.org/freeipa/ticket/6173
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When canonicalization is requested, the krbprincipalname attribute is searched
for case-insensitively.
In the case that krbcanonicalname is not set, the matched alias is returned
with the casing stored in backend, not the one input by client.
Part of https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Add support for additional user name principal suffixes from
trusted Active Directory forests. UPN suffixes are property
of the forest and as such are associated with the forest root
domain.
FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
attribute of ipaNTTrustedDomain object class.
In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.
For more details on UPN and naming in Active Directory see
https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspxhttps://fedorahosted.org/freeipa/ticket/5354
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.
This patch does not change the autogenerated files: asn1/asn1c/*.h.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Before this patch, if either password or password+otp were permitted,
only the otp preauth mech would be returned to the client. Now, the
client will receive either enc_ts or enc_chl in addition to otp.
https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Sumit Bose <sbose@redhat.com>
Store and retrieve the authentication indicator "require_auth" string in
the krbPrincipalAuthInd attribute. Skip storing auth indicators to
krbExtraData.
https://fedorahosted.org/freeipa/ticket/5782
Reviewed-By: Sumit Bose <sbose@redhat.com>
Like for services setting the ipaKrbAuthzData attribute on a user object will
allow us to control exactly what authz data is allowed for that user.
Setting NONE would allow no authz data, while setting MS-PAC would allow only
Active Directory compatible data.
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/2579
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Some legacy softare is not able to properly cope with preauthentication,
allow the admins to disable the requirement to use preauthentication for
all Service Principal Names if they so desire. IPA Users are excluded,
for users, which use password of lessere entrpy, preauthentication is
always required by default.
This setting does NOT override explicit policies set on service principals
or in the global policy, it only affects the default.
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/3860
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This function determines which type of authorization data should be
added to the Kerberos ticket. There are global default and it is
possible to configure this per service as well. The second argument is
the data base entry of a service. If no service is given it makes sense
to return the global defaults and most parts of get_authz_data_types()
handle this case well and this patch fixes the remain issue and adds a
test for this as well.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
LDAP calls just assert if an invalid (NULL) context is passed in,
so we need to be sure we have a valid connection context before
calling into LDAP APIs and fail outright if a context can't be obtained.
https://fedorahosted.org/freeipa/ticket/5577
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Needs a 'break' otherwise prevents correct reporting of data and it always overrides
it with the placeholder data.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Default krb5.conf needn't have defined default_realm.
Unit tests should not rely on existing default value.
Reviewed-By: Martin Basti <mbasti@redhat.com>
The cmocka-1.0 introduced new interface for tests
which is not compatible with the old one.
And the old interface is deprecated which caused compiled warnings.
Reviewed-By: Martin Basti <mbasti@redhat.com>
When incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.
Note that we treat user's SID and primary group RID filtering as violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.
For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1
it is OK to have empty group RIDs array as GroupCount SHOULD be
equal to Groups.MembershipCount returned by SamrGetGroupsForUser
[MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty.
Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This patch moves duplicate code in `ipadb_get_connection` to get default and
supported key encodings/salt types from Kerberos container to a common
function handling this task.
It is actually a small cosmetic enhancement of the fix of
https://fedorahosted.org/freeipa/ticket/4914
Reviewed-By: Martin Basti <mbasti@redhat.com>
The attribute mentioned was using an older name that was later changed
in the implementation.
Also add a prominent warning about the use of the kadmin flags.
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
When kadmin tries to change a password it will get the allowed keysalts
from the password policy. Failure to provide them will result in kadmin
using the defaults specified in the kdc.conf file or hardcoded defaults
(the default salt is then of type NORMAL).
This patch provides the supported values that have been read out of the
appropriate LDAP attribute when we read the server configuration.
Then at actual password change, check if kadmin is handing us back the exact
list of supported encsalts we sent it, and in that case replace it with the
real default encsalts.
Fixes https://fedorahosted.org/freeipa/ticket/4914
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
In this new MIT version the DAL interface changes slightly but
KRB5_KDB_DAL_MAJOR_VERSION was not changed.
Luckily KRB5_KDB_API_VERSION did change and that's enough to know
what to compile in.
Resolves: https://fedorahosted.org/freeipa/ticket/4861
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The patch addresses the following defect reported by covscan in FreeIPA
master:
"""
Error: FORWARD_NULL (CWE-476):
/daemons/ipa-kdb/ipa_kdb_principals.c:1886: assign_zero: Assigning:
"principal" = "NULL".
/daemons/ipa-kdb/ipa_kdb_principals.c:1929:
var_deref_model: Passing null pointer "principal" to "ipadb_entry_to_mods",
which dereferences it.
/daemons/ipa-kdb/ipa_kdb_principals.c:1491:9:
deref_parm_in_call: Function "ipadb_get_ldap_mod_str" dereferences
"principal".
/daemons/ipa-kdb/ipa_kdb_principals.c:1174:5:
deref_parm_in_call: Function "strdup" dereferences "value"
"""
This is a part of series of patches related to
https://fedorahosted.org/freeipa/ticket/4795
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This patch proposes a fix for the following defect reported by covscan in
FreeIPA master code:
"""
Error: DEADCODE (CWE-561):
/daemons/ipa-kdb/ipa_kdb_mspac.c:2013: assignment: Assigning: "client_entry" =
"NULL".
/daemons/ipa-kdb/ipa_kdb_mspac.c:2077: null: At condition
"client_entry", the value of "client_entry" must be "NULL".
/daemons/ipa-kdb/ipa_kdb_mspac.c:2077: dead_error_condition: The condition
"client_entry" cannot be true.
/daemons/ipa-kdb/ipa_kdb_mspac.c:2077:
dead_error_line: Execution cannot reach the expression "client_entry" inside
this statement: "kerr = ipadb_get_pac(contex...".
"""
This is a part of a series of patches related to
https://fedorahosted.org/freeipa/ticket/4795
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This patch is related this defect reported by covscan on FreeIPA master:
"""
Error: DEADCODE (CWE-561):
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code !=
-1765328353L", taking false branch. Now the value of "error_code" is equal to
-1765328353.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition
"error_code != -1765328360L", taking false branch. Now the value of
"error_code" is equal to -1765328360.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42:
cond_const: Condition "error_code != 0", taking false branch. Now the value of
"error_code" is equal to 0.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:71:
intervals: When switching on "error_code", the value of "error_code" must be
in one of the following intervals: {[-1765328360,-1765328360],
[-1765328353,-1765328353], [0,0]}.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:71:
dead_error_condition: The switch value "error_code" cannot reach the default
case.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:123: dead_error_begin: Execution
cannot reach this statement: "default:".
"""
This patch is a part of series related to
https://fedorahosted.org/freeipa/ticket/4795.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
We need to make sure we have a ld context before we can load the
configuration, otherwise ldap APIs will abort crashing the KDC.
If we have an issue connecting to LDAP the lcontext will be NULL, but
we are not checking that condition when we try to refresh the global
configuration.
https://fedorahosted.org/freeipa/ticket/4810
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Before this patch, ipa-kdb would load global configuration on startup and
never update it. This means that if global configuration is changed, the
KDC never receives the new configuration until it is restarted.
This patch enables caching of the global configuration with a timeout of
60 seconds.
https://fedorahosted.org/freeipa/ticket/4153
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When an entry has a krbCanonicalName, if KRB5_KDB_FLAG_ALIAS_OK is set,
rewrite the principal name to the canonical value, else error out,
instead of always returning an error if the requested name doesn't look
like the canonical one.
https://fedorahosted.org/freeipa/ticket/3966
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
If the KDC doesn't use the FreeIPA password for authentication, then it is
futile to provide this information. Doing so will only confuse the user. It
also causes password change dialogues when the password is irrelevant.
https://fedorahosted.org/freeipa/ticket/4299
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When client principal is the same as supplied client entry, don't fetch it
again.
Note that when client principal is not NULL, client entry might be NULL for
cross-realm case, so we need to make sure to not dereference NULL pointer here.
Also fix reverted condition for case when we didn't find the client principal
in the database, preventing a memory leak.
https://fedorahosted.org/freeipa/ticket/4223
Reviewed-By: Sumit Bose <sbose@redhat.com>
