With MIT krb5 1.20, a call to krb5_db_check_allowed_to_delegate()
and krb5_db_check_allowed_to_delegate_from() expects to return either
KRB5KDC_ERR_BADOPTION for a policy denial or KRB5_PLUGIN_OP_NOTSUPP in
case plugin does not handle the policy case. This is part of the MIT
krb5 commit a441fbe329ebbd7775eb5d4ccc4a05eef370f08b which added a
minimal MS-PAC generator.
Prior to MIT krb5 1.20, the same call was expected to return either
KRB5KDC_ERR_POLICY or KRB5_PLUGIN_OP_NOTSUPP errors.
Related: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
PAC requester check was incorrect for in-realm S4U operations. It casted
too wide check which denied some legitimate requests. Fix that by only
applying rejection to non-S4U unknown SIDs, otherwise S4U2Self request
issued by the in-realm service against a trusted domain's user would not
work.
Related: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
With krb5 1.20, S4U processing code uses a special case of passing an
empty S4U proxy to allowed_to_delegate() callback to identify if the
server cannot get forwardable S4U2Self tickets according to [MS-PAC]
3.2.5.1.2.
This means we need to ensure NULL proxy is a valid one and return an
appropriate response to that.
Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
For generating PAC we need to know SID of the object and a number of
required attributes. However, trusted domain objects do not have these
attributes. Luckily, IPA LDAP schema puts them under actual trust
objects which have all the additional (POSIX) attributes.
Refactor PAC generator to accept secondary LDAP entry and use that one
to pull up required attributes. We only use this for trusted domain
objects.
Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Currently if a certificate mapping and matching rule has a typo or is of
an unsupported type the whole rule processing is aborted and the IPA
certmap plugin works without any rules effectively disabling PKINIT for
users. Since each rule would only allow more certificates for PKINIT it
would be more user/admin friendly to just ignore the failed rules with a
log message and continue with what is left or use the default rule if
nothing is left.
This change is done to add more flexibility to define new mapping and
matching templates which are e.g. needed to cover changes planned by
Microsoft as explained in
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The command ipa otptoken-sync does not properly handle
errors happening during the synchronization step.
- Even if an error is detected (such as invalid password
provided), the command exits with return code = 0. An
error message is displayed but the exit code should be 1.
- When an invalid token is provided, the token is not
synchronized but the error is not reported back to the
ipa otptoken-sync command.
The first issue can be fixed by raising an exception when
the HTTP response contains an header with an error.
The second issue is fixed by returning LDAP_INVALID_CREDENTIALS
to ldap bind with the sync control if synchronization fails.
Fixes: https://pagure.io/freeipa/issue/9248
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
oauth2_on_child_readable() does not use the main verto context and used
to drop the argument name to signify that. This is a feature of C2X
standard by default and is not enabled in gcc before 11 by default (it
is enabled in RHEL 8's gcc 8.5).
Add a simple 'if the context is missing, get out' code to use 'ctx'.
This allows to avoid enabling C2X features.
Initialize local pointers to prevent use before initialization on exit
paths in abnormal situations as well.
Fixes: https://pagure.io/freeipa/issue/9230
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Originally the code treated 0 as disabled. This was
changed during the review process to -1 but one remnant
was missed effetively allowing gracelimit 0 to also mean
disabled.
Add explicit tests for testing with gracelimit = 0 and
gracelimit = -1.
Also remove some extranous "str(self.master.domain.basedn)"
lines from some of the tests.
Fixes: https://pagure.io/freeipa/issue/9206
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
The user's pwd expiration was retrieved but inadvertently was never
compared to current time. So any LDAP bind, including from the
IPA API, counted against the grace period. There is no need to go
through the graceperiod code for non-expired passwords.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This had been hardcoded to debug=True but it spams the logs
with a lot of unnecessary information.
Allow it to be enabled for troubleshooting purposes but keep it
disabled by default.
Enabling debug would involve created /etc/ipa/dns.conf:
[global]
debug = True
I didn't add a more generic mechanism because for now we only need
the value of debug and it introduces a lot of type conversion
headaches. ipalib handles this automatically but to duplicate this
would be corner-case city.
Fixes: https://pagure.io/freeipa/issue/9128
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06
389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.
passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is suported for both the
global and per-group password policies.
passwordGraceUserTime is a count per-user of the number of binds.
When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.
If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.
Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.
Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.
The passwordGraceUserTime attribute is reset to 0 upon a password
reset.
user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.
Note that passwordGraceUserTime is an operational attribute.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For a well-known anonymous principal an Anonymous PKINIT method is used
which ignores the password set in the principal entry. For these
principals any defined user auth type is irrelevant, their use is
defined in RFC 6112. This gets confusing when a default user auth type
requires a particular authentication method.
When AS request for Anonymous PKINIT is used, a TGT would contain no
authentication indicator. It means we cannot apply any specific
indicator policy and must skip the checks.
Fixes: https://pagure.io/freeipa/issue/9165
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
In bind 9.17.2+ all dnssec utilities were moved to /usr/bin with
commit 4419606c9d2a52536a6dd0882ac0c7068ac27f30.
Since we only use those utilities in the specialized tool, do a fixup of
the paths in the tool.
Fixes: https://pagure.io/freeipa/issue/9157
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
This will allow custom hardened password policy to be applied.
Without this then the policy will be skipped because the UA
is not enabled.
The KDC and client will prefer SPAKE any time it is available.
For IPA this should mean we should choose hardened setting over a
default one any time SPAKE is used.
Related: https://pagure.io/freeipa/issue/9121
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When IdP configuration is provided, take it into account:
- idp-specific Kerberos ticket policy would be applied
- Presence of IdP link in a Kerberos principal entry would cause KDB to
enable `idp` pre-authentication method on KDC side.
The latter requires additional pre-authentication method supplied with
SSSD 2.7.0.
Fixes: https://pagure.io/freeipa/issue/8804
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
SSSD OIDC helper is used for negotiating with OAUTH2 or OIDC end points
of external identity providers (IdPs).
ipa-otpd daemon now is capable to take either Issuer URL or individual
endpoints and call SSSD OIDC helper accordingly.
Communication with SSSD OIDC helper can be debugged with the use of a
debug variable set in /etc/ipa/default.conf. Man page for
default.conf(5) has been updated to provide this information.
Fixes: https://pagure.io/freeipa/issue/8805
Signed-off-by: Sumit Bose <sbose@redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
When NRPC netr_ServerAuthenticate3 call is performed, a trusted AD DC
would use trusted domain account to authenticate to Samba. This means
that Samba would do internally samr_QueryUserInfo2 request with level 16
(UserControlInformation), coming to PDB module via pdb_getsampwsid()
call.
For normal user or workstation accounts we expect to have Kerberos keys
available and may be able to extract NTLM hash data from them. However,
trusted domain account is not a normal Kebreros principal. It stores TDO
credential in a different way. Since we never processed it through the
pdb_getsampwsid() call, it was not possible to retrieve the NTLM hash
for TDO account at all, hence netr_ServerAuthenticate3 call was failing.
NTLM hash is used internally in Samba. An external communication with AD
DC will use an AES-based session key that is derived from the TDO
credential. The credential itself can be treated as a plaintext here.
Fix it by adding a recognition of the trusted domain object account and
retrieve the NTLM hash from the correct attribute of the TDO.
Fixes: https://pagure.io/freeipa/issue/9134
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This is a problem since we added commit b5fbbd1 in 2019. Its logic
allowed to add RC4-HMAC keys for cifs/.. service principal but it didn't
account for the case when cifs/.. principal initiates the request.
Since ipasam only uses GETKEYTAB control, provide this extension only
here and don't allow the same for SETKEYTAB. At the point of check for
the bind DN, we already have verified that the DN is allowed to write to
the krbPrincipalKey attribute so there is no leap of faith to 'any
cifs/... principal' here.
A principal must be member of cn=adtrust
agents,cn=sysaccounts,cn=etc,$SUFFIX to allow perform this operation
Fixes: https://pagure.io/freeipa/issue/9134
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
New calls, getorigbyusername() and getorigbygroupname(), are added to
libsss_nss_idmap. They allow to query the AD specific attributes for a
user or a group directly. Besides a minor performance benefit it helps
to avoid issues if there are users and groups with the same name and the
group is not a user-private group but a real group with members.
Fixes: https://pagure.io/freeipa/issue/9127
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa_cldap_encode_netlogon() allocates memory to store binary data as part of
berval (bv_val) when processing a CLDAP packet request from a worker. The
data is used by ipa_cldap_respond() but bv_val is not freed later on.
This commit is adding the corresponding free() after ipa_cldap_respond()
is completed.
Discovered by LeakSanitizer
Fixes: https://pagure.io/freeipa/issue/9110
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Since 5d51ae5, principal keys were dropped in case user auth indicator
was not including password. Thereafter, the key removal behavior was
removed by 15ff9c8 in the context of the kdcpolicy plugin introduction.
Support for hardened pre-auth methods (FAST and SPAKE) was added in
d057040, and the removal of principal keys was restored afterwards by
f0d12b7, but not taking the new hardened auth indicator into account.
Fixes: https://pagure.io/freeipa/issue/9065
Related to: https://pagure.io/freeipa/issue/8001
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
MIT Kerberos 1.20 changes DAL interface around PAC record issuance:
sign_authdata callback is removed and replaced with issue_pac one.
The signatures are different and logic changed as well.
Prepare for KDB version 9 by moving PAC implementation into separate
source files. ipa_kdb_mspac.c is left with most of the common code.
FreeIPA supports sign_authdata callback since KDB version 6, move current
implementation to ipa_kdb_mspac_v6.c.
KDB version 8 actually changed sign_authdata interface and we accounted
to that in ipa_kdb.c with a stub that re-uses v6 version. Keep it as it
is right now.
Finally, add KDB version 9 stub files. Compiling against MIT Kerberos
1.20 does not work yet, thus explicit #error message in ipa_kdb.c. This
will be worked on later.
Related: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
New versions of MS-KILE and MS-SFU after Windows Server November 2021
security updates add PAC_REQUESTER_SID buffer check behavior:
- PAC_REQUESTER_SID should only be added for TGT requests
- if PAC_REQUESTER_SID is present, KDC must verify that the cname on
the ticket resolves to the account with the same SID as the
PAC_REQUESTER_SID. If it doesn't KDC must respond with
KDC_ERR_TKT_REVOKED
Change requester SID check to skip exact check for non-local
PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
we know about.
If requester SID is the same as in PAC, we already do cname vs PAC SID
verification.
With these changes FreeIPA works against Windows Server 2019 with
November 2021 security fixes in cross-realm S4U2Self operations.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
MS-KILE 3.3.5.6.4.8 in revision after Windows Server November 2021
security fixes added the following requirement:
- PAC_REQUESTER_SID is only added in TGT case (including referrals and
tickets to RODCs)
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Previously, ipadb_check_logon_info() was called only for cross-realm
case. Now we call it for both in-realm and cross-realm cases. In case of
the S4U2Proxy, we would be passed a PAC of the original caller which
might be a principal from the trusted realm. We cannot validate that PAC
against our local client DB entry because this is the proxy entry which
is guaranteed to have different SID.
In such case, validate the SID of the domain in PAC against our realm
and any trusted doman but skip an additional check of the DB entry in
the S4U2Proxy case.
Related: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
If the SID was explicitly set for the host or service entry, honor it
when issuing PAC. For normal services and hosts we don't allocate
individual SIDs but for cifs/... principals on domain members we do as
they need to login to Samba domain controller.
Related: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
As part of CVE-2020-25717 mitigations, Samba expects correct user
account flags in the PAC. This means for services and host principals we
should be using ACB_WSTRUST or ACB_SVRTRUST depending on whether they
run on IPA clients ("workstation" or "domain member") or IPA servers
("domain controller").
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
PAC_ATTRIBUTES_INFO PAC buffer allows both client and KDC to tell
whether a PAC structure was requested by the client or it was provided
by the KDC implicitly. Kerberos service then can continue processing or
deny access in case client explicitly requested to operate without PAC.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
CVE-2020-25721 mitigation: KDC must provide the new PAC_REQUESTER_SID
buffer with ObjectSID value associated with the requester's principal.
The mitigation only works if NDR library supports the PAC_REQUESTER_SID
buffer type. In case we cannot detect it at compile time, a warning will
be displayed at configure stage.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
CVE-2020-25721 mitigation: KDC must provide the new HAS_SAM_NAME_AND_SID
buffer with sAMAccountName and ObjectSID values associated with the
principal.
The mitigation only works if NDR library supports the
PAC_UPN_DNS_INFO_EX buffer type. In case we cannot detect it at compile
time, a warning will be displayed at configure stage.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When working with aliased entries, we need a reliable way to detect
whether two principals reference the same database entry. This is
important in S4U checks.
Ideally, we should be using SIDs for these checks as S4U requires PAC
record presence which cannot be issued without a SID associated with an
entry. This is true for user principals and a number of host/service
principals associated with Samba. Other service principals do not have
SIDs because we do not allocate POSIX IDs to them in FreeIPA. When PAC
is issued for these principals, they get SID of a domain computer or
domain controller depending on their placement (IPA client or IPA
server).
Since 389-ds always returns unique entry DN for the same entry, rely on
this value instead. We could have used ipaUniqueID but for Kerberos
principals created through the KDB (kadmin/kdb5_util) we don't have
ipaUniqueID in the entry.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
If the principal entry in LDAP has SID associated with it, store it to
be able to quickly assess the SID when processing PAC.
Also rename string_to_sid to IPA-specific version as it uses different
prototype than Samba version.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Robert Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
If a client sends a request to lookup an object from a given trusted
domain by UID or GID and an object with matching ID is only found in a
different domain the extdom should return LDAP_NO_SUCH_OBJECT to
indicate to the client that the requested ID does not exists in the
given domain.
Resolves: https://pagure.io/freeipa/issue/8965
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When LDAP server disconnects ipa-otpd client connection due to a
timeout, ipa-otpd instance would stop and report an issue. This confuses
systemd service reporting, so for these situations we better to shut
down gracefully.
Fixes: https://pagure.io/freeipa/issue/6587
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
When dnssec role is removed from the local node, the uninstaller
creates a new replica key and marks the older replica keys as disabled
(both in the local HSM and in LDAP).
If ipa-ods-exporter runs in the middle of this operation, the old replica
key may be disabled in the local HSM but not yet in LDAP and
ipa-ods-exporter believes that it is a new replica key that needs to be
imported from LDAP to local hsm. The op fails as there is already the key
in the local HSM.
The error can be ignored, ipa-ods-exporter simply needs to log a warning.
Fixes: https://pagure.io/freeipa/issue/8654
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When a master key is missing from the local HSM, ipa-ods-exporter crashes.
This can happen when the DNSSEC master role is moved from one node to
another with the following scenario:
- install server1 with dns + dnssec
- install server2 without dns
- disable dnssec from server1
- install dns + dnssec on server2
With the above scenario, server2 never had the opportunity to get
the master key (this happens only when the replica is already
configured as DNS server and has put its public replica key in LDAP +
the current DNSSEC master wraps its master key with the replica key).
ipa-ods-exporter can only log an error instead of crashing.
Related: https://pagure.io/freeipa/issue/8654
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
