Commit Graph

3261 Commits

Author SHA1 Message Date
François Cami
c0cf65c4f7 Move ipa-client-automount.in and ipactl into modules
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-28 10:53:07 +02:00
Alexander Bokovoy
7af4c7d472 adtrust upgrade: fix wrong primary principal name, part 2
Second part of the trust principals upgrade

For existing LOCAL-FLAT$@REMOTE object, convert it to
krbtgt/LOCAL-FLAT@REMOTE and add LOCAL-FLAT$@REMOTE as an alias. To do
so we need to modify an entry content a bit so it is better to remove
the old entry and create a new one instead of renaming.

Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-06-27 16:50:15 +03:00
Alexander Bokovoy
34bfffd1be adtrust upgrade: fix wrong primary principal name
Upgrade code had Kerberos principal names mixed up: instead of creating
krbtgt/LOCAL-FLAT@REMOTE and marking LOCAL-FLAT$@REMOTE as an alias to
it, it created LOCAL-FLAT$@REMOTE Kerberos principal and marked
krbtgt/LOCAL-FLAT@REMOTE as an alias.

This differs from what Active Directory expects and what is created by
ipasam plugin when trust is established. When upgrading such deployment,
an upgrade code then unexpectedly failed.

Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-26 10:50:45 +02:00
Florence Blanc-Renaud
e9c4dcdb85 stageuser-find: fix search with non-posix user
ipa stageuser-find fails to return a staged user if it does not
contain the posixaccount objectclass.
The code is replacing the search filter (objectclass=posixaccount)
with (|(objectclass=posixaccount)(objectclass=inetorgperson)) so it
should work in theory.
The issue is that on python2 the filter has been hexlified before
reaching the stageuser plugin, hence filter.replace does not recognize
the pattern (objectclass=posixaccount).
The fix consists in creating the filter with a call to
ldap.make_filter_from_attr()
that will hexlify too, if needed.

Fixes: https://pagure.io/freeipa/issue/7983
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-25 11:02:59 -04:00
Rob Crittenden
0184e967e5 Log the raised message when DNS check_zone_overlap fails
The check can fail for a lot of other reasons than there is
overlap so the error should be logged.

This causes confusion when --auto-reverse is requested and
some lookup fails causing the reverse to not be created.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-06-24 14:04:03 +02:00
Stanislav Levin
d86b57c057 Make use of the single configuration point for the default shells
For now all the default shells of users and admin are hardcoded in
different parts of the project. This makes it impossible to run the
test suite against the setup, which has the default shell differed
from '/bin/sh'.

The single configuration point for the shell of users and admin is
added to overcome this limitation.

Fixes: https://pagure.io/freeipa/issue/7978
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-19 11:39:51 +02:00
Christian Heimes
c027b9334b Fix CustodiaClient ccache handling
A CustodiaClient object has to the process environment a bit, e.g. set
up GSSAPI credentials. To reuse the credentials in libldap connections,
it is also necessary to set up a custom ccache store and to set the
environment variable KRBCCNAME temporarily.

Fixes: https://pagure.io/freeipa/issue/7964
Co-Authored-By: Fraser Tweedale <ftweedal@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-06-18 10:36:24 +10:00
Fraser Tweedale
854d3053e2 Handle missing LWCA certificate or chain
If lightweight CA key replication has not completed, requests for
the certificate or chain will return 404**.  This can occur in
normal operation, and should be a temporary condition.  Detect this
case and handle it by simply omitting the 'certificate' and/or
'certificate_out' fields in the response, and add a warning message
to the response.

Also update the client-side plugin that handles the
--certificate-out option.  Because the CLI will automatically print
the warning message, if the expected field is missing from the
response, just ignore it and continue processing.

** after the Dogtag NullPointerException gets fixed!

Part of: https://pagure.io/freeipa/issue/7964

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-06-18 10:36:24 +10:00
Rob Crittenden
f606d82024 Stop using 389-ds legacy backup and restoration utilities
Use dsctl instead, the modern replacement for ldif2db, db2ldif,
bak2db and db2bak.

https://pagure.io/freeipa/issue/7965

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-05 13:18:45 -04:00
Fraser Tweedale
f30f040dca avoid realm_to_serverid deprecation warning
ipaserver.installutils.realm_to_serverid was deprecated.  Use
ipapython.ipaldap.realm_to_serverid instead.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
162dce1c70 ipa-cert-fix: fix spurious renewal master change
We only want to become the renewal master if we actually renewed a
shared certificate.  But there is a bug in the logic; even if the
only Dogtag certificate to be renewed is the 'sslserver' (a
non-shared certificate), the renewal master will be reset.  Fix the
bug.

A static type system would have excluded this bug.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
582cc7da1d ipa-cert-fix: handle 'pki-server cert-fix' failure
When DS cert is expired, 'pki-server cert-fix' will fail at the
final step (restart).  When this case arises, ignore the
CalledProcessError and continue.

We can't know for sure if the error was due to failure of final
restart, or something going wrong earlier.  But if it was a more
serious failure, the next step (installing the renewed IPA-specific
certificates) will fail.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
e41b7457f3 ipa-cert-fix: use customary exit statuses
It is customary to return 2 when IPA is not configured, and 1 when
other required bits are not installed or configured.  Update
ipa-cert-fix exit statuses accordingly.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
09aa3d1f76 Add ipa-cert-fix tool
The ipa-cert-fix tool wraps `pki-server cert-fix`, performing
additional certificate requests for non-Dogtag IPA certificates and
performing additional actions.  In particular:

- Run cert-fix with arguments particular to the IPA deployment.

- Update IPA RA certificate in the ipara user entry (if renewed).

- Add shared certificates (if renewed) to the ca_renewal LDAP
  container for replication.

- Become the CA renewal master if shared certificates were renewed.
  This ensures other CA replicas, including the previous CA renewal
  master if not the current host, pick up those new certificates
  when Certmonger attempts to renew them.

Fixes: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
a3becc76dd constants: add ca_renewal container
Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
c28a42e27e cainstance: add function to determine ca_renewal nickname
The ipa-cert-fix program needs to know where to put shared
certificates.  Extract the logic that computes the nickname from
dogtag-ipa-ca-renew-agent to new subroutine
cainstance.get_ca_renewal_nickname().

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
a2a006c746 Extract ca_renewal cert update subroutine
When the CA renewal master renews certificates that are shared
across CA replicas, it puts them in LDAP for the other CA replicas
to see.  The code to create/update these entries lives in the
dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for
the ipa-cert-fix program too.  Extract it to a subroutine in the
cainstance module.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Alexander Bokovoy
ef67dece52 ldap2.can_read: fix py3 compatibility
As with commit b37d18288d, can_read() method does not need to decode
a string in Python 3. can_read() wasn't used anywhere in the code,
apparently.

Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Alexander Bokovoy
53a0fa9130 LDAPCreate: allow callers to override objectclasses
LDAPCreate class explicitly allows use of --setattr/--addattr options to
pass-in additional configuration or override some of the framework
decisions. However, changes to objectclasses are ignored.

We have a number of plugins where additional attributes and their values
are generated at creation time. For example, ipa-sidgen plugin generates
ipaNTSecurityIdentifier value on LDAP ADD operation when objectclasses
include a specific object class and some other attributes (uidNumber,
gidNumber) do present in the LDAP mods.

Allow to override object-specific LDAP objectclasses by the
--setattr/--addattr option values.

Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Thierry Bordaz
67490acb04 Switch nsslapd-unhashed-pw-switch to nolog
389-ds will change the default value of nsslapd-unhashed-pw-switch from 'on' to 'off'
For new or upgraded IPA instance, in case of winsync deployment the attribute is set
to 'on' and a warning is displayed.  Else the attribute is set to 'nolog'

https://pagure.io/freeipa/issue/4812

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-24 12:42:51 +02:00
Tibor Dudlák
e3f35843dc
Moving prompt for NTP options to install_check
In a interactive installation of freeipa server a promt asks for NTP related
options after install_check has been called. As it may cause confusion to users
moving to install_check methods where the prompt for other options is being done.
Refactored sync_time() method to use passed parameters ntp_servers and ntp_pool.

Resolves: https://pagure.io/freeipa/issue/7930
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
2019-05-22 18:20:22 +02:00
Florence Blanc-Renaud
9cd88587e4 CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA
Commit fa50068 introduced a regression. Previously, the
upgrade plugin upload_cacrt was setting the attribute
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN

After commit fa50068, the value is not set any more. As a
consequence, the LDAP entry is not identified as the CA and
CA renewal does not update the entry
cn=CAcert,cn=certificates,cn=ipa,cn=etc,BASEDN.

RHEL 6 client rely on this entry to retrieve the CA and
client install fails because cn=CAcert is out-of-date.

The fix makes sure that upload_cacrt plugin properly sets
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN

Fixed: https://pagure.io/freeipa/issue/7928
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-22 17:53:13 +02:00
Rob Crittenden
6662e99e17 Add knob to limit hostname length
On Linux systems the length limit for hostnames is hardcoded
at 64 in MAXHOSTNAMELEN

Solaris, for example, allows 255 characters, and DNS allows the
total length to be up to 255 (with each label < 64).

Add a knob to allow configuring the maximum hostname length (FQDN)

The same validators are used between hosts and DNS to apply
the knob only when dealing with a FQDN as a hostname.

The maxlen option is included so installers can limit the length
of allowed hostnames when the --hostname option is used.

https://pagure.io/freeipa/issue/2018

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-16 14:38:43 -04:00
Florence Blanc-Renaud
a425448914 Fix expected file permissions for ghost files
File permissions from the rpm freeipa-server-common and
freeipa-client-common do not match the runtime permissions. This results
in mode failures on rpm -Va.
Fix the expected file permissions on rpm spec file for
/var/lib/ipa/pki-ca/publish
/var/named/dyndb-ldap/ipa
/etc/ipa/pwdfile.txt
/etc/pki/ca-trust/source/ipa.p11-kit
(new format SQLite)
/etc/ipa/nssdb/cert9.db
/etc/ipa/nssdb/key4.db
/etc/ipa/pkcs11.txt
(old format DBM)
/etc/ipa/cert8.db
/etc/ipa/key3.db
/etc/ipa/secmod.db

The commit also fixes the file permissions for
/etc/httpd/conf.d/ipa-pki-proxy.conf (644)
during server installation, and the group ownership.

Fixes: https://pagure.io/freeipa/issue/7934
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-16 14:28:00 +02:00
Alexander Bokovoy
98b4c710d9 upgrade: adtrust - catch empty result when retrieving list of trusts
Upgrade failure when ipa-server-upgrade is being run on a system with no
trust established but trust configured

Fixes: https://pagure.io/freeipa/issue/7939
Reviewed-By: François Cami <fcami@redhat.com>
2019-05-11 21:15:37 +02:00
François Cami
5331510eab ipa_backup.py: replace /var/lib/ipa/backup with paths.IPA_BACKUP_DIR
/var/lib/ipa/backup is defined in ipaplatform.paths as paths.IPA_BACKUP_DIR
Remove all instances of /var/lib/ipa/backup/ in ipa_backup.py.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-07 09:08:40 +02:00
François Cami
e6415ec321 ipa-backup: better error message if ENOSPC
When the destination directory cannot store the complete backup
ipa-backup fails but does not explain why.
This commit adds error-checking to db2ldif(), db2bak() and
finalize_backup() and enhances the error message.

Fixes: https://pagure.io/freeipa/issue/7647
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Tibor Dudlák <tdudlak@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-05-07 09:00:42 +02:00
Alexander Bokovoy
294aa3a333 Revert "Require a minimum SASL security factor of 56"
This reverts commit 3509545897.

We cannot force increase in minimum SASL security factor until our
consumers are ready to deal with it. Unfortunately, realmd uses
anonymous connection for discovery and validation of IPA LDAP server.

The way it is done is fragile (it doesn't take into account an
advertised IPA version, only checks that 'IPA' string exists in the info
field) but since bumping of minimum SSF prevents reading IPA info field
using anonymous connection, client enrollment fails.

We should get back to bumping minimum SSF after realmd and other
potential consumers are fixed.

Reviewed-By: François Cami <fcami@redhat.com>
2019-05-02 11:39:23 +02:00
Christian Heimes
3c98187988 Consider configured servers as valid
Under some conditions, ipa config-show and several other commands were
failing with error message:

  ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled

Amongst others the issue can be caused by a broken installation, when
some services are left in state 'configuredServices'. The problem even
block uninstallation or removal of replicas. Now configured servers are
also consider valid providers for associated roles.

A new test verifies that config-show works with hidden and configured HTTP
service.

Remark: The original intent of the sanity check is no longer clear to me. I
think it was used to very that all services can be started by ipactl.
Since ipactl starts hidden, configured, and enabled services, the new
logic reflect the fact, too.

Fixes: https://pagure.io/freeipa/issue/7929
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-29 16:51:40 +02:00
Christian Heimes
4f3c4f87a1 Guard dbus.start() with dbus.is_running()
Some platforms like Debian protect the dbus.service with
RefuseManualStart=True. "systemctl start dbus" fails with operation
refused (it is configured to refuse manual start/stop). On Fedora
"systemctl start dbus" is a no-op when dbus is already running.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:47:51 +02:00
Christian Heimes
beffa7bcda Move Custodia secrets handler to scripts
Implement the import and export handlers for Custodia keys as external
scripts. It's a prerequisite to drop DAC override permission and proper
SELinux rules for ipa-custodia.

Except for DMLDAP,  handlers no longer run as root but as handler
specific users with reduced privileges. The Dogtag-related handlers run
as pkiuser, which also help with HSM support.

The export and import handles are designed to be executed by sudo, too.
In the future, ipa-custodia could be executed as an unprivileged process
that runs the minimal helper scripts with higher privileges.

Fixes: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:09:22 +02:00
Christian Heimes
a22b4a35f2 chmod SYSTEMD_PKI_TOMCAT_IPA_CONF
Change the permission of the new config file
/etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf to 644.
This fixes the systemd warning

Configuration file /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 09:56:44 +02:00
Oleg Kozlov
23d5c05232 Check have packages for extra features been installed before restoring backup
`iparestore --full` should check that packages for extra features such as dns and adtrust are installed in the system before restoring a backup in case the backup includes content for these features. If the packages are not installed full backup should be refused and an error message with suggestions should be showed.

If corresponding packages for these features are not installed before the backup restoring, it may cause a situation when the packages are going to be installed after the restoring. In that case configuration files restored by `ipa-restore` will be replaced by default configuration files if the files are tracked by `rpm`. E.g. if `freeipa-server-trust-ad` is not installed before `ipa-restore --full` running, when the package will be installed it also will bring `samba` package according to the dependencies. At `samba` installation step exist correct `/etc/samba/smb.conf` is going to be replaced by the default one from the `samba` package.

Fixes: https://pagure.io/freeipa/issue/7630
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-25 14:47:09 +02:00
Christian Heimes
74e09087ed Globally disable softhsm2 in p11-kit-proxy
The p11-kit configuration injects p11-kit-proxy into all NSS databases.
Amongst other p11-kit loads SoftHSM2 PKCS#11 provider. This interferes
with 389-DS, certmonger, Dogtag and other services. For example certmonger
tries to open OpenDNSSEC's SoftHSM2 token, although it doesn't use it at
all. It also breaks Dogtag HSM support testing with SoftHSM2.

IPA server does neither need nor use SoftHSM2 proxied by p11-kit.

Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-25 12:53:08 +02:00
Christian Heimes
8686cd3b4b Pass token_name to certmonger
For HSM support, IPA has to pass the token name for CA and subsystem
certificates to certmonger. For now, only the default 'internal' token is
supported.

Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-25 08:57:58 +02:00
Alexander Bokovoy
b2c5691e73 Enforce SMBLoris attack protection in default Samba configuration
See https://access.redhat.com/security/vulnerabilities/smbloris for
details.

There is no recommended value but for IPA DC we can limit with 1000
concurrent connections from unrelated clients.

Related: https://pagure.io/freeipa/issue/6951
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 15:47:19 -04:00
Alexander Bokovoy
4ba888694b Set idmap config for Samba to follow IPA ranges and use SSSD
Implicit idmap configuration in Samba was changed in Samba 4.7 to always
require range definition. A default ('*') idmap configuration lacks any
range and thus is marked by testparm utility as invalid one.

Since we do not expect Samba allocating any IDs, idmap configuration
needs to be set in a such way that it is correct from Samba side and is
effectively disabling any allocation on those domains that we don't need
to handle.

Note that 'idmap config <domain> : range' parameter accepts range in a
special format with spaces 'begin - end', so we have to keep the
formatting of the range exact.

Related: https://pagure.io/freeipa/issue/6951
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 15:47:19 -04:00
Christian Heimes
d703f3dbcb Debian: Fix replicatio of light weight sub CAs
The path to ipa-pki-retrieve-key was hard-coded, which broke replication
of light weight sub CA keys.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
edaea8865f Add ODS manager abstraction to ipaplatform
OpenDNSSEC 1.4 and 2.x use different commands to initialize kasp.db and
manage zones. ipaplatform.tasks abstracts the commands.

Note: I added the logic to the base task instead of having different
implementations for Red Hat and Debian platforms. Eventually Fedora is
going to move to OpenDNSSEC 2.x, too. The design will make it easier to
support OpenDNSSEC 2.x on Fedora.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
750e658dba Debian: Add fixes for OpenDNSSEC 2.0
Debian/Ubuntu use OpenDNSSEC 2.0, which has different commands to manage
zones and keys.

Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
da2cf1c513 Debian: Add paths for open-sans and font-awesome
Debian has different paths and path suffix for font-awesome. Let's have
explicit paths for all our fonts.

Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
3f9e23f125 Add ExecStartPost hook to wait for Dogtag PKI
Dogtag PKI typically takes around 10 seconds to start and respond to
requests. Dogtag uses a simple systemd service, which means systemd is
unable to detect when Dogtag is ready. Commands like ``systemctl start``
and ``systemctl restart`` don't block and wait until the CA is up. There
have been various workarounds in Dogtag and IPA.

Systemd has an ExecStartPost hook to run programs after the main service
is started. The post hook blocks systemctl start and restart until all
post hooks report ready, too. The new ipa-pki-wait-running script polls
on port 8080 and waits until the CA subsystem returns ``running``.

Related: https://pagure.io/freeipa/issue/7916
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-24 09:09:28 +02:00
Christian Heimes
80928ba6f5 Use Network Manager to configure resolv.conf
IPA used to write a custom /etc/resolv.conf. On Fedora and RHEL,
NetworkManager is typically maintaining resolv.conf. On reboot or
restart of the service, NM overwrites the custom settings.

On systems with NM enabled, the DNS server installer now drops a config
file into NM's global config directory and delegates resolv.conf to NM.

On systems without NM, fall back to create /etc/resolv.conf directly.

Fixes: https://pagure.io/freeipa/issue/7900
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-04-16 10:45:59 +02:00
Florence Blanc-Renaud
b79ea6a6e9 Fix wrong evaluation of attributes in check_repl_update
The method check_repl_update in ipaserver/install/replication.py badly
handles the attributes nsds5ReplicaLastUpdateStart and
nsds5ReplicaLastUpdateEnd as it expects them to contain an int.
These attributes are defined as GeneralizedTime
(OID 1.3.6.1.4.1.1466.115.121.1.24, for instance
nsds5ReplicaLastUpdateEnd='20190412122523Z') but older versions of 389-ds can
also return the value 0 for uninitialized values (see 389-ds ticket 47836).
The code must be able to handle the generalized time format or the 0 value.

The fix removes the 'Z' from the GeneralizedTime and converts to an int,
or assigns 0.

Fixes: https://pagure.io/freeipa/issue/7909
Reviewed-By: François Cami <fcami@redhat.com>
2019-04-15 12:05:22 +02:00
François Cami
d68fe6b981 ipaserver/install/cainstance.py: unlink before creating new file in /tmp
When fs.protected_regular=1 root cannot open temp files that
are owned by other users read-write.
So unlink temporary file before shutil.copy to it.

Fixes: https://pagure.io/freeipa/issue/7907
Signed-off-by: François Cami fcami@redhat.com
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-11 13:56:15 +02:00
François Cami
cf42dc1f29 ipaserver/install/krainstance.py: chown after write
When fs.protected_regular=1 root cannot open temp files that
are owned by other users read-write.
So move os.chown after write.

Refactoring suggested by Christian Heimes.

Fixes: https://pagure.io/freeipa/issue/7906
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-11 10:04:00 +02:00
Christian Heimes
dba89712c6 Verify pki ini override early
ipa-server-install now verifies the pki ini override file earlier

Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-10 13:43:23 +02:00
Christian Heimes
94937424b1 Simplify and consolidate ipaca.ini
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-10 13:43:23 +02:00
Christian Heimes
dd47cfc75a Add pki.ini override option
Allow to specify a pki.ini overlay file on the command line. The override
file can be used to override pkispawn settings.

Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-10 13:43:23 +02:00
Christian Heimes
f847d7756f Use new pki_ipaca.ini to spawn instances
Note: Some configuration stanzas are deprecated and have been replaced
with new stanzas, e.g. pki_cert_chain_path instead of
pki_external_ca_cert_chain_path.

Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-10 13:43:23 +02:00
Christian Heimes
8a5dc1b375 Adapt cert-find performance workaround for users
ipa cert-find --users=NAME was slow on system with lots of certificates.
User certificates have CN=$username, therefore the performance tweak
from ticket 7835 also works for user certificates.

Related: https://pagure.io/freeipa/issue/7835
Fixes: https://pagure.io/freeipa/issue/7901
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-04-09 09:13:27 +02:00
Alexander Bokovoy
cb0f24bfe2 Bypass D-BUS interface definition deficiences for trust-fetch-domains
In oddjobd it is possible to pass arguments as command line or on the
stdin. We use command line to pass them but the way oddjobd registers
the D-BUS method signatures is by specifying all arguments as mandatory.

Internally, oddjobd simply ignores if you passed less arguments than
specified in the D-BUS defition. Unfortunately, it is not possible to
specify less than maximum due to D-BUS seeing all arguments in the
list (30 is defined for the trust-fetch-domains).

To pass options, have to pad a list of arguments to maximum with empty
strings and then filter out unneeded ones in the script. Option parser
already removes all options from the list of arguments so all we need to
do is to take our actual arguments. In case of trust-fetch-domains, it
is the name of the domain so we can only care about args[0].

Fixes: https://pagure.io/freeipa/issue/7903
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-04-08 17:51:38 +02:00
Alexander Bokovoy
0c50cc3956 Remove DsInstance.request_service_keytab as it is not needed anymore
DsInstance.request_service_keytab() used to configure
/etc/sysconfig/dirsrv which is not needed anymore with 389-ds-base
1.4.1.2. Thus, the method became indistinguishable from the parent and
can be removed completely.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-07 12:26:09 +02:00
Christian Heimes
3c354e74f3 Verify external CA's basic constraint pathlen
IPA no verifies that intermediate certs of external CAs have a basic
constraint path len of at least 1 and increasing.

Fixes: https://pagure.io/freeipa/issue/7877
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-04 10:05:10 +02:00
Christian Heimes
3509545897
Require a minimum SASL security factor of 56
SSF_MINX 56 level ensures data integrity and confidentiality for SASL
GSSAPI and SASL GSS SPNEGO connections.

Although at least AES128 is enforced pretty much everywhere, 56 is required
for backwards compatibility with systems that announce wrong SSF.

Related: https://pagure.io/freeipa/issue/7140
Related: https://pagure.io/freeipa/issue/4580
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-04-03 15:16:21 +02:00
Christian Heimes
1dfac4f5b7 Move DS's Kerberos env vars to unit file
The IPA specific env vars KRB5_KTNAME and KRB5CCNAME are now defined in
a instance specific ipa-env.conf unit file.

Fixes: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-02 19:35:38 +02:00
Christian Heimes
e4621f1204 Add tasks.systemd_daemon_reload()
systemd daemon must be reloaded after a config file is added, changed,
or removed. Provide a common API endpoint in ipaplatform.tasks.

Related: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-02 19:35:38 +02:00
Alexander Bokovoy
de4a9875d4 oddjob: allow to pass options to trust-fetch-domains
Refactor com.redhat.idm.trust-fetch.domains oddjob helper to allow
passing administrative credentials and a domain controller to talk to.

This approach allows to avoid rediscovering a domain controller in case
a user actually specified the domain controller when establishing trust.

It also allows to pass through admin credentials if user decides to do
so. The latter will be used later to allow updating trust topology in a
similar oddjob helper.

Resolves: https://pagure.io/freeipa/issue/7895
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-01 13:27:41 +02:00
Florence Blanc-Renaud
23ae171d97 ipa-setup-kra: fix python2 parameter
ipa-setup-kra is failing in python2 with
invalid 'role_servrole': must be Unicode text
because of a unicode conversion error.

The method api.Command.server_role_find is called with the parameter
role_servrole='IPA master' but it should rather be
role_servrole=u'IPA master'

Fixes: https://pagure.io/freeipa/issue/7897
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-01 12:55:46 +02:00
Florence Blanc-Renaud
d60122f9fb ipa-server-upgrade: fix add_systemd_user_hbac
During upgrade, the method add_systemd_user_hbac is creating
a hbacsvc and a hbacrule, but fails in python2 because of
unicode conversion errors.
The arguments should be defined as u'value'.

Fixes: https://pagure.io/freeipa/issue/7896
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-01 12:35:42 +02:00
Oleg Kozlov
5b337a54ee Show a notification that sssd needs restarting after idrange-mod
If the `ipa idrange-mod` command has been used show a notification that sssd.service needs restarting. It's needed for applying changes. E.g. after setup AD trust with a domain with more than 200000 objects (the highest RID > idm's default value, 200000) users with RIDs > 200000 are not able to login, the size needs to be increased via idrange-mod, but it makes an effect only after sssd restarting.

Implementation:
Notification was implemented via passing `ipalib.messages.ServiceRestartRequired` to `add_message` method in `ipaserver.plugins.idrange.idrange_mod.post_callback`.

Tests:
Added `messages` with sssd restart required (`ipalib.messages.ServiceRestartRequired`) to cases with idrange_mod where output is expected in `ipatests.test_xmlrpc.test_range_plugin.test_range'.

Fixes: https://pagure.io/freeipa/issue/7708
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-03-29 14:04:04 +01:00
Christian Heimes
713c9b0ce8 Don't fail if config-show does not return servers
When uninstalling a cluster and only hidden servers are left,
config-show can return a result set without ipa_master_server entry.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Christian Heimes
8b1bb211c4 Synchronize hidden state from IPA master role
ipa-{adtrust|ca|dns|kra}-install on a hidden replica also installs the
new service as hidden service.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Christian Heimes
e7e0f190bb Don't allow to hide last server for a role
DNSSec key master and CA renewal master can't be hidden. There must be
at least one enabled server available for each role, too.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Christian Heimes
56d97f942b Improve config-show to show hidden servers
config-show only used to show enabled servers. Now also show hidden
servers on separate lines. Additionally include information about
KRA and DNS servers.

The augmented config-show output makes it easier to diagnose a cluster
and simplifies sanity checks.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Christian Heimes
d810e1ff2f Consider hidden servers as role provider
Hidden services are now considered as associated role providers, too. This
fixes the issue of:

    invalid 'PKINIT enabled server': all masters must have IPA
    master role enabled

and similar issues with CA and DNS.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Christian Heimes
94b86354b5 Implement server-state --state=enabled/hidden
server-state modified the hidden / enabled flags of all configured
services of a server. Since the command does not directly modify the
server LDAP entry, the command has to be implemented as a dedicated plugin.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Christian Heimes
025facb85c Add hidden replica feature
A hidden replica is a replica that does not advertise its services via
DNS SRV records, ipa-ca DNS entry, or LDAP. Clients do not auto-select a
hidden replica, but are still free to explicitly connect to it.

Fixes: https://pagure.io/freeipa/issue/7892
Co-authored-by: Francois Cami <fcami@redhat.com>:
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Alexander Bokovoy
18cb30d463 upgrade: upgrade existing trust agreements to new layout
Existing trust agreements will lack required Kerberos principals and
POSIX attributes expected to allow Active Directory domain controllers
to query IPA master over LSA and NETLOGON RPC pipes.

Upgrade code is split into two parts:
 - upgrade trusted domain object to have proper POSIX attributes
 - generate required Kerberos principals for AD DC communication

Fixes: https://pagure.io/freeipa/issue/6077
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-03-28 14:08:19 +01:00
Christian Heimes
e9fd8adf59 Consolidate container_masters queries
Replace manual queries of container_masters with new APIs get_masters()
and is_service_enabled().

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-03-28 00:21:00 +01:00
Christian Heimes
d76dccc0b6 Use api.env.container_masters
Replace occurences of ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc')
with api.env.container_masters.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-03-28 00:21:00 +01:00
Christian Heimes
52e5ef81a5
replica install: acknowledge ca_host override
Fixup for commit c0fd5e39c7. Only set
ca_host to source master hostname if ca_host points to the local host.
This permits users to override ca_host in /etc/ipa/default.conf when
installing a replica.

Related: https://pagure.io/freeipa/issue/7744
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-03-27 15:09:30 +01:00
Stanislav Levin
e5244fbeda Completely drop /var/cache/ipa/sessions
This directory has been already dropped in @6d66e826c,
but not entirely.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-03-25 09:49:45 +01:00
Alexander Bokovoy
b9dc975777 domainlevel-get: fix various issues when running as non-admin
Use proper filter that is caught up by the ACI for 'permission:System:
Read Domain Level' to allow any authenticated user to see the domain
level.

If the server doesn't have domain level set, callers in replica
installer expect errors.NotFound but never get it.

Return the right exception here and change the other caller to follow
the same convention.

Inability to retrieve ipaDomainLevel attribute due to a filter mismatch
casues ipa-replica-install to fail if run as a replica host principal.

Use DOMAIN_LEVEL_0 constant instead of 0 as used by the rest of the code.

Fixes: https://pagure.io/freeipa/issue/7876
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-03-25 09:48:31 +01:00
Florence Blanc-Renaud
2e73c964e5 ipa server: prevent uninstallation if the server is CRL master
If ipa-server-install --uninstall is called on a server that
is CRL generation master, refuse uninstallation unless
--ignore-last-of-role is specified or (in interactive mode)
the admin is OK to force uninstallation.

Related to https://pagure.io/freeipa/issue/5803

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-03-14 09:39:55 +01:00
Florence Blanc-Renaud
0d23fa9278 CRL generation master: new utility to enable|disable
Implement a new command ipa-clrgen-manage to enable, disable, or check
the status of CRL generation on the localhost.
The command automates the manual steps described in the wiki
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

Fixes: https://pagure.io/freeipa/issue/5803
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-03-14 09:39:55 +01:00
François Cami
f90a4b9554 ipa-{server,replica}-install: add too-restritive mask detection
If the mask used during the installation is "too restrictive", ie.0027,
installing FreeIPA results in a broken server or replica.
Check for too-restrictive mask at install time and error out.

Fixes: https://pagure.io/freeipa/issue/7193
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-03-13 16:09:24 +01:00
Fraser Tweedale
8327e11b6b cert-request: handle missing zone
SAN IP address validation, while determining the zone for a DNS name
or IP address, does not handle missing zones.  The resulting
dns.resolver.NoNameservers exception is not caught.  As a result,
InternalError is returned to client.

Update cert-request IP address name validation to handle this case.

Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-03-08 18:17:36 +11:00
Fraser Tweedale
a65c12d042 cert-request: more specific errors in IP address validation
Update the IP address validation to raise different error messages
for:

- inability to reach IP address from a DNS name
- missing PTR records for IP address
- asymmetric PTR / forward records

If multiple scenarios apply, indicate the first error (from list
above).

The code should now be a bit easier to follow.  We first build dicts
of forward and reverse DNS relationships, keyed by IP address.  Then
we check that entries for each iPAddressName are present in both
dicts.  Finally we check for PTR-A/AAAA symmetry.

Update the tests to check that raised ValidationErrors indicate the
expected error.

Part of: https://pagure.io/freeipa/issue/7451

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-03-04 19:35:49 +01:00
Fraser Tweedale
e37c025dac cert-request: report all unmatched SAN IP addresses
During SAN validation, it is possible that more than one
iPAddressName does not match a known IP address for the DNS names in
the SAN.  But only one unmatched IP address is reported.  Update the
error message to mention all unmatched iPAddressName values.

Part of: https://pagure.io/freeipa/issue/7451

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-03-04 19:35:49 +01:00
Fraser Tweedale
9c750f0738 cert-request: generalise _san_dnsname_ips for arbitrary cname depth
Generalise _san_dnsname_ips to allow arbitrary cname depths.  This
also clarifies the code and avoids boolean blindness.  Update the
call site to maintain the existing behvaiour (one cname allowed).

Part of: https://pagure.io/freeipa/issue/7451

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-03-04 19:35:49 +01:00
Fraser Tweedale
eb70e64c0b cert-request: collect only qualified DNS names for IPAddress validation
Collect only qualified DNS names for IPAddress validation.  This is
necessary because it is undecidable whether the name 'ninja' refers
to 'ninja.my.domain.' or 'ninja.' (assuming both exist).  Remember
that even a TLD can have A records.

Now that we are only checking qualified names for the purpose of
IPAddressName validation, remove the name length hack from
_san_dnsname_ips().

Part of: https://pagure.io/freeipa/issue/7451

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-03-04 19:35:49 +01:00
Fraser Tweedale
8ec4868a64 cert-request: restrict IPAddress SAN to host/service principals
Part of: https://pagure.io/freeipa/issue/7451

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-03-04 19:35:49 +01:00
Ian Pilcher
dccb2e0eb8 Allow issuing certificates with IP addresses in subjectAltName
Allow issuing certificates with IP addresses in the subject
alternative name (SAN), if all of the following are true.

* One of the DNS names in the SAN resolves to the IP address
  (possibly through a CNAME).
* All of the DNS entries in the resolution chain are managed by
  this IPA instance.
* The IP address has a (correct) reverse DNS entry that is managed
  by this IPA instance

https://pagure.io/freeipa/issue/7451

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-03-04 19:35:49 +01:00
Florence Blanc-Renaud
658983794c pkinit setup: fix regression on master install
The commit 7785210 intended to fix ipa-pkinit-manage enable
on a replica without any CA but introduced a regression:
ipa-server-install fails to configure pkinit with the fix.

This commit provides a proper fix without the regression:
pkinit needs to contact Dogtag directly only in case there is
no CA instance yet (for ex. because we are installing the
first master).

Fixes: https://pagure.io/freeipa/issue/7795
Reviewed-By: François Cami <fcami@redhat.com>
2019-02-20 09:18:38 +01:00
François Cami
5525322817 ipa-server-install: fix ca setup when fs.protected_regular=1
/tmp is a sticky directory. When the OS is configured with
fs.protected_regular=1, this means that O_CREATE open is forbidden
for files in /tmp if the calling user is not owner of the file,
except if the file is owned by the owner of the directory.

The installer (executed as root) currently creates a file in /tmp,
then modifies its owner to pkiuser and finally writes the pki config
in the file. With fs.protected_regular=1, the write is denied because
root is not owner of the file at this point.
The fix performs the ownership change after the file has been written.

Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=1677027

Fixes: https://pagure.io/freeipa/issue/7866
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-02-19 01:16:34 +01:00
Christian Heimes
3ec29a7f6a Disable dependency on dogtag-pki PyPI package
The dependency on 'dogtag-pki' PyPI package causes problems.

For one it's not the full pki package. It only provides the client part,
but ipaserver also needs the pki.server subpackage with pkispawn command.

The Fedora package dependency generator turns the requirement into a
package requirement, but python3-pki does not provide the package name
python3.7dist(dogtag-pki).

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-02-12 11:14:06 +01:00
Christian Heimes
e4fff90074 Use LDAPS when installing CA on replica
On a replica, 389-DS is already configured for secure connections when
the CA is installed.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-02-05 08:39:13 -05:00
Christian Heimes
a3934a211d Use new LDAPClient constructors
Replace get_ldap_uri() + LDAPClient() with new LDAPClient constructors
like LDAPClient.from_realm().

Some places now use LDAPI with external bind instead of LDAP with simple
bind. Although the FQDN *should* resolve to 127.0.0.1 / [::1], there is
no hard guarantee. The draft
https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-04#section-5.1
specifies that applications must verify that the resulting IP is a
loopback API. LDAPI is always local and a bit more efficient, too.

The simple_bind() method also prevents the caller from sending a
password over an insecure line.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-02-05 08:39:13 -05:00
Christian Heimes
5be9341fba Add constructors to ldap client
Add LDAPClient.from_realm(), LDAPClient.from_hostname_secure(), and
LDAPClient.from_hostname_plain() constructors.

The simple_bind() method now also refuses to transmit a password over a
plain, unencrypted line.

LDAPClient.from_hostname_secure() uses start_tls and FreeIPA's CA cert
by default. The constructor also automatically disables start_tls for
ldaps and ldapi connections.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-02-05 08:39:13 -05:00
Christian Heimes
d5d9233b7c Move realm_to_serverid/ldap_uri to ipaldap
The helper function realm_to_serverid() and realm_to_ldap_uri() are
useful outside the server installation framework. They are now in
ipapython.ipaldap along other helpers for LDAP handling in FreeIPA.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-02-05 08:39:13 -05:00
Christian Heimes
0b17ae905a Require 389-ds 1.4.0.21
1.4.0.21 fixes a problem with create_suffix_entry and uses
os.path.expanduser() instead of getenv('HOME').

See: https://pagure.io/389-ds-base/pull-request/50121
See: https://pagure.io/389-ds-base/issue/49984
See: https://pagure.io/389-ds-base/issue/50152
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-02-04 14:24:15 -05:00
Christian Heimes
6cd37542e6 Optimize cert remove case
The cert_remove and mod subcommands for service and host now pass in the
name to cert_find() to benefit from special cases.

See: https://pagure.io/freeipa/issue/7835
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-29 12:47:15 +01:00
Christian Heimes
ae74d348c3 Add workaround for slow host/service del
host-del and service-del are slow because cert revokation is implemented
inefficiently. The internal cert_find() call retrieves all certificates
from Dogtag.

The workaround special cases service and host find without additional RA
search options. A search for service and host certs limits the scope to
certificate with matching subject common name.

See: https://pagure.io/freeipa/issue/7835
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-29 12:47:15 +01:00
Christian Heimes
2ba969da07 Add workaround for lib389 HOME bug
lib389 <= 1.4.0.20 needs HOME env var. Temporary set env var until
lib389 is fixed.

See: https://pagure.io/389-ds-base/issue/50152
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-29 12:44:19 +01:00
Florence Blanc-Renaud
63fa87a36e replica installation: add master record only if in managed zone
Scenario: install a replica with DNS, whose IP address is part of a
forward zone.
Currently, the replica installation fails because the installer is
trying to add a A/AAAA record for the replica in the zone
when setting up the bind instance, and addition of records in a
forward zone is forbidden.

The bind installer should check if the IP address is in a master zone
(i.e. a DNS zone managed by IdM, not a forward zone), and avoid
creating the record if it's not the case.

During uninstallation, perform the same check before removing the
DNS record (if in a forward zone, no need to call dnsrecord-del).
Fixes: https://pagure.io/freeipa/issue/7369
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-01-22 16:38:59 +01:00
Stanislav Levin
e3f37960a0
Don't use cross-origin request
'Origin' for IPA login page is 'httpS://xxx'. But 'configured' link
has URL like 'http://xxx/ssbrowser.html'.

Since IPA web server doesn't use any kind of Access-Control-Allow-Origin
rules Mozilla Firefox blocks Cross-Origin request due to the Same Origin
policy violation.

So, just follow the Same Origin policy.

Fixes: https://pagure.io/freeipa/issue/7832
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2019-01-16 08:57:51 +01:00
Rob Crittenden
9b90ebf4c3 Remove 389-ds templates now that lib389 is used for installs
The templates created the inf files for calling the 389-ds
installer setup-ds.pl. Now that lib389 is being used for installation
these are no longer necessary.

Related: https://pagure.io/freeipa/issue/4491

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-01-15 09:41:22 +01:00
Christian Heimes
2ef6e14c5a Create systemd-user HBAC service and rule
authselect changed pam_systemd session from optional to required. When
the HBAC rule allow_all is disabled and replaced with more fine grained
rules, loginsi now to fail, because systemd's user@.service is able to
create a systemd session.

Add systemd-user HBAC service and a HBAC rule that allows systemd-user
to run on all hosts for all users by default. ipa-server-upgrade creates
the service and rule, too. In case the service already exists, no
attempt is made to create the rule. This allows admins to delete the
rule permanently.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-11 16:45:05 +01:00
Alexander Bokovoy
3c38aea6fc ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned
When looking through the topology of a trusted forest, we should support
all types of forest trust records. Since Samba Python bindings parse the
data into a typed structure, a type of the record has to be taken into
account or there will be type mismatch when accessing elements of the
union:

        typedef [switch_type(lsa_ForestTrustRecordType)] union {
                [case(LSA_FOREST_TRUST_TOP_LEVEL_NAME)] lsa_StringLarge top_level_name;
                [case(LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX)] lsa_StringLarge top_level_name_ex;
                [case(LSA_FOREST_TRUST_DOMAIN_INFO)] lsa_ForestTrustDomainInfo domain_info;
                [default] lsa_ForestTrustBinaryData data;
        } lsa_ForestTrustData;

        typedef struct {
                lsa_ForestTrustRecordFlags flags;
                lsa_ForestTrustRecordType type;
                NTTIME_hyper time;
                [switch_is(type)] lsa_ForestTrustData forest_trust_data;
        } lsa_ForestTrustRecord;

        typedef [public] struct {
                [range(0,4000)] uint32 count;
                [size_is(count)] lsa_ForestTrustRecord **entries;
        } lsa_ForestTrustInformation;

Each entry in the lsa_ForestTrustInformation has forest_trust_data
member but its content depends on the value of a type member
(forest_trust_data is a union of all possible structures).

Previously we assumed only TLN or TLN exclusion record which were
of the same type (lsa_StringLarge). Access to forest_trust_data.string
fails when forest_trust_data's type is lsa_ForestTrustDomainInfo as it
has no string member.

Fix the code by properly accessing the dns_domain_name from the
lsa_ForestTrustDomainInfo structure.

Fixes: https://pagure.io/freeipa/issue/7828
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-01-10 11:24:08 +01:00
Christian Heimes
3bed3d4ddb Use debug logger in ntpd_cleanup()
ipa-server-update shows spurious warnings when updating a server, e.g.

  No such file name in the index

  Warning: NTP service entry was not found in LDAP.

Lower all log levels in ntpd_cleanup() to debug to not confuse the user.

Fixes: https://pagure.io/freeipa/issue/7829
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-09 11:15:35 +01:00
Florence Blanc-Renaud
7785210533 pkinit enable: use local dogtag only if host has CA
ipa-pkinit-manage enable is failing if called on a master
that does not have a CA instance, because it is trying to
contact dogtag on the localhost.
The command should rather use certmonger in this case, and
let certmonger contact the right master to request the KDC
certificate.

Fixes: https://pagure.io/freeipa/issue/7795
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-01-09 09:51:31 +01:00
Oleg Kozlov
0e5a8fbb9b Remove stale kdc requests info files when upgrading IPA server
Added removing of stale /var/lib/sss/pubconf/kdcinfo.* and /var/lib/sss/pubconf/kpasswdinfo.* files generated by SSSD during IPA server upgrade.

Fixes: https://pagure.io/freeipa/issue/7578
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-21 15:54:00 +01:00
Florence Blanc-Renaud
c0fd5e39c7 replica install: set the same master as preferred source for domain and CA
During ipa-replica-install, the installer creates a ReplicaConfig
object that contains a config.ca_host_name attribute, built from
api.env.ca_host.
This attribute is used as preferred source when asking the DNS for a CA
master from which to initialize the CA instance
(see commit 8decef33 for master selection and preferred host).

In most of the cases, /etc/ipa/default.conf does not contain any
definition for ca_host. In this case, api.env.ca_host is set to
the local hostname.
As a consequence, replica install is trying to use the local host
as preferred source (which does not have any CA yet), and the method
to find the CA source randomly picks the CA in the DNS.

With the fix, the master picked for domain replication is also used as
preferred source for CA/KRA.

Fixes: https://pagure.io/freeipa/issue/7744
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-12-19 14:19:46 +01:00
Oleg Kozlov
f28a8177a9 Replace nss.conf with zero-length file instead of removing
Empty nss.conf avoids recreation of nss.conf in case `mod_nss` package is reinstalled. It is needed because by default (e.g. recreated) nss.conf has `Listen 8443` while this port is used by dogtag.

Fixes: https://pagure.io/freeipa/issue/7745
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-12-14 09:15:42 +01:00
Florence Blanc-Renaud
faa122a8b8 replication: check remote ds version before editing attributes
When the remote server has an old DS version, update of the
replication attributes nsds5ReplicaReleaseTimeout nsds5ReplicaBackoffMax
and nsDS5ReplicaBindDnGroupCheckInterval fails even if the remote
schema has been updated.

Check first the remote server version and update the attributes only if
the version is high enough.
A previous fix was already performing this check (commit 02f4a7a),
but not in all the cases. This fix also handles when the remote server
already has a cn=replica entry (for instance because it has already
established replication with another host).

Fixes https://pagure.io/freeipa/issue/7796

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-12-13 20:29:41 +01:00
Christian Heimes
a34d92d25c Create reindex task for ipaca DB
pkispawn sometimes does not run its indextasks. This leads to slow
unindexed filters on attributes such as description, which is used
to log in with a certificate. Explicitly reindex attribute that
should have been reindexed by CA's indextasks.ldif.

See: https://pagure.io/dogtagpki/issue/3083
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-13 17:04:00 +01:00
Christian Heimes
0fb87bfe82 LDAPUpdate: Batch index tasks
The LDAPUpdate framework now keeps record of all changed/added indices
and batches all changed attribute in a single index task. It makes
updates much faster when multiple indices are added or modified.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-13 17:04:00 +01:00
Christian Heimes
f330c59dd8 Add install/remove package helpers to advise
The smart card advise scripts assume that yum is installed. However
Fedora has dnf and the yum wrapper is not installed by default.
Installation and removal of packages is now provided by two helper
methods that detect the package manager.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 13:46:52 +01:00
Christian Heimes
0a2222ea26 Smart card auth advise: Allow Apache user
Modify the smard card auth advise script to use sssd_enable_ifp() in
order to allow Apache to access SSSD IFP.

See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 13:46:52 +01:00
Christian Heimes
917d81b832 Allow HTTPd user to access SSSD IFP
For smart card and certificate authentication, Apache's
mod_lookup_identity module must be able to acess SSSD IFP. The module
accesses IFP as Apache user, not as ipaapi user.

Apache is not allowed to use IFP by default. The update code uses the
service's ok-to-auth-as-delegate flag to detect smart card / cert auth.

See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 13:46:52 +01:00
Christian Heimes
d6fd2ad4f2 Remove dead code
set_sssd_domain_option() is no longer used. Changes are handled by
sssd_update().

See: https://pagure.io/freeipa/issue/7751
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 13:46:52 +01:00
Christian Heimes
c09927d16a Handle service_del with bad service name
The command 'ipa service-del badservice' used to fail with an internal
server error, because check_required_principal() could not handle a
principal that is not a service principal. All del commands have less
strict error checking of primary keys so they can reference any stored
key, even illegal ones.

check_required_principal() skips required principal check if the
principal is not a service principal. A non-service principal can never
be a required principal.

Fixes: https://pagure.io/freeipa/issue/7793
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 12:14:32 +01:00
Christian Heimes
97e9e009bf Resolve user/group names in idoverride*-find
ipa idoverrideuser-find and ...group-find have an --anchor argument. The
anchor argument used to support only anchor UUIDs like
':IPA:domain:UUID' or ':SID:S-sid'. The find commands now detect regular
user or group names and translate them to anchors.

Fixes: https://pagure.io/freeipa/issue/6594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-12-07 11:39:23 +01:00
Florence Blanc-Renaud
a230153837 PKINIT: fix ipa-pkinit-manage enable|disable
The command ipa-pkinit-manage enable|disable is reporting
success even though the PKINIT cert is not re-issued.
The command triggers the request of a new certificate
(signed by IPA CA when state=enable, selfsigned when disabled),
but as the cert file is still present, certmonger does not create
a new request and the existing certificate is kept.

The fix consists in deleting the cert and key file before calling
certmonger to request a new cert.

There was also an issue in the is_pkinit_enabled() function:
if no tracking request was found for the PKINIT cert,
is_pkinit_enabled() was returning True while it should not.

Fixes https://pagure.io/freeipa/issue/7200

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-05 11:06:21 +01:00
Florence Blanc-Renaud
800f2690f5 ipa upgrade: handle double-encoded certificates
Issue is linked to the ticket
 #3477 LDAP upload CA cert sometimes double-encodes the value
In old FreeIPA releases (< 3.2), the upgrade plugin was encoding twice
the value of the certificate in cn=cacert,cn=ipa,cn=etc,$BASEDN.

The fix for 3477 is only partial as it prevents double-encoding when a
new cert is uploaded but does not fix wrong values already present in LDAP.

With this commit, the code first tries to read a der cert. If it fails,
it logs a debug message and re-writes the value caCertificate;binary
to repair the entry.

Fixes https://pagure.io/freeipa/issue/7775
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-30 11:05:17 +01:00
Christian Heimes
533a5b2633 pylint 2.2: Fix unnecessary pass statement
pylint 2.2.0 has a new checker for unnecessary pass statements. There is
no need to have a pass statement in functions or classes with a doc
string.

Fixes: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2018-11-26 16:54:43 +01:00
Christian Heimes
8decef33d3 Unify and simplify LDAP service discovery
Move LDAP service discovery and service definitions from
ipaserver.install to ipaserver. Simplify and unify different
implementations in favor of a single implementation.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-21 08:57:08 +01:00
Florence Blanc-Renaud
23306a28c9
ipa-replica-install: password and admin-password options mutually exclusive
Currently it is possible to run ipa-replica-install in one step,
and provide --password and --admin-password simultaneously.
This is confusing as --password is intended for one-time pwd
when the ipa-replica-install command is delegated to a user
who doesn't know the admin password.

The fix makes --password and --admin-password options
mutually exclusive.

Fixes https://pagure.io/freeipa/issue/6353

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-20 15:12:25 +01:00
sudharsanomprakash
0c0a392dd0 Don't use deprecated Apache Access options.
httpd-2.4+ has deprecated the Order, Allow and Deny directives. Use the Require directive instead.

Signed-off-by: Sudharsan Omprakash <sudharsan.omprakash@yahoo.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-15 17:52:10 -05:00
Fraser Tweedale
a2a293ed2f Print correct subject on CA cert verification failure
In load_external_cert(), if verification fails for a certificate in
the trust chain, the error message contains the last subject name
from a previous iteration of the trust chain, instead of the subject
name of the current certificate.

To report the correct subject, look it up using the current
nickname.

Part of: https://pagure.io/freeipa/issue/7761

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-13 14:19:18 +01:00
Christian Heimes
dc2c71bff8 Fix raising-format-tuple
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Florence Blanc-Renaud
5d603fce5d radiusproxy: add permission for reading radius proxy servers
A non-admin user which has the "User Administrator" role cannot
add a user with ipa user-add --radius=<proxy> because the
call needs to read the radius proxy server entries.

The fix adds a System permission for reading radius proxy server
entries (all attributes except the ipatokenradiussecret). This
permission is added to the already existing privileges "User
Administrators" and "Stage User Administrators", so that the role
"User Administrator" can call ipa [stage]user-add|mod --radius=<proxy>

Fixes: https://pagure.io/freeipa/issue/7570
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-13 12:40:44 +01:00
Florence Blanc-Renaud
19cd960387 ipa user-add: add optional objectclass for radius-username
The command "ipa user-add --radius-username" fails with
ipa: ERROR: attribute "ipatokenRadiusUserName" not allowed
because it does not add the objectclass ipatokenradiusproxyuser
that is required by the attribute ipatokenradiususername.

The issue happens with ipa user-add / stageuser-add / user-mod / stageuser-mod.

The fix adds the objectclass when needed in the pre_common_callback method
of baseuser_add and baseuser_mod (ensuring that user and stageuser commands
are fixed).

Fixes https://pagure.io/freeipa/issue/7569

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-13 12:40:44 +01:00
Stanislav Laznicka
e8342d414d DS install: don't fail if SSL already configured
DS now comes with certain SSL capabilities turned on after
installation. Previously, we did not expect this and were
blindly forcing everything on without checking, whether it
needs turning on. This would result in failures if the
config entries are already set the way we want. Relax this
configuration.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
Stanislav Laznicka
104ef413ed DS install: fix DS asking for NSS pin during install
DS now comes with nsslapd-security turned on and its own CA
cert in its NSS database. We're re-setting the NSS database
and setting our own CA cert to it, the DS pin file therefore
needs to be updated with the new password after this reset.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
Stanislav Laznicka
56f8e20013 DS uninstall: fix serverid missing in state restore
During uninstallation, we're using serverid which we get from
sysrestore.state. This was not set in the newer install,
return it back.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
Stanislav Laznicka
ed955d14d3 Move lib389 imports to module scope
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
Stanislav Laznicka
383311a17f Don't try legacy installs
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
Stanislav Laznicka
8f9b0fc1de Remove some basic pystyle and pylint errors
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
William Brown
f7511edbfb Support the 1.4.x python installer tools in 389-ds
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
Rob Crittenden
35d1d345c1 Add support for multiple certificates/formats to ipa-cacert-manage
Only a single cert in DER or PEM format would be loaded from the
provided file. Extend this to include PKCS#7 format and load all
certificates found in the file.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

https://pagure.io/freeipa/issue/7579

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-11-13 10:44:14 +01:00
Christian Heimes
4124743862 Replace messagebus with modern name dbus
"messagebus" is an old, archaic name for dbus. Upstream dbus has started
to move away from the old name. Let's use the modern term in FreeIPA,
too.

Fixes: https://pagure.io/freeipa/issue/7754
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-11-08 17:44:45 +01:00
Christian Heimes
816783a1b9 Copy-paste error in permssions plugin, CID 323649
Address a bug in the code block for attributeLevelRights for old clients.
The backward compatibility code for deprecated options was not triggered,
because the new name was checked against wrong dict.

Coverity Scan issue 323649, Copy-paste error

   The copied code will not have its intended effect.
   In postprocess_result: A copied piece of code is inconsistent with the
   original (CWE-398)

See: Fixes: https://pagure.io/freeipa/issue/7753
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-08 13:16:26 +01:00
Alexander Bokovoy
82af034023 ipaserver.install.adtrust: fix CID 323644
Fix Coverity finding CID 323644: logically dead code path

The code to determine whether NetBIOS name was already set or need to be
set after deriving it from a domain or asking a user for an interactive
input, was refactored at some point to avoid retrieving the whole LDAP
entry. Instead, it was provided with the actual NetBIOS name retrieved.

As result, a part of the code got neglected and was never executed.

Fix this code and provide a test that tries to test predefined,
interactively provided and automatically derived NetBIOS name depending
on how the installer is being run.

We mock up the actual execution so that no access to LDAP or Samba is
needed.

Fixes: https://pagure.io/freeipa/issue/7753
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-07 16:37:18 +01:00
Christian Heimes
8b0f3595fd Allow ipaapi user to access SSSD's info pipe
For smart card authentication, ipaapi must be able to access to sss-ifp.
During installation and upgrade, the ipaapi user is now added to
[ifp]allowed_uids.

The commit also fixes two related issues:

* The server upgrade code now enables ifp service in sssd.conf. The
  existing code modified sssd.conf but never wrote the changes to disk.
* sssd_enable_service() no longer fails after it has detected an
  unrecognized service.

Fixes: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-07 16:28:35 +01:00
Rob Crittenden
f4e37385b4 Enable replica install info logging to match ipa-server-install
Increase log level to info by setting verbose=True and adding
a console format.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

https://pagure.io/freeipa/issue/7408

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-01 13:08:58 +01:00
Rob Crittenden
4cde696d71 Demote log message in custodia _wait_keys to debug
This was previously suppressed because of the log level in
an installation was set to error so it was never displayed
Keeping consistency and demoting it to debug since the
log level is increased to info.

Related: https://pagure.io/freeipa/issue/7408

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-01 13:08:58 +01:00
Rob Crittenden
9b7a152e95 Pass a list of values into add_master_dns_records
During replica installation the local IP addresses should be
added to DNS but will fail because a string is being passed
to an argument expecting a list. Convert to a list before
passing in individual IPs.

Discovered when fixing https://pagure.io/freeipa/issue/7408

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-01 13:08:58 +01:00
Christian Heimes
ec54fa7712 Keep Dogtag's client db in external CA step 1
Don't remove /root/.dogtag/pki-tomcat when performing step 1 of external
CA installation process. Dogtag 10.6.7 changed behavior and no longer
re-creates the client database in step 2.

Fixes: https://pagure.io/freeipa/issue/7742
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 20:10:23 +02:00
Florence Blanc-Renaud
4de5ea0930 ipa-backup: restart services before compressing the backup
ipa-backup gathers all the files needed for the backup, then compresses
the file and finally restarts the IPA services. When the backup is a
large file, the compression may take time and widen the unavailabity
window.

This fix restarts the services as soon as all the required files are
gathered, and compresses after services are restarted.

Fixes: https://pagure.io/freeipa/issue/7632
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 17:21:07 +02:00
Christian Heimes
4de97f496d Replace hard-coded interpreter with sys.executable
Instead of hard-coding python3, the smart card advise script now uses
the current executable path from sys.executable as interpreter.

Fixes: https://pagure.io/freeipa/issue/7741
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-24 17:44:20 +02:00
Florence Blanc-Renaud
4600e62b6b ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad
When adding the option --setup-adtrust to ipa-replica-install,
we need to check that the package freeipa-server-trust-ad is
installed.
To avoid relying on OS-specific commands like yum, the check is instead
ensuring that the file /usr/share/ipa/smb.conf.empty is present
(this file is delivered by the package).
When the check is unsuccessful, ipa-replica-install exits with an error
message.

Fixes: https://pagure.io/freeipa/issue/7602
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-24 14:20:29 +02:00
Alexander Bokovoy
3b79deae53 net groupmap: force using empty config when mapping Guests
When we define a group mapping for BUILTIN\Guests to 'nobody' group in
we run 'net groupmap add ...' with a default /etc/samba/smb.conf which
is now configured to use ipasam passdb module. We authenticate to LDAP
with GSSAPI in ipasam passdb module initialization.

If GSSAPI authentication failed (KDC is offline, for example, during
server upgrade), 'net groupmap add' crashes after ~10 attempts to
re-authenticate. This is intended behavior in smbd/winbindd as they
cannot work anymore. However, for the command line tools there are
plenty of operations where passdb module is not needed.

Additionally, GSSAPI authentication uses the default ccache in the
environment and a key from /etc/samba/samba.keytab keytab. This means
that if you'd run 'net *' as root, it will replace whatever Kerberos
tickets you have with a TGT for cifs/`hostname` and a service ticket to
ldap/`hostname` of IPA master.

Apply a simple solution to avoid using /etc/samba/smb.conf when we
set up the group mapping by specifying '-s /dev/null' in 'net groupmap'
call.

For upgrade code this is enough as in
a678336b8b we enforce use of empty
credentials cache during upgrade to prevent tripping on individual
ccaches from KEYRING: or KCM: cache collections.

Related: https://pagure.io/freeipa/issue/7705
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-10-23 16:50:43 +02:00
Petr Vobornik
0e22314c9b ipa-advise: update url of cacerdir_rehash tool
On legacy systems which don't have cacerdir_rehash tool (provided by authconfig)
the generated advise script downloads this tool from project page and uses it.

After decommision of Fedorahosted and move of authconfig project to Pagure,
this url was not updated in FreeIPA project.

This patch updates the url.

https://pagure.io/freeipa/issue/7731

Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-23 10:23:16 +02:00
Rob Crittenden
2fba5acc52 Handle NTP configuration in a replica server installation
There were two separate issues:

1. If not enrolling on a pre-configured client then the ntp-server and
   ntp-pool options are not being passed down to the client installer
   invocation.
2. If the client is already enrolled then the ntp options are ignored
   altogether.

In the first case simply pass down the options to the client
installer invocation.

If the client is pre-enrolled and NTP options are provided then
raise an exception.

https://pagure.io/freeipa/issue/7723

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-10-19 11:53:32 -04:00
Alexander Bokovoy
1ef0fe8bb8 adtrust: define Guests mapping after creating cifs/ principal
All Samba utilities load passdb modules from the configuration file. As
result, 'net groupmap' call would try to initialize ipasam passdb module
and that one would try to connect to LDAP using Kerberos authentication.

We should be running it after cifs/ principal is actually created in
ipa-adtrust-install or otherwise setting up group mapping will fail.

This only affects new installations. For older ones 'net groupmap' would
work just fine because adtrust is already configured and all principals
exist already.

A re-run of 'ipa-server-upgrade' is a workaround too but better to fix
the initial setup.

Related: https://pagure.io/freeipa/issue/7705
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-10 11:36:00 +02:00
Thomas Woerner
7f507519d4 Find orphan automember rules
If groups or hostgroups have been removed after automember rules have been
created using them, then automember-rebuild, automember-add, host-add and
more commands could fail.

A new command has been added to the ipa tool:

  ipa automember-find-orphans --type={hostgroup,group} [--remove]

This command retuns the list of orphan automember rules in the same way as
automember-find. With the --remove option the orphan rules are also removed.

The IPA API version has been increased and a test case has been added.

Using ideas from a patch by: Rob Crittenden <rcritten@redhat.com>

See: https://pagure.io/freeipa/issue/6476
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2018-10-10 09:56:40 +02:00
Christian Heimes
341a12054a Fix zonemgr encoding issue
The zonemgr validator and handler performs additional encodings for IDNA
support. In Python 3, the extra steps are no longer necessary because
arguments are already proper text and stderr can handle text correctly.

This also fixes 'b' prefix in error messages like:

    option zonemgr: b'empty DNS label'

Fixes: https://pagure.io/freeipa/issue/7711
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-05 09:04:15 -04:00
Christian Heimes
15d5e44ee8 Py3: Replace six.moves imports
Replace six.moves and six.StringIO/BytesIO imports with cannonical
Python 3 packages.

Note: six.moves.input behaves differently than builtin input function.
Therefore I left six.moves.input for now.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-10-05 12:06:19 +02:00