The ipa-otpd code occasionally removes elements from one queue,
inspects and modifies them, and then inserts them into
another (possibly identical, possibly different) queue. When the next
pointer isn't cleared, this can result in element membership in both
queues, leading to double frees, or even self-referential elements,
causing infinite loops at traversal time.
Rather than eliminating the pattern, make it safe by clearing the next
field any time an element enters or exits a queue.
Related https://pagure.io/freeipa/issue/7262
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Python scripts are now generated from templates. The scripts are marked
as nodist (no distribution) but install targets. The templates for the
scripts are extra distribution data, no installation (noinst).
Fixes: https://pagure.io/freeipa/issue/7680
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
All Python scripts are now generated from a template with a dynamic
shebang.
ipatests/i18n.py is no longer an executable script with shebang. The
module is not executed as script directly, but rather as
$(PYTHON) ipatests/i18n.py
Fixes: https://pagure.io/freeipa/issue/7680
All Python scripts are now template files with a dynamic shebang line.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When creating Kerberos keys for trusted domain object account, ipasam
module requests to generate keys using a series of well-known encryption
types. In FIPS mode it is not possible to generate RC4-HMAC key:
MIT Kerberos is using openssl crypto backend and openssl does not allow
use of RC4 in FIPS mode.
Thus, we have to filter out RC4-HMAC encryption type when running in
FIPS mode. A side-effect is that a trust to Active Directory running
with Windows Server 2003 will not be possible anymore in FIPS mode.
Resolves: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
The code in question was supposed to have the same license as the
rest of the plugin. Fix it by updating the comment header.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
When making ipa-pwd-extop TXN aware, some callbacks are call twice.
Particularily
ipapwd_pre_add is called during PRE_ADD and TXN_PRE_ADD
ipapwd_pre_mod is called during PRE_MOD and TXN_PRE_MOD
ipapwd_post_modadd is called during POST_ADD and TXN_POST_ADD
ipapwd_post_modadd is called during POST_MOD and TXN_POST_MOD
It is not the expected behavior and it results on some skipped updates krbPasswordExpiration
and krbLastPwdChange
https://pagure.io/freeipa/issue/7601
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
- Add missing executable bits to all scripts
- Remove executable bits from all files that are not scripts,
e.g. js, html, and Python libraries.
- Remove Python shebang from all Python library files.
It's frown upon to have executable library files in site-packages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
If the element being removed were not the queue head,
otpd_queue_pop_msgid() would not actually remove the element, leading
to potential double frees and request replays.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This was causing ns-slapd to segfault in the password plugin.
https://pagure.io/freeipa/issue/7561
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When a segment is deleted, the underlying replica agreement is also deleted.
An exception to this is if the status of the deleted segment is "obsolete" (i.e. merged segments)
The status should contain only one value, but to be protected against potential
bugs (like https://pagure.io/389-ds-base/issue/49619) this fix checks if
"obsolete" is in the status values.
https://pagure.io/freeipa/issue/7461
Reviewed-By: Christian Heimes <cheimes@redhat.com>
NSS doesn't allow keys to be loaded directly in FIPS mode. To work around
this, we encrypt the input key using an ephemeral key and then unwrap the
encrypted key.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
NSS_STATUS_RETURN is an internal value but GCC doesn't know that.
ipa_extdom_common.c:103:5: warning: enumeration value ‘NSS_STATUS_RETURN’ not handled in switch [-Wswitch]
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The ipadb_free() and ipadb_alloc() functions are only used with
KRB5_KDB_DAL_MAJOR_VERSION 5.
ipa_kdb.c:639:13: warning: ‘ipadb_free’ defined but not used [-Wunused-function]
ipa_kdb.c:634:14: warning: ‘ipadb_alloc’ defined but not used [-Wunused-function]
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The 389-ds plugin for OTP last token is performing data initialization
in its ipa_otp_lasttoken_init method, which is wrong according to
the Plug-in Guide:
> For example, the init function should not attempt to perform an
> internal search or other internal operation, because the all of
> the subsystems are not up and running during the init phase.
This init method fills a structure containing the configuration of
allowed authentication types. As the method is called too early, the
method does not find any suffix and leaves the structure empty.
Subsequent calls find an empty structure and take the default values
(for authentication methods, the default is 1 = password).
Because of that, the code consider that the global configuration defines
password authentication method, and in this case it is allowed to delete
a user's last otp token.
The fix implements a SLAPI_PLUGIN_START_FN method that will be called
when 389-ds is ready to initialize the plugin data, ensuring that the
structure is properly initialized.
Fixes:
https://pagure.io/freeipa/issue/7012
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
Currently there is already code to make sure that after trust is established an
AS-REQ of the local HTTP principal causes a refresh of the internal structures
holding the information about the trusted domains.
But this refreshes only the data of the current krb5kdc worker process on the
local host. Other workers and the KDCs on other hosts will update the data
eventually when a request with a principal from a trusted realm is handled.
During this phase, which might last quite long if remote principals are only
handled rarely, TGTs for local principals might or might not contain a PAC
because the decision if a PAC should be added or not is based on the
information about trusted domains. Since the PAC is needed to access services
on the AD side this access might fail intermittently depending which worker
process on which host is handling the request. This might e.g. affect SSSD
running on the IPA server with two-way trust.
To fix this this patch calls ipadb_reinit_mspac() whenever a PAC is needed but
without the 'force' flag so that the refresh will only happen if it wasn't
called recently (currently not more often than once a minute).
An alternative might be to do the refresh only when processing cross-realm TGT
requests. But this would be already too late because the local principal asking
for a cross-realm ticket would not have a PAC and hence the first attempt will
still fail due to the missing PAC. And injecting the PAC in the cross-realm TGT
while there is none in the requesting ticket does not sound right.
Related to https://pagure.io/freeipa/issue/7351
Reviewed-By: Simo Sorce <ssorce@redhat.com>
The certauth plugin is configured in /etc/krb5.conf independently form
the database module. As a result the IPA certauth plugin can be added to
the configuration without the IPA DAL driver. Since the IPA certauth
plugin depends on the presence of the IPA DAL driver this patch adds a
magic value at the beginning of struct ipadb_context which can be
checked to see if the IPA DAL driver is properly initialized.
Resolves https://pagure.io/freeipa/issue/7261
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Replace assert with proper check and exception.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ODS commands are ASCII strings, but socket.recv() returns bytes and
socket.send() expects bytes. Encode/decode values properly.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
hexlify returns bytes and needs to be casted to string before
printing it out.
Related: https://pagure.io/freeipa/issue/4985
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipa-ods-exporter uses systemd socket activation. The script uses
select() to check if the socket is readable. A timeout of 0 is a bit too
aggressive. Sometimes select() doesn't consider the systemd socket as
readable. This causes ODS to fail silently
A timeout of one second seems to remove the problem. A proper error code
also signals that something went wrong.
Closes: https://pagure.io/freeipa/issue/7378
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Refactor nsswitch operations in ipa-extdom-extop plugin to allow use
of timeout-enabled nsswitch calls provided by libsss_nss_idmap.
Standard POSIX nsswitch API has no way to cancel requests which may
cause ipa-extdom-extop requests to hang far too long and potentially
exhaust LDAP server workers. In addition, glibc nsswitch API iterates
through all nsswitch modules one by one and with multiple parallel
requests a lock up may happen in an unrelated nsswitch module like
nss_files.so.2.
A solution to the latter issue is to directly load nss_sss.so.2 plugin
and utilize it. This, however, does not solve a problem with lack of
cancellable API.
With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of
nsswitch API that is directly integrated with SSSD client side machinery
used by nss_sss.so.2. As result, this API can be used instead of loading
nss_sss.so.2 directly.
To support older SSSD version, both direct loading of nss_sss.so.2 and
new timeout-enabled API are supported by this changeset. An API to
abstract both is designed to be a mix between internal glibc nsswitch
API and external nsswitch API that libsss_nss_idmap mimics. API does not
expose per-call timeout. Instead, it allows to set a timeout per
nsswitch operation context to reduce requirements on information
a caller has to maintain.
A choice which API to use is made at configure time.
In order to test the API, a cmocka test is updated to explicitly load
nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always
depend on availablility of SSSD, predictable testing would not be
possible without it otherwise. Also, cmocka test does not use
nss_wrapper anymore because nss_wrapper overrides higher level glibc
nsswitch API while we are loading an individual nsswitch module
directly.
As result, cmocka test overrides fopen() call used by nss_files.so.2 to
load /etc/passwd and /etc/group. An overridden version changes paths to
/etc/passwd and /etc/group to a local test_data/passwd and
test_data/group. This way we can continue testing a backend API for
ipa-extdom-extop with the same data as with nss_wrapper.
Fixes https://pagure.io/freeipa/issue/5464
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
When testing KDC code in cmocka we rely on libkrb5 defaults.
libkrb5 would read /etc/krb5.conf by default and would load a KDB
module from there if it is defined for the test realm (EXAMPLE.COM).
Since EXAMPLE.COM is a common name used for test realms, make sure to
not using /etc/krb5.conf from the system. Instead, force KRB5_CONFIG to
/dev/null so that only libkrb5 compiled-in defaults are in use.
In such setup libkrb5 will attempt to load KDB driver db2 for our test
realm. db2 driver doesn't fail if its database is not available (unlike
FreeIPA's one), so it survives initialization.
As result, ipa-kdb-tests pass without unexpected breakage.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add dependency on external libraries after dependency on internal
objects so the linker can correctly pick up all symbols.
https://pagure.io/freeipa/issue/7189
Original patch by Rob Crittenden
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Bug Description:
When adding an entry, ipa-uuid plugin may generate a unique value
for some of its attribute.
If the generated attribute is part of the RDN, the target DN
is replaced on the fly and the previous one freed.
Unfortunately, previous DN may be later used instead of
the new one.
Fix Description:
Make sure to use only the current DN of the operation
https://bugzilla.redhat.com/show_bug.cgi?id=1496226https://pagure.io/freeipa/issue/7227
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
krb5-1.16 includes DAL version 7, which changes the signature of
audit_as_req to include local and remote address parameters.
This patch just enables building against the new DAL version and bumps
the minimum in freeipa.spec.in, but doesn't use the new information
for anything.
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
While processing enterprise principals the information about trusted domains
might not be up-to-date. With this patch ipadb_reinit_mspac() is called if an
unknown domain is part of the enterprise principal.
Resolves https://pagure.io/freeipa/issue/7172
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
KDC crashes on quite random interval while trying to reach LDAP
https://pagure.io/freeipa/issue/7017
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use the actual root logger (`logging.getLogger()`) rather than the `ipa`
logger (or the `root` logger in case of ipa-ods-exporter) as the root
logger.
Always configure logging on the root logger.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Do not configure stderr handler by default and let the application do the
configuration.
Fix ipa-dnskeysync-replica and ipa-dnskeysyncd not to add stderr handler
twice.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Samba 4.7 tightens up smbldap API by making 'struct smbldap_state' an
opaque. This means ipa-sam module cannot anymore directly set its
LDAP bind callback.
Use new smbldap API to set the LDAP bind callback.
Fixes https://pagure.io/freeipa/issue/6877
Reviewed-By: Martin Basti <mbasti@redhat.com>
With Samba 4.7 access to ldapsam internal structures will not be
available for external applications. FreeIPA's ipasam module was using
those for own needs. Now it needs to migrate to proper own private
structure.
Given that we anyway need to implement many missing functions like
pdb_update_sam_account() callback with FreeIPA-specific logic,
piggybacking on ldapsam structures is not needed anymore.
Fixes https://pagure.io/freeipa/issue/6877
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
/etc/krb5.conf.d exists.
Do not rely on /etc/krb5.conf.d to enable the certauth plugin.
This fixes install on platforms which do not have /etc/krb5.conf.d.
https://pagure.io/freeipa/issue/6589
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
In FIPS mode NT hashes (aka md4) are not allowed. If FIPS more is
detected we disable NT hashes even is the are allowed by IPA
configuration.
Resolves https://pagure.io/freeipa/issue/7026
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Since ipa-sam is running as part of smbd is it safe to use the
E_md4hash() from Samba. This way ipa-sam does not depend on other crypto
libraries which might depend on other rules like e.g. FIPS mode.
Resolves https://pagure.io/freeipa/issue/7026
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Currently the certauth plugin use the unmodified principal from the
request to lookup the user. This might fail if e.g. enterprise
principals are use. With this patch the canonical principal form the kdc
entry is used.
Resolves https://pagure.io/freeipa/issue/6993
Reviewed-By: David Kupka <dkupka@redhat.com>
We automatically add 'otp' and 'radius' authentication indicators when
pre-authentication with OTP or RADIUS did succeed. Do the same for
certauth-based pre-authentication (PKINIT).
A default PKINIT configuration does not add any authentication
indicators unless 'pkinit_indicator = pkinit' is set in kdc.conf.
Unfortunately, modifying kdc.conf automatically is a bit more
complicated than modifying krb5.conf. Given that we have 'otp' and
'radius' authentication indicators also defined in the code not in the
kdc.conf, this change is following an established trend.
SSSD certauth interface does not provide additional information about
which rule(s) succeeded in matching the incoming certificate. Thus,
there is not much information we can automatically provide in the
indicator. It would be good to generate indicators that include some
information from the certmapping rules in future but for now a single
'pkinit' indicator is enough.
Fixes https://pagure.io/freeipa/issue/6736
Reviewed-By: Simo Sorce <ssorce@redhat.com>
With this patch the certificate mapping rules are reloaded every 5
minutes.
Resolves https://pagure.io/freeipa/issue/6963
Reviewed-By: David Kupka <dkupka@redhat.com>
Slots in HSM are not assigned statically, we have to chose proper
slot from token label.
Softhsm i2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).
Changelog:
* created method get_slot() that returns slot number from
used label
* replaces usage of slot in __init__ method of P11_Helper
with label
* slot is dynamically detected from token label before
session is opened
* pkcs11-util --init-token now uses '--free' instead '--slot'
which uses first free slot (we don't care about slot numbers
anymore)
https://pagure.io/freeipa/issue/6692
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When ADtrust is installed we add a PAC to all tickets, during protocol
transition we need to generate a new PAC for the requested user ticket,
not check the existing PAC on the requestor ticket.
https://pagure.io/freeipa/issue/6862
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When a trusted domain entry is created, the uidNumber attribute is created
but not the gidNumber attribute. This causes samba to log
Failed to find a Unix account for DOM-AD$
because the samu structure does not contain a group_sid and is not put
in the cache.
The fix creates the gidNumber attribute in the trusted domain entry,
and initialises the group_sid field in the samu structure returned
by ldapsam_getsampwnam. This ensures that the entry is put in the cache.
Note that this is only a partial fix for 6660 as it does not prevent
_netr_ServerAuthenticate3 from failing with the log
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com.
https://pagure.io/freeipa/issue/6827
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Architecture specific paths should be avoided in the global Kerberos
configuration because it is read e.g. by 32bit and 64bit libraries they
are installed in parallel.
Resolves https://pagure.io/freeipa/issue/6833
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>