Commit Graph

11 Commits

Author SHA1 Message Date
Alexander Bokovoy
54e5ffc000 use a constant instead of /var/lib/sss/keytabs
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-22 12:21:33 -05:00
Alexander Bokovoy
ae7cd4702d trust-fetch-domains: use custom krb5.conf overlay for all trust operations
Operations in FIPS mode make impossible use of NTLMSSP when
authenticating to trusted Active Directory domain controllers because
RC4 cipher is not allowed. Instead, Kerberos authentication have to be
used. We switched to enforce Kerberos authentication when communicating
with trusted domains' domain controllers everywhere.

Kerberos library uses system wide configuration which in IPA defaults to
resolving location of KDCs via DNS SRV records. Once trust is
established, SSSD will populate a list of closest DCs and provide them
through the KDC locator plugin. But at the time the trust is established
performing DNS SRV-based discovery of Kerberos KDCs might fail due to
multiple reasons. It might also succeed but point to a DC that doesn't
know about the account we have to use to establish trust.

One edge case is when DNS SRV record points to an unreachable DC,
whether due to a firewall or a network topology limitations. In such
case an administrator would pass --server <server> option to
'ipa trust-add' or 'ipa trust-fetch-domains' commands.

'ipa trust-fetch-domains' runs a helper via oddjobd. This helper was
already modified to support --server option and generated custom
krb5.conf overlay to pin to a specific AD DC. However, this
configuration was removed as soon as we finished talking to AD DCs.

With switch to always use Kebreros to authenticate in retrieval of the
topology information, we have to use the overlay everywhere as well.

Convert the code that generated the overlay file into a context that
generates the overlay and sets environment. Reuse it in other
trust-related places where this matters.

Oddjob helper runs as root and can write to /run/ipa for the krb5.conf
overlay.

Server side of 'ipa trust-add' code calls into ipaserver/dcerpc.py and
runs under ipaapi so can only write to /tmp.  Since it is a part of the
Apache instance, it uses private /tmp mounted on tmpfs.

Fixes: https://pagure.io/freeipa/issue/8664
Related: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-22 12:21:33 -05:00
Christian Heimes
4e30a48d3c trust-add: Catch correct exception when chown SSSD
Commit 72fb4e6 introduced a regression. SSSD_USER.chown() raises
ValueError instead of KeyError when SSSD user does not exist.

Fixes: https://pagure.io/freeipa/issue/8516
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-09-26 10:41:32 +03:00
Christian Heimes
72fb4e60c8 Add user and group wrappers
New classes for user and group names provide a convenient way to access
the uid and primary gid of a user / gid of a group. The classes also
provide chown() and chgrp() methods to simplify common operations.

The wrappers are subclasses of builtin str type and behave like ordinary
strings with additional features. The pwd and grp structs are retrieved
once and then cached.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-22 09:23:18 -04:00
Rob Crittenden
d7a4756dac Create a common place to retrieve facts about an IPA installation
This is common to both client and server. Start with whether the
client or server is configured.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-08-06 14:11:27 +02:00
Christian Heimes
bdf1137169 Use /run and /run/lock instead of /var
Also add runstatedir autoconf var. IPA requires autoconf 2.59. The
variable will be available with autoconf 2.70.

Fixes: https://pagure.io/freeipa/issue/8272
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-04-15 18:48:50 +02:00
Alexander Bokovoy
6c9fcccfbc trust-fetch-domains: make sure we use right KDC when --server is specified
Since we are authenticating against AD DC before talking to it (by using
trusted domain object's credentials), we need to override krb5.conf
configuration in case --server option is specified.

The context is a helper which is launched out of process with the help
of oddjobd. The helper takes existing trusted domain object, uses its
credentials to authenticate and then runs LSA RPC calls against that
trusted domain's domain controller. Previous code directed Samba
bindings to use the correct domain controller. However, if a DC visible
to MIT Kerberos is not reachable, we would not be able to obtain TGT and
the whole process will fail.

trust_add.execute() was calling out to the D-Bus helper without passing
the options (e.g. --server) so there was no chance to get that option
visible by the oddjob helper.

Also we need to make errors in the oddjob helper more visible to
error_log. Thus, move error reporting for a normal communication up from
the exception catching.

Resolves: https://pagure.io/freeipa/issue/7895
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-06-28 13:30:59 +02:00
Christian Heimes
6d02eddd3e Replace PYTHONSHEBANG with valid shebang
Replace the @PYTHONSHEBANG@ substitution with a valid #!/usr/bin/python3
shebang. This turns Python .in files into valid Python files. The files
can now be checked with pylint and IDEs recognize the files as Python
files.

The shebang is still replaced with "#!$(PYTHON) -E" to support
platform-python.

Related: https://pagure.io/freeipa/issue/7984
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-06-24 09:35:57 +02:00
Alexander Bokovoy
cb0f24bfe2 Bypass D-BUS interface definition deficiences for trust-fetch-domains
In oddjobd it is possible to pass arguments as command line or on the
stdin. We use command line to pass them but the way oddjobd registers
the D-BUS method signatures is by specifying all arguments as mandatory.

Internally, oddjobd simply ignores if you passed less arguments than
specified in the D-BUS defition. Unfortunately, it is not possible to
specify less than maximum due to D-BUS seeing all arguments in the
list (30 is defined for the trust-fetch-domains).

To pass options, have to pad a list of arguments to maximum with empty
strings and then filter out unneeded ones in the script. Option parser
already removes all options from the list of arguments so all we need to
do is to take our actual arguments. In case of trust-fetch-domains, it
is the name of the domain so we can only care about args[0].

Fixes: https://pagure.io/freeipa/issue/7903
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-04-08 17:51:38 +02:00
Alexander Bokovoy
de4a9875d4 oddjob: allow to pass options to trust-fetch-domains
Refactor com.redhat.idm.trust-fetch.domains oddjob helper to allow
passing administrative credentials and a domain controller to talk to.

This approach allows to avoid rediscovering a domain controller in case
a user actually specified the domain controller when establishing trust.

It also allows to pass through admin credentials if user decides to do
so. The latter will be used later to allow updating trust topology in a
similar oddjob helper.

Resolves: https://pagure.io/freeipa/issue/7895
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-01 13:27:41 +02:00
Christian Heimes
a347c11650 Rename Python scripts and add dynamic shebang
All Python scripts are now generated from a template with a dynamic
shebang.

ipatests/i18n.py is no longer an executable script with shebang. The
module is not executed as script directly, but rather as

    $(PYTHON) ipatests/i18n.py

Fixes: https://pagure.io/freeipa/issue/7680
All Python scripts are now template files with a dynamic shebang line.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-08-23 14:49:06 +02:00