Commit Graph

67 Commits

Author SHA1 Message Date
Sumit Bose
d1f5ed64e1 ipa_sam: remove dependency to talloc_strackframe.h
Recent Samba versions removed some header files which did include
non-public APIs. As a result talloc_strackframe.h and memory.h (for
SAFE_FREE) are not available anymore. This patch replaces the use of the
non-public APIs with public ones.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
2019-02-19 15:36:55 +01:00
Christian Heimes
272837f1c0 Remove ZERO_STRUCT() call
ipa_sam uses Samba's macro ZERO_STRUCT() to safely zero out a block in
memory. On F30 ZERO_STRUCT() is currently broken, because it uses the
undefined C11 function memset_s().

During investigation of the bug, it turned out that
ZERO_STRUCT(td->security_identifier) is not needed. The whole td struct
is allocated with talloc_zero(), so td->security_identifier is already
zeroed.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1672231
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-02-07 13:38:34 +01:00
Alexander Bokovoy
6907a0cef7
ipasam: do not use RC4 in FIPS mode
When creating Kerberos keys for trusted domain object account, ipasam
module requests to generate keys using a series of well-known encryption
types. In FIPS mode it is not possible to generate RC4-HMAC key:
MIT Kerberos is using openssl crypto backend and openssl does not allow
use of RC4 in FIPS mode.

Thus, we have to filter out RC4-HMAC encryption type when running in
FIPS mode. A side-effect is that a trust to Active Directory running
with Windows Server 2003 will not be possible anymore in FIPS mode.

Resolves: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2018-08-13 14:42:16 +02:00
Alexander Bokovoy
3ab6a68e91 ipa-sam: use smbldap_set_bind_callback for Samba 4.7 or later
Samba 4.7 tightens up smbldap API by making 'struct smbldap_state' an
opaque. This means ipa-sam module cannot anymore directly set its
LDAP bind callback.

Use new smbldap API to set the LDAP bind callback.

Fixes https://pagure.io/freeipa/issue/6877

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-11 15:21:35 +02:00
Alexander Bokovoy
11d43a1603 ipa-sam: use own private structure, not ldapsam_privates
With Samba 4.7 access to ldapsam internal structures will not be
available for external applications. FreeIPA's ipasam module was using
those for own needs. Now it needs to migrate to proper own private
structure.

Given that we anyway need to implement many missing functions like
pdb_update_sam_account() callback with FreeIPA-specific logic,
piggybacking on ldapsam structures is not needed anymore.

Fixes https://pagure.io/freeipa/issue/6877

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-11 15:21:35 +02:00
Sumit Bose
f169481b55 ipa-sam: replace encode_nt_key() with E_md4hash()
Since ipa-sam is running as part of smbd is it safe to use the
E_md4hash() from Samba. This way ipa-sam does not depend on other crypto
libraries which might depend on other rules like e.g. FIPS mode.

Resolves https://pagure.io/freeipa/issue/7026

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-21 10:16:41 +02:00
Florence Blanc-Renaud
e052c2dce0 ipa-sam: create the gidNumber attribute in the trusted domain entry
When a trusted domain entry is created, the uidNumber attribute is created
but not the gidNumber attribute. This causes samba to log
	Failed to find a Unix account for DOM-AD$
because the samu structure does not contain a group_sid and is not put
in the cache.
The fix creates the gidNumber attribute in the trusted domain entry,
and initialises the group_sid field in the samu structure returned
by ldapsam_getsampwnam. This ensures that the entry is put in the cache.

Note that this is only a partial fix for 6660 as it does not prevent
_netr_ServerAuthenticate3 from failing with the log
	_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com.

https://pagure.io/freeipa/issue/6827

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-04-07 12:38:35 +02:00
Lukas Slebodnik
0906cc28b8 ipa-sam: Do not redefine LDAP_PAGE_SIZE
The value of LDAP_PAGE_SIZE was changed in samba-4.4
and it caused warning because it's already defined
in samba header files

ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
 #define LDAP_PAGE_SIZE 1024

In file included from /usr/include/samba-4.0/smbldap.h:24:0,
                 from ipa_sam.c:31:
/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition
 #define LDAP_PAGE_SIZE 1000

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-03-09 18:59:29 +01:00
Lukas Slebodnik
017b343e13 IPA-SAM: Fix build with samba 4.4
samba_util.h is not shipped with samba-4.4
and it was indirectly included by "ndr.h"

Some functions have prototypes in different header file
"util/talloc_stack.h" and other does not have declarations
in other header file. But they are still part of libsamba-util.so

sh$ objdump -T /usr/lib64/libsamba-util.so.0.0.1 | grep -E "trim_s|xstrdup"
0000000000022200 g    DF .text  000000000000001f  SAMBA_UTIL_0.0.1 smb_xstrdup
00000000000223b0 g    DF .text  000000000000019d  SAMBA_UTIL_0.0.1 trim_string

ipa_sam.c: In function 'ldapsam_uid_to_sid':
ipa_sam.c:836:24: warning: implicit declaration of function 'talloc_stackframe'
                  [-Wimplicit-function-declaration]
  TALLOC_CTX *tmp_ctx = talloc_stackframe();
                        ^
ipa_sam.c: In function 'pdb_init_ipasam':
ipa_sam.c:4493:2: warning: implicit declaration of function 'trim_string'
                  [-Wimplicit-function-declaration]
  trim_string( uri, "\"", "\"" );
  ^
ipa_sam.c:4580:26: warning: implicit declaration of function 'smb_xstrdup'
                   [-Wimplicit-function-declaration]
  ldap_state->domain_dn = smb_xstrdup(dn);
                          ^

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-02-02 18:32:47 +01:00
Simo Sorce
f9ed0b6ff8 Convert ipa-sam to use the new getkeytab control
Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5495
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-02-01 13:28:39 +01:00
Sumit Bose
657cf958c6 ipasam: fix a use-after-free issue
Since endptr points to a location inside of dummy, dummy should be freed
only after dereferencing endptr.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-11-23 14:45:54 +01:00
Sumit Bose
99cfc979d5 ipasam: use more restrictive search filter for group lookup
Since we are interested in looking up the SID of a group it makes sense
to include the objectclass which contains the SID attribute in the
search filter. This makes sure the group is not accidentally found a
second time in the compat tree.

Related to https://fedorahosted.org/freeipa/ticket/5457

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-11-23 14:45:54 +01:00
Sumit Bose
3d6fdab904 ipasam: fix wrong usage of talloc_new()
Fixes https://fedorahosted.org/freeipa/ticket/5457

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-11-23 14:45:54 +01:00
Alexander Bokovoy
785f6593ca add one-way trust support to ipasam
When trust is established, ipasam module creates a number of objects in LDAP
to represent the trust information. Among them, for one-way trust we create
a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest
and AD is a realm of the trusted Active Directory forest root domain.

This principal is then used by SSSD on IPA masters to authenticate against
trusted Active Directory domain controllers and retrieve information about
user and group identities.

FreeIPA also uses this principal's credentials to retrieve domain topology.

The access to the keys of the principal should be well-protected. We only
allow to retrieve the keytab for it for members of cn=adtrust agents group.
This group is populated with host/ and cifs/ principals from IPA masters.

Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters
where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install
on the master which will be configured to be a domain controller (e.g.
run Samba with ipasam), and specify --add-agents option to trigger activation
of the interactive mode to specify which IPA masters to enable.

Fixes https://fedorahosted.org/freeipa/ticket/4962
Part of fixes for https://fedorahosted.org/freeipa/ticket/4546

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
d57efb74bb Support Samba PASSDB 0.2.0 aka interface version 24
1. Samba project renamed libpdb to libsamba-passdb
   https://bugzilla.samba.org/show_bug.cgi?id=10355

2. With interface version 24, Samba removed uid_to_sid()/gid_to_sid()
   from the PASSDB interface and united them as id_to_sid().

Make sure FreeIPA ipa_sam code supports new and old versions of
the PASSDB API.

https://fedorahosted.org/freeipa/ticket/4778

Reviewed-By: Sumit Bose <sbose@redhat.com>
2015-01-19 10:21:48 +01:00
Jan Cholasta
eed7fb6378 Fix Kerberos error handling in ipa-sam
https://fedorahosted.org/freeipa/ticket/4713

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-25 08:23:24 +00:00
Jason Woods
d6a7923f71 ipa-sam: cache gid to sid and uid to sid requests in idmap cache
Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the
directory service for gid/uid<->sid resolution.

Additionally, this patch further reduces number of queries by:
 - fast fail on uidNumber=0 which doesn't exist in FreeIPA,
 - return fallback group correctly when looking up user primary group as is
   done during init,
 - checking for group objectclass in case insensitive way

Patch by Jason Woods <devel@jasonwoods.me.uk>

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

https://fedorahosted.org/freeipa/ticket/4234
and
https://bugzilla.redhat.com/show_bug.cgi?id=1073829
https://bugzilla.redhat.com/show_bug.cgi?id=1074314

Reviewed-By: Sumit Bose <sbose@redhat.com>
2014-03-12 12:19:06 +01:00
Alexander Bokovoy
c29211671c ipasam: delete trusted child domains before removing the trust
LDAP protocol doesn't allow deleting non-leaf entries. One needs to
remove all leaves first before removing the tree node.

https://fedorahosted.org/freeipa/ticket/4126
2014-01-21 12:31:54 +01:00
Sumit Bose
d876a22732 Remove generation and handling of LM hashes
https://fedorahosted.org/freeipa/ticket/3795
2013-11-01 09:28:35 +01:00
Alexander Bokovoy
0ab40cdf6b ipasam: for subdomains pick up defaults for missing values
We don't store trust type, attributes, and direction for subdomains
of the existing trust. Since trust is always forest level, these parameters
can be added as defaults when they are missing.
2013-10-04 10:25:31 +02:00
Alexander Bokovoy
a9843d6918 ipa-sam: report supported enctypes based on Kerberos realm configuration
We store Kerberos realm configuration in cn=REALM,cn=kerberos,$SUFFIX.
Along other configuration options, this container has list of default
supported encryption types, in krbDefaultEncSaltTypes.

Fetch krbDefaultEncSaltTypes value on ipa-sam initialization and convert
discovered list to the mask of supported encryption types according to
security.idl from Samba:
        typedef [public,bitmap32bit] bitmap {
                KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
                KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
                KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
                KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
                KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
        } kerb_EncTypes;

Part of https://fedorahosted.org/freeipa/ticket/3898
2013-09-20 09:59:02 +02:00
Alexander Bokovoy
860a3ff647 ipa-sam: do not leak LDAPMessage on ipa-sam initialization
We used to handle some of code paths to free memory allocated by the LDAP library
but there are few more unhandled. In addition, search result wasn't freed on successful
initialization, leaking for long time.

https://fedorahosted.org/freeipa/ticket/3913
2013-09-20 09:59:02 +02:00
Alexander Bokovoy
9cf8ec79c9 ipa-sam: do not modify objectclass when trust object already created
When trust is established, last step done by IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in trust object entry
which is not allowed by ACI.

Additionally, wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd which prevented even to
reach the point where ipa-sam would be asked to modify the trust object.
2013-09-20 09:59:02 +02:00
Alexander Bokovoy
cc56723151 ipasam: add enumeration of UPN suffixes based on the realm domains
PASSDB API in Samba adds support for specifying UPN suffixes. The change
in ipasam will allow to pass through list of realm domains as UPN suffixes
so that Active Directory domain controller will be able to recognize
non-primary UPN suffixes as belonging to IPA and properly find our KDC
for cross-realm TGT.

Since Samba already returns primary DNS domain separately, filter it out
from list of UPN suffixes.

Also enclose provider of UPN suffixes into #ifdef to support both
Samba with and without pdb_enum_upn_suffixes().

Part of https://fedorahosted.org/freeipa/ticket/2848
2013-03-29 13:45:50 +01:00
Petr Viktorin
91606e6679 Change DNA magic value to -1 to make UID 999 usable
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.

For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.

Tests included

https://fedorahosted.org/freeipa/ticket/2886
2013-03-11 17:07:07 +01:00
Sumit Bose
caa218b6b8 ipa-sam: Array compared against 0 in ipasam_set_trusted_domain()
ipa_mspac_well_known_sids is a globally defined array so the check was
always true.

Fixes https://fedorahosted.org/freeipa/ticket/3423
2013-02-28 12:27:51 +01:00
Alexander Bokovoy
1c68c3edff ipasam: use base scope when fetching domain information about own domain
Since we use associatedDomain attribute to store information about UPN suffixes
and our own domain, searching subtree is going to return more than one entry.
Limit search for own domain by base scope as we only need to fetch our own
domain information here, not UPN suffixes.

Required for https://fedorahosted.org/freeipa/ticket/2945
2013-02-19 14:16:19 +02:00
Martin Kosek
994e2cda39 ipa-sam: Fill SID blacklist when trust is added
Fill incoming and outgoing trust LDAP entry with default SID
blacklist value.

https://fedorahosted.org/freeipa/ticket/3289
2013-02-12 10:37:52 +01:00
Alexander Bokovoy
2093007d4d ipasam: better Kerberos error handling in ipasam
If time is moved back on the IPA server, ipasam does not invalidate the
existing ticket.

https://fedorahosted.org/freeipa/ticket/3183
2012-11-21 13:18:26 +01:00
Sumit Bose
c1b922352f Fix various issues found by Coverity 2012-10-17 14:32:37 +02:00
Sumit Bose
0575e68013 ipasam: generate proper SID for trusted domain object 2012-10-04 22:15:36 -04:00
Sumit Bose
f5e839ef21 ipasam: add fallback primary group
https://fedorahosted.org/freeipa/ticket/2955
2012-10-04 22:15:36 -04:00
Sumit Bose
d491ba0289 ipasam: Fixes build with samba4 rc1 2012-09-14 16:50:52 +02:00
Sumit Bose
bd7f3e4b17 ipasam: replace trim_char() with trim_string() 2012-09-06 09:24:59 +02:00
Sumit Bose
931e890680 ipasam: remove fetch_ldap_pw() 2012-09-06 09:24:59 +02:00
Sumit Bose
260940ceb4 ipasam: replace get_global_sam_sid() 2012-09-06 09:24:59 +02:00
Sumit Bose
621b28a4a0 ipasam: add libsss_idmap context and replace string_to_sid() 2012-09-06 09:24:59 +02:00
Sumit Bose
dbd4cb51d3 ipasam: Replace global_sid_Builtin 2012-09-06 09:24:59 +02:00
Sumit Bose
af02b9e0a9 ipasam: Replace sid_peek_check_rid() 2012-09-06 09:24:59 +02:00
Sumit Bose
fa7f5a8327 ipasam: Replace sid_check_is_our_sam() 2012-09-06 09:24:59 +02:00
Sumit Bose
8697b70d6b ipasam: Replace dom_sid_compare_domain() 2012-09-06 09:24:59 +02:00
Sumit Bose
f864d766eb ipasam: Replace is_null_sid() 2012-09-06 09:24:59 +02:00
Sumit Bose
4f7af98571 ipasam: replace sid_compose() 2012-09-06 09:24:58 +02:00
Sumit Bose
454c2d4e8c ipasam: replace sid_copy() 2012-09-06 09:24:58 +02:00
Sumit Bose
885f4a6bb8 ipasam: remove talloc_asprintf_strupper_m() 2012-09-06 09:24:58 +02:00
Sumit Bose
2877cb4c0d ipasam: remove strlower_m() 2012-09-06 09:24:58 +02:00
Sumit Bose
33494689a2 ipasam: replace strnequal() 2012-09-06 09:24:58 +02:00
Sumit Bose
128257c68b ipasam: remove sid_peek_rid() 2012-09-06 09:24:58 +02:00
Sumit Bose
50a0b84176 ipasam: remove nt_lm_owf_gen() and dependency to libcliauth.so 2012-09-06 09:24:58 +02:00
Alexander Bokovoy
6171d0a01b Fix ipasam ipaNThash magic regen to actually fetch updated password
With this change ipasam is able to ask for ipaNTHash generation and if
corresponding Kerberos key is available, will be able to retrieve generated ipaNTHash.

Part 1 of https://fedorahosted.org/freeipa/ticket/3016
2012-08-22 17:21:11 +03:00