Commit Graph

45 Commits

Author SHA1 Message Date
Alexander Bokovoy
6195870e82 ipaserver/dcerpc: make sure to always return unicode SID of the trust domain
Trusted domain SID could be obtained through different means. When it is
fetched from the AD DC via LDAP, it needs to be extracted from a default
context and explicitly converted to unicode.

https://fedorahosted.org/freeipa/ticket/4246

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-12 18:16:52 +01:00
Alexander Bokovoy
3a7ba6013f ipaserver/dcerpc: catch the case of insuffient permissions when establishing trust
We attempt to delete the trust that might exist already. If there are not enough
privileges to do so, we wouldn't be able to create trust at the next step and it will fail.
However, failure to create trust will be due to the name collision as we already had
the trust with the same name before. Thus, raise access denied exception here
to properly indicate wrong access level instead of returning NT_STATUS_OBJECT_NAME_COLLISION.

https://fedorahosted.org/freeipa/ticket/4202

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-27 14:33:15 +01:00
Tomas Babej
96f87e548a trusts: Remove usage of deprecated LDAP API
Remove a reference to the old deprecated LDAP API invoked by
the usage of trust_add method.

https://fedorahosted.org/freeipa/ticket/4204

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-27 12:54:37 +01:00
Jan Cholasta
c2bd6f365d Convert remaining frontend code to LDAPEntry API. 2014-01-24 20:38:15 +01:00
Alexander Bokovoy
32df84f04b subdomains: Use AD admin credentials when trust is being established
When AD administrator credentials passed, they stored in realm_passwd,
not realm_password in the options.

When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure
to normalize them.

Additionally, force Samba auth module to use NTLMSSP in case we have
credentials because at the point when trust is established, KDC is not
yet ready to issue tickets to a service in the other realm due to
MS-PAC information caching effects. The logic is a bit fuzzy because
credentials code makes decisions on what to use based on the smb.conf
parameters and Python bindings to set parameters to smb.conf make it so
that auth module believes these parameters were overidden by the user
through the command line and ignore some of options. We have to do calls
in the right order to force NTLMSSP use instead of Kerberos.

Fixes https://fedorahosted.org/freeipa/ticket/4046
2013-11-29 13:13:55 +01:00
Alexander Bokovoy
3693b8e51a Map NT_STATUS_INVALID_PARAMETER to most likely error cause: clock skew
When we get NT_STATUS_INVALID_PARAMETER in response to establish
DCE RPC pipe with Kerberos, the most likely reason is clock skew.
Suggest that it is so in the error message.

https://fedorahosted.org/freeipa/ticket/4024
2013-11-13 12:28:48 +01:00
Alexander Bokovoy
f734988e24 trust: integrate subdomains support into trust-add 2013-10-04 10:25:31 +02:00
Alexander Bokovoy
a87813bf42 ipaserver/dcerpc: remove use of trust account authentication
Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal,
it is possible to use it when talking to the trusted AD DC.

Remove support for authenticating as trust account because it should not
really be used other than within Samba.
2013-10-04 10:25:31 +02:00
Alexander Bokovoy
0b29bfde0d trusts: support subdomains in a forest
Add IPA CLI to manage trust domains.

ipa trust-fetch-domains <trust>      -- fetch list of subdomains from AD side and add new ones to IPA
ipa trustdomain-find <trust>         -- show all available domains
ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust>
ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA
ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain

By default all discovered trust domains are allowed to access IPA resources

IPA KDC needs also information for authentication paths to subdomains in case they
are not hierarchical under AD forest trust root. This information is managed via capaths
section in krb5.conf. SSSD should be able to generate it once
ticket https://fedorahosted.org/sssd/ticket/2093 is resolved.

part of https://fedorahosted.org/freeipa/ticket/3909
2013-10-04 10:25:31 +02:00
Alexander Bokovoy
0637f590ed ipaserver/dcerpc.py: populate forest trust information using realmdomains
Use realmdomains information to prepopulate forest trust info. As result,
all additional domains should now be enabled from the beginning, unless they
really conflict with existing DNS domains on AD side.

https://fedorahosted.org/freeipa/ticket/3919
2013-10-04 10:25:31 +02:00
Alexander Bokovoy
9cf8ec79c9 ipa-sam: do not modify objectclass when trust object already created
When trust is established, last step done by IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in trust object entry
which is not allowed by ACI.

Additionally, wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd which prevented even to
reach the point where ipa-sam would be asked to modify the trust object.
2013-09-20 09:59:02 +02:00
Tomas Babej
a3d489443c Log proper error message when defaultNamingContext not found 2013-08-29 14:05:20 +02:00
Tomas Babej
8c8da71ea3 Remove overlapping use-cases of the same result variable 2013-08-06 13:44:32 +02:00
Tomas Babej
8122d74596 Use case-insensitive dict for trusted domain info
In DomainValidator, we store a dictionary containing information
for trusted domains. This is a case-sensitive dictionary keyed by
the domain name.

We need to use case-insensitive dictionary since domain names
are generally case-insensitive.

https://fedorahosted.org/freeipa/ticket/3816
2013-08-06 12:25:39 +02:00
Alexander Bokovoy
7b5cc3ed83 ipaserver/dcerpc: attempt to resolve SIDs through SSSD first
Attempt to resolve SIDs through SSSD first to avoid using trust
account password. This makes possible to run HBAC test requests
without being in 'trusted admins' group.

https://fedorahosted.org/freeipa/ticket/3803
2013-07-23 16:24:38 +03:00
Tomas Babej
17c7d46c25 Use AD LDAP probing to create trusted domain ID range
When creating a trusted domain ID range, probe AD DC to get
information about ID space leveraged by POSIX users already
defined in AD, and create an ID range with according parameters.

For more details:
http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
https://fedorahosted.org/freeipa/ticket/3649
2013-07-23 16:24:33 +03:00
Ana Krivokapic
e5117bd995 Fail when adding a trust with a different range
When adding a trust, if an id range already exists for this trust,
and options --base-id/--range-size are provided with the trust-add command,
trust-add should fail.

https://fedorahosted.org/freeipa/ticket/3635
2013-06-24 14:20:01 +02:00
Tomas Babej
04a17f00b7 Enforce exact SID match when adding or modifying a ID range
SID validation in idrange.py now enforces exact match on SIDs, thus
one can no longer use SID of an object in a trusted domain as a
trusted domain SID.

https://fedorahosted.org/freeipa/ticket/3432
2013-03-14 15:20:30 +01:00
Petr Viktorin
91a63cce62 Remove ipaserver/ipaldap.py
In addition to removing the module, fix all places where it was imported.

Preparation for: https://fedorahosted.org/freeipa/ticket/3446
2013-03-13 12:36:33 +01:00
Jan Cholasta
9955ba0714 Disable schema retrieval and attribute decoding when talking to AD GC. 2013-03-08 14:47:52 +01:00
Alexander Bokovoy
c6fc0413b6 ipaserver/dcerpc: enforce search_s without schema checks for GC searching 2013-03-06 16:09:01 +02:00
Petr Viktorin
1ee66ffe03 Remove IPAdmin.sasl_interactive_bind_s
Also, rename remaining uses of SASL_AUTH to SASL_GSSAPI to better
reflect what it is.

Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
2013-03-01 16:59:46 +01:00
Martin Kosek
a41e10f0eb Avoid internal error when user is not Trust admin
When user tries to perform any action requiring communication with
trusted domain, IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens for
example during group-add-member command when external user is
being resolved in the AD.

When user is not member of Trust admins group, the retrieval crashes
and reports internal error. Catch this exception and rather report
properly formatted ACIError. Also make sure that this exception is
properly processed in group-add-member post callback.

https://fedorahosted.org/freeipa/ticket/3390
2013-02-20 13:23:58 -05:00
Tomas Babej
559a87017a Add option to specify SID using domain name to idrange-add/mod
When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in CLI. If the lookup fails, error message
asking the user to specify the SID manually is shown.

https://fedorahosted.org/freeipa/ticket/3133
2013-02-18 16:37:07 +01:00
Martin Kosek
85d16ad7de Add support for AD users to hbactest command
How this works:
  1. When a trusted domain user is tested, AD GC is searched
     for the user entry Distinguished Name
  2. The user entry is then read from AD GC and its SID and SIDs
     of all its assigned groups (tokenGroups attribute) are retrieved
  3. The SIDs are then used to search IPA LDAP database to find
     all external groups which have any of these SIDs as external
     members
  4. All these groups having these groups as direct or indirect
     members are added to hbactest allowing it to perform the search

LIMITATIONS:
- only Trusted Admins group members can use this function as it
  uses secret for IPA-Trusted domain link
- List of group SIDs does not contain group memberships outside
  of the trusted domain

https://fedorahosted.org/freeipa/ticket/2997
2013-02-14 08:38:11 +01:00
Martin Kosek
e60e80e2b6 Generalize AD GC search
Modify access methods to AD GC so that callers can specify a custom
basedn, filter, scope and attribute list, thus allowing it to perform
any LDAP search.

Error checking methodology in these functions was changed, so that it
rather raises an exception with a desription instead of simply returning
a None or False value which would made an investigation why something
does not work much more difficult. External membership method in
group-add-member command was updated to match this approach.

https://fedorahosted.org/freeipa/ticket/2997
2013-02-14 08:38:11 +01:00
Martin Kosek
4c4418fb9e Test NetBIOS name clash before creating a trust
Give a clear message about what is wrong with current Trust settings
before letting AD to return a confusing error message.

https://fedorahosted.org/freeipa/ticket/3193
2013-02-13 13:05:04 +01:00
Martin Kosek
d4d19ff423 Add SID blacklist attributes
Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.

https://fedorahosted.org/freeipa/ticket/3289
2013-02-12 10:37:34 +01:00
Tomas Babej
0292ebd1e5 Add detection for users from trusted/invalid realms
When user from other realm than FreeIPA's tries to use Web UI
(login via forms-based auth or with valid trusted realm ticket),
the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
is returned.

Also, the support for usernames of the form user@SERVER.REALM
or user@server.realm was added.

https://fedorahosted.org/freeipa/ticket/3252
2012-12-06 10:34:23 -05:00
Alexander Bokovoy
ec20a74a59 Propagate kinit errors with trust account
When using Global Catalog for resolving users and groups, one needs
to authenticate against Active Directory DC using GSSAPI. Obtaining
Kerberos ticket might fail. Make sure the failure message is actually
returned to the user so that decision can be made about the source
of issue.

https://fedorahosted.org/freeipa/ticket/3265
2012-11-27 16:18:03 -05:00
Alexander Bokovoy
7960b5c67f trusts: replace use of python-crypto by m2crypto
python-crypto package is not available everywhere, use m2crypto instead.

Originally we thought to extend python-krbV to provide krb5_c_encrypt()
wrapper but m2crypto is readily available.

https://fedorahosted.org/freeipa/ticket/3271
2012-11-21 11:57:15 -05:00
Alexander Bokovoy
fc3834ca46 Resolve external members from trusted domain via Global Catalog
A sequence is following:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller and preferred GC hosts
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace external member name by SID
2012-11-01 15:46:58 -04:00
Simo Sorce
2d42737d01 Add support for using AES fo cross-realm TGTs 2012-10-17 13:55:11 +02:00
Simo Sorce
19a9376c72 Fix trust attributes for ipa trust-add
The RC4 flags in the trust attributes makes sense only fro trust type MIT
We are using the UPLEVEL trust type.
2012-10-09 10:33:04 +02:00
Alexander Bokovoy
459c83fb75 Support python-ldap 2.3 way of making LDAP control
This strange patch is to accomodate both python-ldap 2.3 and later versions.
There was refactoring in python-ldap support for LDAP controls that split
base class into two different, changing properties and method signatures.

Luckily, we don't use any values passed to encodeControlValue.
2012-10-04 17:00:56 +02:00
Alexander Bokovoy
fbfa3b56fa Change the way SID comparison is done for belonging to trusted domain
Fixes trust use on RHEL 6.
2012-09-27 14:00:40 +02:00
Alexander Bokovoy
7269687822 Add verification of the AD trust
Since we only can perform verification when AD admin credentials are available,
report that trust should be verified from the AD side in other cases,
including unsuccessful verification.

Once trust is added, status of it is never stored anywhere.

https://fedorahosted.org/freeipa/ticket/2763
2012-09-17 21:24:38 -04:00
Alexander Bokovoy
1baac3c29e Add internationalization to DCE RPC code
https://fedorahosted.org/freeipa/ticket/2964
2012-08-14 16:51:21 +02:00
John Dennis
94d457e83c Use DN objects instead of strings
* Convert every string specifying a DN into a DN object

* Every place a dn was manipulated in some fashion it was replaced by
  the use of DN operators

* Add new DNParam parameter type for parameters which are DN's

* DN objects are used 100% of the time throughout the entire data
  pipeline whenever something is logically a dn.

* Many classes now enforce DN usage for their attributes which are
  dn's. This is implmented via ipautil.dn_attribute_property(). The
  only permitted types for a class attribute specified to be a DN are
  either None or a DN object.

* Require that every place a dn is used it must be a DN object.
  This translates into lot of::

    assert isinstance(dn, DN)

  sprinkled through out the code. Maintaining these asserts is
  valuable to preserve DN type enforcement. The asserts can be
  disabled in production.

  The goal of 100% DN usage 100% of the time has been realized, these
  asserts are meant to preserve that.

  The asserts also proved valuable in detecting functions which did
  not obey their function signatures, such as the baseldap pre and
  post callbacks.

* Moved ipalib.dn to ipapython.dn because DN class is shared with all
  components, not just the server which uses ipalib.

* All API's now accept DN's natively, no need to convert to str (or
  unicode).

* Removed ipalib.encoder and encode/decode decorators. Type conversion
  is now explicitly performed in each IPASimpleLDAPObject method which
  emulates a ldap.SimpleLDAPObject method.

* Entity & Entry classes now utilize DN's

* Removed __getattr__ in Entity & Entity clases. There were two
  problems with it. It presented synthetic Python object attributes
  based on the current LDAP data it contained. There is no way to
  validate synthetic attributes using code checkers, you can't search
  the code to find LDAP attribute accesses (because synthetic
  attriutes look like Python attributes instead of LDAP data) and
  error handling is circumscribed. Secondly __getattr__ was hiding
  Python internal methods which broke class semantics.

* Replace use of methods inherited from ldap.SimpleLDAPObject via
  IPAdmin class with IPAdmin methods. Directly using inherited methods
  was causing us to bypass IPA logic. Mostly this meant replacing the
  use of search_s() with getEntry() or getList(). Similarly direct
  access of the LDAP data in classes using IPAdmin were replaced with
  calls to getValue() or getValues().

* Objects returned by ldap2.find_entries() are now compatible with
  either the python-ldap access methodology or the Entity/Entry access
  methodology.

* All ldap operations now funnel through the common
  IPASimpleLDAPObject giving us a single location where we interface
  to python-ldap and perform conversions.

* The above 4 modifications means we've greatly reduced the
  proliferation of multiple inconsistent ways to perform LDAP
  operations. We are well on the way to having a single API in IPA for
  doing LDAP (a long range goal).

* All certificate subject bases are now DN's

* DN objects were enhanced thusly:
  - find, rfind, index, rindex, replace and insert methods were added
  - AVA, RDN and DN classes were refactored in immutable and mutable
    variants, the mutable variants are EditableAVA, EditableRDN and
    EditableDN. By default we use the immutable variants preserving
    important semantics. To edit a DN cast it to an EditableDN and
    cast it back to DN when done editing. These issues are fully
    described in other documentation.
  - first_key_match was removed
  - DN equalty comparison permits comparison to a basestring

* Fixed ldapupdate to work with DN's. This work included:
  - Enhance test_updates.py to do more checking after applying
    update. Add test for update_from_dict(). Convert code to use
    unittest classes.
  - Consolidated duplicate code.
  - Moved code which should have been in the class into the class.
  - Fix the handling of the 'deleteentry' update action. It's no longer
    necessary to supply fake attributes to make it work. Detect case
    where subsequent update applies a change to entry previously marked
    for deletetion. General clean-up and simplification of the
    'deleteentry' logic.
  - Rewrote a couple of functions to be clearer and more Pythonic.
  - Added documentation on the data structure being used.
  - Simplfy the use of update_from_dict()

* Removed all usage of get_schema() which was being called prior to
  accessing the .schema attribute of an object. If a class is using
  internal lazy loading as an optimization it's not right to require
  users of the interface to be aware of internal
  optimization's. schema is now a property and when the schema
  property is accessed it calls a private internal method to perform
  the lazy loading.

* Added SchemaCache class to cache the schema's from individual
  servers. This was done because of the observation we talk to
  different LDAP servers, each of which may have it's own
  schema. Previously we globally cached the schema from the first
  server we connected to and returned that schema in all contexts. The
  cache includes controls to invalidate it thus forcing a schema
  refresh.

* Schema caching is now senstive to the run time context. During
  install and upgrade the schema can change leading to errors due to
  out-of-date cached schema. The schema cache is refreshed in these
  contexts.

* We are aware of the LDAP syntax of all LDAP attributes. Every
  attribute returned from an LDAP operation is passed through a
  central table look-up based on it's LDAP syntax. The table key is
  the LDAP syntax it's value is a Python callable that returns a
  Python object matching the LDAP syntax. There are a handful of LDAP
  attributes whose syntax is historically incorrect
  (e.g. DistguishedNames that are defined as DirectoryStrings). The
  table driven conversion mechanism is augmented with a table of
  hard coded exceptions.

  Currently only the following conversions occur via the table:

  - dn's are converted to DN objects

  - binary objects are converted to Python str objects (IPA
    convention).

  - everything else is converted to unicode using UTF-8 decoding (IPA
    convention).

  However, now that the table driven conversion mechanism is in place
  it would be trivial to do things such as converting attributes
  which have LDAP integer syntax into a Python integer, etc.

* Expected values in the unit tests which are a DN no longer need to
  use lambda expressions to promote the returned value to a DN for
  equality comparison. The return value is automatically promoted to
  a DN. The lambda expressions have been removed making the code much
  simpler and easier to read.

* Add class level logging to a number of classes which did not support
  logging, less need for use of root_logger.

* Remove ipaserver/conn.py, it was unused.

* Consolidated duplicate code wherever it was found.

* Fixed many places that used string concatenation to form a new
  string rather than string formatting operators. This is necessary
  because string formatting converts it's arguments to a string prior
  to building the result string. You can't concatenate a string and a
  non-string.

* Simplify logic in rename_managed plugin. Use DN operators to edit
  dn's.

* The live version of ipa-ldap-updater did not generate a log file.
  The offline version did, now both do.

https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-08-12 16:23:24 -04:00
Alexander Bokovoy
1be46b322f Handle exceptions when establishing trusts
Translate exceptions produced by DCERPC bindings when establishing trusts.
There are two types of errors that may be produced by DCERPC bindings:
- RuntimeError with a text (RuntimeError('NT_STATUS_OBJECT_NAME_NOT_FOUND')
- RuntimeError with a numeric code and 'friendly' message

Error codes could have two prefixes:
  - NT error codes, start with NT_STATUS_ prefix
  - Windows error codes, start with WERR_ prefix

Full list of errors is available in Samba source code:
  libcli/util/ntstatus.h: NT_STATUS error codes
  libcli/util/werror.h: Windows error codes

Majority of errors returned when dealing with trusts are of NT_STATUS type,
these also include all typical POSIX errors mapped to corresponding NT errors.

Unfortunately, in the textual RuntimeError case very little can be done to
get better clarification of the error. More error paths will need to be added
as they will be discovered -- DCERPC error messaging is complex.

https://fedorahosted.org/freeipa/ticket/2868
2012-08-03 11:00:54 +02:00
Alexander Bokovoy
dadfbf9d15 Handle various forms of admin accounts when establishing trusts
Realm administrator account may be specified using different form:
Administrator, DOM\Administrator, Administrator@DOMAIN

This patch introduces handling of the second two forms:
- In DOM\Administrator only user name is used, short domain name
  is then taken from a discovered record from the AD DC
- In Administrator@DOMAIN first DOMAIN is verified to be the same
  as the domain we are establishing trust to, and then user name
  is taken, together with short domain name taken from a discovered
  record from the AD DC

Note that we do not support using to-be-trusted domain's trusted domains'
accounts to establish trust as there is basically zero chance to verify
that things will work with them. In addition, in order to establish trust
one needs to belong to Enterprise Admins group in AD or have specially
delegated permissions. These permissions are unlikely delegated to the
ones in already trusted domain.

https://fedorahosted.org/freeipa/ticket/2864
2012-07-18 16:55:57 +03:00
Alexander Bokovoy
a6ff85f425 Add support for external group members
When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.

https://fedorahosted.org/freeipa/ticket/2664
2012-06-28 16:53:33 +02:00
Alexander Bokovoy
4c92d0e729 get_fqdn() moved to ipaserver.installutils 2012-06-07 09:39:10 +02:00
Alexander Bokovoy
27517c2008 Use fully qualified PDC name when contacting for extended DN information 2012-06-07 09:39:09 +02:00
Alexander Bokovoy
a7420c1e83 Add trust management for Active Directory trusts 2012-06-07 09:39:09 +02:00