This plugin prevents the deletion or deactivation of the last
valid token for a user. This prevents the user from migrating
back to single factor authentication once OTP has been enabled.
Thanks to Mark Reynolds for helping me with this patch.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
C99 is supported on all compilers we target and
provides some useful features, including:
* Standard struct initializers
* Compound literals
* For-loop declarations
* Standard bool type
* Variable arrays (use with caution)
* Too many others to mention...
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This handles the case where a user is configured for OTP in ipaUserAuthType,
but the user has not yet created any tokens. Until the user creates tokens,
the user should still be able to log in via password. This logic already
exists in LDAP, but ipa-kdb needs to perform the same validation to know
what data to return to the KDC.
https://fedorahosted.org/freeipa/ticket/4154
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When ipa-lockout plugin is started during FreeIPA server installation,
the default realm may not be available and plugin should then not end
with failure.
Similarly to other plugins, start in degraded mode in this situation.
Operation is fully restored during the final services restart.
https://fedorahosted.org/freeipa/ticket/4085
krbPwdPolicyReference is no longer filled default users. Instead, plugins
fallback to hardcoded global policy reference.
Fix ipa-lockout plugin to fallback to it instead of failing to apply
the policy.
https://fedorahosted.org/freeipa/ticket/4085
The KDB driver does not walk the tree back like the original password plugin.
Also we do not store the default policy in the base DN as we used to do in the
past anymore.
So doing a full subtree search and walking back the tree is just a waste of
time.
Instead hardcode the default policy like we do in the kdb driver.
Fixes: https://fedorahosted.org/freeipa/ticket/4085
For NETLOGON_NT_VERSION_5EX requests the prepended \\ is not expected in
the PDC NetBIOS name. In general AD seems to be smart enough to handle
the two \ signs. But if the NetBIOS name reaches the maximum of 15
character AD does not accept the responses anymore.
Fixes https://fedorahosted.org/freeipa/ticket/4028
The CLDAP DS plugin uses the uppercased first segment of the fully
qualified hostname as the NetBIOS name. We need to limit its size
to 15 characters.
https://fedorahosted.org/freeipa/ticket/4028
When Directory Manager or a PassSync agent is changing a password,
it is not being expired, but standard expiration time should apply.
However, default expiration time was always applied (90 days)
even though administrator may have a custom policy for the user.
https://fedorahosted.org/freeipa/ticket/3968
There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos
key is available for the corresponding user. This is typically triggered
by samba via the ipa_sam passdb plugin. The principal used by samba to
connect to the IPA directory server has the right to modify ipaNTHash
but no other password attribute. This means that the current check on
the userPassword attribute is too strict for this case and leads to a
failure of the whole operation.
With this patch the access right on ipaNTHash are checked if no other
password operations are requested.
When MS-PAC information is re-initialized, record also parent-child
relationship between trust root level domain and its subdomains.
Use parent incoming SID black list to check if child domain is not
allowed to access IPA realm.
We also should really use 'cn' of the entry as domain name.
ipaNTTrustPartner has different meaning on wire, it is an index
pointing to the parent domain of the domain and will be 0 for top
level domains or disjoint subdomains of the trust.
Finally, trustdomain-enable and trustdomain-disable commands should
force MS-PAC cache re-initalization in case of black list change.
Trigger that by asking for cross-realm TGT for HTTP service.
When client principal requests for a ticket for a server principal
and we have to perform transition, check that all three belong to either
our domain or the domains we trust through forest trusts.
In case all three realms (client, transition, and server) match
trusted domains and our domain, issue permission to transition from client
realm to server realm.
Part of https://fedorahosted.org/freeipa/ticket/3909
We don't store trust type, attributes, and direction for subdomains
of the existing trust. Since trust is always forest level, these parameters
can be added as defaults when they are missing.
Currently the CLDAP plugin determines the IPA domain name by reading
the current host name and splitting of the domain part. But since an IPA
server does not have to be in a DNS domain which has the same name as
the IPA domain this may fail. The domain name was used to search the
ipaNTDomainAttrs object, but since this object is unique in the tree it
is sufficient to use the objectclass in the search filter. Now the IPA
domain can be read from the ipaNTDomainAttrs object as well.
Fixes https://fedorahosted.org/freeipa/ticket/3941
We store Kerberos realm configuration in cn=REALM,cn=kerberos,$SUFFIX.
Along other configuration options, this container has list of default
supported encryption types, in krbDefaultEncSaltTypes.
Fetch krbDefaultEncSaltTypes value on ipa-sam initialization and convert
discovered list to the mask of supported encryption types according to
security.idl from Samba:
typedef [public,bitmap32bit] bitmap {
KERB_ENCTYPE_DES_CBC_CRC = 0x00000001,
KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002,
KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004,
KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
} kerb_EncTypes;
Part of https://fedorahosted.org/freeipa/ticket/3898
We used to handle some of code paths to free memory allocated by the LDAP library
but there are few more unhandled. In addition, search result wasn't freed on successful
initialization, leaking for long time.
https://fedorahosted.org/freeipa/ticket/3913
When trust is established, last step done by IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in trust object entry
which is not allowed by ACI.
Additionally, wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd which prevented even to
reach the point where ipa-sam would be asked to modify the trust object.
There is no risk of crash here as slapi_valueset_first_value() can handle
the case where the valueset is NULL, but there is no point in calling that
if we know there are no values.
https://fedorahosted.org/freeipa/ticket/3880
If we do not store the keys in the entry we need to free the array before
continuing or the data is leaked.
CoverityID: 11910
Fixes:
https://fedorahosted.org/freeipa/ticket/3884
This memset was harmless as the following data is then set again, but an
optimizing compiler might conceivably reorder instructions causing issues.
CoverityID: 11909
Fixes:
https://fedorahosted.org/freeipa/ticket/3883
Differences in the python byte code fails in a build validation
(rpmdiff) done on difference architecture of the same package.
This patch:
1) Ensures that timestamps of generated *.pyo and *.pyc files match
2) Python integer literals greater or equal 2^32 and lower than 2^64
are converted to long right away to prevent different type of
the integer on architectures with different size of int
https://fedorahosted.org/freeipa/ticket/3858
When trust is established, we also create idrange for the trusted domain.
With FreeIPA 3.3 these ranges can have different types, and in order to
detect which one is to create, we need to do lookup at AD LDAP server.
Such lookup requires authenticated bind. We cannot bind as user because
IPA framework operates under constrained delegation using the user's
credentials and allowing HTTP/ipa.server@REALM to impersonate the user
against trusted domain's services would require two major things:
- first, as we don't really know exact AD LDAP server names (any AD DC
can be used), constrained delegation would have to be defined against
a wild-card
- second, constrained delegation requires that target principal exists
in IPA LDAP as DN.
These two together limit use of user's ticket for the purpose of IPA
framework looking up AD LDAP.
Additionally, immediately after trust is established, issuing TGT with
MS-PAC to HTTP/ipa.server@REALM may fail due to the fact that KDB driver
did not yet refreshed its list of trusted domains -- we have limited
refresh rate of 60 seconds by default.
This patch makes possible to force re-initialization of trusted domains'
view in KDB driver if we are asked for TGT for HTTP/ipa.server@REALM.
We will need to improve refresh of trusted domains' view in KDB driver
in future to notice changes in cn=etc,$SUFFIX tree automatically.
This improvement is tracked in https://fedorahosted.org/freeipa/ticket/1302 and
https://fedorahosted.org/freeipa/ticket/3626
Part of https://fedorahosted.org/freeipa/ticket/3649
We need KDC hostname for several purposes:
- short-circuit detection of principals on the same server as KDC
- generating NetBIOS name
Make sure we cache hostname information on startup and use it
instead of detecting the hostname in run-time. This will miss the
case that KDC hostname got changed but such cases are not supported
anyway without restarting KDC and making changes to principals.
MS-PAC is required to be present in TGT if one wants to connect to
AD services using this TGT. Users get MS-PAC by default, SSSD in
ipa_server_mode uses host/fqdn@REALM principal to talk to AD LDAP.
This patch enables other services running on IPA master to connect
to AD services. This is required for IPA python code doing discovery
of remote AD domain settings shortly after IPA-AD trust has been
established.
extdom plugin handles external operation over which SSSD asks IPA server about
trusted domain users not found through normal paths but detected to belong
to the trusted domains associated with IPA realm.
SSSD expects that user or group name in the response will be unqualified
because domain name for the user or group is also included in the response.
Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully
qualified name which includes the domain name we are asked to handle.
The code already expects that fully-qualified names are following user@domain
convention so we are simply tracking whether '@' symbol is present and is followed
by the domain name.
With the new ipa_server_mode SSSD is able to read user and group data
from trusted AD domains directly and makes this data available via the
NSS responder. With this mode enabled winbind is not needed anymore to
lookup users and groups of trusted domains.
This patch removed the calls to winbind from the extdom plugin and
replaces them with standard POSIX calls like getpwnam() and calls from
libsss_nss_idmap to lookup SIDs.
Fixes https://fedorahosted.org/freeipa/ticket/3637 because now the
extdom plugin does not need to handle idranges anymore, but everything
is done inside SSSD.
For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is
needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
of a trusted domain with the credentials of a FreeIPA server host a
PAC must be added to the TGT for the host.
We use the well know RID of the Domain Computers group (515) for the
primary gid element of the PAC, this is the same as AD uses for host
tickets. The rid element of the PAC is set to the well know RID of the
Domain Controllers group (516). This is working for the SSSD use case
but might be improved later for more general use cases.
To determine if a host is a FreeIPA server or not it is checked if there
is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
this requires an additional LDAP lookup. But since TGS-REQs for hosts
should be rare I think it is acceptable for the time being.
Fixes https://fedorahosted.org/freeipa/ticket/3651
This was to resolve a -Werror=format-security error.
ipa_extdom_extop.c: In function 'ipa_extdom_extop':
ipa_extdom_extop.c:144:9: error: format not a string literal and no format
arguments [-Werror=format-security]
Windows DCs return an empty reply when a legal request cannot satisfied.
If we get EINVAL or ENOENT it means the information requested could not be
found or input parameters were bogus.
Always return an empty reply in these cases.
On any other internal error just return, the request may have been legit but we
can't really handle it right now, pretend we never saw it and hope the next
attempt will succeed.
Fixes: https://fedorahosted.org/freeipa/ticket/3639
Signed-off-by: Simo Sorce <simo@redhat.com>
1. Stop using getdomainname() as it is often not properly initialized
2. The code using getdomainname() was not working anyway it was trying to
look at the function call output in hostname which is always empty at that
point.
3. Always check the requested domain matches our own, we cannot reply to
anything else anyway.
Pre-requisite to fix: https://fedorahosted.org/freeipa/ticket/3639
Signed-off-by: Simo Sorce <simo@redhat.com>
This daemon listens for RADIUS packets on a well known
UNIX domain socket. When a packet is received, it queries
LDAP to see if the user is configured for RADIUS authentication.
If so, then the packet is forwarded to the 3rd party RADIUS server.
Otherwise, a bind is attempted against the LDAP server.
https://fedorahosted.org/freeipa/ticket/3366http://freeipa.org/page/V3/OTP
If OTP is enabled for a user, then:
1. Long-term keys are not provided to KDB
2. The user string 'otp' is defined to KDB
Since it is not secure to send radius configuration information
over krb5 user strings, we simply set the string to a known default
('[]') which enables the default configuration in the KDC.
https://fedorahosted.org/freeipa/ticket/3561http://freeipa.org/page/V3/OTP
Request with a SID as input parameter do not contain the domain name,
hence is must be tried to resolve the SID first before the corresponding
domain can be looked up.
https://fedorahosted.org/freeipa/ticket/3596
PASSDB API in Samba adds support for specifying UPN suffixes. The change
in ipasam will allow to pass through list of realm domains as UPN suffixes
so that Active Directory domain controller will be able to recognize
non-primary UPN suffixes as belonging to IPA and properly find our KDC
for cross-realm TGT.
Since Samba already returns primary DNS domain separately, filter it out
from list of UPN suffixes.
Also enclose provider of UPN suffixes into #ifdef to support both
Samba with and without pdb_enum_upn_suffixes().
Part of https://fedorahosted.org/freeipa/ticket/2848
cmocka is a more advanced unit test framework for C-code than the
currently used check framework. This patch adds configure checks and
makefile variables so that new unit tests can use cmocka.
Fixes https://fedorahosted.org/freeipa/ticket/3434
The plugin is configured unconditionally (i.e. does not check if
IPA was configured with DNS) as the plugin is needed on all
replicas to prevent objectclass violations due to missing SOA
serial in idnsZone objectclass. The violation could happen if just
one replica configured DNS and added a new zone.
https://fedorahosted.org/freeipa/ticket/3347
Default value "1" is added to replicated idnsZone objects
if idnsSOASerial attribute is missing.
https://fedorahosted.org/freeipa/ticket/3347
Signed-off-by: Petr Spacek <pspacek@redhat.com>
There were several problems:
- A cut-n-paste error where the wrong value was being considered when
an account was administratively unlocked.
- An off-by-one error where LDAP got one extra bind attempt.
- krbPwdPolicyReference wasn't being retrieved as a virtual attribute so
only the global_policy was used.
- The lockout duration wasn't examined in the context of too many failed
logins so wasn't being applied properly.
- Lockout duration wasn't used properly so a user was effectively unlocked
when the failure interval expired.
- krbLastFailedAuth and krbLoginFailedCount are no longer updated past
max failures.
https://fedorahosted.org/freeipa/ticket/3433
The way how unhashed password is stored in the entry was changed in
389-ds-base-1.3.0, it is now stored in an entry extension rather than
in a magic attribute unhashed#user#password. New API using an entry
extension was introduced. ipa-pwd-extop should take advantage of the
new API as the old one will be removed in 389-ds-base-1.3.1.
https://fedorahosted.org/freeipa/ticket/3439
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.
For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.
Tests included
https://fedorahosted.org/freeipa/ticket/2886
Any of the following checks:
- overlap between primary RID range and secondary RID range
- overlap between secondary RID range and secondary RID range
is performed now only if both of the ranges involved are local
domain ranges.
https://fedorahosted.org/freeipa/ticket/3391
Instead of always adding a PAC to the Kerberos ticket the global default
for the authorization data and the authorization data of the service
entry is evaluated and the PAC is added accordingly.
https://fedorahosted.org/freeipa/ticket/2960
The ipaKrbAuthzData LDAP attribute is read together with the other data
of the requestedprincipal and the read value(s) are stored in the e-data
of the entry for later use.
https://fedorahosted.org/freeipa/ticket/2960
Since we use associatedDomain attribute to store information about UPN suffixes
and our own domain, searching subtree is going to return more than one entry.
Limit search for own domain by base scope as we only need to fetch our own
domain information here, not UPN suffixes.
Required for https://fedorahosted.org/freeipa/ticket/2945
Currently kdb5kdc crashes on exit if the ipadb KDB modules is loaded and trusts
are configured. The reason is the talloc autofree context which get initialised
during the ndr_push_union_blob() call. On exit the KDC module is unloaded an
later on atexit() tries to free the context, but all related symbols are
already unloaded with the module.
This patch frees the talloc autofree context during the cleanup routine of the
module. Since this is called only at exit and not during normal operations this
is safe even if other KDC plugins use the talloc autofree context, e.g. via
some Samba libraries, as well.
Fixes https://fedorahosted.org/freeipa/ticket/3410
This function retried an LDAP search when the result was OK due to
flawed logic of retry detection (ipadb_need_retry function which
returns true when we need retry and not 0).
https://fedorahosted.org/freeipa/ticket/3413
All known memory leaks caused by unfreed allocated memory or unfreed
LDAP results (which should be also done after unsuccessful searches)
are fixed.
https://fedorahosted.org/freeipa/ticket/3413
SIDs in incoming MS-PAC were checked and filtered with a fixed list of
well-known SIDs. Allow reading the SID blacklist from LDAP
(ipaNTSIDBlacklistIncoming and ipaNTSIDBlacklistOutgoing) and add the list
to mspac adtrust structure. Use the hardcoded SID list only if the LDAP
SID list is not configured.
LIMITATION: SID blacklist list is not used yet.
https://fedorahosted.org/freeipa/ticket/3289
ipa-kdb did not reinitialize trusted domain configuration when it
was loaded to ipa-kdb. However, admin then would have to restart
krb5kdc if he wanted to apply the change to running krb5kdc service.
Run ipadb_reinit_mspac unconditionally every time when trusted domain
is loaded. Among the already configured 1 minute grace time, also
add a quick check if there is at least one configured trusted domain
before reinitializing the mspac structure.
https://fedorahosted.org/freeipa/ticket/3289
When all SIDs in info3.sids structure were filtered out, we tried
to talloc_realloc to zero memory size. talloc_realloc then returned
NULL pointer and filter_login_info returned with ENOMEM.
The code now rather frees the SID array and set info3.sidcount to
correct value.
Since in Kerberos V5 are used 32-bit unix timestamps, setting
maxlife in pwpolicy to values such as 9999 days would cause
integer overflow in krbPasswordExpiration attribute.
This would result into unpredictable behaviour such as users
not being able to log in after password expiration if password
policy was changed (#3114) or new users not being able to log
in at all (#3312).
The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver.
https://fedorahosted.org/freeipa/ticket/3312https://fedorahosted.org/freeipa/ticket/3114
Windows 2012 Server changed procedure how KERB_VALIDATION_INFO ([MS-PAC]
section 2.5) is populated. Detailed description is available in [MS-KILE]
version 25.0 and above.
Refactor KERB_VALIDATION_INFO verification and ensure we filter out extra
SIDs in case they belong to our domain.
https://fedorahosted.org/freeipa/ticket/3231
Wrap the password change extop in a transaction.
Fix the case where a password is reset and then immediately used. If done
fast enough then the KDC may not detect that the password is expired and
grant access using the expired password rather than prompting for a reset.
https://fedorahosted.org/freeipa/ticket/1064
Ther3 are two global ipaConfig options to disable undesirable writes that
have performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.
https://fedorahosted.org/freeipa/ticket/2734
Currently only the group SIDs from a PAC are used to find out about the
membership in local groups. This patch adds the user SID to the list.
Fixes https://fedorahosted.org/freeipa/ticket/3257
The current Linux NFS server is severely limited when it comes to handling
kerberos tickets. Bsically any ticket bigger than 2k will cause it to fail
authentication due to kernel->userspace upcall interface restrictions.
Until we have additional support in IPA to indivdually mark principals to
opt out of getting PACs attached we always prevent PACs from being attached
to TGTs or Tickets where NFS is involved.
Commands ipa idrange-add / idrange-mod no longer allows the user
to enter primary or secondary rid range such that has non-zero
intersection with primary or secondary rid range of another
existing id range, as this could cause collision.
Unit tests added to test_range_plugin.py
https://fedorahosted.org/freeipa/ticket/3086
Currently the data about trusted domains is read once at startup. If a
new trust is added the KDC must be restarted to know about the new
trust. This patch reloads the trust data if there is a request from an
unknown domain. To make DOS attacks a bit harder the data can be updated
only once in a minute.
Fixes https://fedorahosted.org/freeipa/ticket/3156
If match_entry == NULL all principals should be iterated.
Additionally this patch adds a check in ipadb_filter_escape() to make
sure that the input is not NULL.
Fixes: https://fedorahosted.org/freeipa/ticket/3011
With this change ipasam is able to ask for ipaNTHash generation and if
corresponding Kerberos key is available, will be able to retrieve generated ipaNTHash.
Part 1 of https://fedorahosted.org/freeipa/ticket/3016
When developing and testing in the same environment, multiple re-installs
may be needed. This means previously issued and cached Kerberos credentials
will become invalid upon new install.
ipasam passdb module for Samba uses Kerberos authentication when talking to
IPA LDAP server. Obtained Kerberos credentials are cached during their lifetime.
However, the ccache is not removed automatically and if IPA setup is made
again, cached credentials are used, only to discover that they are invalid.
With this change invalid correctly obtained cached credentials are recognized
and, if LDAP SASL bind fails, new credentials are requested from the KDC.
https://fedorahosted.org/freeipa/ticket/3009
