Commit Graph

15981 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
81401e6c01 ipatests: increase the timeout for test_hsm.py::TestHSMInstall
The test is often failing on timeout. Add 15min to the test definitions.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-08-05 21:23:27 +02:00
Rob Crittenden
e83d949c7f Log errors reported by adtrustinstance.check_inst() using logger
It previously only printed the issue which made troubleshooting
after the fact difficult. Using logger.error() provides the same
visual functionality but also logs to the server install log.

Fixes: https://pagure.io/freeipa/issue/9637

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-08-05 14:52:12 +02:00
Rob Crittenden
ffba69648a Force a logout in KerberosSession if a login is needed
Remove the client side cookie if a user possesses an IPA session
cookie and the associated credentials can't be found on the
server.

This handles the case where the ccaches are removed for some reason
(maybe cleanup, maybe a container was restarted) and allows for
a successful SSO if the user's Kerberos ticket is still valid.

Without this change the user is always dropped into the
username/password dialog. The only workaround is to remove
the cookie on the client side.

Fixes: https://pagure.io/freeipa/issue/9624

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-08-05 14:50:10 +02:00
Florence Blanc-Renaud
aadb8051d4 Replica CA installation: ignore time skew during initial replication
During a replica CA installation, the initial replication step may fail
if there is too much time skew between the server and replica.

The replica installer already takes care of this for the replication of
the domain suffix but the replica CA installer does not set
nssldapd-ignore-time-skew to on for o=ipaca suffix.

During a replica CA installation, read the initial value of
nssldapd-ignore-time-skew, force it to on, start replication and
revert to the initial value.

Apply the same logic to dsinstance and ipa-replica-manage force-sync.

Fixes: https://pagure.io/freeipa/issue/9635
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-08-01 09:51:11 +02:00
Alexander Bokovoy
7b5f3d7971 Get rid of unicode and long helpers in ipa-otptoken-import
Related: https://pagure.io/freeipa/issue/9641

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-31 16:20:31 -04:00
Alexander Bokovoy
fc02904340 ipalib/constants.py: factor out TripleDES use
Cryptography 43 started to warn that in version 48 it will remove
TripleDES support. Change the code to detect a missing TripleDES algorithm
and not fail.

Related: https://pagure.io/freeipa/issue/9641

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-31 16:20:31 -04:00
Alexander Bokovoy
7f9c890c04 ipalib/x509.py: get rid of unicode helper
Pylint started to complain that 'unicode' variable is accessed before
definition. This is clearly a bug in how 'six' and pylint are working
together.

Replace use of 'unicode()' by 'str()'.

Fixes: https://pagure.io/freeipa/issue/9644

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-31 16:20:31 -04:00
Alexander Bokovoy
531bd05de9 ipalib/x509.py: support Cryptography 43
Cryptography 43 added two new abstract methods to Certificate class of
which we are using one, public_key_algorithm_oid.

Fixes: https://pagure.io/freeipa/issue/9641

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-31 16:20:31 -04:00
Rob Crittenden
38b83c2b93 Run HSM validation as pkiuser to verify token permissions
Run all commands as pkiuser when validating that the HSM token
is available, that the token library path is correct and that
the password can read keys. This will avoid issues where the
initial validation is ok but the pkiuser is not granted read
access to some part of the token. This is very possible
when using softhsm2.

Fixes: https://pagure.io/freeipa/issue/9626

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-31 16:19:02 -04:00
Rob Crittenden
f03a96a7b9 ipatests: Fix usage of token_password_file
There were a few hardcoded places where it was set to
/tmp/token_passwd instead of using the class variable.

Don't rely on previous running tests installing the token
password file so they can be run individually.

Fixes: https://pagure.io/freeipa/issue/9603

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-31 16:17:27 -04:00
Mark Reynolds
0e4fbc3b0d ipa-migrate - properly handle invalid certificates
A ValueError is raised when an invalid certificate is used, so the tool
should handle this properly and not produce a stack trace.

Fixes: https://pagure.io/freeipa/issue/9642

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-31 16:14:49 -04:00
Florence Blanc-Renaud
2ddca5d5d5 spec file: do not use nodejs-22 on f39 and f40
Nodejs22 has been released on f39 and f40 and freeipa fails
to build with this version. Nodejs22 will be the default version
in f41+ and adds a symlink from /usr/bin/node-22 to /usr/bin/node
but on older fedora versions, the symlink is not created.
As our build is using /usr/bin/node command, it fails with
command not found.

Stick to Nodejs 20 on these older versions.

Fixes: https://pagure.io/freeipa/issue/9643

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-31 08:25:30 +02:00
Rob Crittenden
fdd471d55c Fix a copy/paste issue when detecting the HSM SELinux subpackage
I made a mistake when trying to detect which HSM is being used
to ensure that the appropriate SELinux subpackage is installed.

Fixes: https://pagure.io/freeipa/issue/9636

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-22 09:57:34 -04:00
Julien Rische
9f88188204 Remove RC4 and 3DES default encryption types on update
Fixes: https://pagure.io/freeipa/issue/9633

Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-19 08:44:49 -04:00
Julien Rische
d1a485a435 Unconditionally add MS-PAC to global config on update
Fixes: https://pagure.io/freeipa/issue/9632

Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-19 08:44:49 -04:00
Florence Blanc-Renaud
6eb6a92930 ipatests: remove xfail for test_ipa_migrate_stage_mode
The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1::test_ipa_migrate_stage_mode
is now passing; the issue has been fixed.

Related: https://pagure.io/freeipa/issue/9621

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
2024-07-19 08:39:21 -04:00
Florence Blanc-Renaud
de940802bb ipatests: remove xfail for test_ipa_migrate_version_option
The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1::test_ipa_migrate_version_option
is now passing; the issue has been fixed.
The -V option has been removed.

Related: https://pagure.io/freeipa/issue/9620

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
2024-07-19 08:39:21 -04:00
Mark Reynolds
85a853ba93 Issue 9621 - ipa-migrate - should not update mapped attributes in managed entries
We should not migrate mapped attributes (uidNumber, gidNumber) from
managed entries.

We should also not migrate DNA ranges in staging mode.

Fixes: https://pagure.io/freeipa/issue/9621

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-17 09:17:17 +02:00
Anuja More
8b703150a4 ipatests: Test replica installation using AD admin.
Test to verify that the replica connection check is not failing when
the AD administrator Administrator@AD.EXAMPLE.COM is
used for the deployment or promotion of a replica.

Related: https://pagure.io/freeipa/issue/9542

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-07-17 09:11:13 +02:00
Alexander Bokovoy
051d61fdc3 ipa-pwd-extop: differentiate OTP requirements in LDAP binds
For users who have no OTP tokens defined (yet), a missing token should
not be seen as a failure. This is needed to allow a basic password
change.

The logic around enforcement of OTP over LDAP bind is the following:
----------------------------------------------------------------------
- when LDAP OTP control is requested by the LDAP client, OTP is
  explicitly required
- when EnforceLDAPOTP is set in the IPA configuration, OTP is implicitly
  required, regardless of the state of the LDAP client

In either case, only users with 'user-auth-type: otp' are allowed to
authenticate.

If these users have no OTP token associated yet, they will be allowed to
authenticate with their password. This is to allow initial password
change and adding an OTP token.
----------------------------------------------------------------------

Implement a test that simulates the lifecycle of a new user who gets to change
their password before adding an OTP token.

Related: https://pagure.io/freeipa/issue/5169

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-17 09:06:14 +02:00
Sudhir Menon
ab47696fa6 Added new testsuite (ipa_ipa_migration) in prci definitions
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-15 17:26:53 -04:00
Mark Reynolds
eeade50933 ipa-migrate - starttls does not work
We were previously taking the provided ca cert and creating a temporary
file from it. This was incorrect and caused the secure connection to
fail. Instead just use the file path provided.

Fixes: https://pagure.io/freeipa/issue/9619

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-15 17:22:19 -04:00
Rob Crittenden
6c53a22a2c Include token password options in ipa-kra-install man page
Related: https://pagure.io/freeipa/issue/9603

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-15 10:26:54 -04:00
Mohammad Rizwan
4ea1ad6aca ipatests: tests related to --token-password-file
Test automation added around the --token-password-file
option for server/replica/kra install.

Related: https://pagure.io/freeipa/issue/9603

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-15 10:26:54 -04:00
Rob Crittenden
7ab1bcb2d3 Re-organize HSM validation to be more consistent/less duplication
hsm_validator() was more or less bolted in place late in the
development cycle in order to catch some of the more common
problems: bad token name, bad password, etc.

There was a fair bit of duplication, which had the side-effect of not
reading in the token password from the --token-password-file option
in some cases.

This patch also re-adds a lost feature where an exception is raised if
both the --token-password and --token-password-file options are passed
in.

This also needs to be enforced on initial server, replica and when
called by ipa-kra-install. Given that each has a unique subject of
options some duplication remains.

Fixes: https://pagure.io/freeipa/issue/9603

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-15 10:26:54 -04:00
Rob Crittenden
1b278de4ab Fix syntax error in the selinux-luna %postun script
It was missing a trailing fi.

This bad syntax was preventing cleanup of the
{free}ipa-selinux-luna SELinux module:

Running scriptlet: freeipa-selinux-luna-4.12.0.dev202402211727+git0ee   34/44
/var/tmp/rpm-tmp.qoCDFi: line 16: syntax error: unexpected end of file
warning: %postun(freeipa-selinux-luna-4.12.0.dev202402211727+git0eeecdcec-0.fc37.noarch) scriptlet failed, exit status

Fixes: https://pagure.io/freeipa/issue/9629

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-07-12 08:32:35 +02:00
Mark Reynolds
efa5719363 ipa-migrate - remove -V option
The versioning in ipa-migrate was removed, but the "-V" option to display the version was not removed.

Fixes: https://pagure.io/freeipa/issue/9620

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-11 13:59:16 +02:00
Shunsuke matsumoto
06c02f5f2c The -d option of the ipa-advise command was able to be used.
The -d option of the ipa-advise command was unavailable, so the default value was changed to True to enable its use.

Fixes: https://pagure.io/freeipa/issue/9625
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-07-11 10:30:59 +02:00
Thomas Woerner
a8e75bbb77 ipa_sidgen: Allow sidgen_task to continue after finding issues
find_sid_for_ldap_entry could fail in several ways if a Posix ID can not
be converted to an unused SID. This could happen for example for duplicate
IDs or users/groups out of range.

This change enables ipa_sidgen_task to continue in the error case to try
to convert the entries without errors. The error messages have been
extended to additionally show the DN string for the bad entries.

Fixes: https://pagure.io/freeipa/issue/9618

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-07-08 16:39:16 +02:00
Florence Blanc-Renaud
d635d70110 test_replica_install_after_restore: kinit after restore
After uninstall and restore, kinit is required before
launching any ipa command.

Related: https://pagure.io/freeipa/issue/9613
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-08 15:26:24 +02:00
Florence Blanc-Renaud
6fe268af5b Uninstall: stop sssd-kcm before removing KCM ccaches database
The service is socket-activated and will be restarted whenever
needed. It must be stopped before the database is removed
otherwise it fails to recreate the file.

Fixes: https://pagure.io/freeipa/issue/9616
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-08 15:26:24 +02:00
Florence Blanc-Renaud
2f902efd0e ipa-ods-enforcer: stop must also stop the socket
ipa-ods-enforcer is a socket-activated service. In order to fully stop
the service, IPA needs to call
systemctl stop ipa-ods-enforcer.service ipa-ods-enforcer.socket
otherwise the socket remains active (listening) and can restart the
service.

A consequence of the issue is the backup / uninstall / restore
scenario that is failing to sign the zones. The uninstaller removes
the socket /run/opendnssec/engine.sock but leaves the ipa-ods-enforcer.socket
active. A subsequent restore or install will not re-create the socket.

Fixes: https://pagure.io/freeipa/issue/9613
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-08 15:26:24 +02:00
Sudhir Menon
90b22ff888 ipatests: Tests for ipa-ipa migration tool
This patch includes tests for ipa-ipa migration
tool

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mark Reynolds <mreynolds@redhat.com>
2024-07-08 15:21:04 +02:00
TAKAHASHI Masatsuna
52ea4ad46e ipa-advise ipa-backup ipa-restore: Fix --v option of the manual.
Specifying the --v option results in an error.
The --v option is incorrect and should be -v.

Fixes: https://pagure.io/freeipa/issue/9617
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-07-04 17:48:04 +02:00
Florence Blanc-Renaud
48ff7da5cb ipatests: fix / permissions for test_nested_group_members
The test test_nested_group_members is performing an ssh login
with a private key and this command may fail if the root directory
does not have the right permissions on the ssh server
(see https://access.redhat.com/solutions/6798261).

Ensure that / has 755 before launching the test.

Fixes: https://pagure.io/freeipa/issue/9615
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2024-07-02 08:53:03 +02:00
Rob Crittenden
9e364910f5 Clean up more files and directories created by the installer(s)
Ideally all files created during an IPA server installation are
removed by the uninstaller. Some files are purposefully left,
like token passwords, private keys, logs and more. Add an
allow list for those files.

Include a test to catch any additional files that may be created
and left behind.

Fixes: https://pagure.io/freeipa/issue/8080

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-06-26 13:30:48 +02:00
Florence Blanc-Renaud
60c127d197 ipatests: fix / permissions to allow ssh with private key
The test test_ssh_key_connection is performing an ssh login
with a private key and this command may fail if the root directory
does not have the right permissions on the ssh server
(see https://access.redhat.com/solutions/6798261).

Ensure that / has 755 before launching the test.

Fixes: https://pagure.io/freeipa/issue/9607

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2024-06-26 09:50:34 +02:00
Florence Blanc-Renaud
4521fe5f91 ipatests: mark test_ca_show_error_handling as xfail
With PKI 11.5.0, the test
 test_cert.py::TestCAShowErrorHandling::test_ca_show_error_handling
is failing with an exception and a different error message.
Mark as xfail until PKI provides a fix.

Related: https://pagure.io/freeipa/issue/9606
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2024-06-26 09:50:34 +02:00
Florence Blanc-Renaud
58154be74f ipatests: configure gating and nightly tests on ipa-4-12 branch
Update the pipelines for ipa-4-12 branch:
- run tests on fedora 40
- use the vagrant image freeipa/ci-ipa-4-12-f40

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2024-06-26 09:50:34 +02:00
Florence Blanc-Renaud
467ec04f93 ipatests: add test for PKINIT renewal on hidden replica
Test scenario: on a hidden replica, force the renewal of
PKINIT cert by calling getcert resubmit.

Related: https://pagure.io/freeipa/issue/9611
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-06-26 07:36:53 +02:00
Florence Blanc-Renaud
c8e3fdeb00 PKINIT certificate: fix renewal on hidden replica
The renewal of PKINIT cert on hidden replica is failing because
of a test ensuring that the KDC service is either enabled or
configured. The test needs to be extended and allow hidden, too.

Fixes: https://pagure.io/freeipa/issue/9611
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-06-26 07:36:53 +02:00
Florence Blanc-Renaud
4d51446bd3 ipatests: add test for ticket 9610
Test scenario:
- ensure there is no /etc/ssh/ssh_config.orig file
- force ipa-client package reinstallation
- ensure no backup file is created in /etc/ssh/ssh_config.orig

Related: https://pagure.io/freeipa/issue/9610
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2024-06-24 14:51:38 +02:00
Florence Blanc-Renaud
09e66dc936 spec file: do not create /etc/ssh/ssh_config.orig if unchanged
The upgrade removes the line
HostKeyAlgorithms ssh-rsa,ssh-dss
if present in /etc/ssh/ssh_config and creates a backup in
/etc/ssh/ssh_config.orig, even if no change was applied.

Create the backup file only if the file was changed.

Fixes: https://pagure.io/freeipa/issue/9610

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2024-06-24 14:51:38 +02:00
Florence Blanc-Renaud
9de053ef02 ipa-otptoken-import: open the key file in binary mode
ipa-otptoken-import provides an option (-k KEYFILE) to import
an encrypted PSKC file but this option does not work with python3
in RHEL8 and above, because the key should be passed in binary
format to the cryptography functions instead of string format.

Open the keyfile in binary mode to pass the expected format.

Fixes: https://pagure.io/freeipa/issue/9609
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-06-18 08:46:14 +02:00
Rob Crittenden
ebccaac3cf Add iparepltopoconf objectclass to topology permissions
The domain and ca objects were unreadable which caused
the connection lines between nodes in the UI to not be
visible.

Also add a manual ACI to allow reading the min/max
domain level.

Fixes: https://pagure.io/freeipa/issue/9594

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2024-06-12 16:43:25 -04:00
Rob Crittenden
584d0cecbc Use a unique task name for each backend in ipa-backup
The name used to be "export_%Y_%m_%d_%H_%M_%S" so if the tasks
were added within the same second the second backend would fail.

Add the backend name to the task name to ensure uniqueness.
export_{backend}_%Y_%m_%d_%H_%M_%S

Fixes: https://pagure.io/freeipa/issue/9584

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mark Reynolds <mreynolds@redhat.com>
2024-06-10 14:59:18 -04:00
Antonio Torres
5b3735b09d Bump minor version number
Signed-off-by: Antonio Torres <antorres@redhat.com>
2024-06-10 12:46:37 +02:00
Julien Rische
4a61184da6 kdb: apply combinatorial logic for ticket flags
The initial design for ticket flags was implementing this logic:
* If a ticket policy is defined for the principal entry, use flags from
  this policy if they are set. Otherwise, use default ticket flags.
* If no ticket policy is defined for the principal entry, but there is a
  global one, use flags from the global ticket policy if they are set.
  Otherwise, use default ticket flags.
* If no policy (principal nor global) is defined, use default ticket
  flags.

However, this logic was broken by a1165ffb which introduced creation of
a principal-level ticket policy in case the ticket flag set is modified.
This was typically the case for the -allow_tix flag, which was set
virtually by the KDB driver when a user was locked until they initialize
their password on first kinit pre-authentication.

This was causing multiple issues, which are mitigated by the new
approach:

Now flags from each level are combined together. There are flags like
+requires_preauth which are set systematically by the KDB driver, as
well as -allow_tix which is set based on the value of "nsAccountLock".
This commit also adds the implicit -allow_svr ticket flag for user
principals to protect users against Kerberoast-type attacks. None of
these flags are stored in the LDAP database, they are hard-coded in the
KDB driver.

In addition to these "virtual" ticket flags, flags from both global and
principal ticket policies are applied (if these policies exist).

Principal ticket policies are not supported for hosts and services, but
this is only an HTTP API limitation. The "krbTicketPolicyAux" object
class is supported for all account types. This is required for ticket
flags like +ok_to_auth_as_delegate. Such flags can be set using "ipa
host-mod" and "ipa service-mod", or using kadmin's "modprinc".

It is possible to ignore flags from the global ticket policy or default
flags like -allow_svr for a user principal by setting the
"final_user_tkt_flags" string attribute to "true" in kadmin. In this
case, any ticket flag can be configured in the principal ticket policy,
except requires_preauth and allow_tix.

When in IPA setup mode (using the "ipa-setup-override-restrictions" KDB
argument), all the system described above is disabled and ticket flags
are written in the principal ticket policy as they are provided. This is
required to initialize the Kerberos LDAP container during IPA server
installation.

This fixes CVE-2024-3183

Signed-off-by: Julien Rische <jrische@redhat.com>
2024-06-10 12:46:05 +02:00
Julien Rische
f77c0a573c kdb: fix vulnerability in GCD rules handling
The initial implementation of MS-SFU by MIT Kerberos was missing a
condition for granting the "forwardable" flag on S4U2Self tickets.
Fixing this mistake required adding a special case to the
check_allowed_to_delegate() function: if the target service argument is
NULL, then it means the KDC is probing for general constrained
delegation rules, not actually checking a specific S4U2Proxy request.

In commit e86807b5, the behavior of ipadb_match_acl() was modified to
match the changes from upstream MIT Kerberos a441fbe3. However, a
mistake resulted in this mechanism applying in cases where the target
service argument is set AND unset. This results in S4U2Proxy requests
being accepted regardless of whether there is a matching service
delegation rule or not.

This vulnerability does not affect services having RBCD (resource-based
constrained delegation) rules.

This fixes CVE-2024-2698

Signed-off-by: Julien Rische <jrische@redhat.com>
2024-06-10 12:46:05 +02:00
Antonio Torres
ea37593786 Back to git snapshots
Signed-off-by: Antonio Torres <antorres@redhat.com>
2024-05-28 16:26:57 +02:00