This was to resolve a -Werror=format-security error.
ipa_extdom_extop.c: In function 'ipa_extdom_extop':
ipa_extdom_extop.c:144:9: error: format not a string literal and no format
arguments [-Werror=format-security]
Windows DCs return an empty reply when a legal request cannot satisfied.
If we get EINVAL or ENOENT it means the information requested could not be
found or input parameters were bogus.
Always return an empty reply in these cases.
On any other internal error just return, the request may have been legit but we
can't really handle it right now, pretend we never saw it and hope the next
attempt will succeed.
Fixes: https://fedorahosted.org/freeipa/ticket/3639
Signed-off-by: Simo Sorce <simo@redhat.com>
1. Stop using getdomainname() as it is often not properly initialized
2. The code using getdomainname() was not working anyway it was trying to
look at the function call output in hostname which is always empty at that
point.
3. Always check the requested domain matches our own, we cannot reply to
anything else anyway.
Pre-requisite to fix: https://fedorahosted.org/freeipa/ticket/3639
Signed-off-by: Simo Sorce <simo@redhat.com>
Request with a SID as input parameter do not contain the domain name,
hence is must be tried to resolve the SID first before the corresponding
domain can be looked up.
https://fedorahosted.org/freeipa/ticket/3596
The plugin is configured unconditionally (i.e. does not check if
IPA was configured with DNS) as the plugin is needed on all
replicas to prevent objectclass violations due to missing SOA
serial in idnsZone objectclass. The violation could happen if just
one replica configured DNS and added a new zone.
https://fedorahosted.org/freeipa/ticket/3347
Default value "1" is added to replicated idnsZone objects
if idnsSOASerial attribute is missing.
https://fedorahosted.org/freeipa/ticket/3347
Signed-off-by: Petr Spacek <pspacek@redhat.com>
There were several problems:
- A cut-n-paste error where the wrong value was being considered when
an account was administratively unlocked.
- An off-by-one error where LDAP got one extra bind attempt.
- krbPwdPolicyReference wasn't being retrieved as a virtual attribute so
only the global_policy was used.
- The lockout duration wasn't examined in the context of too many failed
logins so wasn't being applied properly.
- Lockout duration wasn't used properly so a user was effectively unlocked
when the failure interval expired.
- krbLastFailedAuth and krbLoginFailedCount are no longer updated past
max failures.
https://fedorahosted.org/freeipa/ticket/3433
The way how unhashed password is stored in the entry was changed in
389-ds-base-1.3.0, it is now stored in an entry extension rather than
in a magic attribute unhashed#user#password. New API using an entry
extension was introduced. ipa-pwd-extop should take advantage of the
new API as the old one will be removed in 389-ds-base-1.3.1.
https://fedorahosted.org/freeipa/ticket/3439
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.
For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.
Tests included
https://fedorahosted.org/freeipa/ticket/2886
Any of the following checks:
- overlap between primary RID range and secondary RID range
- overlap between secondary RID range and secondary RID range
is performed now only if both of the ranges involved are local
domain ranges.
https://fedorahosted.org/freeipa/ticket/3391
Wrap the password change extop in a transaction.
Fix the case where a password is reset and then immediately used. If done
fast enough then the KDC may not detect that the password is expired and
grant access using the expired password rather than prompting for a reset.
https://fedorahosted.org/freeipa/ticket/1064
Ther3 are two global ipaConfig options to disable undesirable writes that
have performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.
https://fedorahosted.org/freeipa/ticket/2734
Commands ipa idrange-add / idrange-mod no longer allows the user
to enter primary or secondary rid range such that has non-zero
intersection with primary or secondary rid range of another
existing id range, as this could cause collision.
Unit tests added to test_range_plugin.py
https://fedorahosted.org/freeipa/ticket/3086
The NT Hash is the same thing as the RC4-HMAC key, so we add a function to
extract it from krb5 keys if they are available to avoid forcing a password
change when configuring trust relationships.
The DNA magic value can be arbitrarily changed by admins so we cannot use a
const value to check. And we relly do not need to check at all. If the DNA
plugin is broken and leaves magic values to reach the post-op stage we have
bigger problems. So just simply get rid of this check.
This extop can be used by clients of the IPA domain, e.g. sssd, to
retrieve data from trusted external domains. It can be used e.g. to map
Windows SIDs to user or groups names and back.
A postop plugin is added to create the SID for new created users and
groups. A directory server task allows to set the SID for existing
users and groups.
Fixes https://fedorahosted.org/freeipa/ticket/2825
When we set a password we also need to make sure krbExtraData is set.
If not kadmin will later complain that the object is corrupted at password
change time.
Ticket: https://fedorahosted.org/freeipa/ticket/2764
We currently return LDAP_REFERRAL which causes the mod to fail meaning
that referral entries cannot be changed.
All we really want to do is escape when we don't hvae an entry to modify.
https://fedorahosted.org/freeipa/ticket/2237
IPA winsync plugin failed to replicate users when default user group
was non-posix even though User Private Groups (UPG) were enabled
on the server. Both their uidNumber and gidNumber were empty and
they missed essential object classes. When the default user group
was made posix and UPG was disabled it did not set gidNumber to
the default group gidNumber.
This patch improves this behavior to set gidNumber correctly
according to UPG configuration and the default group status
(posix/non-posix). 4 situations can occur, the following list
specifies what value is assigned to user gidNumber:
1) Default group posix, UPG enabled: gidNumber = UPG gidNumber
2) Default group posix, UPG disabled: gidNumber = default
group gidNumber
3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
4) Default group non-posix, UPG disabled: an error is printed to
the dirsrv log as the gidNumber cannot be retrieved. User
is replicated in the same way as before this patch, i.e.
without essential object classes.
https://fedorahosted.org/freeipa/ticket/2436
User always receives the same error message if he changes his password
via "ipa passwd" command and the new password fails configured
password policy. He then has to investigate on his own the actual
reason why was the policy violated. This patch improves our SLAPI PWD
plugins to provide a better error message explaining the violation
reason.
https://fedorahosted.org/freeipa/ticket/2067
Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection
the global SSF is checked for password changes and enrollments.
https://fedorahosted.org/freeipa/ticket/1877
Prevent the ipa-pwd-extop plugin from re-generating keys when kadimn is storing
a new set of keys. Only generate the userPassword and sambaXXPassword hashes.
Also avoid checking policies in this case and if history is provided avoid
regenerating the passwordHistory too.
Setting 0 will work as MIT KDCs assume the current master key when that is
found. But it is a legacy compatibility mode and we should instead set the
proper mkvno number on keys so changeing master key becomes possible w/o
having to do a dump reload and stopping the service. This is especially
important in replicated environments.
This can cause problems if a host is enrolled, unenrolled and a password
set. The password will be marked as expired like all new passwords are.
https://fedorahosted.org/freeipa/ticket/1526
We have no visibility into whether an entry has a keytab or not so
krbLastPwdChange is used as a rough guide.
If this value exists during enrollment then it fails because the host
is considered already joined. This was getting set when a OTP was
added to a host that had already been enrolled (e.g. you enroll a host,
unenroll it, set a OTP, then try to re-enroll). The second enrollment
was failing because the enrollment plugin thought it was still
enrolled becaused krbLastPwdChange was set.
https://fedorahosted.org/freeipa/ticket/1357
https://fedorahosted.org/freeipa/ticket/1382
crash in winsync if replaying a MOD and user does not exist in AD
If the AD entry is deleted before the deletion can be synced back to IPA,
and in the meantime an operation is performed on the corresponding
entry in IPA that should be synced to AD, winsync attempts to get the
AD entry and it is empty. This just means the operation will not go
through, and the entry will be deleted when the sync from AD happens.
The IPA winsync plugin needs to handle the case when the ad_entry
is NULL.
https://fedorahosted.org/freeipa/ticket/1379
winsync enables disabled users in AD when the AD entry changes
This was likely broken when ipa switched from using CoS/groups for account
inactivation to using nsAccountLock directly. The code that handled the
account sync in the from AD direction was broken, but was never found before
now because it had not been used. The fix is to correctly set or remove
nsAccountLock.
We need to set uidNumber and gidNumber to the magic values so that DNA can
assign appropriate Ids, otherwise the synchronization of users from AD will
fail with an error about posixAccount requiring a missing (uidNumber)
attribute.
Fixes: https://fedorahosted.org/freeipa/ticket/1020
When the UUID plug-in generates a value that is used in the RDN
of the entry being added, the old DN is free'd and replaced with
the new DN. The problem is that the operation in the pblock holds
a pointer to the old DN address. This can cause other plug-ins to
reference garbage, leading to incorrect results or crashes. This
was causing the attribute uniqueness plug-in to not work correctly,
resulting in duplicate netgroup entries.
The fix is to have the UUID plug-in reset the target DN after
changing the DN of the entry to be added.
ticket 963
Apparently we forgot to check OID consistency between the schema and the
extensions, and we got duplicates.
Technically the schema was done later but it is easier to change the extensions
OIDs than to change the schema of current beta2/rc1 installations.
The only side effect is that older ipa-getkeytab and ipa-join binaries will
fail. So all the admin/client tools must be upgraded at the same time as well
as all the masters (otherwise some will show/accept the new OID while others
won't).
Fixes: https://fedorahosted.org/freeipa/ticket/976
The situation is if during installation /etc/krb5.conf either doesn't
exist or configures no realms then 389-ds won't start up at all, causing
the installation to fail. This will let the server start up in a degraded
mode.
Also need to make the sub_dict in ldapupdate.py handle no realm otherwise
the installation will abort enabling the compat plugin.
ticket 606
The 389-ds replication plugin may not be installed on all platforms
and our replication version plugin will cause 389-ds to not start
if it is loaded and the replication plugin is not. So disable by
default.
When a replica is prepared we check for the replication plugin.
If it exists we will enable the replication version plugin.
Likewise on installation of a replica we check for existence of
the repliation plugin and if it is there then we enable the version
plugin before replication begins.
ticket 918
On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth
and will potentially fail the bind altogether.
On a successful bind it will zero krbLoginFailedCount and set
krbLastSuccessfulAuth.
This will also enforce locked-out accounts.
See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
kerberos lockout.
ticket 343
Mozldap code removed from all sources and configure source script.
Now, IPA will compile even when package mozldap-devel is not
installed on the system.
https://fedorahosted.org/freeipa/ticket/756
This patch fixes several potential memory leaks in ipa-pwd-extop
SLAPI plugin.
Common function ipapwd_gen_hashes() now cleans after itself when
it fails. Other changes are local and self-explanatory.
https://fedorahosted.org/freeipa/ticket/715