Verify that there is at least 1.6Gb of usable RAM on the system. Swap
is not considered. While swap would allow a user to minimally install
IPA it would not be a great experience.
Using any proc-based method to check for available RAM does not
work in containers unless /proc is re-mounted so use cgroups
instead. This also handles the case if the container has memory
constraints on it (-m).
There are envs which mount 'proc' with enabled hidepid option 1
so don't assume that is readable.
Add a switch to skip this memory test if the user is sure they
know what they are doing.
is_hidepid() contributed by Stanislav Levin <slev@altlinux.org>
https://pagure.io/freeipa/issue/8404
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
This will ensure uniqueuess and that the ACI has the right
datatype without the caller worrying about it.
https://pagure.io/freeipa/issue/8443
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
--name-from-ip will generate a zone name so there is no point in
the user providing one. If one is provided and doesn't match the
generated name then a validation exception is raised.
https://pagure.io/freeipa/issue/8446
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
The update_fix_duplicate_cacrt_in_ldap plugin no longer restarts DS when
CA is disabled or no duplicate cacrt entry was dedected.
Related: https://pagure.io/freeipa/issue/7125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
ipa-server-certinstall goes through a slightly different code path
if the replacement certificate is issued by IPA. This was setting
the subject using cert.subject which is a Name object and not the
string representation of that object. This was failing in the
dbus call to certmonger.
https://pagure.io/freeipa/issue/8204
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The command dnsforwardzone-add is assuming that the dns.rrset.RRset
type stores "items" as a list. With dnspython 2.0 this is not true
as a dict is used instead.
As a consequence, in order to get the first record, it is not possible
to use items[0]. As dict and list are both iterables, next(iter(items))
can be used in order to be compatible with dnspython 1.16 and 2.0.
Fixes: https://pagure.io/freeipa/issue/8481
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Perform a small refactor to the installer code that chooses and
verifies the hostname. In particular:
- choice of hostname is separate from validation
- read_host_name no longer performs validation
- verify_fqdn is now called from one place
- if/else branches are now "balanced"
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Commit a42a711394, from September
2018, removed the only call site of installutils.get_host_name().
Delete the definition.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
`dnspython` 2.0.0 has many changes and several deprecations like:
```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.
> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```
The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
to spend trying to get an answer to the question)
Fixes: https://pagure.io/freeipa/issue/8383
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
On platforms which have system-wide crypto policy the latter has
to be included in openssl config.
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Custom options can be supplied by a vendor via 'OPTIONS' env
variable(platform specific) and IPA installer will override them
in this case. Thus, at least, the base parsing of existing options
is required.
Current named command line options:
NS_MAIN_ARGS "46A:c:C:d:D:E:fFgi:lL:MⓂ️n:N:p:P:sS:t:T:U:u:vVx:X:"
If there are several same options the last passed wins.
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
For now Debian, Fedora, RHEL, etc. build BIND with 'native PKCS11'
support. Till recently, that was the strict requirement of DNSSEC.
The problem is that this restricts cross-platform features of FreeIPA.
With the help of libp11, which provides `pkcs11` engine plugin for
the OpenSSL library for accessing PKCS11 modules in a semi-
transparent way, FreeIPA could utilize OpenSSL version of BIND.
BIND in turn provides ability to specify the OpenSSL engine on the
command line of `named` and all the BIND `dnssec-*` tools by using
the `-E engine_name`.
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
A long time ago the DS team recommended that the changelog trimming interval be set to 7 days. However, more recently we tend to see more time skews on certain platforms, and issues where it appears changes were trimmed too early (which can break replication).
It would be better to set the trimming interval to 30 days. This still prevents the changelog from getting too large, and it should help with some of the other issues we are now seeing.
Fixes: https://pagure.io/freeipa/issue/8464
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
A couple of places still used the deprecated installutils version.
https://pagure.io/freeipa/issue/8458
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
If there is no installation section the the install pre-dated
this new method of detecting a successful installation, fall back
to that.
https://pagure.io/freeipa/issue/8458
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
The `_server_trust_ad_installed` was added as a flag which
indicates that `freeipa-server-trust-ad` package is installed.
Later, `ipaserver/install/adtrustinstance.py` module was moved out
into `freeipa-server` package and the import became unconditionally
successful.
Fixes: https://pagure.io/freeipa/issue/8461
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
On some distros freeipa-server package may not depend on
`/var/lib/samba` directory. In this case an uninstallation of
ipaserver fails.
Fixes: https://pagure.io/freeipa/issue/8461
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Description: We need a read and a write aci for the new changelog location,
which was moved from cn=changelog5,cn=config to
cn=changelog,cn=BACKEND,cn=ldbm database,cn=plguins,cn=config
The read aci allows the replica hostgroup entry to find and
read the changelog confguration, and the write allows the replica
to update the changelog with a proper trimming settings.
Fixes: https://pagure.io/freeipa/issue/8456
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-server-upgrade does not like platform mismatches. Upgrade from an
old container to recent container fails with error message:
```
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
("Unable to execute IPA upgrade: platform mismatch (expected 'fedora', current 'fedora_container')", 1)
```
Upgrade state now treats a container subplatform like its main platform.
``fedora_container`` is really a ``fedora`` platform with some paths
redirected to ``/data`` partition.
The patch also enhances debug logging for installer and upgrader.
Related: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use the is_ipa_configure() and is_ipa_client_configured() utilities
instead which are much more robust.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
This is common to both client and server. Start with whether the
client or server is configured.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
When asking the quesiton "is my IPA server configured?" right now
we look at whether the installation backed up any files and set
any state. This isn't exactly precise.
Instead set a new state, installation, to True as soon as IPA
is restarted at the end of the installer.
On upgrades existing installations will automatically get this
state.
This relies on the fact that get_state returns None if no state
at all is set. This indicates that this "new" option isn't available
and when upgrading an existing installation we can assume the
install at least partly works.
The value is forced to False at the beginning of a fresh install
so if it fails, or is in a transient state like with an external
CA, we know that the installation is not complete.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
It was previously being set to 0444 which triggered a warning
in freeipa-healthcheck.
Even root needs DAC_OVERRIDE capability to write to a 0o444 file
which may not be available in some environments.
https://pagure.io/freeipa/issue/8441
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Description: Add support for both the old and new replication changelogs.
First try to get and update the new entry, if it's not found
then we know we need to update the old global changelog entry.
Fixes: https://pagure.io/freeipa/issue/8407
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Fix missing self, and missing arg
Fix copy/paste error
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In CA less installation, the KDC certificate file does not have
the expected 644 permissions. As a consequence, WebUI login
fails.
The fix makes sure that the KDC cert file is saved with 644 perms.
Fixes: https://pagure.io/freeipa/issue/8440
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
smb.conf now sets state and cache directory, then includes the registry.
This also allows us to write the final smb.conf before importing
remaining settings into the Samba registry.
Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Container platforms for Fedora and RHEL simplify FreeIPA container
effort. Paths are based on patches from
https://github.com/freeipa/freeipa-container
Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
This exception was added in python 3.7. Use CertificateError
instead which is an alias and will work with older python releases.
https://bugzilla.redhat.com/show_bug.cgi?id=1858318
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
After upgrading a deployment from CA-less to CA-ful it is necessary
to install the RA Agent credential on non-CA servers. To facilitate
this, extract this behaviour from CAInstance so that it is callable
from other code.
Several other methods became @staticmethod as a result of this
change. This makes those methods callable without an instance of
CAInstance and also documents that those methods do not use 'self'.
Part of: https://pagure.io/freeipa/issue/7188
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Enhance cainstance.update_ipa_conf() to allow specifying the
ca_host. This will be used to update replica configurations when a
CA-less deployment gets promoted to CA-ful.
Part of: https://pagure.io/freeipa/issue/7188
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
ipa-server-install executes ipa-client-install with the --on-master
flag set, which causes the ipaclient.install.client.sssd_enable_ifp()
function to be called. This function configures sssd so that the
ipaapi user is allowed to access ifp. Any FreeIPA replica should also
have sssd configured like this, but in that case we cannot simply pass
the --on-master flag to ipa-client-install because it has other side
effects. The solution is to call the
ipaclient.install.client.sssd_enable_ifp() function from inside the
ipaserver.install.server.replicainstall.promote_sssd() function.
https://pagure.io/freeipa/issue/8403
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
For each CA server, a Dogtag user account is created for the ACME
service to use to authenticate to the CA subsystem. This commit
cleans up the Dogtag account upon server uninstallation.
The user deletion behaviour is extracted to a common method used for
both ACME RA account deletion (on uninstall) and removal of the
temporary admin account (during replica install).
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
pki-server-10.9.0-0.3 relocates the ACME schema LDIF file. Look for
the file in both the old and new locations to smooth the transition.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add the ipa-acme-manage command which can be used to enable or
disable the IPA ACME service. It must be used on each server. In
the future we will implement deployment-wide configuration
(including enable/disable) of the ACME service via IPA API, with
configuration stored in and replicated by LDAP. But until then, we
need a simple command for administrators to use.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When deploying ACME set up configsources.conf to retrieve engine
configuration from engine.conf. In the initial configuration, the
ACME service is disabled (i.e. it will refuse to service requests).
A subsequent commit will add command(s) for flipping the ACME
service on or off (on a per-server basis). Later we will move to
LDAP configuration so that management of the ACME service is
deployment-wide.
The default configuration also disables issuance of wildcard
certificates.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add a default certificate profile to be used with the ACME service.
The profile requires the (Dogtag) user interacting with the CA to be
a member of the (Dogtag) "ACME Agents" group. For each CA server we
create a dedicated ACME agent account, make it a member of this
group, and configure the ACME issuer component to use that account.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add an ACL to allow ACME agents to revoke certificates. Although
the operation "execute" sounds quite scary (as though it would have
a wide scope), in fact it only allows revocation (and unrevocation).
See CertResource.java and base/ca/shared/conf/acl.properties in the
Dogtag source.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The ACME certificate profile will require the (Dogtag) user
interacting with the CA to be a member of the (Dogtag) "ACME Agents"
group. Therefore for each CA server, as part of the ACME setup
routine create a dedicated ACME agent account and make it a member
of this group.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add a method for creating a group (if it does not exist). This will
be used to create a group for ACME RA accounts.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Extract the user and group membership creation behaviour from
DogtagInstance.setup_admin to its own method, 'create_user'. The
ACME setup routine will use it to create ACME RA accounts.
The @staticmethod decorator documents that 'create_user' does not
use 'self' or 'cls'. I preferred not to lift to a top-level def
because it is very much a "DogtagInstance" behaviour.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When configuring the CA, create, configure and deploy the PKI ACME
service instance. This includes creation (if necessary) of the LDAP
container object heirarchy in which ACME-related objects will be
stored.
Dogtag ACME RA account management will be added in a subsequent
commit, removing the use of the 'uid=admin' account (which as of
this commit just has a bogus password).
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
PKIConnection now defaults to specifying verify=True. We've introduced
a new parameter, cert_paths, to specify additional paths (directories or
files) to load as certificates. Specify the IPA CA certificate file so
we can guarantee connections succeed and validate the peer's certificate.
Point to IPA CA certificate during pkispawn
Bump pki_version to 10.9.0-0.4 (aka -b2)
Fixes: https://pagure.io/freeipa/issue/8379
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
Related: https://github.com/dogtagpki/pki/pull/443
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Update 'ca' plugin doc to mention which permissions are required for
the various commands. Also mention that CAs must first be disabled
before they can be deleted.
Part of: https://fedorahosted.org/freeipa/ticket/5011
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Currently ca-del disables the target CA before deleting it.
Conceptually, this involves two separate permissions: modify and
delete. A user with delete permission does not necessarily have
modify permission.
As we head toward enforcing IPA permissions in Dogtag, it is
necessary to decouple disablement from deletion, otherwise the
disable operation shall fail if the user does not have modify
permission. Although it introduces an additional step for
administrators, the process is consistent, required permissions map
1:1 to the operations, and the error messages make it clear what
needs to happen (i.e. disable first).
Part of: https://fedorahosted.org/freeipa/ticket/5011
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
A failed ipa-ca-install left my installation in an inconsistent
state. Then, 'ipa-server-install --uninstall' also failed when
is_crlgen_enabled() tried to read ipa-pki-proxy.conf, which was
missing.
Update is_crlgen_enabled() to handle missing ipa-pki-proxy.conf, by
raising InconsistentCRLGenConfigException instead of RuntimeError.
As a result, missing ipa-pki-proxy.conf is handled gracefully
because the calling code already catches
InconsistentCRLGenConfigException.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
ipa cert-show wrongly displays all certs as Revoked.
The dogtag plugin code is checking if the JSON data received
from dogtag contains a RevocationReason with:
if 'RevocationReason' in resp:
but the value can be None.
Replace the check with
if 'RevocationReason' in resp and esp['RevocationReason'] is not None:
as this will execute the code only if there is a value
and it is not None.
Fixes: https://pagure.io/freeipa/issue/8394
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Update ra.get_certificate to use the Dogtag REST API. This change
is being done as part of the Dogtag GSS-API authentication effort
because the servlet-based method expects an internal Dogtag user.
It is less intrusive to just change FreeIPA to call the REST API
instead (which is also part of an existing ticket).
Depends on https://pagure.io/dogtagpki/issue/2601 (which was merged
and released long ago).
Part of: https://pagure.io/freeipa/issue/3473
Part of: https://pagure.io/freeipa/issue/5011
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Outside of virtual commands themselves there is no way to evaluate
access to perform a virtual operation. Such a capability will be
needed for Dogtag-based certificate request validation using
Kerberos proxy credentials.
Add the 'check_operation_access' method for explicit virtual
operation access checks. Refactor 'VirtualCommand.check_access()'
to use it.
Part of: https://pagure.io/freeipa/issue/5011
Part of: https://pagure.io/freeipa/issue/6423
Reviewed-By: Christian Heimes <cheimes@redhat.com>
According to datetime.utcfromtimestamp() method documentation[1],
this and similar methods fail for dates past 2038 and can be replaced by
the following expression on the POSIX compliant systems:
datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=timestamp)
Make sure to use a method that at least allows to import the timestamps
properly to datetime objects on 32-bit platforms.
[1] https://docs.python.org/3/library/datetime.html#datetime.datetime.utcfromtimestamp
Fixes: https://pagure.io/freeipa/issue/8378
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
sshd 8.2+ now supports the "Include" keyword in sshd_config and
ships by default /etc/ssh/sshd_config with
"Include /etc/ssh/sshd_config.d/*"
As fedora 32 provides a config file in that directory (05-redhat.conf) with
ChallengeResponseAuthentication no
that is conflicting with IPA client config, ipa-client-install now needs
to make its config changes in a drop-in file read before 05-redhat.conf
(the files are read in lexicographic order and the first setting wins).
There is no need to handle upgrades from sshd < 8.2: if openssh-server
detects a customisation in /etc/ssh/sshd_config, it will not update
the file but create /etc/ssh/sshd_config.rpmnew and ask the admin
to manually handle the config upgrade.
Fixes: https://pagure.io/freeipa/issue/8304
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Some places have to use the old name because it's part of the stable API
or stable LDAP attributes.
See: https://tools.ietf.org/id/draft-knodel-terminology-01.html
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The term "CA renewal master" is a fixed term in FreeIPA and cannot
easily be replaced with an alternative term. At least we should use the
term consistently.
See: https://tools.ietf.org/id/draft-knodel-terminology-01.html
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The message displayed before is now limited to the OTP
sync form, for which it was written originally.
A new message is introduced for the PW reset form,
which clarifies the usage of the OTP field.
Fixes: https://pagure.io/freeipa/issue/5628
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
We do two things:
1. Fix the xpath for AJP connector verification. An AJP connector is
one which has protocol="AJP/1.3", NOT one that has port="8009". An
AJP connector can exist on any port and port 8009 can have any
protocol. Secrets only make sense on AJP connectors, so make the
xpath match the existing comment.
2. Add some background in-line documentation about AJP secret
provisioning. This should help future developers understand why this
was added to IPA and what limitations there are in what PKI or IPA
can do. Most notably, explain why Dogtag can't upgrade the AJP
connector to have a secret in the general case.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The 'cert_request' command accumulates DNS names from the CSR,
before checking that all IP addresses in the CSR are reachable from
those DNS names. Before adding a DNS name to the set, we check that
that it corresponds to the FQDN of a known host/service principal
(including principal aliases). When a DNS name maps to a
"alternative" principal (i.e. not the one given via the 'principal'
argument), this check was not being performed correctly.
Specifically, we were looking for the 'krbprincipalname' field on
the RPC response object directly, instead of its 'result' field.
To resolve the issue, dereference the RPC response to its 'result'
field before invoking the '_dns_name_matches_principal' subroutine.
Fixes: https://pagure.io/freeipa/issue/8368
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add builder for association adder dialog which allows to override behavior of the component.
Replace default implementation with a custom one for idoverrideuser.
Replace text filter with 'ID view' select box in the idoverrideuser dialog.
Ticket: https://pagure.io/freeipa/issue/8335
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
It should be ipanthomedirectorydrive and not ipanthomedirectoryrive.
This fixes showing the field in Web UI and also should fix CLI as it
probably never worked.
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Under some search conditions (in particular, when user is
specified), the CA sub-search of cert-find command throws an error
on CA-less deployments. Do not execute the CA sub-search on CA-less
deployments.
Fixes: https://pagure.io/freeipa/issue/8369
Reviewed-By: Christian Heimes <cheimes@redhat.com>
It was found that if an account was created with a name corresponding to
an account local to a system, such as 'root', was created via IPA, such
account could access any enrolled machine with that account, and the local
system privileges. This also bypass the absence of explicit HBAC rules.
root principal alias
-------------------
The principal "root@REALM" is now a Kerberos principal alias for
"admin". This prevent user with "User Administrator" role or
"System: Add User" privilege to create an account with "root" principal
name.
Modified user permissions
-------------------------
Several user permissions no longer apply to admin users and filter on
posixaccount object class. This prevents user managers from modifying admin
acounts.
- System: Manage User Certificates
- System: Manage User Principals
- System: Manage User SSH Public Keys
- System: Modify Users
- System: Remove Users
- System: Unlock user
``System: Unlock User`` is restricted because the permission also allow a
user manager to lock an admin account. ``System: Modify Users`` is restricted
to prevent user managers from changing login shell or notification channels
(mail, mobile) of admin accounts.
New user permission
-------------------
- System: Change Admin User password
The new permission allows manipulation of admin user password fields. By
default only the ``PassSync Service`` privilege is allowed to modify
admin user password fields.
Modified group permissions
--------------------------
Group permissions are now restricted as well. Group admins can no longer
modify the admins group and are limited to groups with object class
``ipausergroup``.
- System: Modify Groups
- System: Remove Groups
The permission ``System: Modify Group Membership`` was already limited.
Notes
-----
Admin users are mostly unaffected by the new restrictions, except for
the fact that admins can no longer change krbPrincipalAlias of another
admin or manipulate password fields directly. Commands like ``ipa passwd
otheradmin`` still work, though. The ACI ``Admin can manage any entry``
allows admins to modify other entries and most attributes.
Managed permissions don't install ``obj.permission_filter_objectclasses``
when ``ipapermtargetfilter`` is set. Group and user objects now have a
``permission_filter_objectclasses_string`` attribute that is used
by new target filters.
Misc changes
------------
Also add new exception AlreadyContainsValueError. BaseLDAPAddAttribute
was raising a generic base class for LDAP execution errors.
Fixes: https://pagure.io/freeipa/issue/8326
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1810160
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
ipa-replica-install currently accepts both --setup-ca and *-cert-file
even though the options should be mutually exclusive (either install
CA-less with *-cert-file options or with a CA).
Add a check enforcing the options are mutually exclusive.
Fixes: https://pagure.io/freeipa/issue/8366
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
/etc/named.conf is now owned by IPA. The file is overwritten on
installation and all subsequent updates. All user modification will be
lost. Config file creation and update use the same code paths.
This simplifies upgrade process a lot. There is no errprone fiddling
with config settings any more.
During upgrade there is a one-time backup of named.conf to
named.conf.ipa-backup. It allows users to salvage their customization
and move them to one of two user config files which are included by
named.conf.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The upgrade step used to add "dnssec-validation no" to named.conf IFF
named.conf did not contain "dnssec-validation" option at all. The
option has been moved to 'ipa-options-ext.conf' in IPA 4.8.7. The function
only removes the upgrade state.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Commit a5cbdb57e5 introduced a bug when
updating IPA from 4.8.6 to 4.8.7. NAMED_DNSSEC_VALIDATION template
variable was not declared.
Fixes: https://pagure.io/freeipa/issue/8363
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
During upgrade, if discrepancies are detected in Certmonger tracking
request configuration we remove and re-create tracking requests.
The default behaviour of the CAInstance and KRAInstance
stop_tracking_certificates() method is to stop certmonger after the
requests have been removed. This behaviour results in an
unnecessary restart of certmonger and has also been observed to
cause problems. For example, subsequent certmonger operations have
to start the certmonger process and can fail because certmonger is
not yet properly initialised (manifesting as D-Bus errors).
Suppress the unnecessary restart(s) of certmonger during tracking
request update.
Related: https://pagure.io/freeipa/issue/8186
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
In the migration case of replica installation, if the CA server is
an older version it may not support the ipa-ca.$DOMAIN dnsName in
the HTTP cert (it is a special case in the cert_request command).
Therefore if the request fails, try it again without the
ipa-ca.$DOMAIN dnsName.
Part of: https://pagure.io/freeipa/issue/8186
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Second part of adding support to manage IPA as a user from a trusted
Active Directory forest.
Treat user ID overrides as members of groups and roles.
For example, adding an Active Directory user ID override as a member of
'admins' group would make it equivalent to built-in FreeIPA 'admin'
user.
We already support self-service operations by Active Directory users if
their user ID override does exist. When Active Directory user
authenticates with GSSAPI against the FreeIPA LDAP server, its Kerberos
principal is automatically mapped to the user's ID override in the
Default Trust View. LDAP server's access control plugin uses membership
information of the corresponding LDAP entry to decide how access can be
allowed.
With the change, users from trusted Active Directory forests can
manage FreeIPA resources if the groups are part of appropriate roles or
their ID overrides are members of the roles themselves.
Fixes: https://pagure.io/freeipa/issue/7255
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
First part of the required changes to merge a plugin to manage IPA as
a trusted Active Directory user.
It is not possible to omit ID view in IPA API but a client might specify
empty ID view. Up right now the empty view was considered an error. This
prevented Web UI from resolving ID overrides in a group member adder
dialog.
Default to 'Default Trust View' if the ID view is None or empty string
(''). Do this only for user ID overrides, as we do not support adding
group ID overrides as group members in a plugin to manage IPA as a
trusted Active Directory user[1].
Being a group member means an object in LDAP must have an object class
that allows 'memberOf' attribute because 389-ds 'memberof' plugin will
attempt to link back to the object from the group. Allow use of
'nsMemberOf' object class in ID overrides.
Fixes: https://pagure.io/freeipa/issue/7255
[1] https://github.com/abbra/freeipa-adusers-admins
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When using `ipa -e in_server=True console` on IPA master, the whole IPA
framework is loaded in the same process ('ipa console'). The context
defined for this configuration is 'cli'. Some trust-related operations
need to load Samba bindings and guard itself to 'lite' and 'server'
contexts.
Upon reviewing these cases I came to conclusion that these guards are
unnecessary. It is enough to require that the context is in the server
code.
Allow these operations if we are operating in server mode. This allows
to debug trust-related issued directly in the IPA console on IPA trust
controllers.
Signed-of-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Upgrade path to add additional include to named.conf is not handled.
Remove bindkeys-file directive from named config
The ISC DVL service was shut down (https://www.isc.org/bind-keys/).
BIND versions since April 2017 (i.e. 9.9.10, 9.10.5, 9.11.1 and later)
include a hard-coded copy of the root KSK which gets updates automatically
according to RFC 5011.
Move dnssec-enable directive to custom named config
Move comment named config being managed by FreeIPA to the top
Move settings which could be changed by administrators to
ipa-options-ext.conf. Settings defined there are sole responsibility of the
administrator. We do not check if they might collide with our settings in
named.conf.
Fixes: https://pagure.io/freeipa/issue/8287
Co-authored-by: Peter Keresztes Schmidt <carbenium@outlook.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
DatabaseError exceptions with 'account inactivated' message are turned
into 401 Unauthorized errors. The problem occurs when a user is disabled
but has a valid cookie.
Other DatabaseErrors are turned into 503 Service Unavailable. They
usually occur when LDAP server is not available or broken.
Fixes: https://pagure.io/freeipa/issue/8352
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The code in ipaldap got changed with df4ed77 but ldapupdate was never updated.
Closes: https://pagure.io/freeipa/issue/7610
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Make it possible to create a managed permission with
ipapermbindruletype="self". The ACI will have bind rule
'(userdn = "ldap:///self")'.
Example
-------
Allow users to modify their own fasTimezone and fasIRCNick attributes:
```
managed_permissions = {
"System: Self-Modify FAS user attributes": {
"ipapermright": {"write"},
"ipapermtargetfilter": ["(objectclass=fasuser)"],
"ipapermbindruletype": "self",
"ipapermdefaultattr": ["fasTimezone", "fasIRCNick"],
}
}
```
See: https://github.com/fedora-infra/freeipa-fas/pull/107
Fixes: https://pagure.io/freeipa/issue/8348
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
``dnssec-enable`` is obsolete in 9.16 and raises a warning. The option
defaults to ``yes`` in all supported versions of bind. The option is
removed when set to ``yes`` and a warning is emitted when the value is
``no``.
DNSSEC lookaside validation has been deprecated by RFC 8749 and the
feature removed from Bind 9.16. The only available lookaside provider
dlv.isc.org no longer provides DLV information since 2017.
Fixes: https://pagure.io/freeipa/issue/8349
Fixes: https://pagure.io/freeipa/issue/8350
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
See: https://pagure.io/freeipa/issue/8317
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
LDAP attribute options aren't enforced in the schema, thus we strip them
when checking attribute conformance with the schema. This, however, can
leave us with a situation when multiple base LDAP attribute names are
present in the list of attribute names to check.
Use set of attribute names to deduplicate the list.
Fixes: https://pagure.io/freeipa/issue/8328
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Changing default group on automember rules page is too easy.
Add a confirmation dialog to avoid misclick in the case.
Ticket: https://pagure.io/freeipa/issue/8322
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The ``--setup-dns`` knob and interactive installer now check for
presence of freeipa-server-dns early and stop the installer with an
error.
```
$ ipa-server-install
...
Do you want to configure integrated DNS (BIND)? [no]: yes
Integrated DNS requires 'freeipa-server-dns' package
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
```
$ ipa-server-install --setup-dns
Usage: ipa-server-install [options]
ipa-server-install: error: option setup-dns: Integrated DNS requires 'freeipa-server-dns' package
The ipa-server-install command failed.
```
Fixes: https://pagure.io/freeipa/issue/7577
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Service delegation rules and targets deal with Kerberos principals.
As FreeIPA has separate service objects for hosts and Kerberos services,
it is not possible to specify host principal in the service delegation
rule or a target because the code assumes it always operates on Kerberos
service objects.
Simplify the code to add and remove members from delegation rules and
targets. New code looks up a name of the principal in cn=accounts,$BASEDN
as a krbPrincipalName attribute of an object with krbPrincipalAux object
class. This search path is optimized already for Kerberos KDC driver.
To support host principals, the specified principal name is checked to
have only one component (a host name). Service principals have more than
one component, typically service name and a host name, separated by '/'
sign. If the principal name has only one component, the name is
prepended with 'host/' to be able to find a host principal.
The logic described above allows to capture also aliases of both
Kerberos service and host principals. Additional check was added to
allow specifying single-component aliases ending with '$' sign. These
are typically used for Active Directory-related services like databases
or file services.
RN: service delegation rules and targets now allow to specify hosts as
RN: a rule or a target's member principal.
Fixes: https://pagure.io/freeipa/issue/8289
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Fix is to display the proper principal in error message
while attempting to delete required principal.
related: https://pagure.io/freeipa/issue/7695
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
when ipa-advise generates a script to configure a client for smart card
auth, the script calls python3 to configure SSSD. The issue happens
if the server (when ipa-advise is run) and the client do not have
the same path for python3 command.
By default, try to use python3 but if the command is not found, fallback
to /usr/libexec/platform-python (which is the python3 path on RHEL8).
Fixes: https://pagure.io/freeipa/issue/8311
Reviewed-By: Christian Heimes <cheimes@redhat.com>
service-del deletes services by DN and LDAP DNs are compared
case-insensitive. Make check_required_principal() compare the
service name case insensitive.
Fixes: https://pagure.io/freeipa/issue/8308
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Refactor code to use api.env.container_sysaccounts instead of
('cn', 'sysaccounts'), ('cn', 'etc')
Related: https://pagure.io/freeipa/issue/8276
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The definition of servrole.takes_params was missing a comma.
Related: https://pagure.io/freeipa/issue/8290
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-backup does not check whether the IPA master it is running on has
all used roles installed. This can lead into situations where backups
are done on a CAless or KRAless host while these roles are used in the
IPA cluster. These backups cannot be used to restore a complete cluster.
With this change, ipa-backup refuses to execute if the roles installed
on the current host do not match the list of roles used in the cluster.
A --disable-role-check knob is provided to restore the previous behavior.
Fixes: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
RN: host groups can now be renamed with IPA CLI:
RN: 'ipa hostgroup-mod group-name --rename new-name'.
RN: Protected hostgroups ('ipaservers') cannot be renamed.
Fixes: https://pagure.io/freeipa/issue/6783
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~3`.
If the HTTP certificate does not have the ipa-ca.$DOMAIN dNSName,
resubmit the certificate request to add the name. This action is
performed after the tracking request has already been updated.
Note: due to https://pagure.io/certmonger/issue/143, the resubmitted
request, if it does not immediately succeed (fairly likely during
ipa-server-upgrade) and if the notAfter date of the current cert is
still far off (also likely), then Certmonger will wait 7 days before
trying again (unless restarted). There is not much we can do about
that in the middle of ipa-server-upgrade.
Part of: https://pagure.io/freeipa/issue/8186
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~2`.
For new server/replica installation, issue the HTTP server
certificate with the 'ipa-ca.$DOMAIN' SAN dNSName. This is
accomplished by adding the name to the Certmonger tracking request.
Part of: https://pagure.io/freeipa/issue/8186
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~1`.
ACME support requires TLS and we want ACME clients to access the
service via the ipa-ca.$DOMAIN DNS name. So we need to add the
ipa-ca.$DOMAIN dNSName to IPA servers' HTTP certificates. To
facilitiate this, add a special case to the cert-request command
processing. The rule is:
- if the dnsName being validated is "ipa-ca.$DOMAIN"
- and the subject principal is an "HTTP/..." service
- and the subject principal's hostname is an IPA server
Then that name (i.e. "ipa-ca.$DOMAIN") is immediately allowed.
Otherwise continue with the usual dnsName validation.
Part of: https://pagure.io/freeipa/issue/8186
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
BACKGROUND:
We are implementing ACME support in FreeIPA (umbrella ticket:
https://pagure.io/freeipa/issue/4751). ACME is defined in RFC 8555.
HTTPS is REQUIRED (https://tools.ietf.org/html/rfc8555#section-6.1).
Therefore, every FreeIPA server that provides the ACME service
capability must be reachable by HTTPS.
RFC 8555 does not say anything about which port to use for ACME.
The default HTTPS port of 443 is implied. Therefore, the FreeIPA
ACME service will be reached via the Apache httpd server, which will
be the TLS server endpoint.
As a usability affordance for ACME clients, and as a maintainability
consideration i.e. to allow the topology to change without having to
reconfigure ACME clients, there should be a a single DNS name used
to reach the IPA ACME service.
The question then, is which DNS name to use.
REQUIREMENTS:
Each FreeIPA server that is also an ACME server must:
1. Be reachable via a common DNS name
2. Have an HTTP service certificate with that DNS name as a SAN
dNSName value
DESIGN CONSIDERATION - WHAT DNS NAME TO USE?:
Some unrelated FreeIPA ACME design decisions provide important
context for the DNS name decision:
- The ACME service will be automatically and unconditionally
deployed (but not necessarily *enabled*) on all CA servers.
- Enabling or disabling the ACME service will have topology-wide
effect, i.e. the ACME service is either enabled on all CA
servers, or disabled on all CA servers.
In a CA-ful FreeIPA deployment there is already a DNS name that
resolves to all CA servers: ``ipa-ca.$DOMAIN``, e.g.
``ipa-ca.example.com``. It is expected to point to all CA servers
in the deployment, and *only* to CA servers. If internal DNS is
deployed, the DNS records for ``ipa-ca.$DOMAIN`` are created and
updated automatically. If internal DNS is not deployed,
administrators are required to maintain these DNS records
themselves.
The ``ipa-ca.$DOMAIN`` alias is currently used for OCSP and CRL
access. TLS is not required for these applications (and it can
actually be problematic for OCSP). Enabling TLS for this name
presents some risk of confusion for operators. For example, if they
see that TLS is available and alter the certificate profiles to
include an HTTPS OCSP URL in the Authority Information Access (AIA)
extension, OCSP-using clients may fail to validate such
certificates. But it is possible for administrators to make such a
change to the profile, whether or not HTTPS is available.
One big advantage to using the ``ipa-ca.$DOMAIN`` DNS name is that
there are no new DNS records to manage, either in the FreeIPA
implementation or for administrators in external DNS systems.
The alternative approach is to define a new DNS name, e.g.
``ipa-acme.$DOMAIN``, that ACME clients would use. For internal
DNS, this means the FreeIPA implementation must manage the DNS
records. This is straightforward; whenever we add or remove an
``ipa-ca.$DOMAIN`` record, also add/remove the ``ipa-acme.$DOMAIN``
record. But for CA-ful deployments using external DNS, it is
additional work for adminstrators and, unless automated, additional
room for error.
An advantage of using a different DNS name is ``ipa-ca.$DOMAIN`` can
remain inaccessible over HTTPS. This possibly reduces the risk of
administrator confusion or creation of invalid AIA configuration in
certificate profiles.
Weighing up the advantages and disadvantages, I decided to use the
``ipa-ca.$DOMAIN`` DNS name.
DESIGN CONSIDERATION - CA SERVERS, OR ALL SERVERS?:
A separate decision from which name to use is whether to include it
on the HTTP service certificate for ACME servers (i.e. CA servers)
only, or on all IPA servers.
Combined with the assumption that the chosen DNS name points to CA
servers *only*, there does not seem to be any harm in adding it to
the certificates on all IPA servers.
The alternative is to only include the chosen DNS name on the HTTP
service certificates of CA servers. This approach entails some
additional complexity:
- If a non-CA replica gets promoted to CA replica (i.e. via
``ipa-ca-install``), its HTTP certificate must be re-issued with
the relevant name.
- ipa-server-upgrade code must consider whether the server is a CA
replica when validating (and if necessary re-creating) Certmonger
tracking requests
- IPA Health Check must be made aware of this factor when checking
certificates and Certmonger tracking requests.
Weighing up the options, I decided to add the common DNS name to the
HTTP service certificate on all IPA servers. This avoids the
implementation complexity discussed above.
CHANGES IN THIS COMMIT
When (re-)tracking the HTTP certificate, explicitly add the server
FQDN and ipa-ca.$DOMAIN DNS names to the Certmonger tracking request.
Related changes follow in subsequent commits.
Part of: https://pagure.io/freeipa/issue/8186
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The purpose of external groups in FreeIPA is to be able to reference
objects only existing in trusted domains. These members get resolved
through SSSD interfaces but there is nothing that prevents SSSD from
resolving any IPA user or group if they have security identifiers
associated.
Enforce a check that a SID returned by SSSD does not belong to IPA
domain and raise a validation error if this is the case. This would
prevent adding IPA users or groups as external members of an external
group.
RN: Command 'ipa group-add-member' allowed to specify any user or group
RN: for '--external' option. A stricter check is added to verify that
RN: a group or user to be added as an external member does not come
RN: from IPA domain.
Fixes: https://pagure.io/freeipa/issue/8236
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Custom IDViews should not be applied to IPA master nodes. Add a
check enforcing this rule in idview_apply command.
Fixes: https://pagure.io/freeipa/issue/5662
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This partially restores the pre-ec73de969f state of `http_proxy`,
which fails to restart the apache service during master
installation. The failure happens because of apache is not
configured yet on 'pki-tomcatd' installation phase. The mentioned
code and proposed one relies on the installer which bootstraps the
master.
Fixes: https://pagure.io/freeipa/issue/8233
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When IPA was not installed on the restore target host, and
when httpd was already running, "ipactl stop" does not stop
httpd. "ipactl start" at the end of the restore tool will
therefore not restart httpd either.
Calling "ipactl restart" at the end of the restore fixes the
issue, and as an added bonus, makes sure IPA can restart itself
properly.
Fixes: https://pagure.io/freeipa/issue/8226
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Move all the routines run_ods* from tasks to _ods14 or _ods21 module
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When migrating the DNSSec Master to a replica, the setup of
opendnssec is re-using the database and needs to call zonelist
export.
With opendnssec 1.4 this call is done with ods-ksmutil while
opendnssec 2.1 uses ods-enforcer that communicates with
odsenforcerd that is not started yet.
Move the call after ods-enforcerd is started.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The communication between ods-signer and the socket-activated process
has changed with OpenDNSSEC 2.1. Adapt ipa-ods-exporter to support also
the new protocol.
The internal database was also modified. Add a wrapper calling the
right code (table names hab=ve changed, as well as table columns).
With OpenDNSSEC the policy also needs to be explicitely loaded after
ods-enforcer-db-setup has been run, with
ods-enforcer policy import
The command ods-ksmutil notify must be replace with ods-enforce flush.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
With OpenDNSSEC 1.4, the code was using the command
$ ods-ksmutil zonelist export
which printed the zonelist as XML in its output.
With OpenDNSSEC 2, the code is using the command
$ ods-enforcer zonelist export
which prints a message instead:
"Exported zonelist to /etc/opendnssec/zonelist.xml successfully"
The code needs to extract the zonelist file name and read the XML
from the file.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
In opendnssec 2.1.6, the <Interval> element is not supported in the
configuration file.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
AJP implementation in Tomcat is vulnerable to CVE-2020-1938 if used
without shared secret. Set up a shared secret between localhost
connector and Apache mod_proxy_ajp pass-through.
For existing secured AJP pass-through make sure the option used for
configuration on the tomcat side is up to date. Tomcat 9.0.31.0
deprecated 'requiredSecret' option name in favor of 'secret'. Details
can be found at https://tomcat.apache.org/migration-9.html#Upgrading_9.0.x
Fixes: https://pagure.io/freeipa/issue/8221
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
As we need to store credentials for AJP protocol comminucation,
ensure only root can read the configuration file.
Related: https://pagure.io/freeipa/issue/8221
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When the command ipa-adtrust-install --add-agents is run, it executes
remotely the command trust_enable_agent. This command does not require
the package ipa-server-trust-ad to be installed on the remote node, but
fails if it's not the case because dbus is not imported.
Need to move the "import dbus" outside of the try/except related to
dcerpc import.
Related: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When ipa-adtrust-install is run, the tool detects masters that are
not enabled as trust agents and propose to configure them. With the
current code, the Schema Compat plugin is not enabled on these new
trust agents and a manual restart of LDAP server + SSSD is required.
With this commit, ipa-adtrust-install now calls remote code on the new
agents through JSON RPC api, in order to configure the missing parts.
On the remote agent, the command is using DBus and oddjob to launch
a new command,
/usr/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent [--enable-compat]
This command configures the Schema Compat plugin if --enable-compat is
provided, then restarts LDAP server and SSSD.
If the remote agent is an older version and does not support remote
enablement, or if the remote server is not responding, the tool
ipa-adtrust-install prints a WARNING explaining the steps that need
to be manually executed in order to complete the installation, and
exits successfully (keeping the current behavior).
Fixes: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
server_conncheck is ensuring that the caller has the expected privilege.
Move the code to a common place in ipaserver/plugins/privilege.py
Related: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
The relative service weight output tries to show the relative
chance that any given master in a locaiton will be picked. This
didn't account for all masters having a weight of 0 which would
result in a divide-by-zero error.
Implement the following rules:
1. If all masters have weight == 0 then all are equally
weighted.
2. If any masters have weight == 0 then they have an
extremely small chance of being chosen, percentage is
0.1.
3. Otherwise it's percentage change is based on the sum of
the weights of non-zero masters.
https://pagure.io/freeipa/issue/8135
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The web page ssbrowser.html is displayed when the browser doesn't
enable javascript. When js is enabled, the content is taken from
ipaserver/plugins/internal.py.
The commit e4966f9 fixed a string in ssbrowser.html but did not
fix the corresponding string in ipaserver/plugins/internal.py,
resulting in a different page depending on javascript enabled/not
enabled.
This commit makes both contents consistent.
Fixes: https://pagure.io/freeipa/issue/8201
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
The labels for memberservice_hbacsvc and memberservice_hbacsvcgroup are
only "Services" and "Service Groups" but they should be "HBAC Services"
and "HBAC Service Groups".
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
dnsrecord_del fails when one of the record arguments is an empty list:
AttrValueNotFound("AAAA record does not contain 'None'",)
The problem is caused by the fact that LDAPEntry.__getitem__ returns None
for empty lists. The code in the plugin considers None as a single entry
and maps it to vals = [None].
The patch maps None to empty list.
Fixes: https://pagure.io/freeipa/issue/8196
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
We cannot gather information about required DNS records before "ADTrust
Controller" role is enabled on this server. As result, we need to call
the step to add DNS records after the role was enabled.
Fixes: https://pagure.io/freeipa/issue/8192
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This is the first time running Pylint-2.4 over the whole IPA codebase.
```
Pylint on /usr/bin/python is running, please wait ...
internal error with sending report for module ['ipaserver/plugins/serverroles.py']
maximum recursion depth exceeded while calling a Python object
************* Module ipatests.test_integration.base
ipatests/test_integration/base.py:84: [W0125(using-constant-test), IntegrationTest.install] Using a conditional statement with a constant value)
************* Module ipaserver.install.ipa_cacert_manage
ipaserver/install/ipa_cacert_manage.py:522: [R1724(no-else-continue), CACertManage.delete] Unnecessary "elif" after "continue")
```
The latest Pylint (via the Tox task) checks only:
```
{envsitepackagesdir}/ipaclient \
{envsitepackagesdir}/ipalib \
{envsitepackagesdir}/ipapython
```
, while the distro-Pylint runs over all project but it is not fresh.
That's why these warnings/errors weren't exposed before now.
Concerning `internal error`: a fix was accepted by upstream:
https://github.com/PyCQA/pylint/issues/3245, but wasn't released yet.
Until that is done, Pylint just warns.
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Previously in order to enable the LDAP profile subsystem
the ca_enable_ldap_profile_subsystem() would check the
current value of the profile subsystem class parameter in
CS.cfg. If the parameter was still set to the default value
(i.e. ProfileSubsystem), the code would change it to
LDAPProfileSubsystem.
There is a effort in PKI to clean up the profile subsystem
classes which may require changing the default value for
this parameter. However, this improvement is blocked since
the ca_enable_ldap_profile_subsystem() is implicitly assuming
that the default value will always be ProfileSubsystem.
This patch modifies the code such that instead of checking
for a specific value that needs to be changed, it will check
whether it has the desired value already. This mechanism
will reduce potential conflicts with future PKI improvements.
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Commit 49cf5ec64b fixed a bug that
prevented migration from externally-signed to self-signed IPA CA.
But it introduced a subtle new issue: certmonger-initiated renewal
renews an externally-signed IPA CA as a self-signed CA.
To resolve this issue, introduce the `--force-self-signed' flag for
the dogtag-ipa-ca-renew-agent script. Add another certmonger CA
definition that calls this script with the `--force-self-signed'
flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed
CA certificate if the existing certificate is self-signed or if
`--force-self-signed' was given. Update `ipa-cacert-manage renew'
to supply `--force-self-signed' when appropriate.
As a result of these changes, certmonger-initiated renewal of an
externally-signed IPA CA certificate will not issue a self-signed
certificate.
Fixes: https://pagure.io/freeipa/issue/8176
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Before removing a CA re-verify all the other CAs to ensure that
the chain is not broken. Provide a force option to handle cases
where the CA is expired or verification fails for some other
reason, or you really just want them gone.
https://pagure.io/freeipa/issue/8124
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
When ipa commands are used by an Active Directory user that
does not have any idoverride-user set, they return the
following error message which can be misleading:
$ kinit aduser@ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Internal Server Error
The fix properly handles ACIError exception received when
creating the context, and now the following message can be seen:
$ kinit aduser@ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Unauthorized
with the following log in /var/log/httpd/error_log:
ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
Fixes: https://pagure.io/freeipa/issue/8163
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Displaying "Dynamic Update" and "Bind update policy" by default
when 'ipa dnszone-show/find' are used would make client dns update
failures easier to diagnose, so display them.
Fixes: https://pagure.io/freeipa/issue/7938
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When 'ipa krbtpolicy-reset' is called, we need to reset all policy
settings, including per-indicator ones. Per-indicator policy uses
subtyped attributes (foo;bar), the current krbtpolicy-reset code does
not deal with those.
Add support for per-indicator policy reset. It is a bit tricky, as we
need to drop the values to defaults but avoid adding non-per-indicator
variants of the same attributes.
Add test to check that policy has been resetted by observing a new
Kerberos TGT for the user after its policy reset.
Fixes: https://pagure.io/freeipa/issue/8153
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The change to allow overlapping zone to be from the master itself has
introduced two issues: The check for the master itself should only executed
if options.force and options.allow_zone_overlap are both false and the
reverse zone check later on was still handling ValueError instead of
dnsutil.DNSZoneAlreadyExists.
Both issues have been fixed and the deployment with existing name servers
is properly working again.
Fixes: https://pagure.io/freeipa/issue/8150
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
When re-running `ipa-server-install --setup-dns` on already installed
server, we do not get to the check of being already installed because
DNS zone overlap forces us to fail earlier.
Change exception returned for this case from check_zone_overlap() to
return structured information that allows to understand whether we are
finding a conflict with ourselves.
Use the returned information to only fail DNS check at this point if DNS
zone overlap is generated by a different name server than ourselves.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
DomainValidator.get_trusted_domain_object_from_sid() was using
escape_filter_chars() with bytes. The function only works with text.
This caused idview to fail under some circumstances. Reimplement
backslash hex quoting for bytes.
Fixes: https://pagure.io/freeipa/issue/7958
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
After adding a replica to AD trust agent, the warning
message does not mention that restarting sssd is mantatory
for the trust agent to work. Fix the string.
Fixes: https://pagure.io/freeipa/issue/8148
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix comparison bug that prevents ldap_disable to actually disable a
service.
Fixes: https://pagure.io/freeipa/issue/8143
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-server-install fails if idstart is set to 0. There might be
additional issues when idstart overlaps with local users. Ensure that
idstart is larger than UID_MAX or GID_MAX from /etc/login.defs.
Fixes: https://pagure.io/freeipa/issue/8137
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The method has_upg returns if user private groups are enabled or
disabled. has_upg() is called three times by user-add. The setting is
now cached on the request local variable context to speed up batch
processing of user imports.
context is cleared after every request.
Related: https://pagure.io/freeipa/issue/8134
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
After an upgrade, the group cn=adtrust agents may be missing some members.
Each ad trust controller must appear twice as member:
- krbprincipalname=cifs/hostname@realm,cn=services,cn=accounts,basedn
- fqdn=hostname,cn=computers,cn=accounts,basedn
Add an upgrade plugin that builds a list of hostnames from the cifs
principals and adds if needed fqdn=hostname...
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1778777
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
urllib3 now supports post-handshake authentication with TLS 1.3. Enable
TLS 1.3 support for Apache HTTPd.
The update depends on bug fixes for TLS 1.3 PHA support in urllib3 and
Apache HTTPd. New builds are available in freeipa-master COPR and in
F30/F31.
Overwrite crypto-policy on Fedora only. Fedora 31 and earlier have TLS
1.0 and 1.1 still enabled by default.
Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
A raw batch request was fully logged which could expose parameters
we don't want logged, like passwords.
Override _repr_iter to use the individual commands to log the
values so that values are properly obscured.
In case of errors log the full value on when the server is in
debug mode.
Reported by Jamison Bennett from Cloudera
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Florence Blanc-Renaud <frenaud@redhat.com>
For the authentication indicators 'otp', 'radius', 'pkinit', and
'hardened', allow specifying maximum ticket life and maximum renewable
age in Kerberos ticket policy.
The policy extensions are now loaded when a Kerberos principal data is
requested by the KDC and evaluated in AS_REQ KDC policy check. If one of
the authentication indicators mentioned above is present in the AS_REQ,
corresponding policy is applied to the ticket.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
LDAP attribute options aren't enforced in the LDAP schema. They
represent server- and client-side treatment of attribute values but the
schema definition knows nothing about them.
When we check attribute presence in the entry, we should strip options
before comparing attribute names with the schema.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Commands like ipa group-add-member-manager now show permission
errors on failed operations.
Fixes: https://pagure.io/freeipa/issue/8122
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
If a replica has no Samba bindings but there are trust agreements
configured on some trust controller, skip trust upgrade code on this
replica.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
While [1] did open recursion, it also opened widely a security flaw.
This patch intends to close it back, while allowing operators to easily
add their open configuration within Bind9.
In order to allow operators to still open Bind recursion, a new file is
introduced, "ipa-ext.conf" (path might change according to the OS). This
file is not managed by the installer, meaning changes to it won't be
overridden.
Since it's included at the very end of the main configuration file, it
also allows to override some defaults - of course, operators have to be
careful with that.
Related-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1754530
Fixes: https://pagure.io/freeipa/issue/8079
[1] 5f4c75eb28
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
A group membership manager is a user or a group that can add members to
a group or remove members from a group or host group.
Fixes: https://pagure.io/freeipa/issue/8114
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
"ipa-advise config-client-for-smart-card-auth" is run on a server and
creates a script that needs to be copied and executed on a client.
The client may be of a different version and use authconfig instead of
authselect. The generated script must be able to handle both cases
(client using authselect or client using authconfig).
The patch checks whether authselect is available and calls the proper
configuration command (authselect or authconfig) depending on its
availability on the client.
Fixes: https://pagure.io/freeipa/issue/8113
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
LDAP updater now ignores commented out lines after substitution.
Fixes: https://pagure.io/freeipa/issue/8111
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add FIPS conditional to updates to prevent updater from adding camellia
encsalttypes.
Fixes: https://pagure.io/freeipa/issue/8111
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
New Pylint (2.4.3) catches several new 'true problems'. At the same
time, it warns about things that are massively and reasonably
employed in FreeIPA.
list of fixed:
- no-else-continue
- redeclared-assigned-name
- no-else-break
- unnecessary-comprehension
- using-constant-test (false positive)
list of ignored (responsibility of contributors and reviewers):
- import-outside-toplevel
Fixes: https://pagure.io/freeipa/issue/8102
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Python2 and python3 have different interfaces for os.mkdir:
python2: os.mkdir(path[, mode])
python3: os.mkdir(path, mode=0o777, *, dir_fd=None)
ipa-backup is using the python3 format, which breaks deployments using
python2. The fix consists in using os.mkdir(path, 0o700) instead of
os.mkdir(path, mode=0o700).
Fixes: https://pagure.io/freeipa/issue/8099
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Add an upgrade script to detect when ipakra people entry has
incorrect 'description' attribute and fix it.
Part of: https://pagure.io/freeipa/issue/8084
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
If IPA CA has custom subject DN (not "CN=Certificate
Authority,{subject_base}"), the uid=ipakra people entry gets an
incorrect 'description' attribute. The issuer DN in the
'description' attribute is based on the aforementioned pattern,
instead of the actual IPA CA subject DN.
Update KRAInstance.configure_instance() to require the CA subject DN
argument. Update ipaserver.install.kra.install() to pass the CA
subject DN.
Fixes: https://pagure.io/freeipa/issue/8084
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The UPG plugin is used to create a user private group when a new
IPA user is created, with the same name as the user. When this plugin
is enabled, the user creation must ensure that no group exists with
the same name.
When the UPG plugin is disabled, or when the user is created with the
--noprivate option, there is no need to perform this check as the
private group will not get created.
Currently, the --noprivate option correctly skips the test, but a
disabled UPG plugin does not skip the test. The fix ensures that
UPG plugin status is checked.
Fixes: https://pagure.io/freeipa/issue/4972
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Dogtag had only one switch, ca.publish.enable, for both CRLs and certs.
Since cert publishing is not used in IPA it should be disabled to
avoid false positives in the logs.
https://pagure.io/freeipa/issue/7522
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add support for Custodia ca_wrapped clients to specify the desired
symmetric encryption algorithm for exporting the wrapped signing key
(this mechanism is used for LWCA key replication). If not
specified, we must assume that the client has an older Dogtag
version that can only import keys wrapped with DES-EDE3-CBC
encryption.
The selected algorithm gets passed to the 'nsswrappedcert' handler,
which in turn passes it to the 'pki ca-authority-key-export' command
(which is part of Dogtag).
Client-side changes will occur in a subsequent commit.
Part of: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
To support lightweight CA key replication using AES, while retaining
backwards compatibility with old servers, it is necessary to signal
support for AES. Whereas we currently request a key with the path:
/keys/ca_wrapped/<nickname>
and whereas paths with > 3 components are unsupported, add support
for handlers to signal that they support extra arguments (defaulting
to False), those arguments being conveyed as additional path
components, e.g.:
# 2.16.840.1.101.3.4.1.2 = aes128-cbc
/keys/ca_wrapped/<nickname>/2.16.840.1.101.3.4.1.2
This commit only adds the Custodia support for extra handler
arguments. Work to support LWCA key replication with AES wrapping
will continue in subsequent commits.
Part of: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Helper scripts now use api.bootstrap(log=None) to avoid the creation of
log files. Helper scripts are typically executed from daemons which
perform their own logging. The helpers still log to stderr/stdout.
This also gets rid of some SELinux AVCs when the script tries to write
to /root/.ipa/.
Fixes: https://pagure.io/freeipa/issue/8075
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Previously it would end up being owned by root:root mode 0755
instead of dirsrv:dirsrv mode 0770.
https://pagure.io/freeipa/issue/7725
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
When the --server option is provided to ipa-replica-install (1-step
install), make sure that the server offers all the required roles
(CA, KRA). If it's not the case, refuse the installation.
Note that the --server option is ignored when promoting from client to
replica (2-step install with ipa-client-install and ipa-replica-install),
meaning that the existing behavior is not changed in this use case:
by default the host specified in default.conf as server is used for
enrollment, but if it does not provide a required role, another host can
be picked for CA or KRA setup.
Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
ipa installer creates /etc/pkcs11/modules/softhsm2.module in order
to disable global p11-kit configuration for NSS.
This file was not included in the backups, and not restored.
The fix adds the file to the list of files to include in a backup.
Fixes: https://pagure.io/freeipa/issue/8073
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
It was executed after restore_all_files() so PKCS11_MODULES was
already restored so that part was a no-op, but the redhat
restore_pkcs11_modules() also calls unlink() on each restored
file so basically the file would be restored, unlinked, then
since it was already restored, skipped.
By moving the call to restore_pkcs11_modules() earlier it can
do the expected restoration properly.
https://pagure.io/freeipa/issue/8034
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The host password was defined as a Str type so would be
logged in cleartext in the Apache log.
A new class, HostPassword, was defined to only override
safe_value() so it always returns an obfuscated value.
The Password class cannot be used because it has special treatment
in the frontend to manage prompting and specifically doesn't
allow a value to be passed into it. This breaks backwards
compatibility with older clients. Since this class is derived
from Str old clients treat it as a plain string value.
This also removes the search option from passwords.
https://pagure.io/freeipa/issue/8017
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Inside the container environment master's IP address
does not resolve to its name.
Resolves: https://pagure.io/freeipa/issue/6210
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.
This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permissions which
grants access to trust agents and trust admins.
Resolves: https://pagure.io/freeipa/issue/8067
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
It looks like for some cases we do not have proper set up keytab
retrieval configuration in the old trusted domain object. This mostly
affects two-way trust cases. In such cases, create default configuration
as ipasam would have created when trust was established.
Resolves: https://pagure.io/freeipa/issue/8067
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Given the changes in IPA server API changes, whebUI is modified to
utilize new authentication indicators, and disabled custom indicators
for services' white list.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
As new authentication indicators implemented, we also modified server
API to support those new values. Also, "krbprincipalauthind" attribute
is modified to use a pre-defined set of values instead of arbitrary
strings.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
When parsing a keytab to copy keys to a different keytab, we don't need
the timestamp, so don't ask klist to output it. In some locales (en_IN,
for example), the timestamp is output in a single field without a space
between date and time. In other locales it can be represented with date
and time separated by a space.
Fixes: https://pagure.io/freeipa/issue/8066
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
There is a loop which keeps trying to bind as the admin user
which will fail until it is replicated.
In the case where there is a lot to replicate the default
5 minute timeout may be insufficient. Provide a hint for
tuning.
Fixes: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The variable is intended to control the timeout for replication
events. If someone had significantly reduced it via configuration
then it could have caused certmogner requests to fail due to timeouts.
Add replication_wait_timeout, certmonger_wait_timeout and
http_timeout to the default.conf man page.
Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Since python3.8, identity checks with literal produce syntax warnings.
Replace the check 'if .. is 0' with 'if .. == 0'
Related: https://pagure.io/freeipa/issue/8057
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This will let us call it from ipaplatform.
Mark the original location as deprecated.
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixup for commit eb2313920e.
configparser's set() method does not convert boolean to string
automatically. Use string '"False"', which is then interpreted as
boolean 'False' by getboolean().
Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The HSM state is stored in fstore, so that CA and KRA installer use the
correct token names for internal certificates. The default token is
"internal", meaning the keys are stored in a NSSDB as usual.
Related: https://pagure.io/freeipa/issue/5608
Co-authored-by: Magnus K Karlsson <magnus-ka.karlsson@polisen.se>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Commit 5be9341fba disallowed simple bind
over an insecure connection. Password logins were only allowed over LDAPS
or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.
This commit lifts the restriction and permits insecure binds over plain
LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA
certificate is configured with a plain LDAP connection.
Fixes: https://pagure.io/freeipa/issue/8040
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
The CA_BACKUP_KEYS_P12 file is not enabled when pki_backup_keys is
set to False. It's the case when FreeIPA is configured with HSM support.
Related: https://pagure.io/freeipa/issue/7677
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The user-stage command is internally implemented as:
- user_show(all=True) in order to read the user attributes
- loop on the attributes defined as possible to add using stageuser-add and
transform them into new options for stageuser_add (for instance stageuser-add
provides the option --shell for the attribute loginshell, but there is no
option for the attribute businesscategory).
- call stageuser_add in order to create a new entry in the active users subtree
- user-del to remove the previous entry in the staged users subtree
The issue is in the 2nd step. Only the attributes with a stageuser-add option
are processed.
The logic of the code should be slightly modified, so that all the attributes
read in the first step are processed:
- if they correspond to an option of stageuser-add, process them like it's
currently done. For instance if the entry contains displayname, then it
should be processed as --displayName=value in the stageuser-add cmd
- if they do not correspond to an option of stageuser-add, add them with
--setattr=<attrname>=<attrvalue>
Note that some attributes may need to be filtered, for instance user-show
returns has_password or has_keytab, which do not correspond to attributes
in the LDAP entry.
Fixes: https://pagure.io/freeipa/issue/7597
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
- Add 'Server Options' section to the page
- Add 'IPA master capable of PKINIT' field to the 'Server Options'
Ticket: https://pagure.io/freeipa/issue/7305
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The p11helper module now includes the name of the PKCS#11 shared library
in error messages.
Fixes: https://pagure.io/freeipa/issue/8015
Co-Authored-By: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When the DS certificate gets untracked then tracked again (via
dsinstance.start_tracking_certificate()), it loses its profile
configuration. Although it is the default profile, we want to
retain the explicit reference. Ensure we add the profile when
re-tracking the DS certificate.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When the HTTP certificate gets untracked then tracked again, it
loses its pin file. Ensure we add the pin file when (re-)tracking
the HTTP certificate.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Replace renewal CA and profile name literals with corresponding
symbols from ipalib.constants.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Profile-based renewal means we should always explicitly specify the
profile in tracking requests that use the dogtag-ipa-ca-renew-agent
renewal helper. This includes the IPA RA agent certificate. Update
CAInstance.configure_agent_renewal() to add the profile to the
tracking request. This also covers the upgrade scenario (because
the same method gets invoked).
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The search for the HTTP Certmonger tracking request uses an
incorrect parameter ('key-storage'), triggering removal and
recreation of tracking requests on every upgrade. Replace
'key-storage' with the correct parameter, 'key-file'.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
For better diagnostics during upgrade, log the Certmonger tracking
requests that were not found (either because they do not exist, or
do not have the expected configuration).
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The upgrade routine checks tracking requests for CA system
certificates, IPA RA and HTTP/LDAP/KDC service certificates. If a
tracking request matching our expectations is not found, we stop
tracking all certificates, then create new tracking requests with
the correct configuration.
But the KRA was left out. Add checks for KRA certificates, and
remove/recreate KRA tracking requests when appropriate.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The profile for every Dogtag system cert tracking request is now
explicitly specified. So remove the code that handled unspecified
profiles.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The Dogtag "Server-Cert cert-pki-ca" certificate is treated
specially, with its own track_servercert() method and other special
casing. But there is no real need for this - the only (potential)
difference is the token name. Account for the token name difference
with a lookup method and treat all Dogtag system certs equally
w.r.t. tracking request creation and removal.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
To use profile-based renewal (rather than "renewal existing cert"
renewal which is brittle against database corruption or deleted
certificate / request objects), Certmonger tracking requests for
Dogtag system certs must record the profile to be used.
Update the upgrade method that checks tracking requests to look for
the profile. Tracking requests will be recreated if the expected
data are not found. The code that actually adds the tracking
requests was updated in a previous commit.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Enabling "fresh" renewals (c.f. "renewal"-based renewals that
reference the expired certificate and its associated request object)
will improve renewal robustness.
To use fresh renewals the tracking request must record the profile
to be used. Make dogtaginstance record the profile when creating
tracking requests for both CA and KRA.
Note that 'Server-Cert cert-pki-ca' and the 'IPA RA' both use
profile 'caServerCert', which is the default (according to
dogtag-ipa-renew-agent which is part of Certmonger). So we do not
need any special handling for those certificates.
This commit does not handle upgrade. It will be handled in a
subsequent commit.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This will allow cifs principals to be found. They were suppressed
because they include objectclass=posixAccount.
This is a bit of a historical anomaly. This was included in the
filter from the initial commit (though it was person, not
posixAccount). I believe it was a mistake from the beginning but
it wasn't noticed because it didn't cause any obvious issues.
https://pagure.io/freeipa/issue/8013
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
As we expand the integration tests for external CA functionality, it
is helpful (and avoids duplication) to use the MSCSTemplate*
classes. These currently live in ipaserver.install.cainstance, but
ipatests is no longer permitted to import from ipaserver (see commit
81714976e5e13131654c78eb734746a20237c933). So move these classes to
ipalib.
Part of: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
IPA LDAP has no altSecurityIdentities in use, it only should apply to
identities in trusted Active Directory domains.
Add checks to enforce proper certmap rule attribution for specific
Active Directory domains.
Related: https://pagure.io/freeipa/issue/7932
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
With ipa 4.5+, the RA cert is stored in files in
/var/lib/ipa/ra-agent.{key|pem}. The upgrade code handles
the move from /etc/httpd/alias to the files but does not remove
the private key from /etc/httpd/alias.
The fix calls certutil -F -n ipaCert to remove cert and key,
instead of -D -n ipaCert which removes only the cert.
Fixes: https://pagure.io/freeipa/issue/7329
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
A previous refactoring of SELinux tests has have a wrong
assumption about the user field separator within
ipaSELinuxUserMapOrder. That was '$$', but should be just '$'.
Actually, '.ldif' and '.update' files are passed through
Python template string substitution:
> $$ is an escape; it is replaced with a single $.
> $identifier names a substitution placeholder matching
> a mapping key of "identifier"
This means that the text to be substituted on should not be escaped.
The wrong ipaSELinuxUserMapOrder previously set will be replaced on
upgrade.
Fixes: https://pagure.io/freeipa/issue/7996
Fixes: https://pagure.io/freeipa/issue/8005
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The only permitted ciphers are the AES family (called aes, which
is the combination of: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and
aes128-cts-hmac-sha256-128).
DES, RC4, and Camellia are not permitted in FIPS mode. While 3DES
is permitted, the KDF used for it in krb5 is not, and Microsoft
doesn't implement 3DES anyway.
This is only applied on new installations because we don't
allow converting a non-FIPS install into a FIPS one.
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Drop the SSLProtocol directive for Fedora and RHEL systems. mod_ssl
will use crypto policies for the set of protocols.
For Debian systems configure a similar set of protocols for what
was previously configured, but do it in a different way. Rather than
iterating the allowed protocols just include the ones not allowed.
Fixes: https://pagure.io/freeipa/issue/7667
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.
This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER
and applies corresponding changes to the test code.
Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
SMB attributes are used by Samba domain controller when reporting
details about IPA users via LSA DCE RPC calls.
Based on the initial work from the external plugin:
https://github.com/abbra/freeipa-user-trust-attributes
Related: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Tibor Dudlák <tdudlak@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Introduces new utility to configure Samba on an IPA domain member.
The tool sets up Samba configuration and internal databases, creates
cifs/... Kerberos service and makes sure that a keytab for this service
contains the key with the same randomly generated password that is set
in the internal Samba databases.
Samba configuration is created by querying an IPA master about details
of trust to Active Directory configuration. All known identity ranges
added to the configuration to allow Samba to properly handle them
(read-only) via idmap_sss.
Resulting configuration allows connection with both NTLMSSP and Kerberos
authentication for IPA users. Access controls for the shared content
should be set by utilizing POSIX ACLs on the file system under a
specific share.
The utility is packaged as freeipa-client-samba package to allow pulling
in all required dependencies for Samba and cifs.ko (smb3.ko) kernel
module. This allows an IPA client to become both an SMB server and an
SMB client.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
SMB service has a number of predefined properties that must be set at a
creation time. Thus, we provide a special command that handles all the
needed changes. In addition, since SMB principal name is predefined, it
is generated automatically based on the machine hostname.
Since we generate the service's object primary key, its argument/option
should be removed from the list of the command's arguments and options.
We also remove those options that make no sense in the context of SMB
service.
Most controversial would probably be a lack of the authentication
indicator that could be associated with the service. However, this is
intended: SMB service on the domain member is used by both humans and
other SMB services in the domain. Thus, it is not possible to require a
specific authentication indicator to be present: automated acquisition
of the credentials by a domain controller or other domain member machine
accounts is based on a single factor creds and cannot be changed.
Access to SMB service should be regulated on the SMB protocol level,
with access controls in share ACLs.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When DCERPC clients use Kerberos authentication, they use a service
ticket to host/domain.controller because in Active Directory any
service on the host is an alias to the machine account object.
In FreeIPA each Kerberos service has own keys so host/.. and cifs/..
do not share the same keys. It means Samba suite needs to have access to
host/.. keytab entries to validate incoming DCERPC requests.
Unfortunately, MIT Kerberos has no means to operate on multiple keytabs
at the same time and Samba doesn't implement this either. We cannot use
GSS-Proxy as well because Samba daemons are running under root.
As a workaround, copy missing aes256 and aes128 keys from the host
keytab. SMB protocol doesn't use other encryption types and we don't
have rc4-hmac for the host either.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When creating ipa-client-samba tool, few common routines from the server
installer code became useful for the client code as well.
Move them to ipapython.ipautil and update references as well.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Since we are authenticating against AD DC before talking to it (by using
trusted domain object's credentials), we need to override krb5.conf
configuration in case --server option is specified.
The context is a helper which is launched out of process with the help
of oddjobd. The helper takes existing trusted domain object, uses its
credentials to authenticate and then runs LSA RPC calls against that
trusted domain's domain controller. Previous code directed Samba
bindings to use the correct domain controller. However, if a DC visible
to MIT Kerberos is not reachable, we would not be able to obtain TGT and
the whole process will fail.
trust_add.execute() was calling out to the D-Bus helper without passing
the options (e.g. --server) so there was no chance to get that option
visible by the oddjob helper.
Also we need to make errors in the oddjob helper more visible to
error_log. Thus, move error reporting for a normal communication up from
the exception catching.
Resolves: https://pagure.io/freeipa/issue/7895
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Updating ipa_client_automount.py and ipactl.py's codestyle is
mandatory to make pylint pass as these are considered new files.
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Second part of the trust principals upgrade
For existing LOCAL-FLAT$@REMOTE object, convert it to
krbtgt/LOCAL-FLAT@REMOTE and add LOCAL-FLAT$@REMOTE as an alias. To do
so we need to modify an entry content a bit so it is better to remove
the old entry and create a new one instead of renaming.
Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Upgrade code had Kerberos principal names mixed up: instead of creating
krbtgt/LOCAL-FLAT@REMOTE and marking LOCAL-FLAT$@REMOTE as an alias to
it, it created LOCAL-FLAT$@REMOTE Kerberos principal and marked
krbtgt/LOCAL-FLAT@REMOTE as an alias.
This differs from what Active Directory expects and what is created by
ipasam plugin when trust is established. When upgrading such deployment,
an upgrade code then unexpectedly failed.
Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa stageuser-find fails to return a staged user if it does not
contain the posixaccount objectclass.
The code is replacing the search filter (objectclass=posixaccount)
with (|(objectclass=posixaccount)(objectclass=inetorgperson)) so it
should work in theory.
The issue is that on python2 the filter has been hexlified before
reaching the stageuser plugin, hence filter.replace does not recognize
the pattern (objectclass=posixaccount).
The fix consists in creating the filter with a call to
ldap.make_filter_from_attr()
that will hexlify too, if needed.
Fixes: https://pagure.io/freeipa/issue/7983
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The check can fail for a lot of other reasons than there is
overlap so the error should be logged.
This causes confusion when --auto-reverse is requested and
some lookup fails causing the reverse to not be created.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
For now all the default shells of users and admin are hardcoded in
different parts of the project. This makes it impossible to run the
test suite against the setup, which has the default shell differed
from '/bin/sh'.
The single configuration point for the shell of users and admin is
added to overcome this limitation.
Fixes: https://pagure.io/freeipa/issue/7978
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
A CustodiaClient object has to the process environment a bit, e.g. set
up GSSAPI credentials. To reuse the credentials in libldap connections,
it is also necessary to set up a custom ccache store and to set the
environment variable KRBCCNAME temporarily.
Fixes: https://pagure.io/freeipa/issue/7964
Co-Authored-By: Fraser Tweedale <ftweedal@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
If lightweight CA key replication has not completed, requests for
the certificate or chain will return 404**. This can occur in
normal operation, and should be a temporary condition. Detect this
case and handle it by simply omitting the 'certificate' and/or
'certificate_out' fields in the response, and add a warning message
to the response.
Also update the client-side plugin that handles the
--certificate-out option. Because the CLI will automatically print
the warning message, if the expected field is missing from the
response, just ignore it and continue processing.
** after the Dogtag NullPointerException gets fixed!
Part of: https://pagure.io/freeipa/issue/7964
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Use dsctl instead, the modern replacement for ldif2db, db2ldif,
bak2db and db2bak.
https://pagure.io/freeipa/issue/7965
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipaserver.installutils.realm_to_serverid was deprecated. Use
ipapython.ipaldap.realm_to_serverid instead.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
We only want to become the renewal master if we actually renewed a
shared certificate. But there is a bug in the logic; even if the
only Dogtag certificate to be renewed is the 'sslserver' (a
non-shared certificate), the renewal master will be reset. Fix the
bug.
A static type system would have excluded this bug.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
When DS cert is expired, 'pki-server cert-fix' will fail at the
final step (restart). When this case arises, ignore the
CalledProcessError and continue.
We can't know for sure if the error was due to failure of final
restart, or something going wrong earlier. But if it was a more
serious failure, the next step (installing the renewed IPA-specific
certificates) will fail.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
It is customary to return 2 when IPA is not configured, and 1 when
other required bits are not installed or configured. Update
ipa-cert-fix exit statuses accordingly.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The ipa-cert-fix tool wraps `pki-server cert-fix`, performing
additional certificate requests for non-Dogtag IPA certificates and
performing additional actions. In particular:
- Run cert-fix with arguments particular to the IPA deployment.
- Update IPA RA certificate in the ipara user entry (if renewed).
- Add shared certificates (if renewed) to the ca_renewal LDAP
container for replication.
- Become the CA renewal master if shared certificates were renewed.
This ensures other CA replicas, including the previous CA renewal
master if not the current host, pick up those new certificates
when Certmonger attempts to renew them.
Fixes: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The ipa-cert-fix program needs to know where to put shared
certificates. Extract the logic that computes the nickname from
dogtag-ipa-ca-renew-agent to new subroutine
cainstance.get_ca_renewal_nickname().
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
When the CA renewal master renews certificates that are shared
across CA replicas, it puts them in LDAP for the other CA replicas
to see. The code to create/update these entries lives in the
dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for
the ipa-cert-fix program too. Extract it to a subroutine in the
cainstance module.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
As with commit b37d18288d, can_read() method does not need to decode
a string in Python 3. can_read() wasn't used anywhere in the code,
apparently.
Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
LDAPCreate class explicitly allows use of --setattr/--addattr options to
pass-in additional configuration or override some of the framework
decisions. However, changes to objectclasses are ignored.
We have a number of plugins where additional attributes and their values
are generated at creation time. For example, ipa-sidgen plugin generates
ipaNTSecurityIdentifier value on LDAP ADD operation when objectclasses
include a specific object class and some other attributes (uidNumber,
gidNumber) do present in the LDAP mods.
Allow to override object-specific LDAP objectclasses by the
--setattr/--addattr option values.
Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
389-ds will change the default value of nsslapd-unhashed-pw-switch from 'on' to 'off'
For new or upgraded IPA instance, in case of winsync deployment the attribute is set
to 'on' and a warning is displayed. Else the attribute is set to 'nolog'
https://pagure.io/freeipa/issue/4812
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
In a interactive installation of freeipa server a promt asks for NTP related
options after install_check has been called. As it may cause confusion to users
moving to install_check methods where the prompt for other options is being done.
Refactored sync_time() method to use passed parameters ntp_servers and ntp_pool.
Resolves: https://pagure.io/freeipa/issue/7930
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>