When trust is established, we also create idrange for the trusted domain.
With FreeIPA 3.3 these ranges can have different types, and in order to
detect which one is to create, we need to do lookup at AD LDAP server.
Such lookup requires authenticated bind. We cannot bind as user because
IPA framework operates under constrained delegation using the user's
credentials and allowing HTTP/ipa.server@REALM to impersonate the user
against trusted domain's services would require two major things:
- first, as we don't really know exact AD LDAP server names (any AD DC
can be used), constrained delegation would have to be defined against
a wild-card
- second, constrained delegation requires that target principal exists
in IPA LDAP as DN.
These two together limit use of user's ticket for the purpose of IPA
framework looking up AD LDAP.
Additionally, immediately after trust is established, issuing TGT with
MS-PAC to HTTP/ipa.server@REALM may fail due to the fact that KDB driver
did not yet refreshed its list of trusted domains -- we have limited
refresh rate of 60 seconds by default.
This patch makes possible to force re-initialization of trusted domains'
view in KDB driver if we are asked for TGT for HTTP/ipa.server@REALM.
We will need to improve refresh of trusted domains' view in KDB driver
in future to notice changes in cn=etc,$SUFFIX tree automatically.
This improvement is tracked in https://fedorahosted.org/freeipa/ticket/1302 and
https://fedorahosted.org/freeipa/ticket/3626
Part of https://fedorahosted.org/freeipa/ticket/3649
We need KDC hostname for several purposes:
- short-circuit detection of principals on the same server as KDC
- generating NetBIOS name
Make sure we cache hostname information on startup and use it
instead of detecting the hostname in run-time. This will miss the
case that KDC hostname got changed but such cases are not supported
anyway without restarting KDC and making changes to principals.
MS-PAC is required to be present in TGT if one wants to connect to
AD services using this TGT. Users get MS-PAC by default, SSSD in
ipa_server_mode uses host/fqdn@REALM principal to talk to AD LDAP.
This patch enables other services running on IPA master to connect
to AD services. This is required for IPA python code doing discovery
of remote AD domain settings shortly after IPA-AD trust has been
established.
extdom plugin handles external operation over which SSSD asks IPA server about
trusted domain users not found through normal paths but detected to belong
to the trusted domains associated with IPA realm.
SSSD expects that user or group name in the response will be unqualified
because domain name for the user or group is also included in the response.
Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully
qualified name which includes the domain name we are asked to handle.
The code already expects that fully-qualified names are following user@domain
convention so we are simply tracking whether '@' symbol is present and is followed
by the domain name.
With the new ipa_server_mode SSSD is able to read user and group data
from trusted AD domains directly and makes this data available via the
NSS responder. With this mode enabled winbind is not needed anymore to
lookup users and groups of trusted domains.
This patch removed the calls to winbind from the extdom plugin and
replaces them with standard POSIX calls like getpwnam() and calls from
libsss_nss_idmap to lookup SIDs.
Fixes https://fedorahosted.org/freeipa/ticket/3637 because now the
extdom plugin does not need to handle idranges anymore, but everything
is done inside SSSD.
For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is
needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
of a trusted domain with the credentials of a FreeIPA server host a
PAC must be added to the TGT for the host.
We use the well know RID of the Domain Computers group (515) for the
primary gid element of the PAC, this is the same as AD uses for host
tickets. The rid element of the PAC is set to the well know RID of the
Domain Controllers group (516). This is working for the SSSD use case
but might be improved later for more general use cases.
To determine if a host is a FreeIPA server or not it is checked if there
is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
this requires an additional LDAP lookup. But since TGS-REQs for hosts
should be rare I think it is acceptable for the time being.
Fixes https://fedorahosted.org/freeipa/ticket/3651
This was to resolve a -Werror=format-security error.
ipa_extdom_extop.c: In function 'ipa_extdom_extop':
ipa_extdom_extop.c:144:9: error: format not a string literal and no format
arguments [-Werror=format-security]
Windows DCs return an empty reply when a legal request cannot satisfied.
If we get EINVAL or ENOENT it means the information requested could not be
found or input parameters were bogus.
Always return an empty reply in these cases.
On any other internal error just return, the request may have been legit but we
can't really handle it right now, pretend we never saw it and hope the next
attempt will succeed.
Fixes: https://fedorahosted.org/freeipa/ticket/3639
Signed-off-by: Simo Sorce <simo@redhat.com>
1. Stop using getdomainname() as it is often not properly initialized
2. The code using getdomainname() was not working anyway it was trying to
look at the function call output in hostname which is always empty at that
point.
3. Always check the requested domain matches our own, we cannot reply to
anything else anyway.
Pre-requisite to fix: https://fedorahosted.org/freeipa/ticket/3639
Signed-off-by: Simo Sorce <simo@redhat.com>
This daemon listens for RADIUS packets on a well known
UNIX domain socket. When a packet is received, it queries
LDAP to see if the user is configured for RADIUS authentication.
If so, then the packet is forwarded to the 3rd party RADIUS server.
Otherwise, a bind is attempted against the LDAP server.
https://fedorahosted.org/freeipa/ticket/3366http://freeipa.org/page/V3/OTP
If OTP is enabled for a user, then:
1. Long-term keys are not provided to KDB
2. The user string 'otp' is defined to KDB
Since it is not secure to send radius configuration information
over krb5 user strings, we simply set the string to a known default
('[]') which enables the default configuration in the KDC.
https://fedorahosted.org/freeipa/ticket/3561http://freeipa.org/page/V3/OTP
Request with a SID as input parameter do not contain the domain name,
hence is must be tried to resolve the SID first before the corresponding
domain can be looked up.
https://fedorahosted.org/freeipa/ticket/3596
PASSDB API in Samba adds support for specifying UPN suffixes. The change
in ipasam will allow to pass through list of realm domains as UPN suffixes
so that Active Directory domain controller will be able to recognize
non-primary UPN suffixes as belonging to IPA and properly find our KDC
for cross-realm TGT.
Since Samba already returns primary DNS domain separately, filter it out
from list of UPN suffixes.
Also enclose provider of UPN suffixes into #ifdef to support both
Samba with and without pdb_enum_upn_suffixes().
Part of https://fedorahosted.org/freeipa/ticket/2848
cmocka is a more advanced unit test framework for C-code than the
currently used check framework. This patch adds configure checks and
makefile variables so that new unit tests can use cmocka.
Fixes https://fedorahosted.org/freeipa/ticket/3434
The plugin is configured unconditionally (i.e. does not check if
IPA was configured with DNS) as the plugin is needed on all
replicas to prevent objectclass violations due to missing SOA
serial in idnsZone objectclass. The violation could happen if just
one replica configured DNS and added a new zone.
https://fedorahosted.org/freeipa/ticket/3347
Default value "1" is added to replicated idnsZone objects
if idnsSOASerial attribute is missing.
https://fedorahosted.org/freeipa/ticket/3347
Signed-off-by: Petr Spacek <pspacek@redhat.com>
There were several problems:
- A cut-n-paste error where the wrong value was being considered when
an account was administratively unlocked.
- An off-by-one error where LDAP got one extra bind attempt.
- krbPwdPolicyReference wasn't being retrieved as a virtual attribute so
only the global_policy was used.
- The lockout duration wasn't examined in the context of too many failed
logins so wasn't being applied properly.
- Lockout duration wasn't used properly so a user was effectively unlocked
when the failure interval expired.
- krbLastFailedAuth and krbLoginFailedCount are no longer updated past
max failures.
https://fedorahosted.org/freeipa/ticket/3433
The way how unhashed password is stored in the entry was changed in
389-ds-base-1.3.0, it is now stored in an entry extension rather than
in a magic attribute unhashed#user#password. New API using an entry
extension was introduced. ipa-pwd-extop should take advantage of the
new API as the old one will be removed in 389-ds-base-1.3.1.
https://fedorahosted.org/freeipa/ticket/3439
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.
For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.
Tests included
https://fedorahosted.org/freeipa/ticket/2886
Any of the following checks:
- overlap between primary RID range and secondary RID range
- overlap between secondary RID range and secondary RID range
is performed now only if both of the ranges involved are local
domain ranges.
https://fedorahosted.org/freeipa/ticket/3391
Instead of always adding a PAC to the Kerberos ticket the global default
for the authorization data and the authorization data of the service
entry is evaluated and the PAC is added accordingly.
https://fedorahosted.org/freeipa/ticket/2960
The ipaKrbAuthzData LDAP attribute is read together with the other data
of the requestedprincipal and the read value(s) are stored in the e-data
of the entry for later use.
https://fedorahosted.org/freeipa/ticket/2960
