Commit Graph

63 Commits

Author SHA1 Message Date
Alexander Bokovoy
bb75f5a583 adtrust: support UPNs for trusted domain users
Add support for additional user name principal suffixes from
trusted Active Directory forests. UPN suffixes are a property
of the forest and as such are associated with the forest root
domain.

FreeIPA stores UPN suffixes in the ipaNTAdditionalSuffixes multi-valued
attribute of the ipaNTTrustedDomain object class.

In order to look up UPN suffixes, the netr_DsRGetForestTrustInformation
LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.

For more details on UPN and naming in Active Directory see
https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx

https://fedorahosted.org/freeipa/ticket/5354

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-11 17:25:50 +02:00
Simo Sorce
7a20fc671b Allow to specify Kerberos authz data type per user
Like for services, setting the ipaKrbAuthzData attribute on a user object will
allow us to control exactly what authz data is allowed for that user.
Setting NONE would allow no authz data, while setting MS-PAC would allow only
Active Directory compatible data.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/2579
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-03-09 19:00:43 +01:00
Sumit Bose
348c400484 ipa-kdb: map_groups() consider all results
Resolves https://fedorahosted.org/freeipa/ticket/5573

Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-02-02 18:15:19 +01:00
Sumit Bose
45b0148fcc ipa-kdb: get_authz_data_types() make sure entry can be NULL
This function determines which type of authorization data should be
added to the Kerberos ticket. There is a global default and it is
possible to configure this per service as well. The second argument is
the database entry of a service. If no service is given it makes sense
to return the global defaults, and most parts of get_authz_data_types()
handle this case well; this patch fixes the remaining issue and adds a
test for this as well.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2016-01-27 16:03:03 +01:00
Alexander Bokovoy
766438aba0 client referral support for trusted domain principals
https://fedorahosted.org/freeipa/ticket/3559

Reviewed-By: Sumit Bose <sbose@redhat.com>
2015-10-08 13:52:16 +02:00
Sumit Bose
3f7481a220 ipa-kdb: make string_to_sid() and dom_sid_string() more robust
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Sumit Bose
7a1b4dcafc ipa-kdb: add unit-test for filter_logon_info()
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
d3ccfefaa4 ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
When the incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.

Note that we treat the user's SID and primary group RID filtering as a violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.

For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1
it is OK to have empty group RIDs array as GroupCount SHOULD be
equal to Groups.MembershipCount returned by SamrGetGroupsForUser
[MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty.

Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
88c10dd975 ipa-kdb: use proper memory chunk size when moving sids
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
373a04870d ipa-kdb: reject principals from disabled domains as a KDC policy
Fixes https://fedorahosted.org/freeipa/ticket/4788

Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-02-16 16:30:57 +01:00
Alexander Bokovoy
92c3a9f1fd ipa-kdb: when processing transitions, hand over unknown ones to KDC
When processing cross-realm trust transitions, let the KDC handle
those we don't know about. Admins might define the transitions as
explicit [capaths] in krb5.conf.

https://fedorahosted.org/freeipa/ticket/4791

Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-02-16 16:29:59 +01:00
Martin Babinsky
eb09e77f16 always get PAC for client principal if AS_REQ is true
This patch proposes a fix for the following defect reported by covscan in
FreeIPA master code:

"""
Error: DEADCODE (CWE-561):
/daemons/ipa-kdb/ipa_kdb_mspac.c:2013: assignment: Assigning: "client_entry" =
"NULL".
/daemons/ipa-kdb/ipa_kdb_mspac.c:2077: null: At condition
"client_entry", the value of "client_entry" must be "NULL".
/daemons/ipa-kdb/ipa_kdb_mspac.c:2077: dead_error_condition: The condition
"client_entry" cannot be true.
/daemons/ipa-kdb/ipa_kdb_mspac.c:2077:
dead_error_line: Execution cannot reach the expression "client_entry" inside
this statement: "kerr = ipadb_get_pac(contex...".
"""

This is a part of a series of patches related to
https://fedorahosted.org/freeipa/ticket/4795

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Martin Babinsky
98b1690a0e ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a message
This patch is related to this defect reported by covscan on FreeIPA master:

"""
Error: DEADCODE (CWE-561):
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code !=
-1765328353L", taking false branch. Now the value of "error_code" is equal to
-1765328353.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition
"error_code != -1765328360L", taking false branch. Now the value of
"error_code" is equal to -1765328360.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42:
cond_const: Condition "error_code != 0", taking false branch. Now the value of
"error_code" is equal to 0.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:71:
intervals: When switching on "error_code", the value of "error_code" must be
in one of the following intervals: {[-1765328360,-1765328360],
[-1765328353,-1765328353], [0,0]}.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:71:
dead_error_condition: The switch value "error_code" cannot reach the default
case.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:123: dead_error_begin: Execution
cannot reach this statement: "default:".
"""

This patch is a part of series related to
https://fedorahosted.org/freeipa/ticket/4795.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Jan Cholasta
c8bc6b8818 Fix unchecked return value in ipa-kdb
https://fedorahosted.org/freeipa/ticket/4713

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-25 08:23:24 +00:00
Jan Cholasta
08ee4a2e6f Fix possible NULL dereference in ipa-kdb
https://fedorahosted.org/freeipa/ticket/4651

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Nathaniel McCallum
8b2f4443dc Periodically refresh global ipa-kdb configuration
Before this patch, ipa-kdb would load the global configuration on startup and
never update it. This means that if the global configuration is changed, the
KDC never receives the new configuration until it is restarted.

This patch enables caching of the global configuration with a timeout of
60 seconds.

https://fedorahosted.org/freeipa/ticket/4153

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-19 14:50:32 +02:00
Martin Kosek
740298d120 Avoid passing non-terminated string to is_master_host
When the string is not terminated, queries with a corrupted base may be sent
to LDAP:

... cn=ipa1.example.com<garbage>,cn=masters...

https://fedorahosted.org/freeipa/ticket/4214

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-03-11 16:55:01 +01:00
Alexander Bokovoy
4048d412f2 ipa-kdb: do not fetch client principal if it is the same as existing entry
When the client principal is the same as the supplied client entry, don't fetch it
again.

Note that when the client principal is not NULL, the client entry might be NULL for
the cross-realm case, so we need to make sure not to dereference a NULL pointer here.

Also fix the reverted condition for the case when we didn't find the client principal
in the database, preventing a memory leak.

https://fedorahosted.org/freeipa/ticket/4223

Reviewed-By: Sumit Bose <sbose@redhat.com>
2014-03-06 12:28:25 +01:00
Alexander Bokovoy
6b45ec3f31 fix filtering of subdomain-based trust users
https://fedorahosted.org/freeipa/ticket/4207

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2014-03-05 10:40:39 +01:00
Alexander Bokovoy
f7955abdda ipa-kdb: make sure we don't produce MS-PAC in case of authdata flag cleared by admin
When the admin clears the authdata flag for the service principal, the KDC will pass
a NULL client pointer (service proxy) to the DAL driver.

Make sure we bail out correctly.

Reviewed-By: Tomáš Babej <tbabej@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2014-02-26 14:19:49 +01:00
Alexander Bokovoy
fb2eca8d1e ipa-kdb: in case of delegation use original client's database entry, not the proxy
https://fedorahosted.org/freeipa/ticket/4195

Reviewed-By: Tomáš Babej <tbabej@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2014-02-26 14:19:48 +01:00
Alexander Bokovoy
d228b1bd70 ipa-kdb: Handle parent-child relationship for subdomains
When MS-PAC information is re-initialized, also record the parent-child
relationship between the trust root-level domain and its subdomains.

Use the parent's incoming SID blacklist to check whether a child domain is not
allowed to access the IPA realm.

We also should really use 'cn' of the entry as the domain name.
ipaNTTrustPartner has a different meaning on the wire: it is an index
pointing to the parent domain of the domain and will be 0 for top-level
domains or disjoint subdomains of the trust.

Finally, the trustdomain-enable and trustdomain-disable commands should
force MS-PAC cache re-initialization in case of a blacklist change.
Trigger that by asking for a cross-realm TGT for the HTTP service.
2013-10-04 10:25:31 +02:00
Alexander Bokovoy
749111e6c2 KDC: implement transition check for trusted domains
When a client principal requests a ticket for a server principal
and we have to perform a transition, check that all three belong to either
our domain or the domains we trust through forest trusts.

In case all three realms (client, transition, and server) match
trusted domains and our domain, issue permission to transition from the client
realm to the server realm.

Part of https://fedorahosted.org/freeipa/ticket/3909
2013-10-04 10:25:31 +02:00
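The transition check described in 749111e6c2 above, combined with the two later refinements listed earlier on this page (92c3a9f1fd: transitions through realms we do not know are handed back to the KDC so admins can express them in [capaths]; 373a04870d: principals from disabled trusted domains are rejected as a KDC policy decision), as an added C example. This is illustrative code written for this page, not the project's own DAL hook; the trust table, the realm names and the rule that a disabled domain anywhere on the path wins over an unknown one are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed view of what the KDB driver knows about trusts: a realm name
 * per trusted AD domain (forest root or child) plus its enabled flag. */
struct trusted_domain {
    const char *realm;
    bool enabled;          /* false after trustdomain-disable */
};

enum realm_kind { REALM_OURS, REALM_TRUSTED, REALM_DISABLED, REALM_UNKNOWN };

enum transition_verdict {
    TRANSITION_ALLOWED,    /* client, transit and server realms are ours or trusted */
    TRANSITION_DENIED,     /* one of them is a disabled trusted domain: KDC policy */
    TRANSITION_UNKNOWN     /* one of them is foreign to us: KDC and [capaths] decide */
};

static enum realm_kind classify_realm(const char *realm, const char *our_realm,
                                      const struct trusted_domain *td, size_t n)
{
    if (strcmp(realm, our_realm) == 0)
        return REALM_OURS;
    for (size_t i = 0; i < n; i++)
        if (strcmp(realm, td[i].realm) == 0)
            return td[i].enabled ? REALM_TRUSTED : REALM_DISABLED;
    return REALM_UNKNOWN;
}

/* Check the client -> transit -> server path the way a check_transited_realms
 * DAL hook would.  A disabled domain anywhere on the path is denied even if
 * another hop is unknown (assumption: policy beats "not ours to decide"). */
enum transition_verdict check_transited_realms(const char *client_realm,
                                               const char *transit_realm,
                                               const char *server_realm,
                                               const char *our_realm,
                                               const struct trusted_domain *td,
                                               size_t n)
{
    const char *path[3] = { client_realm, transit_realm, server_realm };
    bool unknown = false;

    for (size_t i = 0; i < 3; i++) {
        switch (classify_realm(path[i], our_realm, td, n)) {
        case REALM_DISABLED:
            return TRANSITION_DENIED;
        case REALM_UNKNOWN:
            unknown = true;
            break;
        default:
            break;
        }
    }
    return unknown ? TRANSITION_UNKNOWN : TRANSITION_ALLOWED;
}

/* Constructed trust table: a forest root with one child domain, plus a
 * trust the admin has disabled. */
static const char OUR_REALM[] = "IPA.EXAMPLE";
static const struct trusted_domain DEMO_TRUSTS[] = {
    { "AD.EXAMPLE",       true  },
    { "CHILD.AD.EXAMPLE", true  },
    { "OLD.EXAMPLE",      false },
};

enum transition_verdict demo_verdict(const char *client, const char *transit,
                                     const char *server)
{
    return check_transited_realms(client, transit, server, OUR_REALM, DEMO_TRUSTS,
                                  sizeof DEMO_TRUSTS / sizeof DEMO_TRUSTS[0]);
}

int main(void)
{
    static const char *const names[] = { "allowed", "denied", "unknown (KDC decides)" };
    printf("child -> root -> IPA: %s\n",
           names[demo_verdict("CHILD.AD.EXAMPLE", "AD.EXAMPLE", OUR_REALM)]);
    printf("disabled -> IPA:      %s\n",
           names[demo_verdict("OLD.EXAMPLE", "OLD.EXAMPLE", OUR_REALM)]);
    printf("foreign -> IPA:       %s\n",
           names[demo_verdict("OTHER.EXAMPLE", "OTHER.EXAMPLE", OUR_REALM)]);
    return 0;
}
```

In the MIT krb5 DAL the TRANSITION_UNKNOWN outcome corresponds to returning KRB5_PLUGIN_NO_HANDLE, which makes the KDC fall back to its own transited-realm check and the [capaths] configured by the admin, while TRANSITION_DENIED is a policy error that ends the request.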
Simo Sorce
5157fd450f Add Delegation Info to MS-PAC
https://fedorahosted.org/freeipa/ticket/3442
2013-09-13 18:03:53 +02:00
Simo Sorce
f96257397e kdb-mspac: Fix out of bounds memset
This memset was harmless as the following data is then set again, but an
optimizing compiler might conceivably reorder instructions causing issues.

CoverityID: 11909

Fixes:
https://fedorahosted.org/freeipa/ticket/3883
2013-08-28 12:42:56 +02:00
Jakub Hrozek
4a5cbde4bb IPA KDB MS-PAC: remove unused variable 2013-07-23 16:25:26 +03:00
Jakub Hrozek
85b8c747bb IPA KDB MS-PAC: return ENOMEM if allocation fails 2013-07-23 16:25:20 +03:00
Alexander Bokovoy
84b2269589 ipa-kdb: reinit mspac on HTTP TGT acquisition to aid trust-add case
When a trust is established, we also create an idrange for the trusted domain.
With FreeIPA 3.3 these ranges can have different types, and in order to
detect which one to create, we need to do a lookup at the AD LDAP server.

Such a lookup requires an authenticated bind. We cannot bind as the user because
the IPA framework operates under constrained delegation using the user's
credentials and allowing HTTP/ipa.server@REALM to impersonate the user
against the trusted domain's services would require two major things:

  - first, as we don't really know exact AD LDAP server names (any AD DC
    can be used), constrained delegation would have to be defined against
    a wild-card

  - second, constrained delegation requires that target principal exists
    in IPA LDAP as DN.

These two together limit the use of the user's ticket for the purpose of the IPA
framework looking up AD LDAP.

Additionally, immediately after a trust is established, issuing a TGT with
MS-PAC to HTTP/ipa.server@REALM may fail due to the fact that the KDB driver
has not yet refreshed its list of trusted domains -- we have a limited
refresh rate of 60 seconds by default.

This patch makes it possible to force re-initialization of the trusted domains'
view in the KDB driver if we are asked for a TGT for HTTP/ipa.server@REALM.

We will need to improve the refresh of the trusted domains' view in the KDB driver
in future to notice changes in the cn=etc,$SUFFIX tree automatically.

This improvement is tracked in https://fedorahosted.org/freeipa/ticket/1302 and
https://fedorahosted.org/freeipa/ticket/3626

Part of https://fedorahosted.org/freeipa/ticket/3649
2013-07-23 16:24:29 +03:00
Alexander Bokovoy
67bcbab897 ipa-kdb: cache KDC hostname on startup
We need KDC hostname for several purposes:
- short-circuit detection of principals on the same server as KDC
- generating NetBIOS name

Make sure we cache the hostname information on startup and use it
instead of detecting the hostname at run-time. This will miss the
case where the KDC hostname got changed, but such cases are not supported
anyway without restarting the KDC and making changes to principals.
2013-07-23 16:24:24 +03:00
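Two of the commits above deal with how a hostname taken from a principal reaches LDAP: 740298d120 (a non-terminated string produced a corrupted search base such as cn=ipa1.example.com<garbage>,cn=masters...) and 67bcbab897 (the KDC hostname is cached at startup for the short-circuit check). The added C example below shows the length-aware handling a practitioner would want for both. It is illustrative code for this page, not ipa-kdb's is_master_host; the struct kdata stand-in for krb5_data, the sample buffer with non-terminator bytes after the host, and the decision to refuse DN-special characters rather than escape them are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a krb5_data principal component: pointer plus length,
 * with no guarantee of a NUL terminator at data[length]. */
struct kdata {
    const char *data;
    size_t length;
};

/* Build "cn=<host>,cn=masters,cn=ipa,cn=etc,<base>" from a length-delimited
 * host component.  %.*s stops at `length`, so whatever follows the component
 * in memory can never leak into the search base.  The host is restricted to
 * hostname characters first (assumption: for a hostname, refusing DN-special
 * characters is safer than escaping them); returns false if rejected or if
 * the DN does not fit. */
bool build_master_dn(const struct kdata *host, const char *base,
                     char *out, size_t outlen)
{
    if (host->length == 0)
        return false;
    for (size_t i = 0; i < host->length; i++) {
        unsigned char c = (unsigned char)host->data[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return false;
    }
    int n = snprintf(out, outlen, "cn=%.*s,cn=masters,cn=ipa,cn=etc,%s",
                     (int)host->length, host->data, base);
    return n > 0 && (size_t)n < outlen;
}

/* Short-circuit for is_master_host: compare the component with the hostname
 * cached at KDC startup, length-aware and case-insensitive (DNS names). */
bool is_local_kdc_host(const struct kdata *host, const char *kdc_hostname)
{
    if (host->length != strlen(kdc_hostname))
        return false;
    for (size_t i = 0; i < host->length; i++)
        if (tolower((unsigned char)host->data[i]) !=
            tolower((unsigned char)kdc_hostname[i]))
            return false;
    return true;
}

/* Constructed input: the host component sits inside a larger buffer and the
 * bytes right after it are other data, not a terminator, which is how the
 * corrupted "cn=ipa1.example.com<garbage>,cn=masters..." base came about. */
static const char RAW[] = "ipa1.example.comcn=admins,cn=groups";
static const struct kdata HOST = { RAW, 16 };                /* "ipa1.example.com" */
static const struct kdata INJECTED = { "ipa1.example.com,cn=x", 21 };

static const char EXPECTED_DN[] =
    "cn=ipa1.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com";

/* True if the DN built from the unterminated component is exactly the clean one. */
bool demo_dn_is_clean(void)
{
    char dn[128];
    return build_master_dn(&HOST, "dc=example,dc=com", dn, sizeof dn) &&
           strcmp(dn, EXPECTED_DN) == 0;
}

/* A component carrying DN syntax is refused rather than spliced into the base. */
bool demo_rejects_injected(void)
{
    char dn[128];
    return !build_master_dn(&INJECTED, "dc=example,dc=com", dn, sizeof dn);
}

bool demo_matches_cached_kdc(void)  { return is_local_kdc_host(&HOST, "IPA1.Example.COM"); }
bool demo_prefix_is_not_match(void) { return is_local_kdc_host(&HOST, "ipa1.example.co"); }

int main(void)
{
    char dn[128];
    if (build_master_dn(&HOST, "dc=example,dc=com", dn, sizeof dn))
        printf("%s\n", dn);
    printf("local KDC host: %s\n", demo_matches_cached_kdc() ? "yes" : "no");
    return 0;
}
```

The point of the %.*s form is that the length travels with the data: the same component passed through strlen() or a plain %s would read on past the 16 bytes and produce the corrupted base the commit message shows.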
Alexander Bokovoy
8d6d8459eb Generate synthetic MS-PAC for all services running on IPA master
MS-PAC is required to be present in the TGT if one wants to connect to
AD services using this TGT. Users get MS-PAC by default; SSSD in
ipa_server_mode uses the host/fqdn@REALM principal to talk to AD LDAP.

This patch enables other services running on IPA master to connect
to AD services. This is required for IPA python code doing discovery
of remote AD domain settings shortly after IPA-AD trust has been
established.
2013-07-11 12:39:28 +03:00
Sumit Bose
cf97590e97 Add PAC to master host TGTs
For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is
needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
of a trusted domain with the credentials of a FreeIPA server host a
PAC must be added to the TGT for the host.

We use the well-known RID of the Domain Computers group (515) for the
primary gid element of the PAC; this is the same as AD uses for host
tickets. The rid element of the PAC is set to the well-known RID of the
Domain Controllers group (516). This is working for the SSSD use case
but might be improved later for more general use cases.

To determine if a host is a FreeIPA server or not it is checked if there
is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
this requires an additional LDAP lookup. But since TGS-REQs for hosts
should be rare I think it is acceptable for the time being.

Fixes https://fedorahosted.org/freeipa/ticket/3651
2013-07-11 12:39:27 +03:00
Sumit Bose
4e3468211e ipa-kdb: add PAC only if requested
Instead of always adding a PAC to the Kerberos ticket the global default
for the authorization data and the authorization data of the service
entry is evaluated and the PAC is added accordingly.

https://fedorahosted.org/freeipa/ticket/2960
2013-03-08 10:46:00 +01:00
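How the ipaKrbAuthzData decision plays out across the commits on this page (4e3468211e above: the PAC is added only when the global default or the service entry asks for it; 45b0148fcc: a NULL service entry must yield the global default instead of a crash; 7a20fc671b: the same attribute on a user object, with NONE meaning no authz data and MS-PAC meaning AD-compatible data), as an added C example. This is illustrative code for this page, not ipa-kdb's get_authz_data_types; the struct kdb_entry stand-in, the sample principals, the rule that NONE wins over other values on the same entry, and the rule that both the client and the service must allow the PAC are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a krb5_db_entry together with its ipaKrbAuthzData
 * values (multi-valued in the directory, so a NULL-terminated list here). */
struct kdb_entry {
    const char *principal;
    const char *const *authz_data;    /* NULL when the attribute is absent */
};

enum authz_kind { AUTHZ_UNSET, AUTHZ_NONE, AUTHZ_MSPAC };

/* What an entry's own ipaKrbAuthzData asks for.  A NULL entry (no service
 * given) or an entry without the attribute yields AUTHZ_UNSET so the caller
 * falls back to the global default instead of dereferencing NULL.  NONE wins
 * over any other value on the same entry (assumption). */
static enum authz_kind entry_authz(const struct kdb_entry *entry)
{
    enum authz_kind kind = AUTHZ_UNSET;
    if (entry == NULL || entry->authz_data == NULL)
        return kind;
    for (const char *const *v = entry->authz_data; *v != NULL; v++) {
        if (strcmp(*v, "NONE") == 0)
            return AUTHZ_NONE;
        if (strcmp(*v, "MS-PAC") == 0)
            kind = AUTHZ_MSPAC;
    }
    return kind;
}

/* Decision for one entry: its own setting overrides the global default,
 * otherwise the global default applies. */
bool entry_wants_pac(const struct kdb_entry *entry, enum authz_kind global_default)
{
    enum authz_kind kind = entry_authz(entry);
    if (kind == AUTHZ_UNSET)
        kind = global_default;
    return kind == AUTHZ_MSPAC;
}

/* Both ends of the ticket get a say (assumption about precedence): the PAC is
 * attached only if neither the client (user/host) nor the service opted out. */
bool ticket_wants_pac(const struct kdb_entry *client, const struct kdb_entry *server,
                      enum authz_kind global_default)
{
    return entry_wants_pac(client, global_default) &&
           entry_wants_pac(server, global_default);
}

/* Constructed entries. */
static const char *const NONE_ONLY[]  = { "NONE", NULL };
static const char *const MSPAC_ONLY[] = { "MS-PAC", NULL };

static const struct kdb_entry USER_PLAIN   = { "alice@IPA.EXAMPLE", NULL };
static const struct kdb_entry USER_NOPAC   = { "svc-batch@IPA.EXAMPLE", NONE_ONLY };
static const struct kdb_entry NFS_SERVICE  = { "nfs/fs.ipa.example@IPA.EXAMPLE", NONE_ONLY };
static const struct kdb_entry CIFS_SERVICE = { "cifs/fs.ipa.example@IPA.EXAMPLE", MSPAC_ONLY };
static const struct kdb_entry HTTP_SERVICE = { "HTTP/ipa.ipa.example@IPA.EXAMPLE", NULL };

/* Scenarios; the global default is MS-PAC, as in a realm with a trust. */
bool demo_nfs_gets_pac(void)          { return ticket_wants_pac(&USER_PLAIN, &NFS_SERVICE, AUTHZ_MSPAC); }
bool demo_http_gets_pac(void)         { return ticket_wants_pac(&USER_PLAIN, &HTTP_SERVICE, AUTHZ_MSPAC); }
bool demo_user_optout(void)           { return ticket_wants_pac(&USER_NOPAC, &CIFS_SERVICE, AUTHZ_MSPAC); }
bool demo_null_service_global(void)   { return entry_wants_pac(NULL, AUTHZ_MSPAC); }
bool demo_service_beats_global(void)  { return entry_wants_pac(&CIFS_SERVICE, AUTHZ_NONE); }

int main(void)
{
    printf("nfs, user default:       %s\n", demo_nfs_gets_pac() ? "PAC" : "no PAC");
    printf("HTTP, user default:      %s\n", demo_http_gets_pac() ? "PAC" : "no PAC");
    printf("user NONE, cifs MS-PAC:  %s\n", demo_user_optout() ? "PAC" : "no PAC");
    printf("NULL service entry:      %s\n", demo_null_service_global() ? "global MS-PAC" : "no PAC");
    return 0;
}
```

The NFS entry shows the data-driven replacement for the hardcoded special case reverted in 15cc21cce9 further down this page: an nfs/ principal with ipaKrbAuthzData set to NONE gets no PAC, everything else follows the global default.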
Sumit Bose
15cc21cce9 Revert "MS-PAC: Special case NFS services"
This reverts commit 5269458f55.

With the implementation of https://fedorahosted.org/freeipa/ticket/2960
a special hardcoded handling of NFS service tickets is not needed
anymore.
2013-03-08 10:46:00 +01:00
Sumit Bose
29ddcf3bcb ipa-kdb: Dereference after null check in ipa_kdb_mspac.c
A wrong logic was used to check ipactx.

Fixes https://fedorahosted.org/freeipa/ticket/3424
2013-02-28 12:31:02 +01:00
Sumit Bose
db1a07b7f2 ipa-kdb: Uninitialized scalar variable in ipadb_reinit_mspac()
There was a code path where ret was used instead of kerr to save a
return value.

Fixes https://fedorahosted.org/freeipa/ticket/3422
2013-02-28 12:27:07 +01:00
Martin Kosek
93ea8a6ac3 ipa-kdb: remove memory leaks
All known memory leaks caused by unfreed allocated memory or unfreed
LDAP results (which should be also done after unsuccessful searches)
are fixed.

https://fedorahosted.org/freeipa/ticket/3413
2013-02-14 10:09:48 +01:00
Martin Kosek
827ea50566 ipa-kdb: read SID blacklist from LDAP
SIDs in the incoming MS-PAC were checked and filtered with a fixed list of
well-known SIDs. Allow reading the SID blacklist from LDAP
(ipaNTSIDBlacklistIncoming and ipaNTSIDBlacklistOutgoing) and add the list
to the mspac adtrust structure. Use the hardcoded SID list only if the LDAP
SID list is not configured.

LIMITATION: the SID blacklist is not used yet.

https://fedorahosted.org/freeipa/ticket/3289
2013-02-12 10:37:47 +01:00
Martin Kosek
e08307d3fa ipa-kdb: reinitialize LDAP configuration for known realms
ipa-kdb did not reinitialize the trusted domain configuration when it
was loaded into ipa-kdb. However, the admin then would have to restart
krb5kdc if he wanted to apply the change to the running krb5kdc service.

Run ipadb_reinit_mspac unconditionally every time a trusted domain
is loaded. Besides the already configured 1 minute grace time, also
add a quick check that there is at least one configured trusted domain
before reinitializing the mspac structure.

https://fedorahosted.org/freeipa/ticket/3289
2013-02-12 10:37:28 +01:00
Martin Kosek
ce90a4538b ipa-kdb: avoid ENOMEM when all SIDs are filtered out
When all SIDs in the info3.sids structure were filtered out, we tried
to talloc_realloc to a zero memory size. talloc_realloc then returned a
NULL pointer and filter_logon_info returned with ENOMEM.

The code now rather frees the SID array and sets info3.sidcount to the
correct value.
2013-02-12 10:37:23 +01:00
Alexander Bokovoy
32916d444b ipa-kdb: Support Windows 2012 Server
Windows 2012 Server changed the procedure for how KERB_VALIDATION_INFO ([MS-PAC]
section 2.5) is populated. A detailed description is available in [MS-KILE]
version 25.0 and above.

Refactor KERB_VALIDATION_INFO verification and ensure we filter out extra
SIDs in case they belong to our domain.

https://fedorahosted.org/freeipa/ticket/3231
2012-12-07 13:21:52 -05:00
Sumit Bose
c5e055ae00 Look up the user SID in external group as well
Currently only the group SIDs from a PAC are used to find out about the
membership in local groups. This patch adds the user SID to the list.

Fixes https://fedorahosted.org/freeipa/ticket/3257
2012-11-30 16:39:07 -05:00
Simo Sorce
5269458f55 MS-PAC: Special case NFS services
The current Linux NFS server is severely limited when it comes to handling
Kerberos tickets. Basically any ticket bigger than 2k will cause it to fail
authentication due to kernel->userspace upcall interface restrictions.

Until we have additional support in IPA to individually mark principals to
opt out of getting PACs attached, we always prevent PACs from being attached
to TGTs or tickets where NFS is involved.
2012-11-30 16:30:10 -05:00
Sumit Bose
70d7ec587a ipadb: reload trust information if domain is not known
Currently the data about trusted domains is read once at startup. If a
new trust is added the KDC must be restarted to know about the new
trust. This patch reloads the trust data if there is a request from an
unknown domain. To make DoS attacks a bit harder the data can be updated
only once a minute.

Fixes https://fedorahosted.org/freeipa/ticket/3156
2012-10-09 10:28:11 +02:00
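The rate-limited reload introduced in 70d7ec587a above is the same mechanism the later commits on this page build on: e08307d3fa reinitializes on every trusted-domain load inside the 1 minute grace time, 8b2f4443dc caches the global configuration for 60 seconds, and 84b2269589 forces a reinit when a TGT for HTTP/ipa.server@REALM is requested right after trust-add. The added C example below shows why the limit matters (a request for an unknown domain is attacker-controlled input, so without the window every bogus request would cost an LDAP search) and what the forced path buys. It is illustrative code for this page, not ipa-kdb's ipadb_reinit_mspac; the struct trust_view, the injected loader standing in for the LDAP search, the domain SIDs and the timestamps are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define REINIT_GRACE_SECONDS 60   /* "only once a minute" */
#define MAX_DOMAINS 8

struct trust_view {
    const char *domain_sids[MAX_DOMAINS];  /* trusted domains the driver knows */
    size_t count;
    time_t last_reinit;                    /* 0 = never loaded */
    unsigned reinit_calls;                 /* how often the expensive reload ran */
    void (*load)(struct trust_view *v);    /* constructed stand-in for the LDAP search */
};

static bool find_domain(const struct trust_view *v, const char *sid)
{
    for (size_t i = 0; i < v->count; i++)
        if (strcmp(v->domain_sids[i], sid) == 0)
            return true;
    return false;
}

/* Reload the view unless a reload already ran inside the grace window.
 * `force` bypasses the window, the way a TGT request for HTTP/ipa.server@REALM
 * does right after trust-add, when the new domain must be visible at once. */
bool maybe_reinit(struct trust_view *v, time_t now, bool force)
{
    if (!force && v->last_reinit != 0 && now - v->last_reinit < REINIT_GRACE_SECONDS)
        return false;
    v->load(v);
    v->last_reinit = now;
    v->reinit_calls++;
    return true;
}

/* A request naming a domain we do not know triggers at most one reload per
 * window, so a flood of made-up domain SIDs cannot become a flood of LDAP
 * searches against the KDC's directory. */
bool domain_known(struct trust_view *v, const char *sid, time_t now)
{
    if (find_domain(v, sid))
        return true;
    if (!maybe_reinit(v, now, false))
        return false;                      /* throttled: stay with the stale view */
    return find_domain(v, sid);
}

/* --- constructed directory contents for the scenarios below --- */
static bool trust_added;                   /* flipped when the admin runs trust-add */

static void demo_load(struct trust_view *v)
{
    v->count = 0;
    v->domain_sids[v->count++] = "S-1-5-21-1-1-1";
    if (trust_added)
        v->domain_sids[v->count++] = "S-1-5-21-2-2-2";
}

/* 50 requests for an unknown domain within one minute cost one reload;
 * a request after the window costs one more. */
unsigned demo_reloads_under_flood(void)
{
    struct trust_view v = { {0}, 0, 0, 0, demo_load };
    trust_added = false;
    maybe_reinit(&v, 100, true);                      /* startup load       -> 1 */
    for (time_t t = 1001; t <= 1050; t++)
        domain_known(&v, "S-1-5-21-2-2-2", t);        /* first one reloads  -> 2 */
    domain_known(&v, "S-1-5-21-2-2-2", 1070);         /* 69 s later         -> 3 */
    return v.reinit_calls;
}

/* Right after trust-add a throttled lookup still misses the new domain;
 * the forced reinit on the HTTP TGT makes it visible. */
bool demo_new_trust_visible(void)
{
    struct trust_view v = { {0}, 0, 0, 0, demo_load };
    trust_added = false;
    maybe_reinit(&v, 100, true);
    bool before = domain_known(&v, "S-1-5-21-2-2-2", 200);    /* reload, not there yet */
    trust_added = true;                                       /* admin runs trust-add */
    bool throttled = domain_known(&v, "S-1-5-21-2-2-2", 210); /* within window: miss */
    bool forced = maybe_reinit(&v, 210, true) && find_domain(&v, "S-1-5-21-2-2-2");
    return !before && !throttled && forced;
}

int main(void)
{
    printf("reloads during flood: %u\n", demo_reloads_under_flood());
    printf("new trust visible after forced reinit: %s\n",
           demo_new_trust_visible() ? "yes" : "no");
    return 0;
}
```

The throttled miss in demo_new_trust_visible is exactly the failure 84b2269589 describes: inside the window a legitimate request for a freshly added domain is served from the stale view, which is why that commit exempts the HTTP TGT request from the window instead of shortening it.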
Simo Sorce
c58836f29d Add PAC filtering
This checks that the PAC we receive is consistent.
Realm, flat name and domain SID must match our understanding of the trusted
realm, and no additional SIDs beyond the own realm's ones must be present.

Ticket #2849
2012-08-02 11:28:19 -04:00
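PAC filtering, as an added C example that pulls together the rules spread over several commits on this page: the consistency check from c58836f29d above (the PAC's domain SID must be the trusted domain we expected it from), the removal of extra SIDs claiming membership in our own domain from 32916d444b, the configurable incoming SID blacklist from 827ea50566, the exact-SID matching from d3ccfefaa4 (a blacklisted user SID or primary group is a KDC policy violation, blacklisted group RIDs are simply dropped and GroupIds[] may end up empty), and the "all SIDs filtered out" edge case from ce90a4538b. This is illustrative code written for this page, not ipa-kdb's filter_logon_info: it uses string SIDs and a plain malloc'd array in place of struct dom_sid and talloc, checks only the domain SID (not realm and flat name), and the sample PAC, the SIDs and the blacklist are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the KERB_VALIDATION_INFO fields ([MS-PAC] 2.5) the
 * filter touches; ExtraSids is malloc'd so the "everything dropped" case shows. */
struct logon_info {
    const char *domain_sid;     /* LogonDomainId: domain that issued the PAC */
    unsigned user_rid;          /* UserId */
    unsigned primary_gid;       /* PrimaryGroupId */
    unsigned group_rids[8];     /* GroupIds[].RelativeId */
    size_t group_count;
    const char **extra_sids;    /* ExtraSids[] as full string SIDs, malloc'd */
    size_t extra_count;
};

enum filter_result { FILTER_OK, FILTER_DOMAIN_MISMATCH, FILTER_POLICY_VIOLATION };

/* True if sid is "<domain_sid>-<rid>": that domain followed by exactly one RID. */
static bool sid_in_domain(const char *sid, const char *domain_sid)
{
    size_t n = strlen(domain_sid);
    return strncmp(sid, domain_sid, n) == 0 && sid[n] == '-' &&
           sid[n + 1] != '\0' && strchr(sid + n + 1, '-') == NULL;
}

static bool sid_blacklisted(const char *sid, const char *const *bl, size_t nbl)
{
    for (size_t i = 0; i < nbl; i++)
        if (strcmp(sid, bl[i]) == 0)
            return true;
    return false;
}

static bool rid_blacklisted(const char *dom, unsigned rid, const char *const *bl, size_t nbl)
{
    char sid[96];
    snprintf(sid, sizeof sid, "%s-%u", dom, rid);
    return sid_blacklisted(sid, bl, nbl);
}

enum filter_result filter_logon_info(struct logon_info *info, const char *expected_domain_sid,
                                     const char *our_domain_sid,
                                     const char *const *bl, size_t nbl)
{
    /* 1. The PAC must come from the trusted domain we expected it from. */
    if (strcmp(info->domain_sid, expected_domain_sid) != 0)
        return FILTER_DOMAIN_MISMATCH;

    /* 2. A blacklisted user SID or primary group cannot just be dropped (the PAC
     *    would be invalid without them), so it is a KDC policy violation. */
    if (rid_blacklisted(info->domain_sid, info->user_rid, bl, nbl) ||
        rid_blacklisted(info->domain_sid, info->primary_gid, bl, nbl))
        return FILTER_POLICY_VIOLATION;

    /* 3. Blacklisted group RIDs are removed; GroupIds[] may end up empty. */
    size_t kept = 0;
    for (size_t i = 0; i < info->group_count; i++)
        if (!rid_blacklisted(info->domain_sid, info->group_rids[i], bl, nbl))
            info->group_rids[kept++] = info->group_rids[i];
    info->group_count = kept;

    /* 4. ExtraSids that claim membership in our own domain, or are blacklisted,
     *    are removed.  If none survive, free the array instead of shrinking it
     *    to zero bytes, which a realloc reports as NULL and looks like ENOMEM. */
    kept = 0;
    for (size_t i = 0; i < info->extra_count; i++) {
        const char *s = info->extra_sids[i];
        if (!sid_in_domain(s, our_domain_sid) && !sid_blacklisted(s, bl, nbl))
            info->extra_sids[kept++] = s;
    }
    info->extra_count = kept;
    if (kept == 0) {
        free(info->extra_sids);
        info->extra_sids = NULL;
    }
    return FILTER_OK;
}

/* Constructed sample: a PAC from trusted domain TRUSTED whose ExtraSids carry one
 * SID forged to look like our domain OURS and one from an unrelated domain. */
#define TRUSTED "S-1-5-21-1-1-1"
#define OURS    "S-1-5-21-9-9-9"

static enum filter_result run_sample(const char *bl_entry, size_t *groups, size_t *extras)
{
    struct logon_info li = { TRUSTED, 1105, 513, { 513, 1106, 1107 }, 3, NULL, 0 };
    li.extra_sids = malloc(2 * sizeof *li.extra_sids);
    li.extra_sids[0] = OURS "-500";                 /* forged: our domain's Administrator */
    li.extra_sids[1] = "S-1-5-21-2-2-2-1000";       /* unrelated domain */
    li.extra_count = 2;
    const char *const bl[] = { bl_entry };
    enum filter_result r = filter_logon_info(&li, TRUSTED, OURS, bl, 1);
    *groups = li.group_count; *extras = li.extra_count;
    free(li.extra_sids);                            /* NULL when all were dropped */
    return r;
}

enum filter_result demo_result(const char *bl) { size_t g, e; return run_sample(bl, &g, &e); }
size_t demo_groups_left(const char *bl)       { size_t g, e; run_sample(bl, &g, &e); return g; }
size_t demo_extras_left(const char *bl)       { size_t g, e; run_sample(bl, &g, &e); return e; }
```

The demo_* functions are meant to be called from a main or a test harness with a one-entry blacklist: blacklisting S-1-5-21-1-1-1-1105 (the user) or S-1-5-21-1-1-1-513 (the primary group) yields FILTER_POLICY_VIOLATION and leaves the PAC untouched, blacklisting S-1-5-21-1-1-1-1106 leaves two group RIDs and one extra SID, and blacklisting S-1-5-21-2-2-2-1000 empties ExtraSids (the forged own-domain SID goes regardless of the blacklist), which is the case where the array is freed rather than realloc'd to zero.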
Simo Sorce
754d0bea06 Split out manipulation of logon_info blob
This way multiple functions can manipulate the logon info structure until all
operations we want to do on it are done and then fold it back once.
2012-08-02 11:28:12 -04:00
Simo Sorce
1bb9eb7da3 Properly name function to add ipa external groups
The function filter_pac was not filtering the PAC at all, it was merely
augmenting it with additional data relevant to the IPA server.

Change the name of the function to avoid confusion.
While there I also simplified and cleaned up the code a bit with regard to
variable names and usage.
2012-08-02 11:28:06 -04:00
Simo Sorce
4baf6ad21c Load list of trusted domains on connecting to LDAP
This list is used to validate data in mspac filtering
2012-08-02 11:27:59 -04:00
Simo Sorce
560b9416f6 Move mspac structure to be a private pointer
By keeping its definition in the mspac file it is easier to modify and make
sure any operation on it is handled in the same file.
2012-08-02 11:27:52 -04:00
Sumit Bose
0ffb2022fe Fix typo
Signed-off-by: Simo Sorce <ssorce@redhat.com>
2012-07-09 08:36:05 -04:00
Sumit Bose
dc3491ea42 Filter groups in the PAC
If one or more of the external groups given in the PAC can be found in
the ipaExternalGroup objects and these objects are members of local
groups, the SIDs of the local groups are added to the PAC.
2012-06-28 08:05:34 +02:00