Commit Graph

9941 Commits

Author SHA1 Message Date
Alexander Bokovoy
9b3819ea94 trust: make sure external trust topology is correctly rendered
When external trust is established, it is by definition is
non-transitive: it is not possible to obtain Kerberos tickets to any
service outside the trusted domain.

Reflect this reality by only accepting UPN suffixes from the external
trust -- since the trusted domain is a part of another forest and UPN
suffixes are forest-wide, there could be user accounts in the trusted
domain that use forest-wide UPN suffix but it will be impossible to
reach the forest root via the externally trusted domain.

Also, an argument to netr_DsRGetForestTrustInformation() has to be
either forest root domain name or None (NULL). Otherwise we'll get
an error as explained in MS-NRPC 3.5.4.7.5.

https://fedorahosted.org/freeipa/ticket/6021

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 13:38:18 +02:00
Alexander Bokovoy
6332cb3125 trust: automatically resolve DNS trust conflicts for triangle trusts
For configuration where:
  - AD example.com trusts IPA at ipa.example.com
  - AD example.org trusts AD example.com
  - a trust is tried to be established between ipa.example.com and
    example.org,

there will be a trust topology conflict detected by example.org domain
controller because ipa.example.com DNS namespace overlaps with
example.com DNS namespace.

This type of trust topology conflict is documented in MS-ADTS 6.1.6.9.3.2
"Building Well-Formed msDS-TrustForestTrustInfo Message". A similar
conflict can arise for SID and NetBIOS namespaces. However, unlike SID
and NetBIOS namespaces, we can solve DNS namespace conflict
automatically if there are administrative credentials for example.org
available.

A manual sequence to solve the DNS namespace conflict is described in
https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx.
This sequence boils down to the following steps:

   1. As an administrator of the example.org, you need to add an
exclusion entry for ipa.example.com in the properties of the trust to
example.com
   2. Establish trust between ipa.example.com and example.org

It is important to add the exclusion entry before step 4 or there will
be conflict recorded which cannot be cleared easily right now due to a
combination of bugs in both IPA and Active Directory.

This patchset implements automated solution for the case when we have
access to the example.org's administrator credentials:

   1. Attempt to establish trust and update trust topology information.
   2. If trust topology conflict is detected as result of (1):
   2.1. Fetch trust topology infromation for the conflicting forest
        trust
   2.2. Add exclusion entry to our domain to the trust topology obtained
        in (2.1)
   2.3. Update trust topology for the conflicting forest trust
   3. Re-establish trust between ipa.example.com and example.org

We cannot do the same for shared secret trust and for external trust,
though:

   1. For shared secret trust we don't have administrative credentials
      in the forest reporting the conflict

   2. For the external trust we cannot set topology information due to
      MS-LSAD 3.1.4.7.16 because external trust is non-transitive by
      definition and thus setting topology information will fail.

To test this logic one can use two Samba AD forests with FreeIPA
using a sub-domain of one of them.

Fixes: https://fedorahosted.org/freeipa/ticket/6076
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 13:31:47 +02:00
Alexander Bokovoy
c547d5567d ipaserver/dcerpc: reformat to make the code closer to pep8
Because Samba Python bindings provide long-named methods and constants,
sometimes it is impossible to fit into 80 columns without causing
damage to readability of the code. This patchset attempts to reduce
pep8 complaints to a minimum.

https://fedorahosted.org/freeipa/ticket/6076

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 13:31:47 +02:00
Petr Spacek
3cf80e747d adtrust-install: Mention AD GC port 3286 in list of required ports.
Port name "msft-gc" is taken form /etc/services file provided by package
setup-2.10.1-1.fc24.noarch.

https://fedorahosted.org/freeipa/ticket/6235

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-22 12:30:01 +02:00
Fraser Tweedale
cf74584d0f cert-revoke: fix permission check bypass (CVE-2016-5404)
The 'cert_revoke' command checks the 'revoke certificate'
permission, however, if an ACIError is raised, it then invokes the
'cert_show' command.  The rational was to re-use a "host manages
certificate" check that is part of the 'cert_show' command, however,
it is sufficient that 'cert_show' executes successfully for
'cert_revoke' to recover from the ACIError continue.  Therefore,
anyone with 'retrieve certificate' permission can revoke *any*
certificate and cause various kinds of DoS.

Fix the problem by extracting the "host manages certificate" check
to its own method and explicitly calling it from 'cert_revoke'.

Fixes: https://fedorahosted.org/freeipa/ticket/6232
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-22 07:19:03 +02:00
Alexander Bokovoy
7bec8a246d support schema files from third-party plugins
Allow upgrade process to include schema files from third-party plugins
installed in /usr/share/ipa/schema.d/*.schema.

The directory /usr/shar/eipa/schema.d is owned by the server-common
subpackage and therefore third-party plugins should depend on
freeipa-server-common (ipa-server-common) package in their package
dependencies.

Resolves: https://fedorahosted.org/freeipa/ticket/5864
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-19 15:34:26 +02:00
Martin Basti
86e156c3c5 Remove forgotten print from DN.__str__ implementation
These debug prints were forgotten there and should be removed, because
str(DN) is often operation and we may save time with handling exceptions
and printing unwanted debug

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-08-19 13:04:52 +02:00
Martin Basti
6b7d6417d4 Fix: container owner should be able to add vault
With recent change in DS (CVE fix), ds is not returging DuplicatedEntry
error in case that user is not permitted by ACI to write, but ACIError instead.

Is safe to ignore ACI error in container, because it will be raised
again later if user has no access to container.

https://fedorahosted.org/freeipa/ticket/6159

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-18 13:02:38 +02:00
David Kupka
b6d5ed139b schema cache: Fallback to 'en_us' when locale is not available
https://fedorahosted.org/freeipa/ticket/6204

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-18 12:12:51 +02:00
Lenka Doudova
44a2bdd8ea Tests: Fix failing tests in test_ipalib/test_frontend
Some tests in ipatests/test_ipalib/test_frontend.py are failing due to changes
related to thin client implementation. Providing fix for:
  ipa.test_ipalib.test_frontend.test_Attribute.test_init
  ipa.test_ipalib.test_frontend.test_LocalOrRemote.test_run

https://fedorahosted.org/freeipa/ticket/6188

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-08-17 17:41:08 +02:00
Lenka Doudova
380ffcc052 Tests: Fix failing tests in test_ipalib/test_parameters
Some of the tests are failing due to changes introduced because of thin client feature.

https://fedorahosted.org/freeipa/ticket/6187
https://fedorahosted.org/freeipa/ticket/6224

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-08-17 17:39:08 +02:00
Tiboris
d25a0725c0 Added new authentication method
Addressing ticket https://fedorahosted.org/freeipa/ticket/5764

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-08-17 16:55:49 +02:00
Pavel Vomacka
c36d721a01 Add 'trusted to auth as user' checkbox
Add new checkbox to host and service details page

Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-08-17 16:41:38 +02:00
Alexander Bokovoy
1c73ac91a4 service: add flag to allow S4U2Self
Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-08-17 16:41:38 +02:00
Jan Cholasta
4ee426a68e server install: do not prompt for cert file PIN repeatedly
Prompt for PIN only once in interactive mode.

This fixes ipa-server-install, ipa-server-certinstall and
ipa-replica-prepare prompting over and over when the PIN is empty.

https://fedorahosted.org/freeipa/ticket/6032

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-08-17 15:11:55 +02:00
Stanislav Laznicka
fea56fefff Fail on topology disconnect/last role removal
Disconnecting topology/removing last-role-host during server
uninstallation should raise error rather than just being logged
if the appropriate ignore settings are not present.

https://fedorahosted.org/freeipa/ticket/6168

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-17 14:58:11 +02:00
David Kupka
6e6cbda036 compat: Fix ping command call
Remove extra argument from client.forward call.

https://fedorahosted.org/freeipa/ticket/6095

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
4b43558b1c schema check: Check current client language against cached one
https://fedorahosted.org/freeipa/ticket/6204

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
f2c26119f5 schema cache: Read schema instead of rewriting it when SchemaUpToDate
https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
1b79ac67d7 client: Do not create instance just to check isinstance
Checking that classes are idenical gives the same result and
avoids unnecessary instantiation.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
87a6f746bc schema cache: Store API schema cache in memory
Read whole cache into memory and keep it there for lifetime of api
object. This removes the need to repetitively open/close the cache and
speeds up every access to it.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
6716aaedc8 schema cache: Read server info only once
Do not open/close the file with every access to plugins. Extensive
access to filesystem may cause significant slowdown.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
83b46238e7 frontent: Add summary class property to CommandOverride
Avoid creating instance of overriden command to get its summary.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
e45e29f337 Access data for help separately
To avoid the need to read all data for a plugin from cache and actualy
use the separately stored help data it must be requested and returned
separately.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
134fd235a2 schema cache: Do not read fingerprint and format from cache
Fingerprint can be obtained from schema filename of from ServerInfo
instance. Use FORMAT in path to avoid openening schema just to read its
format.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
ba16d99f37 schema cache: Do not reset ServerInfo dirty flag
Once dirty flag is set to True it must not be set back to False.
Otherwise changes are not written back to file.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
Pavel Vomacka
ff51e43a3e Set servers list as default facet in topology facet group
Since there is a new warning about only one CA server, the default facet
of topology facet group is set to servers list where the warning is.
So the warning will be shown right after clicking on Topology section.

Part of: https://fedorahosted.org/freeipa/ticket/5828

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-08-17 13:54:57 +02:00
Pavel Vomacka
d45b0efe5d Add warning about only one existing CA server
It is not safe to have only one CA server in topology. Therefore there is a check
and in case that there is only one CA server a warning is shown. The warning is
shown after each refreshing of servers facet.

https://fedorahosted.org/freeipa/ticket/5828

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-08-17 13:54:57 +02:00
Jan Cholasta
8ad03259fe cert: do not crash on invalid data in cert-find
https://fedorahosted.org/freeipa/ticket/6150

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-08-17 13:45:50 +02:00
Jan Cholasta
c718ef0588 cert: speed up cert-find
Use issuer+serial rather than raw DER blob to identify certificates in
cert-find's intermediate result.

Restructure the code to make it (hopefully) easier to follow.

https://fedorahosted.org/freeipa/ticket/6098

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-08-17 13:45:50 +02:00
Petr Spacek
b73ef3d7f9 DNS: allow to add forward zone to already broken sub-domain
Errors during DNS resolution might indicate that forwarder is the
necessary configuration which is missing. Now we disallow adding a
forwarder only if the zone is normally resolvable without the forwarder.

https://fedorahosted.org/freeipa/ticket/6062

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-17 12:28:56 +02:00
Stanislav Laznicka
5776f1e900 Remove sys.exit from install modules and scripts
sys.exit() calls sometimes make it hard to find bugs and mask code that
does not always work properly.

https://fedorahosted.org/freeipa/ticket/5750

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 18:22:44 +02:00
Petr Spacek
d461f42f95 server upgrade: do not start BIND if it was not running before the upgrade
https://fedorahosted.org/freeipa/ticket/6206

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 14:33:17 +02:00
Petr Spacek
f2fe357219 DNS server upgrade: do not fail when DNS server did not respond
Previously, update_dnsforward_emptyzones failed with an exeception if
DNS query failed for some reason. Now the error is logged and upgrade
continues.

I assume that this is okay because the DNS query is used as heuristics
of last resort in the upgrade logic and failure to do so should not have
catastrophics consequences: In the worst case, the admin needs to
manually change forwarding policy from 'first' to 'only'.

In the end I have decided not to auto-start BIND because BIND depends on
GSSAPI for authentication, which in turn depends on KDC ... Alternative
like reconfiguring BIND to use LDAPI+EXTERNAL and reconfiguring DS to
accept LDAP external bind from named user are too complicated.

https://fedorahosted.org/freeipa/ticket/6205

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 14:23:30 +02:00
Ganna Kaihorodova
64c5340329 Fix for integration tests replication layouts
Domain level 0 doesn't allow to create replica file on CA-less master, testcases were skipped with Domain level 0

[https://fedorahosted.org/freeipa/ticket/6134]

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-08-16 12:55:40 +02:00
Simo Sorce
cf0816f415 Additional coverity fixes.
This are manual fixes for patches submitted upstream, and should be
picked up once a new asn1c is available.
They will be overridden if the code is regenerated before then.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 12:33:27 +02:00
Simo Sorce
512aa90bec Regenerate asn1 code
Regenerate the code with asn1c 0.9.27, this allows us to pick up a few
fixes for problems identified by coverity as well as other general bugfixes.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 12:33:27 +02:00
Ben Lipton
58d28b7410 Silence sshd messages during install
Fix for accidentally pushed commit c15ba1f9e8

During install we call sshd with no config file, sometimes leading to it
complaining about missing files or bad config options. Since we're just
looking for the return code to see if the options are correct, we can
discard these error messages.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-16 12:17:05 +02:00
Milan Kubík
b92b1d7d7f ipatests: Fix wrong fixture in kerberos principal alias test
https://fedorahosted.org/freeipa/ticket/6197

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 12:13:30 +02:00
Lenka Doudova
425291dc19 Fix malformed or missing docstrings in ipalib/messages
Some of the docstrings in ipalib/messages.py are malformed or missing
entirely. This causes test_ipalib/test_messages to fail due to non-matching
regex.

https://fedorahosted.org/freeipa/ticket/6215

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 11:59:35 +02:00
Lenka Doudova
f75735b16a Tests: test_ipalib/test_output fails due to change of Output behaviour
https://fedorahosted.org/freeipa/ticket/6189

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 11:56:49 +02:00
Lenka Doudova
71d0bc7c10 Tests: Add data attribute to messages
Tests test_ipalib/test_messages.py are failing because messages now contain
also 'data' attribute, which is not yet reflected in tests.

https://fedorahosted.org/freeipa/ticket/6185

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 11:56:49 +02:00
Stanislav Laznicka
0745c5d0f9 Don't show --force-ntpd option in replica install
Always run the client installation script with --no-ntp
option so that it does not show the message about --force-ntpd
option that does not exist in ipa-replica-install. The time
synchronization is done elsewhere anyway.

https://fedorahosted.org/freeipa/ticket/6046

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-11 15:33:35 +02:00
Peter Lacko
019f3611c2 Test URIs in certificate.
Test that CRL URI and OCSP URI are present and correct in generated certificate.

https://fedorahosted.org/freeipa/ticket/5881

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-11 15:07:46 +02:00
Petr Vobornik
6217d680da ca-less tests: fix getting cert in pem format from nssdb
usage of ipautil.run in  get_pem methond of ca-less tests was not
refactored when the ipautil.run was refactored in
099cf98307

This results in failure of all CA-less test.

https://fedorahosted.org/freeipa/ticket/6177

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-10 16:53:33 +02:00
Stanislav Laznicka
9f26e395e5 Removed objectclass from LDAP*ReverseMember based tests
Some tests were broken because of the recent changes in baseldap (#5892)
as they were wrongly expecting an objectclass attribute.

https://fedorahosted.org/freeipa/ticket/6198

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-10 13:53:55 +02:00
Petr Spacek
80e544e7a9 install: Call hostnamectl set-hostname only if --hostname option is used
This commit also splits hostname backup and configuration into two separate
functions. This allows us to backup hostname without setting it at the
same time.

https://fedorahosted.org/freeipa/ticket/6071

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-10 10:48:05 +02:00
Petr Spacek
a83523e37e server-install: Fix --hostname option to always override api.env values
Attempts to compare local hostname with user-provided values are error
prone as we found out in #5794. This patch removes comparison and makes
the env values deterministic.

https://fedorahosted.org/freeipa/ticket/6071

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-10 10:48:05 +02:00
Jan Cholasta
20ee4a73e7 client: add missing output params to client-side commands
Add output params for the otptoken-add-yubikey, vault-add, vault-mod,
vault-archive and vault-retrieve commands.

This fixes the commands not having any output in CLI.

https://fedorahosted.org/freeipa/ticket/6182

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-08-10 10:27:00 +02:00
Jan Cholasta
e9c1d21b9f parameters: move the confirm kwarg to Param
Whether a parameter is treated like password is determined by the
`password` class attribute defined in the Param class. Whether the CLI will
asks for confirmation of a password parameter depends on the value of the
`confirm` kwarg of the Password class.

Move the `confirm` kwarg from the Password class to the Param class, so
that it can be used by any Param subclass which has the `password` class
attribute set to True.

This fixes confirmation of the --key option of otptoken-add, which is a
Bytes subclass with `password` set to True.

https://fedorahosted.org/freeipa/ticket/6174

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-08-10 08:51:39 +02:00