This is step forward working VPATH builds which cleanly separate sources
and build artifacts. It makes the system cleaner and easier to
understand.
Python and web UI likely require more work to make VPATH builds working.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Version information is now in VERSION.m4 instead of VERSION.
Makefile target version-update was minimized and configure can be run
before make. Makefile temporarily contains hardcoded version which has
to match the one specified in VERSION.m4.
This is preparatory step which will allow us to replace hand-made
Makefile with one generated by Automake.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This is autoconf way of doing things. It should allow us to enable
subdir-objects automake option and stay compatible with future versions
of automake.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Top-level Makefile is still not managed by Automake (e.g. hand-made).
This is preparatory work. Other configure.ac files will be gradually
merged into the top-level one. After that we will be able to throw-away
the hand-made top-level Makefile and use Automake for everything.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Fix include paths to prevent breakage when we move configure.ac from
daemons to the top-level.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Interestingly, the new macro AC_HEADER_STDC is alredy present.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The Python detection logic will be improved later when we start to use
top-level configure.ac to manage build completely. For now simple bump
is enough.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Mozldap is not used for some time now. We can remove
all traces of it.
AFAIK the complex logic for OpenLDAP detection should not be
necessary and -lldap_r -llber options should suffice.
Unfortunatelly OpenLDAP package does not ship
package config files so we have to hardcode flags.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use package config instead of checking headers.
Package config is faster because it does not invoke compiler
and guarantees proper linking flags because these are provided
by package maintainer instead of hardcoded into build system.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use package config instead of checking headers.
Package config is faster because it does not invoke compiler
and guarantees proper linking flags because these are provided
by package maintainer instead of hardcoded into build system.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use package config instead of checking headers.
Package config is faster because it does not invoke compiler
and guarantees proper linking flags because these are provided
by package maintainer instead of hardcoded into build system.
libkrad does not have package config file so we keep the old way here.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
It was working accidentally because krb5 libs are part of OPENLDAP_LIBS.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In at least one case, when an LDAP socket closes, a read event is fired
rather than an error event. Without this patch, ipa-otpd silently
ignores this event and enters a state where all bind auths fail.
To remedy this problem, we pass error events along the same path as read
events. Should the actual read fail, we exit.
https://bugzilla.redhat.com/show_bug.cgi?id=1377858https://fedorahosted.org/freeipa/ticket/6368
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.
This covers only cases where fix was easy or only one unused variable
was in a module
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
the global keyword should be used only when variable from outside is
assigned inside, otherwise it has no effect and just confuses developers
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
During an extend op password update, there is a test if the
user is changing the password is himself. It uses local Slapi_SDN
variable that are not freed
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In terms of cross-forest trust parent domain is the root domain of
the forest because we only have trust established with the forest root.
In FreeIPA LDAP store all sub-domains stored in cn=<forest root>,
cn=ad,cn=trusts,... subtree. Thus, a first RDN after cn=ad is the
forest root domain. This allows us to simplify logic of finding
the parent domain.
For complex hierachical forests with more than two levels of
sub-domains, this will still be true because of the forest trust:
as forest trust is established to the forest root domain, any
communication to any sub-domain must traverse forest root domain's
domain controller.
Note that SSSD also generated incorrectly CA paths information
for forests with non-hierarchical tree-roots. In such cases
IPA KDC got confused and mistakenly assumed direct trust to the
non-hierarchical tree-root instead of going through the forest
root domain. See https://fedorahosted.org/sssd/ticket/3103 for
details.
Resolves: https://fedorahosted.org/freeipa/ticket/5738
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
daemons/ipa-kdb/ipa_kdb_mspac.c: In function 'filter_logon_info':
daemons/ipa-kdb/ipa_kdb_mspac.c:1536:19: error: 'struct PAC_LOGON_INFO'
has no member named 'res_group_dom_sid'
if (info->info->res_group_dom_sid != NULL &&
^~
daemons/ipa-kdb/ipa_kdb_mspac.c:1537:19: error: 'struct PAC_LOGON_INFO'
has no member named 'res_groups'; did you mean 'resource_groups'?
info->info->res_groups.count != 0) {
^~
mv -f .deps/ipa_kdb_delegation.Tpo .deps/ipa_kdb_delegation.Plo
Makefile:806: recipe for target 'ipa_kdb_mspac.lo' failed
make[3]: *** [ipa_kdb_mspac.lo] Error 1
make[3]: *** Waiting for unfinished jobs....
Related change in samba
4406cf792a
Resolves:
https://fedorahosted.org/freeipa/ticket/6173
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use a helper function to perform operations on dates in LDAP attributes.
Related to #2795
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: David Kupka <dkupka@redhat.com>
ipapwd_encrypt_encode_key allocates 'kset' on the heap but
with num_keys and keys not being initialized.
Then ipa_krb5_generate_key_data initializes them with the
generated keys.
If ipa_krb5_generate_key_data fails (here EINVAL meaning no
principal->realm.data), num_keys and keys are left uninitialized.
Upon failure, ipapwd_keyset_free is called to free 'kset'
that contains random num_keys and keys.
allocates kset with calloc so that kset->num_keys==0 and
kset->keys==NULL
https://fedorahosted.org/freeipa/ticket/6030
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.
https://fedorahosted.org/freeipa/ticket/2795
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
ipapwd_extop allows to update the password on a specific entry, identified by its DN.
It can be usefull to support virtual DN in the extop so that update of a virtual entry
would land into the proper real entry.
If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value
of TARGET_DN, instead of using the original one (in the ber req)
There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955)
https://fedorahosted.org/freeipa/ticket/5946
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Additionally, stop setting ipakrbprincipalalias attribute during principal
creation.
Part of https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
When canonicalization is requested, the krbprincipalname attribute is searched
for case-insensitively.
In the case that krbcanonicalname is not set, the matched alias is returned
with the casing stored in backend, not the one input by client.
Part of https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
A managed host may handle several ipaReplTopoManagedSuffix.
Removing (from the topology) such host, loops over the replicated
suffixes array to retrieve, in the hosts list, the host record and delete it.
The problem is that a variable used to manage a hosts list is not reset
when looking at the next suffix. That will messup the lists, keeping
freed elements in the lists.
The fix is to reset the variable inside the replicated suffix loop
https://fedorahosted.org/freeipa/ticket/5977
Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com>
ticket #5928
prevent a crash when dereferncing a NULL hostnam, log an error to help debugging
fix an incorrect order of statement when freeing a host list
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Add support for additional user name principal suffixes from
trusted Active Directory forests. UPN suffixes are property
of the forest and as such are associated with the forest root
domain.
FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
attribute of ipaNTTrustedDomain object class.
In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.
For more details on UPN and naming in Active Directory see
https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspxhttps://fedorahosted.org/freeipa/ticket/5354
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.
This patch does not change the autogenerated files: asn1/asn1c/*.h.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
If the user is configured for OTP or RADIUS authentication, insert the
relevant authentication indicator.
https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Sumit Bose <sbose@redhat.com>
Before this patch, if either password or password+otp were permitted,
only the otp preauth mech would be returned to the client. Now, the
client will receive either enc_ts or enc_chl in addition to otp.
https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Sumit Bose <sbose@redhat.com>
Before this patch, if the user was configured for either OTP or password
it was possible to do a 1FA authentication through ipa-otpd. Because this
correctly respected the configuration, it is not a security error.
However, once we begin to insert authentication indicators into the
Kerberos tickets, we cannot allow 1FA authentications through this
code path. Otherwise the ticket would contain a 2FA indicator when
only 1FA was actually performed.
To solve this problem, we have ipa-otpd send a critical control during
the bind operation which informs the LDAP server that it *MUST* validate
an OTP token for authentication to be successful. Next, we implement
support for this control in the ipa-pwd-extop plugin. The end result is
that the bind operation will always fail if the control is present and
no OTP is validated.
https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Sumit Bose <sbose@redhat.com>
This gives us a place to handle all OTP related controls. Also,
genericize otpctrl_present() so that the OID can be specified as an
argument to the function call.
These changes are preparatory for the subsequent patches.
https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Sumit Bose <sbose@redhat.com>
Store and retrieve the authentication indicator "require_auth" string in
the krbPrincipalAuthInd attribute. Skip storing auth indicators to
krbExtraData.
https://fedorahosted.org/freeipa/ticket/5782
Reviewed-By: Sumit Bose <sbose@redhat.com>
The unit test framework check has not been used in freeipa for long time
(if ever) but there was still conditional check for this framework.
It just produced confusing warning:
Without the 'CHECK' library, you will be unable
to run all tests in the 'make check' suite
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Like for services setting the ipaKrbAuthzData attribute on a user object will
allow us to control exactly what authz data is allowed for that user.
Setting NONE would allow no authz data, while setting MS-PAC would allow only
Active Directory compatible data.
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/2579
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The value of LDAP_PAGE_SIZE was changed in samba-4.4
and it caused warning because it's already defined
in samba header files
ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
#define LDAP_PAGE_SIZE 1024
In file included from /usr/include/samba-4.0/smbldap.h:24:0,
from ipa_sam.c:31:
/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition
#define LDAP_PAGE_SIZE 1000
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Some legacy softare is not able to properly cope with preauthentication,
allow the admins to disable the requirement to use preauthentication for
all Service Principal Names if they so desire. IPA Users are excluded,
for users, which use password of lessere entrpy, preauthentication is
always required by default.
This setting does NOT override explicit policies set on service principals
or in the global policy, it only affects the default.
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/3860
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
samba_util.h is not shipped with samba-4.4
and it was indirectly included by "ndr.h"
Some functions have prototypes in different header file
"util/talloc_stack.h" and other does not have declarations
in other header file. But they are still part of libsamba-util.so
sh$ objdump -T /usr/lib64/libsamba-util.so.0.0.1 | grep -E "trim_s|xstrdup"
0000000000022200 g DF .text 000000000000001f SAMBA_UTIL_0.0.1 smb_xstrdup
00000000000223b0 g DF .text 000000000000019d SAMBA_UTIL_0.0.1 trim_string
ipa_sam.c: In function 'ldapsam_uid_to_sid':
ipa_sam.c:836:24: warning: implicit declaration of function 'talloc_stackframe'
[-Wimplicit-function-declaration]
TALLOC_CTX *tmp_ctx = talloc_stackframe();
^
ipa_sam.c: In function 'pdb_init_ipasam':
ipa_sam.c:4493:2: warning: implicit declaration of function 'trim_string'
[-Wimplicit-function-declaration]
trim_string( uri, "\"", "\"" );
^
ipa_sam.c:4580:26: warning: implicit declaration of function 'smb_xstrdup'
[-Wimplicit-function-declaration]
ldap_state->domain_dn = smb_xstrdup(dn);
^
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Whe requesting a keytab the salt used is the NORMAL type (for backwards and AD
compatibility), however since we added alias support we need to search for the
krbCanonicalName in preference, hen nothing is specified, and for the requested
principal name when a getkeytab operation is performed. This is so that the
correct salt can be applied. (Windows AD uses some peculiar aliases for some
special accounts to generate the salt).
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This function determines which type of authorization data should be
added to the Kerberos ticket. There are global default and it is
possible to configure this per service as well. The second argument is
the data base entry of a service. If no service is given it makes sense
to return the global defaults and most parts of get_authz_data_types()
handle this case well and this patch fixes the remain issue and adds a
test for this as well.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
LDAP calls just assert if an invalid (NULL) context is passed in,
so we need to be sure we have a valid connection context before
calling into LDAP APIs and fail outright if a context can't be obtained.
https://fedorahosted.org/freeipa/ticket/5577
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Remove des3 and arcfour from the defaults for new installs.
NOTE: the ipasam/dcerpc code sill uses arcfour
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/4740
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
We always have to call find_base() in order to force libldap to open
the socket. However, if no base is actually required then there is
no reason to error out if find_base() fails. This condition can arise
when anonymous binds are disabled.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Command "ldap-cleanup <zone name>" will remove all key metadata from
LDAP. This can be used manually in sequence like:
ldap-cleanup <zone name>
update <zone name>
to delete all key metadata from LDAP and re-export them from OpenDNSSEC.
ldap-cleanup command should be called when disabling DNSSEC on a DNS
zone to remove stale key metadata from LDAP.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
Key purging has to be only only after key metadata purging so
ipa-dnskeysyncd on replices does not fail while dereferencing
non-existing keys.
https://fedorahosted.org/freeipa/ticket/5334
Reviewed-By: Martin Basti <mbasti@redhat.com>
Previously we published timestamps of planned state changes in LDAP.
This led to situations where state transition in OpenDNSSEC was blocked
by an additional condition (or unavailability of OpenDNSSEC) but BIND
actually did the transition as planned.
Additionally key state mapping was incorrect for KSK so sometimes KSK
was not used for signing when it should.
Example (for code without this fix):
- Add a zone and let OpenDNSSEC to generate keys.
- Wait until keys are in state "published" and next state is "inactive".
- Shutdown OpenDNSSEC or break replication from DNSSEC key master.
- See that keys on DNS replicas will transition to state "inactive" even
though it should not happen because OpenDNSSEC is not available
(i.e. new keys may not be available).
- End result is that affected zone will not be signed anymore, even
though it should stay signed with the old keys.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
Needs a 'break' otherwise prevents correct reporting of data and it always overrides
it with the placeholder data.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Since endptr points to a location inside of dummy, dummy should be freed
only after dereferencing endptr.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Since we are interested in looking up the SID of a group it makes sense
to include the objectclass which contains the SID attribute in the
search filter. This makes sure the group is not accidentally found a
second time in the compat tree.
Related to https://fedorahosted.org/freeipa/ticket/5457
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Default krb5.conf needn't have defined default_realm.
Unit tests should not rely on existing default value.
Reviewed-By: Martin Basti <mbasti@redhat.com>
The cmocka-1.0 introduced new interface for tests
which is not compatible with the old one.
And the old interface is deprecated which caused compiled warnings.
Reviewed-By: Martin Basti <mbasti@redhat.com>
In file included from ipa_extdom_extop.c:41:0:
ipa_extdom_extop.c: In function ‘ipa_extdom_init_ctx’:
ipa_extdom_extop.c:203:9: warning: format ‘%d’ expects argument of type ‘int’,
but argument 4 has type ‘size_t {aka long unsigned int}’ [-Wformat=]
LOG("Maximal nss buffer size set to [%d]!\n", ctx->max_nss_buf_size);
^
../common/util.h:53:21: note: in definition of macro ‘LOG_PLUGIN_NAME’
fmt, ##__VA_ARGS__)
^
ipa_extdom_extop.c:203:5: note: in expansion of macro ‘LOG’
Reviewed-By: Martin Basti <mbasti@redhat.com>
topology_pre.c: In function ‘ipa_topo_pre_add’:
topology_pre.c:509:15: warning: declaration of ‘errtxt’ shadows a previous local [-Wshadow]
char *errtxt;
^
topology_pre.c:494:11: note: shadowed declaration is here
char *errtxt = NULL;
^
Reviewed-By: Martin Basti <mbasti@redhat.com>
when a suffix becomes managed for a host, the host needs to
be added to the managed servers, otherwise connectivity check would fail
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
the creation or deletion of a replication agreemet is rejected if the
servers are managed for the suffix. But bot endpoints need to checked
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
After removing a server the replicaid needs to be cleared in the ruv entry and
in the changelog.
This was triggere by initiating a cleanallruv task in "ipa-replica-manage del",
but the removal of a master already triggers a cleanup of segments and replication
agreement by the topology plugin, so this could be handled by the plugin as well.
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
trigger topology updaet if suffix entry is added
trigger topology update if managedSuffix is modified in host entry
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ldap2 internally does LDAP search to find out what LDAP search limits
should be used (!). The problem is that this internal search has hardcoded
limits and throws LimitExceeded exception when DS is too slow.
DNSSEC daemons do not need any abstractions from ldap2 so we are going
to use ipaldap directly. This will avoid the unnecessary search and
associated risks.
https://fedorahosted.org/freeipa/ticket/5342
Reviewed-By: Martin Basti <mbasti@redhat.com>
The StringIO class was moved to the io module.
(In Python 2, io.StringIO is available, but is Unicode-only.)
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Temporarily storing the offset time in an unsigned integer causes the
value of the offset to underflow when a (valid) negative offset value
is generated. Using a signed variable avoids this problem.
https://fedorahosted.org/freeipa/ticket/5333
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Incorrect SQL join condition could lead to situation where metadata from
ZSK and KSK were interchanged.
https://fedorahosted.org/freeipa/ticket/5273
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
It might happen that systemd will restart the service even if there is
no incomming connection to service socket. In that case we want to exit
because HSM synchronization is done before socket.accept() and we want
to synchronize HSM and DNS zones at the same time.
https://fedorahosted.org/freeipa/ticket/5273
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
Reusing old ccache after reinstall causes authentication error. And
prevents DNSSEC from working.
Related to ticket: https://fedorahosted.org/freeipa/ticket/5273
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.
- Removed Backend.krb and KRB5_CCache classes
They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
Using api.env.realm instead of krbV call
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
ipa-dnskeysync* and ipa-ods-exporter handle kerberos errors more gracefully
instead of crashing with tracebacks.
https://fedorahosted.org/freeipa/ticket/5229
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use Python-3 compatible syntax, without breaking compatibility with py 2.7
- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
strict type checking checking, e.g. type(0).
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
<ame> -> <name>
overriden -> overridden
ablity -> ability
enties -> entries
the the -> the
https://fedorahosted.org/freeipa/ticket/5109
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When retrieving keytab, it is useful to know what user was attempting
to fetch the keyts and failed. This is useful to debug one-way trust
where SSSD forks out a process of ipa-getkeytab and it might be using
a wrong credentials cache for authentication purposes.
Part of https://fedorahosted.org/freeipa/ticket/4959
Reviewed-By: Tomas Babej <tbabej@redhat.com>
To support AD trust agents, we need to run sidgen and extdom plugins
on every IPA master. Lack of working configuration, thus, is not a
failure so reduce log level to normal as sidgen plugin will not
be active if domain SID is missing but it can certainly be kept
enabled.
Part of https://fedorahosted.org/freeipa/ticket/4951
Reviewed-By: Tomas Babej <tbabej@redhat.com>
When trust is established, ipasam module creates a number of objects in LDAP
to represent the trust information. Among them, for one-way trust we create
a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest
and AD is a realm of the trusted Active Directory forest root domain.
This principal is then used by SSSD on IPA masters to authenticate against
trusted Active Directory domain controllers and retrieve information about
user and group identities.
FreeIPA also uses this principal's credentials to retrieve domain topology.
The access to the keys of the principal should be well-protected. We only
allow to retrieve the keytab for it for members of cn=adtrust agents group.
This group is populated with host/ and cifs/ principals from IPA masters.
Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters
where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install
on the master which will be configured to be a domain controller (e.g.
run Samba with ipasam), and specify --add-agents option to trigger activation
of the interactive mode to specify which IPA masters to enable.
Fixes https://fedorahosted.org/freeipa/ticket/4962
Part of fixes for https://fedorahosted.org/freeipa/ticket/4546
Reviewed-By: Tomas Babej <tbabej@redhat.com>
When incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.
Note that we treat user's SID and primary group RID filtering as violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.
For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1
it is OK to have empty group RIDs array as GroupCount SHOULD be
equal to Groups.MembershipCount returned by SamrGetGroupsForUser
[MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty.
Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475
Reviewed-By: Tomas Babej <tbabej@redhat.com>
in the preop check do not reject the deletion of a segment, if not both endpoints
are managed servers for the suffix
thisis part of work for ticlet #5072
Reviewed-By: Simo Sorce <ssorce@redhat.com>
reject attempts to add segments to suffixes, which do not exist or are not configured.
check completenes and validity of segment attributes
cf ticket 5088: https://fedorahosted.org/freeipa/ticket/5088
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
OpenDNSSEC stores key metadata in local time zone but BIND needs
timestamps in UTC. UTC will be stored in LDAP.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Martin Basti <mbasti@redhat.com>
Online initialization can be triggered by setting "nsds5BeginReplicaRefresh[;left|;right]": start to a
segment. But this field remained in the segment and after restart the init would be executed again.
see Ticket #5065
To fix this the field is cleared:
- after a backend comes back online after being initialized
- since there is a delay and the sending server could be restarted in between,
the field is also scheced and renḿoved at startup
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
This patch moves duplicate code in `ipadb_get_connection` to get default and
supported key encodings/salt types from Kerberos container to a common
function handling this task.
It is actually a small cosmetic enhancement of the fix of
https://fedorahosted.org/freeipa/ticket/4914
Reviewed-By: Martin Basti <mbasti@redhat.com>
New exporter's command 'ipa-full-update' will resynchronize all zone
keys from ODS database to LDAP.
This command holds database lock for the whole time to avoid race
conditions so it should be used only in special cases, e.g. during
master server migration.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Martin Basti <mbasti@redhat.com>
Previously only systemd socket activation was supported.
Ability to call the command directly is handy in special cases,
e.g. for debugging or moving key master role from one server to another.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Martin Basti <mbasti@redhat.com>
this patch contains the following improvements:
check for existing segments works for all combinations of one directional and bidirectional segments
rdns of replication agreements generated from one directional segments are preserves after
merging of segments, so that deletion of the segment deletes the corresponding replication
agreements
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
The attribute mentioned was using an older name that was later changed
in the implementation.
Also add a prominent warning about the use of the kadmin flags.
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
when a server is removed from the topology the plugin tries to remove the
credentials from the replica and the bind dn group.
It performs an internal search for the ldap principal, but can fail if it was already removed
Due to an unitialized variable in this case it can eitehr crash or erroneously remove all
principals.
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
when updating an replication agreement from a toplogy segment an incorrect default value was used for bindmethod.
Only attributes explicitely set in the segment should be applied.
At shutdown the server could crash because the plugin was called after it was stopped.
https://fedorahosted.org/freeipa/ticket/5035
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
When kadmin tries to change a password it will get the allowed keysalts
from the password policy. Failure to provide them will result in kadmin
using the defaults specified in the kdc.conf file or hardcoded defaults
(the default salt is then of type NORMAL).
This patch provides the supported values that have been read out of the
appropriate LDAP attribute when we read the server configuration.
Then at actual password change, check if kadmin is handing us back the exact
list of supported encsalts we sent it, and in that case replace it with the
real default encsalts.
Fixes https://fedorahosted.org/freeipa/ticket/4914
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
Add plugin commands to stageuser plugin:
stageuser_activate: activate entries created by IPA CLIs
https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: David Kupka <dkupka@redhat.com>
This bug caused negative token windows to wrap-around, causing issues
with TOTP authentication and (especially) synchronization.
https://fedorahosted.org/freeipa/ticket/4990
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
ipa-dnskeysyncd, ipa-dnskeysync-replica, and ipa-ods-exporter use a generic
'ccache' filename for credential storage, making debugging Kerberos-related
errors unnecessarily complicated. This patch renames the ccache files so that
each of these daemons now has its own credenital cache.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Calls to ipautil.run using kinit were replaced with calls
kinit_keytab/kinit_password functions implemented in the PATCH 0015.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
IPA UUID should not generate ipaUniqueID for entries under 'cn=provisioning,SUFFIX'
Add in the configuration the ability to set (optional) 'ipaUuidExcludeSubtree'
https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Besides moving the existing tests to cmocka two new tests are added
which were missing from the old tests.
Related to https://fedorahosted.org/freeipa/ticket/4922
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
The get*_r_wrapper() calls expect a maximum buffer size to avoid memory
shortage if too many threads try to allocate buffers e.g. for large
groups. With this patch this size can be configured by setting
ipaExtdomMaxNssBufSize in the plugin config object
cn=ipa_extdom_extop,cn=plugins,cn=config.
Related to https://fedorahosted.org/freeipa/ticket/4908
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The getXXYYY_r() calls require a buffer to store the variable data of
the passwd and group structs. If the provided buffer is too small ERANGE
is returned and the caller can try with a larger buffer again.
Cmocka/cwrap based unit-tests for get*_r_wrapper() are added.
Resolves https://fedorahosted.org/freeipa/ticket/4908
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Currently only nss-wrapper is checked, checks for other crwap libraries
can be added e.g. as
AM_CHECK_WRAPPER(uid_wrapper, HAVE_UID_WRAPPER)
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Currently the range check plugin will return a 'Range Check error'
message if a ldapmodify operation tries to change a non-existing object.
Since the range check plugin does not need to care about non-existing
objects we can just return 0 indicating that the range check plugin has
done its work.
Resolves https://fedorahosted.org/freeipa/ticket/4924
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Since we dropped support for LANMAN hashes we do not need DES from OpenSSL
anymore. Stop including an testing for it.
Test for the MD4 algorythm instead whichis still used for the NT Hashes.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
All FreeIPA original code should be licensed to GPL v3+ license,
update the respective files:
- daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c
Remove GPL v2.0 license files from LDIFs or template to keep
consistency.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
When processing cross-realm trust transitions, let the KDC to handle
those we don't know about. Admins might define the transitions as
explicit [capaths] in krb5.conf.
https://fedorahosted.org/freeipa/ticket/4791
Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
In this new MIT version the DAL interface changes slightly but
KRB5_KDB_DAL_MAJOR_VERSION was not changed.
Luckily KRB5_KDB_API_VERSION did change and that's enough to know
what to compile in.
Resolves: https://fedorahosted.org/freeipa/ticket/4861
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Additionally, fix a small bug in ipa-kdb so that the disabled User
Auth Type is properly handled.
https://fedorahosted.org/freeipa/ticket/4720
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
This patch proposes a fix to the following defect found by covscan of FreeIPA
master code:
"""
Error: CHECKED_RETURN (CWE-252):
/daemons/ipa-slapi-plugins/libotp/otp_config.c:239: check_return: Calling
"slapi_search_internal_get_entry" without checking return value (as is done
elsewhere 14 out of 16 times).
/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:402:
example_checked: Example 1: "slapi_search_internal_get_entry(sdn, NULL,
&config_entry, ipaenrollment_plugin_id)" has its value checked in "(rc =
slapi_search_internal_get_entry(sdn, NULL, &config_entry,
ipaenrollment_plugin_id)) != 0".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:207: example_assign:
Example 2: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(sdn, NULL, &config_entry, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:212: example_checked:
Example 2 (cont.): "ret" has its value checked in "ret".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:651: example_assign: Example
3: Assigning: "search_result" = return value from
"slapi_search_internal_get_entry(sdn, attrlist, e2, ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:653: example_checked:
Example 3 (cont.): "search_result" has its value checked in "search_result !=
0". /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1035: example_assign:
Example 4: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(tmp_dn, NULL, &pwdop->pwdata.target,
ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1039:
example_checked: Example 4 (cont.): "ret" has its value checked in "ret != 0".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:817: example_assign: Example 5:
Assigning: "ret" = return value from "slapi_search_internal_get_entry(tmp_dn,
NULL, &e, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:820: example_checked: Example 5
(cont.): "ret" has its value checked in "ret == 10".
"""
The patch is a part of series related to
https://fedorahosted.org/freeipa/ticket/4795
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This patch is related to the following defect reported by covscan of FreeIPA
master code:
"""
Error: DEADCODE (CWE-561): /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:796:
cond_const: Condition "modtype != 1", taking false branch. Now the value of
"modtype" is equal to 1.
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:796:
cond_const: Condition "modtype != 4", taking false branch. Now the value of
"modtype" is equal to 4.
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:941:
equality_cond: Jumping to case "1".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:957: equality_cond: Jumping to
case "4".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:940: intervals: When
switching on "modtype", the value of "modtype" must be in one of the following
intervals: {[1,1], [4,4]}.
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:940: dead_error_condition: The
switch value "modtype" cannot reach the default case.
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:1031: dead_error_begin:
Execution cannot reach this statement: "default:".
"""
The patch is a part of series related to
https://fedorahosted.org/freeipa/ticket/4795
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This patch is related to this defect reported by covscan in FreeIPA code:
"""
Error: MISSING_BREAK (CWE-484):
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:631: unterminated_case: The
case for value "2" is not terminated by a 'break' statement.
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:638: fallthrough: The above
case falls through to this one.
"""
Added a comment informing about intentional falltrough in this place, so that
future generations reading the code don't get confused.
The patch is the part of a series related to
https://fedorahosted.org/freeipa/ticket/4795
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This patch fixes the following defect reported by covscan:
"""
Error: CHECKED_RETURN (CWE-252):
/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c:119:
check_return: Calling "slapi_search_internal_get_entry" without checking
return value (as is done elsewhere 14 out of 16 times).
/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:402:
example_checked: Example 1: "slapi_search_internal_get_entry(sdn, NULL,
&config_entry, ipaenrollment_plugin_id)" has its value checked in "(rc =
slapi_search_internal_get_entry(sdn, NULL, &config_entry,
ipaenrollment_plugin_id)) != 0".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:207:
example_assign: Example 2: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(sdn, NULL, &config_entry, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:212:
example_checked: Example 2 (cont.): "ret" has its value checked in "ret".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:651:
example_assign: Example 3: Assigning: "search_result" = return value from
"slapi_search_internal_get_entry(sdn, attrlist, e2, ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:653:
example_checked: Example 3 (cont.): "search_result" has its value checked in
"search_result != 0".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1035:
example_assign: Example 4: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(tmp_dn, NULL, &pwdop->pwdata.target,
ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1039:
example_checked: Example 4 (cont.): "ret" has its value checked in "ret != 0".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:817:
example_assign: Example 5: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(tmp_dn, NULL, &e, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:820:
example_checked: Example 5 (cont.): "ret" has its value checked in "ret ==
10".
"""
this patch is a part of a series related to
https://fedorahosted.org/freeipa/ticket/4795
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The patch addresses the following defect reported by covscan in FreeIPA
master:
"""
Error: FORWARD_NULL (CWE-476):
/daemons/ipa-kdb/ipa_kdb_principals.c:1886: assign_zero: Assigning:
"principal" = "NULL".
/daemons/ipa-kdb/ipa_kdb_principals.c:1929:
var_deref_model: Passing null pointer "principal" to "ipadb_entry_to_mods",
which dereferences it.
/daemons/ipa-kdb/ipa_kdb_principals.c:1491:9:
deref_parm_in_call: Function "ipadb_get_ldap_mod_str" dereferences
"principal".
/daemons/ipa-kdb/ipa_kdb_principals.c:1174:5:
deref_parm_in_call: Function "strdup" dereferences "value"
"""
This is a part of series of patches related to
https://fedorahosted.org/freeipa/ticket/4795
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This patch proposes a fix for the following defect reported by covscan in
FreeIPA master code:
"""
Error: DEADCODE (CWE-561):
/daemons/ipa-kdb/ipa_kdb_mspac.c:2013: assignment: Assigning: "client_entry" =
"NULL".
/daemons/ipa-kdb/ipa_kdb_mspac.c:2077: null: At condition
"client_entry", the value of "client_entry" must be "NULL".
/daemons/ipa-kdb/ipa_kdb_mspac.c:2077: dead_error_condition: The condition
"client_entry" cannot be true.
/daemons/ipa-kdb/ipa_kdb_mspac.c:2077:
dead_error_line: Execution cannot reach the expression "client_entry" inside
this statement: "kerr = ipadb_get_pac(contex...".
"""
This is a part of a series of patches related to
https://fedorahosted.org/freeipa/ticket/4795
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This patch is related this defect reported by covscan on FreeIPA master:
"""
Error: DEADCODE (CWE-561):
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code !=
-1765328353L", taking false branch. Now the value of "error_code" is equal to
-1765328353.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition
"error_code != -1765328360L", taking false branch. Now the value of
"error_code" is equal to -1765328360.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42:
cond_const: Condition "error_code != 0", taking false branch. Now the value of
"error_code" is equal to 0.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:71:
intervals: When switching on "error_code", the value of "error_code" must be
in one of the following intervals: {[-1765328360,-1765328360],
[-1765328353,-1765328353], [0,0]}.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:71:
dead_error_condition: The switch value "error_code" cannot reach the default
case.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:123: dead_error_begin: Execution
cannot reach this statement: "default:".
"""
This patch is a part of series related to
https://fedorahosted.org/freeipa/ticket/4795.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
According to MS-ADTS 6.3.3.2, "Domain Controller Response to an LDAP Ping",
if NETLOGON_NT_VERSION_5EX_WITH_IP is requested in NtVer, we should fill the
socket address of the server and set the NtVer of the response accordingly.
The behavior is a bit unclear from 6.3.3.2 but Samba expects LDAP ping to behave
the same way as a mailslot ping, described in 6.3.5, where socket address of the
server is included only if _WITH_IP variant was requested in NtVer. If NtVer
only contains NETLOGON_NT_VERSION_5EX (without _WITH_IP bit), socket
address should not be filled in.
Additionally, this means we should use special variant of
ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX helper named
ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags to properly handle optional
existence of the socket address in the response.
https://fedorahosted.org/freeipa/ticket/4827
Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
1. Samba project renamed libpdb to libsamba-passdb
https://bugzilla.samba.org/show_bug.cgi?id=10355
2. With interface version 24, Samba removed uid_to_sid()/gid_to_sid()
from the PASSDB interface and united them as id_to_sid().
Make sure FreeIPA ipa_sam code supports new and old versions of
the PASSDB API.
https://fedorahosted.org/freeipa/ticket/4778
Reviewed-By: Sumit Bose <sbose@redhat.com>
We need to make sure we have a ld context before we can load the
configuration, otherwise ldap APIs will abort crashing the KDC.
If we have an issue connecting to LDAP the lcontext will be NULL, but
we are not checking that condition when we try to refresh the global
configuration.
https://fedorahosted.org/freeipa/ticket/4810
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This introduces two new CLI commands:
* otpconfig-show
* otpconfig-mod
https://fedorahosted.org/freeipa/ticket/4511
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Also, ensure that the last token check only executes on DNs/entries that
are tokens. This resolves a large performance issue where a query was
being performed to load all the user's tokens on every del/mod operation.
https://fedorahosted.org/freeipa/ticket/4697https://fedorahosted.org/freeipa/ticket/4719
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
This enables plugins to share authentication configuration cache code.
Additionally, update the caching mechanism to be declarative and faster.
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
There are no major changes in this commit other than changing filenames
and symbols to have consistent namespaces. This prepares for larger
changes to come in subsequent commits.
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
The filtering was incorrect and would result in always discarding all values.
Also make sure there are no duplicates in the list.
Partial fix for:
https://fedorahosted.org/freeipa/ticket/4718
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Before this patch users could log in using only the OTP value. This
arose because ipapwd_authentication() successfully determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.
This patch resolves CVE-2014-7828.
https://fedorahosted.org/freeipa/ticket/4690
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Also remove dead code and explicitly mark an ignored return value to prevent
false positives in static code analysis.
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This plugin ensures that all counter/watermark operations are atomic
and never decrement. Also, deletion is not permitted.
Because this plugin also ensures internal operations behave properly,
this also gives ipa-pwd-extop the appropriate behavior for OTP
authentication.
https://fedorahosted.org/freeipa/ticket/4493https://fedorahosted.org/freeipa/ticket/4494
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Currently the extdom plugin is basically used to translate SIDs of AD
users and groups to names and POSIX IDs.
With this patch a new version is added which will return the full member
list for groups and the full list of group memberships for a user.
Additionally the gecos field, the home directory and the login shell of a
user are returned and an optional list of key-value pairs which
currently will contain the SID of the requested object if available.
https://fedorahosted.org/freeipa/ticket/4031
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
This prevents the reuse of TOTP tokens by recording the last token
interval that was used. This will be replicated as normal. However,
this patch does not increase the number of writes to the database
in the standard authentication case. This is because it also
eliminates an unnecessary write during authentication. Hence, this
patch should be write-load neutral with the existing code.
Further performance enhancement is desired, but is outside the
scope of this patch.
https://fedorahosted.org/freeipa/ticket/4410
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Wrong error message would be used for in case of
RANGE_CHECK_DIFFERENT_TYPE_IN_DOMAIN. Missing break will cause fall through to
the default section.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
A mixture of implicit and explicit tagging was being used and this caused
a bug in retrieving the enctype number due to the way ber_scanf() loosely
treat sequences and explicit tagging.
The ASN.1 notation used to describe the getkeytab operation uses implicit
tagging, so by changing the code we simply follow to the specified encoding.
Resolves: https://fedorahosted.org/freeipa/ticket/4404
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.
Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.
For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:
(targetattr="ipaProtectedOperation;read_keys") ...
... userattr=ipaAllowedToPerform;read_keys#USERDN)
This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.
Resolves:
https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Make it available outside of the encoding.c file for use in a follow-up
patch. Add option to not pass a password and generate a random key
instead.
Related:
https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
In preparation of adding another function to avoid code duplication.
Related:
https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
This change has two motivations:
1. Clients don't have to parse the string.
2. Future token types may have new formats.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Before this patch, ipa-kdb would load global configuration on startup and
never update it. This means that if global configuration is changed, the
KDC never receives the new configuration until it is restarted.
This patch enables caching of the global configuration with a timeout of
60 seconds.
https://fedorahosted.org/freeipa/ticket/4153
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This reverts commit bfdbd3b6ad.
Forceful validation of password expiration date in a BIND pre-callback
breaks LDAP password change extended operation as the password change
is only allowed via authenticated (bound) channel. Passwords could be
only changed via kadmin protocol. This change would thus break
LDAP-only clients and Web UI password change hook.
This patch will need to be revisited so that unauthenicated corner
cases are also revisited.
https://fedorahosted.org/freeipa/ticket/1539
If the password is expired fail a password bind.
Resolves: https://fedorahosted.org/freeipa/ticket/1539
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
When an entry has a krbCanonicalName, if KRB5_KDB_FLAG_ALIAS_OK is set,
rewrite the principal name to the canonical value, else error out,
instead of always returning an error if the requested name doesn't look
like the canonical one.
https://fedorahosted.org/freeipa/ticket/3966
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
If the entry's krbPrincipalName attribute is multi-valued, accept any of
the values, not just the last one we happen to examine.
https://fedorahosted.org/freeipa/ticket/3966
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
If the KDC doesn't use the FreeIPA password for authentication, then it is
futile to provide this information. Doing so will only confuse the user. It
also causes password change dialogues when the password is irrelevant.
https://fedorahosted.org/freeipa/ticket/4299
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Adds a check for krbprincipalexpiration attribute to pre_bind operation
in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is
denied and LDAP_UNWILLING_TO_PERFORM along with the error message is
sent back to the client. Since krbprincipalexpiration attribute is not
mandatory, if there is no value set, the check is passed.
https://fedorahosted.org/freeipa/ticket/3305
Reviewed-By: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Using integers for return values that are used for complex casing can be fragile
and typo-prone. Change range_check function to return range_check_result_t enum,
whose values properly describes each of the range_check results.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When building the domain to forest root map, we need to take the case
of IPA server having no trusted domains configured at all. Do not abort
the checks, but return an empty map instead.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Not making a new copy of this attribute creates multiple frees caused by multiple
pointers to the same forest_root_id from all the range_info structs for all the
domains belonging to given forest.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The slapi_entry_attr_get_ulong which is used to get value of the RID base
attributes returns 0 in case the attribute is not set at all. We need
to distinguish this situation from the situation where RID base attributes
are present, but deliberately set to 0.
Otherwise this can cause false negative results of checks in the range_check
plugin.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The ipa-range-check plugin used to determine the range type depending
on the value of the attributes such as RID or secondary RID base. This
approached caused variety of issues since the portfolio of ID range
types expanded.
The patch makes sure the following rules are implemented:
* No ID range pair can overlap on base ranges, with exception
of two ipa-ad-trust-posix ranges belonging to the same forest
* For any ID range pair of ranges belonging to the same domain:
* Both ID ranges must be of the same type
* For ranges of ipa-ad-trust type or ipa-local type:
* Primary RID ranges can not overlap
* For ranges of ipa-local type:
* Primary and secondary RID ranges can not overlap
* Secondary RID ranges cannot overlap
For the implementation part, the plugin was extended with a domain ID
to forest root domain ID mapping derivation capabilities.
https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When cleaning the range_info struct, simple free of the struct
is not enough, we have to free contents of char pointers in the
struct as well.
https://fedorahosted.org/freeipa/ticket/4276
Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the
directory service for gid/uid<->sid resolution.
Additionally, this patch further reduces number of queries by:
- fast fail on uidNumber=0 which doesn't exist in FreeIPA,
- return fallback group correctly when looking up user primary group as is
done during init,
- checking for group objectclass in case insensitive way
Patch by Jason Woods <devel@jasonwoods.me.uk>
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
https://fedorahosted.org/freeipa/ticket/4234
and
https://bugzilla.redhat.com/show_bug.cgi?id=1073829https://bugzilla.redhat.com/show_bug.cgi?id=1074314
Reviewed-By: Sumit Bose <sbose@redhat.com>
When string is not terminated, queries with corrupted base may be sent
to LDAP:
... cn=ipa1.example.com<garbage>,cn=masters...
https://fedorahosted.org/freeipa/ticket/4214
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When client principal is the same as supplied client entry, don't fetch it
again.
Note that when client principal is not NULL, client entry might be NULL for
cross-realm case, so we need to make sure to not dereference NULL pointer here.
Also fix reverted condition for case when we didn't find the client principal
in the database, preventing a memory leak.
https://fedorahosted.org/freeipa/ticket/4223
Reviewed-By: Sumit Bose <sbose@redhat.com>
When admin clears authdata flag for the service principal, KDC will pass
NULL client pointer (service proxy) to the DAL driver.
Make sure we bail out correctly.
Reviewed-By: Tomáš Babej <tbabej@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
This plugin prevents the deletion or deactivation of the last
valid token for a user. This prevents the user from migrating
back to single factor authentication once OTP has been enabled.
Thanks to Mark Reynolds for helping me with this patch.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
C99 is supported on all compilers we target and
provides some useful features, including:
* Standard struct initializers
* Compound literals
* For-loop declarations
* Standard bool type
* Variable arrays (use with caution)
* Too many others to mention...
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This handles the case where a user is configured for OTP in ipaUserAuthType,
but the user has not yet created any tokens. Until the user creates tokens,
the user should still be able to log in via password. This logic already
exists in LDAP, but ipa-kdb needs to perform the same validation to know
what data to return to the KDC.
https://fedorahosted.org/freeipa/ticket/4154
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When ipa-lockout plugin is started during FreeIPA server installation,
the default realm may not be available and plugin should then not end
with failure.
Similarly to other plugins, start in degraded mode in this situation.
Operation is fully restored during the final services restart.
https://fedorahosted.org/freeipa/ticket/4085
krbPwdPolicyReference is no longer filled default users. Instead, plugins
fallback to hardcoded global policy reference.
Fix ipa-lockout plugin to fallback to it instead of failing to apply
the policy.
https://fedorahosted.org/freeipa/ticket/4085
The KDB driver does not walk the tree back like the original password plugin.
Also we do not store the default policy in the base DN as we used to do in the
past anymore.
So doing a full subtree search and walking back the tree is just a waste of
time.
Instead hardcode the default policy like we do in the kdb driver.
Fixes: https://fedorahosted.org/freeipa/ticket/4085
For NETLOGON_NT_VERSION_5EX requests the prepended \\ is not expected in
the PDC NetBIOS name. In general AD seems to be smart enough to handle
the two \ signs. But if the NetBIOS name reaches the maximum of 15
character AD does not accept the responses anymore.
Fixes https://fedorahosted.org/freeipa/ticket/4028
The CLDAP DS plugin uses the uppercased first segment of the fully
qualified hostname as the NetBIOS name. We need to limit its size
to 15 characters.
https://fedorahosted.org/freeipa/ticket/4028
