Commit Graph

742 Commits

Author SHA1 Message Date
Petr Spacek
4fb2f535ca Build: fix distribution of daemons/ipa-slapi-plugins/ipa-cldap files
All the headers are now listed in _SOURCES variable.
It seems weird but this is what GNU Automake manual suggests in section
9.2 Header files:
  Headers used by programs or convenience libraries are not installed.
  The noinst_HEADERS variable can be used for such headers.
  However when the header actually belongs to a single convenience library
  or program, we recommend listing it in the program’s or library’s
  _SOURCES variable (see Program Sources) instead of in noinst_HEADERS.
  This is clearer for the Makefile.am reader.
  noinst_HEADERS would be the right variable to use in a directory containing
  only headers and no associated library or program.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
684a2c6a58 Build: fix distribution of ipa-slapi-plugins/common files
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
125bf25577 Build: fix distribution of daemon/ipa-kdb files
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
b8d81ba3a1 Build: remove non-existing README files from Makefile.am
Some Makefile.am files were apparently created by copy-pasting other
files. As a result, some Makefiles require non-existing README files.
Remove this to fix dist target.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
24feae47f2 Build: fix Makefile.am files to separate source and build directories
This is step forward working VPATH builds which cleanly separate sources
and build artifacts. It makes the system cleaner and easier to
understand.

Python and web UI likely require more work to make VPATH builds working.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
c48e5fd811 Build: move version handling from Makefile to configure
Version information is now in VERSION.m4 instead of VERSION.
Makefile target version-update was minimized and configure can be run
before make. Makefile temporarily contains hardcoded version which has
to match the one specified in VERSION.m4.

This is preparatory step which will allow us to replace hand-made
Makefile with one generated by Automake.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
b0cb6afa23 Build: transform util directory to libutil convenience library
This is autoconf way of doing things. It should allow us to enable
subdir-objects automake option and stay compatible with future versions
of automake.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-10-24 13:30:12 +02:00
Petr Spacek
25dab77301 Build: promote daemons/configure.ac to top-level configure.ac
Top-level Makefile is still not managed by Automake (e.g. hand-made).
This is preparatory work. Other configure.ac files will be gradually
merged into the top-level one. After that we will be able to throw-away
the hand-made top-level Makefile and use Automake for everything.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-10-24 13:30:12 +02:00
Petr Spacek
41da873205 Build: adjust include paths in daemons/ipa-kdb/tests/ipa_kdb_tests.c
Fix include paths to prevent breakage when we move configure.ac from
daemons to the top-level.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-10-24 13:30:12 +02:00
Petr Spacek
7de597425f Build: remove deprecated AC_STDC_HEADERS macro
Interestingly, the new macro AC_HEADER_STDC is alredy present.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-18 10:47:59 +02:00
Petr Spacek
8b458ce4de Build: require Python >= 2.7
The Python detection logic will be improved later when we start to use
top-level configure.ac to manage build completely. For now simple bump
is enough.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-18 10:47:59 +02:00
Petr Spacek
2ea6648379 Build: remove traces of mozldap library
Mozldap is not used for some time now. We can remove
all traces of it.

AFAIK the complex logic for OpenLDAP detection should not be
necessary and -lldap_r -llber options should suffice.

Unfortunatelly OpenLDAP package does not ship
package config files so we have to hardcode flags.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-18 10:47:59 +02:00
Petr Spacek
01072fc8f2 Build: modernize crypto library detection
Use package config instead of checking headers.
Package config is faster because it does not invoke compiler
and guarantees proper linking flags because these are provided
by package maintainer instead of hardcoded into build system.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-18 10:47:59 +02:00
Petr Spacek
7b801682a6 Build: modernize UUID library detection
Use package config instead of checking headers.
Package config is faster because it does not invoke compiler
and guarantees proper linking flags because these are provided
by package maintainer instead of hardcoded into build system.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-18 10:47:59 +02:00
Petr Spacek
651f1acac8 Build: modernize Kerberos library detection
Use package config instead of checking headers.
Package config is faster because it does not invoke compiler
and guarantees proper linking flags because these are provided
by package maintainer instead of hardcoded into build system.

libkrad does not have package config file so we keep the old way here.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-18 10:47:59 +02:00
Petr Spacek
152ed75ff6 Build: add missing KRB5_LIBS to daemons/ipa-otpd
It was working accidentally because krb5 libs are part of OPENLDAP_LIBS.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-18 10:47:59 +02:00
Timo Aaltonen
6c09d6f878 Move ipa-otpd to $libexecdir/ipa
This is more consistent with the other daemons.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-13 20:55:14 +02:00
Martin Basti
d937588146 Pylint: remove unused variables from installers and scripts
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-10-06 10:43:36 +02:00
Nathaniel McCallum
0756ce7d53 Properly handle LDAP socket closures in ipa-otpd
In at least one case, when an LDAP socket closes, a read event is fired
rather than an error event. Without this patch, ipa-otpd silently
ignores this event and enters a state where all bind auths fail.

To remedy this problem, we pass error events along the same path as read
events. Should the actual read fail, we exit.

https://bugzilla.redhat.com/show_bug.cgi?id=1377858
https://fedorahosted.org/freeipa/ticket/6368

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-06 10:35:25 +02:00
Martin Basti
45e3aee352 Pylint: enable check for unused-variables
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors

Enabled check should prevent to leave unused variable in code

Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Martin Basti
0f88f8fe88 Remove unused variables in the code
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.

This covers only cases where fix was easy or only one unused variable
was in a module

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Martin Basti
9b68d2a1f8 Pylint: enable global-variable-not-assigned check
the global keyword should be used only when variable from outside is
assigned inside, otherwise it has no effect and just confuses developers

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-09-23 09:23:41 +02:00
Thierry Bordaz
b942b00ac7 ipa-pwd-extop memory leak during passord update
During an extend op password update, there is a test if the
user is changing the password is himself. It uses local Slapi_SDN
variable that are not freed

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-31 12:08:03 +02:00
Alexander Bokovoy
a14ebbea89 ipa-kdb: simplify trusted domain parent search
In terms of cross-forest trust parent domain is the root domain of
the forest because we only have trust established with the forest root.

In FreeIPA LDAP store all sub-domains stored in cn=<forest root>,
cn=ad,cn=trusts,... subtree. Thus, a first RDN after cn=ad is the
forest root domain. This allows us to simplify logic of finding
the parent domain.

For complex hierachical forests with more than two levels of
sub-domains, this will still be true because of the forest trust:
as forest trust is established to the forest root domain, any
communication to any sub-domain must traverse forest root domain's
domain controller.

Note that SSSD also generated incorrectly CA paths information
for forests with non-hierarchical tree-roots. In such cases
IPA KDC got confused and mistakenly assumed direct trust to the
non-hierarchical tree-root instead of going through the forest
root domain. See https://fedorahosted.org/sssd/ticket/3103 for
details.

Resolves: https://fedorahosted.org/freeipa/ticket/5738
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 14:03:00 +02:00
Lukas Slebodnik
e7480bed27 ipa-kdb: Allow to build with samba 4.5
daemons/ipa-kdb/ipa_kdb_mspac.c: In function 'filter_logon_info':
daemons/ipa-kdb/ipa_kdb_mspac.c:1536:19: error: 'struct PAC_LOGON_INFO'
  has no member named 'res_group_dom_sid'
     if (info->info->res_group_dom_sid != NULL &&
                   ^~
daemons/ipa-kdb/ipa_kdb_mspac.c:1537:19: error: 'struct PAC_LOGON_INFO'
  has no member named 'res_groups'; did you mean 'resource_groups'?
         info->info->res_groups.count != 0) {
                   ^~
mv -f .deps/ipa_kdb_delegation.Tpo .deps/ipa_kdb_delegation.Plo
Makefile:806: recipe for target 'ipa_kdb_mspac.lo' failed
make[3]: *** [ipa_kdb_mspac.lo] Error 1
make[3]: *** Waiting for unfinished jobs....

Related change in samba
4406cf792a

Resolves:
https://fedorahosted.org/freeipa/ticket/6173

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-09 14:37:49 +02:00
Lukas Slebodnik
50c53395de ipa-pwd-extop: Fix warning assignment discards ‘const’ qualifier from pointer
ipa_pwd_extop.c: In function ‘ipapwd_chpwop’:
ipa_pwd_extop.c:337:13: warning: assignment discards ‘const’ qualifier
  from pointer target type [-Wdiscarded-qualifiers]
   target_dn = slapi_sdn_get_ndn(target_sdn);
             ^

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2016-08-08 14:35:11 +02:00
Lukas Slebodnik
7e1898bd01 ipa_pwd_extop: Fix warning declaration shadows previous local
ipa_pwd_extop.c:397:19: warning: declaration of ‘target_sdn’
  shadows a previous local [-Wshadow]
         Slapi_DN *target_sdn;
                   ^~~~~~~~~~
ipa_pwd_extop.c:212:16: note: shadowed declaration is here
  Slapi_DN     *target_sdn = NULL;
                ^~~~~~~~~~

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2016-08-08 14:33:39 +02:00
Simo Sorce
ab4fcb0fe2 Simplify date manipulation in pwd plugin
Use a helper function to perform operations on dates in LDAP attributes.

Related to #2795

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: David Kupka <dkupka@redhat.com>
2016-07-25 05:08:55 -04:00
Thierry Bordaz
b04f617803 Heap corruption in ipapwd plugin
ipapwd_encrypt_encode_key allocates 'kset' on the heap but
with num_keys and keys not being initialized.
Then ipa_krb5_generate_key_data initializes them with the
generated keys.
If ipa_krb5_generate_key_data fails (here EINVAL meaning no
principal->realm.data), num_keys and keys are left uninitialized.
Upon failure, ipapwd_keyset_free is called to free 'kset'
that contains random num_keys and keys.

allocates kset with calloc so that kset->num_keys==0 and
kset->keys==NULL

https://fedorahosted.org/freeipa/ticket/6030

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-07-19 13:17:37 +02:00
Sumit Bose
6d6da6b281 kdb: check for local realm in enterprise principals
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2016-07-12 12:26:28 +02:00
David Kupka
d2cb9ed327 Allow unexpiring passwords
Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.

https://fedorahosted.org/freeipa/ticket/2795

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-07-01 11:22:02 +02:00
Martin Basti
a635135ba3 Bump SSSD version in requires
This is required by commit aa734da494 for
function sss_nss_getnamebycert()

https://fedorahosted.org/freeipa/ticket/4955

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-07-01 10:20:36 +02:00
Thierry Bordaz
1ce8d32fd6 ipapwd_extop should use TARGET_DN defined by a pre-extop plugin
ipapwd_extop allows to update the password on a specific entry, identified by its DN.
It can be usefull to support virtual DN in the extop so that update of a virtual entry
would land into the proper real entry.

If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value
of TARGET_DN, instead of using the original one (in the ber req)
There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955)

https://fedorahosted.org/freeipa/ticket/5946

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-06-24 14:51:15 +02:00
Martin Babinsky
b169a72735 ipa-enrollment: set krbCanonicalName attribute on enrolled host entry
Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-06-23 09:48:06 +02:00
Martin Babinsky
7ed7a86511 ipa-kdb: set krbCanonicalName when creating new principals
Additionally, stop setting ipakrbprincipalalias attribute during principal
creation.

Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-06-23 09:48:06 +02:00
Martin Babinsky
e43231456d perform case-insensitive principal search when canonicalization is requested
When canonicalization is requested, the krbprincipalname attribute is searched
for case-insensitively.

In the case that krbcanonicalname is not set, the matched alias is returned
with the casing stored in backend, not the one input by client.

Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-06-23 09:48:06 +02:00
root
a76d4402a6 Topology plugins sigsev/heap corruption when adding a managed host
A managed host may handle several ipaReplTopoManagedSuffix.
Removing (from the topology) such host, loops over the replicated
suffixes array to retrieve, in the hosts list, the host record and delete it.
The problem is that a variable used to manage a hosts list is not reset
when looking at the next suffix. That will messup the lists, keeping
freed elements in the lists.

The fix is to reset the variable inside the replicated suffix loop

https://fedorahosted.org/freeipa/ticket/5977

Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com>
2016-06-22 17:51:53 +02:00
David Kupka
45bb2ad045 Remove unused locking "context manager"
Class ods_db_lock is unused since August 2015.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 18:27:22 +02:00
Ludwig Krispenz
0b11b36bf2 v2 - avoid crash in topology plugin when host list contains host with no hostname
ticket #5928

prevent a crash when dereferncing a NULL hostnam, log an error to help debugging
fix an incorrect order of statement when freeing a host list

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2016-06-13 16:25:03 +02:00
Alexander Bokovoy
bb75f5a583 adtrust: support UPNs for trusted domain users
Add support for additional user name principal suffixes from
trusted Active Directory forests. UPN suffixes are property
of the forest and as such are associated with the forest root
domain.

FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
attribute of ipaNTTrustedDomain object class.

In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.

For more details on UPN and naming in Active Directory see
https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx

https://fedorahosted.org/freeipa/ticket/5354

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-11 17:25:50 +02:00
Sumit Bose
aa734da494 extdom: add certificate request
Related to https://fedorahosted.org/freeipa/ticket/4955

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2016-06-09 14:28:47 +02:00
Nathaniel McCallum
4bafba06f2 Migrate from #ifndef guards to #pragma once
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.

This patch does not change the autogenerated files: asn1/asn1c/*.h.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-05-29 14:04:45 +02:00
Nathaniel McCallum
8f356a4305 Enable authentication indicators for OTP and RADIUS
If the user is configured for OTP or RADIUS authentication, insert the
relevant authentication indicator.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-26 18:47:05 +02:00
Nathaniel McCallum
204200d73b Return password-only preauth if passwords are allowed
Before this patch, if either password or password+otp were permitted,
only the otp preauth mech would be returned to the client. Now, the
client will receive either enc_ts or enc_chl in addition to otp.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-26 18:47:05 +02:00
Nathaniel McCallum
168a6c7d47 Ensure that ipa-otpd bind auths validate an OTP
Before this patch, if the user was configured for either OTP or password
it was possible to do a 1FA authentication through ipa-otpd. Because this
correctly respected the configuration, it is not a security error.

However, once we begin to insert authentication indicators into the
Kerberos tickets, we cannot allow 1FA authentications through this
code path. Otherwise the ticket would contain a 2FA indicator when
only 1FA was actually performed.

To solve this problem, we have ipa-otpd send a critical control during
the bind operation which informs the LDAP server that it *MUST* validate
an OTP token for authentication to be successful. Next, we implement
support for this control in the ipa-pwd-extop plugin. The end result is
that the bind operation will always fail if the control is present and
no OTP is validated.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-26 18:47:05 +02:00
Nathaniel McCallum
cd9bc84240 Rename syncreq.[ch] to otpctrl.[ch]
This gives us a place to handle all OTP related controls. Also,
genericize otpctrl_present() so that the OID can be specified as an
argument to the function call.

These changes are preparatory for the subsequent patches.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-26 18:47:05 +02:00
Matt Rogers
8a2afcafee ipa_kdb: add krbPrincipalAuthInd handling
Store and retrieve the authentication indicator "require_auth" string in
the krbPrincipalAuthInd attribute. Skip storing auth indicators to
krbExtraData.

https://fedorahosted.org/freeipa/ticket/5782

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-02 19:15:45 +02:00
Lukas Slebodnik
dbc3a75110 BUILD: Remove detection of libcheck
The unit test framework check has not been used in freeipa for long time
(if ever) but there was still conditional check for this framework.
It just produced confusing warning:
    Without the 'CHECK' library, you will be unable
    to run all tests in the 'make check' suite

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-04-22 13:21:26 +02:00
Alexander Bokovoy
3208a09384 extdom: do not fail to process error case when no request is specified
Coverity CID 13130

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-03-10 19:24:55 +01:00
Simo Sorce
7a20fc671b Allow to specify Kerberos authz data type per user
Like for services setting the ipaKrbAuthzData attribute on a user object will
allow us to control exactly what authz data is allowed for that user.
Setting NONE would allow no authz data, while setting MS-PAC would allow only
Active Directory compatible data.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/2579
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-03-09 19:00:43 +01:00
Lukas Slebodnik
0906cc28b8 ipa-sam: Do not redefine LDAP_PAGE_SIZE
The value of LDAP_PAGE_SIZE was changed in samba-4.4
and it caused warning because it's already defined
in samba header files

ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
 #define LDAP_PAGE_SIZE 1024

In file included from /usr/include/samba-4.0/smbldap.h:24:0,
                 from ipa_sam.c:31:
/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition
 #define LDAP_PAGE_SIZE 1000

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-03-09 18:59:29 +01:00
Lukas Slebodnik
ebbb2eba5b CONFIGURE: Replace obsolete macros
The AC_PROG_LIBTOOL macro is obsoleted by since libtool-2.0
which is already in rhel6+

https://fedorahosted.org/FedoraReview/wiki/AutoTools

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-08 20:02:27 +01:00
Simo Sorce
3e45c9be0a Allow admins to disable preauth for SPNs.
Some legacy softare is not able to properly cope with preauthentication,
allow the admins to disable the requirement to use preauthentication for
all Service Principal Names if they so desire. IPA Users are excluded,
for users, which use password of lessere entrpy, preauthentication is
always required by default.

This setting does NOT override explicit policies set on service principals
or in the global policy, it only affects the default.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/3860
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-03-08 18:48:40 +01:00
Lukas Slebodnik
017b343e13 IPA-SAM: Fix build with samba 4.4
samba_util.h is not shipped with samba-4.4
and it was indirectly included by "ndr.h"

Some functions have prototypes in different header file
"util/talloc_stack.h" and other does not have declarations
in other header file. But they are still part of libsamba-util.so

sh$ objdump -T /usr/lib64/libsamba-util.so.0.0.1 | grep -E "trim_s|xstrdup"
0000000000022200 g    DF .text  000000000000001f  SAMBA_UTIL_0.0.1 smb_xstrdup
00000000000223b0 g    DF .text  000000000000019d  SAMBA_UTIL_0.0.1 trim_string

ipa_sam.c: In function 'ldapsam_uid_to_sid':
ipa_sam.c:836:24: warning: implicit declaration of function 'talloc_stackframe'
                  [-Wimplicit-function-declaration]
  TALLOC_CTX *tmp_ctx = talloc_stackframe();
                        ^
ipa_sam.c: In function 'pdb_init_ipasam':
ipa_sam.c:4493:2: warning: implicit declaration of function 'trim_string'
                  [-Wimplicit-function-declaration]
  trim_string( uri, "\"", "\"" );
  ^
ipa_sam.c:4580:26: warning: implicit declaration of function 'smb_xstrdup'
                   [-Wimplicit-function-declaration]
  ldap_state->domain_dn = smb_xstrdup(dn);
                          ^

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-02-02 18:32:47 +01:00
Sumit Bose
348c400484 ipa-kdb: map_groups() consider all results
Resolves https://fedorahosted.org/freeipa/ticket/5573

Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-02-02 18:15:19 +01:00
Simo Sorce
f9ed0b6ff8 Convert ipa-sam to use the new getkeytab control
Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5495
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-02-01 13:28:39 +01:00
Simo Sorce
e011b376a5 Improve keytab code to select the right principal.
Whe requesting a keytab the salt used is the NORMAL type (for backwards and AD
compatibility), however since we added alias support we need to search for the
krbCanonicalName in preference, hen nothing is specified, and for the requested
principal name when a getkeytab operation is performed. This is so that the
correct salt can be applied. (Windows AD uses some peculiar aliases for some
special accounts to generate the salt).

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-02-01 13:28:39 +01:00
Lukas Slebodnik
4bef7577b7 extdom: Remove unused macro
Last usage of the macre SSSD_SYSDB_SID_STR was removed
in the commit 0ee8fe11ae

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-01-29 16:04:59 +01:00
Sumit Bose
45b0148fcc ipa-kdb: get_authz_data_types() make sure entry can be NULL
This function determines which type of authorization data should be
added to the Kerberos ticket. There are global default and it is
possible to configure this per service as well. The second argument is
the data base entry of a service. If no service is given it makes sense
to return the global defaults and most parts of get_authz_data_types()
handle this case well and this patch fixes the remain issue and adds a
test for this as well.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2016-01-27 16:03:03 +01:00
Ludwig Krispenz
c152e10075 prevent moving of topology entries out of managed scope by modrdn operations
Ticket: https://fedorahosted.org/freeipa/ticket/5536
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2016-01-21 12:52:08 +01:00
Simo Sorce
2144b1eeb7 Always verify we have a valid ldap context.
LDAP calls just assert if an invalid (NULL) context is passed in,
so we need to be sure we have a valid connection context before
calling into LDAP APIs and fail outright if a context can't be obtained.

https://fedorahosted.org/freeipa/ticket/5577

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-01-13 16:09:38 +01:00
Simo Sorce
58ab032f1a Use only AES enctypes by default
Remove des3 and arcfour from the defaults for new installs.

NOTE: the ipasam/dcerpc code sill uses arcfour

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/4740
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-01-13 15:24:53 +01:00
Nathaniel McCallum
563bddce6d Don't error when find_base() fails if a base is not required
We always have to call find_base() in order to force libldap to open
the socket. However, if no base is actually required then there is
no reason to error out if find_base() fails. This condition can arise
when anonymous binds are disabled.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-12 12:28:44 +01:00
Petr Spacek
ae2462738b DNSSEC: Log debug messages at log level DEBUG
https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-07 14:13:23 +01:00
Petr Spacek
9fbbe3e574 DNSSEC: ipa-ods-exporter: add ldap-cleanup command
Command "ldap-cleanup <zone name>" will remove all key metadata from
LDAP. This can be used manually in sequence like:
ldap-cleanup <zone name>
update <zone name>
to delete all key metadata from LDAP and re-export them from OpenDNSSEC.

ldap-cleanup command should be called when disabling DNSSEC on a DNS
zone to remove stale key metadata from LDAP.

https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-07 14:13:23 +01:00
Petr Spacek
ddf7397a4b DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
Key purging has to be only only after key metadata purging so
ipa-dnskeysyncd on replices does not fail while dereferencing
non-existing keys.

https://fedorahosted.org/freeipa/ticket/5334

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-07 14:13:23 +01:00
Petr Spacek
6bdc18d0c5 DNSSEC: logging improvements in ipa-ods-exporter
https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-07 14:13:23 +01:00
Petr Spacek
9ff1c0ac29 DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
Previously we published timestamps of planned state changes in LDAP.
This led to situations where state transition in OpenDNSSEC was blocked
by an additional condition (or unavailability of OpenDNSSEC) but BIND
actually did the transition as planned.

Additionally key state mapping was incorrect for KSK so sometimes KSK
was not used for signing when it should.

Example (for code without this fix):
- Add a zone and let OpenDNSSEC to generate keys.
- Wait until keys are in state "published" and next state is "inactive".
- Shutdown OpenDNSSEC or break replication from DNSSEC key master.
- See that keys on DNS replicas will transition to state "inactive" even
  though it should not happen because OpenDNSSEC is not available
  (i.e. new keys may not be available).
- End result is that affected zone will not be signed anymore, even
  though it should stay signed with the old keys.

https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-07 14:13:23 +01:00
Petr Spacek
9bcb9887ea DNSSEC: Improve error reporting from ipa-ods-exporter
https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-07 14:13:23 +01:00
Martin Basti
e4075b1fe2 Remove unused imports
This patch removes unused imports, alse pylint has been configured to
check unused imports.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:59:22 +01:00
Martin Basti
21f7584f9f FIX: ipa_kdb_principals: add missing break statement
Needs a 'break' otherwise prevents correct reporting of data and it always overrides
it with the placeholder data.

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-11-30 17:34:02 +01:00
Simo Sorce
0f52eddd1d Return default TL_DATA is krbExtraData is missing
Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/937
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-11-25 14:12:11 +01:00
Sumit Bose
657cf958c6 ipasam: fix a use-after-free issue
Since endptr points to a location inside of dummy, dummy should be freed
only after dereferencing endptr.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-11-23 14:45:54 +01:00
Sumit Bose
99cfc979d5 ipasam: use more restrictive search filter for group lookup
Since we are interested in looking up the SID of a group it makes sense
to include the objectclass which contains the SID attribute in the
search filter. This makes sure the group is not accidentally found a
second time in the compat tree.

Related to https://fedorahosted.org/freeipa/ticket/5457

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-11-23 14:45:54 +01:00
Sumit Bose
3d6fdab904 ipasam: fix wrong usage of talloc_new()
Fixes https://fedorahosted.org/freeipa/ticket/5457

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-11-23 14:45:54 +01:00
Lukas Slebodnik
73058af717 ipa_kdb_tests: Fix test with default krb5.conf
Default krb5.conf needn't have defined default_realm.
Unit tests should not rely on existing default value.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-18 12:55:42 +01:00
Lukas Slebodnik
75c26f9ec8 cmocka_tests: Do not use deprecated cmocka interface
The cmocka-1.0 introduced new interface for tests
which is not compatible with the old one.
And the old interface is deprecated which caused compiled warnings.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-18 12:54:43 +01:00
Lukas Slebodnik
be6ecac220 ipa-extdom-extop: Fix warning Wformat
In file included from ipa_extdom_extop.c:41:0:
ipa_extdom_extop.c: In function ‘ipa_extdom_init_ctx’:
ipa_extdom_extop.c:203:9: warning: format ‘%d’ expects argument of type ‘int’,
                          but argument 4 has type ‘size_t {aka long unsigned int}’ [-Wformat=]
     LOG("Maximal nss buffer size set to [%d]!\n", ctx->max_nss_buf_size);
         ^
../common/util.h:53:21: note: in definition of macro ‘LOG_PLUGIN_NAME’
                     fmt, ##__VA_ARGS__)
                     ^
ipa_extdom_extop.c:203:5: note: in expansion of macro ‘LOG’

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-13 18:37:23 +01:00
Lukas Slebodnik
08d65f54e7 topology: Fix warning Wshadow
topology_pre.c: In function ‘ipa_topo_pre_add’:
topology_pre.c:509:15: warning: declaration of ‘errtxt’ shadows a previous local [-Wshadow]
         char *errtxt;
               ^
topology_pre.c:494:11: note: shadowed declaration is here
     char *errtxt  = NULL;
           ^

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-13 18:37:23 +01:00
Lukas Slebodnik
2735db0d0e ipa_kdb_tests: Fix warning Wmissing-braces
tests/ipa_kdb_tests.c:254:9: warning: missing braces around initializer [-Wmissing-braces]
         {3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", BLACKLIST_SID"-1002"},
         ^
tests/ipa_kdb_tests.c:254:9: note: (near initialization for ‘test_data[6]’)
tests/ipa_kdb_tests.c:256:9: warning: missing braces around initializer [-Wmissing-braces]
         {0, NULL, 0 , NULL}
         ^
tests/ipa_kdb_tests.c:256:9: note: (near initialization for ‘test_data[7]’)
tests/ipa_kdb_tests.c:234:21: warning: missing braces around initializer [-Wmissing-braces]
     } test_data[] = {
                     ^

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-13 18:37:23 +01:00
Lukas Slebodnik
681afc4914 ipa_kdb_tests: Remove unused variables
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-13 18:37:23 +01:00
Ludwig Krispenz
3f70c9aed7 update list of managed servers when a suffix becomes managed
when a suffix becomes managed for a host, the host needs to
    be added to the managed servers, otherwise connectivity check would fail

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2015-10-30 13:47:25 +01:00
Ludwig Krispenz
22a999267c reject agreement only if both ends are managed
the creation or deletion of a replication agreemet is rejected if the
servers are managed for the suffix. But bot endpoints need to checked

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2015-10-30 13:47:25 +01:00
Ludwig Krispenz
26bfc914d9 handle cleaning of RUV in the topology plugin
After removing a server the replicaid needs to be cleared in the ruv entry and
    in the changelog.
    This was triggere by initiating a cleanallruv task in "ipa-replica-manage del",
    but the removal of a master already triggers a cleanup of segments and replication
    agreement by the topology plugin, so this could be handled by the plugin as well.

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2015-10-26 18:11:32 +01:00
Ludwig Krispenz
102651b10a prevent operation on tombstones
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Ludwig Krispenz
fcb9854dcb handle multiple managed suffixes
trigger topology updaet if suffix entry is added
    trigger topology update if managedSuffix is modified in host entry

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Petr Vobornik
80e11d2469 topology plugin configuration workaround
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Alexander Bokovoy
766438aba0 client referral support for trusted domain principals
https://fedorahosted.org/freeipa/ticket/3559

Reviewed-By: Sumit Bose <sbose@redhat.com>
2015-10-08 13:52:16 +02:00
Petr Spacek
0b797da560 Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding LDAP limits
ldap2 internally does LDAP search to find out what LDAP search limits
should be used (!). The problem is that this internal search has hardcoded
limits and throws LimitExceeded exception when DS is too slow.

DNSSEC daemons do not need any abstractions from ldap2 so we are going
to use ipaldap directly. This will avoid the unnecessary search and
associated risks.

https://fedorahosted.org/freeipa/ticket/5342

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-10-07 14:28:50 +02:00
Petr Viktorin
65e3b9edc6 Use six.Stringio instead of StringIO.StringIO
The StringIO class was moved to the io module.
(In Python 2, io.StringIO is available, but is Unicode-only.)

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-10-07 10:27:20 +02:00
Nathaniel McCallum
9e3eeadeb3 Fix an integer underflow bug in libotp
Temporarily storing the offset time in an unsigned integer causes the
value of the offset to underflow when a (valid) negative offset value
is generated. Using a signed variable avoids this problem.

https://fedorahosted.org/freeipa/ticket/5333

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-09-29 15:16:09 +02:00
Petr Spacek
ecf796e9c0 DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.
https://fedorahosted.org/freeipa/ticket/5273

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-09-03 18:22:53 +02:00
Petr Spacek
e840061176 DNSSEC: Fix key metadata export
Incorrect SQL join condition could lead to situation where metadata from
ZSK and KSK were interchanged.

https://fedorahosted.org/freeipa/ticket/5273

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
2015-09-03 18:20:36 +02:00
Petr Spacek
d24db5d921 DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction
https://fedorahosted.org/freeipa/ticket/5273

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
2015-09-03 18:20:36 +02:00
Petr Spacek
f1436c4ed8 DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart
It might happen that systemd will restart the service even if there is
no incomming connection to service socket. In that case we want to exit
because HSM synchronization is done before socket.accept() and we want
to synchronize HSM and DNS zones at the same time.

https://fedorahosted.org/freeipa/ticket/5273

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
2015-09-03 18:20:36 +02:00
Martin Basti
e7a876d88a DNSSEC: remove ccache and keytab of ipa-ods-exporter
Reusing old ccache after reinstall causes authentication error. And
prevents DNSSEC from working.

Related to ticket: https://fedorahosted.org/freeipa/ticket/5273

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-09-03 18:15:58 +02:00
Petr Viktorin
8de13bd7dd Use the print function
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-01 11:42:01 +02:00
Petr Viktorin
3bf91eab25 Use Python3-compatible dict method names
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.

Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.

When iterating through the entire dict, without modifying the dict,
 the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.

In other cases, helpers like six.itervalues are used.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-01 11:42:01 +02:00
Michael Simacek
aad73fad60 Port from python-krbV to python-gssapi
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.

- Removed Backend.krb and KRB5_CCache classes
  They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
  in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
  Using api.env.realm instead of krbV call

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-08-26 09:41:36 +02:00
Martin Babinsky
3506938a75 improve the handling of krb5-related errors in dnssec daemons
ipa-dnskeysync* and ipa-ods-exporter handle kerberos errors more gracefully
instead of crashing with tracebacks.

https://fedorahosted.org/freeipa/ticket/5229

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-08-18 21:11:58 +02:00
Petr Viktorin
27dabb4528 Modernize 'except' clauses
The 'as' syntax works from Python 2 on, and Python 3 will
drop the "comma" syntax.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
Petr Viktorin
b8c46f2a32 Modernize number literals
Use Python-3 compatible syntax, without breaking compatibility with py 2.7

- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
  long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
  strict type checking checking, e.g. type(0).

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-31 15:22:19 +02:00
Yuri Chornoivan
75fde43491 Fix minor typos
<ame> -> <name>
overriden -> overridden
ablity -> ability
enties -> entries
the the -> the

https://fedorahosted.org/freeipa/ticket/5109

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2015-07-17 14:33:30 +02:00
Sumit Bose
5017726eba ipa-kdb: add unit_tests for string_to_sid() and dom_sid_string()
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Sumit Bose
3f7481a220 ipa-kdb: make string_to_sid() and dom_sid_string() more robust
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Sumit Bose
7a1b4dcafc ipa-kdb: add unit-test for filter_logon_info()
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Sumit Bose
9d026ba824 ipa-kdb: convert test to cmocka
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Sumit Bose
7b524e7835 extdom: add unit-test for get_user_grouplist()
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
a9570e8ea3 ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab
When retrieving keytab, it is useful to know what user was attempting
to fetch the keyts and failed. This is useful to debug one-way trust
where SSSD forks out a process of ipa-getkeytab and it might be using
a wrong credentials cache for authentication purposes.

Part of https://fedorahosted.org/freeipa/ticket/4959

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
aa21600822 ipa-sidgen: reduce log level to normal if domain SID is not available
To support AD trust agents, we need to run sidgen and extdom plugins
on every IPA master. Lack of working configuration, thus, is not a
failure so reduce log level to normal as sidgen plugin will not
be active if domain SID is missing but it can certainly be kept
enabled.

Part of https://fedorahosted.org/freeipa/ticket/4951

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
785f6593ca add one-way trust support to ipasam
When trust is established, ipasam module creates a number of objects in LDAP
to represent the trust information. Among them, for one-way trust we create
a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest
and AD is a realm of the trusted Active Directory forest root domain.

This principal is then used by SSSD on IPA masters to authenticate against
trusted Active Directory domain controllers and retrieve information about
user and group identities.

FreeIPA also uses this principal's credentials to retrieve domain topology.

The access to the keys of the principal should be well-protected. We only
allow to retrieve the keytab for it for members of cn=adtrust agents group.
This group is populated with host/ and cifs/ principals from IPA masters.

Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters
where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install
on the master which will be configured to be a domain controller (e.g.
run Samba with ipasam), and specify --add-agents option to trigger activation
of the interactive mode to specify which IPA masters to enable.

Fixes https://fedorahosted.org/freeipa/ticket/4962
Part of fixes for https://fedorahosted.org/freeipa/ticket/4546

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
d3ccfefaa4 ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
When incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.

Note that we treat user's SID and primary group RID filtering as violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.

For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1
it is OK to have empty group RIDs array as GroupCount SHOULD be
equal to Groups.MembershipCount returned by SamrGetGroupsForUser
[MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty.

Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
88c10dd975 ipa-kdb: use proper memory chunk size when moving sids
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Ludwig Krispenz
6f916b0ac9 allow deletion of segment if endpoint is not managed
in the preop check do not reject the deletion of a segment, if not both endpoints
are managed servers for the suffix

thisis part of work for ticlet #5072

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-07-02 11:54:01 +02:00
Jan Cholasta
fe2accf776 ipalib: Load ipaserver plugins when api.env.in_server is True
https://fedorahosted.org/freeipa/ticket/3090
https://fedorahosted.org/freeipa/ticket/5073

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-01 13:05:30 +00:00
Ludwig Krispenz
5b76df4e73 v2 improve processing of invalid data.
reject attempts to add segments to suffixes, which do not exist or are not configured.
    check completenes and validity of segment attributes

    cf ticket 5088: https://fedorahosted.org/freeipa/ticket/5088

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2015-07-01 12:29:24 +02:00
Petr Spacek
fe6819eb9d DNSSEC: Store time & date key metadata in UTC.
OpenDNSSEC stores key metadata in local time zone but BIND needs
timestamps in UTC. UTC will be stored in LDAP.

https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-01 12:25:52 +02:00
Ludwig Krispenz
bb1f45b7f0 v2 clear start attr from segment after initialization
Online initialization can be triggered by setting "nsds5BeginReplicaRefresh[;left|;right]": start to a
    segment. But this field remained in the segment and after restart the init would be executed again.
    see Ticket #5065

    To fix this the field is cleared:
    - after a backend comes back online after being initialized
    - since there is a delay and the sending server could be restarted in between,
        the field is also scheced and renḿoved at startup

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2015-06-30 12:47:50 +02:00
Ludwig Krispenz
5e92c981b0 fix coverity issues
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-29 17:17:29 +02:00
Martin Babinsky
4d7b630992 ipa-kdb: common function to get key encodings/salt types
This patch moves duplicate code in `ipadb_get_connection` to get default and
supported key encodings/salt types from Kerberos container to a common
function handling this task.

It is actually a small cosmetic enhancement of the fix of
https://fedorahosted.org/freeipa/ticket/4914

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-29 17:15:00 +02:00
Petr Spacek
f9cbdd4915 DNSSEC: Improve ipa-ods-exporter log messages with key metadata.
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-29 14:32:26 +02:00
Petr Spacek
579d30571b DNSSEC: Add ability to trigger full data synchronization to ipa-ods-exporter.
New exporter's command 'ipa-full-update' will resynchronize all zone
keys from ODS database to LDAP.

This command holds database lock for the whole time to avoid race
conditions so it should be used only in special cases, e.g. during
master server migration.

https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-29 14:32:26 +02:00
Petr Spacek
6a8fb04460 DNSSEC: log ipa-ods-exporter file lock operations into debug log
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-29 14:32:26 +02:00
Petr Spacek
fd2340649f DNSSEC: ipa-ods-exporter: move zone synchronization into separate function
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-29 14:32:26 +02:00
Petr Spacek
68d0f641ba DNSSEC: Accept ipa-ods-exporter commands from command line.
Previously only systemd socket activation was supported.
Ability to call the command directly is handy in special cases,
e.g. for debugging or moving key master role from one server to another.

https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-29 14:32:26 +02:00
Petr Spacek
c37e83f4b3 DNSSEC: Detect invalid master keys in LDAP.
This should never happen ...

https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-29 14:32:26 +02:00
Ludwig Krispenz
a86f2b3c62 correct management of one directional segments
this patch contains the following improvements:
    check for existing segments works for all combinations of one directional and bidirectional segments
    rdns of replication agreements generated from one directional segments are preserves after
        merging of segments, so that deletion of the segment deletes the corresponding replication
        agreements

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2015-06-29 13:52:34 +02:00
Petr Spacek
33bc9e7fac Hide traceback in ipa-dnskeysyncd if kinit failed.
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-24 14:25:40 +02:00
Martin Basti
f763b137ee DNSSEC: fix traceback during shutdown phase
ipa-dnskeysyncd causes traceback when receive SIGTERM, SIGINT

Ticket: https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-06-15 09:43:51 +02:00
Ludwig Krispenz
056518ab1a v2-reject modifications of endpoints and connectivity of a segment
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2015-06-11 13:58:02 +02:00
Ludwig Krispenz
b3c2a4b810 make sure the agremment rdn match the rdn used in the segment
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2015-06-11 13:58:02 +02:00
Petr Vobornik
7cf82cf9aa move replications managers group to cn=sysaccounts,cn=etc,$SUFFIX
https://fedorahosted.org/freeipa/ticket/4302

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-11 12:10:40 +02:00
Ludwig Krispenz
777a9500ce check for existing and self referential segments
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-06-10 14:32:26 +02:00
Simo Sorce
f530886193 Fix s4u2proxy README and add warning
The attribute mentioned was using an older name that was later changed
in the implementation.
Also add a prominent warning about the use of the kadmin flags.

Reviewed-by: Rob Crittenden <rcritten@redhat.com>
2015-06-08 14:37:29 -04:00
Ludwig Krispenz
f87324df54 crash when removing a replica
when a server is removed from the topology the plugin tries to remove the
credentials from the replica and the bind dn group.
It performs an internal search for the ldap principal, but can fail if it was already removed
Due to an unitialized variable in this case it can eitehr crash or erroneously remove all
principals.

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-06-04 11:42:44 +02:00
Ludwig Krispenz
4e05ffa22c plugin uses 1 as minimum domain level to become active no calculation based on plugin version
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-06-04 11:42:44 +02:00
Ludwig Krispenz
faa4d0b6ea replica install fails with domain level 1
when updating an replication agreement from a toplogy segment an incorrect default value was used for bindmethod.
    Only attributes explicitely set in the segment should be applied.
    At shutdown the server could crash because the plugin was called after it was stopped.

    https://fedorahosted.org/freeipa/ticket/5035

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2015-06-02 14:05:32 +02:00
Simo Sorce
d5b6c83601 Detect default encsalts kadmin password change
When kadmin tries to change a password it will get the allowed keysalts
from the password policy. Failure to provide them will result in kadmin
using the defaults specified in the kdc.conf file or hardcoded defaults
(the default salt is then of type NORMAL).

This patch provides the supported values that have been read out of the
appropriate LDAP attribute when we read the server configuration.

Then at actual password change, check if kadmin is handing us back the exact
list of supported encsalts we sent it, and in that case replace it with the
real default encsalts.

Fixes https://fedorahosted.org/freeipa/ticket/4914

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
2015-05-27 09:45:56 -04:00
Ludwig Krispenz
25bf0c6e78 ds plugin - manage replication topology in the shared tree
Implementation of ticket: https://fedorahosted.org/freeipa/ticket/4302
        Design page: http://www.freeipa.org/page/V4/Manage_replication_topology

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2015-05-26 10:40:29 +02:00
Thierry Bordaz
0ebcc5b922 User life cycle: new stageuser commands activate
Add plugin commands to stageuser plugin:
stageuser_activate: activate entries created by IPA CLIs

https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-05-18 09:37:21 +02:00
Nathaniel McCallum
978298882b Fix a signedness bug in OTP code
This bug caused negative token windows to wrap-around, causing issues
with TOTP authentication and (especially) synchronization.

https://fedorahosted.org/freeipa/ticket/4990

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-05-05 11:50:20 +02:00
Martin Babinsky
528e9503ed use separate ccache filename for each IPA DNSSEC daemon
ipa-dnskeysyncd, ipa-dnskeysync-replica, and ipa-ods-exporter use a generic
'ccache' filename for credential storage, making debugging Kerberos-related
errors unnecessarily complicated. This patch renames the ccache files so that
each of these daemons now has its own credenital cache.

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-04-24 15:56:12 +02:00
Martin Babinsky
3d2feac0e4 Adopted kinit_keytab and kinit_password for kerberos auth
Calls to ipautil.run using kinit were replaced with calls
kinit_keytab/kinit_password functions implemented in the PATCH 0015.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-04-20 08:27:35 +00:00
Thierry bordaz (tbordaz)
c3ede5f1e9 User Life Cycle: Exclude subtree for ipaUniqueID generation
IPA UUID should not generate ipaUniqueID for entries under 'cn=provisioning,SUFFIX'

Add in the configuration the ability to set (optional) 'ipaUuidExcludeSubtree'

https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-04-08 08:19:09 +02:00
Martin Babinsky
4192cce80e do not log BINDs to non-existent users as errors
https://fedorahosted.org/freeipa/ticket/4889

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-04-02 08:59:25 +00:00
Martin Basti
1216da8b9f DNSSEC: Do not log into files
We want to log DNSSEC daemons only into console (journald)

https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-04-02 08:45:08 +00:00
Sumit Bose
c1114ef825 extdom: fix wrong realloc size
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
2015-03-26 14:58:37 +01:00
Alexander Bokovoy
704c79d91d fix Makefile.am for daemons
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
2015-03-26 14:58:37 +01:00
Sumit Bose
d0d79ada37 extdom: migrate check-based test to cmocka
Besides moving the existing tests to cmocka two new tests are added
which were missing from the old tests.

Related to https://fedorahosted.org/freeipa/ticket/4922

Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2015-03-18 13:33:38 +01:00
Sumit Bose
6cc6a3ceec extdom: add selected error messages
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2015-03-18 12:57:54 +01:00
Sumit Bose
02bd676939 extdom: add add_err_msg() with test
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2015-03-18 12:57:54 +01:00
Sumit Bose
5bf0592505 extdom: add err_msg member to request context
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2015-03-18 12:57:54 +01:00
Sumit Bose
8dac096ae3 extdom: fix memory leak
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-10 12:13:43 +01:00
Sumit Bose
024463804c extdom: return LDAP_NO_SUCH_OBJECT to the client
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-10 11:56:36 +01:00
Sumit Bose
c15a407cbf extdom: make nss buffer configurable
The get*_r_wrapper() calls expect a maximum buffer size to avoid memory
shortage if too many threads try to allocate buffers e.g. for large
groups. With this patch this size can be configured by setting
ipaExtdomMaxNssBufSize in the plugin config object
cn=ipa_extdom_extop,cn=plugins,cn=config.

Related to https://fedorahosted.org/freeipa/ticket/4908

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-09 14:48:08 +01:00
Sumit Bose
50c8f0c801 extdom: handle ERANGE return code for getXXYYY_r() calls
The getXXYYY_r() calls require a buffer to store the variable data of
the passwd and group structs. If the provided buffer is too small ERANGE
is returned and the caller can try with a larger buffer again.

Cmocka/cwrap based unit-tests for get*_r_wrapper() are added.

Resolves https://fedorahosted.org/freeipa/ticket/4908

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-09 14:48:08 +01:00
Sumit Bose
8c89807b11 Add configure check for cwrap libraries
Currently only nss-wrapper is checked, checks for other crwap libraries
can be added e.g. as

AM_CHECK_WRAPPER(uid_wrapper, HAVE_UID_WRAPPER)

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-09 14:48:08 +01:00
Sumit Bose
1a37822c3a ipa-range-check: do not treat missing objects as error
Currently the range check plugin will return a 'Range Check error'
message if a ldapmodify operation tries to change a non-existing object.
Since the range check plugin does not need to care about non-existing
objects we can just return 0 indicating that the range check plugin has
done its work.

Resolves https://fedorahosted.org/freeipa/ticket/4924

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-02-24 22:47:36 +01:00
Simo Sorce
8b199b813d Stop including the DES algorythm from openssl.
Since we dropped support for LANMAN hashes we do not need DES from OpenSSL
anymore. Stop including an testing for it.
Test for the MD4 algorythm instead whichis still used for the NT Hashes.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2015-02-23 16:27:22 +01:00
Martin Kosek
ffb9a09a0d Remove references to GPL v2.0 license
All FreeIPA original code should be licensed to GPL v3+ license,
update the respective files:

- daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c

Remove GPL v2.0 license files from LDIFs or template to keep
consistency.

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-02-20 15:40:42 +01:00
Alexander Bokovoy
373a04870d ipa-kdb: reject principals from disabled domains as a KDC policy
Fixes https://fedorahosted.org/freeipa/ticket/4788

Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-02-16 16:30:57 +01:00
Alexander Bokovoy
92c3a9f1fd ipa-kdb: when processing transitions, hand over unknown ones to KDC
When processing cross-realm trust transitions, let the KDC to handle
those we don't know about. Admins might define the transitions as
explicit [capaths] in krb5.conf.

https://fedorahosted.org/freeipa/ticket/4791

Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-02-16 16:29:59 +01:00
Simo Sorce
5247c0c4e2 Handle DAL ABI change in MIT 1.13
In this new MIT version the DAL interface changes slightly but
KRB5_KDB_DAL_MAJOR_VERSION was not changed.

Luckily KRB5_KDB_API_VERSION did change and that's enough to know
what to compile in.

Resolves: https://fedorahosted.org/freeipa/ticket/4861

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-02-13 08:54:34 +01:00
Nathaniel McCallum
9549a5984b Expose the disabled User Auth Type
Additionally, fix a small bug in ipa-kdb so that the disabled User
Auth Type is properly handled.

https://fedorahosted.org/freeipa/ticket/4720

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-02-12 10:31:24 +01:00
Martin Babinsky
782ad36639 OTP: emit a log message when LDAP entry for config record is not found
This patch proposes a fix to the following defect found by covscan of FreeIPA
master code:

"""
Error: CHECKED_RETURN (CWE-252):
/daemons/ipa-slapi-plugins/libotp/otp_config.c:239: check_return: Calling
"slapi_search_internal_get_entry" without checking return value (as is done
elsewhere 14 out of 16 times).
/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:402:
example_checked: Example 1: "slapi_search_internal_get_entry(sdn, NULL,
&config_entry, ipaenrollment_plugin_id)" has its value checked in "(rc =
slapi_search_internal_get_entry(sdn, NULL, &config_entry,
ipaenrollment_plugin_id)) != 0".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:207: example_assign:
Example 2: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(sdn, NULL, &config_entry, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:212: example_checked:
Example 2 (cont.): "ret" has its value checked in "ret".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:651: example_assign: Example
3: Assigning: "search_result" = return value from
"slapi_search_internal_get_entry(sdn, attrlist, e2, ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:653: example_checked:
Example 3 (cont.): "search_result" has its value checked in "search_result !=
0".  /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1035: example_assign:
Example 4: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(tmp_dn, NULL, &pwdop->pwdata.target,
ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1039:
example_checked: Example 4 (cont.): "ret" has its value checked in "ret != 0".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:817: example_assign: Example 5:
Assigning: "ret" = return value from "slapi_search_internal_get_entry(tmp_dn,
NULL, &e, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:820: example_checked: Example 5
(cont.): "ret" has its value checked in "ret == 10".
"""

The patch is a part of series related to
https://fedorahosted.org/freeipa/ticket/4795

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Martin Babinsky
d0fbfaf582 ipa-uuid: emit a message when unexpected mod type is encountered
This patch is related to the following defect reported by covscan of FreeIPA
master code:

"""
Error: DEADCODE (CWE-561): /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:796:
cond_const: Condition "modtype != 1", taking false branch. Now the value of
"modtype" is equal to 1.
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:796:
cond_const: Condition "modtype != 4", taking false branch. Now the value of
"modtype" is equal to 4.
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:941:
equality_cond: Jumping to case "1".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:957: equality_cond: Jumping to
case "4".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:940: intervals: When
switching on "modtype", the value of "modtype" must be in one of the following
intervals: {[1,1], [4,4]}.
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:940: dead_error_condition: The
switch value "modtype" cannot reach the default case.
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:1031: dead_error_begin:
Execution cannot reach this statement: "default:".
"""

The patch is a part of series related to
https://fedorahosted.org/freeipa/ticket/4795

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Martin Babinsky
b0611bc6c3 ipa-pwd-extop: added an informational comment about intentional fallthrough
This patch is related to this defect reported by covscan in FreeIPA code:

"""
Error: MISSING_BREAK (CWE-484):
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:631: unterminated_case: The
case for value "2" is not terminated by a 'break' statement.
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:638: fallthrough: The above
case falls through to this one.
"""

Added a comment informing about intentional falltrough in this place, so that
future generations reading the code don't get confused.

The patch is the part of a series related to
https://fedorahosted.org/freeipa/ticket/4795

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Martin Babinsky
d800ac867b OTP: failed search for the user of last token emits an error message
This patch fixes the following defect reported by covscan:

"""
Error: CHECKED_RETURN (CWE-252):
/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c:119:
check_return: Calling "slapi_search_internal_get_entry" without checking
return value (as is done elsewhere 14 out of 16 times).
/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:402:
example_checked: Example 1: "slapi_search_internal_get_entry(sdn, NULL,
&config_entry, ipaenrollment_plugin_id)" has its value checked in "(rc =
slapi_search_internal_get_entry(sdn, NULL, &config_entry,
ipaenrollment_plugin_id)) != 0".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:207:
example_assign: Example 2: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(sdn, NULL, &config_entry, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:212:
example_checked: Example 2 (cont.): "ret" has its value checked in "ret".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:651:
example_assign: Example 3: Assigning: "search_result" = return value from
"slapi_search_internal_get_entry(sdn, attrlist, e2, ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:653:
example_checked: Example 3 (cont.): "search_result" has its value checked in
"search_result != 0".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1035:
example_assign: Example 4: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(tmp_dn, NULL, &pwdop->pwdata.target,
ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1039:
example_checked: Example 4 (cont.): "ret" has its value checked in "ret != 0".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:817:
example_assign: Example 5: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(tmp_dn, NULL, &e, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:820:
example_checked: Example 5 (cont.): "ret" has its value checked in "ret ==
10".
"""

this patch is a part of a series related to
https://fedorahosted.org/freeipa/ticket/4795

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Martin Babinsky
13fb2b9067 ipa-kdb: more robust handling of principal addition/editing
The patch addresses the following defect reported by covscan in FreeIPA
master:

"""
Error: FORWARD_NULL (CWE-476):
/daemons/ipa-kdb/ipa_kdb_principals.c:1886: assign_zero: Assigning:
"principal" = "NULL".
/daemons/ipa-kdb/ipa_kdb_principals.c:1929:
var_deref_model: Passing null pointer "principal" to "ipadb_entry_to_mods",
which dereferences it.
/daemons/ipa-kdb/ipa_kdb_principals.c:1491:9:
deref_parm_in_call: Function "ipadb_get_ldap_mod_str" dereferences
"principal".
/daemons/ipa-kdb/ipa_kdb_principals.c:1174:5:
deref_parm_in_call: Function "strdup" dereferences "value"
"""

This is a part of series of patches related to
https://fedorahosted.org/freeipa/ticket/4795

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Martin Babinsky
eb09e77f16 always get PAC for client principal if AS_REQ is true
This patch proposes a fix for the following defect reported by covscan in
FreeIPA master code:

"""
Error: DEADCODE (CWE-561):
/daemons/ipa-kdb/ipa_kdb_mspac.c:2013: assignment: Assigning: "client_entry" =
"NULL".
/daemons/ipa-kdb/ipa_kdb_mspac.c:2077: null: At condition
"client_entry", the value of "client_entry" must be "NULL".
/daemons/ipa-kdb/ipa_kdb_mspac.c:2077: dead_error_condition: The condition
"client_entry" cannot be true.
/daemons/ipa-kdb/ipa_kdb_mspac.c:2077:
dead_error_line: Execution cannot reach the expression "client_entry" inside
this statement: "kerr = ipadb_get_pac(contex...".
"""

This is a part of a series of patches related to
https://fedorahosted.org/freeipa/ticket/4795

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Martin Babinsky
98b1690a0e ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a message
This patch is related this defect reported by covscan on FreeIPA master:

"""
Error: DEADCODE (CWE-561):
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code !=
-1765328353L", taking false branch. Now the value of "error_code" is equal to
-1765328353.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition
"error_code != -1765328360L", taking false branch. Now the value of
"error_code" is equal to -1765328360.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42:
cond_const: Condition "error_code != 0", taking false branch. Now the value of
"error_code" is equal to 0.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:71:
intervals: When switching on "error_code", the value of "error_code" must be
in one of the following intervals: {[-1765328360,-1765328360],
[-1765328353,-1765328353], [0,0]}.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:71:
dead_error_condition: The switch value "error_code" cannot reach the default
case.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:123: dead_error_begin: Execution
cannot reach this statement: "default:".
"""

This patch is a part of series related to
https://fedorahosted.org/freeipa/ticket/4795.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Tomas Babej
f30865c5f0 ipapython: Fix incorrect python shebangs
Make sure shebangs explicitly reference python2.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-01-26 13:03:24 +01:00
Martin Basti
0758cf9de6 DNSSEC catch ldap exceptions in ipa-dnskeysyncd
Server down exception causes lot of false positive abrt reports.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-01-23 09:26:55 +00:00
Alexander Bokovoy
5672eb14de ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
According to MS-ADTS 6.3.3.2, "Domain Controller Response to an LDAP Ping",
if NETLOGON_NT_VERSION_5EX_WITH_IP is requested in NtVer, we should fill the
socket address of the server and set the NtVer of the response accordingly.

The behavior is a bit unclear from 6.3.3.2 but Samba expects LDAP ping to behave
the same way as a mailslot ping, described in 6.3.5, where socket address of the
server is included only if _WITH_IP variant was requested in NtVer.  If NtVer
only contains NETLOGON_NT_VERSION_5EX (without _WITH_IP bit), socket
address should not be filled in.

Additionally, this means we should use special variant of
ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX helper named
ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags to properly handle optional
existence of the socket address in the response.

https://fedorahosted.org/freeipa/ticket/4827

Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-01-19 12:05:52 +01:00
Alexander Bokovoy
d57efb74bb Support Samba PASSDB 0.2.0 aka interface version 24
1. Samba project renamed libpdb to libsamba-passdb
   https://bugzilla.samba.org/show_bug.cgi?id=10355

2. With interface version 24, Samba removed uid_to_sid()/gid_to_sid()
   from the PASSDB interface and united them as id_to_sid().

Make sure FreeIPA ipa_sam code supports new and old versions of
the PASSDB API.

https://fedorahosted.org/freeipa/ticket/4778

Reviewed-By: Sumit Bose <sbose@redhat.com>
2015-01-19 10:21:48 +01:00
Simo Sorce
730b472db1 Avoid calling ldap functions without a context
We need to make sure we have a ld context before we can load the
configuration, otherwise ldap APIs will abort crashing the KDC.

If we have an issue connecting to LDAP the lcontext will be NULL, but
we are not checking that condition when we try to refresh the global
configuration.

https://fedorahosted.org/freeipa/ticket/4810

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-01-08 11:55:25 +01:00
Nathaniel McCallum
9baa93da1c Make token auth and sync windows configurable
This introduces two new CLI commands:
  * otpconfig-show
  * otpconfig-mod

https://fedorahosted.org/freeipa/ticket/4511

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-12-05 13:42:19 +01:00
Nathaniel McCallum
08f8acd88c Enable last token deletion when password auth type is configured
Also, ensure that the last token check only executes on DNs/entries that
are tokens. This resolves a large performance issue where a query was
being performed to load all the user's tokens on every del/mod operation.

https://fedorahosted.org/freeipa/ticket/4697
https://fedorahosted.org/freeipa/ticket/4719

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2014-12-03 08:48:56 +01:00
Nathaniel McCallum
953c6846b7 Move authentication configuration cache into libotp
This enables plugins to share authentication configuration cache code.

Additionally, update the caching mechanism to be declarative and faster.

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2014-12-03 08:48:56 +01:00
Nathaniel McCallum
bdccb0c721 Preliminary refactoring of libotp files
There are no major changes in this commit other than changing filenames
and symbols to have consistent namespaces. This prepares for larger
changes to come in subsequent commits.

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2014-12-03 08:48:56 +01:00
Jan Cholasta
8b13c30dc2 Fix unchecked return values in ipa-winsync
https://fedorahosted.org/freeipa/ticket/4713

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-25 08:23:24 +00:00
Jan Cholasta
c8bc6b8818 Fix unchecked return value in ipa-kdb
https://fedorahosted.org/freeipa/ticket/4713

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-25 08:23:24 +00:00
Jan Cholasta
eed7fb6378 Fix Kerberos error handling in ipa-sam
https://fedorahosted.org/freeipa/ticket/4713

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-25 08:23:24 +00:00
Jan Cholasta
313da898bb Remove redefinition of LOG from ipa-otp-lasttoken
https://fedorahosted.org/freeipa/ticket/4713

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-25 08:23:24 +00:00
Simo Sorce
b1a30bff04 Use asn1c helpers to encode/decode the getkeytab control
Replaces manual encoding with automatically generated code.

Fixes:
https://fedorahosted.org/freeipa/ticket/4718
https://fedorahosted.org/freeipa/ticket/4728

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-11-20 10:52:13 -05:00
Simo Sorce
b170851058 Fix filtering of enctypes in server code.
The filtering was incorrect and would result in always discarding all values.
Also make sure there are no duplicates in the list.

Partial fix for:
https://fedorahosted.org/freeipa/ticket/4718

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-11-20 10:52:13 -05:00
Nathaniel McCallum
79df668b5d Ensure that a password exists after OTP validation
Before this patch users could log in using only the OTP value. This
arose because ipapwd_authentication() successfully determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.

This patch resolves CVE-2014-7828.

https://fedorahosted.org/freeipa/ticket/4690

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-06 10:56:19 +01:00
Jan Cholasta
4e49f39e1a Fix memory leak in ipa-pwd-extop
Also remove dead code and explicitly mark an ignored return value to prevent
false positives in static code analysis.

https://fedorahosted.org/freeipa/ticket/4651

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
9062dcada4 Fix various bugs in ipa-opt-counter and ipa-otp-lasttoken
Fixes a wrong sizeof argument and unchecked return values.

https://fedorahosted.org/freeipa/ticket/4651

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
701dde3cb3 Fix memory leaks in ipa-extdom-extop
https://fedorahosted.org/freeipa/ticket/4651

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
08ee4a2e6f Fix possible NULL dereference in ipa-kdb
https://fedorahosted.org/freeipa/ticket/4651

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Jan Cholasta
2a4ba3d3cc DNSSEC: remove container_dnssec_keys
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-10-21 12:23:39 +02:00
Petr Spacek
276e69de87 DNSSEC: add ipa dnssec daemons
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Sumit Bose
43f8de0c76 extdom: remove unused dependency to libsss_idmap
https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2014-10-21 10:17:54 +02:00
Sumit Bose
0ee8fe11ae extdom: add support for sss_nss_getorigbyname()
https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2014-10-21 10:17:54 +02:00
Nathaniel McCallum
68825e7ac6 Configure IPA OTP Last Token plugin on upgrade
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 10:18:47 +02:00
Nathaniel McCallum
41bf0ba940 Create ipa-otp-counter 389DS plugin
This plugin ensures that all counter/watermark operations are atomic
and never decrement. Also, deletion is not permitted.

Because this plugin also ensures internal operations behave properly,
this also gives ipa-pwd-extop the appropriate behavior for OTP
authentication.

https://fedorahosted.org/freeipa/ticket/4493
https://fedorahosted.org/freeipa/ticket/4494

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 10:12:36 +02:00
Nathaniel McCallum
915837c14a Move OTP synchronization step to after counter writeback
This prevents synchronization when an authentication collision occurs.

https://fedorahosted.org/freeipa/ticket/4493

Reviewed-By: Thierry bordaz (tbordaz) <tbordaz@redhat.com>
2014-09-30 16:19:06 +02:00
Sumit Bose
3c75b9171e extdom: add support for new version
Currently the extdom plugin is basically used to translate SIDs of AD
users and groups to names and POSIX IDs.

With this patch a new version is added which will return the full member
list for groups and the full list of group memberships for a user.
Additionally the gecos field, the home directory and the login shell of a
user are returned and an optional list of key-value pairs which
currently will contain the SID of the requested object if available.

https://fedorahosted.org/freeipa/ticket/4031

Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2014-09-30 08:29:59 +02:00
Nathaniel McCallum
35ec0f7e3d Use stack allocation when writing values during otp auth
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2014-09-30 08:27:47 +02:00