Commit Graph

253 Commits

Author SHA1 Message Date
Alexander Bokovoy
32916d444b ipa-kdb: Support Windows 2012 Server
Windows 2012 Server changed procedure how KERB_VALIDATION_INFO ([MS-PAC]
section 2.5) is populated. Detailed description is available in [MS-KILE]
version 25.0 and above.

Refactor KERB_VALIDATION_INFO verification and ensure we filter out extra
SIDs in case they belong to our domain.

https://fedorahosted.org/freeipa/ticket/3231
2012-12-07 13:21:52 -05:00
Martin Kosek
6cb7441d15 Bump 389-ds-base minimum in our spec file
Our code needs both Requires and BuildRequires set to 389-ds-base
which supports transactions. Also add the requires to configure.ac.
2012-12-07 13:59:59 +01:00
Rob Crittenden
bf77679909 Password change in a transaction, ensure passwords are truly expired
Wrap the password change extop in a transaction.

Fix the case where a password is reset and then immediately used. If done
fast enough then the KDC may not detect that the password is expired and
grant access using the expired password rather than prompting for a reset.

https://fedorahosted.org/freeipa/ticket/1064
2012-12-07 10:30:33 +01:00
Rob Crittenden
146da1b326 Honor the kdb options disabling KDC writes in ipa_lockout plugin
Ther3 are two global ipaConfig options to disable undesirable writes that
have performance impact.

The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)

The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.

https://fedorahosted.org/freeipa/ticket/2734
2012-12-05 10:40:50 -05:00
Sumit Bose
c5e055ae00 Lookup the user SID in external group as well
Currently only the group SIDs from a PAC are used to find out about the
membership in local groups. This patch adds the user SID to the list.

Fixes https://fedorahosted.org/freeipa/ticket/3257
2012-11-30 16:39:07 -05:00
Simo Sorce
5269458f55 MS-PAC: Special case NFS services
The current Linux NFS server is severely limited when it comes to handling
kerberos tickets. Bsically any ticket bigger than 2k will cause it to fail
authentication due to kernel->userspace upcall interface restrictions.

Until we have additional support in IPA to indivdually mark principals to
opt out of getting PACs attached we always prevent PACs from being attached
to TGTs or Tickets where NFS is involved.
2012-11-30 16:30:10 -05:00
Rob Crittenden
f1f1b4e7f2 Enable transactions by default, make password and modrdn TXN-aware
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.

Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).

Fix some unit tests that are failing because we actually get the data
now due to transactions.

Add small bit of code in user plugin to retrieve the user again
ala wait_for_attr but in the case of transactions we need do it only
once.

Deprecate wait_for_attr code.

Add a memberof fixup task for roles.

https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
2012-11-21 14:55:12 +01:00
Alexander Bokovoy
2093007d4d ipasam: better Kerberos error handling in ipasam
If time is moved back on the IPA server, ipasam does not invalidate the
existing ticket.

https://fedorahosted.org/freeipa/ticket/3183
2012-11-21 13:18:26 +01:00
Tomas Babej
27a8f93178 Forbid overlapping primary and secondary rid ranges
Commands ipa idrange-add / idrange-mod no longer allows the user
to enter primary or secondary rid range such that has non-zero
intersection with primary or secondary rid range of another
existing id range, as this could cause collision.

Unit tests added to test_range_plugin.py

https://fedorahosted.org/freeipa/ticket/3086
2012-10-19 09:02:50 +02:00
Sumit Bose
89e315d639 extdom: handle INP_POSIX_UID and INP_POSIX_GID requests
Fixes https://fedorahosted.org/freeipa/ticket/3166
2012-10-18 10:57:54 +02:00
Sumit Bose
c1b922352f Fix various issues found by Coverity 2012-10-17 14:32:37 +02:00
Sumit Bose
70d7ec587a ipadb: reload trust information if domain is not known
Currently the data about trusted domains is read once at startup. If a
new trust is added the KDC must be restarted to know about the new
trust. This patch reloads the trust data if there is a request from an
unknown domain. To make DOS attacks a bit harder the data can be updated
only once in a minute.

Fixes https://fedorahosted.org/freeipa/ticket/3156
2012-10-09 10:28:11 +02:00
Sumit Bose
0575e68013 ipasam: generate proper SID for trusted domain object 2012-10-04 22:15:36 -04:00
Sumit Bose
58a99dd5ac Add SIDs for existing users and groups at the end of ipa-adtrust-install
Fixes https://fedorahosted.org/freeipa/ticket/3104
2012-10-04 22:15:36 -04:00
Sumit Bose
f5e839ef21 ipasam: add fallback primary group
https://fedorahosted.org/freeipa/ticket/2955
2012-10-04 22:15:36 -04:00
Sumit Bose
d491ba0289 ipasam: Fixes build with samba4 rc1 2012-09-14 16:50:52 +02:00
Rob Crittenden
71f9008906 Support the new Winsync POSIX API.
This will sync down the POSIX attributes from AD so we need to be careful
to not mess with them when they are already set. This includes
uidNumber, gidNumber, homeDirectory, loginShell and gecos.

http://port389.org/wiki/WinSync_Posix
http://port389.org/wiki/Windows_Sync_Plugin_API#Version_3_API_functions

https://fedorahosted.org/freeipa/ticket/3007
2012-09-06 14:29:14 +02:00
Sumit Bose
bd7f3e4b17 ipasam: replace trim_char() with trim_string() 2012-09-06 09:24:59 +02:00
Sumit Bose
931e890680 ipasam: remove fetch_ldap_pw() 2012-09-06 09:24:59 +02:00
Sumit Bose
260940ceb4 ipasam: replace get_global_sam_sid() 2012-09-06 09:24:59 +02:00
Sumit Bose
621b28a4a0 ipasam: add libsss_idmap context and replace string_to_sid() 2012-09-06 09:24:59 +02:00
Sumit Bose
dbd4cb51d3 ipasam: Replace global_sid_Builtin 2012-09-06 09:24:59 +02:00
Sumit Bose
af02b9e0a9 ipasam: Replace sid_peek_check_rid() 2012-09-06 09:24:59 +02:00
Sumit Bose
fa7f5a8327 ipasam: Replace sid_check_is_our_sam() 2012-09-06 09:24:59 +02:00
Sumit Bose
8697b70d6b ipasam: Replace dom_sid_compare_domain() 2012-09-06 09:24:59 +02:00
Sumit Bose
f864d766eb ipasam: Replace is_null_sid() 2012-09-06 09:24:59 +02:00
Sumit Bose
4f7af98571 ipasam: replace sid_compose() 2012-09-06 09:24:58 +02:00
Sumit Bose
454c2d4e8c ipasam: replace sid_copy() 2012-09-06 09:24:58 +02:00
Sumit Bose
885f4a6bb8 ipasam: remove talloc_asprintf_strupper_m() 2012-09-06 09:24:58 +02:00
Sumit Bose
2877cb4c0d ipasam: remove strlower_m() 2012-09-06 09:24:58 +02:00
Sumit Bose
33494689a2 ipasam: replace strnequal() 2012-09-06 09:24:58 +02:00
Sumit Bose
128257c68b ipasam: remove sid_peek_rid() 2012-09-06 09:24:58 +02:00
Sumit Bose
50a0b84176 ipasam: remove nt_lm_owf_gen() and dependency to libcliauth.so 2012-09-06 09:24:58 +02:00
Sumit Bose
973aad9db3 Make encode_ntlm_keys() public 2012-09-06 09:24:58 +02:00
Sumit Bose
d90fb0a590 ipasam: cleanup explicit dependencies to samba libs 2012-09-06 09:24:58 +02:00
Sumit Bose
83245bc8c9 ipadb_iterate(): handle match_entry == NULL
If match_entry == NULL all principals should be iterated.

Additionally this patch adds a check in ipadb_filter_escape() to make
sure that the input is not NULL.

Fixes: https://fedorahosted.org/freeipa/ticket/3011
2012-09-05 14:20:29 +02:00
Tomas Babej
ed44de17ff Change slapi_mods_init in ipa_winsync_pre_ad_mod_user_mods_cb
https://fedorahosted.org/freeipa/ticket/2953
2012-09-04 18:06:44 +02:00
Rob Crittenden
3eadcdf123 Don't generate password history error if history is set to 0.
https://fedorahosted.org/freeipa/ticket/2805
2012-08-27 15:21:03 +02:00
Alexander Bokovoy
6171d0a01b Fix ipasam ipaNThash magic regen to actually fetch updated password
With this change ipasam is able to ask for ipaNTHash generation and if
corresponding Kerberos key is available, will be able to retrieve generated ipaNTHash.

Part 1 of https://fedorahosted.org/freeipa/ticket/3016
2012-08-22 17:21:11 +03:00
Alexander Bokovoy
14c48ba6fb Recover from invalid cached kerberos credentials in ipasam
When developing and testing in the same environment, multiple re-installs
may be needed. This means previously issued and cached Kerberos credentials
will become invalid upon new install.

ipasam passdb module for Samba uses Kerberos authentication when talking to
IPA LDAP server. Obtained Kerberos credentials are cached during their lifetime.
However, the ccache is not removed automatically and if IPA setup is made
again, cached credentials are used, only to discover that they are invalid.

With this change invalid correctly obtained cached credentials are recognized
and, if LDAP SASL bind fails, new credentials are requested from the KDC.

https://fedorahosted.org/freeipa/ticket/3009
2012-08-22 17:20:56 +03:00
Sumit Bose
e8d4cc65f8 Use libsamba-security instead of libsecurity
In samba4-beta6 the name of a library was changed from libsecurity to
libsamba-security.
2012-08-22 17:18:07 +03:00
Sumit Bose
d815c3bc99 extdom: read ranges from LDAP 2012-08-15 23:41:06 -04:00
Simo Sorce
c58836f29d Add PAC filtering
This check the PAC we receive is consistent.
realm, flat name and domain sid must much our understanding or the trustd
realm and no additional sids beyond the own realm ones must be present.

Ticket #2849
2012-08-02 11:28:19 -04:00
Simo Sorce
754d0bea06 Split out manipulation of logon_info blob
This way multiple functions can manipulate the logon info structure until all
operations we want to do on it are done and then fold it back once.
2012-08-02 11:28:12 -04:00
Simo Sorce
1bb9eb7da3 Properly name function to add ipa external groups
The function filter_pac was not filtering the pac at all, it was merely
augmenting it with additional data relevant to the IPA server.

Change the name of the function to avoid confusion.
While there I also simplified and cleaed up the code a bit with regard to
variable names and usage.
2012-08-02 11:28:06 -04:00
Simo Sorce
4baf6ad21c Load list of trusted domain on connecting to ldap
This list is used to validate data in mspac filtering
2012-08-02 11:27:59 -04:00
Simo Sorce
560b9416f6 Move mspac structure to be a private pointer
By keeping it's definition in the mspac file it is easier to modify and make
sure any opertion on it is handled in the same file.
2012-08-02 11:27:52 -04:00
Alexander Bokovoy
051eb5f7e4 When ipaNTHash is missing, ask IPA to generate it from kerberos keys
Signed-off-by: Simo Sorce <ssorce@redhat.com>
2012-07-30 10:32:14 -04:00
Simo Sorce
38d98fd3aa Add special modify op to regen ipaNTHash
The NT Hash is the same thing as the RC4-HMAC key, so we add a function to
extract it from krb5 keys if they are available to avoid forcing a password
change when configuring trust relationships.
2012-07-30 10:31:59 -04:00
Simo Sorce
86d83654dc Improve loops around slapi mods
Avoid the need to allocate/free a Slapi_Mod and avoid checking for attribute
equvalence after a match (use if/else)
2012-07-30 10:31:55 -04:00