Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.
https://fedorahosted.org/freeipa/ticket/2734
Commit a6e29f23f09ba5b6b6d362f7683ae8088bc0ba85 in Samba changed id mapping
API in passdb interface to use 'struct unixid'. The change replaced three arguments
(uid, gid, type) by one (struct unixid). As result, ipa-sam became broken.
Without this change ipa-sam introduces stack corruption in Samba post 4.0.0alpha18
leading to corrupted security context stack as well and then crashing in setgroups(3).
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.
The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.
https://fedorahosted.org/freeipa/ticket/1577
We need two attributes in the ipaNTTrustedDomain objectclass to store different
kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID
of the trusted domain. A second attribute is needed to store the SID for the
trusted domain user. Since it cannot be derived safely from other values and
since it does not make sense to create a separate object for the user a new
attribute is needed.
https://fedorahosted.org/freeipa/ticket/2191
'sid' is a stack variable, by assigning its address to the domain_sid pointer
we were later referencing grabage (whatever on the stack ha[ppened to be at
that address.
Properly copy the sid and allocate it on the provided memory context.
If a user become locked due to too many failed logins and then were
unlocked by an administrator, the account would not lock again. This
was caused by two things:
- We were incrementing the fail counter before checking to see if the
account was already locked out.
- The current fail count wasn't taken into consideration when
deciding if the account is locked.
The sequence was this:
1. Unlocked account, set failcount to 0
2. Failed login, increment failcount
3. Within lastfailed + lockout_duration, still locked. This skips
update the last_failed date.
So I reversed 2 and 3 and check to see if the fail count exceeds policy.
https://fedorahosted.org/freeipa/ticket/2765
When we set a password we also need to make sure krbExtraData is set.
If not kadmin will later complain that the object is corrupted at password
change time.
Ticket: https://fedorahosted.org/freeipa/ticket/2764
We currently return LDAP_REFERRAL which causes the mod to fail meaning
that referral entries cannot be changed.
All we really want to do is escape when we don't hvae an entry to modify.
https://fedorahosted.org/freeipa/ticket/2237
This was introduced when we started checking the return from
ipadb_get_context() to silence another coverity report.
That condition can never be true in this function but whatever ... let's
silence Coverity once again :)
Some of these are not real defects, because we are guaranteed to have valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.
One meleak on error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is
actually fine as we count before hand so we never actually use the wrong value
that is computed on the last pass when p == 0
Fixes: https://fedorahosted.org/freeipa/ticket/2488
IPA winsync plugin failed to replicate users when default user group
was non-posix even though User Private Groups (UPG) were enabled
on the server. Both their uidNumber and gidNumber were empty and
they missed essential object classes. When the default user group
was made posix and UPG was disabled it did not set gidNumber to
the default group gidNumber.
This patch improves this behavior to set gidNumber correctly
according to UPG configuration and the default group status
(posix/non-posix). 4 situations can occur, the following list
specifies what value is assigned to user gidNumber:
1) Default group posix, UPG enabled: gidNumber = UPG gidNumber
2) Default group posix, UPG disabled: gidNumber = default
group gidNumber
3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
4) Default group non-posix, UPG disabled: an error is printed to
the dirsrv log as the gidNumber cannot be retrieved. User
is replicated in the same way as before this patch, i.e.
without essential object classes.
https://fedorahosted.org/freeipa/ticket/2436
These definitions were needed during development to be a le to build against
krb5 version < 1.10
These function headers and defintions are now available in 1.10 that is a hard
dependency for freeipa 3.0, so we can safely drop them.
User always receives the same error message if he changes his password
via "ipa passwd" command and the new password fails configured
password policy. He then has to investigate on his own the actual
reason why was the policy violated. This patch improves our SLAPI PWD
plugins to provide a better error message explaining the violation
reason.
https://fedorahosted.org/freeipa/ticket/2067
This patch requires a forthcoming change in MIT libraries which allows to pass
NULL for the server_key to the krb5_pac_verify() function.
In most cases we should always only check the KDC checksum to verify the PAC
validity.
The only exception is when we are releasing a ticket to a client from another
realm. In this case the only signature we can check is the server checksum, and
we use the cross-realm key to validate in this case.
The previous code was working for normal cases because the kdc uses the same
key to create the server and the kdc checksum for a TGT, but that is not true
for evidence tickets (s4u2proxy) or cross-realm TGTs.
Fixes: https://fedorahosted.org/freeipa/ticket/2169
We were not searching for objectclass so the test to se if a user had the
posixAccount attribute was failing and the user was not marked as ipa_user.
This in turn caused us to not synchronize legacy hashes by not trying to store
the userPassword attribute.
Fixes: https://fedorahosted.org/freeipa/ticket/1820
Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection
the global SSF is checked for password changes and enrollments.
https://fedorahosted.org/freeipa/ticket/1877
Expiration time should be enforced as per policy only for users and only when a
password change occurs, ina ll other cases we should just let kadmin decide
whther it is going to set a password expiration time or just leave it empty.
In general service tickts have strong random passwords so they do not need a
password policy or expiration at all.
https://fedorahosted.org/freeipa/ticket/1839
Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.
Although the proper values for booleans from LDAP should be only uppercase,
389ds does allow wrong cased values without complaining. And we still have some
places where the wrong case is used.
Avoid getting frustrating errors when reading these values out.
Prevent the ipa-pwd-extop plugin from re-generating keys when kadimn is storing
a new set of keys. Only generate the userPassword and sambaXXPassword hashes.
Also avoid checking policies in this case and if history is provided avoid
regenerating the passwordHistory too.
Setting 0 will work as MIT KDCs assume the current master key when that is
found. But it is a legacy compatibility mode and we should instead set the
proper mkvno number on keys so changeing master key becomes possible w/o
having to do a dump reload and stopping the service. This is especially
important in replicated environments.
This can cause problems if a host is enrolled, unenrolled and a password
set. The password will be marked as expired like all new passwords are.
https://fedorahosted.org/freeipa/ticket/1526
We have no visibility into whether an entry has a keytab or not so
krbLastPwdChange is used as a rough guide.
If this value exists during enrollment then it fails because the host
is considered already joined. This was getting set when a OTP was
added to a host that had already been enrolled (e.g. you enroll a host,
unenroll it, set a OTP, then try to re-enroll). The second enrollment
was failing because the enrollment plugin thought it was still
enrolled becaused krbLastPwdChange was set.
https://fedorahosted.org/freeipa/ticket/1357
https://fedorahosted.org/freeipa/ticket/1382
crash in winsync if replaying a MOD and user does not exist in AD
If the AD entry is deleted before the deletion can be synced back to IPA,
and in the meantime an operation is performed on the corresponding
entry in IPA that should be synced to AD, winsync attempts to get the
AD entry and it is empty. This just means the operation will not go
through, and the entry will be deleted when the sync from AD happens.
The IPA winsync plugin needs to handle the case when the ad_entry
is NULL.
https://fedorahosted.org/freeipa/ticket/1379
winsync enables disabled users in AD when the AD entry changes
This was likely broken when ipa switched from using CoS/groups for account
inactivation to using nsAccountLock directly. The code that handled the
account sync in the from AD direction was broken, but was never found before
now because it had not been used. The fix is to correctly set or remove
nsAccountLock.
We need to set uidNumber and gidNumber to the magic values so that DNA can
assign appropriate Ids, otherwise the synchronization of users from AD will
fail with an error about posixAccount requiring a missing (uidNumber)
attribute.
Fixes: https://fedorahosted.org/freeipa/ticket/1020
When the UUID plug-in generates a value that is used in the RDN
of the entry being added, the old DN is free'd and replaced with
the new DN. The problem is that the operation in the pblock holds
a pointer to the old DN address. This can cause other plug-ins to
reference garbage, leading to incorrect results or crashes. This
was causing the attribute uniqueness plug-in to not work correctly,
resulting in duplicate netgroup entries.
The fix is to have the UUID plug-in reset the target DN after
changing the DN of the entry to be added.
ticket 963
Apparently we forgot to check OID consistency between the schema and the
extensions, and we got duplicates.
Technically the schema was done later but it is easier to change the extensions
OIDs than to change the schema of current beta2/rc1 installations.
The only side effect is that older ipa-getkeytab and ipa-join binaries will
fail. So all the admin/client tools must be upgraded at the same time as well
as all the masters (otherwise some will show/accept the new OID while others
won't).
Fixes: https://fedorahosted.org/freeipa/ticket/976
The situation is if during installation /etc/krb5.conf either doesn't
exist or configures no realms then 389-ds won't start up at all, causing
the installation to fail. This will let the server start up in a degraded
mode.
Also need to make the sub_dict in ldapupdate.py handle no realm otherwise
the installation will abort enabling the compat plugin.
ticket 606
The 389-ds replication plugin may not be installed on all platforms
and our replication version plugin will cause 389-ds to not start
if it is loaded and the replication plugin is not. So disable by
default.
When a replica is prepared we check for the replication plugin.
If it exists we will enable the replication version plugin.
Likewise on installation of a replica we check for existence of
the repliation plugin and if it is there then we enable the version
plugin before replication begins.
ticket 918
On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth
and will potentially fail the bind altogether.
On a successful bind it will zero krbLoginFailedCount and set
krbLastSuccessfulAuth.
This will also enforce locked-out accounts.
See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
kerberos lockout.
ticket 343
Mozldap code removed from all sources and configure source script.
Now, IPA will compile even when package mozldap-devel is not
installed on the system.
https://fedorahosted.org/freeipa/ticket/756
This patch fixes 2 situations where a pointer to allocated error
string could be overwritten - which could have resulted in
a memory leak.
https://fedorahosted.org/freeipa/ticket/716
This patch fixes several potential memory leaks in ipa-pwd-extop
SLAPI plugin.
Common function ipapwd_gen_hashes() now cleans after itself when
it fails. Other changes are local and self-explanatory.
https://fedorahosted.org/freeipa/ticket/715
Omiting return value of calloc in ipa_pwd_extop.c could lead to
memory access issues when memory is full. This patch adds return
value check.
https://fedorahosted.org/freeipa/ticket/717
Remove the LDAP_DEPRECATED constant and do not use functions that are
marked as deprecated in recent OpenLDAP releases. Also always define
WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that
depend on that constant.
https://fedorahosted.org/freeipa/ticket/576
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
Constant values were assigned to variables gthat would later be freed
with slapi_ch_free_string(). Make copies instead so the free doesn't
blow. Also remove useless tests, as these functions already check for
NULL on their own.
Fixes: https://fedorahosted.org/freeipa/ticket/529
Don't use KRB5_PRIVATE.
The patch implements and uses the following krb5 functions that are
otherwise private in recent MIT Kerberos releases:
* krb5_principal2salt_norealm
* krb5_free_ktypes
Signed-off-by: Simo Sorce <ssorce@redhat.com>
Use a little stricter compilation flags, in particular -Wall and treat
implicit function declarations as errors.
Signed-off-by: Simo Sorce <ssorce@redhat.com>
Consolidate the common logging macros into common/util.h and use them
in SLAPI plugins instead of calling slapi_log_error() directly.
https://fedorahosted.org/freeipa/ticket/408
Signed-off-by: Simo Sorce <ssorce@redhat.com>
The DS guys decided not to expose the DS inetrnal functions used to generate
UUIDs for DS. This means the interface is not guaranteed to be available.
Switch the ipa_uuid plugin to use the system libuuid plugin instead.
NOTE: This causes once again a change in the tring format used for UUIDs.
fixes: https://fedorahosted.org/freeipa/ticket/465
This should make renamed users able to keep using old credentials as the salt
is not derived from the principal name but is always a random quantity.
https://fedorahosted.org/freeipa/ticket/412
If a modify operation does not specify our attribute then we need to short
circuit the loop, otherwise on enforcing we will return an error by mistake if
we are not Directory Manager because generate is false if the attr is not
found.
By setting the enforce flag in the configuration we prevent anyone from storing
arbitrary values and allow only Directory Manager to override the plugin.
Users can only set the value to the magic value (usually 0) to have the uuid
regenerated, and nothing else.
Remove one level of indentation from the main function by jumping
to the end immediately if the configuration list is empty.
Other minor style cleanups.
This attribute is required for samba to properly identify a user has changed
it's password and doesn't need to change it again at next login.
At the same time, if we are forcing a pssword reset we also need to let samba
know the user must change its password.
Slapi plugins must use mozldap because 389 ds is compiled against that.
ipa_kpasswd, instead, should be linked against openldap.
So always make sure both are available.
We were mistakenly removeing the latest password from the passwordHistory
once the max history values were reached. Make sure we remove the oldest one
instead.
Use __func__ in log functions instead of the explicit function name
so that if the function need to be renamed later logs reflect the
change automatically w/o the need to change all occurrences.
Also makes a grep for the function name less noisy avoiding tons of
false positives.
The plugin was getting difficult to read and maintain.
Split it (and apply cosmetic cleanups to some functions) in smaller
pieces that perform specific tasks.
This addresses some problems trying to build on non-Fedora/RHEL
distributions, notably Gentoo and Ubuntu/Debian.
Patch contributed by Ian Kumlien <pomac@vapor.com>
The migration plugin uses a pre-op function to automatically create
kerberos credentials when binding using a password.
The problem is that we do a simple bind when doing password-base
host enrollment. This was causing krbPasswordExpiration to be set
which isn't what we want for hosts. They really shouldn't go through
this code at all.
Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions own't pollute
each other with bad data.
Use a Class of Service template to do per-group password policy. The
design calls for non-overlapping groups but with cospriority we can
still make sense of things.
The password policy entries stored under the REALM are keyed only on
the group name because the MIT ldap plugin can't handle quotes in the
DN. It also can't handle spaces between elements in the DN.
This will create a host service principal and may create a host entry (for
admins). A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentails are available then enrollment over LDAPS is used
if a password is provided.
This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
I have only tested the all, rpms and *clean targets directly.
install may work but the rpm moves a lot of things around for us.
The Apache configuration file isn't in its final state but it works
with the new mod_python configuration.
