Commit Graph

276 Commits

Author SHA1 Message Date
Rafael Guterres Jeffman
fd0fd487df Fix "no entry" condition when searching PAC info
Fix Covscan-discovered DEADCODE block when searching for PAC info,
caused by a wrong condition being evaluated when entry is a trusted
domain object.

Fixes: https://pagure.io/freeipa/issue/9368

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-04-28 10:11:30 -04:00
Alexander Bokovoy
f78dc0b163 kdb: implement RBCD handling in KDB driver
Resource-based constrained delegation (RBCD) is implemented with a new
callback used by the KDC. This callback is called when a server asks for
S4U2Proxy TGS request and passes a ticket that contains RBCD PAC
options.

The callback is supposed to take a client and a server principals, a PAC and a target
service database entry. Using the target service database entry it then
needs to decide whether a server principal is allowed to delegate the
client credentials to the target service.

The callback can also cross-check whether the client principal can be
limited in delegating own tickets but this is not implemented in the
current version.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-05 14:55:22 -04:00
Alexander Bokovoy
adc9609ff3 ipa-kdb: search S4U2Proxy ACLs in cn=s4u2proxy,cn=etc,$BASEDN subtree only
Confine search for S4U2Proxy access control lists to the subtree where
they created. This will allow to use a similar method to describe RBCD
access controls.

Related: https://pagure.io/freeipa/issue/5444

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-05 14:55:22 -04:00
Alexander Bokovoy
0c32ebf858 ipa-kdb: PAC consistency checker needs to handle child domains as well
When PAC check is performed, we might get a signing TGT instead of the
client DB entry. This means it is a principal from a trusted domain but
we don't know which one exactly because we only have a krbtgt for the
forest root. This happens in MIT Kerberos 1.20 or later where KDB's
issue_pac() callback never gets the original client principal directly.

Look into known child domains as well and make pass the check if both
NetBIOS name and SID correspond to one of the trusted domains under this
forest root. Move check for the SID before NetBIOS name check because we
can use SID of the domain in PAC to find out the right child domain in
our trusted domains' topology list.

Fixes: https://pagure.io/freeipa/issue/9316

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-02-09 14:29:38 -05:00
Alexander Bokovoy
21d99b457d ipa-kdb: for delegation check, use different error codes before and after krb5 1.20
With MIT krb5 1.20, a call to krb5_db_check_allowed_to_delegate()
and krb5_db_check_allowed_to_delegate_from() expects to return either
KRB5KDC_ERR_BADOPTION for a policy denial or KRB5_PLUGIN_OP_NOTSUPP in
case plugin does not handle the policy case. This is part of the MIT
krb5 commit a441fbe329ebbd7775eb5d4ccc4a05eef370f08b which added a
minimal MS-PAC generator.

Prior to MIT krb5 1.20, the same call was expected to return either
KRB5KDC_ERR_POLICY or KRB5_PLUGIN_OP_NOTSUPP errors.

Related: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-14 10:12:42 -05:00
Alexander Bokovoy
ce05e5fd40 ipa-kdb: fix comment to make sure we talk about krb5 1.20 or later
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-02 11:03:04 +02:00
Alexander Bokovoy
0c67f0e607 ipa-kdb: fix PAC requester check
PAC requester check was incorrect for in-realm S4U operations. It casted
too wide check which denied some legitimate requests. Fix that by only
applying rejection to non-S4U unknown SIDs, otherwise S4U2Self request
issued by the in-realm service against a trusted domain's user would not
work.

Related: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-02 11:03:04 +02:00
Alexander Bokovoy
e86807b58c ipa-kdb: handle empty S4U proxy in allowed_to_delegate
With krb5 1.20, S4U processing code uses a special case of passing an
empty S4U proxy to allowed_to_delegate() callback to identify if the
server cannot get forwardable S4U2Self tickets according to [MS-PAC]
3.2.5.1.2.

This means we need to ensure NULL proxy is a valid one and return an
appropriate response to that.

Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-02 11:03:04 +02:00
Alexander Bokovoy
a9018da90d ipa-kdb: handle cross-realm TGT entries when generating PAC
For generating PAC we need to know SID of the object and a number of
required attributes. However, trusted domain objects do not have these
attributes. Luckily, IPA LDAP schema puts them under actual trust
objects which have all the additional (POSIX) attributes.

Refactor PAC generator to accept secondary LDAP entry and use that one
to pull up required attributes. We only use this for trusted domain
objects.

Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-02 11:03:04 +02:00
Alexander Bokovoy
c1582bd322 ipa-kdb: add krb5 1.20 support
Add basic krb5 1.20 integration without RBCD support. RBCD will come in
a separate series.

Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-02 11:03:04 +02:00
Alexander Bokovoy
5e7590981b ipa-kdb: refactor MS-PAC processing to prepare for krb5 1.20
Make sure both krb5 pre 1.20 and 1.20 or later would call into the same
PAC generation code while driven by different API callbacks from the
krb5 KDB interface.

Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-02 11:03:04 +02:00
Sumit Bose
0ce3ab36b4 ipa-kdb: do not fail if certmap rule cannot be added
Currently if a certificate mapping and matching rule has a typo or is of
an unsupported type the whole rule processing is aborted and the IPA
certmap plugin works without any rules effectively disabling PKINIT for
users. Since each rule would only allow more certificates for PKINIT it
would be more user/admin friendly to just ignore the failed rules with a
log message and continue with what is left or use the default rule if
nothing is left.

This change is done to add more flexibility to define new mapping and
matching templates which are e.g. needed to cover changes planned by
Microsoft as explained in
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-07 17:02:43 +02:00
Alexander Bokovoy
0e6d9edd5d ipa-kdb: avoid additional checks for a well-known anonymous principal
For a well-known anonymous principal an Anonymous PKINIT method is used
which ignores the password set in the principal entry. For these
principals any defined user auth type is irrelevant, their use is
defined in RFC 6112. This gets confusing when a default user auth type
requires a particular authentication method.

When AS request for Anonymous PKINIT is used, a TGT would contain no
authentication indicator. It means we cannot apply any specific
indicator policy and must skip the checks.

Fixes: https://pagure.io/freeipa/issue/9165

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-05-30 12:12:44 +03:00
Rob Crittenden
706a5b8731 If the password auth type is enabled also enable the hardened policy
This will allow custom hardened password policy to be applied.
Without this then the policy will be skipped because the UA
is not enabled.

The KDC and client will prefer SPAKE any time it is available.
For IPA this should mean we should choose hardened setting over a
default one any time SPAKE is used.

Related: https://pagure.io/freeipa/issue/9121

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-25 08:08:36 +03:00
Rob Crittenden
62807654a0 kdb: The jitter offset should always be positive
Otherwise the resulting value could be outside the valid
bounds of the time value.

Related: https://pagure.io/freeipa/issue/9121

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-25 08:08:36 +03:00
Alexander Bokovoy
2282509934 ipa-kdb: apply per-indicator settings from inherited ticket policy
Fixes: https://pagure.io/freeipa/issue/9121

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-25 08:08:36 +03:00
Alexander Bokovoy
a1be4fc863 KDB: support external IdP configuration
When IdP configuration is provided, take it into account:

 - idp-specific Kerberos ticket policy would be applied

 - Presence of IdP link in a Kerberos principal entry would cause KDB to
   enable `idp` pre-authentication method on KDC side.

The latter requires additional pre-authentication method supplied with
SSSD 2.7.0.

Fixes: https://pagure.io/freeipa/issue/8804

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
2022-05-10 15:52:41 +03:00
Sumit Bose
f91e9d3fd4 ipa-kdb: fix make check
The recent refactoring split out code into two new files which are
needed for the test binary as well.

Related: https://pagure.io/freeipa/issue/9083
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-03-29 14:01:29 -04:00
Julien Rische
35e94bee0e ipa-kdb: do not remove keys for hardened auth-enabled users
Since 5d51ae5, principal keys were dropped in case user auth indicator
was not including password. Thereafter, the key removal behavior was
removed by 15ff9c8 in the context of the kdcpolicy plugin introduction.
Support for hardened pre-auth methods (FAST and SPAKE) was added in
d057040, and the removal of principal keys was restored afterwards by
f0d12b7, but not taking the new hardened auth indicator into account.

Fixes: https://pagure.io/freeipa/issue/9065
Related to: https://pagure.io/freeipa/issue/8001

Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-02-02 15:42:45 +01:00
Alexander Bokovoy
2dc752018c ipa-kdb: refactor KDB driver to prepare for KDB version 9
MIT Kerberos 1.20 changes DAL interface around PAC record issuance:
sign_authdata callback is removed and replaced with issue_pac one.
The signatures are different and logic changed as well.

Prepare for KDB version 9 by moving PAC implementation into separate
source files. ipa_kdb_mspac.c is left with most of the common code.

FreeIPA supports sign_authdata callback since KDB version 6, move current
implementation to ipa_kdb_mspac_v6.c.

KDB version 8 actually changed sign_authdata interface and we accounted
to that in ipa_kdb.c with a stub that re-uses v6 version. Keep it as it
is right now.

Finally, add KDB version 9 stub files. Compiling against MIT Kerberos
1.20 does not work yet, thus explicit #error message in ipa_kdb.c. This
will be worked on later.

Related: https://pagure.io/freeipa/issue/9083

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-01-24 17:38:24 -05:00
Alexander Bokovoy
637412acfd ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates
New versions of MS-KILE and MS-SFU after Windows Server November 2021
security updates add PAC_REQUESTER_SID buffer check behavior:

 - PAC_REQUESTER_SID should only be added for TGT requests

 - if PAC_REQUESTER_SID is present, KDC must verify that the cname on
   the ticket resolves to the account with the same SID as the
   PAC_REQUESTER_SID. If it doesn't KDC must respond with
   KDC_ERR_TKT_REVOKED

Change requester SID check to skip exact check for non-local
PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
we know about.

If requester SID is the same as in PAC, we already do cname vs PAC SID
verification.

With these changes FreeIPA works against Windows Server 2019 with
November 2021 security fixes in cross-realm S4U2Self operations.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-29 21:00:42 +02:00
Alexander Bokovoy
bda59110f1 ipa-kdb: issue PAC_REQUESTER_SID only for TGTs
MS-KILE 3.3.5.6.4.8 in revision after Windows Server November 2021
security fixes added the following requirement:

- PAC_REQUESTER_SID is only added in TGT case (including referrals and
  tickets to RODCs)

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-29 21:00:42 +02:00
Alexander Bokovoy
9043b8d534 Fix use of comparison functions to avoid GCC bug 95189
Due to a bug in GCC 9 and GCC 10 optimizing code, all C library
comparison functions should be used with explicit result comparison in
the code to avoid problems described in

http://r6.ca/blog/20200929T023701Z.html

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189

The code below is affected:

```
    if (strcmp(a, b) || !strcmp(c, d)) ...
```

while the code below is not affected:

```
    if (strcmp(a, b) != 0 || strcmp(c, d)) == 0
```

for all C library cmp functions and related:

 - strcmp(), strncmp()
 - strcasecmp(), strncasecmp()
 - stricmp(), strnicmp()
 - memcmp()

This PR idea is based on the pull request by 'Nicolas Williams <nico@twosigma.com>'
to Heimdal Kerberos: https://github.com/heimdal/heimdal/pull/855

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-23 10:31:34 +01:00
Alexander Bokovoy
0c08faf3c1 ipa-kdb: validate domain SID in incoming PAC for trusted domains for S4U
Previously, ipadb_check_logon_info() was called only for cross-realm
case. Now we call it for both in-realm and cross-realm cases. In case of
the S4U2Proxy, we would be passed a PAC of the original caller which
might be a principal from the trusted realm. We cannot validate that PAC
against our local client DB entry because this is the proxy entry which
is guaranteed to have different SID.

In such case, validate the SID of the domain in PAC against our realm
and any trusted doman but skip an additional check of the DB entry in
the S4U2Proxy case.

Related: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-11 16:13:56 -05:00
Alexander Bokovoy
4062e7b963 ipa-kdb: honor SID from the host or service entry
If the SID was explicitly set for the host or service entry, honor it
when issuing PAC. For normal services and hosts we don't allocate
individual SIDs but for cifs/... principals on domain members we do as
they need to login to Samba domain controller.

Related: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-11 16:13:56 -05:00
Alexander Bokovoy
3042a1d544 ipa-kdb: Use proper account flags for Kerberos principal in PAC
As part of CVE-2020-25717 mitigations, Samba expects correct user
account flags in the PAC. This means for services and host principals we
should be using ACB_WSTRUST or ACB_SVRTRUST depending on whether they
run on IPA clients ("workstation" or "domain member") or IPA servers
("domain controller").

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-10 15:00:27 -05:00
Alexander Bokovoy
0022bd70d9 ipa-kdb: add PAC_ATTRIBUTES_INFO PAC buffer support
PAC_ATTRIBUTES_INFO PAC buffer allows both client and KDC to tell
whether a PAC structure was requested by the client or it was provided
by the KDC implicitly. Kerberos service then can continue processing or
deny access in case client explicitly requested to operate without PAC.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-10 15:00:27 -05:00
Alexander Bokovoy
9a0bcbbe82 ipa-kdb: add support for PAC_REQUESTER_SID buffer
CVE-2020-25721 mitigation: KDC must provide the new PAC_REQUESTER_SID
buffer with ObjectSID value associated with the requester's principal.

The mitigation only works if NDR library supports the PAC_REQUESTER_SID
buffer type. In case we cannot detect it at compile time, a warning will
be displayed at configure stage.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-10 15:00:27 -05:00
Alexander Bokovoy
23336160f2 ipa-kdb: add support for PAC_UPN_DNS_INFO_EX
CVE-2020-25721 mitigation: KDC must provide the new HAS_SAM_NAME_AND_SID
buffer with sAMAccountName and ObjectSID values associated with the
principal.

The mitigation only works if NDR library supports the
PAC_UPN_DNS_INFO_EX buffer type. In case we cannot detect it at compile
time, a warning will be displayed at configure stage.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-10 15:00:27 -05:00
Alexander Bokovoy
6828273b56 ipa-kdb: S4U2Proxy target should use a service name without realm
According to new Samba Kerberos tests and [MS-SFU] 3.2.5.2.4
'KDC Replies with Service Ticket', the target should not include the
realm.

Fixes: https://pagure.io/freeipa/issue/9031

Pair-programmed-with: Andreas Schneider <asn@redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Andreas Schneider <asn@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-10 15:00:27 -05:00
Alexander Bokovoy
443a99060c ipa-kdb: use entry DN to compare aliased entries in S4U operations
When working with aliased entries, we need a reliable way to detect
whether two principals reference the same database entry. This is
important in S4U checks.

Ideally, we should be using SIDs for these checks as S4U requires PAC
record presence which cannot be issued without a SID associated with an
entry. This is true for user principals and a number of host/service
principals associated with Samba. Other service principals do not have
SIDs because we do not allocate POSIX IDs to them in FreeIPA. When PAC
is issued for these principals, they get SID of a domain computer or
domain controller depending on their placement (IPA client or IPA
server).

Since 389-ds always returns unique entry DN for the same entry, rely on
this value instead. We could have used ipaUniqueID but for Kerberos
principals created through the KDB (kadmin/kdb5_util) we don't have
ipaUniqueID in the entry.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-10 15:00:27 -05:00
Alexander Bokovoy
637653a533 ipa-kdb: enforce SID checks when generating PAC
Check that a domain SID and a user SID in the PAC passed to us are what
they should be for the local realm's principal.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Robert Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-10 15:00:27 -05:00
Alexander Bokovoy
6cfb9b7193 ipa-kdb: store SID in the principal entry
If the principal entry in LDAP has SID associated with it, store it to
be able to quickly assess the SID when processing PAC.

Also rename string_to_sid to IPA-specific version as it uses different
prototype than Samba version.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Robert Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-10 15:00:27 -05:00
Pavel Březina
7a9301c5f9 kdb: fix typo in ipa_kdcpolicy_check_as
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-09-22 09:36:39 +02:00
Alexander Bokovoy
3fc75b15fa ipa-kdb: mark test functions as static
No need to define missing prototypes to single use test functions.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-01 10:44:25 -05:00
Alexander Bokovoy
3037de2820 ipa-kdb: reformat ipa_kdb_certauth
Add prototype to the exported function

Replace few tabs by spaces and mark static code as static.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-01 10:44:25 -05:00
Alexander Bokovoy
f996c21edb ipa-kdb: add missing prototypes
On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings
about function prototypes missing. If -Werror is specified, this breaks
compilation.

We also default to -Werror=implicit-function-declaration

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-01 10:44:25 -05:00
Alexander Bokovoy
1d2a14a2d2 ipa-kdb: fix compiler warnings
There are few fields in KDB structures that have 'conflicting' types but
need to be compared. They come from MIT Kerberos and we have no choice
here.

In the same way, SID structures have own requirements.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-01 10:44:25 -05:00
Alexander Bokovoy
47d49aa7b7 ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
Calling to ipadb_get_connection() will remove LDAP context if any error
happens. This means upper layers must always verify that LDAP context
exists after such calls.

ipadb_get_user_auth() may re-read global configuration and that may fail
and cause IPA context to have NULL LDAP context.

Fixes: https://pagure.io/freeipa/issue/8681

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-01 10:44:25 -05:00
Alexander Bokovoy
968f8ada65 ipa-kdb: provide correct logon time in MS-PAC from authentication time
When MS-PAC structure is created, we get passed the time of
authentication from KDC. Use this to record logon time in MS-PAC
structure.

Set allow password change time to the last password change. We need to
refer to the actual password policy here in future.

Also use INT64_MAX to represent the resulting value for logoff
and kickoff times according to MS-PAC 2.6.

Fixes: https://pagure.io/freeipa/issue/8659
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-22 12:21:33 -05:00
Rob Crittenden
a129e6f042 ipa_kdb: Fix memory leak
ipadb_get_principal() allocates client_actual. Call
ipadb_free_principal to release it.

Rather than spreading the free() amongst the code introduce
done as a target to match behavior in similar functions.

Discovered by coverity.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-15 10:01:28 +01:00
Rob Crittenden
6f46fac264 ipa-kdb: Fix logic to prevent NULL pointer dereference
Discovered by coverity

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-15 10:01:28 +01:00
Rob Crittenden
0096f4b985 ipa-kdb: Change mspac base RID logic from OR to AND
The purpose is to set a default if the RID doesn't match
expectations.

Discovered by coverity

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-15 10:01:28 +01:00
Rob Crittenden
cbf7bcbed5 Add missing break statement to password quality switch
Discovered by coverity.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-15 10:01:28 +01:00
Slava Aseev
4c0398433e ipa-kdb: handle dates up to 2106-02-07 06:28:16
krb5 uses the negative part of krb5_timestamp to store time values
after 2038:
https://k5wiki.kerberos.org/wiki/Projects/Timestamps_after_2038
In other words, krb5 uses krb5_timestamp (signed int) with
unsigned arithmetic for expanding the timestamp's upper bound.

This commit:
  - adds some helper functions for working with krb5_timestamp as
    unsigned (actually copied from
    https://github.com/krb5/krb5/blob/master/src/include/k5-int.h)
  - replaces operations with krb5_timestamp's by these new functions

Fixes: https://pagure.io/freeipa/issue/8028
Signed-off-by: Slava Aseev <ptrnine@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2020-12-18 20:38:40 +02:00
Alexander Bokovoy
35362d3033 ipa-kdb: use predefined filters for a wild-card searches
In case we've got a principal name as '*', we don't need to specify
the principal itself, use pre-defined filter for a wild-card search.

Previously, we had to escape the '*' as specifying it with an explicit
matching rule would have violated RFC 4515 section 3. However, since we
don't really need to specify a different matching rule for a wild-card
search, we can remove this part completely.

Use this change as an opportunity to simplify the code and reduce
number of duplicated filter constants -- if extra filter is NULL, we can
simply pass "" and use _EXTRA filter constants to format the final
filter.

Fixes: https://pagure.io/freeipa/issue/8624

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2020-12-18 13:32:34 +02:00
Alexander Bokovoy
0da6a57b40 ad trust: accept subordinate domains of the forest trust root
Commit 8b6d1ab854 added support for
subordinate UPN suffixes but missed the case where subordinate UPN is a
subdomain of the forest root domain and not mentioned in the UPN
suffixes list.

Correct this situation by applying the same check to the trusted domain
name as well.

Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-26 12:00:57 +02:00
Alexander Bokovoy
fc11c56544 ipa-kdb: fix gcc complaints in kdb tests
We use string_to_sid() from internal Samba libraries, so we have to link
to it properly.

In addition, size_t is (long unsigned int), just cast to (int) in
asprintf.

Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Alexander Bokovoy
f513a55ded ipa-kdb: fix gcc complaints
In file included from /usr/include/string.h:519,
                 from /usr/include/lber.h:30,
                 from /usr/include/ldap.h:30,
                 from ipa_kdb.h:37,
                 from ipa_kdb_mspac.c:26:
In function 'strncpy',
    inlined from 'get_server_netbios_name' at ipa_kdb_mspac.c:2358:5,
    inlined from 'ipadb_reinit_mspac' at ipa_kdb_mspac.c:2813:39:
/usr/include/bits/string_fortified.h:91:10: warning: 'strncpy' specified bound 255 equals destination size [-Wstringop-truncation]
   91 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Robbie Harwood
0d67180f7d ipa-kdb: implement AS-REQ lifetime jitter
Jitter is always enabled, so there is no additional configuration.

An earlier version of this patch was authored by Becky Shanley.

Fixes: https://pagure.io/freeipa/issue/8010

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:27:28 +02:00