-rw-r--r--daemons/ipa-sam/ipa_sam.c112
-rw-r--r--install/updates/60-trusts.update1
-rw-r--r--ipaserver/dcerpc.py9
3 files changed, 81 insertions, 41 deletions
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 4a2fca563..cf39bb91a 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2229,11 +2229,14 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
LDAPMod **mods;
bool res;
char *trusted_dn = NULL;
- int ret, i;
+ int ret, i, count;
NTSTATUS status;
TALLOC_CTX *tmp_ctx;
char *trustpw;
char *sid;
+ char **in_blacklist = NULL;
+ char **out_blacklist = NULL;
+ uint32_t enctypes, trust_offset;
DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain));
@@ -2250,10 +2253,12 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
}
mods = NULL;
- smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
- LDAP_OBJ_TRUSTED_DOMAIN);
- smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
- LDAP_OBJ_ID_OBJECT);
+ if (entry == NULL) {
+ smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
+ LDAP_OBJ_TRUSTED_DOMAIN);
+ smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
+ LDAP_OBJ_ID_OBJECT);
+ }
if (entry != NULL) {
sid = get_single_attribute(tmp_ctx, priv2ld(ldap_state), entry,
@@ -2314,26 +2319,37 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
}
}
+ trust_offset = 0;
if (td->trust_posix_offset != NULL) {
- res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
- &mods,
- LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
- *td->trust_posix_offset);
- if (!res) {
- status = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
+ trust_offset = *td->trust_posix_offset;
}
+ res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
+ &mods,
+ LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
+ trust_offset);
+ if (!res) {
+ status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ enctypes = KERB_ENCTYPE_DES_CBC_CRC |
+ KERB_ENCTYPE_DES_CBC_MD5 |
+ KERB_ENCTYPE_RC4_HMAC_MD5 |
+ KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
+ KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+
if (td->supported_enc_type != NULL) {
- res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
- &mods,
- LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
- *td->supported_enc_type);
- if (!res) {
- status = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
+ enctypes = *td->supported_enc_type;
+ }
+
+ res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
+ &mods,
+ LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
+ enctypes);
+ if (!res) {
+ status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
}
if (td->trust_auth_outgoing.data != NULL) {
@@ -2354,31 +2370,45 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
&td->trust_forest_trust_info);
}
+
+ /* Only add default blacklists for incoming and outgoing SIDs but don't modify existing ones */
+ in_blacklist = get_attribute_values(tmp_ctx, ldap_state->smbldap_state->ldap_struct, entry,
+ LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING, &count);
+ out_blacklist = get_attribute_values(tmp_ctx, ldap_state->smbldap_state->ldap_struct, entry,
+ LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING, &count);
+
for (i = 0; ipa_mspac_well_known_sids[i]; i++) {
- smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
- LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING,
- ipa_mspac_well_known_sids[i]);
- smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
- LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING,
- ipa_mspac_well_known_sids[i]);
+ if (in_blacklist == NULL) {
+ smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+ LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING,
+ ipa_mspac_well_known_sids[i]);
+ }
+ if (out_blacklist == NULL) {
+ smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+ LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING,
+ ipa_mspac_well_known_sids[i]);
+ }
}
smbldap_talloc_autofree_ldapmod(tmp_ctx, mods);
- trusted_dn = trusted_domain_dn(tmp_ctx, ldap_state, domain);
- if (trusted_dn == NULL) {
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
- if (entry == NULL) {
- ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
- } else {
- ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
- }
- if (ret != LDAP_SUCCESS) {
- DEBUG(1, ("error writing trusted domain data!\n"));
- status = NT_STATUS_UNSUCCESSFUL;
- goto done;
+ if (mods != NULL) {
+ trusted_dn = trusted_domain_dn(tmp_ctx, ldap_state, domain);
+ if (trusted_dn == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ if (entry == NULL) {
+ ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
+ } else {
+ ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
+ }
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(1, ("error writing trusted domain data!\n"));
+ status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
}
if (entry == NULL) { /* FIXME: allow password updates here */
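Review bot: The fallback written at `enctypes = KERB_ENCTYPE_DES_CBC_CRC | ...` in the third hunk stores single-DES for any trust whose `td->supported_enc_type` is NULL, while dcerpc.py in this same commit sets only RC4 + AES128 + AES256 and deliberately tolerates that call failing, so a trust created through CreateTrustedDomainEx2 can remain on the DES-including set. If the DES bits are an intentional legacy-compatibility choice, a comment saying so belongs above the assignment; otherwise align with dcerpc.py: `enctypes = KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96;`. In the last hunk `count` is filled by both get_attribute_values() calls and never read in the visible hunks, and get_attribute_values() is reached with `entry == NULL` on the add path, which only works if it returns NULL for a NULL entry — worth a one-line comment at that call. Because the POSIX-offset and enctype mods are now emitted unconditionally, a modify of an existing trust whose `td` lacks those fields would reset them to 0 and the default, assuming smbldap_make_mod_uint32_t emits a replace when the stored value differs; if that is not intended, keep the old guarded form for the `entry != NULL` case. ipasam_set_trusted_domain starts before the first hunk and continues after the last.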
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 1b2511540..46de01a5c 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -54,6 +54,7 @@ default: cn: trusts
# 2. cn=trust admins,cn=groups,cn=accounts,$SUFFIX can manage trusts (via ipa tools)
dn: cn=trusts,$SUFFIX
add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
+replace:aci:'(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
replace:aci:'(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)'
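Review bot: The first `replace:aci:` line grants the `cn=adtrust agents` sysaccount write on `ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing`, and nothing in the file records why a service account needs to modify what appears to be a SID filtering list rather than just read it. The ipa_sam.c change in this commit is the reason (ipa-sam populates the default lists when the trust entry is created), so a comment on the `dn: cn=trusts,$SUFFIX` stanza such as `# adtrust agents need write on the SID blacklist attributes: ipa-sam fills in the well-known-SID defaults at trust creation` would let a later ACI review keep the grant minimal. The two ACIs are also updated in different orders (add-then-replace for the agents, replace-then-add for the admins); if the update format applies these sequentially, a short note on which ordering is relied upon would help.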
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index a27a64d2f..bd8f5aadb 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -912,12 +912,21 @@ class TrustDomainInstance(object):
raise assess_dcerpc_exception(num=num, message=message)
try:
+ # We should use proper trustdom handle in order to modify the
+ # trust settings. Samba insists this has to be done with LSA
+ # OpenTrustedDomain* calls, it is not enough to have a handle
+ # returned by the CreateTrustedDomainEx2 call.
+ trustdom_handle = self._pipe.OpenTrustedDomainByName(self._policy_handle, dname, security.SEC_FLAG_MAXIMUM_ALLOWED)
infoclass = lsa.TrustDomainInfoSupportedEncTypes()
infoclass.enc_types = security.KERB_ENCTYPE_RC4_HMAC_MD5
infoclass.enc_types |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
infoclass.enc_types |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES, infoclass)
except RuntimeError, e:
+ # We can ignore the error here -- changing enctypes is for
+ # improved security but the trust will work with default values as
+ # well. In particular, the call may fail against Windows 2003
+ # server as that one doesn't support AES encryption types
pass
def verify_trust(self, another_domain):
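Review bot: The try block now begins at `trustdom_handle = self._pipe.OpenTrustedDomainByName(...)`, so a RuntimeError from opening the trusted-domain handle is swallowed by the same `pass` whose new comment only justifies ignoring a failed enctype change; opening the handle before the try, or at least recording `e` at debug level before `pass`, keeps a broken handle lookup visible instead of silently leaving the trust on whatever enctypes ipa-sam defaulted to. The handle obtained from OpenTrustedDomainByName is never released; if the LSA pipe exposes a Close() for it, a `finally` that closes `trustdom_handle` avoids leaking a server-side handle on every trust update. The enclosing method starts before the hunk.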