summaryrefslogtreecommitdiffstats
path: root/daemons/ipa-kdb
Commit message (Collapse)AuthorAgeFilesLines
* ipa-kdb: add unit_tests for string_to_sid() and dom_sid_string()Sumit Bose2015-07-081-0/+60
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-kdb: make string_to_sid() and dom_sid_string() more robustSumit Bose2015-07-081-1/+10
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-kdb: add unit-test for filter_logon_info()Sumit Bose2015-07-083-50/+323
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-kdb: convert test to cmockaSumit Bose2015-07-082-88/+49
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-kdb: filter out group membership from MS-PAC for exact SID matches tooAlexander Bokovoy2015-07-081-1/+99
| | | | | | | | | | | | | | | | | | When incoming SID blacklist contains exact SIDs of users and groups, attempt to filter them out as well, according to [MS-PAC] 4.1.1.2. Note that we treat user's SID and primary group RID filtering as violation of the KDC policy because the resulting MS-PAC will have no user SID or primary group and thus will be invalid. For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1 it is OK to have empty group RIDs array as GroupCount SHOULD be equal to Groups.MembershipCount returned by SamrGetGroupsForUser [MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty. Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-kdb: use proper memory chunk size when moving sidsAlexander Bokovoy2015-07-081-3/+17
| | | | | Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-kdb: common function to get key encodings/salt typesMartin Babinsky2015-06-292-70/+62
| | | | | | | | | | | This patch moves duplicate code in `ipadb_get_connection` to get default and supported key encodings/salt types from Kerberos container to a common function handling this task. It is actually a small cosmetic enhancement of the fix of https://fedorahosted.org/freeipa/ticket/4914 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix s4u2proxy README and add warningSimo Sorce2015-06-081-2/+14
| | | | | | | | The attribute mentioned was using an older name that was later changed in the implementation. Also add a prominent warning about the use of the kadmin flags. Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Detect default encsalts kadmin password changeSimo Sorce2015-05-275-0/+144
| | | | | | | | | | | | | | | | | | | When kadmin tries to change a password it will get the allowed keysalts from the password policy. Failure to provide them will result in kadmin using the defaults specified in the kdc.conf file or hardcoded defaults (the default salt is then of type NORMAL). This patch provides the supported values that have been read out of the appropriate LDAP attribute when we read the server configuration. Then at actual password change, check if kadmin is handing us back the exact list of supported encsalts we sent it, and in that case replace it with the real default encsalts. Fixes https://fedorahosted.org/freeipa/ticket/4914 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
* ipa-kdb: reject principals from disabled domains as a KDC policyAlexander Bokovoy2015-02-161-1/+1
| | | | | | | Fixes https://fedorahosted.org/freeipa/ticket/4788 Reviewed-By: Sumit Bose <sbose@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipa-kdb: when processing transitions, hand over unknown ones to KDCAlexander Bokovoy2015-02-161-1/+2
| | | | | | | | | | | When processing cross-realm trust transitions, let the KDC to handle those we don't know about. Admins might define the transitions as explicit [capaths] in krb5.conf. https://fedorahosted.org/freeipa/ticket/4791 Reviewed-By: Sumit Bose <sbose@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Handle DAL ABI change in MIT 1.13Simo Sorce2015-02-132-0/+14
| | | | | | | | | | | | | In this new MIT version the DAL interface changes slightly but KRB5_KDB_DAL_MAJOR_VERSION was not changed. Luckily KRB5_KDB_API_VERSION did change and that's enough to know what to compile in. Resolves: https://fedorahosted.org/freeipa/ticket/4861 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Expose the disabled User Auth TypeNathaniel McCallum2015-02-121-6/+7
| | | | | | | | | Additionally, fix a small bug in ipa-kdb so that the disabled User Auth Type is properly handled. https://fedorahosted.org/freeipa/ticket/4720 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* ipa-kdb: more robust handling of principal addition/editingMartin Babinsky2015-01-301-23/+47
| | | | | | | | | | | | | | | | | | | | | | | | The patch addresses the following defect reported by covscan in FreeIPA master: """ Error: FORWARD_NULL (CWE-476): /daemons/ipa-kdb/ipa_kdb_principals.c:1886: assign_zero: Assigning: "principal" = "NULL". /daemons/ipa-kdb/ipa_kdb_principals.c:1929: var_deref_model: Passing null pointer "principal" to "ipadb_entry_to_mods", which dereferences it. /daemons/ipa-kdb/ipa_kdb_principals.c:1491:9: deref_parm_in_call: Function "ipadb_get_ldap_mod_str" dereferences "principal". /daemons/ipa-kdb/ipa_kdb_principals.c:1174:5: deref_parm_in_call: Function "strdup" dereferences "value" """ This is a part of series of patches related to https://fedorahosted.org/freeipa/ticket/4795 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* always get PAC for client principal if AS_REQ is trueMartin Babinsky2015-01-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | | This patch proposes a fix for the following defect reported by covscan in FreeIPA master code: """ Error: DEADCODE (CWE-561): /daemons/ipa-kdb/ipa_kdb_mspac.c:2013: assignment: Assigning: "client_entry" = "NULL". /daemons/ipa-kdb/ipa_kdb_mspac.c:2077: null: At condition "client_entry", the value of "client_entry" must be "NULL". /daemons/ipa-kdb/ipa_kdb_mspac.c:2077: dead_error_condition: The condition "client_entry" cannot be true. /daemons/ipa-kdb/ipa_kdb_mspac.c:2077: dead_error_line: Execution cannot reach the expression "client_entry" inside this statement: "kerr = ipadb_get_pac(contex...". """ This is a part of a series of patches related to https://fedorahosted.org/freeipa/ticket/4795 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a messageMartin Babinsky2015-01-302-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch is related this defect reported by covscan on FreeIPA master: """ Error: DEADCODE (CWE-561): /daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code != -1765328353L", taking false branch. Now the value of "error_code" is equal to -1765328353. /daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code != -1765328360L", taking false branch. Now the value of "error_code" is equal to -1765328360. /daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code != 0", taking false branch. Now the value of "error_code" is equal to 0. /daemons/ipa-kdb/ipa_kdb_audit_as.c:71: intervals: When switching on "error_code", the value of "error_code" must be in one of the following intervals: {[-1765328360,-1765328360], [-1765328353,-1765328353], [0,0]}. /daemons/ipa-kdb/ipa_kdb_audit_as.c:71: dead_error_condition: The switch value "error_code" cannot reach the default case. /daemons/ipa-kdb/ipa_kdb_audit_as.c:123: dead_error_begin: Execution cannot reach this statement: "default:". """ This patch is a part of series related to https://fedorahosted.org/freeipa/ticket/4795. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Avoid calling ldap functions without a contextSimo Sorce2015-01-081-3/+16
| | | | | | | | | | | | | | We need to make sure we have a ld context before we can load the configuration, otherwise ldap APIs will abort crashing the KDC. If we have an issue connecting to LDAP the lcontext will be NULL, but we are not checking that condition when we try to refresh the global configuration. https://fedorahosted.org/freeipa/ticket/4810 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix unchecked return value in ipa-kdbJan Cholasta2014-11-251-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4713 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix possible NULL dereference in ipa-kdbJan Cholasta2014-11-051-3/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4651 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-kdb: fix unit testsSumit Bose2014-09-262-1/+4
| | | | Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
* Periodically refresh global ipa-kdb configurationNathaniel McCallum2014-06-195-45/+86
| | | | | | | | | | | | | Before this patch, ipa-kdb would load global configuration on startup and never update it. This means that if global configuration is changed, the KDC never receives the new configuration until it is restarted. This patch enables caching of the global configuration with a timeout of 60 seconds. https://fedorahosted.org/freeipa/ticket/4153 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Restore krbCanonicalName handlingNalin Dahyabhai2014-05-301-5/+1
| | | | | | | | | | | When an entry has a krbCanonicalName, if KRB5_KDB_FLAG_ALIAS_OK is set, rewrite the principal name to the canonical value, else error out, instead of always returning an error if the requested name doesn't look like the canonical one. https://fedorahosted.org/freeipa/ticket/3966 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Accept any alias, not just the last valueNalin Dahyabhai2014-05-301-0/+3
| | | | | | | | | If the entry's krbPrincipalName attribute is multi-valued, accept any of the values, not just the last one we happen to examine. https://fedorahosted.org/freeipa/ticket/3966 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* kdb: Don't provide password expiration when using only RADIUSNathaniel McCallum2014-05-221-0/+4
| | | | | | | | | | If the KDC doesn't use the FreeIPA password for authentication, then it is futile to provide this information. Doing so will only confuse the user. It also causes password change dialogues when the password is irrelevant. https://fedorahosted.org/freeipa/ticket/4299 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Avoid passing non-terminated string to is_master_hostMartin Kosek2014-03-111-1/+2
| | | | | | | | | | | When string is not terminated, queries with corrupted base may be sent to LDAP: ... cn=ipa1.example.com<garbage>,cn=masters... https://fedorahosted.org/freeipa/ticket/4214 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-kdb: do not fetch client principal if it is the same as existing entryAlexander Bokovoy2014-03-061-6/+13
| | | | | | | | | | | | | | | When client principal is the same as supplied client entry, don't fetch it again. Note that when client principal is not NULL, client entry might be NULL for cross-realm case, so we need to make sure to not dereference NULL pointer here. Also fix reverted condition for case when we didn't find the client principal in the database, preventing a memory leak. https://fedorahosted.org/freeipa/ticket/4223 Reviewed-By: Sumit Bose <sbose@redhat.com>
* fix filtering of subdomain-based trust usersAlexander Bokovoy2014-03-051-9/+32
| | | | | | https://fedorahosted.org/freeipa/ticket/4207 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipa-kdb: make sure we don't produce MS-PAC in case of authdata flag cleared ↵Alexander Bokovoy2014-02-261-0/+8
| | | | | | | | | | | | by admin When admin clears authdata flag for the service principal, KDC will pass NULL client pointer (service proxy) to the DAL driver. Make sure we bail out correctly. Reviewed-By: Tomáš Babej <tbabej@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipa-kdb: in case of delegation use original client's database entry, not the ↵Alexander Bokovoy2014-02-261-2/+7
| | | | | | | | | proxy https://fedorahosted.org/freeipa/ticket/4195 Reviewed-By: Tomáš Babej <tbabej@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Add support to ipa-kdb for keyless principalsNathaniel McCallum2014-02-191-0/+18
| | | | | | https://fedorahosted.org/freeipa/ticket/3779 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-kdb: validate that an OTP user has tokensNathaniel McCallum2014-02-143-25/+135
| | | | | | | | | | | | This handles the case where a user is configured for OTP in ipaUserAuthType, but the user has not yet created any tokens. Until the user creates tokens, the user should still be able to log in via password. This logic already exists in LDAP, but ipa-kdb needs to perform the same validation to know what data to return to the KDC. https://fedorahosted.org/freeipa/ticket/4154 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* BUILD: Fix portability of NSS in file ipa_pwd.cLukas Slebodnik2014-01-281-1/+3
| | | | Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
* Add krbticketPolicyAux objectclass if neededSimo Sorce2013-11-262-0/+35
| | | | | | When modifying ticket flags add the objectclass to the object if it is missing. https://fedorahosted.org/freeipa/ticket/3901
* ipa-kdb: Handle parent-child relationship for subdomainsAlexander Bokovoy2013-10-041-10/+99
| | | | | | | | | | | | | | | | | When MS-PAC information is re-initialized, record also parent-child relationship between trust root level domain and its subdomains. Use parent incoming SID black list to check if child domain is not allowed to access IPA realm. We also should really use 'cn' of the entry as domain name. ipaNTTrustPartner has different meaning on wire, it is an index pointing to the parent domain of the domain and will be 0 for top level domains or disjoint subdomains of the trust. Finally, trustdomain-enable and trustdomain-disable commands should force MS-PAC cache re-initalization in case of black list change. Trigger that by asking for cross-realm TGT for HTTP service.
* KDC: implement transition check for trusted domainsAlexander Bokovoy2013-10-043-2/+68
| | | | | | | | | | | | When client principal requests for a ticket for a server principal and we have to perform transition, check that all three belong to either our domain or the domains we trust through forest trusts. In case all three realms (client, transition, and server) match trusted domains and our domain, issue permission to transition from client realm to server realm. Part of https://fedorahosted.org/freeipa/ticket/3909
* Add Delegation Info to MS-PACSimo Sorce2013-09-131-2/+160
| | | | https://fedorahosted.org/freeipa/ticket/3442
* kdb-princ: Fix memory leakSimo Sorce2013-08-281-0/+1
| | | | | | | | | | If we do not store the keys in the entry we need to free the array before continuing or the data is leaked. CoverityID: 11910 Fixes: https://fedorahosted.org/freeipa/ticket/3884
* kdb-mspac: Fix out of bounds memsetSimo Sorce2013-08-281-1/+1
| | | | | | | | | | This memset was harmless as the following data is then set again, but an optimizing compiler might conceivably reorder instructions causing issues. CoverityID: 11909 Fixes: https://fedorahosted.org/freeipa/ticket/3883
* IPA KDB MS-PAC: remove unused variableJakub Hrozek2013-07-231-1/+0
|
* IPA KDB MS-PAC: return ENOMEM if allocation failsJakub Hrozek2013-07-231-0/+1
|
* ipa-kdb: reinit mspac on HTTP TGT acquisition to aid trust-add caseAlexander Bokovoy2013-07-233-6/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When trust is established, we also create idrange for the trusted domain. With FreeIPA 3.3 these ranges can have different types, and in order to detect which one is to create, we need to do lookup at AD LDAP server. Such lookup requires authenticated bind. We cannot bind as user because IPA framework operates under constrained delegation using the user's credentials and allowing HTTP/ipa.server@REALM to impersonate the user against trusted domain's services would require two major things: - first, as we don't really know exact AD LDAP server names (any AD DC can be used), constrained delegation would have to be defined against a wild-card - second, constrained delegation requires that target principal exists in IPA LDAP as DN. These two together limit use of user's ticket for the purpose of IPA framework looking up AD LDAP. Additionally, immediately after trust is established, issuing TGT with MS-PAC to HTTP/ipa.server@REALM may fail due to the fact that KDB driver did not yet refreshed its list of trusted domains -- we have limited refresh rate of 60 seconds by default. This patch makes possible to force re-initialization of trusted domains' view in KDB driver if we are asked for TGT for HTTP/ipa.server@REALM. We will need to improve refresh of trusted domains' view in KDB driver in future to notice changes in cn=etc,$SUFFIX tree automatically. This improvement is tracked in https://fedorahosted.org/freeipa/ticket/1302 and https://fedorahosted.org/freeipa/ticket/3626 Part of https://fedorahosted.org/freeipa/ticket/3649
* ipa-kdb: cache KDC hostname on startupAlexander Bokovoy2013-07-233-6/+19
| | | | | | | | | | | We need KDC hostname for several purposes: - short-circuit detection of principals on the same server as KDC - generating NetBIOS name Make sure we cache hostname information on startup and use it instead of detecting the hostname in run-time. This will miss the case that KDC hostname got changed but such cases are not supported anyway without restarting KDC and making changes to principals.
* Use libunistring ulc_casecmp() on unicode stringsNathaniel McCallum2013-07-184-7/+26
| | | | https://fedorahosted.org/freeipa/ticket/3772
* Generate syntethic MS-PAC for all services running on IPA masterAlexander Bokovoy2013-07-111-6/+73
| | | | | | | | | | | MS-PAC is required to be present in TGT if one wants to connect to AD services using this TGT. Users get MS-PAC by default, SSSD in ipa_server_mode uses host/fqdn@REALM principal to talk to AD LDAP. This patch enables other services running on IPA master to connect to AD services. This is required for IPA python code doing discovery of remote AD domain settings shortly after IPA-AD trust has been established.
* Add PAC to master host TGTsSumit Bose2013-07-111-39/+115
| | | | | | | | | | | | | | | | | | | | For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host. We use the well know RID of the Domain Computers group (515) for the primary gid element of the PAC, this is the same as AD uses for host tickets. The rid element of the PAC is set to the well know RID of the Domain Controllers group (516). This is working for the SSSD use case but might be improved later for more general use cases. To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being. Fixes https://fedorahosted.org/freeipa/ticket/3651
* ipa-kdb: Add OTP supportNathaniel McCallum2013-05-173-1/+78
| | | | | | | | | | | | | If OTP is enabled for a user, then: 1. Long-term keys are not provided to KDB 2. The user string 'otp' is defined to KDB Since it is not secure to send radius configuration information over krb5 user strings, we simply set the string to a known default ('[]') which enables the default configuration in the KDC. https://fedorahosted.org/freeipa/ticket/3561 http://freeipa.org/page/V3/OTP
* Remove build warningsMartin Kosek2013-03-291-1/+1
| | | | | | Fix rpm build warnings report in Fedora 19 build. https://fedorahosted.org/freeipa/ticket/3500
* Add unit test for get_authz_data_types()Sumit Bose2013-03-082-0/+246
| | | | https://fedorahosted.org/freeipa/ticket/2960
* ipa-kdb: add PAC only if requestedSumit Bose2013-03-081-2/+140
| | | | | | | | Instead of always adding a PAC to the Kerberos ticket the global default for the authorization data and the authorization data of the service entry is evaluated and the PAC is added accordingly. https://fedorahosted.org/freeipa/ticket/2960
* ipa-kdb: Read ipaKrbAuthzData with other principal dataSumit Bose2013-03-082-0/+18
| | | | | | | | The ipaKrbAuthzData LDAP attribute is read together with the other data of the requestedprincipal and the read value(s) are stored in the e-data of the entry for later use. https://fedorahosted.org/freeipa/ticket/2960
generated by cgit (git 2.34.1) at 2024-05-30 18:17:07 +0000