summaryrefslogtreecommitdiffstats
path: root/ipaserver/dcerpc.py
Commit message (Collapse)AuthorAgeFilesLines
* Convert remaining frontend code to LDAPEntry API.Jan Cholasta2014-01-241-9/+9
|
* subdomains: Use AD admin credentials when trust is being establishedAlexander Bokovoy2013-11-291-14/+28
| | | | | | | | | | | | | | | | | | | | When AD administrator credentials passed, they stored in realm_passwd, not realm_password in the options. When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure to normalize them. Additionally, force Samba auth module to use NTLMSSP in case we have credentials because at the point when trust is established, KDC is not yet ready to issue tickets to a service in the other realm due to MS-PAC information caching effects. The logic is a bit fuzzy because credentials code makes decisions on what to use based on the smb.conf parameters and Python bindings to set parameters to smb.conf make it so that auth module believes these parameters were overidden by the user through the command line and ignore some of options. We have to do calls in the right order to force NTLMSSP use instead of Kerberos. Fixes https://fedorahosted.org/freeipa/ticket/4046
* Map NT_STATUS_INVALID_PARAMETER to most likely error cause: clock skewAlexander Bokovoy2013-11-131-0/+3
| | | | | | | | When we get NT_STATUS_INVALID_PARAMETER in response to establish DCE RPC pipe with Kerberos, the most likely reason is clock skew. Suggest that it is so in the error message. https://fedorahosted.org/freeipa/ticket/4024
* trust: integrate subdomains support into trust-addAlexander Bokovoy2013-10-041-33/+47
|
* ipaserver/dcerpc: remove use of trust account authenticationAlexander Bokovoy2013-10-041-70/+6
| | | | | | | | Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal, it is possible to use it when talking to the trusted AD DC. Remove support for authenticating as trust account because it should not really be used other than within Samba.
* trusts: support subdomains in a forestAlexander Bokovoy2013-10-041-0/+54
| | | | | | | | | | | | | | | | | | | Add IPA CLI to manage trust domains. ipa trust-fetch-domains <trust> -- fetch list of subdomains from AD side and add new ones to IPA ipa trustdomain-find <trust> -- show all available domains ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust> ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain By default all discovered trust domains are allowed to access IPA resources IPA KDC needs also information for authentication paths to subdomains in case they are not hierarchical under AD forest trust root. This information is managed via capaths section in krb5.conf. SSSD should be able to generate it once ticket https://fedorahosted.org/sssd/ticket/2093 is resolved. part of https://fedorahosted.org/freeipa/ticket/3909
* ipaserver/dcerpc.py: populate forest trust information using realmdomainsAlexander Bokovoy2013-10-041-18/+95
| | | | | | | | Use realmdomains information to prepopulate forest trust info. As result, all additional domains should now be enabled from the beginning, unless they really conflict with existing DNS domains on AD side. https://fedorahosted.org/freeipa/ticket/3919
* ipa-sam: do not modify objectclass when trust object already createdAlexander Bokovoy2013-09-201-0/+9
| | | | | | | | | | | When trust is established, last step done by IPA framework is to set encryption types associated with the trust. This operation fails due to ipa-sam attempting to modify object classes in trust object entry which is not allowed by ACI. Additionally, wrong handle was used by dcerpc.py code when executing SetInformationTrustedDomain() against IPA smbd which prevented even to reach the point where ipa-sam would be asked to modify the trust object.
* Log proper error message when defaultNamingContext not foundTomas Babej2013-08-291-1/+7
|
* Remove overlapping use-cases of the same result variableTomas Babej2013-08-061-4/+4
|
* Use case-insensitive dict for trusted domain infoTomas Babej2013-08-061-12/+24
| | | | | | | | | | | In DomainValidator, we store a dictionary containing information for trusted domains. This is a case-sensitive dictionary keyed by the domain name. We need to use case-insensitive dictionary since domain names are generally case-insensitive. https://fedorahosted.org/freeipa/ticket/3816
* ipaserver/dcerpc: attempt to resolve SIDs through SSSD firstAlexander Bokovoy2013-07-231-1/+44
| | | | | | | | Attempt to resolve SIDs through SSSD first to avoid using trust account password. This makes possible to run HBAC test requests without being in 'trusted admins' group. https://fedorahosted.org/freeipa/ticket/3803
* Use AD LDAP probing to create trusted domain ID rangeTomas Babej2013-07-231-37/+127
| | | | | | | | | | When creating a trusted domain ID range, probe AD DC to get information about ID space leveraged by POSIX users already defined in AD, and create an ID range with according parameters. For more details: http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD https://fedorahosted.org/freeipa/ticket/3649
* Fail when adding a trust with a different rangeAna Krivokapic2013-06-241-3/+12
| | | | | | | | When adding a trust, if an id range already exists for this trust, and options --base-id/--range-size are provided with the trust-add command, trust-add should fail. https://fedorahosted.org/freeipa/ticket/3635
* Enforce exact SID match when adding or modifying a ID rangeTomas Babej2013-03-141-13/+37
| | | | | | | | SID validation in idrange.py now enforces exact match on SIDs, thus one can no longer use SID of an object in a trusted domain as a trusted domain SID. https://fedorahosted.org/freeipa/ticket/3432
* Remove ipaserver/ipaldap.pyPetr Viktorin2013-03-131-1/+2
| | | | | | In addition to removing the module, fix all places where it was imported. Preparation for: https://fedorahosted.org/freeipa/ticket/3446
* Disable schema retrieval and attribute decoding when talking to AD GC.Jan Cholasta2013-03-081-5/+2
|
* ipaserver/dcerpc: enforce search_s without schema checks for GC searchingAlexander Bokovoy2013-03-061-1/+1
|
* Remove IPAdmin.sasl_interactive_bind_sPetr Viktorin2013-03-011-4/+1
| | | | | | | Also, rename remaining uses of SASL_AUTH to SASL_GSSAPI to better reflect what it is. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Avoid internal error when user is not Trust adminMartin Kosek2013-02-201-4/+23
| | | | | | | | | | | | | | | When user tries to perform any action requiring communication with trusted domain, IPA server tries to retrieve a trust secret on his behalf to be able to establish the connection. This happens for example during group-add-member command when external user is being resolved in the AD. When user is not member of Trust admins group, the retrieval crashes and reports internal error. Catch this exception and rather report properly formatted ACIError. Also make sure that this exception is properly processed in group-add-member post callback. https://fedorahosted.org/freeipa/ticket/3390
* Add option to specify SID using domain name to idrange-add/modTomas Babej2013-02-181-0/+10
| | | | | | | | | | When adding/modifying an ID range for a trusted domain, the newly added option --dom-name can be used. This looks up SID of the trusted domain in LDAP and therefore the user is not required to write it down in CLI. If the lookup fails, error message asking the user to specify the SID manually is shown. https://fedorahosted.org/freeipa/ticket/3133
* Add support for AD users to hbactest commandMartin Kosek2013-02-141-0/+56
| | | | | | | | | | | | | | | | | | | | | How this works: 1. When a trusted domain user is tested, AD GC is searched for the user entry Distinguished Name 2. The user entry is then read from AD GC and its SID and SIDs of all its assigned groups (tokenGroups attribute) are retrieved 3. The SIDs are then used to search IPA LDAP database to find all external groups which have any of these SIDs as external members 4. All these groups having these groups as direct or indirect members are added to hbactest allowing it to perform the search LIMITATIONS: - only Trusted Admins group members can use this function as it uses secret for IPA-Trusted domain link - List of group SIDs does not contain group memberships outside of the trusted domain https://fedorahosted.org/freeipa/ticket/2997
* Generalize AD GC searchMartin Kosek2013-02-141-50/+95
| | | | | | | | | | | | | | Modify access methods to AD GC so that callers can specify a custom basedn, filter, scope and attribute list, thus allowing it to perform any LDAP search. Error checking methodology in these functions was changed, so that it rather raises an exception with a desription instead of simply returning a None or False value which would made an investigation why something does not work much more difficult. External membership method in group-add-member command was updated to match this approach. https://fedorahosted.org/freeipa/ticket/2997
* Test NetBIOS name clash before creating a trustMartin Kosek2013-02-131-0/+6
| | | | | | | Give a clear message about what is wrong with current Trust settings before letting AD to return a confusing error message. https://fedorahosted.org/freeipa/ticket/3193
* Add SID blacklist attributesMartin Kosek2013-02-121-0/+8
| | | | | | | | Update our LDAP schema and add 2 new attributes for SID blacklist definition. These new attributes can now be set per-trust with trustconfig command. https://fedorahosted.org/freeipa/ticket/3289
* Add detection for users from trusted/invalid realmsTomas Babej2012-12-061-16/+3
| | | | | | | | | | | | When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied is returned. Also, the support for usernames of the form user@SERVER.REALM or user@server.realm was added. https://fedorahosted.org/freeipa/ticket/3252
* Propagate kinit errors with trust accountAlexander Bokovoy2012-11-271-0/+4
| | | | | | | | | | When using Global Catalog for resolving users and groups, one needs to authenticate against Active Directory DC using GSSAPI. Obtaining Kerberos ticket might fail. Make sure the failure message is actually returned to the user so that decision can be made about the source of issue. https://fedorahosted.org/freeipa/ticket/3265
* trusts: replace use of python-crypto by m2cryptoAlexander Bokovoy2012-11-211-3/+3
| | | | | | | | | python-crypto package is not available everywhere, use m2crypto instead. Originally we thought to extend python-krbV to provide krb5_c_encrypt() wrapper but m2crypto is readily available. https://fedorahosted.org/freeipa/ticket/3271
* Resolve external members from trusted domain via Global CatalogAlexander Bokovoy2012-11-011-4/+231
| | | | | | | | | | | | A sequence is following: 1. Match external member against existing trusted domain 2. Find trusted domain's domain controller and preferred GC hosts 3. Fetch trusted domain account auth info 4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain 5. Do LDAP SASL interactive bind using the ccache 6. Search for the member's SID 7. Decode SID 8. Replace external member name by SID
* Add support for using AES fo cross-realm TGTsSimo Sorce2012-10-171-1/+10
|
* Fix trust attributes for ipa trust-addSimo Sorce2012-10-091-1/+1
| | | | | The RC4 flags in the trust attributes makes sense only fro trust type MIT We are using the UPLEVEL trust type.
* Support python-ldap 2.3 way of making LDAP controlAlexander Bokovoy2012-10-041-3/+11
| | | | | | | | This strange patch is to accomodate both python-ldap 2.3 and later versions. There was refactoring in python-ldap support for LDAP controls that split base class into two different, changing properties and method signatures. Luckily, we don't use any values passed to encodeControlValue.
* Change the way SID comparison is done for belonging to trusted domainAlexander Bokovoy2012-09-271-16/+12
| | | | Fixes trust use on RHEL 6.
* Add verification of the AD trustAlexander Bokovoy2012-09-171-3/+28
| | | | | | | | | | Since we only can perform verification when AD admin credentials are available, report that trust should be verified from the AD side in other cases, including unsuccessful verification. Once trust is added, status of it is never stored anywhere. https://fedorahosted.org/freeipa/ticket/2763
* Add internationalization to DCE RPC codeAlexander Bokovoy2012-08-141-10/+20
| | | | https://fedorahosted.org/freeipa/ticket/2964
* Use DN objects instead of stringsJohn Dennis2012-08-121-4/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Convert every string specifying a DN into a DN object * Every place a dn was manipulated in some fashion it was replaced by the use of DN operators * Add new DNParam parameter type for parameters which are DN's * DN objects are used 100% of the time throughout the entire data pipeline whenever something is logically a dn. * Many classes now enforce DN usage for their attributes which are dn's. This is implmented via ipautil.dn_attribute_property(). The only permitted types for a class attribute specified to be a DN are either None or a DN object. * Require that every place a dn is used it must be a DN object. This translates into lot of:: assert isinstance(dn, DN) sprinkled through out the code. Maintaining these asserts is valuable to preserve DN type enforcement. The asserts can be disabled in production. The goal of 100% DN usage 100% of the time has been realized, these asserts are meant to preserve that. The asserts also proved valuable in detecting functions which did not obey their function signatures, such as the baseldap pre and post callbacks. * Moved ipalib.dn to ipapython.dn because DN class is shared with all components, not just the server which uses ipalib. * All API's now accept DN's natively, no need to convert to str (or unicode). * Removed ipalib.encoder and encode/decode decorators. Type conversion is now explicitly performed in each IPASimpleLDAPObject method which emulates a ldap.SimpleLDAPObject method. * Entity & Entry classes now utilize DN's * Removed __getattr__ in Entity & Entity clases. There were two problems with it. It presented synthetic Python object attributes based on the current LDAP data it contained. There is no way to validate synthetic attributes using code checkers, you can't search the code to find LDAP attribute accesses (because synthetic attriutes look like Python attributes instead of LDAP data) and error handling is circumscribed. Secondly __getattr__ was hiding Python internal methods which broke class semantics. * Replace use of methods inherited from ldap.SimpleLDAPObject via IPAdmin class with IPAdmin methods. Directly using inherited methods was causing us to bypass IPA logic. Mostly this meant replacing the use of search_s() with getEntry() or getList(). Similarly direct access of the LDAP data in classes using IPAdmin were replaced with calls to getValue() or getValues(). * Objects returned by ldap2.find_entries() are now compatible with either the python-ldap access methodology or the Entity/Entry access methodology. * All ldap operations now funnel through the common IPASimpleLDAPObject giving us a single location where we interface to python-ldap and perform conversions. * The above 4 modifications means we've greatly reduced the proliferation of multiple inconsistent ways to perform LDAP operations. We are well on the way to having a single API in IPA for doing LDAP (a long range goal). * All certificate subject bases are now DN's * DN objects were enhanced thusly: - find, rfind, index, rindex, replace and insert methods were added - AVA, RDN and DN classes were refactored in immutable and mutable variants, the mutable variants are EditableAVA, EditableRDN and EditableDN. By default we use the immutable variants preserving important semantics. To edit a DN cast it to an EditableDN and cast it back to DN when done editing. These issues are fully described in other documentation. - first_key_match was removed - DN equalty comparison permits comparison to a basestring * Fixed ldapupdate to work with DN's. This work included: - Enhance test_updates.py to do more checking after applying update. Add test for update_from_dict(). Convert code to use unittest classes. - Consolidated duplicate code. - Moved code which should have been in the class into the class. - Fix the handling of the 'deleteentry' update action. It's no longer necessary to supply fake attributes to make it work. Detect case where subsequent update applies a change to entry previously marked for deletetion. General clean-up and simplification of the 'deleteentry' logic. - Rewrote a couple of functions to be clearer and more Pythonic. - Added documentation on the data structure being used. - Simplfy the use of update_from_dict() * Removed all usage of get_schema() which was being called prior to accessing the .schema attribute of an object. If a class is using internal lazy loading as an optimization it's not right to require users of the interface to be aware of internal optimization's. schema is now a property and when the schema property is accessed it calls a private internal method to perform the lazy loading. * Added SchemaCache class to cache the schema's from individual servers. This was done because of the observation we talk to different LDAP servers, each of which may have it's own schema. Previously we globally cached the schema from the first server we connected to and returned that schema in all contexts. The cache includes controls to invalidate it thus forcing a schema refresh. * Schema caching is now senstive to the run time context. During install and upgrade the schema can change leading to errors due to out-of-date cached schema. The schema cache is refreshed in these contexts. * We are aware of the LDAP syntax of all LDAP attributes. Every attribute returned from an LDAP operation is passed through a central table look-up based on it's LDAP syntax. The table key is the LDAP syntax it's value is a Python callable that returns a Python object matching the LDAP syntax. There are a handful of LDAP attributes whose syntax is historically incorrect (e.g. DistguishedNames that are defined as DirectoryStrings). The table driven conversion mechanism is augmented with a table of hard coded exceptions. Currently only the following conversions occur via the table: - dn's are converted to DN objects - binary objects are converted to Python str objects (IPA convention). - everything else is converted to unicode using UTF-8 decoding (IPA convention). However, now that the table driven conversion mechanism is in place it would be trivial to do things such as converting attributes which have LDAP integer syntax into a Python integer, etc. * Expected values in the unit tests which are a DN no longer need to use lambda expressions to promote the returned value to a DN for equality comparison. The return value is automatically promoted to a DN. The lambda expressions have been removed making the code much simpler and easier to read. * Add class level logging to a number of classes which did not support logging, less need for use of root_logger. * Remove ipaserver/conn.py, it was unused. * Consolidated duplicate code wherever it was found. * Fixed many places that used string concatenation to form a new string rather than string formatting operators. This is necessary because string formatting converts it's arguments to a string prior to building the result string. You can't concatenate a string and a non-string. * Simplify logic in rename_managed plugin. Use DN operators to edit dn's. * The live version of ipa-ldap-updater did not generate a log file. The offline version did, now both do. https://fedorahosted.org/freeipa/ticket/1670 https://fedorahosted.org/freeipa/ticket/1671 https://fedorahosted.org/freeipa/ticket/1672 https://fedorahosted.org/freeipa/ticket/1673 https://fedorahosted.org/freeipa/ticket/1674 https://fedorahosted.org/freeipa/ticket/1392 https://fedorahosted.org/freeipa/ticket/2872
* Handle exceptions when establishing trustsAlexander Bokovoy2012-08-031-15/+60
| | | | | | | | | | | | | | | | | | | | | | | | Translate exceptions produced by DCERPC bindings when establishing trusts. There are two types of errors that may be produced by DCERPC bindings: - RuntimeError with a text (RuntimeError('NT_STATUS_OBJECT_NAME_NOT_FOUND') - RuntimeError with a numeric code and 'friendly' message Error codes could have two prefixes: - NT error codes, start with NT_STATUS_ prefix - Windows error codes, start with WERR_ prefix Full list of errors is available in Samba source code: libcli/util/ntstatus.h: NT_STATUS error codes libcli/util/werror.h: Windows error codes Majority of errors returned when dealing with trusts are of NT_STATUS type, these also include all typical POSIX errors mapped to corresponding NT errors. Unfortunately, in the textual RuntimeError case very little can be done to get better clarification of the error. More error paths will need to be added as they will be discovered -- DCERPC error messaging is complex. https://fedorahosted.org/freeipa/ticket/2868
* Handle various forms of admin accounts when establishing trustsAlexander Bokovoy2012-07-181-0/+5
| | | | | | | | | | | | | | | | | | | | | | Realm administrator account may be specified using different form: Administrator, DOM\Administrator, Administrator@DOMAIN This patch introduces handling of the second two forms: - In DOM\Administrator only user name is used, short domain name is then taken from a discovered record from the AD DC - In Administrator@DOMAIN first DOMAIN is verified to be the same as the domain we are establishing trust to, and then user name is taken, together with short domain name taken from a discovered record from the AD DC Note that we do not support using to-be-trusted domain's trusted domains' accounts to establish trust as there is basically zero chance to verify that things will work with them. In addition, in order to establish trust one needs to belong to Enterprise Admins group in AD or have specially delegated permissions. These permissions are unlikely delegated to the ones in already trusted domain. https://fedorahosted.org/freeipa/ticket/2864
* Add support for external group membersAlexander Bokovoy2012-06-281-8/+85
| | | | | | | | | When using ipaExternalGroup/ipaExternalMember attributes it is possible to add group members which don't exist in IPA database. This is primarily is required for AD trusts support and therefore validation is accepting only secure identifier (SID) format. https://fedorahosted.org/freeipa/ticket/2664
* get_fqdn() moved to ipaserver.installutilsAlexander Bokovoy2012-06-071-2/+2
|
* Use fully qualified PDC name when contacting for extended DN informationAlexander Bokovoy2012-06-071-1/+1
|
* Add trust management for Active Directory trustsAlexander Bokovoy2012-06-071-0/+324