ipa-kdb: reinit mspac on HTTP TGT acquisition to aid trust-add case

When trust is established, we also create idrange for the trusted domain.
With FreeIPA 3.3 these ranges can have different types, and in order to
detect which one is to create, we need to do lookup at AD LDAP server.

Such lookup requires authenticated bind. We cannot bind as user because
IPA framework operates under constrained delegation using the user's
credentials and allowing HTTP/ipa.server@REALM to impersonate the user
against trusted domain's services would require two major things:

  - first, as we don't really know exact AD LDAP server names (any AD DC
    can be used), constrained delegation would have to be defined against
    a wild-card

  - second, constrained delegation requires that target principal exists
    in IPA LDAP as DN.

These two together limit use of user's ticket for the purpose of IPA
framework looking up AD LDAP.

Additionally, immediately after trust is established, issuing TGT with
MS-PAC to HTTP/ipa.server@REALM may fail due to the fact that KDB driver
did not yet refreshed its list of trusted domains -- we have limited
refresh rate of 60 seconds by default.

This patch makes possible to force re-initialization of trusted domains'
view in KDB driver if we are asked for TGT for HTTP/ipa.server@REALM.

We will need to improve refresh of trusted domains' view in KDB driver
in future to notice changes in cn=etc,$SUFFIX tree automatically.

This improvement is tracked in https://fedorahosted.org/freeipa/ticket/1302 and
https://fedorahosted.org/freeipa/ticket/3626

Part of https://fedorahosted.org/freeipa/ticket/3649

3 files changed, 29 insertions, 6 deletions

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 51b879ca..5e4d0474 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -393,8 +393,8 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
         goto done;
     }
 
-    /* get adtrust options */
-    ret = ipadb_reinit_mspac(ipactx);
+    /* get adtrust options using default refresh interval */
+    ret = ipadb_reinit_mspac(ipactx, false);
     if (ret && ret != ENOENT) {
         /* TODO: log that there is an issue with adtrust settings */
     }
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index a611bc28..f4d35554 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -250,7 +250,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
                                     krb5_authdata **tgt_auth_data,
                                     krb5_authdata ***signed_auth_data);
 
-krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx);
+krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit);
 
 void ipadb_mspac_struct_free(struct ipadb_mspac **mspac);
 
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index d6c4f9a6..6ffab459 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -24,6 +24,7 @@
 #include "ipa_mspac.h"
 #include <talloc.h>
 #include <syslog.h>
+#include <unicase.h>
 #include "util/time.h"
 #include "gen_ndr/ndr_krb5pac.h"
 
@@ -1282,7 +1283,8 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context,
         return NULL;
     }
 
-    kerr = ipadb_reinit_mspac(ipactx);
+    /* re-init MS-PAC info using default update interval */
+    kerr = ipadb_reinit_mspac(ipactx, false);
     if (kerr != 0) {
         return NULL;
     }
@@ -1805,8 +1807,10 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     krb5_error_code kerr;
     krb5_pac pac = NULL;
     krb5_data pac_data;
+    struct ipadb_context *ipactx;
     bool with_pac;
     bool with_pad;
+    int result;
 
     /* When using s4u2proxy client_princ actually refers to the proxied user
      * while client->princ to the proxy service asking for the TGS on behalf
@@ -1831,6 +1835,22 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
 
     if (is_as_req && with_pac && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
+        /* Be aggressive here: special case for discovering range type
+         * immediately after establishing the trust by IPA framework */
+        if ((krb5_princ_size(context, ks_client_princ) == 2) &&
+            (strncmp(krb5_princ_component(context, ks_client_princ, 0)->data, "HTTP",
+                     krb5_princ_component(context, ks_client_princ, 0)->length) == 0)) {
+            ipactx = ipadb_get_context(context);
+            if (!ipactx) {
+                goto done;
+            }
+            if (ulc_casecmp(krb5_princ_component(context, ks_client_princ, 1)->data,
+                            krb5_princ_component(context, ks_client_princ, 1)->length,
+                            ipactx->kdc_hostname, strlen(ipactx->kdc_hostname),
+                            NULL, NULL, &result) == 0) {
+                kerr = ipadb_reinit_mspac(ipactx, true);
+            }
+        }
 
         kerr = ipadb_get_pac(context, client, &pac);
         if (kerr != 0 && kerr != ENOENT) {
@@ -2155,7 +2175,7 @@ done:
     return ret;
 }
 
-krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
+krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit)
 {
     char *dom_attrs[] = { "ipaNTFlatName",
                           "ipaNTFallbackPrimaryGroup",
@@ -2174,7 +2194,10 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
      * avoid heavy load on the directory server if there are lots of requests
      * from domains which we do not trust. */
     now = time(NULL);
-    if (ipactx->mspac != NULL && now > ipactx->mspac->last_update &&
+
+    if (ipactx->mspac != NULL &&
+        (force_reinit == false) &&
+        (now > ipactx->mspac->last_update) &&
         (now - ipactx->mspac->last_update) < 60) {
         return 0;
     }