summaryrefslogtreecommitdiffstats
path: root/daemons/ipa-kdb
Commit message (Collapse)AuthorAgeFilesLines
* ipa-kdb: Add OTP supportNathaniel McCallum2013-05-173-1/+78
| | | | | | | | | | | | | If OTP is enabled for a user, then: 1. Long-term keys are not provided to KDB 2. The user string 'otp' is defined to KDB Since it is not secure to send radius configuration information over krb5 user strings, we simply set the string to a known default ('[]') which enables the default configuration in the KDC. https://fedorahosted.org/freeipa/ticket/3561 http://freeipa.org/page/V3/OTP
* Remove build warningsMartin Kosek2013-03-291-1/+1
| | | | | | Fix rpm build warnings report in Fedora 19 build. https://fedorahosted.org/freeipa/ticket/3500
* Add unit test for get_authz_data_types()Sumit Bose2013-03-082-0/+246
| | | | https://fedorahosted.org/freeipa/ticket/2960
* ipa-kdb: add PAC only if requestedSumit Bose2013-03-081-2/+140
| | | | | | | | Instead of always adding a PAC to the Kerberos ticket the global default for the authorization data and the authorization data of the service entry is evaluated and the PAC is added accordingly. https://fedorahosted.org/freeipa/ticket/2960
* ipa-kdb: Read ipaKrbAuthzData with other principal dataSumit Bose2013-03-082-0/+18
| | | | | | | | The ipaKrbAuthzData LDAP attribute is read together with the other data of the requestedprincipal and the read value(s) are stored in the e-data of the entry for later use. https://fedorahosted.org/freeipa/ticket/2960
* ipa-kdb: Read global defaul ipaKrbAuthzDataSumit Bose2013-03-082-1/+29
| | | | | | | The ipaKrbAuthzData LDAP attribute is read from the ipaConfig object and the read value(s) are stored in the ipadb context. https://fedorahosted.org/freeipa/ticket/2960
* Revert "MS-PAC: Special case NFS services"Sumit Bose2013-03-081-35/+1
| | | | | | | | This reverts commit 5269458f552380759c86018cd1f30b64761be92e. With the implementation of https://fedorahosted.org/freeipa/ticket/2960 a special hardcoded handling of NFS service tickets is not needed anymore.
* ipa-kdb: Dereference after null check in ipa_kdb_mspac.cSumit Bose2013-02-281-1/+1
| | | | | | A wrong logic was used to check ipactx. Fixes https://fedorahosted.org/freeipa/ticket/3424
* ipa-kdb: Uninitialized scalar variable in ipadb_reinit_mspac()Sumit Bose2013-02-281-5/+4
| | | | | | | There was a code path where ret was used instead of kerr to save a return value. Fixes https://fedorahosted.org/freeipa/ticket/3422
* ipa-kdb: remove unused variableSumit Bose2013-02-281-1/+1
|
* ipa-kdb: Free talloc autofree context when module is closedsbose2013-02-141-0/+3
| | | | | | | | | | | | | | | Currently kdb5kdc crashes on exit if the ipadb KDB modules is loaded and trusts are configured. The reason is the talloc autofree context which get initialised during the ndr_push_union_blob() call. On exit the KDC module is unloaded an later on atexit() tries to free the context, but all related symbols are already unloaded with the module. This patch frees the talloc autofree context during the cleanup routine of the module. Since this is called only at exit and not during normal operations this is safe even if other KDC plugins use the talloc autofree context, e.g. via some Samba libraries, as well. Fixes https://fedorahosted.org/freeipa/ticket/3410
* ipa-kdb: fix retry logic in ipadb_deref_searchMartin Kosek2013-02-141-1/+1
| | | | | | | | This function retried an LDAP search when the result was OK due to flawed logic of retry detection (ipadb_need_retry function which returns true when we need retry and not 0). https://fedorahosted.org/freeipa/ticket/3413
* ipa-kdb: remove memory leaksMartin Kosek2013-02-144-2/+25
| | | | | | | | All known memory leaks caused by unfreed allocated memory or unfreed LDAP results (which should be also done after unsuccessful searches) are fixed. https://fedorahosted.org/freeipa/ticket/3413
* ipa-kdb: read SID blacklist from LDAPMartin Kosek2013-02-122-54/+104
| | | | | | | | | | | | SIDs in incoming MS-PAC were checked and filtered with a fixed list of well-known SIDs. Allow reading the SID blacklist from LDAP (ipaNTSIDBlacklistIncoming and ipaNTSIDBlacklistOutgoing) and add the list to mspac adtrust structure. Use the hardcoded SID list only if the LDAP SID list is not configured. LIMITATION: SID blacklist list is not used yet. https://fedorahosted.org/freeipa/ticket/3289
* ipa-kdb: reinitialize LDAP configuration for known realmsMartin Kosek2013-02-121-12/+45
| | | | | | | | | | | | | ipa-kdb did not reinitialize trusted domain configuration when it was loaded to ipa-kdb. However, admin then would have to restart krb5kdc if he wanted to apply the change to running krb5kdc service. Run ipadb_reinit_mspac unconditionally every time when trusted domain is loaded. Among the already configured 1 minute grace time, also add a quick check if there is at least one configured trusted domain before reinitializing the mspac structure. https://fedorahosted.org/freeipa/ticket/3289
* ipa-kdb: avoid ENOMEM when all SIDs are filtered outMartin Kosek2013-02-121-4/+14
| | | | | | | | | When all SIDs in info3.sids structure were filtered out, we tried to talloc_realloc to zero memory size. talloc_realloc then returned NULL pointer and filter_login_info returned with ENOMEM. The code now rather frees the SID array and set info3.sidcount to correct value.
* ipa-kdb: add sentinel for LDAPDerefSpec allocationMartin Kosek2013-02-121-5/+6
| | | | | Without sentinel in place, ldap_create_deref_control_value executed an invalid read in unallocated memory.
* Prevent integer overflow when setting krbPasswordExpirationTomas Babej2013-02-084-13/+47
| | | | | | | | | | | | | | | | Since in Kerberos V5 are used 32-bit unix timestamps, setting maxlife in pwpolicy to values such as 9999 days would cause integer overflow in krbPasswordExpiration attribute. This would result into unpredictable behaviour such as users not being able to log in after password expiration if password policy was changed (#3114) or new users not being able to log in at all (#3312). The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver. https://fedorahosted.org/freeipa/ticket/3312 https://fedorahosted.org/freeipa/ticket/3114
* ipa-kdb: Support Windows 2012 ServerAlexander Bokovoy2012-12-071-15/+253
| | | | | | | | | | | Windows 2012 Server changed procedure how KERB_VALIDATION_INFO ([MS-PAC] section 2.5) is populated. Detailed description is available in [MS-KILE] version 25.0 and above. Refactor KERB_VALIDATION_INFO verification and ensure we filter out extra SIDs in case they belong to our domain. https://fedorahosted.org/freeipa/ticket/3231
* Lookup the user SID in external group as wellSumit Bose2012-11-301-5/+14
| | | | | | | Currently only the group SIDs from a PAC are used to find out about the membership in local groups. This patch adds the user SID to the list. Fixes https://fedorahosted.org/freeipa/ticket/3257
* MS-PAC: Special case NFS servicesSimo Sorce2012-11-301-1/+35
| | | | | | | | | | The current Linux NFS server is severely limited when it comes to handling kerberos tickets. Bsically any ticket bigger than 2k will cause it to fail authentication due to kernel->userspace upcall interface restrictions. Until we have additional support in IPA to indivdually mark principals to opt out of getting PACs attached we always prevent PACs from being attached to TGTs or Tickets where NFS is involved.
* ipadb: reload trust information if domain is not knownSumit Bose2012-10-091-1/+39
| | | | | | | | | | Currently the data about trusted domains is read once at startup. If a new trust is added the KDC must be restarted to know about the new trust. This patch reloads the trust data if there is a request from an unknown domain. To make DOS attacks a bit harder the data can be updated only once in a minute. Fixes https://fedorahosted.org/freeipa/ticket/3156
* ipadb_iterate(): handle match_entry == NULLSumit Bose2012-09-052-0/+10
| | | | | | | | | If match_entry == NULL all principals should be iterated. Additionally this patch adds a check in ipadb_filter_escape() to make sure that the input is not NULL. Fixes: https://fedorahosted.org/freeipa/ticket/3011
* Add PAC filteringSimo Sorce2012-08-021-8/+100
| | | | | | | | This check the PAC we receive is consistent. realm, flat name and domain sid must much our understanding or the trustd realm and no additional sids beyond the own realm ones must be present. Ticket #2849
* Split out manipulation of logon_info blobSimo Sorce2012-08-021-40/+69
| | | | | This way multiple functions can manipulate the logon info structure until all operations we want to do on it are done and then fold it back once.
* Properly name function to add ipa external groupsSimo Sorce2012-08-021-35/+39
| | | | | | | | | The function filter_pac was not filtering the pac at all, it was merely augmenting it with additional data relevant to the IPA server. Change the name of the function to avoid confusion. While there I also simplified and cleaed up the code a bit with regard to variable names and usage.
* Load list of trusted domain on connecting to ldapSimo Sorce2012-08-021-6/+104
| | | | This list is used to validate data in mspac filtering
* Move mspac structure to be a private pointerSimo Sorce2012-08-022-25/+33
| | | | | By keeping it's definition in the mspac file it is easier to modify and make sure any opertion on it is handled in the same file.
* Move code into common krb5 utilsSimo Sorce2012-07-301-141/+7
| | | | | | | | This moves the decoding function that reads the keys from the ber format into a structure in the common krb5 util code right below the function that encodes the same data structure into a ber format. This way the 2 functions are in the same place and can be both used by all ia components.
* Fix typoSumit Bose2012-07-091-1/+1
| | | | Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Filter groups in the PACSumit Bose2012-06-281-1/+452
| | | | | | If one or more of the external groups given in the PAC can be found in the ipaExternalGroup objects and these objects are members of local groups, the SIDs of the local groups are added to the PAC.
* Add support for disabling KDC writesSimo Sorce2012-06-063-0/+75
| | | | | | | | | | | Add two global ipaConfig options to disable undesirable writes that have performance impact. The "KDC:Disable Last Success" will disable writing back to ldap the last successful AS Request time (successful kinit) The "KDC:Disable Lockout" will disable completely writing back lockout related data. This means lockout policies will stop working. https://fedorahosted.org/freeipa/ticket/2734
* ipa-kdb: Add MS-PAC on constrained delegation.Simo Sorce2012-06-071-22/+26
|
* Perform case-insensitive searches for principals on TGS requestsAlexander Bokovoy2012-06-071-21/+52
| | | | | | | | | | We want to always resolve TGS requests even if the user mistakenly sends a request for a service ticket where the fqdn part contain upper case letters. The actual implementation follows hints set by KDC. When AP_REQ is done, KDC sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests. https://fedorahosted.org/freeipa/ticket/1577
* Fix setting domain_sidSimo Sorce2012-05-291-1/+1
| | | | | | | 'sid' is a stack variable, by assigning its address to the domain_sid pointer we were later referencing grabage (whatever on the stack ha[ppened to be at that address. Properly copy the sid and allocate it on the provided memory context.
* Check for locked-out user before incrementing lastfail.Rob Crittenden2012-05-181-4/+6
| | | | | | | | | | | | | | | | | | | | | | If a user become locked due to too many failed logins and then were unlocked by an administrator, the account would not lock again. This was caused by two things: - We were incrementing the fail counter before checking to see if the account was already locked out. - The current fail count wasn't taken into consideration when deciding if the account is locked. The sequence was this: 1. Unlocked account, set failcount to 0 2. Failed login, increment failcount 3. Within lastfailed + lockout_duration, still locked. This skips update the last_failed date. So I reversed 2 and 3 and check to see if the fail count exceeds policy. https://fedorahosted.org/freeipa/ticket/2765
* Fix theoretical leak discovered by coveritySimo Sorce2012-04-171-0/+1
| | | | | | | This was introduced when we started checking the return from ipadb_get_context() to silence another coverity report. That condition can never be true in this function but whatever ... let's silence Coverity once again :)
* Fix MS-PAC checks when using s4u2proxySimo Sorce2012-04-031-4/+6
| | | | | | We were using the wrong principal in the s4u2proxy case. Fixes: https://fedorahosted.org/freeipa/ticket/2504
* Fix failure count interval attribute name in query for password policy.Rob Crittenden2012-03-291-1/+1
| | | | | | | This was causing the failure count interval to not be applied so the failure count was never reset to 0. https://fedorahosted.org/freeipa/ticket/2540
* Fix memleak and silence Coverity defectsSimo Sorce2012-03-223-0/+9
| | | | | | | | | | | | | | | Some of these are not real defects, because we are guaranteed to have valid context in some functions, and checks are not necessary. I added the checks anyway in order to silence Coverity on these issues. One meleak on error condition was fixed in daemons/ipa-kdb/ipa_kdb_pwdpolicy.c Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is actually fine as we count before hand so we never actually use the wrong value that is computed on the last pass when p == 0 Fixes: https://fedorahosted.org/freeipa/ticket/2488
* ipa-kdb: fix delegation acl checkSimo Sorce2012-02-281-2/+4
| | | | | We need to check for a matching acl only if one match hasn't already been found, otherwise results are unpredictable and order dependent.
* policy: add function to check lockout policySimo Sorce2012-02-193-1/+62
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2393
* ipa-kdb: Fix ACL evaluatorSimo Sorce2012-02-201-1/+4
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2343
* Remove compat definesSimo Sorce2012-02-161-32/+0
| | | | | | | These definitions were needed during development to be a le to build against krb5 version < 1.10 These function headers and defintions are now available in 1.10 that is a hard dependency for freeipa 3.0, so we can safely drop them.
* ipa-kdb: set krblastpwdchange only when keys have been effectively changedSimo Sorce2012-02-151-2/+4
|
* ipa-kdb: Avoid lookup on modify if possibleSimo Sorce2012-02-151-19/+27
| | | | This avoids one useless search if we already have the entry_dn.
* ipa-kdb: add AS auditing supportSimo Sorce2012-02-147-91/+254
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2334
* ipa-kdb: Create PAC's KDC checksum with right keySimo Sorce2012-01-111-2/+89
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2170
* ipa-kdb: Verify the correct checksum in PAC validationSimo Sorce2012-01-111-5/+45
| | | | | | | | | | | | | | | | | | This patch requires a forthcoming change in MIT libraries which allows to pass NULL for the server_key to the krb5_pac_verify() function. In most cases we should always only check the KDC checksum to verify the PAC validity. The only exception is when we are releasing a ticket to a client from another realm. In this case the only signature we can check is the server checksum, and we use the cross-realm key to validate in this case. The previous code was working for normal cases because the kdc uses the same key to create the server and the kdc checksum for a TGT, but that is not true for evidence tickets (s4u2proxy) or cross-realm TGTs. Fixes: https://fedorahosted.org/freeipa/ticket/2169
* ipa-kdb: return properly when no PAC is availableSimo Sorce2011-12-091-10/+3
|
generated by cgit (git 2.34.1) at 2024-06-09 17:04:32 +0000