freeipa.git/daemons/ipa-sam, branch fix_ber_scanf FreeIPA patches ipasam: add handling of machine accounts 2019-06-29T08:00:28+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-03-01T16:55:29+00:00 91abd1f67ad86ecdaf3100e282b045a6be7de591 Domain member is represented for SMB as a machine account with NetBIOS name ending with '$', e.g. 'FILESERVER$'. Such name will need to be resolved as a POSIX account by smbd at some point but first we need to make sure it is returned as a machine account through PASSDB layer. In addition to that, machine accounts are normal Kerberos services, named as 'cifs/<hostname>@REALM'. This name also will need to be resolved as a POSIX account by smbd on the domain controller. These two factors mean that LDAP entry for SMB kerberos service has to have multiple 'uid' values. This is allowed by the LDAP schema and we need to support it in ipasam. Fixes: https://pagure.io/freeipa/issue/3999 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Domain member is represented for SMB as a machine account with
NetBIOS name ending with '$', e.g. 'FILESERVER$'. Such name will need to
be resolved as a POSIX account by smbd at some point but first we need
to make sure it is returned as a machine account through PASSDB layer.

In addition to that, machine accounts are normal Kerberos services,
named as 'cifs/<hostname>@REALM'. This name also will need to be
resolved as a POSIX account by smbd on the domain controller.

These two factors mean that LDAP entry for SMB kerberos service has to
have multiple 'uid' values. This is allowed by the LDAP schema and we
need to support it in ipasam.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipasam: add lookup of an account by SID 2019-06-29T08:00:28+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-03-01T16:51:04+00:00 a42352628df6ac4a9a174bee89032c356fac4801 Samba may ask for an account based on a SID value. Implement a callback to return a result of such lookup since we should have SID for every domain account that is supposed to be usable through SMB protocol. Fixes: https://pagure.io/freeipa/issue/3999 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Samba may ask for an account based on a SID value. Implement a callback
to return a result of such lookup since we should have SID for every
domain account that is supposed to be usable through SMB protocol.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
adtrust upgrade: fix wrong primary principal name 2019-06-26T08:50:45+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-06-25T12:22:57+00:00 34bfffd1bed4ecd11fbcfe54904e0ac7e3f609e7 Upgrade code had Kerberos principal names mixed up: instead of creating krbtgt/LOCAL-FLAT@REMOTE and marking LOCAL-FLAT$@REMOTE as an alias to it, it created LOCAL-FLAT$@REMOTE Kerberos principal and marked krbtgt/LOCAL-FLAT@REMOTE as an alias. This differs from what Active Directory expects and what is created by ipasam plugin when trust is established. When upgrading such deployment, an upgrade code then unexpectedly failed. Resolves: https://pagure.io/freeipa/issue/7992 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Upgrade code had Kerberos principal names mixed up: instead of creating
krbtgt/LOCAL-FLAT@REMOTE and marking LOCAL-FLAT$@REMOTE as an alias to
it, it created LOCAL-FLAT$@REMOTE Kerberos principal and marked
krbtgt/LOCAL-FLAT@REMOTE as an alias.

This differs from what Active Directory expects and what is created by
ipasam plugin when trust is established. When upgrading such deployment,
an upgrade code then unexpectedly failed.

Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipasam: use SID formatting calls to libsss_idmap 2019-04-01T10:08:12+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-03-31T09:37:21+00:00 ffcbb835089c8fb71eadd48230e3c034d7ecda96 Samba 4.10 moved away to private libraries two functions we used to convert a binary SID structre to strings: - sid_talloc_string() - sid_string_dbg() We already used libsss_idmap to convert textual representation of SIDs to a binary one, use the reverse function too. libsss_idmap code operates on talloc structures, so we need to adopt a bit a place where sid_string_dbg() was used because it assumed a static buffer was provided by sid_string_dbg(). Finally, sid_talloc_string()'s replacement moves allocated memory to the right context so that a memory will be freed earlier. Our SSSD idmap context is a long-living one while in all cases where we were using sid_talloc_string() we free the context much earlier. Resolves: https://pagure.io/freeipa/issue/7893 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Samba 4.10 moved away to private libraries two functions we used to
convert a binary SID structre to strings:
 - sid_talloc_string()
 - sid_string_dbg()

We already used libsss_idmap to convert textual representation of SIDs
to a binary one, use the reverse function too.

libsss_idmap code operates on talloc structures, so we need to adopt a
bit a place where sid_string_dbg() was used because it assumed a static
buffer was provided by sid_string_dbg().

Finally, sid_talloc_string()'s replacement moves allocated memory to the
right context so that a memory will be freed earlier. Our SSSD idmap
context is a long-living one while in all cases where we were using
sid_talloc_string() we free the context much earlier.

Resolves: https://pagure.io/freeipa/issue/7893
Reviewed-By: Christian Heimes <cheimes@redhat.com>
trusts: add support for one-way shared secret trust 2019-03-28T13:08:19+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-03-22T16:56:52+00:00 dc8f074cc7ba647644b96785590f1645e5661a93 Refactor ipa-sam code to generate principals with additional POSIX information so that FreeIPA is capable to establish trust when using a shared secret from Active Directory domain controller side. Trust verification process from Samba AD DC or Microsoft Windows AD DC side requires us to have a working local TDO object with POSIX attributes so that smbd would be able to map incoming authenticated Kerberos principal for the TDO to a local POSIX account. Note that FreeIPA stores TDO objects in a subtree of cn=trusts,$SUFFIX and thus SSSD is not able to see these POSIX accounts unless specifically instructed to do so via multiple search bases. The support for automatically enabling cn=trusts,$SUFFIX search base in IPA server mode was added to SSSD 1.16.3 and 2.1.0 with the commit https://pagure.io/SSSD/sssd/c/14faec9cd9437ef116ae054412d25ec2e820e409 Fixes: https://pagure.io/freeipa/issue/6077 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Refactor ipa-sam code to generate principals with additional POSIX
information so that FreeIPA is capable to establish trust when using a
shared secret from Active Directory domain controller side.

Trust verification process from Samba AD DC or Microsoft Windows AD DC
side requires us to have a working local TDO object with POSIX
attributes so that smbd would be able to map incoming authenticated
Kerberos principal for the TDO to a local POSIX account.

Note that FreeIPA stores TDO objects in a subtree of cn=trusts,$SUFFIX
and thus SSSD is not able to see these POSIX accounts unless
specifically instructed to do so via multiple search bases. The support
for automatically enabling cn=trusts,$SUFFIX search base in IPA server
mode was added to SSSD 1.16.3 and 2.1.0 with the commit
https://pagure.io/SSSD/sssd/c/14faec9cd9437ef116ae054412d25ec2e820e409

Fixes: https://pagure.io/freeipa/issue/6077
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa_sam: remove dependency to talloc_strackframe.h 2019-02-19T14:36:55+00:00 Sumit Bose sbose@redhat.com 2019-02-19T11:30:40+00:00 d1f5ed64e16d65b9df45cc0eac7d2724dcae7b67 Recent Samba versions removed some header files which did include non-public APIs. As a result talloc_strackframe.h and memory.h (for SAFE_FREE) are not available anymore. This patch replaces the use of the non-public APIs with public ones. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: François Cami <fcami@redhat.com> 
Recent Samba versions removed some header files which did include
non-public APIs. As a result talloc_strackframe.h and memory.h (for
SAFE_FREE) are not available anymore. This patch replaces the use of the
non-public APIs with public ones.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Remove ZERO_STRUCT() call 2019-02-07T12:38:34+00:00 Christian Heimes cheimes@redhat.com 2019-02-07T11:11:42+00:00 272837f1c07729392cdbc88b99a221390d01e70d ipa_sam uses Samba's macro ZERO_STRUCT() to safely zero out a block in memory. On F30 ZERO_STRUCT() is currently broken, because it uses the undefined C11 function memset_s(). During investigation of the bug, it turned out that ZERO_STRUCT(td->security_identifier) is not needed. The whole td struct is allocated with talloc_zero(), so td->security_identifier is already zeroed. See: https://bugzilla.redhat.com/show_bug.cgi?id=1672231 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
ipa_sam uses Samba's macro ZERO_STRUCT() to safely zero out a block in
memory. On F30 ZERO_STRUCT() is currently broken, because it uses the
undefined C11 function memset_s().

During investigation of the bug, it turned out that
ZERO_STRUCT(td->security_identifier) is not needed. The whole td struct
is allocated with talloc_zero(), so td->security_identifier is already
zeroed.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1672231
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipasam: do not use RC4 in FIPS mode 2018-08-13T12:42:16+00:00 Alexander Bokovoy abokovoy@redhat.com 2018-08-08T10:04:04+00:00 6907a0cef7f22293c16df17aa486f7ec2d8a0899 When creating Kerberos keys for trusted domain object account, ipasam module requests to generate keys using a series of well-known encryption types. In FIPS mode it is not possible to generate RC4-HMAC key: MIT Kerberos is using openssl crypto backend and openssl does not allow use of RC4 in FIPS mode. Thus, we have to filter out RC4-HMAC encryption type when running in FIPS mode. A side-effect is that a trust to Active Directory running with Windows Server 2003 will not be possible anymore in FIPS mode. Resolves: https://pagure.io/freeipa/issue/7659 Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
When creating Kerberos keys for trusted domain object account, ipasam
module requests to generate keys using a series of well-known encryption
types. In FIPS mode it is not possible to generate RC4-HMAC key:
MIT Kerberos is using openssl crypto backend and openssl does not allow
use of RC4 in FIPS mode.

Thus, we have to filter out RC4-HMAC encryption type when running in
FIPS mode. A side-effect is that a trust to Active Directory running
with Windows Server 2003 will not be possible anymore in FIPS mode.

Resolves: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
ipa-sam: use smbldap_set_bind_callback for Samba 4.7 or later 2017-07-11T13:21:35+00:00 Alexander Bokovoy abokovoy@redhat.com 2017-07-03T11:38:05+00:00 3ab6a68e91a4fad5af037a910fd4f6b6d8f7611f Samba 4.7 tightens up smbldap API by making 'struct smbldap_state' an opaque. This means ipa-sam module cannot anymore directly set its LDAP bind callback. Use new smbldap API to set the LDAP bind callback. Fixes https://pagure.io/freeipa/issue/6877 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Samba 4.7 tightens up smbldap API by making 'struct smbldap_state' an
opaque. This means ipa-sam module cannot anymore directly set its
LDAP bind callback.

Use new smbldap API to set the LDAP bind callback.

Fixes https://pagure.io/freeipa/issue/6877

Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa-sam: use own private structure, not ldapsam_privates 2017-07-11T13:21:35+00:00 Alexander Bokovoy abokovoy@redhat.com 2017-04-19T12:16:15+00:00 11d43a16035d9ce7970ddf757f17025289ec4854 With Samba 4.7 access to ldapsam internal structures will not be available for external applications. FreeIPA's ipasam module was using those for own needs. Now it needs to migrate to proper own private structure. Given that we anyway need to implement many missing functions like pdb_update_sam_account() callback with FreeIPA-specific logic, piggybacking on ldapsam structures is not needed anymore. Fixes https://pagure.io/freeipa/issue/6877 Reviewed-By: Martin Basti <mbasti@redhat.com> 
With Samba 4.7 access to ldapsam internal structures will not be
available for external applications. FreeIPA's ipasam module was using
those for own needs. Now it needs to migrate to proper own private
structure.

Given that we anyway need to implement many missing functions like
pdb_update_sam_account() callback with FreeIPA-specific logic,
piggybacking on ldapsam structures is not needed anymore.

Fixes https://pagure.io/freeipa/issue/6877

Reviewed-By: Martin Basti <mbasti@redhat.com>