freeipa.git/daemons/ipa-slapi-plugins/ipa-pwd-extop, branch fix_ber_scanf FreeIPA patches ipa-pwd-extop: do not remove MagicRegen mod, replace it 2019-05-28T06:55:51+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-05-16T10:12:38+00:00 a9bcf531a69b8a39ee2df86b4eb783023b33928e In 2012, ldbm backend in 389-ds started checking entry modification after running betxnpreop plugins by comparing a number of modifications before and after. If that number didn't change, it is considered that plugins didn't modify the list. ipa-pwd-extop actually removed and re-added modification to ipaNTHash if it contained 'MagicRegen' value. This did not work since commit https://pagure.io/389-ds-base/c/6c17ec56076d34540929acbcf2f3e65534060a43 but we were lucky nothing in FreeIPA code actually relied on that except some code paths in ipasam Samba passdb driver. However, Samba didn't reach the point where the code was triggered -- until now. With support to run Samba as a domain member in IPA domain, that code path is triggered for Kerberos service principals of domain members (cifs/client.example.test, ...) and NT hash extraction from Kerberos keys does not work. Fix ipa-pwd-extop to follow recommendations in https://pagure.io/389-ds-base/issue/387#comment-120145 and https://pagure.io/389-ds-base/issue/50369#comment-570696 Fixes: https://pagure.io/freeipa/issue/7953 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
In 2012, ldbm backend in 389-ds started checking entry modification
after running betxnpreop plugins by comparing a number of modifications
before and after. If that number didn't change, it is considered that
plugins didn't modify the list.

ipa-pwd-extop actually removed and re-added modification to ipaNTHash if
it contained 'MagicRegen' value. This did not work since commit
https://pagure.io/389-ds-base/c/6c17ec56076d34540929acbcf2f3e65534060a43
but we were lucky nothing in FreeIPA code actually relied on that except
some code paths in ipasam Samba passdb driver. However, Samba didn't
reach the point where the code was triggered -- until now.

With support to run Samba as a domain member in IPA domain, that code
path is triggered for Kerberos service principals of domain members
(cifs/client.example.test, ...) and NT hash extraction from Kerberos
keys does not work.

Fix ipa-pwd-extop to follow recommendations in
https://pagure.io/389-ds-base/issue/387#comment-120145 and
https://pagure.io/389-ds-base/issue/50369#comment-570696

Fixes: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Keytab retrieval: allow requesting arcfour-hmac for SMB services 2019-05-28T06:55:51+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-04-12T13:30:07+00:00 b5fbbd1957873207afc2542a9d32246bccca0556 With system-wide crypto policy in use, arcfour-hmac encryption type might be removed from the list of permitted encryption types in the MIT Kerberos library. Applications aren't prevented to use the arcfour-hmac enctype if they operate on it directly. Since FreeIPA supported and default encryption types stored in LDAP, on the server side we don't directly use a set of permitted encryption types provided by the MIT Kerberos library. However, this set will be trimmed to disallow arcfour-hmac and other weaker types by default. While the arcfour-hmac key can be generated and retrieved, MIT Kerberos library will still not allow its use in Kerberos protocol if it is not on the list of permitted encryption types. We only need this workaround to allow setting up arcfour-hmac key for SMB services where arcfour-hmac key is used to validate communication between a domain member and its domain controller. Without this fix it will not be possible to request setting up a machine account credential from the domain member side. The latter is needed for Samba running on IPA client. Thus, extend filtering facilities in ipa-pwd-extop plugin to explicitly allow arcfour-hmac encryption type for SMB services (Kerberos principal name starts with cifs/). Reviewed-By: Christian Heimes <cheimes@redhat.com> 
With system-wide crypto policy in use, arcfour-hmac encryption type
might be removed from the list of permitted encryption types in the MIT
Kerberos library. Applications aren't prevented to use the arcfour-hmac
enctype if they operate on it directly.

Since FreeIPA supported and default encryption types stored in LDAP, on
the server side we don't directly use a set of permitted encryption
types provided by the MIT Kerberos library. However, this set will be
trimmed to disallow arcfour-hmac and other weaker types by default.

While the arcfour-hmac key can be generated and retrieved, MIT Kerberos
library will still not allow its use in Kerberos protocol if it is not
on the list of permitted encryption types. We only need this workaround
to allow setting up arcfour-hmac key for SMB services where arcfour-hmac
key is used to validate communication between a domain member and its
domain controller. Without this fix it will not be possible to request
setting up a machine account credential from the domain member side. The
latter is needed for Samba running on IPA client.

Thus, extend filtering facilities in ipa-pwd-extop plugin to explicitly
allow arcfour-hmac encryption type for SMB services (Kerberos principal
name starts with cifs/).

Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipapwd_pre_mod: NULL ptr deref 2018-11-01T12:56:31+00:00 Christian Heimes cheimes@redhat.com 2018-11-01T10:41:47+00:00 da2078bc6075b69a7bb52e18ab68cea4e1ecd346 In ipapwd_pre_mod, check userpw for NULL before dereferencing its first element. See: https://pagure.io/freeipa/issue/7738 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
In ipapwd_pre_mod, check userpw for NULL before dereferencing its first
element.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
has_krbprincipalkey: avoid double free 2018-11-01T12:56:31+00:00 Christian Heimes cheimes@redhat.com 2018-11-01T10:41:29+00:00 aa261ba5b1c7594b3314fb606d46ec51f29f31a7 Set keys to NULL after free rder to avoid potential double free. See: https://pagure.io/freeipa/issue/7738 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Set keys to NULL after free rder to avoid potential double free.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Don't abuse strncpy() length limitation 2018-10-24T14:11:55+00:00 Christian Heimes cheimes@redhat.com 2018-10-24T08:19:14+00:00 5fe3198d808346dfb36a45c89784f0e3214a88f1 On two occasions C code abused strncpy()'s length limitation to copy a string of known length without the trailing NULL byte. Recent GCC is raising the compiler warning: warning: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation] Use memcpy() instead if strncpy() to copy data of known size. See: https://pagure.io/freeipa/issue/7738 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
On two occasions C code abused strncpy()'s length limitation to copy a
string of known length without the trailing NULL byte. Recent GCC is
raising the compiler warning:

  warning: ‘strncpy’ output truncated before terminating nul copying as
  many bytes from a string as its length [-Wstringop-truncation]

Use memcpy() instead if strncpy() to copy data of known size.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Move fips_enabled to a common library to share across different plugins 2018-08-13T12:42:16+00:00 Alexander Bokovoy abokovoy@redhat.com 2018-08-08T09:28:53+00:00 de8f969f2d40722b590f43ab9bb31eada58ec4b3 Related: https://pagure.io/freeipa/issue/7659 Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
Related: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
In IPA 4.4 when updating userpassword with ldapmodify does not update krbPasswordExpiration nor krbLastPwdChange 2018-08-03T12:39:11+00:00 Thierry Bordaz tbordaz@redhat.com 2018-07-24T10:16:35+00:00 a71729cc01b83916b5e362a38ce3d65e129b1815 When making ipa-pwd-extop TXN aware, some callbacks are call twice. Particularily ipapwd_pre_add is called during PRE_ADD and TXN_PRE_ADD ipapwd_pre_mod is called during PRE_MOD and TXN_PRE_MOD ipapwd_post_modadd is called during POST_ADD and TXN_POST_ADD ipapwd_post_modadd is called during POST_MOD and TXN_POST_MOD It is not the expected behavior and it results on some skipped updates krbPasswordExpiration and krbLastPwdChange https://pagure.io/freeipa/issue/7601 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
When making ipa-pwd-extop TXN aware, some callbacks are call twice.
Particularily
	ipapwd_pre_add is called during PRE_ADD and TXN_PRE_ADD
	ipapwd_pre_mod is called during PRE_MOD and TXN_PRE_MOD
	ipapwd_post_modadd is called during POST_ADD and TXN_POST_ADD
	ipapwd_post_modadd is called during POST_MOD and TXN_POST_MOD
It is not the expected behavior and it results on some skipped updates krbPasswordExpiration
and krbLastPwdChange

https://pagure.io/freeipa/issue/7601

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Don't try to set Kerberos extradata when there is no principal 2018-05-27T14:08:21+00:00 Rob Crittenden rcritten@redhat.com 2018-05-23T20:30:09+00:00 45d776a7bf05f3495dee078c7dd58ed0db13f64a This was causing ns-slapd to segfault in the password plugin. https://pagure.io/freeipa/issue/7561 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
This was causing ns-slapd to segfault in the password plugin.

https://pagure.io/freeipa/issue/7561

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa_pwd_extop: do not generate NT hashes in FIPS mode 2017-06-21T08:16:41+00:00 Sumit Bose sbose@redhat.com 2017-06-16T15:49:44+00:00 1f0ca6aafd966e086692007a0df76e3c3276915f In FIPS mode NT hashes (aka md4) are not allowed. If FIPS more is detected we disable NT hashes even is the are allowed by IPA configuration. Resolves https://pagure.io/freeipa/issue/7026 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
In FIPS mode NT hashes (aka md4) are not allowed. If FIPS more is
detected we disable NT hashes even is the are allowed by IPA
configuration.

Resolves https://pagure.io/freeipa/issue/7026

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
slapi plugins: fix CFLAGS 2017-03-15T08:55:12+00:00 Jan Cholasta jcholast@redhat.com 2017-03-15T05:14:25+00:00 b7329e31f5c985b9721e3a21b1cd1bec6430129d Add explicit NSPR_CFLAGS and NSS_CFLAGS where NSPR_LIBS and NSS_LIBS is used. Use DIRSRV_CFLAGS rather than hardcode -I/usr/include/dirsrv. Append NSPR_CFLAGS to DIRSRV_CFLAGS in ./configure as slapi-plugin.h includes nspr.h. Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> 
Add explicit NSPR_CFLAGS and NSS_CFLAGS where NSPR_LIBS and NSS_LIBS is
used.

Use DIRSRV_CFLAGS rather than hardcode -I/usr/include/dirsrv.

Append NSPR_CFLAGS to DIRSRV_CFLAGS in ./configure as slapi-plugin.h
includes nspr.h.

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>