freeipa.git/daemons/ipa-slapi-plugins, branch fix_ber_scanf FreeIPA patches extdom: use sss_nss_*_timeout calls 2019-09-12T07:48:13+00:00 Tomas Halman thalman@redhat.com 2019-09-10T11:46:08+00:00 84b6c0f53b9ebdd4c01181898499bb6992aa9e8a Use nss calls with timeout in extdom plugin Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Use nss calls with timeout in extdom plugin

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
extdom: plugin doesn't use timeout in blocking call 2019-09-12T07:48:13+00:00 Tomas Halman thalman@redhat.com 2019-09-10T11:32:45+00:00 5f898c3c614f4165f0eb15c3aad2157689fbbcfe Expose nss timeout parameter. Use sss_nss_getorigbyname_timeout instead of sss_nss_getorigbyname Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Expose nss timeout parameter. Use sss_nss_getorigbyname_timeout
instead of sss_nss_getorigbyname

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
extdom: plugin doesn't allow @ in group name 2019-09-12T07:48:13+00:00 Tomas Halman thalman@redhat.com 2019-09-03T14:33:54+00:00 e5f04258b5b3fb6c04c28ddd38ae251c822e80bc Old implementation handles username and group names with one common call. Character @ is used in the call to detect UPN. Group name can legaly contain this character and therefore the common approach doesn't work in such case. Also the original call is less efficient because it tries to resolv username allways then it fallback to group resolution. Here we implement two new separate calls for resolving users and groups. Fixes: https://bugzilla.redhat.com/1746951 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Old implementation handles username and group names with
one common call. Character @ is used in the call to detect UPN.

Group name can legaly contain this character and therefore the
common approach doesn't work in such case.

Also the original call is less efficient because it tries to resolv
username allways then it fallback to group resolution.

Here we implement two new separate calls for resolving users and
groups.

Fixes: https://bugzilla.redhat.com/1746951
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-extdom-extop: test timed out getgrgid_r 2019-08-19T08:20:57+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-08-19T07:15:50+00:00 c78cb9404e4fad9a8f4f778cee59c1c2b9038a49 Simulate getgrgid_r() timeout when packing list of groups user is a member of in pack_ber_user(). Related: https://pagure.io/freeipa/issue/8044 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Simulate getgrgid_r() timeout when packing list of groups user is a
member of in pack_ber_user().

Related: https://pagure.io/freeipa/issue/8044
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT 2019-08-19T08:20:57+00:00 Sumit Bose sbose@redhat.com 2019-06-14T09:13:54+00:00 9fe984fed7a7091bd1366be95fdfa2f56f777bb8 A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to remove the searched object from the cache. As a consequence LDAP_NO_SUCH_OBJECT should only be returned if the object really does not exists otherwise the data of existing objects might be removed form the cache of the clients causing unexpected behaviour like authentication errors. Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code. With this patch LDAP_NO_SUCH_OBJECT is only returned if the related lookup functions return ENOENT. Timeout related error code will lead to LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default error code. Fixes: https://pagure.io/freeipa/issue/8044 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to
remove the searched object from the cache. As a consequence
LDAP_NO_SUCH_OBJECT should only be returned if the object really does
not exists otherwise the data of existing objects might be removed form
the cache of the clients causing unexpected behaviour like
authentication errors.

Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code.
With this patch LDAP_NO_SUCH_OBJECT is only returned if the related
lookup functions return ENOENT. Timeout related error code will lead to
LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default
error code.

Fixes: https://pagure.io/freeipa/issue/8044
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-pwd-extop: do not remove MagicRegen mod, replace it 2019-05-28T06:55:51+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-05-16T10:12:38+00:00 a9bcf531a69b8a39ee2df86b4eb783023b33928e In 2012, ldbm backend in 389-ds started checking entry modification after running betxnpreop plugins by comparing a number of modifications before and after. If that number didn't change, it is considered that plugins didn't modify the list. ipa-pwd-extop actually removed and re-added modification to ipaNTHash if it contained 'MagicRegen' value. This did not work since commit https://pagure.io/389-ds-base/c/6c17ec56076d34540929acbcf2f3e65534060a43 but we were lucky nothing in FreeIPA code actually relied on that except some code paths in ipasam Samba passdb driver. However, Samba didn't reach the point where the code was triggered -- until now. With support to run Samba as a domain member in IPA domain, that code path is triggered for Kerberos service principals of domain members (cifs/client.example.test, ...) and NT hash extraction from Kerberos keys does not work. Fix ipa-pwd-extop to follow recommendations in https://pagure.io/389-ds-base/issue/387#comment-120145 and https://pagure.io/389-ds-base/issue/50369#comment-570696 Fixes: https://pagure.io/freeipa/issue/7953 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
In 2012, ldbm backend in 389-ds started checking entry modification
after running betxnpreop plugins by comparing a number of modifications
before and after. If that number didn't change, it is considered that
plugins didn't modify the list.

ipa-pwd-extop actually removed and re-added modification to ipaNTHash if
it contained 'MagicRegen' value. This did not work since commit
https://pagure.io/389-ds-base/c/6c17ec56076d34540929acbcf2f3e65534060a43
but we were lucky nothing in FreeIPA code actually relied on that except
some code paths in ipasam Samba passdb driver. However, Samba didn't
reach the point where the code was triggered -- until now.

With support to run Samba as a domain member in IPA domain, that code
path is triggered for Kerberos service principals of domain members
(cifs/client.example.test, ...) and NT hash extraction from Kerberos
keys does not work.

Fix ipa-pwd-extop to follow recommendations in
https://pagure.io/389-ds-base/issue/387#comment-120145 and
https://pagure.io/389-ds-base/issue/50369#comment-570696

Fixes: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Keytab retrieval: allow requesting arcfour-hmac for SMB services 2019-05-28T06:55:51+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-04-12T13:30:07+00:00 b5fbbd1957873207afc2542a9d32246bccca0556 With system-wide crypto policy in use, arcfour-hmac encryption type might be removed from the list of permitted encryption types in the MIT Kerberos library. Applications aren't prevented to use the arcfour-hmac enctype if they operate on it directly. Since FreeIPA supported and default encryption types stored in LDAP, on the server side we don't directly use a set of permitted encryption types provided by the MIT Kerberos library. However, this set will be trimmed to disallow arcfour-hmac and other weaker types by default. While the arcfour-hmac key can be generated and retrieved, MIT Kerberos library will still not allow its use in Kerberos protocol if it is not on the list of permitted encryption types. We only need this workaround to allow setting up arcfour-hmac key for SMB services where arcfour-hmac key is used to validate communication between a domain member and its domain controller. Without this fix it will not be possible to request setting up a machine account credential from the domain member side. The latter is needed for Samba running on IPA client. Thus, extend filtering facilities in ipa-pwd-extop plugin to explicitly allow arcfour-hmac encryption type for SMB services (Kerberos principal name starts with cifs/). Reviewed-By: Christian Heimes <cheimes@redhat.com> 
With system-wide crypto policy in use, arcfour-hmac encryption type
might be removed from the list of permitted encryption types in the MIT
Kerberos library. Applications aren't prevented to use the arcfour-hmac
enctype if they operate on it directly.

Since FreeIPA supported and default encryption types stored in LDAP, on
the server side we don't directly use a set of permitted encryption
types provided by the MIT Kerberos library. However, this set will be
trimmed to disallow arcfour-hmac and other weaker types by default.

While the arcfour-hmac key can be generated and retrieved, MIT Kerberos
library will still not allow its use in Kerberos protocol if it is not
on the list of permitted encryption types. We only need this workaround
to allow setting up arcfour-hmac key for SMB services where arcfour-hmac
key is used to validate communication between a domain member and its
domain controller. Without this fix it will not be possible to request
setting up a machine account credential from the domain member side. The
latter is needed for Samba running on IPA client.

Thus, extend filtering facilities in ipa-pwd-extop plugin to explicitly
allow arcfour-hmac encryption type for SMB services (Kerberos principal
name starts with cifs/).

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Coverity: fix issue in ipa_extdom_extop.c 2019-03-21T14:18:56+00:00 Florence Blanc-Renaud flo@redhat.com 2019-03-21T12:59:32+00:00 3ae38973c5961c17bd95b6831ab7a8469a4bfc5c Coverity found the following issue: Error: BAD_COMPARE (CWE-697): [#def1] freeipa-4.6.5/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c:121: null_misuse: Comparing pointer "threadnumber" against "NULL" using anything besides "==" or "!=" is likely to be incorrect. The comparison is using the pointer while it should use the pointed value. Fixes: https://pagure.io/freeipa/issue/7884 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Coverity found the following issue:
Error: BAD_COMPARE (CWE-697): [#def1]
freeipa-4.6.5/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c:121: null_misuse: Comparing pointer "threadnumber" against "NULL" using anything besides "==" or "!=" is likely to be incorrect.

The comparison is using the pointer while it should use the pointed value.

Fixes: https://pagure.io/freeipa/issue/7884
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-extdom-exop: add instance counter and limit 2019-03-14T13:42:35+00:00 Sumit Bose sbose@redhat.com 2019-03-08T15:07:56+00:00 33af8c75b334b847c59ee67f33f9777f58eba41f The user and group lookups done by the extdom plugin might need some time depending on the state of the service (typically SSSD) handling the requests. To avoid that all worker threads are busy waiting on a connect or a reply from SSSD and no other request can be handled this patch adds an instance counter and an instance limit for the extdom plugin. By default the limit will be around 80% of the number of worker threads. It can be tuned further with the plugin option ipaExtdomMaxInstances which must in set in ipaextdommaxinstances and should have an integer value larger than 0 and lesser than the number of worker threads. If the instance limit is reached the extdom plugin will return LDAP_BUSY for every new request until the number of instance is again below the limit. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
The user and group lookups done by the extdom plugin might need some
time depending on the state of the service (typically SSSD) handling the
requests.

To avoid that all worker threads are busy waiting on a connect or a
reply from SSSD and no other request can be handled this patch adds an
instance counter and an instance limit for the extdom plugin.

By default the limit will be around 80% of the number of worker threads.
It can be tuned further with the plugin option ipaExtdomMaxInstances
which must in set in ipaextdommaxinstances and should have an integer
value larger than 0 and lesser than the number of worker threads.

If the instance limit is reached the extdom plugin will return LDAP_BUSY
for every new request until the number of instance is again below the
limit.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Compile IPA modules with C11 extensions 2019-02-07T11:33:45+00:00 Christian Heimes cheimes@redhat.com 2019-02-06T12:47:01+00:00 93fb037d8409d9d46606c31d8a240e3963b72651 - define __STDC_WANT_LIB_EXT1__ to get C11 extensions like memset_s() for Samba's ZERO_STRUCT() macro, see https://en.cppreference.com/w/c/string/byte/memset - _DEFAULT_SOURCE enables features like htole16() from endian.h, see http://man7.org/linux/man-pages/man3/endian.3.html - _POSIX_C_SOURCE >= 200809 enables features like strndup() from string.h, see http://man7.org/linux/man-pages/man3/strndup.3.html - time_t is no longer implicitly defined, include time.h - typeof() is only available as GNU extension. Use explicit types instead of generic __typeof__(). Fixes: https://pagure.io/freeipa/issue/7858 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
- define __STDC_WANT_LIB_EXT1__ to get C11 extensions like memset_s() for
  Samba's ZERO_STRUCT() macro, see
  https://en.cppreference.com/w/c/string/byte/memset
- _DEFAULT_SOURCE enables features like htole16() from endian.h, see
  http://man7.org/linux/man-pages/man3/endian.3.html
- _POSIX_C_SOURCE >= 200809 enables features like strndup() from string.h,
  see http://man7.org/linux/man-pages/man3/strndup.3.html
- time_t is no longer implicitly defined, include time.h
- typeof() is only available as GNU extension. Use explicit types
  instead of generic __typeof__().

Fixes: https://pagure.io/freeipa/issue/7858
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>