freeipa.git/install/updates, branch fix_ber_scanf FreeIPA patches adtrust: add default read_keys permission for TDO objects 2019-09-12T14:17:53+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-09-12T08:21:51+00:00 0be98884991ff14720dfce428e4f23ebc4a42311 If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys attribute values, it cannot be used by SSSD to retrieve TDO keys and the whole communication with Active Directory domain controllers will not be possible. This seems to affect trusts which were created before ipaAllowedToPerform;read_keys permission granting was introduced (FreeIPA 4.2). Add back the default setting for the permissions which grants access to trust agents and trust admins. Resolves: https://pagure.io/freeipa/issue/8067 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.

This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permissions which
grants access to trust agents and trust admins.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
install: Add missing scripts to app_DATA. 2019-08-11T08:37:29+00:00 Timo Aaltonen tjaalton@debian.org 2019-08-09T20:03:25+00:00 0000fe0502e75fcc68c6b9a8bc5b2b5a79fb4888 Signed-off-by: Timo Aaltonen <tjaalton@debian.org> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Create indexes for altSecurityIdentities and ipaCertmapData attributes 2019-07-17T14:50:07+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-05-03T06:00:09+00:00 725899595f42b607989db96d849e1b4f01de7faa During an investigation into filter optimisation in 389DS it was discovered that two attributes of the certmap query are unindexed. Due to the nature of LDAP filters, if any member of an OR query is unindexed, the entire OR becomes unindexed. This is then basically a full-table scan, which applies the filter test to the contained members. Fixes: https://pagure.io/freeipa/issue/7932 Fixes: https://pagure.io/freeipa/issue/7933 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
During an investigation into filter optimisation in 389DS it was
discovered that two attributes of the certmap query are unindexed.
Due to the nature of LDAP filters, if any member of an OR query is
unindexed, the entire OR becomes unindexed.

This is then basically a full-table scan, which applies the filter test
to the contained members.

Fixes: https://pagure.io/freeipa/issue/7932
Fixes: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Add altSecurityIdentities attribute from MS-WSPP schema definition 2019-07-17T14:50:07+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-05-03T05:57:07+00:00 5a83eea20bdd0c1c6302eada774ef3d8cfa04e36 Active Directory schema includes altSecurityIdentities attribute which presents alternative security identities for a bindable object in Active Directory. FreeIPA doesn't currently use this attribute. However, SSSD certmap library may generate searches referencing the attribute if it is specified in the certificate mapping rule. Such search might be considered unindexed in 389-ds. Define altSecurityIdentities attribute to allow specifying indexing rules for it. Fixes: https://pagure.io/freeipa/issue/7932 Related: https://pagure.io/freeipa/issue/7933 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
Active Directory schema includes altSecurityIdentities attribute
which presents alternative security identities for a bindable object in
Active Directory.

FreeIPA doesn't currently use this attribute. However, SSSD certmap
library may generate searches referencing the attribute if it is
specified in the certificate mapping rule. Such search might be
considered unindexed in 389-ds.

Define altSecurityIdentities attribute to allow specifying indexing
rules for it.

Fixes: https://pagure.io/freeipa/issue/7932
Related: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Fix `test_webui.test_selinuxusermap` 2019-07-15T11:41:23+00:00 Stanislav Levin slev@altlinux.org 2019-07-05T11:39:17+00:00 ac1ea0ec6710f40adffc3f04b39422f3043c6554 A previous refactoring of SELinux tests has have a wrong assumption about the user field separator within ipaSELinuxUserMapOrder. That was '$$', but should be just '$'. Actually, '.ldif' and '.update' files are passed through Python template string substitution: > $$ is an escape; it is replaced with a single $. > $identifier names a substitution placeholder matching > a mapping key of "identifier" This means that the text to be substituted on should not be escaped. The wrong ipaSELinuxUserMapOrder previously set will be replaced on upgrade. Fixes: https://pagure.io/freeipa/issue/7996 Fixes: https://pagure.io/freeipa/issue/8005 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
A previous refactoring of SELinux tests has have a wrong
assumption about the user field separator within
ipaSELinuxUserMapOrder. That was '$$', but should be just '$'.

Actually, '.ldif' and '.update' files are passed through
Python template string substitution:

> $$ is an escape; it is replaced with a single $.
> $identifier names a substitution placeholder matching
> a mapping key of "identifier"

This means that the text to be substituted on should not be escaped.
The wrong ipaSELinuxUserMapOrder previously set will be replaced on
upgrade.

Fixes: https://pagure.io/freeipa/issue/7996
Fixes: https://pagure.io/freeipa/issue/8005
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Make use of single configuration point for SELinux 2019-07-01T11:44:57+00:00 Stanislav Levin slev@altlinux.org 2019-06-27T08:52:40+00:00 b2acd65013348c0f5d91582f240714b0f3357678 For now, FreeIPA supports SELinux things as they are in RedHat/Fedora. But different distributions may have their own SELinux customizations. This moves SELinux configuration out to platform constants: - SELINUX_MCS_MAX - SELINUX_MCS_REGEX - SELINUX_MLS_MAX - SELINUX_MLS_REGEX - SELINUX_USER_REGEX - SELINUX_USERMAP_DEFAULT - SELINUX_USERMAP_ORDER and applies corresponding changes to the test code. Fixes: https://pagure.io/freeipa/issue/7996 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.

This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER

and applies corresponding changes to the test code.

Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix a typo in `replace` rule of 50-ipaconfig.update 2019-07-01T11:44:57+00:00 Stanislav Levin slev@altlinux.org 2019-06-27T08:51:36+00:00 215e8f768c47261d78043dcea23add3da12f364e According to ipaserver/install/ldapupdate.py, the format of `replace` action (during a parsing of update files) should be `old::new`. By now, the value to be replaced on is 'ipaSELinuxUserMapOrder: guest_u$$...', while it should be 'guest_u$$...'. Fixes: https://pagure.io/freeipa/issue/7996 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
According to ipaserver/install/ldapupdate.py, the format of `replace`
action (during a parsing of update files) should be `old::new`.

By now, the value to be replaced on is 'ipaSELinuxUserMapOrder: guest_u$$...',
while it should be 'guest_u$$...'.

Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add SMB attributes for users 2019-07-01T11:21:21+00:00 Tibor Dudlák tdudlak@redhat.com 2019-04-02T14:23:09+00:00 c18ee9b641ddc1e6b52d0413caa1fb98ac13785d SMB attributes are used by Samba domain controller when reporting details about IPA users via LSA DCE RPC calls. Based on the initial work from the external plugin: https://github.com/abbra/freeipa-user-trust-attributes Related: https://pagure.io/freeipa/issue/3999 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Signed-off-by: Tibor Dudlák <tdudlak@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Tibor Dudlak <tdudlak@redhat.com> 
SMB attributes are used by Samba domain controller when reporting
details about IPA users via LSA DCE RPC calls.

Based on the initial work from the external plugin:
https://github.com/abbra/freeipa-user-trust-attributes

Related: https://pagure.io/freeipa/issue/3999

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Tibor Dudlák <tdudlak@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
adtrust: update Samba domain controller keytab with host keys 2019-06-29T08:00:28+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-06-16T13:19:21+00:00 d631e008ccec6827ca0c4b8d442469b0f0c994a8 When DCERPC clients use Kerberos authentication, they use a service ticket to host/domain.controller because in Active Directory any service on the host is an alias to the machine account object. In FreeIPA each Kerberos service has own keys so host/.. and cifs/.. do not share the same keys. It means Samba suite needs to have access to host/.. keytab entries to validate incoming DCERPC requests. Unfortunately, MIT Kerberos has no means to operate on multiple keytabs at the same time and Samba doesn't implement this either. We cannot use GSS-Proxy as well because Samba daemons are running under root. As a workaround, copy missing aes256 and aes128 keys from the host keytab. SMB protocol doesn't use other encryption types and we don't have rc4-hmac for the host either. Fixes: https://pagure.io/freeipa/issue/3999 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
When DCERPC clients use Kerberos authentication, they use a service
ticket to host/domain.controller because in Active Directory any
service on the host is an alias to the machine account object.

In FreeIPA each Kerberos service has own keys so host/.. and cifs/..
do not share the same keys. It means Samba suite needs to have access to
host/.. keytab entries to validate incoming DCERPC requests.

Unfortunately, MIT Kerberos has no means to operate on multiple keytabs
at the same time and Samba doesn't implement this either. We cannot use
GSS-Proxy as well because Samba daemons are running under root.

As a workaround, copy missing aes256 and aes128 keys from the host
keytab. SMB protocol doesn't use other encryption types and we don't
have rc4-hmac for the host either.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Keytab retrieval: allow requesting arcfour-hmac for SMB services 2019-05-28T06:55:51+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-04-12T13:30:07+00:00 b5fbbd1957873207afc2542a9d32246bccca0556 With system-wide crypto policy in use, arcfour-hmac encryption type might be removed from the list of permitted encryption types in the MIT Kerberos library. Applications aren't prevented to use the arcfour-hmac enctype if they operate on it directly. Since FreeIPA supported and default encryption types stored in LDAP, on the server side we don't directly use a set of permitted encryption types provided by the MIT Kerberos library. However, this set will be trimmed to disallow arcfour-hmac and other weaker types by default. While the arcfour-hmac key can be generated and retrieved, MIT Kerberos library will still not allow its use in Kerberos protocol if it is not on the list of permitted encryption types. We only need this workaround to allow setting up arcfour-hmac key for SMB services where arcfour-hmac key is used to validate communication between a domain member and its domain controller. Without this fix it will not be possible to request setting up a machine account credential from the domain member side. The latter is needed for Samba running on IPA client. Thus, extend filtering facilities in ipa-pwd-extop plugin to explicitly allow arcfour-hmac encryption type for SMB services (Kerberos principal name starts with cifs/). Reviewed-By: Christian Heimes <cheimes@redhat.com> 
With system-wide crypto policy in use, arcfour-hmac encryption type
might be removed from the list of permitted encryption types in the MIT
Kerberos library. Applications aren't prevented to use the arcfour-hmac
enctype if they operate on it directly.

Since FreeIPA supported and default encryption types stored in LDAP, on
the server side we don't directly use a set of permitted encryption
types provided by the MIT Kerberos library. However, this set will be
trimmed to disallow arcfour-hmac and other weaker types by default.

While the arcfour-hmac key can be generated and retrieved, MIT Kerberos
library will still not allow its use in Kerberos protocol if it is not
on the list of permitted encryption types. We only need this workaround
to allow setting up arcfour-hmac key for SMB services where arcfour-hmac
key is used to validate communication between a domain member and its
domain controller. Without this fix it will not be possible to request
setting up a machine account credential from the domain member side. The
latter is needed for Samba running on IPA client.

Thus, extend filtering facilities in ipa-pwd-extop plugin to explicitly
allow arcfour-hmac encryption type for SMB services (Kerberos principal
name starts with cifs/).

Reviewed-By: Christian Heimes <cheimes@redhat.com>