<feed xmlns='http://www.w3.org/2005/Atom'>
<title>freeipa.git/ipaserver/install/plugins, branch fix_ber_scanf</title>
<subtitle>FreeIPA patches</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/'/>
<entry>
<title>adtrust: add default read_keys permission for TDO objects</title>
<updated>2019-09-12T14:17:53+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2019-09-12T08:21:51+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=0be98884991ff14720dfce428e4f23ebc4a42311'/>
<id>0be98884991ff14720dfce428e4f23ebc4a42311</id>
<content type='text'>
If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.

This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permission which
grants access to trust agents and trust admins.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy &lt;abokovoy@redhat.com&gt;
Reviewed-By: Florence Blanc-Renaud &lt;frenaud@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.

This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permission which
grants access to trust agents and trust admins.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy &lt;abokovoy@redhat.com&gt;
Reviewed-By: Florence Blanc-Renaud &lt;frenaud@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>add default access control when migrating trust objects</title>
<updated>2019-09-12T14:17:53+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2019-09-10T10:39:39+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=9aeb6bae23dc21b97dbd784f8d954ee0dcde1d8f'/>
<id>9aeb6bae23dc21b97dbd784f8d954ee0dcde1d8f</id>
<content type='text'>
It looks like for some cases we do not have properly set up keytab
retrieval configuration in the old trusted domain object. This mostly
affects two-way trust cases. In such cases, create default configuration
as ipasam would have created when trust was established.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy &lt;abokovoy@redhat.com&gt;
Reviewed-By: Florence Blanc-Renaud &lt;frenaud@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
It looks like for some cases we do not have properly set up keytab
retrieval configuration in the old trusted domain object. This mostly
affects two-way trust cases. In such cases, create default configuration
as ipasam would have created when trust was established.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy &lt;abokovoy@redhat.com&gt;
Reviewed-By: Florence Blanc-Renaud &lt;frenaud@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>adtrust: avoid using timestamp in klist output</title>
<updated>2019-09-10T09:25:07+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2019-09-09T08:02:29+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=80e4c18b75af989d5839aba7e6a1efc06da16f81'/>
<id>80e4c18b75af989d5839aba7e6a1efc06da16f81</id>
<content type='text'>
When parsing a keytab to copy keys to a different keytab, we don't need
the timestamp, so don't ask klist to output it. In some locales (en_IN,
for example), the timestamp is output in a single field without a space
between date and time. In other locales it can be represented with date
and time separated by a space.

Fixes: https://pagure.io/freeipa/issue/8066
Reviewed-By: Thomas Woerner &lt;twoerner@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When parsing a keytab to copy keys to a different keytab, we don't need
the timestamp, so don't ask klist to output it. In some locales (en_IN,
for example), the timestamp is output in a single field without a space
between date and time. In other locales it can be represented with date
and time separated by a space.

Fixes: https://pagure.io/freeipa/issue/8066
Reviewed-By: Thomas Woerner &lt;twoerner@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>upgrade: remove ipaCert and key from /etc/httpd/alias</title>
<updated>2019-07-15T14:08:21+00:00</updated>
<author>
<name>Florence Blanc-Renaud</name>
<email>flo@redhat.com</email>
</author>
<published>2019-07-08T09:25:13+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=ef39e1b02a2ef965997d38fc7b72d5ee1542d44b'/>
<id>ef39e1b02a2ef965997d38fc7b72d5ee1542d44b</id>
<content type='text'>
With ipa 4.5+, the RA cert is stored in files in
/var/lib/ipa/ra-agent.{key|pem}. The upgrade code handles
the move from /etc/httpd/alias to the files but does not remove
the private key from /etc/httpd/alias.

The fix calls certutil -F -n ipaCert to remove cert and key,
instead of -D -n ipaCert which removes only the cert.

Fixes: https://pagure.io/freeipa/issue/7329
Reviewed-By: Fraser Tweedale &lt;ftweedal@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
With ipa 4.5+, the RA cert is stored in files in
/var/lib/ipa/ra-agent.{key|pem}. The upgrade code handles
the move from /etc/httpd/alias to the files but does not remove
the private key from /etc/httpd/alias.

The fix calls certutil -F -n ipaCert to remove cert and key,
instead of -D -n ipaCert which removes only the cert.

Fixes: https://pagure.io/freeipa/issue/7329
Reviewed-By: Fraser Tweedale &lt;ftweedal@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipa-client-samba: a tool to configure Samba domain member on IPA client</title>
<updated>2019-06-29T08:00:28+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2019-05-18T11:54:48+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=814592cf2218956893baa2272101fffa93abb465'/>
<id>814592cf2218956893baa2272101fffa93abb465</id>
<content type='text'>
Introduces new utility to configure Samba on an IPA domain member.

The tool sets up Samba configuration and internal databases, creates
cifs/... Kerberos service and makes sure that a keytab for this service
contains the key with the same randomly generated password that is set
in the internal Samba databases.

Samba configuration is created by querying an IPA master about details
of trust to Active Directory configuration. All known identity ranges
are added to the configuration to allow Samba to properly handle them
(read-only) via idmap_sss.

Resulting configuration allows connection with both NTLMSSP and Kerberos
authentication for IPA users. Access controls for the shared content
should be set by utilizing POSIX ACLs on the file system under a
specific share.

The utility is packaged as freeipa-client-samba package to allow pulling
in all required dependencies for Samba and cifs.ko (smb3.ko) kernel
module. This allows an IPA client to become both an SMB server and an
SMB client.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy &lt;abokovoy@redhat.com&gt;
Reviewed-By: Rob Crittenden &lt;rcritten@redhat.com&gt;
Reviewed-By: Christian Heimes &lt;cheimes@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Introduces new utility to configure Samba on an IPA domain member.

The tool sets up Samba configuration and internal databases, creates
cifs/... Kerberos service and makes sure that a keytab for this service
contains the key with the same randomly generated password that is set
in the internal Samba databases.

Samba configuration is created by querying an IPA master about details
of trust to Active Directory configuration. All known identity ranges
are added to the configuration to allow Samba to properly handle them
(read-only) via idmap_sss.

Resulting configuration allows connection with both NTLMSSP and Kerberos
authentication for IPA users. Access controls for the shared content
should be set by utilizing POSIX ACLs on the file system under a
specific share.

The utility is packaged as freeipa-client-samba package to allow pulling
in all required dependencies for Samba and cifs.ko (smb3.ko) kernel
module. This allows an IPA client to become both an SMB server and an
SMB client.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy &lt;abokovoy@redhat.com&gt;
Reviewed-By: Rob Crittenden &lt;rcritten@redhat.com&gt;
Reviewed-By: Christian Heimes &lt;cheimes@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>adtrust: update Samba domain controller keytab with host keys</title>
<updated>2019-06-29T08:00:28+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2019-06-16T13:19:21+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=d631e008ccec6827ca0c4b8d442469b0f0c994a8'/>
<id>d631e008ccec6827ca0c4b8d442469b0f0c994a8</id>
<content type='text'>
When DCERPC clients use Kerberos authentication, they use a service
ticket to host/domain.controller because in Active Directory any
service on the host is an alias to the machine account object.

In FreeIPA each Kerberos service has its own keys so host/.. and cifs/..
do not share the same keys. It means Samba suite needs to have access to
host/.. keytab entries to validate incoming DCERPC requests.

Unfortunately, MIT Kerberos has no means to operate on multiple keytabs
at the same time and Samba doesn't implement this either. We cannot use
GSS-Proxy as well because Samba daemons are running under root.

As a workaround, copy missing aes256 and aes128 keys from the host
keytab. SMB protocol doesn't use other encryption types and we don't
have rc4-hmac for the host either.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy &lt;abokovoy@redhat.com&gt;
Reviewed-By: Rob Crittenden &lt;rcritten@redhat.com&gt;
Reviewed-By: Christian Heimes &lt;cheimes@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When DCERPC clients use Kerberos authentication, they use a service
ticket to host/domain.controller because in Active Directory any
service on the host is an alias to the machine account object.

In FreeIPA each Kerberos service has its own keys so host/.. and cifs/..
do not share the same keys. It means Samba suite needs to have access to
host/.. keytab entries to validate incoming DCERPC requests.

Unfortunately, MIT Kerberos has no means to operate on multiple keytabs
at the same time and Samba doesn't implement this either. We cannot use
GSS-Proxy as well because Samba daemons are running under root.

As a workaround, copy missing aes256 and aes128 keys from the host
keytab. SMB protocol doesn't use other encryption types and we don't
have rc4-hmac for the host either.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy &lt;abokovoy@redhat.com&gt;
Reviewed-By: Rob Crittenden &lt;rcritten@redhat.com&gt;
Reviewed-By: Christian Heimes &lt;cheimes@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>adtrust upgrade: fix wrong primary principal name, part 2</title>
<updated>2019-06-27T13:50:15+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2019-06-27T08:56:08+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=7af4c7d4720227b5bff037a128061bf616e27096'/>
<id>7af4c7d4720227b5bff037a128061bf616e27096</id>
<content type='text'>
Second part of the trust principals upgrade

For existing LOCAL-FLAT$@REMOTE object, convert it to
krbtgt/LOCAL-FLAT@REMOTE and add LOCAL-FLAT$@REMOTE as an alias. To do
so we need to modify the entry content a bit so it is better to remove
the old entry and create a new one instead of renaming.

Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Florence Blanc-Renaud &lt;flo@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Second part of the trust principals upgrade

For existing LOCAL-FLAT$@REMOTE object, convert it to
krbtgt/LOCAL-FLAT@REMOTE and add LOCAL-FLAT$@REMOTE as an alias. To do
so we need to modify the entry content a bit so it is better to remove
the old entry and create a new one instead of renaming.

Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Florence Blanc-Renaud &lt;flo@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>adtrust upgrade: fix wrong primary principal name</title>
<updated>2019-06-26T08:50:45+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2019-06-25T12:22:57+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=34bfffd1bed4ecd11fbcfe54904e0ac7e3f609e7'/>
<id>34bfffd1bed4ecd11fbcfe54904e0ac7e3f609e7</id>
<content type='text'>
Upgrade code had Kerberos principal names mixed up: instead of creating
krbtgt/LOCAL-FLAT@REMOTE and marking LOCAL-FLAT$@REMOTE as an alias to
it, it created LOCAL-FLAT$@REMOTE Kerberos principal and marked
krbtgt/LOCAL-FLAT@REMOTE as an alias.

This differs from what Active Directory expects and what is created by
ipasam plugin when trust is established. When upgrading such a deployment,
the upgrade code then unexpectedly failed.

Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Rob Crittenden &lt;rcritten@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Upgrade code had Kerberos principal names mixed up: instead of creating
krbtgt/LOCAL-FLAT@REMOTE and marking LOCAL-FLAT$@REMOTE as an alias to
it, it created LOCAL-FLAT$@REMOTE Kerberos principal and marked
krbtgt/LOCAL-FLAT@REMOTE as an alias.

This differs from what Active Directory expects and what is created by
ipasam plugin when trust is established. When upgrading such a deployment,
the upgrade code then unexpectedly failed.

Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Rob Crittenden &lt;rcritten@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Switch nsslapd-unhashed-pw-switch to nolog</title>
<updated>2019-05-24T10:42:51+00:00</updated>
<author>
<name>Thierry Bordaz</name>
<email>tbordaz@redhat.com</email>
</author>
<published>2019-03-27T16:36:57+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=67490acb045697302cc16d34cac3a81bc1f909ba'/>
<id>67490acb045697302cc16d34cac3a81bc1f909ba</id>
<content type='text'>
389-ds will change the default value of nsslapd-unhashed-pw-switch from 'on' to 'off'.
For a new or upgraded IPA instance, in case of winsync deployment the attribute is set
to 'on' and a warning is displayed. Else the attribute is set to 'nolog'.

https://pagure.io/freeipa/issue/4812

Reviewed-By: Florence Blanc-Renaud &lt;flo@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
389-ds will change the default value of nsslapd-unhashed-pw-switch from 'on' to 'off'.
For a new or upgraded IPA instance, in case of winsync deployment the attribute is set
to 'on' and a warning is displayed. Else the attribute is set to 'nolog'.

https://pagure.io/freeipa/issue/4812

Reviewed-By: Florence Blanc-Renaud &lt;flo@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA</title>
<updated>2019-05-22T15:53:13+00:00</updated>
<author>
<name>Florence Blanc-Renaud</name>
<email>flo@redhat.com</email>
</author>
<published>2019-05-21T19:19:29+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=9cd88587e45c4a588b4cbd9ce1eb31d4a0c711b0'/>
<id>9cd88587e45c4a588b4cbd9ce1eb31d4a0c711b0</id>
<content type='text'>
Commit fa50068 introduced a regression. Previously, the
upgrade plugin upload_cacrt was setting the attribute
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN

After commit fa50068, the value is not set any more. As a
consequence, the LDAP entry is not identified as the CA and
CA renewal does not update the entry
cn=CAcert,cn=certificates,cn=ipa,cn=etc,BASEDN.

RHEL 6 clients rely on this entry to retrieve the CA and
client install fails because cn=CAcert is out-of-date.

The fix makes sure that upload_cacrt plugin properly sets
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN

Fixed: https://pagure.io/freeipa/issue/7928
Reviewed-By: Rob Crittenden &lt;rcritten@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit fa50068 introduced a regression. Previously, the
upgrade plugin upload_cacrt was setting the attribute
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN

After commit fa50068, the value is not set any more. As a
consequence, the LDAP entry is not identified as the CA and
CA renewal does not update the entry
cn=CAcert,cn=certificates,cn=ipa,cn=etc,BASEDN.

RHEL 6 clients rely on this entry to retrieve the CA and
client install fails because cn=CAcert is out-of-date.

The fix makes sure that upload_cacrt plugin properly sets
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN

Fixed: https://pagure.io/freeipa/issue/7928
Reviewed-By: Rob Crittenden &lt;rcritten@redhat.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
