author | Simo Sorce <simo@redhat.com> | 2015-12-01 13:43:35 -0500 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2015-12-03 08:19:14 -0500 |
commit | b384d65b20f88c11ac9dd637ea54ea35bbe636a6 (patch) | |
tree | 6a1af65093b62a4012824dff7e0fef4fc8959b79 | |
parent | e13bb47a9e3673bb7af627bfb2bc59476552947e (diff) | |
Convert ipa-sam to use the new getkeytab controlipasam_getkeytab
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/5495
-rw-r--r-- | daemons/ipa-sam/Makefile.am | 3 | ||||
-rw-r--r-- | daemons/ipa-sam/ipa_sam.c | 81 | ||||
-rw-r--r-- | install/updates/60-trusts.update | 1 |
3 files changed, 33 insertions, 52 deletions
diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am
index 46c813af5..ea14661b6 100644
--- a/daemons/ipa-sam/Makefile.am
+++ b/daemons/ipa-sam/Makefile.am
@@ -8,10 +8,12 @@ SAMBA40EXTRA_LIBS = $(SAMBA40EXTRA_LIBPATH) \
 KRB5_UTIL_DIR=../../util
 KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c $(KRB5_UTIL_DIR)/ipa_pwd_ntlm.c
+ASN1_UTIL_DIR=../../asn1
 AM_CPPFLAGS = \
 -I. \
 -I$(srcdir) \
+ -I$(ASN1_UTIL_DIR) \
 -I/usr/include/samba-4.0 \
 -DPREFIX=\""$(prefix)"\" \
 -DBINDIR=\""$(bindir)"\" \
@@ -54,6 +56,7 @@ ipasam_la_LIBADD = \
 $(NDR_LIBS) \
 $(SAMBA40EXTRA_LIBS) \
 $(SSSIDMAP_LIBS) \
+ $(ASN1_UTIL_DIR)/libipaasn1.la \
 $(NULL)
 EXTRA_DIST = \
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 7274d600b..ff053813f 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -31,7 +31,7 @@
 #include <sasl/sasl.h>
 #include <krb5/krb5.h>
 #include <sss_idmap.h>
-#include "ipa_krb5.h"
+#include "ipa_asn1.h"
 #include "ipa_pwd.h"
 #include "ipa_mspac.h"
@@ -146,6 +146,7 @@ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_i
 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
 #define LDAP_OBJ_KRB_TICKET_POLICY_AUX "krbTicketPolicyAux"
+#define LDAP_ATTRIBUTE_KRB_CANONICAL "krbCanonicalName"
 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
 #define LDAP_ATTRIBUTE_KRB_TICKET_FLAGS "krbTicketFlags"
 #define LDAP_ATTRIBUTE_IPAOPALLOW "ipaAllowedToPerform;read_keys"
@@ -1686,66 +1687,41 @@ static bool search_krb_princ(struct ldapsam_privates *ldap_state,
 return true;
 }
-#define KRB_PRINC_DEFAULT_ENCTYPES "aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac"
+#define DEF_ENCTYPE_NUM 3
+long default_enctypes[DEF_ENCTYPE_NUM] = {
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ ENCTYPE_ARCFOUR_HMAC
+};
 static int set_cross_realm_pw(struct ldapsam_privates *ldap_state,
- TALLOC_CTX *mem_ctx,
 const char *princ,
- const char *saltprinc,
- const char *pwd,
- const char *base_dn)
+ const char *pwd)
 {
- int ret;
- krb5_error_code krberr;
- krb5_context krbctx;
- krb5_principal service_princ;
- struct keys_container keys = {0, NULL};
- char *err_msg;
- struct berval *reqdata = NULL;
+ size_t buflen;
+ void *buffer = NULL;
+ struct berval reqdata = { 0 };
 struct berval *retdata = NULL;
 char *retoid;
- krberr = krb5_init_context(&krbctx);
- if (krberr != 0) {
- DEBUG(1, ("krb5_init_context failed.\n"));
- ret = krberr;
- goto done;
- }
-
- krberr = krb5_parse_name(krbctx, (saltprinc != NULL) ? 
saltprinc : princ, &service_princ);
- if (krberr != 0) {
- DEBUG(1, ("Invalid Service Principal Name [%s]\n", princ));
- ret = krberr;
- goto done;
- }
-
- ret = create_keys(krbctx, service_princ, discard_const(pwd), KRB_PRINC_DEFAULT_ENCTYPES,
- &keys, &err_msg);
- krb5_free_principal(krbctx, service_princ);
- if (!ret) {
- if (err_msg != NULL) {
- DEBUG(1, ("create_keys returned [%s]\n", err_msg));
- }
- goto done;
- }
+ ret = ipaasn1_enc_getkt(true, princ, pwd,
+ default_enctypes, DEF_ENCTYPE_NUM,
+ &buffer, &buflen);
+ if (!ret) goto done;
- reqdata = create_key_control(&keys, princ);
- if (reqdata == NULL) {
- DEBUG(1, ("Failed to create reqdata!\n"));
- ret= ENOMEM;
- goto done;
- }
+ reqdata.bv_len = buflen;
+ reqdata.bv_val = buffer;
 ret = smbldap_extended_operation(ldap_state->smbldap_state,
- KEYTAB_SET_OID, reqdata, NULL, NULL,
+ KEYTAB_GET_OID, &reqdata, NULL, NULL,
 &retoid, &retdata);
 if (ret != LDAP_SUCCESS) {
 DEBUG(1, ("smbldap_extended_operation failed!\n"));
 goto done;
 }
- /* So far we do not care abot the result */
+ /* So far we do not care about the result */
 ldap_memfree(retoid);
 if (retdata != NULL) {
 ber_bvfree(retdata);
@@ -1753,12 +1729,7 @@ static int set_cross_realm_pw(struct ldapsam_privates *ldap_state,
 ret = 0;
 done:
- if (reqdata != NULL) {
- ber_bvfree(reqdata);
- }
- free_keys_contents(krbctx, &keys);
- krb5_free_context(krbctx);
-
+ free(buffer);
 return ret;
 }
@@ -1822,8 +1793,14 @@ static bool set_krb_princ(struct ldapsam_privates *ldap_state,
 LDAP_OBJ_KRB_TICKET_POLICY_AUX);
 }
- smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ LDAP_ATTRIBUTE_KRB_CANONICAL, princ);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
 LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ);
+ if (saltprinc) {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ LDAP_ATTRIBUTE_KRB_PRINCIPAL, saltprinc);
+ }
 if ((create_flags & KRB_PRINC_CREATE_DISABLED)) {
 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, 
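Review bot: A failed `ipaasn1_enc_getkt()` makes set_cross_realm_pw return success: the `if (!ret) goto done;` test implies the encoder reports failure as false (0), so `ret` is still 0 at `done:` and the function returns 0, which the caller in set_krb_princ (`if (ret != 0)`, in the last hunk of this file) treats as success even though no keys were ever sent to the server. The replaced code mapped the corresponding failure to `ret= ENOMEM`; the minimal fix is `if (!ret) { ret = ENOMEM; goto done; }`, or keep a separate `bool` for the encoder result so that `ret` only ever carries an error code. `default_enctypes` is also a non-static mutable file-scope array; `static` (and `const`, if the encoder's parameter type allows it) would keep it out of the module's exported symbols. The function's `done:` label and the `free(buffer)` cleanup sit in the following hunk.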
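Review bot: The new `smbldap_set_mod(&mods, LDAP_MOD_ADD, ...)` calls add krbCanonicalName and krbPrincipalName unconditionally, whereas the replaced `smbldap_make_mod(priv2ld(ldap_state), entry, &mods, ...)` derived the modify operation from the existing entry; if set_krb_princ can be reached for an entry that already carries these values (the `entry` parameter suggests such a path exists, but it is outside the hunk), an ADD of an already-present value is rejected by the server with typeOrValueExists. If this code only runs while the entry is being created, a one-line comment above the first call, e.g. `/* entry is new here, so a plain LDAP_MOD_ADD cannot collide */`, would record that assumption. set_krb_princ starts and ends outside this hunk.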
@@ -1862,7 +1839,7 @@ static bool set_krb_princ(struct ldapsam_privates *ldap_state,
 return false;
 }
- ret = set_cross_realm_pw(ldap_state, mem_ctx, princ, saltprinc, pwd, base_dn);
+ ret = set_cross_realm_pw(ldap_state, saltprinc ? saltprinc : princ, pwd);
 if (ret != 0) {
 DEBUG(1, ("set_cross_realm_pw failed.\n"));
 return false;
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index df9468e40..04c85ba77 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -28,6 +28,7 @@ default: cn: trusts
 # 2. cn=trust admins,cn=groups,cn=accounts,$SUFFIX can manage trusts (via ipa tools)
 dn: cn=trusts,$SUFFIX
 add:aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow trust agents to retrieve keytab keys for cross realm principals"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)
+add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Allow trust agents to set keys for cross realm principals"; allow(write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
 add:aci: (target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
 replace:aci:(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || 
ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";) replace:aci:(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";) |
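Review bot: The added write_keys ACI grants `allow(write)` on `ipaProtectedOperation;write_keys` to the entire `cn=adtrust agents` group for every entry under cn=trusts,$SUFFIX, while the read_keys ACI directly above it is gated per entry via `userattr="ipaAllowedToPerform;read_keys#GROUPDN"`. If a blanket grant is intended, a comment line above the new aci, e.g. `# adtrust agents may set keys on any cross-realm principal; key reads stay per-entry via ipaAllowedToPerform;read_keys`, would make the asymmetry deliberate rather than accidental; otherwise mirroring the per-entry gating with `userattr="ipaAllowedToPerform;write_keys#GROUPDN"` would narrow the grant to principals that opt in. The file already uses `#` comment lines, as the `# 2.` line at the top of the hunk shows.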