Convert ipa-sam to use the new getkeytab control

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5495

3 files changed, 25 insertions, 51 deletions

diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am
index 46c813af5..ea14661b6 100644
--- a/daemons/ipa-sam/Makefile.am
+++ b/daemons/ipa-sam/Makefile.am
@@ -8,10 +8,12 @@ SAMBA40EXTRA_LIBS = $(SAMBA40EXTRA_LIBPATH)	\
 
 KRB5_UTIL_DIR=../../util
 KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c $(KRB5_UTIL_DIR)/ipa_pwd_ntlm.c
+ASN1_UTIL_DIR=../../asn1
 
 AM_CPPFLAGS =						\
 	-I.						\
 	-I$(srcdir)					\
+	-I$(ASN1_UTIL_DIR)				\
 	-I/usr/include/samba-4.0			\
 	-DPREFIX=\""$(prefix)"\" 			\
 	-DBINDIR=\""$(bindir)"\"			\
@@ -54,6 +56,7 @@ ipasam_la_LIBADD = 		\
 	$(NDR_LIBS)		\
 	$(SAMBA40EXTRA_LIBS)	\
 	$(SSSIDMAP_LIBS)	\
+	$(ASN1_UTIL_DIR)/libipaasn1.la  \
 	$(NULL)
 
 EXTRA_DIST =			\
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 7274d600b..f21fcc3db 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -31,7 +31,7 @@
 #include <sasl/sasl.h>
 #include <krb5/krb5.h>
 #include <sss_idmap.h>
-#include "ipa_krb5.h"
+#include "ipa_asn1.h"
 #include "ipa_pwd.h"
 #include "ipa_mspac.h"
 
@@ -1686,66 +1686,41 @@ static bool search_krb_princ(struct ldapsam_privates *ldap_state,
 	return true;
 }
 
-#define KRB_PRINC_DEFAULT_ENCTYPES "aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac"
+#define DEF_ENCTYPE_NUM 3
+long default_enctypes[DEF_ENCTYPE_NUM] = {
+    ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+    ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+    ENCTYPE_ARCFOUR_HMAC
+};
 
 static int set_cross_realm_pw(struct ldapsam_privates *ldap_state,
-			      TALLOC_CTX *mem_ctx,
 			      const char *princ,
-			      const char *saltprinc,
-			      const char *pwd,
-			      const char *base_dn)
+			      const char *pwd)
 {
-
 	int ret;
-	krb5_error_code krberr;
-	krb5_context krbctx;
-	krb5_principal service_princ;
-	struct keys_container keys = {0, NULL};
-	char *err_msg;
-	struct berval *reqdata = NULL;
+        size_t buflen;
+        void *buffer = NULL;
+	struct berval reqdata = { 0 };
 	struct berval *retdata = NULL;
         char *retoid;
 
-	krberr = krb5_init_context(&krbctx);
-	if (krberr != 0) {
-		DEBUG(1, ("krb5_init_context failed.\n"));
-		ret = krberr;
-		goto done;
-	}
+        ret = ipaasn1_enc_getkt(true, princ, pwd,
+                                default_enctypes, DEF_ENCTYPE_NUM,
+                                &buffer, &buflen);
+        if (!ret) goto done;
 
-	krberr = krb5_parse_name(krbctx, (saltprinc != NULL) ? saltprinc : princ, &service_princ);
-	if (krberr != 0) {
-		DEBUG(1, ("Invalid Service Principal Name [%s]\n", princ));
-		ret = krberr;
-		goto done;
-	}
-
-	ret = create_keys(krbctx, service_princ, discard_const(pwd), KRB_PRINC_DEFAULT_ENCTYPES,
-                          &keys, &err_msg);
-	krb5_free_principal(krbctx, service_princ);
-	if (!ret) {
-		if (err_msg != NULL) {
-			DEBUG(1, ("create_keys returned [%s]\n", err_msg));
-		}
-		goto done;
-	}
-
-	reqdata = create_key_control(&keys, princ);
-	if (reqdata == NULL) {
-		DEBUG(1, ("Failed to create reqdata!\n"));
-		ret= ENOMEM;
-		goto done;
-	}
+        reqdata.bv_len = buflen;
+        reqdata.bv_val = buffer;
 
 	ret = smbldap_extended_operation(ldap_state->smbldap_state,
-					 KEYTAB_SET_OID, reqdata, NULL, NULL,
+					 KEYTAB_GET_OID, &reqdata, NULL, NULL,
 					 &retoid, &retdata);
 	if (ret != LDAP_SUCCESS) {
 		DEBUG(1, ("smbldap_extended_operation failed!\n"));
 		goto done;
 	}
 
-	/* So far we do not care abot the result */
+	/* So far we do not care about the result */
 	ldap_memfree(retoid);
 	if (retdata != NULL) {
 		ber_bvfree(retdata);
@@ -1753,12 +1728,7 @@ static int set_cross_realm_pw(struct ldapsam_privates *ldap_state,
 
 	ret = 0;
 done:
-	if (reqdata != NULL) {
-	    ber_bvfree(reqdata);
-	}
-	free_keys_contents(krbctx, &keys);
-	krb5_free_context(krbctx);
-
+        free(buffer);
 	return ret;
 }
 
@@ -1862,7 +1832,7 @@ static bool set_krb_princ(struct ldapsam_privates *ldap_state,
 		return false;
 	}
 
-	ret = set_cross_realm_pw(ldap_state, mem_ctx, princ, saltprinc, pwd, base_dn);
+	ret = set_cross_realm_pw(ldap_state, saltprinc ? saltprinc : princ, pwd);
 	if (ret != 0) {
 		DEBUG(1, ("set_cross_realm_pw failed.\n"));
 		return false;
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index df9468e40..04c85ba77 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -28,6 +28,7 @@ default: cn: trusts
 # 2. cn=trust admins,cn=groups,cn=accounts,$SUFFIX can manage trusts (via ipa tools)
 dn: cn=trusts,$SUFFIX
 add:aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow trust agents to retrieve keytab keys for cross realm principals"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)
+add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Allow trust agents to set keys for cross realm principals"; allow(write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
 add:aci: (target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
 replace:aci:(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
 replace:aci:(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)