| Commit message (Collapse) | Author | Age | Files | Lines |
When trust is established, we also create an idrange for the trusted domain.
With FreeIPA 3.3 these ranges can have different types, and in order to
detect which one to create, we need to do a lookup at the AD LDAP server.
Such a lookup requires an authenticated bind. We cannot bind as the user because
the IPA framework operates under constrained delegation using the user's
credentials, and allowing HTTP/ipa.server@REALM to impersonate the user
against the trusted domain's services would require two major things:
- first, as we don't really know the exact AD LDAP server names (any AD DC
can be used), constrained delegation would have to be defined against
a wild-card
- second, constrained delegation requires that the target principal exists
in IPA LDAP as a DN.
These two together limit use of the user's ticket for the purpose of the IPA
framework looking up AD LDAP.
Additionally, immediately after trust is established, issuing a TGT with
MS-PAC to HTTP/ipa.server@REALM may fail due to the fact that the KDB driver
has not yet refreshed its list of trusted domains -- we have a limited
refresh rate of 60 seconds by default.
This patch makes it possible to force re-initialization of the trusted domains'
view in the KDB driver if we are asked for a TGT for HTTP/ipa.server@REALM.
We will need to improve the refresh of the trusted domains' view in the KDB driver
in future to notice changes in the cn=etc,$SUFFIX tree automatically.
This improvement is tracked in https://fedorahosted.org/freeipa/ticket/1302 and
https://fedorahosted.org/freeipa/ticket/3626
Part of https://fedorahosted.org/freeipa/ticket/3649
We need the KDC hostname for several purposes:
- short-circuit detection of principals on the same server as the KDC
- generating the NetBIOS name
Make sure we cache hostname information on startup and use it
instead of detecting the hostname at run-time. This will miss the
case that the KDC hostname got changed, but such cases are not supported
anyway without restarting the KDC and making changes to principals.
https://fedorahosted.org/freeipa/ticket/3772
MS-PAC is required to be present in the TGT if one wants to connect to
AD services using this TGT. Users get MS-PAC by default; SSSD in
ipa_server_mode uses the host/fqdn@REALM principal to talk to AD LDAP.
This patch enables other services running on the IPA master to connect
to AD services. This is required for IPA python code doing discovery
of remote AD domain settings shortly after the IPA-AD trust has been
established.
For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is
needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
of a trusted domain with the credentials of a FreeIPA server host, a
PAC must be added to the TGT for the host.
We use the well-known RID of the Domain Computers group (515) for the
primary gid element of the PAC; this is the same as AD uses for host
tickets. The rid element of the PAC is set to the well-known RID of the
Domain Controllers group (516). This is working for the SSSD use case
but might be improved later for more general use cases.
To determine if a host is a FreeIPA server or not, it is checked whether there
is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
this requires an additional LDAP lookup. But since TGS-REQs for hosts
should be rare I think it is acceptable for the time being.
Fixes https://fedorahosted.org/freeipa/ticket/3651
If OTP is enabled for a user, then:
1. Long-term keys are not provided to the KDB
2. The user string 'otp' is defined to the KDB
Since it is not secure to send RADIUS configuration information
over krb5 user strings, we simply set the string to a known default
('[]') which enables the default configuration in the KDC.
https://fedorahosted.org/freeipa/ticket/3561
http://freeipa.org/page/V3/OTP
Fix rpm build warnings reported in the Fedora 19 build.
https://fedorahosted.org/freeipa/ticket/3500
https://fedorahosted.org/freeipa/ticket/2960
Instead of always adding a PAC to the Kerberos ticket the global default
for the authorization data and the authorization data of the service
entry is evaluated and the PAC is added accordingly.
https://fedorahosted.org/freeipa/ticket/2960
The ipaKrbAuthzData LDAP attribute is read together with the other data
of the requested principal and the read value(s) are stored in the e-data
of the entry for later use.
https://fedorahosted.org/freeipa/ticket/2960
The ipaKrbAuthzData LDAP attribute is read from the ipaConfig object
and the read value(s) are stored in the ipadb context.
https://fedorahosted.org/freeipa/ticket/2960
This reverts commit 5269458f552380759c86018cd1f30b64761be92e.
With the implementation of https://fedorahosted.org/freeipa/ticket/2960
a special hardcoded handling of NFS service tickets is not needed
anymore.
Wrong logic was used to check ipactx.
Fixes https://fedorahosted.org/freeipa/ticket/3424
There was a code path where ret was used instead of kerr to save a
return value.
Fixes https://fedorahosted.org/freeipa/ticket/3422
Currently krb5kdc crashes on exit if the ipadb KDB module is loaded and trusts
are configured. The reason is the talloc autofree context which gets initialised
during the ndr_push_union_blob() call. On exit the KDC module is unloaded and
later on atexit() tries to free the context, but all related symbols are
already unloaded with the module.
This patch frees the talloc autofree context during the cleanup routine of the
module. Since this is called only at exit and not during normal operations, this
is safe even if other KDC plugins use the talloc autofree context, e.g. via
some Samba libraries, as well.
Fixes https://fedorahosted.org/freeipa/ticket/3410
This function retried an LDAP search when the result was OK, due to
flawed logic of retry detection (the ipadb_need_retry function
returns true when we need a retry, and not 0).
https://fedorahosted.org/freeipa/ticket/3413
All known memory leaks caused by unfreed allocated memory or unfreed
LDAP results (which should be also done after unsuccessful searches)
are fixed.
https://fedorahosted.org/freeipa/ticket/3413
SIDs in incoming MS-PAC were checked and filtered with a fixed list of
well-known SIDs. Allow reading the SID blacklist from LDAP
(ipaNTSIDBlacklistIncoming and ipaNTSIDBlacklistOutgoing) and add the list
to mspac adtrust structure. Use the hardcoded SID list only if the LDAP
SID list is not configured.
LIMITATION: The SID blacklist is not used yet.
https://fedorahosted.org/freeipa/ticket/3289
ipa-kdb did not reinitialize the trusted domain configuration when it
was loaded into ipa-kdb. The admin then would have to restart
krb5kdc if he wanted to apply the change to the running krb5kdc service.
Run ipadb_reinit_mspac unconditionally every time a trusted domain
is loaded. In addition to the already configured 1 minute grace time, also
add a quick check that there is at least one configured trusted domain
before reinitializing the mspac structure.
https://fedorahosted.org/freeipa/ticket/3289
When all SIDs in the info3.sids structure were filtered out, we tried
to talloc_realloc to zero memory size. talloc_realloc then returned
a NULL pointer and filter_login_info returned with ENOMEM.
The code now rather frees the SID array and sets info3.sidcount to the
correct value.
Without the sentinel in place, ldap_create_deref_control_value executed
an invalid read in unallocated memory.
Since Kerberos V5 uses 32-bit unix timestamps, setting
maxlife in pwpolicy to values such as 9999 days would cause
integer overflow in the krbPasswordExpiration attribute.
This would result in unpredictable behaviour such as users
not being able to log in after password expiration if the password
policy was changed (#3114) or new users not being able to log
in at all (#3312).
The timestamp value is truncated to Jan 1, 2038 in the ipa-kdb driver.
https://fedorahosted.org/freeipa/ticket/3312
https://fedorahosted.org/freeipa/ticket/3114
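As an added illustration of the overflow this commit describes (example code written for this page, not FreeIPA's ipa-kdb implementation; the PWEXP_* names and the convention that a maxlife of 0 means "never expires" are this example's own assumptions), the following computes the expiration in 64-bit arithmetic and clamps it to Jan 1, 2038 00:00:00 UTC (2145916800), next to the 32-bit sum that wraps around:

```c
#include <stdint.h>
#include <stdio.h>

/* Jan 1, 2038 00:00:00 UTC, the cap named in the commit message above.
 * The macro names are this example's own, not the driver's. */
#define PWEXP_END_OF_TIME 2145916800LL
#define PWEXP_SECS_PER_DAY 86400LL

/* krbPasswordExpiration = now + maxlife, computed in 64 bits and clamped so
 * the value always fits a 32-bit Kerberos timestamp. A maxlife of 0 means the
 * password never expires and yields 0 (an assumption of this example). */
int64_t pwexp_compute(int64_t now, int64_t maxlife_days)
{
    int64_t expiration;

    if (maxlife_days <= 0) {
        return 0;
    }
    expiration = now + maxlife_days * PWEXP_SECS_PER_DAY;
    if (expiration > PWEXP_END_OF_TIME) {
        expiration = PWEXP_END_OF_TIME;
    }
    return expiration;
}

/* The pre-fix behaviour for comparison: the same sum done in 32-bit
 * arithmetic wraps around, so a 9999-day maxlife set now produces a
 * negative timestamp (a date before 1970) and the password looks expired. */
int32_t pwexp_compute_wrapping(int32_t now, int32_t maxlife_days)
{
    uint32_t sum = (uint32_t)now + (uint32_t)maxlife_days * 86400u;

    return (int32_t)sum;
}

int main(void)
{
    int64_t now = 1700000000;   /* constructed "current time" (Nov 2023) */

    printf("90 days            -> %lld\n", (long long)pwexp_compute(now, 90));
    printf("9999 days          -> %lld (clamped)\n",
           (long long)pwexp_compute(now, 9999));
    printf("9999 days, 32-bit  -> %d\n",
           pwexp_compute_wrapping((int32_t)now, 9999));
    return 0;
}
```

The clamp is the whole fix: every comparison the KDC later does against krbPasswordExpiration stays monotonic, whereas the wrapped value sorts before the account's own creation time.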
Windows 2012 Server changed the procedure for how KERB_VALIDATION_INFO ([MS-PAC]
section 2.5) is populated. A detailed description is available in [MS-KILE]
version 25.0 and above.
Refactor KERB_VALIDATION_INFO verification and ensure we filter out extra
SIDs in case they belong to our domain.
https://fedorahosted.org/freeipa/ticket/3231
Currently only the group SIDs from a PAC are used to find out about the
membership in local groups. This patch adds the user SID to the list.
Fixes https://fedorahosted.org/freeipa/ticket/3257
The current Linux NFS server is severely limited when it comes to handling
Kerberos tickets. Basically any ticket bigger than 2k will cause it to fail
authentication due to kernel->userspace upcall interface restrictions.
Until we have additional support in IPA to individually mark principals to
opt out of getting PACs attached, we always prevent PACs from being attached
to TGTs or tickets where NFS is involved.
Currently the data about trusted domains is read once at startup. If a
new trust is added the KDC must be restarted to know about the new
trust. This patch reloads the trust data if there is a request from an
unknown domain. To make DOS attacks a bit harder the data can be updated
only once a minute.
Fixes https://fedorahosted.org/freeipa/ticket/3156
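The once-a-minute reload described here, together with the "at least one trusted domain" check and the forced re-initialization for the HTTP/ipa.server@REALM TGT that the later commits above add, as an added example (written for this page; it models the throttle, not ipa-kdb's ipadb_reinit_mspac() line for line, and all names, the struct layout and the callback shape are this example's own assumptions):

```c
#include <stdbool.h>
#include <stddef.h>
#include <time.h>

/* Assumed grace period; the commit messages speak of one minute. */
#define TRUST_RELOAD_GRACE_SECS 60

struct trust_view {
    time_t last_reload;     /* 0 = never loaded */
    size_t trust_count;     /* trusted domains known after the last reload */
};

/* Callbacks standing in for the LDAP work: a cheap "how many trusts exist"
 * query and the expensive rebuild of the trusted-domain view. */
typedef size_t (*trust_count_fn)(void *arg);
typedef void (*trust_rebuild_fn)(void *arg);

/* Reload the trusted-domain view for a request naming an unknown domain.
 * Without "force", at most one reload happens per grace period, so a flood
 * of requests for made-up realms costs at most one LDAP round trip per
 * minute. The cheap count runs before the rebuild so a server with no
 * trusts never does the expensive part. Returns true if a rebuild ran. */
bool trust_view_maybe_reload(struct trust_view *v, time_t now, bool force,
                             trust_count_fn count, trust_rebuild_fn rebuild,
                             void *arg)
{
    if (!force && v->last_reload != 0 &&
        now - v->last_reload < TRUST_RELOAD_GRACE_SECS) {
        return false;           /* throttled */
    }
    v->last_reload = now;
    v->trust_count = count(arg);
    if (v->trust_count == 0) {
        return false;           /* nothing to initialize */
    }
    rebuild(arg);
    return true;
}

/* Simulated backend for the scenarios below (constructed, not real LDAP). */
struct fake_ldap {
    size_t trusts;
    size_t rebuilds;
};

static size_t fake_count(void *arg) { return ((struct fake_ldap *)arg)->trusts; }
static void fake_rebuild(void *arg) { ((struct fake_ldap *)arg)->rebuilds++; }

/* 100 requests for unknown domains within one second: how many rebuilds? */
size_t trust_reload_burst_rebuilds(void)
{
    struct trust_view v = { 0, 0 };
    struct fake_ldap l = { 1, 0 };
    int i;

    for (i = 0; i < 100; i++) {
        trust_view_maybe_reload(&v, 1000, false, fake_count, fake_rebuild, &l);
    }
    return l.rebuilds;
}

/* A throttled burst interrupted by one forced reload (the TGT for
 * HTTP/ipa.server@REALM case), then a request after the grace period. */
size_t trust_reload_forced_rebuilds(void)
{
    struct trust_view v = { 0, 0 };
    struct fake_ldap l = { 1, 0 };

    trust_view_maybe_reload(&v, 1000, false, fake_count, fake_rebuild, &l);
    trust_view_maybe_reload(&v, 1000, true, fake_count, fake_rebuild, &l);
    trust_view_maybe_reload(&v, 1001, false, fake_count, fake_rebuild, &l);
    trust_view_maybe_reload(&v, 1060, false, fake_count, fake_rebuild, &l);
    return l.rebuilds;
}

/* A server with no trusts configured never rebuilds at all. */
size_t trust_reload_no_trusts_rebuilds(void)
{
    struct trust_view v = { 0, 0 };
    struct fake_ldap l = { 0, 0 };

    trust_view_maybe_reload(&v, 1000, false, fake_count, fake_rebuild, &l);
    trust_view_maybe_reload(&v, 1100, true, fake_count, fake_rebuild, &l);
    return l.rebuilds;
}
```

Note that the forced path deliberately bypasses the throttle: it is only reachable for a TGT request for the server's own HTTP principal, not for an arbitrary unknown realm a client can name.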
If match_entry == NULL all principals should be iterated.
Additionally this patch adds a check in ipadb_filter_escape() to make
sure that the input is not NULL.
Fixes: https://fedorahosted.org/freeipa/ticket/3011
This checks that the PAC we receive is consistent.
Realm, flat name and domain SID must match our understanding of the trusted
realm, and no additional SIDs beyond the own realm's ones must be present.
Ticket #2849
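The consistency check described here, together with the SID blacklist and the "filter out extra SIDs that belong to our domain" rule from the commits above, as an added example (written for this page, not FreeIPA's mspac code; the blacklist contents, the prefix-match semantics and every function name are this example's own assumptions). SIDs are handled as strings so the filtering rule is visible without the NDR structures:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed blacklist of well-known SIDs (Everyone, Anonymous Logon,
 * Authenticated Users, the BUILTIN domain); not FreeIPA's own list. An entry
 * also covers everything below it in the SID tree, so "S-1-5-32" matches
 * "S-1-5-32-544" (BUILTIN\Administrators). */
static const char *const example_blacklist[] = {
    "S-1-1-0", "S-1-5-7", "S-1-5-11", "S-1-5-32",
};
#define EXAMPLE_BLACKLIST_LEN 4

/* True if sid is exactly "<domain_sid>-<RID>" with a numeric RID. */
bool sid_is_in_domain(const char *sid, const char *domain_sid)
{
    size_t n = strlen(domain_sid);
    const char *rid;

    if (strncmp(sid, domain_sid, n) != 0 || sid[n] != '-') {
        return false;
    }
    for (rid = sid + n + 1; *rid != '\0'; rid++) {
        if (!isdigit((unsigned char)*rid)) {
            return false;
        }
    }
    return sid[n + 1] != '\0';
}

/* True if sid equals a blacklist entry or lies beneath one. */
bool sid_is_blacklisted(const char *sid, const char *const *blacklist, size_t nbl)
{
    size_t i, n;

    for (i = 0; i < nbl; i++) {
        n = strlen(blacklist[i]);
        if (strncmp(sid, blacklist[i], n) == 0 &&
            (sid[n] == '\0' || sid[n] == '-')) {
            return true;
        }
    }
    return false;
}

/* Validate the PAC's domain SID against the trust, then keep only extra SIDs
 * that belong to that trusted domain: blacklisted well-known SIDs, SIDs that
 * claim membership in our own domain, and SIDs from unrelated domains are
 * dropped. Returns the number of SIDs copied to out (which needs room for n
 * pointers), or -1 when the domain SID does not match the trust. */
int pac_filter_extra_sids(const char *pac_domain_sid,
                          const char *trusted_domain_sid,
                          const char *own_domain_sid,
                          const char *const *sids, size_t n,
                          const char *const *blacklist, size_t nbl,
                          const char **out)
{
    int kept = 0;
    size_t i;

    if (strcmp(pac_domain_sid, trusted_domain_sid) != 0) {
        return -1;
    }
    for (i = 0; i < n; i++) {
        if (sid_is_blacklisted(sids[i], blacklist, nbl) ||
            sid_is_in_domain(sids[i], own_domain_sid) ||
            !sid_is_in_domain(sids[i], trusted_domain_sid)) {
            continue;
        }
        out[kept++] = sids[i];
    }
    return kept;
}

/* Constructed PAC: a legitimate trusted-domain group, a SID forged to look
 * like membership (RID 512, Domain Admins) in our own domain,
 * BUILTIN\Administrators, a second trusted-domain group and a group from an
 * unrelated domain. Returns how many survive (expected: the two trusted ones). */
int pac_filter_example_kept(void)
{
    static const char *const sids[] = {
        "S-1-5-21-111-222-333-1104",
        "S-1-5-21-444-555-666-512",
        "S-1-5-32-544",
        "S-1-5-21-111-222-333-513",
        "S-1-5-21-999-888-777-1000",
    };
    const char *out[5];

    return pac_filter_extra_sids("S-1-5-21-111-222-333",
                                 "S-1-5-21-111-222-333",
                                 "S-1-5-21-444-555-666",
                                 sids, 5, example_blacklist,
                                 EXAMPLE_BLACKLIST_LEN, out);
}
```

The second sample SID is the case that matters: a trusted DC (or anyone who can forge a cross-realm PAC) asserting a RID in our own domain must never reach group resolution, whatever the rest of the PAC looks like.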
This way multiple functions can manipulate the logon info structure until all
operations we want to do on it are done and then fold it back once.
The function filter_pac was not filtering the pac at all, it was merely
augmenting it with additional data relevant to the IPA server.
Change the name of the function to avoid confusion.
While there I also simplified and cleaned up the code a bit with regard to
variable names and usage.
This list is used to validate data in mspac filtering
By keeping its definition in the mspac file it is easier to modify and make
sure any operation on it is handled in the same file.
This moves the decoding function that reads the keys from the ber format
into a structure in the common krb5 util code right below the function
that encodes the same data structure into a ber format.
This way the 2 functions are in the same place and can be both used by
all IPA components.
Signed-off-by: Simo Sorce <ssorce@redhat.com>
If one or more of the external groups given in the PAC can be found in
the ipaExternalGroup objects and these objects are members of local
groups, the SIDs of the local groups are added to the PAC.
Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.
https://fedorahosted.org/freeipa/ticket/2734
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contains upper case letters.
The actual implementation follows hints set by the KDC. When AP_REQ is done, the KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.
https://fedorahosted.org/freeipa/ticket/1577
'sid' is a stack variable; by assigning its address to the domain_sid pointer
we were later referencing garbage (whatever on the stack happened to be at
that address).
Properly copy the sid and allocate it on the provided memory context.
If a user became locked due to too many failed logins and then was
unlocked by an administrator, the account would not lock again. This
was caused by two things:
- We were incrementing the fail counter before checking to see if the
account was already locked out.
- The current fail count wasn't taken into consideration when
deciding if the account is locked.
The sequence was this:
1. Unlocked account, set failcount to 0
2. Failed login, increment failcount
3. Within lastfailed + lockout_duration, still locked. This skips
updating the last_failed date.
So I reversed 2 and 3 and check to see if the fail count exceeds policy.
https://fedorahosted.org/freeipa/ticket/2765
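The corrected ordering this commit describes (lock check first, then the counter), together with the failure-count interval reset from the commit below, as an added example written for this page rather than FreeIPA's ipa_kdb_principals code; the struct and field names are this example's own, not the krbPwdPolicy or krbLoginFailedCount attribute names:

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Illustrative policy and per-account state (names assumed for this example). */
struct lockout_policy {
    unsigned maxfail;            /* failures before lockout; 0 disables lockout */
    time_t failcount_interval;   /* quiet seconds after which the counter resets */
    time_t lockout_duration;     /* seconds locked; 0 = locked until admin unlock */
};

struct account_state {
    unsigned failcount;
    time_t last_failed;
};

/* Is the account locked at "now"? Decided from the current counter BEFORE
 * anything is incremented, which is the ordering the commit message restores. */
bool lockout_is_locked(const struct lockout_policy *pol,
                       const struct account_state *acct, time_t now)
{
    if (pol->maxfail == 0 || acct->failcount < pol->maxfail) {
        return false;
    }
    if (pol->lockout_duration == 0) {
        return true;
    }
    return now < acct->last_failed + pol->lockout_duration;
}

/* Record one failed authentication; returns true if the account is locked
 * afterwards. Order: (1) already locked -> leave last_failed untouched,
 * (2) an expired lockout or a quiet period longer than failcount_interval
 * restarts the count, (3) increment and compare against the policy. */
bool lockout_record_failure(const struct lockout_policy *pol,
                            struct account_state *acct, time_t now)
{
    bool over_limit = pol->maxfail != 0 && acct->failcount >= pol->maxfail;

    if (lockout_is_locked(pol, acct, now)) {
        return true;
    }
    if (over_limit || (pol->failcount_interval > 0 &&
                       now >= acct->last_failed + pol->failcount_interval)) {
        acct->failcount = 0;
    }
    acct->failcount++;
    acct->last_failed = now;
    return pol->maxfail != 0 && acct->failcount >= pol->maxfail;
}

/* Administrator unlock: clear the counter. */
void lockout_admin_unlock(struct account_state *acct)
{
    acct->failcount = 0;
}

/* The sequence from the commit message: lock, admin unlock, then fail again.
 * Returns how many failures it took to re-lock (0 if six attempts never
 * re-lock, -1 if the initial lock itself failed). Policy: 3 failures, a one
 * hour count interval, a ten minute lockout. */
int lockout_relock_after_unlock(void)
{
    struct lockout_policy pol = { 3, 3600, 600 };
    struct account_state acct = { 0, 0 };
    time_t t = 1000;
    int i;

    for (i = 0; i < 3; i++) {
        lockout_record_failure(&pol, &acct, t++);
    }
    if (!lockout_is_locked(&pol, &acct, t)) {
        return -1;
    }
    lockout_admin_unlock(&acct);
    for (i = 1; i <= 6; i++) {
        if (lockout_record_failure(&pol, &acct, t++)) {
            return i;
        }
    }
    return 0;
}

/* Two failures, then a third after the count interval elapsed: the counter
 * must restart at 1 rather than reach 3. */
int lockout_count_after_quiet_period(void)
{
    struct lockout_policy pol = { 3, 3600, 600 };
    struct account_state acct = { 0, 0 };

    lockout_record_failure(&pol, &acct, 1000);
    lockout_record_failure(&pol, &acct, 1001);
    lockout_record_failure(&pol, &acct, 1001 + 3600);
    return (int)acct.failcount;
}
```

With the pre-fix ordering (increment, then test against lastfailed + lockout_duration only) the second loop in lockout_relock_after_unlock() would keep incrementing without ever re-reading the count against maxfail, which is the "never locks again" symptom in the message.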
This was introduced when we started checking the return from
ipadb_get_context() to silence another coverity report.
That condition can never be true in this function but whatever ... let's
silence Coverity once again :)
We were using the wrong principal in the s4u2proxy case.
Fixes: https://fedorahosted.org/freeipa/ticket/2504
This was causing the failure count interval to not be applied so
the failure count was never reset to 0.
https://fedorahosted.org/freeipa/ticket/2540
Some of these are not real defects, because we are guaranteed to have a valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.
One memleak on an error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
Silence errors in ipa-client/ipa-getkeytab.c; the code looks wrong, but it is
actually fine as we count beforehand so we never actually use the wrong value
that is computed on the last pass when p == 0
Fixes: https://fedorahosted.org/freeipa/ticket/2488
We need to check for a matching acl only if one match hasn't already been
found, otherwise results are unpredictable and order dependent.
Fixes: https://fedorahosted.org/freeipa/ticket/2393
Fixes: https://fedorahosted.org/freeipa/ticket/2343