On Thu, Jun 07, 2012 at 12:09:32PM +0200, Sumit Bose wrote:
> now with patches :-)
> On Thu, Jun 07, 2012 at 12:07:13PM +0200, Sumit Bose wrote:
> > Hi,
> > 
> > this patch fixes https://fedorahosted.org/freeipa/ticket/2513 and as a
> > consequence makes https://fedorahosted.org/freeipa/ticket/2516 obsolete.
> > 
> > This first patch is just a minor cleanup which is not related to the
> > ticket. The second makes create_keys() a public function so that it can be
> > called by the ipasam plugin as well. Finally the third patch removes the
> > kadmin.local call and calls the KEYTAB_SET_OID extended operation
> > instead.
> > 
> > bye,
> > Sumit

Alexander asked to merge the ACI into the existing ACI for the adtrust
agents. New version attached.

bye,
Sumit
From 21fb092ec76e3241e2aeb5aeffa065bcc39c63ea Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 13 Mar 2012 14:06:02 +0100
Subject: [PATCH] Use exop instead of kadmin.local

---
 daemons/ipa-sam/Makefile.am      |    6 +++
 daemons/ipa-sam/ipa_sam.c        |  101 ++++++++++++++++++++++++++++----------
 install/updates/60-trusts.update |    2 +-
 3 Dateien geändert, 81 Zeilen hinzugefügt(+), 28 Zeilen entfernt(-)

diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am
index 
b5b9b0b75b276ac14b01ce35bae63af539e596fc..275cce629385b1719544a7832a00e9ee6664b739
 100644
--- a/daemons/ipa-sam/Makefile.am
+++ b/daemons/ipa-sam/Makefile.am
@@ -7,6 +7,9 @@ SAMBA40EXTRA_LIBS = $(SAMBA40EXTRA_LIBPATH)     \
                        -lsmbconf               \
                        $(NULL)
 
+KRB5_UTIL_DIR=../../util
+KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c
+
 INCLUDES =                                             \
        -I.                                             \
        -I$(srcdir)                                     \
@@ -18,6 +21,7 @@ INCLUDES =                                            \
        -DDATADIR=\""$(datadir)"\"                      \
        -DLDAPIDIR=\""$(localstatedir)/run"\"           \
        -DHAVE_LDAP                                     \
+       -I $(KRB5_UTIL_DIR)                             \
        $(AM_CFLAGS)                                    \
        $(LDAP_CFLAGS)                                  \
        $(KRB5_CFLAGS)                                  \
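Review bot: The added include flag `-I $(KRB5_UTIL_DIR)` has a space after `-I`, unlike `-I.` and `-I$(srcdir)` a few lines above in the same INCLUDES list; `-I$(KRB5_UTIL_DIR)` keeps the list uniform and avoids a separate argument word in the compiler command line. The INCLUDES definition continues outside this hunk.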
@@ -34,6 +38,7 @@ plugin_LTLIBRARIES =          \
 
 ipasam_la_SOURCES =            \
        ipa_sam.c               \
+       $(KRB5_UTIL_SRCS)       \
        $(NULL)
 
 ipasam_la_LDFLAGS =            \
@@ -43,6 +48,7 @@ ipasam_la_LDFLAGS =           \
 
 ipasam_la_LIBADD =             \
        $(LDAP_LIBS)            \
+       $(KRB5_LIBS)            \
        $(TALLOC_LIBS)          \
        $(SAMBAUTIL_LIBS)       \
        $(NDR_LIBS)             \
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 
2627025a8f2f757ca62c58b541c002f46e7c3be1..851df8c62f0ffb159610ce0ac311463233eea497
 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -9,6 +9,7 @@
 #include <pwd.h>
 #include <errno.h>
 #include <ldap.h>
+#include <krb5/krb5.h>
 
 #include <talloc.h>
 
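Review bot: The new `#include <krb5/krb5.h>` duplicates an include that is already present a few lines further down in the same header block, visible as context in the next hunk right after `#include <sasl/sasl.h>`. The header is guarded so this is harmless, but one of the two should be dropped; since the new `#include "ipa_krb5.h"` is placed next to the existing krb5 include, removing the one added here is the smaller change.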
@@ -28,17 +29,7 @@
 
 #include <sasl/sasl.h>
 #include <krb5/krb5.h>
-#include <time.h>
-
-/* TODO: remove if smbrunsecret() is removed */
-typedef struct connection_structi {} connection_struct;
-struct current_user {
-       connection_struct *conn;
-       uint16_t vuid;
-       struct security_unix_token ut;
-       struct security_token *nt_user_token;
-};
-extern struct current_user current_user;
+#include "ipa_krb5.h"
 
 /* from drsblobs.h */
 struct AuthInfoNone {
@@ -104,7 +95,6 @@ char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct 
dom_sid *sid); /* avai
 char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so 
*/
 bool is_null_sid(const struct dom_sid *sid); /* available in libsecurity.so */
 bool strnequal(const char *s1,const char *s2,size_t n); /* available in 
libutil_str.so */
-int smbrunsecret(const char *cmd, const char *secret); /* available in 
libsmbconf.so */
 bool trim_char(char *s,char cfront,char cback); /* available in libutil_str.so 
*/
 bool sid_peek_check_rid(const struct dom_sid *exp_dom_sid, const struct 
dom_sid *sid, uint32_t *rid); /* available in libsecurity.so */
 char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in 
libsmbconf.so */
@@ -1382,6 +1372,76 @@ static bool search_krb_princ(struct ldapsam_privates 
*ldap_state,
        return true;
 }
 
+static int set_cross_realm_pw(struct ldapsam_privates *ldap_state,
+                             TALLOC_CTX *mem_ctx,
+                             const char *princ, const char *pwd,
+                             const char *base_dn)
+{
+       int ret;
+       krb5_error_code krberr;
+       krb5_context krbctx;
+       krb5_principal service_princ;
+       struct keys_container keys;
+       char *err_msg;
+       struct berval *reqdata = NULL;
+       struct berval *retdata = NULL;
+        char *retoid;
+
+       krberr = krb5_init_context(&krbctx);
+       if (krberr != 0) {
+               DEBUG(1, ("krb5_init_context failed.\n"));
+               ret = krberr;
+               goto done;
+       }
+
+       krberr = krb5_parse_name(krbctx, princ, &service_princ);
+       if (krberr != 0) {
+               DEBUG(1, ("Invalid Service Principal Name [%s]\n", princ));
+               ret = krberr;
+               goto done;
+       }
+
+       ret = create_keys(krbctx, service_princ, discard_const(pwd), NULL, 
&keys, &err_msg);
+       if (!ret) {
+               if (err_msg != NULL) {
+                       DEBUG(1, ("create_keys returned [%s]\n", err_msg));
+               }
+               goto done;
+       }
+
+       reqdata = create_key_control(&keys, princ);
+       if (reqdata == NULL) {
+               DEBUG(1, ("Failed to create reqdata!\n"));
+               ret= ENOMEM;
+               goto done;
+       }
+
+       ret = smbldap_extended_operation(ldap_state->smbldap_state,
+                                        KEYTAB_SET_OID, reqdata, NULL, NULL,
+                                        &retoid, &retdata);
+       if (ret != LDAP_SUCCESS) {
+               DEBUG(1, ("smbldap_extended_operation failed!\n"));
+               goto done;
+       }
+
+       /* So far we do not care abot the result */
+       ldap_memfree(retoid);
+       if (retdata != NULL) {
+               ber_bvfree(retdata);
+       }
+
+       ret = 0;
+done:
+       if (reqdata != NULL) {
+           ber_bvfree(reqdata);
+       }
+       free_keys_contents(krbctx, &keys);
+       krb5_free_principal(krbctx, service_princ);
+       krb5_free_context(krbctx);
+
+       return ret;
+}
+
 static bool set_krb_princ(struct ldapsam_privates *ldap_state,
                          TALLOC_CTX *mem_ctx,
                          const char *princ, const char *pwd,
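Review bot: When create_keys() fails, `ret` is 0 at the `goto done` inside `if (!ret)`, so set_cross_realm_pw() returns 0 and the caller in set_krb_princ() (next hunk, `if (ret != 0)`) treats the failure as success and carries on with no keys set for the principal. The same `done:` label is also reached from the krb5_init_context() and krb5_parse_name() failures with `krbctx`, `service_princ` and `keys` still uninitialized, so the unconditional free_keys_contents()/krb5_free_principal()/krb5_free_context() calls there act on indeterminate values. Initialize those locals, assign a non-zero code before the jump, and guard the cleanup; whether free_keys_contents() tolerates a zeroed container is not visible here and should be confirmed against ipa_krb5.c. Separately, `mem_ctx` and `base_dn` are accepted but never used in this function, and `reqdata`, which carries the derived key material, is released with ber_bvfree() without being cleared first.
```c
/* … unchanged: set_cross_realm_pw signature … */
{
	int ret;
	krb5_error_code krberr;
	krb5_context krbctx = NULL;
	krb5_principal service_princ = NULL;
	struct keys_container keys = {0};
	char *err_msg = NULL;
	/* … unchanged: reqdata/retdata/retoid declarations, krb5_init_context, krb5_parse_name … */

	ret = create_keys(krbctx, service_princ, discard_const(pwd), NULL, &keys, &err_msg);
	if (!ret) {
		if (err_msg != NULL) {
			DEBUG(1, ("create_keys returned [%s]\n", err_msg));
		}
		ret = EINVAL; /* create_keys() reports failure as 0; must not be returned as success */
		goto done;
	}

	/* … unchanged: create_key_control, smbldap_extended_operation, retoid/retdata release … */
done:
	if (reqdata != NULL) {
		ber_bvfree(reqdata);
	}
	if (krbctx != NULL) {
		free_keys_contents(krbctx, &keys);
		if (service_princ != NULL) {
			krb5_free_principal(krbctx, service_princ);
		}
		krb5_free_context(krbctx);
	}

	return ret;
}
```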
@@ -1450,22 +1510,9 @@ static bool set_krb_princ(struct ldapsam_privates 
*ldap_state,
                return false;
        }
 
-       /* TODO: Call the appropriate expo if ipasam is part of the FreeIPA
-        * source tree */
-       inp = talloc_asprintf(mem_ctx, "change_password -pw %s %s", pwd, princ);
-       if (inp == NULL) {
-               return false;
-       }
-
-       uid_t save_uid = current_user.ut.uid;
-       gid_t save_gid = current_user.ut.gid;
-       current_user.ut.uid = 0;
-       current_user.ut.gid = 0;
-       ret = smbrunsecret("kadmin.local", inp);
-       current_user.ut.uid = save_uid;
-       current_user.ut.gid = save_gid;
+       ret = set_cross_realm_pw(ldap_state, mem_ctx, princ, pwd, base_dn);
        if (ret != 0) {
-               DEBUG(1, ("calling kadmin.local failed.\n"));
+               DEBUG(1, ("set_cross_realm_pw failed.\n"));
                return false;
        }
 
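Review bot: The removed lines were the only visible writers of `inp`; if its declaration sits earlier in set_krb_princ(), outside this hunk, it is now an unused local and should be removed along with it. The `ret != 0` check that remains here is only meaningful if set_cross_realm_pw() returns non-zero on every failure path, which the previous hunk does not guarantee for the create_keys() case. set_krb_princ() starts and ends outside this hunk.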
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 
cfd1ad7e5f83bd64c5934d270090754bbe9e9e36..82d78315d773a4cc1f25a420e5171270504730a3
 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -54,7 +54,7 @@ default: cn: trusts
 # 1. cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX can manage trusts, to 
allow modification via CIFS
 # 2. cn=trust admins,cn=groups,cn=accounts,$SUFFIX can manage trusts (via ipa 
tools)
 dn: cn=trusts,$SUFFIX
-add:aci: '(target = "ldap:///cn=trusts,$SUFFIX";)(targetattr = "ipaNTTrustType 
|| ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || 
ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || 
ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset 
|| ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust system user to 
create and delete trust accounts"; allow (read,write,add,delete) 
groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
+add:aci: '(target = "ldap:///cn=trusts,$SUFFIX";)(targetattr = "ipaNTTrustType 
|| ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || 
ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || 
ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset 
|| ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || 
krbTicketFlags || krbLoginFailedCount || krbExtraData || 
krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete 
trust accounts and cross realm principals"; allow (read,write,add,delete) 
groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
 add:aci: '(target = "ldap:///cn=trusts,$SUFFIX";)(targetattr = "ipaNTTrustType 
|| ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || 
ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || 
ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset 
|| ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage 
trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust 
admins,cn=groups,cn=accounts,$SUFFIX";)'
 
 # Samba user should be able to read NT passwords to authenticate
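Review bot: The widened ACI grants cn=adtrust agents `read` as well as `write` on `krbPrincipalKey` (and `krbExtraData`) under cn=trusts,$SUFFIX, while the new set_cross_realm_pw() path in ipa_sam.c only needs to set keys through the KEYTAB_SET_OID extended operation. If that modify is the only operation the agents perform on these attributes, leaving `read` off them would keep the system account from retrieving stored cross-realm keys; whether anything else reads them under this identity is not visible in this patch and should be confirmed before narrowing.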
-- 
1.7.10.2
