Hi,

I finally managed to tie all the ends together for the magic regeneration of ipaNTHash,
based on the availability of an RC4 key among the user's Kerberos keys.

The patch should be applied after 0071 and can be tested by following:

0. run ipa-adtrust-install

1. ipa user-add foo

2. ipa passwd foo

3. Record the current ipaNTHash value:
# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-IPA-LOCAL.socket 'uid=foo' ipaNTHash 
> foo.current.ldif

4. Remove the generated ipaNTHash with ldapmodify:

removal.ldif:
---8<---8<----
dn: uid=foo,cn=users,cn=accounts,dc=ipa,dc=local
delete:ipaNtHash
--->8--->8----
# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-IPA-LOCAL.socket -f removal.ldif

5. Use 'wbinfo -i foo' (from samba4-winbind-clients) to trigger regeneration

6. Retrieve new ipaNTHash value:
# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-IPA-LOCAL.socket 'uid=foo' ipaNTHash 
> foo.regen.ldif

7. Compare foo.current.ldif and foo.regen.ldif; there should be no difference.

https://fedorahosted.org/freeipa/ticket/3016


--
/ Alexander Bokovoy
From db693373270ab2129406c90d49efb62ffa112d1b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Tue, 21 Aug 2012 12:05:28 +0300
Subject: [PATCH 4/4] Add ACI to allow regenerating ipaNTHash from ipasam and
 fix ipaNTHash retrieval

An ACI was missing to allow actually writing MagicRegen into the ipaNTHash attribute,
and an empty filter was not treated by the libldap library as the default
(objectclass=*).

With this change ipasam is able to ask for ipaNTHash generation and if
corresponding Kerberos key is available, will be able to retrieve generated 
ipaNTHash.

https://fedorahosted.org/freeipa/ticket/3016
---
 daemons/ipa-sam/ipa_sam.c        | 22 +++++++++-------------
 install/updates/60-trusts.update |  1 +
 2 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 
059109374bd0e1aa1de118b4767b5692d0e483a2..8a4a08bc7a5951553a463805a8aedb82ee887936
 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2417,7 +2417,7 @@ static bool ipasam_nthash_retrieve(struct 
ldapsam_privates *ldap_state,
                                  };
 
        ret = smbldap_search(smbldap_state, entry_dn,
-                            LDAP_SCOPE_BASE, "", attr_list, 0,
+                            LDAP_SCOPE_BASE, "(objectclass=*)", attr_list, 0,
                             &result);
        if (ret != LDAP_SUCCESS) {
                DEBUG(1, ("Failed to get NT hash: %s\n",
@@ -2453,15 +2453,13 @@ static bool ipasam_nthash_regen(struct ldapsam_privates 
*ldap_state,
                                TALLOC_CTX *mem_ctx,
                                char * entry_dn)
 {
-       LDAPMod **mods;
+       LDAPMod **mods = NULL;
        int ret;
 
-       mods = NULL;
-       smbldap_make_mod(ldap_state->smbldap_state->ldap_struct,
-                        NULL, &mods, LDAP_ATTRIBUTE_NTHASH, "MagicRegen");
-
+       smbldap_set_mod(&mods, LDAP_MOD_ADD, LDAP_ATTRIBUTE_NTHASH, 
"MagicRegen");
        talloc_autofree_ldapmod(mem_ctx, mods);
-       ret = smbldap_add(ldap_state->smbldap_state, entry_dn, mods);
+
+       ret = smbldap_modify(ldap_state->smbldap_state, entry_dn, mods);
        if (ret != LDAP_SUCCESS) {
                DEBUG(5, ("ipasam: attempt to regen ipaNTHash failed\n"));
        }
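Review bot: The failure branch after `ret = smbldap_modify(...)` discards the LDAP result code, so an ACI denial (the very case the accompanying 60-trusts.update change addresses) is indistinguishable in the log from any other modify failure. The retrieve path earlier in this patch prints the error string; doing the same here, `DEBUG(5, ("ipasam: attempt to regen ipaNTHash failed: %s\n", ldap_err2string(ret)));`, keeps the two paths consistent and makes an ACI problem visible at once. A one-line comment above the `smbldap_set_mod` call would also help the next reader, e.g. `/* Writing the "MagicRegen" sentinel asks the server to derive ipaNTHash from the Kerberos RC4 key; requires the write ACI from 60-trusts.update */`. ipasam_nthash_regen's return statement lies outside the hunk.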
@@ -2585,13 +2583,11 @@ static bool init_sam_from_ldap(struct ldapsam_privates 
*ldap_state,
                 * */
                temp = smbldap_talloc_dn(tmp_ctx, 
ldap_state->smbldap_state->ldap_struct, entry);
                if (temp) {
-                       retval = ipasam_nthash_regen(tmp_ctx,
-                                                    
ldap_state->smbldap_state->ldap_struct,
-                                                    temp);
+                       retval = ipasam_nthash_regen(ldap_state,
+                                                    tmp_ctx, temp);
                        if (retval) {
-                               retval = ipasam_nthash_retrieve(tmp_ctx,
-                                                       
ldap_state->smbldap_state->ldap_struct,
-                                                       temp, &nthash);
+                               retval = ipasam_nthash_retrieve(ldap_state,
+                                                               tmp_ctx, temp, 
&nthash);
                        }
                }
        }
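Review bot: After the updated `ipasam_nthash_regen(ldap_state, tmp_ctx, temp)` call, a false result stays in `retval` and, if that variable is what init_sam_from_ldap eventually returns (the function's end lies outside the hunk), a user whose Kerberos keys contain no RC4 key would fail to load at all rather than merely lack an NT hash. Please confirm that is the intended behaviour; if the hash is optional for such users, reset `retval = true;` after the regen/retrieve attempt, or distinguish "no key available" from a real LDAP error at the call site. Note also that when `smbldap_talloc_dn` returns NULL the `if (temp)` branch skips both calls and leaves retval at whatever value it held before, which is visible in the hunk but not commented.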
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 
0e40ca4d16133f0c1e93300fc13a08dd5ba4ddf7..61013287d3e96079e041f1cb109274b4ab409b27
 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -61,6 +61,7 @@ add:aci: '(target = "ldap:///cn=trusts,$SUFFIX";)(targetattr = 
"ipaNTTrustType ||
 # Add ipaNTHash to global ACIs, leave DNS tree out of global allow access rule
 dn: $SUFFIX
 add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals 
can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust 
agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
+add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals 
can write NT passwords"; allow (write) groupdn="ldap:///cn=adtrust 
agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
 replace:aci:'(targetattr != "userPassword || krbPrincipalKey || 
sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || 
userPKCS12")(version 3.0; acl "Enable Anonymous access"; allow (read, search, 
compare) userdn = "ldap:///anyone";;)::(target != 
"ldap:///idnsname=*,cn=dns,$SUFFIX";)(targetattr != "userPassword || 
krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || 
krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous 
access"; allow (read, search, compare) userdn = "ldap:///anyone";;)'
 replace:aci:'(targetattr != "userPassword || krbPrincipalKey || 
sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || 
krbPrincipalName || krbCanonicalName || krbUPEnabled || 
krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || 
krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange 
|| krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || 
krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || 
memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage 
any entry"; allow (all) groupdn = 
"ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)::(targetattr != 
"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || 
passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || 
krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || 
krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || 
krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || 
krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || 
krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || 
ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn 
= "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)'
 replace:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword 
|| sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write 
passwords"; allow (add,delete,write) 
groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)::(targetattr = 
"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || 
passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; 
allow (add,delete,write) 
groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)'
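Review bot: The added `add:aci:` line grants the adtrust agents group unrestricted `write` on ipaNTHash across the whole $SUFFIX, while the commit message says the only write ipasam needs is the `MagicRegen` sentinel that triggers regeneration. As written, any of those system accounts can also store an arbitrary NT hash on any user entry, which is a broader capability than the regeneration trigger; unless the server-side handler is known to reject every value other than the sentinel, consider narrowing the grant (389-ds ACIs support a `targattrfilters` clause that can restrict the added value) or at least a comment above the line explaining why full write access is required. The adjacent read ACI has the same unscoped target, so the new line is consistent with it in that respect. A suggested comment: `# ipasam writes the "MagicRegen" sentinel into ipaNTHash to request regeneration from the Kerberos RC4 key`.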
-- 
1.7.11.4

