On Tue, 21 Aug 2012, Alexander Bokovoy wrote:
Hi,

I finally managed to get all ends together for magic regen of ipaNTHash
based on availability of RC4 key in Kerberos keys.

The patch should be applied after 0071 and can be tested by following:

0. run ipa-adtrust-install

1. ipa user-add foo

2. ipa passwd foo

3. Remember current ipaNTHash value:
# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-IPA-LOCAL.socket 'uid=foo' ipaNTHash 
> foo.current.ldif

4. Remove generated ipaNThash with ldapmodify:

removal.ldif:
---8<---8<----
dn: uid=foo,cn=users,cn=accounts,dc=ipa,dc=local
delete:ipaNtHash
--->8--->8----
# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-IPA-LOCAL.socket -f removal.ldif

5. Use 'wbinfo -i foo' (from samba4-winbind-clients) to trigger regeneration

6. Retrieve new ipaNTHash value:
# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-IPA-LOCAL.socket 'uid=foo' ipaNTHash 
> foo.regen.ldif

7. Check foo.current.ldif and foo.regen.ldif, there should be no difference.

https://fedorahosted.org/freeipa/ticket/3016
Patch split into two and ACI change is merged into a single ACI for read
and write. Originally Simo wanted me to have them separate but later he
decided to follow my original plan. :)

Since we have 3.0 beta versions in the wild which already have 'read'
ACI, I'm explicitly removing the old ACI and adding a new one to help
with cases of 2.x -> 3.x upgrades.




--
/ Alexander Bokovoy
From 22176f6382b2a16b5d10f2a5e605246964e02a96 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Wed, 22 Aug 2012 14:24:33 +0300
Subject: [PATCH 5/5] Add ACI to allow regenerating ipaNTHash from ipasam

The ACI was lacking the permission to actually write MagicRegen into the ipaNTHash attribute.

Part 2 of https://fedorahosted.org/freeipa/ticket/3016
---
 install/updates/60-trusts.update | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 
0e40ca4d16133f0c1e93300fc13a08dd5ba4ddf7..cc9a771df901a90b457357c570dc06d34c0db4c8
 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -60,7 +60,8 @@ add:aci: '(target = "ldap:///cn=trusts,$SUFFIX";)(targetattr = 
"ipaNTTrustType ||
 # Samba user should be able to read NT passwords to authenticate
 # Add ipaNTHash to global ACIs, leave DNS tree out of global allow access rule
 dn: $SUFFIX
-add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals 
can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust 
agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
+add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals 
can read and write NT passwords"; allow (read,write) 
groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
+remove:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system 
principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust 
agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
 replace:aci:'(targetattr != "userPassword || krbPrincipalKey || 
sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || 
userPKCS12")(version 3.0; acl "Enable Anonymous access"; allow (read, search, 
compare) userdn = "ldap:///anyone";;)::(target != 
"ldap:///idnsname=*,cn=dns,$SUFFIX";)(targetattr != "userPassword || 
krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || 
krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous 
access"; allow (read, search, compare) userdn = "ldap:///anyone";;)'
 replace:aci:'(targetattr != "userPassword || krbPrincipalKey || 
sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || 
krbPrincipalName || krbCanonicalName || krbUPEnabled || 
krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || 
krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange 
|| krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || 
krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || 
memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage 
any entry"; allow (all) groupdn = 
"ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)::(targetattr != 
"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || 
passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || 
krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || 
krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || 
krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || 
krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || 
krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || 
ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn 
= "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)'
 replace:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword 
|| sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write 
passwords"; allow (add,delete,write) 
groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)::(targetattr = 
"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || 
passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; 
allow (add,delete,write) 
groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)'
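Review bot: The `remove:aci:` entry only takes effect if its value matches the ACI string the 3.0 betas installed byte for byte; any difference in spacing or quoting would leave both the read-only ACI and the new read,write ACI in place, and nothing in the update file explains why the removal is there. A one-line comment above it would help the next reader, for example `# 3.0 beta shipped a read-only ACI under this name; drop it so only the read,write ACI remains`. Adding the new ACI before removing the old one keeps read access continuous during the update, which is worth preserving if the lines are ever reordered. The `replace:aci:` lines that follow are unchanged context.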
-- 
1.7.11.4

>From c9f743c986e2af749d51152c0678ca77392e36b2 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Wed, 22 Aug 2012 14:19:54 +0300
Subject: [PATCH 4/5] Fix ipasam ipaNThash magic regen to actually fetch
 updated password

With this change ipasam is able to ask for ipaNTHash generation and, if the
corresponding Kerberos key is available, to retrieve the generated
ipaNTHash.

Part 1 of https://fedorahosted.org/freeipa/ticket/3016
---
 daemons/ipa-sam/ipa_sam.c | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 
059109374bd0e1aa1de118b4767b5692d0e483a2..8a4a08bc7a5951553a463805a8aedb82ee887936
 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2417,7 +2417,7 @@ static bool ipasam_nthash_retrieve(struct 
ldapsam_privates *ldap_state,
                                  };
 
        ret = smbldap_search(smbldap_state, entry_dn,
-                            LDAP_SCOPE_BASE, "", attr_list, 0,
+                            LDAP_SCOPE_BASE, "(objectclass=*)", attr_list, 0,
                             &result);
        if (ret != LDAP_SUCCESS) {
                DEBUG(1, ("Failed to get NT hash: %s\n",
@@ -2453,15 +2453,13 @@ static bool ipasam_nthash_regen(struct ldapsam_privates 
*ldap_state,
                                TALLOC_CTX *mem_ctx,
                                char * entry_dn)
 {
-       LDAPMod **mods;
+       LDAPMod **mods = NULL;
        int ret;
 
-       mods = NULL;
-       smbldap_make_mod(ldap_state->smbldap_state->ldap_struct,
-                        NULL, &mods, LDAP_ATTRIBUTE_NTHASH, "MagicRegen");
-
+       smbldap_set_mod(&mods, LDAP_MOD_ADD, LDAP_ATTRIBUTE_NTHASH, 
"MagicRegen");
        talloc_autofree_ldapmod(mem_ctx, mods);
-       ret = smbldap_add(ldap_state->smbldap_state, entry_dn, mods);
+
+       ret = smbldap_modify(ldap_state->smbldap_state, entry_dn, mods);
        if (ret != LDAP_SUCCESS) {
                DEBUG(5, ("ipasam: attempt to regen ipaNTHash failed\n"));
        }
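Review bot: The failure branch after `smbldap_modify` logs only at DEBUG level 5 and discards the LDAP result code, whereas the retrieve path in the previous hunk reports the error string at level 1, so a failed regeneration is hard to diagnose from the logs. Suggest `DEBUG(1, ("ipasam: attempt to regen ipaNTHash failed: %s\n", ldap_err2string(ret)));`. With `LDAP_MOD_ADD` the literal value "MagicRegen" is sent as a new ipaNTHash value, so correctness depends on the server-side plugin intercepting it; presumably the plugin rejects the modify when it cannot derive the hash, but that assumption deserves a comment at the call site. The return of ipasam_nthash_regen lies outside the hunk.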
@@ -2585,13 +2583,11 @@ static bool init_sam_from_ldap(struct ldapsam_privates 
*ldap_state,
                 * */
                temp = smbldap_talloc_dn(tmp_ctx, 
ldap_state->smbldap_state->ldap_struct, entry);
                if (temp) {
-                       retval = ipasam_nthash_regen(tmp_ctx,
-                                                    
ldap_state->smbldap_state->ldap_struct,
-                                                    temp);
+                       retval = ipasam_nthash_regen(ldap_state,
+                                                    tmp_ctx, temp);
                        if (retval) {
-                               retval = ipasam_nthash_retrieve(tmp_ctx,
-                                                       
ldap_state->smbldap_state->ldap_struct,
-                                                       temp, &nthash);
+                               retval = ipasam_nthash_retrieve(ldap_state,
+                                                               tmp_ctx, temp, 
&nthash);
                        }
                }
        }
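Review bot: When `smbldap_talloc_dn` returns NULL the `if (temp)` block is skipped silently and retval keeps whatever value it had before, so a failed DN lookup is indistinguishable in the logs from a successful regeneration; an `else` branch with `DEBUG(1, ("ipasam: failed to get entry DN for ipaNTHash regen\n"));` would make it visible. The corrected argument order (ldap_state first, then tmp_ctx) matches the signatures shown in the previous hunk. init_sam_from_ldap begins and ends outside the hunk, so where retval is initialised cannot be confirmed from here.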
-- 
1.7.11.4
