Sending patches according to RFE:
http://www.freeipa.org/page/V3/Configurable_SID_Blacklists

How this works:

1) When a trust is added, its SID blacklist attributes are filled with the default
list (by the ipa-sam plugin). When the SID blacklist attribute is missing (e.g. for
trusts established before this change), ipa-kdb falls back to the hardcoded list.

# echo password | ipa trust-add MKAD2012.TEST --admin="Administrator" --password
----------------------------------------------
Re-established trust to domain "MKAD2012.TEST"
----------------------------------------------
  Realm name: MKAD2012.TEST
  Domain NetBIOS name: MKAD2012
  Domain Security Identifier: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
S-1-5-3, S-1-5-4, S-1-5-5,
                          S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
S-1-5-11, S-1-5-12, S-1-5-13,
                          S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18,
S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
S-1-5-3, S-1-5-4, S-1-5-5,
                          S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
S-1-5-11, S-1-5-12, S-1-5-13,
                          S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18,
S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

2) The incoming SID blacklist is updated (I added S-1-18-1 to the list, as it is
included in the MS-PAC when I log in from AD 2012; the existing entries are passed
along with the new one, as trust-mod sets the attribute to exactly the values given):

# ipa trust-mod MKAD2012.TEST --sid-blacklist-incoming
S-1-0,S-1-1,S-1-2,S-1-3,S-1-5-1,S-1-5-2,S-1-5-3,S-1-5-4,S-1-5-5,S-1-5-6,S-1-5-7,S-1-5-8,S-1-5-9,S-1-5-10,S-1-5-11,S-1-5-12,S-1-5-13,S-1-5-14,S-1-5-15,S-1-5-16,S-1-5-17,S-1-5-18,S-1-5-19,S-1-5-20,S-1-18-1

3) When I now log in from AD 2012 to my IPA machine, I get an error message in
krb5kdc.log about the filtered SID I configured in LDAP:

...
Feb 08 04:11:33 ipa.linux.mkad2012.test krb5kdc[6493](Error): PAC filtering
issue: SID [S-1-18-1] is not allowed from a trusted source and will be excluded.
...

NOTE:
While coding and testing this feature I fixed several related bugs I found in
ipa-kdb; see the descriptions of patches 363-365.

Martin
From b8e5b74aba5412c4eec254bdcf9b3b11ad555a09 Mon Sep 17 00:00:00 2001
From: Martin Kosek <[email protected]>
Date: Thu, 7 Feb 2013 12:14:41 +0100
Subject: [PATCH 1/6] ipa-kdb: add sentinel for LDAPDerefSpec allocation

Without sentinel in place, ldap_create_deref_control_value executed
an invalid read in unallocated memory.
---
 daemons/ipa-kdb/ipa_kdb_common.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c
index 71df9634c4e25378494b165db9a9381f2b8fc206..247a38301295f159aced2ad7baa1534555d5fe0d 100644
--- a/daemons/ipa-kdb/ipa_kdb_common.c
+++ b/daemons/ipa-kdb/ipa_kdb_common.c
@@ -282,21 +282,22 @@ krb5_error_code ipadb_deref_search(struct ipadb_context *ipactx,
     krb5_error_code kerr;
     int times;
     int ret;
-    int c;
+    int c, i;
 
     for (c = 0; deref_attr_names[c]; c++) {
         /* count */ ;
     }
 
-    ds = calloc(c, sizeof(LDAPDerefSpec));
+    ds = calloc(c+1, sizeof(LDAPDerefSpec));
     if (!ds) {
         return ENOMEM;
     }
 
-    for (c = 0; deref_attr_names[c]; c++) {
-        ds[c].derefAttr = deref_attr_names[c];
-        ds[c].attributes = deref_attrs;
+    for (i = 0; deref_attr_names[i]; i++) {
+        ds[i].derefAttr = deref_attr_names[i];
+        ds[i].attributes = deref_attrs;
     }
+    ds[c].derefAttr = NULL;
 
     ret = ldap_create_deref_control_value(ipactx->lcontext, ds, &derefval);
     if (ret != LDAP_SUCCESS) {
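Review bot: The explicit `ds[c].derefAttr = NULL;` is already guaranteed by `calloc(c+1, …)` zeroing the extra element, so the store is defensive rather than functional; keep it, but say what it is for, e.g. `/* ldap_create_deref_control_value() walks ds until derefAttr == NULL */`. The switch of the fill loop from `c` to `i` is what keeps `c` equal to the terminator index, which deserves a one-line comment as well, since the previous version reused `c` and that is exactly how the terminator went missing. ipadb_deref_search continues past the hunk, so whether `ds` is released on the error path that follows cannot be checked here.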
-- 
1.8.1

From f1f9add4ccf7a99fcabc98d898e600df73e911f0 Mon Sep 17 00:00:00 2001
From: Martin Kosek <[email protected]>
Date: Thu, 7 Feb 2013 13:17:28 +0100
Subject: [PATCH 2/6] ipa-kdb: avoid ENOMEM when all SIDs are filtered out

When all SIDs in info3.sids structure were filtered out, we tried
to talloc_realloc to zero memory size. talloc_realloc then returned
NULL pointer and filter_login_info returned with ENOMEM.

The code now frees the SID array instead and sets info3.sidcount to the
correct value.
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index ee1c6124f8d04cb10d091f11883834620c5c35ea..7307071a0d2562ca9ff5e4a5511ccdd6248ced4a 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1288,11 +1288,21 @@ static krb5_error_code filter_logon_info(krb5_context context,
         } while (i < count);
 
         if (j != 0) {
-            info->info->info3.sids = talloc_realloc(memctx, info->info->info3.sids, struct netr_SidAttr, count-j);
-            info->info->info3.sidcount = count-j;
-            if (!info->info->info3.sids) {
+            count = count-j;
+            if (count == 0) {
+                /* All SIDs were filtered out */
                 info->info->info3.sidcount = 0;
-                return ENOMEM;
+                talloc_free(info->info->info3.sids);
+                info->info->info3.sids = NULL;
+            } else {
+                info->info->info3.sids = talloc_realloc(memctx,
+                                                        info->info->info3.sids,
+                                                        struct netr_SidAttr, count);
+                if (!info->info->info3.sids) {
+                    info->info->info3.sidcount = 0;
+                    return ENOMEM;
+                }
+                info->info->info3.sidcount = count;
             }
         }
     }
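Review bot: `info->info->info3.sids = talloc_realloc(...)` overwrites the only reference to the array before the result is checked, so on failure the entry is left with `sids == NULL` and `sidcount == 0` while the old block lingers under its talloc parent; the usual `tmp = talloc_realloc(...); if (!tmp) { ... } info->info->info3.sids = tmp;` form keeps the entry consistent whatever the caller does with ENOMEM. The new zero-count branch also changes the outcome for a logon whose every extra SID is blacklisted: it now succeeds with an empty list instead of failing with ENOMEM, which is the right behaviour for a filter but worth stating, e.g. `/* every extra SID was filtered: hand back an empty, not a failed, SID list */`. filter_logon_info starts before this hunk, so the compaction loop that computes j is only partly visible.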
-- 
1.8.1

From 14ddfea4046817e2db35d8838c4706ee5356b71b Mon Sep 17 00:00:00 2001
From: Martin Kosek <[email protected]>
Date: Thu, 7 Feb 2013 15:45:46 +0100
Subject: [PATCH 3/6] ipa-kdb: reinitialize LDAP configuration for known realms

ipa-kdb only reinitialized the trusted domain configuration when a realm was
not found in the already loaded list. An admin therefore had to restart
krb5kdc to apply a change to an already known trust.

Run ipadb_reinit_mspac unconditionally every time when trusted domain
is loaded. Among the already configured 1 minute grace time, also
add a quick check if there is at least one configured trusted domain
before reinitializing the mspac structure.

https://fedorahosted.org/freeipa/ticket/3289
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 59 ++++++++++++++++++++++++++++++++---------
 1 file changed, 46 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 7307071a0d2562ca9ff5e4a5511ccdd6248ced4a..4417696001eb97caf4a7477069270f9a6150ead2 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1173,20 +1173,16 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context,
     struct ipadb_adtrusts *domain;
     krb5_error_code kerr;
 
+    ipactx = ipadb_get_context(context);
+    if (!ipactx) {
+        return NULL;
+    }
+
+    kerr = ipadb_reinit_mspac(ipactx);
+    if (kerr != 0) {
+        return NULL;
+    }
     domain = get_domain_from_realm(context, realm);
-    if (domain == NULL) {
-        ipactx = ipadb_get_context(context);
-        if (!ipactx) {
-            return NULL;
-        }
-
-        kerr = ipadb_reinit_mspac(ipactx);
-        if (kerr != 0) {
-            return NULL;
-        }
-
-        domain = get_domain_from_realm(context, realm);
-    }
 
     return domain;
 }
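Review bot: Moving `ipadb_reinit_mspac` ahead of the lookup changes the failure semantics: previously a realm already in the cached trust list was returned without touching LDAP, now any reinit failure returns NULL even when the cached entry was valid. What callers do with NULL is outside the hunk — if it means "not a trusted realm" the request may be rejected (fail closed: logins from every trust denied during a transient LDAP outage) or, worse, the PAC may go through unfiltered — so the caller should be checked and the failure at least logged here, e.g. `krb5_klog_syslog(LOG_ERR, "Failed to re-initialize trusted domain configuration");` before the `return NULL;`. The description says the reload is throttled by the one-minute grace period; that early return sits above the hunk in ipadb_reinit_mspac, and the cost of calling it on every lookup now depends entirely on it.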
@@ -1753,6 +1749,30 @@ krb5_error_code ipadb_mspac_fill_well_known_sids(struct ipadb_mspac *mspac)
     return 0;
 }
 
+krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
+{
+    char *attrs[] = { NULL };
+    char *filter = "(objectclass=ipaNTTrustedDomain)";
+    char *base = NULL;
+    LDAPMessage *result = NULL;
+    int ret;
+
+    ret = asprintf(&base, "cn=ad,cn=trusts,%s", ipactx->base);
+    if (ret == -1) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    /* Run a quick search if there is any trust defined */
+    ret = ipadb_simple_search(ipactx, base, LDAP_SCOPE_SUBTREE,
+                              filter, attrs, &result);
+
+done:
+    ldap_msgfree(result);
+    free(base);
+    return ret;
+}
+
 krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
 {
     struct ipadb_adtrusts *t;
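Review bot: `char *attrs[] = { NULL };` asks the server for every user attribute of every trust entry, not for none — an empty attribute list means "all user attributes" in LDAP — so the "quick search" pulls back the full trust objects (including the ipaNTTrustAuth* blobs listed in the schema) just to learn whether one exists. Use the no-attributes OID, `char *attrs[] = { "1.1", NULL };`, and, if ipadb_simple_search exposes it, a size limit of 1. This assumes ipadb_simple_search passes attrs straight through to the LDAP search; its definition is not in the diff.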
@@ -1856,6 +1876,19 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
         return 0;
     }
 
+    if (ipactx->mspac && ipactx->mspac->num_trusts == 0) {
+        /* Check if there is any trust configured. If not, just return
+         * and do not re-initialize the MS-PAC structure. */
+        ret = ipadb_mspac_check_trusted_domains(ipactx);
+        if (ret == KRB5_KDB_NOENTRY) {
+            ret = 0;
+            goto done;
+        } else if (ret != 0) {
+            ret = EIO;
+            goto done;
+        }
+    }
+
     /* clean up in case we had old values around */
     ipadb_mspac_struct_free(&ipactx->mspac);
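Review bot: The new early-return block assigns `ret`, but ipadb_reinit_mspac's `done:` label returns `kerr` (visible as unchanged context at the end of patch 5's last hunk for this function), so `ret = 0` and `ret = EIO` never reach the caller: the function returns whatever `kerr` holds at that point, either an uninitialised value or a stale success. Unless something between this block and `done:` copies `ret` into `kerr`, which nothing visible suggests, the block should use `kerr` throughout: `kerr = ipadb_mspac_check_trusted_domains(ipactx);`, then `kerr = 0; goto done;` and `kerr = EIO; goto done;`. Collapsing every non-NOENTRY error to EIO also hides the ENOMEM from the asprintf path; passing the code through unchanged is more useful in the log.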
 
-- 
1.8.1

From a6ceca9475c743b808e75d5affa469f9feaf5947 Mon Sep 17 00:00:00 2001
From: Martin Kosek <[email protected]>
Date: Thu, 7 Feb 2013 14:59:00 +0100
Subject: [PATCH 4/6] Add SID blacklist attributes

Update our LDAP schema and add 2 new attributes for the SID blacklist
definition. These new attributes can now be set per trust with the
trust-mod command.

https://fedorahosted.org/freeipa/ticket/3289
---
 API.txt                          | 10 ++++++++--
 VERSION                          |  2 +-
 install/share/60basev3.ldif      |  4 +++-
 install/updates/60-trusts.update |  7 +++++--
 ipalib/plugins/trust.py          | 25 ++++++++++++++++++++-----
 5 files changed, 37 insertions(+), 11 deletions(-)

diff --git a/API.txt b/API.txt
index 8fbfe6f5d8da44e991b8d1a36725fc6ace1f0616..28eca3a87fa1dfa30186f78fb6db89308ffe96df 100644
--- a/API.txt
+++ b/API.txt
@@ -3226,10 +3226,14 @@ output: Output('result', <type 'dict'>, None)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('value', <type 'unicode'>, None)
 command: trust_find
-args: 1,7,4
+args: 1,11,4
 arg: Str('criteria?', noextrawhitespace=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('cn', attribute=True, autofill=False, cli_name='realm', multivalue=False, primary_key=True, query=True, required=False)
+option: Str('ipantflatname', attribute=True, autofill=False, cli_name='flat_name', multivalue=False, query=True, required=False)
+option: Str('ipantsidblacklistincoming', attribute=True, autofill=False, cli_name='sid_blacklist_incoming', csv=True, multivalue=True, query=True, required=False)
+option: Str('ipantsidblacklistoutgoing', attribute=True, autofill=False, cli_name='sid_blacklist_outgoing', csv=True, multivalue=True, query=True, required=False)
+option: Str('ipanttrusteddomainsid', attribute=True, autofill=False, cli_name='sid', multivalue=False, query=True, required=False)
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Int('sizelimit?', autofill=False, minvalue=0)
@@ -3240,11 +3244,13 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('truncated', <type 'bool'>, None)
 command: trust_mod
-args: 1,7,3
+args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
+option: Str('ipantsidblacklistincoming', attribute=True, autofill=False, cli_name='sid_blacklist_incoming', csv=True, multivalue=True, required=False)
+option: Str('ipantsidblacklistoutgoing', attribute=True, autofill=False, cli_name='sid_blacklist_outgoing', csv=True, multivalue=True, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Flag('rights', autofill=True, default=False)
 option: Str('setattr*', cli_name='setattr', exclude='webui')
diff --git a/VERSION b/VERSION
index 61f578dbfc9415f6f94a6612f198218c5a5e0c9a..37af5ef73b74500e0cd7397fb2c109332c049bc6 100644
--- a/VERSION
+++ b/VERSION
@@ -89,4 +89,4 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=47
+IPA_API_VERSION_MINOR=48
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 18b23a3d2d00d03424df1c1cd4a5e9ddeba0f6d4..1564f7bd12bb1906239adc3e5bc38c94279b73a6 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -34,11 +34,13 @@ attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of
 attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
 attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
 # 2.16.840.1.113730.3.8.11.37 ipaKrbAuthzData
+attributeTypes: (2.16.840.1.113730.3.8.11.38 NAME 'ipaNTSIDBlacklistIncoming' DESC 'Extra SIDs filtered out from incoming MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
+attributeTypes: (2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DESC 'Extra SIDs filtered out from outgoing MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
 objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $ ipaNTFlatName $ ipaNTDomainGUID ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 'IPA v3' )
-objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTTrustedDomainSID $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes) )
+objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTTrustedDomainSID $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes $ ipaNTSIDBlacklistIncoming $ ipaNTSIDBlacklistOutgoing) )
 objectClasses: (2.16.840.1.113730.3.8.12.6 NAME 'groupOfPrincipals' SUP top AUXILIARY MUST ( cn ) MAY ( memberPrincipal ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $ ipaAllowedTarget ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.10 NAME 'ipaSELinuxUserMap' SUP ipaAssociation STRUCTURAL MUST ipaSELinuxUser MAY ( accessTime $ seeAlso ) X-ORIGIN 'IPA v3')
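Review bot: The DESC 'Extra SIDs filtered out from incoming MS-PAC' is misleading given how the KDC consumes the attribute in patch 5: a configured list replaces the built-in well-known list rather than extending it, which is why the cover letter's trust-mod example has to repeat all 24 defaults in order to add one SID. An admin who reads "Extra" and sets only `S-1-18-1` silently drops the S-1-5-* entries from the filter, a security regression with no warning. Suggest `DESC 'SIDs filtered out from incoming MS-PAC; when set, replaces the built-in well-known SID list'` (and the matching text for the outgoing attribute), both here and in 60-trusts.update.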
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index bf2c58daa9bc6abb2bbcefecec98d0dca9a89d60..868546e850eb8a67e6f3b8afbf071f8c6836af8b 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -21,8 +21,11 @@ add:attributeTypes: ( 2.16.840.1.113730.3.8.11.19 NAME 'ipaNTSupportedEncryption
 add:objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $$ ipaNTLogonScript $$ ipaNTProfilePath $$ ipaNTHomeDirectory $$ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
 add:objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
 add:objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $$ ipaNTFlatName $$ ipaNTDomainGUID ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 'IPA v3' )
-replace:objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTSecurityIdentifier $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )::objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )
-add:objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )
+add:attributeTypes: ( 2.16.840.1.113730.3.8.11.38 NAME 'ipaNTSIDBlacklistIncoming' DESC 'Extra SIDs filtered out from incoming MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )
+add:attributeTypes: ( 2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DESC 'Extra SIDs filtered out from outgoing MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )
+replace:objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTSecurityIdentifier $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )::(2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes $$ ipaNTSIDBlacklistIncoming $$ ipaNTSIDBlacklistOutgoing) )
+replace:objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )::(2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes $$ ipaNTSIDBlacklistIncoming $$ ipaNTSIDBlacklistOutgoing) )
+add:objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes $$ ipaNTSIDBlacklistIncoming $$ ipaNTSIDBlacklistOutgoing) )
 
 dn: cn=trust admins,cn=groups,cn=accounts,$SUFFIX
 default: objectClass: top
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 2019d910b18ea507b9d05f5b6165e7b6d9a43e4e..11b94388d2339e7b85bc8ed3f5595df789a65446 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -98,10 +98,6 @@ Example:
 """)
 
 trust_output_params = (
-    Str('ipantflatname',
-        label=_('Domain NetBIOS name')),
-    Str('ipanttrusteddomainsid',
-        label=_('Domain Security Identifier')),
     Str('trustdirection',
         label=_('Trust direction')),
     Str('trusttype',
@@ -168,6 +164,24 @@ class trust(LDAPObject):
             label=_('Realm name'),
             primary_key=True,
         ),
+        Str('ipantflatname',
+            cli_name='flat_name',
+            label=_('Domain NetBIOS name'),
+            flags=['no_create', 'no_update']),
+        Str('ipanttrusteddomainsid',
+            cli_name='sid',
+            label=_('Domain Security Identifier'),
+            flags=['no_create', 'no_update']),
+        Str('ipantsidblacklistincoming*',
+            csv=True,
+            cli_name='sid_blacklist_incoming',
+            label=_('SID blacklist incoming'),
+            flags=['no_create']),
+        Str('ipantsidblacklistoutgoing*',
+            csv=True,
+            cli_name='sid_blacklist_outgoing',
+            label=_('SID blacklist outgoing'),
+            flags=['no_create']),
     )
 
 def make_trust_dn(env, trust_type, dn):
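Review bot: The two new `Str` list parameters accept any string, and the KDC side (patch 5) ignores the return value of string_to_sid, so a typo such as `S-1-5-18x` or `S1-5-18` is stored and later becomes a zero-filled entry that matches nothing. Adding a pattern at the API boundary, e.g. `pattern=r'^S-1-\d+(-\d+)*$', pattern_errmsg='must be a SID of the form S-1-...'`, assuming this ipalib version supports those Param keywords, rejects such values before they reach LDAP. The outgoing list is also exposed here although patch 5 only reads and stores it; the label or option doc should say it is not enforced yet, so an operator does not rely on filtering that is not happening.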
@@ -410,7 +424,8 @@ class trust_mod(LDAPUpdate):
     available. More specific options will be added in coming releases.
     """)
 
-    msg_summary = _('Modified trust "%(value)s"')
+    msg_summary = _('Modified trust "%(value)s" '
+                    '(change will be effective in 60 seconds)')
 
     def pre_callback(self, ldap, dn, *keys, **options):
         assert isinstance(dn, DN)
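Review bot: The new summary hard-codes "60 seconds", coupling user-facing text to a grace period that lives in ipa-kdb (the throttling patch 3 refers to); if that interval changes, the message is wrong with nothing to catch it. It is also at most 60 seconds, and presumably only once the KDC next refreshes its trust configuration, so `'(change will be effective within 60 seconds)'` is closer to the truth, or drop the figure and say the KDC picks the change up on its next refresh.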
-- 
1.8.1

From 64c2aec6299b79683844fff8ad554eef50de373e Mon Sep 17 00:00:00 2001
From: Martin Kosek <[email protected]>
Date: Thu, 7 Feb 2013 14:52:35 +0100
Subject: [PATCH 5/6] ipa-kdb: read SID blacklist from LDAP

SIDs in incoming MS-PAC were checked and filtered with a fixed list of
well-known SIDs. Allow reading the SID blacklist from LDAP
(ipaNTSIDBlacklistIncoming and ipaNTSIDBlacklistOutgoing) and add the list
to mspac adtrust structure. Use the hardcoded SID list only if the LDAP
SID list is not configured.

LIMITATION: the outgoing SID blacklist is read and stored but not applied yet;
only the incoming list is used for filtering.

https://fedorahosted.org/freeipa/ticket/3289
---
 daemons/ipa-kdb/Makefile.am     |   2 +
 daemons/ipa-kdb/ipa_kdb_mspac.c | 156 ++++++++++++++++++++++++++--------------
 util/ipa_mspac.h                |  32 +++++++++
 3 files changed, 136 insertions(+), 54 deletions(-)
 create mode 100644 util/ipa_mspac.h

diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 17c090418ec5a0e2a39d948dc385d509c5d05321..5f4e6e2a6a940486a0c904f737f28c476df98773 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -1,6 +1,7 @@
 NULL =
 
 KRB5_UTIL_DIR = ../../util
+IPA_UTIL_DIR = ../../../util
 KRB5_UTIL_SRCS = $(KRB5_UTIL_DIR)/ipa_krb5.c \
 		 $(KRB5_UTIL_DIR)/ipa_pwd.c
 
@@ -8,6 +9,7 @@ INCLUDES =						\
 	-I.						\
 	-I$(srcdir)					\
 	-I$(KRB5_UTIL_DIR)				\
+	-I$(IPA_UTIL_DIR)				\
 	-DPREFIX=\""$(prefix)"\" 			\
 	-DBINDIR=\""$(bindir)"\"			\
 	-DLIBDIR=\""$(libdir)"\" 			\
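Review bot: `IPA_UTIL_DIR = ../../../util` (defined in the previous hunk) resolves one directory above the source tree if `KRB5_UTIL_DIR = ../../util` already names the top-level util/ directory, which is where the new util/ipa_mspac.h is created; the added `-I$(IPA_UTIL_DIR)` then points at a non-existent path and `#include "ipa_mspac.h"` only works because `-I$(KRB5_UTIL_DIR)` already covers it. Either set it to `../../util` or drop the new variable and rely on the existing include path; as written it silently does nothing on a clean checkout and will confuse whoever next extends it.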
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 4417696001eb97caf4a7477069270f9a6150ead2..0780e81cb5507ed590cc9b0646ba5919c0084523 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -21,6 +21,7 @@
  */
 
 #include "ipa_kdb.h"
+#include "ipa_mspac.h"
 #include <talloc.h>
 #include <syslog.h>
 #include "util/time.h"
@@ -31,13 +32,16 @@ struct ipadb_adtrusts {
     char *flat_name;
     char *domain_sid;
     struct dom_sid domsid;
+    struct dom_sid *sid_blacklist_incoming;
+    int len_sid_blacklist_incoming;
+    struct dom_sid *sid_blacklist_outgoing;
+    int len_sid_blacklist_outgoing;
 };
 
 struct ipadb_mspac {
     char *flat_domain_name;
     char *flat_server_name;
     struct dom_sid domsid;
-    struct dom_sid *well_known_sids;
 
     char *fallback_group;
     uint32_t fallback_rid;
@@ -88,36 +92,6 @@ static char *memberof_pac_attrs[] = {
     NULL
 };
 
-static char *mspac_well_known_sids[] = {
-    "S-1-0",
-    "S-1-1",
-    "S-1-2",
-    "S-1-3",
-    "S-1-5-1",
-    "S-1-5-2",
-    "S-1-5-3",
-    "S-1-5-4",
-    "S-1-5-5",
-    "S-1-5-6",
-    "S-1-5-7",
-    "S-1-5-8",
-    "S-1-5-9",
-    "S-1-5-10",
-    "S-1-5-11",
-    "S-1-5-12",
-    "S-1-5-13",
-    "S-1-5-14",
-    "S-1-5-15",
-    "S-1-5-16",
-    "S-1-5-17",
-    "S-1-5-18",
-    "S-1-5-19",
-    "S-1-5-20",
-};
-
-#define LEN_WELL_KNOWN_SIDS (sizeof(mspac_well_known_sids)/sizeof(char*))
-
-
 #define SID_ID_AUTHS 6
 #define SID_SUB_AUTHS 15
 #define MAX(a,b) (((a)>(b))?(a):(b))
@@ -1268,8 +1242,8 @@ static krb5_error_code filter_logon_info(krb5_context context,
             if (result) {
                 filter_logon_info_log_message(info->info->info3.sids[i].sid);
             } else {
-                for(k = 0; k < LEN_WELL_KNOWN_SIDS; k++) {
-                    result = dom_sid_is_prefix(&ipactx->mspac->well_known_sids[k], info->info->info3.sids[i].sid);
+                for(k = 0; k < domain->len_sid_blacklist_incoming; k++) {
+                    result = dom_sid_is_prefix(&domain->sid_blacklist_incoming[k], info->info->info3.sids[i].sid);
                     if (result) {
                         filter_logon_info_log_message(info->info->info3.sids[i].sid);
                         break;
@@ -1712,6 +1686,7 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
     if (!*mspac) return;
 
     free((*mspac)->flat_domain_name);
+    free((*mspac)->flat_server_name);
     free((*mspac)->fallback_group);
 
     if ((*mspac)->num_trusts) {
@@ -1719,31 +1694,65 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
             free((*mspac)->trusts[i].domain_name);
             free((*mspac)->trusts[i].flat_name);
             free((*mspac)->trusts[i].domain_sid);
+            free((*mspac)->trusts[i].sid_blacklist_incoming);
+            free((*mspac)->trusts[i].sid_blacklist_outgoing);
         }
     }
 
-    if ((*mspac)->well_known_sids) {
-        free((*mspac)->well_known_sids);
-    }
-
     *mspac = NULL;
 }
 
-#define LEN_WELL_KNOWN_SIDS (sizeof(mspac_well_known_sids)/sizeof(char*))
-krb5_error_code ipadb_mspac_fill_well_known_sids(struct ipadb_mspac *mspac)
+krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
+                                                  struct dom_sid **result_sids,
+                                                  int *result_length)
 {
-    int i;
+    int len, i;
+    char **source;
+    struct dom_sid *sid_blacklist;
 
-    mspac->well_known_sids = calloc(LEN_WELL_KNOWN_SIDS, sizeof(struct dom_sid));
+    if (source_sid_blacklist) {
+        source = source_sid_blacklist;
+    } else {
+        /* Use default hardcoded list */
+        source = ipa_mspac_well_known_sids;
+    }
+    len = 0;
+    for (i = 0; source && source[i]; i++) {
+        len++;
+    }
 
-    if (mspac->well_known_sids == NULL) {
+    sid_blacklist = calloc(len, sizeof(struct dom_sid));
+    if (sid_blacklist == NULL) {
         return ENOMEM;
     }
 
-    for (i = 0; i < LEN_WELL_KNOWN_SIDS; i++) {
-         if (mspac_well_known_sids[i] != NULL) {
-             (void) string_to_sid(mspac_well_known_sids[i], &(mspac->well_known_sids[i]));
-         }
+    for (i = 0; i < len; i++) {
+         (void) string_to_sid(source[i], &sid_blacklist[i]);
+    }
+
+    *result_sids = sid_blacklist;
+    *result_length = len;
+    return 0;
+}
+
+krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
+                                                   char **sid_blacklist_incoming,
+                                                   char **sid_blacklist_outgoing)
+{
+    krb5_error_code kerr;
+
+    kerr = ipadb_adtrusts_fill_sid_blacklist(sid_blacklist_incoming,
+                                             &adtrust->sid_blacklist_incoming,
+                                             &adtrust->len_sid_blacklist_incoming);
+    if (kerr) {
+        return kerr;
+    }
+
+    kerr = ipadb_adtrusts_fill_sid_blacklist(sid_blacklist_outgoing,
+                                             &adtrust->sid_blacklist_outgoing,
+                                             &adtrust->len_sid_blacklist_outgoing);
+    if (kerr) {
+        return kerr;
     }
 
     return 0;
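Review bot: `(void) string_to_sid(source[i], &sid_blacklist[i]);` discards the parse result, so a malformed value from LDAP leaves a zero-filled `struct dom_sid` in the blacklist (calloc's zeroes) that matches no real SID, silently weakening a security filter the admin believes is in place; validate each entry, log the offending string with krb5_klog_syslog, and either skip it or fail the reload. Whether the local string_to_sid signals failure as false or as a non-zero errno value is not visible in the diff, so the check must follow that convention. Separately, a present-but-empty list gives `len == 0` and `calloc(0, …)`, which may legally return NULL and be misreported as ENOMEM; guard it with `if (len == 0) { *result_sids = NULL; *result_length = 0; return 0; }`.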
@@ -1778,13 +1787,16 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
     struct ipadb_adtrusts *t;
     LDAP *lc = ipactx->lcontext;
     char *attrs[] = { "ipaNTTrustPartner", "ipaNTFlatName",
-                      "ipaNTTrustedDomainSID", NULL };
+                      "ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
+                      "ipaNTSIDBlacklistOutgoing", NULL };
     char *filter = "(objectclass=ipaNTTrustedDomain)";
     krb5_error_code kerr;
     LDAPMessage *res = NULL;
     LDAPMessage *le;
     char *base = NULL;
-    int ret, n;
+    char **sid_blacklist_incoming = NULL;
+    char **sid_blacklist_outgoing = NULL;
+    int ret, n, i;
 
     ret = asprintf(&base, "cn=ad,cn=trusts,%s", ipactx->base);
     if (ret == -1) {
@@ -1840,6 +1852,39 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
             ret = EINVAL;
             goto done;
         }
+
+        ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTSIDBlacklistIncoming",
+                                         &sid_blacklist_incoming);
+
+        if (ret) {
+            if (ret == ENOENT) {
+                /* This attribute is optional */
+                ret = 0;
+            } else {
+                ret = EINVAL;
+                goto done;
+            }
+        }
+
+        ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTSIDBlacklistOutgoing",
+                                         &sid_blacklist_outgoing);
+
+        if (ret) {
+            if (ret == ENOENT) {
+                /* This attribute is optional */
+                ret = 0;
+            } else {
+                ret = EINVAL;
+                goto done;
+            }
+        }
+
+        ret = ipadb_adtrusts_fill_sid_blacklists(&t[n],
+                                                 sid_blacklist_incoming,
+                                                 sid_blacklist_outgoing);
+        if (ret) {
+            goto done;
+        }
     }
 
     ret = 0;
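Review bot: `sid_blacklist_incoming` and `sid_blacklist_outgoing` are filled once per trust entry but only released at `done:`, so with more than one trust every iteration but the last leaks its two string lists, and — more seriously — if a later entry lacks the attribute and ipadb_ldap_attr_to_strlist leaves the output untouched on ENOENT (not visible here), that trust inherits the previous trust's blacklist instead of falling back to the built-in defaults. Free both lists and reset them to NULL at the end of each iteration, as below; the loop over entries starts before this hunk. The ENOENT branches also assign `ret = 0` only for it to be overwritten immediately, so the first of them is dead code.
```c
        ret = ipadb_adtrusts_fill_sid_blacklists(&t[n],
                                                 sid_blacklist_incoming,
                                                 sid_blacklist_outgoing);
        /* Release this entry's lists so the next entry starts from NULL:
         * a missing attribute must fall back to the built-in defaults,
         * not inherit the previous trust's list. */
        for (i = 0; sid_blacklist_incoming && sid_blacklist_incoming[i]; i++) {
            free(sid_blacklist_incoming[i]);
        }
        free(sid_blacklist_incoming);
        sid_blacklist_incoming = NULL;
        for (i = 0; sid_blacklist_outgoing && sid_blacklist_outgoing[i]; i++) {
            free(sid_blacklist_outgoing[i]);
        }
        free(sid_blacklist_outgoing);
        sid_blacklist_outgoing = NULL;
        if (ret) {
            goto done;
        }
```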
@@ -1849,6 +1894,15 @@ done:
         krb5_klog_syslog(LOG_ERR, "Failed to read list of trusted domains");
     }
     free(base);
+    for (i = 0; sid_blacklist_incoming && sid_blacklist_incoming[i]; i++) {
+        free(sid_blacklist_incoming[i]);
+    }
+    free(sid_blacklist_incoming);
+    for (i = 0; sid_blacklist_outgoing && sid_blacklist_outgoing[i]; i++) {
+        free(sid_blacklist_outgoing[i]);
+    }
+    free(sid_blacklist_outgoing);
+    ldap_msgfree(res);
     return ret;
 }
 
@@ -2000,12 +2054,6 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
 
     kerr = ipadb_mspac_get_trusted_domains(ipactx);
 
-    if (kerr) {
-        goto done;
-    }
-
-    kerr = ipadb_mspac_fill_well_known_sids(ipactx->mspac);
-
 done:
     ldap_msgfree(result);
     return kerr;
diff --git a/util/ipa_mspac.h b/util/ipa_mspac.h
new file mode 100644
index 0000000000000000000000000000000000000000..152317b182bec655b01132809ee5ecd8a1cf2e31
--- /dev/null
+++ b/util/ipa_mspac.h
@@ -0,0 +1,32 @@
+#ifndef __IPA_MSPAC_H_
+#define __IPA_MSPAC_H_
+
+char *ipa_mspac_well_known_sids[] = {
+    "S-1-0",
+    "S-1-1",
+    "S-1-2",
+    "S-1-3",
+    "S-1-5-1",
+    "S-1-5-2",
+    "S-1-5-3",
+    "S-1-5-4",
+    "S-1-5-5",
+    "S-1-5-6",
+    "S-1-5-7",
+    "S-1-5-8",
+    "S-1-5-9",
+    "S-1-5-10",
+    "S-1-5-11",
+    "S-1-5-12",
+    "S-1-5-13",
+    "S-1-5-14",
+    "S-1-5-15",
+    "S-1-5-16",
+    "S-1-5-17",
+    "S-1-5-18",
+    "S-1-5-19",
+    "S-1-5-20",
+    NULL
+};
+
+#endif /* __IPA_MSPAC_H_ */
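Review bot: This header defines, rather than declares, a mutable global (`char *ipa_mspac_well_known_sids[] = { ... }`), so every translation unit that includes it gets its own writable copy and two such units linked into one object would collide on the symbol; it links today only because the two includers (ipa-kdb and ipa-sam) are separate modules. Make it `static const char * const ipa_mspac_well_known_sids[]` — the consumers in patches 5 and 6 only read it, though `char **source` in ipadb_adtrusts_fill_sid_blacklist would then need a const-correct type — or move the definition to a util/*.c and leave an `extern` declaration here. `__IPA_MSPAC_H_` also begins with a double underscore, a reserved identifier; `IPA_MSPAC_H_` is the conventional guard.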
-- 
1.8.1

From 4abbfef5bfd0e2d720efe4eab530fca1698ec5ac Mon Sep 17 00:00:00 2001
From: Martin Kosek <[email protected]>
Date: Fri, 8 Feb 2013 10:13:35 +0100
Subject: [PATCH 6/6] ipa-sam: Fill SID blacklist when trust is added

Fill incoming and outgoing trust LDAP entry with default SID
blacklist value.

https://fedorahosted.org/freeipa/ticket/3289
---
 daemons/ipa-sam/ipa_sam.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 3c4c97cd19a9937756013eab69b047d0df80ecad..adf482221ef504d651f80d5322fe710a4b4232cb 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -32,6 +32,7 @@
 #include <sss_idmap.h>
 #include "ipa_krb5.h"
 #include "ipa_pwd.h"
+#include "ipa_mspac.h"
 
 /* from drsblobs.h */
 struct AuthInfoNone {
@@ -121,6 +122,8 @@ bool secrets_store(const char *key, const void *data, size_t size); /* available
 #define LDAP_ATTRIBUTE_HOME_PATH "ipaNTHomeDirectory"
 #define LDAP_ATTRIBUTE_LOGON_SCRIPT "ipaNTLogonScript"
 #define LDAP_ATTRIBUTE_PROFILE_PATH "ipaNTProfilePath"
+#define LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING "ipaNTSIDBlacklistIncoming"
+#define LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING "ipaNTSIDBlacklistOutgoing"
 #define LDAP_ATTRIBUTE_NTHASH "ipaNTHash"
 #define LDAP_ATTRIBUTE_UIDNUMBER "uidnumber"
 #define LDAP_ATTRIBUTE_GIDNUMBER "gidnumber"
@@ -2165,7 +2168,7 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 	LDAPMod **mods;
 	bool res;
 	char *trusted_dn = NULL;
-	int ret;
+	int ret, i;
 	NTSTATUS status;
 	TALLOC_CTX *tmp_ctx;
 	char *trustpw;
@@ -2290,6 +2293,15 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 				      &td->trust_forest_trust_info);
 	}
 
+	for (i = 0; ipa_mspac_well_known_sids && ipa_mspac_well_known_sids[i]; i++) {
+		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+				      LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING,
+				      ipa_mspac_well_known_sids[i]);
+		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+				      LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING,
+				      ipa_mspac_well_known_sids[i]);
+	}
+
 	smbldap_talloc_autofree_ldapmod(tmp_ctx, mods);
 
 	trusted_dn = trusted_domain_dn(tmp_ctx, ldap_state, domain);
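Review bot: smbldap_make_mod compares the new value against a single existing value of the attribute, so calling it once per SID against a non-NULL `entry` — the "Re-established trust" case shown in the cover letter — looks like it will emit delete/add mods that reset an admin-customised blacklist (such as the S-1-18-1 added in the example) back to the built-in defaults whenever the trust is re-added; please confirm against smbldap_make_mod's handling of multi-valued attributes and, if so, skip the loop when the existing entry already carries the attribute. The `ipa_mspac_well_known_sids &&` test is always true for an array object and can be dropped. The defaults written here are a snapshot — trusts created now will not pick up later additions to the built-in list — which is by design but worth a comment above the loop.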
-- 
1.8.1
