On 02/08/2013 10:47 AM, Martin Kosek wrote:
> Sending patches according to RFE:
> http://www.freeipa.org/page/V3/Configurable_SID_Blacklists
> 
> How this works:
> 
> 1) A trust is added and the SID blacklist is filled with the default list (by the
> ipa-sam plugin). When the SID blacklist attribute is missing (e.g. for existing
> trusts), ipa-kdb uses the hardcoded list.
> 
> # echo password | ipa trust-add MKAD2012.TEST --admin="Administrator" 
> --password
> ----------------------------------------------
> Re-established trust to domain "MKAD2012.TEST"
> ----------------------------------------------
>   Realm name: MKAD2012.TEST
>   Domain NetBIOS name: MKAD2012
>   Domain Security Identifier: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
> S-1-5-3, S-1-5-4, S-1-5-5,
>                           S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
> S-1-5-11, S-1-5-12, S-1-5-13,
>                           S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18,
> S-1-5-19, S-1-5-20
>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
> S-1-5-3, S-1-5-4, S-1-5-5,
>                           S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
> S-1-5-11, S-1-5-12, S-1-5-13,
>                           S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18,
> S-1-5-19, S-1-5-20
>   Trust direction: Two-way trust
>   Trust type: Active Directory domain
>   Trust status: Established and verified
> 
> 2) Incoming SID blacklist is updated (I added S-1-18-1 to the list as it is
> included in the MS-PAC when I log in from AD 2012):
> 
> # ipa trust-mod MKAD2012.TEST --sid-blacklist-incoming
> S-1-0,S-1-1,S-1-2,S-1-3,S-1-5-1,S-1-5-2,S-1-5-3,S-1-5-4,S-1-5-5,S-1-5-6,S-1-5-7,S-1-5-8,S-1-5-9,S-1-5-10,S-1-5-11,S-1-5-12,S-1-5-13,S-1-5-14,S-1-5-15,S-1-5-16,S-1-5-17,S-1-5-18,S-1-5-19,S-1-5-20,S-1-18-1
> 
> 3) When I now log in from AD2012 to my IPA machine, I get an error message in
> krb5kdc.log about the filtered SID I configured in LDAP:
> 
> ...
> Feb 08 04:11:33 ipa.linux.mkad2012.test krb5kdc[6493](Error): PAC filtering
> issue: SID [S-1-18-1] is not allowed from a trusted source and will be 
> excluded.
> ...
> 
> NOTE:
> When coding and testing this feature I fixed several related bugs I found in
> ipa-kdb, see description of patches 363-365.
> 
> Martin
> 

I forgot to update the ACI allowing Trust Admins to modify the blacklist. I also
added a validator for SIDs to help catch invalid SIDs.

Updated patches attached.

Martin
From b8e5b74aba5412c4eec254bdcf9b3b11ad555a09 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 7 Feb 2013 12:14:41 +0100
Subject: [PATCH 1/6] ipa-kdb: add sentinel for LDAPDerefSpec allocation

Without sentinel in place, ldap_create_deref_control_value executed
an invalid read in unallocated memory.
---
 daemons/ipa-kdb/ipa_kdb_common.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c
index 71df9634c4e25378494b165db9a9381f2b8fc206..247a38301295f159aced2ad7baa1534555d5fe0d 100644
--- a/daemons/ipa-kdb/ipa_kdb_common.c
+++ b/daemons/ipa-kdb/ipa_kdb_common.c
@@ -282,21 +282,22 @@ krb5_error_code ipadb_deref_search(struct ipadb_context *ipactx,
     krb5_error_code kerr;
     int times;
     int ret;
-    int c;
+    int c, i;
 
     for (c = 0; deref_attr_names[c]; c++) {
         /* count */ ;
     }
 
-    ds = calloc(c, sizeof(LDAPDerefSpec));
+    ds = calloc(c+1, sizeof(LDAPDerefSpec));
     if (!ds) {
         return ENOMEM;
     }
 
-    for (c = 0; deref_attr_names[c]; c++) {
-        ds[c].derefAttr = deref_attr_names[c];
-        ds[c].attributes = deref_attrs;
+    for (i = 0; deref_attr_names[i]; i++) {
+        ds[i].derefAttr = deref_attr_names[i];
+        ds[i].attributes = deref_attrs;
     }
+    ds[c].derefAttr = NULL;
 
     ret = ldap_create_deref_control_value(ipactx->lcontext, ds, &derefval);
     if (ret != LDAP_SUCCESS) {
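Review bot: The explicit `ds[c].derefAttr = NULL;` at the end of the hunk is redundant with `calloc(c+1, sizeof(LDAPDerefSpec))` a few lines above, which already zero-fills the extra trailing element; keeping it is harmless, but the intent should be stated so nobody "cleans it up" later, e.g. `/* ds[c] is the NULL-terminated sentinel that ldap_create_deref_control_value presumably scans for; calloc already zeroed it */`. Switching the second loop index from `c` to `i` is what keeps `c` equal to the element count for the sentinel slot, which is worth a sentence in the commit message since the diff otherwise reads like a rename. ipadb_deref_search begins before this hunk and continues after it.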
-- 
1.8.1

From f1f9add4ccf7a99fcabc98d898e600df73e911f0 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 7 Feb 2013 13:17:28 +0100
Subject: [PATCH 2/6] ipa-kdb: avoid ENOMEM when all SIDs are filtered out

When all SIDs in info3.sids structure were filtered out, we tried
to talloc_realloc to zero memory size. talloc_realloc then returned
NULL pointer and filter_login_info returned with ENOMEM.

The code now frees the SID array instead and sets info3.sidcount to the
correct value.
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index ee1c6124f8d04cb10d091f11883834620c5c35ea..7307071a0d2562ca9ff5e4a5511ccdd6248ced4a 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1288,11 +1288,21 @@ static krb5_error_code filter_logon_info(krb5_context context,
         } while (i < count);
 
         if (j != 0) {
-            info->info->info3.sids = talloc_realloc(memctx, info->info->info3.sids, struct netr_SidAttr, count-j);
-            info->info->info3.sidcount = count-j;
-            if (!info->info->info3.sids) {
+            count = count-j;
+            if (count == 0) {
+                /* All SIDs were filtered out */
                 info->info->info3.sidcount = 0;
-                return ENOMEM;
+                talloc_free(info->info->info3.sids);
+                info->info->info3.sids = NULL;
+            } else {
+                info->info->info3.sids = talloc_realloc(memctx,
+                                                        info->info->info3.sids,
+                                                        struct netr_SidAttr, count);
+                if (!info->info->info3.sids) {
+                    info->info->info3.sidcount = 0;
+                    return ENOMEM;
+                }
+                info->info->info3.sidcount = count;
             }
         }
     }
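Review bot: `count = count-j;` on the new side overwrites the variable that the preceding `do { ... } while (i < count);` loop iterated over; if `count` is read again after this block with its original meaning (the remainder of filter_logon_info is outside the hunk), that read is now wrong, and a separate local such as `int remaining = count - j;` would remove the question. Both branches of the new `if (count == 0)` update `sidcount` and `sids` as a pair, which is the invariant the rest of the PAC code has to rely on; a one-line comment above the `if`, `/* sidcount and sids are always updated together; sidcount == 0 pairs with sids == NULL */`, makes that explicit. The enclosing function starts before this hunk.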
-- 
1.8.1

From 14ddfea4046817e2db35d8838c4706ee5356b71b Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 7 Feb 2013 15:45:46 +0100
Subject: [PATCH 3/6] ipa-kdb: reinitialize LDAP configuration for known realms

ipa-kdb did not reinitialize the trusted domain configuration once it had
been loaded. The admin therefore had to restart krb5kdc to apply a
configuration change to the running krb5kdc service.

Run ipadb_reinit_mspac unconditionally every time when trusted domain
is loaded. Among the already configured 1 minute grace time, also
add a quick check if there is at least one configured trusted domain
before reinitializing the mspac structure.

https://fedorahosted.org/freeipa/ticket/3289
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 59 ++++++++++++++++++++++++++++++++---------
 1 file changed, 46 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 7307071a0d2562ca9ff5e4a5511ccdd6248ced4a..4417696001eb97caf4a7477069270f9a6150ead2 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1173,20 +1173,16 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context,
     struct ipadb_adtrusts *domain;
     krb5_error_code kerr;
 
+    ipactx = ipadb_get_context(context);
+    if (!ipactx) {
+        return NULL;
+    }
+
+    kerr = ipadb_reinit_mspac(ipactx);
+    if (kerr != 0) {
+        return NULL;
+    }
     domain = get_domain_from_realm(context, realm);
-    if (domain == NULL) {
-        ipactx = ipadb_get_context(context);
-        if (!ipactx) {
-            return NULL;
-        }
-
-        kerr = ipadb_reinit_mspac(ipactx);
-        if (kerr != 0) {
-            return NULL;
-        }
-
-        domain = get_domain_from_realm(context, realm);
-    }
 
     return domain;
 }
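Review bot: The new code returns NULL whenever `ipadb_reinit_mspac` fails, even for a realm that is already present in the loaded trust list, so a transient LDAP error during the periodic refresh now makes every trusted-realm lookup fail until the next attempt, whereas the old code only refreshed on a miss. Whether failing closed here is intended depends on what callers do with a NULL domain, which is not visible in this hunk; if it is intended, document it, e.g. `/* Refresh first; a failed refresh deliberately fails the lookup rather than serving stale trust data */`, and if not, fall back to `get_domain_from_realm(context, realm)` on the cached data when `kerr != 0`. get_domain_from_realm_update begins above the hunk.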
@@ -1753,6 +1749,30 @@ krb5_error_code ipadb_mspac_fill_well_known_sids(struct ipadb_mspac *mspac)
     return 0;
 }
 
+krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
+{
+    char *attrs[] = { NULL };
+    char *filter = "(objectclass=ipaNTTrustedDomain)";
+    char *base = NULL;
+    LDAPMessage *result = NULL;
+    int ret;
+
+    ret = asprintf(&base, "cn=ad,cn=trusts,%s", ipactx->base);
+    if (ret == -1) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    /* Run a quick search if there is any trust defined */
+    ret = ipadb_simple_search(ipactx, base, LDAP_SCOPE_SUBTREE,
+                              filter, attrs, &result);
+
+done:
+    ldap_msgfree(result);
+    free(base);
+    return ret;
+}
+
 krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
 {
     struct ipadb_adtrusts *t;
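Review bot: When `asprintf` fails, `base` is left with unspecified contents (glibc documents the output pointer as undefined on error), yet the `done:` path calls `free(base)` on it; since nothing has been allocated at that point, return directly instead: `if (ret == -1) { return ENOMEM; }`. Separately, `char *attrs[] = { NULL }` is an empty attribute list, which an LDAP server interprets as "all user attributes" of every matching ipaNTTrustedDomain entry; for a pure existence check ask for none with `char *attrs[] = { "1.1", NULL };` (the RFC 4511 no-attributes selector), assuming ipadb_simple_search passes the list through unchanged. A short comment on the function stating that it only answers "is any trust configured" via the return code, and that `result` is never inspected, would help the next reader.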
@@ -1856,6 +1876,19 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
         return 0;
     }
 
+    if (ipactx->mspac && ipactx->mspac->num_trusts == 0) {
+        /* Check if there is any trust configured. If not, just return
+         * and do not re-initialize the MS-PAC structure. */
+        ret = ipadb_mspac_check_trusted_domains(ipactx);
+        if (ret == KRB5_KDB_NOENTRY) {
+            ret = 0;
+            goto done;
+        } else if (ret != 0) {
+            ret = EIO;
+            goto done;
+        }
+    }
+
     /* clean up in case we had old values around */
     ipadb_mspac_struct_free(&ipactx->mspac);
 
-- 
1.8.1

From 94fec9284e0cbb837f18ce664a6df107164f562e Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 7 Feb 2013 14:59:00 +0100
Subject: [PATCH 4/6] Add SID blacklist attributes

Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.

https://fedorahosted.org/freeipa/ticket/3289
---
 API.txt                          | 10 +++++++--
 VERSION                          |  2 +-
 install/share/60basev3.ldif      |  4 +++-
 install/updates/60-trusts.update | 10 ++++++---
 ipalib/plugins/trust.py          | 44 ++++++++++++++++++++++++++++++++++------
 ipaserver/dcerpc.py              |  8 ++++++++
 6 files changed, 65 insertions(+), 13 deletions(-)

diff --git a/API.txt b/API.txt
index 8fbfe6f5d8da44e991b8d1a36725fc6ace1f0616..28eca3a87fa1dfa30186f78fb6db89308ffe96df 100644
--- a/API.txt
+++ b/API.txt
@@ -3226,10 +3226,14 @@ output: Output('result', <type 'dict'>, None)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('value', <type 'unicode'>, None)
 command: trust_find
-args: 1,7,4
+args: 1,11,4
 arg: Str('criteria?', noextrawhitespace=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('cn', attribute=True, autofill=False, cli_name='realm', multivalue=False, primary_key=True, query=True, required=False)
+option: Str('ipantflatname', attribute=True, autofill=False, cli_name='flat_name', multivalue=False, query=True, required=False)
+option: Str('ipantsidblacklistincoming', attribute=True, autofill=False, cli_name='sid_blacklist_incoming', csv=True, multivalue=True, query=True, required=False)
+option: Str('ipantsidblacklistoutgoing', attribute=True, autofill=False, cli_name='sid_blacklist_outgoing', csv=True, multivalue=True, query=True, required=False)
+option: Str('ipanttrusteddomainsid', attribute=True, autofill=False, cli_name='sid', multivalue=False, query=True, required=False)
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Int('sizelimit?', autofill=False, minvalue=0)
@@ -3240,11 +3244,13 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('truncated', <type 'bool'>, None)
 command: trust_mod
-args: 1,7,3
+args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
+option: Str('ipantsidblacklistincoming', attribute=True, autofill=False, cli_name='sid_blacklist_incoming', csv=True, multivalue=True, required=False)
+option: Str('ipantsidblacklistoutgoing', attribute=True, autofill=False, cli_name='sid_blacklist_outgoing', csv=True, multivalue=True, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Flag('rights', autofill=True, default=False)
 option: Str('setattr*', cli_name='setattr', exclude='webui')
diff --git a/VERSION b/VERSION
index 61f578dbfc9415f6f94a6612f198218c5a5e0c9a..37af5ef73b74500e0cd7397fb2c109332c049bc6 100644
--- a/VERSION
+++ b/VERSION
@@ -89,4 +89,4 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=47
+IPA_API_VERSION_MINOR=48
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 18b23a3d2d00d03424df1c1cd4a5e9ddeba0f6d4..1564f7bd12bb1906239adc3e5bc38c94279b73a6 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -34,11 +34,13 @@ attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of
 attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
 attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
 # 2.16.840.1.113730.3.8.11.37 ipaKrbAuthzData
+attributeTypes: (2.16.840.1.113730.3.8.11.38 NAME 'ipaNTSIDBlacklistIncoming' DESC 'Extra SIDs filtered out from incoming MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
+attributeTypes: (2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DESC 'Extra SIDs filtered out from outgoing MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
 objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $ ipaNTFlatName $ ipaNTDomainGUID ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 'IPA v3' )
-objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTTrustedDomainSID $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes) )
+objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTTrustedDomainSID $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes $ ipaNTSIDBlacklistIncoming $ ipaNTSIDBlacklistOutgoing) )
 objectClasses: (2.16.840.1.113730.3.8.12.6 NAME 'groupOfPrincipals' SUP top AUXILIARY MUST ( cn ) MAY ( memberPrincipal ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $ ipaAllowedTarget ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.10 NAME 'ipaSELinuxUserMap' SUP ipaAssociation STRUCTURAL MUST ipaSELinuxUser MAY ( accessTime $ seeAlso ) X-ORIGIN 'IPA v3')
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index bf2c58daa9bc6abb2bbcefecec98d0dca9a89d60..cacaeb98f2251e9177c394f1c1414fff8dcd1165 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -21,8 +21,11 @@ add:attributeTypes: ( 2.16.840.1.113730.3.8.11.19 NAME 'ipaNTSupportedEncryption
 add:objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $$ ipaNTLogonScript $$ ipaNTProfilePath $$ ipaNTHomeDirectory $$ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
 add:objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
 add:objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $$ ipaNTFlatName $$ ipaNTDomainGUID ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 'IPA v3' )
-replace:objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTSecurityIdentifier $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )::objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )
-add:objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )
+add:attributeTypes: ( 2.16.840.1.113730.3.8.11.38 NAME 'ipaNTSIDBlacklistIncoming' DESC 'Extra SIDs filtered out from incoming MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )
+add:attributeTypes: ( 2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DESC 'Extra SIDs filtered out from outgoing MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )
+replace:objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTSecurityIdentifier $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )::(2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes $$ ipaNTSIDBlacklistIncoming $$ ipaNTSIDBlacklistOutgoing) )
+replace:objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )::(2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes $$ ipaNTSIDBlacklistIncoming $$ ipaNTSIDBlacklistOutgoing) )
+add:objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes $$ ipaNTSIDBlacklistIncoming $$ ipaNTSIDBlacklistOutgoing) )
 
 dn: cn=trust admins,cn=groups,cn=accounts,$SUFFIX
 default: objectClass: top
@@ -51,7 +54,8 @@ default: cn: trusts
 # 2. cn=trust admins,cn=groups,cn=accounts,$SUFFIX can manage trusts (via ipa tools)
 dn: cn=trusts,$SUFFIX
 add:aci: '(target = "ldap:///cn=trusts,$SUFFIX";)(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
-add:aci: '(target = "ldap:///cn=trusts,$SUFFIX";)(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)'
+replace:aci:'(target = "ldap:///cn=trusts,$SUFFIX";)(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX";)(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)'
+add:aci: '(target = "ldap:///cn=trusts,$SUFFIX";)(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)'
 
 # Samba user should be able to read NT passwords to authenticate
 # Add ipaNTHash to global ACIs, leave DNS tree out of global allow access rule
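Review bot: The adtrust agents ACI on the context line above the new `replace:aci:` is not extended with ipaNTSIDBlacklistIncoming / ipaNTSIDBlacklistOutgoing; the cover note says the ipa-sam plugin fills the default blacklist when a trust is added, and if that write is performed under the `cn=adtrust agents` system account (not visible in this series) it will be denied until that targetattr list also names the two attributes. Also, the `replace:aci:'(...` line omits the space after the colon that the neighbouring `add:aci: '(...` lines use; if the updater compares the old value literally rather than stripping leading whitespace, the replace silently fails to match, so either confirm the parser's behaviour or match the surrounding style.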
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 2019d910b18ea507b9d05f5b6165e7b6d9a43e4e..3268fcab8ba17b822451bce234dc64257ad766ff 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -98,10 +98,6 @@ Example:
 """)
 
 trust_output_params = (
-    Str('ipantflatname',
-        label=_('Domain NetBIOS name')),
-    Str('ipanttrusteddomainsid',
-        label=_('Domain Security Identifier')),
     Str('trustdirection',
         label=_('Trust direction')),
     Str('trusttype',
@@ -168,8 +164,41 @@ class trust(LDAPObject):
             label=_('Realm name'),
             primary_key=True,
         ),
+        Str('ipantflatname',
+            cli_name='flat_name',
+            label=_('Domain NetBIOS name'),
+            flags=['no_create', 'no_update']),
+        Str('ipanttrusteddomainsid',
+            cli_name='sid',
+            label=_('Domain Security Identifier'),
+            flags=['no_create', 'no_update']),
+        Str('ipantsidblacklistincoming*',
+            csv=True,
+            cli_name='sid_blacklist_incoming',
+            label=_('SID blacklist incoming'),
+            flags=['no_create']),
+        Str('ipantsidblacklistoutgoing*',
+            csv=True,
+            cli_name='sid_blacklist_outgoing',
+            label=_('SID blacklist outgoing'),
+            flags=['no_create']),
     )
 
+    def validate_sid_blacklists(self, entry_attrs):
+        if not _bindings_installed:
+            # SID validator is not available, return
+            # Even if invalid SID gets in the trust entry, it won't crash
+            # the validation process as it is translated to SID S-0-0
+            return
+        for attr in ('ipantsidblacklistincoming', 'ipantsidblacklistoutgoing'):
+            values = entry_attrs.get(attr)
+            if not values:
+                continue
+            for value in values:
+                if not ipaserver.dcerpc.is_sid_valid(value):
+                    raise errors.ValidationError(name=attr,
+                            error=_("invalid SID: %(value)s") % dict(value=value))
+
 def make_trust_dn(env, trust_type, dn):
     assert isinstance(dn, DN)
     if trust_type in trust.trust_types:
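Review bot: `validate_sid_blacklists` raises `ValidationError(name=attr, ...)` with the LDAP attribute name, so the user sees `ipantsidblacklistincoming` rather than the option they typed; use the parameter's CLI name, e.g. `name=self.params[attr].cli_name`. The method has no docstring; add one stating that it only checks that every value parses as a SID via `ipaserver.dcerpc.is_sid_valid`, that it is a no-op when the Samba bindings are not installed, and that it does not check whether a value makes sense as a blacklist entry. The inline comment about an invalid SID being "translated to SID S-0-0" describes ipa-kdb behaviour that is not visible in this file — mark it as referring to the KDC side so it is not mistaken for something this module guarantees. The enclosing `class trust` begins before the hunk.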
@@ -410,9 +439,10 @@ class trust_mod(LDAPUpdate):
     available. More specific options will be added in coming releases.
     """)
 
-    msg_summary = _('Modified trust "%(value)s"')
+    msg_summary = _('Modified trust "%(value)s" '
+                    '(change will be effective in 60 seconds)')
 
-    def pre_callback(self, ldap, dn, *keys, **options):
+    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         assert isinstance(dn, DN)
         result = None
         try:
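Review bot: The new `msg_summary` hardcodes "60 seconds", coupling a user-visible string to the one-minute grace time that the series describes as configured in ipa-kdb; if that interval changes, this message silently goes stale. Either derive the number from a shared constant or soften the wording, e.g. `'(change will take effect after the KDC refreshes its trust configuration)'`. The changed `pre_callback` signature continues past the hunk.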
@@ -420,6 +450,8 @@ class trust_mod(LDAPUpdate):
         except errors.NotFound, e:
             self.obj.handle_not_found(*keys)
 
+        self.obj.validate_sid_blacklists(entry_attrs)
+
         # TODO: we found the trust object, now modify it
         return result['result']['dn']
 
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 54a70defc9df52db58054d29c1c9f9189a88cabb..bff435f71223a73a986d74457dd7018020720a87 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -60,6 +60,14 @@ The code in this module relies heavily on samba4-python package
 and Samba4 python bindings.
 """)
 
+def is_sid_valid(sid):
+    try:
+        security.dom_sid(sid)
+    except TypeError:
+        return False
+    else:
+        return True
+
 access_denied_error =  errors.ACIError(info=_('CIFS server denied your credentials'))
 dcerpc_error_codes = {
     -1073741823:
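Review bot: `is_sid_valid` only catches `TypeError`; if `security.dom_sid` raises a different exception type for some malformed input, trust-mod would fail with an internal error instead of a validation error, so confirm the binding's behaviour or broaden the handler deliberately with a comment saying why. Add a docstring, e.g. `"""Return True if `sid` parses as a Windows SID with Samba's security.dom_sid, False otherwise."""`. A small table-driven test using the SIDs from the cover note plus an obviously invalid string would pin the contract.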
-- 
1.8.1

From b63943eab1748490ba7b9a7211205c5fbf84f619 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 7 Feb 2013 14:52:35 +0100
Subject: [PATCH 5/6] ipa-kdb: read SID blacklist from LDAP

SIDs in incoming MS-PAC were checked and filtered with a fixed list of
well-known SIDs. Allow reading the SID blacklist from LDAP
(ipaNTSIDBlacklistIncoming and ipaNTSIDBlacklistOutgoing) and add the list
to mspac adtrust structure. Use the hardcoded SID list only if the LDAP
SID list is not configured.

LIMITATION: SID blacklist list is not used yet.

https://fedorahosted.org/freeipa/ticket/3289
---
 daemons/ipa-kdb/Makefile.am     |   2 +
 daemons/ipa-kdb/ipa_kdb_mspac.c | 156 ++++++++++++++++++++++++++--------------
 util/ipa_mspac.h                |  32 +++++++++
 3 files changed, 136 insertions(+), 54 deletions(-)
 create mode 100644 util/ipa_mspac.h

diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 17c090418ec5a0e2a39d948dc385d509c5d05321..5f4e6e2a6a940486a0c904f737f28c476df98773 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -1,6 +1,7 @@
 NULL =
 
 KRB5_UTIL_DIR = ../../util
+IPA_UTIL_DIR = ../../../util
 KRB5_UTIL_SRCS = $(KRB5_UTIL_DIR)/ipa_krb5.c \
 		 $(KRB5_UTIL_DIR)/ipa_pwd.c
 
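Review bot: `IPA_UTIL_DIR = ../../../util` resolves one directory above the repository when evaluated from daemons/ipa-kdb, whereas the existing `KRB5_UTIL_DIR = ../../util` already points at the top-level `util/` directory where this series creates `ipa_mspac.h`; unless the daemons tree is built from a different location, the new variable is both wrong and redundant, and the existing `-I$(KRB5_UTIL_DIR)` already makes the header reachable. Drop the added line, or set `IPA_UTIL_DIR = $(KRB5_UTIL_DIR)` if a separately named variable is wanted for readability. The same applies to the `-I$(IPA_UTIL_DIR)` line added in the second hunk of this file.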
@@ -8,6 +9,7 @@ INCLUDES =						\
 	-I.						\
 	-I$(srcdir)					\
 	-I$(KRB5_UTIL_DIR)				\
+	-I$(IPA_UTIL_DIR)				\
 	-DPREFIX=\""$(prefix)"\" 			\
 	-DBINDIR=\""$(bindir)"\"			\
 	-DLIBDIR=\""$(libdir)"\" 			\
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 4417696001eb97caf4a7477069270f9a6150ead2..0780e81cb5507ed590cc9b0646ba5919c0084523 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -21,6 +21,7 @@
  */
 
 #include "ipa_kdb.h"
+#include "ipa_mspac.h"
 #include <talloc.h>
 #include <syslog.h>
 #include "util/time.h"
@@ -31,13 +32,16 @@ struct ipadb_adtrusts {
     char *flat_name;
     char *domain_sid;
     struct dom_sid domsid;
+    struct dom_sid *sid_blacklist_incoming;
+    int len_sid_blacklist_incoming;
+    struct dom_sid *sid_blacklist_outgoing;
+    int len_sid_blacklist_outgoing;
 };
 
 struct ipadb_mspac {
     char *flat_domain_name;
     char *flat_server_name;
     struct dom_sid domsid;
-    struct dom_sid *well_known_sids;
 
     char *fallback_group;
     uint32_t fallback_rid;
@@ -88,36 +92,6 @@ static char *memberof_pac_attrs[] = {
     NULL
 };
 
-static char *mspac_well_known_sids[] = {
-    "S-1-0",
-    "S-1-1",
-    "S-1-2",
-    "S-1-3",
-    "S-1-5-1",
-    "S-1-5-2",
-    "S-1-5-3",
-    "S-1-5-4",
-    "S-1-5-5",
-    "S-1-5-6",
-    "S-1-5-7",
-    "S-1-5-8",
-    "S-1-5-9",
-    "S-1-5-10",
-    "S-1-5-11",
-    "S-1-5-12",
-    "S-1-5-13",
-    "S-1-5-14",
-    "S-1-5-15",
-    "S-1-5-16",
-    "S-1-5-17",
-    "S-1-5-18",
-    "S-1-5-19",
-    "S-1-5-20",
-};
-
-#define LEN_WELL_KNOWN_SIDS (sizeof(mspac_well_known_sids)/sizeof(char*))
-
-
 #define SID_ID_AUTHS 6
 #define SID_SUB_AUTHS 15
 #define MAX(a,b) (((a)>(b))?(a):(b))
@@ -1268,8 +1242,8 @@ static krb5_error_code filter_logon_info(krb5_context context,
             if (result) {
                 filter_logon_info_log_message(info->info->info3.sids[i].sid);
             } else {
-                for(k = 0; k < LEN_WELL_KNOWN_SIDS; k++) {
-                    result = dom_sid_is_prefix(&ipactx->mspac->well_known_sids[k], info->info->info3.sids[i].sid);
+                for(k = 0; k < domain->len_sid_blacklist_incoming; k++) {
+                    result = dom_sid_is_prefix(&domain->sid_blacklist_incoming[k], info->info->info3.sids[i].sid);
                     if (result) {
                         filter_logon_info_log_message(info->info->info3.sids[i].sid);
                         break;
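Review bot: The filter loop now relies entirely on `domain->len_sid_blacklist_incoming`; if the per-trust fill left it at 0 (for example an allocation or parse failure that the caller did not treat as fatal), no well-known SID is filtered for that trust and the PAC passes through unchanged. Since this is the check the whole series is about, a zero length here should at least be logged with the same helper that emits the "PAC filtering issue" message, and `domain` must be guaranteed non-NULL by the code above the hunk (not visible here) before it is dereferenced. filter_logon_info begins before this hunk.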
@@ -1712,6 +1686,7 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
     if (!*mspac) return;
 
     free((*mspac)->flat_domain_name);
+    free((*mspac)->flat_server_name);
     free((*mspac)->fallback_group);
 
     if ((*mspac)->num_trusts) {
@@ -1719,31 +1694,65 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
             free((*mspac)->trusts[i].domain_name);
             free((*mspac)->trusts[i].flat_name);
             free((*mspac)->trusts[i].domain_sid);
+            free((*mspac)->trusts[i].sid_blacklist_incoming);
+            free((*mspac)->trusts[i].sid_blacklist_outgoing);
         }
     }
 
-    if ((*mspac)->well_known_sids) {
-        free((*mspac)->well_known_sids);
-    }
-
     *mspac = NULL;
 }
 
-#define LEN_WELL_KNOWN_SIDS (sizeof(mspac_well_known_sids)/sizeof(char*))
-krb5_error_code ipadb_mspac_fill_well_known_sids(struct ipadb_mspac *mspac)
+krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
+                                                  struct dom_sid **result_sids,
+                                                  int *result_length)
 {
-    int i;
+    int len, i;
+    char **source;
+    struct dom_sid *sid_blacklist;
 
-    mspac->well_known_sids = calloc(LEN_WELL_KNOWN_SIDS, sizeof(struct dom_sid));
+    if (source_sid_blacklist) {
+        source = source_sid_blacklist;
+    } else {
+        /* Use default hardcoded list */
+        source = ipa_mspac_well_known_sids;
+    }
+    len = 0;
+    for (i = 0; source && source[i]; i++) {
+        len++;
+    }
 
-    if (mspac->well_known_sids == NULL) {
+    sid_blacklist = calloc(len, sizeof(struct dom_sid));
+    if (sid_blacklist == NULL) {
         return ENOMEM;
     }
 
-    for (i = 0; i < LEN_WELL_KNOWN_SIDS; i++) {
-         if (mspac_well_known_sids[i] != NULL) {
-             (void) string_to_sid(mspac_well_known_sids[i], &(mspac->well_known_sids[i]));
-         }
+    for (i = 0; i < len; i++) {
+         (void) string_to_sid(source[i], &sid_blacklist[i]);
+    }
+
+    *result_sids = sid_blacklist;
+    *result_length = len;
+    return 0;
+}
+
+krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
+                                                   char **sid_blacklist_incoming,
+                                                   char **sid_blacklist_outgoing)
+{
+    krb5_error_code kerr;
+
+    kerr = ipadb_adtrusts_fill_sid_blacklist(sid_blacklist_incoming,
+                                             &adtrust->sid_blacklist_incoming,
+                                             &adtrust->len_sid_blacklist_incoming);
+    if (kerr) {
+        return kerr;
+    }
+
+    kerr = ipadb_adtrusts_fill_sid_blacklist(sid_blacklist_outgoing,
+                                             &adtrust->sid_blacklist_outgoing,
+                                             &adtrust->len_sid_blacklist_outgoing);
+    if (kerr) {
+        return kerr;
     }
 
     return 0;
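Review bot: In ipadb_adtrusts_fill_sid_blacklist the `(void) string_to_sid(...)` call discards the parse result, so a mistyped entry in `ipaNTSIDBlacklistIncoming` leaves a zeroed `struct dom_sid` from the calloc that, as far as I can tell, will never prefix-match anything — the filter silently fails open for that entry instead of refusing the configuration. Since the list is now admin-editable, a bad SID should be logged and rejected at load time (krb5_klog_syslog is already used in this file). The check below treats a non-zero return as failure; the helper's exact convention is not visible here and should be confirmed. Separately, `calloc(len, ...)` with `len == 0` may legitimately return NULL on some libcs and would then be reported as ENOMEM; if an empty list is possible, guard for `len == 0` before the allocation.
```c
    for (i = 0; i < len; i++) {
        if (string_to_sid(source[i], &sid_blacklist[i]) != 0) {
            krb5_klog_syslog(LOG_ERR,
                             "Invalid SID '%s' in SID blacklist", source[i]);
            free(sid_blacklist);
            return EINVAL;
        }
    }
```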
@@ -1778,13 +1787,16 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
     struct ipadb_adtrusts *t;
     LDAP *lc = ipactx->lcontext;
     char *attrs[] = { "ipaNTTrustPartner", "ipaNTFlatName",
-                      "ipaNTTrustedDomainSID", NULL };
+                      "ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
+                      "ipaNTSIDBlacklistOutgoing", NULL };
     char *filter = "(objectclass=ipaNTTrustedDomain)";
     krb5_error_code kerr;
     LDAPMessage *res = NULL;
     LDAPMessage *le;
     char *base = NULL;
-    int ret, n;
+    char **sid_blacklist_incoming = NULL;
+    char **sid_blacklist_outgoing = NULL;
+    int ret, n, i;
 
     ret = asprintf(&base, "cn=ad,cn=trusts,%s", ipactx->base);
     if (ret == -1) {
@@ -1840,6 +1852,39 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
             ret = EINVAL;
             goto done;
         }
+
+        ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTSIDBlacklistIncoming",
+                                         &sid_blacklist_incoming);
+
+        if (ret) {
+            if (ret == ENOENT) {
+                /* This attribute is optional */
+                ret = 0;
+            } else {
+                ret = EINVAL;
+                goto done;
+            }
+        }
+
+        ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTSIDBlacklistOutgoing",
+                                         &sid_blacklist_outgoing);
+
+        if (ret) {
+            if (ret == ENOENT) {
+                /* This attribute is optional */
+                ret = 0;
+            } else {
+                ret = EINVAL;
+                goto done;
+            }
+        }
+
+        ret = ipadb_adtrusts_fill_sid_blacklists(&t[n],
+                                                 sid_blacklist_incoming,
+                                                 sid_blacklist_outgoing);
+        if (ret) {
+            goto done;
+        }
     }
 
     ret = 0;
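Review bot: `sid_blacklist_incoming` and `sid_blacklist_outgoing` are only released at `done:`, but this body runs once per trust entry and overwrites both pointers on every pass, so with two or more trusts the earlier lists leak. Worse, if ipadb_ldap_attr_to_strlist leaves the output pointer untouched on ENOENT (not visible here, so to be confirmed), a later trust that lacks the attribute would inherit the previous trust's list instead of the NULL that selects the hardcoded defaults — a cross-trust misconfiguration. Free and reset both lists at the end of each iteration; the `done:` cleanup then only covers the error path. The enclosing loop and function start outside this hunk.
```c
        ret = ipadb_adtrusts_fill_sid_blacklists(&t[n],
                                                 sid_blacklist_incoming,
                                                 sid_blacklist_outgoing);
        if (ret) {
            goto done;
        }

        /* Lists are per-entry: release them so the next trust starts from
         * NULL (built-in defaults) rather than inheriting this one's list. */
        for (i = 0; sid_blacklist_incoming && sid_blacklist_incoming[i]; i++) {
            free(sid_blacklist_incoming[i]);
        }
        free(sid_blacklist_incoming);
        sid_blacklist_incoming = NULL;
        for (i = 0; sid_blacklist_outgoing && sid_blacklist_outgoing[i]; i++) {
            free(sid_blacklist_outgoing[i]);
        }
        free(sid_blacklist_outgoing);
        sid_blacklist_outgoing = NULL;
    }
```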
@@ -1849,6 +1894,15 @@ done:
         krb5_klog_syslog(LOG_ERR, "Failed to read list of trusted domains");
     }
     free(base);
+    for (i = 0; sid_blacklist_incoming && sid_blacklist_incoming[i]; i++) {
+        free(sid_blacklist_incoming[i]);
+    }
+    free(sid_blacklist_incoming);
+    for (i = 0; sid_blacklist_outgoing && sid_blacklist_outgoing[i]; i++) {
+        free(sid_blacklist_outgoing[i]);
+    }
+    free(sid_blacklist_outgoing);
+    ldap_msgfree(res);
     return ret;
 }
 
@@ -2000,12 +2054,6 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
 
     kerr = ipadb_mspac_get_trusted_domains(ipactx);
 
-    if (kerr) {
-        goto done;
-    }
-
-    kerr = ipadb_mspac_fill_well_known_sids(ipactx->mspac);
-
 done:
     ldap_msgfree(result);
     return kerr;
diff --git a/util/ipa_mspac.h b/util/ipa_mspac.h
new file mode 100644
index 0000000000000000000000000000000000000000..152317b182bec655b01132809ee5ecd8a1cf2e31
--- /dev/null
+++ b/util/ipa_mspac.h
@@ -0,0 +1,32 @@
+#ifndef __IPA_MSPAC_H_
+#define __IPA_MSPAC_H_
+
+char *ipa_mspac_well_known_sids[] = {
+    "S-1-0",
+    "S-1-1",
+    "S-1-2",
+    "S-1-3",
+    "S-1-5-1",
+    "S-1-5-2",
+    "S-1-5-3",
+    "S-1-5-4",
+    "S-1-5-5",
+    "S-1-5-6",
+    "S-1-5-7",
+    "S-1-5-8",
+    "S-1-5-9",
+    "S-1-5-10",
+    "S-1-5-11",
+    "S-1-5-12",
+    "S-1-5-13",
+    "S-1-5-14",
+    "S-1-5-15",
+    "S-1-5-16",
+    "S-1-5-17",
+    "S-1-5-18",
+    "S-1-5-19",
+    "S-1-5-20",
+    NULL
+};
+
+#endif /* __IPA_MSPAC_H_ */
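Review bot: `char *ipa_mspac_well_known_sids[]` is a non-static, mutable definition placed in a header, so every translation unit that includes ipa_mspac.h gets its own external copy; the two current users live in separate modules, but the first time two objects in one link include it the build fails with a duplicate symbol, and nothing stops code from writing to the table. Declare it `static const char *const ipa_mspac_well_known_sids[] = {` (callers that take it as `char **source` need a matching `const char *const *` adjustment, or a cast at the fallback assignment). The guard `__IPA_MSPAC_H_` also uses a reserved identifier (double leading underscore); `IPA_MSPAC_H_` avoids that.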
-- 
1.8.1

From a41c2cba727a0ad502707a3035f56492c253fb76 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Fri, 8 Feb 2013 10:13:35 +0100
Subject: [PATCH 6/6] ipa-sam: Fill SID blacklist when trust is added

Populate the incoming and outgoing SID blacklist attributes of the trust's
LDAP entry with the default well-known SID list.

https://fedorahosted.org/freeipa/ticket/3289
---
 daemons/ipa-sam/ipa_sam.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 3c4c97cd19a9937756013eab69b047d0df80ecad..adf482221ef504d651f80d5322fe710a4b4232cb 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -32,6 +32,7 @@
 #include <sss_idmap.h>
 #include "ipa_krb5.h"
 #include "ipa_pwd.h"
+#include "ipa_mspac.h"
 
 /* from drsblobs.h */
 struct AuthInfoNone {
@@ -121,6 +122,8 @@ bool secrets_store(const char *key, const void *data, size_t size); /* available
 #define LDAP_ATTRIBUTE_HOME_PATH "ipaNTHomeDirectory"
 #define LDAP_ATTRIBUTE_LOGON_SCRIPT "ipaNTLogonScript"
 #define LDAP_ATTRIBUTE_PROFILE_PATH "ipaNTProfilePath"
+#define LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING "ipaNTSIDBlacklistIncoming"
+#define LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING "ipaNTSIDBlacklistOutgoing"
 #define LDAP_ATTRIBUTE_NTHASH "ipaNTHash"
 #define LDAP_ATTRIBUTE_UIDNUMBER "uidnumber"
 #define LDAP_ATTRIBUTE_GIDNUMBER "gidnumber"
@@ -2165,7 +2168,7 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 	LDAPMod **mods;
 	bool res;
 	char *trusted_dn = NULL;
-	int ret;
+	int ret, i;
 	NTSTATUS status;
 	TALLOC_CTX *tmp_ctx;
 	char *trustpw;
@@ -2290,6 +2293,15 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 				      &td->trust_forest_trust_info);
 	}
 
+	for (i = 0; ipa_mspac_well_known_sids && ipa_mspac_well_known_sids[i]; i++) {
+		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+				      LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING,
+				      ipa_mspac_well_known_sids[i]);
+		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+				      LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING,
+				      ipa_mspac_well_known_sids[i]);
+	}
+
 	smbldap_talloc_autofree_ldapmod(tmp_ctx, mods);
 
 	trusted_dn = trusted_domain_dn(tmp_ctx, ldap_state, domain);
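Review bot: The loop writes the default blacklist unconditionally, so if ipasam_set_trusted_domain is reached again for a trust whose entry already exists (re-establishing a trust), an administrator's customised `ipaNTSIDBlacklistIncoming`/`Outgoing` values are reset to the defaults without warning — the admin-added entry is lost the next time the trust is re-added. If `entry` is the existing-entry argument that smbldap_make_mod takes, seed the defaults only for a new entry: `if (entry == NULL) { for (i = 0; ipa_mspac_well_known_sids[i]; i++) { ... } }`. I am also not certain smbldap_make_mod builds a correct multi-valued modification when called repeatedly for the same attribute against an existing entry, which is another reason to restrict this to entry creation. The `ipa_mspac_well_known_sids &&` test is redundant for an array. The function starts and ends outside this hunk.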
-- 
1.8.1
