On 02/11/2013 03:34 PM, Alexander Bokovoy wrote:
> On Fri, 08 Feb 2013, Martin Kosek wrote:
>> On 02/08/2013 10:47 AM, Martin Kosek wrote:
>>> Sending patches according to RFE:
>>> http://www.freeipa.org/page/V3/Configurable_SID_Blacklists
>>>
>>> How this works:
>>>
>>> 1) A trust is added and the SID blacklist is filled with the default list (by the
>>> ipa-sam plugin). When the SID blacklist attribute is missing (e.g. for existing
>>> trusts), ipa-kdb will use the hardcoded list.
>>>
>>> # echo password | ipa trust-add MKAD2012.TEST --admin="Administrator"
>>> --password
>>> ----------------------------------------------
>>> Re-established trust to domain "MKAD2012.TEST"
>>> ----------------------------------------------
>>>   Realm name: MKAD2012.TEST
>>>   Domain NetBIOS name: MKAD2012
>>>   Domain Security Identifier: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
>>>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>> S-1-5-3, S-1-5-4, S-1-5-5,
>>>                           S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
>>> S-1-5-11, S-1-5-12, S-1-5-13,
>>>                           S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18,
>>> S-1-5-19, S-1-5-20
>>>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>> S-1-5-3, S-1-5-4, S-1-5-5,
>>>                           S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
>>> S-1-5-11, S-1-5-12, S-1-5-13,
>>>                           S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18,
>>> S-1-5-19, S-1-5-20
>>>   Trust direction: Two-way trust
>>>   Trust type: Active Directory domain
>>>   Trust status: Established and verified
>>>
>>> 2) The incoming SID blacklist is updated (I added S-1-18-1 to the list as it is
>>> included in the MS-PAC when I log in from AD 2012):
>>>
>>> # ipa trust-mod MKAD2012.TEST --sid-blacklist-incoming
>>> S-1-0,S-1-1,S-1-2,S-1-3,S-1-5-1,S-1-5-2,S-1-5-3,S-1-5-4,S-1-5-5,S-1-5-6,S-1-5-7,S-1-5-8,S-1-5-9,S-1-5-10,S-1-5-11,S-1-5-12,S-1-5-13,S-1-5-14,S-1-5-15,S-1-5-16,S-1-5-17,S-1-5-18,S-1-5-19,S-1-5-20,S-1-18-1
>>>
>>>
>>> 3) When I now log in from AD 2012 to my IPA machine, I get an error message in
>>> krb5kdc.log about the filtered SID I configured in LDAP:
>>>
>>> ...
>>> Feb 08 04:11:33 ipa.linux.mkad2012.test krb5kdc[6493](Error): PAC filtering
>>> issue: SID [S-1-18-1] is not allowed from a trusted source and will be
>>> excluded.
>>> ...
>>>
>>> NOTE:
>>> When coding and testing this feature I fixed several related bugs I found in
>>> ipa-kdb, see description of patches 363-365.
>>>
>>> Martin
>>>
>>
>> I forgot to update ACI allowing Trust Admins to modify the blacklist. I also
>> added a validator for SIDs to help catching invalid SIDs.
>>
>> Updated patches attached.
> Works fine for me against a Windows 2012 server.
> 
> However, I'd like you to rebase on top of your previous patches. VERSION
> file is causing conflict since your patchset for trustconfig command
> increments to the same version as this one.
> 

I pushed previous acked patch to master. Attaching patches 363-368 rebased on
top of that.

Martin
From 5bd05dd4d513a4b8540603458b427f19c4a9b088 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 7 Feb 2013 12:14:41 +0100
Subject: [PATCH 1/6] ipa-kdb: add sentinel for LDAPDerefSpec allocation

Without sentinel in place, ldap_create_deref_control_value executed
an invalid read in unallocated memory.
---
 daemons/ipa-kdb/ipa_kdb_common.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c
index 18e15909039ba78987185553c6168aa457a969be..e04bae6673ddc97325883708d2bca2805f6ae4fa 100644
--- a/daemons/ipa-kdb/ipa_kdb_common.c
+++ b/daemons/ipa-kdb/ipa_kdb_common.c
@@ -282,21 +282,22 @@ krb5_error_code ipadb_deref_search(struct ipadb_context *ipactx,
     krb5_error_code kerr;
     int times;
     int ret;
-    int c;
+    int c, i;
 
     for (c = 0; deref_attr_names[c]; c++) {
         /* count */ ;
     }
 
-    ds = calloc(c, sizeof(LDAPDerefSpec));
+    ds = calloc(c+1, sizeof(LDAPDerefSpec));
     if (!ds) {
         return ENOMEM;
     }
 
-    for (c = 0; deref_attr_names[c]; c++) {
-        ds[c].derefAttr = deref_attr_names[c];
-        ds[c].attributes = deref_attrs;
+    for (i = 0; deref_attr_names[i]; i++) {
+        ds[i].derefAttr = deref_attr_names[i];
+        ds[i].attributes = deref_attrs;
     }
+    ds[c].derefAttr = NULL;
 
     ret = ldap_create_deref_control_value(ipactx->lcontext, ds, &derefval);
     if (ret != LDAP_SUCCESS) {
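Review bot: `ds[c].derefAttr = NULL;` after the fill loop is redundant, because `calloc(c+1, sizeof(LDAPDerefSpec))` already zero-fills the extra element; the terminator comes from the `+1`, not from this assignment. Keeping the store is harmless, but the intent belongs on the allocation so a later cleanup does not drop the extra element, e.g. `ds = calloc(c+1, sizeof(LDAPDerefSpec)); /* +1: ldap_create_deref_control_value() walks ds until derefAttr == NULL */`. Since `c` is still the element count after the new `i` loop, the explicit store could then go. ipadb_deref_search continues outside the hunk.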
-- 
1.8.1.2

From dc0cdddf7a800ba03f0c5700c4dbf00cf55aedcb Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 7 Feb 2013 13:17:28 +0100
Subject: [PATCH 2/6] ipa-kdb: avoid ENOMEM when all SIDs are filtered out

When all SIDs in info3.sids structure were filtered out, we tried
to talloc_realloc to zero memory size. talloc_realloc then returned
NULL pointer and filter_login_info returned with ENOMEM.

The code now frees the SID array instead and sets info3.sidcount to the
correct value.
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index ee1c6124f8d04cb10d091f11883834620c5c35ea..7307071a0d2562ca9ff5e4a5511ccdd6248ced4a 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1288,11 +1288,21 @@ static krb5_error_code filter_logon_info(krb5_context context,
         } while (i < count);
 
         if (j != 0) {
-            info->info->info3.sids = talloc_realloc(memctx, info->info->info3.sids, struct netr_SidAttr, count-j);
-            info->info->info3.sidcount = count-j;
-            if (!info->info->info3.sids) {
+            count = count-j;
+            if (count == 0) {
+                /* All SIDs were filtered out */
                 info->info->info3.sidcount = 0;
-                return ENOMEM;
+                talloc_free(info->info->info3.sids);
+                info->info->info3.sids = NULL;
+            } else {
+                info->info->info3.sids = talloc_realloc(memctx,
+                                                        info->info->info3.sids,
+                                                        struct netr_SidAttr, count);
+                if (!info->info->info3.sids) {
+                    info->info->info3.sidcount = 0;
+                    return ENOMEM;
+                }
+                info->info->info3.sidcount = count;
             }
         }
     }
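Review bot: `info->info->info3.sids = talloc_realloc(...)` still overwrites the only reference to the array before the NULL check, so on a failed shrink the old block becomes unreachable (it stays owned by `memctx`, so it is not a hard leak, but the data is gone while `sidcount` is reset to 0). Assign through a temporary: `struct netr_SidAttr *sids = talloc_realloc(memctx, info->info->info3.sids, struct netr_SidAttr, count);` then `if (!sids) { ... return ENOMEM; }` and `info->info->info3.sids = sids;`. The hunk also repurposes `count` (`count = count-j;`); if `count` is read again later in filter_logon_info, which begins and ends outside the hunk, it now holds the filtered length rather than the original one — confirm. A one-line comment on the `count == 0` branch saying why it exists (talloc_realloc to size 0 frees and returns NULL, which the old code mistook for ENOMEM) would keep the fix from being "simplified" away.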
-- 
1.8.1.2

From cf01efb699176fd706917b85ee709da1c5a386db Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 7 Feb 2013 15:45:46 +0100
Subject: [PATCH 3/6] ipa-kdb: reinitialize LDAP configuration for known realms

ipa-kdb did not reinitialize the trusted domain configuration once it had
been loaded, so an admin had to restart krb5kdc to apply a change to the
running krb5kdc service.

Run ipadb_reinit_mspac unconditionally every time when trusted domain
is loaded. Among the already configured 1 minute grace time, also
add a quick check if there is at least one configured trusted domain
before reinitializing the mspac structure.

https://fedorahosted.org/freeipa/ticket/3289
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 59 ++++++++++++++++++++++++++++++++---------
 1 file changed, 46 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 7307071a0d2562ca9ff5e4a5511ccdd6248ced4a..4417696001eb97caf4a7477069270f9a6150ead2 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1173,20 +1173,16 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context,
     struct ipadb_adtrusts *domain;
     krb5_error_code kerr;
 
+    ipactx = ipadb_get_context(context);
+    if (!ipactx) {
+        return NULL;
+    }
+
+    kerr = ipadb_reinit_mspac(ipactx);
+    if (kerr != 0) {
+        return NULL;
+    }
     domain = get_domain_from_realm(context, realm);
-    if (domain == NULL) {
-        ipactx = ipadb_get_context(context);
-        if (!ipactx) {
-            return NULL;
-        }
-
-        kerr = ipadb_reinit_mspac(ipactx);
-        if (kerr != 0) {
-            return NULL;
-        }
-
-        domain = get_domain_from_realm(context, realm);
-    }
 
     return domain;
 }
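Review bot: The function now fails closed on a refresh error: `kerr = ipadb_reinit_mspac(ipactx); if (kerr != 0) { return NULL; }` runs before the lookup, so a transient LDAP failure makes an already-cached trusted domain unresolvable, where the old code only refreshed on a cache miss and otherwise served the cached entry. That is a defensible choice — a possibly stale SID blacklist is not silently reused — but it changes availability for cross-realm logins and should be stated, e.g. `/* Refresh first and fail closed: do not serve a trusted domain from stale data when the refresh fails. */` above the call. If the intent is instead to keep serving cached data on refresh failure, drop the early return and let get_domain_from_realm() decide.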
@@ -1753,6 +1749,30 @@ krb5_error_code ipadb_mspac_fill_well_known_sids(struct ipadb_mspac *mspac)
     return 0;
 }
 
+krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
+{
+    char *attrs[] = { NULL };
+    char *filter = "(objectclass=ipaNTTrustedDomain)";
+    char *base = NULL;
+    LDAPMessage *result = NULL;
+    int ret;
+
+    ret = asprintf(&base, "cn=ad,cn=trusts,%s", ipactx->base);
+    if (ret == -1) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    /* Run a quick search if there is any trust defined */
+    ret = ipadb_simple_search(ipactx, base, LDAP_SCOPE_SUBTREE,
+                              filter, attrs, &result);
+
+done:
+    ldap_msgfree(result);
+    free(base);
+    return ret;
+}
+
 krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
 {
     struct ipadb_adtrusts *t;
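Review bot: `char *attrs[] = { NULL };` is an empty attribute list, which LDAP treats as "all user attributes", so the existence check in ipadb_mspac_check_trusted_domains fetches every attribute of every trust object — including the ipaNTTrustAuth* values — just to learn whether one exists. Request no attributes instead, `char *attrs[] = { "1.1", NULL };` (the RFC 4511 noAttributes OID), assuming ipadb_simple_search passes the list through unchanged. The function also needs a header comment stating the contract its caller in ipadb_reinit_mspac relies on — 0 when at least one ipaNTTrustedDomain entry exists, KRB5_KDB_NOENTRY when none, another non-zero code on failure — which is implied by the caller but should be confirmed against ipadb_simple_search. Returning `ENOMEM` from a function typed `krb5_error_code` follows the file's existing style, so no change there.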
@@ -1856,6 +1876,19 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
         return 0;
     }
 
+    if (ipactx->mspac && ipactx->mspac->num_trusts == 0) {
+        /* Check if there is any trust configured. If not, just return
+         * and do not re-initialize the MS-PAC structure. */
+        ret = ipadb_mspac_check_trusted_domains(ipactx);
+        if (ret == KRB5_KDB_NOENTRY) {
+            ret = 0;
+            goto done;
+        } else if (ret != 0) {
+            ret = EIO;
+            goto done;
+        }
+    }
+
     /* clean up in case we had old values around */
     ipadb_mspac_struct_free(&ipactx->mspac);
 
-- 
1.8.1.2

From b8184f0cc74d0b9bbe35169d70779a724d826a90 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 7 Feb 2013 14:59:00 +0100
Subject: [PATCH 4/6] Add SID blacklist attributes

Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.

https://fedorahosted.org/freeipa/ticket/3289
---
 API.txt                          | 10 +++++++--
 VERSION                          |  2 +-
 install/share/60basev3.ldif      |  4 +++-
 install/updates/60-trusts.update | 10 ++++++---
 ipalib/plugins/trust.py          | 44 ++++++++++++++++++++++++++++++++++------
 ipaserver/dcerpc.py              |  8 ++++++++
 6 files changed, 65 insertions(+), 13 deletions(-)

diff --git a/API.txt b/API.txt
index 6e5c8c5871bcfd320289291114c3c1534c400a54..d1913022b180cd0922f98931ad6030cb0555a6c0 100644
--- a/API.txt
+++ b/API.txt
@@ -3226,10 +3226,14 @@ output: Output('result', <type 'dict'>, None)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('value', <type 'unicode'>, None)
 command: trust_find
-args: 1,7,4
+args: 1,11,4
 arg: Str('criteria?', noextrawhitespace=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('cn', attribute=True, autofill=False, cli_name='realm', multivalue=False, primary_key=True, query=True, required=False)
+option: Str('ipantflatname', attribute=True, autofill=False, cli_name='flat_name', multivalue=False, query=True, required=False)
+option: Str('ipantsidblacklistincoming', attribute=True, autofill=False, cli_name='sid_blacklist_incoming', csv=True, multivalue=True, query=True, required=False)
+option: Str('ipantsidblacklistoutgoing', attribute=True, autofill=False, cli_name='sid_blacklist_outgoing', csv=True, multivalue=True, query=True, required=False)
+option: Str('ipanttrusteddomainsid', attribute=True, autofill=False, cli_name='sid', multivalue=False, query=True, required=False)
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Int('sizelimit?', autofill=False, minvalue=0)
@@ -3240,11 +3244,13 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('truncated', <type 'bool'>, None)
 command: trust_mod
-args: 1,7,3
+args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
+option: Str('ipantsidblacklistincoming', attribute=True, autofill=False, cli_name='sid_blacklist_incoming', csv=True, multivalue=True, required=False)
+option: Str('ipantsidblacklistoutgoing', attribute=True, autofill=False, cli_name='sid_blacklist_outgoing', csv=True, multivalue=True, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Flag('rights', autofill=True, default=False)
 option: Str('setattr*', cli_name='setattr', exclude='webui')
diff --git a/VERSION b/VERSION
index 37af5ef73b74500e0cd7397fb2c109332c049bc6..7bcfe6f9628b8193f44faa9d399e3295e3204c1f 100644
--- a/VERSION
+++ b/VERSION
@@ -89,4 +89,4 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=48
+IPA_API_VERSION_MINOR=49
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 18b23a3d2d00d03424df1c1cd4a5e9ddeba0f6d4..1564f7bd12bb1906239adc3e5bc38c94279b73a6 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -34,11 +34,13 @@ attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of
 attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
 attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
 # 2.16.840.1.113730.3.8.11.37 ipaKrbAuthzData
+attributeTypes: (2.16.840.1.113730.3.8.11.38 NAME 'ipaNTSIDBlacklistIncoming' DESC 'Extra SIDs filtered out from incoming MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
+attributeTypes: (2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DESC 'Extra SIDs filtered out from outgoing MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
 objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $ ipaNTFlatName $ ipaNTDomainGUID ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 'IPA v3' )
-objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTTrustedDomainSID $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes) )
+objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTTrustedDomainSID $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes $ ipaNTSIDBlacklistIncoming $ ipaNTSIDBlacklistOutgoing) )
 objectClasses: (2.16.840.1.113730.3.8.12.6 NAME 'groupOfPrincipals' SUP top AUXILIARY MUST ( cn ) MAY ( memberPrincipal ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $ ipaAllowedTarget ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.10 NAME 'ipaSELinuxUserMap' SUP ipaAssociation STRUCTURAL MUST ipaSELinuxUser MAY ( accessTime $ seeAlso ) X-ORIGIN 'IPA v3')
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index bf2c58daa9bc6abb2bbcefecec98d0dca9a89d60..cacaeb98f2251e9177c394f1c1414fff8dcd1165 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -21,8 +21,11 @@ add:attributeTypes: ( 2.16.840.1.113730.3.8.11.19 NAME 'ipaNTSupportedEncryption
 add:objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $$ ipaNTLogonScript $$ ipaNTProfilePath $$ ipaNTHomeDirectory $$ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
 add:objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
 add:objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $$ ipaNTFlatName $$ ipaNTDomainGUID ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 'IPA v3' )
-replace:objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTSecurityIdentifier $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )::objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )
-add:objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )
+add:attributeTypes: ( 2.16.840.1.113730.3.8.11.38 NAME 'ipaNTSIDBlacklistIncoming' DESC 'Extra SIDs filtered out from incoming MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )
+add:attributeTypes: ( 2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DESC 'Extra SIDs filtered out from outgoing MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )
+replace:objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTSecurityIdentifier $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )::(2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes $$ ipaNTSIDBlacklistIncoming $$ ipaNTSIDBlacklistOutgoing) )
+replace:objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )::(2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes $$ ipaNTSIDBlacklistIncoming $$ ipaNTSIDBlacklistOutgoing) )
+add:objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes $$ ipaNTSIDBlacklistIncoming $$ ipaNTSIDBlacklistOutgoing) )
 
 dn: cn=trust admins,cn=groups,cn=accounts,$SUFFIX
 default: objectClass: top
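Review bot: The two consecutive `replace:objectClasses:` lines for 2.16.840.1.113730.3.8.12.5 read as a duplicate until one notices that their left-hand sides differ only in `ipaNTSecurityIdentifier` versus `ipaNTTrustedDomainSID`; a comment above them would save the next reader the comparison, e.g. `# Migrate both the pre-ipaNTTrustedDomainSID and the current definition of ipaNTTrustedDomain to the variant with the SID blacklist attributes; the add: below covers fresh installs.` Because `replace:` matches the stored value verbatim, a server whose definition differs in whitespace or attribute order will match neither line and keep the old objectClass; worth verifying on an instance upgraded from the previous release.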
@@ -51,7 +54,8 @@ default: cn: trusts
 # 2. cn=trust admins,cn=groups,cn=accounts,$SUFFIX can manage trusts (via ipa tools)
 dn: cn=trusts,$SUFFIX
 add:aci: '(target = "ldap:///cn=trusts,$SUFFIX";)(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
-add:aci: '(target = "ldap:///cn=trusts,$SUFFIX";)(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)'
+replace:aci:'(target = "ldap:///cn=trusts,$SUFFIX";)(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX";)(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)'
+add:aci: '(target = "ldap:///cn=trusts,$SUFFIX";)(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)'
 
 # Samba user should be able to read NT passwords to authenticate
 # Add ipaNTHash to global ACIs, leave DNS tree out of global allow access rule
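Review bot: Only the trust-admins ACI gains `ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing`; the `adtrust agents` ACI on the line above it (`groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX"`) is untouched. The thread says the default blacklist is written at trust-add time by the ipa-sam plugin; if that write happens under the adtrust agents bind, it will be denied until that targetattr list is extended as well — confirm against the ipa-sam patch, which is not on this page. Separately, `replace:aci:'...` lacks the space after the colon that every neighbouring `add:aci: '...` line has; harmless if the updater tolerates it, but inconsistent.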
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index a5211bfab105de437e10d41f14b66fa6d45900fc..acb73aa3ef1f0beacebf56fd0a5408a52f9cf09a 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -123,10 +123,6 @@ particular type.
 """)
 
 trust_output_params = (
-    Str('ipantflatname',
-        label=_('Domain NetBIOS name')),
-    Str('ipanttrusteddomainsid',
-        label=_('Domain Security Identifier')),
     Str('trustdirection',
         label=_('Trust direction')),
     Str('trusttype',
@@ -201,8 +197,41 @@ class trust(LDAPObject):
             label=_('Realm name'),
             primary_key=True,
         ),
+        Str('ipantflatname',
+            cli_name='flat_name',
+            label=_('Domain NetBIOS name'),
+            flags=['no_create', 'no_update']),
+        Str('ipanttrusteddomainsid',
+            cli_name='sid',
+            label=_('Domain Security Identifier'),
+            flags=['no_create', 'no_update']),
+        Str('ipantsidblacklistincoming*',
+            csv=True,
+            cli_name='sid_blacklist_incoming',
+            label=_('SID blacklist incoming'),
+            flags=['no_create']),
+        Str('ipantsidblacklistoutgoing*',
+            csv=True,
+            cli_name='sid_blacklist_outgoing',
+            label=_('SID blacklist outgoing'),
+            flags=['no_create']),
     )
 
+    def validate_sid_blacklists(self, entry_attrs):
+        if not _bindings_installed:
+            # SID validator is not available, return
+            # Even if invalid SID gets in the trust entry, it won't crash
+            # the validation process as it is translated to SID S-0-0
+            return
+        for attr in ('ipantsidblacklistincoming', 'ipantsidblacklistoutgoing'):
+            values = entry_attrs.get(attr)
+            if not values:
+                continue
+            for value in values:
+                if not ipaserver.dcerpc.is_sid_valid(value):
+                    raise errors.ValidationError(name=attr,
+                            error=_("invalid SID: %(value)s") % dict(value=value))
+
 def make_trust_dn(env, trust_type, dn):
     assert isinstance(dn, DN)
     if trust_type in trust.trust_types:
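Review bot: `validate_sid_blacklists` needs a docstring stating what it enforces and, more importantly, what it does not: it only checks that each value parses as a SID via `ipaserver.dcerpc.is_sid_valid`, and it accepts everything when `_bindings_installed` is false, so a server without the Samba bindings stores whatever string it is given. Suggested: `"""Reject ipantsidblacklistincoming/outgoing values that do not parse as SIDs. No-op when the Samba bindings are unavailable; the stored strings are then parsed by ipa-kdb."""`. The inline comment on that fallback ("translated to SID S-0-0") describes ipa-kdb behaviour that is not visible here; if ipa-kdb does not guarantee it, a logged warning on this path would at least make the degraded validation visible to the administrator. The error reports only the first invalid value per attribute, which is fine but worth a word in the docstring.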
@@ -437,9 +466,10 @@ class trust_mod(LDAPUpdate):
     available. More specific options will be added in coming releases.
     """)
 
-    msg_summary = _('Modified trust "%(value)s"')
+    msg_summary = _('Modified trust "%(value)s" '
+                    '(change will be effective in 60 seconds)')
 
-    def pre_callback(self, ldap, dn, *keys, **options):
+    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         assert isinstance(dn, DN)
         result = None
         try:
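Review bot: The new summary hard-codes `(change will be effective in 60 seconds)`, duplicating the one-minute grace period that lives in ipa-kdb (see patch 3's description); the two figures will drift independently, and the sentence is also shown for modifications the KDC never reads. Unless the value can be taken from a shared constant, soften it to `msg_summary = _('Modified trust "%(value)s" (the KDC picks up the change within about a minute)')`. The widened `pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options)` signature matches LDAPUpdate and is what exposes `entry_attrs` to the validation added in the next hunk; the method body continues outside this hunk.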
@@ -447,6 +477,8 @@ class trust_mod(LDAPUpdate):
         except errors.NotFound, e:
             self.obj.handle_not_found(*keys)
 
+        self.obj.validate_sid_blacklists(entry_attrs)
+
         # TODO: we found the trust object, now modify it
         return result['result']['dn']
 
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 54a70defc9df52db58054d29c1c9f9189a88cabb..bff435f71223a73a986d74457dd7018020720a87 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -60,6 +60,14 @@ The code in this module relies heavily on samba4-python package
 and Samba4 python bindings.
 """)
 
+def is_sid_valid(sid):
+    try:
+        security.dom_sid(sid)
+    except TypeError:
+        return False
+    else:
+        return True
+
 access_denied_error =  errors.ACIError(info=_('CIFS server denied your credentials'))
 dcerpc_error_codes = {
     -1073741823:
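Review bot: `is_sid_valid` catches only `TypeError`, so it rests on the Samba `security.dom_sid()` constructor raising exactly that for a malformed string; any other exception type escapes the trust-mod validator as an internal error instead of a ValidationError. `except (TypeError, ValueError):` costs nothing, and the function should carry its contract: `"""Return True if ``sid`` parses as a Windows SID with the Samba bindings, False otherwise (syntax only, no policy check)."""`. Being syntactic, the check says nothing about whether a SID belongs on a blacklist, which the caller's error message should not imply.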
-- 
1.8.1.2

From bf06c0f2fbff2707afb345e461bfdc0aefcc98fa Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 7 Feb 2013 14:52:35 +0100
Subject: [PATCH 5/6] ipa-kdb: read SID blacklist from LDAP

SIDs in incoming MS-PAC were checked and filtered with a fixed list of
well-known SIDs. Allow reading the SID blacklist from LDAP
(ipaNTSIDBlacklistIncoming and ipaNTSIDBlacklistOutgoing) and add the list
to mspac adtrust structure. Use the hardcoded SID list only if the LDAP
SID list is not configured.

LIMITATION: the SID blacklist is not used yet.

https://fedorahosted.org/freeipa/ticket/3289
---
 daemons/ipa-kdb/Makefile.am     |   2 +
 daemons/ipa-kdb/ipa_kdb_mspac.c | 156 ++++++++++++++++++++++++++--------------
 util/ipa_mspac.h                |  32 +++++++++
 3 files changed, 136 insertions(+), 54 deletions(-)
 create mode 100644 util/ipa_mspac.h

diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 17c090418ec5a0e2a39d948dc385d509c5d05321..5f4e6e2a6a940486a0c904f737f28c476df98773 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -1,6 +1,7 @@
 NULL =
 
 KRB5_UTIL_DIR = ../../util
+IPA_UTIL_DIR = ../../../util
 KRB5_UTIL_SRCS = $(KRB5_UTIL_DIR)/ipa_krb5.c \
 		 $(KRB5_UTIL_DIR)/ipa_pwd.c
 
@@ -8,6 +9,7 @@ INCLUDES =						\
 	-I.						\
 	-I$(srcdir)					\
 	-I$(KRB5_UTIL_DIR)				\
+	-I$(IPA_UTIL_DIR)				\
 	-DPREFIX=\""$(prefix)"\" 			\
 	-DBINDIR=\""$(bindir)"\"			\
 	-DLIBDIR=\""$(libdir)"\" 			\
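Review bot: `IPA_UTIL_DIR = ../../../util` in the first hunk appears to resolve, from daemons/ipa-kdb, to a `util` directory above the source tree, whereas `KRB5_UTIL_DIR = ../../util` on the line before it is the repository's util/ — the directory this series creates `util/ipa_mspac.h` in, per the diffstat. If so, the build succeeds only because `-I$(KRB5_UTIL_DIR)` in this hunk already covers that directory. Either correct the path to `IPA_UTIL_DIR = ../../util`, or reuse KRB5_UTIL_DIR and drop both the new variable and the `-I$(IPA_UTIL_DIR)` line.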
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 4417696001eb97caf4a7477069270f9a6150ead2..0780e81cb5507ed590cc9b0646ba5919c0084523 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -21,6 +21,7 @@
  */
 
 #include "ipa_kdb.h"
+#include "ipa_mspac.h"
 #include <talloc.h>
 #include <syslog.h>
 #include "util/time.h"
@@ -31,13 +32,16 @@ struct ipadb_adtrusts {
     char *flat_name;
     char *domain_sid;
     struct dom_sid domsid;
+    struct dom_sid *sid_blacklist_incoming;
+    int len_sid_blacklist_incoming;
+    struct dom_sid *sid_blacklist_outgoing;
+    int len_sid_blacklist_outgoing;
 };
 
 struct ipadb_mspac {
     char *flat_domain_name;
     char *flat_server_name;
     struct dom_sid domsid;
-    struct dom_sid *well_known_sids;
 
     char *fallback_group;
     uint32_t fallback_rid;
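Review bot: The new `struct ipadb_adtrusts` members say nothing about ownership or units: `sid_blacklist_incoming`/`sid_blacklist_outgoing` are heap arrays of `struct dom_sid` released in ipadb_mspac_struct_free (a later hunk), and `len_*` count entries, not bytes. Record that on the fields, e.g. `struct dom_sid *sid_blacklist_incoming; /* malloc'd array of len_sid_blacklist_incoming entries; freed in ipadb_mspac_struct_free() */`, and mirror it for the outgoing pair. The lengths are `int` while they bound a loop index in filter_logon_info; `size_t` (or at least `unsigned`) would avoid the signed/unsigned comparison the compiler would otherwise warn about.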
@@ -88,36 +92,6 @@ static char *memberof_pac_attrs[] = {
     NULL
 };
 
-static char *mspac_well_known_sids[] = {
-    "S-1-0",
-    "S-1-1",
-    "S-1-2",
-    "S-1-3",
-    "S-1-5-1",
-    "S-1-5-2",
-    "S-1-5-3",
-    "S-1-5-4",
-    "S-1-5-5",
-    "S-1-5-6",
-    "S-1-5-7",
-    "S-1-5-8",
-    "S-1-5-9",
-    "S-1-5-10",
-    "S-1-5-11",
-    "S-1-5-12",
-    "S-1-5-13",
-    "S-1-5-14",
-    "S-1-5-15",
-    "S-1-5-16",
-    "S-1-5-17",
-    "S-1-5-18",
-    "S-1-5-19",
-    "S-1-5-20",
-};
-
-#define LEN_WELL_KNOWN_SIDS (sizeof(mspac_well_known_sids)/sizeof(char*))
-
-
 #define SID_ID_AUTHS 6
 #define SID_SUB_AUTHS 15
 #define MAX(a,b) (((a)>(b))?(a):(b))
@@ -1268,8 +1242,8 @@ static krb5_error_code filter_logon_info(krb5_context context,
             if (result) {
                 filter_logon_info_log_message(info->info->info3.sids[i].sid);
             } else {
-                for(k = 0; k < LEN_WELL_KNOWN_SIDS; k++) {
-                    result = dom_sid_is_prefix(&ipactx->mspac->well_known_sids[k], info->info->info3.sids[i].sid);
+                for(k = 0; k < domain->len_sid_blacklist_incoming; k++) {
+                    result = dom_sid_is_prefix(&domain->sid_blacklist_incoming[k], info->info->info3.sids[i].sid);
                     if (result) {
                         filter_logon_info_log_message(info->info->info3.sids[i].sid);
                         break;
@@ -1712,6 +1686,7 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
     if (!*mspac) return;
 
     free((*mspac)->flat_domain_name);
+    free((*mspac)->flat_server_name);
     free((*mspac)->fallback_group);
 
     if ((*mspac)->num_trusts) {
@@ -1719,31 +1694,65 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
             free((*mspac)->trusts[i].domain_name);
             free((*mspac)->trusts[i].flat_name);
             free((*mspac)->trusts[i].domain_sid);
+            free((*mspac)->trusts[i].sid_blacklist_incoming);
+            free((*mspac)->trusts[i].sid_blacklist_outgoing);
         }
     }
 
-    if ((*mspac)->well_known_sids) {
-        free((*mspac)->well_known_sids);
-    }
-
     *mspac = NULL;
 }
 
-#define LEN_WELL_KNOWN_SIDS (sizeof(mspac_well_known_sids)/sizeof(char*))
-krb5_error_code ipadb_mspac_fill_well_known_sids(struct ipadb_mspac *mspac)
+krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
+                                                  struct dom_sid **result_sids,
+                                                  int *result_length)
 {
-    int i;
+    int len, i;
+    char **source;
+    struct dom_sid *sid_blacklist;
 
-    mspac->well_known_sids = calloc(LEN_WELL_KNOWN_SIDS, sizeof(struct dom_sid));
+    if (source_sid_blacklist) {
+        source = source_sid_blacklist;
+    } else {
+        /* Use default hardcoded list */
+        source = ipa_mspac_well_known_sids;
+    }
+    len = 0;
+    for (i = 0; source && source[i]; i++) {
+        len++;
+    }
 
-    if (mspac->well_known_sids == NULL) {
+    sid_blacklist = calloc(len, sizeof(struct dom_sid));
+    if (sid_blacklist == NULL) {
         return ENOMEM;
     }
 
-    for (i = 0; i < LEN_WELL_KNOWN_SIDS; i++) {
-         if (mspac_well_known_sids[i] != NULL) {
-             (void) string_to_sid(mspac_well_known_sids[i], &(mspac->well_known_sids[i]));
-         }
+    for (i = 0; i < len; i++) {
+         (void) string_to_sid(source[i], &sid_blacklist[i]);
+    }
+
+    *result_sids = sid_blacklist;
+    *result_length = len;
+    return 0;
+}
+
+krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
+                                                   char **sid_blacklist_incoming,
+                                                   char **sid_blacklist_outgoing)
+{
+    krb5_error_code kerr;
+
+    kerr = ipadb_adtrusts_fill_sid_blacklist(sid_blacklist_incoming,
+                                             &adtrust->sid_blacklist_incoming,
+                                             &adtrust->len_sid_blacklist_incoming);
+    if (kerr) {
+        return kerr;
+    }
+
+    kerr = ipadb_adtrusts_fill_sid_blacklist(sid_blacklist_outgoing,
+                                             &adtrust->sid_blacklist_outgoing,
+                                             &adtrust->len_sid_blacklist_outgoing);
+    if (kerr) {
+        return kerr;
     }
 
     return 0;
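Review bot: ipadb_adtrusts_fill_sid_blacklist discards the result of string_to_sid() at `(void) string_to_sid(source[i], &sid_blacklist[i]);`, so a malformed value in the now admin-editable ipaNTSIDBlacklistIncoming attribute leaves that slot as whatever string_to_sid leaves in the zeroed entry and the intended SID silently stops being filtered from incoming PACs. Because this list is a security filter, a parse failure should be reported and rejected rather than swallowed: check the return value (its convention is defined elsewhere in this file, so confirm whether failure is non-zero or false), free the partial array and return EINVAL, and log the offending string with krb5_klog_syslog as the rest of this file does. Separately, `calloc(len, ...)` with len == 0 may legitimately return NULL on some libcs and would then be misreported as ENOMEM; both `source` branches are expected to be non-empty, but an explicit early-out that stores NULL and 0 makes that assumption visible.
```c
    if (len == 0) {
        *result_sids = NULL;
        *result_length = 0;
        return 0;
    }
    /* … unchanged: calloc and ENOMEM check … */
    for (i = 0; i < len; i++) {
        /* a rejected entry must fail loudly: a silently dropped SID weakens the PAC filter */
        if (string_to_sid(source[i], &sid_blacklist[i]) != 0) {
            krb5_klog_syslog(LOG_ERR, "Invalid SID '%s' in SID blacklist", source[i]);
            free(sid_blacklist);
            return EINVAL;
        }
    }
```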
@@ -1778,13 +1787,16 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
     struct ipadb_adtrusts *t;
     LDAP *lc = ipactx->lcontext;
     char *attrs[] = { "ipaNTTrustPartner", "ipaNTFlatName",
-                      "ipaNTTrustedDomainSID", NULL };
+                      "ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
+                      "ipaNTSIDBlacklistOutgoing", NULL };
     char *filter = "(objectclass=ipaNTTrustedDomain)";
     krb5_error_code kerr;
     LDAPMessage *res = NULL;
     LDAPMessage *le;
     char *base = NULL;
-    int ret, n;
+    char **sid_blacklist_incoming = NULL;
+    char **sid_blacklist_outgoing = NULL;
+    int ret, n, i;
 
     ret = asprintf(&base, "cn=ad,cn=trusts,%s", ipactx->base);
     if (ret == -1) {
@@ -1840,6 +1852,39 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
             ret = EINVAL;
             goto done;
         }
+
+        ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTSIDBlacklistIncoming",
+                                         &sid_blacklist_incoming);
+
+        if (ret) {
+            if (ret == ENOENT) {
+                /* This attribute is optional */
+                ret = 0;
+            } else {
+                ret = EINVAL;
+                goto done;
+            }
+        }
+
+        ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTSIDBlacklistOutgoing",
+                                         &sid_blacklist_outgoing);
+
+        if (ret) {
+            if (ret == ENOENT) {
+                /* This attribute is optional */
+                ret = 0;
+            } else {
+                ret = EINVAL;
+                goto done;
+            }
+        }
+
+        ret = ipadb_adtrusts_fill_sid_blacklists(&t[n],
+                                                 sid_blacklist_incoming,
+                                                 sid_blacklist_outgoing);
+        if (ret) {
+            goto done;
+        }
     }
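Review bot: sid_blacklist_incoming and sid_blacklist_outgoing are function-scoped but filled once per trusted-domain entry inside this loop and only freed once at `done:`, so with two or more trusts the lists from earlier iterations leak. Worse, if ipadb_ldap_attr_to_strlist leaves the output pointer untouched when it returns ENOENT (I cannot see its implementation here, so please verify), a trust whose entry lacks the attribute would inherit the previous trust's list instead of the hardcoded default, which is a silent cross-domain misconfiguration of a security filter. Freeing and resetting both lists at the end of every iteration fixes both problems and lets the cleanup at `done:` stay as the catch-all for the goto paths; the loop body and the function's start and end lie outside this hunk.
```c
/* Free a NULL-terminated string list from ipadb_ldap_attr_to_strlist and reset it. */
static void free_sid_strlist(char ***list)
{
    int i;

    for (i = 0; *list && (*list)[i]; i++) {
        free((*list)[i]);
    }
    free(*list);
    *list = NULL;
}

        /* … unchanged: attribute lookups for this trust entry … */
        ret = ipadb_adtrusts_fill_sid_blacklists(&t[n],
                                                 sid_blacklist_incoming,
                                                 sid_blacklist_outgoing);
        /* per-entry lists must not survive into the next trust's iteration */
        free_sid_strlist(&sid_blacklist_incoming);
        free_sid_strlist(&sid_blacklist_outgoing);
        if (ret) {
            goto done;
        }
```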
 
     ret = 0;
@@ -1849,6 +1894,15 @@ done:
         krb5_klog_syslog(LOG_ERR, "Failed to read list of trusted domains");
     }
     free(base);
+    for (i = 0; sid_blacklist_incoming && sid_blacklist_incoming[i]; i++) {
+        free(sid_blacklist_incoming[i]);
+    }
+    free(sid_blacklist_incoming);
+    for (i = 0; sid_blacklist_outgoing && sid_blacklist_outgoing[i]; i++) {
+        free(sid_blacklist_outgoing[i]);
+    }
+    free(sid_blacklist_outgoing);
+    ldap_msgfree(res);
     return ret;
 }
 
@@ -2000,12 +2054,6 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
 
     kerr = ipadb_mspac_get_trusted_domains(ipactx);
 
-    if (kerr) {
-        goto done;
-    }
-
-    kerr = ipadb_mspac_fill_well_known_sids(ipactx->mspac);
-
 done:
     ldap_msgfree(result);
     return kerr;
diff --git a/util/ipa_mspac.h b/util/ipa_mspac.h
new file mode 100644
index 0000000000000000000000000000000000000000..152317b182bec655b01132809ee5ecd8a1cf2e31
--- /dev/null
+++ b/util/ipa_mspac.h
@@ -0,0 +1,32 @@
+#ifndef __IPA_MSPAC_H_
+#define __IPA_MSPAC_H_
+
+char *ipa_mspac_well_known_sids[] = {
+    "S-1-0",
+    "S-1-1",
+    "S-1-2",
+    "S-1-3",
+    "S-1-5-1",
+    "S-1-5-2",
+    "S-1-5-3",
+    "S-1-5-4",
+    "S-1-5-5",
+    "S-1-5-6",
+    "S-1-5-7",
+    "S-1-5-8",
+    "S-1-5-9",
+    "S-1-5-10",
+    "S-1-5-11",
+    "S-1-5-12",
+    "S-1-5-13",
+    "S-1-5-14",
+    "S-1-5-15",
+    "S-1-5-16",
+    "S-1-5-17",
+    "S-1-5-18",
+    "S-1-5-19",
+    "S-1-5-20",
+    NULL
+};
+
+#endif /* __IPA_MSPAC_H_ */
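Review bot: `char *ipa_mspac_well_known_sids[] = { … };` is a definition with external linkage placed in a header, and the series includes it from both ipa_kdb_mspac.c and ipa_sam.c; any two translation units in the same link that include it will fail with a duplicate symbol, and it is also writable, so the default PAC filter table could be modified at run time by stray code. Make it `static const char *const ipa_mspac_well_known_sids[]` (adjusting the `source` pointer in ipadb_adtrusts_fill_sid_blacklist to `const char *const *`), or move the definition into a util/ipa_mspac.c with only an `extern` declaration here. The guard name `__IPA_MSPAC_H_` is in the identifier space reserved for the implementation; `IPA_MSPAC_H_` avoids that.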
-- 
1.8.1.2

From 231c831b404ffcdac5cb5d435afcbd96d846e513 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Fri, 8 Feb 2013 10:13:35 +0100
Subject: [PATCH 6/6] ipa-sam: Fill SID blacklist when trust is added

Fill the incoming and outgoing SID blacklist attributes of the trust LDAP
entry with the default well-known-SID list when the trust is stored.

https://fedorahosted.org/freeipa/ticket/3289
---
 daemons/ipa-sam/ipa_sam.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 3c4c97cd19a9937756013eab69b047d0df80ecad..adf482221ef504d651f80d5322fe710a4b4232cb 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -32,6 +32,7 @@
 #include <sss_idmap.h>
 #include "ipa_krb5.h"
 #include "ipa_pwd.h"
+#include "ipa_mspac.h"
 
 /* from drsblobs.h */
 struct AuthInfoNone {
@@ -121,6 +122,8 @@ bool secrets_store(const char *key, const void *data, size_t size); /* available
 #define LDAP_ATTRIBUTE_HOME_PATH "ipaNTHomeDirectory"
 #define LDAP_ATTRIBUTE_LOGON_SCRIPT "ipaNTLogonScript"
 #define LDAP_ATTRIBUTE_PROFILE_PATH "ipaNTProfilePath"
+#define LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING "ipaNTSIDBlacklistIncoming"
+#define LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING "ipaNTSIDBlacklistOutgoing"
 #define LDAP_ATTRIBUTE_NTHASH "ipaNTHash"
 #define LDAP_ATTRIBUTE_UIDNUMBER "uidnumber"
 #define LDAP_ATTRIBUTE_GIDNUMBER "gidnumber"
@@ -2165,7 +2168,7 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 	LDAPMod **mods;
 	bool res;
 	char *trusted_dn = NULL;
-	int ret;
+	int ret, i;
 	NTSTATUS status;
 	TALLOC_CTX *tmp_ctx;
 	char *trustpw;
@@ -2290,6 +2293,15 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 				      &td->trust_forest_trust_info);
 	}
 
+	for (i = 0; ipa_mspac_well_known_sids && ipa_mspac_well_known_sids[i]; i++) {
+		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+				      LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING,
+				      ipa_mspac_well_known_sids[i]);
+		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+				      LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING,
+				      ipa_mspac_well_known_sids[i]);
+	}
+
 	smbldap_talloc_autofree_ldapmod(tmp_ctx, mods);
 
 	trusted_dn = trusted_domain_dn(tmp_ctx, ldap_state, domain);
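Review bot: The new loop writes the default list into ipaNTSIDBlacklistIncoming and ipaNTSIDBlacklistOutgoing unconditionally, so if an administrator has extended the list with `ipa trust-mod` (as in the S-1-18-1 example for this RFE) and the trust is later re-established, the customization is silently reverted, depending on how smbldap_make_mod merges values into an entry that already carries the attribute — please confirm that behaviour. The defaults should only be seeded when the entry does not yet have the attribute; if `entry` is NULL for a newly created trust, wrapping the loop in `if (entry == NULL) { … }` is enough, otherwise check for the attribute's presence first. A short comment such as `/* seed the default blacklist once; admin edits via trust-mod must survive re-establishing the trust */` would make that contract explicit. ipasam_set_trusted_domain begins and ends outside this hunk.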
-- 
1.8.1.2
