On Wed, 10 Jul 2013, Simo Sorce wrote:
On Tue, 2013-07-09 at 22:39 +0200, Jakub Hrozek wrote:
On Tue, Jul 09, 2013 at 02:12:33PM +0300, Alexander Bokovoy wrote:
> On Tue, 09 Jul 2013, Jakub Hrozek wrote:
> >On Wed, Jul 03, 2013 at 02:53:55PM +0200, Sumit Bose wrote:
> >>On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote:
> >>> On Mon, 01 Jul 2013, Sumit Bose wrote:
> >>> >Hi,
> >>> >
> >>> >this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only
> >>> >to allow SSSD running on a FreeIPA server to access the AD LDAP server.
> >>> >In the ticket a more generic solution is described but since there is no
> >>> >other use case so far I think this patch is sufficient for the time
> >>> >being.
> >>> >
> >>> >bye,
> >>> >Sumit
> >>>
> >>> >From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
> >>> >From: Sumit Bose <sb...@redhat.com>
> >>> >Date: Mon, 1 Jul 2013 13:47:22 +0200
> >>> >Subject: [PATCH] Add PAC to master host TGTs
> >>> >
> >>> >For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is
> >>> >needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
> >>> >of a trusted domain with the credentials of a FreeIPA server host a
> >>> >PAC must be added to the TGT for the host.
> >>> s/SALS/SASL/
> >>
> >>Thank you for the review, I've fixed the typo and added the numerical
> >>values for the well-known RIDs to the commit message.
> >>
> >>>
> >>>
> >>> >To determine if a host is a FreeIPA server or not it is checked if there
> >>> >is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
> >>> >this requires an additional LDAP lookup. But since TGS-REQs for hosts
> >>> >should be rare I think it is acceptable for the time being.
> >>> I think it is better to change this lookup to
> >>> "cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX", it would
> >>> explicitly limit us to the IPA masters running AD trusts.
> >>
> >>I'm not sure if this restriction is needed. With SSSD's ipa_server_mode
> >>any IPA master (which networkwise can access an AD server of the trusted
> >>domain) can read AD user and group data, no running smbd or winbind is
> >>required. So it would be possible to run the extdom plugin or the compat
> >>plugin for the legacy clients on any IPA server which would allow a much
> >>better load balancing.
> >>
> >>If there are other concerns I'm happy to add the restriction.
> >>
> >>bye,
> >>Sumit
> >
> >I don't think I know the code well enough to provide a full review, but
> >the patch enables the lookups from an IPA master without any additional
> >hacks. So ack on functionality at least.
> Ok.
>
> I've extended this functionality to generate MS-PAC also for services
> running on IPA masters. Patch attached.
>
> This is needed to finally get rid of access to trust auth material for
> IPA python code. HTTP/fqdn@REALM will now be able to authenticate
> against AD LDAP server and look up needed information directly, without
> elevating privileges to trust admins.
>
> This should also help for AD range discovery Tomas is working on.
>

Hi,

The patch looks good to me so I'm giving my +1. I would appreciate other
review too before a full ack, though.

I've nacked the approach, although the results are as expected.
Alexander will send a simplified patch that avoids the extra search and
use of managedby which is not ok.
New patch attached.

--
/ Alexander Bokovoy
From e150e2abd67538db1b53d5b5dd096bd15e2ffe58 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Tue, 9 Jul 2013 14:05:02 +0300
Subject: [PATCH 15/15] Generate synthetic MS-PAC for all services running on
 IPA master

MS-PAC is required to be present in TGT if one wants to connect to
AD services using this TGT. Users get MS-PAC by default, SSSD in
ipa_server_mode uses host/fqdn@REALM principal to talk to AD LDAP.

This patch enables other services running on IPA master to connect
to AD services. This is required for IPA python code doing discovery
of remote AD domain settings shortly after IPA-AD trust has been
established.
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 56 +++++++++++++++++++++++++++++++++++------
 1 file changed, 49 insertions(+), 7 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 92dc8dd..4944bb8 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -392,13 +392,14 @@ static krb5_error_code ipadb_fill_info3(struct 
ipadb_context *ipactx,
     struct dom_sid sid;
     gid_t prigid = -1;
     time_t timeres;
-    char *strres;
+    char *strres, *strhost, *strat;
     int intres;
     int ret;
     char **objectclasses = NULL;
     size_t c;
     bool is_host = false;
     bool is_user = false;
+    bool is_service = false;
 
     ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
                                      &objectclasses);
@@ -407,6 +408,9 @@ static krb5_error_code ipadb_fill_info3(struct 
ipadb_context *ipactx,
             if (strcasecmp(objectclasses[c], "ipaHost") == 0) {
                 is_host = true;
             }
+            if (strcasecmp(objectclasses[c], "ipaService") == 0) {
+                is_service = true;
+            }
             if (strcasecmp(objectclasses[c], "ipaNTUserAttrs") == 0) {
                 is_user = true;
             }
@@ -415,8 +419,8 @@ static krb5_error_code ipadb_fill_info3(struct 
ipadb_context *ipactx,
     }
     free(objectclasses);
 
-    if (!is_host && !is_user) {
-        /* We only handle users and hosts */
+    if (!is_host && !is_user && !is_service) {
+        /* We only handle users and hosts, and services */
         return ENOENT;
     }
 
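Review bot: the replacement comment `/* We only handle users and hosts, and services */` reads awkwardly with the doubled "and"; suggest `/* We only handle users, hosts and services */` so it matches the three-way check in the `if` directly above it.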
@@ -433,6 +437,44 @@ static krb5_error_code ipadb_fill_info3(struct 
ipadb_context *ipactx,
             free(strres);
             return ENOENT;
         }
+    } else if (is_service) {
+        ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbPrincipalName", 
&strres);
+        if (ret) {
+            /* krbPrincipalName is mandatory for services */
+            return ret;
+        }
+
+        /* krbPrincipalName is foo/fqdn@REALM, we need fqdn only */
+        strhost = strchr(strres, '/');
+        if (strhost == NULL) {
+            free(strres);
+            return ENOENT;
+        }
+
+        strhost++;
+        strat = strchr(strhost, '@');
+        if (strat != NULL) {
+            strat[0] = '\0';
+        }
+
+        /* Only add PAC to TGT to services on IPA masters to allow querying
+         * AD LDAP server */
+        if (!is_master_host(ipactx, strhost)) {
+            free(strres);
+            return ENOENT;
+        }
+
+        if (strat != NULL) {
+                strat[0] = '@';
+        }
+
+        strhost = strdup(strhost);
+        free(strres);
+
+        if (strhost == NULL) {
+            return ENOENT;
+        }
+        strres = strhost;
     } else {
         ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres);
         if (ret) {
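Review bot: restoring the separator with `strat[0] = '@';` before `strhost = strdup(strhost);` means the string left in `strres` is `fqdn@REALM`, while the comment a few lines earlier says `we need fqdn only` and `is_master_host()` is deliberately called on the bare fqdn; since `strres` becomes the account name in the following hunk, either drop the restore so the service's account name is the plain host name, or add a comment explaining why the realm suffix is wanted there. Two smaller points in the same block: a `strdup` failure is reported as `ENOENT`, where `ENOMEM` would describe it, and the line `strat[0] = '@';` is indented 16 spaces instead of the surrounding 12.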
@@ -444,7 +486,7 @@ static krb5_error_code ipadb_fill_info3(struct 
ipadb_context *ipactx,
     info3->base.account_name.string = talloc_strdup(memctx, strres);
     free(strres);
 
-    if (is_host) {
+    if (is_host || is_service) {
         prigid = 515; /* Well known RID for domain computers group */
     } else {
         ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
@@ -567,7 +609,7 @@ static krb5_error_code ipadb_fill_info3(struct 
ipadb_context *ipactx,
     info3->base.logon_count = 0; /* we do not have this info yet */
     info3->base.bad_password_count = 0; /* we do not have this info yet */
 
-    if (is_host) {
+    if (is_host || is_service) {
         /* Well know RID of domain controllers group */
         info3->base.rid = 516;
     } else {
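Review bot: with `if (is_host || is_service)` here, every service principal hosted on a master now gets `info3->base.rid = 516`, the domain controllers group RID, rather than only the host principal; since this is the identity an AD server will see in the PAC, the commit message should state explicitly that all master-hosted services are meant to present as domain controllers, or the condition should be narrowed to the service principals that actually need to talk to AD.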
@@ -658,7 +700,7 @@ static krb5_error_code ipadb_fill_info3(struct 
ipadb_context *ipactx,
     }
 
     if (info3->base.primary_gid == 0) {
-        if (is_host) {
+        if (is_host || is_service) {
             info3->base.primary_gid = 515;  /* Well known RID for domain 
computers group */
         } else {
             if (ipactx->mspac->fallback_rid) {
@@ -698,7 +740,7 @@ static krb5_error_code ipadb_fill_info3(struct 
ipadb_context *ipactx,
         return ENOENT;
     }
 
-    if (is_host) {
+    if (is_host || is_service) {
         info3->base.domain_sid = talloc_memdup(memctx, &ipactx->mspac->domsid,
                                                sizeof(ipactx->mspac->domsid));
     } else {
-- 
1.8.3.1

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
