Re: [Freeipa-devel] [PATCHES][RFC] Implement special operation to recover NT hash for a user
On Wed, 11 Jul 2012, Simo Sorce wrote: On Wed, 2012-07-11 at 16:40 +0300, Alexander Bokovoy wrote: On Wed, 11 Jul 2012, Simo Sorce wrote: On Wed, 2012-07-11 at 15:41 +0300, Alexander Bokovoy wrote: If users don't have RC4-HMAC key and don't have ipaNTHash set, they can't log in to smbd anyway until they change their password. Yes the point is that you may have users you do not want to give a password to. No need to keep retrying to generate a hash. My idea was that when the ipa trust-add operation is run we execute a magicregen op for the user that run it. Then we can run a process that adds ipaNThash via magicregen for all users we want it to. So we get to the same issue of a task run against potentially unbound number of users, including replication interaction. Instead, a scheme with ipasam-based generator would mean we: 1. Fetch the user attributes from LDAP 2. Notice ipaNTHash is missing and not disabled 3. Issue ipaNTHash update request if (2) is true. Maybe we can turn off ipaNTHash from your pre-mod code if there is no RC4-HMAC key and ipaNTHash wasn't set? Password change op will get that overridden, of course. Then we can rely on it in (2) above. Not sure what you mean by 'turn off ipaNTHash from your pre-mod code'. Set ipaNTHash value to '0', for example. I.e. not 16 bytes and not missing. If we decide to use it in ipasam, extended operation will be the simplest thing -- contrary to other approaches which would require two LDAP requests. It also allows to return the key in the same go. True, but it is still required only once per user, in normal course of action you should always get the ipaNTHash back. Even in the race condition case the worst that can happen is that you fail auth once. Given it is not that critical as it can happen only once per user I am not sure it is worth optimizing for this case and create a whole new extended operation for it.
As per discussion with Simo on IRC, NACK for current approach with LDAP_MOD_REPLACE, NACK for extended operation as well. Please replace LDAP_MOD_REPLACE with LDAP_MOD_ADD detection. smbldap code in smbd uses LDAP_MOD_DELETE/LDAP_MOD_ADD combination as replacement of LDAP_MOD_REPLACE to avoid some nasty bugs with Novell Directory so we have to live with this approach. Attached patch that changes REPLACE - ADD It still doesn't give you much, there are 2 cases: 1) For users that are supposed to have the ipaNTHash, you will go through this operation *once* in the lifetime of a pre-existing user (new users get ipaNTHash immediately). 2) For users that will never get the ipaNTHash will simply never have it, you only keep repeating this operation and then fail authentication as you won't get back a valid hash, I do not think optimizing this failure case is worth a full extop. My point was to get pre-mod code to set ipaNTHash to invalid (non-16 byte) value to signify that they are 'disabled' for NTLM operations. This way I can get ipaNTHash on user fetch but can locally detect that the user is without password and therefore avoid the whole process. Do you still want to do this ? We could store the value 'DISABLED' instead of the hash, but then I'd have to change the password plugin to respect it. If you want that I think we need to open a new bug and treat it as a separate feature. Yes, I think it could be good optimization. I've made the following ticket: https://fedorahosted.org/freeipa/ticket/2921 -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES][RFC] Implement special operation to recover NT hash for a user
On Wed, 11 Jul 2012, Simo Sorce wrote: From 84ef09a1193ff42fc301fb71354055c5039f51a5 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Fri, 6 Jul 2012 16:18:29 -0400 Subject: [PATCH] Add special modify op to regen ipaNTHash The NT Hash is the same thing as the RC4-HMAC key, so we add a function to extract it from krb5 keys if they are available to avoid forcing a password change when configuring trust relationships. --- .../ipa-pwd-extop/ipapwd_prepost.c | 147 +++- 1 file changed, 144 insertions(+), 3 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c index deae642f82edcc4674a1c9580661c3dae94b..24fa52eb9ac92004576ccdba4f576162c358770d 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c @@ -41,7 +41,12 @@ # include config.h #endif -#define _XOPEN_SOURCE /* strptime needs this */ +/* strptime needs _XOPEN_SOURCE and endian.h needs __USE_BSD + * _GNU_SOURCE imply both, and we use it elsewhere, so use this */ +#ifndef _GNU_SOURCE +#define _GNU_SOURCE 1 +#endif + #include stdio.h #include string.h #include strings.h @@ -53,6 +58,7 @@ #include dirsrv/slapi-plugin.h #include lber.h #include time.h +#include endian.h #include ipapwd.h #include util.h @@ -379,6 +385,12 @@ done: return 0; } +#define NTHASH_REGEN_VAL MagicRegen +#define NTHASH_REGEN_LEN sizeof(NTHASH_REGEN_VAL) +static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods, + char *dn, struct slapi_entry *entry, + struct ipapwd_krbcfg *krbcfg); + /* PRE MOD Operation: * Gets the clean text password (fail the operation if the password came * pre-hashed, unless this is a replicated operation). @@ -407,6 +419,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) int has_krb_keys = 0; int has_history = 0; int gen_krb_keys = 0; +int is_magic_regen = 0; int ret, rc; LOG_TRACE( =\n); 
@@ -447,6 +460,27 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) default: break; } +} else if (slapi_attr_types_equivalent(lmod-mod_type, ipaNTHash)) { +/* check op filtering out LDAP_MOD_BVALUES */ +switch (lmod-mod_op 0x0f) { +case LDAP_MOD_REPLACE: This is still LDAP_MOD_REPLACE, not LDAP_MOD_ADD. +if (!lmod-mod_bvalues || +!lmod-mod_bvalues[0]) { +rc = LDAP_OPERATIONS_ERROR; +goto done; +} +bv = lmod-mod_bvalues[0]; +if ((bv-bv_len = NTHASH_REGEN_LEN -1) +(bv-bv_len = NTHASH_REGEN_LEN) +(strncmp(NTHASH_REGEN_VAL, + bv-bv_val, bv-bv_len) == 0)) { +is_magic_regen = 1; +/* make sure the database will later ignore this mod */ +slapi_mods_remove(smods); +} +default: +break; +} } else if (slapi_attr_types_equivalent(lmod-mod_type, unhashed#user#password)) { /* we check for unahsehd password here so that we are sure to @@ -472,8 +506,9 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) lmod = slapi_mods_get_next_mod(smods); } -/* If userPassword is not modified we are done here */ -if (! is_pwd_op) { +/* If userPassword is not modified check if this is a request to generate + * NT hashes otherwise we are done here */ +if (!is_pwd_op !is_magic_regen) { rc = LDAP_SUCCESS; goto done; } @@ -522,6 +557,22 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) goto done; } +if (!is_pwd_op) { +/* This may be a magic op to ask us to generate the NT hashes */ +if (is_magic_regen) { +/* Make sense to call only if this entry has krb keys to source + * the nthash from */ +if (is_krb) { +rc = ipapwd_regen_nthash(pb, smods, dn, e, krbcfg); +} else { +rc = LDAP_UNWILLING_TO_PERFORM; +} +} else { +rc = LDAP_OPERATIONS_ERROR; +} +goto done; +} + /* run through the mods again and adjust flags if operations affect them */ lmod = slapi_mods_get_first_mod(smods); while (lmod) { 
@@ -831,6 +882,96 @@ done: return 0; } +static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods, + char *dn, struct slapi_entry *entry, + struct ipapwd_krbcfg *krbcfg) +{ +Slapi_Attr *attr; +Slapi_Value *value; +const struct berval *val; +struct berval *ntvals[2] = { NULL, NULL }; +struct berval bval; +krb5_key_data *keys; +int
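Review bot: in the first hunk (@@ -41,7 +41,12 @@) the `#ifndef _GNU_SOURCE` / `#define _GNU_SOURCE 1` block is placed after `#include config.h`; feature-test macros only take effect if they are defined before the first libc header is pulled in, so if config.h (or anything it includes) ever drags in a system header, `endian.h` and `strptime` silently lose the definitions this hunk is meant to provide. Move the block above the config.h include, or define _GNU_SOURCE from the build flags.

Review bot: in the ipaNTHash branch of ipapwd_pre_mod (@@ -447,6 +460,27 @@) the `case LDAP_MOD_REPLACE:` arm falls straight through into `default:` with no `break;`; it is harmless today because `default:` only breaks, but an explicit `break;` (or a fall-through comment) keeps a later case added between them from running for the magic value. The two accepted lengths (NTHASH_REGEN_LEN - 1 and NTHASH_REGEN_LEN, i.e. with and without the terminating NUL) also deserve a one-line comment, since a reader has to work out why both are allowed before the bounded `strncmp`.

Review bot: in the `if (!is_pwd_op)` block (@@ -522,6 +557,22 @@) the `else { rc = LDAP_OPERATIONS_ERROR; }` arm is unreachable: the earlier check that jumps to `done` when neither is_pwd_op nor is_magic_regen is set already guarantees is_magic_regen whenever !is_pwd_op reaches this point. Drop the dead arm or turn it into an assertion, and log at the plugin's usual level when a regen request is refused with LDAP_UNWILLING_TO_PERFORM because the entry has no Kerberos keys; an administrator running this against many users will otherwise only see a generic error.

Review bot: the body of ipapwd_regen_nthash (@@ -831,6 +882,96 @@) is cut off in this copy, so only its declaration can be reviewed. Since it receives `smods`, the derived ipaNTHash should be added to those same mods rather than written to the entry directly, so that the requester's write access to ipaNTHash is still enforced by the backend; and because the commit message says the value is extracted from the krb5 keys "if they are available", the case where no RC4-HMAC key exists among the keys needs to return an error rather than store a short or empty value.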
[Freeipa-devel] [PATCH] Adding exit status 3 4 to ipa-client-install man page
ACK for shank's patch for ipa-client-install man page (attached). Pushed to master. Martin From a9eac9048ab5e4ceeb1a5f0626281888b14675b1 Mon Sep 17 00:00:00 2001 From: Gowrishankar Rajaiyan g...@redhat.com Date: Thu, 12 Jul 2012 15:09:08 +0530 Subject: [PATCH] Adding exit status 3 4 to ipa-client-install man page --- ipa-client/man/ipa-client-install.1 |4 1 file changed, 4 insertions(+) diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 2ee5a1a04d45ef2e85db708c2ae0786cca363991..c3ec6de5270ea9be6fd707b758deb89371915fe6 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -161,3 +161,7 @@ Files updated, existing content is maintained: 1 if an error occurred 2 if uninstalling and the client is not configured + +3 if installing and the client is already configured + +4 if an uninstall error occurred -- 1.7.10.4
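Review bot: the new exit status 4 "if an uninstall error occurred" overlaps with the existing 1 "if an error occurred"; from the man page alone a reader cannot tell which failures during uninstall map to 1 and which to 4. Qualify the description of 1 (for example, "if an error occurred during installation") or spell out what 4 covers, so scripts that branch on the exit code have something definite to rely on.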
Re: [Freeipa-devel] [PATCH 0020] Separate LDAP result from LDAP connection, fix deadlock.
On 05/15/2012 02:32 PM, Adam Tkac wrote: On Mon, May 14, 2012 at 04:44:42PM +0200, Petr Spacek wrote: On 05/11/2012 12:26 PM, Adam Tkac wrote: On Mon, May 07, 2012 at 02:49:07PM +0200, Petr Spacek wrote: Hello, this patch fixes https://fedorahosted.org/bind-dyndb-ldap/ticket/66: Plugin deadlocks during new zone load when connections == 1. It fixes a structural problem where the LDAP query result was tied up with the LDAP connection. It wasn't possible to release connection and work with query result after that. Described deadlock is consequence of this problematic design. Now LDAP connection is separated from LDAP result. Next planned patch will avoid manual connection management, so possibility of deadlock should be next to zero. Petr^2 Spacek Hello Peter, good work, please check my comments below. Regards, Adam From 8ee1fd607531ef71369e99c9228456baea45b65d Mon Sep 17 00:00:00 2001 From: Petr Spacekpspa...@redhat.com Date: Mon, 7 May 2012 12:51:09 +0200 Subject: [PATCH] Separate LDAP result from LDAP connection, fix deadlock. https://fedorahosted.org/bind-dyndb-ldap/ticket/66 Signed-off-by: Petr Spacekpspa...@redhat.com Hello Adam, thanks for ideas/improvements! Reworked patch is attached. I did all proposed changes except this one: @ ldap_psearch_watcher: restart: (... snip ...) soft_err: - - ldap_msgfree(conn-result); - ldap_entrylist_destroy(conn-mctx, - conn-ldap_entries); + ; Empty label soft_err: is useless, please remove it and use continue; on appropriate places; I think continue in this place can lead to memory leak, so I removed soft_err by other way. Thanks for the patch, now it looks fine to me, except that it doesn't apply on the current master: [atkac@drtic bind-dyndb-ldap]$ git am ../bind-dyndb-ldap-pspacek-0020-2-Separate-LDAP-result-from-LDAP-connection-fix-deadlo.patch Applying: Separate LDAP result from LDAP connection, fix deadlock. https://fedorahosted.org/bind-dyndb-ldap/ticket/66 
Signed-off-by: Petr Spacek pspa...@redhat.com error: patch failed: src/ldap_helper.c:271 error: src/ldap_helper.c: patch does not apply Patch failed at 0001 Separate LDAP result from LDAP connection, fix deadlock. https://fedorahosted.org/bind-dyndb-ldap/ticket/66 Signed-off-by: Petr Spacek pspa...@redhat.com When you have resolved this problem run git am --resolved. If you would prefer to skip this patch, instead run git am --skip. To restore the original branch and stop patching run git am --abort. Please rebase the patch and then push it, you don't have to resend it here. Regards, Adam Finally, I rebased the patch and pushed it to the master. Sorry for delay, I forgot to this ticket completely. Rebased version is attached. https://fedorahosted.org/bind-dyndb-ldap/changeset/88dcade344af6e71503b85c4d2630343dbf7d7c0 Petr^2 Spacek From 08238cb150b909979dd005374df5fe0f1c874675 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Mon, 7 May 2012 12:51:09 +0200 Subject: [PATCH] Separate LDAP result from LDAP connection and fix deadlock. This affects operation without persistent search with connections == 1. https://fedorahosted.org/bind-dyndb-ldap/ticket/66 Signed-off-by: Petr Spacek pspa...@redhat.com --- src/ldap_helper.c | 240 - 1 files changed, 146 insertions(+), 94 deletions(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 7f0a6f4b37171a6fa4db79cd32fdd8bc62288e0f..aa7f97664d3fd6de43b0ee7b7e6caa0fc0e25dde 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -109,6 +109,7 @@ * must acquire the semaphore and the lock. */ +typedef struct ldap_qresult ldap_qresult_t; typedef struct ldap_connection ldap_connection_t; typedef struct ldap_pool ldap_pool_t; typedef struct ldap_auth_pair ldap_auth_pair_t; 
@@ -186,31 +187,29 @@ struct ldap_pool { struct ldap_connection { isc_mem_t *mctx; isc_mutex_t lock; - ld_string_t *query_string; LDAP *handle; - LDAPMessage *result; LDAPControl *serverctrls[2]; /* psearch/NULL or NULL/NULL */ int msgid; /* Parsing. */ isc_lex_t *lex; isc_buffer_t rdata_target; unsigned char *rdata_target_mem; - /* Cache. */ - ldap_entrylist_t ldap_entries; - /* For reconnection logic. */ isc_time_t next_reconnect; unsigned int tries; +}; - /* Temporary stuff. */ - LDAPMessage *entry; - BerElement *ber; - char *attribute; - char **values; - char *dn; +/** + * Result from single LDAP query. + */ +struct ldap_qresult { + isc_mem_t *mctx; + ld_string_t *query_string; + LDAPMessage *result; + ldap_entrylist_t ldap_entries; }; /* @@ -271,9 +270,10 @@ static isc_result_t ldap_reconnect(ldap_instance_t *ldap_inst, static isc_result_t handle_connection_error(ldap_instance_t *ldap_inst, ldap_connection_t *ldap_conn, isc_boolean_t force); static isc_result_t ldap_query(ldap_instance_t *ldap_inst,
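Review bot: the struct hunk (@@ -186,31 +187,29 @@) moves `result` and `ldap_entries` out of the lock-protected struct ldap_connection into the new struct ldap_qresult, which carries no lock and no ownership rule; the doc comment "Result from single LDAP query." should state that a qresult is owned by the caller that issued the query, is never shared between threads, and is released by that owner with ldap_msgfree on `result` plus ldap_entrylist_destroy on `ldap_entries`, because the earlier soft_err exchange in this thread shows that exactly this cleanup was easy to get wrong when it lived on the connection. The "Temporary stuff" fields removed here (`entry`, `ber`, `attribute`, `values`, `dn`) reappear in neither struct in the visible hunks; if they became locals in the parsing code, one sentence in the commit message saying so would save the next reader a search.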
Re: [Freeipa-devel] [PATCH] 286-288 Warn when ID range with incorrect size was created
On 07/12/2012 07:46 AM, Martin Kosek wrote: On 07/11/2012 09:27 PM, Rob Crittenden wrote: Martin Kosek wrote: IPA 3.0 introduced range ID objects in replicated space which specify a range of IDs assigned via DNA plugin. ipa-ldap-updater generates the default ID range which should correspond with IDs assigned to IPA users. However, since correct range size is not known, we should at least warn that a range with invalid size was created so that user can amend it. I created 2 new tickets to further improve this area: 1) #2918: [doc] Upgrade procedure section should mention ipa-ldap-updater 2) #2919: Improve safety checks in range command To test this patch, you can: 1) Install unpatched IPA server (and you may install replicas too) with custom --idstart and --idmax options where difference is greater than 20 2) Remove default range with range-del command (will be restored during upgrade) 3) Run RPM upgrade with RPMs built from patched sources - ERROR should now be printed during update stating that a new range was created but its size is not right I don't understand step 2, why would someone remove their range before upgrading? I installed with a 50k range, didn't remove it, then upgraded with no warning. I deleted the range and re-installed the packages again, still no warning but a new 200k range was created for me. rob The step 2 is artificial and is only done to force the default_range update plugin to create/restore the default IPA range. The plugin would just be skipped otherwise. We can only detect ranges larger than 200k - judging just from the number of free IDs. Thus, 50k range will pass without any warning or error. If you create a bigger range (this can be detected unless you deplete all IDs below 200k mark), you will receive the warning. All this procedure will not handle all situations ATM, it's just heuristics to cover most cases... 
Martin Sending an updated patch with 2 small changes: 1) Console error formatting was changed similar to ipa-client-install 2) ipa-ldap-updater does not print information message when IPA is not configured to stderr so that rpm update output stays clean when updating rpms in machine without IPA installed This is the output of RPM with the new patch set: # ipa range-del IDM.LAB.BOS.REDHAT.COM_id_range -- Deleted ID range IDM.LAB.BOS.REDHAT.COM_id_range -- # rpm -Uvh --force freeipa-* Preparing...### [100%] 1:freeipa-python ### [ 14%] 2:freeipa-client ### [ 29%] 3:freeipa-admintools ### [ 43%] 4:freeipa-server ### [ 57%] 5:freeipa-server-selinux ### [ 71%] 6:freeipa-server-trust-ad### [ 86%] 7:freeipa-debuginfo ### [100%] ERROR: default_range: could not verify default ID range size Please use the following command to set correct ID range size $ ipa range-mod IDM.LAB.BOS.REDHAT.COM_id_range --range-size=RANGE_SIZE RANGE_SIZE may be computed from --idstart and --idmax options used during IPA server installation: RANGE_SIZE = (--idmax) - (--idstart) + 1 Martin From a61488b5fa77ed983c8de11d211ebb56d2337fee Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Wed, 11 Jul 2012 14:09:17 +0200 Subject: [PATCH 1/3] Add range-mod command range plugin was missing range-mod command that could be used for example to fix a size for a range generated during upgrades. The range should be updated with a caution though, a misconfiguration could break trusts. iparangetype is now also handled better and filled in all commands instead of just range-show. objectclass attribute is deleted only when really needed now. --- API.txt| 19 +++ VERSION|2 +- ipalib/plugins/range.py| 41 +++- tests/test_xmlrpc/test_range_plugin.py | 23 -- 4 files changed, 76 insertions(+), 9 deletions(-) diff --git a/API.txt b/API.txt index 54313404142129a863792c67b706262973a268d6..691a9c4dec69f1006e52eafd3a94e351750165b7 100644 --- a/API.txt +++ b/API.txt 
@@ -2411,6 +2411,25 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None) output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) output: Output('count', type 'int', None) output: Output('truncated', type 'bool', None) +command: range_mod +args: 1,13,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True,
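Review bot: the commit message for this patch warns that a misconfigured range can break trusts, yet the API.txt hunk (@@ -2411,6 +2411,25 @@) shows range_mod accepting its 13 options as plain modifiable attributes with no visible guard, and the rest of the hunk is cut off here. Until the safety checks tracked in ticket #2919 land, range-mod should at least refuse a new size that would make the range overlap another existing range or shrink it below IDs already handed out, and the command's help text should carry the same warning the commit message does.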
Re: [Freeipa-devel] [PATCHES][RFC] Implement special operation to recover NT hash for a user
On Thu, 2012-07-12 at 10:48 +0300, Alexander Bokovoy wrote: On Wed, 11 Jul 2012, Simo Sorce wrote: From 84ef09a1193ff42fc301fb71354055c5039f51a5 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Fri, 6 Jul 2012 16:18:29 -0400 Subject: [PATCH] Add special modify op to regen ipaNTHash The NT Hash is the same thing as the RC4-HMAC key, so we add a function to extract it from krb5 keys if they are available to avoid forcing a password change when configuring trust relationships. --- .../ipa-pwd-extop/ipapwd_prepost.c | 147 +++- 1 file changed, 144 insertions(+), 3 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c index deae642f82edcc4674a1c9580661c3dae94b..24fa52eb9ac92004576ccdba4f576162c358770d 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c @@ -41,7 +41,12 @@ # include config.h #endif -#define _XOPEN_SOURCE /* strptime needs this */ +/* strptime needs _XOPEN_SOURCE and endian.h needs __USE_BSD + * _GNU_SOURCE imply both, and we use it elsewhere, so use this */ +#ifndef _GNU_SOURCE +#define _GNU_SOURCE 1 +#endif + #include stdio.h #include string.h #include strings.h @@ -53,6 +58,7 @@ #include dirsrv/slapi-plugin.h #include lber.h #include time.h +#include endian.h #include ipapwd.h #include util.h @@ -379,6 +385,12 @@ done: return 0; } +#define NTHASH_REGEN_VAL MagicRegen +#define NTHASH_REGEN_LEN sizeof(NTHASH_REGEN_VAL) +static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods, + char *dn, struct slapi_entry *entry, + struct ipapwd_krbcfg *krbcfg); + /* PRE MOD Operation: * Gets the clean text password (fail the operation if the password came * pre-hashed, unless this is a replicated operation). 
@@ -407,6 +419,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) int has_krb_keys = 0; int has_history = 0; int gen_krb_keys = 0; +int is_magic_regen = 0; int ret, rc; LOG_TRACE( =\n); @@ -447,6 +460,27 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) default: break; } +} else if (slapi_attr_types_equivalent(lmod-mod_type, ipaNTHash)) { +/* check op filtering out LDAP_MOD_BVALUES */ +switch (lmod-mod_op 0x0f) { +case LDAP_MOD_REPLACE: This is still LDAP_MOD_REPLACE, not LDAP_MOD_ADD. This is because I resent the old patch :( Hopefully the correct patch is now attached. Simo. -- Simo Sorce * Red Hat, Inc * New York From 00e2aa83eabf5e4f60fd662d7ecd4e91f4209103 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Fri, 6 Jul 2012 16:18:29 -0400 Subject: [PATCH] Add special modify op to regen ipaNTHash The NT Hash is the same thing as the RC4-HMAC key, so we add a function to extract it from krb5 keys if they are available to avoid forcing a password change when configuring trust relationships. --- .../ipa-pwd-extop/ipapwd_prepost.c | 146 +++- 1 file changed, 143 insertions(+), 3 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c index deae642f82edcc4674a1c9580661c3dae94b..e4909c94585b6fac6b7f8347b806a8841107f3d0 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c @@ -41,7 +41,12 @@ # include config.h #endif -#define _XOPEN_SOURCE /* strptime needs this */ +/* strptime needs _XOPEN_SOURCE and endian.h needs __USE_BSD + * _GNU_SOURCE imply both, and we use it elsewhere, so use this */ +#ifndef _GNU_SOURCE +#define _GNU_SOURCE 1 +#endif + #include stdio.h #include string.h #include strings.h @@ -53,6 +58,7 @@ #include dirsrv/slapi-plugin.h #include lber.h #include time.h +#include endian.h #include ipapwd.h #include util.h 
@@ -379,6 +385,12 @@ done: return 0; } +#define NTHASH_REGEN_VAL MagicRegen +#define NTHASH_REGEN_LEN sizeof(NTHASH_REGEN_VAL) +static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods, + char *dn, struct slapi_entry *entry, + struct ipapwd_krbcfg *krbcfg); + /* PRE MOD Operation: * Gets the clean text password (fail the operation if the password came * pre-hashed, unless this is a replicated operation). @@ -407,6 +419,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) int has_krb_keys = 0; int has_history = 0; int gen_krb_keys = 0; +int is_magic_regen = 0; int ret, rc; LOG_TRACE( =\n); @@ -447,6 +460,27 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) default: break; } +} else if
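Review bot: the resent patch (00e2aa83) is truncated at the start of the ipaNTHash branch (@@ -447,6 +460,27 @@), so the only visible difference from the earlier 84ef09a1 version is the diffstat (143 insertions instead of 144); the LDAP_MOD_ADD detection that was requested in this thread lies past the cut and cannot be confirmed from what is quoted here. Everything visible in the _GNU_SOURCE, endian.h, NTHASH_REGEN_* and is_magic_regen hunks is byte-for-byte identical to the first version, so the review comments on those hunks still apply.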
Re: [Freeipa-devel] [PATCHES][RFC] Implement special operation to recover NT hash for a user
On Thu, 12 Jul 2012, Simo Sorce wrote: On Thu, 2012-07-12 at 10:48 +0300, Alexander Bokovoy wrote: On Wed, 11 Jul 2012, Simo Sorce wrote: From 84ef09a1193ff42fc301fb71354055c5039f51a5 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Fri, 6 Jul 2012 16:18:29 -0400 Subject: [PATCH] Add special modify op to regen ipaNTHash The NT Hash is the same thing as the RC4-HMAC key, so we add a function to extract it from krb5 keys if they are available to avoid forcing a password change when configuring trust relationships. --- .../ipa-pwd-extop/ipapwd_prepost.c | 147 +++- 1 file changed, 144 insertions(+), 3 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c index deae642f82edcc4674a1c9580661c3dae94b..24fa52eb9ac92004576ccdba4f576162c358770d 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c @@ -41,7 +41,12 @@ # include config.h #endif -#define _XOPEN_SOURCE /* strptime needs this */ +/* strptime needs _XOPEN_SOURCE and endian.h needs __USE_BSD + * _GNU_SOURCE imply both, and we use it elsewhere, so use this */ +#ifndef _GNU_SOURCE +#define _GNU_SOURCE 1 +#endif + #include stdio.h #include string.h #include strings.h @@ -53,6 +58,7 @@ #include dirsrv/slapi-plugin.h #include lber.h #include time.h +#include endian.h #include ipapwd.h #include util.h @@ -379,6 +385,12 @@ done: return 0; } +#define NTHASH_REGEN_VAL MagicRegen +#define NTHASH_REGEN_LEN sizeof(NTHASH_REGEN_VAL) +static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods, + char *dn, struct slapi_entry *entry, + struct ipapwd_krbcfg *krbcfg); + /* PRE MOD Operation: * Gets the clean text password (fail the operation if the password came * pre-hashed, unless this is a replicated operation). 
@@ -407,6 +419,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) int has_krb_keys = 0; int has_history = 0; int gen_krb_keys = 0; +int is_magic_regen = 0; int ret, rc; LOG_TRACE( =\n); @@ -447,6 +460,27 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) default: break; } +} else if (slapi_attr_types_equivalent(lmod-mod_type, ipaNTHash)) { +/* check op filtering out LDAP_MOD_BVALUES */ +switch (lmod-mod_op 0x0f) { +case LDAP_MOD_REPLACE: This is still LDAP_MOD_REPLACE, not LDAP_MOD_ADD. This is because I resent the old patch :( Hopefully the correct patch is now attached. Yes, now it is updated, thanks. I'm going to experiment a bit with these patches, adding ipasam responder to test them. -- / Alexander Bokovoy
[Freeipa-devel] [PATCH] 170 Differentiation of widget type and text_widget input type
There was a clash of 'type' attribute in widget's spec. Usually 'type' is used for telling a builder which field and widget to build. Text widget used this attribute also for definition of html input type. It was problematic for some special widgets, which defined own field and used text_widget, like service_type or dnszone_name. In those and possibly other cases it used widget type for specifying input type which led to execution error in Internet Explorer. Firefox and Chrome took it. This patch is changing text_widget's 'type' to 'input_type' which removes the collision and hence fixes the problem. https://fedorahosted.org/freeipa/ticket/2806 and half of: https://fedorahosted.org/freeipa/ticket/2834 -- Petr Vobornik From f2ed7294fb558895ea9d84d30b010f56069d88a8 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Thu, 12 Jul 2012 14:43:47 +0200 Subject: [PATCH] Differentiation of widget type and text_widget input type There was a clash of 'type' attribute in widget's spec. Usually 'type' is used for telling a builder which field and widget to build. Text widget used this attribute also for definition of html input type. It was problematic for some special widgets, which defined own field and used text_widget, like service_type or dnszone_name. In those and possibly other cases it used widget type for specifying input type which led to execution error in Internet Explorer. Firefox and Chrome took it. This patch is changing text_widget's 'type' to 'input_type' which removes the collision and hence fixes the problem. https://fedorahosted.org/freeipa/ticket/2806 and half of: https://fedorahosted.org/freeipa/ticket/2834 --- install/ui/widget.js |6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/install/ui/widget.js b/install/ui/widget.js index 64547da7d439cb622c03d6f73afb310be83a6338..6864d88f5f08a4064b9b5b1cded527d5e99504ff 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js 
@@ -231,7 +231,7 @@ IPA.text_widget = function(spec) { var that = IPA.input_widget(spec); that.size = spec.size || 30; -that.type = spec.type || 'text'; +that.input_type = spec.input_type || 'text'; that.select_range = function(start, end){ IPA.select_range(that.input, start, end); @@ -249,7 +249,7 @@ IPA.text_widget = function(spec) { }).appendTo(container); that.input = $('input/', { -type: that.type, +type: that.input_type, name: that.name, disabled: that.disabled, size: that.size, @@ -330,7 +330,7 @@ IPA.text_widget = function(spec) { IPA.password_widget = function(spec) { spec = spec || {}; -spec.type = 'password'; +spec.input_type = 'password'; var that = IPA.text_widget(spec); return that; -- 1.7.7.6
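Review bot: renaming `spec.type` to `spec.input_type` in IPA.text_widget (hunks @@ -231 and @@ -249) removes the collision, but the diffstat shows widget.js as the only file touched; any other spec in the UI that still passes an HTML input type through `type` directly to IPA.text_widget will now silently become a plain text input instead of failing loudly. Grep the UI for text_widget specs whose `type` is an HTML input type (IPA.password_widget is the only one converted here, in hunk @@ -330) and move them to `input_type` in the same patch, so the rename does not regress those fields.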
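As an added illustration of the collision this patch fixes (example code, not FreeIPA's widget.js): a DOM-free model of how a text_widget spec was turned into `<input>` attributes before and after the rename, plus a small lint that flags specs where a custom widget type such as `service_type` would leak into the HTML input type. The function names, the sample specs and the list of valid input types are this example's own assumptions.

```javascript
// Valid HTML input types (HTML5 subset; assumed list for the lint). A value
// outside this set is where IE failed while Firefox/Chrome fell back to text.
const HTML_INPUT_TYPES = new Set([
  'text', 'password', 'search', 'email', 'url', 'tel', 'number',
  'checkbox', 'radio', 'hidden', 'date', 'file', 'submit', 'button',
]);

// Before the patch: a single 'type' key served both as the builder's widget
// type and as the <input type=...> attribute, so a widget type leaked through.
function buildInputBefore(spec) {
  spec = spec || {};
  return { type: spec.type || 'text', name: spec.name, size: spec.size || 30 };
}

// After the patch: the input type has its own 'input_type' key and 'type' is
// left to the builder; an unrelated widget type no longer reaches the DOM.
function buildInputAfter(spec) {
  spec = spec || {};
  return { type: spec.input_type || 'text', name: spec.name, size: spec.size || 30 };
}

// Mirrors the IPA.password_widget change: it now sets input_type, not type.
function passwordWidgetAfter(spec) {
  spec = spec || {};
  spec.input_type = 'password';
  return buildInputAfter(spec);
}

// Lint one spec through a given builder and report the resulting input type
// when it is not a valid HTML input type (i.e. the widget type leaked).
function lintSpec(spec, build) {
  const attrs = build(spec);
  const problems = [];
  if (!HTML_INPUT_TYPES.has(attrs.type)) {
    problems.push(
      `field "${attrs.name}": input type "${attrs.type}" is not an HTML input type`
    );
  }
  return problems;
}

// Constructed sample specs modelled on the widgets named in the mail
// (service_type and dnszone_name define their own field but reuse text_widget).
const SAMPLE_SPECS = [
  { type: 'service_type', name: 'service' },
  { type: 'dnszone_name', name: 'idnsname' },
  { type: 'text', name: 'description' },
];

// Run the lint over all sample specs; returns the total number of problems.
function countLeaks(build) {
  return SAMPLE_SPECS.reduce((n, s) => n + lintSpec(s, build).length, 0);
}

// Stand-alone run: the old builder leaks two widget types, the new one none.
console.log('before:', countLeaks(buildInputBefore), 'after:', countLeaks(buildInputAfter));
```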
[Freeipa-devel] [PATCH] 289 Fix ipa-managed-entries man page typo
Extra new line in .TH section of the man page caused invalid wrapping. Pushed to master as one-liner. From 3b24477208e0accfdbea0f95ac78d1d9fa89e50a Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 12 Jul 2012 15:07:53 +0200 Subject: [PATCH] Fix ipa-managed-entries man page typo Extra new line in .TH section of the man page caused invalid wrapping. --- install/tools/man/ipa-managed-entries.1 |3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/install/tools/man/ipa-managed-entries.1 b/install/tools/man/ipa-managed-entries.1 index e46b693176d87d772853e3254b664403d386e4c8..3d5ca22b87846d2b46122c7171016019aa07028e 100644 --- a/install/tools/man/ipa-managed-entries.1 +++ b/install/tools/man/ipa-managed-entries.1 @@ -16,8 +16,7 @@ .\ .\ Author: Jr Aquino jr.aqu...@citrix.com .\ -.TH ipa-managed-entries 1 Feb 06 2012 FreeIPA FreeIPA Manual -Pages +.TH ipa-managed-entries 1 Feb 06 2012 FreeIPA FreeIPA Manual Pages .SH NAME ipa\-managed\-entries \- Enables or disables the schema Managed Entry plugins .SH SYNOPSIS -- 1.7.10.4
Re: [Freeipa-devel] [PATCH] 281 Enable SOA serial autoincrement
On 07/02/2012 08:45 AM, Martin Kosek wrote: On 06/29/2012 09:00 PM, Rob Crittenden wrote: Martin Kosek wrote: This patch enables currently developed SOA serial autoincrement feature in bind-dyndb-ldap. The patch may be updated if any assumptions about this feature are changed (or somebody finds a bug). --- SOA serial autoincrement is a requirement for major DNS features, e.g. zone transfers or DNSSEC. Enable it by default in named.conf both for new and upgraded installations. Name of the bind-dyndb-ldap option is serial_autoincrement. From now on, idnsSOAserial attribute also has to be put to replication agreement exclude list as serial will be incremented on each DNS server separately and won't be shared. Exclude list has to be updated both for new replication agreements and the current ones. https://fedorahosted.org/freeipa/ticket/2554 What version of bind/bind-dyndb-ldap is needed for serial_autoincrement? rob Such a version is not ready yet, there is only a semi-working patch from Petr Spacek on freeipa-devel list. When a working version of bind-dyndb-ldap package with working serial_autoincrement feature, it should be enough to simply bump package version in bind-dyndb-ldap (that's why I tagged this patch as [WIP]). But otherwise, this patch is reviewable, it should prepare our install tools for the new feature, turn it on in named.conf on upgrades and also update replication agreements to not replicate SOA serial from now on. Martin Sending a rebased and updated patch with few more fixes: 1) Minimum number of connections has been raised to 4 to cover the most recent requirements for bind-dyndb-ldap's serial_automember feature 2) ipa-upgradeconfig named.conf has been fixed to not crash when the updated options are not in the file I think that we can choose to push this patch earlier before bind-dyndb-ldap with serial_automember released. 
We just need to make sure this patch sets serial_automember option in named.conf correctly + does the right thing with replication agreement exclude list update. Later on, we would just need to bump bind-dyndb-ldap version in our spec file when that's released. Martin From 2fe5e798d116f608e58e85097bb1652229851b70 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 28 Jun 2012 16:46:48 +0200 Subject: [PATCH] Enable SOA serial autoincrement SOA serial autoincrement is a requirement for major DNS features, e.g. zone transfers or DNSSEC. Enable it by default in named.conf both for new and upgraded installations. Name of the bind-dyndb-ldap option is serial_autoincrement. From now on, idnsSOAserial attribute also has to be put to replication agreement exclude list as serial will be incremented on each DNS server separately and won't be shared. Exclude list has to be updated both for new replication agreements and the current ones. Minimum number of connections for bind-dyndb-ldap has been raised to 4 connections, the setting will be updated during package upgrade. https://fedorahosted.org/freeipa/ticket/2554 --- install/share/bind.named.conf.template|1 + install/tools/ipa-dns-install | 10 ++- install/tools/ipa-server-install | 12 +++- install/tools/ipa-upgradeconfig | 68 +++-- install/tools/man/ipa-dns-install.1 |5 +- install/tools/man/ipa-server-install.1|5 +- ipalib/plugins/dns.py | 11 +++- ipaserver/install/bindinstance.py | 11 +++- ipaserver/install/plugins/fix_replica_memberof.py | 51 ipaserver/install/replication.py | 22 +++ 10 files changed, 145 insertions(+), 51 deletions(-) diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template index f133b089a9eb428e9ad76b66a3ff162b45e5a779..9fdd91319947f6cfd3034f8d2a4fe8bb60d1af77 100644 --- a/install/share/bind.named.conf.template +++ b/install/share/bind.named.conf.template 
@@ -46,4 +46,5 @@ dynamic-db ipa { arg sasl_user DNS/$FQDN; arg zone_refresh $ZONE_REFRESH; arg psearch $PERSISTENT_SEARCH; + arg serial_autoincrement $SERIAL_AUTOINCREMENT; }; diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index 6e9b9989792aba6f7607348da4693cf605dc0b76..47bffdf8354fa509d64af0ba0e15d5880010e425 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -62,6 +62,9 @@ def parse_options(): default=0, type=int, help=When set to non-zero the name server will use DNS zone detection based on polling instead of a persistent search) +parser.add_option(--no-serial-autoincrement, dest=serial_autoincrement, + default=True, action=store_false, + help=Do not enable SOA serial autoincrement) parser.add_option(-U, --unattended, dest=unattended,
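Review bot: in the bind.named.conf.template hunk, `arg serial_autoincrement $SERIAL_AUTOINCREMENT;` is emitted unconditionally, but the thread says no released bind-dyndb-ldap understands this option yet. Before this is pushed ahead of the bind-dyndb-ldap release, confirm that an older plugin ignores an unknown `arg` rather than refusing to load the dynamic-db (which would take DNS down on upgrade); if it does not, the spec file Requires bump has to land in the same push, not later.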
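Review bot: in the ipa-dns-install hunk, the `--no-serial-autoincrement` help text `Do not enable SOA serial autoincrement` should state the consequence the commit message spells out, i.e. that zone transfers and DNSSEC will not work without it, since that is what an admin needs to know before passing the flag; the diffstat shows ipa-dns-install.1 is touched, so make sure the man page says the same. Also document how the boolean is rendered into `$SERIAL_AUTOINCREMENT` (the literal the plugin expects), as that mapping is not visible in this hunk.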
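The commit message says idnsSOAserial must be added to the exclude list of both new and existing replication agreements. The following is an added example, not FreeIPA's replication.py or any code from the patch: it maintains the 389-ds agreement attributes in an idempotent way so that an upgrade can be re-run safely. It assumes the 389-ds value syntax `(objectclass=*) $ EXCLUDE attr1 attr2 ...` for nsDS5ReplicatedAttributeList and nsDS5ReplicatedAttributeListTotal, and represents an agreement entry as a plain dict of attribute name to list of values (the shape an LDAP search result is usually decoded into); the sample entry at the bottom is constructed.

```python
"""Keep idnsSOAserial on the replication agreement exclude list.

Added example, not FreeIPA code.  Assumed 389-ds value format:
    "(objectclass=*) $ EXCLUDE memberof entryusn ..."
"""

EXCLUDE_MARKER = "$ EXCLUDE"

# Both attributes are assumed to use the same syntax: the first governs
# incremental updates, the second total (re-initialization) updates.
AGREEMENT_ATTRS = (
    "nsDS5ReplicatedAttributeList",
    "nsDS5ReplicatedAttributeListTotal",
)


def parse_replicated_attr_list(value):
    """Split "(objectclass=*) $ EXCLUDE a b" into ("(objectclass=*)", ["a", "b"]).

    A value without the EXCLUDE marker excludes nothing.
    """
    if EXCLUDE_MARKER in value:
        filt, _, excluded = value.partition(EXCLUDE_MARKER)
        return filt.strip(), excluded.split()
    return value.strip(), []


def add_excluded_attrs(value, attrs):
    """Return `value` with every name in `attrs` on the exclude list.

    Existing entries and their order are preserved.  LDAP attribute names
    are case-insensitive, so "idnssoaserial" already present counts as
    "idnsSOAserial" and is not added twice.
    """
    filt, excluded = parse_replicated_attr_list(value)
    present = set(a.lower() for a in excluded)
    for attr in attrs:
        if attr.lower() not in present:
            excluded.append(attr)
            present.add(attr.lower())
    if not excluded:
        return filt
    return "%s %s %s" % (filt, EXCLUDE_MARKER, " ".join(excluded))


def agreement_mods(entry, attrs=("idnsSOAserial",)):
    """Compute the (attribute, new_value) pairs an agreement needs.

    `entry` maps attribute names to lists of values.  An agreement that
    already excludes everything in `attrs` yields an empty list, so the
    caller can skip the LDAP modify and the upgrade is safe to re-run.
    An agreement without the attribute at all is treated as replicating
    everything, "(objectclass=*)".
    """
    mods = []
    for attr in AGREEMENT_ATTRS:
        old = entry.get(attr, ["(objectclass=*)"])[0]
        new = add_excluded_attrs(old, attrs)
        if new != old:
            mods.append((attr, new))
    return mods


def apply_mods(entry, mods):
    """Return a copy of `entry` with `mods` applied (stand-in for MOD_REPLACE)."""
    updated = dict(entry)
    for attr, value in mods:
        updated[attr] = [value]
    return updated


if __name__ == "__main__":
    # Constructed sample agreement: memberof is already excluded on the
    # incremental list, the total list already carries idnsSOAserial.
    sample = {
        "cn": ["meToreplica2.example.test"],
        "nsDS5ReplicatedAttributeList": ["(objectclass=*) $ EXCLUDE memberof entryusn"],
        "nsDS5ReplicatedAttributeListTotal": ["(objectclass=*) $ EXCLUDE memberof entryusn idnsSOAserial"],
    }
    first = agreement_mods(sample)
    for attr, value in first:
        print("replace %s: %s" % (attr, value))
    # Second pass finds nothing to do.
    print("second pass mods:", agreement_mods(apply_mods(sample, first)))
```

The point of returning a modlist instead of writing directly is that the same function serves ipa-replica-install for new agreements and ipa-upgradeconfig for existing ones, and the empty-result case means a re-run of the upgrade never issues a no-op modify against every agreement on every master.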
[Freeipa-devel] [PATCH 0031] Prevent crashes in ldap_pool_*() function family
Hello, this patch fixes occasional crashes caused by incorrect error handling in the ldap_pool_*() functions. https://fedorahosted.org/bind-dyndb-ldap/ticket/84 It can be caused by a memory allocation error OR a timeout during the connection establishing phase. To trigger this problem, the first connection has to be established properly and some other connection has to fail. It is not enough to time out at the first connection/try; that case was handled properly. Petr^2 Spacek

From 7ef5c14ffa69cc4d60a76c9db63b8e3ce065d27b Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 12 Jul 2012 17:10:58 +0200 Subject: [PATCH] Prevent crashes in ldap_pool_*() function family. https://fedorahosted.org/bind-dyndb-ldap/ticket/84 Signed-off-by: Petr Spacek pspa...@redhat.com --- src/ldap_helper.c | 18 +++--- 1 files changed, 11 insertions(+), 7 deletions(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index aa7f97664d3fd6de43b0ee7b7e6caa0fc0e25dde..dc18d8d51c4980448fa78ae1604c78782d601113 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -538,6 +538,7 @@ destroy_ldap_instance(ldap_instance_t **ldap_instp) dns_rbtnodechain_invalidate(chain); + /* TODO: Terminate psearch watcher sooner? */ if (ldap_inst-psearch ldap_inst-watcher != 0) { ldap_inst-exiting = ISC_TRUE; /* @@ -628,9 +629,12 @@ destroy_ldap_connection(ldap_pool_t *pool, ldap_connection_t **ldap_connp) { ldap_connection_t *ldap_conn; - REQUIRE(ldap_connp != NULL *ldap_connp != NULL); + REQUIRE(ldap_connp != NULL); ldap_conn = *ldap_connp; + if (ldap_conn == NULL) + return; + DESTROYLOCK(ldap_conn-lock); if (ldap_conn-handle != NULL) ldap_unbind_ext_s(ldap_conn-handle, NULL, NULL); 
@@ -2603,20 +2607,21 @@ ldap_pool_create(isc_mem_t *mctx, unsigned int connections, ldap_pool_t **poolp) return ISC_R_SUCCESS; cleanup: - if (pool != NULL) - ldap_pool_destroy(pool); + ldap_pool_destroy(pool); return result; } static void ldap_pool_destroy(ldap_pool_t **poolp) { ldap_pool_t *pool; ldap_connection_t *ldap_conn; unsigned int i; - REQUIRE(poolp != NULL *poolp != NULL); + REQUIRE(poolp != NULL); pool = *poolp; + if (pool == NULL) + return; for (i = 0; i pool-connections; i++) { ldap_conn = pool-conns[i]; @@ -2630,6 +2635,7 @@ ldap_pool_destroy(ldap_pool_t **poolp) semaphore_destroy(pool-conn_semaphore); MEM_PUT_AND_DETACH(pool); + *poolp = NULL; } static isc_result_t @@ -2701,9 +2707,7 @@ ldap_pool_connect(ldap_pool_t *pool, ldap_instance_t *ldap_inst) cleanup: for (i = 0; i pool-connections; i++) { - ldap_conn = pool-conns[i]; - if (ldap_conn != NULL) - destroy_ldap_connection(pool, ldap_conn); + destroy_ldap_connection(pool, pool-conns[i]); } return result; } -- 1.7.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
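Review bot: in the destroy_ldap_connection hunk, the function now tolerates a NULL `*ldap_connp`, but nothing in the visible part sets `*ldap_connp = NULL` after the connection is freed, while ldap_pool_destroy in this same patch does add `*poolp = NULL;`. That matters because the ldap_pool_connect cleanup loop now calls `destroy_ldap_connection(pool, pool-conns[i])` for every slot and ldap_pool_create's cleanup then calls ldap_pool_destroy, whose loop walks the same `pool-conns[i]` slots: unless the part of destroy_ldap_connection outside this hunk clears the slot, a failed connect followed by pool destruction frees the same connection twice. Clear the slot at the end of destroy_ldap_connection, mirroring `*poolp = NULL;`.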
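Review bot: the `/* TODO: Terminate psearch watcher sooner? */` comment added in the destroy_ldap_instance hunk has nothing to do with ticket 84 and the commit message does not mention it; either drop it from this patch or say in the commit message what the open question is, so the fix for the crash stays a single-purpose change.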
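Review bot: the ldap_pool_connect cleanup hunk now relies on `pool-conns[i]` being NULL for every slot that was never reached after the failing connection (the trigger described in the mail: first connection succeeds, a later one times out or fails allocation). That is only safe if ldap_pool_create zero-initializes the whole conns array before any connection is attempted; the allocation is outside this diff, so please confirm it, or mention it in the commit message, since destroy_ldap_connection dereferences whatever non-NULL value it finds.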
[Freeipa-devel] [PATCHES] 495 Fix ipa-replica-manage issues
These 2 patches fix issues found with ipa-replica-manage and connect/disconnect commands. Fixes ticket #2925 Simo. -- Simo Sorce * Red Hat, Inc * New York From e83ea2fb1d66213db40fbc6b33b6164906041c6b Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Thu, 12 Jul 2012 14:27:55 -0400 Subject: [PATCH 1/2] Fix safety checks to prevent orphaning replicas This is just a typo, we were checking one side twice and never the other side. So depending on which side you run the command you'd be able or not to remove the replication agreement even if it was the last one. First part of ticket: #2925 --- install/tools/ipa-replica-manage |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index e2378173821457ed05dae273d148266ef822..a039ccaa26976262d8f05ac068403b73c6ca735b 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -211,7 +211,7 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False): try: repl2 = replication.ReplicationManager(realm, replica2, dirman_passwd) -repl_list = repl1.find_ipa_replication_agreements() +repl_list = repl2.find_ipa_replication_agreements() if not force and len(repl_list) = 1: print Cannot remove the last replication link of '%s' % replica2 print Please use the 'del' command to remove it from the domain -- 1.7.10.4 From 00a1ccadccff82d96e0af9cf86c8ad8da1ddd657 Mon Sep 17 00:00:00 2001 
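Review bot: the del_link hunk itself is correct (replica2's agreements are now what is counted before refusing to remove replica2's last link), but as the commit message says, the old code could remove a replica's last agreement depending on which side the command was run from, so existing deployments may already contain a silently orphaned replica. Worth adding a sentence to the commit message or release note telling admins to run `ipa-replica-manage list` on each master to find replicas that have no remaining agreement after upgrading.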
From: Simo Sorce sso...@redhat.com Date: Thu, 12 Jul 2012 15:04:03 -0400 Subject: [PATCH 2/2] Fix detection of deleted masters When setting up agreements we need to be careful not to allow 'reconnecting' a master that was previously completely deleted, as it would miss entries that are vital for proper functioning. This change in code fixes 2 problems with the current approach. 1) it removes false positives when we are trying to reconnect a replica that was previously merely disconnected but was still part of the domain and just replicating via a different topology and not a direct link 2) adds checks for entries that are deleted when an actual removal is performed, so that we cannot 'reconnect' previously unrelated replicas when one of the 2 has been permanently deleted from the masters tree. Second part of ticket #2925 --- install/tools/ipa-replica-manage | 24 +++- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index a039ccaa26976262d8f05ac068403b73c6ca735b..b095daf03aa0dfd7dd93f4809496467c83cfc5e3 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage 
@@ -401,18 +401,24 @@ def add_link(realm, replica1, replica2, dirman_passwd, options): options.passsync, options.win_subtree, options.cacert) else: -# First see if we already exist on the remote master. If so this was -# a previously deleted connection. +# Check if the master entry exists for both servers. +# If one of the tree misses one of the entries, it means one of the +# replicas was fully deleted previously and needs to be reinstalled +# from scratch try: +masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), (api.env.basedn)) +master1_dn = str(DN(('cn', replica1), masters_dn)) +master2_dn = str(DN(('cn', replica2), masters_dn)) + +repl1.conn.getEntry(master1_dn, ldap.SCOPE_BASE) +repl1.conn.getEntry(master2_dn, ldap.SCOPE_BASE) + repl2 = replication.ReplicationManager(realm, replica2, dirman_passwd) -master_dn = repl2.replica_dn() -binddn = str(DN(('krbprincipalname','ldap/%s@%s' % (replica1, api.env.realm)),(api.env.container_service),(api.env.basedn))) -master = repl2.conn.getEntry(master_dn, ldap.SCOPE_BASE) -binddns = master.getValues('nsDS5ReplicaBindDN') -if binddns and binddn in binddns: -sys.exit(You cannot connect to a previously deleted master) +repl2.conn.getEntry(master1_dn, ldap.SCOPE_BASE) +repl2.conn.getEntry(master2_dn, ldap.SCOPE_BASE) + except errors.NotFound: -pass +sys.exit(You cannot connect to a previously deleted master) repl1.setup_gssapi_replication(replica2, cn=Directory Manager, dirman_passwd) print Connected '%s' to '%s' % (replica1, replica2) -- 1.7.10.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
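Review bot: in the add_link hunk, four getEntry lookups (master1_dn and master2_dn on both repl1 and repl2) share one `except errors.NotFound:` that exits with the same `You cannot connect to a previously deleted master` message, so the admin cannot tell which master's entry is missing from which server's tree, and the message is misleading when it is replica1's own entry that is absent from replica1. Loop over the (connection, dn) pairs and include the server and DN in the error, e.g. `sys.exit("Master entry %s not found on %s: cannot connect to a previously deleted master" % (dn, host))`. Also note that dropping the nsDS5ReplicaBindDN check means a stale replica configuration on replica2 that still references replica1 is no longer detected; the commit message treats that as the intended removal of a false positive, so it should say so explicitly.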