Re: [Freeipa-devel] [PATCHES] #1791 Trust Effort: Add support for generating MS-PAC

2011-11-07 Thread Simo Sorce
On Fri, 2011-11-04 at 23:31 +0100, Sumit Bose wrote:
> On Fri, Nov 04, 2011 at 10:49:40AM -0400, Simo Sorce wrote:
> > The attached patches are for master and concern the effort of creating
> > trust relationships between IPA and AD domains.
> > 
> > With these patches, if you have run ipa-adtrust-install the IPA kdc will
> > be able to create a MS-PAC if the user has the right attributes:
> > ipaNTSecurityIdentifier on the user entry and on the primary group entry
> > are required (or a fallback primary group).
> > If the objects are not in place the MS-PAC generation is silently
> > skipped and no MS-PAC will be attached to the tickets.
> > 
> > The MS-PAC is always generated if all data is available; in future we
> > may think of making this conditional, but that is not in the scope of
> > these patches.
> > 
> > In order to apply these patches you need the coverity fix patches #2036
> > #2037 I sent yesterday.
> > 
> > In order to build this code you need samba 4 experimental packages with
> > the libndr_krb5pac.so library, header files and pkgconfig configuration
> > files.
> 
> Please add these dependencies to the BuildRequires in the spec file.
> Otherwise the patch looks fine.

Added BuildRequires: samba-4.0-devel, tested and pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCHES] #1791 Trust Effort: Add support for generating MS-PAC

2011-11-04 Thread Simo Sorce
The attached patches are for master and concern the effort of creating
trust relationships between IPA and AD domains.

With these patches, if you have run ipa-adtrust-install the IPA kdc will
be able to create a MS-PAC if the user has the right attributes:
ipaNTSecurityIdentifier on the user entry and on the primary group entry
are required (or a fallback primary group).
If the objects are not in place the MS-PAC generation is silently
skipped and no MS-PAC will be attached to the tickets.

The MS-PAC is always generated if all data is available; in future we
may think of making this conditional, but that is not in the scope of
these patches.

In order to apply these patches you need the coverity fix patches #2036
#2037 I sent yesterday.

In order to build this code you need samba 4 experimental packages with
the libndr_krb5pac.so library, header files and pkgconfig configuration
files.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
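The cover letter above says the KDC silently skips the MS-PAC when the user entry or its primary group (or fallback primary group) lacks ipaNTSecurityIdentifier. The following audit helper is an added example, not code from these patches or from FreeIPA: it applies that rule to directory entries so an administrator can list which users would silently get ticket without a PAC. Finding the primary group via gidNumber and requiring the user and group SIDs to share a domain are assumptions made here, and the sample entries are constructed.

```python
# Added audit helper, not code from the FreeIPA patches in this thread. It applies
# the cover letter's rule: a PAC is generated only when the user entry and its
# primary group (or a fallback primary group) carry ipaNTSecurityIdentifier, else
# the PAC is silently skipped. The gidNumber lookup and same-domain check are
# assumptions made here, not behaviour of the patch.
import re

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def split_sid(sid):
    """Return (domain_sid, rid) for an NT domain SID, or None if absent/malformed."""
    m = DOMAIN_SID_RE.match(sid or "")
    return None if m is None else (sid.rsplit("-", 1)[0], int(m.group(1)))

def primary_group(user, groups):
    """Assumption: the primary group is the group whose gidNumber equals the user's."""
    gid = user.get("gidNumber")
    return next((g for g in groups.values() if g.get("gidNumber") == gid), None)

def pac_decision(user, groups, fallback_group=None):
    """Return (would_generate, reason) for one user entry under the silent-skip rule."""
    user_sid = split_sid(user.get("ipaNTSecurityIdentifier"))
    if user_sid is None:
        return False, "user lacks a valid ipaNTSecurityIdentifier; PAC silently skipped"
    group = primary_group(user, groups)
    group_sid = split_sid(group.get("ipaNTSecurityIdentifier")) if group else None
    source = "primary group"
    if group_sid is None and fallback_group is not None:
        group_sid = split_sid(fallback_group.get("ipaNTSecurityIdentifier"))
        source = "fallback primary group"
    if group_sid is None:
        return False, "no primary or fallback group with a SID; PAC silently skipped"
    if group_sid[0] != user_sid[0]:
        return False, "user SID and %s SID are from different domains" % source
    return True, "PAC with user RID %d and %s RID %d" % (user_sid[1], source, group_sid[1])

# Constructed sample entries (not SIDs from any real deployment).
DOMAIN = "S-1-5-21-1111-2222-3333"
GROUPS = {
    "cn=alice": {"gidNumber": "1001", "ipaNTSecurityIdentifier": DOMAIN + "-1001"},
    "cn=carol": {"gidNumber": "1003"},  # group exists but carries no SID
    "cn=dave": {"gidNumber": "1004", "ipaNTSecurityIdentifier": "S-1-5-21-9-9-9-1004"},
}
FALLBACK = {"ipaNTSecurityIdentifier": DOMAIN + "-513"}
USERS = [
    {"uid": "alice", "gidNumber": "1001", "ipaNTSecurityIdentifier": DOMAIN + "-1000"},
    {"uid": "bob", "gidNumber": "1002"},  # no SID on the user entry
    {"uid": "carol", "gidNumber": "1003", "ipaNTSecurityIdentifier": DOMAIN + "-1002"},
    {"uid": "dave", "gidNumber": "1004", "ipaNTSecurityIdentifier": DOMAIN + "-1003"},
]
```

Run `pac_decision(u, GROUPS, FALLBACK)` over each entry in `USERS`; every `False` result is a user whose tickets would carry no PAC without any KDC log line saying so.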
From 02cd0398a18ae489dec5ea83bdad55dbb0ab5587 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Mon, 10 Oct 2011 15:42:11 -0400
Subject: [PATCH 1/2] Add support for generating PAC for AS requests for user
 principals

---
 daemons/configure.ac |   10 +
 daemons/ipa-kdb/Makefile.am  |3 +
 daemons/ipa-kdb/ipa_kdb.c|7 +-
 daemons/ipa-kdb/ipa_kdb.h|   38 ++
 daemons/ipa-kdb/ipa_kdb_common.c |   85 
 daemons/ipa-kdb/ipa_kdb_mspac.c  |  756 ++
 daemons/ipa-kdb/ipa_kdb_principals.c |7 +
 7 files changed, 905 insertions(+), 1 deletions(-)
 create mode 100644 daemons/ipa-kdb/ipa_kdb_mspac.c

diff --git a/daemons/configure.ac b/daemons/configure.ac
index e238d8b15901e7b46882cddd7d8621969d794039..f89c50d62a3d59c33439f285fe6e5d9b89ee 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -227,6 +227,16 @@ if test x$PYTHON = x ; then
 fi
 
 dnl ---
+dnl Check for ndr_krb5pac
+dnl ---
+
+PKG_PROG_PKG_CONFIG()
+PKG_CHECK_MODULES([TALLOC], [talloc])
+PKG_CHECK_MODULES([TEVENT], [tevent])
+PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac])
+
+
+dnl ---
 dnl - Set the data install directory since we don't use pkgdatadir
 dnl ---
 
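Review bot: PKG_CHECK_MODULES is called here for talloc, tevent and ndr_krb5pac with no action-if-not-found, so configure now hard-fails on any host without the samba 4 experimental packages even though PAC generation is optional at runtime (skipped unless ipa-adtrust-install was run and the SIDs are present). Consider an explicit action-if-not-found that names the missing ndr_krb5pac module, or a configure option that makes the MS-PAC support selectable. Also, TALLOC_CFLAGS/TALLOC_LIBS and TEVENT_CFLAGS/TEVENT_LIBS are set by these checks but never referenced in the Makefile.am hunks of this patch, which only use NDRPAC_CFLAGS and NDRPAC_LIBS; either drop the two checks or add their flags where the NDR code is compiled and linked.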
diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 036074f437bdf8e177cd26018c7f611cf553c505..b29f60171116640d0f2b350111017fd8d6bbce59 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -19,6 +19,7 @@ INCLUDES =		\
 	$(KRB5_CFLAGS)	\
 	$(SSL_CFLAGS)	\
 	$(WARN_CFLAGS)	\
+	$(NDRPAC_CFLAGS)\
 	$(NULL)
 
 plugindir = $(libdir)/krb5/plugins/kdb
@@ -33,6 +34,7 @@ ipadb_la_SOURCES = 		\
 	ipa_kdb_passwords.c	\
 	ipa_kdb_principals.c	\
 	ipa_kdb_pwdpolicy.c	\
+	ipa_kdb_mspac.c		\
 	$(KRB5_UTIL_SRCS)	\
 	$(NULL)
 
@@ -45,6 +47,7 @@ ipadb_la_LIBADD = 		\
 	$(KRB5_LIBS)		\
 	$(SSL_LIBS)		\
 	$(LDAP_LIBS)		\
+	$(NDRPAC_LIBS)		\
 	$(NULL)
 
 dist_noinst_DATA = ipa_kdb.exports
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 481b1f392766498c5d7c6333fe73bafefde87dae..05ee18720a11fc6b8579fd00206d1cbb9d5a1a34 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -259,6 +259,11 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
 ipactx-supp_encs = kst;
 ipactx-n_supp_encs = n_kst;
 
+ret = ipadb_reinit_mspac(ipactx);
+if (ret  ret != ENOENT) {
+/* TODO: log that there is an issue with adtrust settings */
+}
+
 ret = 0;
 
 done:
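Review bot: the error from ipadb_reinit_mspac() is swallowed: the branch taken for any return other than ENOENT contains only a TODO comment and is immediately followed by `ret = 0;`, so a broken adtrust configuration (malformed or missing SIDs, unreadable settings) leaves the KDC issuing tickets with no PAC and nothing in the logs. At minimum log the failure at warning level before clearing ret, and decide explicitly which errors other than ENOENT should make ipadb_get_connection() fail instead of continuing silently.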
@@ -447,7 +452,7 @@ kdb_vftabl kdb_function_table = {
 NULL,   /* promote_db */
 NULL,   /* decrypt_key_data */
 NULL,   /* encrypt_key_data */
-NULL,   /* sign_authdata */
+ipadb_sign_authdata,/* sign_authdata */
 NULL,   /* check_transited_realms */
 NULL,   /* check_policy_as */
 NULL,   /* check_policy_tgs */
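Review bot: setting the sign_authdata slot in kdb_function_table makes ipadb_sign_authdata run for every ticket the KDC issues (AS and TGS, service and cross-realm principals), while the patch subject scopes the feature to AS requests for user principals. Please confirm the callback returns success with no authdata for the cases it does not handle, so non-user principals and the TGS path are not broken, and that a failure while building the PAC is logged rather than silently producing a ticket without one.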
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index cfcaca6493fd3f4657fd9f1839b6f3ac9f22546d..8c907c448d0f497786f7b66fb4e17e6590d4cc29 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -39,10 +39,15 @@
 #include ctype.h
 #include arpa/inet.h
 #include endian.h
+#include unistd.h
 
 #include ipa_krb5.h
 #include ipa_pwd.h
 
+#ifndef MAXHOSTNAMELEN
+#define MAXHOSTNAMELEN 64
+#endif
+
 /* easier to copy the defines here than to mess with kadm5/admin.h
  * for now */
 #define KMASK_PRINCIPAL 0x01
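Review bot: the MAXHOSTNAMELEN fallback of 64 matches the value in Linux's sys/param.h but BSD-derived headers use 256; if this constant sizes a buffer passed to gethostname(), a longer FQDN is silently truncated and gethostname() does not guarantee NUL termination on truncation. Prefer HOST_NAME_MAX from limits.h (or sysconf(_SC_HOST_NAME_MAX)) with a 256 fallback, and have the call site check the return value and force the terminator.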
@@ -69,6 +74,13 @@
 
 #define IPA_SETUP ipa-setup-override-restrictions
 
+struct ipadb_wincompat {
+

Re: [Freeipa-devel] [PATCHES] #1791 Trust Effort: Add support for generating MS-PAC

2011-11-04 Thread Sumit Bose
On Fri, Nov 04, 2011 at 10:49:40AM -0400, Simo Sorce wrote:
> The attached patches are for master and concern the effort of creating
> trust relationships between IPA and AD domains.
> 
> With these patches, if you have run ipa-adtrust-install the IPA kdc will
> be able to create a MS-PAC if the user has the right attributes:
> ipaNTSecurityIdentifier on the user entry and on the primary group entry
> are required (or a fallback primary group).
> If the objects are not in place the MS-PAC generation is silently
> skipped and no MS-PAC will be attached to the tickets.
> 
> The MS-PAC is always generated if all data is available; in future we
> may think of making this conditional, but that is not in the scope of
> these patches.
> 
> In order to apply these patches you need the coverity fix patches #2036
> #2037 I sent yesterday.
> 
> In order to build this code you need samba 4 experimental packages with
> the libndr_krb5pac.so library, header files and pkgconfig configuration
> files.

Please add these dependencies to the BuildRequires in the spec file.
Otherwise the patch looks fine.

bye,
Sumit

> 
> Simo.
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
