[Freeipa-devel] [freeipa PR#879][comment] FIPS mode and NT hashes

2017-06-20 Thread sumit-bose via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/879
Title: #879: FIPS mode and NT hashes

sumit-bose commented:
"""
I just pushed a new version which includes the upstream ticket reference in the 
commit message; there are no changes to the code.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/879#issuecomment-309683850


[Freeipa-devel] [freeipa PR#879][synchronized] FIPS mode and NT hashes

2017-06-20 Thread sumit-bose via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/879
Author: sumit-bose
 Title: #879: FIPS mode and NT hashes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/879/head:pr879
git checkout pr879
From 4d7f9b07832da3a4caa1f7d34b2e1cbab2e5a195 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 16 Jun 2017 16:26:41 +0200
Subject: [PATCH 1/2] ipa-sam: replace encode_nt_key() with E_md4hash()

Since ipa-sam is running as part of smbd it is safe to use the
E_md4hash() from Samba. This way ipa-sam does not depend on other crypto
libraries which might be subject to other rules like e.g. FIPS mode.

Resolves https://pagure.io/freeipa/issue/7026
---
 daemons/ipa-sam/ipa_sam.c | 27 ++-
 1 file changed, 2 insertions(+), 25 deletions(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 6a29e8e10b..59d92f37c9 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -110,6 +110,7 @@ char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so *
 char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
 bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */
 void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */
+bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth-samba4.so */
 
 #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs"
 #define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain"
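Review bot: E_md4hash() is declared by hand with a comment pointing at libcliauth-samba4.so, which looks like one of Samba's private libraries; as with the prototypes above it, a signature change on the Samba side will not be caught at compile time. Consider recording where the prototype came from so the next ABI break is easy to trace, e.g. `/* available in libcliauth-samba4.so (private API); prototype taken from Samba <version> */`. The same hunk appears again at L212-L219.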
@@ -2836,11 +2837,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 	struct dom_sid *g_sid;
 	char *name;
 	char *trustpw = NULL;
-	char *trustpw_utf8 = NULL;
-	char *tmp_str = NULL;
-	int ret;
 	uint8_t nt_key[16];
-	size_t converted_size;
 	bool res;
 	char *sid_str;
 	enum idmap_error_code err;
@@ -2899,19 +2896,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 		return false;
 	}
 
-	if (!push_utf8_talloc(user, _utf8, trustpw, _size)) {
-		res = false;
-		goto done;
-	}
-
-	tmp_str = talloc_strdup_upper(user, trustpw);
-	if (tmp_str == NULL) {
-		res = false;
-		goto done;
-	}
-
-	ret = encode_nt_key(trustpw_utf8, nt_key);
-	if (ret != 0) {
+	if (!E_md4hash(trustpw, nt_key)) {
 		res = false;
 		goto done;
 	}
@@ -2927,14 +2912,6 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 		memset(trustpw, 0, strlen(trustpw));
 		talloc_free(trustpw);
 	}
-	if (trustpw_utf8 != NULL) {
-		memset(trustpw_utf8, 0, strlen(trustpw_utf8));
-		talloc_free(trustpw_utf8);
-	}
-	if (tmp_str != NULL) {
-		memset(tmp_str, 0, strlen(tmp_str));
-		talloc_free(tmp_str);
-	}
 
 	return res;
 }
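Review bot: nt_key now receives the output of E_md4hash() from the previous hunk, and an NT hash is as sensitive as the trust password it is derived from, yet the cleanup at `done:` scrubs only trustpw (unless that happens in the lines between the two hunks); add `memset(nt_key, 0, sizeof(nt_key));` before `return res;`. The surviving `memset(trustpw, 0, strlen(trustpw))` ahead of talloc_free() is a store the compiler may elide as dead, so a zeroization it cannot drop (explicit_bzero() where the libc provides it, or a Samba equivalent) would be more dependable for both buffers. init_sam_from_td() begins before this hunk. The same hunks appear again at L232-L267.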

From f5ca91d8dc5528f7f0f2f7edbb9a07cc01de8bfd Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 16 Jun 2017 17:49:44 +0200
Subject: [PATCH 2/2] ipa_pwd_extop: do not generate NT hashes in FIPS mode

In FIPS mode NT hashes (aka md4) are not allowed. If FIPS mode is
detected we disable NT hashes even if they are allowed by the IPA
configuration.

Resolves https://pagure.io/freeipa/issue/7026
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 53 ++--
 1 file changed, 40 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 761f7a8e3e..5efadac5b1 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -46,6 +46,8 @@
 /* Type of connection for this operation;*/
 #define LDAP_EXTOP_PASSMOD_CONN_SECURE
 
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
+
 /* Uncomment the following #undef FOR TESTING:
  * allows non-SSL connections to use the password change extended op */
 /* #undef LDAP_EXTOP_PASSMOD_CONN_SECURE */
@@ -62,6 +64,27 @@ static const char *ipapwd_def_encsalts[] = {
 NULL
 };
 
+static bool fips_enabled(void)
+{
+int fd;
+ssize_t len;
+char buf[8];
+
+fd = open(PROC_SYS_FIPS, O_RDONLY);
+if (fd != -1) {
+len = read(fd, buf, sizeof(buf));
+close(fd);
+/* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
+ * similar to the is_fips_enabled() check in
+ * ipaplatform/redhat/tasks.py */
+if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
+return true;
+}
+}
+
+return false;
+}
+
 static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 {
 krb5_error_code krberr;
@@ -232,23 +255,27 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 
 /* get the ipa etc/ipaConfig entry */
 config->allow_nt_hash = false;
-ret = ipapwd_getEntry(ipa_etc_config_dn, _entry, NULL);
-if (ret != LDAP_SUCCESS) {
-LOG_FATAL("No config Entry?\n");
-goto free_and_error;
+if (fips_enabled()) {
+   

[Freeipa-devel] [freeipa PR#879][opened] FIPS mode and NT hashes

2017-06-19 Thread sumit-bose via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/879
Author: sumit-bose
 Title: #879: FIPS mode and NT hashes
Action: opened

PR body:
"""
In FIPS mode NT hashes (aka md4) are not allowed. If FIPS mode is detected we
disable NT hashes in the password plugin even if they are allowed by the IPA
configuration.

Since ipa-sam is running as part of smbd it is safe to use the E_md4hash()
from Samba. This way ipa-sam does not depend on other crypto libraries
which might be subject to other rules like e.g. FIPS mode.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/879/head:pr879
git checkout pr879
From 21e740d2ca6ebdfcf5d30b8468846e0e1c546de8 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 16 Jun 2017 16:26:41 +0200
Subject: [PATCH 1/2] ipa-sam: replace encode_nt_key() with E_md4hash()

Since ipa-sam is running as part of smbd it is safe to use the
E_md4hash() from Samba. This way ipa-sam does not depend on other crypto
libraries which might be subject to other rules like e.g. FIPS mode.
---
 daemons/ipa-sam/ipa_sam.c | 27 ++-
 1 file changed, 2 insertions(+), 25 deletions(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 6a29e8e10b..59d92f37c9 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -110,6 +110,7 @@ char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so *
 char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
 bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */
 void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */
+bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth-samba4.so */
 
 #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs"
 #define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain"
@@ -2836,11 +2837,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 	struct dom_sid *g_sid;
 	char *name;
 	char *trustpw = NULL;
-	char *trustpw_utf8 = NULL;
-	char *tmp_str = NULL;
-	int ret;
 	uint8_t nt_key[16];
-	size_t converted_size;
 	bool res;
 	char *sid_str;
 	enum idmap_error_code err;
@@ -2899,19 +2896,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 		return false;
 	}
 
-	if (!push_utf8_talloc(user, _utf8, trustpw, _size)) {
-		res = false;
-		goto done;
-	}
-
-	tmp_str = talloc_strdup_upper(user, trustpw);
-	if (tmp_str == NULL) {
-		res = false;
-		goto done;
-	}
-
-	ret = encode_nt_key(trustpw_utf8, nt_key);
-	if (ret != 0) {
+	if (!E_md4hash(trustpw, nt_key)) {
 		res = false;
 		goto done;
 	}
@@ -2927,14 +2912,6 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 		memset(trustpw, 0, strlen(trustpw));
 		talloc_free(trustpw);
 	}
-	if (trustpw_utf8 != NULL) {
-		memset(trustpw_utf8, 0, strlen(trustpw_utf8));
-		talloc_free(trustpw_utf8);
-	}
-	if (tmp_str != NULL) {
-		memset(tmp_str, 0, strlen(tmp_str));
-		talloc_free(tmp_str);
-	}
 
 	return res;
 }

From fef8e13d0c6c453d2849c2edc3743bf6fc614e1d Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 16 Jun 2017 17:49:44 +0200
Subject: [PATCH 2/2] ipa_pwd_extop: do not generate NT hashes in FIPS mode

In FIPS mode NT hashes (aka md4) are not allowed. If FIPS mode is
detected we disable NT hashes even if they are allowed by the IPA
configuration.
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 53 ++--
 1 file changed, 40 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 761f7a8e3e..5efadac5b1 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -46,6 +46,8 @@
 /* Type of connection for this operation;*/
 #define LDAP_EXTOP_PASSMOD_CONN_SECURE
 
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
+
 /* Uncomment the following #undef FOR TESTING:
  * allows non-SSL connections to use the password change extended op */
 /* #undef LDAP_EXTOP_PASSMOD_CONN_SECURE */
@@ -62,6 +64,27 @@ static const char *ipapwd_def_encsalts[] = {
 NULL
 };
 
+static bool fips_enabled(void)
+{
+int fd;
+ssize_t len;
+char buf[8];
+
+fd = open(PROC_SYS_FIPS, O_RDONLY);
+if (fd != -1) {
+len = read(fd, buf, sizeof(buf));
+close(fd);
+/* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
+ * similar to the is_fips_enabled() check in
+ * ipaplatform/redhat/tasks.py */
+if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
+return true;
+}
+}
+
+return false;
+}
+
 static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 {
 krb5_error_code krberr;
@@ -232,23 +255,27 @@ static struct ipapwd_krbcfg 

[Freeipa-devel] [freeipa PR#823][opened] ipa-kdb: reload certificate mapping rules periodically

2017-05-26 Thread sumit-bose via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/823
Author: sumit-bose
 Title: #823: ipa-kdb: reload certificate mapping rules periodically
Action: opened

PR body:
"""
With this patch the certificate mapping rules are reloaded every 5
minutes.

Resolves https://pagure.io/freeipa/issue/6963
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/823/head:pr823
git checkout pr823
From 5f62a9bf427a3b12b56e8641fda2832680b04a70 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 26 May 2017 18:19:48 +0200
Subject: [PATCH] ipa-kdb: reload certificate mapping rules periodically

With this patch the certificate mapping rules are reloaded every 5
minutes.

Resolves https://pagure.io/freeipa/issue/6963
---
 daemons/ipa-kdb/ipa_kdb_certauth.c | 153 -
 1 file changed, 81 insertions(+), 72 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
index a53a2ce4e7..dbe7a04437 100644
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -58,6 +58,8 @@
 #define CERTMAP_FILTER "(&("OBJECTCLASS"="IPA_OC_CERTMAP_RULE")" \
   "("IPA_ENABLED_FLAG"="IPA_TRUE_VALUE"))"
 
+#define DEFAULT_CERTMAP_LIFETIME 300
+
 #ifndef discard_const
 #define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
 #endif
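Review bot: DEFAULT_CERTMAP_LIFETIME has neither a unit in its name nor a comment; from the PR description (rules reloaded every 5 minutes) it is seconds, so say so: `#define DEFAULT_CERTMAP_LIFETIME 300 /* seconds a loaded certmap rule set is used before it is re-read from LDAP */`. The new `time_t valid_until` member in the next hunk (L370-L377) deserves the matching comment, e.g. `/* reload the certmap rules once this time has passed */`. The comparison itself is not in the visible hunks, so whether it uses wall-clock time, and is therefore affected by clock jumps, cannot be confirmed from here.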
@@ -67,6 +69,7 @@ struct krb5_certauth_moddata_st {
 char *local_domain;
 struct sss_certmap_ctx *sss_certmap_ctx;
 struct ipadb_context *ipactx;
+time_t valid_until;
 };
 
 void ipa_certmap_debug(void *private,
@@ -133,95 +136,101 @@ static krb5_error_code ipa_get_init_data(krb5_context kcontext,
 }
 
 if (ipactx->certauth_moddata == NULL) {
-ret = asprintf(, "cn=certmap,%s", ipactx->base);
-if (ret == -1) {
-return ENOMEM;
-}
+ipactx->certauth_moddata = moddata_out;
 
-kerr = ipadb_simple_search(ipactx,basedn, LDAP_SCOPE_SUBTREE,
-   CERTMAP_FILTER, discard_const(certmap_attrs),
-   );
-if (kerr != 0 && kerr != KRB5_KDB_NOENTRY) {
-goto done;
+if (ipactx->realm != NULL) {
+ipactx->certauth_moddata->local_domain = strdup(ipactx->realm);
+if (ipactx->certauth_moddata->local_domain == NULL) {
+free(ipactx->certauth_moddata);
+ipactx->certauth_moddata = NULL;
+ret = ENOMEM;
+goto done;
+}
 }
 
-ret = sss_certmap_init(NULL, ipa_certmap_debug, NULL, );
+ipactx->certauth_moddata->ipactx = ipactx;
+
+}
+
+ret = asprintf(, "cn=certmap,%s", ipactx->base);
+if (ret == -1) {
+return ENOMEM;
+}
+
+kerr = ipadb_simple_search(ipactx,basedn, LDAP_SCOPE_SUBTREE,
+   CERTMAP_FILTER, discard_const(certmap_attrs),
+   );
+if (kerr != 0 && kerr != KRB5_KDB_NOENTRY) {
+goto done;
+}
+
+ret = sss_certmap_init(NULL, ipa_certmap_debug, NULL, );
+if (ret != 0) {
+return ret;
+}
+
+if (kerr == KRB5_KDB_NOENTRY) {
+ret = sss_certmap_add_rule(ctx, SSS_CERTMAP_MIN_PRIO,
+   NULL, NULL, NULL);
 if (ret != 0) {
-return ret;
+goto done;
 }
-
-if (kerr == KRB5_KDB_NOENTRY) {
-ret = sss_certmap_add_rule(ctx, SSS_CERTMAP_MIN_PRIO,
-   NULL, NULL, NULL);
-if (ret != 0) {
+} else {
+lc = ipactx->lcontext;
+
+for (le = ldap_first_entry(lc, result); le;
+ le = ldap_next_entry(lc, le)) {
+prio = SSS_CERTMAP_MIN_PRIO;
+ret = ipadb_ldap_attr_to_uint32(lc, le, IPA_CERTMAP_PRIORITY,
+);
+if (ret != 0 && ret != ENOENT) {
 goto done;
 }
-} else {
-lc = ipactx->lcontext;
-
-for (le = ldap_first_entry(lc, result); le;
- le = ldap_next_entry(lc, le)) {
-prio = SSS_CERTMAP_MIN_PRIO;
-ret = ipadb_ldap_attr_to_uint32(lc, le, IPA_CERTMAP_PRIORITY,
-);
-if (ret != 0 && ret != ENOENT) {
-goto done;
-}
-
-free(map_rule);
-map_rule = NULL;
-ret = ipadb_ldap_attr_to_str(lc, le, IPA_CERTMAP_MAPRULE,
- _rule);
-if (ret != 0 && ret != ENOENT) {
-goto done;
-}
 
-free(match_rule);
-match_rule = NULL;
-ret = ipadb_ldap_attr_to_str(lc, le, IPA_CERTMAP_MATCHRULE,

[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-02 Thread sumit-bose via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

sumit-bose commented:
"""
> @sumit-bose I got confused by "periodically" in title and "every 5 minutes" 
> in description. It works as expected.

ah, yes, I'm sorry the wording is misleading. Please let me know if I should 
fix the commit message before the patch is pushed?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305778177


[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-01 Thread sumit-bose via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

sumit-bose commented:
"""
@dkupka, the reload only happens while processing a PKINIT request if the 
rules are older than 5 minutes. It is not a timed event which runs all the time 
every 5 minutes.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305523652


[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-01 Thread sumit-bose via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

sumit-bose commented:
"""
@dkupka, ah, this is a side effect of having multiple workers (3907-3912). The 
IPA context is not shared between the workers so each will load the certificate 
mapping rules on its own.

If I checked the reload times of the different workers correctly none does it 
more often than once in 5 minutes.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305487292


[Freeipa-devel] [freeipa PR#1115][opened] ipa-kdb: reinit trusted domain data for enterprise principals

2017-09-28 Thread sumit-bose via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1115
Author: sumit-bose
 Title: #1115: ipa-kdb: reinit trusted domain data for enterprise principals
Action: opened

PR body:
"""
While processing enterprise principals the information about trusted domains
might not be up-to-date. With this patch ipadb_reinit_mspac() is called if an
unknown domain is part of the enterprise principal.

Resolves https://pagure.io/freeipa/issue/7172
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1115/head:pr1115
git checkout pr1115
From 26120d3fe97841890f08b59a37a2c58183d2d9ad Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 27 Sep 2017 14:17:49 +0200
Subject: [PATCH] ipa-kdb: reinit trusted domain data for enterprise principals

While processing enterprise principals the information about trusted domains
might not be up-to-date. With this patch ipadb_reinit_mspac() is called if an
unknown domain is part of the enterprise principal.

Resolves https://pagure.io/freeipa/issue/7172
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 82c857430b..7935ad58d5 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1259,6 +1259,16 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
  realm,
  upn->length - (realm - upn->data),
  _realm);
+if (kerr == KRB5_KDB_NOENTRY) {
+/* try to refresh trusted domain data and try again */
+kerr = ipadb_reinit_mspac(ipactx, false);
+if (kerr != 0) {
+goto done;
+}
+kerr = ipadb_is_princ_from_trusted_realm(kcontext, realm,
+  upn->length - (realm - upn->data),
+  _realm);
+}
 if (kerr == 0) {
 kentry = calloc(1, sizeof(krb5_db_entry));
 if (!kentry) {
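Review bot: The retry path added here runs ipadb_reinit_mspac() for any AS-REQ whose enterprise principal names a realm the KDC does not know, which an unauthenticated client can trigger at will; that is acceptable only because the non-forced call is throttled (the PR#1529 description on this page says at most once a minute), and the comment should say so: `/* unknown realm: refresh the trusted-domain data (the non-forced reinit is rate-limited) and retry once */`. Note also that a failing reinit now makes the lookup return the reinit error instead of KRB5_KDB_NOENTRY, which changes the client-visible outcome for what was previously a plain unknown-realm case; worth confirming that is intended. ipadb_get_principal() starts before and continues after this hunk.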


[Freeipa-devel] Testing extdom plugin directly

2018-01-18 Thread Sumit Bose via FreeIPA-devel
Hi,

please find attached a small python class (generated with asn1ate) which
might help to generate the needed data to send a request to the extdom
plugin directly. This might be useful to write tests.

To generate the base64 encoded data needed e.g. for the ldapexop command
I used:

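from pyasn1.codec.der.encoder import encode as der_encoder
from base64 import b64encode
from pyasn1.codec.native.decoder import decode
from s2n_req import ExtdomRequestValue

# Build an ExtdomRequestValue for a "name" lookup of ad_user in ad_domain and
# print it DER-encoded and base64-wrapped, ready for the ldapexop command line.
ad_user = 'aduser'
ad_domain = 'ad.domain'
request_type = 'full'

name = {'domainname': ad_domain, 'objectname': ad_user}
data = {'name': name}
r = {'inputType': 'name', 'requestType': request_type, 'data': data}

# pyasn1's native decoder turns the plain dict into the ASN.1 object described
# by ExtdomRequestValue; the DER encoder then serialises it.
req = decode(r, asn1Spec=ExtdomRequestValue())
der_serialisation = der_encoder(req)
# print() as a function plus .decode() keeps this working on Python 2 and 3
# (b64encode returns bytes on Python 3).
print(b64encode(der_serialisation).decode('ascii'))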

(sorry for the bad python)

$ python my_req.py 
MBsKAQIKAQIwEwQJYWQuZG9tYWluBAZhZHVzZXI=

Now you can send the request to the extdom plugin by calling:

ldapexop -x 
2.16.840.1.113730.3.8.10.4.1::MBsKAQIKAQIwEwQJYWQuZG9tYWluBAZhZHVzZXI=

If the user was found ldapexop will return a base64 encoded reply. So
far using e.g. dumpasn1 was sufficient for me to look at the reply
because I mainly used the requests to generate load for the extdom
plugin and didn't care much about the reply. But if I find some time
I might add a class to decode the reply properly later.

HTH

bye,
Sumit
# Auto-generated by asn1ate v.0.6.1.dev0 from s2n_req.asn1
# (last modified on 2018-01-15 15:15:47.250042)

from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful


class NameDomainData(univ.Sequence):
    """SEQUENCE of a domain name and an object name, both OCTET STRINGs;
    used as the 'name' alternative of InputData."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('domainname', univ.OctetString()),
        namedtype.NamedType('objectname', univ.OctetString()),
    )


class PosixGid(univ.Sequence):
    """SEQUENCE of a domain name (OCTET STRING) and a gid (INTEGER)."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('domainname', univ.OctetString()),
        namedtype.NamedType('gid', univ.Integer()),
    )


class PosixUid(univ.Sequence):
    """SEQUENCE of a domain name (OCTET STRING) and a uid (INTEGER)."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('domainname', univ.OctetString()),
        namedtype.NamedType('uid', univ.Integer()),
    )


class InputData(univ.Choice):
    """CHOICE between the four ways of identifying the object to look up:
    a SID (OCTET STRING), a name within a domain, a POSIX uid or a POSIX gid."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('sid', univ.OctetString()),
        namedtype.NamedType('name', NameDomainData()),
        namedtype.NamedType('uid', PosixUid()),
        namedtype.NamedType('gid', PosixGid()),
    )


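class ExtdomRequestValue(univ.Sequence):
    """Top-level request value sent to the extdom plugin: the kind of input
    given (inputType), the request type (simple, full or fullwithmembers)
    and the input itself (data).

    The closing parentheses of the two Enumerated definitions were lost in
    the archived copy; they are restored here so the module parses.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('inputType', univ.Enumerated(
            namedValues=namedval.NamedValues(
                ('sid', 1), ('name', 2), ('posixuid', 3), ('posixgid', 4)))),
        namedtype.NamedType('requestType', univ.Enumerated(
            namedValues=namedval.NamedValues(
                ('simple', 1), ('full', 2), ('fullwithmembers', 3)))),
        namedtype.NamedType('data', InputData()),
    )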




[Freeipa-devel] [freeipa PR#1529][opened] ipa-kdb: update trust information in all workers

2018-02-06 Thread sumit-bose via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1529
Author: sumit-bose
 Title: #1529: ipa-kdb: update trust information in all workers
Action: opened

PR body:
"""
Currently there is already code to make sure that after trust is established an
AS-REQ of the local HTTP principal causes a refresh of the internal structures
holding the information about the trusted domains.

But this refreshes only the data of the current krb5kdc worker process on the
local host. Other workers and the KDCs on other hosts will update the data
eventually when a request with a principal from a trusted realm is handled.

During this phase, which might last quite long if remote principals are only
handled rarely, TGTs for local principals might or might not contain a PAC
because the decision if a PAC should be added or not is based on the
information about trusted domains. Since the PAC is needed to access services
on the AD side this access might fail intermittently depending which worker
process on which host is handling the request. This might e.g. affect SSSD
running on the IPA server with two-way trust.

To fix this this patch calls ipadb_reinit_mspac() whenever a PAC is needed but
without the 'force' flag so that the refresh will only happen if it wasn't
called recently (currently not more often than once a minute).

An alternative might be to do the refresh only when processing cross-realm TGT
requests. But this would be already too late because the local principal asking
for a cross-realm ticket would not have a PAC and hence the first attempt will
still fail due to the missing PAC. And injecting the PAC in the cross-realm TGT
while there is none in the requesting ticket does not sound right.

Related to https://pagure.io/freeipa/issue/7351
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1529/head:pr1529
git checkout pr1529
From e2d6e693329146d180bb577604373d4f0a4ae3dc Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Mon, 4 Dec 2017 16:57:31 +0100
Subject: [PATCH] ipa-kdb: update trust information in all workers

Currently there is already code to make sure that after trust is established an
AS-REQ of the local HTTP principal causes a refresh of the internal structures
holding the information about the trusted domains.

But this refreshes only the data of the current krb5kdc worker process on the
local host. Other workers and the KDCs on other hosts will update the data
eventually when a request with a principal from a trusted realm is handled.

During this phase, which might last quite long if remote principals are only
handled rarely, TGTs for local principals might or might not contain a PAC
because the decision if a PAC should be added or not is based on the
information about trusted domains. Since the PAC is needed to access services
on the AD side this access might fail intermittently depending which worker
process on which host is handling the request. This might e.g. affect SSSD
running on the IPA server with two-way trust.

To fix this this patch calls ipadb_reinit_mspac() whenever a PAC is needed but
without the 'force' flag so that the refresh will only happen if it wasn't
called recently (currently not more often than once a minute).

An alternative might be to do the refresh only when processing cross-realm TGT
requests. But this would be already too late because the local principal asking
for a cross-realm ticket would not have a PAC and hence the first attempt will
still fail due to the missing PAC. And injecting the PAC in the cross-realm TGT
while there is none in the requesting ticket does not sound right.

Related to https://pagure.io/freeipa/issue/7351
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 33 -
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 00cc19ca1e..11e036986a 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2121,6 +2121,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 int result;
 krb5_db_entry *client_entry = NULL;
 krb5_boolean is_equal;
+bool force_reinit_mspac = false;
 
 
 is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
@@ -2174,24 +2175,30 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 }
 
 if (with_pac && make_ad) {
+
+ipactx = ipadb_get_context(context);
+if (!ipactx) {
+kerr = ENOMEM;
+goto done;
+}
+
 /* Be aggressive here: special case for discovering range type
- * immediately after establishing the trust by IPA framework */
+ * immediately after establishing the trust by IPA framework. For all
+ * other cases call ipadb_reinit_mspac() with force_reinit_mspac set
+ * to 'false' to make sure the information about trusted domains is
+ * updated on a regular basis for all 

[Freeipa-devel] [freeipa PR#1537][opened] ipa-kdb: use magic value to check if ipadb is used

2018-02-07 Thread sumit-bose via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1537
Author: sumit-bose
 Title: #1537: ipa-kdb: use magic value to check if ipadb is used
Action: opened

PR body:
"""
The certauth plugin is configured in /etc/krb5.conf independently from
the database module. As a result the IPA certauth plugin can be added to
the configuration without the IPA DAL driver. Since the IPA certauth
plugin depends on the presence of the IPA DAL driver this patch adds a
magic value at the beginning of struct ipadb_context which can be
checked to see if the IPA DAL driver is properly initialized.

Resolves https://pagure.io/freeipa/issue/7261
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1537/head:pr1537
git checkout pr1537
From 86347cdaec7bb67335251d9ea3c718533584590a Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 7 Feb 2018 17:10:08 +0100
Subject: [PATCH] ipa-kdb: use magic value to check if ipadb is used

The certauth plugin is configured in /etc/krb5.conf independently from
the database module. As a result the IPA certauth plugin can be added to
the configuration without the IPA DAL driver. Since the IPA certauth
plugin depends on the presence of the IPA DAL driver this patch adds a
magic value at the beginning of struct ipadb_context which can be
checked to see if the IPA DAL driver is properly initialized.

Resolves https://pagure.io/freeipa/issue/7261
---
 daemons/ipa-kdb/ipa_kdb.c  | 1 +
 daemons/ipa-kdb/ipa_kdb.h  | 2 ++
 daemons/ipa-kdb/ipa_kdb_certauth.c | 2 +-
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index b11153eccd..222900ae7a 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -522,6 +522,7 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
 if (!ipactx) {
 return ENOMEM;
 }
+ipactx->magic = IPA_CONTEXT_MAGIC;
 
 /* only check for unsupported 'temporary' value for now */
 for (i = 0; db_args != NULL && db_args[i] != NULL; i++) {
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index be2f457522..d187d969f5 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -101,7 +101,9 @@ struct ipadb_global_config {
 bool disable_preauth_for_spns;
 };
 
+#define IPA_CONTEXT_MAGIC 0x0c027ea7
 struct ipadb_context {
+int magic;
 char *uri;
 char *base;
 char *realm;
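Review bot: The check added in the ipa_kdb_certauth.c hunk below (`ipactx->magic != IPA_CONTEXT_MAGIC`) reads the first int of whatever ipadb_get_context() returns; when a different DAL module is loaded that pointer, if non-NULL, refers to that module's private data, so this is a best-effort tag rather than a type-safe check, and the define should say so: `/* Tags a live struct ipadb_context so other KDC plugins can tell it from a foreign DAL context (heuristic, see ipa_kdb_certauth.c) */`. Consider also resetting `magic` where the context is torn down, if such a path exists, so that a stale pointer to a freed context is not accepted. A fixed-width `uint32_t` would match the 32-bit constant more precisely than `int`, though `int` works.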
diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
index 35e5e7d086..82589f2f92 100644
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -131,7 +131,7 @@ static krb5_error_code ipa_get_init_data(krb5_context kcontext,
 krb5_klog_syslog(LOG_INFO, "Initializing IPA certauth plugin.");
 
 ipactx = ipadb_get_context(kcontext);
-if (ipactx == NULL) {
+if (ipactx == NULL || ipactx->magic != IPA_CONTEXT_MAGIC) {
 return KRB5_KDB_DBNOTINITED;
 }
 


[Freeipa-devel] [freeipa PR#2846][opened] ipa_sam: remove dependency to talloc_strackframe.h

2019-02-19 Thread sumit-bose via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2846
Author: sumit-bose
 Title: #2846: ipa_sam: remove dependency to talloc_strackframe.h
Action: opened

PR body:
"""
Recent Samba versions removed some header files which did include
non-public APIs. As a result talloc_strackframe.h and memory.h (for
SAFE_FREE) are not available anymore. This patch replaces the use of the
non-public APIs with public ones.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2846/head:pr2846
git checkout pr2846
From dcc855ee5745ba0e265bf355d76b6941ce2cc439 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Tue, 19 Feb 2019 12:30:40 +0100
Subject: [PATCH] ipa_sam: remove dependency to talloc_strackframe.h

Recent Samba versions removed some header files which did include
non-public APIs. As a result talloc_strackframe.h and memory.h (for
SAFE_FREE) are not available anymore. This patch replaces the use of the
non-public APIs with public ones.
---
 daemons/ipa-sam/ipa_sam.c | 16 
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index b1e0294e34..ac0aa48f18 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -19,7 +19,6 @@
 #include 
 #include 
 #include 
-#include 
 
 #ifndef _SAMBA_UTIL_H_
 bool trim_string(char *s, const char *front, const char *back);
@@ -880,9 +879,13 @@ static bool ipasam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
 	struct dom_sid *user_sid = NULL;
 	int rc;
 	enum idmap_error_code err;
-	TALLOC_CTX *tmp_ctx = talloc_stackframe();
 	struct unixid id;
 
+	TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+	if (tmp_ctx == NULL) {
+		goto done;
+	}
+
 	/* Fast fail if we get a request for uidNumber=0 because it currently
 	 * will never exist in the directory
 	 * Saves an expensive LDAP call of which failure will never be cached
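Review bot: Replacing talloc_stackframe() with talloc_new(NULL) removes the parent that used to reclaim tmp_ctx, so every exit path after this point must reach the talloc_free(tmp_ctx) at `done:`; that label and the function's result variable are outside the hunk, so check that the new `goto done` on allocation failure returns a defined value (false) rather than an uninitialized result. A one-line comment on the new context, `/* top-level context: must be freed at done on every path */`, would make the ownership explicit. The same pattern appears in ipasam_gid_to_sid() at L971-L985.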
@@ -967,9 +970,13 @@ static bool ipasam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
 	size_t c;
 	int rc;
 	enum idmap_error_code err;
-	TALLOC_CTX *tmp_ctx = talloc_stackframe();
 	struct unixid id;
 
+	TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+	if (tmp_ctx == NULL) {
+		goto done;
+	}
+
 	filter = talloc_asprintf(tmp_ctx,
  "(|(&(gidNumber=%u)"
  "(objectClass=%s))"
@@ -3620,7 +3627,8 @@ static void ipasam_free_private_data(void **vp)
 		(*ipasam_state)->result = NULL;
 	}
 	if ((*ipasam_state)->domain_dn != NULL) {
-		SAFE_FREE((*ipasam_state)->domain_dn);
+		free((*ipasam_state)->domain_dn);
+		(*ipasam_state)->domain_dn = NULL;
 	}
 
 	*ipasam_state = NULL;
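Review bot: The `!= NULL` guard around the new `free()` at L991 is now redundant: `free(NULL)` is a no-op and the assignment on L992 is harmless on an already-NULL pointer, so the SAFE_FREE replacement can stand unconditionally as `free((*ipasam_state)->domain_dn); (*ipasam_state)->domain_dn = NULL;`. Keeping the guard is not wrong, but the neighbouring member cleanups, partly visible at L987–L988, should then follow one convention rather than two.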


[Freeipa-devel] [freeipa PR#2891][opened] ipa-extdom-exop: add instance counter and limit

2019-03-11 Thread sumit-bose via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2891
Author: sumit-bose
 Title: #2891: ipa-extdom-exop: add instance counter and limit
Action: opened

PR body:
"""
The user and group lookups done by the extdom plugin might need some
time depending on the state of the service (typically SSSD) handling the
requests.

To avoid that all worker threads are busy waiting on a connect or a
reply from SSSD and no other request can be handled this patch adds an
instance counter and an instance limit for the extdom plugin.

By default the limit will be around 80% of the number of worker threads.
It can be tuned further with the plugin option ipaExtdomMaxInstances
which must be set in ipaextdommaxinstances and should have an integer
value larger than 0 and less than the number of worker threads.

If the instance limit is reached the extdom plugin will return LDAP_BUSY
for every new request until the number of instance is again below the
limit.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2891/head:pr2891
git checkout pr2891
From 7c137695b23226237d531043f20eed9f5f04ba12 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 8 Mar 2019 16:07:56 +0100
Subject: [PATCH] ipa-extdom-exop: add instance counter and limit

The user and group lookups done by the extdom plugin might need some
time depending on the state of the service (typically SSSD) handling the
requests.

To avoid that all worker threads are busy waiting on a connect or a
reply from SSSD and no other request can be handled this patch adds an
instance counter and an instance limit for the extdom plugin.

By default the limit will be around 80% of the number of worker threads.
It can be tuned further with the plugin option ipaExtdomMaxInstances
which must be set in ipaextdommaxinstances and should have an integer
value larger than 0 and less than the number of worker threads.

If the instance limit is reached the extdom plugin will return LDAP_BUSY
for every new request until the number of instance is again below the
limit.
---
 .../ipa-extdom-extop/ipa_extdom.h |   2 +
 .../ipa-extdom-extop/ipa_extdom_extop.c   | 133 ++
 2 files changed, 135 insertions(+)

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
index bbc574747e..e01e74ca59 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
@@ -157,6 +157,8 @@ struct ipa_extdom_ctx {
 char *base_dn;
 size_t max_nss_buf_size;
 struct nss_ops_ctx *nss_ctx;
+Slapi_Counter *extdom_instance_counter;
+size_t extdom_max_instances;
 };
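Review bot: The two new members at L1071–L1072 carry no comment, and their meaning is only recoverable from the commit message. Suggest `/* running extdom requests, compared against extdom_max_instances */` above `extdom_instance_counter` and `/* concurrent-request limit: ~80% of nsslapd-threadnumber by default, tunable via ipaExtdomMaxInstances; LDAP_BUSY is returned once reached */` above `extdom_max_instances`. A note on which code path creates and destroys the Slapi_Counter would also help, since that ownership is not visible in this change.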
 
 struct domain_info {
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
index 83c30e7e6a..3abaa411d2 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
@@ -62,8 +62,112 @@ static char *ipa_extdom_name_list[] = {
 NULL
 };
 
+#define NSSLAPD_THREADNUMBER "nsslapd-threadnumber"
+static int ipa_get_threadnumber(Slapi_ComponentId *plugin_id, size_t *threadnumber)
+{
+Slapi_PBlock *search_pb = NULL;
+int search_result;
+Slapi_Entry **search_entries = NULL;
+int ret;
+char *attrs[] = { NSSLAPD_THREADNUMBER, NULL };
+
+search_pb = slapi_pblock_new();
+if (search_pb == NULL) {
+LOG_FATAL("Failed to create new pblock.\n");
+ret = LDAP_OPERATIONS_ERROR;
+goto done;
+}
+
+slapi_search_internal_set_pb(search_pb, "cn=config",
+ LDAP_SCOPE_BASE, "objectclass=*",
+ attrs, 0, NULL, NULL, plugin_id, 0);
+
+ret = slapi_search_internal_pb(search_pb);
+if (ret != 0) {
+LOG_FATAL("Starting internal search failed.\n");
+goto done;
+}
+
+ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT,
+   _result);
+if (ret != 0 || search_result != LDAP_SUCCESS) {
+LOG_FATAL("Internal search failed [%d][%d].\n", ret, search_result);
+ret = LDAP_OPERATIONS_ERROR;
+goto done;
+}
+
+ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES,
+   _entries);
+if (ret != 0) {
+LOG_FATAL("Failed to read searched entries.\n");
+goto done;
+}
+
+if (search_entries == NULL || search_entries[0] == NULL) {
+LOG("No existing entries.\n");
+ret = LDAP_NO_SUCH_OBJECT;
+goto done;
+}
+
+if (search_entries[1] != NULL) {
+LOG("Too many results found.\n");
+ret = LDAP_OPERATIONS_ERROR;
+goto done;
+}
+
+*threadnumber = slapi_entry_attr_get_uint(search_entries[0],
+  NSSLAPD_THREADNUMBER);
+
+

[Freeipa-devel] [freeipa PR#3542][opened] extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT

2019-08-15 Thread sumit-bose via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/3542
Author: sumit-bose
 Title: #3542: extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT
Action: opened

PR body:
"""
A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to
remove the searched object from the cache. As a consequence
LDAP_NO_SUCH_OBJECT should only be returned if the object really does
not exist; otherwise the data of existing objects might be removed from
the cache of the clients, causing unexpected behaviour like
authentication errors.

Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code.
With this patch LDAP_NO_SUCH_OBJECT is only returned if the related
lookup functions return ENOENT. Timeout related error code will lead to
LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default
error code.

Related to https://pagure.io/freeipa/issue/8044
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3542/head:pr3542
git checkout pr3542
From 8f1f89858c48da27ce1b9f7c46281b61c744b4f1 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 14 Jun 2019 11:13:54 +0200
Subject: [PATCH] extdom: unify error code handling especially
 LDAP_NO_SUCH_OBJECT

A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to
remove the searched object from the cache. As a consequence
LDAP_NO_SUCH_OBJECT should only be returned if the object really does
not exist; otherwise the data of existing objects might be removed from
the cache of the clients, causing unexpected behaviour like
authentication errors.

Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code.
With this patch LDAP_NO_SUCH_OBJECT is only returned if the related
lookup functions return ENOENT. Timeout related error code will lead to
LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default
error code.

Related to https://pagure.io/freeipa/issue/8044
---
 .../ipa-extdom-extop/back_extdom_sss_idmap.c  |  4 +-
 .../ipa-extdom-extop/ipa_extdom_common.c  | 77 ++-
 .../ipa-extdom-extop/ipa_extdom_extop.c   |  2 +
 3 files changed, 61 insertions(+), 22 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c
index ef552a9a37..163e8e1371 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c
@@ -62,10 +62,10 @@ static enum nss_status __convert_sss_nss2nss_status(int errcode) {
 return NSS_STATUS_SUCCESS;
 case ENOENT:
 return NSS_STATUS_NOTFOUND;
-case ETIME:
-/* fall-through */
 case ERANGE:
 return NSS_STATUS_TRYAGAIN;
+case ETIME:
+/* fall-through */
 case ETIMEDOUT:
 /* fall-through */
 default:
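Review bot: With `case ETIME:` moved below the TRYAGAIN group at L1210, both timeout errnos now take whatever the `default:` branch returns, which lies past the end of the hunk, and nothing at the site records that this is deliberate. A comment such as `/* timeouts are not retried here; callers map the raw errno to LDAP_TIMELIMIT_EXCEEDED */` above L1210 would keep the next reader from moving ETIME back. The description says timeouts should surface as LDAP_TIMELIMIT_EXCEEDED; presumably that mapping is done on the errno before this conversion (as in handle_uid_request at L1257), so it is worth confirming that no caller relies on the nss_status returned here to tell a timeout from a generic failure.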
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 525487c9e4..65c723ce65 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -523,7 +523,7 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
 if (strcasecmp(locat+1, domain_name) == 0  ) {
 locat[0] = '\0';
 } else {
-ret = LDAP_NO_SUCH_OBJECT;
+ret = LDAP_INVALID_SYNTAX;
 goto done;
 }
 }
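Review bot: LDAP_INVALID_SYNTAX at L1224 is returned when the lookup succeeded but the object's domain suffix differs from `domain_name`, which is not a malformed request; the choice avoids LDAP_NO_SUCH_OBJECT, which per the description makes the client evict the object from its cache, but nothing at the site says so. Suggest `/* Found in another domain; do not return NO_SUCH_OBJECT, clients would drop the object from their cache */` above the assignment. The same branch is changed in pack_ber_group at L1249, and PR#5991 further down this page replaces both with LDAP_NO_SUCH_OBJECT, so the rationale should be recorded wherever it finally lands. Both enclosing functions start outside their hunks.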
@@ -568,10 +568,12 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
 ret = getgrgid_r_wrapper(ctx,
  groups[c], , , _len);
 if (ret != 0) {
-if (ret == ENOMEM || ret == ERANGE) {
-ret = LDAP_OPERATIONS_ERROR;
-} else {
+if (ret == ENOENT) {
 ret = LDAP_NO_SUCH_OBJECT;
+} else if (ret == ETIMEDOUT) {
+ret = LDAP_TIMELIMIT_EXCEEDED;
+} else {
+ret = LDAP_OPERATIONS_ERROR;
 }
 goto done;
 }
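Review bot: The timeout mapping at L1237 tests only `ETIMEDOUT`, while the equivalent new branch in handle_uid_request at L1257 tests `ret == ETIMEDOUT || ret == ETIME`, so an ETIME from getgrgid_r_wrapper still falls into the generic LDAP_OPERATIONS_ERROR branch. Use the same condition here, `} else if (ret == ETIMEDOUT || ret == ETIME) {`, or factor the errno-to-LDAP mapping into one helper so the sites cannot drift. pack_ber_user starts and ends outside this hunk.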
@@ -634,7 +636,7 @@ int pack_ber_group(enum response_types response_type,
 if (strcasecmp(locat+1, domain_name) == 0  ) {
 locat[0] = '\0';
 } else {
-ret = LDAP_NO_SUCH_OBJECT;
+ret = LDAP_INVALID_SYNTAX;
 goto done;
 }
 }
@@ -836,6 +838,8 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx,
 || id_type == SSS_ID_TYPE_BOTH)) {
 if (ret == ENOENT) {
 ret = LDAP_NO_SUCH_OBJECT;
+} else if (ret == ETIMEDOUT || ret == ETIME) {
+ret = LDAP_TIMELIMIT_EXCEEDED;
 } else {
 set_err_msg(req, "Failed to lookup SID by UID");
 ret = LDAP_OPERATIONS_ERROR;
@@ -847,10 +851,12 @@ static int handle_uid_request(struct ipa_extdom_ctx 

[Freeipa-devel] [freeipa PR#4015][opened] ipa-kdd: Remove keys password auth is disabled

2019-12-11 Thread sumit-bose via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4015
Author: sumit-bose
 Title: #4015: ipa-kdd: Remove keys password auth is disabled
Action: opened

PR body:
"""
With commit 15ff9c8 a check was removed and as a result Kerberos keys
are unconditionally added to the user entry struct if they are
available. As a result the password related pre-authentication methods
PA-ENC-TIMESTAMP and PA-ETYPE-INFO2 are advertised in the NEEDED_PREAUTH
reply to an AS_REQ.

With respect to the KDC policies this does not matter much because if
password authentication is disabled for the given principal the policy
will reject the AS_REQ if the user tries password authentication. This
is possible because with commit 15ff9c8 kinit will ask for a password if
called without any additional options (e.g. armor ticket or PKINIT
identity). Before 15ff9c8 was committed it just failed with 'kinit:
Pre-authentication failed: Invalid argument while getting initial
credentials' because no suitable pre-authentication method was
available. This is the same behavior as if no password was set for the
given principal.

But with this change SSSD fails to detect the available authentication
types for the given principal properly. As described in
https://docs.pagure.org/SSSD.sssd/design_pages/prompting_for_multiple_authentication_types.html
SSSD uses the MIT Kerberos responder interface to determine the
available authentication methods for the principal and does not check
the ipaUserAuthType LDAP attribute. As a result if a user has 2FA (otp)
authentication configured, which implies that a password is set as the
first factor, the responder interface will always indicate that password
authentication is available even if only opt is enabled for the user.

In this case SSSD will use a prompting which indicates that the second
factor might be optional. Additionally if prompting the user directly is
not possible (e.g. ssh with ChallengeResponseAuthentication /
KbdInteractiveAuthentication disabled) the single string entered by the
user will always be assumed as a password and not as a combination of
password and otp-token value. As a consequence authentication will
always fail because password authentication is disabled for the user and
since SSSD does not do try-and-error 2FA is not tried.

This patch adds back the check so that if password authentication is not
available for the principal the Kerberos keys will not be added to the entry
struct and the KDC will not advertise PA-ENC-TIMESTAMP or
PA-ETYPE-INFO2. If you think this is wrong and the behavior added by
15ff9c8 should be preferred, SSSD handling of the available authentication
types must be extended to read ipaUserAuthType as well to restore the
user experience with respect to 2FA prompting and ssh behavior.

Related to https://pagure.io/freeipa/issue/8001
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4015/head:pr4015
git checkout pr4015
From a29c424a3144c939bfa0c4dc5e96519f493fae8f Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 11 Dec 2019 10:47:33 +0100
Subject: [PATCH] ipa-kdd: Remove keys password auth is disabled

With commit 15ff9c8 a check was removed and as a result Kerberos keys
are unconditionally added to the user entry struct if they are
available. As a result the password related pre-authentication methods
PA-ENC-TIMESTAMP and PA-ETYPE-INFO2 are advertised in the NEEDED_PREAUTH
reply to an AS_REQ.

With respect to the KDC policies this does not matter much because if
password authentication is disabled for the given principal the policy
will reject the AS_REQ if the user tries password authentication. This
is possible because with commit 15ff9c8 kinit will ask for a password if
called without any additional options (e.g. armor ticket or PKINIT
identity). Before 15ff9c8 was committed it just failed with 'kinit:
Pre-authentication failed: Invalid argument while getting initial
credentials' because no suitable pre-authentication method was
available. This is the same behavior as if no password was set for the
given principal.

But with this change SSSD fails to detect the available authentication
types for the given principal properly. As described in
https://docs.pagure.org/SSSD.sssd/design_pages/prompting_for_multiple_authentication_types.html
SSSD uses the MIT Kerberos responder interface to determine the
available authentication methods for the principal and does not check
the ipaUserAuthType LDAP attribute. As a result if a user has 2FA (otp)
authentication configured, which implies that a password is set as the
first factor, the responder interface will always indicate that password
authentication is available even if only opt is enabled for the user.

In this case SSSD will use a prompting which indicates that the second
factor might be optional. Additionally if prompting the user directly is
not possible (e.g. ssh with ChallengeResponseAuthentication /
KbdInteractiveAuthentication disabled) the single 

[Freeipa-devel] [freeipa PR#5991][opened] extdom: return LDAP_NO_SUCH_OBJECT if domains differ

2021-08-25 Thread sumit-bose via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5991
Author: sumit-bose
 Title: #5991: extdom: return LDAP_NO_SUCH_OBJECT if domains differ
Action: opened

PR body:
"""
If a client sends a request to lookup an object from a given trusted
domain by UID or GID and an object with matching ID is only found in a
different domain, the extdom plugin should return LDAP_NO_SUCH_OBJECT to
indicate to the client that the requested ID does not exist in the
given domain.

Resolves: https://pagure.io/freeipa/issue/8965
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5991/head:pr5991
git checkout pr5991
From 78fc4aba2dc7f5278e53e8ad5faeb1869731b5b7 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 25 Aug 2021 17:10:29 +0200
Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ

If a client sends a request to lookup an object from a given trusted
domain by UID or GID and an object with matching ID is only found in a
different domain, the extdom plugin should return LDAP_NO_SUCH_OBJECT to
indicate to the client that the requested ID does not exist in the
given domain.

Resolves: https://pagure.io/freeipa/issue/8965
---
 .../ipa-extdom-extop/ipa_extdom_common.c  | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 5d97ff6137d..6f646b9f49e 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
 if (strcasecmp(locat+1, domain_name) == 0  ) {
 locat[0] = '\0';
 } else {
-ret = LDAP_INVALID_SYNTAX;
+/* The found object is from a different domain than requested,
+ * that means it does not exist in the requested domain */
+ret = LDAP_NO_SUCH_OBJECT;
 goto done;
 }
 }
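Review bot: LDAP_NO_SUCH_OBJECT at L1412 is the result that, as PR#3542 above states, makes SSSD on the client drop the object from its cache, so a domain-suffix mismatch that stems from a configuration or naming problem rather than a genuinely absent object now evicts valid cached entries on every client that asks. The new comment should record that consequence, e.g. append `Clients evict their cached copy on NO_SUCH_OBJECT.` to it, so that a future maintainer does not widen this branch to other mismatch cases. The same change is made in pack_ber_group at L1421–L1423; both enclosing functions start outside their hunks.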
@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type,
 if (strcasecmp(locat+1, domain_name) == 0  ) {
 locat[0] = '\0';
 } else {
-ret = LDAP_INVALID_SYNTAX;
+/* The found object is from a different domain than requested,
+ * that means it does not exist in the requested domain */
+ret = LDAP_NO_SUCH_OBJECT;
 goto done;
 }
 }