[Freeipa-devel] [freeipa PR#879][comment] FIPS mode and NT hashes
URL: https://github.com/freeipa/freeipa/pull/879 Title: #879: FIPS mode and NT hashes sumit-bose commented: """ I just pushed a new version which includes the upstream ticket reference in the commit message, there are no changes to the code. """ See the full comment at https://github.com/freeipa/freeipa/pull/879#issuecomment-309683850 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#879][synchronized] FIPS mode and NT hashes
URL: https://github.com/freeipa/freeipa/pull/879 Author: sumit-bose Title: #879: FIPS mode and NT hashes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/879/head:pr879 git checkout pr879 From 4d7f9b07832da3a4caa1f7d34b2e1cbab2e5a195 Mon Sep 17 00:00:00 2001 From: Sumit BoseDate: Fri, 16 Jun 2017 16:26:41 +0200 Subject: [PATCH 1/2] ipa-sam: replace encode_nt_key() with E_md4hash() Since ipa-sam is running as part of smbd is it safe to use the E_md4hash() from Samba. This way ipa-sam does not depend on other crypto libraries which might depend on other rules like e.g. FIPS mode. Resolves https://pagure.io/freeipa/issue/7026 --- daemons/ipa-sam/ipa_sam.c | 27 ++- 1 file changed, 2 insertions(+), 25 deletions(-) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 6a29e8e10b..59d92f37c9 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -110,6 +110,7 @@ char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so * char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */ bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */ +bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth-samba4.so */ #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs" #define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain" @@ -2836,11 +2837,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, struct dom_sid *g_sid; char *name; char *trustpw = NULL; - char *trustpw_utf8 = NULL; - char *tmp_str = NULL; - int ret; uint8_t nt_key[16]; - size_t converted_size; bool res; char *sid_str; enum idmap_error_code err; 
@@ -2899,19 +2896,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, return false; } - if (!push_utf8_talloc(user, _utf8, trustpw, _size)) { - res = false; - goto done; - } - - tmp_str = talloc_strdup_upper(user, trustpw); - if (tmp_str == NULL) { - res = false; - goto done; - } - - ret = encode_nt_key(trustpw_utf8, nt_key); - if (ret != 0) { + if (!E_md4hash(trustpw, nt_key)) { res = false; goto done; } @@ -2927,14 +2912,6 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, memset(trustpw, 0, strlen(trustpw)); talloc_free(trustpw); } - if (trustpw_utf8 != NULL) { - memset(trustpw_utf8, 0, strlen(trustpw_utf8)); - talloc_free(trustpw_utf8); - } - if (tmp_str != NULL) { - memset(tmp_str, 0, strlen(tmp_str)); - talloc_free(tmp_str); - } return res; } From f5ca91d8dc5528f7f0f2f7edbb9a07cc01de8bfd Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 16 Jun 2017 17:49:44 +0200 Subject: [PATCH 2/2] ipa_pwd_extop: do not generate NT hashes in FIPS mode In FIPS mode NT hashes (aka md4) are not allowed. If FIPS more is detected we disable NT hashes even is the are allowed by IPA configuration. Resolves https://pagure.io/freeipa/issue/7026 --- daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 53 ++-- 1 file changed, 40 insertions(+), 13 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c index 761f7a8e3e..5efadac5b1 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c @@ -46,6 +46,8 @@ /* Type of connection for this operation;*/ #define LDAP_EXTOP_PASSMOD_CONN_SECURE +#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled" + /* Uncomment the following #undef FOR TESTING: * allows non-SSL connections to use the password change extended op */ /* #undef LDAP_EXTOP_PASSMOD_CONN_SECURE */ 
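Review bot: The NT hash that `E_md4hash(trustpw, nt_key)` writes into the stack buffer `nt_key` is as sensitive as the trust password it is derived from, yet the cleanup in the next hunk (`@@ -2927`) scrubs only `trustpw`, so the 16-byte key stays on the stack after init_sam_from_td() returns; unless a line outside these hunks already does it, add `memset(nt_key, 0, sizeof(nt_key));` before `return res;` (a plain memset of a local right before return can be dropped by the optimizer, so `explicit_bzero()` where available is the safer choice, and the same applies to the existing `memset(trustpw, 0, strlen(trustpw));`). Dropping the `push_utf8_talloc` and `talloc_strdup_upper` steps looks right because Samba's E_md4hash() does the charset conversion to UTF-16LE itself, but that is the kind of assumption that deserves a one-line comment at the call site, e.g. `/* E_md4hash() converts from the unix charset itself; pass trustpw as-is */`. init_sam_from_td() begins and ends outside the hunks, and the same two hunks are repeated in the [opened] notification further down this page.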
@@ -62,6 +64,27 @@ static const char *ipapwd_def_encsalts[] = { NULL }; +static bool fips_enabled(void) +{ +int fd; +ssize_t len; +char buf[8]; + +fd = open(PROC_SYS_FIPS, O_RDONLY); +if (fd != -1) { +len = read(fd, buf, sizeof(buf)); +close(fd); +/* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value + * similar to the is_fips_enabled() check in + * ipaplatform/redhat/tasks.py */ +if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) { +return true; +} +} + +return false; +} + static struct ipapwd_krbcfg *ipapwd_getConfig(void) { krb5_error_code krberr; @@ -232,23 +255,27 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void) /* get the ipa etc/ipaConfig entry */ config->allow_nt_hash = false; -ret = ipapwd_getEntry(ipa_etc_config_dn, _entry, NULL); -if (ret != LDAP_SUCCESS) { -LOG_FATAL("No config Entry?\n"); -goto free_and_error; +if (fips_enabled()) { +
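Review bot: `fips_enabled()` reports FIPS as on for every outcome other than reading exactly `0\n`, including `read()` returning -1 (EINTR, EIO), so a transient error silently turns off NT hash generation for that password change with nothing in the log; failing closed is the right default, but it must be visible — handle the error branch explicitly, e.g. `if (len < 0) { LOG_FATAL("cannot read " PROC_SYS_FIPS ", assuming FIPS mode\n"); return true; }` (LOG_FATAL is the only logging macro visible in this diff; a lower severity may fit better if the module has one). The `if (fd != -1)` block also quietly maps a failed `open()` (no /proc/sys/crypto, e.g. in a container) to "not FIPS", which the comment should state. The comment itself has a typo: `/* Assume FIPS is enabled if PROC_SYS_FIPS contains a non-0 value`. The `ipapwd_getConfig()` hunk that calls this helper is cut off on this page, and the same helper hunk reappears in the [opened] notification further down.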
[Freeipa-devel] [freeipa PR#879][opened] FIPS mode and NT hashes
URL: https://github.com/freeipa/freeipa/pull/879 Author: sumit-bose Title: #879: FIPS mode and NT hashes Action: opened PR body: """ In FIPS mode NT hashes (aka md4) are not allowed. If FIPS more is detected we disable NT hashes in the password plugin even is they are allowed by IPA configuration. Since ipa-sam is running as part of smbd is it safe to use the E_md4hash() from Samba. This way ipa-sam does not depend on other crypto libraries which might depend on other rules like e.g. FIPS mode. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/879/head:pr879 git checkout pr879 From 21e740d2ca6ebdfcf5d30b8468846e0e1c546de8 Mon Sep 17 00:00:00 2001 From: Sumit BoseDate: Fri, 16 Jun 2017 16:26:41 +0200 Subject: [PATCH 1/2] ipa-sam: replace encode_nt_key() with E_md4hash() Since ipa-sam is running as part of smbd is it safe to use the E_md4hash() from Samba. This way ipa-sam does not depend on other crypto libraries which might depend on other rules like e.g. FIPS mode. --- daemons/ipa-sam/ipa_sam.c | 27 ++- 1 file changed, 2 insertions(+), 25 deletions(-) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 6a29e8e10b..59d92f37c9 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -110,6 +110,7 @@ char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so * char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */ bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */ +bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth-samba4.so */ #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs" #define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain" 
@@ -2836,11 +2837,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, struct dom_sid *g_sid; char *name; char *trustpw = NULL; - char *trustpw_utf8 = NULL; - char *tmp_str = NULL; - int ret; uint8_t nt_key[16]; - size_t converted_size; bool res; char *sid_str; enum idmap_error_code err; @@ -2899,19 +2896,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, return false; } - if (!push_utf8_talloc(user, _utf8, trustpw, _size)) { - res = false; - goto done; - } - - tmp_str = talloc_strdup_upper(user, trustpw); - if (tmp_str == NULL) { - res = false; - goto done; - } - - ret = encode_nt_key(trustpw_utf8, nt_key); - if (ret != 0) { + if (!E_md4hash(trustpw, nt_key)) { res = false; goto done; } @@ -2927,14 +2912,6 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, memset(trustpw, 0, strlen(trustpw)); talloc_free(trustpw); } - if (trustpw_utf8 != NULL) { - memset(trustpw_utf8, 0, strlen(trustpw_utf8)); - talloc_free(trustpw_utf8); - } - if (tmp_str != NULL) { - memset(tmp_str, 0, strlen(tmp_str)); - talloc_free(tmp_str); - } return res; } From fef8e13d0c6c453d2849c2edc3743bf6fc614e1d Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 16 Jun 2017 17:49:44 +0200 Subject: [PATCH 2/2] ipa_pwd_extop: do not generate NT hashes in FIPS mode In FIPS mode NT hashes (aka md4) are not allowed. If FIPS more is detected we disable NT hashes even is the are allowed by IPA configuration. --- daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 53 ++-- 1 file changed, 40 insertions(+), 13 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c index 761f7a8e3e..5efadac5b1 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c 
@@ -46,6 +46,8 @@ /* Type of connection for this operation;*/ #define LDAP_EXTOP_PASSMOD_CONN_SECURE +#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled" + /* Uncomment the following #undef FOR TESTING: * allows non-SSL connections to use the password change extended op */ /* #undef LDAP_EXTOP_PASSMOD_CONN_SECURE */ @@ -62,6 +64,27 @@ static const char *ipapwd_def_encsalts[] = { NULL }; +static bool fips_enabled(void) +{ +int fd; +ssize_t len; +char buf[8]; + +fd = open(PROC_SYS_FIPS, O_RDONLY); +if (fd != -1) { +len = read(fd, buf, sizeof(buf)); +close(fd); +/* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value + * similar to the is_fips_enabled() check in + * ipaplatform/redhat/tasks.py */ +if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) { +return true; +} +} + +return false; +} + static struct ipapwd_krbcfg *ipapwd_getConfig(void) { krb5_error_code krberr; @@ -232,23 +255,27 @@ static struct ipapwd_krbcfg
[Freeipa-devel] [freeipa PR#823][opened] ipa-kdb: reload certificate mapping rules periodically
URL: https://github.com/freeipa/freeipa/pull/823 Author: sumit-bose Title: #823: ipa-kdb: reload certificate mapping rules periodically Action: opened PR body: """ With this patch the certificate mapping rules are reloaded every 5 minutes. Resolves https://pagure.io/freeipa/issue/6963 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/823/head:pr823 git checkout pr823 From 5f62a9bf427a3b12b56e8641fda2832680b04a70 Mon Sep 17 00:00:00 2001 From: Sumit BoseDate: Fri, 26 May 2017 18:19:48 +0200 Subject: [PATCH] ipa-kdb: reload certificate mapping rules periodically With this patch the certificate mapping rules are reloaded every 5 minutes. Resolves https://pagure.io/freeipa/issue/6963 --- daemons/ipa-kdb/ipa_kdb_certauth.c | 153 - 1 file changed, 81 insertions(+), 72 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c index a53a2ce4e7..dbe7a04437 100644 --- a/daemons/ipa-kdb/ipa_kdb_certauth.c +++ b/daemons/ipa-kdb/ipa_kdb_certauth.c @@ -58,6 +58,8 @@ #define CERTMAP_FILTER "(&("OBJECTCLASS"="IPA_OC_CERTMAP_RULE")" \ "("IPA_ENABLED_FLAG"="IPA_TRUE_VALUE"))" +#define DEFAULT_CERTMAP_LIFETIME 300 + #ifndef discard_const #define discard_const(ptr) ((void *)((uintptr_t)(ptr))) #endif @@ -67,6 +69,7 @@ struct krb5_certauth_moddata_st { char *local_domain; struct sss_certmap_ctx *sss_certmap_ctx; struct ipadb_context *ipactx; +time_t valid_until; }; void ipa_certmap_debug(void *private, 
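Review bot: `#define DEFAULT_CERTMAP_LIFETIME 300` and the new `time_t valid_until;` member carry no unit or meaning in either hunk; since the PR text says the rules are reloaded when older than 5 minutes, document it at the definition, e.g. `/* seconds a loaded certmap rule set stays valid before ipa_get_init_data() re-reads it */`, and at the field, `/* absolute time after which the rules are reloaded on the next PKINIT request */`. The value is a security policy knob, not a tuning detail: a rule that an admin disables in LDAP keeps matching certificates in every krb5kdc worker until its lifetime expires, which is worth a sentence in the commit message and argues for making the lifetime configurable rather than fixed. The `ipa_get_init_data()` hunk that implements the reload runs past the end of this page, so the refresh logic itself is not reviewed here.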
@@ -133,95 +136,101 @@ static krb5_error_code ipa_get_init_data(krb5_context kcontext, } if (ipactx->certauth_moddata == NULL) { -ret = asprintf(, "cn=certmap,%s", ipactx->base); -if (ret == -1) { -return ENOMEM; -} +ipactx->certauth_moddata = moddata_out; -kerr = ipadb_simple_search(ipactx,basedn, LDAP_SCOPE_SUBTREE, - CERTMAP_FILTER, discard_const(certmap_attrs), - ); -if (kerr != 0 && kerr != KRB5_KDB_NOENTRY) { -goto done; +if (ipactx->realm != NULL) { +ipactx->certauth_moddata->local_domain = strdup(ipactx->realm); +if (ipactx->certauth_moddata->local_domain == NULL) { +free(ipactx->certauth_moddata); +ipactx->certauth_moddata = NULL; +ret = ENOMEM; +goto done; +} } -ret = sss_certmap_init(NULL, ipa_certmap_debug, NULL, ); +ipactx->certauth_moddata->ipactx = ipactx; + +} + +ret = asprintf(, "cn=certmap,%s", ipactx->base); +if (ret == -1) { +return ENOMEM; +} + +kerr = ipadb_simple_search(ipactx,basedn, LDAP_SCOPE_SUBTREE, + CERTMAP_FILTER, discard_const(certmap_attrs), + ); +if (kerr != 0 && kerr != KRB5_KDB_NOENTRY) { +goto done; +} + +ret = sss_certmap_init(NULL, ipa_certmap_debug, NULL, ); +if (ret != 0) { +return ret; +} + +if (kerr == KRB5_KDB_NOENTRY) { +ret = sss_certmap_add_rule(ctx, SSS_CERTMAP_MIN_PRIO, + NULL, NULL, NULL); if (ret != 0) { -return ret; +goto done; } - -if (kerr == KRB5_KDB_NOENTRY) { -ret = sss_certmap_add_rule(ctx, SSS_CERTMAP_MIN_PRIO, - NULL, NULL, NULL); -if (ret != 0) { +} else { +lc = ipactx->lcontext; + +for (le = ldap_first_entry(lc, result); le; + le = ldap_next_entry(lc, le)) { +prio = SSS_CERTMAP_MIN_PRIO; +ret = ipadb_ldap_attr_to_uint32(lc, le, IPA_CERTMAP_PRIORITY, +); +if (ret != 0 && ret != ENOENT) { goto done; } -} else { -lc = ipactx->lcontext; - -for (le = ldap_first_entry(lc, result); le; - le = ldap_next_entry(lc, le)) { -prio = SSS_CERTMAP_MIN_PRIO; -ret = ipadb_ldap_attr_to_uint32(lc, le, IPA_CERTMAP_PRIORITY, -); -if (ret != 0 && ret != ENOENT) { -goto done; -} - -free(map_rule); -map_rule = NULL; -ret = 
ipadb_ldap_attr_to_str(lc, le, IPA_CERTMAP_MAPRULE, - _rule); -if (ret != 0 && ret != ENOENT) { -goto done; -} -free(match_rule); -match_rule = NULL; -ret = ipadb_ldap_attr_to_str(lc, le, IPA_CERTMAP_MATCHRULE,
[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically
URL: https://github.com/freeipa/freeipa/pull/823 Title: #823: ipa-kdb: reload certificate mapping rules periodically sumit-bose commented: """ > @sumit-bose I got confused by "periodically" in title and "every 5 minutes" > in description. It works as expected. ah, yes, I'm sorry the wording is misleading. Please let me know if I should fix the commit message before the patch is pushed? """ See the full comment at https://github.com/freeipa/freeipa/pull/823#issuecomment-305778177 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically
URL: https://github.com/freeipa/freeipa/pull/823 Title: #823: ipa-kdb: reload certificate mapping rules periodically sumit-bose commented: """ @dkupka, the reload only happens during processing the PKINIT request if the rules are older than 5 minutes. It is not a timed event which runs all the time every 5 minutes. """ See the full comment at https://github.com/freeipa/freeipa/pull/823#issuecomment-305523652 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically
URL: https://github.com/freeipa/freeipa/pull/823 Title: #823: ipa-kdb: reload certificate mapping rules periodically sumit-bose commented: """ @dkupka, ah, this is a side effect of having multiple workers (3907-3912). The IPA context is not shared between the workers so each will load the certificate mapping rule on its own. If I checked the reload times of the different workers correctly none does it more often than once in 5 minutes. """ See the full comment at https://github.com/freeipa/freeipa/pull/823#issuecomment-305487292 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#1115][opened] ipa-kdb: reinit trusted domain data for enterprise principals
URL: https://github.com/freeipa/freeipa/pull/1115 Author: sumit-bose Title: #1115: ipa-kdb: reinit trusted domain data for enterprise principals Action: opened PR body: """ While processing enterprise principals the information about trusted domains might not be up-to-date. With this patch ipadb_reinit_mspac() is called if an unknown domain is part of the enterprise principal. Resolves https://pagure.io/freeipa/issue/7172 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1115/head:pr1115 git checkout pr1115 From 26120d3fe97841890f08b59a37a2c58183d2d9ad Mon Sep 17 00:00:00 2001 From: Sumit BoseDate: Wed, 27 Sep 2017 14:17:49 +0200 Subject: [PATCH] ipa-kdb: reinit trusted domain data for enterprise principals While processing enterprise principals the information about trusted domains might not be up-to-date. With this patch ipadb_reinit_mspac() is called if an unknown domain is part of the enterprise principal. Resolves https://pagure.io/freeipa/issue/7172 --- daemons/ipa-kdb/ipa_kdb_principals.c | 10 ++ 1 file changed, 10 insertions(+) diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index 82c857430b..7935ad58d5 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c @@ -1259,6 +1259,16 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext, realm, upn->length - (realm - upn->data), _realm); +if (kerr == KRB5_KDB_NOENTRY) { +/* try to refresh trusted domain data and try again */ +kerr = ipadb_reinit_mspac(ipactx, false); +if (kerr != 0) { +goto done; +} +kerr = ipadb_is_princ_from_trusted_realm(kcontext, realm, + upn->length - (realm - upn->data), + _realm); +} if (kerr == 0) { kentry = calloc(1, sizeof(krb5_db_entry)); if (!kentry) { ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
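Review bot: The retry changes the failure semantics of the unknown-realm path: before, `kerr == KRB5_KDB_NOENTRY` simply skipped the `if (kerr == 0)` block and went on (the rest of ipadb_get_principal() is outside the hunk), whereas now any error from `ipadb_reinit_mspac()` — an LDAP hiccup while refreshing trust data — jumps to `done` and fails the whole lookup. Unless that is intended, keep the original outcome when the refresh fails, e.g. `if (kerr != 0) { kerr = KRB5_KDB_NOENTRY; } else { kerr = ipadb_is_princ_from_trusted_realm(...); }`, or at least log the refresh error before `goto done`. The refresh is now reachable from client-chosen input (an enterprise principal naming a realm the KDC does not know), so the non-forced `ipadb_reinit_mspac(ipactx, false)` must really be rate-limited; PR#1529 on this page describes it as running "not more often than once a minute", which is adequate, and a comment saying so at the call site, `/* non-forced reinit is rate-limited, so unknown realms cannot cause an LDAP refresh per request */`, would keep a future change from removing that property unnoticed.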
[Freeipa-devel] Testing extdom plugin directly
Hi, please find attached a small python class (generated with asn1ate) which might help to generate the needed data to send a request to the extdom plugin directly. This might be useful to write tests. To generate the base64 encoded data needed e.g. for the ldapexop command I used: from pyasn1.codec.der.encoder import encode as der_encoder from base64 import b64encode from pyasn1.codec.native.decoder import decode from s2n_req import ExtdomRequestValue ad_user = 'aduser' ad_domain = 'ad.domain' request_type = 'full' name = { 'domainname' : ad_domain, 'objectname' : ad_user } data = { 'name' : name } r = { 'inputType' : 'name' , 'requestType' : request_type, 'data' : data } req = decode(r, asn1Spec=ExtdomRequestValue()) der_serialisation = der_encoder(req) print b64encode(der_serialisation) (sorry for the bad python) $ python my_req.py MBsKAQIKAQIwEwQJYWQuZG9tYWluBAZhZHVzZXI= Now you can send the request to the extdom plugin by calling: ldapexop -x 2.16.840.1.113730.3.8.10.4.1::MBsKAQIKAQIwEwQJYWQuZG9tYWluBAZhZHVzZXI= If the user was found ldapexop will return a base64 encoded reply. So far using e.g. dumpasn1 was sufficient for me to look at the reply because I mainly used the requests to generate load for the extdom plugin and didn't care much about the reply. But if I find some time I might add a class to decode the reply properly later. 
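# Auto-generated by asn1ate v.0.6.1.dev0 from s2n_req.asn1
# (last modified on 2018-01-15 15:15:47.250042)
#
# pyasn1 type definitions for the request value of the ipa-extdom-exop
# extended operation (used with ldapexop in the message above).  The
# mailing-list paste lost the closing parentheses of the two Enumerated
# members of ExtdomRequestValue; they are restored here, everything else is
# the generated code.
from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful


class NameDomainData(univ.Sequence):
    """An object identified by (domainname, objectname), both OCTET STRING."""


NameDomainData.componentType = namedtype.NamedTypes(
    namedtype.NamedType('domainname', univ.OctetString()),
    namedtype.NamedType('objectname', univ.OctetString())
)


class PosixGid(univ.Sequence):
    """A group identified by (domainname, numeric gid)."""


PosixGid.componentType = namedtype.NamedTypes(
    namedtype.NamedType('domainname', univ.OctetString()),
    namedtype.NamedType('gid', univ.Integer())
)


class PosixUid(univ.Sequence):
    """A user identified by (domainname, numeric uid)."""


PosixUid.componentType = namedtype.NamedTypes(
    namedtype.NamedType('domainname', univ.OctetString()),
    namedtype.NamedType('uid', univ.Integer())
)


class InputData(univ.Choice):
    """Lookup key: exactly one of sid, name, uid or gid."""


InputData.componentType = namedtype.NamedTypes(
    namedtype.NamedType('sid', univ.OctetString()),
    namedtype.NamedType('name', NameDomainData()),
    namedtype.NamedType('uid', PosixUid()),
    namedtype.NamedType('gid', PosixGid())
)


class ExtdomRequestValue(univ.Sequence):
    """Top-level request: key kind, amount of data wanted, and the key itself.

    inputType has to agree with the alternative chosen in ``data``; the schema
    does not enforce that (presumably the plugin rejects a mismatch -- not
    verified here).
    """


ExtdomRequestValue.componentType = namedtype.NamedTypes(
    # Which InputData alternative is present.
    namedtype.NamedType('inputType', univ.Enumerated(namedValues=namedval.NamedValues(
        ('sid', 1), ('name', 2), ('posixuid', 3), ('posixgid', 4)))),
    # How much information the reply should carry.
    namedtype.NamedType('requestType', univ.Enumerated(namedValues=namedval.NamedValues(
        ('simple', 1), ('full', 2), ('fullwithmembers', 3)))),
    namedtype.NamedType('data', InputData())
)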
[Freeipa-devel] [freeipa PR#1529][opened] ipa-kdb: update trust information in all workers
URL: https://github.com/freeipa/freeipa/pull/1529 Author: sumit-bose Title: #1529: ipa-kdb: update trust information in all workers Action: opened PR body: """ Currently there is already code to make sure that after trust is established an AS-REQ of the local HTTP principal causes a refresh of the internal structures holding the information about the trusted domains. But this refreshes only the data of the current krb5kdc worker process on the local host. Other workers and the KDCs on other hosts will update the data eventually when a request with a principal from a trusted realm is handled. During this phase, which might last quite long if remote principals are only handled rarely, TGTs for local principals might or might not contain a PAC because the decision if a PAC should be added or not is based on the information about trusted domains. Since the PAC is needed to access services on the AD side this access might fail intermittently depending on which worker process on which host is handling the request. This might e.g. affect SSSD running on the IPA server with two-way trust. To fix this, this patch calls ipadb_reinit_mspac() whenever a PAC is needed but without the 'force' flag so that the refresh will only happen if it wasn't called recently (currently not more often than once a minute). An alternative might be to do the refresh only when processing cross-realm TGT requests. But this would be already too late because the local principal asking for a cross-realm ticket would not have a PAC and hence the first attempt will still fail due to the missing PAC. And injecting the PAC in the cross-realm TGT while there is none in the requesting ticket does not sound right. Related to https://pagure.io/freeipa/issue/7351 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1529/head:pr1529 git checkout pr1529 From e2d6e693329146d180bb577604373d4f0a4ae3dc Mon Sep 17 00:00:00 2001 
From: Sumit BoseDate: Mon, 4 Dec 2017 16:57:31 +0100 Subject: [PATCH] ipa-kdb: update trust information in all workers Currently there is already code to make sure that after trust is established an AS-REQ of the local HTTP principal causes a refresh of the internal structures holding the information about the trusted domains. But this refreshes only the data of the current krb5kdc worker process on the local host. Other workers and the KDCs on other hosts will update the data eventually when a request with a principal from a trusted realm is handled. During this phase, which might last quite long if remote principals are only handled rarely, TGTs for local principals might or might not contain a PAC because the decision if a PAC should be added or not is based on the information about trusted domains. Since the PAC is needed to access services on the AD side this access might fail intermittently depending which worker process on which host is handling the request. This might e.g. affect SSSD running on the IPA server with two-way trust. To fix this this patch calls ipadb_reinit_mspac() whenever a PAC is needed but without the 'force' flag so that the refresh will only happen if it wasn't called recently (currently not more often than once a minute). An alternative might be to do the refresh only when processing cross-realm TGT requests. But this would be already too late because the local principal asking for a cross-realm ticket would not have a PAC and hence the first attempt will still fail due to the missing PAC. And injecting the PAC in the cross-realm TGT while there is none in the requesting ticket does not sound right. Related to https://pagure.io/freeipa/issue/7351 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 33 - 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 00cc19ca1e..11e036986a 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c 
@@ -2121,6 +2121,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, int result; krb5_db_entry *client_entry = NULL; krb5_boolean is_equal; +bool force_reinit_mspac = false; is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); @@ -2174,24 +2175,30 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, } if (with_pac && make_ad) { + +ipactx = ipadb_get_context(context); +if (!ipactx) { +kerr = ENOMEM; +goto done; +} + /* Be aggressive here: special case for discovering range type - * immediately after establishing the trust by IPA framework */ + * immediately after establishing the trust by IPA framework. For all + * other cases call ipadb_reinit_mspac() with force_reinit_mspac set + * to 'false' to make sure the information about trusted domains is + * updated on a regular basis for all
[Freeipa-devel] [freeipa PR#1537][opened] ipa-kdb: use magic value to check if ipadb is used
URL: https://github.com/freeipa/freeipa/pull/1537 Author: sumit-bose Title: #1537: ipa-kdb: use magic value to check if ipadb is used Action: opened PR body: """ The certauth plugin is configured in /etc/krb5.conf independently form the database module. As a result the IPA certauth plugin can be added to the configuration without the IPA DAL driver. Since the IPA certauth plugin depends on the presence of the IPA DAL driver this patch adds a magic value at the beginning of struct ipadb_context which can be checked to see if the IPA DAL driver is properly initialized. Resolves https://pagure.io/freeipa/issue/7261 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1537/head:pr1537 git checkout pr1537 From 86347cdaec7bb67335251d9ea3c718533584590a Mon Sep 17 00:00:00 2001 From: Sumit BoseDate: Wed, 7 Feb 2018 17:10:08 +0100 Subject: [PATCH] ipa-kdb: use magic value to check if ipadb is used The certauth plugin is configured in /etc/krb5.conf independently form the database module. As a result the IPA certauth plugin can be added to the configuration without the IPA DAL driver. Since the IPA certauth plugin depends on the presence of the IPA DAL driver this patch adds a magic value at the beginning of struct ipadb_context which can be checked to see if the IPA DAL driver is properly initialized. Resolves https://pagure.io/freeipa/issue/7261 --- daemons/ipa-kdb/ipa_kdb.c | 1 + daemons/ipa-kdb/ipa_kdb.h | 2 ++ daemons/ipa-kdb/ipa_kdb_certauth.c | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c index b11153eccd..222900ae7a 100644 --- a/daemons/ipa-kdb/ipa_kdb.c +++ b/daemons/ipa-kdb/ipa_kdb.c 
@@ -522,6 +522,7 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext, if (!ipactx) { return ENOMEM; } +ipactx->magic = IPA_CONTEXT_MAGIC; /* only check for unsupported 'temporary' value for now */ for (i = 0; db_args != NULL && db_args[i] != NULL; i++) { diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index be2f457522..d187d969f5 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -101,7 +101,9 @@ struct ipadb_global_config { bool disable_preauth_for_spns; }; +#define IPA_CONTEXT_MAGIC 0x0c027ea7 struct ipadb_context { +int magic; char *uri; char *base; char *realm; diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c index 35e5e7d086..82589f2f92 100644 --- a/daemons/ipa-kdb/ipa_kdb_certauth.c +++ b/daemons/ipa-kdb/ipa_kdb_certauth.c @@ -131,7 +131,7 @@ static krb5_error_code ipa_get_init_data(krb5_context kcontext, krb5_klog_syslog(LOG_INFO, "Initializing IPA certauth plugin."); ipactx = ipadb_get_context(kcontext); -if (ipactx == NULL) { +if (ipactx == NULL || ipactx->magic != IPA_CONTEXT_MAGIC) { return KRB5_KDB_DBNOTINITED; } ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
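Review bot: `IPA_CONTEXT_MAGIC` only does its job if `magic` stays the first member of `struct ipadb_context` and is cleared when the context is torn down, and neither obligation is documented in the ipa_kdb.h hunk. Put `/* must remain the first member: ipa_kdb_certauth.c reads it through the pointer from ipadb_get_context() to verify the DAL driver is ours */` above `int magic;`, and wherever the context is freed (outside these hunks) set `ipactx->magic = 0;` first so a stale pointer cannot pass the check. The comparison in ipa_get_init_data() is a best-effort guard against a foreign module's private data being mistaken for ours, not a memory-safety guarantee — it still reads an `int` through whatever pointer ipadb_get_context() returns — so the `KRB5_KDB_DBNOTINITED` path should also log that the IPA certauth plugin requires the IPA DAL module in krb5.conf, since the error code alone will not tell an admin what went wrong.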
[Freeipa-devel] [freeipa PR#2846][opened] ipa_sam: remove dependency to talloc_strackframe.h
URL: https://github.com/freeipa/freeipa/pull/2846 Author: sumit-bose Title: #2846: ipa_sam: remove dependency to talloc_strackframe.h Action: opened PR body: """ Recent Samba versions removed some header files which did include non-public APIs. As a result talloc_strackframe.h and memory.h (for SAFE_FREE) are not available anymore. This patch replaces the use of the non-public APIs with public ones. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2846/head:pr2846 git checkout pr2846 From dcc855ee5745ba0e265bf355d76b6941ce2cc439 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 19 Feb 2019 12:30:40 +0100 Subject: [PATCH] ipa_sam: remove dependency to talloc_strackframe.h Recent Samba versions removed some header files which did include non-public APIs. As a result talloc_strackframe.h and memory.h (for SAFE_FREE) are not available anymore. This patch replaces the use of the non-public APIs with public ones. --- daemons/ipa-sam/ipa_sam.c | 16 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index b1e0294e34..ac0aa48f18 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -19,7 +19,6 @@ #include #include #include -#include #ifndef _SAMBA_UTIL_H_ bool trim_string(char *s, const char *front, const char *back); @@ -880,9 +879,13 @@ static bool ipasam_uid_to_sid(struct pdb_methods *methods, uid_t uid, struct dom_sid *user_sid = NULL; int rc; enum idmap_error_code err; - TALLOC_CTX *tmp_ctx = talloc_stackframe(); struct unixid id; + TALLOC_CTX *tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + goto done; + } + /* Fast fail if we get a request for uidNumber=0 because it currently * will never exist in the directory * Saves an expensive LDAP call of which failure will never be cached 
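Review bot: Swapping `talloc_stackframe()` for `talloc_new(NULL)` changes the lifetime contract: a stack frame is reclaimed when the enclosing frame is popped even if a code path forgets it, whereas a NULL-parented context leaks on every return that bypasses `talloc_free(tmp_ctx)`. The bodies of ipasam_uid_to_sid() here and ipasam_gid_to_sid() in the next hunk lie outside the diff, so each `return` in them needs to be checked to reach `done:`; a comment on the allocation, `/* top-level context: every exit must go through done: to free it */`, makes the obligation explicit for the next editor. The early `goto done` on `tmp_ctx == NULL` also relies on whatever `done:` returns for the failure case being initialized at that point — `rc` is declared without an initializer in the hunk — so confirm the return value is not read uninitialized on that path.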
@@ -967,9 +970,13 @@ static bool ipasam_gid_to_sid(struct pdb_methods *methods, gid_t gid, size_t c; int rc; enum idmap_error_code err; - TALLOC_CTX *tmp_ctx = talloc_stackframe(); struct unixid id; + TALLOC_CTX *tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + goto done; + } + filter = talloc_asprintf(tmp_ctx, "(|(&(gidNumber=%u)" "(objectClass=%s))" @@ -3620,7 +3627,8 @@ static void ipasam_free_private_data(void **vp) (*ipasam_state)->result = NULL; } if ((*ipasam_state)->domain_dn != NULL) { - SAFE_FREE((*ipasam_state)->domain_dn); + free((*ipasam_state)->domain_dn); + (*ipasam_state)->domain_dn = NULL; } *ipasam_state = NULL; ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
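Review bot: In ipasam_free_private_data the `if (... domain_dn != NULL)` guard around the new `free()` is redundant — `free(NULL)` is a no-op and the NULL assignment is harmless either way — so the body could simply be `free((*ipasam_state)->domain_dn); (*ipasam_state)->domain_dn = NULL;` without the conditional, which is what SAFE_FREE expanded to. This keeps the assumption that `domain_dn` comes from the malloc family rather than talloc; since SAFE_FREE already implied that there is no behaviour change, but a short comment naming the allocator would help the next reader. The function starts outside the hunk.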
[Freeipa-devel] [freeipa PR#2891][opened] ipa-extdom-exop: add instance counter and limit
URL: https://github.com/freeipa/freeipa/pull/2891 Author: sumit-bose Title: #2891: ipa-extdom-exop: add instance counter and limit Action: opened PR body: """ The user and group lookups done by the extdom plugin might need some time depending on the state of the service (typically SSSD) handling the requests. To avoid all worker threads being busy waiting on a connect or a reply from SSSD so that no other request can be handled, this patch adds an instance counter and an instance limit for the extdom plugin. By default the limit will be around 80% of the number of worker threads. It can be tuned further with the plugin option ipaExtdomMaxInstances, which must be set in ipaextdommaxinstances and should have an integer value larger than 0 and less than the number of worker threads. If the instance limit is reached the extdom plugin will return LDAP_BUSY for every new request until the number of instances is again below the limit. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2891/head:pr2891 git checkout pr2891 From 7c137695b23226237d531043f20eed9f5f04ba12 Mon Sep 17 00:00:00 2001 
From: Sumit Bose Date: Fri, 8 Mar 2019 16:07:56 +0100 Subject: [PATCH] ipa-extdom-exop: add instance counter and limit The user and group lookups done by the extdom plugin might need some time depending on the state of the service (typically SSSD) handling the requests. To avoid that all worker threads are busy waiting on a connect or a reply from SSSD and no other request can be handled this patch adds an instance counter and an instance limit for the extdom plugin. By default the limit will be around 80% of the number of worker threads. It can be tuned further with the plugin option ipaExtdomMaxInstances which must in set in ipaextdommaxinstances and should have an integer value larger than 0 and lesser than the number of worker threads. If the instance limit is reached the extdom plugin will return LDAP_BUSY for every new request until the number of instance is again below the limit. --- .../ipa-extdom-extop/ipa_extdom.h | 2 + .../ipa-extdom-extop/ipa_extdom_extop.c | 133 ++ 2 files changed, 135 insertions(+) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h index bbc574747e..e01e74ca59 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h @@ -157,6 +157,8 @@ struct ipa_extdom_ctx { char *base_dn; size_t max_nss_buf_size; struct nss_ops_ctx *nss_ctx; +Slapi_Counter *extdom_instance_counter; +size_t extdom_max_instances; }; struct domain_info { diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c index 83c30e7e6a..3abaa411d2 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c 
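Review bot: The two members added to `struct ipa_extdom_ctx` are undocumented although they implement the request throttle the commit message describes; I would add `/* Number of extdom requests currently being processed. */` above `extdom_instance_counter` and `/* Upper bound on concurrent requests; once reached new requests are answered with LDAP_BUSY. Default is about 80% of nsslapd-threadnumber, overridable via ipaExtdomMaxInstances. */` above `extdom_max_instances`. The field is `size_t` while the option is described as an integer that must be larger than 0 and below the thread count, so the parsing code (in ipa_extdom_extop.c, not visible in this chunk) should reject zero and negative values explicitly rather than letting them convert to a huge unsigned limit.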
@@ -62,8 +62,112 @@ static char *ipa_extdom_name_list[] = { NULL }; +#define NSSLAPD_THREADNUMBER "nsslapd-threadnumber" +static int ipa_get_threadnumber(Slapi_ComponentId *plugin_id, size_t *threadnumber) +{ +Slapi_PBlock *search_pb = NULL; +int search_result; +Slapi_Entry **search_entries = NULL; +int ret; +char *attrs[] = { NSSLAPD_THREADNUMBER, NULL }; + +search_pb = slapi_pblock_new(); +if (search_pb == NULL) { +LOG_FATAL("Failed to create new pblock.\n"); +ret = LDAP_OPERATIONS_ERROR; +goto done; +} + +slapi_search_internal_set_pb(search_pb, "cn=config", + LDAP_SCOPE_BASE, "objectclass=*", + attrs, 0, NULL, NULL, plugin_id, 0); + +ret = slapi_search_internal_pb(search_pb); +if (ret != 0) { +LOG_FATAL("Starting internal search failed.\n"); +goto done; +} + +ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, + _result); +if (ret != 0 || search_result != LDAP_SUCCESS) { +LOG_FATAL("Internal search failed [%d][%d].\n", ret, search_result); +ret = LDAP_OPERATIONS_ERROR; +goto done; +} + +ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, + _entries); +if (ret != 0) { +LOG_FATAL("Failed to read searched entries.\n"); +goto done; +} + +if (search_entries == NULL || search_entries[0] == NULL) { +LOG("No existing entries.\n"); +ret = LDAP_NO_SUCH_OBJECT; +goto done; +} + +if (search_entries[1] != NULL) { +LOG("Too many results found.\n"); +ret = LDAP_OPERATIONS_ERROR; +goto done; +} + +*threadnumber = slapi_entry_attr_get_uint(search_entries[0], + NSSLAPD_THREADNUMBER); + +
[Freeipa-devel] [freeipa PR#3542][opened] extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT
URL: https://github.com/freeipa/freeipa/pull/3542 Author: sumit-bose Title: #3542: extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT Action: opened PR body: """ A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to remove the searched object from the cache. As a consequence LDAP_NO_SUCH_OBJECT should only be returned if the object really does not exist; otherwise the data of existing objects might be removed from the cache of the clients, causing unexpected behaviour like authentication errors. Currently some code-paths use LDAP_NO_SUCH_OBJECT as the default error code. With this patch LDAP_NO_SUCH_OBJECT is only returned if the related lookup functions return ENOENT. Timeout-related error codes will lead to LDAP_TIMELIMIT_EXCEEDED, and LDAP_OPERATIONS_ERROR is used as the default error code. Related to https://pagure.io/freeipa/issue/8044 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3542/head:pr3542 git checkout pr3542 From 8f1f89858c48da27ce1b9f7c46281b61c744b4f1 Mon Sep 17 00:00:00 2001 
From: Sumit Bose Date: Fri, 14 Jun 2019 11:13:54 +0200 Subject: [PATCH] extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to remove the searched object from the cache. As a consequence LDAP_NO_SUCH_OBJECT should only be returned if the object really does not exists otherwise the data of existing objects might be removed form the cache of the clients causing unexpected behaviour like authentication errors. Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code. With this patch LDAP_NO_SUCH_OBJECT is only returned if the related lookup functions return ENOENT. Timeout related error code will lead to LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default error code. Related to https://pagure.io/freeipa/issue/8044 --- .../ipa-extdom-extop/back_extdom_sss_idmap.c | 4 +- .../ipa-extdom-extop/ipa_extdom_common.c | 77 ++- .../ipa-extdom-extop/ipa_extdom_extop.c | 2 + 3 files changed, 61 insertions(+), 22 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c index ef552a9a37..163e8e1371 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c @@ -62,10 +62,10 @@ static enum nss_status __convert_sss_nss2nss_status(int errcode) { return NSS_STATUS_SUCCESS; case ENOENT: return NSS_STATUS_NOTFOUND; -case ETIME: -/* fall-through */ case ERANGE: return NSS_STATUS_TRYAGAIN; +case ETIME: +/* fall-through */ case ETIMEDOUT: /* fall-through */ default: diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 525487c9e4..65c723ce65 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
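Review bot: Moving `ETIME` out of the `NSS_STATUS_TRYAGAIN` group means a timeout from sss_nss now falls through to whatever the `default` branch returns (its body is outside the hunk), so at the NSS-status level a timeout is no longer distinguishable from a generic failure; if callers rely on errno to produce LDAP_TIMELIMIT_EXCEEDED as the commit message says, that should be stated here, e.g. `/* ETIME/ETIMEDOUT: not TRYAGAIN (that would make callers retry); the caller maps the errno to a timeout result */`. Keeping both `/* fall-through */` markers is good for -Wimplicit-fallthrough. The leading double underscore in __convert_sss_nss2nss_status is a reserved identifier, but that predates this change.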
@@ -523,7 +523,7 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx, if (strcasecmp(locat+1, domain_name) == 0 ) { locat[0] = '\0'; } else { -ret = LDAP_NO_SUCH_OBJECT; +ret = LDAP_INVALID_SYNTAX; goto done; } } @@ -568,10 +568,12 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx, ret = getgrgid_r_wrapper(ctx, groups[c], , , _len); if (ret != 0) { -if (ret == ENOMEM || ret == ERANGE) { -ret = LDAP_OPERATIONS_ERROR; -} else { +if (ret == ENOENT) { ret = LDAP_NO_SUCH_OBJECT; +} else if (ret == ETIMEDOUT) { +ret = LDAP_TIMELIMIT_EXCEEDED; +} else { +ret = LDAP_OPERATIONS_ERROR; } goto done; } @@ -634,7 +636,7 @@ int pack_ber_group(enum response_types response_type, if (strcasecmp(locat+1, domain_name) == 0 ) { locat[0] = '\0'; } else { -ret = LDAP_NO_SUCH_OBJECT; +ret = LDAP_INVALID_SYNTAX; goto done; } } @@ -836,6 +838,8 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx, || id_type == SSS_ID_TYPE_BOTH)) { if (ret == ENOENT) { ret = LDAP_NO_SUCH_OBJECT; +} else if (ret == ETIMEDOUT || ret == ETIME) { +ret = LDAP_TIMELIMIT_EXCEEDED; } else { set_err_msg(req, "Failed to lookup SID by UID"); ret = LDAP_OPERATIONS_ERROR; @@ -847,10 +851,12 @@ static int handle_uid_request(struct ipa_extdom_ctx
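Review bot: The getgrgid_r_wrapper error mapping in pack_ber_user (hunk @@ -568) checks only `ret == ETIMEDOUT`, whereas the handle_uid_request hunk on the same line checks `ret == ETIMEDOUT || ret == ETIME`; if the wrapper can surface ETIME — and the idmap backend in this diff treats both as timeouts — a timeout here becomes LDAP_OPERATIONS_ERROR instead of LDAP_TIMELIMIT_EXCEEDED. Either align it, `} else if (ret == ETIMEDOUT || ret == ETIME) {`, or add a comment stating that the wrapper never returns ETIME. Keeping ENOENT as the only route to LDAP_NO_SUCH_OBJECT is the right call given that the client purges its cache on that code, as the message explains. The last handle_uid_request hunk is cut off at the end of the line.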
[Freeipa-devel] [freeipa PR#4015][opened] ipa-kdd: Remove keys password auth is disabled
URL: https://github.com/freeipa/freeipa/pull/4015 Author: sumit-bose Title: #4015: ipa-kdd: Remove keys password auth is disabled Action: opened PR body: """ With commit 15ff9c8 a check was removed and as a result Kerberos keys are unconditionally added to the user entry struct if they are available. As a result the password-related pre-authentication methods PA-ENC-TIMESTAMP and PA-ETYPE-INFO2 are advertised in the NEEDED_PREAUTH reply to an AS_REQ. With respect to the KDC policies this does not matter much because if password authentication is disabled for the given principal the policy will reject the AS_REQ if the user tries password authentication. This is possible because with commit 15ff9c8 kinit will ask for a password if called without any additional options (e.g. armor ticket or PKINIT identity). Before 15ff9c8 was committed it just failed with 'kinit: Pre-authentication failed: Invalid argument while getting initial credentials' because no suitable pre-authentication method was available. This is the same behavior as if no password was set for the given principal. But with this change SSSD fails to detect the available authentication types for the given principal properly. As described in https://docs.pagure.org/SSSD.sssd/design_pages/prompting_for_multiple_authentication_types.html SSSD uses the MIT Kerberos responder interface to determine the available authentication methods for the principal and does not check the ipaUserAuthType LDAP attribute. As a result if a user has 2FA (otp) authentication configured, which implies that a password is set as the first factor, the responder interface will always indicate that password authentication is available even if only otp is enabled for the user. In this case SSSD will use a prompt which indicates that the second factor might be optional. Additionally if prompting the user directly is not possible (e.g. 
ssh with ChallengeResponseAuthentication / KbdInteractiveAuthentication disabled) the single string entered by the user will always be assumed as a password and not as a combination of password and otp-token value. As a consequence authentication will always fail because password authentication is disabled for the user and since SSSD does not do try-and-error 2FA is not tried. This patch add back the check so that if password authentication is not available for the principal the Kerberos will not be added to the entry struct and the KDC will not advertise PA-ENC-TIMESTAMP or PA-ETYPE-INFO2. If you think this is wrong and the behavior added by 15ff9c8 should be preferred SSSD handing of the available authentication types must be extended to read ipaUserAuthType as well to restore the user experience with respect to 2FA prompting and ssh behavior. Related to https://pagure.io/freeipa/issue/8001 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4015/head:pr4015 git checkout pr4015 From a29c424a3144c939bfa0c4dc5e96519f493fae8f Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 11 Dec 2019 10:47:33 +0100 Subject: [PATCH] ipa-kdd: Remove keys password auth is disabled With commit 15ff9c8 a check was removed and as a result Kerberos keys are unconditionally added to the user entry struct if they are available. As a result the password related pre-authentication methods PA-ENC-TIMESTAMP and PA-ETYPE-INFO2 are advertised in the NEEDED_PREAUTH reply to an AS_REQ. With respect to the KDC policies this does not matter much because if password authentication is disabled for the given principal the policy will reject the AS_REQ if the user tries password authentication. This is possible because with commit 15ff9c8 kinit will ask for a password if called without any additional options (e.g. armor ticket or PKINIT identity). 
Before 15ff9c8 was committed it just failed with 'kinit: Pre-authentication failed: Invalid argument while getting initial credentials' because no suitable pre-authentication method was available. This is the same behavior as if no password was set for the given principal. But with this change SSSD fails to detect the available authentication types for the given principal properly. As described in https://docs.pagure.org/SSSD.sssd/design_pages/prompting_for_multiple_authentication_types.html SSSD uses the MIT Kerberos responder interface to determine the available authentication methods for the principal and does not check the ipaUserAuthType LDAP attribute. As a result if a user has 2FA (otp) authentication configured, which implies that a password is set as the first factor, the responder interface will always indicate that password authentication is available even if only opt is enabled for the user. In this case SSSD will use a prompting which indicates that the second factor might be optional. Additionally if prompting the user directly is not possible (e.g. ssh with ChallengeResponseAuthentication / KbdInteractiveAuthentication disabled) the single
[Freeipa-devel] [freeipa PR#5991][opened] extdom: return LDAP_NO_SUCH_OBJECT if domains differ
URL: https://github.com/freeipa/freeipa/pull/5991 Author: sumit-bose Title: #5991: extdom: return LDAP_NO_SUCH_OBJECT if domains differ Action: opened PR body: """ If a client sends a request to lookup an object from a given trusted domain by UID or GID and an object with matching ID is only found in a different domain the extdom should return LDAP_NO_SUCH_OBJECT to indicate to the client that the requested ID does not exists in the given domain. Resolves: https://pagure.io/freeipa/issue/8965 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5991/head:pr5991 git checkout pr5991 From 78fc4aba2dc7f5278e53e8ad5faeb1869731b5b7 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 25 Aug 2021 17:10:29 +0200 Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ If a client sends a request to lookup an object from a given trusted domain by UID or GID and an object with matching ID is only found in a different domain the extdom should return LDAP_NO_SUCH_OBJECT to indicate to the client that the requested ID does not exists in the given domain. Resolves: https://pagure.io/freeipa/issue/8965 --- .../ipa-extdom-extop/ipa_extdom_common.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 5d97ff6137d..6f646b9f49e 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx, if (strcasecmp(locat+1, domain_name) == 0 ) { locat[0] = '\0'; } else { -ret = LDAP_INVALID_SYNTAX; +/* The found object is from a different domain than requested, + * that means it does not exist in the requested domain */ +ret = LDAP_NO_SUCH_OBJECT; goto done; } } 
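Review bot: The domain-mismatch branch in pack_ber_user now answers LDAP_NO_SUCH_OBJECT, which (per the extdom error-code commit earlier on this page) makes the SSSD client drop the object from its cache, so on the server side a mis-resolved ID becomes indistinguishable from a non-existent one; a debug-level log naming the requested and found domains before `ret = LDAP_NO_SUCH_OBJECT;` would make such cases diagnosable, using the plugin's `LOG` macro if it is available in this file. The identical branch in pack_ber_group (next hunk) has the same gap, and the two checks are copy-paste duplicates that could share a small static helper. Both functions extend beyond their hunks.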
@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type, if (strcasecmp(locat+1, domain_name) == 0 ) { locat[0] = '\0'; } else { -ret = LDAP_INVALID_SYNTAX; +/* The found object is from a different domain than requested, + * that means it does not exist in the requested domain */ +ret = LDAP_NO_SUCH_OBJECT; goto done; } } ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure