URL: https://github.com/freeipa/freeipa/pull/3657
Author: abbra
 Title: #3657: [Backport][ipa-4-8] add default access control when migrating 
trust objects
Action: opened

PR body:
"""
This PR was opened automatically because PR #3643 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3657/head:pr3657
git checkout pr3657
From ebc1c22c0c197c9c45517da78099c954e284064c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Tue, 10 Sep 2019 13:39:39 +0300
Subject: [PATCH 1/2] add default access control when migrating trust objects

It looks like in some cases the keytab retrieval configuration was not
properly set up in the old trusted domain object. This mostly affects
two-way trust cases. In such cases, create the default configuration
that ipasam would have created when the trust was established.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy <aboko...@redhat.com>
---
 ipaserver/install/plugins/adtrust.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 3b2e49bc05..7e6b5c3084 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -29,6 +29,9 @@ def ndr_unpack(x):
 register = Registry()
 
 DEFAULT_ID_RANGE_SIZE = 200000
+trust_read_keys_template = \
+    ["cn=adtrust agents,cn=sysaccounts,cn=etc,{basedn}",
+     "cn=trust admins,cn=groups,cn=accounts,{basedn}"]
 
 
 @register()
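Review bot: `trust_read_keys_template` on the added lines is a module-level constant, but it is named like a local and defined as a mutable list, while the constant right above it is `DEFAULT_ID_RANGE_SIZE`. A tuple named `TRUST_READ_KEYS_TEMPLATE` would match the file's existing convention and cannot be mutated by accident from the two call sites in the later hunks; renaming it would have to be carried into those hunks as well. A one-line comment above it, `# DN templates of the principals allowed to read TDO keys by default (as set by ipasam at trust creation)`, would also make its purpose clear without reading the commit message.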
@@ -576,8 +579,15 @@ def set_krb_principal(self, principals, password, trustdn, flags=None):
                     'krbprincipalkey')
                 entry_data['krbextradata'] = en.single_value.get(
                     'krbextradata')
-                entry_data['ipaAllowedToPerform;read_keys'] = en.get(
-                    'ipaAllowedToPerform;read_keys', [])
+                read_keys = en.get('ipaAllowedToPerform;read_keys', [])
+                if not read_keys:
+                    # Old style, no ipaAllowedToPerform;read_keys in the entry,
+                    # use defaults that ipasam should have set when creating a
+                    # trust
+                    read_keys = list(map(
+                        lambda x: x.format(basedn=self.api.env.basedn),
+                        trust_read_keys_template))
+                entry_data['ipaAllowedToPerform;read_keys'] = read_keys
 
         entry.update(entry_data)
         try:
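Review bot: The default list built with `list(map(lambda x: x.format(...), ...))` on the new side is duplicated verbatim in the second patch's `update_tdo_default_read_keys_permissions.execute`; the idiomatic form is a comprehension, `read_keys = [t.format(basedn=self.api.env.basedn) for t in trust_read_keys_template]`, and putting it in one module-level helper (for instance `default_trust_read_keys(basedn)`) would keep the two sites from drifting apart, since both grant the same two DNs read access to the TDO keys. The enclosing `set_krb_principal` starts outside the hunk, so whether `self.api.env.basedn` is always a DN here cannot be confirmed from the diff; `str.format` stringifies it either way. The inline comment on the fallback could also say what it grants, e.g. `# Grant read_keys to adtrust agents and trust admins, as ipasam does at trust creation`.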

From bc9283a7a43dedf1fbc809cdb80b36c905fe39dc Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Thu, 12 Sep 2019 11:21:51 +0300
Subject: [PATCH 2/2] adtrust: add default read_keys permission for TDO objects

If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.

This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permissions which
grants access to trust agents and trust admins.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy <aboko...@redhat.com>
---
 .../updates/90-post_upgrade_plugins.update    |  1 +
 ipaserver/install/plugins/adtrust.py          | 56 +++++++++++++++++++
 2 files changed, 57 insertions(+)

diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index f5f428dd0b..8eb197739e 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -13,6 +13,7 @@ plugin: update_default_trust_view
 plugin: update_tdo_gidnumber
 plugin: update_tdo_to_new_layout
 plugin: update_host_cifs_keytabs
+plugin: update_tdo_default_read_keys_permissions
 plugin: update_ca_renewal_master
 plugin: update_idrange_type
 plugin: update_pacs
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 7e6b5c3084..386fe53387 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -821,3 +821,59 @@ def execute(self, **options):
                 self.copy_key(paths.SAMBA_KEYTAB, hostkey)
 
         return False, []
+
+
+@register()
+class update_tdo_default_read_keys_permissions(Updater):
+    trust_filter = \
+        "(&(objectClass=krbPrincipal)(krbPrincipalName=krbtgt/{nbt}@*))"
+
+    def execute(self, **options):
+        ldap = self.api.Backend.ldap2
+
+        # First, see if trusts are enabled on the server
+        if not self.api.Command.adtrust_is_enabled()['result']:
+            logger.debug('AD Trusts are not enabled on this server')
+            return False, []
+
+        result = self.api.Command.trustconfig_show()['result']
+        our_nbt_name = result.get('ipantflatname', [None])[0]
+        if not our_nbt_name:
+            return False, []
+
+        trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn
+        trust_filter = self.trust_filter.format(nbt=our_nbt_name)
+
+        # We might be in a situation when no trusts exist yet
+        # In such case there is nothing to upgrade but we have to catch
+        # an exception or it will abort the whole upgrade process
+        try:
+            tdos = ldap.get_entries(
+                base_dn=trusts_dn,
+                scope=ldap.SCOPE_SUBTREE,
+                filter=trust_filter,
+                attrs_list=['*'])
+        except errors.EmptyResult:
+            tdos = []
+
+        for tdo in tdos:
+            updates = dict()
+            oc = tdo.get('objectClass', [])
+            if 'ipaAllowedOperations' not in oc:
+                updates['objectClass'] = oc + ['ipaAllowedOperations']
+
+            read_keys = tdo.get('ipaAllowedToPerform;read_keys', [])
+            if not read_keys:
+                read_keys_values = list(map(
+                    lambda x: x.format(basedn=self.api.env.basedn),
+                    trust_read_keys_template))
+                updates['ipaAllowedToPerform;read_keys'] = read_keys_values
+
+            tdo.update(updates)
+            try:
+                ldap.update_entry(tdo)
+            except errors.EmptyModlist:
+                logger.debug("No update was required for TDO %s",
+                             tdo.single_value.get('krbCanonicalName'))
+
+        return False, []
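Review bot: The search in `execute` uses `attrs_list=['*']`, which pulls every attribute of each TDO, including its `krbPrincipalKey` material, although only three attributes are read; narrowing it to `attrs_list=['objectClass', 'ipaAllowedToPerform;read_keys', 'krbCanonicalName']` keeps key blobs out of the updater's memory and shrinks the modlist `ldap.update_entry` has to compute. The check `'ipaAllowedOperations' not in oc` is a case-sensitive comparison on objectClass values; if the server can return that value in a different letter case (which the diff does not show either way), the updater would append a duplicate objectClass and the modify could fail, so a case-insensitive test such as `if 'ipaallowedoperations' not in {c.lower() for c in oc}:` would be safer. `updates = dict()` would normally be written `updates = {}`, and the lambda/map on the read_keys branch would read better as a comprehension, as in the first patch's hunk.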