Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches
On 07/07/2015 04:31 PM, Alexander Bokovoy wrote:
> On Tue, 07 Jul 2015, Alexander Bokovoy wrote:
> > Hi, attached are patches to introduce one-way trust support and a few more to fix currently outstanding trust-related bugs. More details are in the commit messages.
> >
> > For the oddjobd-activated helper, if you want to test the one-way trust setup, you need to put SELinux into permissive. We have bugs for both Fedora and RHEL to add the policy (https://bugzilla.redhat.com/show_bug.cgi?id=1238163 for RHEL7), it is in the works.
>
> Updated patch 0181 after discussion with Simo and Sumit about the empty rid array.

Works fine for me, thanks. ACK.

Pushed to master: 5017726ebaf6eea3dedb1325efe00c0d6c4b6187

During review, I also pushed the attached oneliner.

Tomas

From d011ca36f1db5d0cb76ab53ef07a33bec54d9003 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Wed, 8 Jul 2015 01:24:10 +0200
Subject: [PATCH] dcerpc: Raise ACIError correctly

---
 ipaserver/dcerpc.py | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index bc75a60265de241f01b7e22c0274dc8a8523eeec..a1da0a641064f59a79639d97489ff73181787a4a 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -1093,9 +1093,11 @@ class TrustDomainInstance(object): if self.validation_attempts 10: sleep(5) return self.verify_trust(another_domain) -raise errors.ACIError(reason=_('IPA master denied trust validation requests from AD DC ' - '%(count)d times. Most likely AD DC contacted a replica ' - 'that has no trust information replicated yet.' % (self.validation_attempts))) +raise errors.ACIError( +info=_('IPA master denied trust validation requests from AD DC ' + '%(count)d times. Most likely AD DC contacted a replica ' + 'that has no trust information replicated yet.') + % dict(count=self.validation_attempts)) raise assess_dcerpc_exception(*result.pdc_connection_status) return True return False -- 2.1.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
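Review bot: the removed `raise errors.ACIError(reason=...)` applied `%` inside the `_()` call with a bare `(self.validation_attempts)`, which is a plain int rather than a mapping, so `'%(count)d'` would have raised TypeError before any ACIError was built; the replacement correctly interpolates `% dict(count=self.validation_attempts)` on the translated string, outside `_()`. The switch from the `reason=` keyword to `info=` is the fix the subject line "Raise ACIError correctly" refers to, but the commit message body is empty; one sentence saying why `info=` is the right keyword would help whoever reads the blame later.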
Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches
On Tue, 07 Jul 2015, Alexander Bokovoy wrote:
> From 4a856d8ff597ec516cc1eb05f06e062bb4ecca5b Mon Sep 17 00:00:00 2001
> From: Alexander Bokovoy aboko...@redhat.com
> Date: Thu, 28 May 2015 11:49:58 +
> Subject: [PATCH 05/11] trusts: pass AD DC hostname if specified explicitly
>
> Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047

This is upstream ticket https://fedorahosted.org/freeipa/ticket/5031

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches
On Tue, 07 Jul 2015, Alexander Bokovoy wrote:
> From b7a3b206deb3257b3a78939f0d2a6a114e48b758 Mon Sep 17 00:00:00 2001
> From: Alexander Bokovoy aboko...@redhat.com
> Date: Thu, 26 Mar 2015 14:34:06 +0200
> Subject: [PATCH 01/11] add one-way trust support to ipasam
>
> When a trust is established, the ipasam module creates a number of objects in LDAP to represent the trust information. Among them, for a one-way trust we create a principal named IPA$@AD where IPA is the NetBIOS (flat) name of the IPA forest and AD is the realm of the trusted Active Directory forest root domain.
>
> This principal is then used by SSSD on IPA masters to authenticate against trusted Active Directory domain controllers and retrieve information about user and group identities. FreeIPA also uses this principal's credentials to retrieve domain topology.
>
> Access to the keys of the principal should be well-protected. We only allow retrieving the keytab for it for members of the cn=adtrust agents group. This group is populated with host/ and cifs/ principals from IPA masters. Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install on the master which will be configured to be a domain controller (e.g. run Samba with ipasam), and specify the --add-agents option to trigger activation of the interactive mode to specify which IPA masters to enable.
>
> Fixes https://fedorahosted.org/freeipa/ticket/4962
> Part of fixes for https://fedorahosted.org/freeipa/ticket/4546

... and fixes ticket https://fedorahosted.org/freeipa/ticket/5005 too

--
/ Alexander Bokovoy
[Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches
Hi, attached are patches to introduce one-way trust support and few more to fix currently outstanding trust-related bugs. More details are in the commit messages. For oddjobd-activated helper, if you want to test the one-way trust setup, you need to put SELinux into permissive. We have bugs for both Fedora and RHEL to add the policy (https://bugzilla.redhat.com/show_bug.cgi?id=1238163 for RHEL7), it is in works. -- / Alexander Bokovoy From 0e252fb1f8455daa87dccbc6dcba61b08570b444 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Wed, 20 May 2015 18:24:52 +0300 Subject: [PATCH 03/11] ipa-kdb: use proper memory chunk size when moving sids Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 20 +--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 0e53a80..390111f 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -1394,7 +1394,15 @@ static krb5_error_code filter_logon_info(krb5_context context, if (result) { filter_logon_info_log_message(info-info-info3.sids[i].sid); } else { +/* Go over incoming SID blacklist */ for(k = 0; k domain-len_sid_blacklist_incoming; k++) { +/* if SID is an exact match, filter it out */ +result = dom_sid_check(domain-sid_blacklist_incoming[k], info-info-info3.sids[i].sid, true); +if (result) { + filter_logon_info_log_message(info-info-info3.sids[i].sid); +break; +} +/* if SID is a suffix of the blacklist element, filter it out*/ result = dom_sid_is_prefix(domain-sid_blacklist_incoming[k], info-info-info3.sids[i].sid); if (result) { filter_logon_info_log_message(info-info-info3.sids[i].sid); 
@@ -1403,11 +1411,17 @@ static krb5_error_code filter_logon_info(krb5_context context, } } if (result) { +k = count - i - j - 1; +if (k != 0) { +memmove(info-info-info3.sids+i, +info-info-info3.sids+i+1, +sizeof(struct netr_SidAttr)*k); +} j++; -memmove(info-info-info3.sids+i, info-info-info3.sids+i+1, count-i-1); +} else { +i++; } -i++; -} while (i count); +} while ((i + j) count); if (j != 0) { count = count-j; -- 2.4.3 From a797874359544e431bdd96dd11e26f404c578db0 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Thu, 28 May 2015 08:33:51 + Subject: [PATCH 04/11] ipa-kdb: filter out group membership from MS-PAC for exact SID matches too When incoming SID blacklist contains exact SIDs of users and groups, attempt to filter them out as well, according to [MS-PAC] 4.1.1.2. Note that we treat user's SID and primary group RID filtering as violation of the KDC policy because the resulting MS-PAC will have no user SID or primary group and thus will be invalid. For group RIDs we filter them out and in unlikely event of empty list of groups treat that as violation of the KDC policy as well. Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 102 +++- 1 file changed, 101 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 390111f..df19880 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c 
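Review bot: in the first hunk of patch 03 the comment above the `dom_sid_is_prefix` call reads backwards: `dom_sid_is_prefix(domain->sid_blacklist_incoming[k], sid)` tests whether the blacklist entry (a whole domain) is a prefix of the incoming SID, not whether the SID is a suffix of the entry; suggest `/* if a blacklist element is a prefix (domain) of the SID, filter it out */`. A short note that `result` stays true after the `break` on an exact match, so the `if (result)` below still removes the SID, would also help, since the break now skips the prefix check that used to set it.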
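Review bot: the memmove change in the second hunk of patch 03 is right: the removed call passed `count-i-1` elements as the byte length, so only the first few bytes of the tail were shifted and the `struct netr_SidAttr` entries behind them were torn; `sizeof(struct netr_SidAttr)*k` with `k = count - i - j - 1` moves the whole live tail. Two points for the commit message: the loop change is a second, separate fix (the old unconditional `i++` after a removal skipped the element just shifted into slot i, so two consecutive blacklisted SIDs left the second one in place; keeping `i`, bumping `j`, and bounding with `(i + j) < count` re-examines it), and `k` is reused as the move length right after serving as the blacklist index in the inner loop, which works but a dedicated variable would read clearer.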
@@ -1317,6 +1317,22 @@ static void filter_logon_info_log_message(struct dom_sid *sid) } } +static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid) +{ +char *domstr = NULL; + +domstr = dom_sid_string(NULL, sid); +if (domstr) { +krb5_klog_syslog(LOG_ERR, PAC filtering issue: SID [%s-%d] is not allowed + from a trusted source and will be excluded., domstr, rid); +talloc_free(domstr); +} else { +krb5_klog_syslog(LOG_ERR, PAC filtering issue: SID is not allowed + from a trusted source and will be excluded. + Unable to allocate memory to display SID.); +} +} + static krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx, krb5_data realm, @@ -1328,9 +1344,21 @@ static krb5_error_code filter_logon_info(krb5_context context, * attempt at getting us to sign fake credentials with the help of a * compromised trusted realm
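Review bot: in the new `filter_logon_info_log_message_rid`, `rid` is a `uint32_t` but the format string prints it with `%d`, so any RID above 2^31 would be logged as a negative number; use `%u` (or `PRIu32`) in the `SID [%s-%d]` format.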
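Added illustration of the two behaviours patches 03 and 04 above touch, written for this review and not code from the FreeIPA tree: exact-match plus prefix-match filtering of a PAC's SID list against an incoming blacklist, and compaction of the array with a memmove sized in whole elements rather than the element count the old code passed as a byte count. The `dom_sid` and `netr_SidAttr` structs are reduced stand-ins for Samba's, and the sample SIDs and blacklist are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Reduced stand-ins for Samba's struct dom_sid and struct netr_SidAttr. */
struct dom_sid { uint8_t num_auths; uint32_t sub_auths[15]; };
struct netr_SidAttr { struct dom_sid *sid; uint32_t attributes; };
/* Exact match: the per-SID filtering that [MS-PAC] 4.1.1.2 calls for. */
static bool sid_equal(const struct dom_sid *a, const struct dom_sid *b)
{
    return a->num_auths == b->num_auths &&
           memcmp(a->sub_auths, b->sub_auths, a->num_auths * sizeof(uint32_t)) == 0;
}
/* Strict prefix match: a blacklisted domain SID covers every SID below it. */
static bool sid_is_prefix(const struct dom_sid *prefix, const struct dom_sid *sid)
{
    return prefix->num_auths < sid->num_auths &&
           memcmp(prefix->sub_auths, sid->sub_auths, prefix->num_auths * sizeof(uint32_t)) == 0;
}
/* Drop every SID that equals or lies under a blacklist entry; returns the new
 * count. Follows the fixed loop: memmove is sized in elements * sizeof(element)
 * (the old code passed the element count as the byte count), a slot whose SID
 * was removed is re-examined since i is not advanced, (i + j) < count bounds it. */
static int filter_sids(struct netr_SidAttr *sids, int count,
                       const struct dom_sid *blacklist, int len_blacklist)
{
    int i = 0, j = 0;                 /* i: current slot, j: removed so far */
    while (i + j < count) {
        bool drop = false;
        for (int k = 0; k < len_blacklist && !drop; k++)
            drop = sid_equal(&blacklist[k], sids[i].sid) ||
                   sid_is_prefix(&blacklist[k], sids[i].sid);
        if (!drop) { i++; continue; }
        int tail = count - i - j - 1;     /* live elements after slot i */
        if (tail != 0)
            memmove(&sids[i], &sids[i + 1], sizeof(struct netr_SidAttr) * tail);
        j++;
    }
    return count - j;
}
/* Constructed sample: blacklist holds one exact SID (RID 1105 of domain A) and
 * one whole domain (B); the two adjacent B entries exercise the re-examination. */
static struct dom_sid demo_rids[5] = {
    {5, {21, 1, 2, 3, 513}}, {5, {21, 1, 2, 3, 1105}}, {5, {21, 9, 9, 9, 512}},
    {5, {21, 9, 9, 9, 1000}}, {5, {21, 1, 2, 3, 1106}} };
static const struct dom_sid demo_blacklist[2] = { {5, {21, 1, 2, 3, 1105}}, {4, {21, 9, 9, 9}} };
struct netr_SidAttr demo_sids[5];
/* Fills demo_sids from demo_rids, filters them and returns the surviving count (2). */
int demo_filter(void)
{
    for (int n = 0; n < 5; n++)
        demo_sids[n] = (struct netr_SidAttr){ &demo_rids[n], 7 };
    return filter_sids(demo_sids, 5, demo_blacklist, 2);
}
```

After the call only the RID 513 and RID 1106 entries of domain A remain, in that order.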
Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches
On Tue, 07 Jul 2015, Alexander Bokovoy wrote: Hi, attached are patches to introduce one-way trust support and few more to fix currently outstanding trust-related bugs. More details are in the commit messages. For oddjobd-activated helper, if you want to test the one-way trust setup, you need to put SELinux into permissive. We have bugs for both Fedora and RHEL to add the policy (https://bugzilla.redhat.com/show_bug.cgi?id=1238163 for RHEL7), it is in works. Attached is a rebase of two patches that modified VERSION as it conflicted with last minute push that Tomas did. -- / Alexander Bokovoy From 07bd53b528abd39aac6f11f47eec38ff5a73c5e3 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Thu, 28 May 2015 11:49:58 + Subject: [PATCH 05/11] trusts: pass AD DC hostname if specified explicitly Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047 --- API.txt | 3 ++- VERSION | 4 ++-- ipalib/plugins/trust.py | 9 - ipaserver/dcerpc.py | 10 +++--- 4 files changed, 19 insertions(+), 7 deletions(-) diff --git a/API.txt b/API.txt index 99fa528..a76458b 100644 --- a/API.txt +++ b/API.txt @@ -4998,10 +4998,11 @@ output: Output('result', type 'dict', None) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: ListOfPrimaryKeys('value', None, None) command: trust_fetch_domains -args: 1,4,4 +args: 1,5,4 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('realm_server?', cli_name='server') option: Flag('rights', autofill=True, default=False) option: Str('version?', exclude='webui') output: Output('count', type 'int', None) diff --git a/VERSION b/VERSION index 2d9ad26..bf68be2 100644 --- a/VERSION +++ b/VERSION 
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=139 -# Last change: edewata - added ipaVaultPublicKey attribute +IPA_API_VERSION_MINOR=140 +# Last change: ab - trusts: pass AD DC hostname if specified explicitly diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 5b884ca..13ac52d 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -1302,9 +1302,10 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): sp.insert(0, trustinstance.remote_domain.info['name']) creds = u{name}%{password}.format(name=\\.join(sp), password=password) +server = options.get('realm_server', None) domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, - trust_name, creds=creds) + trust_name, creds=creds, server=server) result = [] if not domains: return result @@ -1342,6 +1343,12 @@ class trust_fetch_domains(LDAPRetrieve): __doc__ = _('Refresh list of the domains associated with the trust') has_output = output.standard_list_of_entries +takes_options = LDAPRetrieve.takes_options + ( +Str('realm_server?', +cli_name='server', +label=_('Domain controller for the Active Directory domain (optional)'), +), +) def execute(self, *keys, **options): if not _bindings_installed: diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 725b2cd..753e10e 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -1046,7 +1046,7 @@ class TrustDomainInstance(object): return False -def fetch_domains(api, mydomain, trustdomain, creds=None): +def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): trust_flags = dict( NETR_TRUST_FLAG_IN_FOREST = 0x0001, NETR_TRUST_FLAG_OUTBOUND = 0x0002, 
@@ -1087,8 +1087,12 @@ def fetch_domains(api, mydomain, trustdomain, creds=None): cr.set_workstation(domain_validator.flatname) netrc = net.Net(creds=cr, lp=td.parm) try: -result = netrc.finddc(domain=trustdomain, - flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) +if server: +result = netrc.finddc(address=server, + flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) +else: +result = netrc.finddc(domain=trustdomain, + flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) except RuntimeError, e: raise assess_dcerpc_exception(message=str(e)) -- 2.4.3 From 850566818840e5aa37a08ff0cc50d503d78c3b63 Mon Sep 17 00:00:00 2001 From:
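Review bot: in the dcerpc.py hunk, when `server` is set the code goes straight to `netrc.finddc(address=server, ...)` and nothing checks that the DC answering at that address actually belongs to `trustdomain`; the `domain=` branch is scoped by the trusted domain's name, the `address=` branch only by what the caller typed. Suggest comparing the domain name carried in the `finddc` response against `trustdomain` and raising if they differ, so the topology fetched is always the trusted forest's.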
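Review bot: the trust.py hunk adds `realm_server?` to `trust_fetch_domains.takes_options` with only a `label`; a `doc=` line stating that the value must be a domain controller of the trusted Active Directory domain (the label says "Domain controller for the Active Directory domain") would tell CLI users what the option is scoped to, and the `API.txt` hunk's `args: 1,5,4` bump then documents itself.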
Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches
On Tue, 07 Jul 2015, Alexander Bokovoy wrote:
> From a4e2034028d64a8b2b533af9541e698a68388fb2 Mon Sep 17 00:00:00 2001
> From: Alexander Bokovoy aboko...@redhat.com
> Date: Thu, 4 Jun 2015 21:29:36 +
> Subject: [PATCH 07/11] ipa-adtrust-install: allow configuring of trust agents
>
> Trust agents are IPA masters without Samba which can serve information about users from trusted forests. Such IPA masters cannot be used to configure a trust but they can resolve AD users and groups for IPA clients enrolled to them.
>
> Since support from both FreeIPA and SSSD is needed to enable trust agent support, we currently only consider those IPA masters which have been upgraded to FreeIPA 4.2 or later.
>
> Part of https://fedorahosted.org/freeipa/ticket/4951

And also fixes https://fedorahosted.org/freeipa/ticket/5004 which is a more specific ticket for host principals.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches
On Tue, 07 Jul 2015, Alexander Bokovoy wrote:
> Hi, attached are patches to introduce one-way trust support and a few more to fix currently outstanding trust-related bugs. More details are in the commit messages.
>
> For the oddjobd-activated helper, if you want to test the one-way trust setup, you need to put SELinux into permissive. We have bugs for both Fedora and RHEL to add the policy (https://bugzilla.redhat.com/show_bug.cgi?id=1238163 for RHEL7), it is in the works.

Updated patch 0181 after discussion with Simo and Sumit about the empty rid array.

--
/ Alexander Bokovoy

From e5b073d0a4cb75ef79eb199352f95f29594a4740 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Thu, 28 May 2015 08:33:51 +
Subject: [PATCH 02/11] ipa-kdb: filter out group membership from MS-PAC for exact SID matches too

When the incoming SID blacklist contains exact SIDs of users and groups, attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.

Note that we treat user's SID and primary group RID filtering as a violation of the KDC policy because the resulting MS-PAC will have no user SID or primary group and thus will be invalid.

For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1 it is OK to have an empty group RIDs array as GroupCount SHOULD be equal to Groups.MembershipCount returned by SamrGetGroupsForUser [MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty.

Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 100 +++-
 1 file changed, 99 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 390111f..b1490ef 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1317,6 +1317,22 @@ static void filter_logon_info_log_message(struct dom_sid *sid) } } +static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid) +{ +char *domstr = NULL; + +domstr = dom_sid_string(NULL, sid); +if (domstr) { +krb5_klog_syslog(LOG_ERR, PAC filtering issue: SID [%s-%d] is not allowed + from a trusted source and will be excluded., domstr, rid); +talloc_free(domstr); +} else { +krb5_klog_syslog(LOG_ERR, PAC filtering issue: SID is not allowed + from a trusted source and will be excluded. + Unable to allocate memory to display SID.); +} +} + static krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx, krb5_data realm, @@ -1328,9 +1344,21 @@ static krb5_error_code filter_logon_info(krb5_context context, * attempt at getting us to sign fake credentials with the help of a * compromised trusted realm */ +/* NOTE: there are two outcomes from filtering: + * REJECT TICKET -- ticket is rejected if domain SID of + * the principal with MS-PAC is filtered out or + * its primary group RID is filtered out + * + * REMOVE SID-- SIDs are removed from the list of SIDs associated + * with the principal if they are filtered out + * This applies also to secondary RIDs of the principal + * if domain_sid-secondary RID is filtered out + */ + struct ipadb_context *ipactx; struct ipadb_adtrusts *domain; -int i, j, k, count; +int i, j, k, l, count; +uint32_t rid; bool result; char *domstr = NULL; 
@@ -1377,6 +1405,76 @@ static krb5_error_code filter_logon_info(krb5_context context, } } +/* Check if this user's SIDs membership is filtered too */ +for(k = 0; k domain-len_sid_blacklist_incoming; k++) { +/* Short-circuit if there are no RIDs. This may happen if we filtered everything already. + * In normal situation there would be at least primary gid as RID in the RIDs array + * but if we filtered out the primary RID, this MS-PAC is invalid */ +count = info-info-info3.base.groups.count; +result = dom_sid_is_prefix(info-info-info3.base.domain_sid, + domain-sid_blacklist_incoming[k]); +if (result) { +i = 0; +j = 0; +if (domain-sid_blacklist_incoming[k].num_auths - info-info-info3.base.domain_sid-num_auths != 1) { +krb5_klog_syslog(LOG_ERR, Incoming SID blacklist element matching domain [%s with SID %s] + has more than one RID component. Invalid check skipped., + domain-domain_name, domain-domain_sid); +break; +} +rid = domain-sid_blacklist_incoming[k].sub_auths[domain-sid_blacklist_incoming[k].num_auths - 1]; +if (rid ==
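Review bot: in the first hunk of this revision, the `else` branch of `filter_logon_info_log_message_rid` (taken when `dom_sid_string` fails) logs nothing that identifies the filtered entry even though `rid` is still available as an integer; logging `rid` there (with `%u`, since it is `uint32_t`) costs no allocation and keeps the audit trail usable when memory is short, which is exactly when a log line matters.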
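Review bot: in the group-membership hunk, the `break` taken when a blacklist element's length does not differ from the domain SID by exactly one sub-authority leaves the whole `for(k = 0; k < domain->len_sid_blacklist_incoming; k++)` loop, so every later blacklist entry is skipped for this principal; `continue` is what the log text "Invalid check skipped" describes and what the [MS-PAC] 4.1.1.2 per-SID filtering needs. The message also says "more than one RID component", but the `!= 1` test fires for a difference of 0 as well if `dom_sid_is_prefix` accepts an equal-length match (an entry equal to the domain SID itself), so either narrow the test to `> 1` or word the message to cover both cases.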