[Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
Hi, this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only to allow SSSD running on a FreeIPA server to access the AD LDAP server. In the ticket a more generic solution is described but since there is no other use case so far I think this patch is sufficient for the time being. bye, Sumit From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 1 Jul 2013 13:47:22 +0200 Subject: [PATCH] Add PAC to master host TGTs For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host. We use the well know RID for the Domain Computers group for the primary gid element of the PAC, this is the same as AD uses for host tickets. The rid element of the PAC is set to the well know RID of the Domain Controllers group. This is working for the SSSD use case but might be improved later for more general use cases. To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being. Fixes https://fedorahosted.org/freeipa/ticket/3651 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 154 ++-- 1 file changed, 115 insertions(+), 39 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 2662b947bd589074faa1acf6a9bb97748161cb05..92dc8dd7fa6c51d9edfc4d73cef23b3129c01192 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -58,6 +58,7 @@ static char *user_pac_attrs[] = { "objectClass", "uid", "cn", +"fqdn", "gidNumber", "krbPrincipalName", "krbCanonicalName", 
@@ -358,6 +359,29 @@ static int sid_split_rid(struct dom_sid *sid, uint32_t *rid) return 0; } +static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn) +{ +int ret; +char *master_host_base = NULL; +LDAPMessage *result = NULL; +krb5_error_code err; + +ret = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s", + fqdn, ipactx->base); +if (ret == -1) { +return false; +} +err = ipadb_simple_search(ipactx, master_host_base, LDAP_SCOPE_BASE, + NULL, NULL, &result); +free(master_host_base); +ldap_msgfree(result); +if (err == 0) { +return true; +} + +return false; +} + static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, LDAPMessage *lentry, TALLOC_CTX *memctx, 
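Review bot: is_master_host pastes `fqdn` straight into the `asprintf` format for the search base, so a value containing DN-special characters (`,`, `+`, `=`, `\`) yields a malformed or differently-scoped base DN rather than a clean "not a master"; the value comes from the host's own `fqdn` attribute, so it is not attacker-supplied in the normal case, but rejecting anything that is not a plain hostname (letters, digits, `-`, `.`) before the `asprintf` would make the check fail closed on odd input. The verdict also rests solely on `err == 0`, which is correct only if ipadb_simple_search propagates LDAP_NO_SUCH_OBJECT for a missing base entry — the hunk does not show that — so checking with `ldap_count_entries` that `result` actually holds an entry before it is freed would remove the assumption. The function has no header comment; I would add `/* True iff cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<base> exists; allocation and LDAP errors count as "not a master", so the check fails closed. */`. The commit message says `cn=master,cn=ipa,cn=etc` while the code searches under `cn=masters`; the message should match the code.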
@@ -371,13 +395,65 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, char *strres; int intres; int ret; +char **objectclasses = NULL; +size_t c; +bool is_host = false; +bool is_user = false; -ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres); -if (ret) { -/* gidNumber is mandatory */ -return ret; +ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass", + &objectclasses); +if (ret == 0 && objectclasses != NULL) { +for (c = 0; objectclasses[c] != NULL; c++) { +if (strcasecmp(objectclasses[c], "ipaHost") == 0) { +is_host = true; +} +if (strcasecmp(objectclasses[c], "ipaNTUserAttrs") == 0) { +is_user = true; +} +free(objectclasses[c]); +} +} +free(objectclasses); + +if (!is_host && !is_user) { +/* We only handle users and hosts */ +return ENOENT; +} + +if (is_host) { +ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres); +if (ret) { +/* fqdn is mandatory for hosts */ +return ret; +} + +/* Currently we only add a PAC to TGTs for IPA servers to allow SSSD in + * ipa_server_mode to access the AD LDAP server */ +if (!is_master_host(ipactx, strres)) { +free(strres); +return ENOENT; +} +} else { +ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres); +if (ret) { +/* uid is mandatory */ +return ret; +} +} + +info3->base.account_name.string = talloc_strdup(memctx, strres); +free(strres); + +if (is_host) { +prigid = 515; /* Well known RID for domain computers group */ +} else { +ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres); +if (ret) { +/* gidNumber is mandatory */ +return ret; +} +prigid = intres; } -prigid
Re: [Freeipa-devel] [PATCH] Permit reads to ipatokenRadiusProxyUser objects
On Thu, 2013-06-20 at 12:21 +0200, Martin Kosek wrote: > On 06/18/2013 08:27 PM, Nathaniel McCallum wrote: > > Patch attached. > > > > Hello Nathaniel, > > Thanks for the patch! I have just few general procedural comments with > submitting patch: > > 1. As you are doing a work on an upstream ticket, please assign the upstream > Trac ticket to yourself and accept it. When the patch is sent to the list, you > should also mark the ticket as "patch sent". > > 2. Please follow our patch format: > - https://fedorahosted.org/freeipa/wiki/PatchFormat > > This is just a short excerpt of our Development process: > http://www.freeipa.org/page/Contribute#Development_Process Patch is attached with proper formatting. The ticket is properly assigned and flagged. No code has changed since the last patch. >From 14ba1309f1523c87efa9f70824b2cd85891bcaa4 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum Date: Tue, 18 Jun 2013 14:21:25 -0400 Subject: [PATCH] Permit reads to ipatokenRadiusProxyUser objects This fixes an outstanding permissions issue from the OTP work. https://fedorahosted.org/freeipa/ticket/3693 --- install/share/default-aci.ldif| 2 +- ipaserver/install/plugins/update_anonymous_aci.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 18881ece4c4ccd97701a1e5bf23459915b3194c4..8a0fa60e370c152d89198a0a1c3e41a8ef1f2a13 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif 
@@ -3,7 +3,7 @@ dn: $SUFFIX changetype: modify add: aci -aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX";)(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;) +aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX";)(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;) aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";;) aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;) aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write 
own password"; allow (write) userdn="ldap:///self";;) diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py index 1e75113fc433784ddb5a348dd58dc9cd0699a97c..af4196a681b163986b0b42c4d8be3e649b2026ac 100644 --- a/ipaserver/install/plugins/update_anonymous_aci.py +++ b/ipaserver/install/plugins/update_anonymous_aci.py @@ -35,7 +35,7 @@ class update_anonymous_aci(PostUpdate): aciname = u'Enable Anonymous access' aciprefix = u'none' ldap = self.obj.backend -targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))' +targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))' filter = None (dn, entry_attrs) = ldap.get_entry(api.env.basedn, ['aci']) -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
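Review bot: Dropping `(!(objectClass=ipatokenRadiusProxyUser))` from the "Enable Anonymous access" targetfilter makes every attribute of those objects, apart from the password attributes listed in `targetattr`, readable, searchable and comparable by unauthenticated clients, and neither the commit message nor the hunk says which consumer needs anonymous rather than authenticated read. The exposure is bounded as long as the RADIUS server settings and shared secret live on ipatokenRadiusConfiguration, which the filter still excludes, but that is an inference from the remaining filter terms rather than something the patch states; I would add a sentence to the commit message naming the consumer and confirming that no secret-bearing attribute is defined on ipatokenRadiusProxyUser. The same filter string is duplicated by hand in the update_anonymous_aci.py hunk that follows; the installer and the updater can silently drift apart, so a single shared definition of the filter would be safer than editing both copies in lockstep.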