Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs

2013-07-03 Thread Alexander Bokovoy

On Mon, 01 Jul 2013, Sumit Bose wrote:

> Hi,
> 
> this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only
> to allow SSSD running on a FreeIPA server to access the AD LDAP server.
> In the ticket a more generic solution is described but since there is no
> other use case so far I think this patch is sufficient for the time
> being.
> 
> bye,
> Sumit



> From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
> From: Sumit Bose sb...@redhat.com
> Date: Mon, 1 Jul 2013 13:47:22 +0200
> Subject: [PATCH] Add PAC to master host TGTs
> 
> For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is
> needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
> of a trusted domain with the credentials of a FreeIPA server host a
> PAC must be added to the TGT for the host.

s/SALS/SASL/



> To determine if a host is a FreeIPA server or not it is checked if there
> is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
> this requires an additional LDAP lookup. But since TGS-REQs for hosts
> should be rare I think it is acceptable for the time being.

I think it is better to change this lookup to
cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX, it would
explicitly limit us to the IPA masters running AD trusts.


> +static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
> +{
> +int ret;
> +char *master_host_base = NULL;
> +LDAPMessage *result = NULL;
> +krb5_error_code err;
> +
> +ret = asprintf(master_host_base, cn=%s,cn=masters,cn=ipa,cn=etc,%s,
> +  fqdn, ipactx-base);

here: cn=ADTRUST,cn=%s,cn=masters,cn=ipa,cn=etc,%s


> +if (is_host) {
> +prigid = 515; /* Well known RID for domain computers group */

Could you please mention this fact in the commit message as well?


> +if (is_host) {
> +/* Well know RID of domain controllers group */
> +info3-base.rid = 516;

Same here.



--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
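The search base that is_master_host() builds, together with the ADTRUST-scoped variant proposed in the review above, as an added C example (not code from the FreeIPA patch): the host name is validated as a plain DNS name before it is interpolated into the DN, so the lookup fails closed on anything that is not a host name. The function names is_plain_fqdn and master_host_dn and the use of snprintf instead of the patch's asprintf are the example's own choices.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not ipa-kdb code: build the base DN that the patch's
 * is_master_host() lookup searches, optionally scoped to the ADTRUST role
 * entry suggested in the review.  fqdn must be a plain DNS host name (labels
 * of letters, digits, '-', 1..63 chars each, no leading/trailing dot, <= 253
 * chars), so no RFC 4514 metacharacter (',' '+' '=' '"' '\\') reaches it. */
bool is_plain_fqdn(const char *s)
{
    size_t len, label = 0;
    if (s == NULL || (len = strlen(s)) == 0 || len > 253) {
        return false;
    }
    for (size_t i = 0; i < len; i++) {
        char c = s[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '-';
        if (c == '.') {
            if (label == 0 || label > 63) return false; /* empty/long label */
            label = 0;
        } else if (!ok) {
            return false;                      /* DN metacharacter or junk */
        } else {
            label++;
        }
    }
    return label > 0 && label <= 63;           /* rejects a trailing dot */
}

/* malloc'd DN of fqdn's master entry (or its ADTRUST role entry) under base;
 * NULL if fqdn is not a plain host name or allocation fails.  Caller frees. */
char *master_host_dn(const char *fqdn, const char *base, bool adtrust_only)
{
    const char *fmt = "%scn=%s,cn=masters,cn=ipa,cn=etc,%s";
    const char *role = adtrust_only ? "cn=ADTRUST," : "";
    char *dn; int n;
    if (!is_plain_fqdn(fqdn) || base == NULL) {
        return NULL;
    }
    n = snprintf(NULL, 0, fmt, role, fqdn, base);   /* measure, then fill */
    if (n < 0 || (dn = malloc((size_t)n + 1)) == NULL) {
        return NULL;
    }
    snprintf(dn, (size_t)n + 1, fmt, role, fqdn, base);
    return dn;
}
```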


Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs

2013-07-03 Thread Sumit Bose
On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote:
> On Mon, 01 Jul 2013, Sumit Bose wrote:
> > Hi,
> > 
> > this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only
> > to allow SSSD running on a FreeIPA server to access the AD LDAP server.
> > In the ticket a more generic solution is described but since there is no
> > other use case so far I think this patch is sufficient for the time
> > being.
> > 
> > bye,
> > Sumit
> > 
> > From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
> > From: Sumit Bose sb...@redhat.com
> > Date: Mon, 1 Jul 2013 13:47:22 +0200
> > Subject: [PATCH] Add PAC to master host TGTs
> > 
> > For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is
> > needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
> > of a trusted domain with the credentials of a FreeIPA server host a
> > PAC must be added to the TGT for the host.
> s/SALS/SASL/

Thank you for the review, I've fixed the typo and added the numerical
values for the well-known RIDs to the commit message.

> > 
> > 
> > To determine if a host is a FreeIPA server or not it is checked if there
> > is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
> > this requires an additional LDAP lookup. But since TGS-REQs for hosts
> > should be rare I think it is acceptable for the time being.
> I think it is better to change this lookup to
> cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX, it would
> explicitly limit us to the IPA masters running AD trusts.

I'm not sure if this restriction is needed. With SSSD's ipa_server_mode
any IPA master (which networkwise can access an AD server of the trusted
domain) can read AD user and group data, no running smbd or winbind is
required. So it would be possible to run the extdom plugin or the compat
plugin for the legacy clients on any IPA server which would allow a much
better load balancing.

If there are other concerns I'm happy to add the restriction.

bye,
Sumit

> > 
> > +static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
> > +{
> > +int ret;
> > +char *master_host_base = NULL;
> > +LDAPMessage *result = NULL;
> > +krb5_error_code err;
> > +
> > +ret = asprintf(master_host_base, cn=%s,cn=masters,cn=ipa,cn=etc,%s,
> > +  fqdn, ipactx-base);
> here: cn=ADTRUST,cn=%s,cn=masters,cn=ipa,cn=etc,%s
> 
> > +if (is_host) {
> > +prigid = 515; /* Well known RID for domain computers group */
> Could you please mention this fact in the commit message as well?
> 
> > +if (is_host) {
> > +/* Well know RID of domain controllers group */
> > +info3-base.rid = 516;
> Same here.
> 
> 
> 
> -- 
> / Alexander Bokovoy
From 76b1be5d8331c92e5837e6e0f7f19fab2876be9b Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Mon, 1 Jul 2013 13:47:22 +0200
Subject: [PATCH] Add PAC to master host TGTs

For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is
needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
of a trusted domain with the credentials of a FreeIPA server host a
PAC must be added to the TGT for the host.

We use the well-known RID of the Domain Computers group (515) for the
primary gid element of the PAC, this is the same as AD uses for host
tickets.  The rid element of the PAC is set to the well-known RID of the
Domain Controllers group (516). This is working for the SSSD use case
but might be improved later for more general use cases.

To determine if a host is a FreeIPA server or not it is checked if there
is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
this requires an additional LDAP lookup. But since TGS-REQs for hosts
should be rare I think it is acceptable for the time being.

Fixes https://fedorahosted.org/freeipa/ticket/3651
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 154 ++--
 1 file changed, 115 insertions(+), 39 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 
2662b947bd589074faa1acf6a9bb97748161cb05..92dc8dd7fa6c51d9edfc4d73cef23b3129c01192
 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -58,6 +58,7 @@ static char *user_pac_attrs[] = {
 objectClass,
 uid,
 cn,
+fqdn,
 gidNumber,
 krbPrincipalName,
 krbCanonicalName,
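Review bot: `fqdn` joins user_pac_attrs without any comment on why the PAC attribute list for users now also fetches a host attribute; add a one-line comment that it feeds the is_master_host() check introduced further down, so a later cleanup does not drop it as unused.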
@@ -358,6 +359,29 @@ static int sid_split_rid(struct dom_sid *sid, uint32_t 
*rid)
 return 0;
 }
 
+static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
+{
+int ret;
+char *master_host_base = NULL;
+LDAPMessage *result = NULL;
+krb5_error_code err;
+
+ret = asprintf(master_host_base, cn=%s,cn=masters,cn=ipa,cn=etc,%s,
+  fqdn, ipactx-base);
+if (ret == -1) {
+return false;
+}
+err = ipadb_simple_search(ipactx, master_host_base, LDAP_SCOPE_BASE,
+  NULL, NULL, result);
+free(master_host_base);
+ldap_msgfree(result);
+if (err == 0) {
+return 
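Review bot: every failure in is_master_host() collapses into `false` with no log message: the `if (ret == -1)` branch after asprintf and any non-zero err from ipadb_simple_search are indistinguishable from a genuine non-master host, so a transient LDAP error during a TGS-REQ silently issues a host TGT without a PAC and the later GSSAPI bind to AD fails with nothing pointing at this function. Log err when it is not the not-found case. The search base is also `cn=%s,cn=masters,cn=ipa,cn=etc,%s` while the commit message says cn=master,cn=ipa,cn=etc,$base; align the message with the code.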

[Freeipa-devel] [PATCH] 117 extdom: replace winbind calls with POSIX/SSSD calls

2013-07-03 Thread Sumit Bose
Hi,

with this patch the extdom plugin, the LDAP extended operation that
allows IPA clients with recent SSSD to lookup AD users and groups, will
not use winbind for the lookup anymore but will use SSSD running in
ipa_server_mode.

Since now no plugin uses the winbind client libraries anymore, the
second patch removes the related configure checks.

I think for the time being we cannot remove winbind completely because
it might be needed for smbd to work properly in a trusted environment.

bye,
Sumit
From 14c5947a73a7c61de2b71b338ce1c7c1f6771f13 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Wed, 3 Jul 2013 14:27:14 +0200
Subject: [PATCH 117/118] extdom: replace winbind calls with POSIX/SSSD calls

With the new ipa_server_mode SSSD is able to read user and group data
from trusted AD domains directly and makes this data available via the
NSS responder. With this mode enabled winbind is not needed anymore to
lookup users and groups of trusted domains.

This patch removes the calls to winbind from the extdom plugin and
replaces them with standard POSIX calls like getpwnam() and calls from
libsss_nss_idmap to lookup SIDs.

Fixes https://fedorahosted.org/freeipa/ticket/3637 because now the
extdom plugin does not need to handle idranges anymore, but everything
is done inside SSSD.
---
 daemons/configure.ac   |   1 +
 .../ipa-slapi-plugins/ipa-extdom-extop/Makefile.am |   6 +-
 .../ipa-extdom-extop/ipa_extdom.h  |  34 +-
 .../ipa-extdom-extop/ipa_extdom_common.c   | 505 +
 .../ipa-extdom-extop/ipa_extdom_extop.c|   4 +-
 .../ipa-extdom-extop/ipa_extdom_tests.c|  12 +-
 6 files changed, 261 insertions(+), 301 deletions(-)

diff --git a/daemons/configure.ac b/daemons/configure.ac
index 
21d4e7a77c98e3dc7c630724b1124f1c213d0e6f..62722d554a685e6a13642fb7171a62f7a4e38fda
 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -240,6 +240,7 @@ dnl -- dirsrv is needed for the extdom unit tests --
 PKG_CHECK_MODULES([DIRSRV], [dirsrv  = 1.3.0])
 dnl -- sss_idmap is needed by the extdom exop --
 PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap])
+PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap])
 
 dnl ---
 dnl - Check for systemd unit directory
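Review bot: the new PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap]) carries no minimum version, unlike the dirsrv check a few lines above; since the plugin now depends on the SID lookup functions of libsss_nss_idmap, pin the first SSSD release that ships them so a build against an older SSSD fails at configure time rather than at link time.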
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
index 
67b556a4ac6e2ca8ef72901c0d9bcaef428aeca0..df0c30562f09bf0e29464c9bb05f7befbd3997e1
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
@@ -15,9 +15,9 @@ AM_CPPFLAGS = 
\
-DDATADIR=\$(datadir)\  \
$(AM_CFLAGS)\
$(LDAP_CFLAGS)  \
-   $(WBCLIENT_CFLAGS)  \
$(WARN_CFLAGS)  \
$(SSSIDMAP_CFLAGS)  \
+   $(SSSNSSIDMAP_CFLAGS)   \
$(NULL)
 
 plugindir = $(libdir)/dirsrv/plugins
@@ -34,8 +34,8 @@ libipa_extdom_extop_la_LDFLAGS = -avoid-version
 
 libipa_extdom_extop_la_LIBADD =\
$(LDAP_LIBS)\
-   $(WBCLIENT_LIBS)\
$(SSSIDMAP_LIBS)\
+   $(SSSNSSIDMAP_LIBS) \
$(NULL)
 
 if HAVE_CHECK
@@ -54,9 +54,9 @@ extdom_tests_LDFLAGS =\
 extdom_tests_LDADD =   \
$(CHECK_LIBS)   \
$(LDAP_LIBS)\
-   $(WBCLIENT_LIBS)\
$(DIRSRV_LIBS)  \
$(SSSIDMAP_LIBS)\
+   $(SSSNSSIDMAP_LIBS) \
$(NULL)
 
 appdir = $(IPA_DATA_DIR)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
index 
5c2eeddceb3983fa5793c1a7fa86c5001c47beba..5f834a047a579104cd2589ce417c580c1c5388d3
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
@@ -53,14 +53,15 @@
 #include stdbool.h
 #include stdlib.h
 #include stdint.h
-
-#include samba-4.0/wbclient.h
+#include pwd.h
+#include grp.h
 
 #include dirsrv/slapi-plugin.h
 #include lber.h
 #include time.h
 
 #include sss_idmap.h
+#include sss_nss_idmap.h
 
 #define EXOP_EXTDOM_OID 2.16.840.1.113730.3.8.10.4
 
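Review bot: pwd.h and grp.h replace wbclient.h here and the commit message names getpwnam(); the extdom plugin runs inside the multithreaded directory server, so the reentrant getpwnam_r()/getgrnam_r() family with a caller-supplied buffer (sized from sysconf(_SC_GETPW_R_SIZE_MAX) and retried on ERANGE) must be used. Worth confirming in ipa_extdom_common.c, which is not part of this excerpt.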
@@ -114,18 +115,18 @@ struct extdom_res {
 union {
 char *sid;
 struct {
-const char *domain_name;
-const char *object_name;
+char *domain_name;
+char *object_name;
 } name;
 struct {
-const char *domain_name;
-const char *user_name;
+char *domain_name;
+char 
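Review bot: dropping const from domain_name and object_name (and, it seems, user_name) in struct extdom_res means these strings are now owned by the result and must be freed; the hunk is cut off here, so check that the function releasing struct extdom_res frees each union member for the matching response type and that no caller still stores a string literal or borrowed pointer in these fields.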

[Freeipa-devel] [PATCH] Fix client install exception if /etc/ssh is missing

2013-07-03 Thread Nathaniel McCallum
https://fedorahosted.org/freeipa/ticket/3766
From 4754bab56c0438a7b735c1473f9199ad7f2ced0a Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Wed, 3 Jul 2013 15:52:15 -0400
Subject: [PATCH] Fix client install exception if /etc/ssh is missing

https://fedorahosted.org/freeipa/ticket/3766
---
 ipa-client/ipa-install/ipa-client-install | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index b1881619d46c6e2e2beadd5130c92947e9c59aa3..bb846ec34122bf03a7bb68fc4b04f1f3de377fd3 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1412,7 +1412,11 @@ def client_dns(server, hostname, dns_updates=False):
 
 def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
 pubkeys = []
-for basename in os.listdir(ssh_dir):
+try:
+filenames = os.listdir(ssh_dir)
+except OSError:
+filenames = []
+for basename in filenames:
 if not basename.endswith('.pub'):
 continue
 filename = os.path.join(ssh_dir, basename)
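Review bot: `except OSError` swallows every os.listdir failure, not only the missing /etc/ssh directory the ticket is about; a permission error on an existing ssh_dir would silently enroll the host with no SSH public keys and no SSHFP records. Narrow it to errno.ENOENT (and ENOTDIR) and re-raise or at least log the rest, e.g. `except OSError as e:` / `if e.errno != errno.ENOENT: raise` / `filenames = []`.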
-- 
1.8.3.1
