[SSSD] [sssd PR#5847][comment] pam_sss: Allow offline authentication against non-ipa-desktopprofiles aware DC
URL: https://github.com/SSSD/sssd/pull/5847
Title: #5847: pam_sss: Allow offline authentication against non-ipa-desktopprofiles aware DC

abbra commented:
"""
In FreeIPA, if desktop profiles' support is enabled, the data is in the replicated tree. This means you should be able to retrieve all the data from any IPA server. If desktop profiles' support is not enabled, nothing will be available at any server. In both cases the lack of fetched rules or missing desktop profiles support has the same meaning for the client. Probably not worth storing this difference.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5847#issuecomment-960937327

___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[SSSD] [sssd PR#5498][comment] Covscan fixes
URL: https://github.com/SSSD/sssd/pull/5498
Title: #5498: Covscan fixes

abbra commented:
"""
@alexey-tikhonov thanks for handling this. I am OK with dropping the remaining patch.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5498#issuecomment-792686243
[SSSD] [sssd PR#5498][comment] Covscan fixes
URL: https://github.com/SSSD/sssd/pull/5498
Title: #5498: Covscan fixes

abbra commented:
"""
I did receive them but had no time to fix. If you have some time, please feel free to overtake this PR. I don't think I'll have much time until maybe mid-March.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5498#issuecomment-789576996
[SSSD] [sssd PR#5494][comment] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Title: #5494: pam_sss_gss: support authentication indicators

abbra commented:
"""
@sumit-bose thank you! I added this one line and re-pushed.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5494#issuecomment-776927996
[SSSD] [sssd PR#5494][synchronized] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Author: abbra
Title: #5494: pam_sss_gss: support authentication indicators
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5494/head:pr5494
git checkout pr5494

From c15cd84dd151d084dda7d176d8921c77e7145276 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 5 Feb 2021 20:36:27 +0200
Subject: [PATCH] pam_sss_gss: support authentication indicators

MIT Kerberos allows associating authentication indicators with the issued ticket based on how the TGT was obtained. The indicators present in the TGT are then copied to service tickets.

There are two ways to check the authentication indicators:
- when the KDC issues a service ticket, a policy on the KDC side can reject the ticket issuance based on the lack of a certain indicator
- when a server application is presented with a service ticket from a client, it can verify that this ticket contains the intended authentication indicators before authorizing access from the client.

Add support to validate the presence of a specific (set of) authentication indicator(s) in pam_sss_gss when validating a user's TGT. This concept can be used to only allow access to a PAM service when the user is in possession of a ticket obtained using some of the pre-authentication mechanisms that require multiple factors: smart-cards (PKINIT), 2FA tokens (otp/radius), etc.

Resolves: https://github.com/SSSD/sssd/issues/5482
Signed-off-by: Alexander Bokovoy
---
 src/confdb/confdb.c                  |  13 ++
 src/confdb/confdb.h                  |   3 +
 src/config/SSSDConfig/sssdoptions.py |   2 +
 src/config/SSSDConfigTest.py         |   6 +-
 src/config/cfg_rules.ini             |   3 +
 src/config/etc/sssd.api.conf         |   2 +
 src/db/sysdb_subdomains.c            |  12 ++
 src/man/pam_sss_gss.8.xml            |  13 ++
 src/man/sssd.conf.5.xml              |  64 +++
 src/responder/pam/pamsrv.c           |  21 +++
 src/responder/pam/pamsrv.h           |   2 +
 src/responder/pam/pamsrv_gssapi.c    | 250 +++
 12 files changed, 389 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index befcfff2db..cca76159bc 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1603,6 +1603,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, } } +tmp = ldb_msg_find_attr_as_string(res->msgs[0], + CONFDB_PAM_GSSAPI_INDICATORS_MAP, + NULL); +if (tmp != NULL && tmp[0] != '\0') { +ret = split_on_separator(domain, tmp, ',', true, true, + >gssapi_indicators_map, NULL); +if (ret != 0) { +DEBUG(SSSDBG_FATAL_FAILURE, + "Cannot parse %s\n", CONFDB_PAM_GSSAPI_INDICATORS_MAP); +goto done; +} +} + domain->has_views = false; domain->view_name = NULL; diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 036f9ecadf..a2be227ddd 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -146,6 +146,7 @@ #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme" #define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services" #define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn" +#define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map" /* SUDO */ #define CONFDB_SUDO_CONF_ENTRY "config/sudo" @@ -437,6 +438,8 @@ struct sss_domain_info { /* List of PAM services that are allowed to authenticate with GSSAPI. */ char **gssapi_services; char *gssapi_check_upn; /* true | false | NULL */ +/* List of indicators associated with the specific PAM service */ +char **gssapi_indicators_map; }; /** diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py index fb9a9aa43c..5d9946ba8f 100644 --- a/src/config/SSSDConfig/sssdoptions.py +++ b/src/config/SSSDConfig/sssdoptions.py 
@@ -106,6 +106,8 @@ def __init__(self): 'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'), 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'), 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'), +'pam_gssapi_indicators_map' : _('List of pairs : that ' +'must be enforced for PAM access with GSSAPI authentication'), # [sudo] 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 6a95e63dd1..04c4b35baa 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -655,7 +655,8 @@ def testListOptions(self): 'cached_auth_timeout', 'auto_private
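Review bot: In the confdb.c hunk the new option value is only split on ',' (`split_on_separator(domain, tmp, ',', true, true, ...)`); as far as this hunk shows, nothing checks at load time that each element has the expected `service:indicator` shape, so a mistyped element is accepted here and, depending on how the PAM responder treats it, can silently drop the restriction for the service it was meant to cover. Consider validating the element format in this block and failing the domain configuration with the same `SSSDBG_FATAL_FAILURE` "Cannot parse %s" path, so that a misconfiguration of an access-control option is loud rather than ignored.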
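Review bot: The field comment in the confdb.h hunk, `/* List of indicators associated with the specific PAM service */`, does not say what an element of `gssapi_indicators_map` looks like, and since the field holds the raw result of the comma split a reader of `struct sss_domain_info` has to go find the parser to learn the format. Document the element shape next to the field (service-qualified pair versus bare indicator, and the `-` cancel value mentioned in the PR discussion), matching what the sssdoptions.py help string promises.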
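Review bot: The help string added in the sssdoptions.py hunk reads `'List of pairs : that ' 'must be enforced for PAM access with GSSAPI authentication'`, with nothing naming the two halves of the pair; if angle-bracket placeholders were lost on the way here, restore them, otherwise spell the format out in words (PAM service name and authentication indicator) so the generated configuration documentation is self-explanatory.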
[SSSD] [sssd PR#5494][comment] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Title: #5494: pam_sss_gss: support authentication indicators

abbra commented:
"""
Moved the covscan fixes to PR https://github.com/SSSD/sssd/pull/5498
"""

See the full comment at https://github.com/SSSD/sssd/pull/5494#issuecomment-776655139
[SSSD] [sssd PR#5498][opened] Covscan fixes
URL: https://github.com/SSSD/sssd/pull/5498 Author: abbra Title: #5498: Covscan fixes Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5498/head:pr5498 git checkout pr5498 From 7a6cc2f05bd33b43d27e02489290f8d217e8ab36 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 9 Feb 2021 21:52:19 +0200 Subject: [PATCH 1/4] prompt config: fix covscan errors Covscan is confused by dangling pointers in arrays after freeing. Its analyzer may decide to visit already visited list elements and since they weren't NULL-ed, it may consider double-free to happen in the code. Signed-off-by: Alexander Bokovoy --- src/sss_client/pam_sss_prompt_config.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/src/sss_client/pam_sss_prompt_config.c b/src/sss_client/pam_sss_prompt_config.c index 35094b4068..1c67fb18fd 100644 --- a/src/sss_client/pam_sss_prompt_config.c +++ b/src/sss_client/pam_sss_prompt_config.c @@ -98,6 +98,7 @@ static void pc_free_password(struct prompt_config *pc) { if (pc != NULL && pc_get_type(pc) == PC_TYPE_PASSWORD) { free(pc->data.password.prompt); +pc->data.password.prompt = NULL; } return; } @@ -106,7 +107,9 @@ static void pc_free_2fa(struct prompt_config *pc) { if (pc != NULL && pc_get_type(pc) == PC_TYPE_2FA) { free(pc->data.two_fa.prompt_1st); +pc->data.two_fa.prompt_1st = NULL; free(pc->data.two_fa.prompt_2nd); +pc->data.two_fa.prompt_2nd = NULL; } return; } @@ -115,6 +118,7 @@ static void pc_free_2fa_single(struct prompt_config *pc) { if (pc != NULL && pc_get_type(pc) == PC_TYPE_2FA_SINGLE) { free(pc->data.two_fa_single.prompt); +pc->data.two_fa_single.prompt = NULL; } return; } @@ -123,6 +127,7 @@ static void pc_free_sc_pin(struct prompt_config *pc) { if (pc != NULL && pc_get_type(pc) == PC_TYPE_SC_PIN) { free(pc->data.sc_pin.prompt); +pc->data.sc_pin.prompt = NULL; } return; } 
@@ -153,6 +158,7 @@ void pc_list_free(struct prompt_config **pc_list) return; } free(pc_list[c]); +pc_list[c] = NULL; } free(pc_list); } @@ -541,6 +547,7 @@ errno_t pc_list_from_response(int size, uint8_t *buf, done: if (ret != EOK) { pc_list_free(pl); +pl = NULL; } return ret; From 0f65a3900c0695598203484f1f3f92bef3f1f604 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 9 Feb 2021 22:02:46 +0200 Subject: [PATCH 2/4] pam_sss: free env_item when not needed Signed-off-by: Alexander Bokovoy --- src/sss_client/pam_sss.c | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index fa5a9694b8..aa0234c3ae 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -996,7 +996,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, { int ret; size_t p=0; -char *env_item; +char *env_item = NULL; int32_t c; int32_t type; int32_t len; @@ -1020,6 +1020,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, while(c>0) { if (buflen < (p+2*sizeof(int32_t))) { D(("response buffer is too small")); +free(env_item); return PAM_BUF_ERR; } @@ -1031,6 +1032,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, if (buflen < (p + len)) { D(("response buffer is too small")); +free(env_item); return PAM_BUF_ERR; } @@ -1207,6 +1209,9 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, p += len; --c; + +free(env_item); +env_item = NULL; } return PAM_SUCCESS; @@ -2139,7 +2144,7 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv, static int prompt_by_config(pam_handle_t *pamh, struct pam_items *pi) { size_t c; -int ret; +int ret = PAM_SYSTEM_ERR; if (pi->pc == NULL || *pi->pc == NULL) { return PAM_SYSTEM_ERR; From 2eeb2337d812abc4b88c563078c7256f68a767ea Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy Date: Wed, 10 Feb 2021 09:17:08 +0200 Subject: [PATCH 3/4] covscan: initialize ret variable before use covscan does consider 'ret' unitialized even though GET_ATTR/GET_ATTR_ARRAY macros have explicit and unconditional assignment to ret. This is confusing but causing actual failures in covscan runs. Signed-off-by: Alexander Bokovoy --- src/lib/sifp/sss_sifp_attrs.c | 32 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/src/lib/sifp/sss_sifp_attrs.c b/src/lib/sifp/sss_sifp_att
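Review bot: In the `pc_list_from_response` hunk of pam_sss_prompt_config.c, the added `pl = NULL;` after `pc_list_free(pl);` in the `done:` block is a dead store, since the only statement that follows is `return ret;`. It is harmless, but if the purpose is to quiet covscan's use-after-free heuristic, a one-line comment saying so will stop the next reader from deleting it as unused; alternatively, let `pc_list_free` clear the caller's pointer itself (a `struct prompt_config ***` parameter), which covers every caller rather than this one.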
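Review bot: The pam_sss.c hunks add `free(env_item);` on both `PAM_BUF_ERR` early returns and `free(env_item); env_item = NULL;` at the bottom of the `while(c>0)` loop, but the response-type branch that allocates `env_item` is not in the visible context. Please confirm that that branch no longer frees the string itself after handing it to PAM; if it still does, the loop-end free is a double free rather than a leak fix, and the `= NULL` reset belongs immediately after that inner free instead.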
[SSSD] [sssd PR#5494][synchronized] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Author: abbra
Title: #5494: pam_sss_gss: support authentication indicators
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5494/head:pr5494
git checkout pr5494

From b48633f72f997a3674cf5ea8bcd453ff18191edf Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 5 Feb 2021 20:36:27 +0200
Subject: [PATCH] pam_sss_gss: support authentication indicators

MIT Kerberos allows associating authentication indicators with the issued ticket based on how the TGT was obtained. The indicators present in the TGT are then copied to service tickets.

There are two ways to check the authentication indicators:
- when the KDC issues a service ticket, a policy on the KDC side can reject the ticket issuance based on the lack of a certain indicator
- when a server application is presented with a service ticket from a client, it can verify that this ticket contains the intended authentication indicators before authorizing access from the client.

Add support to validate the presence of a specific (set of) authentication indicator(s) in pam_sss_gss when validating a user's TGT. This concept can be used to only allow access to a PAM service when the user is in possession of a ticket obtained using some of the pre-authentication mechanisms that require multiple factors: smart-cards (PKINIT), 2FA tokens (otp/radius), etc.

Resolves: https://github.com/SSSD/sssd/issues/5482
Signed-off-by: Alexander Bokovoy
---
 src/confdb/confdb.c                  |  13 ++
 src/confdb/confdb.h                  |   3 +
 src/config/SSSDConfig/sssdoptions.py |   2 +
 src/config/SSSDConfigTest.py         |   6 +-
 src/config/cfg_rules.ini             |   3 +
 src/config/etc/sssd.api.conf         |   2 +
 src/db/sysdb_subdomains.c            |  11 ++
 src/man/pam_sss_gss.8.xml            |  13 ++
 src/man/sssd.conf.5.xml              |  64 +++
 src/responder/pam/pamsrv.c           |  21 +++
 src/responder/pam/pamsrv.h           |   2 +
 src/responder/pam/pamsrv_gssapi.c    | 250 +++
 12 files changed, 388 insertions(+), 2 deletions(-)
[SSSD] [sssd PR#5494][comment] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Title: #5494: pam_sss_gss: support authentication indicators

abbra commented:
"""
I'll move covscan fixes to a separate PR.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5494#issuecomment-776650660
[SSSD] [sssd PR#5494][comment] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Title: #5494: pam_sss_gss: support authentication indicators

abbra commented:
"""
@alexey-tikhonov so I looked closer at the covscan failure that prevents the clean run. It is due to the following problem:

```
RPM build errors:
error: Empty %files file /builddir/build/BUILD/sssd-2.4.2/sssd_client.lang
Empty %files file /builddir/build/BUILD/sssd-2.4.2/sssd_client.lang
[WARNING] Build command sh -c unset XML_CATALOG_FILES; sh -c "rpmbuild -bi --nodeps --short-circuit /builddir/build/SPECS/sssd.spec '--define' '_without_testsuite 1' '--define' 'apidocs 0' '--define' 'libguestfs_runtests 0' '--define' 'runselftest 0' '--define' 'with_publican 0' '--without' 'binfilter' '--without' 'docs' '--without' 'langpacks' '--define' '_smp_mflags -j13' '--nocheck'" exited with code 1. Please verify that the build completed successfully.
[WARNING] No files were emitted. This may be due to a problem with your configuration or because no files were actually compiled by your build command. Please make sure you have configured the compilers actually used in the compilation.
For more details, please look at: /builddir/cov/build-log.txt
Finish: chroot ['/bin/su mockbuild -l -c "PATH=/usr/lib64/csclng:/usr/lib64/cscppc:/usr/lib64/csgcca:/usr/lib64/cswrap:\\$PATH CSWRAP_DEL_CXXFLAGS=\\$\'-Werror*:-fdiagnostics-color*:-no-canonical-prefixes:-Wno-error=deprecated-register\' CSWRAP_DEL_CFLAGS=\\$\'-Werror*:-fdiagnostics-color*:-no-canonical-prefixes:-Wno-error=deprecated-register\' CSWRAP_ADD_CFLAGS=\\$\'-Wno-unknown-pragmas\' CSWRAP_ADD_CXXFLAGS=\\$\'\' CSWRAP_TIMEOUT_FOR=\\$\'::cppcheck:clang:clang++:gcc\' COVERITY_UNSUPPORTED_COMPILER_INVOCATION=\\$\'1\' CSWRAP_TIMEOUT=\\$\'30\' CSWRAP_CAP_FILE=\\$\'/builddir/cswrap-capture.err\' sh -c \\"/opt/coverity/bin/cov-build --dir /builddir/cov --append-log sh -c \\"unset XML_CATALOG_FILES; sh -c \\"rpmbuild -bi --nodeps --short-circuit /builddir/build/SPECS/sssd.spec \'--define\' \'_without_testsuite 1\' \'--define\' \'apidocs 0\' \'--define\' \'libguestfs_runtests 0\' \'--define\' \'runselftest 0\' \'--define\' \'with_publican 0\' \'--without\' \'binfilter\' \'--without\' \'docs\' \'--without\' \'langpacks\' \'--define\' \'_smp_mflags -j13\' \'--nocheck\'\\"\\"\\""']
!!! 2021-02-10 09:35:08 error: %install failed
```

I saw this issue myself and reported it to @pbrezina already. This is definitely a difference between the 2.4.1 release and current git master, because when I add the patches from this PR to 2.4.1, there is no failure in rebuilds.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5494#issuecomment-776542413
[SSSD] [sssd PR#5494][comment] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Title: #5494: pam_sss_gss: support authentication indicators

abbra commented:
"""
Added a few more covscan fixes.

@sumit-bose asked on IRC to add a way to 'cancel' the authentication indicator check in a subdomain. I added support for `-` to achieve that, so it can be specified in a `pam_gssapi_indicators_map` in a subdomain configuration directly or per PAM service, e.g. `service:-`.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5494#issuecomment-776520408
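The mapping syntax described in this comment and in the PR's commit message (indicators optionally qualified by a PAM service, plus `-` to cancel the check), as an added example that is not SSSD's code: a small C model of how such a map is parsed and then evaluated against the indicators found in a ticket. The precedence rules and the any-of semantics encoded below are assumptions, stated in the header comment, since the real pamsrv_gssapi.c logic is not on this page; the function names and the sample map are constructed for the example.

```c
/* Added example, not SSSD code: a model of the policy pam_gssapi_indicators_map
 * expresses. Assumed semantics: comma separated "indicator" (every service) or
 * "service:indicator" entries; "-" cancels the check, globally or as "service:-";
 * entries naming the service override unqualified ones; a ticket passes when it
 * carries at least one applicable indicator; no applicable entry means no check. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define MAX_ENTRIES 32
#define MAX_TOKEN   64

struct ind_entry {
    char service[MAX_TOKEN];   /* "" means every PAM service */
    char indicator[MAX_TOKEN]; /* "-" means the check is cancelled */
};
struct ind_map {
    struct ind_entry entries[MAX_ENTRIES];
    size_t count;
};

/* Copy [p, p+len) into out without surrounding spaces; false if too long. */
static bool copy_token(const char *p, size_t len, char *out)
{
    while (len > 0 && p[0] == ' ') { p++; len--; }
    while (len > 0 && p[len - 1] == ' ') len--;
    if (len >= MAX_TOKEN) return false;
    memcpy(out, p, len);
    out[len] = '\0';
    return true;
}

/* Parse e.g. "sshd:pkinit, sshd:otp, sudo:-, pkinit". An empty value means "not
 * configured"; empty entries, "sshd:", ":pkinit" and overlong tokens are rejected. */
static bool ind_map_parse(const char *value, struct ind_map *map)
{
    map->count = 0;
    if (value[0] == '\0') return true;
    for (const char *p = value;;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (map->count == MAX_ENTRIES) return false;
        struct ind_entry *e = &map->entries[map->count];
        const char *colon = memchr(p, ':', len);
        if (colon) {
            size_t slen = (size_t)(colon - p);
            if (!copy_token(p, slen, e->service) || e->service[0] == '\0')
                return false;
            if (!copy_token(colon + 1, len - slen - 1, e->indicator))
                return false;
        } else {
            e->service[0] = '\0';
            if (!copy_token(p, len, e->indicator)) return false;
        }
        if (e->indicator[0] == '\0') return false;
        map->count++;
        if (end == NULL) break;
        p = end + 1;
    }
    return true;
}

/* May a ticket carrying these indicators (space separated, "" for none)
 * access the given PAM service under this map? */
static bool ind_map_allows(const struct ind_map *map, const char *service,
                           const char *ticket_indicators)
{
    bool specific = false;   /* does some entry name this exact service? */
    for (size_t i = 0; i < map->count; i++)
        if (strcmp(map->entries[i].service, service) == 0) specific = true;
    bool required = false;
    for (size_t i = 0; i < map->count; i++) {
        const struct ind_entry *e = &map->entries[i];
        bool applies = specific ? strcmp(e->service, service) == 0
                                : e->service[0] == '\0';
        if (!applies) continue;
        if (strcmp(e->indicator, "-") == 0) return true; /* check cancelled */
        required = true;
        char buf[256];   /* strtok needs a writable copy */
        if (strlen(ticket_indicators) >= sizeof(buf)) return false;
        strcpy(buf, ticket_indicators);
        for (char *t = strtok(buf, " "); t != NULL; t = strtok(NULL, " "))
            if (strcmp(t, e->indicator) == 0) return true;
    }
    return !required;   /* nothing is enforced for this service */
}

/* Convenience wrapper: -1 malformed map, 0 access denied, 1 access allowed. */
static int indicators_check(const char *map_value, const char *service,
                            const char *ticket_indicators)
{
    struct ind_map map;
    if (!ind_map_parse(map_value, &map)) return -1;
    return ind_map_allows(&map, service, ticket_indicators) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample configuration and constructed ticket contents. */
    const char *map = "sshd:pkinit, sshd:otp, sudo:-, pkinit";
    printf("sshd with an otp ticket: %d\n", indicators_check(map, "sshd", "otp"));
    printf("login with otp only:     %d\n", indicators_check(map, "login", "otp"));
    printf("malformed entry 'sshd:': %d\n", indicators_check("sshd:", "sshd", "pkinit"));
    return 0;
}
```

The parser rejects a malformed entry instead of skipping it, which is the behaviour a defender wants from an option that gates access: a typo must fail loudly rather than quietly remove the requirement.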
[SSSD] [sssd PR#5494][synchronized] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Author: abbra
Title: #5494: pam_sss_gss: support authentication indicators
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5494/head:pr5494
git checkout pr5494

From b48633f72f997a3674cf5ea8bcd453ff18191edf Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 5 Feb 2021 20:36:27 +0200
Subject: [PATCH 1/5] pam_sss_gss: support authentication indicators

MIT Kerberos allows associating authentication indicators with the issued ticket based on how the TGT was obtained. The indicators present in the TGT are then copied to service tickets.

There are two ways to check the authentication indicators:
- when the KDC issues a service ticket, a policy on the KDC side can reject the ticket issuance based on the lack of a certain indicator
- when a server application is presented with a service ticket from a client, it can verify that this ticket contains the intended authentication indicators before authorizing access from the client.

Add support to validate the presence of a specific (set of) authentication indicator(s) in pam_sss_gss when validating a user's TGT. This concept can be used to only allow access to a PAM service when the user is in possession of a ticket obtained using some of the pre-authentication mechanisms that require multiple factors: smart-cards (PKINIT), 2FA tokens (otp/radius), etc.

Resolves: https://github.com/SSSD/sssd/issues/5482
Signed-off-by: Alexander Bokovoy
---
 src/confdb/confdb.c                  |  13 ++
 src/confdb/confdb.h                  |   3 +
 src/config/SSSDConfig/sssdoptions.py |   2 +
 src/config/SSSDConfigTest.py         |   6 +-
 src/config/cfg_rules.ini             |   3 +
 src/config/etc/sssd.api.conf         |   2 +
 src/db/sysdb_subdomains.c            |  11 ++
 src/man/pam_sss_gss.8.xml            |  13 ++
 src/man/sssd.conf.5.xml              |  64 +++
 src/responder/pam/pamsrv.c           |  21 +++
 src/responder/pam/pamsrv.h           |   2 +
 src/responder/pam/pamsrv_gssapi.c    | 250 +++
 12 files changed, 388 insertions(+), 2 deletions(-)
[SSSD] [sssd PR#5494][comment] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Title: #5494: pam_sss_gss: support authentication indicators

abbra commented:
"""
@alexey-tikhonov I ran covscan for my patches and while it still failed, at least two issues addressed by the separate patches here were fixed. I see a few more, though. They are the same as in 2.4.0/2.4.1 runs, so auth-indicators support didn't add anything new.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5494#issuecomment-776492748
[SSSD] [sssd PR#5494][comment] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Title: #5494: pam_sss_gss: support authentication indicators

abbra commented:
"""
@alexey-tikhonov I fixed a couple of covscan-reported issues. There are others which are due to covscan not finishing its analysis in the limited time and thus killing its child process by timeout.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5494#issuecomment-776206479
[SSSD] [sssd PR#5494][synchronized] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Author: abbra
Title: #5494: pam_sss_gss: support authentication indicators
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5494/head:pr5494
git checkout pr5494

From 227ffb3c6d205048a905a1523bb4961767542476 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 5 Feb 2021 20:36:27 +0200
Subject: [PATCH 1/3] pam_sss_gss: support authentication indicators

MIT Kerberos allows associating authentication indicators with the issued ticket based on how the TGT was obtained. The indicators present in the TGT are then copied to service tickets.

There are two ways to check the authentication indicators:
- when the KDC issues a service ticket, a policy on the KDC side can reject the ticket issuance based on the lack of a certain indicator
- when a server application is presented with a service ticket from a client, it can verify that this ticket contains the intended authentication indicators before authorizing access from the client.

Add support to validate the presence of a specific (set of) authentication indicator(s) in pam_sss_gss when validating a user's TGT. This concept can be used to only allow access to a PAM service when the user is in possession of a ticket obtained using some of the pre-authentication mechanisms that require multiple factors: smart-cards (PKINIT), 2FA tokens (otp/radius), etc.

Resolves: https://github.com/SSSD/sssd/issues/5482
Signed-off-by: Alexander Bokovoy
---
 src/confdb/confdb.c                  |  13 ++
 src/confdb/confdb.h                  |   3 +
 src/config/SSSDConfig/sssdoptions.py |   2 +
 src/config/SSSDConfigTest.py         |   6 +-
 src/config/cfg_rules.ini             |   3 +
 src/config/etc/sssd.api.conf         |   2 +
 src/db/sysdb_subdomains.c            |  11 ++
 src/man/pam_sss_gss.8.xml            |  13 ++
 src/man/sssd.conf.5.xml              |  59 +++
 src/responder/pam/pamsrv.c           |  21 +++
 src/responder/pam/pamsrv.h           |   2 +
 src/responder/pam/pamsrv_gssapi.c    | 235 +++
 12 files changed, 368 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index befcfff2db..cca76159bc 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1603,6 +1603,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, } } +tmp = ldb_msg_find_attr_as_string(res->msgs[0], + CONFDB_PAM_GSSAPI_INDICATORS_MAP, + NULL); +if (tmp != NULL && tmp[0] != '\0') { +ret = split_on_separator(domain, tmp, ',', true, true, + >gssapi_indicators_map, NULL); +if (ret != 0) { +DEBUG(SSSDBG_FATAL_FAILURE, + "Cannot parse %s\n", CONFDB_PAM_GSSAPI_INDICATORS_MAP); +goto done; +} +} + domain->has_views = false; domain->view_name = NULL; diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 036f9ecadf..a2be227ddd 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -146,6 +146,7 @@ #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme" #define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services" #define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn" +#define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map" /* SUDO */ #define CONFDB_SUDO_CONF_ENTRY "config/sudo" @@ -437,6 +438,8 @@ struct sss_domain_info { /* List of PAM services that are allowed to authenticate with GSSAPI. */ char **gssapi_services; char *gssapi_check_upn; /* true | false | NULL */ +/* List of indicators associated with the specific PAM service */ +char **gssapi_indicators_map; }; /** diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py index fb9a9aa43c..5d9946ba8f 100644 --- a/src/config/SSSDConfig/sssdoptions.py +++ b/src/config/SSSDConfig/sssdoptions.py 
@@ -106,6 +106,8 @@ def __init__(self): 'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'), 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'), 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'), +'pam_gssapi_indicators_map' : _('List of pairs : that ' +'must be enforced for PAM access with GSSAPI authentication'), # [sudo] 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 6a95e63dd1..04c4b35baa 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -655,7 +655,8 @@ def testListOptions(self): 'cached_auth
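Review bot: in the confdb.c hunk the option value is only split on ',' at load time; the per-entry `service:indicator` syntax is not validated here, so a malformed entry (a stray separator, an empty field) lands in `gssapi_indicators_map` and is only noticed when the PAM responder consults it. Consider checking each entry right after `split_on_separator` and taking the same `SSSDBG_FATAL_FAILURE` / `goto done` path, so that a typo in an access-control setting is rejected at startup instead of quietly changing which indicators a service accepts. The `tmp != NULL && tmp[0] != '\0'` guard is the right call: an empty `pam_gssapi_indicators_map =` now means "no map" rather than reaching `split_on_separator`.

Review bot: the new field's comment in the confdb.h struct hunk, `List of indicators associated with the specific PAM service`, does not say what an element looks like. From the option's help text and the example configuration in this thread (`hardened, sudo:pkinit, sudo-i:otp`) an entry is either `service:indicator` or a bare indicator that applies to every service; spell that out in the comment, and say whether a service with no entry is unrestricted, since this struct is what readers of pamsrv_gssapi.c will consult first.

Review bot: the help string in the sssdoptions.py hunk reads `List of pairs : that must be enforced ...`; the two placeholder names around the colon are missing in the rendered patch, most likely because they were written in angle brackets and dropped as markup. Write them out as plain words, for example `List of PAM-service:indicator pairs that must be enforced for PAM access with GSSAPI authentication`, so the description survives any tooling that strips angle brackets.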
[SSSD] [sssd PR#5494][synchronized] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Author: abbra
Title: #5494: pam_sss_gss: support authentication indicators
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5494/head:pr5494
git checkout pr5494

From 227ffb3c6d205048a905a1523bb4961767542476 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 5 Feb 2021 20:36:27 +0200
Subject: [PATCH 1/2] pam_sss_gss: support authentication indicators

MIT Kerberos allows associating authentication indicators with the issued ticket based on how the TGT was obtained. The indicators present in the TGT are then copied to service tickets.

There are two ways to check the authentication indicators:

- when the KDC issues a service ticket, a policy on the KDC side can reject the ticket issuance based on the lack of a certain indicator
- when a server application is presented with a service ticket from a client, it can verify that this ticket contains the intended authentication indicators before authorizing access from the client.

Add support to validate the presence of a specific (set of) authentication indicator(s) in pam_sss_gss when validating a user's TGT. This concept can be used to only allow access to a PAM service when the user is in possession of a ticket obtained using some of the pre-authentication mechanisms that require multiple factors: smart-cards (PKINIT), 2FA tokens (otp/radius), etc.

Resolves: https://github.com/SSSD/sssd/issues/5482

Signed-off-by: Alexander Bokovoy
---
 src/confdb/confdb.c                  | 13 ++
 src/confdb/confdb.h                  | 3 +
 src/config/SSSDConfig/sssdoptions.py | 2 +
 src/config/SSSDConfigTest.py         | 6 +-
 src/config/cfg_rules.ini             | 3 +
 src/config/etc/sssd.api.conf         | 2 +
 src/db/sysdb_subdomains.c            | 11 ++
 src/man/pam_sss_gss.8.xml            | 13 ++
 src/man/sssd.conf.5.xml              | 59 +++
 src/responder/pam/pamsrv.c           | 21 +++
 src/responder/pam/pamsrv.h           | 2 +
 src/responder/pam/pamsrv_gssapi.c    | 235 +++
 12 files changed, 368 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index befcfff2db..cca76159bc 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1603,6 +1603,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, } } +tmp = ldb_msg_find_attr_as_string(res->msgs[0], + CONFDB_PAM_GSSAPI_INDICATORS_MAP, + NULL); +if (tmp != NULL && tmp[0] != '\0') { +ret = split_on_separator(domain, tmp, ',', true, true, + >gssapi_indicators_map, NULL); +if (ret != 0) { +DEBUG(SSSDBG_FATAL_FAILURE, + "Cannot parse %s\n", CONFDB_PAM_GSSAPI_INDICATORS_MAP); +goto done; +} +} + domain->has_views = false; domain->view_name = NULL; diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 036f9ecadf..a2be227ddd 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -146,6 +146,7 @@ #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme" #define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services" #define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn" +#define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map" /* SUDO */ #define CONFDB_SUDO_CONF_ENTRY "config/sudo" @@ -437,6 +438,8 @@ struct sss_domain_info { /* List of PAM services that are allowed to authenticate with GSSAPI. */ char **gssapi_services; char *gssapi_check_upn; /* true | false | NULL */ +/* List of indicators associated with the specific PAM service */ +char **gssapi_indicators_map; }; /** diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py index fb9a9aa43c..5d9946ba8f 100644 --- a/src/config/SSSDConfig/sssdoptions.py +++ b/src/config/SSSDConfig/sssdoptions.py 
@@ -106,6 +106,8 @@ def __init__(self): 'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'), 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'), 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'), +'pam_gssapi_indicators_map' : _('List of pairs : that ' +'must be enforced for PAM access with GSSAPI authentication'), # [sudo] 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 6a95e63dd1..04c4b35baa 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -655,7 +655,8 @@ def testListOptions(self): 'cached_auth
[SSSD] [sssd PR#5494][synchronized] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Author: abbra
Title: #5494: pam_sss_gss: support authentication indicators
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5494/head:pr5494
git checkout pr5494

From 227ffb3c6d205048a905a1523bb4961767542476 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 5 Feb 2021 20:36:27 +0200
Subject: [PATCH] pam_sss_gss: support authentication indicators

MIT Kerberos allows associating authentication indicators with the issued ticket based on how the TGT was obtained. The indicators present in the TGT are then copied to service tickets.

There are two ways to check the authentication indicators:

- when the KDC issues a service ticket, a policy on the KDC side can reject the ticket issuance based on the lack of a certain indicator
- when a server application is presented with a service ticket from a client, it can verify that this ticket contains the intended authentication indicators before authorizing access from the client.

Add support to validate the presence of a specific (set of) authentication indicator(s) in pam_sss_gss when validating a user's TGT. This concept can be used to only allow access to a PAM service when the user is in possession of a ticket obtained using some of the pre-authentication mechanisms that require multiple factors: smart-cards (PKINIT), 2FA tokens (otp/radius), etc.

Resolves: https://github.com/SSSD/sssd/issues/5482

Signed-off-by: Alexander Bokovoy
---
 src/confdb/confdb.c                  | 13 ++
 src/confdb/confdb.h                  | 3 +
 src/config/SSSDConfig/sssdoptions.py | 2 +
 src/config/SSSDConfigTest.py         | 6 +-
 src/config/cfg_rules.ini             | 3 +
 src/config/etc/sssd.api.conf         | 2 +
 src/db/sysdb_subdomains.c            | 11 ++
 src/man/pam_sss_gss.8.xml            | 13 ++
 src/man/sssd.conf.5.xml              | 59 +++
 src/responder/pam/pamsrv.c           | 21 +++
 src/responder/pam/pamsrv.h           | 2 +
 src/responder/pam/pamsrv_gssapi.c    | 235 +++
 12 files changed, 368 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index befcfff2db..cca76159bc 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1603,6 +1603,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, } } +tmp = ldb_msg_find_attr_as_string(res->msgs[0], + CONFDB_PAM_GSSAPI_INDICATORS_MAP, + NULL); +if (tmp != NULL && tmp[0] != '\0') { +ret = split_on_separator(domain, tmp, ',', true, true, + >gssapi_indicators_map, NULL); +if (ret != 0) { +DEBUG(SSSDBG_FATAL_FAILURE, + "Cannot parse %s\n", CONFDB_PAM_GSSAPI_INDICATORS_MAP); +goto done; +} +} + domain->has_views = false; domain->view_name = NULL; diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 036f9ecadf..a2be227ddd 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -146,6 +146,7 @@ #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme" #define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services" #define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn" +#define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map" /* SUDO */ #define CONFDB_SUDO_CONF_ENTRY "config/sudo" @@ -437,6 +438,8 @@ struct sss_domain_info { /* List of PAM services that are allowed to authenticate with GSSAPI. */ char **gssapi_services; char *gssapi_check_upn; /* true | false | NULL */ +/* List of indicators associated with the specific PAM service */ +char **gssapi_indicators_map; }; /** diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py index fb9a9aa43c..5d9946ba8f 100644 --- a/src/config/SSSDConfig/sssdoptions.py +++ b/src/config/SSSDConfig/sssdoptions.py 
@@ -106,6 +106,8 @@ def __init__(self): 'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'), 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'), 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'), +'pam_gssapi_indicators_map' : _('List of pairs : that ' +'must be enforced for PAM access with GSSAPI authentication'), # [sudo] 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 6a95e63dd1..04c4b35baa 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -655,7 +655,8 @@ def testListOptions(self): 'cached_auth_timeout', 'auto_private
[SSSD] [sssd PR#5494][synchronized] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Author: abbra
Title: #5494: pam_sss_gss: support authentication indicators
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5494/head:pr5494
git checkout pr5494

From f205957f777c5b1bff779e742e4dc9134052d7ce Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 5 Feb 2021 20:36:27 +0200
Subject: [PATCH] pam_sss_gss: support authentication indicators

MIT Kerberos allows associating authentication indicators with the issued ticket based on how the TGT was obtained. The indicators present in the TGT are then copied to service tickets.

There are two ways to check the authentication indicators:

- when the KDC issues a service ticket, a policy on the KDC side can reject the ticket issuance based on the lack of a certain indicator
- when a server application is presented with a service ticket from a client, it can verify that this ticket contains the intended authentication indicators before authorizing access from the client.

Add support to validate the presence of a specific (set of) authentication indicator(s) in pam_sss_gss when validating a user's TGT. This concept can be used to only allow access to a PAM service when the user is in possession of a ticket obtained using some of the pre-authentication mechanisms that require multiple factors: smart-cards (PKINIT), 2FA tokens (otp/radius), etc.

Resolves: https://github.com/SSSD/sssd/issues/5482

Signed-off-by: Alexander Bokovoy
---
 src/confdb/confdb.c                  | 13 ++
 src/confdb/confdb.h                  | 3 +
 src/config/SSSDConfig/sssdoptions.py | 2 +
 src/config/SSSDConfigTest.py         | 6 +-
 src/config/cfg_rules.ini             | 3 +
 src/config/etc/sssd.api.conf         | 2 +
 src/db/sysdb_subdomains.c            | 11 ++
 src/man/pam_sss_gss.8.xml            | 13 ++
 src/man/sssd.conf.5.xml              | 59 +++
 src/responder/pam/pamsrv_gssapi.c    | 228 +++
 10 files changed, 338 insertions(+), 2 deletions(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index befcfff2db..4f00034044 100644
--- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1603,6 +1603,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, } } +tmp = ldb_msg_find_attr_as_string(res->msgs[0], + CONFDB_PAM_GSSAPI_INDICATORS_MAP, + NULL); +if (tmp != NULL) { +ret = split_on_separator(domain, tmp, ',', true, true, + >gssapi_indicators_map, NULL); +if (ret != 0) { +DEBUG(SSSDBG_FATAL_FAILURE, + "Cannot parse %s\n", CONFDB_PAM_GSSAPI_INDICATORS_MAP); +goto done; +} +} + domain->has_views = false; domain->view_name = NULL; diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 036f9ecadf..a2be227ddd 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -146,6 +146,7 @@ #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme" #define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services" #define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn" +#define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map" /* SUDO */ #define CONFDB_SUDO_CONF_ENTRY "config/sudo" @@ -437,6 +438,8 @@ struct sss_domain_info { /* List of PAM services that are allowed to authenticate with GSSAPI. */ char **gssapi_services; char *gssapi_check_upn; /* true | false | NULL */ +/* List of indicators associated with the specific PAM service */ +char **gssapi_indicators_map; }; /** diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py index fb9a9aa43c..5d9946ba8f 100644 --- a/src/config/SSSDConfig/sssdoptions.py +++ b/src/config/SSSDConfig/sssdoptions.py 
@@ -106,6 +106,8 @@ def __init__(self): 'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'), 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'), 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'), +'pam_gssapi_indicators_map' : _('List of pairs : that ' +'must be enforced for PAM access with GSSAPI authentication'), # [sudo] 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 6a95e63dd1..04c4b35baa 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -655,7 +655,8 @@ def testListOptions(self): 'cached_auth_timeout', 'auto_private_groups', 'pam_gssapi_services', -'pam_gssapi_check_upn'] +'pam_gssapi_check_up
[SSSD] [sssd PR#5494][comment] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Title: #5494: pam_sss_gss: support authentication indicators

abbra commented:
"""
Thanks, @frozencemetery, I updated the code according to the suggestions. I also decided to unify a bit the man page example language -- I do talk about x.509-based certificates when describing authentication indicators in `sssd.conf(5)` right before the example where it is stated that these certificates can be stored in files or on smart cards.
"""
See the full comment at https://github.com/SSSD/sssd/pull/5494#issuecomment-775385675

___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
[SSSD] [sssd PR#5494][synchronized] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Author: abbra
Title: #5494: pam_sss_gss: support authentication indicators
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5494/head:pr5494
git checkout pr5494

From f81a3718e04076dd40eb9b206b34d19f59d6e54e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 5 Feb 2021 20:36:27 +0200
Subject: [PATCH] pam_sss_gss: support authentication indicators

MIT Kerberos allows associating authentication indicators with the issued ticket based on how the TGT was obtained. The indicators present in the TGT are then copied to service tickets.

There are two ways to check the authentication indicators:

- when the KDC issues a service ticket, a policy on the KDC side can reject the ticket issuance based on the lack of a certain indicator
- when a server application is presented with a service ticket from a client, it can verify that this ticket contains the intended authentication indicators before authorizing access from the client.

Add support to validate the presence of a specific (set of) authentication indicator(s) in pam_sss_gss when validating a user's TGT. This concept can be used to only allow access to a PAM service when the user is in possession of a ticket obtained using some of the pre-authentication mechanisms that require multiple factors: smart-cards (PKINIT), 2FA tokens (otp/radius), etc.

Resolves: https://github.com/SSSD/sssd/issues/5482

Signed-off-by: Alexander Bokovoy
---
 src/confdb/confdb.c                  | 13 ++
 src/confdb/confdb.h                  | 3 +
 src/config/SSSDConfig/sssdoptions.py | 2 +
 src/config/SSSDConfigTest.py         | 6 +-
 src/config/cfg_rules.ini             | 3 +
 src/config/etc/sssd.api.conf         | 2 +
 src/db/sysdb_subdomains.c            | 11 ++
 src/man/pam_sss_gss.8.xml            | 13 ++
 src/man/sssd.conf.5.xml              | 53 +++
 src/responder/pam/pamsrv_gssapi.c    | 214 +++
 10 files changed, 318 insertions(+), 2 deletions(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index befcfff2db..4f00034044 100644
--- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1603,6 +1603,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, } } +tmp = ldb_msg_find_attr_as_string(res->msgs[0], + CONFDB_PAM_GSSAPI_INDICATORS_MAP, + NULL); +if (tmp != NULL) { +ret = split_on_separator(domain, tmp, ',', true, true, + >gssapi_indicators_map, NULL); +if (ret != 0) { +DEBUG(SSSDBG_FATAL_FAILURE, + "Cannot parse %s\n", CONFDB_PAM_GSSAPI_INDICATORS_MAP); +goto done; +} +} + domain->has_views = false; domain->view_name = NULL; diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 036f9ecadf..a2be227ddd 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -146,6 +146,7 @@ #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme" #define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services" #define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn" +#define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map" /* SUDO */ #define CONFDB_SUDO_CONF_ENTRY "config/sudo" @@ -437,6 +438,8 @@ struct sss_domain_info { /* List of PAM services that are allowed to authenticate with GSSAPI. */ char **gssapi_services; char *gssapi_check_upn; /* true | false | NULL */ +/* List of indicators associated with the specific PAM service */ +char **gssapi_indicators_map; }; /** diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py index fb9a9aa43c..5d9946ba8f 100644 --- a/src/config/SSSDConfig/sssdoptions.py +++ b/src/config/SSSDConfig/sssdoptions.py 
@@ -106,6 +106,8 @@ def __init__(self): 'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'), 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'), 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'), +'pam_gssapi_indicators_map' : _('List of pairs : that ' +'must be enforced for PAM access with GSSAPI authentication'), # [sudo] 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 6a95e63dd1..04c4b35baa 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -655,7 +655,8 @@ def testListOptions(self): 'cached_auth_timeout', 'auto_private_groups', 'pam_gssapi_services', -'pam_gssapi_check_upn'] +'pam_gssapi_check_up
[SSSD] [sssd PR#5494][comment] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Title: #5494: pam_sss_gss: support authentication indicators

abbra commented:
"""
It now works for me. Here is a test on Fedora 33:
```
[admin@master ~]$ export KRB5CCNAME=/tmp/admin.cc
[admin@master ~]$ sudo -l
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 116980
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: ad...@ipa.test
pam_sss_gss: User domain: ipa.test
pam_sss_gss: User principal:
pam_sss_gss: Target name: h...@master.ipa.test
pam_sss_gss: Using ccache: /tmp/admin.cc
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Switching euid from 116980 to 0
pam_sss_gss: Authentication successful
Matching Defaults entries for admin on master:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/var/lib/snapd/snap/bin

User admin may run the following commands on master:
    (root) ALL
[admin@master ~]$ logout
[root@master ~]# grep pam_gssapi /etc/sssd/sssd.conf
pam_gssapi_services = sudo, sudo-i
pam_gssapi_indicators_map = hardened, sudo:pkinit, sudo-i:otp
[root@master ~]# fgrep gssapi_ /var/log/sssd/sssd_pam.log |tail -10
(2021-02-08 17:18:50): [pam] [pam_cmd_gssapi_init_done] (0x0400): Trying GSSAPI auth: User[ad...@ipa.test], Domain[ipa.test], UPN[], Target[h...@master.ipa.test]
(2021-02-08 17:18:50): [pam] [pam_cmd_gssapi_init_done] (0x0400): Returning [0]: Success
(2021-02-08 17:18:50): [pam] [gssapi_handshake] (0x0400): Security context established with [ad...@ipa.test]
(2021-02-08 17:18:50): [pam] [gssapi_get_indicators] (0x0400): attribute's [auth-indicators] value [hardened] authenticated
(2021-02-08 17:18:50): [pam] [gssapi_get_indicators] (0x0400): authentication indicators: [hardened]
(2021-02-08 17:18:50): [pam] [pam_gssapi_check_indicators] (0x0400): indicator [hardened] is allowed for PAM service [sudo]
(2021-02-08 17:18:50): [pam] [pam_cmd_gssapi_sec_ctx] (0x0400): Check if acquired service ticket has req. indicators: 0
(2021-02-08 17:18:50): [pam] [pam_cmd_gssapi_sec_ctx] (0x0400): Checking that target user matches UPN
(2021-02-08 17:18:50): [pam] [pam_cmd_gssapi_sec_ctx_done] (0x0400): User [ad...@ipa.test] match UPN [ad...@ipa.test]. Authentication was successful.
(2021-02-08 17:18:50): [pam] [pam_cmd_gssapi_sec_ctx_done] (0x0400): Returning [0]: Success
```
"""
See the full comment at https://github.com/SSSD/sssd/pull/5494#issuecomment-775308547
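The decision the log above records (`indicator [hardened] is allowed for PAM service [sudo]`), as an added stand-alone model in C. This is not code from the SSSD patch or from the PR author; the function names `ind_map_parse` and `ind_map_allows` are hypothetical, and the semantics are assumptions drawn from the thread rather than from the patch: an entry `service:indicator` applies to that PAM service only, a bare `indicator` applies to every service, a service with no entry is unrestricted, and a ticket passes when at least one of its indicators is in the service's allowed set. The sample setting is the one from the `sssd.conf` grep above; the ticket indicator lists are constructed.

```c
/* Added example, not SSSD code: a stand-alone model of the policy that
 * pam_gssapi_indicators_map expresses. Function names are hypothetical. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define IND_MAX_ENTRIES 32
#define IND_MAX_LEN 64

/* One entry; an empty service means the indicator applies to every
 * PAM service (assumed from "hardened, sudo:pkinit, sudo-i:otp"). */
struct ind_entry {
    char service[IND_MAX_LEN];
    char indicator[IND_MAX_LEN];
};

struct ind_map {
    struct ind_entry e[IND_MAX_ENTRIES];
    size_t n;
};

/* Copy s[0..len) into dst with surrounding blanks trimmed; false if the
 * field is empty or does not fit. */
static bool copy_trimmed(char *dst, size_t dstlen, const char *s, size_t len)
{
    while (len > 0 && isspace((unsigned char)s[0])) { s++; len--; }
    while (len > 0 && isspace((unsigned char)s[len - 1])) { len--; }
    if (len == 0 || len >= dstlen) return false;
    memcpy(dst, s, len);
    dst[len] = '\0';
    return true;
}

/* Parse the option value. Returns 0 on success, -1 on any malformed entry
 * (empty field, "svc:" without an indicator, too many entries), so a typo
 * in an access policy fails closed rather than silently loosening it.
 * NULL or "" yields an empty map, like the tmp[0] != '\0' guard. */
int ind_map_parse(const char *value, struct ind_map *map)
{
    const char *p = value;

    map->n = 0;
    if (value == NULL || value[0] == '\0') return 0;

    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma != NULL ? (size_t)(comma - p) : strlen(p);
        const char *colon = memchr(p, ':', len);
        struct ind_entry *ent;

        if (map->n >= IND_MAX_ENTRIES) return -1;
        ent = &map->e[map->n];
        if (colon != NULL) {
            size_t svc_len = (size_t)(colon - p);
            if (!copy_trimmed(ent->service, IND_MAX_LEN, p, svc_len) ||
                !copy_trimmed(ent->indicator, IND_MAX_LEN, colon + 1,
                              len - svc_len - 1))
                return -1;
        } else {
            ent->service[0] = '\0';
            if (!copy_trimmed(ent->indicator, IND_MAX_LEN, p, len)) return -1;
        }
        map->n++;
        if (comma == NULL) break;
        p = comma + 1;
    }
    return 0;
}

/* Decide whether a ticket carrying ticket_inds may use the PAM service:
 * a service with no matching entry is unrestricted; otherwise at least one
 * ticket indicator must be in its allowed set (assumed semantics). */
bool ind_map_allows(const struct ind_map *map, const char *service,
                    const char *const *ticket_inds, size_t n_ticket)
{
    bool restricted = false;

    for (size_t i = 0; i < map->n; i++) {
        const struct ind_entry *ent = &map->e[i];

        if (ent->service[0] != '\0' && strcmp(ent->service, service) != 0)
            continue; /* entry belongs to another service */
        restricted = true;
        for (size_t j = 0; j < n_ticket; j++)
            if (strcmp(ent->indicator, ticket_inds[j]) == 0) return true;
    }
    return !restricted;
}

int main(void)
{
    struct ind_map map;
    const char *hardened[] = { "hardened" }; /* constructed ticket indicators */
    const char *pkinit[] = { "pkinit" };

    /* Same setting as the sssd.conf grep in the comment above. */
    if (ind_map_parse("hardened, sudo:pkinit, sudo-i:otp", &map) != 0) return 1;
    printf("sudo   [hardened]: %s\n", ind_map_allows(&map, "sudo", hardened, 1) ? "allowed" : "denied");
    printf("sudo-i [pkinit]:   %s\n", ind_map_allows(&map, "sudo-i", pkinit, 1) ? "allowed" : "denied");
    printf("sudo   []:         %s\n", ind_map_allows(&map, "sudo", NULL, 0) ? "allowed" : "denied");
    return 0;
}
```

Two consequences of these assumed semantics are worth checking against the real man page before relying on them: a bare indicator such as `hardened` makes every PAM service restricted, so a service that previously had no entry stops accepting tickets without indicators; and a ticket with no indicators at all (a plain password-obtained TGT) is denied for any restricted service, which is the point of the feature.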
[SSSD] [sssd PR#5494][synchronized] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Author: abbra
Title: #5494: pam_sss_gss: support authentication indicators
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5494/head:pr5494
git checkout pr5494

From 49c3ce894d3cd725e97c3bb2f1006dc7a471ad44 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 5 Feb 2021 20:36:27 +0200
Subject: [PATCH] pam_sss_gss: support authentication indicators

MIT Kerberos allows associating authentication indicators with the issued ticket based on how the TGT was obtained. The indicators present in the TGT are then copied to service tickets.

There are two ways to check the authentication indicators:

- when the KDC issues a service ticket, a policy on the KDC side can reject the ticket issuance based on the lack of a certain indicator
- when a server application is presented with a service ticket from a client, it can verify that this ticket contains the intended authentication indicators before authorizing access from the client.

Add support to validate the presence of a specific (set of) authentication indicator(s) in pam_sss_gss when validating a user's TGT. This concept can be used to only allow access to a PAM service when the user is in possession of a ticket obtained using some of the pre-authentication mechanisms that require multiple factors: smart-cards (PKINIT), 2FA tokens (otp/radius), etc.

Resolves: https://github.com/SSSD/sssd/issues/5482

Signed-off-by: Alexander Bokovoy
---
 src/confdb/confdb.c                  | 13 ++
 src/confdb/confdb.h                  | 3 +
 src/config/SSSDConfig/sssdoptions.py | 2 +
 src/config/SSSDConfigTest.py         | 6 +-
 src/config/cfg_rules.ini             | 3 +
 src/config/etc/sssd.api.conf         | 2 +
 src/db/sysdb_subdomains.c            | 11 ++
 src/man/pam_sss_gss.8.xml            | 6 +
 src/man/sssd.conf.5.xml              | 44 ++
 src/responder/pam/pamsrv_gssapi.c    | 218 +++
 10 files changed, 306 insertions(+), 2 deletions(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index befcfff2db..4f00034044 100644
--- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1603,6 +1603,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, } } +tmp = ldb_msg_find_attr_as_string(res->msgs[0], + CONFDB_PAM_GSSAPI_INDICATORS_MAP, + NULL); +if (tmp != NULL) { +ret = split_on_separator(domain, tmp, ',', true, true, + >gssapi_indicators_map, NULL); +if (ret != 0) { +DEBUG(SSSDBG_FATAL_FAILURE, + "Cannot parse %s\n", CONFDB_PAM_GSSAPI_INDICATORS_MAP); +goto done; +} +} + domain->has_views = false; domain->view_name = NULL; diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 036f9ecadf..a2be227ddd 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -146,6 +146,7 @@ #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme" #define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services" #define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn" +#define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map" /* SUDO */ #define CONFDB_SUDO_CONF_ENTRY "config/sudo" @@ -437,6 +438,8 @@ struct sss_domain_info { /* List of PAM services that are allowed to authenticate with GSSAPI. */ char **gssapi_services; char *gssapi_check_upn; /* true | false | NULL */ +/* List of indicators associated with the specific PAM service */ +char **gssapi_indicators_map; }; /** diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py index fb9a9aa43c..5d9946ba8f 100644 --- a/src/config/SSSDConfig/sssdoptions.py +++ b/src/config/SSSDConfig/sssdoptions.py 
@@ -106,6 +106,8 @@ def __init__(self): 'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'), 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'), 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'), +'pam_gssapi_indicators_map' : _('List of pairs : that ' +'must be enforced for PAM access with GSSAPI authentication'), # [sudo] 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 6a95e63dd1..04c4b35baa 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -655,7 +655,8 @@ def testListOptions(self): 'cached_auth_timeout', 'auto_private_groups', 'pam_gssapi_services', -'pam_gssapi_check_upn'] +'pam_gssapi_check_upn', +
[SSSD] [sssd PR#5494][synchronized] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Author: abbra
Title: #5494: pam_sss_gss: support authentication indicators
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5494/head:pr5494
git checkout pr5494

From ac0b67bb0e9a5489f9cde36cf24fc44fc3889d2d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 5 Feb 2021 20:36:27 +0200
Subject: [PATCH] pam_sss_gss: support authentication indicators

MIT Kerberos allows associating authentication indicators with the issued ticket based on how the TGT was obtained. The indicators present in the TGT are then copied to service tickets.

There are two ways to check the authentication indicators:

- when the KDC issues a service ticket, a policy on the KDC side can reject the ticket issuance based on the lack of a certain indicator
- when a server application is presented with a service ticket from a client, it can verify that this ticket contains the intended authentication indicators before authorizing access from the client.

Add support to validate the presence of a specific (set of) authentication indicator(s) in pam_sss_gss when validating a user's TGT. This concept can be used to only allow access to a PAM service when the user is in possession of a ticket obtained using some of the pre-authentication mechanisms that require multiple factors: smart-cards (PKINIT), 2FA tokens (otp/radius), etc.

Resolves: https://github.com/SSSD/sssd/issues/5482

Signed-off-by: Alexander Bokovoy
---
 src/confdb/confdb.c                  | 13 ++
 src/confdb/confdb.h                  | 3 +
 src/config/SSSDConfig/sssdoptions.py | 2 +
 src/config/SSSDConfigTest.py         | 6 +-
 src/config/cfg_rules.ini             | 3 +
 src/config/etc/sssd.api.conf         | 2 +
 src/db/sysdb_subdomains.c            | 11 ++
 src/man/pam_sss_gss.8.xml            | 6 +
 src/man/sssd.conf.5.xml              | 44 +++
 src/responder/pam/pamsrv_gssapi.c    | 170 +++
 10 files changed, 258 insertions(+), 2 deletions(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index befcfff2db..4f00034044 100644
--- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1603,6 +1603,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, } } +tmp = ldb_msg_find_attr_as_string(res->msgs[0], + CONFDB_PAM_GSSAPI_INDICATORS_MAP, + NULL); +if (tmp != NULL) { +ret = split_on_separator(domain, tmp, ',', true, true, + >gssapi_indicators_map, NULL); +if (ret != 0) { +DEBUG(SSSDBG_FATAL_FAILURE, + "Cannot parse %s\n", CONFDB_PAM_GSSAPI_INDICATORS_MAP); +goto done; +} +} + domain->has_views = false; domain->view_name = NULL; diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 036f9ecadf..a2be227ddd 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -146,6 +146,7 @@ #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme" #define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services" #define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn" +#define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map" /* SUDO */ #define CONFDB_SUDO_CONF_ENTRY "config/sudo" @@ -437,6 +438,8 @@ struct sss_domain_info { /* List of PAM services that are allowed to authenticate with GSSAPI. */ char **gssapi_services; char *gssapi_check_upn; /* true | false | NULL */ +/* List of indicators associated with the specific PAM service */ +char **gssapi_indicators_map; }; /** diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py index fb9a9aa43c..5d9946ba8f 100644 --- a/src/config/SSSDConfig/sssdoptions.py +++ b/src/config/SSSDConfig/sssdoptions.py 
@@ -106,6 +106,8 @@ def __init__(self): 'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'), 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'), 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'), +'pam_gssapi_indicators_map' : _('List of pairs : that ' +'must be enforced for PAM access with GSSAPI authentication'), # [sudo] 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 6a95e63dd1..04c4b35baa 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -655,7 +655,8 @@ def testListOptions(self): 'cached_auth_timeout', 'auto_private_groups', 'pam_gssapi_services', -'pam_gssapi_check_upn'] +'pam_gssapi_check_upn', +
[SSSD] [sssd PR#5494][comment] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Title: #5494: pam_sss_gss: support authentication indicators

abbra commented:
"""
This is a draft implementation of https://github.com/SSSD/sssd/issues/5482. I haven't tested it yet myself.
"""
See the full comment at https://github.com/SSSD/sssd/pull/5494#issuecomment-774269929
[SSSD] [sssd PR#5494][opened] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494 Author: abbra Title: #5494: pam_sss_gss: support authentication indicators Action: opened PR body: """ MIT Kerberos allows associating authentication indicators with the issued ticket based on the way the TGT was obtained. The indicators present in the TGT are then copied to service tickets. There are two ways to check the authentication indicators:
- when the KDC issues a service ticket, a policy on the KDC side can reject the ticket issuance based on the lack of a certain indicator
- when a server application is presented with a service ticket from a client, it can verify that this ticket contains the intended authentication indicators before authorizing access from the client.
Add support to validate the presence of a specific (set of) authentication indicator(s) in pam_sss_gss when validating a user's TGT. This concept can be used to only allow access to a PAM service when the user is in possession of a ticket obtained using some of the pre-authentication mechanisms that require multiple factors: smart-cards (PKINIT), 2FA tokens (otp/radius), etc. Resolves: https://github.com/SSSD/sssd/issues/5482 Signed-off-by: Alexander Bokovoy """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5494/head:pr5494 git checkout pr5494 From a2185e7e100fc7ca8792f538cb5aa8cc08e7dc74 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy Date: Fri, 5 Feb 2021 20:36:27 +0200 Subject: [PATCH] pam_sss_gss: support authentication indicators MIT Kerberos allows associating authentication indicators with the issued ticket based on the way the TGT was obtained. The indicators present in the TGT are then copied to service tickets. There are two ways to check the authentication indicators:
- when the KDC issues a service ticket, a policy on the KDC side can reject the ticket issuance based on the lack of a certain indicator
- when a server application is presented with a service ticket from a client, it can verify that this ticket contains the intended authentication indicators before authorizing access from the client.
Add support to validate the presence of a specific (set of) authentication indicator(s) in pam_sss_gss when validating a user's TGT. This concept can be used to only allow access to a PAM service when the user is in possession of a ticket obtained using some of the pre-authentication mechanisms that require multiple factors: smart-cards (PKINIT), 2FA tokens (otp/radius), etc. Resolves: https://github.com/SSSD/sssd/issues/5482 Signed-off-by: Alexander Bokovoy --- src/confdb/confdb.c | 13 +++ src/confdb/confdb.h | 3 + src/man/pam_sss_gss.8.xml | 6 ++ src/man/sssd.conf.5.xml | 44 src/responder/pam/pamsrv_gssapi.c | 170 ++ 5 files changed, 236 insertions(+) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index befcfff2db..4f00034044 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1603,6 +1603,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, } } +tmp = ldb_msg_find_attr_as_string(res->msgs[0], + CONFDB_PAM_GSSAPI_INDICATORS_MAP, + NULL); +if (tmp != NULL) { +ret = split_on_separator(domain, tmp, ',', true, true, + >gssapi_indicators_map, NULL); +if (ret != 0) { +DEBUG(SSSDBG_FATAL_FAILURE, + "Cannot parse %s\n", CONFDB_PAM_GSSAPI_INDICATORS_MAP); +goto done; +} +} + domain->has_views = false; domain->view_name = NULL; 
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 036f9ecadf..a2be227ddd 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -146,6 +146,7 @@ #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme" #define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services" #define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn" +#define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map" /* SUDO */ #define CONFDB_SUDO_CONF_ENTRY "config/sudo" @@ -437,6 +438,8 @@ struct sss_domain_info { /* List of PAM services that are allowed to authenticate with GSSAPI. */ char **gssapi_services; char *gssapi_check_upn; /* true | false | NULL */ +/* List of indicators associated with the specific PAM service */ +char **gssapi_indicators_map; }; /** diff --git a/src/man/pam_sss_gss.8.xml b/src/man/pam_sss_gss.8.xml index ce5b11bff0..da89d27e02 100644 --- a/src/man/pam_sss_gss.8.xml +++ b/src/man/pam_sss_gss.8.xml @@ -70,6 +70,12 @@ 5 for more details on these options. + +Some Kerberos deployments allow to assocate authentication indicators with a particular pre-authentication method used
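Review bot: typo in the new pam_sss_gss.8.xml paragraph: `assocate` should be `associate` (and "allow to assocate" reads better as "allow associating"); man page text is user-visible, so worth fixing before merge.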
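The PR body above describes the second way of checking authentication indicators: the application receiving a service ticket verifies that the ticket carries the indicators it expects before authorizing access. The following is an added example, not SSSD's code and not the implementation in this PR, of how such a per-service policy can be parsed and evaluated. It assumes the option value is a comma-separated list of `service:indicator[:indicator...]` elements, that a mapped service is allowed when the ticket carries at least one of its listed indicators, and that services absent from the map are unrestricted; the function names, the sample configuration value and the indicator arrays are all constructed for the example. A real implementation would obtain the ticket's indicators from the established GSSAPI context instead of a fixed array.

```c
/* Added example (not SSSD code): per-PAM-service authentication indicator policy.
 * Assumed value format: "service:indicator[:indicator...]" elements separated by
 * commas; a mapped service needs at least one listed indicator; unmapped services
 * are unrestricted.  Function names are hypothetical. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_RULES      32
#define MAX_INDICATORS  8

struct indicator_rule {
    char service[64];
    char indicators[MAX_INDICATORS][32];
    int  n_indicators;
};

struct indicator_map {
    struct indicator_rule rules[MAX_RULES];
    int n_rules;
};

/* Copy [start,end) into dst with surrounding whitespace removed; an empty token fails. */
static bool copy_trimmed(char *dst, size_t dstlen, const char *start, const char *end)
{
    while (start < end && isspace((unsigned char)*start)) start++;
    while (end > start && isspace((unsigned char)end[-1])) end--;
    size_t len = (size_t)(end - start);
    if (len == 0 || len >= dstlen) return false;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return true;
}

/* Parse the configuration value.  Any malformed element invalidates the whole value
 * so the caller can refuse to load the configuration rather than enforce a mistyped
 * policy (fail closed).  Empty elements, e.g. from a trailing comma, are skipped. */
bool parse_indicators_map(const char *value, struct indicator_map *map)
{
    map->n_rules = 0;
    if (value == NULL) return true;                    /* option unset: empty map */
    const char *p = value;
    for (;;) {
        const char *comma = strchr(p, ',');
        const char *end = comma ? comma : p + strlen(p);
        char element[256];
        if (copy_trimmed(element, sizeof element, p, end)) {
            if (map->n_rules == MAX_RULES) return false;
            struct indicator_rule *r = &map->rules[map->n_rules];
            r->n_indicators = 0;
            char *colon = strchr(element, ':');
            if (colon == NULL) return false;           /* not a service:indicator pair */
            if (!copy_trimmed(r->service, sizeof r->service, element, colon)) return false;
            for (char *tok = colon + 1; tok != NULL; ) {
                char *next = strchr(tok, ':');
                const char *tok_end = next ? next : tok + strlen(tok);
                if (r->n_indicators == MAX_INDICATORS) return false;
                if (!copy_trimmed(r->indicators[r->n_indicators],
                                  sizeof r->indicators[0], tok, tok_end))
                    return false;                      /* empty indicator name */
                r->n_indicators++;
                tok = next ? next + 1 : NULL;
            }
            map->n_rules++;
        }
        if (comma == NULL) break;
        p = comma + 1;
    }
    return true;
}

/* May a ticket carrying ticket_inds (NULL-terminated indicator strings) be used
 * for this PAM service?  Any one listed indicator satisfies a mapped service. */
bool indicators_allow(const struct indicator_map *map, const char *service,
                      const char *const *ticket_inds)
{
    bool mapped = false;
    for (int i = 0; i < map->n_rules; i++) {
        const struct indicator_rule *r = &map->rules[i];
        if (strcmp(r->service, service) != 0) continue;
        mapped = true;
        for (int j = 0; j < r->n_indicators; j++)
            for (const char *const *t = ticket_inds; t != NULL && *t != NULL; t++)
                if (strcmp(r->indicators[j], *t) == 0) return true;
    }
    return !mapped;                                    /* unmapped: no requirement */
}

/* Parse and evaluate in one step; an unparsable map denies. */
bool check_access(const char *cfg, const char *service, const char *const *ticket_inds)
{
    struct indicator_map map;
    if (!parse_indicators_map(cfg, &map)) return false;
    return indicators_allow(&map, service, ticket_inds);
}

/* Constructed indicator sets, as different pre-authentication methods would leave them. */
static const char *const IND_NONE[]   = { NULL };             /* password-obtained TGT */
static const char *const IND_PKINIT[] = { "pkinit", NULL };   /* smart card */
static const char *const IND_OTP[]    = { "otp", NULL };      /* 2FA token */

int main(void)
{
    const char *cfg = "sudo:pkinit, sudo-i:pkinit:otp";       /* constructed value */
    printf("sudo, password TGT: %s\n", check_access(cfg, "sudo", IND_NONE) ? "allow" : "deny");
    printf("sudo, PKINIT TGT:   %s\n", check_access(cfg, "sudo", IND_PKINIT) ? "allow" : "deny");
    printf("sudo-i, OTP TGT:    %s\n", check_access(cfg, "sudo-i", IND_OTP) ? "allow" : "deny");
    printf("malformed map:      %s\n", check_access("sudo", "sudo", IND_PKINIT) ? "allow" : "deny");
    return 0;
}
```

The parse step rejects the whole value on any malformed element, matching the hunk's choice to abort domain loading with `Cannot parse` rather than continue with a partially applied policy; the evaluation step treats a service with no rule as unrestricted, which is the assumption to revisit if the deployment wants every GSSAPI-authenticated service to require an indicator.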
[SSSD] [sssd PR#5484][comment] sudo: do not search by low usn value to improve performance
URL: https://github.com/SSSD/sssd/pull/5484 Title: #5484: sudo: do not search by low usn value to improve performance abbra commented: """ Please fix the commit description: `no we omit` """ See the full comment at https://github.com/SSSD/sssd/pull/5484#issuecomment-769835080
[SSSD] [sssd PR#5476][synchronized] sudo runas: do not add '%' to external groups in IPA
URL: https://github.com/SSSD/sssd/pull/5476 Author: abbra Title: #5476: sudo runas: do not add '%' to external groups in IPA Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5476/head:pr5476 git checkout pr5476 From 3b9ad323d25cf8a20f1beafbe33a4bb37c307ff3 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 25 Jan 2021 15:14:05 +0200 Subject: [PATCH] sudo runas: do not add '%' to external groups in IPA When IPA allows adding AD users and groups directly to sudo rules (FreeIPA 4.9.1 or later), external groups will already have the '%' prefix. Thus, we don't need to add an additional '%'. Fixes: https://github.com/SSSD/sssd/issues/5475 Signed-off-by: Alexander Bokovoy --- src/providers/ipa/ipa_sudo_conversion.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c index cfb41d8b02..1bfee096d0 100644 --- a/src/providers/ipa/ipa_sudo_conversion.c +++ b/src/providers/ipa/ipa_sudo_conversion.c @@ -939,6 +939,12 @@ convert_runasextusergroup(TALLOC_CTX *mem_ctx, const char *value, bool *skip_entry) { +if (value == NULL) +return NULL; + +if (value[0] == '%') +return talloc_strdup(mem_ctx, value); + return talloc_asprintf(mem_ctx, "%%%s", value); }
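Review bot: the new `value == NULL` early return in convert_runasextusergroup() hands back NULL without touching `*skip_entry`, which is indistinguishable for the caller from talloc_asprintf() failing on the normal path; if a missing value is expected input that should be skipped rather than treated as an allocation error, set `*skip_entry = true` on that branch (or note in the commit message that the caller already treats NULL that way).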
[SSSD] [sssd PR#5476][opened] sudo runas: do not add '%' to external groups in IPA
URL: https://github.com/SSSD/sssd/pull/5476 Author: abbra Title: #5476: sudo runas: do not add '%' to external groups in IPA Action: opened PR body: """ When IPA allows adding AD users and groups directly to sudo rules (FreeIPA 4.9.1 or later), external groups will already have the '%' prefix. Thus, we don't need to add an additional '%'. Fixes: https://github.com/SSSD/sssd/issues/5475 Signed-off-by: Alexander Bokovoy """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5476/head:pr5476 git checkout pr5476 From 0544e25469a113b9030d4dfe3aa4471ced5993d3 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 25 Jan 2021 15:14:05 +0200 Subject: [PATCH] sudo runas: do not add '%' to external groups in IPA When IPA allows adding AD users and groups directly to sudo rules (FreeIPA 4.9.1 or later), external groups will already have the '%' prefix. Thus, we don't need to add an additional '%'. Fixes: https://github.com/SSSD/sssd/issues/5475 Signed-off-by: Alexander Bokovoy --- src/providers/ipa/ipa_sudo_conversion.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c index cfb41d8b02..1d5fb99750 100644 --- a/src/providers/ipa/ipa_sudo_conversion.c +++ b/src/providers/ipa/ipa_sudo_conversion.c @@ -939,6 +939,12 @@ convert_runasextusergroup(TALLOC_CTX *mem_ctx, const char *value, bool *skip_entry) { +if (value == NULL) +return NULL; + +if (value[0] == '%') +return value; + return talloc_asprintf(mem_ctx, "%%%s", value); }
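Review bot: the `value[0] == '%'` branch returns `value` itself while the fall-through path returns a fresh allocation on `mem_ctx`, so the caller receives differently owned memory depending on the input; a caller that talloc_free()s or talloc_steal()s the result will misbehave on the pass-through case. Return `talloc_strdup(mem_ctx, value)` there so both paths hand back memory the caller owns.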
[SSSD] [sssd PR#5251][comment] subdomains: allow to inherit case_sensitive=Preserving
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving abbra commented: """ For what it's worth, IPA always lowercases user and group names when storing them in LDAP; there is no way to avoid it. """ See the full comment at https://github.com/SSSD/sssd/pull/5251#issuecomment-762395780
[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication abbra commented: """
> While testing I came across a behavior which can be a bug or a feature and we should decide how to handle and/or document it.
>
> Currently authentication will be successful if you have a TGT in the credential cache which can be used to successfully request a host ticket. This TGT does not have to be associated with the user calling `sudo`. libkrb5 provides `krb5_aname_to_localname` to translate the Kerberos principal to a local user name, SSSD provides the localauth plugin for this but inside of SSSD we can just do a `CACHE_REQ_USER_BY_UPN` to check if the principal relates to the user trying to authenticate.

There are two aspects here. `pam_sss_gss` needs to verify the principal maps properly to a user allowed to authenticate. In ksu it is done with `~/.k5login` or `~/.k5users` in the target user's home directory, e.g. by checking the permission on the target's side. In our case we cannot really do this but all we are verifying here is that the TGT in the entry is issued in the name of the user who we are impersonating here, e.g. the same user. So you are right that it should be the same check as SSSD does. It would not allow mapping other principals to the same user in terms of sudo access (e.g. it would not allow a service principal to impersonate a user over sudo). This would be a notable difference to ksu behavior but perhaps we cannot do anything here. Still, it should be documented in my opinion.

> A related item are ccache types which can handle multiple TGTs. Currently the 'active' TGT is used and if the PAM responder would check if the principal matches the user `pam_sss_gss` should either have a way to select the proper TGT if more than one are available or iterate through the available TGTs (which I guess should be avoided). However, I'm not sure if GSSAPI can do this or if plain libkrb5 calls must be used for this. As an alternative an error message can be shown to the user which can point the user to the `kswitch` utility.

The GSSAPI implementation in MIT Kerberos treats ccache collections as a whole and attempts to pick up the TGT or a service ticket from the ccache closest to the target service realm. It means you don't need to perform anything on the GSSAPI level to pick up a TGT from the ccache with the target realm, but if that one exists, a different ccache will not be considered, unlike the raw Kerberos case where you have to manually choose the active ccache. """ See the full comment at https://github.com/SSSD/sssd/pull/5367#issuecomment-738753037
[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication abbra commented: """ You can pass `ccache` in client creds store you pass to `gss_acquire_cred_from()`. You are already using `keytab` there, passing `ccache` will make use of the ccache. """ See the full comment at https://github.com/SSSD/sssd/pull/5367#issuecomment-734328099
[SSSD] [sssd PR#5300][comment] ad: use parallel cldap ping for site discovery
URL: https://github.com/SSSD/sssd/pull/5300 Title: #5300: ad: use parallel cldap ping for site discovery abbra commented: """ @pbrezina I see linking failures:
```
/usr/bin/ld: /tmp/nss-srv-tests.hGpNig.ltrans0.ltrans.o: in function `__wrap_sss_packet_get_body':
/builddir/build/BUILD/sssd-2.3.2/src/tests/cmocka/test_nss_srv.c:103: undefined reference to `sss_packet_get_body'
/usr/bin/ld: /tmp/nss-srv-tests.hGpNig.ltrans1.ltrans.o: in function `__wrap_sss_cmd_done':
/builddir/build/BUILD/sssd-2.3.2/src/tests/cmocka/test_nss_srv.c:139: undefined reference to `sss_packet_get_body'
/usr/bin/ld: /tmp/nss-srv-tests.hGpNig.ltrans1.ltrans.o: in function `__wrap_sss_ncache_check_user':
/builddir/build/BUILD/sssd-2.3.2/src/tests/cmocka/test_nss_srv.c:170: undefined reference to `sss_ncache_check_user'
/usr/bin/ld: /tmp/nss-srv-tests.hGpNig.ltrans1.ltrans.o: in function `__wrap_sss_ncache_check_upn':
/builddir/build/BUILD/sssd-2.3.2/src/tests/cmocka/test_nss_srv.c:185: undefined reference to `sss_ncache_check_upn'
/usr/bin/ld: /tmp/nss-srv-tests.hGpNig.ltrans1.ltrans.o: in function `__wrap_sss_ncache_check_uid':
/builddir/build/BUILD/sssd-2.3.2/src/tests/cmocka/test_nss_srv.c:200: undefined reference to `sss_ncache_check_uid'
/usr/bin/ld: /tmp/nss-srv-tests.hGpNig.ltrans1.ltrans.o: in function `__wrap_sss_ncache_check_sid':
/builddir/build/BUILD/sssd-2.3.2/src/tests/cmocka/test_nss_srv.c:213: undefined reference to `sss_ncache_check_sid'
/usr/bin/ld: /tmp/nss-srv-tests.hGpNig.ltrans1.ltrans.o: in function `__wrap_sss_ncache_check_cert':
/builddir/build/BUILD/sssd-2.3.2/src/tests/cmocka/test_nss_srv.c:226: undefined reference to `sss_ncache_check_cert'
collect2: error: ld returned 1 exit status
```
""" See the full comment at https://github.com/SSSD/sssd/pull/5300#issuecomment-694177356
[SSSD] [sssd PR#905][comment] Don't ignore host entries in Group Policy security filters
URL: https://github.com/SSSD/sssd/pull/905 Title: #905: Don't ignore host entries in Group Policy security filters abbra commented: """ @dmulder they need to be reviewed by SSSD core team (I'm not the one ;)), so we need a review from @pbrezina and @sumit-bose, at least. """ See the full comment at https://github.com/SSSD/sssd/pull/905#issuecomment-553492150
[SSSD] [sssd PR#905][comment] WIP: Don't ignore host entries in Group Policy security filters
URL: https://github.com/SSSD/sssd/pull/905 Title: #905: WIP: Don't ignore host entries in Group Policy security filters abbra commented: """ Sure, David. See src/lib/idmap/sss_idmap.h for SID-related functions. For accessing `ad_hostname`, you have it already in the `struct ad_gpo_access_state`, prepopulated by the `ad_gpo_access_send()`. """ See the full comment at https://github.com/SSSD/sssd/pull/905#issuecomment-545499635
[SSSD] [sssd PR#905][comment] WIP: Don't ignore host entries in Group Policy security filters
URL: https://github.com/SSSD/sssd/pull/905 Title: #905: WIP: Don't ignore host entries in Group Policy security filters abbra commented: """ A few observations:
- we already have code to translate between string/structure for SIDs, why is there a need for another one?
- maybe you can simplify the code by passing the structure you have instead of doing a conversion?
- please don't use an explicit `gethostname()` to retrieve the name of the machine. Instead, use the SSSD configuration, as `ad_hostname` can be used to redefine your real hostname """ See the full comment at https://github.com/SSSD/sssd/pull/905#issuecomment-543558005
[SSSD] [sssd PR#850][+Accepted] sudo: use proper datetime for default modifyTimestamp value
URL: https://github.com/SSSD/sssd/pull/850 Title: #850: sudo: use proper datetime for default modifyTimestamp value Label: +Accepted
[SSSD] [sssd PR#850][comment] sudo: use proper datetime for default modifyTimestamp value
URL: https://github.com/SSSD/sssd/pull/850 Title: #850: sudo: use proper datetime for default modifyTimestamp value abbra commented: """ Thanks. Please push. """ See the full comment at https://github.com/SSSD/sssd/pull/850#issuecomment-512724413
[SSSD] [sssd PR#850][comment] sudo: use proper datetime for default modifyTimestamp value
URL: https://github.com/SSSD/sssd/pull/850 Title: #850: sudo: use proper datetime for default modifyTimestamp value abbra commented: """ LGTM but could you please add a comment to the commit message about a particular format of the timestamp (the fact that month and day cannot be zeroes, etc). """ See the full comment at https://github.com/SSSD/sssd/pull/850#issuecomment-512194056
[SSSD] [sssd PR#798][comment] ipa: ipa_getkeytab don't call libnss_sss
URL: https://github.com/SSSD/sssd/pull/798 Title: #798: ipa: ipa_getkeytab don't call libnss_sss abbra commented: """ Looks nice to me too. In this environment and execution flow we do not expect to resolve any non-system users because the only user we would need to care about should be the user under which sssd itself is executed (root, in this case, or a non-root system user), which should not be stored in sssd for obvious reasons. Another data point is that the ccache used by ipa-getkeytab is the one already set by SSSD to a static predefined path, so there is no need to resolve any of the modifiers supported by libkrb5. """ See the full comment at https://github.com/SSSD/sssd/pull/798#issuecomment-478682250
[SSSD] [sssd PR#683][comment] PYSSS: Re-add the pysss.getgrouplist() interface
URL: https://github.com/SSSD/sssd/pull/683 Title: #683: PYSSS: Re-add the pysss.getgrouplist() interface abbra commented: """ Looks good to me. Thank you, @jhrozek """ See the full comment at https://github.com/SSSD/sssd/pull/683#issuecomment-432550376
[SSSD] [sssd PR#620][comment] Add pam_cert_pam_services option
URL: https://github.com/SSSD/sssd/pull/620 Title: #620: Add pam_cert_pam_services option abbra commented: """ I'm also fine with @lslebodn patch """ See the full comment at https://github.com/SSSD/sssd/pull/620#issuecomment-411374966 List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/MPF3INOXJJOD5POI4KUCQHGW5ZUYCZNH/
[SSSD] [sssd PR#620][comment] Add pam_cert_pam_services option
URL: https://github.com/SSSD/sssd/pull/620 Title: #620: Add pam_cert_pam_services option abbra commented: """ I think +service style is better. Sorry for slow answers, I'm at the conference this week. """ See the full comment at https://github.com/SSSD/sssd/pull/620#issuecomment-411373283 List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/2ARQBAUHUKZXS47FDXWIFQLAN55ET7W2/
[SSSD] [sssd PR#620][opened] Add pam_cert_pam_services option
URL: https://github.com/SSSD/sssd/pull/620 Author: abbra Title: #620: Add pam_cert_pam_services option Action: opened PR body: """ Allow customizing which PAM services are allowed to perform smartcard authentication. Fixes: https://pagure.io/SSSD/sssd/issue/3775 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/620/head:pr620 git checkout pr620 From fcd0db246fb1279d6ffb470d3749d50f1e345aaf Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Fri, 20 Jul 2018 12:06:48 +0300 Subject: [PATCH] Add pam_cert_pam_services option Allow customizing which PAM services are allowed to perform smartcard authentication. Fixes: https://pagure.io/SSSD/sssd/issue/3775 Signed-off-by: Alexander Bokovoy --- src/confdb/confdb.h | 1 + src/config/SSSDConfig/__init__.py.in | 1 + src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.conf | 1 + src/man/sssd.conf.5.xml | 14 ++ src/responder/pam/pamsrv_p11.c | 33 +++-- 6 files changed, 45 insertions(+), 6 deletions(-) diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 8af625f01..7e1116d97 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -131,6 +131,7 @@ #define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path" #define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout" #define CONFDB_PAM_APP_SERVICES "pam_app_services" +#define CONFDB_PAM_CERT_PAM_SERVICES "pam_cert_pam_services" /* SUDO */ #define CONFDB_SUDO_CONF_ENTRY "config/sudo" diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 32b74e4c7..ee08765e0 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in 
@@ -103,6 +103,7 @@ option_strings = { 'pam_cert_db_path' : _('Path to certificate database with PKCS#11 modules.'), 'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'), 'pam_app_services' : _('Which PAM services are permitted to contact application domains'), +'pam_cert_pam_services' : _('Which PAM services are permitted to perform smart card authentication'), # [sudo] 'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'), diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 551322780..1673abe8d 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -126,6 +126,7 @@ option = pam_cert_auth option = pam_cert_db_path option = p11_child_timeout option = pam_app_services +option = pam_cert_pam_services [rule/allowed_sudo_options] validator = ini_allowed_options diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index 2be2e3e68..67b55674e 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -75,6 +75,7 @@ pam_cert_auth = bool, None, false pam_cert_db_path = str, None, false p11_child_timeout = int, None, false pam_app_services = str, None, false +pam_cert_pam_services = list, str, false [sudo] # sudo service diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index ed3c10012..5873a4ce2 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -1389,6 +1389,20 @@ pam_account_locked_message = Account locked, please contact help desk. + +pam_cert_pam_services (list) + + +Which PAM services are permitted to perform +certificate based Smartcard authentication. + + +Default: login, su, su-l, gdm-smartcard, + gdm-password, kdm, sudo, sudo-i, + gnome-screensaver + + + diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c index 0b6a162a4..83f99132a 100644 --- a/src/responder/pam/pamsrv_p11.c +++ b/src/responder/pam/pamsrv_p11.c 
@@ -230,6 +230,10 @@ bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd) const char *sc_services[] = { "login", "su", "su-l", "gdm-smartcard", "gdm-password", "kdm", "sudo", "sudo-i", "gnome-screensaver", NULL }; +char **pam_cert_pam_services = NULL; +int ret; +bool result; + if (!pctx->cert_auth) { return false; } @@ -244,23 +248,40 @@ bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd) return false; } -/* TODO: make services configurable */ if (pd-&g
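Review bot: the default service list now exists in two places, the hard-coded `sc_services[]` array in may_do_cert_auth() and the `Default:` line added to sssd.conf.5.xml; keep them in one place (or generate the man page text from the array) so the compiled-in default and the documented default cannot drift. Also, the man page says "certificate based Smartcard authentication" while the option help string in __init__.py.in says "smart card authentication"; pick one spelling for both.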
[SSSD] [sssd PR#522][comment] Prepare SSSD to support IPA in trust to Samba AD
URL: https://github.com/SSSD/sssd/pull/522 Title: #522: Prepare SSSD to support IPA in trust to Samba AD abbra commented: """ @jhrozek ping, is it possible to review this pull request? """ See the full comment at https://github.com/SSSD/sssd/pull/522#issuecomment-403373886 List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/YDW5PF3PPFKXIMZP4DZB6Y4CQUA55HS6/
[SSSD] [sssd PR#522][comment] Prepare SSSD to support IPA in trust to Samba AD
URL: https://github.com/SSSD/sssd/pull/522 Title: #522: Prepare SSSD to support IPA in trust to Samba AD abbra commented: """ @jhrozek, @sumit-bose I've updated this pull request with new code that adds a missing `cn=trusts,$SUFFIX` base after a user base is parsed. I find this approach cleaner than the previous one and it also avoids issues with parsing the option. To test it, you need my https://github.com/abbra/freeipa/tree/trust-one-way-improvements FreeIPA branch. With the SSSD changes from this pull request and FreeIPA patches from the trust-one-way-improvements branch I'm able to establish:
- a one-way trust with a shared secret from the Windows Server side
- a trust to Samba AD
So I guess this is actually a good start. A draft design page is https://cloud.vda.li/hackmd/s/Sy-rkrU-7 """ See the full comment at https://github.com/SSSD/sssd/pull/522#issuecomment-401338875 List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/WTKYBWQUZAAKABV43EVDBHU5ALI4GPYC/
[SSSD] [sssd PR#522][synchronized] Prepare SSSD to support IPA in trust to Samba AD
URL: https://github.com/SSSD/sssd/pull/522 Author: abbra Title: #522: Prepare SSSD to support IPA in trust to Samba AD Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/522/head:pr522 git checkout pr522 From b12919a842838b791e72b0862733a65653ead444 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Thu, 22 Feb 2018 14:45:16 +0200 Subject: [PATCH 1/2] ipa provider: always use a special keytab to talk to a trusted DC When FreeIPA is set up to trust an Active Directory forest, we should be using trusted domain object credentials regardless of the trust direction. Previously, SSSD relied on FreeIPA KDC issuing a cross-realm referral towards a trusted domain. However, this does not work currently with Samba AD and in general we want to move away to use TDO in all cases as it is guaranteed to have correct permissions on AD side. Signed-of-by: Alexander Bokovoy --- src/providers/ipa/ipa_subdomains_server.c | 25 ++- src/tests/cmocka/test_ipa_subdomains_server.c | 44 +-- 2 files changed, 31 insertions(+), 38 deletions(-) diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c index 02577c921..e5ea4bd02 100644 --- a/src/providers/ipa/ipa_subdomains_server.c +++ b/src/providers/ipa/ipa_subdomains_server.c @@ -33,6 +33,7 @@ */ #define LSA_TRUST_DIRECTION_INBOUND 0x0001 #define LSA_TRUST_DIRECTION_OUTBOUND 0x0002 +#define LSA_TRUST_DIRECTION_MASK (LSA_TRUST_DIRECTION_INBOUND | LSA_TRUST_DIRECTION_OUTBOUND) static char *forest_keytab(TALLOC_CTX *mem_ctx, const char *forest) { 
@@ -183,16 +184,11 @@ static struct ad_options *ipa_ad_options_new(struct be_ctx *be_ctx, return NULL; } -if (direction & LSA_TRUST_DIRECTION_OUTBOUND) { -ad_options = ad_create_2way_trust_options(id_ctx, - be_ctx->cdb, - subdom_conf_path, - be_ctx->provider, - id_ctx->server_mode->realm, - subdom, - id_ctx->server_mode->hostname, - NULL); -} else if (direction & LSA_TRUST_DIRECTION_INBOUND) { +/* In both inbound and outbound trust cases we should be + * using trusted domain object in a trusted domain space, + * thus we always should be initializing principals/keytabs + * as if we are running one-way trust */ +if (direction & LSA_TRUST_DIRECTION_MASK) { ad_options = ipa_create_1way_trust_ctx(id_ctx, be_ctx, subdom_conf_path, forest, forest_realm, subdom); @@ -677,11 +673,10 @@ ipa_server_trusted_dom_setup_send(TALLOC_CTX *mem_ctx, subdom->name, state->forest, ipa_trust_dir2str(state->direction)); -if (state->direction & LSA_TRUST_DIRECTION_OUTBOUND) { -/* Use system keytab, nothing to do here */ -ret = EOK; -goto immediate; -} else if (state->direction & LSA_TRUST_DIRECTION_INBOUND) { +/* For both inbound and outbound trusts use a special keytab + * as this allows us to reuse the same logic in FreeIPA for + * both Microsoft AD and Samba AD */ +if (state->direction & LSA_TRUST_DIRECTION_MASK) { /* Need special keytab */ ret = ipa_server_trusted_dom_setup_1way(req); if (ret == EAGAIN) { diff --git a/src/tests/cmocka/test_ipa_subdomains_server.c b/src/tests/cmocka/test_ipa_subdomains_server.c index 65a13de7f..11cec6721 100644 --- a/src/tests/cmocka/test_ipa_subdomains_server.c +++ b/src/tests/cmocka/test_ipa_subdomains_server.c @@ -420,7 +420,7 @@ static void assert_trust_object(struct ipa_ad_server_ctx *trust, assert_null(s); } -/* the system keytab is always used with two-way trusts */ +/* both one-way and two-way trust uses specialized keytab */ s = dp_opt_get_string(trust->ad_id_ctx->ad_options->id->basic, SDAP_KRB5_KEYTAB); if (keytab != NULL) { 
@@ -474,23 +474,22 @@ static void test_ipa_server_create_trusts_twoway(struct tevent_req *req) s_trust = test_ctx->ipa_ctx->server_mode->trusts->next; c_trust = test_ctx->ipa_ctx->server_mode->trusts; } -/* Two-way trusts should use the system realm */ assert_trust_object(c_trust, CHILD_NAME, -DOM_REALM, +CHILD_REALM, CHILD_SID, -NULL, -TEST_AUTHID, -
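Review bot: In the `ipa_ad_options_new()` hunk (`@@ -183,16`), routing both `LSA_TRUST_DIRECTION_INBOUND` and `LSA_TRUST_DIRECTION_OUTBOUND` through `ipa_create_1way_trust_ctx()` leaves `ad_create_2way_trust_options()` without a caller in this file; if nothing else references it, remove it in the same patch rather than leaving dead code (and a likely unused-function warning) behind. The same applies to the `@@ -677,11` hunk in `ipa_server_trusted_dom_setup_send()`: the "Use system keytab" path is gone, so any remaining system-keytab handling for the outbound case should be removed too. The commit trailer is spelled `Signed-of-by`, which git will not recognise as a sign-off; it should be `Signed-off-by`.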
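Review bot: In `test_ipa_subdomains_server.c` (`@@ -420,7`) the replaced comment `/* both one-way and two-way trust uses specialized keytab */` should read `/* both one-way and two-way trusts use a specialized keytab */`. The second test hunk (`@@ -474,23`), which swaps `DOM_REALM`, `NULL` and `TEST_AUTHID` for `CHILD_REALM` in the two-way case, is cut off in this message, so the keytab path and principal now expected by `assert_trust_object()` for a two-way trust cannot be checked from here.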
[SSSD] [sssd PR#522][synchronized] Prepare SSSD to support IPA in trust to Samba AD
URL: https://github.com/SSSD/sssd/pull/522 Author: abbra Title: #522: Prepare SSSD to support IPA in trust to Samba AD Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/522/head:pr522 git checkout pr522 From 150f410045944bfbb23830a912f0548e1b1bf6f2 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Thu, 22 Feb 2018 14:38:51 +0200 Subject: [PATCH 1/2] ipa provider: expand search base to cover trusted domain objects In case of a two-way trust between FreeIPA and an Active Directory, domain controller would use a TDO object in the trusting domain to authenticate. Due to how trusted domain objects are used in Active Directory, a domain controller from the trusted domain will synthesize a Kerberos ticket for the TDO in the trusting domain. This ticket will lack MS-PAC information because a trusted DC has no idea what to put there. On IPA master smbd process will attempt to validate successfully authenticated TDO principal by looking at its MS-PAC structure, only to find it is missing. As result, smbd will revert to a direct getpwnam(). Because TDO objects are stored under cn=trusts,$SUFFIX in FreeIPA, they couldn't be found by SSSD which uses cn=accounts,$SUFFIX by default. Add second search base to look up cn=trusts,$SUFFX to allow TDO objects to be queried. On FreeIPA side access controls are put in place so that only AD trust agents are able to see a content of the cn=trusts,$SUFFIX subtree. Signed-of-by: Alexander Bokovoy <aboko...@redhat.com> --- src/providers/ipa/ipa_common.c | 36 +++- 1 file changed, 31 insertions(+), 5 deletions(-) diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 2b81d7f3f..d91ba1c8e 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c 
@@ -176,9 +176,10 @@ int ipa_get_id_options(struct ipa_options *ipa_opts, TALLOC_CTX *tmpctx; char *basedn; char *realm; -char *value; +char *value, *user_base; int ret; int i; +bool server_mode; tmpctx = talloc_new(ipa_opts); if (!tmpctx) { @@ -272,11 +273,36 @@ int ipa_get_id_options(struct ipa_options *ipa_opts, ipa_opts->id->schema_type = SDAP_SCHEMA_IPA_V1; /* set user/group search bases if they are not specified */ -if (NULL == dp_opt_get_string(ipa_opts->id->basic, - SDAP_USER_SEARCH_BASE)) { +user_base = dp_opt_get_string(ipa_opts->id->basic, SDAP_USER_SEARCH_BASE); + +/* In server mode we need to search both cn=accounts,$SUFFIX and + * cn=trusts,$SUFFIX to allow trusted domain object accounts to be found. + * Update user base if it wasn't set explicitly to multiple base DNs + */ +server_mode = dp_opt_get_bool(ipa_opts->basic, IPA_SERVER_MODE); +if (server_mode != false) { +if ((NULL == user_base) || (NULL == strstr(user_base, "?cn=trusts,"))) { +/* Search both cn=accounts,$SUFFIX and cn=trusts,$SUFFIX. This allows + * to catch trusted domain objects used by trusted AD DCs to talk to + * Samba on IPA master */ +value = talloc_asprintf(tmpctx, +"%s?cn=trusts,%s??(objectclass=ipaIDObject)", +user_base ? user_base : +dp_opt_get_string(ipa_opts->id->basic, + SDAP_SEARCH_BASE), +basedn); +} +} else { +value = dp_opt_get_string(ipa_opts->id->basic, SDAP_SEARCH_BASE); +} + +if (NULL == user_base) { +if (!value) { +ret = ENOMEM; +goto done; +} ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_USER_SEARCH_BASE, -dp_opt_get_string(ipa_opts->id->basic, - SDAP_SEARCH_BASE)); +value); if (ret != EOK) { goto done; } From d311450a1e45f5123db6ccd3083391f607b540f6 Mon Sep 17 00:00:00 2001 
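Review bot: The server-mode search base built with `"%s?cn=trusts,%s??(objectclass=ipaIDObject)"` in the `@@ -272,11` hunk has too few `?` separators for the common case where `user_base` (or the `SDAP_SEARCH_BASE` fallback) is a bare DN: SSSD reads `ldap_user_search_base` as `base?scope?filter` entries joined by `?`, so this string splits into `cn=accounts,...`, a scope of `cn=trusts,...`, an empty filter and a dangling fourth field, and the option fails to parse instead of yielding two bases. The first base needs its own empty scope and filter fields, i.e. `"%s???cn=trusts,%s??(objectclass=ipaIDObject)"`. Separately, when `user_base` is set explicitly in server mode the composed `value` is never stored, because `dp_opt_set_string()` only runs under `if (NULL == user_base)`; either apply it whenever it was recomputed or do not compute it for that case. Note also that `value` stays uninitialised when an explicit `user_base` already contains `?cn=trusts,`, which is harmless today only because of that same NULL guard.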
From: Alexander Bokovoy <aboko...@redhat.com> Date: Thu, 22 Feb 2018 14:45:16 +0200 Subject: [PATCH 2/2] ipa provider: always use a special keytab to talk to a trusted DC When FreeIPA is set up to trust an Active Directory forest, we should be using trusted domain object credentials regardless of the trust direction. Previously, SSSD relied on FreeIPA KDC issuing a cross-realm referral towards a trusted domain. However, this does not work currently with Samba AD and in general we want to move away to use TDO in all cases as it is guaranteed to have correct permissions on AD side. Signed-of-by: Alexander Bokovoy <aboko...@redhat.com> --- src/providers/ipa/ipa_subdoma
[SSSD] [sssd PR#522][comment] Prepare SSSD to support IPA in trust to Samba AD
URL: https://github.com/SSSD/sssd/pull/522 Title: #522: Prepare SSSD to support IPA in trust to Samba AD abbra commented: """ @jhrozek @sumit-bose I've updated the patches to address Jakub's comments. TDO lookup should only be performed in server mode, so I added that. On the server side there will be ACIs limiting this access to `cn=adtrust agents` members (e.g. SSSD and smbd on IPA masters) only. I also added a filter `(objectclass=ipaIDObject)` which will be used by the TDO objects. I'm going to test it more extensively today. """ See the full comment at https://github.com/SSSD/sssd/pull/522#issuecomment-369189670
[SSSD] [sssd PR#522][synchronized] Prepare SSSD to support IPA in trust to Samba AD
URL: https://github.com/SSSD/sssd/pull/522 Author: abbra Title: #522: Prepare SSSD to support IPA in trust to Samba AD Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/522/head:pr522 git checkout pr522 From 150f410045944bfbb23830a912f0548e1b1bf6f2 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Thu, 22 Feb 2018 14:38:51 +0200 Subject: [PATCH 1/2] ipa provider: expand search base to cover trusted domain objects In case of a two-way trust between FreeIPA and an Active Directory, domain controller would use a TDO object in the trusting domain to authenticate. Due to how trusted domain objects are used in Active Directory, a domain controller from the trusted domain will synthesize a Kerberos ticket for the TDO in the trusting domain. This ticket will lack MS-PAC information because a trusted DC has no idea what to put there. On IPA master smbd process will attempt to validate successfully authenticated TDO principal by looking at its MS-PAC structure, only to find it is missing. As result, smbd will revert to a direct getpwnam(). Because TDO objects are stored under cn=trusts,$SUFFIX in FreeIPA, they couldn't be found by SSSD which uses cn=accounts,$SUFFIX by default. Add second search base to look up cn=trusts,$SUFFX to allow TDO objects to be queried. On FreeIPA side access controls are put in place so that only AD trust agents are able to see a content of the cn=trusts,$SUFFIX subtree. Signed-of-by: Alexander Bokovoy <aboko...@redhat.com> --- src/providers/ipa/ipa_common.c | 36 +++- 1 file changed, 31 insertions(+), 5 deletions(-) diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 2b81d7f3f..d91ba1c8e 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c 
@@ -176,9 +176,10 @@ int ipa_get_id_options(struct ipa_options *ipa_opts, TALLOC_CTX *tmpctx; char *basedn; char *realm; -char *value; +char *value, *user_base; int ret; int i; +bool server_mode; tmpctx = talloc_new(ipa_opts); if (!tmpctx) { @@ -272,11 +273,36 @@ int ipa_get_id_options(struct ipa_options *ipa_opts, ipa_opts->id->schema_type = SDAP_SCHEMA_IPA_V1; /* set user/group search bases if they are not specified */ -if (NULL == dp_opt_get_string(ipa_opts->id->basic, - SDAP_USER_SEARCH_BASE)) { +user_base = dp_opt_get_string(ipa_opts->id->basic, SDAP_USER_SEARCH_BASE); + +/* In server mode we need to search both cn=accounts,$SUFFIX and + * cn=trusts,$SUFFIX to allow trusted domain object accounts to be found. + * Update user base if it wasn't set explicitly to multiple base DNs + */ +server_mode = dp_opt_get_bool(ipa_opts->basic, IPA_SERVER_MODE); +if (server_mode != false) { +if ((NULL == user_base) || (NULL == strstr(user_base, "?cn=trusts,"))) { +/* Search both cn=accounts,$SUFFIX and cn=trusts,$SUFFIX. This allows + * to catch trusted domain objects used by trusted AD DCs to talk to + * Samba on IPA master */ +value = talloc_asprintf(tmpctx, +"%s?cn=trusts,%s??(objectclass=ipaIDObject)", +user_base ? user_base : +dp_opt_get_string(ipa_opts->id->basic, + SDAP_SEARCH_BASE), +basedn); +} +} else { +value = dp_opt_get_string(ipa_opts->id->basic, SDAP_SEARCH_BASE); +} + +if (NULL == user_base) { +if (!value) { +ret = ENOMEM; +goto done; +} ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_USER_SEARCH_BASE, -dp_opt_get_string(ipa_opts->id->basic, - SDAP_SEARCH_BASE)); +value); if (ret != EOK) { goto done; } From d064c50e5319c2d5e633df8e9a595b0a96a1089d Mon Sep 17 00:00:00 2001 
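Review bot: The `@@ -272,11` hunk only ever applies the composed search base when `user_base` is NULL: for an administrator who set `ldap_user_search_base` explicitly on an IPA master, `value` is built with the extra `cn=trusts,%s` base and then discarded, so TDO lookups silently keep using the configured base alone, contrary to the intent of the comment `Update user base if it wasn't set explicitly to multiple base DNs`. Move the `dp_opt_set_string()` call so it also runs when server mode rewrote the value, or drop the computation for that branch. The separator count in `"%s?cn=trusts,%s??(objectclass=ipaIDObject)"` is also one short for a bare-DN `user_base` (SSSD expects `base?scope?filter` per entry, so the first base needs `???` before the second), and `strstr(user_base, "?cn=trusts,")` will not recognise an explicit `cn=trusts` base that is listed first or written with different capitalisation.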
From: Alexander Bokovoy <aboko...@redhat.com> Date: Thu, 22 Feb 2018 14:45:16 +0200 Subject: [PATCH 2/2] ipa provider: always use a special keytab to talk to a trusted DC When FreeIPA is set up to trust an Active Directory forest, we should be using trusted domain object credentials regardless of the trust direction. Previously, SSSD relied on FreeIPA KDC issuing a cross-realm referral towards a trusted domain. However, this does not work currently with Samba AD and in general we want to move away to use TDO in all cases as it is guaranteed to have correct permissions on AD side. Signed-of-by: Alexander Bokovoy <aboko...@redhat.com> --- src/providers/ipa/ipa_subdomains_server.c | 10 ++
[SSSD] [sssd PR#522][synchronized] Prepare SSSD to support IPA in trust to Samba AD
URL: https://github.com/SSSD/sssd/pull/522 Author: abbra Title: #522: Prepare SSSD to support IPA in trust to Samba AD Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/522/head:pr522 git checkout pr522 From d40451f709c9104cacd8ca77864785d05d068485 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Thu, 22 Feb 2018 14:38:51 +0200 Subject: [PATCH 1/2] ipa provider: expand search base to cover trusted domain objects In case of a two-way trust between FreeIPA and an Active Directory, domain controller would use a TDO object in the trusting domain to authenticate. Due to how trusted domain objects are used in Active Directory, a domain controller from the trusted domain will synthesize a Kerberos ticket for the TDO in the trusting domain. This ticket will lack MS-PAC information because a trusted DC has no idea what to put there. On IPA master smbd process will attempt to validate successfully authenticated TDO principal by looking at its MS-PAC structure, only to find it is missing. As result, smbd will revert to a direct getpwnam(). Because TDO objects are stored under cn=trusts,$SUFFIX in FreeIPA, they couldn't be found by SSSD which uses cn=accounts,$SUFFIX by default. Add second search base to look up cn=trusts,$SUFFX to allow TDO objects to be queried. On FreeIPA side access controls are put in place so that only AD trust agents are able to see a content of the cn=trusts,$SUFFIX subtree. Signed-of-by: Alexander Bokovoy <aboko...@redhat.com> --- src/providers/ipa/ipa_common.c | 36 +++- 1 file changed, 31 insertions(+), 5 deletions(-) diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 2b81d7f3f..6599943da 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c 
@@ -176,9 +176,10 @@ int ipa_get_id_options(struct ipa_options *ipa_opts, TALLOC_CTX *tmpctx; char *basedn; char *realm; -char *value; +char *value, *user_base; int ret; int i; +bool server_mode; tmpctx = talloc_new(ipa_opts); if (!tmpctx) { @@ -272,11 +273,36 @@ int ipa_get_id_options(struct ipa_options *ipa_opts, ipa_opts->id->schema_type = SDAP_SCHEMA_IPA_V1; /* set user/group search bases if they are not specified */ -if (NULL == dp_opt_get_string(ipa_opts->id->basic, - SDAP_USER_SEARCH_BASE)) { +user_base = dp_opt_get_string(ipa_opts->id->basic, SDAP_USER_SEARCH_BASE); + +/* In server mode we need to search both cn=accounts,$SUFFIX and + * cn=trusts,$SUFFIX to allow trusted domain object accounts to be found. + * Update user base if it wasn't set explicitly to multiple base DNs + */ +server_mode = dp_opt_get_bool(ipa_opts->basic, IPA_SERVER_MODE); +if (server_mode != false) { +if ((NULL == user_base) || (NULL == strstr(user_base, "?cn=trusts,"))) { +/* Search both cn=accounts,$SUFFIX and cn=trusts,$SUFFIX. This allows + * to catch trusted domain objects used by trusted AD DCs to talk to + * Samba on IPA master */ +value = talloc_asprintf(tmpctx, +"%s???cn=trusts,%s??(objectclass=ipaIDObject)", +user_base ? user_base : +dp_opt_get_string(ipa_opts->id->basic, + SDAP_SEARCH_BASE), +basedn); +} +} else { +value = dp_opt_get_string(ipa_opts->id->basic, SDAP_SEARCH_BASE); +} + +if (NULL == user_base) { +if (!value) { +ret = ENOMEM; +goto done; +} ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_USER_SEARCH_BASE, -dp_opt_get_string(ipa_opts->id->basic, - SDAP_SEARCH_BASE)); +value); if (ret != EOK) { goto done; } From 6b9403f373e19dabf2a1763e12fe139f51ac5dda Mon Sep 17 00:00:00 2001 
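Review bot: In the `@@ -272,11` hunk the `dp_opt_set_string()` call is still guarded by `if (NULL == user_base)`, so the `value` composed in server mode for an explicitly configured `user_base` is computed and then thrown away; an administrator who pins `ldap_user_search_base` to a single DN on an IPA master will not get the `cn=trusts,%s` base and the TDO account will not resolve for smbd. Set the option whenever server mode rewrote `value`, and initialise `value` on the path where `user_base` already contains `?cn=trusts,` (it is never read there today, but only because of the same NULL check). The change to `"%s???cn=trusts,%s??(objectclass=ipaIDObject)"` is correct for a bare-DN first base; a `user_base` that is already a full `base?scope?filter` entry ends in a filter field, and appending `???cn=trusts,...` to it would produce a field count that is not a multiple of three, so parsing the configured value and appending an entry is safer than string concatenation once the explicit case is actually applied.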
From: Alexander Bokovoy <aboko...@redhat.com> Date: Thu, 22 Feb 2018 14:45:16 +0200 Subject: [PATCH 2/2] ipa provider: always use a special keytab to talk to a trusted DC When FreeIPA is set up to trust an Active Directory forest, we should be using trusted domain object credentials regardless of the trust direction. Previously, SSSD relied on FreeIPA KDC issuing a cross-realm referral towards a trusted domain. However, this does not work currently with Samba AD and in general we want to move away to use TDO in all cases as it is guaranteed to have correct permissions on AD side. Signed-of-by: Alexander Bokovoy <aboko...@redhat.com> --- src/providers/ipa/ipa_subdomains_server.c | 10 ++
[SSSD] [sssd PR#522][opened] Prepare SSSD to support IPA in trust to Samba AD
URL: https://github.com/SSSD/sssd/pull/522 Author: abbra Title: #522: Prepare SSSD to support IPA in trust to Samba AD Action: opened PR body: """ This pull request prepares the SSSD ipa provider to support IPA in trust to Samba AD, but the same changes are needed for a properly working bi-directional trust against Microsoft AD as well. To make everything fully working, one needs patches against FreeIPA too, but the SSSD changes are isolated. @sumit-bose @jhrozek please review.

1. When IPA establishes a trust to an Active Directory forest, a number of special objects are created in a subtree of `cn=trusts,$SUFFIX`. These objects represent Kerberos principals for trusted domain objects (TDOs) used for both incoming and outgoing trusts. For a bi-directional trust there is a requirement that one of them (`$@`) must have a POSIX identity, because a remote domain controller will use it to authenticate against smbd running on the IPA master. SSSD only looks for user accounts in `cn=accounts,$SUFFIX`, so an attempt by smbd to resolve this principal name as a POSIX user via `getpwnam()` will fail. The reason smbd behaves this way is that the Kerberos ticket used for authentication contains no MS-PAC record, which does not allow Samba to build the local security token it needs. This is expected for authentication using the TDO account, as it is used for bootstrapping reasons (an AD DC couldn't create and sign an MS-PAC record for an account in the IPA realm), but the side effect is that the TDO object must be known as a POSIX account on the IPA master. Thus, we extend the user search base in the IPA provider to search in both `cn=accounts,$SUFFIX` and `cn=trusts,$SUFFIX`. Changes on the FreeIPA side will handle access controls and generation of the POSIX information for the TDO accounts.

2. For a long time we relied on using cross-realm TGTs to talk to Active Directory domain controllers (LDAP and GC services) in the case of a bi-directional trust. Unfortunately, this is not something we can continue using, as there are multiple reasons such access can be denied by the trusted AD side, including SID filtering and other security measures. It also happens that right now Samba AD in Fedora has a bug in handling a cross-realm TGT generated by the FreeIPA KDC. As a result, while technically IPA could establish a bi-directional trust to Samba AD, it does not work, as any SSSD attempt to connect to AD DCs via LDAP with GSSAPI will fail (the Samba AD DC answers the PROCESS_TGS message with an error on the Kerberos level and authentication fails). For this reason, we should remove any distinction when using a bi-directional trust and simply always use a special keytab with a TDO object, as we do in the uni-directional trust case. While a more generic Kerberos authentication will not work in the outbound direction, SSSD will be able to resolve users/groups. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/522/head:pr522 git checkout pr522 From a401512caac7d9d60887cc286bda215efdf68b83 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com> Date: Thu, 22 Feb 2018 14:38:51 +0200 Subject: [PATCH 1/2] ipa provider: expand search base to cover trusted domain objects In case of a two-way trust between FreeIPA and an Active Directory, domain controller would use a TDO object in the trusting domain to authenticate. Due to how trusted domain objects are used in Active Directory, a domain controller from the trusted domain will synthesize a Kerberos ticket for the TDO in the trusting domain. This ticket will lack MS-PAC information because a trusted DC has no idea what to put there. On IPA master smbd process will attempt to validate successfully authenticated TDO principal by looking at its MS-PAC structure, only to find it is missing. As result, smbd will revert to a direct getpwnam(). Because TDO objects are stored under cn=trusts,$SUFFIX in FreeIPA, they couldn't be found by SSSD which uses cn=accounts,$SUFFIX by default. Add second search base to look up cn=trusts,$SUFFX to allow TDO objects to be queried. On FreeIPA side access controls are put in place so that only AD trust agents are able to see a content of the cn=trusts,$SUFFIX subtree. Signed-of-by: Alexander Bokovoy <aboko...@redhat.com> --- src/providers/ipa/ipa_common.c | 24 ++-- 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 2b81d7f3f..a120dbf8d 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c @@ -176,7 +176,7 @@ int ipa_get_id_options(struct ipa_options *ipa_opts, TALLOC_CTX *tmpctx; char *basedn; char *realm; -char *value; +char *value, *value2; int ret; int i; @@ -271,12 +271,24 @@ int ipa_get_id_options(struct ipa_options *ipa_opts, /* fix schema to IPAv1 for now */ ipa_opts->id->
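Review bot: The `@@ -271,12 +271,24` hunk is cut off in this message right after `ipa_opts->id->`, so the search base construction that the new `value2` in `char *value, *value2;` is meant for cannot be reviewed from here; the only visible change is the declaration. The commit message reads `cn=trusts,$SUFFX` where `$SUFFIX` is meant, and the trailer is spelled `Signed-of-by` rather than `Signed-off-by`, so git will not pick it up as a sign-off.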
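The `ldap_user_search_base` syntax that item 1 of the PR body and the search-base patches above depend on, as an added example; this is not code from SSSD or from this pull request. It assumes the format documented in sssd-ldap(5), `base?scope?filter` entries joined by `?`, accepts only the full scope names `base`, `onelevel` and `subtree`, and uses the constructed suffix `dc=ipa,dc=test`. The parser shows why the single-`?` string from the 150f410 revision fails to parse while the `???` string from the d40451f revision yields two bases, and `add_trusts_base()` appends `cn=trusts,$SUFFIX` by parsing the configured value rather than substring-matching it, so an explicitly configured multi-base value is handled as well.

```python
"""Added example, not SSSD code: parse and extend SSSD multi-base search bases."""
from dataclasses import dataclass
from typing import List

# Scopes SSSD accepts in a search-base entry; "" means the default (subtree).
# Abbreviations such as "sub"/"one" are deliberately not accepted here (assumption).
VALID_SCOPES = {"", "base", "onelevel", "subtree"}


@dataclass(frozen=True)
class SearchBase:
    base: str
    scope: str = ""
    ldap_filter: str = ""


def parse_search_bases(value: str) -> List[SearchBase]:
    """Split base?scope?filter?base?scope?filter... into SearchBase entries.

    A value without any "?" is a single bare DN.  Anything else must contain a
    multiple of three fields, each base must be non-empty and each scope must be
    recognised; otherwise the whole option is rejected, as SSSD does.
    """
    fields = value.split("?")
    if len(fields) == 1:
        fields = [fields[0], "", ""]
    if len(fields) % 3 != 0:
        raise ValueError(
            f"{len(fields)} fields, expected a multiple of 3 (base?scope?filter): {value!r}"
        )
    bases = []
    for i in range(0, len(fields), 3):
        base, scope, flt = fields[i], fields[i + 1].lower(), fields[i + 2]
        if not base:
            raise ValueError(f"empty base DN in entry {i // 3}: {value!r}")
        if scope not in VALID_SCOPES:
            raise ValueError(f"unknown scope {scope!r} in entry {i // 3}: {value!r}")
        bases.append(SearchBase(base, scope, flt))
    return bases


def format_search_bases(bases: List[SearchBase]) -> str:
    """Inverse of parse_search_bases(): always emits full base?scope?filter entries."""
    return "?".join(f"{b.base}?{b.scope}?{b.ldap_filter}" for b in bases)


def add_trusts_base(user_base: str, suffix: str) -> str:
    """Return user_base with cn=trusts,<suffix> (filtered to ipaIDObject) appended.

    The existing value is parsed first, so a cn=trusts base that is already
    configured (in any position, any capitalisation) is left alone, and a
    user_base that is already a multi-base list is extended correctly instead
    of being concatenated with a fixed number of "?" separators.
    """
    trusts_dn = f"cn=trusts,{suffix}"
    bases = parse_search_bases(user_base)
    if any(b.base.lower() == trusts_dn.lower() for b in bases):
        return user_base
    bases.append(SearchBase(trusts_dn, "", "(objectclass=ipaIDObject)"))
    return format_search_bases(bases)


def parses(value: str) -> bool:
    """True when SSSD-style parsing of value succeeds."""
    try:
        parse_search_bases(value)
    except ValueError:
        return False
    return True


# Constructed sample suffix; any IPA suffix behaves the same way.
SUFFIX = "dc=ipa,dc=test"
ACCOUNTS_BASE = f"cn=accounts,{SUFFIX}"
# The two strings the patch revisions above produce for a bare-DN user base.
ONE_SEP = f"{ACCOUNTS_BASE}?cn=trusts,{SUFFIX}??(objectclass=ipaIDObject)"
THREE_SEP = f"{ACCOUNTS_BASE}???cn=trusts,{SUFFIX}??(objectclass=ipaIDObject)"

if __name__ == "__main__":
    for label, value in (("one '?'", ONE_SEP), ("three '?'", THREE_SEP)):
        try:
            print(label, "->", parse_search_bases(value))
        except ValueError as err:
            print(label, "-> rejected:", err)
    print("built:", add_trusts_base(ACCOUNTS_BASE, SUFFIX))
```

Running the module prints the single-`?` form being rejected (four fields, not a multiple of three) and the `???` form parsing into the `cn=accounts` and `cn=trusts` entries; `add_trusts_base(ACCOUNTS_BASE, SUFFIX)` reproduces the `???` string exactly, and calling it again on that result is a no-op.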
[SSSD] [sssd PR#467][comment] nss-idmap: allow NULL result in *_timeout calls
URL: https://github.com/SSSD/sssd/pull/467 Title: #467: nss-idmap: allow NULL result in *_timeout calls abbra commented: """ I just did a test with slapi-nis, which evicts users/groups from the cache when ID overrides change, and everything worked with this pull request, while without it ns-slapd crashed. """ See the full comment at https://github.com/SSSD/sssd/pull/467#issuecomment-350220711
[SSSD] [sssd PR#268][comment] pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT
URL: https://github.com/SSSD/sssd/pull/268 Title: #268: pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT abbra commented: """ I opened RFE https://pagure.io/SSSD/sssd/issue/3396 to discuss the details of this. I believe "sending potentially bogus data to SSSD" is not an argument -- any process can open a socket to SSSD and talk nonsense there if it wanted to spam you with bogus data. Let's discuss the actual limitations that prevent you from implementing SSSD-side processing in the RFE ticket. """ See the full comment at https://github.com/SSSD/sssd/pull/268#issuecomment-300748868
[SSSD] [sssd PR#268][comment] pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT
URL: https://github.com/SSSD/sssd/pull/268 Title: #268: pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT abbra commented: """ Still, why can't you make that decision without an option's help? Sorry, I don't see a difference -- why, on seeing a certificate, can't `pam_sss` defer the decision on whether to accept a missing name to the backend (SSSD) and then act accordingly? """ See the full comment at https://github.com/SSSD/sssd/pull/268#issuecomment-300717514
[SSSD] [sssd PR#193][comment] UTIL: Use max 15 characters for AD host UPN
URL: https://github.com/SSSD/sssd/pull/193 Title: #193: UTIL: Use max 15 characters for AD host UPN abbra commented: """ I think the requirement for computer accounts comes from NT compatibility, where it is based on the NetBIOS spec. Note that samAccountName is not limited to 20 characters but is recommended to be less than 20 characters. This is only for users and groups. For machine accounts the real limit is the NetBIOS name limit. Thus, 15+$. """ See the full comment at https://github.com/SSSD/sssd/pull/193#issuecomment-290509971
[SSSD] [sssd PR#60][comment] Document ad_access_filter search for nested groups
URL: https://github.com/SSSD/sssd/pull/60 Title: #60: Document ad_access_filter search for nested groups abbra commented: """ Please use this URL: https://msdn.microsoft.com/en-us/library/cc223367.aspx """ See the full comment at https://github.com/SSSD/sssd/pull/60#issuecomment-256004734