[Freeipa-devel] [PATCH] 0072 Add ACI to allow magic regen of ipaNThash

Alexander Bokovoy abokovoy at redhat.com
Tue Aug 21 14:27:33 UTC 2012


Hi,

I finally managed to tie all the ends together for the magic regeneration of ipaNTHash, which the server derives from the user's arcfour-hmac (RC4) Kerberos key when such a key is present (the RC4-HMAC key material is the NT hash itself, so no password is needed).

The patch should be applied on top of 0071 and can be tested as follows:

0. run ipa-adtrust-install

1. ipa user-add foo

2. ipa passwd foo

3. Remember current ipaNTHash value:
# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-IPA-LOCAL.socket 'uid=foo' ipaNTHash > foo.current.ldif

4. Remove the generated ipaNTHash with ldapmodify:

removal.ldif:
---8<---8<----
dn: uid=foo,cn=users,cn=accounts,dc=ipa,dc=local
delete:ipaNtHash
--->8--->8----
# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-IPA-LOCAL.socket -f removal.ldif

5. Use 'wbinfo -i foo' (from samba4-winbind-clients) to trigger the regeneration: ipasam notices the missing hash and asks the directory server to regenerate it.

6. Retrieve new ipaNTHash value:
# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-IPA-LOCAL.socket 'uid=foo' ipaNTHash > foo.regen.ldif

7. Compare foo.current.ldif and foo.regen.ldif; the ipaNTHash values must be identical. Note that both files contain the NT hash, which is password-equivalent, so delete them once the comparison is done.

https://fedorahosted.org/freeipa/ticket/3016


-- 
/ Alexander Bokovoy
From db693373270ab2129406c90d49efb62ffa112d1b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 21 Aug 2012 12:05:28 +0300
Subject: [PATCH 4/4] Add ACI to allow regenerating ipaNTHash from ipasam and
 fix ipaNTHash retrieval

The ACI needed to actually write the MagicRegen marker into the ipaNTHash attribute was missing, and an empty search filter was not treated by libldap as the default (objectclass=*).

With this change ipasam is able to ask for ipaNTHash generation and if
corresponding Kerberos key is available, will be able to retrieve generated ipaNTHash.

https://fedorahosted.org/freeipa/ticket/3016
---
 daemons/ipa-sam/ipa_sam.c        | 22 +++++++++-------------
 install/updates/60-trusts.update |  1 +
 2 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 059109374bd0e1aa1de118b4767b5692d0e483a2..8a4a08bc7a5951553a463805a8aedb82ee887936 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2417,7 +2417,7 @@ static bool ipasam_nthash_retrieve(struct ldapsam_privates *ldap_state,
 				  };
 
 	ret = smbldap_search(smbldap_state, entry_dn,
-			     LDAP_SCOPE_BASE, "", attr_list, 0,
+			     LDAP_SCOPE_BASE, "(objectclass=*)", attr_list, 0,
 			     &result);
 	if (ret != LDAP_SUCCESS) {
 		DEBUG(1, ("Failed to get NT hash: %s\n",
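Review bot: A successful base search is not proof that a usable hash came back: the entry may legitimately have no ipaNTHash (no RC4 key was available), or, if the server-side plugin that intercepts the MagicRegen marker is not active, the literal string "MagicRegen" written by ipasam_nthash_regen could be stored and returned here. The value handed back to callers should therefore be checked to be exactly 16 bytes before it is used as an NT hash, e.g. `if (nthash->length != 16) { /* not a valid NT hash, treat as absent */ }` — whether the remainder of ipasam_nthash_retrieve already does this is outside this hunk. The function starts before this hunk and continues after it.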
@@ -2453,15 +2453,13 @@ static bool ipasam_nthash_regen(struct ldapsam_privates *ldap_state,
 				TALLOC_CTX *mem_ctx,
 				char * entry_dn)
 {
-	LDAPMod **mods;
+	LDAPMod **mods = NULL;
 	int ret;
 
-	mods = NULL;
-	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct,
-			 NULL, &mods, LDAP_ATTRIBUTE_NTHASH, "MagicRegen");
-
+	smbldap_set_mod(&mods, LDAP_MOD_ADD, LDAP_ATTRIBUTE_NTHASH, "MagicRegen");
 	talloc_autofree_ldapmod(mem_ctx, mods);
-	ret = smbldap_add(ldap_state->smbldap_state, entry_dn, mods);
+
+	ret = smbldap_modify(ldap_state->smbldap_state, entry_dn, mods);
 	if (ret != LDAP_SUCCESS) {
 		DEBUG(5, ("ipasam: attempt to regen ipaNTHash failed\n"));
 	}
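Review bot: The failure path after smbldap_modify drops the LDAP result code, so an operator cannot tell an ACI denial (insufficientAccessRights, which is exactly what this series fixes) from an older server that rejects the marker, and at DEBUG level 5 the message is normally invisible. The retrieval path in this file reports the error string at level 1; for consistency I would write `DEBUG(1, ("ipasam: attempt to regen ipaNTHash failed: %s\n", ldap_err2string(ret)));`. It also looks as if `mods` is passed to talloc_autofree_ldapmod and smbldap_modify without checking that smbldap_set_mod actually allocated it; if set_mod can fail on allocation, a `if (mods == NULL) return false;` guard before the modify would be safer — please confirm against smbldap_set_mod's contract. The function's return statement is outside this hunk.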
@@ -2585,13 +2583,11 @@ static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state,
 		 * */
 		temp = smbldap_talloc_dn(tmp_ctx, ldap_state->smbldap_state->ldap_struct, entry);
 		if (temp) {
-			retval = ipasam_nthash_regen(tmp_ctx,
-						     ldap_state->smbldap_state->ldap_struct,
-						     temp);
+			retval = ipasam_nthash_regen(ldap_state,
+						     tmp_ctx, temp);
 			if (retval) {
-				retval = ipasam_nthash_retrieve(tmp_ctx,
-							ldap_state->smbldap_state->ldap_struct,
-							temp, &nthash);
+				retval = ipasam_nthash_retrieve(ldap_state,
+								tmp_ctx, temp, &nthash);
 			}
 		}
 	}
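Review bot: `retval` is shared between the regen and retrieve calls, so a regen failure (missing write ACI, server without the plugin) leaves retval false and the code falls through without any trace at a visible log level; what init_sam_from_ldap does with a false retval at this point is outside the hunk. Since an account with no arcfour-hmac key is an expected state rather than an error, I would document that here, e.g. `/* Regeneration can legitimately yield no hash when the account has no RC4 key; callers must treat a missing ipaNTHash as "no NTLM auth", not as a failure. */`, and make sure the caller distinguishes that from an LDAP error. Note also that every lookup of an entry lacking the hash now issues a write to the directory; if the server cannot regenerate (no RC4 key), this repeats on each call. The enclosing function starts before and ends after this hunk.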
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 0e40ca4d16133f0c1e93300fc13a08dd5ba4ddf7..61013287d3e96079e041f1cb109274b4ab409b27 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -61,6 +61,7 @@ add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType ||
 # Add ipaNTHash to global ACIs, leave DNS tree out of global allow access rule
 dn: $SUFFIX
 add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
+add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can write NT passwords"; allow (write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
 replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)::(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)'
 replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)::(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
 replace:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)::(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
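Review bot: The new write ACI is placed at $SUFFIX with no target and no value restriction, so every member of "adtrust agents" can set ipaNTHash to an arbitrary value on any entry in the tree, including admin accounts — a compromised Samba/adtrust agent could plant a chosen NT hash for any user rather than only request regeneration. Since the only value ipasam ever writes is the MagicRegen marker, the grant should be narrowed to that value; if the directory server's ACI syntax supports targattrfilters (389-ds does), something like `add:aci: '(targetattr = "ipaNTHash")(targattrfilters = "add=ipaNTHash:(ipaNTHash=MagicRegen)")(version 3.0; acl "Samba system principals can write NT passwords"; allow (write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'` would limit the agents to triggering regeneration. Restricting the target to the subtrees where ipasam actually looks up accounts would further reduce the blast radius; which subtrees those are is not visible in this hunk.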
-- 
1.7.11.4


