[Freeipa-devel] [PATCH] 0072 Add ACI to allow magic regen of ipaNThash

Alexander Bokovoy abokovoy at redhat.com
Wed Aug 22 12:31:25 UTC 2012


On Tue, 21 Aug 2012, Alexander Bokovoy wrote:
> Hi,
> 
> I finally managed to get all ends together for magic regen of ipaNTHash
> based on availability of RC4 key in Kerberos keys.
> 
> The patch should be applied after 0071 and can be tested by following:
> 
> 0. run ipa-adtrust-install
> 
> 1. ipa user-add foo
> 
> 2. ipa passwd foo
> 
> 3. Remember current ipaNTHash value:
> # ldapsearch -H ldapi://%2fvar%2frun%2fslapd-IPA-LOCAL.socket 'uid=foo' ipaNTHash > foo.current.ldif
> 
> 4. Remove generated ipaNThash with ldapmodify:
> 
> removal.ldif:
> ---8<---8<----
> dn: uid=foo,cn=users,cn=accounts,dc=ipa,dc=local
> delete:ipaNtHash
> --->8--->8----
> # ldapmodify -H ldapi://%2fvar%2frun%2fslapd-IPA-LOCAL.socket -f removal.ldif
> 
> 5. Use 'wbinfo -i foo' (from samba4-winbind-clients) to trigger regeneration
> 
> 6. Retrieve new ipaNTHash value:
> # ldapsearch -H ldapi://%2fvar%2frun%2fslapd-IPA-LOCAL.socket 'uid=foo' ipaNTHash > foo.regen.ldif
> 
> 7. Check foo.current.ldif and foo.regen.ldif, there should be no difference.
> 
> https://fedorahosted.org/freeipa/ticket/3016
The patch is split into two, and the ACI change is merged into a single ACI for
read and write. Originally Simo wanted me to keep them separate, but later he
decided to follow my original plan. :)

Since we have 3.0 beta versions in the wild which already have the 'read'
ACI, I'm explicitly removing the old ACI and adding a new one to handle
the 2.x -> 3.x upgrade cases.




-- 
/ Alexander Bokovoy
-------------- next part --------------
From 22176f6382b2a16b5d10f2a5e605246964e02a96 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 22 Aug 2012 14:24:33 +0300
Subject: [PATCH 5/5] Add ACI to allow regenerating ipaNTHash from ipasam

The ACI needed to actually write the MagicRegen value into the ipaNTHash attribute was missing.

Part 2 of https://fedorahosted.org/freeipa/ticket/3016
---
 install/updates/60-trusts.update | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 0e40ca4d16133f0c1e93300fc13a08dd5ba4ddf7..cc9a771df901a90b457357c570dc06d34c0db4c8 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -60,7 +60,8 @@ add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType ||
 # Samba user should be able to read NT passwords to authenticate
 # Add ipaNTHash to global ACIs, leave DNS tree out of global allow access rule
 dn: $SUFFIX
-add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
+add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
+remove:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
 replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)::(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)'
 replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)::(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
 replace:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)::(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
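Review bot: The stanza comment two lines above `dn: $SUFFIX` still explains only that the Samba user must be able to read NT passwords, while the replacement ACI now also grants write on ipaNTHash; nothing in the update file records why write is needed. Suggest extending the comment, e.g. `# Write is needed too: ipasam stores the MagicRegen marker in ipaNTHash to trigger regeneration of the hash (see ipasam_nthash_regen in ipa_sam.c)`. The `add:` of the new ACI is placed before the `remove:` of the old one; whether the updater tolerates removing a value that is absent on fresh installs is not visible here and is worth confirming.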
-- 
1.7.11.4

-------------- next part --------------
>From c9f743c986e2af749d51152c0678ca77392e36b2 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 22 Aug 2012 14:19:54 +0300
Subject: [PATCH 4/5] Fix ipasam ipaNThash magic regen to actually fetch
 updated password

With this change ipasam is able to request ipaNTHash generation and, if the
corresponding Kerberos key is available, to retrieve the generated ipaNTHash.

Part 1 of https://fedorahosted.org/freeipa/ticket/3016
---
 daemons/ipa-sam/ipa_sam.c | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 059109374bd0e1aa1de118b4767b5692d0e483a2..8a4a08bc7a5951553a463805a8aedb82ee887936 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2417,7 +2417,7 @@ static bool ipasam_nthash_retrieve(struct ldapsam_privates *ldap_state,
 				  };
 
 	ret = smbldap_search(smbldap_state, entry_dn,
-			     LDAP_SCOPE_BASE, "", attr_list, 0,
+			     LDAP_SCOPE_BASE, "(objectclass=*)", attr_list, 0,
 			     &result);
 	if (ret != LDAP_SUCCESS) {
 		DEBUG(1, ("Failed to get NT hash: %s\n",
@@ -2453,15 +2453,13 @@ static bool ipasam_nthash_regen(struct ldapsam_privates *ldap_state,
 				TALLOC_CTX *mem_ctx,
 				char * entry_dn)
 {
-	LDAPMod **mods;
+	LDAPMod **mods = NULL;
 	int ret;
 
-	mods = NULL;
-	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct,
-			 NULL, &mods, LDAP_ATTRIBUTE_NTHASH, "MagicRegen");
-
+	smbldap_set_mod(&mods, LDAP_MOD_ADD, LDAP_ATTRIBUTE_NTHASH, "MagicRegen");
 	talloc_autofree_ldapmod(mem_ctx, mods);
-	ret = smbldap_add(ldap_state->smbldap_state, entry_dn, mods);
+
+	ret = smbldap_modify(ldap_state->smbldap_state, entry_dn, mods);
 	if (ret != LDAP_SUCCESS) {
 		DEBUG(5, ("ipasam: attempt to regen ipaNTHash failed\n"));
 	}
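Review bot: The failure branch after the new smbldap_modify call drops the LDAP result code, so an ACI denial (the case the companion ACI patch is meant to fix) and a transient server error log identically, and at a lower verbosity than the `DEBUG(1, ...)` used for the retrieve failure in the previous hunk. Suggest `DEBUG(1, ("ipasam: attempt to regen ipaNTHash failed: %s\n", ldap_err2string(ret)));` so the reason is visible when diagnosing a regeneration that silently does nothing. ipasam_nthash_regen's body continues past the end of the hunk.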
@@ -2585,13 +2583,11 @@ static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state,
 		 * */
 		temp = smbldap_talloc_dn(tmp_ctx, ldap_state->smbldap_state->ldap_struct, entry);
 		if (temp) {
-			retval = ipasam_nthash_regen(tmp_ctx,
-						     ldap_state->smbldap_state->ldap_struct,
-						     temp);
+			retval = ipasam_nthash_regen(ldap_state,
+						     tmp_ctx, temp);
 			if (retval) {
-				retval = ipasam_nthash_retrieve(tmp_ctx,
-							ldap_state->smbldap_state->ldap_struct,
-							temp, &nthash);
+				retval = ipasam_nthash_retrieve(ldap_state,
+								tmp_ctx, temp, &nthash);
 			}
 		}
 	}
-- 
1.7.11.4


