[Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs

Alexander Bokovoy abokovoy at redhat.com
Tue Jul 9 11:12:33 UTC 2013


On Tue, 09 Jul 2013, Jakub Hrozek wrote:
>On Wed, Jul 03, 2013 at 02:53:55PM +0200, Sumit Bose wrote:
>> On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote:
>> > On Mon, 01 Jul 2013, Sumit Bose wrote:
>> > >Hi,
>> > >
>> > >this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only
>> > >to allow SSSD running on a FreeIPA server to access the AD LDAP server.
>> > >In the ticket a more generic solution is described but since there is no
>> > >other use case so far I think this patch is sufficient for the time
>> > >being.
>> > >
>> > >bye,
>> > >Sumit
>> >
>> > >From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
>> > >From: Sumit Bose <sbose at redhat.com>
>> > >Date: Mon, 1 Jul 2013 13:47:22 +0200
>> > >Subject: [PATCH] Add PAC to master host TGTs
>> > >
>> > >For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is
>> > >needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
>> > >of a trusted domain with the credentials of a FreeIPA server host a
>> > >PAC must be added to the TGT for the host.
>> > s/SALS/SASL/
>>
>> Thank you for the review, I've fixed the typo and added the numerical
>> values for the well-known RIDs to the commit message.
>>
>> >
>> >
>> > >To determine if a host is a FreeIPA server or not it is checked if there
>> > >is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
>> > >this requires an additional LDAP lookup. But since TGS-REQs for hosts
>> > >should be rare I think it is acceptable for the time being.
>> > I think it is better to change this lookup to
>> > "cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX", it would
>> > explicitly limit us to the IPA masters running AD trusts.
>>
>> I'm not sure if this restriction is needed. With SSSD's ipa_server_mode
>> any IPA master (which networkwise can access an AD server of the trusted
>> domain) can read AD user and group data, no running smbd or winbind is
>> required. So it would be possible to run the extdom plugin or the compat
>> plugin for the legacy clients on any IPA server which would allow a much
>> better load balancing.
>>
>> If there are other concerns I'm happy to add the restriction.
>>
>> bye,
>> Sumit
>
>I don't think I know the code good enough to provide a full review, but
>the patch enables the lookups from an IPA master without any additional
>hacks. So ack on functionality at least.
Ok.

I've extended this functionality to also generate an MS-PAC for services
running on IPA masters. Patch attached.

This is needed to finally get rid of access to trust auth material for
IPA python code. HTTP/fqdn at REALM will now be able to authenticate
against AD LDAP server and look up needed information directly, without
elevating privileges to trust admins.

This should also help for AD range discovery Tomas is working on.

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 0d377b563edbc31342f1a026deac660b55322f86 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 9 Jul 2013 14:05:02 +0300
Subject: [PATCH 17/17] Generate syntethic MS-PAC for all services running on
 IPA master

An MS-PAC is required to be present in the TGT if one wants to connect to
AD services using this TGT. Users get an MS-PAC by default; SSSD in
ipa_server_mode uses the host/fqdn at REALM principal to talk to AD LDAP.

This patch enables other services running on IPA master to connect
to AD services. This is required for IPA python code doing discovery
of remote AD domain settings shortly after IPA-AD trust has been
established.
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 56 +++++++++++++++++++++++++++++++++--------
 1 file changed, 46 insertions(+), 10 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 92dc8dd..f1df022 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -60,6 +60,7 @@ static char *user_pac_attrs[] = {
     "cn",
     "fqdn",
     "gidNumber",
+    "managedBy",
     "krbPrincipalName",
     "krbCanonicalName",
     "krbTicketPolicyReference",
@@ -359,15 +360,33 @@ static int sid_split_rid(struct dom_sid *sid, uint32_t *rid)
     return 0;
 }
 
-static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
+static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn, bool managedby)
 {
     int ret;
     char *master_host_base = NULL;
+    char *master_fqdn = NULL;
     LDAPMessage *result = NULL;
     krb5_error_code err;
 
-    ret = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
-                                      fqdn, ipactx->base);
+    if (managedby) {
+        err = ipadb_simple_search(ipactx, (char*) fqdn, LDAP_SCOPE_BASE,
+                                  NULL, NULL, &result);
+        if (err == 0) {
+            ret = ipadb_ldap_attr_to_str(ipactx->lcontext, result, "fqdn", &master_fqdn);
+            if (ret == 0) {
+                ret = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
+                                                  master_fqdn, ipactx->base);
+            }
+            free(master_fqdn);
+            ldap_msgfree(result);
+        } else {
+            ldap_msgfree(result);
+            return false;
+        }
+    } else {
+        ret = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
+                                          fqdn, ipactx->base);
+    }
     if (ret == -1) {
         return false;
     }
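Review bot: In the managedby branch, a failing ipadb_ldap_attr_to_str leaves master_host_base NULL while ret holds that call's (non -1) error code, so the `if (ret == -1)` check at the end of the hunk does not fire and the function continues with a NULL base. Testing the pointer instead of the asprintf return covers both branches: `if (master_host_base == NULL) {` `return false;` `}`. Separately, fqdn in this branch is the DN taken from the service entry's managedBy attribute and the base-scope search trusts whatever fqdn that entry carries; it may be worth checking that the referenced entry is actually a host (objectClass ipaHost, or a base under cn=computers) before using its fqdn for the masters lookup, so that only a real host entry can vouch for a service. is_master_host's body continues past the end of the hunk.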
@@ -399,6 +418,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
     size_t c;
     bool is_host = false;
     bool is_user = false;
+    bool is_service = false;
 
     ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
                                      &objectclasses);
@@ -407,6 +427,9 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
             if (strcasecmp(objectclasses[c], "ipaHost") == 0) {
                 is_host = true;
             }
+            if (strcasecmp(objectclasses[c], "ipaService") == 0) {
+                is_service = true;
+            }
             if (strcasecmp(objectclasses[c], "ipaNTUserAttrs") == 0) {
                 is_user = true;
             }
@@ -415,8 +438,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
     }
     free(objectclasses);
 
-    if (!is_host && !is_user) {
-        /* We only handle users and hosts */
+    if (!is_host && !is_user && !is_service) {
+        /* We only handle users and hosts, and services */
         return ENOENT;
     }
 
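Review bot: The updated comment on the ENOENT check reads awkwardly with its doubled "and"; `/* We only handle users, hosts and services */` says the same thing more cleanly. The enclosing function ipadb_fill_info3 starts and ends outside this hunk.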
@@ -429,7 +452,20 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
 
         /* Currently we only add a PAC to TGTs for IPA servers to allow SSSD in
          * ipa_server_mode to access the AD LDAP server */
-        if (!is_master_host(ipactx, strres)) {
+        if (!is_master_host(ipactx, strres, false)) {
+            free(strres);
+            return ENOENT;
+        }
+    } else if (is_service) {
+        ret = ipadb_ldap_attr_to_str(lcontext, lentry, "managedBy", &strres);
+        if (ret) {
+            /* managedby is mandatory for services */
+            return ret;
+        }
+
+        /* Only add PAC to TGT to services on IPA masters to allow querying
+         * AD LDAP server */
+        if (!is_master_host(ipactx, strres, true)) {
             free(strres);
             return ENOENT;
         }
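Review bot: After the is_master_host check, strres still holds the managedBy DN for a service, whereas in the host branch it holds the fqdn; if nothing between this hunk and the `account_name.string = talloc_strdup(memctx, strres)` line of the next hunk replaces it (those lines are outside SOURCE), the PAC account_name of a service becomes an LDAP DN rather than a host name. Either resolve the managed host's fqdn here before falling through, or make the intent explicit with a comment such as `/* strres is the managedBy DN here, not the host fqdn */`. The comment `managedby is mandatory for services` also overstates the schema as far as I know, since managedBy is optional on ipaService entries and only filled by service-add-host; if the caller treats codes other than ENOENT as fatal, a service without managedBy would then fail its TGT instead of merely getting no PAC, so `return ENOENT;` (or a qualified comment) seems safer there. ipadb_fill_info3 starts and ends outside the hunk.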
@@ -444,7 +480,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
     info3->base.account_name.string = talloc_strdup(memctx, strres);
     free(strres);
 
-    if (is_host) {
+    if (is_host || is_service) {
         prigid = 515; /* Well known RID for domain computers group */
     } else {
         ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
@@ -567,7 +603,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
     info3->base.logon_count = 0; /* we do not have this info yet */
     info3->base.bad_password_count = 0; /* we do not have this info yet */
 
-    if (is_host) {
+    if (is_host || is_service) {
         /* Well know RID of domain controllers group */
         info3->base.rid = 516;
     } else {
@@ -658,7 +694,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
     }
 
     if (info3->base.primary_gid == 0) {
-        if (is_host) {
+        if (is_host || is_service) {
             info3->base.primary_gid = 515;  /* Well known RID for domain computers group */
         } else {
             if (ipactx->mspac->fallback_rid) {
@@ -698,7 +734,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
         return ENOENT;
     }
 
-    if (is_host) {
+    if (is_host || is_service) {
         info3->base.domain_sid = talloc_memdup(memctx, &ipactx->mspac->domsid,
                                                sizeof(ipactx->mspac->domsid));
     } else {
-- 
1.8.3.1


