From 4ced5cbefbd3d602546a4a16a38ce24fbae6aee8 Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Mon, 12 Feb 2024 20:27:29 -0300 Subject: [PATCH] IPA build for ITM 24 - kdb: PAC generator: do not fail if canonical principal is missing Resolves: RHEL-23630 - ipa-kdb: Fix memory leak during PAC verification Resolves: RHEL-22644 - Fix session cookie access Resolves: RHEL-23622 - Do not ignore staged users in sidgen plugin\ Resovlves: RHEL-23626 - ipa-kdb: Disable Bronze-Bit check if PAC not available Resolves: RHEL-22313 - krb5kdc: Fix start when pkinit and otp auth type are enabled Resolves: RHEL-4874 - hbactest was not collecting or returning messages Resolvez: RHEL-12780 Signed-off-by: Rafael Guterres Jeffman --- ...ical-principal-is-missing_rhel#23630.patch | 45 +++ ...k-during-PAC-verification_rhel#22644.patch | 89 ++++++ ...Fix-session-cookie-access_rhel#23622.patch | 238 +++++++++++++++ ...ed-users-in-sidgen-plugin_rhel#23626.patch | 109 +++++++ ...heck-if-PAC-not-available_rhel#22313.patch | 244 ++++++++++++++++ ...-otp-auth-type-are-enabled_rhel#4874.patch | 272 ++++++++++++++++++ ...ing-or-returning-messages_rhel#12780.patch | 139 +++++++++ ipa.spec | 25 +- 8 files changed, 1160 insertions(+), 1 deletion(-) create mode 100644 0009-kdb-PAC-generator-do-not-fail-if-canonical-principal-is-missing_rhel#23630.patch create mode 100644 0010-ipa-kdb-Fix-memory-leak-during-PAC-verification_rhel#22644.patch create mode 100644 0011-Fix-session-cookie-access_rhel#23622.patch create mode 100644 0012-Do-not-ignore-staged-users-in-sidgen-plugin_rhel#23626.patch create mode 100644 0013-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel#22313.patch create mode 100644 0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch create mode 100644 0015-hbactest-was-not-collecting-or-returning-messages_rhel#12780.patch diff --git a/0009-kdb-PAC-generator-do-not-fail-if-canonical-principal-is-missing_rhel#23630.patch b/0009-kdb-PAC-generator-do-not-fail-if-canonical-principal-is-missing_rhel#23630.patch new file mode 100644 index 0000000..e37ead8 --- /dev/null +++ b/0009-kdb-PAC-generator-do-not-fail-if-canonical-principal-is-missing_rhel#23630.patch @@ -0,0 +1,45 @@ +From dcb9d6edc7ae4278cd552e87f644705faa13d558 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Jan 31 2024 08:31:13 +0000 +Subject: kdb: PAC generator: do not fail if canonical principal is missing + + +krbCanonicalName is mandatory for services but IPA services created +before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no normalization done +to set krbCanonicalName; services created after that version were +upgraded to do have krbCanonicalName. + +Accept krbPrincipalName alone since they have no alias either */ + +Fixes: https://pagure.io/freeipa/issue/9465 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Thierry Bordaz + +--- + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index 9e1431c..8035036 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -496,8 +496,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, + "krbCanonicalName", &strres); + if (ret) { +- /* krbCanonicalName is mandatory for services */ +- return ret; ++ /* krbCanonicalName is mandatory for services but IPA services ++ * created before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no ++ * normalization to set krbCanonicalName; services created after ++ * that version were upgraded to do have krbCanonicalName. ++ * ++ * Accept krbPrincipalName alone since they have no alias either */ ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, ++ "krbPrincipalName", &strres); ++ if (ret) ++ return ret; + } + + ret = krb5_parse_name(ipactx->kcontext, strres, &princ); + diff --git a/0010-ipa-kdb-Fix-memory-leak-during-PAC-verification_rhel#22644.patch b/0010-ipa-kdb-Fix-memory-leak-during-PAC-verification_rhel#22644.patch new file mode 100644 index 0000000..d4ba709 --- /dev/null +++ b/0010-ipa-kdb-Fix-memory-leak-during-PAC-verification_rhel#22644.patch @@ -0,0 +1,89 @@ +From bac601b7f35827236a106f7137f378e4888260da Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Jan 30 2024 15:17:44 +0000 +Subject: ipa-kdb: Fix memory leak during PAC verification + + +Commit 0022bd70d93708d325855d5271516d6cd894d6e8 introduced a memory leak +during the copy of some PAC buffers, because of an unfreed memory +allocation context. + +Fixes: https://pagure.io/freeipa/issue/9520 + +Signed-off-by: Julien Rische +Reviewed-By: Alexander Bokovoy + +--- + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index a18beff..9e1431c 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -2316,6 +2316,7 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context, + size_t i; + struct dom_sid *requester_sid = NULL; + struct dom_sid req_sid; ++ TALLOC_CTX *tmpctx = NULL; + + if (signing_krbtgt != NULL && + ipadb_is_cross_realm_krbtgt(signing_krbtgt->princ)) { +@@ -2371,6 +2372,12 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context, + goto done; + } + ++ tmpctx = talloc_new(NULL); ++ if (tmpctx == NULL) { ++ kerr = ENOMEM; ++ goto done; ++ } ++ + for (i = 0; i < num_buffers; i++) { + if (types[i] == KRB5_PAC_SERVER_CHECKSUM || + types[i] == KRB5_PAC_PRIVSVR_CHECKSUM || +@@ -2395,32 +2402,21 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context, + DATA_BLOB pac_attrs_data; + krb5_boolean pac_requested; + +- TALLOC_CTX *tmpctx = talloc_new(NULL); +- if (tmpctx == NULL) { +- kerr = ENOMEM; +- goto done; +- } +- + kerr = ipadb_client_requested_pac(context, old_pac, tmpctx, &pac_requested); +- if (kerr != 0) { +- talloc_free(tmpctx); ++ if (kerr) + goto done; +- } + + kerr = ipadb_get_pac_attrs_blob(tmpctx, &pac_requested, &pac_attrs_data); +- if (kerr) { +- talloc_free(tmpctx); ++ if (kerr) + goto done; +- } ++ + data.magic = KV5M_DATA; + data.data = (char *)pac_attrs_data.data; + data.length = pac_attrs_data.length; + + kerr = krb5_pac_add_buffer(context, new_pac, PAC_TYPE_ATTRIBUTES_INFO, &data); +- if (kerr) { +- talloc_free(tmpctx); ++ if (kerr) + goto done; +- } + + continue; + } +@@ -2467,6 +2463,8 @@ done: + if (kerr != 0 && (new_pac != *pac)) { + krb5_pac_free(context, new_pac); + } ++ if (tmpctx) ++ talloc_free(tmpctx); + krb5_free_data_contents(context, &pac_blob); + free(types); + return kerr; + diff --git a/0011-Fix-session-cookie-access_rhel#23622.patch b/0011-Fix-session-cookie-access_rhel#23622.patch new file mode 100644 index 0000000..87a33f0 --- /dev/null +++ b/0011-Fix-session-cookie-access_rhel#23622.patch @@ -0,0 +1,238 @@ +From 381af470779ea87335f57038dcbe72cd042ae6bb Mon Sep 17 00:00:00 2001 +From: Stanislav Levin +Date: Jan 30 2024 15:11:05 +0000 +Subject: ipapython: Clean up krb5_error + + +`krb5_error` has different definition in MIT krb. +https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/types/krb5_error.html + +> Error message structure. +> +> Declaration: +> typedef struct _krb5_error krb5_error + +While `krb5_error_code` +https://web.mit.edu/kerberos/www/krb5-latest/doc/appdev/refs/types/krb5_error_code.html#c.krb5_error_code + +> krb5_error_code +> Used to convey an operation status. +> +> The value 0 indicates success; any other values are com_err codes. Use krb5_get_error_message() to obtain a string describing the error. +> +> Declaration +> typedef krb5_int32 krb5_error_code + +And this is what was actually used. + +To prevent confusion of types `krb5_error` was replaced with +`krb5_error_code`. + +Fixes: https://pagure.io/freeipa/issue/9519 +Signed-off-by: Stanislav Levin +Reviewed-By: Alexander Bokovoy + +--- + +diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py +index c43ef7d..371cf15 100644 +--- a/ipapython/session_storage.py ++++ b/ipapython/session_storage.py +@@ -111,7 +111,7 @@ class KRB5Error(Exception): + + + def krb5_errcheck(result, func, arguments): +- """Error checker for krb5_error return value""" ++ """Error checker for krb5_error_code return value""" + if result != 0: + raise KRB5Error(result, func.__name__, arguments) + +@@ -119,14 +119,13 @@ def krb5_errcheck(result, func, arguments): + krb5_context = ctypes.POINTER(_krb5_context) + krb5_ccache = ctypes.POINTER(_krb5_ccache) + krb5_data_p = ctypes.POINTER(_krb5_data) +-krb5_error = ctypes.c_int32 + krb5_creds = _krb5_creds + krb5_pointer = ctypes.c_void_p + krb5_cc_cursor = krb5_pointer + + krb5_init_context = LIBKRB5.krb5_init_context + krb5_init_context.argtypes = (ctypes.POINTER(krb5_context), ) +-krb5_init_context.restype = krb5_error ++krb5_init_context.restype = krb5_error_code + krb5_init_context.errcheck = krb5_errcheck + + krb5_free_context = LIBKRB5.krb5_free_context +@@ -143,30 +142,30 @@ krb5_free_data_contents.restype = None + + krb5_cc_default = LIBKRB5.krb5_cc_default + krb5_cc_default.argtypes = (krb5_context, ctypes.POINTER(krb5_ccache), ) +-krb5_cc_default.restype = krb5_error ++krb5_cc_default.restype = krb5_error_code + krb5_cc_default.errcheck = krb5_errcheck + + krb5_cc_close = LIBKRB5.krb5_cc_close + krb5_cc_close.argtypes = (krb5_context, krb5_ccache, ) +-krb5_cc_close.restype = krb5_error ++krb5_cc_close.restype = krb5_error_code + krb5_cc_close.errcheck = krb5_errcheck + + krb5_parse_name = LIBKRB5.krb5_parse_name + krb5_parse_name.argtypes = (krb5_context, ctypes.c_char_p, + ctypes.POINTER(krb5_principal), ) +-krb5_parse_name.restype = krb5_error ++krb5_parse_name.restype = krb5_error_code + krb5_parse_name.errcheck = krb5_errcheck + + krb5_cc_set_config = LIBKRB5.krb5_cc_set_config + krb5_cc_set_config.argtypes = (krb5_context, krb5_ccache, krb5_principal, + ctypes.c_char_p, krb5_data_p, ) +-krb5_cc_set_config.restype = krb5_error ++krb5_cc_set_config.restype = krb5_error_code + krb5_cc_set_config.errcheck = krb5_errcheck + + krb5_cc_get_principal = LIBKRB5.krb5_cc_get_principal + krb5_cc_get_principal.argtypes = (krb5_context, krb5_ccache, + ctypes.POINTER(krb5_principal), ) +-krb5_cc_get_principal.restype = krb5_error ++krb5_cc_get_principal.restype = krb5_error_code + krb5_cc_get_principal.errcheck = krb5_errcheck + + # krb5_build_principal is a variadic function but that can't be expressed +@@ -177,26 +176,26 @@ krb5_build_principal.argtypes = (krb5_context, ctypes.POINTER(krb5_principal), + ctypes.c_uint, ctypes.c_char_p, + ctypes.c_char_p, ctypes.c_char_p, + ctypes.c_char_p, ctypes.c_char_p, ) +-krb5_build_principal.restype = krb5_error ++krb5_build_principal.restype = krb5_error_code + krb5_build_principal.errcheck = krb5_errcheck + + krb5_cc_start_seq_get = LIBKRB5.krb5_cc_start_seq_get + krb5_cc_start_seq_get.argtypes = (krb5_context, krb5_ccache, + ctypes.POINTER(krb5_cc_cursor), ) +-krb5_cc_start_seq_get.restype = krb5_error ++krb5_cc_start_seq_get.restype = krb5_error_code + krb5_cc_start_seq_get.errcheck = krb5_errcheck + + krb5_cc_next_cred = LIBKRB5.krb5_cc_next_cred + krb5_cc_next_cred.argtypes = (krb5_context, krb5_ccache, + ctypes.POINTER(krb5_cc_cursor), + ctypes.POINTER(krb5_creds), ) +-krb5_cc_next_cred.restype = krb5_error ++krb5_cc_next_cred.restype = krb5_error_code + krb5_cc_next_cred.errcheck = krb5_errcheck + + krb5_cc_end_seq_get = LIBKRB5.krb5_cc_end_seq_get + krb5_cc_end_seq_get.argtypes = (krb5_context, krb5_ccache, + ctypes.POINTER(krb5_cc_cursor), ) +-krb5_cc_end_seq_get.restype = krb5_error ++krb5_cc_end_seq_get.restype = krb5_error_code + krb5_cc_end_seq_get.errcheck = krb5_errcheck + + krb5_free_cred_contents = LIBKRB5.krb5_free_cred_contents +@@ -212,7 +211,7 @@ krb5_principal_compare.restype = krb5_boolean + krb5_unparse_name = LIBKRB5.krb5_unparse_name + krb5_unparse_name.argtypes = (krb5_context, krb5_principal, + ctypes.POINTER(ctypes.c_char_p), ) +-krb5_unparse_name.restype = krb5_error ++krb5_unparse_name.restype = krb5_error_code + krb5_unparse_name.errcheck = krb5_errcheck + + krb5_free_unparsed_name = LIBKRB5.krb5_free_unparsed_name + +From 2a4bad8bb3295c5c0f5a760ecd41871c4c5a0c56 Mon Sep 17 00:00:00 2001 +From: Stanislav Levin +Date: Jan 30 2024 15:11:05 +0000 +Subject: ipapython: Correct return type of krb5_free_cred_contents + + +According to https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_free_cred_contents.html + +> krb5_free_cred_contents - Free the contents of a krb5_creds structure. +> +> void krb5_free_cred_contents(krb5_context context, krb5_creds * val) +> param: +> [in] context - Library context +> +> [in] val - Credential structure to free contents of +> +> This function frees the contents of val , but not the structure itself. + +https://github.com/krb5/krb5/blob/5b00197227231943bd2305328c8260dd0b0dbcf0/src/lib/krb5/krb/kfree.c#L166 + +This leads to undefined behavior and `krb5_free_cred_contents` can +raise KRB5Error (because of garbage data) while actually its foreign +function doesn't. + +Fixes: https://pagure.io/freeipa/issue/9519 +Signed-off-by: Stanislav Levin +Reviewed-By: Alexander Bokovoy + +--- + +diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py +index 371cf15..dc36f54 100644 +--- a/ipapython/session_storage.py ++++ b/ipapython/session_storage.py +@@ -200,8 +200,7 @@ krb5_cc_end_seq_get.errcheck = krb5_errcheck + + krb5_free_cred_contents = LIBKRB5.krb5_free_cred_contents + krb5_free_cred_contents.argtypes = (krb5_context, ctypes.POINTER(krb5_creds)) +-krb5_free_cred_contents.restype = krb5_error +-krb5_free_cred_contents.errcheck = krb5_errcheck ++krb5_free_cred_contents.restype = None + + krb5_principal_compare = LIBKRB5.krb5_principal_compare + krb5_principal_compare.argtypes = (krb5_context, krb5_principal, + +From beb402afdbf32c01eed860e9416356f7b492ad74 Mon Sep 17 00:00:00 2001 +From: Stanislav Levin +Date: Jan 30 2024 15:11:05 +0000 +Subject: ipapython: Propagate KRB5Error exceptions on iterating ccache + + +`ipapython.session_storage.get_data` iterates over +credentials in a credential cache till `krb5_cc_next_cred` returns +an error. This function doesn't expect any error on calling +other kerberos foreign functions during iteration. But that can +actually happen and KRB5Error exceptions stop an iteration while +they should be propagated. + +With this change iteration will exactly stop on `krb5_cc_next_cred` +error as it was supposed to be. + +Fixes: https://pagure.io/freeipa/issue/9519 +Signed-off-by: Stanislav Levin +Reviewed-By: Alexander Bokovoy + +--- + +diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py +index dc36f54..e890dc9 100644 +--- a/ipapython/session_storage.py ++++ b/ipapython/session_storage.py +@@ -312,8 +312,12 @@ def get_data(princ_name, key): + checkcreds = krb5_creds() + # the next function will throw an error and break out of the + # while loop when we try to access past the last cred +- krb5_cc_next_cred(context, ccache, ctypes.byref(cursor), +- ctypes.byref(checkcreds)) ++ try: ++ krb5_cc_next_cred(context, ccache, ctypes.byref(cursor), ++ ctypes.byref(checkcreds)) ++ except KRB5Error: ++ break ++ + if (krb5_principal_compare(context, principal, + checkcreds.client) == 1 and + krb5_principal_compare(context, srv_princ, +@@ -328,8 +332,6 @@ def get_data(princ_name, key): + else: + krb5_free_cred_contents(context, + ctypes.byref(checkcreds)) +- except KRB5Error: +- pass + finally: + krb5_cc_end_seq_get(context, ccache, ctypes.byref(cursor)) + + diff --git a/0012-Do-not-ignore-staged-users-in-sidgen-plugin_rhel#23626.patch b/0012-Do-not-ignore-staged-users-in-sidgen-plugin_rhel#23626.patch new file mode 100644 index 0000000..b5eb5be --- /dev/null +++ b/0012-Do-not-ignore-staged-users-in-sidgen-plugin_rhel#23626.patch @@ -0,0 +1,109 @@ +From b56a80581ef388e19d5761020454e51463036cd6 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 23 Jan 2024 14:47:50 +0200 +Subject: [PATCH] sidgen: ignore staged users when generating SIDs + +Staged users have + + uidNumber: -1 + gidNumber: -1 + ipaUniqueID: autogenerate + +We cannot generate ipaSecurityIdentifier based on those UID/GID numbers. +However, '-1' value will trigger an error + + find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 483]: ID value too large. + +And that, in turn, will cause stopping SID generation for all users. + +Detect 'ipaUniqueID: autogenerate' situation and ignore these entries. + +Fixes: https://pagure.io/freeipa/issue/9517 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Thierry Bordaz +--- + daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h | 2 ++ + .../ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c | 12 ++++++++++++ + 2 files changed, 14 insertions(+) + +diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h +index 0feff7eec..bd46982d0 100644 +--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h ++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h +@@ -45,6 +45,8 @@ + #define UID_NUMBER "uidnumber" + #define GID_NUMBER "gidnumber" + #define IPA_SID "ipantsecurityidentifier" ++#define IPA_UNIQUEID "ipauniqueid" ++#define IPA_UNIQUEID_AUTOGENERATE "autogenerate" + #define DOM_ATTRS_FILTER OBJECTCLASS"=ipantdomainattrs" + #define DOMAIN_ID_RANGE_FILTER OBJECTCLASS"=ipadomainidrange" + #define POSIX_ACCOUNT "posixaccount" +diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c +index 6f784804c..cb763ebf8 100644 +--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c ++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c +@@ -454,6 +454,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry, + uint32_t id; + char *sid = NULL; + char **objectclasses = NULL; ++ char *uniqueid = NULL; + Slapi_PBlock *mod_pb = NULL; + Slapi_Mods *smods = NULL; + int result; +@@ -479,6 +480,16 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry, + goto done; + } + ++ uniqueid = slapi_entry_attr_get_charptr(entry, IPA_UNIQUEID); ++ if (uniqueid != NULL && ++ strncmp(IPA_UNIQUEID_AUTOGENERATE, uniqueid, ++ sizeof(IPA_UNIQUEID_AUTOGENERATE)) == 0) { ++ LOG("Staged entry [%s] does not have Posix IDs, nothing to do.\n", ++ dn_str); ++ ret = 0; ++ goto done; ++ } ++ + if (uid_number >= UINT32_MAX || gid_number >= UINT32_MAX) { + LOG_FATAL("ID value too large.\n"); + ret = LDAP_CONSTRAINT_VIOLATION; +@@ -554,6 +565,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry, + } + + done: ++ slapi_ch_free_string(&uniqueid); + slapi_ch_free_string(&sid); + slapi_pblock_destroy(mod_pb); + slapi_mods_free(&smods); +-- +2.43.0 + +From 07150b71537744f491d022c737ef04775c72a10a Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 23 Jan 2024 14:53:39 +0200 +Subject: [PATCH] sidgen: fix missing prototypes + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Thierry Bordaz +--- + daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h +index bd46982d0..aec862796 100644 +--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h ++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h +@@ -106,3 +106,6 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry, + const char *base_dn, + const char *dom_sid, + struct range_info **ranges); ++ ++int sidgen_task_init(Slapi_PBlock *pb); ++int ipa_sidgen_init(Slapi_PBlock *pb); +-- +2.43.0 + diff --git a/0013-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel#22313.patch b/0013-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel#22313.patch new file mode 100644 index 0000000..831e195 --- /dev/null +++ b/0013-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel#22313.patch @@ -0,0 +1,244 @@ +From 67ca47ba4092811029eec02f8af9c34ba7662924 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Mon, 9 Oct 2023 15:47:03 +0200 +Subject: [PATCH] ipa-kdb: Ensure Bronze-Bit check can be enabled + +MIT krb5 1.19 and older do not implement support for PAC ticket +signature to protect the encrypted part of tickets. This is the cause of +the Bronze-Bit vulnerability (CVE-2020-17043). The Bronze-Bit attack +detection mechanism introduced in a847e248 relies on the content of the +PAC. + +However, since CVE-2022-37967, the content of the PAC can no longer be +trusted if the KDC does not support PAC extended KDC signature (aka. +PAC full checksum). This signature is supported in MIT krb5 since +version 1.21. + +Support for the PAC extended KDC signature was backported downstream to +krb5 1.18.2 for CentOS 8 Stream (dist-git commit 7d215a54). This makes +the content of the PAC still trustworthy there. + +This commit disables the Bronze-Bit attack detection mechanism at build +time in case krb5 does not provide the krb5_pac_full_sign_compat() +function. + +Reviewed-By: Alexander Bokovoy +--- + daemons/ipa-kdb/ipa_kdb.h | 4 ++++ + daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 7 +++++++ + daemons/ipa-kdb/ipa_kdb_mspac.c | 4 ++++ + 3 files changed, 15 insertions(+) + +diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h +index 02b2cb631..c6926f7d5 100644 +--- a/daemons/ipa-kdb/ipa_kdb.h ++++ b/daemons/ipa-kdb/ipa_kdb.h +@@ -367,6 +367,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, + const char *test_realm, size_t size, + char **trusted_realm); + ++#if KRB5_KDB_DAL_MAJOR_VERSION <= 8 ++# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT + /* Try to detect a Bronze-Bit attack based on the content of the request and + * data from the KDB. + * +@@ -379,6 +381,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, + krb5_error_code + ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request, + bool *detected, const char **status); ++# endif ++#endif + + /* DELEGATION CHECKS */ + +diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c +index 1032dff0b..ee0546c01 100644 +--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c ++++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c +@@ -185,11 +185,18 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata, + const char **status, krb5_deltat *lifetime_out, + krb5_deltat *renew_lifetime_out) + { ++#if KRB5_KDB_DAL_MAJOR_VERSION <= 8 ++# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT + krb5_error_code kerr; + + kerr = ipadb_check_for_bronze_bit_attack(context, request, NULL, status); + if (kerr) + return KRB5KDC_ERR_POLICY; ++# else ++# warning Support for Kerberos PAC extended KDC signature is missing.\ ++ This makes FreeIPA vulnerable to the Bronze-Bit exploit (CVE-2020-17049). ++# endif ++#endif + + *status = NULL; + *lifetime_out = 0; +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index b4e22d431..05d5b407d 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -3299,6 +3299,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, + return KRB5_KDB_NOENTRY; + } + ++#if KRB5_KDB_DAL_MAJOR_VERSION <= 8 ++# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT + krb5_error_code + ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request, + bool *detected, const char **status) +@@ -3471,3 +3473,5 @@ end: + ipadb_free_principal(context, proxy_entry); + return kerr; + } ++# endif ++#endif +-- +2.43.0 + +From 27b96c17dd51d076e04d97662b7c788658a5094a Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Jan 26 2024 09:35:57 +0000 +Subject: ipa-kdb: Disable Bronze-Bit check if PAC not available + + +The Bronze-Bit check introduced in commit +a847e2483b4c4832ee5129901da169f4eb0d1392 requires the MS-PAC to be +present in the evidence ticket in order for S4U2Proxy requests to be +accepted. This actually requires SIDs to be set. + +However, domains that were initialized before commit +e527857d000e558b3288a7a210400abaf2171237 may still not have SIDs +configured. This would results in all S4U2Proxy requests to fail +(including all the HTTP API requests). + +This present commit disables the check for the Bronze-Bit exploit +(CVE-2020-17049) in case the domain is not able to generate PACs. +Instead, it prints a warning message in the KDC logs each time a +S4U2Proxy request is processed. + +Fixes: https://pagure.io/freeipa/issue/9521 + +Signed-off-by: Julien Rische +Reviewed-By: Alexander Bokovoy + +--- + +diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h +index c6926f7..621c235 100644 +--- a/daemons/ipa-kdb/ipa_kdb.h ++++ b/daemons/ipa-kdb/ipa_kdb.h +@@ -370,17 +370,21 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, + #if KRB5_KDB_DAL_MAJOR_VERSION <= 8 + # ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT + /* Try to detect a Bronze-Bit attack based on the content of the request and +- * data from the KDB. ++ * data from the KDB. This check will work only if the domain supports MS-PAC. + * + * context krb5 context + * request KDB request +- * detected Set to "true" if a bronze bit attack is detected and the +- * pointer is not NULL. Remains unset otherwise. ++ * supported If not NULL, set to "false" in case the Bronze-Bit exploit ++ * detection process silently failed to complete because the ++ * domain does not meet requirements. Set to "true" otherwise. ++ * detected If not NULL, set to "true" if a Bronze-Bit attack is detected. ++ * Set to "false" otherwise. + * status If the call fails and the pointer is not NULL, set it with a + * message describing the cause of the failure. */ + krb5_error_code + ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request, +- bool *detected, const char **status); ++ bool *supported, bool *detected, ++ const char **status); + # endif + #endif + +diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c +index ee0546c..713e9a0 100644 +--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c ++++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c +@@ -188,10 +188,18 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata, + #if KRB5_KDB_DAL_MAJOR_VERSION <= 8 + # ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT + krb5_error_code kerr; ++ bool supported; + +- kerr = ipadb_check_for_bronze_bit_attack(context, request, NULL, status); ++ kerr = ipadb_check_for_bronze_bit_attack(context, request, supported, NULL, ++ status); + if (kerr) + return KRB5KDC_ERR_POLICY; ++ ++ if (!supported) ++ krb5_klog_syslog(LOG_WARNING, "MS-PAC not available. This makes " ++ "FreeIPA vulnerable to the Bronze-Bit exploit " ++ "(CVE-2020-17049). Please generate SIDs to enable " ++ "PAC support."); + # else + # warning Support for Kerberos PAC extended KDC signature is missing.\ + This makes FreeIPA vulnerable to the Bronze-Bit exploit (CVE-2020-17049). +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index 05d5b40..a18beff 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -3303,11 +3303,14 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, + # ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT + krb5_error_code + ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request, +- bool *detected, const char **status) ++ bool *supported, bool *detected, ++ const char **status) + { + krb5_error_code kerr; + const char *st = NULL; + size_t i, j; ++ bool in_supported = true, in_detected = false; ++ struct ipadb_context *ipactx; + krb5_ticket *evidence_tkt; + krb5_authdata **authdata, **ifrel = NULL; + krb5_pac pac = NULL; +@@ -3327,6 +3330,21 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request, + goto end; + } + ++ ipactx = ipadb_get_context(context); ++ if (!ipactx) { ++ kerr = KRB5_KDB_DBNOTINITED; ++ goto end; ++ } ++ ++ /* Handle the case where the domain is not able to generate PACs (probably ++ * because SIDs are not set). In this case, we just skip the Bronze-Bit ++ * check. */ ++ if (!ipactx->mspac) { ++ in_supported = false; ++ kerr = 0; ++ goto end; ++ } ++ + evidence_tkt = request->second_ticket[0]; + + /* No need to check the Forwardable flag. If it was not set, this request +@@ -3451,8 +3469,7 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request, + /* This evidence ticket cannot be forwardable given the privileges + * of the proxy principal. + * This is a Bronze Bit attack. */ +- if (detected) +- *detected = true; ++ in_detected = true; + st = "S4U2PROXY_BRONZE_BIT_ATTACK_DETECTED"; + kerr = EBADE; + goto end; +@@ -3464,6 +3481,10 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request, + end: + if (st && status) + *status = st; ++ if (supported) ++ *supported = in_supported; ++ if (detected) ++ *detected = in_detected; + + krb5_free_authdata(context, ifrel); + krb5_pac_free(context, pac); + diff --git a/0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch b/0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch new file mode 100644 index 0000000..e0d2386 --- /dev/null +++ b/0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch @@ -0,0 +1,272 @@ +From 00f8ddbfd2795228b343e1c39c1944b44d482c18 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 24 Nov 2023 11:46:19 +0200 +Subject: [PATCH 1/4] ipa-kdb: add better detection of allowed user auth type + +If default user authentication type is set to a list that does not +include a password or a hardened credential, the resulting configuration +might be incorrect for special service principals, including a krbtgt/.. +one. + +Add detection of special principals to avoid these situations and always +allow password or hardened for services. + +Special handling is needed for the following principals: + + - krbtgt/.. -- TGT service principals + - K/M -- master key principal + - kadmin/changepw -- service for changing passwords + - kadmin/kadmin -- kadmin service principal + - kadmin/history -- key used to encrypt history + +Additionally, implicitly allow password or hardened credential use for +IPA services and IPA hosts since applications typically use keytabs for +that purpose. + +Fixes: https://pagure.io/freeipa/issue/9485 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Francisco Trivino +--- + daemons/ipa-kdb/ipa_kdb.c | 62 ++++++++++++++++++++++++++++++++++----- + 1 file changed, 54 insertions(+), 8 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c +index 06d511c76..dbb98dba6 100644 +--- a/daemons/ipa-kdb/ipa_kdb.c ++++ b/daemons/ipa-kdb/ipa_kdb.c +@@ -26,6 +26,7 @@ + #include "ipa_kdb.h" + #include "ipa_krb5.h" + #include "ipa_hostname.h" ++#include + + #define IPADB_GLOBAL_CONFIG_CACHE_TIME 60 + +@@ -207,6 +208,19 @@ static const struct { + { "idp", IPADB_USER_AUTH_IDP }, + { "passkey", IPADB_USER_AUTH_PASSKEY }, + { } ++}, ++ objclass_table[] = { ++ { "ipaservice", IPADB_USER_AUTH_PASSWORD }, ++ { "ipahost", IPADB_USER_AUTH_PASSWORD }, ++ { } ++}, ++ princname_table[] = { ++ { KRB5_TGS_NAME, IPADB_USER_AUTH_PASSWORD }, ++ { KRB5_KDB_M_NAME, IPADB_USER_AUTH_PASSWORD }, ++ { KADM5_ADMIN_SERVICE, IPADB_USER_AUTH_PASSWORD }, ++ { KADM5_CHANGEPW_SERVICE, IPADB_USER_AUTH_PASSWORD }, ++ { KADM5_HIST_PRINCIPAL, IPADB_USER_AUTH_PASSWORD }, ++ { } + }; + + void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le, +@@ -217,17 +231,49 @@ void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le, + + *userauth = IPADB_USER_AUTH_NONE; + vals = ldap_get_values_len(lcontext, le, IPA_USER_AUTH_TYPE); +- if (!vals) +- return; +- +- for (i = 0; vals[i]; i++) { +- for (j = 0; userauth_table[j].name; j++) { +- if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) { +- *userauth |= userauth_table[j].flag; +- break; ++ if (!vals) { ++ /* if there is no explicit ipaUserAuthType set, use objectclass */ ++ vals = ldap_get_values_len(lcontext, le, "objectclass"); ++ if (!vals) ++ return; ++ ++ for (i = 0; vals[i]; i++) { ++ for (j = 0; objclass_table[j].name; j++) { ++ if (strcasecmp(vals[i]->bv_val, objclass_table[j].name) == 0) { ++ *userauth |= objclass_table[j].flag; ++ break; ++ } ++ } ++ } ++ } else { ++ for (i = 0; vals[i]; i++) { ++ for (j = 0; userauth_table[j].name; j++) { ++ if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) { ++ *userauth |= userauth_table[j].flag; ++ break; ++ } + } + } + } ++ ++ /* If neither ipaUserAuthType nor objectClass were definitive, ++ * check the krbPrincipalName to see if it is krbtgt/ or K/M one */ ++ if (*userauth == IPADB_USER_AUTH_NONE) { ++ ldap_value_free_len(vals); ++ vals = ldap_get_values_len(lcontext, le, "krbprincipalname"); ++ if (!vals) ++ return; ++ for (i = 0; vals[i]; i++) { ++ for (j = 0; princname_table[j].name; j++) { ++ if (strncmp(vals[i]->bv_val, princname_table[j].name, ++ strlen(princname_table[j].name)) == 0) { ++ *userauth |= princname_table[j].flag; ++ break; ++ } ++ } ++ } ++ ++ } + /* If password auth is enabled, enable hardened policy too. */ + if (*userauth & IPADB_USER_AUTH_PASSWORD) { + *userauth |= IPADB_USER_AUTH_HARDENED; +-- +2.43.0 + + +From 69ae9febfb4462766b3bfe3e07e76550ece97b42 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 24 Nov 2023 11:54:04 +0200 +Subject: [PATCH 2/4] ipa-kdb: when applying ticket policy, do not deny PKINIT + +PKINIT differs from other pre-authentication methods by the fact that it +can be matched indepedently of the user authentication types via certmap +plugin in KDC. + +Since PKINIT is a strong authentication method, allow its authentication +indicator and only apply the ticket policy. + +Fixes: https://pagure.io/freeipa/issue/9485 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Francisco Trivino +--- + daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c +index 436ee0e62..2802221c7 100644 +--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c ++++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c +@@ -119,11 +119,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata, + pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_RADIUS]); + } else if (strcmp(auth_indicator, "pkinit") == 0) { + valid_auth_indicators++; +- if (!(ua & IPADB_USER_AUTH_PKINIT)) { +- *status = "PKINIT pre-authentication not allowed for this user."; +- kerr = KRB5KDC_ERR_POLICY; +- goto done; +- } ++ /* allow PKINIT unconditionally -- it has passed already at this ++ * point so some certificate was useful, only apply the limits */ + pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_PKINIT]); + } else if (strcmp(auth_indicator, "hardened") == 0) { + valid_auth_indicators++; +-- +2.43.0 + + +From 62c44c9e69aa2721990ca3628434713e1af6f59b Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 24 Nov 2023 12:20:55 +0200 +Subject: [PATCH 3/4] ipa-kdb: clarify user auth table mapping use of + _AUTH_PASSWORD + +Related: https://pagure.io/freeipa/issue/9485 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Francisco Trivino +--- + daemons/ipa-kdb/ipa_kdb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c +index dbb98dba6..4e6cacf24 100644 +--- a/daemons/ipa-kdb/ipa_kdb.c ++++ b/daemons/ipa-kdb/ipa_kdb.c +@@ -195,6 +195,9 @@ done: + return base; + } + ++/* In this table all _AUTH_PASSWORD entries will be ++ * expanded to include _AUTH_HARDENED in ipadb_parse_user_auth() ++ * which means there is no need to explicitly add it here */ + static const struct { + const char *name; + enum ipadb_user_auth flag; +-- +2.43.0 + + +From c3bc938650b19a51706d8ccd98cdf8deaa26dc28 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 24 Nov 2023 13:00:48 +0200 +Subject: [PATCH 4/4] ipatests: make sure PKINIT enrollment works with a strict + policy + +Previously, for a global policy which does not include +'password', krb5kdc restart was failing. Now it should succeed. + +We set admin user authentication type to PASSWORD to simplify +configuration in the test. + +What matters here is that global policy does not include PKINIT and that +means a code in the ticket policy check will allow PKINIT implicitly +rather than explicitly. + +Related: https://pagure.io/freeipa/issue/9485 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Francisco Trivino +--- + .../test_integration/test_pkinit_install.py | 26 +++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/ipatests/test_integration/test_pkinit_install.py b/ipatests/test_integration/test_pkinit_install.py +index caa0e6a34..5c2e7af02 100644 +--- a/ipatests/test_integration/test_pkinit_install.py ++++ b/ipatests/test_integration/test_pkinit_install.py +@@ -23,6 +23,24 @@ class TestPkinitClientInstall(IntegrationTest): + def install(cls, mh): + tasks.install_master(cls.master) + ++ def enforce_password_and_otp(self): ++ """enforce otp by default and password for admin """ ++ self.master.run_command( ++ [ ++ "ipa", ++ "config-mod", ++ "--user-auth-type=otp", ++ ] ++ ) ++ self.master.run_command( ++ [ ++ "ipa", ++ "user-mod", ++ "admin", ++ "--user-auth-type=password", ++ ] ++ ) ++ + def add_certmaperule(self): + """add certmap rule to map SAN dNSName to host entry""" + self.master.run_command( +@@ -86,6 +104,14 @@ class TestPkinitClientInstall(IntegrationTest): + cabundle = self.master.get_file_contents(paths.KDC_CA_BUNDLE_PEM) + client.put_file_contents(self.tmpbundle, cabundle) + ++ def test_restart_krb5kdc(self): ++ tasks.kinit_admin(self.master) ++ self.enforce_password_and_otp() ++ self.master.run_command(['systemctl', 'stop', 'krb5kdc.service']) ++ self.master.run_command(['systemctl', 'start', 'krb5kdc.service']) ++ self.master.run_command(['systemctl', 'stop', 'kadmin.service']) ++ self.master.run_command(['systemctl', 'start', 'kadmin.service']) ++ + def test_client_install_pkinit(self): + tasks.kinit_admin(self.master) + self.add_certmaperule() +-- +2.43.0 + diff --git a/0015-hbactest-was-not-collecting-or-returning-messages_rhel#12780.patch b/0015-hbactest-was-not-collecting-or-returning-messages_rhel#12780.patch new file mode 100644 index 0000000..1adc33f --- /dev/null +++ b/0015-hbactest-was-not-collecting-or-returning-messages_rhel#12780.patch @@ -0,0 +1,139 @@ +From 48846e98e5e988d600ddf81c937f353fcecdea1a Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 27 Nov 2023 16:11:08 -0500 +Subject: [PATCH 1/2] hbactest was not collecting or returning messages + +hbactest does a number of internal searches, one of which +can exceed the configured sizelimit: hbacrule-find + +Collect any messages returned from thsi call and display them +to the user on the cli. + +Fixes: https://pagure.io/freeipa/issue/9486 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + ipaclient/plugins/hbactest.py | 2 ++ + ipaserver/plugins/hbactest.py | 14 +++++++++++--- + 2 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/ipaclient/plugins/hbactest.py b/ipaclient/plugins/hbactest.py +index 1b54530b2..e0f93b9c2 100644 +--- a/ipaclient/plugins/hbactest.py ++++ b/ipaclient/plugins/hbactest.py +@@ -38,6 +38,8 @@ class hbactest(CommandOverride): + # Note that we don't actually use --detail below to see if details need + # to be printed as our execute() method will return None for corresponding + # entries and None entries will be skipped. ++ self.log_messages(output) ++ + for o in self.output: + if o == 'value': + continue +diff --git a/ipaserver/plugins/hbactest.py b/ipaserver/plugins/hbactest.py +index 887a35b7e..568c13174 100644 +--- a/ipaserver/plugins/hbactest.py ++++ b/ipaserver/plugins/hbactest.py +@@ -24,6 +24,8 @@ from ipalib import Command, Str, Flag, Int + from ipalib import _ + from ipapython.dn import DN + from ipalib.plugable import Registry ++from ipalib.messages import VersionMissing ++ + if api.env.in_server: + try: + import ipaserver.dcerpc +@@ -323,6 +325,9 @@ class hbactest(Command): + # 2. Required options are (user, target host, service) + # 3. Options: rules to test (--rules, --enabled, --disabled), request for detail output + rules = [] ++ result = { ++ 'warning':None, 'matched':None, 'notmatched':None, 'error':None ++ } + + # Use all enabled IPA rules by default + all_enabled = True +@@ -351,8 +356,12 @@ class hbactest(Command): + + hbacset = [] + if len(testrules) == 0: +- hbacset = self.api.Command.hbacrule_find( +- sizelimit=sizelimit, no_members=False)['result'] ++ hbacrules = self.api.Command.hbacrule_find( ++ sizelimit=sizelimit, no_members=False) ++ hbacset = hbacrules['result'] ++ for message in hbacrules['messages']: ++ if message['code'] != VersionMissing.errno: ++ result.setdefault('messages', []).append(message) + else: + for rule in testrules: + try: +@@ -469,7 +478,6 @@ class hbactest(Command): + error_rules = [] + warning_rules = [] + +- result = {'warning':None, 'matched':None, 'notmatched':None, 'error':None} + if not options['nodetail']: + # Validate runs rules one-by-one and reports failed ones + for ipa_rule in rules: +-- +2.43.0 + + +From d1e09c68af8ac77f656dd639af5d9a7f07c41f9d Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 28 Nov 2023 13:35:13 -0500 +Subject: [PATCH 2/2] ipatests: Verify that hbactest will return messages + +Limit the sizelimit of the hbactest request to confirm that +the output includes a SearchResultTruncated message. + +Fixes: https://pagure.io/freeipa/issue/9486 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_xmlrpc/test_hbactest_plugin.py | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_xmlrpc/test_hbactest_plugin.py b/ipatests/test_xmlrpc/test_hbactest_plugin.py +index 73c4ce232..e2e66c759 100644 +--- a/ipatests/test_xmlrpc/test_hbactest_plugin.py ++++ b/ipatests/test_xmlrpc/test_hbactest_plugin.py +@@ -134,6 +134,7 @@ class test_hbactest(XMLRPC_test): + assert ret['value'] + assert ret['error'] is None + assert ret['matched'] is None ++ assert 'messages' not in ret + assert ret['notmatched'] is None + + def test_c_hbactest_check_rules_enabled_detail(self): +@@ -200,7 +201,23 @@ class test_hbactest(XMLRPC_test): + nodetail=True + ) + +- def test_g_hbactest_clear_testing_data(self): ++ def test_g_hbactest_searchlimit_message(self): ++ """ ++ Test running 'ipa hbactest' with limited --sizelimit ++ ++ We know there are at least 6 rules, 4 created here + 2 default. ++ """ ++ ret = api.Command['hbactest']( ++ user=self.test_user, ++ targethost=self.test_host, ++ service=self.test_service, ++ nodetail=True, ++ sizelimit=2, ++ ) ++ ++ assert ret['messages'] is not None ++ ++ def test_h_hbactest_clear_testing_data(self): + """ + Clear data for HBAC test plugin testing. + """ +-- +2.43.0 + diff --git a/ipa.spec b/ipa.spec index c148dca..e64edad 100644 --- a/ipa.spec +++ b/ipa.spec @@ -189,7 +189,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 4%{?rc_version:.%rc_version}%{?dist} +Release: 5%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -216,6 +216,13 @@ Patch0005: 0005-Improve-server-affinity-for-ca-less-deployments_rhel#22283. Patch0006: 0006-host-update-System-Manage-Host-Keytab-permission_rhel#22286.patch Patch0007: 0007-adtrustinstance-make-sure-NetBIOS-name-defaults-are-set-properly_rhel#21938.patch Patch0008: 0008-ipatests-Fix-healthcheck-report-when-nsslapd-accesslog-logbuffering-is-set-to-off_rhel#19672.patch +Patch0009: 0009-kdb-PAC-generator-do-not-fail-if-canonical-principal-is-missing_rhel#23630.patch +Patch0010: 0010-ipa-kdb-Fix-memory-leak-during-PAC-verification_rhel#22644.patch +Patch0011: 0011-Fix-session-cookie-access_rhel#23622.patch +Patch0012: 0012-Do-not-ignore-staged-users-in-sidgen-plugin_rhel#23626.patch +Patch0013: 0013-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel#22313.patch +Patch0014: 0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch +Patch0015: 0015-hbactest-was-not-collecting-or-returning-messages_rhel#12780.patch %if 0%{?rhel} >= 8 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch @@ -1731,6 +1738,22 @@ fi %endif %changelog +* Mon Feb 12 2024 Rafael Jeffman - 4.9.13-5 +- kdb: PAC generator: do not fail if canonical principal is missing + Resolves: RHEL-23630 +- ipa-kdb: Fix memory leak during PAC verification + Resolves: RHEL-22644 +- Fix session cookie access + Resolves: RHEL-23622 +- Do not ignore staged users in sidgen plugin\ + Resovlves: RHEL-23626 +- ipa-kdb: Disable Bronze-Bit check if PAC not available + Resolves: RHEL-22313 +- krb5kdc: Fix start when pkinit and otp auth type are enabled + Resolves: RHEL-4874 +- hbactest was not collecting or returning messages + Resolvez: RHEL-12780 + * Tue Jan 23 2024 Rafael Jeffman - 4.9.13-4 - Improve server affinity for CA-less deployments Resolves: RHEL-22283