sssd/0005-AD-IPA-Create-kdcinfo-file-for-sub-domains.patch
Fabiano Fidêncio 68ef824a5f Resolves: upstream#3766 - CVE-2018-10852: information leak from the sssd-sudo responder
And also ...

- Related: upstream#941 - return multiple server addresses to the Kerberos
                          locator plugin
- Related: upstream#3652 - kdcinfo doesn't get populated for other domains
- Resolves: upstream#3747 - sss_ssh_authorizedkeys exits abruptly if SSHD
                            closes its end of the pipe before reading all the
                            SSH keys
- Resolves: upstream#3607 - Handle conflicting e-mail addresses more gracefully
- Resolves: upstream#3754 - SSSD AD uses LDAP filter to detect POSIX attributes
                            stored in AD GC also for regular AD DC queries
- Related: upstream#3219 - [RFE] Regular expression used in sssd.conf not being
                           able to consume an @-sign in the user/group name.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2018-06-25 09:38:16 +02:00

149 lines
6.8 KiB
Diff

From 660ef95e36ad73b4715656a4207aeb499ac96d16 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 24 May 2018 17:15:38 +0200
Subject: [PATCH] AD/IPA: Create kdcinfo file for sub-domains
With this patch kdcinfo files are created for sub-domains by the AD
provider and by the IPA provider on the IPA servers
(ipa_server_mode=True).
Related to https://pagure.io/SSSD/sssd/issue/3652
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit cc7922755dac53c69558ba060b309ac48ae82783)
---
src/providers/ad/ad_common.c | 9 +++++++++
src/providers/ad/ad_common.h | 1 +
src/providers/ad/ad_init.c | 1 +
src/providers/ad/ad_subdomains.c | 17 ++++++++++++++---
src/providers/ipa/ipa_subdomains_server.c | 16 ++++++++++++++--
5 files changed, 39 insertions(+), 5 deletions(-)
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index be7791e6cc2527d45d3e2ff50294f9b98106ffae..0aea985e00faa996643fd7e7630d4264fb6cf233 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -727,6 +727,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
const char *ad_service,
const char *ad_gc_service,
const char *ad_domain,
+ bool use_kdcinfo,
struct ad_service **_service)
{
errno_t ret;
@@ -762,6 +763,14 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
goto done;
}
+ /* Set flag that controls whether we want to write the
+ * kdcinfo files at all
+ */
+ service->krb5_service->write_kdcinfo = use_kdcinfo;
+ DEBUG(SSSDBG_CONF_SETTINGS, "write_kdcinfo for realm %s set to %s\n",
+ krb5_realm,
+ service->krb5_service->write_kdcinfo ? "true" : "false");
+
ret = be_fo_add_service(bectx, ad_service, ad_user_data_cmp);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create failover service!\n");
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 6eb2ba7e9a7350d1924c45d33d8c332073767a34..dd440da33d48a5820c665f43908d1e1fb18171a6 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -144,6 +144,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *ctx,
const char *ad_service,
const char *ad_gc_service,
const char *ad_domain,
+ bool use_kdcinfo,
struct ad_service **_service);
errno_t
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index b19624782000c5c7c65e766e3e01ff6ac3ab7adb..637efb761c1cf87b0a2c2b1c19b00ea0bbbe161f 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -159,6 +159,7 @@ static errno_t ad_init_options(TALLOC_CTX *mem_ctx,
ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME,
dp_opt_get_string(ad_options->basic, AD_DOMAIN),
+ false, /* will be set in ad_get_auth_options() */
&ad_options->service);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to init AD failover service: "
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 74b9f075174b1eaa6c5b5dcbaf609600ef197b52..84886e920b37f8803d85ce0903b74e6c809a8904 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -249,6 +249,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
const char *hostname;
const char *keytab;
char *subdom_conf_path;
+ bool use_kdcinfo = false;
realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM);
hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME);
@@ -296,9 +297,19 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
- ret = ad_failover_init(ad_options, be_ctx, servers, backup_servers, realm,
- service_name, gc_service_name,
- subdom->name, &ad_options->service);
+ if (id_ctx->ad_options->auth_ctx != NULL
+ && id_ctx->ad_options->auth_ctx->opts != NULL) {
+ use_kdcinfo = dp_opt_get_bool(id_ctx->ad_options->auth_ctx->opts,
+ KRB5_USE_KDCINFO);
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Init failover for [%s][%s] with use_kdcinfo [%s].\n",
+ subdom->name, subdom->realm, use_kdcinfo ? "true" : "false");
+
+ ret = ad_failover_init(ad_options, be_ctx, servers, backup_servers,
+ subdom->realm, service_name, gc_service_name,
+ subdom->name, use_kdcinfo, &ad_options->service);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD failover\n");
talloc_free(ad_options);
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index 1e53e7a951189120fcf3f438362e902a5a8f6d97..02577c92159d099a04cbd5cee80064309466db93 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -228,6 +228,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
struct sdap_domain *sdom;
errno_t ret;
const char *extra_attrs;
+ bool use_kdcinfo = false;
ad_domain = subdom->name;
DEBUG(SSSDBG_TRACE_LIBS, "Setting up AD subdomain %s\n", subdom->name);
@@ -284,12 +285,23 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
+ if (id_ctx->ipa_options != NULL && id_ctx->ipa_options->auth != NULL) {
+ use_kdcinfo = dp_opt_get_bool(id_ctx->ipa_options->auth,
+ KRB5_USE_KDCINFO);
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Init failover for [%s][%s] with use_kdcinfo [%s].\n",
+ subdom->name, subdom->realm, use_kdcinfo ? "true" : "false");
+
/* Set KRB5 realm to same as the one of IPA when IPA
* is able to attach PAC. For testing, use hardcoded. */
+ /* Why? */
ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
- id_ctx->server_mode->realm,
+ subdom->realm,
service_name, gc_service_name,
- subdom->name, &ad_options->service);
+ subdom->name, use_kdcinfo,
+ &ad_options->service);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD failover\n");
talloc_free(ad_options);
--
2.17.1