[Freeipa-devel] [PATCH] 0118 add support for subdomains

Alexander Bokovoy abokovoy at redhat.com
Mon Sep 30 10:11:12 UTC 2013


On Mon, 30 Sep 2013, Sumit Bose wrote:
>On Sat, Sep 28, 2013 at 11:01:34PM +0300, Alexander Bokovoy wrote:
>> On Fri, 27 Sep 2013, Sumit Bose wrote:
>> >On Fri, Sep 27, 2013 at 03:53:08PM +0300, Alexander Bokovoy wrote:
>> >>On Mon, 23 Sep 2013, Alexander Bokovoy wrote:
>> >>>On Mon, 23 Sep 2013, Alexander Bokovoy wrote:
>> >>>>On Mon, 23 Sep 2013, Alexander Bokovoy wrote:
>> >>>>>On Mon, 23 Sep 2013, Martin Kosek wrote:
>> >>>>>>>>However, we don't have trust type available so it needs to be discovered
>> >>>>>>>>every time. This doesn't play well with the framework, it is simply not
>> >>>>>>>>expecting dynamic containers.
>> >>>>>>>
>> >>>>>>>This doesn't sound like a big obstacle to me. Right now the trust_type lookup
>> >>>>>>>is done in trust_show.execute() for some reason, which is not the best place to
>> >>>>>>>do it IMHO. Doing it in trust.get_dn() instead should simplify things enough to
>> >>>>>>>make parent_object work.
>> >>>>>>
>> >>>>>>Yup, get_dn() is the method where object DN lookup should be done. See for
>> >>>>>>example host.py plugin get_dn method, we also do a dynamic lookup for correct
>> >>>>>>host name.
>> >>>>>I'll see if that would work.
>> >>>>>
>> >>>>>>the best way to implement dynamic DN gathering is the get_dn() method. That
>> >>>>>>way, it could be implemented in one place and all commands could take advantage
>> >>>>>>of it instead of re-implementing it several times in pre_callback - this is
>> >>>>>>just hackish.
>> >>>>>I'd suggest you look into the code. The commands use pre_callback for a
>> >>>>>different purpose than implementing dynamic DN gathering.
>> >>>>>
>> >>>>>>I think it would have been very useful to have a design page before sending a
>> >>>>>>patch. It is then easier to make design decisions without having to dig into
>> >>>>>>the patch.
>> >>>>>The design page has been there for a long time:
>> >>>>>http://www.freeipa.org/page/V3/Transitive_Trusts
>> >>>>Ok, here is a new version of the patch and an updated version of my 0117
>> >>>>patch, as Sumit noticed I've sent the wrong version.
>> >>>Ok, here is an updated 0118 which fixes API.txt change for trustdomain_add
>> >>>-- I renamed trustdomain_create to trustdomain_add but forgot to rerun
>> >>>makeapi.
>> >>New edition attached for all subdomain-related patches:
>> >
>> >I did some tests and all is working as expected.
>> >
>> >>
>> >>freeipa-abbra-0117-ipaserver-dcerpc.py-populate-forest-trust-informatio-3.patch
>> >>  Use realmdomains to report name suffix routes at the time we establish trust
>> >>
>> >>freeipa-abbra-0118-trusts-support-subdomains-in-a-forest-3.patch
>> >>  Introduce trustdomain-* commands to fetch list of domains associated
>> >>  with a forest trust and allow filtering them off
>> >
>> >We talked on irc that ipaNTSupportedEncryptionTypes in the filter
>> >for the trusted domains should be replaced by a different attribute.
>> >Because of an error in ipasam the ipaNTSupportedEncryptionTypes is only
>> >set in recent versions and might not be present in the directory trees of
>> >older versions.
>> Fixed in the attached patch 0118 version 4.
>>
>> Also attached first attempt to implement transiting through trusted
>> domains, as patch 0123. In this patch we grant transition only if all
>> three realms (client, transited realm, and server realm) match any of
>> our trusted domains and our domain. This is probably a bit wider but it
>> worked for me bidirectionally, from a child domain to a service in IPA,
>> and from IPA realm to a service in a child domain of a forest trust.
>>
>> --
>> / Alexander Bokovoy
>
>
>...
>> +
>> +	return (has_client_realm && has_transited_contents && has_server_realm) == false;
>
>I would prefer real krb5 error codes here. 0 and
>KRB5KRB_AP_ERR_ILL_CR_TKT are used in the core code which evaluates
>[capaths].
Fixed. Also tightened checks for our domain as it couldn't be the
transited domain.

-- 
/ Alexander Bokovoy
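The three-realm rule described in the message above (client, transited and server realm must each be our own realm or one of the forest-trust domains) as an added stand-alone C illustration; this is not code from the posted patch or from FreeIPA. `struct realm_ref`, `our_realm`, `trusted_domains` and the function names are assumptions standing in for the KDB's `krb5_data`, `ipactx->realm` and `ipactx->mspac->trusts[i].domain_name`. The comparison requires equal length as well as a case-insensitive match, so a realm that is merely a prefix of another, or an empty transited field, is rejected rather than accepted.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Length-counted realm name, standing in for krb5_data (assumption:
 * the bytes need not be NUL-terminated, just like krb5_data). */
struct realm_ref {
    const char *data;
    size_t length;
};

/* Constructed sample data standing in for ipactx->realm and
 * ipactx->mspac->trusts[i].domain_name. */
static const char *const our_realm = "IPA.EXAMPLE.COM";
static const char *const trusted_domains[] = {
    "AD.EXAMPLE.COM",          /* forest root we trust */
    "CHILD.AD.EXAMPLE.COM",    /* child domain of that forest */
};
static const size_t num_trusted =
    sizeof(trusted_domains) / sizeof(trusted_domains[0]);

/* Result codes for this example; TRANSIT_ILLEGAL stands in for the
 * KDC's KRB5KRB_AP_ERR_ILL_CR_TKT. */
enum transit_result { TRANSIT_OK = 0, TRANSIT_ILLEGAL = 1 };

/* Case-insensitive, exact-length comparison of a realm_ref with a C
 * string. A prefix match alone is not enough: "IPA.EXAMPLE.COM" must not
 * accept "IPA.EXAMPLE.COMPANY", and an empty realm must match nothing. */
static bool realm_equals(const struct realm_ref *r, const char *name)
{
    size_t n = strlen(name);

    if (r->data == NULL || r->length == 0 || r->length != n)
        return false;
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)r->data[i]) !=
            tolower((unsigned char)name[i]))
            return false;
    }
    return true;
}

/* True when the realm is one of the forest-trust domains. */
static bool is_trusted_domain(const struct realm_ref *r)
{
    for (size_t i = 0; i < num_trusted; i++) {
        if (realm_equals(r, trusted_domains[i]))
            return true;
    }
    return false;
}

/* The transit decision: client and server realm may be ours or a trusted
 * domain; the transited realm must be a trusted domain (our own realm is
 * never accepted as the transit hop). All three must pass. */
enum transit_result check_transition(const struct realm_ref *transited,
                                     const struct realm_ref *client_realm,
                                     const struct realm_ref *server_realm)
{
    bool client_ok = realm_equals(client_realm, our_realm) ||
                     is_trusted_domain(client_realm);
    bool server_ok = realm_equals(server_realm, our_realm) ||
                     is_trusted_domain(server_realm);
    bool transited_ok = !realm_equals(transited, our_realm) &&
                        is_trusted_domain(transited);

    return (client_ok && transited_ok && server_ok) ? TRANSIT_OK
                                                    : TRANSIT_ILLEGAL;
}

/* Convenience wrapper over NUL-terminated strings, the way a caller
 * would build the realm_refs. */
enum transit_result check_transition_str(const char *transited,
                                         const char *client,
                                         const char *server)
{
    struct realm_ref t = { transited, transited ? strlen(transited) : 0 };
    struct realm_ref c = { client, client ? strlen(client) : 0 };
    struct realm_ref s = { server, server ? strlen(server) : 0 };

    return check_transition(&t, &c, &s);
}
```

A transit from the child domain to an IPA service, or from IPA to a service in the child domain, passes through the forest root and is granted; a realm that only shares a prefix with ours, an empty transited field, or a transited realm outside the trust list is refused.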
-------------- next part --------------
commit 16472f38f9ad7b7b86c3dee3ed6021d75880d30f
Author: Alexander Bokovoy <abokovoy at redhat.com>
Date:   Sat Sep 28 21:49:57 2013 +0200

    KDC: implement transition check for trusted domains
    
    When a client principal requests a ticket for a server principal
    and we have to perform transition, check that all three belong to either
    our domain or the domains we trust through forest trusts.
    
    In case all three realms (client, transition, and server) match
    trusted domains and our domain, issue permission to transition from client
    realm to server realm.
    
    Part of https://fedorahosted.org/freeipa/ticket/3909

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 5e4d047..c807bbc 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -602,7 +602,7 @@ kdb_vftabl kdb_function_table = {
     NULL,                               /* decrypt_key_data */
     NULL,                               /* encrypt_key_data */
     ipadb_sign_authdata,                /* sign_authdata */
-    NULL,                               /* check_transited_realms */
+    ipadb_check_transited_realms,       /* check_transited_realms */
     ipadb_check_policy_as,              /* check_policy_as */
     NULL,                               /* check_policy_tgs */
     ipadb_audit_as_req,                 /* audit_as_req */
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index f4d3555..1c2aefc 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -253,7 +253,10 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit);
 
 void ipadb_mspac_struct_free(struct ipadb_mspac **mspac);
-
+krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
+					     const krb5_data *tr_contents,
+					     const krb5_data *client_realm,
+					     const krb5_data *server_realm);
 /* DELEGATION CHECKS */
 
 krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
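Review bot: the removed `-` line was the blank line separating the previous declaration from the `/* DELEGATION CHECKS */` section comment, so the new prototype now runs directly into that comment; keep a blank line after `const krb5_data *server_realm);`. The continuation lines of the new prototype are also indented with tabs, whereas the surrounding ipa_kdb.c hunk in this patch uses four-space indentation.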
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 08b55af..e9d742e 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2490,3 +2490,56 @@ done:
     ldap_msgfree(result);
     return kerr;
 }
+
+krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
+					     const krb5_data *tr_contents,
+					     const krb5_data *client_realm,
+					     const krb5_data *server_realm)
+{
+	struct ipadb_context *ipactx;
+	bool has_transited_contents, has_client_realm, has_server_realm;
+        int i;
+        krb5_error_code ret;
+
+        ipactx = ipadb_get_context(kcontext);
+        if (!ipactx || !ipactx->mspac) {
+            return KRB5_KDB_DBNOTINITED;
+        }
+
+	if (!ipactx->mspac || !ipactx->mspac->trusts) {
+		return KRB5_PLUGIN_NO_HANDLE;
+	}
+
+	has_transited_contents = false;
+	has_client_realm = false;
+	has_server_realm = false;
+
+	/* First, compare client or server realm with ours */
+	if (strncasecmp(client_realm->data, ipactx->realm, client_realm->length) == 0) {
+		has_client_realm = true;
+	}
+	if (strncasecmp(server_realm->data, ipactx->realm, server_realm->length) == 0) {
+		has_server_realm = true;
+	}
+	/* Iterate through list of trusts and check if any of input belongs to any of the trust */
+	for(i=0; i < ipactx->mspac->num_trusts ; i++) {
+		if (!has_transited_contents &&
+		    (strncasecmp(tr_contents->data, ipactx->mspac->trusts[i].domain_name, tr_contents->length) == 0)) {
+			has_transited_contents = true;
+		}
+		if (!has_client_realm &&
+		    (strncasecmp(client_realm->data, ipactx->mspac->trusts[i].domain_name, client_realm->length) == 0)) {
+			has_client_realm = true;
+		}
+		if (!has_server_realm &&
+		    (strncasecmp(server_realm->data, ipactx->mspac->trusts[i].domain_name, server_realm->length) == 0)) {
+			has_server_realm = true;
+		}
+	}
+
+	ret = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	if (has_client_realm && has_transited_contents && has_server_realm) {
+		ret = 0;
+	}
+	return ret; 
+}
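Review bot: the realm comparisons in this hunk match on prefix only, because `strncasecmp(client_realm->data, ipactx->realm, client_realm->length)` stops after `client_realm->length` bytes and never checks that `ipactx->realm` (or `trusts[i].domain_name`) is exactly that long; a client realm of EXAMPLE.COM would be accepted against an IPA realm of EXAMPLE.COMPANY, and a zero-length `tr_contents` makes `strncasecmp` with n == 0 return 0, which sets `has_transited_contents` for any trust at all. Since this function is the authorization decision for cross-realm transit, compare the lengths as well in all five places, e.g. `strlen(ipactx->realm) == client_realm->length && strncasecmp(...) == 0`. Smaller points: the `!ipactx->mspac` half of the second early-return test is dead code, because the first test already returned KRB5_KDB_DBNOTINITED for that case, so only `!ipactx->mspac->trusts` can still fire there; the early-return block uses spaces while the rest of the function uses tabs; and `return ret;` carries trailing whitespace.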