Imported Debian patch 4.7.2-3

This commit is contained in:
Timo Aaltonen
2019-05-06 08:43:34 +03:00
committed by Mario Fetka
parent 27edeba051
commit 8bc559c5a1
917 changed files with 1068993 additions and 1184676 deletions


@@ -11,12 +11,13 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
-DLDAPIDIR=\""$(runstatedir)"\" \
-DLDAPIDIR=\""$(localstatedir)/run"\" \
$(AM_CFLAGS) \
$(LDAP_CFLAGS) \
$(KRB5_CFLAGS) \
$(WARN_CFLAGS) \
$(NDRPAC_CFLAGS) \
$(NSS_CFLAGS) \
$(SSSCERTMAP_CFLAGS) \
$(NULL)
@@ -45,10 +46,6 @@ if BUILD_IPA_CERTAUTH_PLUGIN
ipadb_la_SOURCES += ipa_kdb_certauth.c
endif
if BUILD_IPA_KDCPOLICY_PLUGIN
ipadb_la_SOURCES += ipa_kdb_kdcpolicy.c
endif
ipadb_la_LDFLAGS = \
-avoid-version \
-module \
@@ -59,6 +56,7 @@ ipadb_la_LIBADD = \
$(LDAP_LIBS) \
$(NDRPAC_LIBS) \
$(UNISTRING_LIBS) \
$(NSS_LIBS) \
$(SSSCERTMAP_LIBS) \
$(top_builddir)/util/libutil.la \
$(NULL)
@@ -87,10 +85,6 @@ if BUILD_IPA_CERTAUTH_PLUGIN
ipa_kdb_tests_SOURCES += ipa_kdb_certauth.c
endif
if BUILD_IPA_KDCPOLICY_PLUGIN
ipa_kdb_tests_SOURCES += ipa_kdb_kdcpolicy.c
endif
ipa_kdb_tests_CFLAGS = $(CMOCKA_CFLAGS)
ipa_kdb_tests_LDADD = \
$(CMOCKA_LIBS) \
@@ -98,41 +92,13 @@ ipa_kdb_tests_LDADD = \
$(LDAP_LIBS) \
$(NDRPAC_LIBS) \
$(UNISTRING_LIBS) \
$(NSS_LIBS) \
$(SSSCERTMAP_LIBS) \
$(top_builddir)/util/libutil.la \
-lkdb5 \
-lsss_idmap \
$(NULL)
appdir = $(libexecdir)/ipa
app_PROGRAMS = ipa-print-pac
ipa_print_pac_SOURCES = ipa-print-pac.c \
$(NULL)
ipa_print_pac_CFLAGS = \
-I$(srcdir) \
-I$(top_srcdir)/util \
-DPREFIX=\""$(prefix)"\" \
-DBINDIR=\""$(bindir)"\" \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\"\
-DDATADIR=\""$(datadir)"\" \
-DLDAPIDIR=\""$(runstatedir)"\" \
$(AM_CFLAGS) \
$(POPT_CFLAGS) \
$(KRB5_CFLAGS) \
$(KRB5_GSSAPI_CFLAGS) \
$(WARN_CFLAGS) \
$(NDRPAC_CFLAGS) \
$(NULL)
ipa_print_pac_LDADD = \
$(KRB5_GSSAPI_LIBS) \
$(KRB5_LIBS) \
$(NDRPAC_LIBS) \
$(POPT_LIBS) \
$(NULL)
clean-local:
rm -f tests/.dirstamp
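Review bot: The `-DLDAPIDIR` flag in the `AM_CPPFLAGS` hunk is pinned to `$(localstatedir)/run` on what appears to be the new side (the automake-version and copyright lines in the generated Makefile.in indicate the new side is the older tree; the rendering itself does not mark which of the two `-DLDAPIDIR` lines survives), so the compiled-in LDAPI socket directory no longer follows configure's `--runstatedir`. That path is the KDB plugin's only trust path to the directory server, and a mismatch between it and the directory the server actually creates its socket in would presumably surface only at KDC runtime, not at build time, so it deserves a marker for the next import: `# must match the LDAPI socket directory the directory server uses (runstatedir on newer upstream)` above the flag. The same section also drops the `BUILD_IPA_KDCPOLICY_PLUGIN` conditional from both `ipadb_la_SOURCES` and `ipa_kdb_tests_SOURCES`; whether the configure option that defines that conditional is removed in the same commit cannot be seen from here, and a dangling option would silently build without the policy plugin.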


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -15,7 +15,6 @@
@SET_MAKE@
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
@@ -91,12 +90,9 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
@BUILD_IPA_CERTAUTH_PLUGIN_TRUE@am__append_1 = ipa_kdb_certauth.c
@BUILD_IPA_KDCPOLICY_PLUGIN_TRUE@am__append_2 = ipa_kdb_kdcpolicy.c
@HAVE_CMOCKA_TRUE@TESTS = ipa_kdb_tests$(EXEEXT)
@HAVE_CMOCKA_TRUE@check_PROGRAMS = ipa_kdb_tests$(EXEEXT)
@BUILD_IPA_CERTAUTH_PLUGIN_TRUE@am__append_3 = ipa_kdb_certauth.c
@BUILD_IPA_KDCPOLICY_PLUGIN_TRUE@am__append_4 = ipa_kdb_kdcpolicy.c
app_PROGRAMS = ipa-print-pac$(EXEEXT)
@BUILD_IPA_CERTAUTH_PLUGIN_TRUE@am__append_2 = ipa_kdb_certauth.c
subdir = daemons/ipa-kdb
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
@@ -116,8 +112,6 @@ mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
am__installdirs = "$(DESTDIR)$(appdir)" "$(DESTDIR)$(plugindir)"
PROGRAMS = $(app_PROGRAMS)
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -145,25 +139,23 @@ am__uninstall_files_from_dir = { \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(plugin_LTLIBRARIES)
am__DEPENDENCIES_1 =
ipadb_la_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(top_builddir)/util/libutil.la \
$(am__DEPENDENCIES_1)
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(top_builddir)/util/libutil.la $(am__DEPENDENCIES_1)
am__ipadb_la_SOURCES_DIST = ipa_kdb.c ipa_kdb.h ipa_kdb_common.c \
ipa_kdb_mkey.c ipa_kdb_passwords.c ipa_kdb_principals.c \
ipa_kdb_pwdpolicy.c ipa_kdb_mspac.c ipa_kdb_mspac_private.h \
ipa_kdb_delegation.c ipa_kdb_audit_as.c ipa_kdb_certauth.c \
ipa_kdb_kdcpolicy.c
ipa_kdb_delegation.c ipa_kdb_audit_as.c ipa_kdb_certauth.c
am__objects_1 =
@BUILD_IPA_CERTAUTH_PLUGIN_TRUE@am__objects_2 = ipa_kdb_certauth.lo
@BUILD_IPA_KDCPOLICY_PLUGIN_TRUE@am__objects_3 = ipa_kdb_kdcpolicy.lo
am_ipadb_la_OBJECTS = ipa_kdb.lo ipa_kdb_common.lo ipa_kdb_mkey.lo \
ipa_kdb_passwords.lo ipa_kdb_principals.lo \
ipa_kdb_pwdpolicy.lo ipa_kdb_mspac.lo ipa_kdb_delegation.lo \
ipa_kdb_audit_as.lo $(am__objects_1) $(am__objects_2) \
$(am__objects_3)
ipa_kdb_audit_as.lo $(am__objects_1) $(am__objects_2)
ipadb_la_OBJECTS = $(am_ipadb_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -172,23 +164,12 @@ am__v_lt_1 =
ipadb_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(ipadb_la_LDFLAGS) $(LDFLAGS) -o $@
am_ipa_print_pac_OBJECTS = ipa_print_pac-ipa-print-pac.$(OBJEXT) \
$(am__objects_1)
ipa_print_pac_OBJECTS = $(am_ipa_print_pac_OBJECTS)
ipa_print_pac_DEPENDENCIES = $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
ipa_print_pac_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(ipa_print_pac_CFLAGS) \
$(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
am__ipa_kdb_tests_SOURCES_DIST = tests/ipa_kdb_tests.c ipa_kdb.c \
ipa_kdb_common.c ipa_kdb_mkey.c ipa_kdb_passwords.c \
ipa_kdb_principals.c ipa_kdb_pwdpolicy.c ipa_kdb_mspac.c \
ipa_kdb_delegation.c ipa_kdb_audit_as.c ipa_kdb_certauth.c \
ipa_kdb_kdcpolicy.c
ipa_kdb_delegation.c ipa_kdb_audit_as.c ipa_kdb_certauth.c
am__dirstamp = $(am__leading_dot)dirstamp
@BUILD_IPA_CERTAUTH_PLUGIN_TRUE@am__objects_4 = ipa_kdb_tests-ipa_kdb_certauth.$(OBJEXT)
@BUILD_IPA_KDCPOLICY_PLUGIN_TRUE@am__objects_5 = ipa_kdb_tests-ipa_kdb_kdcpolicy.$(OBJEXT)
@BUILD_IPA_CERTAUTH_PLUGIN_TRUE@am__objects_3 = ipa_kdb_tests-ipa_kdb_certauth.$(OBJEXT)
am_ipa_kdb_tests_OBJECTS = \
tests/ipa_kdb_tests-ipa_kdb_tests.$(OBJEXT) \
ipa_kdb_tests-ipa_kdb.$(OBJEXT) \
@@ -200,7 +181,7 @@ am_ipa_kdb_tests_OBJECTS = \
ipa_kdb_tests-ipa_kdb_mspac.$(OBJEXT) \
ipa_kdb_tests-ipa_kdb_delegation.$(OBJEXT) \
ipa_kdb_tests-ipa_kdb_audit_as.$(OBJEXT) $(am__objects_1) \
$(am__objects_4) $(am__objects_5)
$(am__objects_3)
am__dist_ipa_kdb_tests_SOURCES_DIST = tests/test_setup.sh
dist_ipa_kdb_tests_OBJECTS =
ipa_kdb_tests_OBJECTS = $(am_ipa_kdb_tests_OBJECTS) \
@@ -208,8 +189,8 @@ ipa_kdb_tests_OBJECTS = $(am_ipa_kdb_tests_OBJECTS) \
ipa_kdb_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(top_builddir)/util/libutil.la \
$(am__DEPENDENCIES_1)
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(top_builddir)/util/libutil.la $(am__DEPENDENCIES_1)
ipa_kdb_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(ipa_kdb_tests_CFLAGS) \
$(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
@@ -233,8 +214,7 @@ am__depfiles_remade = ./$(DEPDIR)/ipa_kdb.Plo \
./$(DEPDIR)/ipa_kdb_certauth.Plo \
./$(DEPDIR)/ipa_kdb_common.Plo \
./$(DEPDIR)/ipa_kdb_delegation.Plo \
./$(DEPDIR)/ipa_kdb_kdcpolicy.Plo ./$(DEPDIR)/ipa_kdb_mkey.Plo \
./$(DEPDIR)/ipa_kdb_mspac.Plo \
./$(DEPDIR)/ipa_kdb_mkey.Plo ./$(DEPDIR)/ipa_kdb_mspac.Plo \
./$(DEPDIR)/ipa_kdb_passwords.Plo \
./$(DEPDIR)/ipa_kdb_principals.Plo \
./$(DEPDIR)/ipa_kdb_pwdpolicy.Plo \
@@ -243,13 +223,11 @@ am__depfiles_remade = ./$(DEPDIR)/ipa_kdb.Plo \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_common.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_delegation.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mkey.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mspac.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_passwords.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_principals.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_pwdpolicy.Po \
./$(DEPDIR)/ipa_print_pac-ipa-print-pac.Po \
tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
@@ -270,9 +248,9 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
SOURCES = $(ipadb_la_SOURCES) $(ipa_print_pac_SOURCES) \
$(ipa_kdb_tests_SOURCES) $(dist_ipa_kdb_tests_SOURCES)
DIST_SOURCES = $(am__ipadb_la_SOURCES_DIST) $(ipa_print_pac_SOURCES) \
SOURCES = $(ipadb_la_SOURCES) $(ipa_kdb_tests_SOURCES) \
$(dist_ipa_kdb_tests_SOURCES)
DIST_SOURCES = $(am__ipadb_la_SOURCES_DIST) \
$(am__ipa_kdb_tests_SOURCES_DIST) \
$(am__dist_ipa_kdb_tests_SOURCES_DIST)
am__can_run_installinfo = \
@@ -537,8 +515,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -581,10 +557,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -605,6 +582,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -692,9 +671,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@@ -715,12 +692,13 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
-DLDAPIDIR=\""$(runstatedir)"\" \
-DLDAPIDIR=\""$(localstatedir)/run"\" \
$(AM_CFLAGS) \
$(LDAP_CFLAGS) \
$(KRB5_CFLAGS) \
$(WARN_CFLAGS) \
$(NDRPAC_CFLAGS) \
$(NSS_CFLAGS) \
$(SSSCERTMAP_CFLAGS) \
$(NULL)
@@ -732,7 +710,7 @@ plugin_LTLIBRARIES = \
ipadb_la_SOURCES = ipa_kdb.c ipa_kdb.h ipa_kdb_common.c ipa_kdb_mkey.c \
ipa_kdb_passwords.c ipa_kdb_principals.c ipa_kdb_pwdpolicy.c \
ipa_kdb_mspac.c ipa_kdb_mspac_private.h ipa_kdb_delegation.c \
ipa_kdb_audit_as.c $(NULL) $(am__append_1) $(am__append_2)
ipa_kdb_audit_as.c $(NULL) $(am__append_1)
dist_noinst_DATA = ipa_kdb.exports
ipadb_la_LDFLAGS = \
-avoid-version \
@@ -744,6 +722,7 @@ ipadb_la_LIBADD = \
$(LDAP_LIBS) \
$(NDRPAC_LIBS) \
$(UNISTRING_LIBS) \
$(NSS_LIBS) \
$(SSSCERTMAP_LIBS) \
$(top_builddir)/util/libutil.la \
$(NULL)
@@ -754,7 +733,7 @@ ipa_kdb_tests_SOURCES = tests/ipa_kdb_tests.c ipa_kdb.c \
ipa_kdb_common.c ipa_kdb_mkey.c ipa_kdb_passwords.c \
ipa_kdb_principals.c ipa_kdb_pwdpolicy.c ipa_kdb_mspac.c \
ipa_kdb_delegation.c ipa_kdb_audit_as.c $(NULL) \
$(am__append_3) $(am__append_4)
$(am__append_2)
ipa_kdb_tests_CFLAGS = $(CMOCKA_CFLAGS)
ipa_kdb_tests_LDADD = \
$(CMOCKA_LIBS) \
@@ -762,40 +741,13 @@ ipa_kdb_tests_LDADD = \
$(LDAP_LIBS) \
$(NDRPAC_LIBS) \
$(UNISTRING_LIBS) \
$(NSS_LIBS) \
$(SSSCERTMAP_LIBS) \
$(top_builddir)/util/libutil.la \
-lkdb5 \
-lsss_idmap \
$(NULL)
appdir = $(libexecdir)/ipa
ipa_print_pac_SOURCES = ipa-print-pac.c \
$(NULL)
ipa_print_pac_CFLAGS = \
-I$(srcdir) \
-I$(top_srcdir)/util \
-DPREFIX=\""$(prefix)"\" \
-DBINDIR=\""$(bindir)"\" \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\"\
-DDATADIR=\""$(datadir)"\" \
-DLDAPIDIR=\""$(runstatedir)"\" \
$(AM_CFLAGS) \
$(POPT_CFLAGS) \
$(KRB5_CFLAGS) \
$(KRB5_GSSAPI_CFLAGS) \
$(WARN_CFLAGS) \
$(NDRPAC_CFLAGS) \
$(NULL)
ipa_print_pac_LDADD = \
$(KRB5_GSSAPI_LIBS) \
$(KRB5_LIBS) \
$(NDRPAC_LIBS) \
$(POPT_LIBS) \
$(NULL)
EXTRA_DIST = \
README \
README.s4u2proxy.txt \
@@ -834,55 +786,6 @@ $(top_srcdir)/configure: $(am__configure_deps)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
install-appPROGRAMS: $(app_PROGRAMS)
@$(NORMAL_INSTALL)
@list='$(app_PROGRAMS)'; test -n "$(appdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(appdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(appdir)" || exit 1; \
fi; \
for p in $$list; do echo "$$p $$p"; done | \
sed 's/$(EXEEXT)$$//' | \
while read p p1; do if test -f $$p \
|| test -f $$p1 \
; then echo "$$p"; echo "$$p"; else :; fi; \
done | \
sed -e 'p;s,.*/,,;n;h' \
-e 's|.*|.|' \
-e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
sed 'N;N;N;s,\n, ,g' | \
$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
{ d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
if ($$2 == $$4) files[d] = files[d] " " $$1; \
else { print "f", $$3 "/" $$4, $$1; } } \
END { for (d in files) print "f", d, files[d] }' | \
while read type dir files; do \
if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
test -z "$$files" || { \
echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(appdir)$$dir'"; \
$(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(appdir)$$dir" || exit $$?; \
} \
; done
uninstall-appPROGRAMS:
@$(NORMAL_UNINSTALL)
@list='$(app_PROGRAMS)'; test -n "$(appdir)" || list=; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-e 's/$$/$(EXEEXT)/' \
`; \
test -n "$$list" || exit 0; \
echo " ( cd '$(DESTDIR)$(appdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(appdir)" && rm -f $$files
clean-appPROGRAMS:
@list='$(app_PROGRAMS)'; test -n "$$list" || exit 0; \
echo " rm -f" $$list; \
rm -f $$list || exit $$?; \
test -n "$(EXEEXT)" || exit 0; \
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
clean-checkPROGRAMS:
@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
@@ -930,10 +833,6 @@ clean-pluginLTLIBRARIES:
ipadb.la: $(ipadb_la_OBJECTS) $(ipadb_la_DEPENDENCIES) $(EXTRA_ipadb_la_DEPENDENCIES)
$(AM_V_CCLD)$(ipadb_la_LINK) -rpath $(plugindir) $(ipadb_la_OBJECTS) $(ipadb_la_LIBADD) $(LIBS)
ipa-print-pac$(EXEEXT): $(ipa_print_pac_OBJECTS) $(ipa_print_pac_DEPENDENCIES) $(EXTRA_ipa_print_pac_DEPENDENCIES)
@rm -f ipa-print-pac$(EXEEXT)
$(AM_V_CCLD)$(ipa_print_pac_LINK) $(ipa_print_pac_OBJECTS) $(ipa_print_pac_LDADD) $(LIBS)
tests/$(am__dirstamp):
@$(MKDIR_P) tests
@: > tests/$(am__dirstamp)
@@ -959,7 +858,6 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_certauth.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_common.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_delegation.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_kdcpolicy.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_mkey.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_mspac.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_passwords.Plo@am__quote@ # am--include-marker
@@ -970,13 +868,11 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_common.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_delegation.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mkey.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mspac.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_passwords.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_principals.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_pwdpolicy.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_print_pac-ipa-print-pac.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po@am__quote@ # am--include-marker
$(am__depfiles_remade):
@@ -1009,20 +905,6 @@ am--depfiles: $(am__depfiles_remade)
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
ipa_print_pac-ipa-print-pac.o: ipa-print-pac.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_print_pac_CFLAGS) $(CFLAGS) -MT ipa_print_pac-ipa-print-pac.o -MD -MP -MF $(DEPDIR)/ipa_print_pac-ipa-print-pac.Tpo -c -o ipa_print_pac-ipa-print-pac.o `test -f 'ipa-print-pac.c' || echo '$(srcdir)/'`ipa-print-pac.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_print_pac-ipa-print-pac.Tpo $(DEPDIR)/ipa_print_pac-ipa-print-pac.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipa-print-pac.c' object='ipa_print_pac-ipa-print-pac.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_print_pac_CFLAGS) $(CFLAGS) -c -o ipa_print_pac-ipa-print-pac.o `test -f 'ipa-print-pac.c' || echo '$(srcdir)/'`ipa-print-pac.c
ipa_print_pac-ipa-print-pac.obj: ipa-print-pac.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_print_pac_CFLAGS) $(CFLAGS) -MT ipa_print_pac-ipa-print-pac.obj -MD -MP -MF $(DEPDIR)/ipa_print_pac-ipa-print-pac.Tpo -c -o ipa_print_pac-ipa-print-pac.obj `if test -f 'ipa-print-pac.c'; then $(CYGPATH_W) 'ipa-print-pac.c'; else $(CYGPATH_W) '$(srcdir)/ipa-print-pac.c'; fi`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_print_pac-ipa-print-pac.Tpo $(DEPDIR)/ipa_print_pac-ipa-print-pac.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipa-print-pac.c' object='ipa_print_pac-ipa-print-pac.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_print_pac_CFLAGS) $(CFLAGS) -c -o ipa_print_pac-ipa-print-pac.obj `if test -f 'ipa-print-pac.c'; then $(CYGPATH_W) 'ipa-print-pac.c'; else $(CYGPATH_W) '$(srcdir)/ipa-print-pac.c'; fi`
tests/ipa_kdb_tests-ipa_kdb_tests.o: tests/ipa_kdb_tests.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -MT tests/ipa_kdb_tests-ipa_kdb_tests.o -MD -MP -MF tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Tpo -c -o tests/ipa_kdb_tests-ipa_kdb_tests.o `test -f 'tests/ipa_kdb_tests.c' || echo '$(srcdir)/'`tests/ipa_kdb_tests.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Tpo tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po
@@ -1177,20 +1059,6 @@ ipa_kdb_tests-ipa_kdb_certauth.obj: ipa_kdb_certauth.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -c -o ipa_kdb_tests-ipa_kdb_certauth.obj `if test -f 'ipa_kdb_certauth.c'; then $(CYGPATH_W) 'ipa_kdb_certauth.c'; else $(CYGPATH_W) '$(srcdir)/ipa_kdb_certauth.c'; fi`
ipa_kdb_tests-ipa_kdb_kdcpolicy.o: ipa_kdb_kdcpolicy.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -MT ipa_kdb_tests-ipa_kdb_kdcpolicy.o -MD -MP -MF $(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Tpo -c -o ipa_kdb_tests-ipa_kdb_kdcpolicy.o `test -f 'ipa_kdb_kdcpolicy.c' || echo '$(srcdir)/'`ipa_kdb_kdcpolicy.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Tpo $(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipa_kdb_kdcpolicy.c' object='ipa_kdb_tests-ipa_kdb_kdcpolicy.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -c -o ipa_kdb_tests-ipa_kdb_kdcpolicy.o `test -f 'ipa_kdb_kdcpolicy.c' || echo '$(srcdir)/'`ipa_kdb_kdcpolicy.c
ipa_kdb_tests-ipa_kdb_kdcpolicy.obj: ipa_kdb_kdcpolicy.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -MT ipa_kdb_tests-ipa_kdb_kdcpolicy.obj -MD -MP -MF $(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Tpo -c -o ipa_kdb_tests-ipa_kdb_kdcpolicy.obj `if test -f 'ipa_kdb_kdcpolicy.c'; then $(CYGPATH_W) 'ipa_kdb_kdcpolicy.c'; else $(CYGPATH_W) '$(srcdir)/ipa_kdb_kdcpolicy.c'; fi`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Tpo $(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipa_kdb_kdcpolicy.c' object='ipa_kdb_tests-ipa_kdb_kdcpolicy.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -c -o ipa_kdb_tests-ipa_kdb_kdcpolicy.obj `if test -f 'ipa_kdb_kdcpolicy.c'; then $(CYGPATH_W) 'ipa_kdb_kdcpolicy.c'; else $(CYGPATH_W) '$(srcdir)/ipa_kdb_kdcpolicy.c'; fi`
mostlyclean-libtool:
-rm -f *.lo
@@ -1449,9 +1317,9 @@ check-am: all-am
$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
$(MAKE) $(AM_MAKEFLAGS) check-TESTS
check: check-am
all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(DATA)
all-am: Makefile $(LTLIBRARIES) $(DATA)
installdirs:
for dir in "$(DESTDIR)$(appdir)" "$(DESTDIR)$(plugindir)"; do \
for dir in "$(DESTDIR)$(plugindir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
@@ -1491,9 +1359,8 @@ maintainer-clean-generic:
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
clean-am: clean-appPROGRAMS clean-checkPROGRAMS clean-generic \
clean-libtool clean-local clean-pluginLTLIBRARIES \
mostlyclean-am
clean-am: clean-checkPROGRAMS clean-generic clean-libtool clean-local \
clean-pluginLTLIBRARIES mostlyclean-am
distclean: distclean-am
-rm -f ./$(DEPDIR)/ipa_kdb.Plo
@@ -1501,7 +1368,6 @@ distclean: distclean-am
-rm -f ./$(DEPDIR)/ipa_kdb_certauth.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_common.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_delegation.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_kdcpolicy.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_mkey.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_mspac.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_passwords.Plo
@@ -1512,13 +1378,11 @@ distclean: distclean-am
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_common.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_delegation.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mkey.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mspac.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_passwords.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_principals.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_pwdpolicy.Po
-rm -f ./$(DEPDIR)/ipa_print_pac-ipa-print-pac.Po
-rm -f tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
@@ -1536,7 +1400,7 @@ info: info-am
info-am:
install-data-am: install-appPROGRAMS install-pluginLTLIBRARIES
install-data-am: install-pluginLTLIBRARIES
install-dvi: install-dvi-am
@@ -1570,7 +1434,6 @@ maintainer-clean: maintainer-clean-am
-rm -f ./$(DEPDIR)/ipa_kdb_certauth.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_common.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_delegation.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_kdcpolicy.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_mkey.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_mspac.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_passwords.Plo
@@ -1581,13 +1444,11 @@ maintainer-clean: maintainer-clean-am
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_common.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_delegation.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mkey.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mspac.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_passwords.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_principals.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_pwdpolicy.Po
-rm -f ./$(DEPDIR)/ipa_print_pac-ipa-print-pac.Po
-rm -f tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
@@ -1605,17 +1466,16 @@ ps: ps-am
ps-am:
uninstall-am: uninstall-appPROGRAMS uninstall-pluginLTLIBRARIES
uninstall-am: uninstall-pluginLTLIBRARIES
.MAKE: check-am install-am install-strip
.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \
check-am clean clean-appPROGRAMS clean-checkPROGRAMS \
clean-generic clean-libtool clean-local \
clean-pluginLTLIBRARIES cscopelist-am ctags ctags-am distclean \
distclean-compile distclean-generic distclean-libtool \
distclean-tags distdir dvi dvi-am html html-am info info-am \
install install-am install-appPROGRAMS install-data \
check-am clean clean-checkPROGRAMS clean-generic clean-libtool \
clean-local clean-pluginLTLIBRARIES cscopelist-am ctags \
ctags-am distclean distclean-compile distclean-generic \
distclean-libtool distclean-tags distdir dvi dvi-am html \
html-am info info-am install install-am install-data \
install-data-am install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-pdf install-pdf-am \
@@ -1624,7 +1484,7 @@ uninstall-am: uninstall-appPROGRAMS uninstall-pluginLTLIBRARIES
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
pdf pdf-am ps ps-am recheck tags tags-am uninstall \
uninstall-am uninstall-appPROGRAMS uninstall-pluginLTLIBRARIES
uninstall-am uninstall-pluginLTLIBRARIES
.PRECIOUS: Makefile


@@ -1,19 +1 @@
This is the ipa krb5kdc database backend.
As the KDB interfaces heavily with krb5, we inherit its code style as well.
However, note the following changes:
- no modelines (and different file preamble)
- return types don't require their own line
- single-statement blocks may optionally be braced
- /* and */ do not ever get their own line
- C99 for-loops are permitted (and encouraged)
- a restricted set of other C99 features are permitted
In particular, variable-length arrays, flexible array members, compound
literals, universal character names, and //-style comments are not permitted.
Use of regular malloc/free is preferred over talloc for new code.
By and large, existing code mostly conforms to these requirements. New code
must conform to them.


@@ -1,723 +0,0 @@
/*
* Copyright (C) 2020 FreeIPA Contributors see COPYING for license
*/
#include <gen_ndr/ndr_krb5pac.h>
#include <gssapi/gssapi_ext.h>
#include <gssapi/gssapi_krb5.h>
#include <ndr.h>
#include <popt.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define IPAPWD_PASSWORD_MAX_LEN 1024
typedef enum {
OP_SERVICE_TICKET,
OP_IMPERSONATE
} pac_operation_t;
pac_operation_t operation = OP_SERVICE_TICKET;
char *keytab_path = NULL;
char *ccache_path = NULL;
bool init_tgt = true;
const gss_OID *import_name_oid = &GSS_C_NT_USER_NAME;
TALLOC_CTX *frame = NULL;
gss_OID_desc mech_krb5 = {9, "\052\206\110\206\367\022\001\002\002"};
/* NDR printing interface passes flags but the actual public print function
* does not accept flags. Generated ndr helpers actually have a small wrapper
* but since it is a static to the generated C code unit, we have to reimplement
* it here.
*/
static void
print_flags_PAC_DATA(struct ndr_print *ndr,
const char *name,
int unused,
const struct PAC_DATA *r)
{
ndr_print_PAC_DATA(ndr, name, r);
}
/*
* Print content of a PAC buffer, annotated by the libndr helpers
*/
static void
print_pac(gss_buffer_desc *pac, gss_buffer_desc *display)
{
struct ndr_print *ndr = NULL;
DATA_BLOB blob;
struct ndr_pull *ndr_pull = NULL;
void *st = NULL;
int flags = NDR_SCALARS | NDR_BUFFERS;
enum ndr_err_code ndr_err;
struct ndr_interface_call ndr_call = {
.name = "PAC_DATA",
.struct_size = sizeof(struct PAC_DATA),
.ndr_push = (ndr_push_flags_fn_t)ndr_push_PAC_DATA,
.ndr_pull = (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA,
.ndr_print = (ndr_print_function_t)print_flags_PAC_DATA,
};
ndr = talloc_zero(frame, struct ndr_print);
ndr->print = ndr_print_string_helper;
ndr->depth = 0;
blob = data_blob_const(pac->value, pac->length);
ndr_pull = ndr_pull_init_blob(&blob, ndr);
ndr_pull->flags = LIBNDR_FLAG_REF_ALLOC;
st = talloc_zero_size(ndr, ndr_call.struct_size);
ndr_err = ndr_call.ndr_pull(ndr_pull, flags, st);
if (ndr_err) {
fprintf(stderr,
"Error parsing buffer '%.*s': %s\n",
(int)display->length,
(char *)display->value,
ndr_map_error2string(ndr_err));
return;
}
ndr_call.ndr_print(ndr, ndr_call.name, flags, st);
printf("%s\n", (char *)ndr->private_data);
talloc_free(ndr);
}
static void
display_error(int type, OM_uint32 code)
{
OM_uint32 min, ctx = 0;
gss_buffer_desc status;
do {
(void)gss_display_status(&min, code, type, GSS_C_NO_OID, &ctx, &status);
fprintf(stderr, "%.*s\n", (int)status.length, (char *)status.value);
gss_release_buffer(&min, &status);
} while (ctx != 0);
}
static void
log_error(const char *fn, uint32_t maj, uint32_t min)
{
fprintf(stderr, "%s: ", fn);
display_error(GSS_C_GSS_CODE, maj);
display_error(GSS_C_MECH_CODE, min);
}
static gss_name_t
import_name(const char *name)
{
OM_uint32 maj, min;
gss_name_t gss_name;
gss_name = GSS_C_NO_NAME;
gss_buffer_desc buff = GSS_C_EMPTY_BUFFER;
buff.value = (void *)name;
buff.length = strlen(name);
maj = gss_import_name(&min, &buff, *import_name_oid, &gss_name);
if (GSS_ERROR(maj)) {
log_error("gss_import_name()", maj, min);
return GSS_C_NO_NAME;
}
return gss_name;
}
static bool
store_creds_into_cache(gss_cred_id_t creds, const char *cache)
{
OM_uint32 maj, min;
gss_key_value_element_desc store_elm = {"ccache", cache};
gss_key_value_set_desc store = {1, &store_elm};
maj = gss_store_cred_into(
&min, creds, GSS_C_INITIATE, GSS_C_NO_OID, 1, 1, &store, NULL, NULL);
if (maj != GSS_S_COMPLETE) {
log_error("gss_store_cred_into()", maj, min);
return false;
}
return true;
}
static void
dump_attribute(gss_name_t name, gss_buffer_t attribute)
{
OM_uint32 major, minor;
gss_buffer_desc value;
gss_buffer_desc display_value;
int authenticated = 0;
int complete = 0;
int more = -1;
int whole_pac = 0;
whole_pac = attribute->length == strlen("urn:mspac:");
while (more != 0) {
value.value = NULL;
display_value.value = NULL;
major = gss_get_name_attribute(&minor,
name,
attribute,
&authenticated,
&complete,
&value,
&display_value,
&more);
if (GSS_ERROR(major)) {
log_error("gss_get_name_attribute()", major, minor);
return;
}
if (whole_pac) {
print_pac(&value, attribute);
}
(void)gss_release_buffer(&minor, &value);
(void)gss_release_buffer(&minor, &display_value);
}
}
static void
enumerate_attributes(gss_name_t name)
{
OM_uint32 major, minor;
int is_mechname;
gss_buffer_set_t attrs = GSS_C_NO_BUFFER_SET;
size_t i;
major = gss_inquire_name(&minor, name, &is_mechname, NULL, &attrs);
if (GSS_ERROR(major)) {
log_error("gss_inquire_name()", major, minor);
return;
}
if (GSS_ERROR(major)) {
printf("gss_inquire_name: (%d, %d)\n", major, minor);
return;
}
if (attrs != GSS_C_NO_BUFFER_SET) {
for (i = 0; i < attrs->count; i++)
dump_attribute(name, &attrs->elements[i]);
}
(void)gss_release_buffer_set(&minor, &attrs);
}
static bool
establish_contexts(gss_OID imech,
gss_cred_id_t icred,
gss_cred_id_t acred,
gss_name_t tname,
OM_uint32 flags,
gss_ctx_id_t *ictx,
gss_ctx_id_t *actx,
gss_name_t *src_name,
gss_OID *amech,
gss_cred_id_t *deleg_cred)
{
OM_uint32 minor, imaj, amaj;
gss_buffer_desc itok, atok;
*ictx = *actx = GSS_C_NO_CONTEXT;
imaj = amaj = GSS_S_CONTINUE_NEEDED;
itok.value = atok.value = NULL;
itok.length = atok.length = 0;
for (;;) {
(void)gss_release_buffer(&minor, &itok);
imaj = gss_init_sec_context(&minor,
icred,
ictx,
tname,
imech,
flags,
GSS_C_INDEFINITE,
GSS_C_NO_CHANNEL_BINDINGS,
&atok,
NULL,
&itok,
NULL,
NULL);
if (GSS_ERROR(imaj)) {
log_error("gss_init_sec_context()", imaj, minor);
return false;
}
if (amaj == GSS_S_COMPLETE)
break;
(void)gss_release_buffer(&minor, &atok);
amaj = gss_accept_sec_context(&minor,
actx,
acred,
&itok,
GSS_C_NO_CHANNEL_BINDINGS,
src_name,
amech,
&atok,
NULL,
NULL,
deleg_cred);
if (GSS_ERROR(amaj)) {
log_error("gss_accept_sec_context()", amaj, minor);
return false;
}
(void)gss_release_buffer(&minor, &itok);
if (imaj == GSS_S_COMPLETE) {
break;
}
}
if (imaj != GSS_S_COMPLETE || amaj != GSS_S_COMPLETE) {
printf("One side wants to continue after the other is done");
return false;
}
(void)gss_release_buffer(&minor, &itok);
(void)gss_release_buffer(&minor, &atok);
return true;
}
static bool
init_accept_sec_context(gss_cred_id_t claimant_cred_handle,
gss_cred_id_t verifier_cred_handle,
gss_cred_id_t *deleg_cred_handle)
{
OM_uint32 maj, min, flags;
gss_name_t source_name = GSS_C_NO_NAME, target_name = GSS_C_NO_NAME;
gss_ctx_id_t initiator_context, acceptor_context;
gss_OID mech = &mech_krb5;
bool success = false;
maj = gss_inquire_cred(
&min, verifier_cred_handle, &target_name, NULL, NULL, NULL);
if (GSS_ERROR(maj)) {
log_error("gss_inquire_cred()", maj, min);
goto done;
}
flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
success = establish_contexts(mech,
claimant_cred_handle,
verifier_cred_handle,
target_name,
flags,
&initiator_context,
&acceptor_context,
&source_name,
&mech,
deleg_cred_handle);
if (success)
enumerate_attributes(source_name);
done:
if (source_name != GSS_C_NO_NAME)
(void)gss_release_name(&min, &source_name);
if (target_name != GSS_C_NO_NAME)
(void)gss_release_name(&min, &target_name);
if (initiator_context != NULL)
(void)gss_delete_sec_context(&min, &initiator_context, NULL);
if (acceptor_context != NULL)
(void)gss_delete_sec_context(&min, &acceptor_context, NULL);
return success;
}
static bool
init_creds(gss_cred_id_t *service_creds, gss_cred_usage_t intent)
{
OM_uint32 maj, min;
gss_key_value_element_desc keytab_elm = {"keytab", keytab_path};
gss_key_value_set_desc store = {1, &keytab_elm};
maj = gss_acquire_cred_from(&min,
GSS_C_NO_NAME,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
intent,
(keytab_path != NULL) ? &store : NULL,
service_creds,
NULL,
NULL);
if (GSS_ERROR(maj)) {
log_error("gss_acquire_cred", maj, min);
return false;
}
return true;
}
static bool
impersonate(const char *name)
{
OM_uint32 maj, min;
gss_name_t desired_principal = GSS_C_NO_NAME;
gss_cred_id_t client_creds = GSS_C_NO_CREDENTIAL;
gss_cred_id_t service_creds = GSS_C_NO_CREDENTIAL;
gss_cred_id_t delegated_creds = GSS_C_NO_CREDENTIAL;
bool success = false;
if (!init_creds(&service_creds, GSS_C_BOTH)) {
goto done;
}
desired_principal = import_name(name);
if (desired_principal == GSS_C_NO_NAME) {
goto done;
}
maj = gss_acquire_cred_impersonate_name(&min,
service_creds,
desired_principal,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_INITIATE,
&client_creds,
NULL,
NULL);
if (GSS_ERROR(maj)) {
log_error("gss_acquire_cred_impersonate_name()", maj, min);
goto done;
}
if (ccache_path != NULL) {
if (!store_creds_into_cache(client_creds, ccache_path)) {
fprintf(stderr, "Failed to store credentials in cache\n");
goto done;
}
}
fprintf(stderr, "Acquired credentials for %s\n", name);
init_accept_sec_context(client_creds, service_creds, &delegated_creds);
if (delegated_creds != GSS_C_NO_CREDENTIAL) {
gss_buffer_set_t bufset = GSS_C_NO_BUFFER_SET;
/* Inquire impersonator status. */
maj = gss_inquire_cred_by_oid(
&min, client_creds, GSS_KRB5_GET_CRED_IMPERSONATOR, &bufset);
if (GSS_ERROR(maj)) {
log_error("gss_inquire_cred_by_oid()", maj, min);
goto done;
}
if (bufset->count == 0) {
log_error("gss_inquire_cred_by_oid(user) returned NO impersonator", 0, 0);
goto done;
}
(void)gss_release_buffer_set(&min, &bufset);
maj = gss_inquire_cred_by_oid(
&min, service_creds, GSS_KRB5_GET_CRED_IMPERSONATOR, &bufset);
if (GSS_ERROR(maj)) {
log_error("gss_inquire_cred_by_oid()", maj, min);
goto done;
}
if (bufset->count != 0) {
log_error("gss_inquire_cred_by_oid(svc) returned an impersonator", 0, 0);
goto done;
}
(void)gss_release_buffer_set(&min, &bufset);
success = true;
}
done:
if (desired_principal != GSS_C_NO_NAME)
gss_release_name(&min, &desired_principal);
if (client_creds != GSS_C_NO_CREDENTIAL)
gss_release_cred(&min, &client_creds);
if (service_creds != GSS_C_NO_CREDENTIAL)
gss_release_cred(&min, &service_creds);
if (delegated_creds != GSS_C_NO_CREDENTIAL)
gss_release_cred(&min, &delegated_creds);
return success;
}
static bool
init_with_password(const char *name, const char *password)
{
OM_uint32 maj, min;
gss_name_t desired_principal = GSS_C_NO_NAME;
gss_cred_id_t client_creds = GSS_C_NO_CREDENTIAL;
gss_cred_id_t service_creds = GSS_C_NO_CREDENTIAL;
gss_buffer_desc pwd_buf;
bool success = false;
if (!init_creds(&service_creds, GSS_C_ACCEPT)) {
goto done;
}
desired_principal = import_name(name);
if (desired_principal == GSS_C_NO_NAME) {
goto done;
}
if (init_tgt && password != NULL) {
pwd_buf.value = (void *)password;
pwd_buf.length = strlen(password);
maj = gss_acquire_cred_with_password(&min,
desired_principal,
&pwd_buf,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_INITIATE,
&client_creds,
NULL,
NULL);
if (GSS_ERROR(maj)) {
log_error("gss_acquire_cred_with_password()", maj, min);
goto done;
}
}
if ((ccache_path != NULL) && (client_creds != GSS_C_NO_CREDENTIAL)) {
if (!store_creds_into_cache(client_creds, ccache_path)) {
fprintf(stderr, "Failed to store credentials in cache\n");
goto done;
}
}
if (client_creds != GSS_C_NO_CREDENTIAL)
fprintf(stderr, "Acquired credentials for %s\n", name);
success = init_accept_sec_context(client_creds, service_creds, NULL);
done:
if (service_creds != GSS_C_NO_CREDENTIAL)
gss_release_cred(&min, &client_creds);
if (client_creds != GSS_C_NO_CREDENTIAL)
gss_release_cred(&min, &client_creds);
if (desired_principal != GSS_C_NO_NAME)
gss_release_name(&min, &desired_principal);
return success;
}
struct poptOption popt_options[] = {
{
.longName = "enterprise",
.shortName = 'E',
.argInfo = POPT_ARG_NONE | POPT_ARGFLAG_OPTIONAL,
.val = 'E',
.descrip = "Treat the user principal as an enterprise name",
},
{
.longName = "ccache",
.shortName = 'c',
.argInfo = POPT_ARG_STRING | POPT_ARGFLAG_OPTIONAL,
.val = 'c',
.descrip = "Credentials cache file to save acquired tickets to. "
"Tickets aren't saved by default",
.argDescrip = "CCACHE-PATH",
},
{
.longName = "keytab",
.shortName = 'k',
.argInfo = POPT_ARG_STRING | POPT_ARGFLAG_OPTIONAL,
.val = 'k',
.descrip = "Keytab for a service key to acquire service ticket for. "
"Default keytab is used if omitted",
.argDescrip = "KEYTAB-PATH",
},
{
.longName = "reuse",
.shortName = 'r',
.argInfo = POPT_ARG_NONE | POPT_ARGFLAG_OPTIONAL,
.val = 'r',
.descrip = "Re-use user principal's TGT from a default ccache",
},
{
.longName = "help",
.shortName = 'h',
.argInfo = POPT_ARG_NONE | POPT_ARGFLAG_OPTIONAL,
.val = 'h',
.descrip = "Show this help message",
},
POPT_TABLEEND};
static void
print_help(poptContext pc, const char *name)
{
const char *help = ""
"Usage: %s [options] {impersonate|ticket} user@realm\n\n"
"Print MS-PAC structure from a service ticket.\n\n"
"Operation 'impersonate':\n"
"\tExpects a TGT for a service in the default ccache and attempts to "
"obtain a service\n"
"\tticket to itself by performing a protocol transition for the specified "
"user (S4U2Self).\n\n"
"Operation 'ticket':\n"
"\tExpects a user password to be provided, acquires ticket granting ticket "
"and attempts to \n"
"\tobtain a service ticket to the specified service.\n\n"
"Resulting service ticket can be stored in the credential cache file "
"specified by '-c file' option.\n\n"
"Defaults to the host principal service name and the host keytab.\n\n";
fprintf(stderr, help, name);
poptPrintHelp(pc, stderr, 0);
}
static char *
ask_password(TALLOC_CTX *context, char *prompt1, char *prompt2, bool match)
{
krb5_prompt ap_prompts[2];
krb5_data k5d_pw0;
krb5_data k5d_pw1;
#define MAX(a, b) (((a) > (b)) ? (a) : (b))
#define PWD_BUFFER_SIZE MAX((IPAPWD_PASSWORD_MAX_LEN + 2), 1024)
char pw0[PWD_BUFFER_SIZE];
char pw1[PWD_BUFFER_SIZE];
char *password;
int num_prompts = match ? 2 : 1;
k5d_pw0.length = sizeof(pw0);
k5d_pw0.data = pw0;
ap_prompts[0].prompt = prompt1;
ap_prompts[0].hidden = 1;
ap_prompts[0].reply = &k5d_pw0;
if (match) {
k5d_pw1.length = sizeof(pw1);
k5d_pw1.data = pw1;
ap_prompts[1].prompt = prompt2;
ap_prompts[1].hidden = 1;
ap_prompts[1].reply = &k5d_pw1;
}
/* krb5_prompter_posix does not use krb5_context internally */
krb5_prompter_posix(NULL, NULL, NULL, NULL, num_prompts, ap_prompts);
if (match && (strcmp(pw0, pw1))) {
fprintf(stderr, "Passwords do not match!\n");
return NULL;
}
if (k5d_pw0.length > IPAPWD_PASSWORD_MAX_LEN) {
fprintf(stderr, "%s\n", "Password is too long!\n");
return NULL;
}
password = talloc_strndup(context, pw0, k5d_pw0.length);
if (!password)
return NULL;
return password;
}
int main(int argc, char *argv[])
{
int ret = 0, c = 0;
const char **argv_const = discard_const_p(const char *, argv);
const char **args = NULL;
char *password = NULL;
poptContext pc;
frame = talloc_init("printpac");
pc = poptGetContext(
"printpac", argc, argv_const, popt_options, POPT_CONTEXT_KEEP_FIRST);
while ((c = poptGetNextOpt(pc)) >= 0) {
switch (c) {
case 'c':
ccache_path = talloc_strdup(frame, poptGetOptArg(pc));
break;
case 'E':
import_name_oid = &GSS_KRB5_NT_ENTERPRISE_NAME;
break;
case 'k':
keytab_path = talloc_strdup(frame, poptGetOptArg(pc));
break;
case 'r':
init_tgt = false;
break;
case 'h':
print_help(pc, argv[0]);
ret = 0;
goto done;
}
}
if (c < -1) {
fprintf(stderr,
"%s: %s\n",
poptBadOption(pc, POPT_BADOPTION_NOALIAS),
poptStrerror(c));
ret = 1;
goto done;
}
args = poptGetArgs(pc);
for (c = 0; args && args[c]; c++)
;
if (c < 3) {
print_help(pc, args[0]);
ret = 1;
goto done;
}
c -= 2;
if (strncasecmp("ticket", args[1], strlen("ticket")) == 0) {
operation = OP_SERVICE_TICKET;
if (init_tgt) {
switch (c) {
case 1:
password = ask_password(frame, "Password", NULL, false);
break;
case 2:
password = talloc_strdup(frame, args[3]);
break;
default:
fprintf(stderr,
"Service ticket needs user principal and password\n\n");
print_help(pc, args[0]);
ret = 1;
goto done;
break;
}
} else {
if (c != 1) {
fprintf(stderr, "Service ticket needs user principal and password\n\n");
print_help(pc, args[0]);
ret = 1;
goto done;
}
}
} else if (strncasecmp("impersonate", args[1], strlen("impersonate")) == 0) {
operation = OP_IMPERSONATE;
if (c != 1) {
fprintf(stderr, "Impersonation ticket needs user principal\n\n");
print_help(pc, args[0]);
ret = 1;
goto done;
}
} else {
fprintf(stderr, "Wrong request type: %s\n\n", args[1]);
print_help(pc, args[0]);
ret = 1;
goto done;
}
switch (operation) {
case OP_IMPERSONATE:
ret = impersonate(args[2]) != true;
break;
case OP_SERVICE_TICKET:
ret = init_with_password(args[2], password) != true;
break;
}
done:
poptFreeContext(pc);
talloc_free(frame);
return ret;
}


@@ -24,7 +24,6 @@
#include <sys/utsname.h>
#include "ipa_kdb.h"
#include "ipa_krb5.h"
#define IPADB_GLOBAL_CONFIG_CACHE_TIME 60
@@ -60,7 +59,6 @@ static void ipadb_context_free(krb5_context kcontext,
free((*ctx)->supp_encs);
free((*ctx)->def_encs);
ipadb_mspac_struct_free(&(*ctx)->mspac);
krb5_free_principal(kcontext, (*ctx)->local_tgs);
krb5_free_default_realm(kcontext, (*ctx)->realm);
cfg = &(*ctx)->config;
@@ -195,8 +193,6 @@ static const struct {
{ "password", IPADB_USER_AUTH_PASSWORD },
{ "radius", IPADB_USER_AUTH_RADIUS },
{ "otp", IPADB_USER_AUTH_OTP },
{ "pkinit", IPADB_USER_AUTH_PKINIT },
{ "hardened", IPADB_USER_AUTH_HARDENED },
{ }
};
@@ -496,27 +492,6 @@ done:
return 0;
}
static krb5_principal ipadb_create_local_tgs(krb5_context kcontext,
struct ipadb_context *ipactx)
{
krb5_principal tgtp;
unsigned int length = strlen(ipactx->realm);
krb5_error_code kerr = 0;
kerr = krb5_build_principal_ext(kcontext, &tgtp,
length,
ipactx->realm,
KRB5_TGS_NAME_SIZE,
KRB5_TGS_NAME,
length,
ipactx->realm, 0);
if (kerr != 0) {
return NULL;
}
return tgtp;
}
/* INTERFACE */
static krb5_error_code ipadb_init_library(void)
@@ -578,12 +553,6 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
goto fail;
}
ipactx->local_tgs = ipadb_create_local_tgs(kcontext, ipactx);
if (!ipactx->local_tgs) {
ret = ENOMEM;
goto fail;
}
ipactx->base = ipadb_get_base_from_realm(kcontext);
if (!ipactx->base) {
ret = ENOMEM;
@@ -617,9 +586,8 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
ret = ipadb_get_connection(ipactx);
if (ret != 0) {
/* Not a fatal failure, as the LDAP server may be temporarily down. */
krb5_klog_syslog(LOG_INFO,
"Didn't connect to LDAP on startup: %d", ret);
/* not a fatal failure, as the LDAP server may be temporarily down */
/* TODO: spam syslog with this error */
}
kerr = krb5_db_set_context(kcontext, ipactx);
@@ -663,11 +631,57 @@ static krb5_error_code ipadb_get_age(krb5_context kcontext,
return 0;
}
#if KRB5_KDB_DAL_MAJOR_VERSION == 5
static void *ipadb_alloc(krb5_context context, void *ptr, size_t size)
{
return realloc(ptr, size);
}
static void ipadb_free(krb5_context context, void *ptr)
{
free(ptr);
}
#endif
/* KDB Virtual Table */
/* We explicitly want to keep different ABI tables below separate. */
/* Do not merge them together. Older ABI does not need to be updated */
#if KRB5_KDB_DAL_MAJOR_VERSION == 5
kdb_vftabl kdb_function_table = {
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
.min_ver = 0,
.init_library = ipadb_init_library,
.fini_library = ipadb_fini_library,
.init_module = ipadb_init_module,
.fini_module = ipadb_fini_module,
.create = ipadb_create,
.get_age = ipadb_get_age,
.get_principal = ipadb_get_principal,
.free_principal = ipadb_free_principal,
.put_principal = ipadb_put_principal,
.delete_principal = ipadb_delete_principal,
.iterate = ipadb_iterate,
.create_policy = ipadb_create_pwd_policy,
.get_policy = ipadb_get_pwd_policy,
.put_policy = ipadb_put_pwd_policy,
.iter_policy = ipadb_iterate_pwd_policy,
.delete_policy = ipadb_delete_pwd_policy,
.free_policy = ipadb_free_pwd_policy,
.alloc = ipadb_alloc,
.free = ipadb_free,
.fetch_master_key = ipadb_fetch_master_key,
.store_master_key_list = ipadb_store_master_key_list,
.change_pwd = ipadb_change_pwd,
.sign_authdata = ipadb_sign_authdata,
.check_transited_realms = ipadb_check_transited_realms,
.check_policy_as = ipadb_check_policy_as,
.audit_as_req = ipadb_audit_as_req,
.check_allowed_to_delegate = ipadb_check_allowed_to_delegate
};
#endif
#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
kdb_vftabl kdb_function_table = {
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
@@ -733,72 +747,8 @@ kdb_vftabl kdb_function_table = {
};
#endif
#if (KRB5_KDB_DAL_MAJOR_VERSION == 8)
/* Version 8 adds several arguments here. However, if we want to actually use
* them in mspac, we really ought to drop support for older DAL versions. */
static inline krb5_error_code
stub_sign_authdata(krb5_context context, unsigned int flags,
krb5_const_principal client_princ,
krb5_const_principal server_princ, krb5_db_entry *client,
krb5_db_entry *server, krb5_db_entry *header_server,
krb5_db_entry *local_tgt, krb5_keyblock *client_key,
krb5_keyblock *server_key, krb5_keyblock *header_key,
krb5_keyblock *local_tgt_key, krb5_keyblock *session_key,
krb5_timestamp authtime, krb5_authdata **tgt_auth_data,
void *ad_info, krb5_data ***auth_indicators,
krb5_authdata ***signed_auth_data)
{
krb5_db_entry *krbtgt = header_server ? header_server : local_tgt;
krb5_keyblock *krbtgt_key = header_key ? header_key : local_tgt_key;
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
client = header_server;
krbtgt = local_tgt;
krbtgt_key = local_tgt_key;
}
return ipadb_sign_authdata(context, flags, client_princ, client, server,
krbtgt, client_key, server_key, krbtgt_key,
session_key, authtime, tgt_auth_data,
signed_auth_data);
}
kdb_vftabl kdb_function_table = {
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
.min_ver = 0,
.init_library = ipadb_init_library,
.fini_library = ipadb_fini_library,
.init_module = ipadb_init_module,
.fini_module = ipadb_fini_module,
.create = ipadb_create,
.get_age = ipadb_get_age,
.get_principal = ipadb_get_principal,
.put_principal = ipadb_put_principal,
.delete_principal = ipadb_delete_principal,
.iterate = ipadb_iterate,
.create_policy = ipadb_create_pwd_policy,
.get_policy = ipadb_get_pwd_policy,
.put_policy = ipadb_put_pwd_policy,
.iter_policy = ipadb_iterate_pwd_policy,
.delete_policy = ipadb_delete_pwd_policy,
.fetch_master_key = ipadb_fetch_master_key,
.store_master_key_list = ipadb_store_master_key_list,
.change_pwd = ipadb_change_pwd,
.sign_authdata = stub_sign_authdata,
.check_transited_realms = ipadb_check_transited_realms,
.check_policy_as = ipadb_check_policy_as,
.audit_as_req = ipadb_audit_as_req,
.check_allowed_to_delegate = ipadb_check_allowed_to_delegate,
.free_principal_e_data = ipadb_free_principal_e_data,
.get_s4u_x509_principal = NULL,
.allowed_to_delegate_from = NULL,
.get_authdata_info = NULL,
.free_authdata_info = NULL,
};
#endif
#if (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
(KRB5_KDB_DAL_MAJOR_VERSION != 7) && \
(KRB5_KDB_DAL_MAJOR_VERSION != 8)
#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \
(KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
(KRB5_KDB_DAL_MAJOR_VERSION != 7)
#error unsupported DAL major version
#endif
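Review bot: The startup LDAP-connection failure is no longer logged on the new side of the `@@ -617,9 +586,8 @@` hunk in `ipadb_init_module`: the `krb5_klog_syslog(LOG_INFO, "Didn't connect to LDAP on startup: %d", ret);` call is gone and only the comments `/* not a fatal failure ... */` and `/* TODO: spam syslog with this error */` remain, if I read the old/new sides of this rendered section correctly. Treating the failure as non-fatal is fine, but with no log line an unreachable or misconfigured directory at KDC start leaves no trace in the KDC log until the first lookup fails, which is exactly what the surviving TODO asks to avoid. Keeping the single `krb5_klog_syslog(LOG_INFO, "Didn't connect to LDAP on startup: %d", ret);` line inside the `if (ret != 0)` branch costs nothing. `ipadb_init_module` starts and ends outside the hunk.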


@@ -4,7 +4,6 @@ EXPORTED {
global:
kdb_function_table;
certauth_ipakdb_initvt;
kdcpolicy_ipakdb_initvt;
# everything else is local
local:


@@ -90,16 +90,6 @@ enum ipadb_user_auth {
IPADB_USER_AUTH_PASSWORD = 1 << 1,
IPADB_USER_AUTH_RADIUS = 1 << 2,
IPADB_USER_AUTH_OTP = 1 << 3,
IPADB_USER_AUTH_PKINIT = 1 << 4,
IPADB_USER_AUTH_HARDENED = 1 << 5,
};
enum ipadb_user_auth_idx {
IPADB_USER_AUTH_IDX_OTP = 0,
IPADB_USER_AUTH_IDX_RADIUS,
IPADB_USER_AUTH_IDX_PKINIT,
IPADB_USER_AUTH_IDX_HARDENED,
IPADB_USER_AUTH_IDX_MAX,
};
struct ipadb_global_config {
@@ -134,13 +124,6 @@ struct ipadb_context {
/* Don't access this directly, use ipadb_get_global_config(). */
struct ipadb_global_config config;
krb5_principal local_tgs;
};
struct ipadb_e_pol_limits {
krb5_deltat max_life;
krb5_deltat max_renewable_life;
};
#define IPA_E_DATA_MAGIC 0x0eda7a
@@ -156,8 +139,6 @@ struct ipadb_e_data {
time_t last_admin_unlock;
char **authz_data;
bool has_tktpolaux;
enum ipadb_user_auth user_auth;
struct ipadb_e_pol_limits pol_limits[IPADB_USER_AUTH_IDX_MAX];
};
struct ipadb_context *ipadb_get_context(krb5_context kcontext);
@@ -347,7 +328,7 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
void ipadb_audit_as_req(krb5_context kcontext,
krb5_kdc_req *request,
#if (KRB5_KDB_DAL_MAJOR_VERSION >= 7)
#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
const krb5_address *local_addr,
const krb5_address *remote_addr,
#endif


@@ -20,12 +20,13 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <syslog.h>
#include "ipa_kdb.h"
#include "ipa_pwd.h"
void ipadb_audit_as_req(krb5_context kcontext,
krb5_kdc_req *request,
#if (KRB5_KDB_DAL_MAJOR_VERSION >= 7)
#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
const krb5_address *local_addr,
const krb5_address *remote_addr,
#endif


@@ -39,6 +39,7 @@
#include <errno.h>
//#include <krb5/certauth_plugin.h>
#include <syslog.h>
#include <sss_certmap.h>
#include "ipa_krb5.h"
@@ -261,18 +262,16 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
const krb5_db_entry *db_entry,
char ***authinds_out)
{
char *cert_filter = NULL, **domains = NULL;
int ret, flags = 0;
char *cert_filter = NULL;
char **domains = NULL;
int ret;
size_t c;
char *principal = NULL, **auth_inds = NULL;
char *principal = NULL;
char **auth_inds = NULL;
LDAPMessage *res = NULL;
krb5_error_code kerr;
LDAPMessage *lentry;
#ifdef KRB5_KDB_FLAG_ALIAS_OK
flags = KRB5_KDB_FLAG_ALIAS_OK;
#endif
if (moddata == NULL) {
return KRB5_PLUGIN_NO_HANDLE;
}
@@ -329,8 +328,10 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
}
}
kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx, flags,
principal, cert_filter,
kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx,
KRB5_KDB_FLAG_ALIAS_OK,
principal,
cert_filter,
&res);
if (kerr != 0) {
krb5_klog_syslog(LOG_ERR, "Search failed [%d]", kerr);
@@ -338,7 +339,8 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
goto done;
}
kerr = ipadb_find_principal(context, flags, res, &principal, &lentry);
kerr = ipadb_find_principal(context, KRB5_KDB_FLAG_ALIAS_OK, res,
&principal, &lentry);
if (kerr == KRB5_KDB_NOENTRY) {
krb5_klog_syslog(LOG_INFO, "No matching entry found");
ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
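Review bot: `KRB5_KDB_FLAG_ALIAS_OK` is used unconditionally on the new side of the `@@ -329,8 +328,10 @@` and `@@ -338,7 +339,8 @@` hunks in `ipa_certauth_authorize`, while the removed code only set it under `#ifdef KRB5_KDB_FLAG_ALIAS_OK` and otherwise passed `flags = 0` (the hunk line counts support this reading of the sides). Against a krb5 header that does not define the flag the new code fails to compile instead of degrading to a non-alias lookup, so keeping `int flags = 0;` with the `#ifdef KRB5_KDB_FLAG_ALIAS_OK flags = KRB5_KDB_FLAG_ALIAS_OK; #endif` block and passing `flags` to both calls preserves the build on those versions. The commented-out `//#include <krb5/certauth_plugin.h>` in the first hunk should be either restored or deleted rather than left as dead text. The enclosing function starts and ends outside these hunks.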


@@ -1,154 +0,0 @@
/*
* Copyright (C) 2018 FreeIPA Contributors see COPYING for license
*/
#include <errno.h>
#include <syslog.h>
#include <krb5/kdcpolicy_plugin.h>
#include "ipa_krb5.h"
#include "ipa_kdb.h"
static krb5_error_code
ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
const krb5_kdc_req *request,
const krb5_db_entry *client,
const krb5_db_entry *server,
const char *const *auth_indicators,
const char **status, krb5_deltat *lifetime_out,
krb5_deltat *renew_lifetime_out)
{
krb5_error_code kerr;
enum ipadb_user_auth ua;
struct ipadb_e_data *ied;
struct ipadb_e_pol_limits *pol_limits = NULL;
int valid_auth_indicators = 0, flags = 0;
krb5_db_entry *client_actual = NULL;
#ifdef KRB5_KDB_FLAG_ALIAS_OK
flags = KRB5_KDB_FLAG_ALIAS_OK;
#endif
*status = NULL;
*lifetime_out = 0;
*renew_lifetime_out = 0;
ied = (struct ipadb_e_data *)client->e_data;
if (ied == NULL || ied->magic != IPA_E_DATA_MAGIC) {
/* e-data is not availble, getting user auth from LDAP */
krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: client e_data not availble. Try fetching...");
kerr = ipadb_get_principal(context, request->client, flags,
&client_actual);
if (kerr != 0) {
krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: ipadb_find_principal failed.");
return kerr;
}
ied = (struct ipadb_e_data *)client_actual->e_data;
if (ied == NULL && ied->magic != IPA_E_DATA_MAGIC) {
krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: client e_data fetching failed.");
return EINVAL;
}
}
ua = ied->user_auth;
/* If no mechanisms are set, allow every auth method */
if (ua == IPADB_USER_AUTH_NONE) {
return 0;
}
/* For each auth indicator, see if it is allowed for that user */
for (int i = 0; auth_indicators[i] != NULL; i++) {
const char *auth_indicator = auth_indicators[i];
if (strcmp(auth_indicator, "otp") == 0) {
valid_auth_indicators++;
if (!(ua & IPADB_USER_AUTH_OTP)) {
*status = "OTP pre-authentication not allowed for this user.";
return KRB5KDC_ERR_POLICY;
}
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_OTP]);
} else if (strcmp(auth_indicator, "radius") == 0) {
valid_auth_indicators++;
if (!(ua & IPADB_USER_AUTH_RADIUS)) {
*status = "OTP pre-authentication not allowed for this user.";
return KRB5KDC_ERR_POLICY;
}
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_RADIUS]);
} else if (strcmp(auth_indicator, "pkinit") == 0) {
valid_auth_indicators++;
if (!(ua & IPADB_USER_AUTH_PKINIT)) {
*status = "PKINIT pre-authentication not allowed for this user.";
return KRB5KDC_ERR_POLICY;
}
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_PKINIT]);
} else if (strcmp(auth_indicator, "hardened") == 0) {
valid_auth_indicators++;
/* Allow hardened even if only password pre-auth is allowed */
if (!(ua & (IPADB_USER_AUTH_HARDENED | IPADB_USER_AUTH_PASSWORD))) {
*status = "Password pre-authentication not not allowed for this user.";
return KRB5KDC_ERR_POLICY;
}
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_HARDENED]);
}
}
/* There is no auth indicator assigned for non-hardened password authentication
* so we assume password is used when no supported indicator exists */
if (!valid_auth_indicators) {
if (!(ua & IPADB_USER_AUTH_PASSWORD)) {
*status = "Non-hardened password authentication not allowed for this user.";
return KRB5KDC_ERR_POLICY;
}
}
/* If there were policy limits associated with the authentication indicators,
* apply them */
if (pol_limits != NULL) {
if (pol_limits->max_life != 0) {
*lifetime_out = pol_limits->max_life;
}
if (pol_limits->max_renewable_life != 0) {
*renew_lifetime_out = pol_limits->max_renewable_life;
}
}
return 0;
}
static krb5_error_code
ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
const krb5_kdc_req *request,
const krb5_db_entry *server,
const krb5_ticket *ticket,
const char *const *auth_indicators,
const char **status, krb5_deltat *lifetime_out,
krb5_deltat *renew_lifetime_out)
{
*status = NULL;
*lifetime_out = 0;
*renew_lifetime_out = 0;
return 0;
}
krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context,
int maj_ver, int min_ver,
krb5_plugin_vtable vtable)
{
krb5_kdcpolicy_vtable vt;
if (maj_ver != 1)
return KRB5_PLUGIN_VER_NOTSUPP;
vt = (krb5_kdcpolicy_vtable)vtable;
vt->name = "ipakdb";
vt->init = NULL;
vt->fini = NULL;
vt->check_as = ipa_kdcpolicy_check_as;
vt->check_tgs = ipa_kdcpolicy_check_tgs;
return 0;
}


@@ -25,6 +25,7 @@
#include "ipa_kdb.h"
#include "ipa_mspac.h"
#include <talloc.h>
#include <syslog.h>
#include <unicase.h>
#include "util/time.h"
#include "gen_ndr/ndr_krb5pac.h"
@@ -70,6 +71,17 @@ static char *memberof_pac_attrs[] = {
NULL
};
static struct {
char *service;
int length;
} supported_services[] = {
{"cifs", sizeof("cifs")},
{"HTTP", sizeof("HTTP")},
{NULL, 0}
};
#define SID_ID_AUTHS 6
#define SID_SUB_AUTHS 15
#define MAX(a,b) (((a)>(b))?(a):(b))
@@ -347,46 +359,6 @@ static int sid_split_rid(struct dom_sid *sid, uint32_t *rid)
return 0;
}
/* Add Asserted Identity SID */
static krb5_error_code ipadb_add_asserted_identity(struct ipadb_context *ipactx,
unsigned int flags,
TALLOC_CTX *memctx,
struct netr_SamInfo3 *info3)
{
struct netr_SidAttr *arr = NULL;
uint32_t sidcount = info3->sidcount;
krb5_error_code ret = 0;
arr = talloc_realloc(memctx,
info3->sids,
struct netr_SidAttr,
sidcount + 1);
if (!arr) {
return ENOMEM;
}
arr[sidcount].sid = talloc_zero(arr, struct dom_sid2);
if (!arr[sidcount].sid) {
return ENOMEM;
}
/* For S4U2Self, add Service Asserted Identity SID
* otherwise, add Authentication Authority Asserted Identity SID */
ret = string_to_sid((flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
"S-1-18-2" : "S-1-18-1",
arr[sidcount].sid);
if (ret) {
return ret;
}
arr[sidcount].attributes = SE_GROUP_MANDATORY |
SE_GROUP_ENABLED |
SE_GROUP_ENABLED_BY_DEFAULT;
info3->sids = arr;
info3->sidcount = sidcount + 1;
info3->base.user_flags |= NETLOGON_EXTRA_SIDS;
return 0;
}
static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
{
int ret;
@@ -412,7 +384,6 @@ static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
LDAPMessage *lentry,
unsigned int flags,
TALLOC_CTX *memctx,
struct netr_SamInfo3 *info3)
{
@@ -424,14 +395,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
char *strres;
int intres;
int ret;
int i;
char **objectclasses = NULL;
size_t c;
bool is_host = false;
bool is_user = false;
bool is_service = false;
bool is_ipauser = false;
bool is_idobject = false;
krb5_principal princ;
krb5_data *data;
ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
&objectclasses);
@@ -446,24 +417,11 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
if (strcasecmp(objectclasses[c], "ipaNTUserAttrs") == 0) {
is_user = true;
}
if (strcasecmp(objectclasses[c], "ipaIDObject") == 0) {
is_idobject = true;
}
if (strcasecmp(objectclasses[c], "ipaUser") == 0) {
is_ipauser = true;
}
free(objectclasses[c]);
}
}
free(objectclasses);
/* SMB service on IPA domain member will have both ipaIDOjbect and ipaUser
* object classes. Such service will have to be treated as a user in order
* to issue MS-PAC record for it. */
if (is_idobject && is_ipauser) {
is_user = true;
}
if (!is_host && !is_user && !is_service) {
/* We only handle users and hosts, and services */
return ENOENT;
@@ -475,10 +433,17 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
/* fqdn is mandatory for hosts */
return ret;
}
/* Currently we only add a PAC to TGTs for IPA servers to allow SSSD in
* ipa_server_mode to access the AD LDAP server */
if (!is_master_host(ipactx, strres)) {
free(strres);
return ENOENT;
}
} else if (is_service) {
ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres);
ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbPrincipalName", &strres);
if (ret) {
/* krbCanonicalName is mandatory for services */
/* krbPrincipalName is mandatory for services */
return ret;
}
@@ -489,10 +454,39 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ENOENT;
}
ret = krb5_unparse_name_flags(ipactx->kcontext,
princ, KRB5_PRINCIPAL_UNPARSE_SHORT,
&strres);
if (ret) {
if (krb5_princ_size(ipactx->kcontext, princ) != 2) {
krb5_free_principal(ipactx->kcontext, princ);
return ENOENT;
}
data = krb5_princ_component(ipactx->context, princ, 0);
for (i = 0; supported_services[i].service; i++) {
if (0 == memcmp(data->data, supported_services[i].service,
MIN(supported_services[i].length, data->length))) {
break;
}
}
if (supported_services[i].service == NULL) {
krb5_free_principal(ipactx->kcontext, princ);
return ENOENT;
}
data = krb5_princ_component(ipactx->context, princ, 1);
strres = malloc(data->length+1);
if (strres == NULL) {
krb5_free_principal(ipactx->kcontext, princ);
return ENOENT;
}
memcpy(strres, data->data, data->length);
strres[data->length] = '\0';
krb5_free_principal(ipactx->kcontext, princ);
/* Only add PAC to TGT to services on IPA masters to allow querying
* AD LDAP server */
if (!is_master_host(ipactx, strres)) {
free(strres);
return ENOENT;
}
} else {
@@ -629,19 +623,9 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.logon_count = 0; /* we do not have this info yet */
info3->base.bad_password_count = 0; /* we do not have this info yet */
if ((is_host || is_service)) {
/* it is either host or service, so get the hostname first */
char *sep = strchr(info3->base.account_name.string, '/');
bool is_master = is_master_host(
ipactx,
sep ? sep + 1 : info3->base.account_name.string);
if (is_master) {
/* Well know RID of domain controllers group */
info3->base.rid = 516;
} else {
/* Well know RID of domain computers group */
info3->base.rid = 515;
}
if (is_host || is_service) {
/* Well know RID of domain controllers group */
info3->base.rid = 516;
} else {
ret = ipadb_ldap_attr_to_str(lcontext, lentry,
"ipaNTSecurityIdentifier", &strres);
@@ -707,6 +691,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
}
if (tgid == prigid) {
info3->base.primary_gid = trid;
continue;
}
info3->base.groups.rids[count].rid = trid;
info3->base.groups.rids[count].attributes =
@@ -789,13 +774,11 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.failed_logon_count = 0; /* We do not have it */
info3->base.reserved = 0; /* Reserved */
ret = ipadb_add_asserted_identity(ipactx, flags, memctx, info3);
return ret;
return 0;
}
static krb5_error_code ipadb_get_pac(krb5_context kcontext,
krb5_db_entry *client,
unsigned int flags,
krb5_pac *pac)
{
TALLOC_CTX *tmpctx;
@@ -808,8 +791,6 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
union PAC_INFO pac_info;
krb5_error_code kerr;
enum ndr_err_code ndr_err;
union PAC_INFO pac_upn;
char *principal = NULL;
/* When no client entry is there, we cannot generate MS-PAC */
if (!client) {
@@ -858,7 +839,7 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
}
/* == Fill Info3 == */
kerr = ipadb_fill_info3(ipactx, lentry, flags, tmpctx,
kerr = ipadb_fill_info3(ipactx, lentry, tmpctx,
&pac_info.logon_info.info->info3);
if (kerr) {
goto done;
@@ -884,46 +865,6 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
kerr = krb5_pac_add_buffer(kcontext, *pac, KRB5_PAC_LOGON_INFO, &data);
/* == Package UPN_DNS_LOGON_INFO == */
memset(&pac_upn, 0, sizeof(pac_upn));
kerr = krb5_unparse_name(kcontext, client->princ, &principal);
if (kerr) {
goto done;
}
pac_upn.upn_dns_info.upn_name = talloc_strdup(tmpctx, principal);
krb5_free_unparsed_name(kcontext, principal);
if (pac_upn.upn_dns_info.upn_name == NULL) {
kerr = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
pac_upn.upn_dns_info.dns_domain_name = talloc_strdup(tmpctx, ipactx->realm);
if (pac_upn.upn_dns_info.dns_domain_name == NULL) {
kerr = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
/* IPA user principals are all constructed */
if ((pac_info.logon_info.info->info3.base.rid != 515) ||
(pac_info.logon_info.info->info3.base.rid != 516)) {
pac_upn.upn_dns_info.flags |= PAC_UPN_DNS_FLAG_CONSTRUCTED;
}
ndr_err = ndr_push_union_blob(&pac_data, tmpctx, &pac_upn,
PAC_TYPE_UPN_DNS_INFO,
(ndr_push_flags_fn_t)ndr_push_PAC_INFO);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
kerr = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
data.magic = KV5M_DATA;
data.data = (char *)pac_data.data;
data.length = pac_data.length;
kerr = krb5_pac_add_buffer(kcontext, *pac, KRB5_PAC_UPN_DNS_INFO, &data);
done:
ldap_msgfree(results);
talloc_free(tmpctx);
@@ -1843,12 +1784,8 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
priv_key = krbtgt_key;
}
/* only pass with_realm TRUE when it is cross-realm ticket and S4U
* extension (S4U2Self or S4U2Proxy (RBCD)) was requested */
kerr = krb5_pac_verify_ext(context, old_pac, authtime,
client_princ, srv_key, priv_key,
(is_cross_realm &&
(flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)));
kerr = krb5_pac_verify(context, old_pac, authtime,
client_princ, srv_key, priv_key);
if (kerr) {
goto done;
}
@@ -1882,8 +1819,7 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
for (i = 0; i < num_buffers; i++) {
if (types[i] == KRB5_PAC_SERVER_CHECKSUM ||
types[i] == KRB5_PAC_PRIVSVR_CHECKSUM ||
types[i] == KRB5_PAC_CLIENT_INFO) {
types[i] == KRB5_PAC_PRIVSVR_CHECKSUM) {
continue;
}
@@ -1941,7 +1877,6 @@ done:
}
static krb5_error_code ipadb_sign_pac(krb5_context context,
unsigned int flags,
krb5_const_principal client_princ,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -1957,7 +1892,6 @@ static krb5_error_code ipadb_sign_pac(krb5_context context,
krb5_principal krbtgt_princ = NULL;
krb5_error_code kerr;
char *princ = NULL;
bool is_issuing_referral = false;
int ret;
/* for cross realm trusts cases we need to sign with the right key.
@@ -2016,17 +1950,8 @@ static krb5_error_code ipadb_sign_pac(krb5_context context,
right_krbtgt_signing_key = krbtgt_key;
}
#ifdef KRB5_KDB_FLAG_ISSUING_REFERRAL
is_issuing_referral = (flags & KRB5_KDB_FLAG_ISSUING_REFERRAL) != 0;
#endif
/* only pass with_realm TRUE when it is cross-realm ticket and S4U2Self
* was requested */
kerr = krb5_pac_sign_ext(context, pac, authtime, client_princ, server_key,
right_krbtgt_signing_key,
(is_issuing_referral &&
(flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)),
pac_data);
kerr = krb5_pac_sign(context, pac, authtime, client_princ,
server_key, right_krbtgt_signing_key, pac_data);
done:
free(princ);
@@ -2243,10 +2168,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
}
/* we need to create a PAC if we are requested one and this is an AS REQ,
* or we are doing protocol transition (S4USelf) but not over cross-realm
*/
* or we are doing protocol transition (s4u2self) */
if ((is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) ||
((flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && (client != NULL))) {
(flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
make_ad = true;
}
@@ -2275,7 +2199,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
(void)ipadb_reinit_mspac(ipactx, force_reinit_mspac);
kerr = ipadb_get_pac(context, client, flags, &pac);
kerr = ipadb_get_pac(context, client, &pac);
if (kerr != 0 && kerr != ENOENT) {
goto done;
}
@@ -2289,7 +2213,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
/* check or generate pac data */
if ((pac_auth_data == NULL) || (pac_auth_data[0] == NULL)) {
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
kerr = ipadb_get_pac(context, client_entry, flags, &pac);
kerr = ipadb_get_pac(context, client_entry, &pac);
if (kerr != 0 && kerr != ENOENT) {
goto done;
}
@@ -2316,7 +2240,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
goto done;
}
kerr = ipadb_sign_pac(context, flags, ks_client_princ, server, krbtgt,
kerr = ipadb_sign_pac(context, ks_client_princ, server, krbtgt,
server_key, krbtgt_key, authtime, pac, &pac_data);
if (kerr != 0) {
goto done;

View File

@@ -80,12 +80,6 @@ static krb5_error_code ipadb_check_pw_policy(krb5_context context,
return EINVAL;
}
if (strlen(passwd) > IPAPWD_PASSWORD_MAX_LEN) {
krb5_set_error_message(context, E2BIG, "%s",
ipapwd_password_max_len_errmsg);
return E2BIG;
}
ied->passwd = strdup(passwd);
if (!ied->passwd) {
return ENOMEM;
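Review bot: On the new side of ipadb_check_pw_policy the length of `passwd` is no longer bounded before it is duplicated with `ied->passwd = strdup(passwd);`, so a caller-supplied password of any size reaches the copy and whatever policy and hashing work runs after it. The dropped lines capped this at `IPAPWD_PASSWORD_MAX_LEN` and returned E2BIG with `ipapwd_password_max_len_errmsg`; if that constant and message are still declared in this tree, keeping the check costs one comparison and bounds the work done on an oversize input, and if they are not, a local upper bound with an explicit krb5_set_error_message would serve the same purpose. A short comment on the remaining EINVAL path, such as `/* length is not bounded here; callers must cap it */`, would at least make the new contract visible. The enclosing function starts and ends outside the hunk.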

View File

@@ -21,7 +21,6 @@
*/
#include "ipa_kdb.h"
#include "ipa_krb5.h"
#include <unicase.h>
/*
@@ -79,8 +78,6 @@ static char *std_principal_attrs[] = {
IPA_KRB_AUTHZ_DATA_ATTR,
IPA_USER_AUTH_TYPE,
"ipatokenRadiusConfigLink",
"krbAuthIndMaxTicketLife",
"krbAuthIndMaxRenewableAge",
"objectClass",
NULL
@@ -90,8 +87,6 @@ static char *std_tktpolicy_attrs[] = {
"krbmaxticketlife",
"krbmaxrenewableage",
"krbticketflags",
"krbauthindmaxticketlife",
"krbauthindmaxrenewableage",
NULL
};
@@ -323,6 +318,15 @@ static void ipadb_validate_radius(struct ipadb_context *ipactx,
ldap_value_free_len(vals);
}
static void ipadb_validate_password(struct ipadb_context *ipactx,
LDAPMessage *lentry,
enum ipadb_user_auth *ua)
{
/* If no mechanisms are set, use password. */
if (*ua == IPADB_USER_AUTH_NONE)
*ua |= IPADB_USER_AUTH_PASSWORD;
}
static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
LDAPMessage *lentry)
{
@@ -350,6 +354,7 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
/* Perform flag validation. */
ipadb_validate_otp(ipactx, lentry, &ua);
ipadb_validate_radius(ipactx, lentry, &ua);
ipadb_validate_password(ipactx, lentry, &ua);
return ua;
}
@@ -510,66 +515,6 @@ cleanup:
return ret;
}
static void ipadb_parse_authind_policies(krb5_context kcontext,
LDAP *lcontext,
LDAPMessage *lentry,
krb5_db_entry *entry,
enum ipadb_user_auth ua)
{
int result;
int ret;
struct ipadb_e_data *ied;
const struct {
char *attribute;
enum ipadb_user_auth flag;
enum ipadb_user_auth_idx idx;
} life_authind_map[] = {
{"krbAuthIndMaxTicketLife;otp",
IPADB_USER_AUTH_OTP, IPADB_USER_AUTH_IDX_OTP},
{"krbAuthIndMaxTicketLife;radius",
IPADB_USER_AUTH_RADIUS, IPADB_USER_AUTH_IDX_RADIUS},
{"krbAuthIndMaxTicketLife;pkinit",
IPADB_USER_AUTH_PKINIT, IPADB_USER_AUTH_IDX_PKINIT},
{"krbAuthIndMaxTicketLife;hardened",
IPADB_USER_AUTH_HARDENED, IPADB_USER_AUTH_IDX_HARDENED},
{NULL, IPADB_USER_AUTH_NONE, IPADB_USER_AUTH_IDX_MAX},
}, age_authind_map[] = {
{"krbAuthIndMaxRenewableAge;otp",
IPADB_USER_AUTH_OTP, IPADB_USER_AUTH_IDX_OTP},
{"krbAuthIndMaxRenewableAge;radius",
IPADB_USER_AUTH_RADIUS, IPADB_USER_AUTH_IDX_RADIUS},
{"krbAuthIndMaxRenewableAge;pkinit",
IPADB_USER_AUTH_PKINIT, IPADB_USER_AUTH_IDX_PKINIT},
{"krbAuthIndMaxRenewableAge;hardened",
IPADB_USER_AUTH_HARDENED, IPADB_USER_AUTH_IDX_HARDENED},
{NULL, IPADB_USER_AUTH_NONE, IPADB_USER_AUTH_IDX_MAX},
};
ied = (struct ipadb_e_data *)entry->e_data;
if (ied == NULL) {
return;
}
for (size_t i = 0; life_authind_map[i].attribute != NULL; i++) {
if (ua & life_authind_map[i].flag) {
ret = ipadb_ldap_attr_to_int(lcontext, lentry,
life_authind_map[i].attribute,
&result);
if (ret == 0) {
ied->pol_limits[life_authind_map[i].idx].max_life = result;
}
ret = ipadb_ldap_attr_to_int(lcontext, lentry,
age_authind_map[i].attribute,
&result);
if (ret == 0) {
ied->pol_limits[age_authind_map[i].idx].max_renewable_life = result;
}
}
}
}
static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
char *principal,
LDAPMessage *lentry,
@@ -609,17 +554,6 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
return KRB5_KDB_DBNOTINITED;
}
lcontext = ipactx->lcontext;
if (!lcontext) {
krb5_klog_syslog(LOG_INFO,
"No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
ret = ipadb_get_connection(ipactx);
if (ret != 0) {
krb5_klog_syslog(LOG_ERR,
"No LDAP connection on retry in ipadb_parse_ldap_entry()!\n");
kerr = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
}
entry->magic = KRB5_KDB_MAGIC_NUMBER;
entry->len = KRB5_KDB_V1_BASE_LENGTH;
@@ -774,17 +708,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
&res_key_data, &result, &mkvno);
switch (ret) {
case 0:
/* Only set a principal's key if password auth can be used. Otherwise
* the KDC would add pre-authentication methods to the NEEDED_PREAUTH
* reply for AS-REQs which indicate the password authentication is
* available. This might confuse applications like e.g. SSSD which try
* to determine suitable authentication methods and corresponding
* prompts with the help of MIT Kerberos' responder interface which
* acts on the returned pre-authentication methods. A typical example
* is enforced OTP authentication where of course keys are available
* for the first factor but password authentication should not be
* advertised by the KDC. */
if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
/* Only set a principal's key if password auth should be used. */
if (!(ua & IPADB_USER_AUTH_PASSWORD)) {
/* This is the same behavior as ENOENT below. */
ipa_krb5_free_key_data(res_key_data, result);
break;
@@ -926,8 +851,6 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
ied->authz_data = authz_data_list;
}
ied->user_auth = ua;
/* If enabled, set the otp user string, enabling otp. */
if (ua & IPADB_USER_AUTH_OTP) {
kerr = ipadb_set_tl_data(entry, KRB5_TL_STRING_ATTRS,
@@ -941,10 +864,6 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
goto done;
}
if (ua & ~IPADB_USER_AUTH_NONE) {
ipadb_parse_authind_policies(kcontext, lcontext, lentry, entry, ua);
}
kerr = 0;
done:
@@ -964,9 +883,9 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
LDAPMessage **result)
{
krb5_error_code kerr;
char *src_filter = NULL, *esc_original_princ = NULL;
char *src_filter = NULL;
char *esc_original_princ = NULL;
int ret;
int len = 0;
if (!ipactx->lcontext) {
ret = ipadb_get_connection(ipactx);
@@ -976,48 +895,29 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
}
}
/* Escape filter but do not touch '*' as this function accepts
* wildcards in names. */
/* escape filter but do not touch '*' as this function accepts
* wildcards in names */
esc_original_princ = ipadb_filter_escape(principal, false);
if (!esc_original_princ) {
kerr = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
len = strlen(esc_original_princ);
/* Starting in DAL 8.0, aliases are always okay. */
#ifdef KRB5_KDB_FLAG_ALIAS_OK
if (!(flags & KRB5_KDB_FLAG_ALIAS_OK)) {
if (filter == NULL) {
ret = asprintf(&src_filter, PRINC_SEARCH_FILTER,
esc_original_princ);
if (filter == NULL) {
if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
esc_original_princ, esc_original_princ);
} else {
ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
}
} else {
if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
esc_original_princ, esc_original_princ, filter);
} else {
ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
esc_original_princ, filter);
}
} else
#endif
{
/* In case we've got a principal name as '*' we have to
* follow RFC 4515 section 3 and reencode it using
* <valueencoding> rule from RFC 4511 section 4.1.6 but
* only to the part of the filter that does use assertion
* value. */
const char *asterisk = "%x2A";
char *assertion_value = esc_original_princ;
if ((len == 1) && (esc_original_princ[0] == '*')) {
assertion_value = asterisk;
}
if (filter == NULL) {
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
esc_original_princ, assertion_value);
} else {
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
esc_original_princ, assertion_value, filter);
}
}
if (ret == -1) {
@@ -1025,8 +925,11 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
goto done;
}
kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE,
src_filter, std_principal_attrs, result);
kerr = ipadb_simple_search(ipactx,
ipactx->base, LDAP_SCOPE_SUBTREE,
src_filter, std_principal_attrs,
result);
done:
free(src_filter);
free(esc_original_princ);
@@ -1051,109 +954,100 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
struct ipadb_context *ipactx;
bool found = false;
LDAPMessage *le = NULL;
struct berval **vals = NULL;
int result;
krb5_error_code ret;
size_t princ_len = 0;
struct berval **vals;
int i, result;
ipactx = ipadb_get_context(kcontext);
if (!ipactx) {
ret = KRB5_KDB_DBNOTINITED;
goto done;
return KRB5_KDB_DBNOTINITED;
}
princ_len = strlen(*principal);
for (le = ldap_first_entry(ipactx->lcontext, res); le != NULL;
le = ldap_next_entry(ipactx->lcontext, le)) {
vals = ldap_get_values_len(ipactx->lcontext, le, "krbprincipalname");
if (vals == NULL)
continue;
while (!found) {
/* We need to check for a strict match as a '*' in the name may have
* caused the ldap server to return multiple entries. */
for (int i = 0; vals[i]; i++) {
#ifdef KRB5_KDB_FLAG_ALIAS_OK
if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
found = ((vals[i]->bv_len == princ_len) &&
strncmp(vals[i]->bv_val, *principal, vals[i]->bv_len) == 0);
if (found)
break;
continue;
}
#endif
/* The KDC will accept aliases when doing TGT lookup
* (ref_tgt_again in do_tgs_req.c), so use case-insensitive
* comparison. */
if (ulc_casecmp(vals[i]->bv_val, vals[i]->bv_len, *principal,
princ_len, NULL, NULL, &result) != 0) {
ret = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
if (result != 0)
continue;
/* Fix case on the incoming principal to ensure that a valid
* name/alias is returned even if krbCanonicalName is not
* present. */
free(*principal);
*principal = strndup(vals[i]->bv_val, vals[i]->bv_len);
if (!*principal) {
ret = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
princ_len = strlen(*principal);
found = true;
if (!le) {
le = ldap_first_entry(ipactx->lcontext, res);
} else {
le = ldap_next_entry(ipactx->lcontext, le);
}
if (!le) {
break;
}
vals = ldap_get_values_len(ipactx->lcontext, le, "krbprincipalname");
if (vals == NULL) {
continue;
}
/* we need to check for a strict match as a '*' in the name may have
* caused the ldap server to return multiple entries */
for (i = 0; vals[i]; i++) {
/* KDC will accept aliases when doing TGT lookup (ref_tgt_again in do_tgs_req.c */
/* Use case-insensitive comparison in such cases */
if ((flags & KRB5_KDB_FLAG_ALIAS_OK) != 0) {
if (ulc_casecmp(vals[i]->bv_val, vals[i]->bv_len,
(*principal), strlen(*principal),
NULL, NULL, &result) != 0)
return KRB5_KDB_INTERNAL_ERROR;
found = (result == 0);
if (found) {
/* replace the incoming principal with the value having
* the correct case. This ensures that valid name/alias
* is returned even if krbCanonicalName is not present
*/
free(*principal);
*principal = strdup(vals[i]->bv_val);
if (!(*principal)) {
return KRB5_KDB_INTERNAL_ERROR;
}
}
} else {
found = (strcmp(vals[i]->bv_val, (*principal)) == 0);
}
if (found) {
break;
}
}
ldap_value_free_len(vals);
vals = NULL;
if (!found) {
continue;
}
/* We need to check if this is the canonical name. */
/* we need to check if this is the canonical name */
vals = ldap_get_values_len(ipactx->lcontext, le, "krbcanonicalname");
if (vals == NULL)
break;
#ifdef KRB5_KDB_FLAG_ALIAS_OK
/* If aliases aren't accepted by the KDC, use case-sensitive
* comparison. */
if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
found = ((vals[0]->bv_len == strlen(*principal)) &&
strncmp(vals[0]->bv_val, *principal, vals[0]->bv_len) == 0);
if (!found) {
ldap_value_free_len(vals);
vals = NULL;
continue;
}
if (vals == NULL) {
continue;
}
/* Again, if aliases are accepted by KDC, use case-insensitive comparison */
if ((flags & KRB5_KDB_FLAG_ALIAS_OK) != 0) {
found = true;
} else {
found = (strcmp(vals[0]->bv_val, (*principal)) == 0);
}
if (!found) {
/* search does not allow aliases */
ldap_value_free_len(vals);
continue;
}
#endif
free(*principal);
*principal = strndup(vals[0]->bv_val, vals[0]->bv_len);
if (!*principal) {
ret = KRB5_KDB_INTERNAL_ERROR;
goto done;
*principal = strdup(vals[0]->bv_val);
if (!(*principal)) {
return KRB5_KDB_INTERNAL_ERROR;
}
break;
ldap_value_free_len(vals);
}
if (!found || !le) {
ret = KRB5_KDB_NOENTRY;
goto done;
return KRB5_KDB_NOENTRY;
}
ret = 0;
*entry = le;
done:
if (vals)
ldap_value_free_len(vals);
return ret;
return 0;
}
static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
@@ -1163,7 +1057,7 @@ static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
struct ipadb_e_data *ied;
config = ipadb_get_global_config(ipactx);
if (config && config->disable_preauth_for_spns) {
if (config->disable_preauth_for_spns) {
ied = (struct ipadb_e_data *)entry->e_data;
if (ied && ied->ipa_user != true) {
/* not a user, assume SPN */
@@ -1273,67 +1167,32 @@ done:
return kerr;
}
static krb5_boolean is_request_for_us(krb5_context kcontext,
krb5_principal local_tgs,
krb5_const_principal search_for)
{
krb5_boolean for_us;
/* TODO: handle case where main object and krbprincipal data are not
* the same object but linked objects ?
* (by way of krbprincipalaux being in a separate object from krbprincipal).
* Currently we only support objcts with both objectclasses present at the
* same time. */
for_us = krb5_realm_compare(kcontext, local_tgs, search_for) ||
krb5_principal_compare_any_realm(kcontext,
local_tgs, search_for);
return for_us;
}
static krb5_error_code dbget_princ(krb5_context kcontext,
struct ipadb_context *ipactx,
krb5_const_principal search_for,
unsigned int flags,
krb5_db_entry **entry)
krb5_error_code ipadb_get_principal(krb5_context kcontext,
krb5_const_principal search_for,
unsigned int flags,
krb5_db_entry **entry)
{
struct ipadb_context *ipactx;
krb5_error_code kerr;
char *principal = NULL;
char *trusted_realm = NULL;
LDAPMessage *res = NULL;
LDAPMessage *lentry;
krb5_db_entry *kentry = NULL;
uint32_t pol;
if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0 &&
(flags & KRB5_KDB_FLAG_CANONICALIZE) != 0) {
/* AS_REQ with canonicalization*/
krb5_principal norm_princ = NULL;
/* unparse the Kerberos principal without (our) outer realm. */
kerr = krb5_unparse_name_flags(kcontext, search_for,
KRB5_PRINCIPAL_UNPARSE_NO_REALM |
KRB5_PRINCIPAL_UNPARSE_DISPLAY,
&principal);
if (kerr != 0) {
goto done;
}
/* Re-parse the principal to normalize it. Innner realm becomes
* the realm if present. If no inner realm, our default realm
* will be used instead (as it was before). */
kerr = krb5_parse_name(kcontext, principal, &norm_princ);
if (kerr != 0) {
goto done;
}
/* Unparse without escaping '@' and '/' because we are going to use them
* in LDAP filters where escaping character '\' will be escaped and the
* result will never match. */
kerr = krb5_unparse_name_flags(kcontext, norm_princ,
KRB5_PRINCIPAL_UNPARSE_DISPLAY, &principal);
krb5_free_principal(kcontext, norm_princ);
} else {
/* Unparse without escaping '@' and '/' because we are going to use them
* in LDAP filters where escaping character '\' will be escaped and the
* result will never match. */
kerr = krb5_unparse_name_flags(kcontext, search_for,
KRB5_PRINCIPAL_UNPARSE_DISPLAY, &principal);
ipactx = ipadb_get_context(kcontext);
if (!ipactx) {
return KRB5_KDB_DBNOTINITED;
}
kerr = krb5_unparse_name(kcontext, search_for, &principal);
if (kerr != 0) {
goto done;
}
@@ -1345,7 +1204,95 @@ static krb5_error_code dbget_princ(krb5_context kcontext,
kerr = ipadb_find_principal(kcontext, flags, res, &principal, &lentry);
if (kerr != 0) {
goto done;
if ((kerr == KRB5_KDB_NOENTRY) &&
((flags & (KRB5_KDB_FLAG_CANONICALIZE |
KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY)) != 0)) {
/* First check if we got enterprise principal which looks like
* username\@enterprise_realm@REALM */
char *realm;
krb5_data *upn;
upn = krb5_princ_component(kcontext, search_for,
krb5_princ_size(kcontext, search_for) - 1);
if (upn == NULL) {
kerr = KRB5_KDB_NOENTRY;
goto done;
}
realm = memrchr(upn->data, '@', upn->length);
if (realm == NULL) {
kerr = KRB5_KDB_NOENTRY;
goto done;
}
/* skip '@' and use part after '@' as an enterprise realm for comparison */
realm++;
/* check for our realm */
if (strncasecmp(ipactx->realm, realm,
upn->length - (realm - upn->data)) == 0) {
/* it looks like it is ok to use malloc'ed strings as principal */
krb5_free_unparsed_name(kcontext, principal);
principal = strndup((const char *) upn->data, upn->length);
if (principal == NULL) {
kerr = ENOMEM;
goto done;
}
ldap_msgfree(res);
res = NULL;
kerr = ipadb_fetch_principals(ipactx, flags, principal, &res);
if (kerr != 0) {
goto done;
}
kerr = ipadb_find_principal(kcontext, flags, res, &principal,
&lentry);
if (kerr != 0) {
goto done;
}
} else {
kerr = ipadb_is_princ_from_trusted_realm(kcontext,
realm,
upn->length - (realm - upn->data),
&trusted_realm);
if (kerr == KRB5_KDB_NOENTRY) {
/* try to refresh trusted domain data and try again */
kerr = ipadb_reinit_mspac(ipactx, false);
if (kerr != 0) {
kerr = KRB5_KDB_NOENTRY;
goto done;
}
kerr = ipadb_is_princ_from_trusted_realm(kcontext, realm,
upn->length - (realm - upn->data),
&trusted_realm);
}
if (kerr == 0) {
kentry = calloc(1, sizeof(krb5_db_entry));
if (!kentry) {
kerr = ENOMEM;
goto done;
}
kerr = krb5_parse_name(kcontext, principal,
&kentry->princ);
if (kerr != 0) {
goto done;
}
kerr = krb5_set_principal_realm(kcontext, kentry->princ, trusted_realm);
if (kerr != 0) {
goto done;
}
*entry = kentry;
}
goto done;
}
} else {
goto done;
}
}
kerr = ipadb_parse_ldap_entry(kcontext, principal, lentry, entry, &pol);
@@ -1361,187 +1308,15 @@ static krb5_error_code dbget_princ(krb5_context kcontext,
}
done:
free(trusted_realm);
if ((kerr != 0) && (kentry != NULL)) {
ipadb_free_principal(kcontext, kentry);
}
ldap_msgfree(res);
krb5_free_unparsed_name(kcontext, principal);
return kerr;
}
static krb5_error_code dbget_alias(krb5_context kcontext,
struct ipadb_context *ipactx,
krb5_const_principal search_for,
unsigned int flags,
krb5_db_entry **entry)
{
krb5_error_code kerr = 0;
char *principal = NULL;
krb5_principal norm_princ = NULL;
char *trusted_realm = NULL;
krb5_db_entry *kentry = NULL;
krb5_data *realm;
/* TODO: also support hostbased aliases */
/* Enterprise principal name type is for potential aliases or principals
* from trusted realms. The logic below only applies to this type */
if (krb5_princ_type(kcontext, search_for) != KRB5_NT_ENTERPRISE_PRINCIPAL) {
return KRB5_KDB_NOENTRY;
}
/* enterprise principal can only have single component in the name
* according to RFC6806 section 5. */
if (krb5_princ_size(kcontext, search_for) != 1) {
return KRB5_KDB_NOENTRY;
}
/* unparse the Kerberos principal without (our) outer realm. */
kerr = krb5_unparse_name_flags(kcontext, search_for,
KRB5_PRINCIPAL_UNPARSE_NO_REALM |
KRB5_PRINCIPAL_UNPARSE_DISPLAY,
&principal);
if (kerr != 0) {
goto done;
}
/* Re-parse the principal to normalize it. Innner realm becomes
* the realm if present. If no inner realm, our default realm
* will be used instead (as it was before). */
kerr = krb5_parse_name(kcontext, principal, &norm_princ);
if (kerr != 0) {
goto done;
}
if (krb5_realm_compare(kcontext, ipactx->local_tgs, norm_princ)) {
/* In realm alias, try to retrieve it and let the caller handle it. */
kerr = dbget_princ(kcontext, ipactx, norm_princ, flags, entry);
goto done;
}
/* The request is out of realm starting from here */
/*
* Per RFC6806 section 7 and 8, the canonicalize flag is required for
* both client and server referrals. But it is more useful to ignore it
* like Windows KDC does for client referrals.
*/
if (((flags & KRB5_KDB_FLAG_CANONICALIZE) == 0) &&
((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0)) {
kerr = KRB5_KDB_NOENTRY;
goto done;
}
/* Determine the trusted realm to refer to. We don't need the principal
* itself, only its realm */
realm = krb5_princ_realm(kcontext, norm_princ);
kerr = ipadb_is_princ_from_trusted_realm(kcontext,
realm->data,
realm->length,
&trusted_realm);
if (kerr == KRB5_KDB_NOENTRY) {
/* If no trusted realm found, refresh trusted domain data and try again
* because it might be a freshly added trust to AD */
kerr = ipadb_reinit_mspac(ipactx, false);
if (kerr != 0) {
kerr = KRB5_KDB_NOENTRY;
goto done;
}
kerr = ipadb_is_princ_from_trusted_realm(kcontext,
realm->data,
realm->length,
&trusted_realm);
}
if (kerr != 0) {
goto done;
}
/* This is a known trusted realm. Issue a referral depending on whether this
* is client or server referral request */
if (flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) {
/* client referral out of realm, set next realm. */
kerr = krb5_set_principal_realm(kcontext, norm_princ, trusted_realm);
if (kerr != 0) {
goto done;
}
kentry = calloc(1, sizeof(krb5_db_entry));
if (!kentry) {
kerr = ENOMEM;
goto done;
}
kentry->princ = norm_princ;
norm_princ = NULL;
*entry = kentry;
goto done;
}
if (flags & KRB5_KDB_FLAG_INCLUDE_PAC) {
/* TGS request where KDC wants to generate PAC
* but the principal is out of our realm */
kerr = KRB5_KDB_NOENTRY;
goto done;
}
/* server referrals: lookup krbtgt/next_realm@our_realm */
krb5_free_principal(kcontext, norm_princ);
norm_princ = NULL;
kerr = krb5_build_principal_ext(kcontext, &norm_princ,
strlen(ipactx->realm),
ipactx->realm,
KRB5_TGS_NAME_SIZE,
KRB5_TGS_NAME,
strlen(trusted_realm),
trusted_realm, 0);
if (kerr != 0) {
goto done;
}
kerr = dbget_princ(kcontext, ipactx, norm_princ, flags, entry);
done:
free(trusted_realm);
krb5_free_principal(kcontext, norm_princ);
krb5_free_unparsed_name(kcontext, principal);
return kerr;
}
/* TODO: handle case where main object and krbprincipal data are not
* the same object but linked objects ?
* (by way of krbprincipalaux being in a separate object from krbprincipal).
* Currently we only support objcts with both objectclasses present at the
* same time. */
krb5_error_code ipadb_get_principal(krb5_context kcontext,
krb5_const_principal search_for,
unsigned int flags,
krb5_db_entry **entry)
{
struct ipadb_context *ipactx;
krb5_error_code kerr;
*entry = NULL;
ipactx = ipadb_get_context(kcontext);
if (!ipactx) {
return KRB5_KDB_DBNOTINITED;
}
if (!is_request_for_us(kcontext, ipactx->local_tgs, search_for)) {
return KRB5_KDB_NOENTRY;
}
/* Lookup local names and aliases first. */
kerr = dbget_princ(kcontext, ipactx, search_for, flags, entry);
if (kerr != KRB5_KDB_NOENTRY) {
return kerr;
}
return dbget_alias(kcontext, ipactx, search_for, flags, entry);
}
void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data)
{
struct ipadb_e_data *ied;
@@ -2722,7 +2497,7 @@ krb5_error_code ipadb_delete_principal(krb5_context kcontext,
char *canonicalized = NULL;
LDAPMessage *res = NULL;
LDAPMessage *lentry;
unsigned int flags = 0;
unsigned int flags;
ipactx = ipadb_get_context(kcontext);
if (!ipactx) {
@@ -2749,9 +2524,7 @@ krb5_error_code ipadb_delete_principal(krb5_context kcontext,
goto done;
}
#ifdef KRB5_KDB_FLAG_ALIAS_OK
flags = KRB5_KDB_FLAG_ALIAS_OK;
#endif
kerr = ipadb_find_principal(kcontext, flags, res, &canonicalized, &lentry);
if (kerr != 0) {
goto done;