From 741f64f4b5428ccfa8105c61a91de8e0fab37bc3 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: May 27 2020 19:19:49 +0000 Subject: ipa-kdb: Always allow services to get PAC if needed Previously, FreeIPA only allowed to issue PAC record in a ticket for the following principal types: - for IPA users - for a host principal of one of IPA masters - for a cifs/ or HTTP/ service on one of IPA masters To allow S4U2Self operations over trust to AD, an impersonating service must have PAC record in its TGT to be able to ask AD DCs for a S4U2Self ticket. It means any IPA service performing S4U2Self would need to have PAC record and the constraints above prevent it from doing so. However, depending on whether the service or host principal belongs to one of IPA masters, we need to set proper primary RID to 516 (domain controllers) or 515 (domain computers). Fixes: https://pagure.io/freeipa/issue/8319 Signed-off-by: Alexander Bokovoy Reviewed-By: Isaac Boukris Reviewed-By: Florence Blanc-Renaud --- diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 75b370f..54bfbf9 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -70,17 +70,6 @@ static char *memberof_pac_attrs[] = { NULL }; - -static struct { - char *service; - int length; -} supported_services[] = { - {"cifs", sizeof("cifs")}, - {"HTTP", sizeof("HTTP")}, - {NULL, 0} -}; - - #define SID_ID_AUTHS 6 #define SID_SUB_AUTHS 15 #define MAX(a,b) (((a)>(b))?(a):(b)) @@ -435,7 +424,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, char *strres; int intres; int ret; - int i; char **objectclasses = NULL; size_t c; bool is_host = false; @@ -444,7 +432,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, bool is_ipauser = false; bool is_idobject = false; krb5_principal princ; - krb5_data *data; ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass", &objectclasses); @@ -488,17 +475,10 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, /* fqdn is mandatory for hosts */ return ret; } - - /* Currently we only add a PAC to TGTs for IPA servers to allow SSSD in - * ipa_server_mode to access the AD LDAP server */ - if (!is_master_host(ipactx, strres)) { - free(strres); - return ENOENT; - } } else if (is_service) { - ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbPrincipalName", &strres); + ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres); if (ret) { - /* krbPrincipalName is mandatory for services */ + /* krbCanonicalName is mandatory for services */ return ret; } @@ -509,39 +489,10 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, return ENOENT; } - if (krb5_princ_size(ipactx->kcontext, princ) != 2) { - krb5_free_principal(ipactx->kcontext, princ); - return ENOENT; - } - - data = krb5_princ_component(ipactx->context, princ, 0); - for (i = 0; supported_services[i].service; i++) { - if (0 == memcmp(data->data, supported_services[i].service, - MIN(supported_services[i].length, data->length))) { - break; - } - } - - if (supported_services[i].service == NULL) { - krb5_free_principal(ipactx->kcontext, princ); - return ENOENT; - } - - data = krb5_princ_component(ipactx->context, princ, 1); - strres = malloc(data->length+1); - if (strres == NULL) { - krb5_free_principal(ipactx->kcontext, princ); - return ENOENT; - } - - memcpy(strres, data->data, data->length); - strres[data->length] = '\0'; - krb5_free_principal(ipactx->kcontext, princ); - - /* Only add PAC to TGT to services on IPA masters to allow querying - * AD LDAP server */ - if (!is_master_host(ipactx, strres)) { - free(strres); + ret = krb5_unparse_name_flags(ipactx->kcontext, + princ, KRB5_PRINCIPAL_UNPARSE_SHORT, + &strres); + if (ret) { return ENOENT; } } else { @@ -678,9 +629,19 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, info3->base.logon_count = 0; /* we do not have this info yet */ info3->base.bad_password_count = 0; /* we do not have this info yet */ - if (is_host || is_service) { - /* Well know RID of domain controllers group */ - info3->base.rid = 516; + if ((is_host || is_service)) { + /* it is either host or service, so get the hostname first */ + char *sep = strchr(info3->base.account_name.string, '/'); + bool is_master = is_master_host( + ipactx, + sep ? sep + 1 : info3->base.account_name.string); + if (is_master) { + /* Well know RID of domain controllers group */ + info3->base.rid = 516; + } else { + /* Well know RID of domain computers group */ + info3->base.rid = 515; + } } else { ret = ipadb_ldap_attr_to_str(lcontext, lentry, "ipaNTSecurityIdentifier", &strres);