The Identity, Policy and Audit system
CentOS Sources
2015-08-05 190a2ac68ba282d1db11200667628ae6118a5db4
import ipa-4.1.0-18.el7_1.4
2 files added
1 files deleted
1 files modified
279 ■■■■ changed files
SOURCES/0127-ipa-kdb-use-proper-memory-chunk-size-when-moving-sid.patch 55 ●●●●● patch | view | raw | blame | history
SOURCES/0128-ipa-kdb-filter-out-group-membership-from-MS-PAC-for-.patch 155 ●●●●● patch | view | raw | blame | history
SOURCES/ipa-centos-branding.patch 38 ●●●●● patch | view | raw | blame | history
SPECS/ipa.spec 31 ●●●●● patch | view | raw | blame | history
SOURCES/0127-ipa-kdb-use-proper-memory-chunk-size-when-moving-sid.patch
New file
@@ -0,0 +1,55 @@
From 3a4057a37254d6dbb0191da32cd110f7cd50d4e4 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 20 May 2015 18:24:52 +0300
Subject: [PATCH] ipa-kdb: use proper memory chunk size when moving sids
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index e3215db4ea11632dce8f039fc6b89c4a09acd87a..74ee2f3fd4b81bd3433c9ff9c77f7434b72e7f4d 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1397,7 +1397,15 @@ static krb5_error_code filter_logon_info(krb5_context context,
             if (result) {
                 filter_logon_info_log_message(info->info->info3.sids[i].sid);
             } else {
+                /* Go over incoming SID blacklist */
                 for(k = 0; k < domain->len_sid_blacklist_incoming; k++) {
+                    /* if SID is an exact match, filter it out */
+                    result = dom_sid_check(&domain->sid_blacklist_incoming[k], info->info->info3.sids[i].sid, true);
+                    if (result) {
+                        filter_logon_info_log_message(info->info->info3.sids[i].sid);
+                        break;
+                    }
+                    /* if SID is a suffix of the blacklist element, filter it out*/
                     result = dom_sid_is_prefix(&domain->sid_blacklist_incoming[k], info->info->info3.sids[i].sid);
                     if (result) {
                         filter_logon_info_log_message(info->info->info3.sids[i].sid);
@@ -1406,11 +1414,17 @@ static krb5_error_code filter_logon_info(krb5_context context,
                 }
             }
             if (result) {
+                k = count - i - j - 1;
+                if (k != 0) {
+                    memmove(info->info->info3.sids+i,
+                            info->info->info3.sids+i+1,
+                            sizeof(struct netr_SidAttr)*k);
+                }
                 j++;
-                memmove(info->info->info3.sids+i, info->info->info3.sids+i+1, count-i-1);
+            } else {
+                i++;
             }
-            i++;
-        } while (i < count);
+        } while ((i + j) < count);
         if (j != 0) {
             count = count-j;
--
2.1.0
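Review bot: The comment introduced above the prefix test reads backwards: `dom_sid_is_prefix(&domain->sid_blacklist_incoming[k], info->info->info3.sids[i].sid)` asks whether the blacklist element is a prefix of the PAC SID, so the comment should read `/* if the blacklist element is a prefix of the SID, filter it out */` rather than calling the SID a suffix. In the second hunk `k` is reused as the remaining-element count for `memmove` immediately after serving as the blacklist loop index; a dedicated local such as `int rest = count - i - j - 1;` would make the chunk-size arithmetic that this patch exists to fix easier to audit. The do/while now advances `i` only when nothing was removed, which is correct, but a one-line comment such as `/* i stays put after a removal: the next element shifted into slot i */` would save the next reader the derivation. filter_logon_info starts and ends outside both hunks.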
SOURCES/0128-ipa-kdb-filter-out-group-membership-from-MS-PAC-for-.patch
New file
@@ -0,0 +1,155 @@
From 32b7c1d012a0904420edc61bf94be66253a6c84a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 28 May 2015 08:33:51 +0000
Subject: [PATCH] ipa-kdb: filter out group membership from MS-PAC for exact
 SID matches too
When incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.
Note that we treat user's SID and primary group RID filtering as violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.
For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1
it is OK to have empty group RIDs array as GroupCount SHOULD be
equal to Groups.MembershipCount returned by SamrGetGroupsForUser
[MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty.
Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 100 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 99 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 74ee2f3fd4b81bd3433c9ff9c77f7434b72e7f4d..3e6024f55071e95c6d40869e31d879baf627a3b9 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1320,6 +1320,22 @@ static void filter_logon_info_log_message(struct dom_sid *sid)
     }
 }
+static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid)
+{
+    char *domstr = NULL;
+
+    domstr = dom_sid_string(NULL, sid);
+    if (domstr) {
+        krb5_klog_syslog(LOG_ERR, "PAC filtering issue: SID [%s-%d] is not allowed "
+                                  "from a trusted source and will be excluded.", domstr, rid);
+        talloc_free(domstr);
+    } else {
+        krb5_klog_syslog(LOG_ERR, "PAC filtering issue: SID is not allowed "
+                                  "from a trusted source and will be excluded."
+                                  "Unable to allocate memory to display SID.");
+    }
+}
+
 static krb5_error_code filter_logon_info(krb5_context context,
                                          TALLOC_CTX *memctx,
                                          krb5_data realm,
@@ -1331,9 +1347,21 @@ static krb5_error_code filter_logon_info(krb5_context context,
      * attempt at getting us to sign fake credentials with the help of a
      * compromised trusted realm */
+    /* NOTE: there are two outcomes from filtering:
+     * REJECT TICKET -- ticket is rejected if domain SID of
+     *                  the principal with MS-PAC is filtered out or
+     *                  its primary group RID is filtered out
+     *
+     * REMOVE SID    -- SIDs are removed from the list of SIDs associated
+     *                  with the principal if they are filtered out
+     *                  This applies also to secondary RIDs of the principal
+     *                  if domain_sid-<secondary RID> is filtered out
+     */
+
     struct ipadb_context *ipactx;
     struct ipadb_adtrusts *domain;
-    int i, j, k, count;
+    int i, j, k, l, count;
+    uint32_t rid;
     bool result;
     char *domstr = NULL;
@@ -1380,6 +1408,76 @@ static krb5_error_code filter_logon_info(krb5_context context,
         }
     }
+    /* Check if this user's SIDs membership is filtered too */
+    for(k = 0; k < domain->len_sid_blacklist_incoming; k++) {
+        /* Short-circuit if there are no RIDs. This may happen if we filtered everything already.
+         * In normal situation there would be at least primary gid as RID in the RIDs array
+         * but if we filtered out the primary RID, this MS-PAC is invalid */
+        count = info->info->info3.base.groups.count;
+        result = dom_sid_is_prefix(info->info->info3.base.domain_sid,
+                                   &domain->sid_blacklist_incoming[k]);
+        if (result) {
+            i = 0;
+            j = 0;
+            if (domain->sid_blacklist_incoming[k].num_auths - info->info->info3.base.domain_sid->num_auths != 1) {
+                krb5_klog_syslog(LOG_ERR, "Incoming SID blacklist element matching domain [%s with SID %s] "
+                                          "has more than one RID component. Invalid check skipped.",
+                                 domain->domain_name, domain->domain_sid);
+                break;
+            }
+            rid = domain->sid_blacklist_incoming[k].sub_auths[domain->sid_blacklist_incoming[k].num_auths - 1];
+            if (rid == info->info->info3.base.rid) {
+                filter_logon_info_log_message_rid(info->info->info3.base.domain_sid, rid);
+                /* Actual user's SID is filtered out */
+                return KRB5KDC_ERR_POLICY;
+            }
+            if (rid == info->info->info3.base.primary_gid) {
+                /* User's primary group SID is filtered out */
+                return KRB5KDC_ERR_POLICY;
+            }
+            if (count == 0) {
+                /* Having checked actual user's SID and primary group SID, and having no other RIDs,
+                 * skip checks below and continue to next blacklist element */
+                continue;
+            }
+
+            do {
+                if (rid == info->info->info3.base.groups.rids[i].rid) {
+                    filter_logon_info_log_message_rid(info->info->info3.base.domain_sid, rid);
+                    /* If this is just a non-primary RID, we simply remove it from the array of RIDs */
+                    l = count - i - j - 1;
+                    if (l != 0) {
+                         memmove(info->info->info3.base.groups.rids+i,
+                                 info->info->info3.base.groups.rids+i+1,
+                                 sizeof(struct samr_RidWithAttribute)*l);
+                    }
+                    j++;
+                } else {
+                    i++;
+                }
+            } while ((i + j) < count);
+
+            if (j != 0) {
+                count = count-j;
+                if (count == 0) {
+                    /* All RIDs were filtered out. Unusual but MS-KILE 3.3.5.6.3.1 says SHOULD, not MUST for GroupCount */
+                    info->info->info3.base.groups.count = 0;
+                    talloc_free(info->info->info3.base.groups.rids);
+                    info->info->info3.base.groups.rids = NULL;
+                } else {
+                    info->info->info3.base.groups.rids = talloc_realloc(memctx,
+                                                                        info->info->info3.base.groups.rids,
+                                                                        struct samr_RidWithAttribute, count);
+                    if (!info->info->info3.base.groups.rids) {
+                        info->info->info3.base.groups.count = 0;
+                        return ENOMEM;
+                    }
+                    info->info->info3.base.groups.count = count;
+                }
+            }
+        }
+    }
+
     /* According to MS-KILE 25.0, info->info->info3.sids may be non zero, so check
      * should include different possibilities into account
      * */
--
2.1.0
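Review bot: The `break` taken when a blacklist element has more than one RID component beneath the domain SID leaves the whole `for (k ...)` loop, so every later entry of `sid_blacklist_incoming` is skipped rather than just the malformed one the log text ("Invalid check skipped") describes, and a single odd entry thereby disables RID filtering for all entries after it; `continue;` is what the message promises. In `filter_logon_info_log_message_rid` the `uint32_t rid` is formatted with `%d` where `%u` (or `PRIu32`) belongs, and the concatenated literals of the fallback message yield `excluded.Unable` with no separating space. The syslog call before the `break` passes `domain->domain_sid` to `%s`, which is only correct if that field is a string — the hunk does not show its declaration, so confirm against `struct ipadb_adtrusts`. The primary-group rejection returns `KRB5KDC_ERR_POLICY` without the `filter_logon_info_log_message_rid` line the user-SID case emits, leaving that rejection invisible in the KDC log. filter_logon_info starts and ends outside the hunks.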
SOURCES/ipa-centos-branding.patch
File was deleted
SPECS/ipa.spec
@@ -32,7 +32,7 @@
Name:           ipa
Version:        4.1.0
Release:        18%{?dist}.3
Release:        18%{?dist}.4
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
@@ -40,10 +40,10 @@
URL:            http://www.freeipa.org/
Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity-Management
#Source1:        header-logo.png
#Source2:        login-screen-background.jpg
#Source3:        login-screen-logo.png
#Source4:        product-name.png
Source1:        header-logo.png
Source2:        login-screen-background.jpg
Source3:        login-screen-logo.png
Source4:        product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity-Management
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -174,6 +174,8 @@
Patch0124:      0124-client-install-Do-not-crash-on-invalid-CA-certificat.patch
Patch0125:      0125-client-Fix-ca_is_enabled-calls.patch
Patch0126:      0126-upload_cacrt-Fix-empty-cACertificate-in-cn-CAcert.patch
Patch0127:      0127-ipa-kdb-use-proper-memory-chunk-size-when-moving-sid.patch
Patch0128:      0128-ipa-kdb-filter-out-group-membership-from-MS-PAC-for-.patch
Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -189,7 +191,6 @@
Patch1012:      1012-Expand-the-token-auth-sync-windows.patch
Patch1013:      1013-extdom-fix-wrong-realloc-size.patch
Patch1014:      1014-fix-Makefile.am-for-daemons.patch
Patch1015:      ipa-centos-branding.patch
# RHEL spec file only: END
%if ! %{ONLY_CLIENT}
@@ -292,6 +293,9 @@
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.54-2
Requires: pki-ca >= 10.1.2-5
%if 0%{?rhel}
Requires: subscription-manager
%endif
Requires(preun): python systemd-units
Requires(postun): python systemd-units
Requires: python-dns >= 1.11.1-2
@@ -304,7 +308,7 @@
Requires: open-sans-fonts
# RHEL spec file only: DELETED: Disable DNSSEC support
# RHEL spec file only: START
# Requires: redhat-access-plugin-ipa
Requires: redhat-access-plugin-ipa
# RHEL spec file only: END
Conflicts: %{alt_name}-server
@@ -478,10 +482,10 @@
done
# Red Hat's Identity Management branding
# cp %SOURCE1 install/ui/images/header-logo.png
# cp %SOURCE2 install/ui/images/login-screen-background.jpg
# cp %SOURCE3 install/ui/images/login-screen-logo.png
# cp %SOURCE4 install/ui/images/product-name.png
cp %SOURCE1 install/ui/images/header-logo.png
cp %SOURCE2 install/ui/images/login-screen-background.jpg
cp %SOURCE3 install/ui/images/login-screen-logo.png
cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END
%build
@@ -1031,8 +1035,9 @@
# RHEL spec file only: DELETED: Do not build tests
%changelog
* Thu Mar 26 2015 CentOS Sources <bugs@centos.org> - 4.1.0-18.el7.centos.3
- Roll in CentOS Branding
* Tue Jul 21 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-18.4
- krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp 00007fffd68b2340 error 6 in
  libc-2.17.so (#1245097)
* Thu Mar 19 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-18.3
- [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: