|
 |
0d01fb |
From f0c2f5fdce0ae5dde20abdcf964e3825bb8939c6 Mon Sep 17 00:00:00 2001
|
|
|
0d01fb |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
0d01fb |
Date: Sat, 30 Oct 2021 10:49:37 +0300
|
|
|
0d01fb |
Subject: [PATCH] SMB: switch IPA domain controller role
|
|
|
0d01fb |
|
|
|
0d01fb |
As a part of CVE-2020-25717 mitigations, Samba now assumes 'CLASSIC
|
|
|
0d01fb |
PRIMARY DOMAIN CONTROLLER' server role does not support Kerberos
|
|
|
0d01fb |
operations. This is the role that IPA domain controller was using for
|
|
|
0d01fb |
its hybrid NT4/AD-like operation.
|
|
|
0d01fb |
|
|
|
0d01fb |
Instead, 'IPA PRIMARY DOMAIN CONTROLLER' server role was introduced in
|
|
|
0d01fb |
Samba. Switch to this role for new installations and during the upgrade
|
|
|
0d01fb |
of servers running ADTRUST role.
|
|
|
0d01fb |
|
|
|
0d01fb |
Fixes: https://pagure.io/freeipa/issue/9031
|
|
|
0d01fb |
|
|
|
0d01fb |
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
0d01fb |
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
0d01fb |
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
|
0d01fb |
---
|
|
|
0d01fb |
install/share/smb.conf.template | 1 +
|
|
|
0d01fb |
ipaserver/install/adtrustinstance.py | 16 ++++++++++++++--
|
|
|
0d01fb |
ipaserver/install/server/upgrade.py | 14 ++++++++++++++
|
|
|
0d01fb |
3 files changed, 29 insertions(+), 2 deletions(-)
|
|
|
0d01fb |
|
|
|
0d01fb |
diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template
|
|
|
0d01fb |
index 1370b1e144174f08ad8bc8024e825176d4c74860..1d1d12161661a19c1cc7fc3f74889acace738a79 100644
|
|
|
0d01fb |
--- a/install/share/smb.conf.template
|
|
|
0d01fb |
+++ b/install/share/smb.conf.template
|
|
|
0d01fb |
@@ -5,6 +5,7 @@ realm = $REALM
|
|
|
0d01fb |
kerberos method = dedicated keytab
|
|
|
0d01fb |
dedicated keytab file = /etc/samba/samba.keytab
|
|
|
0d01fb |
create krb5 conf = no
|
|
|
0d01fb |
+server role = $SERVER_ROLE
|
|
|
0d01fb |
security = user
|
|
|
0d01fb |
domain master = yes
|
|
|
0d01fb |
domain logons = yes
|
|
|
0d01fb |
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
|
|
|
0d01fb |
index 67dadf9b9c26af30f5b75b513d4d9f845379f4c9..8202de25ed32f42c751f79f2a5709e5642301c24 100644
|
|
|
0d01fb |
--- a/ipaserver/install/adtrustinstance.py
|
|
|
0d01fb |
+++ b/ipaserver/install/adtrustinstance.py
|
|
|
0d01fb |
@@ -148,6 +148,8 @@ class ADTRUSTInstance(service.Service):
|
|
|
0d01fb |
OBJC_GROUP = "ipaNTGroupAttrs"
|
|
|
0d01fb |
OBJC_DOMAIN = "ipaNTDomainAttrs"
|
|
|
0d01fb |
FALLBACK_GROUP_NAME = u'Default SMB Group'
|
|
|
0d01fb |
+ SERVER_ROLE_OLD = "CLASSIC PRIMARY DOMAIN CONTROLLER"
|
|
|
0d01fb |
+ SERVER_ROLE_NEW = "IPA PRIMARY DOMAIN CONTROLLER"
|
|
|
0d01fb |
|
|
|
0d01fb |
def __init__(self, fstore=None):
|
|
|
0d01fb |
self.netbios_name = None
|
|
|
0d01fb |
@@ -548,7 +550,16 @@ class ADTRUSTInstance(service.Service):
|
|
|
0d01fb |
with tempfile.NamedTemporaryFile(mode='w') as tmp_conf:
|
|
|
0d01fb |
tmp_conf.write(conf)
|
|
|
0d01fb |
tmp_conf.flush()
|
|
|
0d01fb |
- ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
|
|
|
0d01fb |
+ try:
|
|
|
0d01fb |
+ ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
|
|
|
0d01fb |
+ except ipautil.CalledProcessError as e:
|
|
|
0d01fb |
+ if e.returncode == 255:
|
|
|
0d01fb |
+ # We have old Samba that doesn't support IPA DC server role
|
|
|
0d01fb |
+ # re-try again with the older variant, upgrade code will
|
|
|
0d01fb |
+ # take care to change the role later when Samba is upgraded
|
|
|
0d01fb |
+ # as well.
|
|
|
0d01fb |
+ self.sub_dict['SERVER_ROLE'] = self.SERVER_ROLE_OLD
|
|
|
0d01fb |
+ self.__write_smb_registry()
|
|
|
0d01fb |
|
|
|
0d01fb |
def __map_Guests_to_nobody(self):
|
|
|
0d01fb |
map_Guests_to_nobody()
|
|
|
0d01fb |
@@ -783,7 +794,8 @@ class ADTRUSTInstance(service.Service):
|
|
|
0d01fb |
HOST_NETBIOS_NAME = self.host_netbios_name,
|
|
|
0d01fb |
SMB_DN = self.smb_dn,
|
|
|
0d01fb |
LDAPI_SOCKET = self.ldapi_socket,
|
|
|
0d01fb |
- FQDN = self.fqdn)
|
|
|
0d01fb |
+ FQDN = self.fqdn,
|
|
|
0d01fb |
+ SERVER_ROLE=self.SERVER_ROLE_NEW)
|
|
|
0d01fb |
|
|
|
0d01fb |
def setup(self, fqdn, realm_name, netbios_name,
|
|
|
0d01fb |
reset_netbios_name, rid_base, secondary_rid_base,
|
|
|
0d01fb |
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
|
|
0d01fb |
index e6ff2b27bfca0377d27b8cd91d7f065a8f62010c..065399eef29ab0a1009cd047443c0a0a5a4dddfe 100644
|
|
|
0d01fb |
--- a/ipaserver/install/server/upgrade.py
|
|
|
0d01fb |
+++ b/ipaserver/install/server/upgrade.py
|
|
|
0d01fb |
@@ -367,6 +367,20 @@ def upgrade_adtrust_config():
|
|
|
0d01fb |
else:
|
|
|
0d01fb |
logger.warning("Error updating Samba registry: %s", e)
|
|
|
0d01fb |
|
|
|
0d01fb |
+ logger.info("[Set 'server role' "
|
|
|
0d01fb |
+ "to 'IPA PRIMARY DOMAIN CONTROLLER' in Samba configuration]")
|
|
|
0d01fb |
+
|
|
|
0d01fb |
+ args = [paths.NET, "conf", "setparm", "global",
|
|
|
0d01fb |
+ "server role", "IPA PRIMARY DOMAIN CONTROLLER"]
|
|
|
0d01fb |
+
|
|
|
0d01fb |
+ try:
|
|
|
0d01fb |
+ ipautil.run(args)
|
|
|
0d01fb |
+ except ipautil.CalledProcessError as e:
|
|
|
0d01fb |
+ # Only report an error if return code is not 255
|
|
|
0d01fb |
+ # which indicates that the new server role is not supported
|
|
|
0d01fb |
+ # and we don't need to do anything
|
|
|
0d01fb |
+ if e.returncode != 255:
|
|
|
0d01fb |
+ logger.warning("Error updating Samba registry: %s", e)
|
|
|
0d01fb |
|
|
|
0d01fb |
def ca_configure_profiles_acl(ca):
|
|
|
0d01fb |
logger.info('[Authorizing RA Agent to modify profiles]')
|
|
|
0d01fb |
--
|
|
|
0d01fb |
2.31.1
|
|
|
0d01fb |
|