From f0c2f5fdce0ae5dde20abdcf964e3825bb8939c6 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Sat, 30 Oct 2021 10:49:37 +0300
Subject: [PATCH] SMB: switch IPA domain controller role
As a part of CVE-2020-25717 mitigations, Samba now assumes 'CLASSIC
PRIMARY DOMAIN CONTROLLER' server role does not support Kerberos
operations. This is the role that IPA domain controller was using for
its hybrid NT4/AD-like operation.
Instead, 'IPA PRIMARY DOMAIN CONTROLLER' server role was introduced in
Samba. Switch to this role for new installations and during the upgrade
of servers running ADTRUST role.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
install/share/smb.conf.template | 1 +
ipaserver/install/adtrustinstance.py | 16 ++++++++++++++--
ipaserver/install/server/upgrade.py | 14 ++++++++++++++
3 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template
index 1370b1e144174f08ad8bc8024e825176d4c74860..1d1d12161661a19c1cc7fc3f74889acace738a79 100644
--- a/install/share/smb.conf.template
+++ b/install/share/smb.conf.template
@@ -5,6 +5,7 @@ realm = $REALM
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
+server role = $SERVER_ROLE
security = user
domain master = yes
domain logons = yes
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 67dadf9b9c26af30f5b75b513d4d9f845379f4c9..8202de25ed32f42c751f79f2a5709e5642301c24 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -148,6 +148,8 @@ class ADTRUSTInstance(service.Service):
OBJC_GROUP = "ipaNTGroupAttrs"
OBJC_DOMAIN = "ipaNTDomainAttrs"
FALLBACK_GROUP_NAME = u'Default SMB Group'
+ SERVER_ROLE_OLD = "CLASSIC PRIMARY DOMAIN CONTROLLER"
+ SERVER_ROLE_NEW = "IPA PRIMARY DOMAIN CONTROLLER"
def __init__(self, fstore=None):
self.netbios_name = None
@@ -548,7 +550,16 @@ class ADTRUSTInstance(service.Service):
with tempfile.NamedTemporaryFile(mode='w') as tmp_conf:
tmp_conf.write(conf)
tmp_conf.flush()
- ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
+ try:
+ ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
+ except ipautil.CalledProcessError as e:
+ if e.returncode == 255:
+ # We have old Samba that doesn't support IPA DC server role
+ # re-try again with the older variant, upgrade code will
+ # take care to change the role later when Samba is upgraded
+ # as well.
+ self.sub_dict['SERVER_ROLE'] = self.SERVER_ROLE_OLD
+ self.__write_smb_registry()
def __map_Guests_to_nobody(self):
map_Guests_to_nobody()
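Review bot: A `net conf import` failure with any exit status other than 255 is now swallowed silently, because the new `except ipautil.CalledProcessError` branch has no `raise` for the non-255 case, whereas before this change the error propagated to the caller. The 255 fallback also recurses into `self.__write_smb_registry()` with no guard, so if the re-import with the classic role fails with 255 as well, the method keeps recursing until a `RecursionError`; the retry should only happen while `sub_dict` still holds `SERVER_ROLE_NEW`. `net` appears to report generic failures as -1 (255) too, so this branch may mask unrelated import problems, which is one more reason to re-raise everything except the single expected fallback. `__write_smb_registry` begins before this hunk, and `sub_dict` is assumed to be a plain dict populated earlier.
```python
        with tempfile.NamedTemporaryFile(mode='w') as tmp_conf:
            # … unchanged: write and flush the rendered configuration …
            try:
                ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
            except ipautil.CalledProcessError as e:
                # Older Samba rejects the IPA DC server role (exit status
                # 255); fall back to the classic role exactly once, the
                # upgrade code switches it back once Samba is upgraded.
                # Any other failure, or a failure with the classic role
                # already in place, is a real error and must propagate.
                if (e.returncode != 255
                        or self.sub_dict.get('SERVER_ROLE')
                        == self.SERVER_ROLE_OLD):
                    raise
                self.sub_dict['SERVER_ROLE'] = self.SERVER_ROLE_OLD
                self.__write_smb_registry()
```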
@@ -783,7 +794,8 @@ class ADTRUSTInstance(service.Service):
HOST_NETBIOS_NAME = self.host_netbios_name,
SMB_DN = self.smb_dn,
LDAPI_SOCKET = self.ldapi_socket,
- FQDN = self.fqdn)
+ FQDN = self.fqdn,
+ SERVER_ROLE=self.SERVER_ROLE_NEW)
def setup(self, fqdn, realm_name, netbios_name,
reset_netbios_name, rid_base, secondary_rid_base,
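Review bot: The new keyword argument `SERVER_ROLE=self.SERVER_ROLE_NEW` is formatted differently from its neighbours (`FQDN = self.fqdn,` and the lines above it all put spaces around `=`); the call should use one style throughout, either `SERVER_ROLE = self.SERVER_ROLE_NEW)` to match, or spaces dropped from every keyword since that is what PEP 8 prefers. A short comment above the argument, such as `# IPA DC role by default; __write_smb_registry falls back to SERVER_ROLE_OLD when the local Samba rejects it`, would make the link between this default and the fallback in `__write_smb_registry` explicit for the next reader. The enclosing method starts before this hunk.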
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index e6ff2b27bfca0377d27b8cd91d7f065a8f62010c..065399eef29ab0a1009cd047443c0a0a5a4dddfe 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -367,6 +367,20 @@ def upgrade_adtrust_config():
else:
logger.warning("Error updating Samba registry: %s", e)
+ logger.info("[Set 'server role' "
+ "to 'IPA PRIMARY DOMAIN CONTROLLER' in Samba configuration]")
+
+ args = [paths.NET, "conf", "setparm", "global",
+ "server role", "IPA PRIMARY DOMAIN CONTROLLER"]
+
+ try:
+ ipautil.run(args)
+ except ipautil.CalledProcessError as e:
+ # Only report an error if return code is not 255
+ # which indicates that the new server role is not supported
+ # and we don't need to do anything
+ if e.returncode != 255:
+ logger.warning("Error updating Samba registry: %s", e)
def ca_configure_profiles_acl(ca):
logger.info('[Authorizing RA Agent to modify profiles]')
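Review bot: The role string "IPA PRIMARY DOMAIN CONTROLLER" is spelled out twice here (in the log message and in `args`) while the same commit introduces `ADTRUSTInstance.SERVER_ROLE_NEW` for exactly this value; if `adtrustinstance` is importable from this module, referencing the constant keeps the installer and the upgrader from drifting apart. The 255 branch returns silently, so an upgrade on a host whose Samba does not yet accept the role leaves no trace in the log; a `logger.debug("Samba does not support 'IPA PRIMARY DOMAIN CONTROLLER' server role yet, keeping the current role")` in that branch would make the skipped step visible. Since `net` appears to use 255 as a generic failure status as well, that log line is also the only hint when the skip is hiding a different problem. The warning text duplicates the one emitted on the line just above for the previous step; naming the parameter, e.g. `"Error setting 'server role' in Samba registry: %s"`, tells the two apart in the log. `upgrade_adtrust_config` starts before this hunk, so whether ADTRUST is checked to be configured before this runs is not visible here.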
--
2.31.1