From d45545807106958d924d0b92b3e275ac75c3a6fd Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Thu, 12 Sep 2019 11:21:51 +0300 Subject: [PATCH] adtrust: add default read_keys permission for TDO objects If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys attribute values, it cannot be used by SSSD to retrieve TDO keys and the whole communication with Active Directory domain controllers will not be possible. This seems to affect trusts which were created before ipaAllowedToPerform;read_keys permission granting was introduced (FreeIPA 4.2). Add back the default setting for the permissions which grants access to trust agents and trust admins. Resolves: https://pagure.io/freeipa/issue/8067 Signed-off-by: Alexander Bokovoy Reviewed-By: Florence Blanc-Renaud Reviewed-By: Rob Crittenden Reviewed-By: Florence Blanc-Renaud --- .../updates/90-post_upgrade_plugins.update | 1 + ipaserver/install/plugins/adtrust.py | 56 +++++++++++++++++++ 2 files changed, 57 insertions(+) diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update index a9f5f6a924d330b924d9adb8b7eee728258f27c6..77b910fc26858611e44a5ba3f4f4c18f4895c95e 100644 --- a/install/updates/90-post_upgrade_plugins.update +++ b/install/updates/90-post_upgrade_plugins.update @@ -12,6 +12,7 @@ plugin: update_default_range plugin: update_default_trust_view plugin: update_tdo_gidnumber plugin: update_tdo_to_new_layout +plugin: update_tdo_default_read_keys_permissions plugin: update_ca_renewal_master plugin: update_idrange_type plugin: update_pacs diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py index 0dd2c840899abe3b51b9308d38a9d0f4d1fb2f9b..fca83aa6df2cc3fafca91f2ed55339dba016a1fa 100644 --- a/ipaserver/install/plugins/adtrust.py +++ b/ipaserver/install/plugins/adtrust.py @@ -727,3 +727,59 @@ class update_tdo_to_new_layout(Updater): self.KRB_PRINC_CREATE_DISABLED) return False, [] + + +@register() +class update_tdo_default_read_keys_permissions(Updater): + trust_filter = \ + "(&(objectClass=krbPrincipal)(krbPrincipalName=krbtgt/{nbt}@*))" + + def execute(self, **options): + ldap = self.api.Backend.ldap2 + + # First, see if trusts are enabled on the server + if not self.api.Command.adtrust_is_enabled()['result']: + logger.debug('AD Trusts are not enabled on this server') + return False, [] + + result = self.api.Command.trustconfig_show()['result'] + our_nbt_name = result.get('ipantflatname', [None])[0] + if not our_nbt_name: + return False, [] + + trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn + trust_filter = self.trust_filter.format(nbt=our_nbt_name) + + # We might be in a situation when no trusts exist yet + # In such case there is nothing to upgrade but we have to catch + # an exception or it will abort the whole upgrade process + try: + tdos = ldap.get_entries( + base_dn=trusts_dn, + scope=ldap.SCOPE_SUBTREE, + filter=trust_filter, + attrs_list=['*']) + except errors.EmptyResult: + tdos = [] + + for tdo in tdos: + updates = dict() + oc = tdo.get('objectClass', []) + if 'ipaAllowedOperations' not in oc: + updates['objectClass'] = oc + ['ipaAllowedOperations'] + + read_keys = tdo.get('ipaAllowedToPerform;read_keys', []) + if not read_keys: + read_keys_values = list(map( + lambda x: x.format(basedn=self.api.env.basedn), + trust_read_keys_template)) + updates['ipaAllowedToPerform;read_keys'] = read_keys_values + + tdo.update(updates) + try: + ldap.update_entry(tdo) + except errors.EmptyModlist: + logger.debug("No update was required for TDO %s", + tdo.single_value.get('krbCanonicalName')) + + return False, [] -- 2.20.1