diff --git a/SOURCES/0127-ipa-kdb-use-proper-memory-chunk-size-when-moving-sid.patch b/SOURCES/0127-ipa-kdb-use-proper-memory-chunk-size-when-moving-sid.patch
new file mode 100644
index 0000000..f1497b5
--- /dev/null
+++ b/SOURCES/0127-ipa-kdb-use-proper-memory-chunk-size-when-moving-sid.patch
@@ -0,0 +1,55 @@ +From 3a4057a37254d6dbb0191da32cd110f7cd50d4e4 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 20 May 2015 18:24:52 +0300 +Subject: [PATCH] ipa-kdb: use proper memory chunk size when moving sids + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475 +Reviewed-By: Tomas Babej +--- + daemons/ipa-kdb/ipa_kdb_mspac.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index e3215db4ea11632dce8f039fc6b89c4a09acd87a..74ee2f3fd4b81bd3433c9ff9c77f7434b72e7f4d 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -1397,7 +1397,15 @@ static krb5_error_code filter_logon_info(krb5_context context, + if (result) { + filter_logon_info_log_message(info->info->info3.sids[i].sid); + } else { ++ /* Go over incoming SID blacklist */ + for(k = 0; k < domain->len_sid_blacklist_incoming; k++) { ++ /* if SID is an exact match, filter it out */ ++ result = dom_sid_check(&domain->sid_blacklist_incoming[k], info->info->info3.sids[i].sid, true); ++ if (result) { ++ filter_logon_info_log_message(info->info->info3.sids[i].sid); ++ break; ++ } ++ /* if SID is a suffix of the blacklist element, filter it out*/ + result = dom_sid_is_prefix(&domain->sid_blacklist_incoming[k], info->info->info3.sids[i].sid); + if (result) { + filter_logon_info_log_message(info->info->info3.sids[i].sid); +@@ -1406,11 +1414,17 @@ static krb5_error_code filter_logon_info(krb5_context context, + } + } + if (result) { ++ k = count - i - j - 1; ++ if (k != 0) { ++ memmove(info->info->info3.sids+i, ++ info->info->info3.sids+i+1, ++ sizeof(struct netr_SidAttr)*k); ++ } + j++; +- memmove(info->info->info3.sids+i, info->info->info3.sids+i+1, count-i-1); ++ } else { ++ i++; + } +- i++; +- } while (i < count); ++ } while ((i + j) < count); + + if (j != 0) { + count = count-j; +-- +2.1.0 + 
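Review bot: The comment `/* if SID is a suffix of the blacklist element, filter it out*/` reads inverted relative to the call under it, `dom_sid_is_prefix(&domain->sid_blacklist_incoming[k], info->info->info3.sids[i].sid)`, whose argument order (and the same helper's use in 0128, where the domain SID is passed first and the blacklist entry is the longer one) indicates the blacklist element is the prefix; `/* if the blacklist element is a prefix of this SID (SID lies under a blacklisted subtree), filter it out */` states what is actually checked. The for-loop index `k` is also reused as the memmove element count in `k = count - i - j - 1;`, which is legal once the loop has finished but makes the following `if (k != 0)` read like a blacklist-position test; a separate local (0128 uses `l` for the identical RID compaction) would keep the two meanings apart. The do/while body still reads `sids[0]` once before the `(i + j) < count` condition is evaluated, so it depends on a non-zero count being guaranteed by code outside this hunk. filter_logon_info's remaining body, including whatever follows `count = count-j`, lies outside the inner hunks.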
diff --git a/SOURCES/0128-ipa-kdb-filter-out-group-membership-from-MS-PAC-for-.patch b/SOURCES/0128-ipa-kdb-filter-out-group-membership-from-MS-PAC-for-.patch
new file mode 100644
index 0000000..18009ed
--- /dev/null
+++ b/SOURCES/0128-ipa-kdb-filter-out-group-membership-from-MS-PAC-for-.patch
@@ -0,0 +1,155 @@ +From 32b7c1d012a0904420edc61bf94be66253a6c84a Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Thu, 28 May 2015 08:33:51 +0000 +Subject: [PATCH] ipa-kdb: filter out group membership from MS-PAC for exact + SID matches too + +When incoming SID blacklist contains exact SIDs of users and groups, +attempt to filter them out as well, according to [MS-PAC] 4.1.1.2. + +Note that we treat user's SID and primary group RID filtering as violation +of the KDC policy because the resulting MS-PAC will have no user SID or +primary group and thus will be invalid. + +For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1 +it is OK to have empty group RIDs array as GroupCount SHOULD be +equal to Groups.MembershipCount returned by SamrGetGroupsForUser +[MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty. + +Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475 + +Reviewed-By: Tomas Babej +--- + daemons/ipa-kdb/ipa_kdb_mspac.c | 100 +++++++++++++++++++++++++++++++++++++++- + 1 file changed, 99 insertions(+), 1 deletion(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index 74ee2f3fd4b81bd3433c9ff9c77f7434b72e7f4d..3e6024f55071e95c6d40869e31d879baf627a3b9 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -1320,6 +1320,22 @@ static void filter_logon_info_log_message(struct dom_sid *sid) + } + } + ++static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid) ++{ ++ char *domstr = NULL; ++ ++ domstr = dom_sid_string(NULL, sid); ++ if (domstr) { ++ krb5_klog_syslog(LOG_ERR, "PAC filtering issue: SID [%s-%d] is not allowed " ++ "from a trusted source and will be excluded.", domstr, rid); ++ talloc_free(domstr); ++ } else { ++ krb5_klog_syslog(LOG_ERR, "PAC filtering issue: SID is not allowed " ++ "from a trusted source and will be excluded." 
++ "Unable to allocate memory to display SID."); ++ } ++} ++ + static krb5_error_code filter_logon_info(krb5_context context, + TALLOC_CTX *memctx, + krb5_data realm, +@@ -1331,9 +1347,21 @@ static krb5_error_code filter_logon_info(krb5_context context, + * attempt at getting us to sign fake credentials with the help of a + * compromised trusted realm */ + ++ /* NOTE: there are two outcomes from filtering: ++ * REJECT TICKET -- ticket is rejected if domain SID of ++ * the principal with MS-PAC is filtered out or ++ * its primary group RID is filtered out ++ * ++ * REMOVE SID -- SIDs are removed from the list of SIDs associated ++ * with the principal if they are filtered out ++ * This applies also to secondary RIDs of the principal ++ * if domain_sid- is filtered out ++ */ ++ + struct ipadb_context *ipactx; + struct ipadb_adtrusts *domain; +- int i, j, k, count; ++ int i, j, k, l, count; ++ uint32_t rid; + bool result; + char *domstr = NULL; + +@@ -1380,6 +1408,76 @@ static krb5_error_code filter_logon_info(krb5_context context, + } + } + ++ /* Check if this user's SIDs membership is filtered too */ ++ for(k = 0; k < domain->len_sid_blacklist_incoming; k++) { ++ /* Short-circuit if there are no RIDs. This may happen if we filtered everything already. ++ * In normal situation there would be at least primary gid as RID in the RIDs array ++ * but if we filtered out the primary RID, this MS-PAC is invalid */ ++ count = info->info->info3.base.groups.count; ++ result = dom_sid_is_prefix(info->info->info3.base.domain_sid, ++ &domain->sid_blacklist_incoming[k]); ++ if (result) { ++ i = 0; ++ j = 0; ++ if (domain->sid_blacklist_incoming[k].num_auths - info->info->info3.base.domain_sid->num_auths != 1) { ++ krb5_klog_syslog(LOG_ERR, "Incoming SID blacklist element matching domain [%s with SID %s] " ++ "has more than one RID component. 
Invalid check skipped.", ++ domain->domain_name, domain->domain_sid); ++ break; ++ } ++ rid = domain->sid_blacklist_incoming[k].sub_auths[domain->sid_blacklist_incoming[k].num_auths - 1]; ++ if (rid == info->info->info3.base.rid) { ++ filter_logon_info_log_message_rid(info->info->info3.base.domain_sid, rid); ++ /* Actual user's SID is filtered out */ ++ return KRB5KDC_ERR_POLICY; ++ } ++ if (rid == info->info->info3.base.primary_gid) { ++ /* User's primary group SID is filtered out */ ++ return KRB5KDC_ERR_POLICY; ++ } ++ if (count == 0) { ++ /* Having checked actual user's SID and primary group SID, and having no other RIDs, ++ * skip checks below and continue to next blacklist element */ ++ continue; ++ } ++ ++ do { ++ if (rid == info->info->info3.base.groups.rids[i].rid) { ++ filter_logon_info_log_message_rid(info->info->info3.base.domain_sid, rid); ++ /* If this is just a non-primary RID, we simply remove it from the array of RIDs */ ++ l = count - i - j - 1; ++ if (l != 0) { ++ memmove(info->info->info3.base.groups.rids+i, ++ info->info->info3.base.groups.rids+i+1, ++ sizeof(struct samr_RidWithAttribute)*l); ++ } ++ j++; ++ } else { ++ i++; ++ } ++ } while ((i + j) < count); ++ ++ if (j != 0) { ++ count = count-j; ++ if (count == 0) { ++ /* All RIDs were filtered out. 
Unusual but MS-KILE 3.3.5.6.3.1 says SHOULD, not MUST for GroupCount */ ++ info->info->info3.base.groups.count = 0; ++ talloc_free(info->info->info3.base.groups.rids); ++ info->info->info3.base.groups.rids = NULL; ++ } else { ++ info->info->info3.base.groups.rids = talloc_realloc(memctx, ++ info->info->info3.base.groups.rids, ++ struct samr_RidWithAttribute, count); ++ if (!info->info->info3.base.groups.rids) { ++ info->info->info3.base.groups.count = 0; ++ return ENOMEM; ++ } ++ info->info->info3.base.groups.count = count; ++ } ++ } ++ } ++ } ++ + /* According to MS-KILE 25.0, info->info->info3.sids may be non zero, so check + * should include different possibilities into account + * */ +-- +2.1.0 + diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch deleted file mode 100644 index 673cd2f..0000000 --- a/SOURCES/ipa-centos-branding.patch +++ /dev/null 
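Review bot: In the new blacklist scan in filter_logon_info, the malformed-entry path (`num_auths` difference other than 1) uses `break;` after logging "Invalid check skipped.", which abandons the whole `for(k ...)` loop and therefore skips every remaining blacklist element rather than only the invalid one; `continue;` matches the log message and keeps the rest of the blacklist in force, and note the same message is emitted when the difference is 0 (the entry equals the domain SID itself), which is not "more than one RID component". The primary-group rejection `if (rid == info->info->info3.base.primary_gid) { return KRB5KDC_ERR_POLICY; }` returns without any log line, unlike the user-RID case directly above it, so an operator sees a policy rejection with no recorded cause; adding `filter_logon_info_log_message_rid(info->info->info3.base.domain_sid, rid);` before that return mirrors the user case. In filter_logon_info_log_message_rid, `rid` is `uint32_t` but is printed with `%d`; `%u` (or PRIu32) avoids a signed rendering for large RIDs, and the two adjacent literals in the else branch concatenate as `excluded.Unable`, missing a space. The `%s` used for `domain->domain_sid` in the skipped-check message is only correct if that field is a string rather than a `struct dom_sid`, which this hunk does not show; the enclosing function's body continues outside the inner hunks.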
@@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index ad0fdfa..401c99c 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -32,7 +32,7 @@ Name: ipa Version: 4.1.0 -Release: 18%{?dist}.3 +Release: 18%{?dist}.4 Summary: The Identity, Policy and Audit system Group: System Environment/Base 
@@ -40,10 +40,10 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity-Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source3: login-screen-logo.png -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source3: login-screen-logo.png +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity-Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -174,6 +174,8 @@ Patch0123: 0123-certstore-Make-certificate-retrieval-more-robust.patch Patch0124: 0124-client-install-Do-not-crash-on-invalid-CA-certificat.patch Patch0125: 0125-client-Fix-ca_is_enabled-calls.patch Patch0126: 0126-upload_cacrt-Fix-empty-cACertificate-in-cn-CAcert.patch +Patch0127: 0127-ipa-kdb-use-proper-memory-chunk-size-when-moving-sid.patch +Patch0128: 0128-ipa-kdb-filter-out-group-membership-from-MS-PAC-for-.patch Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch Patch1002: 1002-Remove-pkinit-plugin.patch @@ -189,7 +191,6 @@ Patch1011: 1011-Disable-TLS-1.2-in-nss.conf-until-mod_nss-supports-i.patch Patch1012: 1012-Expand-the-token-auth-sync-windows.patch Patch1013: 1013-extdom-fix-wrong-realloc-size.patch Patch1014: 1014-fix-Makefile.am-for-daemons.patch -Patch1015: ipa-centos-branding.patch # RHEL spec file only: END %if ! %{ONLY_CLIENT} @@ -292,6 +293,9 @@ Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base Requires: slapi-nis >= 0.54-2 Requires: pki-ca >= 10.1.2-5 +%if 0%{?rhel} +Requires: subscription-manager +%endif Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns >= 1.11.1-2 
@@ -304,7 +308,7 @@ Requires: fontawesome-fonts Requires: open-sans-fonts # RHEL spec file only: DELETED: Disable DNSSEC support # RHEL spec file only: START -# Requires: redhat-access-plugin-ipa +Requires: redhat-access-plugin-ipa # RHEL spec file only: END Conflicts: %{alt_name}-server @@ -478,10 +482,10 @@ for p in %patches ; do done # Red Hat's Identity Management branding -# cp %SOURCE1 install/ui/images/header-logo.png -# cp %SOURCE2 install/ui/images/login-screen-background.jpg -# cp %SOURCE3 install/ui/images/login-screen-logo.png -# cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE3 install/ui/images/login-screen-logo.png +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END %build @@ -1031,8 +1035,9 @@ fi # RHEL spec file only: DELETED: Do not build tests %changelog -* Thu Mar 26 2015 CentOS Sources - 4.1.0-18.el7.centos.3 -- Roll in CentOS Branding +* Tue Jul 21 2015 Jan Cholasta - 4.1.0-18.4 +- krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp 00007fffd68b2340 error 6 in + libc-2.17.so (#1245097) * Thu Mar 19 2015 Jan Cholasta - 4.1.0-18.3 - [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: