From f0c2f5fdce0ae5dde20abdcf964e3825bb8939c6 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Sat, 30 Oct 2021 10:49:37 +0300
Subject: [PATCH] SMB: switch IPA domain controller role

As a part of CVE-2020-25717 mitigations, Samba now assumes 'CLASSIC PRIMARY DOMAIN CONTROLLER' server role does not support Kerberos operations. This is the role that IPA domain controller was using for its hybrid NT4/AD-like operation.

Instead, 'IPA PRIMARY DOMAIN CONTROLLER' server role was introduced in Samba. Switch to this role for new installations and during the upgrade of servers running ADTRUST role.

Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy
Reviewed-by: Rob Crittenden
Reviewed-By: Rob Crittenden
---
 install/share/smb.conf.template | 1 +
 ipaserver/install/adtrustinstance.py | 16 ++++++++++++++--
 ipaserver/install/server/upgrade.py | 14 ++++++++++++++
 3 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template
index 1370b1e144174f08ad8bc8024e825176d4c74860..1d1d12161661a19c1cc7fc3f74889acace738a79 100644
--- a/install/share/smb.conf.template
+++ b/install/share/smb.conf.template
@@ -5,6 +5,7 @@ realm = $REALM
 kerberos method = dedicated keytab
 dedicated keytab file = /etc/samba/samba.keytab
 create krb5 conf = no
+server role = $SERVER_ROLE
 security = user
 domain master = yes
 domain logons = yes
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 67dadf9b9c26af30f5b75b513d4d9f845379f4c9..8202de25ed32f42c751f79f2a5709e5642301c24 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -148,6 +148,8 @@ class ADTRUSTInstance(service.Service):
     OBJC_GROUP = "ipaNTGroupAttrs"
     OBJC_DOMAIN = "ipaNTDomainAttrs"
     FALLBACK_GROUP_NAME = u'Default SMB Group'
+    SERVER_ROLE_OLD = "CLASSIC PRIMARY DOMAIN CONTROLLER"
+    SERVER_ROLE_NEW = "IPA PRIMARY DOMAIN CONTROLLER"
 
     def __init__(self, fstore=None):
         self.netbios_name = None
@@ -548,7 +550,16 @@ class ADTRUSTInstance(service.Service):
         with tempfile.NamedTemporaryFile(mode='w') as tmp_conf:
             tmp_conf.write(conf)
             tmp_conf.flush()
-            ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
+            try:
+                ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
+            except ipautil.CalledProcessError as e:
+                if e.returncode == 255:
+                    # We have old Samba that doesn't support IPA DC server role
+                    # re-try again with the older variant, upgrade code will
+                    # take care to change the role later when Samba is upgraded
+                    # as well.
+                    self.sub_dict['SERVER_ROLE'] = self.SERVER_ROLE_OLD
+                    self.__write_smb_registry()
 
     def __map_Guests_to_nobody(self):
         map_Guests_to_nobody()
@@ -783,7 +794,8 @@ class ADTRUSTInstance(service.Service):
                              HOST_NETBIOS_NAME = self.host_netbios_name,
                              SMB_DN = self.smb_dn,
                              LDAPI_SOCKET = self.ldapi_socket,
-                             FQDN = self.fqdn)
+                             FQDN = self.fqdn,
+                             SERVER_ROLE=self.SERVER_ROLE_NEW)
 
     def setup(self, fqdn, realm_name, netbios_name, reset_netbios_name,
               rid_base, secondary_rid_base,
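Review bot: The two new role constants give no hint why a legacy value is kept, and the CVE context that motivates them lives only in the commit message. A comment above `SERVER_ROLE_OLD` would save the next maintainer a trip to the history: `# Role IPA used before Samba's CVE-2020-25717 mitigations; Samba with those fixes no longer performs Kerberos operations in this role, so it is only a fallback for Samba builds that do not know SERVER_ROLE_NEW yet.` The ADTRUSTInstance class body continues outside the hunk.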
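Review bot: The new `except ipautil.CalledProcessError` branch in `__write_smb_registry` swallows every failure whose return code is not 255 — there is no `raise` after the `if`, so a `net conf import` that fails for any other reason now leaves the Samba registry unconfigured and the installer carries on where the removed line would have aborted. The retry is also unguarded: if the second import, now with the classic role, fails with 255 as well, the method calls itself again with the same role and recurses until RecursionError; 255 is, as far as I recall, net(8)'s generic failure status rather than a specific "unknown server role" signal, so that path is reachable. Re-raise unless this is the first attempt with the new role, as below. `__write_smb_registry` starts outside the hunk, so whether `conf` is re-rendered from `sub_dict` on the retry cannot be confirmed here.
```python
            try:
                ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
            except ipautil.CalledProcessError as e:
                # net(8) exits 255 for most failures; only treat it as
                # "IPA DC role unknown" on the first attempt with the new role
                if (e.returncode != 255
                        or self.sub_dict.get('SERVER_ROLE') != self.SERVER_ROLE_NEW):
                    raise
                # Old Samba: fall back to the classic role; the upgrade code
                # switches to the IPA role once Samba itself is upgraded
                self.sub_dict['SERVER_ROLE'] = self.SERVER_ROLE_OLD
                self.__write_smb_registry()
```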
@@ -367,6 +367,20 @@ def upgrade_adtrust_config():
         else:
             logger.warning("Error updating Samba registry: %s", e)
 
+    logger.info("[Set 'server role' "
+                "to 'IPA PRIMARY DOMAIN CONTROLLER' in Samba configuration]")
+
+    args = [paths.NET, "conf", "setparm", "global",
+            "server role", "IPA PRIMARY DOMAIN CONTROLLER"]
+
+    try:
+        ipautil.run(args)
+    except ipautil.CalledProcessError as e:
+        # Only report an error if return code is not 255
+        # which indicates that the new server role is not supported
+        # and we don't need to do anything
+        if e.returncode != 255:
+            logger.warning("Error updating Samba registry: %s", e)
 
 def ca_configure_profiles_acl(ca):
     logger.info('[Authorizing RA Agent to modify profiles]')
-- 
2.31.1
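Review bot: When `net conf setparm` exits 255 the new block stays silent, so the upgrade log gives no sign that the server is still running the classic PDC role that, per the commit message, Samba with the CVE-2020-25717 mitigations treats as unable to do Kerberos; an `else:` with `logger.info("Samba does not support the 'IPA PRIMARY DOMAIN CONTROLLER' server role yet; keeping the current 'server role'")` would let operators see that the switch was deferred rather than done. The role string in `args` and in the `logger.info` message also duplicates `ADTRUSTInstance.SERVER_ROLE_NEW`; if upgrade.py already imports adtrustinstance (not visible in this hunk), both should reference that constant so the two files cannot drift. `upgrade_adtrust_config` starts outside the hunk, so whether this runs only on servers with the ADTRUST role configured cannot be checked here.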