3692a1c trusts: harden trust-fetch-domains oddjobd-based script

2 files. Authored by abbra 8 years ago, committed by mbasti 8 years ago.
    trusts: harden trust-fetch-domains oddjobd-based script
    
    When ipa-getkeytab is used to fetch trusted domain object credentials,
    the fetched entry always has kvno 1. ipa-getkeytab always adds a key to
    the keytab, which means older key versions will remain in the SSSD keytab
    and will confuse the libkrb5 ccache initialization code, as all kvno
    values are equal to 1. The wrong key is then picked up and kinit fails.
    
    To solve this problem, always remove existing
    /var/lib/sss/keytabs/forest.keytab before retrieving a new one.
    
    To make sure the script's input cannot be used to define what should be
    removed (by passing a relative path), make sure we retrieve the trusted
    forest name from LDAP. If it is not possible to retrieve it, the script
    will raise an exception and quit. If abrtd is running, this will be
    recorded as a 'crash', so an attempt to use the script by a malicious
    user would be recorded in the abrtd journal as well.
    
    Additionally, as com.redhat.idm.trust-fetch-domains will create
    ID ranges for the domains of the trusted forest if they don't exist,
    it needs permissions to do so. The permission should be granted only
    to cifs/ipa.master@IPA.REALM services which means they must have
    krbprincipalname=cifs/*@IPA.REALM,cn=services,... DN and be members of
    cn=adtrust agents,cn=sysaccounts,... group.
    
    Solves https://bugzilla.redhat.com/show_bug.cgi?id=1250190
    
    Ticket https://fedorahosted.org/freeipa/ticket/5182
    
    Reviewed-By: Tomas Babej <tbabej@redhat.com>
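The hardening described in the commit message has two parts: derive the keytab file name only from a trusted source, and remove the stale keytab before fetching a new one so that no duplicate kvno 1 keys accumulate. The following Python snippet is an added illustration of that pattern and is not FreeIPA's trust-fetch-domains script. The function names (`keytab_path`, `remove_stale_keytab`), the `InvalidForestName` exception and the `keytab_dir` parameter are assumptions made for the example; the real script obtains the forest name from LDAP, which this example models by taking the name as an argument and refusing anything that is not a DNS domain name.

```python
import re
from pathlib import Path

# Assumed keytab directory; the commit names /var/lib/sss/keytabs.
# It is a parameter here so the logic can be exercised in a scratch directory.
DEFAULT_KEYTAB_DIR = "/var/lib/sss/keytabs"

# A trusted forest name is a DNS domain name: dot-separated labels made of
# letters, digits and hyphens. Slashes, "..", whitespace and so on are
# rejected before any path is built from the value.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


class InvalidForestName(ValueError):
    """Raised when the forest name cannot safely name a keytab file."""


def keytab_path(forest: str, keytab_dir: str = DEFAULT_KEYTAB_DIR) -> Path:
    """Return the keytab path for a forest, refusing names that are not
    plain DNS domain names or that would resolve outside keytab_dir."""
    if not _DOMAIN_RE.match(forest):
        raise InvalidForestName(f"not a DNS domain name: {forest!r}")
    base = Path(keytab_dir).resolve()
    path = (base / f"{forest.lower()}.keytab").resolve()
    # The regex already excludes path separators; this second check
    # guarantees the resolved file still sits directly in the keytab directory.
    if path.parent != base:
        raise InvalidForestName(f"keytab path escapes {base}: {path}")
    return path


def remove_stale_keytab(forest: str, keytab_dir: str = DEFAULT_KEYTAB_DIR) -> bool:
    """Delete the forest's existing keytab so a fresh fetch does not leave
    several kvno 1 keys side by side. Returns True if a file was removed."""
    path = keytab_path(forest, keytab_dir)
    try:
        path.unlink()
        return True
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    # Constructed sample input: a well-formed forest name and an attempt to
    # smuggle a relative path through the same parameter.
    print(keytab_path("ad.example.test"))
    for bad in ("../../etc/krb5.keytab", "ad.example.test/..", "forest name"):
        try:
            keytab_path(bad)
        except InvalidForestName as exc:
            print("rejected:", exc)
```

Because the file name is derived from a validated value and then checked against the resolved directory, a caller that could influence the forest name still cannot point the removal step at an arbitrary file, which is the property the commit message is after.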