Add detection of wrong SIDs in accounts after 'ipa migrate-ds' #242

Open
abbra opened this issue Jan 17, 2022 · 2 comments

Comments


abbra commented Jan 17, 2022

With hardening against CVE-2020-25717, FreeIPA KDC now performs a number of checks for SIDs of user accounts. Namely:

  • the domain SID of a user account's SID must correspond to the IPA domain SID
  • a ticket requested using a cross-realm TGT will have to have a SID either from the IPA domain or from any domain we have a trust with

On freeipa-users@ it was already reported that if users were migrated from an old installation with the help of ipa migrate-ds, they would have SIDs generated in the older IPA deployment and thus would be different from the SID in the current IPA setup. Reference: https://lists.fedorahosted.org/archives/list/[email protected]/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/

Add a check for that.

It is possible to fix this issue by removing the SID attribute and the object class that requires it, and then calling ipa config-mod --add-sids --enable-sids to regenerate the missing SIDs. Since old SIDs are invalid in the new environment and IPA does not have SID history, they can be removed unless the SIDs were used on the Windows side to assign permissions. We don't generally support that yet without the Global Catalog feature, though.

@rcritten (Collaborator) commented:

So I guess a query for SIDs that don't match the domain SID would be the best way to find errant entries. How can I determine the domain SID for the IPA install?


abbra commented Jan 17, 2022

You can retrieve the local domain SID from trustconfig_show:

>>> api.Command.trustconfig_show()
{'result': {'ipantfallbackprimarygroup': ('Default SMB Group',), 'ipantsecurityidentifier': ('S-1-5-21-some-id-value',), 'ipantflatname': ('EXAMPLE',), 'ipantdomainguid': ('1234567-b448-48cb-9cba-1267878536bb',), 'cn': ('example.test',), 'ad_trust_agent_server': ('dc.example.test',), 'ad_trust_controller_server': ('dc.example.test',), 'dn': 'cn=example.test,cn=ad,cn=etc,dc=example,dc=test'}, 'value': 'ad', 'summary': None}

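A check of the kind rcritten describes, as an added example (not freeipa-healthcheck or FreeIPA code): it takes the domain SID out of a trustconfig_show result and flags entries whose ipantsecurityidentifier does not belong to that domain, separating missing and malformed SIDs from SIDs of a foreign (for example, pre-migration) domain. The trustconfig result and the user entries below are constructed; a real check would read the entries from LDAP.

```python
import re

# Constructed stand-in for api.Command.trustconfig_show(), trimmed to the
# attribute this check needs. The SID value is made up.
SAMPLE_TRUSTCONFIG = {
    "result": {"ipantsecurityidentifier": ("S-1-5-21-1111111111-2222222222-3333333333",)},
    "value": "ad",
    "summary": None,
}

# Constructed user entries, as a search over the users container might return them.
SAMPLE_ENTRIES = [
    {"uid": "alice", "ipantsecurityidentifier": "S-1-5-21-1111111111-2222222222-3333333333-1001"},
    # migrated with ipa migrate-ds: still carries the old deployment's domain SID
    {"uid": "bob", "ipantsecurityidentifier": "S-1-5-21-9999999999-8888888888-7777777777-1002"},
    {"uid": "carol"},  # no SID at all; config-mod --add-sids would generate one
    {"uid": "dave", "ipantsecurityidentifier": "S-1-5-21-1111111111"},  # truncated value
]

# An account SID is the domain SID (S-1-5-21-X-Y-Z) followed by a relative identifier.
ACCOUNT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def domain_sid_from_trustconfig(trustconfig):
    """Extract the local domain SID from a trustconfig_show result dict."""
    return trustconfig["result"]["ipantsecurityidentifier"][0]


def sid_domain(sid):
    """Return the domain portion of an account SID, or None if it is malformed."""
    m = ACCOUNT_SID_RE.match(sid)
    return m.group(1) if m else None


def find_bad_sids(entries, domain_sid):
    """Return (uid, sid, reason) for every entry whose SID is not a SID of this domain."""
    findings = []
    for entry in entries:
        uid = entry.get("uid", "<unknown>")
        sid = entry.get("ipantsecurityidentifier")
        if sid is None:
            findings.append((uid, None, "missing"))
        elif sid_domain(sid) is None:
            findings.append((uid, sid, "malformed"))
        elif sid_domain(sid) != domain_sid:
            findings.append((uid, sid, "foreign domain"))
    return findings


if __name__ == "__main__":
    for uid, sid, reason in find_bad_sids(SAMPLE_ENTRIES, domain_sid_from_trustconfig(SAMPLE_TRUSTCONFIG)):
        print(f"{uid}: {sid} ({reason})")
```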