From ffd6fae9cbd390db82c4a5df69cadea016a04ec2 Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Fri, 20 Feb 2015 22:21:13 +0100
Subject: [PATCH] Disable automatic AD joins by default
We only offer them as an option to clients if they have been configured in the realmd.conf file. This is because automatic AD joins do not have the mutual authentication we usually expect with kerberos. The computer account secret is predictable and not secure enough to be on by default. https://bugs.freedesktop.org/show_bug.cgi?id=89205
---
 doc/manual/realm.xml | 5 ++---
 doc/manual/realmd-guide-active-directory.xml | 1 -
 doc/manual/realmd.conf.xml | 20 ++++++++++++++++++++
 service/realm-options.c | 13 +++++++++++++
 service/realm-options.h | 2 ++
 service/realm-sssd-ad.c | 13 ++++++++++++-
 6 files changed, 49 insertions(+), 5 deletions(-)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index 4b19766..aa79ec6 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -160,9 +160,8 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com must have a supported mechanism for joining from a client machine, such as Active Directory or IPA. - Unless a --user is explicitly specified, an - automatic join is attempted first. Automatic joins require pre-configuration - on the domain side, and may not be supported by all domains. + If the domain has been preconfigured, and unless --user + is explicitly specified, an automatic join is attempted first. Note that the --user , --no-password, and --one-time-password options are mutually exclusive.
diff --git a/doc/manual/realmd-guide-active-directory.xml b/doc/manual/realmd-guide-active-directory.xml
index 401d299..9b4535d 100644
--- a/doc/manual/realmd-guide-active-directory.xml
+++ b/doc/manual/realmd-guide-active-directory.xml
@@ -139,7 +139,6 @@ $ realm join --verbose domain.example.com Discovers information about the domain. Installs the necessary software to join the domain, such as SSSD or Winbind. - Tries to join the domain automatically, without administrative credentials. If administrative credentials are required, a password will be prompted for. A computer account in the domain will be created, and or updated. A host keytab file at /etc/krb5.keytab is created.
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index b85c057..7f969fa 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -339,6 +339,26 @@ user-principal = yes + + + This option only applies to Active Directory realms. This option + is off by default. In Active Directory domains, a computer account can + be preset with a known computer account password. This can be used for + automatic joins without authentication. + + When automatic joins are used there is no mutual authentication + between the machine and the domain during the join process. + + + +[domain.example.com] +automatic-join = yes + + + + + + This option is on by default for Active Directory realms.
diff --git a/service/realm-options.c b/service/realm-options.c
index f7a473c..6f7d915 100644
--- a/service/realm-options.c
+++ b/service/realm-options.c
@@ -96,6 +96,19 @@ realm_options_automatic_mapping (const gchar *realm_name)
 }
 
 gboolean
+realm_options_automatic_join (const gchar *realm_name)
+{
+ gchar *section;
+ gboolean mapping;
+
+ section = g_utf8_casefold (realm_name, -1);
+ mapping = realm_settings_boolean (realm_name, "automatic-join", FALSE);
+ g_free (section);
+
+ return mapping;
+}
+
+gboolean
 realm_options_qualify_names (const gchar *realm_name)
 {
 gchar *section;
diff --git a/service/realm-options.h b/service/realm-options.h
index 4c95927..10af386 100644
--- a/service/realm-options.h
+++ b/service/realm-options.h
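Review bot: In realm_options_automatic_join the casefolded `section` is computed and freed but never used — `realm_settings_boolean` is called with the original `realm_name`, so the casefold has no effect and the result is stored in a variable named `mapping`, which reads like a copy of realm_options_automatic_mapping. Either pass the folded name, `mapping = realm_settings_boolean (section, "automatic-join", FALSE);`, or drop the `g_utf8_casefold`/`g_free` pair, depending on whether realm_settings_boolean folds case itself (not visible here). Since this flag gates the join path that the commit message says has no mutual authentication, a realm whose configured section differs only in case from the name the caller passes should not silently fall back to the default. Renaming `mapping` to `join` and adding `/* Off by default: automatic AD joins have no mutual authentication, see realmd.conf(5) */` above the function would document the intent. realm_options_automatic_mapping, which this appears to mirror, has its body outside the hunk.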
@@ -26,6 +26,8 @@ gboolean realm_options_manage_system (GVariant *options, gboolean realm_options_automatic_install (GVariant *options); +gboolean realm_options_automatic_join (const gchar *realm_name); + const gchar * realm_options_computer_ou (GVariant *options, const gchar *realm_name);
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index c5e4b35..abd7fa7 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -445,7 +445,18 @@ realm_sssd_ad_join_creds (RealmKerberosMembership *membership)
 { 0, },
 };
 
- return creds;
+ static const RealmCredential creds_no_auto[] = {
+ { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_ADMIN, },
+ { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_USER, },
+ { REALM_CREDENTIAL_CCACHE, REALM_CREDENTIAL_OWNER_ADMIN, },
+ { REALM_CREDENTIAL_SECRET, REALM_CREDENTIAL_OWNER_NONE, },
+ { 0, }
+ };
+
+ const gchar *name;
+
+ name = realm_kerberos_get_name (REALM_KERBEROS (membership));
+ return realm_options_automatic_join (name) ? creds : creds_no_auto;
 }
 
 typedef struct {
-- 
2.1.0
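Review bot: creds_no_auto in realm_sssd_ad_join_creds is a second hand-maintained copy of the `creds` table declared above the hunk, minus the automatic-join entry, and nothing ties the two together, so a credential type added to one later is easily missed in the other; a comment such as `/* Same as creds above without the automatic-join entry; keep the two in sync */` placed above creds_no_auto would make the pairing explicit. This change only alters which credential types are advertised to clients — if the join handler accepts whichever credential type a client presents, the unauthenticated automatic join may still be reachable when `automatic-join` is unset, so the join path should consult realm_options_automatic_join as well (whether it already does is not visible in this diff). If realm_kerberos_get_name can return NULL for a realm without a name, `name` is passed straight into realm_options_automatic_join, whose g_utf8_casefold call would then see NULL; a guard, `return (name && realm_options_automatic_join (name)) ? creds : creds_no_auto;`, would keep the conservative table in that case. The function's `creds` declaration and opening lines are outside the hunk.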