Feature/inv1 peap rework (#7891)

* update ntlm_auth_wrapper for to support curl API calls

* remove logs

* remove logs

* changing Makefile used to compile ntlm_auth_wrapper

* clean up

* add form fields in domains

* change form

* add store module example, add test button to password

* remove binary options for ntlm_auth_wrapper.

* adds error handling for ntlm auth backend api

* adds ntlm_auth backend api
adds docker wrapper and systemd configs

* change migration script to handle multiple AD sections

* clean up

* adds perl dependencies in SPEC

* adds machine account test endpoint
adds last active time for connection dropping and re-establishing

* change docker wrapper to kill all ntlm-auth-api containers

* mschap auth flow changes: adds PacketFence-NTLM-Auth-Host, PacketFence-NTLM-Auth-Port to be passed to ntlm_auth

* mschap auth flow changes: adds PacketFence-NTLM-Auth-Host, PacketFence-NTLM-Auth-Port to be passed to ntlm_auth

* ntlm auth backend will read from domains.conf

* adds error handling for migration script

* adds rewrite resolv.conf in containers

* changes docker wrapper to run multiple containers

* change build process for dev scenario.

* test machine account

* removes machine account

* clean up, adds services that requires a restart

* clean up, removes lint errors

* UI change, adds domain admin user and password field for domain join and update

* machine account test

* change create / delete domain logic

* change domain admin username and password back to bind_dn and bind_pass

* change method to POST

* fix a run multiple image failure issue

* adds label for machine account password
changes function name to a proper one

* update domain.pm for better error handling

* update domain config UI, show test button in machine account field only when editing a domain conf.

* - adds http test alive router for service health check
- change ntlm-auth-api service status logic to service unhealthy if any API is not available.

* backups old config files before running migration script

* change machine account password to "password" section by default

* ntlm-auth-dockerwrapper will block

* show message instead of http response in ntlm-auth-test

* collect ntlm auth api using syslog

* removes save and join option when editing domain

* fix no "ntlm-auth-api" not shown in pfcmd

* add isManaged status to fix "service not required / pfcmd service broken"

* add domain validator to enforce unique workgroup and dns_name

* adjust wording

* remove join/rejoin/unjoin artifacts, lint cleanup

* fix typos and bugs

* remove winbindd

* transfer ntlm-auth-api logs to packetfence.log

* removes winbindd
fix pfcmd

* add new container in ci

* wake up gitlab

* Revert "wake up gitlab"

This reverts commit 763aecc.

* fix systemd services

* removes winbindd from spec

* Updated rpm packaging

* Temp patch for missing libdigest-md4-perl package

* fix ntlm machine account test check supports both plain text password and nt hash

* remove services temporarily

* add back

* split ad_server into separate ip/fqdn fields, deprecate gethostbyaddr where external DNS is used and rDNS is not possible

* fix password not being passed to python api for validation

* adjust validations

* adjust validations

* remove generatedomainconfig and samba related

* Removed winbindd from admin ui

* Fixed packaging issue after rebase

* Fix for rhel packaging

* adds dns_resolve to pf util

* change typos, form field labels

* Updated dns lookup

* Fixed missing impacket-addcomputer

* Fixed typo

* change typos, adds fallback option for dns resolve and gethostbyname

* removes unused join unjoin stuff
adds rejoin capability if machine account is deleted on AD without notifying Packetfence

* change fqdn resolv logic

* update required packetfence-perl version

* resolve ad IP using util

* remove NTLMv2 support

* adds extra logs for troubleshooting purpose

* address PR comments

* address PR comments

---------

Co-authored-by: Darren Satkunas <[email protected]>
Co-authored-by: JeGoi <[email protected]>
Co-authored-by: Durand Fabrice <[email protected]>

.gitlab-ci.yml

@@ -642,6 +642,7 @@ pfdeb_based_dev:
           - "proxysql"
           - "pfldapexplorer"
           - "kafka"
+          - "ntlm-auth-api"
 
 img_dev:
   extends:
@@ -724,6 +725,7 @@ pfdeb_based_br_maint:
           - "proxysql"
           - "pfldapexplorer"
           - "kafka"
+          - "ntlm-auth-api"
 
 img_br_maint:
   extends:
@@ -806,6 +808,7 @@ pfdeb_based_cloud_nac:
           - "proxysql"
           - "pfldapexplorer"
           - "kafka"
+          - "ntlm-auth-api"
 
 img_cloud_nac:
   extends:
@@ -888,6 +891,7 @@ pfdeb_based_rel:
           - "proxysql"
           - "pfldapexplorer"
           - "kafka"
+          - "ntlm-auth-api"
 
 img_rel:
   extends:

Makefile

@@ -110,7 +110,7 @@ bin/pfcmd: src/pfcmd.c
 	$(CC) -O2 -g -std=c99  -Wall $< -o $@
 
 bin/ntlm_auth_wrapper: src/ntlm_auth_wrap.c
-	$(CC) -g -std=c99 -Wall $< -o $@
+	$(CC) -g -std=c99 -Wall $< -o $@ -lcurl -lcjson
 
 src/mariadb_udf/pf_udf.so: src/mariadb_udf/pf_udf.c $(PF_UDF_OBJ)
 	$(CC) -O2 -Wall -g $$(pkg-config libmariadb --cflags) -fPIC -shared -o $@ $< $(PF_UDF_OBJ)

addons/monit/monit_build_configuration.pl

@@ -26,7 +26,6 @@ BEGIN
     'portsec'           => '10_packetfence-portsec',
     'drbd'              => '20_packetfence-drbd',
     'active-active'     => '30_packetfence-activeactive',
-    'os-winbind'        => '40_OS-winbind',
     'os-checks'         => '50_OS-checks',
 );
 
@@ -44,7 +43,6 @@ BEGIN
     print "  - portsec: Will add some checks for port-security related services\n";
     print "  - drbd: Will add some checks for DRBD\n";
     print "  - active-active: Will add some checks for active-active clustering related services\n";
-    print "  - os-winbind: Will add a check for the operating system winbindd process. Use it when the winbind/samba configuration is made outside PacketFence\n";
     print "  - os-checks: Will add some OS best-practices checks\n";
     print "mailserver: IP or resolvable FQDN of the mail server to use to send alerts (optional)\n";
     die "\n";
@@ -136,23 +134,18 @@ sub generate_specific_configurations {
         my $destination_file = catfile($MONIT_PATH,$CONFIGURATION_TO_TEMPLATE{$configuration} . $CONF_FILE_EXTENSION);
         print " - $destination_file\n";
 
-        # Handling domains (winbind configuration)
-        my $domains = handle_domains();
 
         my $tt = Template->new(ABSOLUTE => 1);
         my $freeradius_bin = ( $OS eq "rhel" ) ? "radiusd" : "freeradius";
         my $mail_bin = ( $OS eq "rhel" ) ? "/bin/mail" : "/usr/bin/mail";
         my $service_bin = ( $OS eq "rhel" ) ? "/sbin/service" : "/usr/sbin/service";
-        my $winbindd_pid = ( $OS eq "rhel" ) ? "/var/run/winbindd.pid" : "/var/run/samba/winbindd.pid";
         my $vars = {
             FREERADIUS_BIN      => $freeradius_bin,
             EMAILS              => \@emails,
             SUBJECT_IDENTIFIER  => $subject_identifier,
             MAILSERVER          => $mailserver,
-            DOMAINS             => $domains,
             MAIL_BIN            => $mail_bin,
             SERVICE_BIN         => $service_bin,
-            WINBINDD_PID        => $winbindd_pid,
             ACTIVE_ACTIVE       => (any { $_ eq 'active-active' } @configurations),
             FINGERBANK_ENABLED  => $fingerbank_enabled,
         };
@@ -161,21 +154,6 @@ sub generate_specific_configurations {
 }
 
 
-=head2 handle_domains
-
-Generate the managed by PacketFence domain list array to be used in configuration templates
-
-=cut
-
-sub handle_domains {
-    use pf::config;
-    use pf::file_paths;
-    my %domains = ();
-    foreach my $domain ( keys(%pf::config::ConfigDomain) ) {
-        $domains{$domain} = "$pf::file_paths::var_dir/run/$domain/winbindd.pid";
-    }
-    return \%domains;
-}
 
 
 1;

addons/monit/monit_checks_configurations/00_packetfence.tt

@@ -208,29 +208,6 @@ CHECK PROCESS packetfence-pfpki MATCHING "pfpki"
     stop program  = "/usr/local/pf/bin/pfcmd service pfpki stop"
     if 3 restarts within 10 cycles then alert
 
-[% IF DOMAINS.size > 0 %]
-CHECK PROCESS packetfence-winbind MATCHING "winbindd-wrapper"
-    group PacketFence
-    start program = "/usr/local/pf/bin/pfcmd service winbindd restart" with timeout 60 seconds
-    stop program = "/usr/local/pf/bin/pfcmd service winbindd stop"
-    if 3 restarts within 10 cycles then alert
-
-[% FOREACH domain IN DOMAINS.keys %]
-CHECK PROCESS packetfence-winbind-[% domain %] MATCHING "/usr/sbin/winbindd -s /etc/samba/[% domain %].conf -l /var/log/samba[% domain %] --foreground"
-    group PacketFence
-    if changed ppid then alert
-    depends on packetfence-winbind
-
-CHECK PROGRAM packetfence-ntlm-[% domain %] with path "/usr/bin/timeout 5 /usr/sbin/ip netns exec [% domain %] /usr/sbin/chroot /chroots/[% domain %]/ /usr/bin/wbinfo -P"
-    group PacketFence
-    # There is no need to start the program, the winbindd-wrapper takes care of it if this gets stopped
-    start program = "/bin/true" with timeout 60 seconds
-    stop program  = "/bin/bash -c 'export pid=`cat /usr/local/pf/var/run/[% domain %]/winbindd.pid` ; pkill -9 -P $pid ; kill -9 $pid'"
-    if status == 124 for 3 cycles then restart # (30 seconds being down)
-    every 5 cycles # every 10 seconds (if 1 cycle is 2 seconds)
-[% END %]
-
-[% END %]
 
 check program monitoring-mysql-connections with path /usr/local/pf/addons/monit/monitoring-scripts/monitor_mysql_connections.pl
     group OS