<feed xmlns='http://www.w3.org/2005/Atom'>
<title>freeipa.git, branch oneway-trust</title>
<subtitle>FreeIPA project</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/'/>
<entry>
<title>trust: support retrieving POSIX IDs with one-way trust during trust-add</title>
<updated>2015-07-07T08:09:03+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2015-07-06T14:46:24+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=52e2ec266a293891819682487e37644ffcf11e4a'/>
<id>52e2ec266a293891819682487e37644ffcf11e4a</id>
<content type='text'>
With one-way trust we cannot rely on a cross-realm TGT as there will be none.
Thus, if we have AD administrator credentials, we should reuse them.
Additionally, such use should be done over Kerberos.

Fixes:
 https://fedorahosted.org/freeipa/ticket/4960
 https://fedorahosted.org/freeipa/ticket/4959
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
With one-way trust we cannot rely on a cross-realm TGT as there will be none.
Thus, if we have AD administrator credentials, we should reuse them.
Additionally, such use should be done over Kerberos.

Fixes:
 https://fedorahosted.org/freeipa/ticket/4960
 https://fedorahosted.org/freeipa/ticket/4959
</pre>
</div>
</content>
</entry>
<entry>
<title>trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs</title>
<updated>2015-07-07T08:09:03+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2015-06-05T17:56:12+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=a985b1792325e24584b2a0af27d88a494ef9c513'/>
<id>a985b1792325e24584b2a0af27d88a494ef9c513</id>
<content type='text'>
Part of https://fedorahosted.org/freeipa/ticket/4959
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Part of https://fedorahosted.org/freeipa/ticket/4959
</pre>
</div>
</content>
</entry>
<entry>
<title>ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab</title>
<updated>2015-07-07T08:09:03+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2015-06-05T15:31:32+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=98c640cf0917ca22b60e6ac4ad70a2da7aa11e7b'/>
<id>98c640cf0917ca22b60e6ac4ad70a2da7aa11e7b</id>
<content type='text'>
When retrieving a keytab, it is useful to know what user was attempting
to fetch the keytab and failed. This is useful to debug one-way trust,
where SSSD forks out an ipa-getkeytab process and it might be using
the wrong credentials cache for authentication purposes.

Part of https://fedorahosted.org/freeipa/ticket/4959
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When retrieving a keytab, it is useful to know what user was attempting
to fetch the keytab and failed. This is useful to debug one-way trust,
where SSSD forks out an ipa-getkeytab process and it might be using
the wrong credentials cache for authentication purposes.

Part of https://fedorahosted.org/freeipa/ticket/4959
</pre>
</div>
</content>
</entry>
<entry>
<title>trusts: add support for one-way trust and switch to it by default</title>
<updated>2015-07-07T08:09:03+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2015-06-05T12:57:02+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=3d975c104be2bd68df53617bc82883aa1a001833'/>
<id>3d975c104be2bd68df53617bc82883aa1a001833</id>
<content type='text'>
One-way trust is the default now; use 'trust add --two-way' to
force bidirectional trust.

https://fedorahosted.org/freeipa/ticket/4959

In case of one-way trust we cannot authenticate using a cross-realm TGT
against an AD DC. We have to use the trusted domain object from within the AD
domain, and access to this object is limited to avoid compromising the whole
trust configuration.

Instead, the IPA framework can call out to the oddjob daemon and ask it to
run a script which can have access to the TDO object. This script
(com.redhat.idm.trust-fetch-domains) uses the cifs/ipa.master principal
to retrieve TDO object credentials from IPA LDAP if needed and then
authenticates against AD DCs using the TDO object credentials.

The script pulls the trust topology out of AD DCs and updates the IPA LDAP
store. Then the IPA framework can pick up the updated data from IPA LDAP
under normal access conditions.

Part of https://fedorahosted.org/freeipa/ticket/4546
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
One-way trust is the default now; use 'trust add --two-way' to
force bidirectional trust.

https://fedorahosted.org/freeipa/ticket/4959

In case of one-way trust we cannot authenticate using a cross-realm TGT
against an AD DC. We have to use the trusted domain object from within the AD
domain, and access to this object is limited to avoid compromising the whole
trust configuration.

Instead, the IPA framework can call out to the oddjob daemon and ask it to
run a script which can have access to the TDO object. This script
(com.redhat.idm.trust-fetch-domains) uses the cifs/ipa.master principal
to retrieve TDO object credentials from IPA LDAP if needed and then
authenticates against AD DCs using the TDO object credentials.

The script pulls the trust topology out of AD DCs and updates the IPA LDAP
store. Then the IPA framework can pick up the updated data from IPA LDAP
under normal access conditions.

Part of https://fedorahosted.org/freeipa/ticket/4546
</pre>
</div>
</content>
</entry>
<entry>
<title>ipa-adtrust-install: allow configuring of trust agents</title>
<updated>2015-07-07T08:05:48+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2015-06-04T21:29:36+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=65422777e6721bcf7708805f001eb39016495830'/>
<id>65422777e6721bcf7708805f001eb39016495830</id>
<content type='text'>
Trust agents are IPA masters without Samba which can serve
information about users from trusted forests. Such IPA masters
cannot be used to configure a trust, but they can resolve AD users and groups
for IPA clients enrolled to them.

Since support from both FreeIPA and SSSD is needed to enable
trust agent support, we currently only consider those IPA masters
which have been upgraded to FreeIPA 4.2 or later.

Part of https://fedorahosted.org/freeipa/ticket/4951
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Trust agents are IPA masters without Samba which can serve
information about users from trusted forests. Such IPA masters
cannot be used to configure a trust, but they can resolve AD users and groups
for IPA clients enrolled to them.

Since support from both FreeIPA and SSSD is needed to enable
trust agent support, we currently only consider those IPA masters
which have been upgraded to FreeIPA 4.2 or later.

Part of https://fedorahosted.org/freeipa/ticket/4951
</pre>
</div>
</content>
</entry>
<entry>
<title>ipa-sidgen: reduce log level to normal if domain SID is not available</title>
<updated>2015-07-07T08:05:48+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2015-06-04T17:36:32+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=c6b834931193b66063c982078dac7bfaeacb950a'/>
<id>c6b834931193b66063c982078dac7bfaeacb950a</id>
<content type='text'>
To support AD trust agents, we need to run the sidgen and extdom plugins
on every IPA master. Lack of a working configuration is thus not a
failure, so reduce the log level to normal: the sidgen plugin will not
be active if the domain SID is missing, but it can certainly be kept
enabled.

Part of https://fedorahosted.org/freeipa/ticket/4951
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
To support AD trust agents, we need to run the sidgen and extdom plugins
on every IPA master. Lack of a working configuration is thus not a
failure, so reduce the log level to normal: the sidgen plugin will not
be active if the domain SID is missing, but it can certainly be kept
enabled.

Part of https://fedorahosted.org/freeipa/ticket/4951
</pre>
</div>
</content>
</entry>
<entry>
<title>trusts: pass AD DC hostname if specified explicitly</title>
<updated>2015-07-07T08:05:48+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2015-05-28T11:49:58+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=4a856d8ff597ec516cc1eb05f06e062bb4ecca5b'/>
<id>4a856d8ff597ec516cc1eb05f06e062bb4ecca5b</id>
<content type='text'>
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047
</pre>
</div>
</content>
</entry>
<entry>
<title>ipa-kdb: filter out group membership from MS-PAC for exact SID matches too</title>
<updated>2015-07-07T07:33:53+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2015-05-28T08:33:51+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=a797874359544e431bdd96dd11e26f404c578db0'/>
<id>a797874359544e431bdd96dd11e26f404c578db0</id>
<content type='text'>
When the incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.

Note that we treat filtering of the user's SID and primary group RID as a violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.

For group RIDs we filter them out and, in the unlikely event of an empty
list of groups, treat that as a violation of the KDC policy as well.

Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When the incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.

Note that we treat filtering of the user's SID and primary group RID as a violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.

For group RIDs we filter them out and, in the unlikely event of an empty
list of groups, treat that as a violation of the KDC policy as well.

Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475
</pre>
</div>
</content>
</entry>
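The SID-blacklist filtering described in the commit above, as an added worked example in Python (not code from FreeIPA or ipa-kdb, which implements this in C). It models the PAC logon info with a small constructed dataclass, treats a blacklisted user SID or primary group SID as a KDC policy violation, drops blacklisted group RIDs and extra SIDs, and rejects a PAC whose group list ends up empty. The LogonInfo structure, the domain-prefix matching for blacklist entries that name a whole domain, and the sample SIDs are assumptions made for illustration, not the project's own data.

```python
from dataclasses import dataclass, field, replace


class KdcPolicyViolation(Exception):
    """Raised when filtering would leave the PAC without a user SID,
    a primary group, or any group at all (a KDC policy violation)."""


@dataclass
class LogonInfo:
    """Constructed, minimal model of the PAC logon-info fields relevant
    to SID filtering. This is an assumption for the example, not the
    real KERB_VALIDATION_INFO wire structure."""
    domain_sid: str                 # SID of the user's own domain
    user_rid: int                   # user's RID within domain_sid
    primary_group_rid: int          # primary group RID within domain_sid
    group_rids: list = field(default_factory=list)   # groups in domain_sid
    extra_sids: list = field(default_factory=list)   # full SIDs, other domains

    def user_sid(self):
        return "%s-%d" % (self.domain_sid, self.user_rid)

    def primary_group_sid(self):
        return "%s-%d" % (self.domain_sid, self.primary_group_rid)


def sid_is_blacklisted(sid, blacklist):
    """A blacklist entry matches a SID exactly, or, when the entry is a
    domain SID, matches every SID issued by that domain (the trailing "-"
    keeps S-1-5-21-1-2-3 from matching S-1-5-21-1-2-30). Domain-prefix
    matching is an assumption about the pre-existing domain-level filter."""
    for entry in blacklist:
        if sid == entry or sid.startswith(entry + "-"):
            return True
    return False


def filter_pac_logon_info(info, blacklist):
    """Return a copy of info with blacklisted group memberships removed.

    Rules, following the commit message:
      * a blacklisted user SID or primary group SID is a policy violation,
        because the PAC would be invalid without them;
      * blacklisted group RIDs and extra SIDs are dropped;
      * an empty group list after filtering is a policy violation too.
    """
    if sid_is_blacklisted(info.user_sid(), blacklist):
        raise KdcPolicyViolation("user SID %s is blacklisted" % info.user_sid())
    if sid_is_blacklisted(info.primary_group_sid(), blacklist):
        raise KdcPolicyViolation(
            "primary group SID %s is blacklisted" % info.primary_group_sid())

    kept_rids = [
        rid for rid in info.group_rids
        if not sid_is_blacklisted("%s-%d" % (info.domain_sid, rid), blacklist)
    ]
    kept_extra = [
        sid for sid in info.extra_sids
        if not sid_is_blacklisted(sid, blacklist)
    ]
    if not kept_rids:
        raise KdcPolicyViolation("no group membership left after filtering")

    return replace(info, group_rids=kept_rids, extra_sids=kept_extra)


def demo():
    """Constructed sample: a user of domain S-1-5-21-1-2-3 whose PAC carries
    one group SID from a domain the KDC refuses entirely and one exact group
    SID from the user's own domain that is blacklisted individually."""
    info = LogonInfo(
        domain_sid="S-1-5-21-1-2-3",
        user_rid=1105,
        primary_group_rid=513,
        group_rids=[513, 1106, 1107],
        extra_sids=["S-1-5-21-9-9-9-1001", "S-1-5-21-4-5-6-2001"],
    )
    blacklist = ["S-1-5-21-9-9-9", "S-1-5-21-1-2-3-1107"]
    return filter_pac_logon_info(info, blacklist)


if __name__ == "__main__":
    print(demo())
```

Running the module prints the filtered logon info: RID 1107 and the S-1-5-21-9-9-9 group are gone, 513 and 1106 and the S-1-5-21-4-5-6 group survive. Putting the user SID or the primary group SID (here S-1-5-21-1-2-3-513) on the blacklist makes filter_pac_logon_info raise KdcPolicyViolation instead of emitting a PAC with those fields stripped.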
<entry>
<title>ipa-kdb: use proper memory chunk size when moving sids</title>
<updated>2015-07-07T07:33:53+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2015-05-20T15:24:52+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=0e252fb1f8455daa87dccbc6dcba61b08570b444'/>
<id>0e252fb1f8455daa87dccbc6dcba61b08570b444</id>
<content type='text'>
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475
</pre>
</div>
</content>
</entry>
<entry>
<title>ipa-adtrust-install: add IPA master host principal to adtrust agents</title>
<updated>2015-07-07T07:33:53+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2015-05-12T12:31:46+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=b850385e6bdfd727cb5a801ae4f341dbd93331fe'/>
<id>b850385e6bdfd727cb5a801ae4f341dbd93331fe</id>
<content type='text'>
Fixes https://fedorahosted.org/freeipa/ticket/4951
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fixes https://fedorahosted.org/freeipa/ticket/4951
</pre>
</div>
</content>
</entry>
</feed>
