freeipa.git, branch trusts-master FreeIPA project ipasam: add enumeration of UPN suffixes based on the realm domains 2013-03-25T16:45:22+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-03-22T15:30:41+00:00 f400d55eaec99b3e5440e90b6a6d055e26529e7e PASSDB API in Samba adds support for specifying UPN suffixes. The change in ipasam will allow to pass through list of realm domains as UPN suffixes so that Active Directory domain controller will be able to recognize non-primary UPN suffixes as belonging to IPA and properly find our KDC for cross-realm TGT. Since Samba already returns primary DNS domain separately, filter it out from list of UPN suffixes. Also enclose provider of UPN suffixes into #ifdef to support both Samba with and without pdb_enum_upn_suffixes(). Part of https://fedorahosted.org/freeipa/ticket/2848 
PASSDB API in Samba adds support for specifying UPN suffixes. The change
in ipasam will allow to pass through list of realm domains as UPN suffixes
so that Active Directory domain controller will be able to recognize
non-primary UPN suffixes as belonging to IPA and properly find our KDC
for cross-realm TGT.

Since Samba already returns primary DNS domain separately, filter it out
from list of UPN suffixes.

Also enclose provider of UPN suffixes into #ifdef to support both
Samba with and without pdb_enum_upn_suffixes().

Part of https://fedorahosted.org/freeipa/ticket/2848
Enhance ipa-adtrust-install for domains with multiple IPA server 2013-03-25T13:10:17+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-03-06T08:12:40+00:00 e6e37187fe2fb0f16abba94671931791c73ef177 As described on http://www.freeipa.org/page/V3/MultipleTrustServers, notice if FreeIPA server is a replica and adtrust agents contains members corresponding to the cifs/ services from replication partners. If so, increase priority field and add normal SRV records with increased priority. https://fedorahosted.org/freeipa/ticket/2189 
As described on http://www.freeipa.org/page/V3/MultipleTrustServers,
notice if FreeIPA server is a replica and adtrust agents contains members
corresponding to the cifs/ services from replication partners. If so, increase
priority field and add normal SRV records with increased priority.

https://fedorahosted.org/freeipa/ticket/2189
Add logging to join command 2013-03-25T09:58:23+00:00 Tomas Babej tbabej@redhat.com 2013-03-13T13:47:03+00:00 2f0c7d6e233f3f9ed5559bf760f274c33c42be3d The following is mentioned in the log now: - existence of host entry (if it already does exist) - missing krbprincipalname and its new value (if there was no principal name set) https://fedorahosted.org/freeipa/ticket/3481 
The following is mentioned in the log now:
  - existence of host entry (if it already does exist)
  - missing krbprincipalname and its new value (if there was no
    principal name set)

https://fedorahosted.org/freeipa/ticket/3481
Allow host re-enrollment using delegation 2013-03-25T09:53:25+00:00 Tomas Babej tbabej@redhat.com 2013-03-18T10:06:22+00:00 a7ccc198a731d0e48319a73bcb2dd98c34de262a A new option --force-join has been added to ipa-client-install. It forces the host enrollment even if the host entry exists. Old certificate is revoked, new certificate and ssh key pair generated. See the relevant design for the re-enrollment part: http://freeipa.org/page/V3/Forced_client_re-enrollment https://fedorahosted.org/freeipa/ticket/3482 
A new option --force-join has been added to ipa-client-install.
It forces the host enrollment even if the host entry exists.
Old certificate is revoked, new certificate and ssh key pair
generated. See the relevant design for the re-enrollment part:
http://freeipa.org/page/V3/Forced_client_re-enrollment

https://fedorahosted.org/freeipa/ticket/3482
Fix structured DNS record output 2013-03-22T14:10:03+00:00 Martin Kosek mkosek@redhat.com 2013-03-21T13:54:46+00:00 322458b5b2f80e179ef43b904c2665254c0a3763 Recent LDAP refactoring replaced entry_attrs regular dict with normalized keys (i.e. lowercase) with LDAPEntry instance which keys may not be normalized. This broke CND command output when --structured and --all options were used. Force lowercase normalization of the LDAPEntry keys in DNS plugin structured format postprocessing. Also add a missing test for DNS record structured output. https://fedorahosted.org/freeipa/ticket/3526 
Recent LDAP refactoring replaced entry_attrs regular dict with
normalized keys (i.e. lowercase) with LDAPEntry instance which keys
may not be normalized. This broke CND command output when
--structured and --all options were used.

Force lowercase normalization of the LDAPEntry keys in DNS plugin
structured format postprocessing. Also add a missing test for
DNS record structured output.

https://fedorahosted.org/freeipa/ticket/3526
Use default NETBIOS name in unattended ipa-adtrust-install 2013-03-22T14:05:59+00:00 Ana Krivokapic akrivoka@redhat.com 2013-03-12T15:12:56+00:00 c2034805d323dcf505042d03dbd801561aa64ed3 Unattended ipa-adtrust-install used to fail if --netbios option was not provided. This patches fixes this, so that instead of failing the default NETBIOS name is used. https://fedorahosted.org/freeipa/ticket/3497 
Unattended ipa-adtrust-install used to fail if --netbios option
was not provided. This patches fixes this, so that instead of
failing the default NETBIOS name is used.

https://fedorahosted.org/freeipa/ticket/3497
Configure ipa_dns DS plugin on install and upgrade 2013-03-22T13:31:22+00:00 Martin Kosek mkosek@redhat.com 2013-03-13T14:15:41+00:00 b5b040e68f571a858dfe85b65b58687ffc816649 The plugin is configured unconditionally (i.e. does not check if IPA was configured with DNS) as the plugin is needed on all replicas to prevent objectclass violations due to missing SOA serial in idnsZone objectclass. The violation could happen if just one replica configured DNS and added a new zone. https://fedorahosted.org/freeipa/ticket/3347 
The plugin is configured unconditionally (i.e. does not check if
IPA was configured with DNS) as the plugin is needed on all
replicas to prevent objectclass violations due to missing SOA
serial in idnsZone objectclass. The violation could happen if just
one replica configured DNS and added a new zone.

https://fedorahosted.org/freeipa/ticket/3347
Add 389 DS plugin for special idnsSOASerial attribute handling 2013-03-22T13:31:22+00:00 Petr Spacek pspacek@redhat.com 2013-03-08T17:54:58+00:00 952a7ac9f55e09eeaa7a24400957aac684a616fb Default value "1" is added to replicated idnsZone objects if idnsSOASerial attribute is missing. https://fedorahosted.org/freeipa/ticket/3347 Signed-off-by: Petr Spacek <pspacek@redhat.com> 
Default value "1" is added to replicated idnsZone objects
if idnsSOASerial attribute is missing.

https://fedorahosted.org/freeipa/ticket/3347

Signed-off-by: Petr Spacek <pspacek@redhat.com>
Fix lockout of LDAP bind. 2013-03-21T19:44:53+00:00 Rob Crittenden rcritten@redhat.com 2013-02-15T16:51:59+00:00 797baef1a433d14694fcb234c24828c1ad4019dc There were several problems: - A cut-n-paste error where the wrong value was being considered when an account was administratively unlocked. - An off-by-one error where LDAP got one extra bind attempt. - krbPwdPolicyReference wasn't being retrieved as a virtual attribute so only the global_policy was used. - The lockout duration wasn't examined in the context of too many failed logins so wasn't being applied properly. - Lockout duration wasn't used properly so a user was effectively unlocked when the failure interval expired. - krbLastFailedAuth and krbLoginFailedCount are no longer updated past max failures. https://fedorahosted.org/freeipa/ticket/3433 
There were several problems:

- A cut-n-paste error where the wrong value was being considered when
  an account was administratively unlocked.
- An off-by-one error where LDAP got one extra bind attempt.
- krbPwdPolicyReference wasn't being retrieved as a virtual attribute so
  only the global_policy was used.
- The lockout duration wasn't examined in the context of too many failed
  logins so wasn't being applied properly.
- Lockout duration wasn't used properly so a user was effectively unlocked
  when the failure interval expired.
- krbLastFailedAuth and krbLoginFailedCount are no longer updated past
  max failures.

https://fedorahosted.org/freeipa/ticket/3433
Process exceptions when talking to Dogtag 2013-03-21T16:14:55+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-03-06T08:17:58+00:00 41031fe121d6ec8bc9a6bb48b62068a9af905dc3 The problem is the ca_status() uses an HTTP GET operation to check Dogtag's status. Under some circumstances Dogtag may take a long time to respond, so the HTTP GET may time out much earlier than 2 minutes. And since the above code doesn't catch the exception, the whole loop fails immediately, so it doesn't wait for a full 2 minutes as expected. https://fedorahosted.org/freeipa/ticket/3492 
The problem is the ca_status() uses an HTTP GET operation to check Dogtag's
status. Under some circumstances Dogtag may take a long time to respond, so the
HTTP GET may time out much earlier than 2 minutes. And since the above code
doesn't catch the exception, the whole loop fails immediately, so it doesn't
wait for a full 2 minutes as expected.

https://fedorahosted.org/freeipa/ticket/3492