freeipa.git/daemons/ipa-kdb, branch ad-work FreeIPA project WIP: reinit mspac on HTTP TGT acquisition to aid trust-add case 2013-07-18T14:16:49+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-07-18T10:32:42+00:00 219dc85533a310b21c92b0a99502375435b82a33 






ipa-kdb: cache KDC hostname on startup
2013-07-18T14:16:48+00:00

Alexander Bokovoy
abokovoy@redhat.com

2013-07-18T14:10:01+00:00

8e17f1e9579b9171639c109be51ada9032c52df7

We need KDC hostname for several purposes:
- short-circuit detection of principals on the same server as KDC
- generating NetBIOS name

Make sure we cache hostname information on startup and use it
instead of detecting the hostname in run-time. This will miss the
case that KDC hostname got changed but such cases are not supported
anyway without restarting KDC and making changes to principals.





We need KDC hostname for several purposes:
- short-circuit detection of principals on the same server as KDC
- generating NetBIOS name

Make sure we cache hostname information on startup and use it
instead of detecting the hostname in run-time. This will miss the
case that KDC hostname got changed but such cases are not supported
anyway without restarting KDC and making changes to principals.







Generate syntethic MS-PAC for all services running on IPA master
2013-07-11T09:39:28+00:00

Alexander Bokovoy
abokovoy@redhat.com

2013-07-09T11:05:02+00:00

8d6d8459ebaef42959cbbaa771163976439f00bc

MS-PAC is required to be present in TGT if one wants to connect to
AD services using this TGT. Users get MS-PAC by default, SSSD in
ipa_server_mode uses host/fqdn@REALM principal to talk to AD LDAP.

This patch enables other services running on IPA master to connect
to AD services. This is required for IPA python code doing discovery
of remote AD domain settings shortly after IPA-AD trust has been
established.





MS-PAC is required to be present in TGT if one wants to connect to
AD services using this TGT. Users get MS-PAC by default, SSSD in
ipa_server_mode uses host/fqdn@REALM principal to talk to AD LDAP.

This patch enables other services running on IPA master to connect
to AD services. This is required for IPA python code doing discovery
of remote AD domain settings shortly after IPA-AD trust has been
established.







Add PAC to master host TGTs
2013-07-11T09:39:27+00:00

Sumit Bose
sbose@redhat.com

2013-07-01T11:47:22+00:00

cf97590e979b680ee34ecbdb504d601ad45fb50a

For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is
needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
of a trusted domain with the credentials of a FreeIPA server host a
PAC must be added to the TGT for the host.

We use the well know RID of the Domain Computers group (515) for the
primary gid element of the PAC, this is the same as AD uses for host
tickets.  The rid element of the PAC is set to the well know RID of the
Domain Controllers group (516). This is working for the SSSD use case
but might be improved later for more general use cases.

To determine if a host is a FreeIPA server or not it is checked if there
is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
this requires an additional LDAP lookup. But since TGS-REQs for hosts
should be rare I think it is acceptable for the time being.

Fixes https://fedorahosted.org/freeipa/ticket/3651





For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is
needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
of a trusted domain with the credentials of a FreeIPA server host a
PAC must be added to the TGT for the host.

We use the well know RID of the Domain Computers group (515) for the
primary gid element of the PAC, this is the same as AD uses for host
tickets.  The rid element of the PAC is set to the well know RID of the
Domain Controllers group (516). This is working for the SSSD use case
but might be improved later for more general use cases.

To determine if a host is a FreeIPA server or not it is checked if there
is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
this requires an additional LDAP lookup. But since TGS-REQs for hosts
should be rare I think it is acceptable for the time being.

Fixes https://fedorahosted.org/freeipa/ticket/3651







ipa-kdb: Add OTP support
2013-05-17T07:30:51+00:00

Nathaniel McCallum
npmccallum@redhat.com

2013-04-11T17:50:42+00:00

5d51ae50a59466fa2d6d230d7f2879de34210f0c

If OTP is enabled for a user, then:
  1. Long-term keys are not provided to KDB
  2. The user string 'otp' is defined to KDB

Since it is not secure to send radius configuration information
over krb5 user strings, we simply set the string to a known default
('[]') which enables the default configuration in the KDC.

https://fedorahosted.org/freeipa/ticket/3561
http://freeipa.org/page/V3/OTP





If OTP is enabled for a user, then:
  1. Long-term keys are not provided to KDB
  2. The user string 'otp' is defined to KDB

Since it is not secure to send radius configuration information
over krb5 user strings, we simply set the string to a known default
('[]') which enables the default configuration in the KDC.

https://fedorahosted.org/freeipa/ticket/3561
http://freeipa.org/page/V3/OTP







Remove build warnings
2013-03-29T07:59:36+00:00

Martin Kosek
mkosek@redhat.com

2013-03-12T14:28:58+00:00

13b1028ac832c29656c6711834f05f7b34c75cfa

Fix rpm build warnings report in Fedora 19 build.

https://fedorahosted.org/freeipa/ticket/3500





Fix rpm build warnings report in Fedora 19 build.

https://fedorahosted.org/freeipa/ticket/3500







Add unit test for get_authz_data_types()
2013-03-08T09:46:00+00:00

Sumit Bose
sbose@redhat.com

2013-02-19T11:16:37+00:00

efd4d80827a24794245327ce8b74b47e735f5b16

https://fedorahosted.org/freeipa/ticket/2960





https://fedorahosted.org/freeipa/ticket/2960







ipa-kdb: add PAC only if requested
2013-03-08T09:46:00+00:00

Sumit Bose
sbose@redhat.com

2013-02-12T13:02:27+00:00

4e3468211e37f71ca9d434512b68a4caddb2b314

Instead of always adding a PAC to the Kerberos ticket the global default
for the authorization data and the authorization data of the service
entry is evaluated and the PAC is added accordingly.

https://fedorahosted.org/freeipa/ticket/2960





Instead of always adding a PAC to the Kerberos ticket the global default
for the authorization data and the authorization data of the service
entry is evaluated and the PAC is added accordingly.

https://fedorahosted.org/freeipa/ticket/2960







ipa-kdb: Read ipaKrbAuthzData with other principal data
2013-03-08T09:46:00+00:00

Sumit Bose
sbose@redhat.com

2013-02-12T08:44:32+00:00

3eb64f0a5c1968c97af5bfb4718c36b9f824ea8f

The ipaKrbAuthzData LDAP attribute is read together with the other data
of the requestedprincipal and the read value(s) are stored in the e-data
of the entry for later use.

https://fedorahosted.org/freeipa/ticket/2960





The ipaKrbAuthzData LDAP attribute is read together with the other data
of the requestedprincipal and the read value(s) are stored in the e-data
of the entry for later use.

https://fedorahosted.org/freeipa/ticket/2960







ipa-kdb: Read global defaul ipaKrbAuthzData
2013-03-08T09:46:00+00:00

Sumit Bose
sbose@redhat.com

2013-02-12T10:01:11+00:00

d5216d5428dc9653c382656bd5187f1e49b3fe02

The ipaKrbAuthzData LDAP attribute is read from the ipaConfig object
and the read value(s) are stored in the ipadb context.

https://fedorahosted.org/freeipa/ticket/2960





The ipaKrbAuthzData LDAP attribute is read from the ipaConfig object
and the read value(s) are stored in the ipadb context.

https://fedorahosted.org/freeipa/ticket/2960