<feed xmlns='http://www.w3.org/2005/Atom'>
<title>freeipa.git/daemons, branch ad-work</title>
<subtitle>FreeIPA project</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/'/>
<entry>
<title>WIP: reinit mspac on HTTP TGT acquisition to aid trust-add case</title>
<updated>2013-07-18T14:16:49+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2013-07-18T10:32:42+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=219dc85533a310b21c92b0a99502375435b82a33'/>
<id>219dc85533a310b21c92b0a99502375435b82a33</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>ipa-kdb: cache KDC hostname on startup</title>
<updated>2013-07-18T14:16:48+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2013-07-18T14:10:01+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=8e17f1e9579b9171639c109be51ada9032c52df7'/>
<id>8e17f1e9579b9171639c109be51ada9032c52df7</id>
<content type='text'>
We need the KDC hostname for several purposes:
- short-circuit detection of principals on the same server as the KDC
- generating the NetBIOS name

Make sure we cache the hostname information on startup and use it
instead of detecting the hostname at run time. This will miss the
case where the KDC hostname has changed, but such cases are not supported
anyway without restarting the KDC and making changes to principals.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We need the KDC hostname for several purposes:
- short-circuit detection of principals on the same server as the KDC
- generating the NetBIOS name

Make sure we cache the hostname information on startup and use it
instead of detecting the hostname at run time. This will miss the
case where the KDC hostname has changed, but such cases are not supported
anyway without restarting the KDC and making changes to principals.
</pre>
</div>
</content>
</entry>
<entry>
<title>Use pkg-config to detect cmocka</title>
<updated>2013-07-15T14:42:46+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2013-07-03T20:32:12+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=0fa42af840579d641ceb76974fb4c0277c9c6d6b'/>
<id>0fa42af840579d641ceb76974fb4c0277c9c6d6b</id>
<content type='text'>
https://fedorahosted.org/freeipa/ticket/3434
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://fedorahosted.org/freeipa/ticket/3434
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove unused variable</title>
<updated>2013-07-15T13:40:43+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2013-07-09T19:55:04+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=5db5d168d9ce4a0151328fbdeb63cac7516f60f4'/>
<id>5db5d168d9ce4a0151328fbdeb63cac7516f60f4</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Generate synthetic MS-PAC for all services running on IPA master</title>
<updated>2013-07-11T09:39:28+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2013-07-09T11:05:02+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=8d6d8459ebaef42959cbbaa771163976439f00bc'/>
<id>8d6d8459ebaef42959cbbaa771163976439f00bc</id>
<content type='text'>
MS-PAC is required to be present in the TGT if one wants to connect to
AD services using this TGT. Users get MS-PAC by default; SSSD in
ipa_server_mode uses the host/fqdn@REALM principal to talk to AD LDAP.

This patch enables other services running on the IPA master to connect
to AD services. This is required for IPA Python code doing discovery
of remote AD domain settings shortly after an IPA-AD trust has been
established.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
MS-PAC is required to be present in the TGT if one wants to connect to
AD services using this TGT. Users get MS-PAC by default; SSSD in
ipa_server_mode uses the host/fqdn@REALM principal to talk to AD LDAP.

This patch enables other services running on the IPA master to connect
to AD services. This is required for IPA Python code doing discovery
of remote AD domain settings shortly after an IPA-AD trust has been
established.
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix extdom plugin to provide unqualified name in response as sssd expects</title>
<updated>2013-07-11T09:39:28+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2013-07-09T07:26:22+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=ad575f067c49fdc511e9139668529d46b2f5f8bf'/>
<id>ad575f067c49fdc511e9139668529d46b2f5f8bf</id>
<content type='text'>
The extdom plugin handles the external operation over which SSSD asks the IPA
server about trusted domain users not found through normal paths but detected
to belong to the trusted domains associated with the IPA realm.

SSSD expects that the user or group name in the response will be unqualified
because the domain name for the user or group is also included in the response.
Strip the domain name from the name if the getgrnam_r/getpwnam_r calls returned
a fully qualified name which includes the domain name we are asked to handle.

The code already expects that fully-qualified names follow the user@domain
convention, so we simply track whether the '@' symbol is present and is
followed by the domain name.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The extdom plugin handles the external operation over which SSSD asks the IPA
server about trusted domain users not found through normal paths but detected
to belong to the trusted domains associated with the IPA realm.

SSSD expects that the user or group name in the response will be unqualified
because the domain name for the user or group is also included in the response.
Strip the domain name from the name if the getgrnam_r/getpwnam_r calls returned
a fully qualified name which includes the domain name we are asked to handle.

The code already expects that fully-qualified names follow the user@domain
convention, so we simply track whether the '@' symbol is present and is
followed by the domain name.
</pre>
</div>
</content>
</entry>
<entry>
<title>Make sure domain_name is also set when processing INP_NAME requests</title>
<updated>2013-07-11T09:39:27+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2013-07-09T07:25:51+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=fb62414e813bbc8bd287413ed2506c0fe7f9c589'/>
<id>fb62414e813bbc8bd287413ed2506c0fe7f9c589</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove winbind client configure check</title>
<updated>2013-07-11T09:39:27+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2013-07-03T12:24:23+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=912699ff588056d2bbe2147c04fa75588d0d5f16'/>
<id>912699ff588056d2bbe2147c04fa75588d0d5f16</id>
<content type='text'>
With the replacement of the winbind calls in the extdom plugin none of
the plugins is using the winbind client libraries anymore.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
With the replacement of the winbind calls in the extdom plugin none of
the plugins is using the winbind client libraries anymore.
</pre>
</div>
</content>
</entry>
<entry>
<title>extdom: replace winbind calls with POSIX/SSSD calls</title>
<updated>2013-07-11T09:39:27+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2013-07-03T12:27:14+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=18c5e483db719442de2965754ce912d0e4a02f61'/>
<id>18c5e483db719442de2965754ce912d0e4a02f61</id>
<content type='text'>
With the new ipa_server_mode SSSD is able to read user and group data
from trusted AD domains directly and makes this data available via the
NSS responder. With this mode enabled, winbind is not needed anymore to
look up users and groups of trusted domains.

This patch removes the calls to winbind from the extdom plugin and
replaces them with standard POSIX calls like getpwnam() and calls from
libsss_nss_idmap to look up SIDs.

Fixes https://fedorahosted.org/freeipa/ticket/3637 because now the
extdom plugin does not need to handle idranges anymore, but everything
is done inside SSSD.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
With the new ipa_server_mode SSSD is able to read user and group data
from trusted AD domains directly and makes this data available via the
NSS responder. With this mode enabled, winbind is not needed anymore to
look up users and groups of trusted domains.

This patch removes the calls to winbind from the extdom plugin and
replaces them with standard POSIX calls like getpwnam() and calls from
libsss_nss_idmap to look up SIDs.

Fixes https://fedorahosted.org/freeipa/ticket/3637 because now the
extdom plugin does not need to handle idranges anymore, but everything
is done inside SSSD.
</pre>
</div>
</content>
</entry>
<entry>
<title>Add PAC to master host TGTs</title>
<updated>2013-07-11T09:39:27+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2013-07-01T11:47:22+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=cf97590e979b680ee34ecbdb504d601ad45fb50a'/>
<id>cf97590e979b680ee34ecbdb504d601ad45fb50a</id>
<content type='text'>
For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is
needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
of a trusted domain with the credentials of a FreeIPA server host, a
PAC must be added to the TGT for the host.

We use the well-known RID of the Domain Computers group (515) for the
primary gid element of the PAC, which is the same as AD uses for host
tickets. The rid element of the PAC is set to the well-known RID of the
Domain Controllers group (516). This is working for the SSSD use case
but might be improved later for more general use cases.

To determine whether a host is a FreeIPA server, it is checked whether there
is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
this requires an additional LDAP lookup. But since TGS-REQs for hosts
should be rare, I think it is acceptable for the time being.

Fixes https://fedorahosted.org/freeipa/ticket/3651
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is
needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
of a trusted domain with the credentials of a FreeIPA server host, a
PAC must be added to the TGT for the host.

We use the well-known RID of the Domain Computers group (515) for the
primary gid element of the PAC, which is the same as AD uses for host
tickets. The rid element of the PAC is set to the well-known RID of the
Domain Controllers group (516). This is working for the SSSD use case
but might be improved later for more general use cases.

To determine whether a host is a FreeIPA server, it is checked whether there
is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
this requires an additional LDAP lookup. But since TGS-REQs for hosts
should be rare, I think it is acceptable for the time being.

Fixes https://fedorahosted.org/freeipa/ticket/3651
</pre>
</div>
</content>
</entry>
</feed>
