author | Alexander Bokovoy <abokovoy@redhat.com> | 2015-06-05 12:57:02 +0000 |
committer | Alexander Bokovoy <abokovoy@redhat.com> | 2015-07-07 11:09:03 +0300 |
commit | 3d975c104be2bd68df53617bc82883aa1a001833 (patch) | |
tree | 66023bd0ad5aa4c413764688cc392dabe9afad6b /freeipa.spec.in | |
parent | 65422777e6721bcf7708805f001eb39016495830 (diff) | |
trusts: add support for one-way trust and switch to it by default
One-way trust is the default now; use 'trust add --two-way' to
force a bidirectional trust.
https://fedorahosted.org/freeipa/ticket/4959
In case of one-way trust we cannot authenticate using cross-realm TGT
against an AD DC. We have to use trusted domain object from within AD
domain and access to this object is limited to avoid compromising the whole
trust configuration.
Instead, IPA framework can call out to oddjob daemon and ask it to
run the script which can have access to the TDO object. This script
(com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal
to retrieve TDO object credentials from IPA LDAP if needed and then
authenticate against AD DCs using the TDO object credentials.
The script pulls the trust topology out of AD DCs and updates IPA LDAP
store. Then IPA framework can pick the updated data from the IPA LDAP
under normal access conditions.
Part of https://fedorahosted.org/freeipa/ticket/4546
Diffstat (limited to 'freeipa.spec.in')
-rw-r--r-- | freeipa.spec.in | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 52af50dd0..46586ed71 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -204,6 +204,7 @@ Requires: samba >= %{samba_version}
 Requires: samba-winbind
 Requires: libsss_idmap
 Requires: libsss_nss_idmap-python
+Requires: oddjob
 %if (0%{?fedora} >= 22)
 Requires: python-sss
 %endif
@@ -581,6 +582,8 @@ fi
 %post server-trust-ad
 %{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
 winbind_krb5_locator.so /dev/null 90
+/bin/systemctl reload-or-try-restart dbus
+/bin/systemctl reload-or-try-restart oddjobd
 %posttrans server-trust-ad
 python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
@@ -593,6 +596,8 @@ fi
 %preun server-trust-ad
 if [ $1 -eq 0 ]; then
 %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
+ /bin/systemctl reload-or-try-restart dbus
+ /bin/systemctl reload-or-try-restart oddjobd
 fi
 %endif # ONLY_CLIENT
@@ -830,6 +835,9 @@ fi
 %attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so
 %attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so
 %attr(755,root,root) %{plugin_dir}/libtopology.so
+%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
+%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
+%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
 %dir %{_localstatedir}/lib/ipa
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
@@ -864,15 +872,15 @@ fi
 %files server-trust-ad
 %{_sbindir}/ipa-adtrust-install
-%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
 %{_usr}/share/ipa/smb.conf.empty
 %attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so
-%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
-%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
 %{_mandir}/man1/ipa-adtrust-install.1.gz
 %{python_sitelib}/ipaserver/dcerpc*
 %{python_sitelib}/ipaserver/install/adtrustinstance*
 %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
+%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
+%%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains
 %endif # ONLY_CLIENT
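Review bot: The two `/bin/systemctl reload-or-try-restart` calls added to `%post server-trust-ad` are the last commands of that scriptlet, so a non-zero exit from `systemctl` (typically when systemd is not the running init, as in a chroot or container install) becomes the scriptlet's status and rpm reports the package install as failed. Append `|| :` to each call, e.g. `/bin/systemctl reload-or-try-restart oddjobd || :`, or route them through whatever guard the rest of this spec uses for service operations; the same applies to the two calls inside the `if` in `%preun server-trust-ad` (the next hunk), where the `if` block's status is likewise the scriptlet's. This also presumes the spec already carries `Requires(post)`/`Requires(preun)` on systemd for this subpackage, which is not visible in these hunks.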
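Review bot: The added `%%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains` line escapes the percent sign, unlike every other `%attr` entry in this file; whether rpmbuild still applies the attribute after expanding `%%` depends on its expansion order, so the line should read `%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains` so the helper's mode is set deliberately rather than by accident. The two new files under `%{_sysconfdir}` are the D-Bus policy and the oddjobd configuration that decide who may trigger this helper, and they are packaged as ordinary files: consider marking them `%config` so that rpm records them as configuration and a local edit survives an upgrade as `.rpmsave` instead of being overwritten silently, or, if they are meant to be fixed policy, leave them as-is but add a comment saying so next to these entries.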