| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
Commit a6e29f23f09ba5b6b6d362f7683ae8088bc0ba85 in Samba changed id mapping
API in passdb interface to use 'struct unixid'. The change replaced three arguments
(uid, gid, type) by one (struct unixid). As result, ipa-sam became broken.
Without this change ipa-sam introduces stack corruption in Samba post 4.0.0alpha18
leading to corrupted security context stack as well and then crashing in setgroups(3).
|
| | |
|
| |
|
|
|
|
|
|
|
| |
A high-level description of the design and ACIs for trusts is available at
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html
and
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html
Ticket #1731
|
| | |
|
| |
|
|
|
|
|
|
| |
Also make sure all exceptions are captured when creating CIFS service
record. The one we care about is duplicate entry and we do nothing
in that case anyway.
Also make uniform use of action descriptors.
|
| |
|
|
|
|
|
|
| |
resolve_host() function returns a list of IP addresses. Handle it all rather
than expecting that there is a single address.
It wouldn't hurt to make a common function that takes --ip-address into account
when resolving host addresses and use it everywhere.
|
| |
|
|
|
|
|
|
|
|
| |
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.
The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.
https://fedorahosted.org/freeipa/ticket/1577
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Samba just needs the cifs/ key on the ipa server. Configure samba to use a
different keytab file so that we do not risk samba commands (net, or similar)
to mess up the system keytab.
https://fedorahosted.org/freeipa/ticket/2168
|
| |
|
|
|
|
|
|
|
|
|
| |
We need two attributes in the ipaNTTrustedDomain objectclass to store different
kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID
of the trusted domain. A second attribute is needed to store the SID for the
trusted domain user. Since it cannot be derived safely from other values and
since it does not make sense to create a separate object for the user a new
attribute is needed.
https://fedorahosted.org/freeipa/ticket/2191
|
| |
|
|
|
|
|
| |
Help should not point to global forwarders but rather to per-zone
conditional forwarders.
https://fedorahosted.org/freeipa/ticket/2717
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When no user/group was found, migration plugin reported an ambiguous
error about invalid container. But the root cause may be for example
in a wrong list of user/group objectclasses. Report both in the error
message to avoid user confusion.
User/group objectclass attribute is now also marked as required.
Without the list of objectclasses, an invalid LDAP search is
produced.
https://fedorahosted.org/freeipa/ticket/2206
|
| |
|
|
|
|
|
|
|
|
|
|
| |
For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.
The policy is not easy to construct for regular users, we should
rather fill it by default and let users just switch the policy
on or off.
https://fedorahosted.org/freeipa/ticket/2441
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
on_value_changed event in textboxes and textareas was raised only on keyboard input. If user used different input method such as paste or browser undo and redo functions widget's on_value_changed event wasn't raised and so dirty state wasn't changed as well.
This patch adds listener to text's and textarea's 'input' event. Input is a HTML 5 event which is raises on user initiated action.
Some of user initiated actions :
* Cut
* Copy
* Paste
* Undo
* Redo
* Clear
* Typing (like keyup)
* Form AutoFill
* User-invoked spellcheck corrections
* Input from Input Method Editor
It should be supported by all recent versions of major browsers. IE doesn't support it up to version 8.
Listener for 'keyup' event was left in implementation for backward compatibility with older browsers. This may cause firing on_value_change twice but so far it shouldn't cause troubles.
https://fedorahosted.org/freeipa/ticket/2647
|
| |
|
|
|
|
| |
Tables with members in netgroup were missing links for navigation to associated details pages. This patch adds these links.
https://fedorahosted.org/freeipa/ticket/2670
|
| |
|
|
|
|
|
|
|
|
| |
Ticket https://fedorahosted.org/freeipa/ticket/2509 bans using non existent options. If such option is supplied command ends with error. It uncovered several cases in Web UI. This patch is fixing these cases.
Automember, Self-service and Delegation don't support 'pkey-only', 'size-limit' and 'rights' option. Pagination and rights check were disabled for them.
Automount map adder dialog was sending options for indirect map even if chosen type was direct (when those for indirect was filled earlier), also it was sending non-existant 'method' option.
https://fedorahosted.org/freeipa/ticket/2760
|
| |
|
|
|
|
| |
Service unprovision dialog was missing a cancel button. The button was added.
https://fedorahosted.org/freeipa/ticket/1811
|
| |
|
|
|
|
|
|
| |
This patch creates state_evaluator which creates permission states for defined attribute. The state format is: attributeName_permissionChar.
This evaluator is used for user_password attribute and it control enabling/disabling of related action in user account action panel.
https://fedorahosted.org/freeipa/ticket/2318
|
| |
|
|
|
|
| |
This patch adds shadow to dialog used in Web UI. It looks cooler.
https://fedorahosted.org/freeipa/ticket/2248
|
| |
|
|
|
|
| |
This patch adds strings to internal.py which were not translated in action list/panel patches.
https://fedorahosted.org/freeipa/ticket/2248
|
| |
|
|
|
|
| |
This patch adds action panel to user account section. The panel contain an action for reseting user password.
https://fedorahosted.org/freeipa/ticket/2248
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the user password is shown as follows in the details page:
Password: Reset Password
This is inconsistent with the rest of the page because the 'Reset Password' is an action, not the value of the password.
Now password is shown as follows:
Password: ******* (if set)
Password: (if not set)
Reset password link was removed as well the dialog for reset password was removed from password widget. The dialog was moved to its own object and can be now showed independently. An action for showing this dialog should be created.
https://fedorahosted.org/freeipa/ticket/2248
|
| |
|
|
|
|
|
|
| |
This patch implements action panel. Action panel is a box located in facet details section which contains actions related to that object/section.
In spec file can be configured actions and title used in action panel. Default title is 'Actions'. Actions are specified by their name. They have to be defined in action collection in facet.
https://fedorahosted.org/freeipa/ticket/2248
|
| |
|
|
|
|
| |
It's continuation of previous refactoring effort. This part is changing specs in entities to used changed concept.
https://fedorahosted.org/freeipa/ticket/2248
|
| |
|
|
|
|
|
|
|
|
|
| |
This is a first step for implementing action panels which will also use the shared list of actions.
This effor changes the way how action list and control buttons are defined. First all actions are defined on facet level - attribute 'actions' in spec file. Implementation of action list widget is not specified on facet level. It is left in facet header. A list of action names used in action list can be now specified in facet spec in 'header_actions' attribute.
Control buttons use similar concept. Facet by default is using control_buttons_widget. Details and search facet are defining their own default actions (refresh/add/remove/update/reset). Additional buttons can be defined as array of action names on facet level in control_buttons attribute.
state_evaluators and state_listeners were united. They are called state_evaluators but they uses state_listener concept, they are attached to an event. For former state_evaluator the event is post_load. They are defined in spec in state attribute. State object purpose is to aggregate states from all state evaluators. It offers changed event to which can other objects subscribe. It also has summary evaluator which evaluation conditions. Summary evaluator creates summary status with human readable description. It can be used by facet header.
https://fedorahosted.org/freeipa/ticket/2248
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds tests for the automountlocation_tofiles and
automountlocation_import commands, and to automountmap_add_indirect
with the --parentmap option.
The tofiles test checks not only the XML-RPC output, but also the
output_for_cli method.
The import tests load data from tofiles output to the directory
and check that tofiles output matches.
This only works when all maps are connected to auto.master.
Two minor touches to the automount plugin itself: remove an extra
space, and don't hide the traceback when re-raising an exception.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Precallback validator was failing when a zone-relative name was
used as a NS record (for example record "ns" in a zone "example.com").
However, this is valid in BIND and we should allow it as well.
Imports in dns module had to be switched to absolute imports
(available from Python 2.5) to deal with a conflict of IPA dns
module and dnspython module.
https://fedorahosted.org/freeipa/ticket/2630
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When permission-find post callback detected a --pkey-only option,
it just terminated. However, this way the results that could have
been added from aci_find matches were not included.
Fix the post callback to go through the entire matching process.
Also make sure that DNS permissions have a correct objectclass
(ipapermission), otherwise such objects are not matched by the
permission LDAP search.
https://fedorahosted.org/freeipa/ticket/2658
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
All of our install/admin scripts had a try/except block calling the
main function and handling common exceptions. These were copy-pasted
from each other and modified to various levels of sophistication.
This refactors them out of installers to a single function, which
includes a final pass/fail message for all of the scripts.
Non-install scripts that set up the same log handler levels for
stderr and log file are not changed, as it's not possible to log
to only the logfile without changing the logger configuration.
https://fedorahosted.org/freeipa/ticket/2071
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We don't have a specific requires on the policycoreutils package. It
gets pulled in as a dependency on the server anyway, but checking
there is like a belt and suspenders.
On the client we don't require SELinux at all. If SELinux is enabled
however we need to set things up properly. This is provided by the
policycoreutils package so fail if that isn't available.
https://fedorahosted.org/freeipa/ticket/2368
|
| |
|
|
|
|
|
| |
This option will make renaming DNS records much easier.
Add a unit test for this new functionality.
https://fedorahosted.org/freeipa/ticket/2600
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We actually perform two searches in permission-find. The first looks
for matches within the permission object itself. The second looks at
matches in the underlying aci.
We need to break out in two places. The first is if we find enough
matches in the permission itself. The second when we are appending
matches from acis.
The post_callback() definition needed to be modified to return
the truncated value so a plugin author can modify that value.
https://fedorahosted.org/freeipa/ticket/2322
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the
latter has been deprecated in OpenSSH 5.9.
If DNS host key verification is enabled, restrict the set of allowed host
public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only
these algorithms.
Make sure public key user authentication is enabled in both ssh and sshd.
ticket 2769
|
| |
|
|
|
|
|
| |
'sid' is a stack variable, by assigning its address to the domain_sid pointer
we were later referencing grabage (whatever on the stack ha[ppened to be at
that address.
Properly copy the sid and allocate it on the provided memory context.
|
| |
|
|
|
|
|
|
|
| |
If --delattr is used on an attribute that's not present on an entry,
and --{set,add}attr isn't being used on that same attribute,
say that there's "no such attribute" instead of "<attribute> does
not contain <value>".
https://fedorahosted.org/freeipa/ticket/2699
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Make --{set,add,del}attr fail on parameters with the no_update/no_create
flag for the respective command.
For attributes that can be modified, but we just don't want to display
in the CLI, use the 'no_option' flag. These are "locking" attributes
(ipaenabledflag, nsaccountlock) and externalhost.
Document the 'no_option' flag. Add some tests.
https://fedorahosted.org/freeipa/ticket/2580
|
| |
|
|
|
|
|
|
|
|
| |
Kerberos ticket maximum life was being set to 1 hour which then
affected lifetime of Kerberos tickets returned by IPA server under
the test.
Make sure that the policy is reset before and after the unit test to
keep the IPA server settings clean and not to disrupt development
environment.
|
| |
|
|
|
|
|
| |
ipa-client-install will always set ipa_hostname for sssd.conf in order
to prevent the client from getting into weird state.
https://fedorahosted.org/freeipa/ticket/2527
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Always call convert_time_for_output so time gets reported correctly.
That method has its own checks for whether the attributes are present;
an additional check is unnecessary.
Use a key function for sorting; cmp is deprecated, slower and
more complicated.
Add a test
https://fedorahosted.org/freeipa/ticket/2726
|
| |
|
|
|
|
| |
This in effect fixes uid, krbPrincipalName and homeDir.
https://fedorahosted.org/freeipa/ticket/2756
|
| |
|
|
|
|
| |
When default server was being parsed from IPA's default.conf
configuration file, the parsed server was not appended correctly to
the default_server list.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
but but rather C-like interface based on functions and
structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
authconfig and thus can break without notice
Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
in installutils to make the whole DNS check simpler and
less error-prone. Logging was improves for the remaining
checks
- improved logging for ipa-client-install DNS discovery
https://fedorahosted.org/freeipa/ticket/2730
https://fedorahosted.org/freeipa/ticket/1837
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We've seen on a few occassions where one side or the other is missing
the ldap principal. This causes replication to fail when trying to
convert to using GSSAPI. If this happens force a synchronization again
and try the retrieval again, up to 10 times.
This should also make the error report clearer if even after the retries
one of the principals doesn't exist.
https://fedorahosted.org/freeipa/ticket/2737
|
| |
|
|
|
|
|
| |
Output message of the 'read_domain_name' function in ipa-server-install
was reworded.
https://fedorahosted.org/freeipa/ticket/2704
|
| |
|
|
|
|
|
|
|
|
|
|
| |
bind-dyndb-ldap persistent search queries LDAP for all DNS records.
The LDAP connection must have no size or time limits to work
properly.
This patch updates limits both for existing service principal
on updated machine and for new service principals added
as a part of DNS installation.
https://fedorahosted.org/freeipa/ticket/2531
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
python-ldap add_s method raises a NO_SUCH_OBJECT exception when
a parent entry of the entry being added does not exist. This may
not be an error, for example NIS entries are only added when NIS
is enabled and thus the NIS entry container exists.
The exception raised by python-ldap is also incorrectly processed
in ipaldap's addEntry function and an irrelevant exception is
re-raised instead.
Fix LDAP updater to just log an information when an object cannot
be added due to missing parent object. Also make sure that the
addEntry function exception processing provides the right exception
with a useful description.
https://fedorahosted.org/freeipa/ticket/2520
https://fedorahosted.org/freeipa/ticket/2743
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a user become locked due to too many failed logins and then were
unlocked by an administrator, the account would not lock again. This
was caused by two things:
- We were incrementing the fail counter before checking to see if the
account was already locked out.
- The current fail count wasn't taken into consideration when
deciding if the account is locked.
The sequence was this:
1. Unlocked account, set failcount to 0
2. Failed login, increment failcount
3. Within lastfailed + lockout_duration, still locked. This skips
update the last_failed date.
So I reversed 2 and 3 and check to see if the fail count exceeds policy.
https://fedorahosted.org/freeipa/ticket/2765
|
| |
|
|
|
|
|
|
| |
When we set a password we also need to make sure krbExtraData is set.
If not kadmin will later complain that the object is corrupted at password
change time.
Ticket: https://fedorahosted.org/freeipa/ticket/2764
|
| |
|
|
|
|
|
|
| |
We were inferring that an agreement existed if the host was present
as an IPA host. This was not enough if the replica installation failed
early enough.
https://fedorahosted.org/freeipa/ticket/2030
|
