| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This will sync down the POSIX attributes from AD so we need to be careful
to not mess with them when they are already set. This includes
uidNumber, gidNumber, homeDirectory, loginShell and gecos.
http://port389.org/wiki/WinSync_Posix
http://port389.org/wiki/Windows_Sync_Plugin_API#Version_3_API_functions
https://fedorahosted.org/freeipa/ticket/3007
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
If match_entry == NULL all principals should be iterated.
Additionally this patch adds a check in ipadb_filter_escape() to make
sure that the input is not NULL.
Fixes: https://fedorahosted.org/freeipa/ticket/3011
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2953
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2805
|
|
|
|
|
|
|
| |
With this change ipasam is able to ask for ipaNTHash generation and if
corresponding Kerberos key is available, will be able to retrieve generated ipaNTHash.
Part 1 of https://fedorahosted.org/freeipa/ticket/3016
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When developing and testing in the same environment, multiple re-installs
may be needed. This means previously issued and cached Kerberos credentials
will become invalid upon new install.
ipasam passdb module for Samba uses Kerberos authentication when talking to
IPA LDAP server. Obtained Kerberos credentials are cached during their lifetime.
However, the ccache is not removed automatically and if IPA setup is made
again, cached credentials are used, only to discover that they are invalid.
With this change invalid correctly obtained cached credentials are recognized
and, if LDAP SASL bind fails, new credentials are requested from the KDC.
https://fedorahosted.org/freeipa/ticket/3009
|
|
|
|
|
| |
In samba4-beta6 the name of a library was changed from libsecurity to
libsamba-security.
|
| |
|
|
|
|
|
|
|
|
| |
This check the PAC we receive is consistent.
realm, flat name and domain sid must much our understanding or the trustd
realm and no additional sids beyond the own realm ones must be present.
Ticket #2849
|
|
|
|
|
| |
This way multiple functions can manipulate the logon info structure until all
operations we want to do on it are done and then fold it back once.
|
|
|
|
|
|
|
|
|
| |
The function filter_pac was not filtering the pac at all, it was merely
augmenting it with additional data relevant to the IPA server.
Change the name of the function to avoid confusion.
While there I also simplified and cleaed up the code a bit with regard to
variable names and usage.
|
|
|
|
| |
This list is used to validate data in mspac filtering
|
|
|
|
|
| |
By keeping it's definition in the mspac file it is easier to modify and make
sure any opertion on it is handled in the same file.
|
|
|
|
| |
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
|
|
|
|
|
| |
The NT Hash is the same thing as the RC4-HMAC key, so we add a function to
extract it from krb5 keys if they are available to avoid forcing a password
change when configuring trust relationships.
|
|
|
|
|
| |
Avoid the need to allocate/free a Slapi_Mod and avoid checking for attribute
equvalence after a match (use if/else)
|
|
|
|
|
|
|
|
| |
This moves the decoding function that reads the keys from the ber format
into a structure in the common krb5 util code right below the function
that encodes the same data structure into a ber format.
This way the 2 functions are in the same place and can be both used by
all ia components.
|
|
|
|
|
|
|
| |
The DNA magic value can be arbitrarily changed by admins so we cannot use a
const value to check. And we relly do not need to check at all. If the DNA
plugin is broken and leaves magic values to reach the post-op stage we have
bigger problems. So just simply get rid of this check.
|
|
|
|
|
|
|
| |
With c43505b621725c9a754f0ee98318d451b093f2ed in samba git master
the function sid_check_is_domain() was renamed to sid_check_is_our_sam().
https://fedorahosted.org/freeipa/ticket/2929
|
|
|
|
| |
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
SASL bind callback due to refactoring was referencing local variable which
didn't exist all the time. Fix that by including a copy of service principals
into ipasam long term private struct.
Rework ccache handling to avoid re-initing every time callback is called
|
|
|
|
|
|
|
| |
To make sure that ID ranges do not overlap this plugin checks new
additions and changes for conflicts with existing ranges.
https://fedorahosted.org/freeipa/ticket/2185
|
| |
|
|
|
|
|
|
| |
This extop can be used by clients of the IPA domain, e.g. sssd, to
retrieve data from trusted external domains. It can be used e.g. to map
Windows SIDs to user or groups names and back.
|
|
|
|
| |
The framework can be found at http://check.sourceforge.net.
|