freeipa.git - FreeIPA project

	Commit message (Collapse)	Author	Age	Files	Lines
...
*	ipa-kdb: avoid ENOMEM when all SIDs are filtered out	Martin Kosek	2013-02-12	1	-4/+14
\| \| \| \| \| \| \| \| \|	When all SIDs in info3.sids structure were filtered out, we tried to talloc_realloc to zero memory size. talloc_realloc then returned NULL pointer and filter_login_info returned with ENOMEM. The code now rather frees the SID array and set info3.sidcount to correct value.
*	ipa-kdb: add sentinel for LDAPDerefSpec allocation	Martin Kosek	2013-02-12	1	-5/+6
\| \| \| \| \|	Without sentinel in place, ldap_create_deref_control_value executed an invalid read in unallocated memory.
*	Prevent integer overflow when setting krbPasswordExpiration	Tomas Babej	2013-02-08	4	-13/+47
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Since in Kerberos V5 are used 32-bit unix timestamps, setting maxlife in pwpolicy to values such as 9999 days would cause integer overflow in krbPasswordExpiration attribute. This would result into unpredictable behaviour such as users not being able to log in after password expiration if password policy was changed (#3114) or new users not being able to log in at all (#3312). The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver. https://fedorahosted.org/freeipa/ticket/3312 https://fedorahosted.org/freeipa/ticket/3114
*	ipa-kdb: Support Windows 2012 Server	Alexander Bokovoy	2012-12-07	1	-15/+253
\| \| \| \| \| \| \| \| \| \| \|	Windows 2012 Server changed procedure how KERB_VALIDATION_INFO ([MS-PAC] section 2.5) is populated. Detailed description is available in [MS-KILE] version 25.0 and above. Refactor KERB_VALIDATION_INFO verification and ensure we filter out extra SIDs in case they belong to our domain. https://fedorahosted.org/freeipa/ticket/3231
*	Bump 389-ds-base minimum in our spec file	Martin Kosek	2012-12-07	1	-1/+1
\| \| \| \| \|	Our code needs both Requires and BuildRequires set to 389-ds-base which supports transactions. Also add the requires to configure.ac.
*	Password change in a transaction, ensure passwords are truly expired	Rob Crittenden	2012-12-07	3	-4/+34
\| \| \| \| \| \| \| \| \| \|	Wrap the password change extop in a transaction. Fix the case where a password is reset and then immediately used. If done fast enough then the KDC may not detect that the password is expired and grant access using the expired password rather than prompting for a reset. https://fedorahosted.org/freeipa/ticket/1064
*	Honor the kdb options disabling KDC writes in ipa_lockout plugin	Rob Crittenden	2012-12-05	1	-1/+119
\| \| \| \| \| \| \| \| \| \| \| \| \|	Ther3 are two global ipaConfig options to disable undesirable writes that have performance impact. The "KDC:Disable Last Success" will disable writing back to ldap the last successful AS Request time (successful kinit) The "KDC:Disable Lockout" will disable completely writing back lockout related data. This means lockout policies will stop working. https://fedorahosted.org/freeipa/ticket/2734
*	Lookup the user SID in external group as well	Sumit Bose	2012-11-30	1	-5/+14
\| \| \| \| \| \| \|	Currently only the group SIDs from a PAC are used to find out about the membership in local groups. This patch adds the user SID to the list. Fixes https://fedorahosted.org/freeipa/ticket/3257
*	MS-PAC: Special case NFS services	Simo Sorce	2012-11-30	1	-1/+35
\| \| \| \| \| \| \| \| \| \|	The current Linux NFS server is severely limited when it comes to handling kerberos tickets. Bsically any ticket bigger than 2k will cause it to fail authentication due to kernel->userspace upcall interface restrictions. Until we have additional support in IPA to indivdually mark principals to opt out of getting PACs attached we always prevent PACs from being attached to TGTs or Tickets where NFS is involved.
*	Enable transactions by default, make password and modrdn TXN-aware	Rob Crittenden	2012-11-21	6	-5/+71
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The password and modrdn plugins needed to be made transaction aware for the pre and post operations. Remove the reverse member hoop jumping. Just fetch the entry once and all the memberof data is there (plus objectclass). Fix some unit tests that are failing because we actually get the data now due to transactions. Add small bit of code in user plugin to retrieve the user again ala wait_for_attr but in the case of transactions we need do it only once. Deprecate wait_for_attr code. Add a memberof fixup task for roles. https://fedorahosted.org/freeipa/ticket/1263 https://fedorahosted.org/freeipa/ticket/1891 https://fedorahosted.org/freeipa/ticket/2056 https://fedorahosted.org/freeipa/ticket/3043 https://fedorahosted.org/freeipa/ticket/3191 https://fedorahosted.org/freeipa/ticket/3046
*	ipasam: better Kerberos error handling in ipasam	Alexander Bokovoy	2012-11-21	1	-3/+5
\| \| \| \| \| \| \|	If time is moved back on the IPA server, ipasam does not invalidate the existing ticket. https://fedorahosted.org/freeipa/ticket/3183
*	Forbid overlapping primary and secondary rid ranges	Tomas Babej	2012-10-19	1	-14/+97
\| \| \| \| \| \| \| \| \| \| \|	Commands ipa idrange-add / idrange-mod no longer allows the user to enter primary or secondary rid range such that has non-zero intersection with primary or secondary rid range of another existing id range, as this could cause collision. Unit tests added to test_range_plugin.py https://fedorahosted.org/freeipa/ticket/3086
*	extdom: handle INP_POSIX_UID and INP_POSIX_GID requests	Sumit Bose	2012-10-18	1	-6/+32
\| \| \| \|	Fixes https://fedorahosted.org/freeipa/ticket/3166
*	Fix various issues found by Coverity	Sumit Bose	2012-10-17	6	-12/+22
\|
*	ipadb: reload trust information if domain is not known	Sumit Bose	2012-10-09	1	-1/+39
\| \| \| \| \| \| \| \| \| \|	Currently the data about trusted domains is read once at startup. If a new trust is added the KDC must be restarted to know about the new trust. This patch reloads the trust data if there is a request from an unknown domain. To make DOS attacks a bit harder the data can be updated only once in a minute. Fixes https://fedorahosted.org/freeipa/ticket/3156
*	ipasam: generate proper SID for trusted domain object	Sumit Bose	2012-10-04	1	-8/+49
\|
*	Add SIDs for existing users and groups at the end of ipa-adtrust-install	Sumit Bose	2012-10-04	3	-10/+11
\| \| \| \|	Fixes https://fedorahosted.org/freeipa/ticket/3104
*	ipasam: add fallback primary group	Sumit Bose	2012-10-04	1	-7/+230
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/2955
*	ipasam: Fixes build with samba4 rc1	Sumit Bose	2012-09-14	1	-10/+10
\|
*	Support the new Winsync POSIX API.	Rob Crittenden	2012-09-06	1	-6/+50
\| \| \| \| \| \| \| \| \| \| \|	This will sync down the POSIX attributes from AD so we need to be careful to not mess with them when they are already set. This includes uidNumber, gidNumber, homeDirectory, loginShell and gecos. http://port389.org/wiki/WinSync_Posix http://port389.org/wiki/Windows_Sync_Plugin_API#Version_3_API_functions https://fedorahosted.org/freeipa/ticket/3007
*	ipasam: replace trim_char() with trim_string()	Sumit Bose	2012-09-06	1	-2/+1
\|
*	ipasam: remove fetch_ldap_pw()	Sumit Bose	2012-09-06	1	-10/+2
\|
*	ipasam: replace get_global_sam_sid()	Sumit Bose	2012-09-06	1	-4/+12
\|
*	ipasam: add libsss_idmap context and replace string_to_sid()	Sumit Bose	2012-09-06	2	-31/+89
\|
*	ipasam: Replace global_sid_Builtin	Sumit Bose	2012-09-06	1	-1/+3
\|
*	ipasam: Replace sid_peek_check_rid()	Sumit Bose	2012-09-06	1	-1/+17
\|
*	ipasam: Replace sid_check_is_our_sam()	Sumit Bose	2012-09-06	1	-2/+1
\|
*	ipasam: Replace dom_sid_compare_domain()	Sumit Bose	2012-09-06	1	-1/+27
\|
*	ipasam: Replace is_null_sid()	Sumit Bose	2012-09-06	1	-1/+24
\|
*	ipasam: replace sid_compose()	Sumit Bose	2012-09-06	1	-1/+14
\|
*	ipasam: replace sid_copy()	Sumit Bose	2012-09-06	1	-1/+15
\|
*	ipasam: remove talloc_asprintf_strupper_m()	Sumit Bose	2012-09-06	1	-3/+8
\|
*	ipasam: remove strlower_m()	Sumit Bose	2012-09-06	1	-3/+1
\|
*	ipasam: replace strnequal()	Sumit Bose	2012-09-06	1	-1/+16
\|
*	ipasam: remove sid_peek_rid()	Sumit Bose	2012-09-06	1	-11/+18
\|
*	ipasam: remove nt_lm_owf_gen() and dependency to libcliauth.so	Sumit Bose	2012-09-06	1	-12/+59
\|
*	Make encode_ntlm_keys() public	Sumit Bose	2012-09-06	3	-197/+16
\|
*	ipasam: cleanup explicit dependencies to samba libs	Sumit Bose	2012-09-06	1	-2/+0
\|
*	ipadb_iterate(): handle match_entry == NULL	Sumit Bose	2012-09-05	2	-0/+10
\| \| \| \| \| \| \| \| \|	If match_entry == NULL all principals should be iterated. Additionally this patch adds a check in ipadb_filter_escape() to make sure that the input is not NULL. Fixes: https://fedorahosted.org/freeipa/ticket/3011
*	Change slapi_mods_init in ipa_winsync_pre_ad_mod_user_mods_cb	Tomas Babej	2012-09-04	1	-1/+1
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/2953
*	Don't generate password history error if history is set to 0.	Rob Crittenden	2012-08-27	1	-1/+1
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/2805
*	Fix ipasam ipaNThash magic regen to actually fetch updated password	Alexander Bokovoy	2012-08-22	1	-13/+9
\| \| \| \| \| \| \|	With this change ipasam is able to ask for ipaNTHash generation and if corresponding Kerberos key is available, will be able to retrieve generated ipaNTHash. Part 1 of https://fedorahosted.org/freeipa/ticket/3016
*	Recover from invalid cached kerberos credentials in ipasam	Alexander Bokovoy	2012-08-22	1	-37/+77
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	When developing and testing in the same environment, multiple re-installs may be needed. This means previously issued and cached Kerberos credentials will become invalid upon new install. ipasam passdb module for Samba uses Kerberos authentication when talking to IPA LDAP server. Obtained Kerberos credentials are cached during their lifetime. However, the ccache is not removed automatically and if IPA setup is made again, cached credentials are used, only to discover that they are invalid. With this change invalid correctly obtained cached credentials are recognized and, if LDAP SASL bind fails, new credentials are requested from the KDC. https://fedorahosted.org/freeipa/ticket/3009
*	Use libsamba-security instead of libsecurity	Sumit Bose	2012-08-22	1	-1/+1
\| \| \| \| \|	In samba4-beta6 the name of a library was changed from libsecurity to libsamba-security.
*	extdom: read ranges from LDAP	Sumit Bose	2012-08-15	1	-0/+72
\|
*	Add PAC filtering	Simo Sorce	2012-08-02	1	-8/+100
\| \| \| \| \| \| \| \|	This check the PAC we receive is consistent. realm, flat name and domain sid must much our understanding or the trustd realm and no additional sids beyond the own realm ones must be present. Ticket #2849
*	Split out manipulation of logon_info blob	Simo Sorce	2012-08-02	1	-40/+69
\| \| \| \| \|	This way multiple functions can manipulate the logon info structure until all operations we want to do on it are done and then fold it back once.
*	Properly name function to add ipa external groups	Simo Sorce	2012-08-02	1	-35/+39
\| \| \| \| \| \| \| \| \|	The function filter_pac was not filtering the pac at all, it was merely augmenting it with additional data relevant to the IPA server. Change the name of the function to avoid confusion. While there I also simplified and cleaed up the code a bit with regard to variable names and usage.
*	Load list of trusted domain on connecting to ldap	Simo Sorce	2012-08-02	1	-6/+104
\| \| \| \|	This list is used to validate data in mspac filtering
*	Move mspac structure to be a private pointer	Simo Sorce	2012-08-02	2	-25/+33
\| \| \| \| \|	By keeping it's definition in the mspac file it is easier to modify and make sure any opertion on it is handled in the same file.