sssd.git, branch oneway

IPA: Reuse ipa_subdomains_retrieve_send for re-setting up a trusted domain

2015-09-23T11:29:20+00:00

IPA: Only re-fetch the keytab if modifyTimestamp is newer than last LDAP connection

2015-09-23T07:45:57+00:00

Resolves:
    https://fedorahosted.org/sssd/ticket/2639

When a subdomain account lookup errors out, try to re-setup the trust
object. Only do this, if the connection was established after the last
re-set of the trust object.

Internally, the setup function looks at the modifyTimestamp operational
attribute of the TDO. If the modifyTimestamp is newer than the last
keytab check, then the trust was re-created and we need to fetch the
keytab again.

Marking the back end as online re-sets the TDO check timestamp so that
after cycling the sssd, the keytab would always be checked.

LDAP: Save connection time from LDAP provider

2015-09-23T07:24:49+00:00

Whenever a connection request ends successfully, store the success time
to the sdap_id_conn_ctx.

IPA: Retry fetching keytab if IPA user lookup fails

2015-09-23T07:24:44+00:00

Required for:
    https://fedorahosted.org/sssd/ticket/2639

Instead of calling ipa_get_ad_acct_send directly, call a new request
ipa_srv_ad_acct_send. The new request wraps ipa_get_ad_acct_send and
either tries to request a new keytab every time the lookup fails but the
domain is online.

be_mark_dom_offline() is called when the retry fails with the new code.

The retry tries to re-setup the trusted domain. With two-way setups, the
request is a no-op. With one-way trust setups, the request re-fetches
new keytab unconditionally.

FO: Also reset the server common data in addition to SRV

2015-09-22T21:35:52+00:00

In a server that is expanded from a SRV query was reset, only it's
'meta-server' status was set to neutral, but the server->common
structure still retained its not_working status.

This patch also resets the status of the common structure so that both
the SRV query and resolving the server are retried next time.

FO: Add an API to reset all servers in a single service

2015-09-22T21:35:25+00:00

Required for:
    https://fedorahosted.org/sssd/ticket/2639

Previously, we had a function that allowed the caller to reset the
status of all services in the global fail over context. This patch adds
a new function that allows the caller to reset a single service instead.

The main user would be IPA subdomain provider that might need to reset
the status of an AD trusted domain on demand.

IPA: Change ipa_server_trust_add_send request to be reusable from ID code

2015-09-22T20:11:23+00:00

Required for:
    https://fedorahosted.org/sssd/ticket/2639

Expose a request ipa_server_trusted_dom_setup_send that sets up a
trusted domain. The setup might include actions like retrieving a keytab
for one-way trusts.

Creating the AD ID context for the trused domain is now done in the
caller of this new request.

DDNS: execute nsupdate for single update of PTR rec

2015-09-22T12:51:22+00:00

nsupdate fails definitely if any of update request fails when GSSAPI is used.

As tmp solution nsupdate is executed for each update.

Resolves:
https://fedorahosted.org/sssd/ticket/2783

Reviewed-by: Jakub Hrozek

IPA PROVIDER: Resolve nested netgroup membership

2015-09-22T12:43:26+00:00

Informations about usergroup membership are stored in memberOf
attribute. And informations about hostgroup membership are stored
in originalMemberOf.
This patch add appropriate memberOf attributes
for searching in.

Ticket: https://fedorahosted.org/sssd/ticket/2275

Reviewed-by: Sumit Bose

LDAP: Filter out multiple entries when searching overlapping domains

2015-09-22T11:46:02+00:00

In case domain overlap, we might download multiple objects. To avoid
saving them all, we attempt to filter out the objects from foreign
domains.

We can only do this optimization for non-wildcard lookups.

Reviewed-by: Lukáš Slebodník