summaryrefslogtreecommitdiffstats
path: root/daemons/ipa-sam
Commit message (Collapse)AuthorAgeFilesLines
* Remove CFLAGS duplication.Jan Cholasta2013-12-061-1/+0
| | | | https://fedorahosted.org/freeipa/ticket/3896
* Remove generation and handling of LM hashesSumit Bose2013-11-011-18/+3
| | | | https://fedorahosted.org/freeipa/ticket/3795
* ipasam: for subdomains pick up defaults for missing valuesAlexander Bokovoy2013-10-041-0/+12
| | | | | | We don't store trust type, attributes, and direction for subdomains of the existing trust. Since trust is always forest level, these parameters can be added as defaults when they are missing.
* ipa-sam: report supported enctypes based on Kerberos realm configurationAlexander Bokovoy2013-09-201-12/+117
| | | | | | | | | | | | | | | | | | | We store Kerberos realm configuration in cn=REALM,cn=kerberos,$SUFFIX. Along other configuration options, this container has list of default supported encryption types, in krbDefaultEncSaltTypes. Fetch krbDefaultEncSaltTypes value on ipa-sam initialization and convert discovered list to the mask of supported encryption types according to security.idl from Samba: typedef [public,bitmap32bit] bitmap { KERB_ENCTYPE_DES_CBC_CRC = 0x00000001, KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002, KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004, KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008, KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010 } kerb_EncTypes; Part of https://fedorahosted.org/freeipa/ticket/3898
* ipa-sam: do not leak LDAPMessage on ipa-sam initializationAlexander Bokovoy2013-09-201-2/+7
| | | | | | | | We used to handle some of code paths to free memory allocated by the LDAP library but there are few more unhandled. In addition, search result wasn't freed on successful initialization, leaking for long time. https://fedorahosted.org/freeipa/ticket/3913
* ipa-sam: do not modify objectclass when trust object already createdAlexander Bokovoy2013-09-201-41/+71
| | | | | | | | | | | When trust is established, last step done by IPA framework is to set encryption types associated with the trust. This operation fails due to ipa-sam attempting to modify object classes in trust object entry which is not allowed by ACI. Additionally, wrong handle was used by dcerpc.py code when executing SetInformationTrustedDomain() against IPA smbd which prevented even to reach the point where ipa-sam would be asked to modify the trust object.
* ipasam: add enumeration of UPN suffixes based on the realm domainsAlexander Bokovoy2013-03-291-11/+181
| | | | | | | | | | | | | | | | PASSDB API in Samba adds support for specifying UPN suffixes. The change in ipasam will allow to pass through list of realm domains as UPN suffixes so that Active Directory domain controller will be able to recognize non-primary UPN suffixes as belonging to IPA and properly find our KDC for cross-realm TGT. Since Samba already returns primary DNS domain separately, filter it out from list of UPN suffixes. Also enclose provider of UPN suffixes into #ifdef to support both Samba with and without pdb_enum_upn_suffixes(). Part of https://fedorahosted.org/freeipa/ticket/2848
* Remove build warningsMartin Kosek2013-03-291-1/+1
| | | | | | Fix rpm build warnings report in Fedora 19 build. https://fedorahosted.org/freeipa/ticket/3500
* Change DNA magic value to -1 to make UID 999 usablePetr Viktorin2013-03-111-1/+1
| | | | | | | | | | | | | Change user-add's uid & gid parameters from autofill to optional. Change the DNA magic value to -1. For old clients, which will still send 999 when they want DNA assignment, translate the 999 to -1. This is done via a new capability, optional_uid_params. Tests included https://fedorahosted.org/freeipa/ticket/2886
* ipa-sam: Array compared against 0 in ipasam_set_trusted_domain()Sumit Bose2013-02-281-1/+1
| | | | | | | ipa_mspac_well_known_sids is a globally defined array so the check was always true. Fixes https://fedorahosted.org/freeipa/ticket/3423
* ipasam: use base scope when fetching domain information about own domainAlexander Bokovoy2013-02-191-1/+1
| | | | | | | | | Since we use associatedDomain attribute to store information about UPN suffixes and our own domain, searching subtree is going to return more than one entry. Limit search for own domain by base scope as we only need to fetch our own domain information here, not UPN suffixes. Required for https://fedorahosted.org/freeipa/ticket/2945
* ipa-sam: Fill SID blacklist when trust is addedMartin Kosek2013-02-121-1/+13
| | | | | | | Fill incoming and outgoing trust LDAP entry with default SID blacklist value. https://fedorahosted.org/freeipa/ticket/3289
* ipasam: better Kerberos error handling in ipasamAlexander Bokovoy2012-11-211-3/+5
| | | | | | | If time is moved back on the IPA server, ipasam does not invalidate the existing ticket. https://fedorahosted.org/freeipa/ticket/3183
* Fix various issues found by CoveritySumit Bose2012-10-171-1/+1
|
* ipasam: generate proper SID for trusted domain objectSumit Bose2012-10-041-8/+49
|
* ipasam: add fallback primary groupSumit Bose2012-10-041-7/+230
| | | | https://fedorahosted.org/freeipa/ticket/2955
* ipasam: Fixes build with samba4 rc1Sumit Bose2012-09-141-10/+10
|
* ipasam: replace trim_char() with trim_string()Sumit Bose2012-09-061-2/+1
|
* ipasam: remove fetch_ldap_pw()Sumit Bose2012-09-061-10/+2
|
* ipasam: replace get_global_sam_sid()Sumit Bose2012-09-061-4/+12
|
* ipasam: add libsss_idmap context and replace string_to_sid()Sumit Bose2012-09-062-31/+89
|
* ipasam: Replace global_sid_BuiltinSumit Bose2012-09-061-1/+3
|
* ipasam: Replace sid_peek_check_rid()Sumit Bose2012-09-061-1/+17
|
* ipasam: Replace sid_check_is_our_sam()Sumit Bose2012-09-061-2/+1
|
* ipasam: Replace dom_sid_compare_domain()Sumit Bose2012-09-061-1/+27
|
* ipasam: Replace is_null_sid()Sumit Bose2012-09-061-1/+24
|
* ipasam: replace sid_compose()Sumit Bose2012-09-061-1/+14
|
* ipasam: replace sid_copy()Sumit Bose2012-09-061-1/+15
|
* ipasam: remove talloc_asprintf_strupper_m()Sumit Bose2012-09-061-3/+8
|
* ipasam: remove strlower_m()Sumit Bose2012-09-061-3/+1
|
* ipasam: replace strnequal()Sumit Bose2012-09-061-1/+16
|
* ipasam: remove sid_peek_rid()Sumit Bose2012-09-061-11/+18
|
* ipasam: remove nt_lm_owf_gen() and dependency to libcliauth.soSumit Bose2012-09-061-12/+59
|
* Make encode_ntlm_keys() publicSumit Bose2012-09-061-1/+2
|
* ipasam: cleanup explicit dependencies to samba libsSumit Bose2012-09-061-2/+0
|
* Fix ipasam ipaNThash magic regen to actually fetch updated passwordAlexander Bokovoy2012-08-221-13/+9
| | | | | | | With this change ipasam is able to ask for ipaNTHash generation and if corresponding Kerberos key is available, will be able to retrieve generated ipaNTHash. Part 1 of https://fedorahosted.org/freeipa/ticket/3016
* Recover from invalid cached kerberos credentials in ipasamAlexander Bokovoy2012-08-221-37/+77
| | | | | | | | | | | | | | | | When developing and testing in the same environment, multiple re-installs may be needed. This means previously issued and cached Kerberos credentials will become invalid upon new install. ipasam passdb module for Samba uses Kerberos authentication when talking to IPA LDAP server. Obtained Kerberos credentials are cached during their lifetime. However, the ccache is not removed automatically and if IPA setup is made again, cached credentials are used, only to discover that they are invalid. With this change invalid correctly obtained cached credentials are recognized and, if LDAP SASL bind fails, new credentials are requested from the KDC. https://fedorahosted.org/freeipa/ticket/3009
* Use libsamba-security instead of libsecuritySumit Bose2012-08-221-1/+1
| | | | | In samba4-beta6 the name of a library was changed from libsecurity to libsamba-security.
* When ipaNTHash is missing, ask IPA to generate it from kerberos keysAlexander Bokovoy2012-07-301-3/+93
| | | | Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Follow change in samba4 beta4 for sid_check_is_domain to sid_check_is_our_samAlexander Bokovoy2012-07-181-1/+3
| | | | | | | With c43505b621725c9a754f0ee98318d451b093f2ed in samba git master the function sid_check_is_domain() was renamed to sid_check_is_our_sam(). https://fedorahosted.org/freeipa/ticket/2929
* reduce redundant checks in ldapsam_search_users() to a single statementAlexander Bokovoy2012-07-061-8/+1
|
* Use smb.conf 'dedicated keytab file' parameter instead of hard-coded valueAlexander Bokovoy2012-07-061-1/+2
|
* ipasam: replace testing codeSumit Bose2012-07-061-5/+5
|
* ipasam: fixes for clang warningsSumit Bose2012-07-061-28/+20
|
* ipasam: improve SASL bind callbackAlexander Bokovoy2012-07-061-42/+136
| | | | | | | | SASL bind callback due to refactoring was referencing local variable which didn't exist all the time. Fix that by including a copy of service principals into ipasam long term private struct. Rework ccache handling to avoid re-initing every time callback is called
* Add error condition handling to the SASL bind callback in ipasamAlexander Bokovoy2012-06-281-12/+80
| | | | https://fedorahosted.org/freeipa/ticket/2877
* Support requests for DOMAIN$ account for trusted domains in ipasam moduleAlexander Bokovoy2012-06-281-13/+20
| | | | https://fedorahosted.org/freeipa/ticket/2870
* ipasam: remove unused struct elementsSumit Bose2012-06-111-11/+0
|
* Use exop instead of kadmin.localSumit Bose2012-06-112-27/+80
|
* ipa-sam: update sid_to_id() interface to follow passdb API changes in SambaAlexander Bokovoy2012-06-072-18/+3
| | | | | | | | | Commit a6e29f23f09ba5b6b6d362f7683ae8088bc0ba85 in Samba changed id mapping API in passdb interface to use 'struct unixid'. The change replaced three arguments (uid, gid, type) by one (struct unixid). As result, ipa-sam became broken. Without this change ipa-sam introduces stack corruption in Samba post 4.0.0alpha18 leading to corrupted security context stack as well and then crashing in setgroups(3).