sssd2.git/src/config, branch master System Security Services Daemon [okos' clone] dyndns: new option dyndns_auth 2013-05-03T18:25:46+00:00 Jakub Hrozek jhrozek@redhat.com 2013-04-16T13:11:38+00:00 e15a9f81eb33066937710d7dee6976a3646d119c This options is mostly provided for future expansion. Currently it is undocumented and both IPA and AD dynamic DNS updates default to GSS-TSIG. Allowed values are GSS-TSIG and none. 
This options is mostly provided for future expansion. Currently it is
undocumented and both IPA and AD dynamic DNS updates default to
GSS-TSIG. Allowed values are GSS-TSIG and none.
dyndns: new option dyndns_force_tcp 2013-05-03T18:25:46+00:00 Jakub Hrozek jhrozek@redhat.com 2013-04-16T12:19:15+00:00 e45b81abe0aafa8a04bd64ac31a2fac63ce675b7 https://fedorahosted.org/sssd/ticket/1831 Adds a new option that can be used to force nsupdate to only use TCP to communicate with the DNS server. 
https://fedorahosted.org/sssd/ticket/1831

Adds a new option that can be used to force nsupdate to only use TCP to
communicate with the DNS server.
dyndns: New option dyndns_update_ptr 2013-05-03T18:25:46+00:00 Jakub Hrozek jhrozek@redhat.com 2013-04-30T14:40:09+00:00 38ebc764eeb7693e0c4f0894d6687e54fbba871b https://fedorahosted.org/sssd/ticket/1832 While some servers, such as FreeIPA allow the PTR record to be synchronized when the forward record is updated, other servers, including Active Directory, require that the PTR record is synchronized manually. This patch adds a new option, dyndns_update_ptr that automatically generates appropriate DNS update message for updating the reverse zone. This option is off by default in the IPA provider. Also renames be_nsupdate_create_msg to be_nsupdate_create_fwd_msg 
https://fedorahosted.org/sssd/ticket/1832

While some servers, such as FreeIPA allow the PTR record to be
synchronized when the forward record is updated, other servers,
including Active Directory, require that the PTR record is synchronized
manually.

This patch adds a new option, dyndns_update_ptr that automatically
generates appropriate DNS update message for updating the reverse zone.

This option is off by default in the IPA provider.

Also renames be_nsupdate_create_msg to be_nsupdate_create_fwd_msg
dyndns: new option dyndns_refresh_interval 2013-05-03T18:25:46+00:00 Jakub Hrozek jhrozek@redhat.com 2013-04-09T15:40:40+00:00 5a4239490c7fb7d732180a9d40f27f0247c56631 This new options adds the possibility of updating the DNS entries periodically regardless if they have changed or not. This feature will be useful mainly in AD environments where the Windows clients periodically update their DNS records. 
This new options adds the possibility of updating the DNS entries
periodically regardless if they have changed or not. This feature
will be useful mainly in AD environments where the Windows clients
periodically update their DNS records.
Convert IPA-specific options to be back-end agnostic 2013-05-03T18:22:37+00:00 Jakub Hrozek jhrozek@redhat.com 2013-04-09T12:20:28+00:00 04868f1573f4b26ef34610b6d7069172f93bd8ab This patch introduces new options for dynamic DNS updates that are not specific to any back end. The current ipa dyndns options are still usable, just with a deprecation warning. 
This patch introduces new options for dynamic DNS updates that are not
specific to any back end. The current ipa dyndns options are still
usable, just with a deprecation warning.
SUDO: IPA provider 2013-05-03T17:59:40+00:00 Lukas Slebodnik lslebodn@redhat.com 2013-04-24T18:26:40+00:00 b24e4bec819b29f1ec8e77083d4e7610c5dd9c77 This patch added auto configuration SUDO with ipa provider and compat tree. https://fedorahosted.org/sssd/ticket/1733 
This patch added auto configuration SUDO with ipa provider and compat tree.

https://fedorahosted.org/sssd/ticket/1733
DNS sites support - add AD SRV plugin 2013-05-02T14:48:12+00:00 Pavel Březina pbrezina@redhat.com 2013-04-16T13:41:33+00:00 a679f0167b646cffdae86546ed77e105576991b0 https://fedorahosted.org/sssd/ticket/1032 
https://fedorahosted.org/sssd/ticket/1032
Allow usage of enterprise principals 2013-04-22T13:33:40+00:00 Sumit Bose sbose@redhat.com 2013-03-25T16:41:19+00:00 edaa983d094c239c3e1ba667bcd20ed3934be3b8 Enterprise principals are currently most useful for the AD provider and hence enabled here by default while for the other Kerberos based authentication providers they are disabled by default. If additional UPN suffixes are configured for the AD domain the user principal stored in the AD LDAP server might not contain the real Kerberos realm of the AD domain but one of the additional suffixes which might be completely randomly chooses, e.g. are not related to any existing DNS domain. This make it hard for a client to figure out the right KDC to send requests to. To get around this enterprise principals (see http://tools.ietf.org/html/rfc6806 for details) were introduced. Basically a default realm is added to the principal so that the Kerberos client libraries at least know where to send the request to. It is not in the responsibility of the KDC to either handle the request itself, return a client referral if he thinks a different KDC can handle the request or return and error. This feature is also use to allow authentication in AD environments with cross forest trusts. Fixes https://fedorahosted.org/sssd/ticket/1842 
Enterprise principals are currently most useful for the AD provider and
hence enabled here by default while for the other Kerberos based
authentication providers they are disabled by default.

If additional UPN suffixes are configured for the AD domain the user
principal stored in the AD LDAP server might not contain the real
Kerberos realm of the AD domain but one of the additional suffixes which
might be completely randomly chooses, e.g. are not related to any
existing DNS domain. This make it hard for a client to figure out the
right KDC to send requests to.

To get around this enterprise principals (see
http://tools.ietf.org/html/rfc6806 for details) were introduced.
Basically a default realm is added to the principal so that the Kerberos
client libraries at least know where to send the request to. It is not
in the responsibility of the KDC to either handle the request itself,
return a client referral if he thinks a different KDC can handle the
request or return and error. This feature is also use to allow
authentication in AD environments with cross forest trusts.

Fixes https://fedorahosted.org/sssd/ticket/1842
DNS sites support - add IPA SRV plugin 2013-04-10T13:37:00+00:00 Pavel Březina pbrezina@redhat.com 2013-04-09T11:16:23+00:00 88275cccddf39892e01682b39b02292eb74729bd https://fedorahosted.org/sssd/ticket/1032 
https://fedorahosted.org/sssd/ticket/1032
Allow setting krb5_renew_interval with a delimiter 2013-04-03T11:33:21+00:00 Ariel Barria olivares73@hotmail.com 2013-03-27T21:04:06+00:00 1b171c456ff901ab622e44bcfd213f7de86fd787 https://fedorahosted.org/sssd/ticket/902 changed the data type the krb5_renew_interval to string. function krb5_string_to_deltat is used to convert and allow delimiters 
https://fedorahosted.org/sssd/ticket/902

changed the data type the krb5_renew_interval to string.
function krb5_string_to_deltat is used to convert and allow delimiters