freeipa.git/daemons/ipa-sam, branch patternfly Unnamed repository; edit this file 'description' to name the repository. ipa-sam: cache gid to sid and uid to sid requests in idmap cache 2014-03-12T11:19:06+00:00 Jason Woods devel@jasonwoods.me.uk 2014-03-07T16:38:24+00:00 d6a7923f71eb69bac53d6ff904086a9abd103dbc Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the directory service for gid/uid<->sid resolution. Additionally, this patch further reduces number of queries by: - fast fail on uidNumber=0 which doesn't exist in FreeIPA, - return fallback group correctly when looking up user primary group as is done during init, - checking for group objectclass in case insensitive way Patch by Jason Woods <devel@jasonwoods.me.uk> Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> https://fedorahosted.org/freeipa/ticket/4234 and https://bugzilla.redhat.com/show_bug.cgi?id=1073829 https://bugzilla.redhat.com/show_bug.cgi?id=1074314 Reviewed-By: Sumit Bose <sbose@redhat.com> 
Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the
directory service for gid/uid<->sid resolution.

Additionally, this patch further reduces number of queries by:
 - fast fail on uidNumber=0 which doesn't exist in FreeIPA,
 - return fallback group correctly when looking up user primary group as is
   done during init,
 - checking for group objectclass in case insensitive way

Patch by Jason Woods <devel@jasonwoods.me.uk>

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

https://fedorahosted.org/freeipa/ticket/4234
and
https://bugzilla.redhat.com/show_bug.cgi?id=1073829
https://bugzilla.redhat.com/show_bug.cgi?id=1074314

Reviewed-By: Sumit Bose <sbose@redhat.com>
ipasam: delete trusted child domains before removing the trust 2014-01-21T11:31:54+00:00 Alexander Bokovoy abokovoy@redhat.com 2014-01-20T14:42:48+00:00 c29211671cfd7d7734b932c8d6d70c94c849b5d1 LDAP protocol doesn't allow deleting non-leaf entries. One needs to remove all leaves first before removing the tree node. https://fedorahosted.org/freeipa/ticket/4126 
LDAP protocol doesn't allow deleting non-leaf entries. One needs to
remove all leaves first before removing the tree node.

https://fedorahosted.org/freeipa/ticket/4126
Remove CFLAGS duplication. 2013-12-06T13:44:41+00:00 Jan Cholasta jcholast@redhat.com 2013-12-06T10:47:44+00:00 5e2f7b68f0cb8e7fd6ea4f3236e84f1a8d075a13 https://fedorahosted.org/freeipa/ticket/3896 
https://fedorahosted.org/freeipa/ticket/3896
Remove generation and handling of LM hashes 2013-11-01T08:28:35+00:00 Sumit Bose sbose@redhat.com 2013-10-29T11:19:01+00:00 d876a22732d83ddf8e37ead89e6f23bf7aa0d69c https://fedorahosted.org/freeipa/ticket/3795 
https://fedorahosted.org/freeipa/ticket/3795
ipasam: for subdomains pick up defaults for missing values 2013-10-04T08:25:31+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-09-27T12:00:22+00:00 0ab40cdf6b354e8b760f604f2f94cf3c2292217e We don't store trust type, attributes, and direction for subdomains of the existing trust. Since trust is always forest level, these parameters can be added as defaults when they are missing. 
We don't store trust type, attributes, and direction for subdomains
of the existing trust. Since trust is always forest level, these parameters
can be added as defaults when they are missing.
ipa-sam: report supported enctypes based on Kerberos realm configuration 2013-09-20T07:59:02+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-09-10T08:56:40+00:00 a9843d6918f73c2236d0083b1e8adf54ca34eb0d We store Kerberos realm configuration in cn=REALM,cn=kerberos,$SUFFIX. Along other configuration options, this container has list of default supported encryption types, in krbDefaultEncSaltTypes. Fetch krbDefaultEncSaltTypes value on ipa-sam initialization and convert discovered list to the mask of supported encryption types according to security.idl from Samba: typedef [public,bitmap32bit] bitmap { KERB_ENCTYPE_DES_CBC_CRC = 0x00000001, KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002, KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004, KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008, KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010 } kerb_EncTypes; Part of https://fedorahosted.org/freeipa/ticket/3898 
We store Kerberos realm configuration in cn=REALM,cn=kerberos,$SUFFIX.
Along other configuration options, this container has list of default
supported encryption types, in krbDefaultEncSaltTypes.

Fetch krbDefaultEncSaltTypes value on ipa-sam initialization and convert
discovered list to the mask of supported encryption types according to
security.idl from Samba:
        typedef [public,bitmap32bit] bitmap {
                KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
                KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
                KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
                KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
                KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
        } kerb_EncTypes;

Part of https://fedorahosted.org/freeipa/ticket/3898
ipa-sam: do not leak LDAPMessage on ipa-sam initialization 2013-09-20T07:59:02+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-09-09T12:52:17+00:00 860a3ff6477db1004773742e019603032239991e We used to handle some of code paths to free memory allocated by the LDAP library but there are few more unhandled. In addition, search result wasn't freed on successful initialization, leaking for long time. https://fedorahosted.org/freeipa/ticket/3913 
We used to handle some of code paths to free memory allocated by the LDAP library
but there are few more unhandled. In addition, search result wasn't freed on successful
initialization, leaking for long time.

https://fedorahosted.org/freeipa/ticket/3913
ipa-sam: do not modify objectclass when trust object already created 2013-09-20T07:59:02+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-09-05T05:13:53+00:00 9cf8ec79c9e9d05ce9f21b4b187077e1fa650c95 When trust is established, last step done by IPA framework is to set encryption types associated with the trust. This operation fails due to ipa-sam attempting to modify object classes in trust object entry which is not allowed by ACI. Additionally, wrong handle was used by dcerpc.py code when executing SetInformationTrustedDomain() against IPA smbd which prevented even to reach the point where ipa-sam would be asked to modify the trust object. 
When trust is established, last step done by IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in trust object entry
which is not allowed by ACI.

Additionally, wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd which prevented even to
reach the point where ipa-sam would be asked to modify the trust object.
ipasam: add enumeration of UPN suffixes based on the realm domains 2013-03-29T12:45:50+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-03-22T15:30:41+00:00 cc56723151c9ebf58d891e85617319d861af14a4 PASSDB API in Samba adds support for specifying UPN suffixes. The change in ipasam will allow to pass through list of realm domains as UPN suffixes so that Active Directory domain controller will be able to recognize non-primary UPN suffixes as belonging to IPA and properly find our KDC for cross-realm TGT. Since Samba already returns primary DNS domain separately, filter it out from list of UPN suffixes. Also enclose provider of UPN suffixes into #ifdef to support both Samba with and without pdb_enum_upn_suffixes(). Part of https://fedorahosted.org/freeipa/ticket/2848 
PASSDB API in Samba adds support for specifying UPN suffixes. The change
in ipasam will allow to pass through list of realm domains as UPN suffixes
so that Active Directory domain controller will be able to recognize
non-primary UPN suffixes as belonging to IPA and properly find our KDC
for cross-realm TGT.

Since Samba already returns primary DNS domain separately, filter it out
from list of UPN suffixes.

Also enclose provider of UPN suffixes into #ifdef to support both
Samba with and without pdb_enum_upn_suffixes().

Part of https://fedorahosted.org/freeipa/ticket/2848
Remove build warnings 2013-03-29T07:59:36+00:00 Martin Kosek mkosek@redhat.com 2013-03-12T14:28:58+00:00 13b1028ac832c29656c6711834f05f7b34c75cfa Fix rpm build warnings report in Fedora 19 build. https://fedorahosted.org/freeipa/ticket/3500 
Fix rpm build warnings report in Fedora 19 build.

https://fedorahosted.org/freeipa/ticket/3500