| Commit message | Author | Age | Files | Lines |
| |
When AD administrator credentials are passed, they are stored in realm_passwd,
not realm_password, in the options.
When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure
to normalize them.
Additionally, force the Samba auth module to use NTLMSSP in case we have
credentials, because at the point when the trust is established, the KDC is not
yet ready to issue tickets to a service in the other realm due to
MS-PAC information caching effects. The logic is a bit fuzzy because
the credentials code makes decisions on what to use based on the smb.conf
parameters, and the Python bindings to set parameters in smb.conf make it so
that the auth module believes these parameters were overridden by the user
through the command line and ignores some of the options. We have to do the calls
in the right order to force NTLMSSP use instead of Kerberos.
Fixes https://fedorahosted.org/freeipa/ticket/4046
| |
https://fedorahosted.org/freeipa/ticket/3971
| |
A single LDAP search is now used instead of one search per member.
https://fedorahosted.org/freeipa/ticket/3971
| |
https://fedorahosted.org/freeipa/ticket/3971
| |
https://fedorahosted.org/freeipa/ticket/3971
| |
Add the server class name, such as [xmlserver] or [jsonserver_kerb] to
the server logs. This will allow easier debugging of problems specific
to a protocol or server class.
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/3299
| |
Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC.
This is done by subclassing and extending xmlrpclib, because
our existing code relies on xmlrpclib internals.
The URI to use is given in the new jsonrpc_uri env variable. When
it is not given, it is generated from xmlrpc_uri by replacing
/xml with /json.
The rpc_json_uri env variable existed before, but was unused,
undocumented and not set by the install scripts.
This patch removes it in favor of jsonrpc_uri (for consistency
with xmlrpc_uri).
Add the rpc_protocol env variable to control the protocol
IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed
to 'xmlrpc'.
Make backend.Executioner and tests use the backend specified by
rpc_protocol.
For compatibility with unwrap_xml, decoding JSON now gives tuples
instead of lists.
Design: http://freeipa.org/page/V3/JSON-RPC
Ticket: https://fedorahosted.org/freeipa/ticket/3299
| |
https://fedorahosted.org/freeipa/ticket/4042
| |
https://fedorahosted.org/freeipa/ticket/4021
| |
Some schema was only delivered in updates. Add it back as ldif files.
https://fedorahosted.org/freeipa/ticket/3454
| |
Now that there's a dedicated schema updater, we do not need the code
in ldapupdate.
https://fedorahosted.org/freeipa/ticket/3454
| |
The new updater is run as part of `ipa-ldap-updater --upgrade`
and `ipa-ldap-updater --schema` (--schema is a new option).
The --schema-file option to ipa-ldap-updater may be used (multiple
times) to select a non-default set of schema files to update against.
The updater adds an X-ORIGIN tag with the current IPA version to
all elements it adds or modifies.
https://fedorahosted.org/freeipa/ticket/3454
| |
Preparation for: https://fedorahosted.org/freeipa/ticket/3454
| |
The connection code will be the same for both the LDAP updater
and the new schema updater.
Preparation for: https://fedorahosted.org/freeipa/ticket/3454
| |
Default to using the EXTERNAL authorization mechanism in calls to ldapmodify.
https://fedorahosted.org/freeipa/ticket/3895
| |
When we get NT_STATUS_INVALID_PARAMETER in response to establishing a
DCE RPC pipe with Kerberos, the most likely reason is clock skew.
Suggest that this is so in the error message.
https://fedorahosted.org/freeipa/ticket/4024
| |
A regression, which prevented creation of a winsync agreement,
was introduced in the original fix for ticket #3989.
https://fedorahosted.org/freeipa/ticket/3989
| |
The server installer does not properly recognize the situation when the server
FQDN is not in a subdomain of the IPA domain, but shares the same
suffix.
For example, if the server FQDN is ipa-idm.example.com and the domain
is idm.example.com, the server's FQDN is not in the main domain, but the
installer does not recognize that. The proper Kerberos realm-domain
mapping is not created in this case and the server does not work
(httpd reports GSSAPI errors).
https://fedorahosted.org/freeipa/ticket/4012
| |
This change makes single_value consistent with the raw property.
https://fedorahosted.org/freeipa/ticket/3521
| |
Part of: https://fedorahosted.org/freeipa/ticket/3833
| |
https://fedorahosted.org/freeipa/ticket/3521
| |
Part of: https://fedorahosted.org/freeipa/ticket/3833
| |
https://fedorahosted.org/freeipa/ticket/3975
| |
Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening on different ports).
To make sure that mod_ssl is not configured to listen on 443
(the default mod_ssl configuration), add a check to the installer for
whether either mod_nss or mod_ssl was configured to listen on that port.
https://fedorahosted.org/freeipa/ticket/3974
| |
When set_directive was used for directive "foo" and the word "foo"
was detected anywhere on the line (e.g. in a comment, or in an example),
it was overwritten, which could lead to the wrong line being
overwritten.
Only match directives at the beginning of lines; it is safer.
https://fedorahosted.org/freeipa/ticket/3974
| |
Add nsds5ReplicaStripAttrs to the agreement LDAP entry before the agreement
is created.
https://fedorahosted.org/freeipa/ticket/3989
| |
Add three new ipa-advise plugins, to facilitate configuration of
legacy clients using nss-pam-ldapd:
* config-redhat-nss-pam-ldapd
* config-generic-linux-nss-pam-ldapd
* config-freebsd-nss-pam-ldapd
https://fedorahosted.org/freeipa/ticket/3672
| |
The majority of the attributes set in the setup method can be set in the
__init__ method where they are actually defined (and set to None).
This is true for attributes that hold constant values and for
attributes that have their values derived from the api.env dictionary.
Creates a new __setup_default_attributes method that is called
from within __init__ and setup (in case the passed values for
hostname or domain do not correspond to what is set in api.env;
doing otherwise could cause unexpected behaviour).
Part of: https://fedorahosted.org/freeipa/ticket/3479
| |
The uninstall method of the AD trust instance was not called
at all in the ipa-server-install --uninstall phase.
This patch makes sure that the AD trust instance is unconfigured when
the server is uninstalled.
The following steps are undertaken:
* Remove /var/run/samba/krb5cc_samba
* Remove our keys from /etc/samba/samba.keytab using ipa-rmkeytab
* Remove /var/lib/samba/*.tdb files
Additionally, we make sure winbind service is stopped from within the
stop() method.
Part of: https://fedorahosted.org/freeipa/ticket/3479
| |
Since we are not able to properly restore the Samba server to the
working state after running ipa-adtrust-install, we should not keep
the smb.conf in the fstore.
This patch makes sure that any backed up smb.conf is removed from
the backup and that this file is not backed up anymore.
Part of: https://fedorahosted.org/freeipa/ticket/3479
| |
The installers used custom self.realm_name instead of standard
self.realm defined in Service class. It caused crashes in some cases
when Service class methods expected the self.realm to be filled.
https://fedorahosted.org/freeipa/ticket/3854
| |
Proxy configuration was not detected correctly. Both
ipa-pki-proxy.conf and ipa.conf need to be in place and httpd
restarted to be able to check its status.
https://fedorahosted.org/freeipa/ticket/3964
| |
Deprecate this option and do not offer it in installation tools.
Without this option enabled, advanced DNS features like DNSSEC
would not work.
https://fedorahosted.org/freeipa/ticket/3962
| |
This helps forward compatibility: the anon ACI is scheduled for removal.
https://fedorahosted.org/freeipa/ticket/3956
| |
https://fedorahosted.org/freeipa/ticket/3897
| |
This works around pk12util refusing to use empty password files, which prevents
the use of PKCS#12 files with an empty password.
https://fedorahosted.org/freeipa/ticket/3897
| |
Since the FreeIPA KDC supports adding the MS-PAC to the HTTP/ipa.server principal,
it is possible to use it when talking to the trusted AD DC.
Remove support for authenticating as the trust account because it should not
really be used other than within Samba.
| |
Add IPA CLI to manage trust domains.
ipa trust-fetch-domains <trust> -- fetch list of subdomains from AD side and add new ones to IPA
ipa trustdomain-find <trust> -- show all available domains
ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust>
ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA
ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain
By default all discovered trust domains are allowed to access IPA resources.
The IPA KDC also needs information on authentication paths to subdomains in case they
are not hierarchical under the AD forest trust root. This information is managed via the capaths
section in krb5.conf. SSSD should be able to generate it once
ticket https://fedorahosted.org/sssd/ticket/2093 is resolved.
Part of https://fedorahosted.org/freeipa/ticket/3909
| |
Use realmdomains information to prepopulate forest trust info. As a result,
all additional domains should now be enabled from the beginning, unless they
really conflict with existing DNS domains on the AD side.
https://fedorahosted.org/freeipa/ticket/3919
| |
When the IPA server hostname is outside of the default DNS domain, the FQDN
should be used instead of the relative domain name.
https://fedorahosted.org/freeipa/ticket/3908
| |
When a trust is established, the last step done by the IPA framework is to set
the encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in the trust object entry,
which is not allowed by ACI.
Additionally, the wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against the IPA smbd, which prevented even
reaching the point where ipa-sam would be asked to modify the trust object.
| |
Prevent showing an unfriendly "Unexpected error" message when providing
an incorrect DM password to ipa-ldap-updater.
https://fedorahosted.org/freeipa/ticket/3825
| |
This is a workaround for <https://fedorahosted.org/389/ticket/47490>.
https://fedorahosted.org/freeipa/ticket/3915
| |
The __all__ list does not cause submodules to be imported, e.g.
one would still have to `import ipaclient.ipachangeconf` rather than
just `import ipaclient` to use `ipaclient.ipachangeconf`.
Even if they did do anything, the lists were incomplete, and (since
`import *` is not used on these modules) unnecessary.
Pylint 1.0 reports undeclared names in __all__ as a warning.
| |
ipa-restore would fail if the DS user did not exist. Check for the presence of the DS
user and group and create them if needed.
https://fedorahosted.org/freeipa/ticket/3856
| |
https://fedorahosted.org/freeipa/ticket/3869
| |
https://fedorahosted.org/freeipa/ticket/3869