| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3944
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4094
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4094
|
| |
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/4116
|
|
|
|
|
|
|
| |
LDAP protocol doesn't allow deleting non-leaf entries. One needs to
remove all leaves first before removing the tree node.
https://fedorahosted.org/freeipa/ticket/4126
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add Web UI counterpart of following CLI commands:
* trust-fetch-domains Refresh list of the domains associated with the trust
* trustdomain-del Remove infromation about the domain associated with the trust.
* trustdomain-disable Disable use of IPA resources by the domain of the trust
* trustdomain-enable Allow use of IPA resources by the domain of the trust
* trustdomain-find Search domains of the trust
https://fedorahosted.org/freeipa/ticket/4119
|
|
|
|
|
|
|
|
|
|
|
|
| |
We do not need to expose a public FreeIPA specific interface to resolve
SIDs to names. The interface is only used internally to resolve SIDs
when external group members are listed. Additionally, the command interface
is not prepared for regular user and can give rather confusing results.
Hide it from CLI. The API itself is still accessible and compatible with
older clients.
https://fedorahosted.org/freeipa/ticket/4113
|
|
|
|
|
|
|
|
|
|
| |
When legacy client tests fail during IPA installation, the legacy
client test produces an additional misleading error
(the real cause is reported as well). This happens due the fact
that we try to cleanup host that was not yet defined. We need to
check for this attribute being defined before unapplying fixes there.
https://fedorahosted.org/freeipa/ticket/4124
|
|
|
|
|
|
|
|
| |
Sudo calls are not necessary since we log in as a root. Additionally,
sudo requires tty in default configuration, which is not acquired
when using OpenSSH transport.
https://fedorahosted.org/freeipa/ticket/4125
|
|
|
|
|
|
| |
Ensure we set host netbios name by default in smb.conf
https://fedorahosted.org/freeipa/ticket/4116
|
|
|
|
|
|
|
| |
- it's called in group-show
https://bugzilla.redhat.com/show_bug.cgi?id=1054391
https://fedorahosted.org/freeipa/ticket/4123
|
|
|
|
|
|
|
|
| |
Perform SID to name conversion for existing external members of the
groups if trust is configured.
https://bugzilla.redhat.com/show_bug.cgi?id=1054391
https://fedorahosted.org/freeipa/ticket/4123
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4078
|
|
|
|
|
|
|
|
| |
dnsrecord-mod may call dnsrecord-delentry command when all records
are deleted. However, the version was not passwd to delentry and
it resulted in a warning.
https://fedorahosted.org/freeipa/ticket/4120
|
|
|
|
|
|
|
|
| |
When output_for_cli was called directly, rather than for values
received through XML or JSON API, joining multiple values failed
on non-strings such as DN objects.
Convert output to strings before printing it out.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Both the password plugin and the kdb driver code automatically fall
back to the default password policy.
so stop adding an explicit reference to user objects and instead rely on the
fallback.
This way users created via the framework and users created via winsync plugin
behave the same way wrt password policies and no surprises will happen.
Also in case we need to change the default password policy DN this will allow
just code changes instead of having to change each user entry created, and
distinguish between the default policy and explicit admin changes.
Related: https://fedorahosted.org/freeipa/ticket/4085
Patch backported/updated by Martin Kosek to accomodate different ipatests
structure in ipa-3-3 branch.
|
|
|
|
|
|
|
|
|
|
|
| |
The KDB driver does not walk the tree back like the original password plugin.
Also we do not store the default policy in the base DN as we used to do in the
past anymore.
So doing a full subtree search and walking back the tree is just a waste of
time.
Instead hardcode the default policy like we do in the kdb driver.
Fixes: https://fedorahosted.org/freeipa/ticket/4085
|
|
|
|
| |
This fixes a possible NSS database corruption in renew_ca_cert.
|
|
|
|
|
| |
When a context to which we yield generates exception, the code in
private_ccache() and stopped_service() didn't get called for cleanup.
|
|
|
|
|
|
|
|
|
| |
For NETLOGON_NT_VERSION_5EX requests the prepended \\ is not expected in
the PDC NetBIOS name. In general AD seems to be smart enough to handle
the two \ signs. But if the NetBIOS name reaches the maximum of 15
character AD does not accept the responses anymore.
Fixes https://fedorahosted.org/freeipa/ticket/4028
|
|
|
|
|
|
|
|
|
|
| |
Show status of each enumerated domain
trustdomain-find shows list of domains associated with the trust.
Each domain except the trust forest root can be enabled or disabled
with the help of trustdomain-enable and trustdomain-disable commands.
https://fedorahosted.org/freeipa/ticket/4096
|
|
|
|
|
|
|
|
|
|
|
|
| |
When trust is added, we do create ranges for discovered child domains.
However, this functionality was not available through
'trust-fetch-domains' command.
Additionally, make sure non-existing trust will report proper error in
trust-fetch-domains.
https://fedorahosted.org/freeipa/ticket/4111
https://fedorahosted.org/freeipa/ticket/4104
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4091
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4090
|
|
|
|
|
|
|
|
| |
sudoers compat plugin configuration missed the sudoOrder attribute
and it thus did not show up in ou=sudoers. Add the definion to update
file.
https://fedorahosted.org/freeipa/ticket/4107
|
|
|
|
|
|
|
|
|
|
| |
When creating a host with a password we don't set a Kerberos
principal or add the Kerberos objectclasses. Those get added when the
host is enrolled. If one passed in --password= (so no password) then
we incorrectly thought the user was in fact setting a password, so the
principal and objectclasses weren't updated.
https://fedorahosted.org/freeipa/ticket/4102
|
|
|
|
|
|
|
|
|
|
| |
Original patch for ticket #3803 implemented support to resolve SIDs
through SSSD. However, it also broke hbactest for external users. The
result of the updated external member group search must be local
non-external groups, not the external ones. Otherwise the rule is not
matched.
https://fedorahosted.org/freeipa/ticket/3803
|
|
|
|
|
| |
Previous commit accidentally added executable permission to
restart_pkicad and stop_pkicad.
|
|
|
|
|
|
|
|
|
|
| |
Fix both the service restart procedure and registration of old
pki-cad well known service name.
This patch was adapted from original patch of Jan Cholasta 178 to
fix ticket 4092.
https://fedorahosted.org/freeipa/ticket/4092
|
|
|
|
|
|
| |
As reported in https://bugzilla.redhat.com/show_bug.cgi?id=1040576,
the default stack trace needs to be also increased on s390 platforms
to prevent rhino segfault.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4064
|
|
|
|
|
|
| |
Wit the default stack size, rhino segfaulted on PPC platforms.
https://bugzilla.redhat.com/show_bug.cgi?id=1040576
|
|
|
|
|
|
|
|
|
| |
Web UI build fails on some architectures or configuration due to
StackOverflow. This patch increases the stack size to solve it.
512k is usually enough but we encountered fail on ppc64 even with 2m,
therefore the 8m. The build is single threaded so it shouldn't waste
much memory.
|
|
|
|
|
|
|
|
|
|
|
| |
Latest support for subdomains introduced regression that masked
difference between newly added trust and re-added one.
Additionally, in case no new subdomains were found, the code was
returning None instead of an empty list which later could confuse
trustdomain-find command.
https://fedorahosted.org/freeipa/ticket/4067
|
|
|
|
|
|
|
|
| |
The CLDAP DS plugin uses the uppercased first segment of the fully
qualified hostname as the NetBIOS name. We need to limit its size
to 15 characters.
https://fedorahosted.org/freeipa/ticket/4028
|
|
|
|
|
|
|
|
|
|
|
|
| |
The driver only checked if the corresponding value was in the config, so
no_dns: False
had the same effect as
no_dns: True
Change the check to take the value into consideration.
This makes false-y values like False (from YAML) and empty string
(from environment) work as if the value was not specified.
|
|
|
|
|
|
|
|
|
|
|
| |
The ipa-client-install script and ipa-join use different methods
of resolving the hostname, the former uses gethostbyaddr() call,
while the latter reads the "uinfo.nodename".
This can result ipa-client-install failures in case of broken PTR
records.
https://fedorahosted.org/freeipa/ticket/4027
|
|
|
|
|
|
|
| |
Server and client installer should allow kernel keyring ccache when
supported.
https://fedorahosted.org/freeipa/ticket/4013
|
|
|
|
|
|
| |
Modified web ui files had incorrect GPLv2 headers instead of GPLv3 ones.
All of the affected code is of FreeIPA origin.
|
|
|
|
| |
This may make debugging easier if the address is set incorrectly.
|
|
|
|
|
|
|
|
|
|
|
|
| |
The framework had a concept of external hostnames,
which the controller uses to contact the test machines,
but they were not loaded from configuration.
Load external names from configuration.
This makes tests pass in setups where internal and external
hostnames are different, and the internal hostnames are not
initially resolvable from the controller.
|
|
|
|
|
|
| |
Apparently when we relicensed to GPLv3 we missed these two spots.
The actual boilerplate was changed in these files but not the
license tag passed to python setup.
|
| |
|
|
|
|
|
|
|
| |
This reverts commit 3a11044664341257a3929da2db1c493659515eec.
The required version of httpd is not available in Fedora 19.
Revert to using the workaround for the 3.3 branch.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4010
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4010
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When AD administrator credentials passed, they stored in realm_passwd,
not realm_password in the options.
When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure
to normalize them.
Additionally, force Samba auth module to use NTLMSSP in case we have
credentials because at the point when trust is established, KDC is not
yet ready to issue tickets to a service in the other realm due to
MS-PAC information caching effects. The logic is a bit fuzzy because
credentials code makes decisions on what to use based on the smb.conf
parameters and Python bindings to set parameters to smb.conf make it so
that auth module believes these parameters were overidden by the user
through the command line and ignore some of options. We have to do calls
in the right order to force NTLMSSP use instead of Kerberos.
Fixes https://fedorahosted.org/freeipa/ticket/4046
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4042
|