summaryrefslogtreecommitdiffstats
path: root/daemons
Commit message (Collapse)AuthorAgeFilesLines
...
* MS-PAC: Special case NFS servicesSimo Sorce2012-11-301-1/+35
| | | | | | | | | | The current Linux NFS server is severely limited when it comes to handling kerberos tickets. Bsically any ticket bigger than 2k will cause it to fail authentication due to kernel->userspace upcall interface restrictions. Until we have additional support in IPA to indivdually mark principals to opt out of getting PACs attached we always prevent PACs from being attached to TGTs or Tickets where NFS is involved.
* Enable transactions by default, make password and modrdn TXN-awareRob Crittenden2012-11-216-5/+71
| | | | | | | | | | | | | | | | | | | | | | | | | | The password and modrdn plugins needed to be made transaction aware for the pre and post operations. Remove the reverse member hoop jumping. Just fetch the entry once and all the memberof data is there (plus objectclass). Fix some unit tests that are failing because we actually get the data now due to transactions. Add small bit of code in user plugin to retrieve the user again ala wait_for_attr but in the case of transactions we need do it only once. Deprecate wait_for_attr code. Add a memberof fixup task for roles. https://fedorahosted.org/freeipa/ticket/1263 https://fedorahosted.org/freeipa/ticket/1891 https://fedorahosted.org/freeipa/ticket/2056 https://fedorahosted.org/freeipa/ticket/3043 https://fedorahosted.org/freeipa/ticket/3191 https://fedorahosted.org/freeipa/ticket/3046
* ipasam: better Kerberos error handling in ipasamAlexander Bokovoy2012-11-211-3/+5
| | | | | | | If time is moved back on the IPA server, ipasam does not invalidate the existing ticket. https://fedorahosted.org/freeipa/ticket/3183
* Forbid overlapping primary and secondary rid rangesTomas Babej2012-10-191-14/+97
| | | | | | | | | | | Commands ipa idrange-add / idrange-mod no longer allows the user to enter primary or secondary rid range such that has non-zero intersection with primary or secondary rid range of another existing id range, as this could cause collision. Unit tests added to test_range_plugin.py https://fedorahosted.org/freeipa/ticket/3086
* extdom: handle INP_POSIX_UID and INP_POSIX_GID requestsSumit Bose2012-10-181-6/+32
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3166
* Fix various issues found by CoveritySumit Bose2012-10-176-12/+22
|
* ipadb: reload trust information if domain is not knownSumit Bose2012-10-091-1/+39
| | | | | | | | | | Currently the data about trusted domains is read once at startup. If a new trust is added the KDC must be restarted to know about the new trust. This patch reloads the trust data if there is a request from an unknown domain. To make DOS attacks a bit harder the data can be updated only once in a minute. Fixes https://fedorahosted.org/freeipa/ticket/3156
* ipasam: generate proper SID for trusted domain objectSumit Bose2012-10-041-8/+49
|
* Add SIDs for existing users and groups at the end of ipa-adtrust-installSumit Bose2012-10-043-10/+11
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3104
* ipasam: add fallback primary groupSumit Bose2012-10-041-7/+230
| | | | https://fedorahosted.org/freeipa/ticket/2955
* ipasam: Fixes build with samba4 rc1Sumit Bose2012-09-141-10/+10
|
* Support the new Winsync POSIX API.Rob Crittenden2012-09-061-6/+50
| | | | | | | | | | | This will sync down the POSIX attributes from AD so we need to be careful to not mess with them when they are already set. This includes uidNumber, gidNumber, homeDirectory, loginShell and gecos. http://port389.org/wiki/WinSync_Posix http://port389.org/wiki/Windows_Sync_Plugin_API#Version_3_API_functions https://fedorahosted.org/freeipa/ticket/3007
* ipasam: replace trim_char() with trim_string()Sumit Bose2012-09-061-2/+1
|
* ipasam: remove fetch_ldap_pw()Sumit Bose2012-09-061-10/+2
|
* ipasam: replace get_global_sam_sid()Sumit Bose2012-09-061-4/+12
|
* ipasam: add libsss_idmap context and replace string_to_sid()Sumit Bose2012-09-062-31/+89
|
* ipasam: Replace global_sid_BuiltinSumit Bose2012-09-061-1/+3
|
* ipasam: Replace sid_peek_check_rid()Sumit Bose2012-09-061-1/+17
|
* ipasam: Replace sid_check_is_our_sam()Sumit Bose2012-09-061-2/+1
|
* ipasam: Replace dom_sid_compare_domain()Sumit Bose2012-09-061-1/+27
|
* ipasam: Replace is_null_sid()Sumit Bose2012-09-061-1/+24
|
* ipasam: replace sid_compose()Sumit Bose2012-09-061-1/+14
|
* ipasam: replace sid_copy()Sumit Bose2012-09-061-1/+15
|
* ipasam: remove talloc_asprintf_strupper_m()Sumit Bose2012-09-061-3/+8
|
* ipasam: remove strlower_m()Sumit Bose2012-09-061-3/+1
|
* ipasam: replace strnequal()Sumit Bose2012-09-061-1/+16
|
* ipasam: remove sid_peek_rid()Sumit Bose2012-09-061-11/+18
|
* ipasam: remove nt_lm_owf_gen() and dependency to libcliauth.soSumit Bose2012-09-061-12/+59
|
* Make encode_ntlm_keys() publicSumit Bose2012-09-063-197/+16
|
* ipasam: cleanup explicit dependencies to samba libsSumit Bose2012-09-061-2/+0
|
* ipadb_iterate(): handle match_entry == NULLSumit Bose2012-09-052-0/+10
| | | | | | | | | If match_entry == NULL all principals should be iterated. Additionally this patch adds a check in ipadb_filter_escape() to make sure that the input is not NULL. Fixes: https://fedorahosted.org/freeipa/ticket/3011
* Change slapi_mods_init in ipa_winsync_pre_ad_mod_user_mods_cbTomas Babej2012-09-041-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2953
* Don't generate password history error if history is set to 0.Rob Crittenden2012-08-271-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2805
* Fix ipasam ipaNThash magic regen to actually fetch updated passwordAlexander Bokovoy2012-08-221-13/+9
| | | | | | | With this change ipasam is able to ask for ipaNTHash generation and if corresponding Kerberos key is available, will be able to retrieve generated ipaNTHash. Part 1 of https://fedorahosted.org/freeipa/ticket/3016
* Recover from invalid cached kerberos credentials in ipasamAlexander Bokovoy2012-08-221-37/+77
| | | | | | | | | | | | | | | | When developing and testing in the same environment, multiple re-installs may be needed. This means previously issued and cached Kerberos credentials will become invalid upon new install. ipasam passdb module for Samba uses Kerberos authentication when talking to IPA LDAP server. Obtained Kerberos credentials are cached during their lifetime. However, the ccache is not removed automatically and if IPA setup is made again, cached credentials are used, only to discover that they are invalid. With this change invalid correctly obtained cached credentials are recognized and, if LDAP SASL bind fails, new credentials are requested from the KDC. https://fedorahosted.org/freeipa/ticket/3009
* Use libsamba-security instead of libsecuritySumit Bose2012-08-221-1/+1
| | | | | In samba4-beta6 the name of a library was changed from libsecurity to libsamba-security.
* extdom: read ranges from LDAPSumit Bose2012-08-151-0/+72
|
* Add PAC filteringSimo Sorce2012-08-021-8/+100
| | | | | | | | This check the PAC we receive is consistent. realm, flat name and domain sid must much our understanding or the trustd realm and no additional sids beyond the own realm ones must be present. Ticket #2849
* Split out manipulation of logon_info blobSimo Sorce2012-08-021-40/+69
| | | | | This way multiple functions can manipulate the logon info structure until all operations we want to do on it are done and then fold it back once.
* Properly name function to add ipa external groupsSimo Sorce2012-08-021-35/+39
| | | | | | | | | The function filter_pac was not filtering the pac at all, it was merely augmenting it with additional data relevant to the IPA server. Change the name of the function to avoid confusion. While there I also simplified and cleaed up the code a bit with regard to variable names and usage.
* Load list of trusted domain on connecting to ldapSimo Sorce2012-08-021-6/+104
| | | | This list is used to validate data in mspac filtering
* Move mspac structure to be a private pointerSimo Sorce2012-08-022-25/+33
| | | | | By keeping it's definition in the mspac file it is easier to modify and make sure any opertion on it is handled in the same file.
* When ipaNTHash is missing, ask IPA to generate it from kerberos keysAlexander Bokovoy2012-07-301-3/+93
| | | | Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Add special modify op to regen ipaNTHashSimo Sorce2012-07-301-3/+143
| | | | | | The NT Hash is the same thing as the RC4-HMAC key, so we add a function to extract it from krb5 keys if they are available to avoid forcing a password change when configuring trust relationships.
* Improve loops around slapi modsSimo Sorce2012-07-301-68/+62
| | | | | Avoid the need to allocate/free a Slapi_Mod and avoid checking for attribute equvalence after a match (use if/else)
* Move code into common krb5 utilsSimo Sorce2012-07-301-141/+7
| | | | | | | | This moves the decoding function that reads the keys from the ber format into a structure in the common krb5 util code right below the function that encodes the same data structure into a ber format. This way the 2 functions are in the same place and can be both used by all ia components.
* Do not check for DNA magic valuesSimo Sorce2012-07-262-8/+0
| | | | | | | The DNA magic value can be arbitrarily changed by admins so we cannot use a const value to check. And we relly do not need to check at all. If the DNA plugin is broken and leaves magic values to reach the post-op stage we have bigger problems. So just simply get rid of this check.
* Follow change in samba4 beta4 for sid_check_is_domain to sid_check_is_our_samAlexander Bokovoy2012-07-181-1/+3
| | | | | | | With c43505b621725c9a754f0ee98318d451b093f2ed in samba git master the function sid_check_is_domain() was renamed to sid_check_is_our_sam(). https://fedorahosted.org/freeipa/ticket/2929
* Fix typoSumit Bose2012-07-091-1/+1
| | | | Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Fix wrong check after allocation.Simo Sorce2012-07-071-1/+1
|
generated by cgit (git 2.34.1) at 2025-09-09 20:10:50 +0000