freeipa.git/install, branch abbra

Add trust-related ACIs

2012-05-30T08:19:02+00:00

A high-level description of the design and ACIs for trusts is available at
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html
and
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html

Ticket #1731

Properly handle multiple IP addresses per host when installing trust support

2012-05-30T07:24:43+00:00

resolve_host() function returns a list of IP addresses. Handle it all rather
than expecting that there is a single address.

It wouldn't hurt to make a common function that takes --ip-address into account
when resolving host addresses and use it everywhere.

Perform case-insensitive searches for principals on TGS requests

2012-05-30T07:24:43+00:00

We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.

The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.

https://fedorahosted.org/freeipa/ticket/1577

Add trust management for Active Directory trusts

2012-05-30T07:24:43+00:00

Use dedicated keytab for Samba

2012-05-30T07:24:43+00:00

Samba just needs the cifs/ key on the ipa server. Configure samba to use a
different keytab file so that we do not risk samba commands (net, or similar)
to mess up the system keytab.

https://fedorahosted.org/freeipa/ticket/2168

Add separate attribute to store trusted domain SID

2012-05-30T07:24:42+00:00

We need two attributes in the ipaNTTrustedDomain objectclass to store different
kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID
of the trusted domain. A second attribute is needed to store the SID for the
trusted domain user. Since it cannot be derived safely from other values and
since it does not make sense to create a separate object for the user a new
attribute is needed.

https://fedorahosted.org/freeipa/ticket/2191

Replace DNS client based on acutil with python-dns

2012-05-24T11:55:56+00:00

IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
  but but rather C-like interface based on functions and
  structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
  authconfig and thus can break without notice

Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
  in installutils to make the whole DNS check simpler and
  less error-prone. Logging was improves for the remaining
  checks
- improved logging for ipa-client-install DNS discovery

https://fedorahosted.org/freeipa/ticket/2730
https://fedorahosted.org/freeipa/ticket/1837

ipa-server-install reword message

2012-05-22T13:16:18+00:00

Output message of the 'read_domain_name' function in ipa-server-install
was reworded.

https://fedorahosted.org/freeipa/ticket/2704

During replication installation see if an agreement already exists.

2012-05-17T15:12:45+00:00

We were inferring that an agreement existed if the host was present
as an IPA host. This was not enough if the replica installation failed
early enough.

https://fedorahosted.org/freeipa/ticket/2030

Validate on the user-provided domain name in the installer.

2012-05-17T06:01:42+00:00

Wrap printing exceptions in unicode() to do Gettext conversion.

https://fedorahosted.org/freeipa/ticket/2196