Commit log (subject; author, date; files changed, lines removed/added)
* Set samba_portmapper SELinux boolean during ipa-adtrust-install (abbrasbose, 2012-05-30; 1 file, -0/+51)
* Fix ipasam build (sbose, 2012-05-30; 1 file, -1/+0)
* ipa-sam: update sid_to_id() interface to follow passdb API changes in Samba (Alexander Bokovoy, 2012-05-30; 1 file, -17/+3)
  Commit a6e29f23f09ba5b6b6d362f7683ae8088bc0ba85 in Samba changed the id mapping API in the passdb interface to use 'struct unixid'. The change replaced three arguments (uid, gid, type) by one (struct unixid). As a result, ipa-sam became broken. Without this change ipa-sam introduces stack corruption in Samba post 4.0.0alpha18, leading to a corrupted security context stack as well and then crashing in setgroups(3).
* get_fqdn() moved to ipaserver.installutils (Alexander Bokovoy, 2012-05-30; 1 file, -2/+2)
* Add trust-related ACIs (Alexander Bokovoy, 2012-05-30; 5 files, -81/+196)
  A high-level description of the design and ACIs for trusts is available at https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html and https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html
  Ticket #1731
* ipa-kdb: Add MS-PAC on constrained delegation. (Simo Sorce, 2012-05-30; 1 file, -22/+26)
* Restart KDC after installing trust support to allow MS PAC generation (Alexander Bokovoy, 2012-05-30; 1 file, -7/+16)
  Also make sure all exceptions are captured when creating the CIFS service record. The one we care about is duplicate entry and we do nothing in that case anyway. Also make uniform use of action descriptors.
* Properly handle multiple IP addresses per host when installing trust support (Alexander Bokovoy, 2012-05-30; 1 file, -16/+22)
  The resolve_host() function returns a list of IP addresses. Handle all of them rather than expecting that there is a single address. It wouldn't hurt to make a common function that takes --ip-address into account when resolving host addresses and use it everywhere.
* Perform case-insensitive searches for principals on TGS requests (Alexander Bokovoy, 2012-05-30; 6 files, -22/+65)
  We want to always resolve TGS requests even if the user mistakenly sends a request for a service ticket where the fqdn part contains upper case letters. The actual implementation follows hints set by the KDC. When AP_REQ is done, the KDC sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.
  https://fedorahosted.org/freeipa/ticket/1577
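The lookup rule the commit above describes, as an added example that is not ipa-kdb code: a toy in-memory principal store in which the case-insensitive comparison of the instance (host) part is enabled only when the caller passes the KDC's alias hint, while the primary and the realm are always compared exactly. The class, method and flag names and the stored principals are assumptions.

```python
"""Principal lookup honouring the KDC's ALIAS_OK hint.

Added example, not ipa-kdb code: a toy in-memory principal store that
behaves as the commit message describes.  The class, method and flag
names are assumptions; the stored principals are constructed sample data.
"""


def split_principal(name):
    """Split 'primary/instance@REALM' into ([components], realm)."""
    if "@" not in name:
        raise ValueError("principal lacks a realm: %r" % name)
    local, realm = name.rsplit("@", 1)
    return local.split("/"), realm


class PrincipalStore(object):
    """Stand-in for the KDC database: canonical principal names only."""

    def __init__(self, names):
        self.names = list(names)

    def lookup(self, requested, alias_ok=False):
        """Return the canonical name matching `requested`, or None.

        alias_ok=False: exact match only (what an AS request gets).
        alias_ok=True:  the KDC has set KRB5_FLAG_ALIAS_OK for the TGS
                        request, so the instance (host) components may
                        differ in case.  Primary and realm are still
                        compared exactly, so 'http/' is not 'HTTP/' and a
                        realm typo is not silently accepted.
        """
        req_comps, req_realm = split_principal(requested)
        exact, aliased = [], []
        for name in self.names:
            comps, realm = split_principal(name)
            if realm != req_realm or len(comps) != len(req_comps):
                continue
            if comps == req_comps:
                exact.append(name)
            elif (alias_ok and comps[0] == req_comps[0]
                  and [c.lower() for c in comps[1:]]
                  == [c.lower() for c in req_comps[1:]]):
                aliased.append(name)
        if exact:
            return exact[0]
        if len(aliased) > 1:
            # Two canonical entries that differ only in case: refuse to
            # guess rather than hand out a ticket for the wrong service.
            raise LookupError("ambiguous principal %r" % requested)
        return aliased[0] if aliased else None
```

The ambiguity check is the part worth keeping in a real implementation: once matching is case-insensitive, two entries that differ only in case would both satisfy the request, and returning the first one found is a silent mis-issue.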
* Use fully qualified PDC name when contacting for extended DN information (Alexander Bokovoy, 2012-05-30; 1 file, -1/+1)
* Add trust management for Active Directory trusts (Alexander Bokovoy, 2012-05-30; 10 files, -8/+673)
* Use dedicated keytab for Samba (Alexander Bokovoy, 2012-05-30; 2 files, -12/+19)
  Samba just needs the cifs/ key on the IPA server. Configure Samba to use a different keytab file so that we do not risk Samba commands (net, or similar) messing up the system keytab.
  https://fedorahosted.org/freeipa/ticket/2168
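An added example (not the smb.conf that ipa-adtrust-install generates) of the two Samba settings that keep smbd away from /etc/krb5.keytab; the keytab path is an assumption:

```ini
[global]
    ; Added example, not the installer's generated configuration.
    ; Look up service keys only in the file named below, never in the
    ; system keytab, so "net" and friends cannot rewrite /etc/krb5.keytab.
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/samba/samba.keytab   ; path is an assumption
```

The check after the change is `klist -kt /etc/samba/samba.keytab`: it should list only cifs/<fqdn>@REALM entries, and nothing but the host's own cifs/ key should ever appear there. Keeping the file root-owned and mode 0600 is the usual recommendation, not something the commit states.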
* Add separate attribute to store trusted domain SID (Alexander Bokovoy, 2012-05-30; 8 files, -6/+68)
  We need two attributes in the ipaNTTrustedDomain objectclass to store different kinds of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID of the trusted domain. A second attribute is needed to store the SID for the trusted domain user. Since it cannot be derived safely from other values and since it does not make sense to create a separate object for the user, a new attribute is needed.
  https://fedorahosted.org/freeipa/ticket/2191
* Enforce sizelimit in permission-find, post_callback returns truncated (Rob Crittenden, 2012-05-30; 11 files, -11/+110)
  We actually perform two searches in permission-find. The first looks for matches within the permission object itself. The second looks at matches in the underlying aci. We need to break out in two places. The first is if we find enough matches in the permission itself. The second when we are appending matches from acis. The post_callback() definition needed to be modified to return the truncated value so a plugin author can modify that value.
  https://fedorahosted.org/freeipa/ticket/2322
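The two-phase search with one sizelimit, as an added example that is not FreeIPA's permission-find: the permission entries and the two search helpers are constructed in-memory stand-ins for the search over permission objects and the second search over the ACI text behind them. The point it shows is where the limit has to be checked and when `truncated` is true: only when a further distinct match existed, not merely because the first phase filled the limit.

```python
"""Two-phase search under a single sizelimit, returning a truncated flag.

Added example, not FreeIPA's permission-find.  PERMISSIONS and the two
search helpers are constructed stand-ins for the LDAP searches.
"""

# Constructed sample data: permission name -> the ACI text it maps to.
PERMISSIONS = {
    "Modify Users": "targetattr = ... ; allow (write) ...",
    "Add Hosts": "target = ldap:///fqdn=*,cn=computers ...",
    "Read DNS": "target = ldap:///idnsname=*,cn=dns ...",
    "Manage Sudo rules": "target = ldap:///ipauniqueid=*,cn=sudorules ...",
}


def search_permissions(term):
    """Phase 1: match on the permission object itself (its name)."""
    return [n for n in PERMISSIONS if term.lower() in n.lower()]


def search_acis(term):
    """Phase 2: match on the ACI string behind each permission."""
    return [n for n, aci in PERMISSIONS.items() if term.lower() in aci.lower()]


def permission_find(term, sizelimit=0):
    """Return (names, truncated); sizelimit == 0 means unlimited.

    The limit is enforced while collecting phase-1 hits and again while
    appending phase-2 hits, so the caller never receives more than
    sizelimit entries and `truncated` says whether more distinct matches
    existed.  A phase-2 hit that already matched in phase 1 is neither
    returned twice nor counted as an extra match.
    """
    results = []
    truncated = False
    for hit in search_permissions(term):
        if sizelimit and len(results) >= sizelimit:
            truncated = True
            break
        results.append(hit)
    if not truncated:
        for hit in search_acis(term):
            if hit in results:
                continue
            if sizelimit and len(results) >= sizelimit:
                truncated = True
                break
            results.append(hit)
    return results, truncated
```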
* SSH configuration fixes. (Jan Cholasta, 2012-05-30; 1 file, -2/+7)
  Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the latter has been deprecated in OpenSSH 5.9. If DNS host key verification is enabled, restrict the set of allowed host public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only these algorithms. Make sure public key user authentication is enabled in both ssh and sshd.
  ticket 2769
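The three settings the commit describes, written out as an added example rather than the configuration ipa-client-install actually emits; the known_hosts path is an assumption:

```text
# /etc/ssh/ssh_config (added example, not the file ipa-client-install writes)
# Path of the system-wide known_hosts file is an assumption.
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
PubkeyAuthentication yes
# With DNS host-key verification on, offer only the key types that SSHFP
# records could carry when this commit was made.
VerifyHostKeyDNS yes
HostKeyAlgorithms ssh-rsa,ssh-dss

# /etc/ssh/sshd_config
PubkeyAuthentication yes
```

Caveat for anyone copying this today: the HostKeyAlgorithms restriction was correct for OpenSSH 5.9, but SSHFP later gained algorithm codes for ECDSA (RFC 6594) and Ed25519 (RFC 7479), and OpenSSH 7.0 stopped accepting ssh-dss host keys by default, so this line on a current client pins you to RSA alone and rejects the ECDSA/Ed25519 keys most servers now present. `ssh -Q key` lists what the local client supports, and `ssh -vvv host` reports whether SSHFP records were found and whether the resolver marked them as DNSSEC-secure; a lookup that is not secure gives no protection against a spoofed answer.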
* Fix setting domain_sid (Simo Sorce, 2012-05-29; 1 file, -1/+1)
  'sid' is a stack variable; by assigning its address to the domain_sid pointer we were later referencing garbage (whatever on the stack happened to be at that address). Properly copy the sid and allocate it on the provided memory context.
* Provide a better error message when deleting nonexistent attributes (Petr Viktorin, 2012-05-29; 2 files, -0/+43)
  If --delattr is used on an attribute that's not present on an entry, and --{set,add}attr isn't being used on that same attribute, say that there's "no such attribute" instead of "<attribute> does not contain <value>".
  https://fedorahosted.org/freeipa/ticket/2699
* Disallow setattr on no_update/no_create params (Petr Viktorin, 2012-05-29; 11 files, -38/+128)
  Make --{set,add,del}attr fail on parameters with the no_update/no_create flag for the respective command. For attributes that can be modified, but we just don't want to display in the CLI, use the 'no_option' flag. These are "locking" attributes (ipaenabledflag, nsaccountlock) and externalhost. Document the 'no_option' flag. Add some tests.
  https://fedorahosted.org/freeipa/ticket/2580
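The two checks from this commit and the previous one ("no such attribute" versus "does not contain", and refusing raw-attribute options on flagged parameters), as one added example that is not FreeIPA's baseldap code. An entry is a dict of attribute name to list of values; `no_update` is the set of attribute names that carry the no_update/no_create flag for the command being run. The function and class names, error texts and the sample entry are assumptions.

```python
"""--setattr/--addattr/--delattr handling with the two checks described above.

Added example, not FreeIPA's baseldap code.  An entry is a dict of
attribute name -> list of values; `no_update` is the set of attribute
names that carry the no_update (or no_create) flag for the command being
run.  Function and class names and the error texts are assumptions.
"""


class ValidationError(Exception):
    pass


def _parse(items):
    """Turn ['attr=value', ...] into [(attr, value), ...], lower-casing attr."""
    pairs = []
    for item in items:
        if "=" not in item:
            raise ValidationError("expected attr=value, got %r" % item)
        attr, value = item.split("=", 1)
        pairs.append((attr.strip().lower(), value))
    return pairs


def apply_attr_options(entry, no_update, setattr=(), addattr=(), delattr=()):
    """Return a modified copy of `entry`, or raise ValidationError."""
    sets, adds, dels = _parse(setattr), _parse(addattr), _parse(delattr)

    # Check 1 (ticket 2580): the raw-attribute options must not become a
    # back door around a parameter the command refuses to update, e.g.
    # flipping nsaccountlock through --setattr on a command that hides it.
    for attr, _ in sets + adds + dels:
        if attr in no_update:
            raise ValidationError(
                "%s: attribute is not allowed to be changed here" % attr)

    orig_attrs = set(k.lower() for k in entry)
    new = dict((k.lower(), list(v)) for k, v in entry.items())

    replaced = {}
    for attr, value in sets:            # --setattr replaces the whole value list
        replaced.setdefault(attr, []).append(value)
    new.update(replaced)
    for attr, value in adds:            # --addattr appends a value
        new.setdefault(attr, []).append(value)

    touched = set(replaced) | set(attr for attr, _ in adds)
    for attr, value in dels:
        if attr not in orig_attrs and attr not in touched:
            # Check 2 (ticket 2699): the entry lacks the attribute and
            # nothing in this command creates it, so say that instead of
            # "<attribute> does not contain <value>".
            raise ValidationError("%s: no such attribute" % attr)
        if value not in new.get(attr, []):
            raise ValidationError("%s does not contain %r" % (attr, value))
        new[attr].remove(value)
        if not new[attr]:
            del new[attr]
    return new
```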
* Reset krbtpolicy when a unit test is finished (Martin Kosek, 2012-05-28; 1 file, -0/+1)
  Kerberos ticket maximum life was being set to 1 hour, which then affected the lifetime of Kerberos tickets returned by the IPA server under test. Make sure that the policy is reset before and after the unit test to keep the IPA server settings clean and not to disrupt the development environment.
* Always set ipa_hostname for sssd.conf (Ondrej Hamada, 2012-05-28; 1 file, -4/+3)
  ipa-client-install will always set ipa_hostname for sssd.conf in order to prevent the client from getting into a weird state.
  https://fedorahosted.org/freeipa/ticket/2527
* Fix the pwpolicy_find post_callback (Petr Viktorin, 2012-05-28; 2 files, -18/+33)
  Always call convert_time_for_output so time gets reported correctly. That method has its own checks for whether the attributes are present; an additional check is unnecessary. Use a key function for sorting; cmp is deprecated, slower and more complicated. Add a test.
  https://fedorahosted.org/freeipa/ticket/2726
* Normalize uid to lower case in winsync. (Rob Crittenden, 2012-05-25; 1 file, -1/+32)
  This in effect fixes uid, krbPrincipalName and homeDir.
  https://fedorahosted.org/freeipa/ticket/2756
* Fix default_server configuration in ipapython.config (Martin Kosek, 2012-05-24; 1 file, -1/+1)
  When the default server was being parsed from IPA's default.conf configuration file, the parsed server was not appended correctly to the default_server list.
* Replace DNS client based on acutil with python-dns (Martin Kosek, 2012-05-24; 13 files, -721/+200)
  The IPA client and server tool set used the authconfig acutil module for client DNS operations. This is not an optimal DNS interface for several reasons:
  - it does not provide a native Python object-oriented interface but rather a C-like interface based on functions and structures, which is not easy to use and extend
  - acutil is not meant to be used by third parties besides authconfig and thus can break without notice
  Replace acutil with the python-dns package, which has a feature-rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of the acutil DNS library with python-dns. In most cases, even though larger parts of the code are changed, the actual functionality is changed only in the following cases:
  - redundant DNS checks were removed from the verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improved for the remaining checks
  - improved logging for ipa-client-install DNS discovery
  https://fedorahosted.org/freeipa/ticket/2730
  https://fedorahosted.org/freeipa/ticket/1837
* Retry retrieving ldap principals when setting up replication. (Rob Crittenden, 2012-05-22; 1 file, -18/+60)
  We've seen on a few occasions where one side or the other is missing the ldap principal. This causes replication to fail when trying to convert to using GSSAPI. If this happens, force a synchronization again and try the retrieval again, up to 10 times. This should also make the error report clearer if even after the retries one of the principals doesn't exist.
  https://fedorahosted.org/freeipa/ticket/2737
* ipa-server-install reword message (Ondrej Hamada, 2012-05-22; 1 file, -1/+1)
  The output message of the 'read_domain_name' function in ipa-server-install was reworded.
  https://fedorahosted.org/freeipa/ticket/2704
* Remove LDAP limits from DNS service (Martin Kosek, 2012-05-22; 2 files, -3/+71)
  bind-dyndb-ldap's persistent search queries LDAP for all DNS records. The LDAP connection must have no size or time limits to work properly. This patch updates limits both for the existing service principal on an updated machine and for new service principals added as a part of DNS installation.
  https://fedorahosted.org/freeipa/ticket/2531
* Remove ipa-server-install LDAP update errors (Martin Kosek, 2012-05-17; 2 files, -2/+9)
  python-ldap's add_s method raises a NO_SUCH_OBJECT exception when a parent entry of the entry being added does not exist. This may not be an error; for example, NIS entries are only added when NIS is enabled and thus the NIS entry container exists. The exception raised by python-ldap is also incorrectly processed in ipaldap's addEntry function and an irrelevant exception is re-raised instead. Fix the LDAP updater to just log an informational message when an object cannot be added due to a missing parent object. Also make sure that the addEntry function's exception processing provides the right exception with a useful description.
  https://fedorahosted.org/freeipa/ticket/2520
  https://fedorahosted.org/freeipa/ticket/2743
* Check for locked-out user before incrementing lastfail. (Rob Crittenden, 2012-05-18; 1 file, -4/+6)
  If a user became locked due to too many failed logins and was then unlocked by an administrator, the account would not lock again. This was caused by two things:
  - We were incrementing the fail counter before checking to see if the account was already locked out.
  - The current fail count wasn't taken into consideration when deciding if the account is locked.
  The sequence was this:
  1. Unlocked account, set failcount to 0
  2. Failed login, increment failcount
  3. Within lastfailed + lockout_duration, still locked. This skips updating the last_failed date.
  So I reversed 2 and 3 and check to see if the fail count exceeds policy.
  https://fedorahosted.org/freeipa/ticket/2765
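The corrected ordering from the commit above, as an added example that is not the ipa-pwd-extop plugin's code: the lock decision is taken first and consults the failure counter, and the counter and last-failure time are updated only for a login that was actually evaluated. Policy and state field names are assumptions, and time is an integer number of seconds so the sequence can be exercised without a clock.

```python
"""Lockout check ordered as the commit describes.

Added example, not ipa-pwd-extop code.  Field names are assumptions;
`now` is an integer timestamp in seconds.
"""
from dataclasses import dataclass


@dataclass
class Policy:
    max_fail: int          # failures allowed before lockout; 0 = never lock
    lockout_duration: int  # seconds the account stays locked after the last failure


@dataclass
class State:
    failcount: int = 0
    lastfail: int = 0      # time of the most recent counted failure; 0 = never


def is_locked(policy, state, now):
    """Locked iff the counter has reached the policy limit AND we are still
    inside the lockout window measured from the last failure.  Consulting
    the counter here is the second of the two fixes: once an administrator
    resets it to 0 the account is unlocked regardless of lastfail."""
    if policy.max_fail == 0 or state.failcount < policy.max_fail:
        return False
    return now < state.lastfail + policy.lockout_duration


def record_login(policy, state, now, password_ok):
    """Evaluate one login attempt; returns 'locked', 'ok' or 'failed'.

    The lock check runs before the counter is touched (step 3 before
    step 2 in the commit's numbering).  A failure against an already
    locked account therefore does not move lastfail, so the window ends
    at a fixed time and an attacker who keeps guessing cannot keep the
    victim locked out indefinitely.  A correct password while locked is
    still refused.
    """
    if is_locked(policy, state, now):
        return "locked"
    if password_ok:
        state.failcount = 0
        return "ok"
    state.failcount += 1
    state.lastfail = now
    return "failed"
```

The scenario from the commit is the one to test: three failures lock the account, the administrator sets failcount back to 0, and three further failures must lock it again rather than being absorbed.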
* Fix migration code password setting. (Simo Sorce, 2012-05-17; 1 file, -0/+11)
  When we set a password we also need to make sure krbExtraData is set. If not, kadmin will later complain that the object is corrupted at password change time.
  Ticket: https://fedorahosted.org/freeipa/ticket/2764
* During replication installation see if an agreement already exists. (Rob Crittenden, 2012-05-17; 2 files, -10/+30)
  We were inferring that an agreement existed if the host was present as an IPA host. This was not enough if the replica installation failed early enough.
  https://fedorahosted.org/freeipa/ticket/2030
* permission-mod prompts for all parameters (Ondrej Hamada, 2012-05-17; 3 files, -21/+14)
  ipa permission-mod was prompting for all parameters because they had the 'ask_update' flag specified. The flag was removed. Additionally, the exec_callback for permission-mod was updated to unify the behaviour with other ipa commands (raise an exception when no modification was specified).
  https://fedorahosted.org/freeipa/ticket/2280
* Validate on the user-provided domain name in the installer. (Rob Crittenden, 2012-05-17; 1 file, -2/+13)
  Wrap printing exceptions in unicode() to do Gettext conversion.
  https://fedorahosted.org/freeipa/ticket/2196
* Include more information when IP address is not local during installation. (Rob Crittenden, 2012-05-17; 1 file, -1/+4)
  Provide the IP address we resolved when displaying the exception. Also handle the exception ourselves with sys.exit().
  https://fedorahosted.org/freeipa/ticket/2654
* Correction of nested search facets tab labels (Petr Vobornik, 2012-05-15; 2 files, -0/+3)
  Nested search facets were using the 'search' tab label instead of their nested entity name. This patch fixes that regression.
  https://fedorahosted.org/freeipa/ticket/2744
* Improved calculation of max pkey length in facet header (Petr Vobornik, 2012-05-15; 1 file, -9/+55)
  Very long pkeys in the facet header were limited to 60 characters. This magic number was good enough, but with the new action lists it isn't. This patch adds calculation of the maximum number of characters for a pkey in the facet header. It fixes a regression introduced by action lists and also uses the available space effectively. This patch also changes the limiting of the breadcrumbs element to use as much space as possible. It works in three steps. First a threshold is set which is equal to the length average. Then the total length of keys with length less than the threshold is calculated. From this we can get the remaining space for long keys and calculate a new threshold. At last, keys are limited to the new threshold.
  https://fedorahosted.org/freeipa/ticket/2247
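The three-step budget calculation described above, as an added example in Python rather than the Web UI's JavaScript. `budget` (the total number of characters available for all keys together) and the reading of "length average" as the budget divided by the number of keys are assumptions; the keys are constructed sample data.

```python
"""Two-pass character budget for breadcrumb keys, as described above.

Added example, not the Web UI's code.  `budget` and the interpretation of
"length average" as budget // number of keys are assumptions.
"""


def key_threshold(keys, budget):
    """Return the per-key character limit for `keys` under `budget`."""
    lengths = [len(k) for k in keys]
    if not lengths:
        return budget
    if sum(lengths) <= budget:
        return max(lengths)                      # everything fits as-is
    # Step 1: the average share of the budget is the first threshold.
    threshold = budget // len(lengths)
    # Step 2: keys that already fit are charged at their real length.
    short_total = sum(l for l in lengths if l <= threshold)
    long_count = sum(1 for l in lengths if l > threshold)
    if long_count == 0:
        return threshold
    # Step 3: whatever is left is shared equally by the long keys, which
    # is always at least the first threshold, so short keys never pay for it.
    return (budget - short_total) // long_count


def limit_keys(keys, budget, ellipsis="..."):
    """Truncate every key longer than the computed threshold."""
    t = key_threshold(keys, budget)
    out = []
    for k in keys:
        if len(k) > t:
            out.append(k[:max(t - len(ellipsis), 0)] + ellipsis)
        else:
            out.append(k)
    return out
```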
* Host page fixed to work with disabled DNS support (Petr Vobornik, 2012-05-15; 3 files, -0/+27)
  When DNS support was disabled there were the following errors in the Web UI:
  1) Host details page was not filled with data
  2) Host adder dialog was broken -> unusable
  3) DNS tab was displayed in navigation
  The bugs were fixed by:
  1) Was caused by entity_link_widget. The widget was modified to not show the link if other_entity (in this case dnsrecord) is not present.
  2) Was caused by host_fqdn_widget. The widget is unusable because without DNS support it doesn't have access to the DNS zone entity. The section with this widget was removed. Also the IP address field was removed because it shouldn't be used without DNS support. A new 'fqdn' text box was added for specifying the hostname.
  3) The new DNS config entity was initialized but it wasn't shown because it caused some JavaScript error. The dnsconfig's init method was modified to throw the expected exception. Now no dns entity is initialized and therefore the DNS tab in navigation is not displayed.
  https://fedorahosted.org/freeipa/ticket/2728
* Fix python Requires in Fedora 17 build (Martin Kosek, 2012-05-15; 1 file, -5/+7)
  When python's distutils build process prepares python scripts, it uses the current Python interpreter in an updated shebang for python scripts. Since the Makefile did not use an absolute path to the python interpreter, it may be translated to "/bin/python" in Fedora 17, which is then taken by rpmbuild as a freeipa-admintools dependency. This can break with the F-17 python package, which provides just "/usr/bin/python". This patch updates the Makefile to use a correct absolute path to the python interpreter, which is then filled into the freeipa scripts' shebang and the rpm Requires list. The value is taken from the RPM __python macro so that we do not hardcode it.
  https://fedorahosted.org/freeipa/ticket/2727
* Instructions to generate cert use certutil instead of openssl (Petr Vobornik, 2012-05-15; 2 files, -2/+2)
  Instructions to generate a certificate were changed. Now they use certutil instead of openssl. The example also uses the option for specifying key size.
  https://fedorahosted.org/freeipa/ticket/2725
* Disallow '<' and non-ASCII characters in the DM password (Petr Viktorin, 2012-05-15; 1 file, -6/+8)
  pkisilent does not handle these properly.
  https://fedorahosted.org/freeipa/ticket/2675
* Check for empty/single value parameters before calling callbacks (Petr Viktorin, 2012-05-15; 2 files, -2/+11)
  https://fedorahosted.org/freeipa/ticket/2701
* Implement permission/aci find by subtree (Rob Crittenden, 2012-05-15; 2 files, -1/+53)
  https://fedorahosted.org/freeipa/ticket/2321
* Do not use extra command options in ACI, permission, selfservice (Petr Viktorin, 2012-05-14; 4 files, -37/+28)
  Allowing Commands to be called with ignored unknown options opens the door to problems, for example with misspelled option names. Before we start rejecting them, we need to make sure IPA itself does not use them when it calls commands internally. This patch does that for ACI-related plugins.
  Part of the work for https://fedorahosted.org/freeipa/ticket/2509
* Fix overlapping cn param/option issue, pass cn as aciname in find (Rob Crittenden, 2012-05-14; 2 files, -0/+39)
  permission-find --name wasn't working for two reasons. The first was that the cn to search on in options ended up overlapping the primary key name, causing the request to fail. The second reason was that aci uses aciname, not cn, as its name field. So searching on --name matched everything because it was as if you were searching on nothing.
  https://fedorahosted.org/freeipa/ticket/2320
* Consistent change of entry status. (Petr Vobornik, 2012-05-11; 5 files, -237/+215)
  This patch adds an action list and control buttons for consistent change of entity status for users, HBAC rules, sudo rules, SELinux maps and DNS zones. Action lists with 'enable', 'disable' and 'delete' options were added to details facets. Two control buttons, 'enable' and 'disable', were added to search facets.
  https://fedorahosted.org/freeipa/ticket/2247
* General details facet actions (Petr Vobornik, 2012-05-11; 4 files, -0/+171)
  This patch adds common action button actions for enabling/disabling/deleting an object.
  https://fedorahosted.org/freeipa/ticket/2707
* Batch action for search page control buttons (Petr Vobornik, 2012-05-11; 1 file, -0/+42)
  This patch implements a base action which can execute a batch of commands with a single pkey as a parameter.
  https://fedorahosted.org/freeipa/ticket/2707
* Hide search facet add/delete buttons in self-service (Petr Vobornik, 2012-05-11; 3 files, -44/+78)
  Adds hiding/showing capabilities to action_button_widget. This patch fixes a regression caused by replacing the old details facet buttons with control_buttons_widget. The problem was that some buttons were not hidden in self-service mode.
  https://fedorahosted.org/freeipa/ticket/2707
* Redefined search control buttons (Petr Vobornik, 2012-05-11; 2 files, -72/+93)
  This patch replaces the old search facet action buttons with the new control_buttons_widget.
  https://fedorahosted.org/freeipa/ticket/2247
* Redefined details control buttons (Petr Vobornik, 2012-05-11; 1 file, -68/+65)
  This patch replaces the old details facet action buttons with the new control_buttons_widget.
  https://fedorahosted.org/freeipa/ticket/2247