| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
trust
We attempt to delete the trust that might exist already. If there are not enough
privileges to do so, we wouldn't be able to create trust at the next step and it will fail.
However, failure to create trust will be due to the name collision as we already had
the trust with the same name before. Thus, raise access denied exception here
to properly indicate wrong access level instead of returning NT_STATUS_OBJECT_NAME_COLLISION.
https://fedorahosted.org/freeipa/ticket/4202
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
| |
Even though we are creating idranges for subdomains only in case
there is algorithmic ID mapping in use, we still need to fetch
list of subdomains for all other cases.
https://fedorahosted.org/freeipa/ticket/4205
|
|
|
|
|
|
|
|
|
|
| |
In Firefox 27, default font size has bigger priority than body css,
text input font size is therefore explicitly set to 1em. Also
checkbox/radiobutton styling fixed.
https://fedorahosted.org/freeipa/ticket/4180
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
|
|
|
|
|
|
|
|
| |
With --pkey-only only primary key is returned. It makes no sense to check and
replace boolean values then.
https://fedorahosted.org/freeipa/ticket/4196
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
by admin
When admin clears authdata flag for the service principal, KDC will pass
NULL client pointer (service proxy) to the DAL driver.
Make sure we bail out correctly.
Reviewed-By: Tomáš Babej <tbabej@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
|
|
|
|
|
|
|
|
| |
proxy
https://fedorahosted.org/freeipa/ticket/4195
Reviewed-By: Tomáš Babej <tbabej@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Bind instance is configured using a short-circuited way when replica is set up.
Make sure required properties are in place for that.
https://fedorahosted.org/freeipa/ticket/4186
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
When restoring files from backup, we do use an incorrect order of
operations - we first restore SELinux context and then copy the
files from backup, when we need to do the exact opposite.
https://fedorahosted.org/freeipa/ticket/4133
Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
|
|
|
|
|
|
|
|
| |
Don't add duplicate indirect membership information.
https://fedorahosted.org/freeipa/ticket/4175
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
| |
Ticket: https://fedorahosted.org/freeipa/ticket/4143
Reviewed-by: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
| |
Ticket: https://fedorahosted.org/freeipa/ticket/4143
Reviewed-by: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now users can add reverse zones in classless form:
0/25.1.168.192.in-addr.arpa.
0-25.1.168.192.in-addr.arpa.
128/25 NS ns.example.com.
10 CNAME 10.128/25.1.168.192.in-addr.arpa.
Ticket: https://fedorahosted.org/freeipa/ticket/4143
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
In the non-posix tests on the legacy clients, the testuser does not
belong to the testgroup (since this is represented by the NIS
group membership).
Relax the regular expression check for the output of the id testuser.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The hardcoded values for the home directories for the AD users did
not properly scale up from the POSIX attrs only test scanario.
When using POSIX attrs, the home dir is returned as whatever is set
in the AD (/home/username by default). Without using POSIX attributes,
the /home/domain/username form is taken by default.
Refactor the tests to take this behaviour into account.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Adds test cases for:
* getent subdomain user on legacy client
* getent subdomain group on legacy client
* getent id subdomain user on legacy client
* ssh into legacy client with subdomain user
* ssh into legacy client with disabled subdomain user
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
| |
In the integration tests, we do not stop the sssd service
before deleting the cache, but rather start it. We need
to stop sssd before deleting the cache.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
|
|
|
|
|
| |
When we add the disabledipauser during the setup class part of the
BaseTestLegacyClient, we need to make sure that we re-kinit admin
since we do ntpsync with the AD just before that, which can render
the previous ticket invalid.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the host is down, the preparation of the host fails. This
produces misleading errors, since the test framework reports that
the actual command being executed failed, when in fact (in case
of SSHTransport), the cause of failure was unability to establish
a SSH session.
https://fedorahosted.org/freeipa/ticket/4132
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Adds test cases for legacy client support with IPA that has estabilish
trust with AD that does not leverage POSIX attributes defined on AD.
https://fedorahosted.org/freeipa/ticket/4134
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4158
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
When users with missing default group were searched, IPA suffix was
not passed so these users were searched in a wrong base DN. Thus,
no user was detected and added to default group.
https://fedorahosted.org/freeipa/ticket/4141
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Restoring backup files and restoring their context were two separate commands,
what means that in case we use SSHTrasport, which creates a separate SSH
session for each command, we try to restore the SELinux context of the
changed files in a new session.
This causes problems, if the access to files themselves are necessary
for the creation of the new SSH session.
https://fedorahosted.org/freeipa/ticket/4133
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All the hosts in the domain have IPA master set as their only
nameserver. However, the IPA master does not create records for
these machines by default. This is not an big issue for clients
or replicas, since those records do get created in other ways,
but external hosts using their internal hostnames will not resolve.
Adds an A record for each host in master's domain.
https://fedorahosted.org/freeipa/ticket/4130
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
The integration test for legacy clients used incorrectly "test group"
instead of "testgroup" as group used on AD for test purposes. This
is inconsistent with the usage of "testuser".
https://fedorahosted.org/freeipa/ticket/4131
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The logging level for these messages was decreaed so that they
do not show up in ipa-advise output.
Reset the log level to INFO and configure ipa-advise to not display
INFO messages from xmlclient by default.
Partially reverts commit efe5a96725d3ddcd05b03a1ca9df5597eee693be
https://fedorahosted.org/freeipa/ticket/4135
Reviewed-By: Tomáš Babej <tbabej@redhat.com>
|
|
|
|
|
|
|
|
|
| |
root_ssh_key_filename
Expand paths beginning with a tilde, such as the default ~/.ssh/id_rsa,
to the home directory.
https://fedorahosted.org/freeipa/ticket/4115
|
|
|
|
|
|
|
|
|
|
|
| |
When ipa-lockout plugin is started during FreeIPA server installation,
the default realm may not be available and plugin should then not end
with failure.
Similarly to other plugins, start in degraded mode in this situation.
Operation is fully restored during the final services restart.
https://fedorahosted.org/freeipa/ticket/4085
|
|
|
|
|
|
|
|
|
|
| |
krbPwdPolicyReference is no longer filled default users. Instead, plugins
fallback to hardcoded global policy reference.
Fix ipa-lockout plugin to fallback to it instead of failing to apply
the policy.
https://fedorahosted.org/freeipa/ticket/4085
|
|
|
|
|
|
| |
Remove explicitly specified hardening flags from LDFLAGS in ipa-otpd.
https://fedorahosted.org/freeipa/ticket/3896
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3944
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4094
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4094
|
| |
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/4116
|
|
|
|
|
|
|
| |
LDAP protocol doesn't allow deleting non-leaf entries. One needs to
remove all leaves first before removing the tree node.
https://fedorahosted.org/freeipa/ticket/4126
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add Web UI counterpart of following CLI commands:
* trust-fetch-domains Refresh list of the domains associated with the trust
* trustdomain-del Remove infromation about the domain associated with the trust.
* trustdomain-disable Disable use of IPA resources by the domain of the trust
* trustdomain-enable Allow use of IPA resources by the domain of the trust
* trustdomain-find Search domains of the trust
https://fedorahosted.org/freeipa/ticket/4119
|
|
|
|
|
|
|
|
|
|
|
|
| |
We do not need to expose a public FreeIPA specific interface to resolve
SIDs to names. The interface is only used internally to resolve SIDs
when external group members are listed. Additionally, the command interface
is not prepared for regular user and can give rather confusing results.
Hide it from CLI. The API itself is still accessible and compatible with
older clients.
https://fedorahosted.org/freeipa/ticket/4113
|
|
|
|
|
|
|
|
|
|
| |
When legacy client tests fail during IPA installation, the legacy
client test produces an additional misleading error
(the real cause is reported as well). This happens due the fact
that we try to cleanup host that was not yet defined. We need to
check for this attribute being defined before unapplying fixes there.
https://fedorahosted.org/freeipa/ticket/4124
|
|
|
|
|
|
|
|
| |
Sudo calls are not necessary since we log in as a root. Additionally,
sudo requires tty in default configuration, which is not acquired
when using OpenSSH transport.
https://fedorahosted.org/freeipa/ticket/4125
|
|
|
|
|
|
| |
Ensure we set host netbios name by default in smb.conf
https://fedorahosted.org/freeipa/ticket/4116
|
|
|
|
|
|
|
| |
- it's called in group-show
https://bugzilla.redhat.com/show_bug.cgi?id=1054391
https://fedorahosted.org/freeipa/ticket/4123
|
|
|
|
|
|
|
|
| |
Perform SID to name conversion for existing external members of the
groups if trust is configured.
https://bugzilla.redhat.com/show_bug.cgi?id=1054391
https://fedorahosted.org/freeipa/ticket/4123
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4078
|
|
|
|
|
|
|
|
| |
dnsrecord-mod may call dnsrecord-delentry command when all records
are deleted. However, the version was not passwd to delentry and
it resulted in a warning.
https://fedorahosted.org/freeipa/ticket/4120
|
|
|
|
|
|
|
|
| |
When output_for_cli was called directly, rather than for values
received through XML or JSON API, joining multiple values failed
on non-strings such as DN objects.
Convert output to strings before printing it out.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Both the password plugin and the kdb driver code automatically fall
back to the default password policy.
so stop adding an explicit reference to user objects and instead rely on the
fallback.
This way users created via the framework and users created via winsync plugin
behave the same way wrt password policies and no surprises will happen.
Also in case we need to change the default password policy DN this will allow
just code changes instead of having to change each user entry created, and
distinguish between the default policy and explicit admin changes.
Related: https://fedorahosted.org/freeipa/ticket/4085
Patch backported/updated by Martin Kosek to accomodate different ipatests
structure in ipa-3-3 branch.
|
|
|
|
|
|
|
|
|
|
|
| |
The KDB driver does not walk the tree back like the original password plugin.
Also we do not store the default policy in the base DN as we used to do in the
past anymore.
So doing a full subtree search and walking back the tree is just a waste of
time.
Instead hardcode the default policy like we do in the kdb driver.
Fixes: https://fedorahosted.org/freeipa/ticket/4085
|
|
|
|
| |
This fixes a possible NSS database corruption in renew_ca_cert.
|