summaryrefslogtreecommitdiffstats
path: root/daemons
Commit message (Collapse)AuthorAgeFilesLines
* DNSSEC: remove ccache and keytab of ipa-ods-exporterMartin Basti2015-09-031-1/+1
| | | | | | | | | Reusing old ccache after reinstall causes authentication error. And prevents DNSSEC from working. Related to ticket: https://fedorahosted.org/freeipa/ticket/5273 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Use the print functionPetr Viktorin2015-09-011-1/+2
| | | | | | | | | In Python 3, `print` is no longer a statement. Call it as a function everywhere, and include the future import to remove the statement in Python 2 code as well. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use Python3-compatible dict method namesPetr Viktorin2015-09-012-5/+5
| | | | | | | | | | | | | | | | | | | | | | Python 2 has keys()/values()/items(), which return lists, iterkeys()/itervalues()/iteritems(), which return iterators, and viewkeys()/viewvalues()/viewitems() which return views. Python 3 has only keys()/values()/items(), which return views. To get iterators, one can use iter() or a for loop/comprehension; for lists there's the list() constructor. When iterating through the entire dict, without modifying the dict, the difference between Python 2's items() and iteritems() is negligible, especially on small dicts (the main overhead is extra memory, not CPU time). In the interest of simpler code, this patch changes many instances of iteritems() to items(), iterkeys() to keys() etc. In other cases, helpers like six.itervalues are used. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Port from python-krbV to python-gssapiMichael Simacek2015-08-262-4/+4
| | | | | | | | | | | | | | | | | | python-krbV library is deprecated and doesn't work with python 3. Replacing all it's usages with python-gssapi. - Removed Backend.krb and KRB5_CCache classes They were wrappers around krbV classes that cannot really work without them - Added few utility functions for querying GSSAPI credentials in krb_utils module. They provide replacements for KRB5_CCache. - Merged two kinit_keytab functions - Changed ldap plugin connection defaults to match ipaldap - Unified getting default realm Using api.env.realm instead of krbV call Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* improve the handling of krb5-related errors in dnssec daemonsMartin Babinsky2015-08-183-4/+20
| | | | | | | | | ipa-dnskeysync* and ipa-ods-exporter handle kerberos errors more gracefully instead of crashing with tracebacks. https://fedorahosted.org/freeipa/ticket/5229 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Modernize 'except' clausesPetr Viktorin2015-08-121-2/+2
| | | | | | | The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Modernize number literalsPetr Viktorin2015-07-311-1/+1
| | | | | | | | | | | | | | Use Python-3 compatible syntax, without breaking compatibility with py 2.7 - Octals literals start with 0o to prevent confusion - The "L" at the end of large int literals is not required as they use long on Python 2 automatically. - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking checking, e.g. type(0). https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix minor typosYuri Chornoivan2015-07-171-1/+1
| | | | | | | | | | | | | <ame> -> <name> overriden -> overridden ablity -> ability enties -> entries the the -> the https://fedorahosted.org/freeipa/ticket/5109 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
* ipa-kdb: add unit_tests for string_to_sid() and dom_sid_string()Sumit Bose2015-07-081-0/+60
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-kdb: make string_to_sid() and dom_sid_string() more robustSumit Bose2015-07-081-1/+10
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-kdb: add unit-test for filter_logon_info()Sumit Bose2015-07-083-50/+323
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-kdb: convert test to cmockaSumit Bose2015-07-082-88/+49
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* extdom: add unit-test for get_user_grouplist()Sumit Bose2015-07-084-2/+1045
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-pwd-extop: expand error message to tell what user is not allowed to ↵Alexander Bokovoy2015-07-081-2/+2
| | | | | | | | | | | | | fetch keytab When retrieving keytab, it is useful to know what user was attempting to fetch the keyts and failed. This is useful to debug one-way trust where SSSD forks out a process of ipa-getkeytab and it might be using a wrong credentials cache for authentication purposes. Part of https://fedorahosted.org/freeipa/ticket/4959 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-sidgen: reduce log level to normal if domain SID is not availableAlexander Bokovoy2015-07-081-1/+1
| | | | | | | | | | | | To support AD trust agents, we need to run sidgen and extdom plugins on every IPA master. Lack of working configuration, thus, is not a failure so reduce log level to normal as sidgen plugin will not be active if domain SID is missing but it can certainly be kept enabled. Part of https://fedorahosted.org/freeipa/ticket/4951 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* add one-way trust support to ipasamAlexander Bokovoy2015-07-081-21/+85
| | | | | | | | | | | | | | | | | | | | | | | | | | | | When trust is established, ipasam module creates a number of objects in LDAP to represent the trust information. Among them, for one-way trust we create a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest and AD is a realm of the trusted Active Directory forest root domain. This principal is then used by SSSD on IPA masters to authenticate against trusted Active Directory domain controllers and retrieve information about user and group identities. FreeIPA also uses this principal's credentials to retrieve domain topology. The access to the keys of the principal should be well-protected. We only allow to retrieve the keytab for it for members of cn=adtrust agents group. This group is populated with host/ and cifs/ principals from IPA masters. Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install on the master which will be configured to be a domain controller (e.g. run Samba with ipasam), and specify --add-agents option to trigger activation of the interactive mode to specify which IPA masters to enable. Fixes https://fedorahosted.org/freeipa/ticket/4962 Part of fixes for https://fedorahosted.org/freeipa/ticket/4546 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-kdb: filter out group membership from MS-PAC for exact SID matches tooAlexander Bokovoy2015-07-081-1/+99
| | | | | | | | | | | | | | | | | | When incoming SID blacklist contains exact SIDs of users and groups, attempt to filter them out as well, according to [MS-PAC] 4.1.1.2. Note that we treat user's SID and primary group RID filtering as violation of the KDC policy because the resulting MS-PAC will have no user SID or primary group and thus will be invalid. For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1 it is OK to have empty group RIDs array as GroupCount SHOULD be equal to Groups.MembershipCount returned by SamrGetGroupsForUser [MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty. Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-kdb: use proper memory chunk size when moving sidsAlexander Bokovoy2015-07-081-3/+17
| | | | | Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* allow deletion of segment if endpoint is not managedLudwig Krispenz2015-07-023-0/+17
| | | | | | | | | in the preop check do not reject the deletion of a segment, if not both endpoints are managed servers for the suffix thisis part of work for ticlet #5072 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipalib: Load ipaserver plugins when api.env.in_server is TrueJan Cholasta2015-07-011-1/+0
| | | | | | | https://fedorahosted.org/freeipa/ticket/3090 https://fedorahosted.org/freeipa/ticket/5073 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* v2 improve processing of invalid data.Ludwig Krispenz2015-07-013-14/+43
| | | | | | | | | reject attempts to add segments to suffixes, which do not exist or are not configured. check completenes and validity of segment attributes cf ticket 5088: https://fedorahosted.org/freeipa/ticket/5088 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* DNSSEC: Store time & date key metadata in UTC.Petr Spacek2015-07-011-1/+7
| | | | | | | | | OpenDNSSEC stores key metadata in local time zone but BIND needs timestamps in UTC. UTC will be stored in LDAP. https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Martin Basti <mbasti@redhat.com>
* v2 clear start attr from segment after initializationLudwig Krispenz2015-06-304-0/+129
| | | | | | | | | | | | | Online initialization can be triggered by setting "nsds5BeginReplicaRefresh[;left|;right]": start to a segment. But this field remained in the segment and after restart the init would be executed again. see Ticket #5065 To fix this the field is cleared: - after a backend comes back online after being initialized - since there is a delay and the sending server could be restarted in between, the field is also scheced and renḿoved at startup Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* fix coverity issuesLudwig Krispenz2015-06-291-1/+13
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-kdb: common function to get key encodings/salt typesMartin Babinsky2015-06-292-70/+62
| | | | | | | | | | | This patch moves duplicate code in `ipadb_get_connection` to get default and supported key encodings/salt types from Kerberos container to a common function handling this task. It is actually a small cosmetic enhancement of the fix of https://fedorahosted.org/freeipa/ticket/4914 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: Improve ipa-ods-exporter log messages with key metadata.Petr Spacek2015-06-291-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: Add ability to trigger full data synchronization to ipa-ods-exporter.Petr Spacek2015-06-291-45/+57
| | | | | | | | | | | | | New exporter's command 'ipa-full-update' will resynchronize all zone keys from ODS database to LDAP. This command holds database lock for the whole time to avoid race conditions so it should be used only in special cases, e.g. during master server migration. https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: log ipa-ods-exporter file lock operations into debug logPetr Spacek2015-06-291-0/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: ipa-ods-exporter: move zone synchronization into separate functionPetr Spacek2015-06-291-60/+64
| | | | | | https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: Accept ipa-ods-exporter commands from command line.Petr Spacek2015-06-291-36/+60
| | | | | | | | | | Previously only systemd socket activation was supported. Ability to call the command directly is handy in special cases, e.g. for debugging or moving key master role from one server to another. https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: Detect invalid master keys in LDAP.Petr Spacek2015-06-291-0/+1
| | | | | | | | This should never happen ... https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Martin Basti <mbasti@redhat.com>
* correct management of one directional segmentsLudwig Krispenz2015-06-295-39/+160
| | | | | | | | | | this patch contains the following improvements: check for existing segments works for all combinations of one directional and bidirectional segments rdns of replication agreements generated from one directional segments are preserves after merging of segments, so that deletion of the segment deletes the corresponding replication agreements Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Hide traceback in ipa-dnskeysyncd if kinit failed.Petr Spacek2015-06-241-1/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* DNSSEC: fix traceback during shutdown phaseMartin Basti2015-06-151-11/+11
| | | | | | | ipa-dnskeysyncd causes traceback when receive SIGTERM, SIGINT Ticket: https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* v2-reject modifications of endpoints and connectivity of a segmentLudwig Krispenz2015-06-111-9/+60
| | | | Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* make sure the agremment rdn match the rdn used in the segmentLudwig Krispenz2015-06-111-18/+19
| | | | Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* move replications managers group to cn=sysaccounts,cn=etc,$SUFFIXPetr Vobornik2015-06-111-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4302 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* check for existing and self referential segmentsLudwig Krispenz2015-06-101-10/+20
| | | | | Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Fix s4u2proxy README and add warningSimo Sorce2015-06-081-2/+14
| | | | | | | | The attribute mentioned was using an older name that was later changed in the implementation. Also add a prominent warning about the use of the kadmin flags. Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* crash when removing a replicaLudwig Krispenz2015-06-041-3/+11
| | | | | | | | | | | when a server is removed from the topology the plugin tries to remove the credentials from the replica and the bind dn group. It performs an internal search for the ldap principal, but can fail if it was already removed Due to an unitialized variable in this case it can eitehr crash or erroneously remove all principals. Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* plugin uses 1 as minimum domain level to become active no calculation based ↵Ludwig Krispenz2015-06-044-28/+12
| | | | | | | on plugin version Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* replica install fails with domain level 1Ludwig Krispenz2015-06-023-5/+3
| | | | | | | | | | | when updating an replication agreement from a toplogy segment an incorrect default value was used for bindmethod. Only attributes explicitely set in the segment should be applied. At shutdown the server could crash because the plugin was called after it was stopped. https://fedorahosted.org/freeipa/ticket/5035 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Detect default encsalts kadmin password changeSimo Sorce2015-05-275-0/+144
| | | | | | | | | | | | | | | | | | | When kadmin tries to change a password it will get the allowed keysalts from the password policy. Failure to provide them will result in kadmin using the defaults specified in the kdc.conf file or hardcoded defaults (the default salt is then of type NORMAL). This patch provides the supported values that have been read out of the appropriate LDAP attribute when we read the server configuration. Then at actual password change, check if kadmin is handing us back the exact list of supported encsalts we sent it, and in that case replace it with the real default encsalts. Fixes https://fedorahosted.org/freeipa/ticket/4914 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
* ds plugin - manage replication topology in the shared treeLudwig Krispenz2015-05-2611-0/+4061
| | | | | | | Implementation of ticket: https://fedorahosted.org/freeipa/ticket/4302 Design page: http://www.freeipa.org/page/V4/Manage_replication_topology Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* User life cycle: new stageuser commands activateThierry Bordaz2015-05-181-0/+48
| | | | | | | | | Add plugin commands to stageuser plugin: stageuser_activate: activate entries created by IPA CLIs https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix a signedness bug in OTP codeNathaniel McCallum2015-05-051-3/+3
| | | | | | | | | This bug caused negative token windows to wrap-around, causing issues with TOTP authentication and (especially) synchronization. https://fedorahosted.org/freeipa/ticket/4990 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* use separate ccache filename for each IPA DNSSEC daemonMartin Babinsky2015-04-243-3/+3
| | | | | | | | | ipa-dnskeysyncd, ipa-dnskeysync-replica, and ipa-ods-exporter use a generic 'ccache' filename for credential storage, making debugging Kerberos-related errors unnecessarily complicated. This patch renames the ccache files so that each of these daemons now has its own credenital cache. Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Adopted kinit_keytab and kinit_password for kerberos authMartin Babinsky2015-04-203-5/+11
| | | | | | | | | Calls to ipautil.run using kinit were replaced with calls kinit_keytab/kinit_password functions implemented in the PATCH 0015. Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* User Life Cycle: Exclude subtree for ipaUniqueID generationThierry bordaz (tbordaz)2015-04-081-0/+16
| | | | | | | | | | | IPA UUID should not generate ipaUniqueID for entries under 'cn=provisioning,SUFFIX' Add in the configuration the ability to set (optional) 'ipaUuidExcludeSubtree' https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* do not log BINDs to non-existent users as errorsMartin Babinsky2015-04-021-2/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4889 Reviewed-By: Petr Spacek <pspacek@redhat.com>