freeipa.git, branch fix_ber_scanf

Make sure to have storage space for tag

2019-09-16T15:18:30+00:00

ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at
by "t", if that is not provided the pointer will be store in whatever
memory location is pointed by the stack at that time causeing a crash.

Note that this is effectively unused code because in ipa-kdb the only
party that can write a key_data structure to be stored is te kdb_driver
itself and we never encode these s2kparam data.

But we need to handle this for future proofing.

Fixes #8071

Signed-off-by: Simo Sorce

Add container environment check to replicainstall

2019-09-16T07:44:52+00:00

Inside the container environment master's IP address
does not resolve to its name.

Resolves: https://pagure.io/freeipa/issue/6210
Reviewed-By: Rob Crittenden

Hidden Replica: Add a test for Automatic CRL configuration

2019-09-13T12:46:46+00:00

Added test to check whether hidden replica can be configurred
as CRL generation master.

Related Tickets:
https://pagure.io/freeipa/issue/7307

Signed-off-by: ndehadra 
Reviewed-By: Florence Blanc-Renaud

adtrust: add default read_keys permission for TDO objects

2019-09-12T14:17:53+00:00

If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.

This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permissions which
grants access to trust agents and trust admins.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy 
Reviewed-By: Florence Blanc-Renaud

add default access control when migrating trust objects

2019-09-12T14:17:53+00:00

It looks like for some cases we do not have proper set up keytab
retrieval configuration in the old trusted domain object. This mostly
affects two-way trust cases. In such cases, create default configuration
as ipasam would have created when trust was established.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy 
Reviewed-By: Florence Blanc-Renaud

prci: increase gating tasks priority

2019-09-12T09:17:15+00:00

Sometimes the gating tasks (build and jobs) are blocked because of nightly
regression remaining tasks are in progress. The reason is because nightly
regressions are not finished or they are re-triggered during day-time.
Gating tasks are blocked because they have same priority than nightly tasks.

This commit increases gating tasks priority so the testing of pull requests
will not be blocked anymore.

Reviewed-By: Florence Blanc-Renaud

extdom: add extdom protocol documentation

2019-09-12T07:48:13+00:00

Add the description of extdom protocol and its versions

Reviewed-By: Alexander Bokovoy

extdom: use sss_nss_*_timeout calls

2019-09-12T07:48:13+00:00

Use nss calls with timeout in extdom plugin

Reviewed-By: Alexander Bokovoy

extdom: plugin doesn't use timeout in blocking call

2019-09-12T07:48:13+00:00

Expose nss timeout parameter. Use sss_nss_getorigbyname_timeout
instead of sss_nss_getorigbyname

Reviewed-By: Alexander Bokovoy

extdom: plugin doesn't allow @ in group name

2019-09-12T07:48:13+00:00

Old implementation handles username and group names with
one common call. Character @ is used in the call to detect UPN.

Group name can legaly contain this character and therefore the
common approach doesn't work in such case.

Also the original call is less efficient because it tries to resolv
username allways then it fallback to group resolution.

Here we implement two new separate calls for resolving users and
groups.

Fixes: https://bugzilla.redhat.com/1746951
Reviewed-By: Alexander Bokovoy