freeipa.git/daemons/ipa-kdb, branch custodia FreeIPA patches client referral support for trusted domain principals 2015-10-08T11:52:16+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-08-20T12:06:12+00:00 766438aba018037cffadadaf11eb92024be4fe01 https://fedorahosted.org/freeipa/ticket/3559 Reviewed-By: Sumit Bose <sbose@redhat.com> 
https://fedorahosted.org/freeipa/ticket/3559

Reviewed-By: Sumit Bose <sbose@redhat.com>
ipa-kdb: add unit_tests for string_to_sid() and dom_sid_string() 2015-07-07T23:56:52+00:00 Sumit Bose sbose@redhat.com 2015-05-26T11:01:13+00:00 5017726ebaf6eea3dedb1325efe00c0d6c4b6187 Reviewed-By: Tomas Babej <tbabej@redhat.com> 
Reviewed-By: Tomas Babej <tbabej@redhat.com>
ipa-kdb: make string_to_sid() and dom_sid_string() more robust 2015-07-07T23:56:52+00:00 Sumit Bose sbose@redhat.com 2015-05-26T11:00:26+00:00 3f7481a220371e1a1ff0babae39e26f78a8948ad Reviewed-By: Tomas Babej <tbabej@redhat.com> 
Reviewed-By: Tomas Babej <tbabej@redhat.com>
ipa-kdb: add unit-test for filter_logon_info() 2015-07-07T23:56:52+00:00 Sumit Bose sbose@redhat.com 2015-05-26T08:26:28+00:00 7a1b4dcafc35a9bd0a48bd6da342970f31426264 Reviewed-By: Tomas Babej <tbabej@redhat.com> 
Reviewed-By: Tomas Babej <tbabej@redhat.com>
ipa-kdb: convert test to cmocka 2015-07-07T23:56:52+00:00 Sumit Bose sbose@redhat.com 2015-05-20T16:31:19+00:00 9d026ba824e8451d52d02c839793cfc2893204d7 Reviewed-By: Tomas Babej <tbabej@redhat.com> 
Reviewed-By: Tomas Babej <tbabej@redhat.com>
ipa-kdb: filter out group membership from MS-PAC for exact SID matches too 2015-07-07T23:56:52+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-05-28T08:33:51+00:00 d3ccfefaa4671776df0743285dd6c7d49f832813 When incoming SID blacklist contains exact SIDs of users and groups, attempt to filter them out as well, according to [MS-PAC] 4.1.1.2. Note that we treat user's SID and primary group RID filtering as violation of the KDC policy because the resulting MS-PAC will have no user SID or primary group and thus will be invalid. For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1 it is OK to have empty group RIDs array as GroupCount SHOULD be equal to Groups.MembershipCount returned by SamrGetGroupsForUser [MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty. Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475 Reviewed-By: Tomas Babej <tbabej@redhat.com> 
When incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.

Note that we treat user's SID and primary group RID filtering as violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.

For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1
it is OK to have empty group RIDs array as GroupCount SHOULD be
equal to Groups.MembershipCount returned by SamrGetGroupsForUser
[MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty.

Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475

Reviewed-By: Tomas Babej <tbabej@redhat.com>
ipa-kdb: use proper memory chunk size when moving sids 2015-07-07T23:56:52+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-05-20T15:24:52+00:00 88c10dd9750516f49e6bbfa0246d390b3a10fc91 Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475 Reviewed-By: Tomas Babej <tbabej@redhat.com> 
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475
Reviewed-By: Tomas Babej <tbabej@redhat.com>
ipa-kdb: common function to get key encodings/salt types 2015-06-29T15:15:00+00:00 Martin Babinsky mbabinsk@redhat.com 2015-05-22T15:23:00+00:00 4d7b630992da3d0c646b27268a85e6e8c30eebfe This patch moves duplicate code in `ipadb_get_connection` to get default and supported key encodings/salt types from Kerberos container to a common function handling this task. It is actually a small cosmetic enhancement of the fix of https://fedorahosted.org/freeipa/ticket/4914 Reviewed-By: Martin Basti <mbasti@redhat.com> 
This patch moves duplicate code in `ipadb_get_connection` to get default and
supported key encodings/salt types from Kerberos container to a common
function handling this task.

It is actually a small cosmetic enhancement of the fix of
https://fedorahosted.org/freeipa/ticket/4914

Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix s4u2proxy README and add warning 2015-06-08T18:37:29+00:00 Simo Sorce simo@redhat.com 2015-06-08T18:16:56+00:00 f530886193c5c109b9514e5f1ddd52e8b11825e1 The attribute mentioned was using an older name that was later changed in the implementation. Also add a prominent warning about the use of the kadmin flags. Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
The attribute mentioned was using an older name that was later changed
in the implementation.
Also add a prominent warning about the use of the kadmin flags.

Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Detect default encsalts kadmin password change 2015-05-27T13:45:56+00:00 Simo Sorce simo@redhat.com 2015-04-04T14:53:52+00:00 d5b6c8360116857623b4b67a42ed3788df2ba24a When kadmin tries to change a password it will get the allowed keysalts from the password policy. Failure to provide them will result in kadmin using the defaults specified in the kdc.conf file or hardcoded defaults (the default salt is then of type NORMAL). This patch provides the supported values that have been read out of the appropriate LDAP attribute when we read the server configuration. Then at actual password change, check if kadmin is handing us back the exact list of supported encsalts we sent it, and in that case replace it with the real default encsalts. Fixes https://fedorahosted.org/freeipa/ticket/4914 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Martin Babinsky <mbabinsk@redhat.com> 
When kadmin tries to change a password it will get the allowed keysalts
from the password policy. Failure to provide them will result in kadmin
using the defaults specified in the kdc.conf file or hardcoded defaults
(the default salt is then of type NORMAL).

This patch provides the supported values that have been read out of the
appropriate LDAP attribute when we read the server configuration.

Then at actual password change, check if kadmin is handing us back the exact
list of supported encsalts we sent it, and in that case replace it with the
real default encsalts.

Fixes https://fedorahosted.org/freeipa/ticket/4914

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>