freeipa.git/daemons/ipa-kdb, branch kdc-fixes FreeIPA patches TODO: make sure a single krbPrincipalName value gets used for canonicalization too 2015-08-10T21:03:29+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-08-10T20:26:59+00:00 9f49886f941772731c8ecca8825b2d87ffa0ccc9 






IPA KDB: use empty profile to init krb5 context in tests
2015-08-10T09:39:22+00:00

Sumit Bose
sbose@redhat.com

2015-07-28T08:56:26+00:00

fb592697d0be22111994f02c0586ac26012b122e

If the systems /etc/krb5.conf contains some unexpected or broken
configuration the test might fail. With this patch the tests are run
with an empty configuration.





If the systems /etc/krb5.conf contains some unexpected or broken
configuration the test might fail. With this patch the tests are run
with an empty configuration.







IPA KDB: allow case in-sensitive realm in AS request
2015-08-10T09:39:13+00:00

Sumit Bose
sbose@redhat.com

2015-07-28T09:00:41+00:00

43833ccbca01c8892409586b5e8381de2096ac1b

If the canonicalization flag is set the realm of the client principal in
an AS request (kinit) is transformed into upper-case to match the IPA
convention for realm names.

Resolves https://fedorahosted.org/freeipa/ticket/4844





If the canonicalization flag is set the realm of the client principal in
an AS request (kinit) is transformed into upper-case to match the IPA
convention for realm names.

Resolves https://fedorahosted.org/freeipa/ticket/4844







ipa-kdb: add unit_tests for string_to_sid() and dom_sid_string()
2015-07-07T23:56:52+00:00

Sumit Bose
sbose@redhat.com

2015-05-26T11:01:13+00:00

5017726ebaf6eea3dedb1325efe00c0d6c4b6187

Reviewed-By: Tomas Babej <tbabej@redhat.com>





Reviewed-By: Tomas Babej <tbabej@redhat.com>







ipa-kdb: make string_to_sid() and dom_sid_string() more robust
2015-07-07T23:56:52+00:00

Sumit Bose
sbose@redhat.com

2015-05-26T11:00:26+00:00

3f7481a220371e1a1ff0babae39e26f78a8948ad

Reviewed-By: Tomas Babej <tbabej@redhat.com>





Reviewed-By: Tomas Babej <tbabej@redhat.com>







ipa-kdb: add unit-test for filter_logon_info()
2015-07-07T23:56:52+00:00

Sumit Bose
sbose@redhat.com

2015-05-26T08:26:28+00:00

7a1b4dcafc35a9bd0a48bd6da342970f31426264

Reviewed-By: Tomas Babej <tbabej@redhat.com>





Reviewed-By: Tomas Babej <tbabej@redhat.com>







ipa-kdb: convert test to cmocka
2015-07-07T23:56:52+00:00

Sumit Bose
sbose@redhat.com

2015-05-20T16:31:19+00:00

9d026ba824e8451d52d02c839793cfc2893204d7

Reviewed-By: Tomas Babej <tbabej@redhat.com>





Reviewed-By: Tomas Babej <tbabej@redhat.com>







ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
2015-07-07T23:56:52+00:00

Alexander Bokovoy
abokovoy@redhat.com

2015-05-28T08:33:51+00:00

d3ccfefaa4671776df0743285dd6c7d49f832813

When incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.

Note that we treat user's SID and primary group RID filtering as violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.

For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1
it is OK to have empty group RIDs array as GroupCount SHOULD be
equal to Groups.MembershipCount returned by SamrGetGroupsForUser
[MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty.

Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475

Reviewed-By: Tomas Babej <tbabej@redhat.com>





When incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.

Note that we treat user's SID and primary group RID filtering as violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.

For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1
it is OK to have empty group RIDs array as GroupCount SHOULD be
equal to Groups.MembershipCount returned by SamrGetGroupsForUser
[MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty.

Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475

Reviewed-By: Tomas Babej <tbabej@redhat.com>







ipa-kdb: use proper memory chunk size when moving sids
2015-07-07T23:56:52+00:00

Alexander Bokovoy
abokovoy@redhat.com

2015-05-20T15:24:52+00:00

88c10dd9750516f49e6bbfa0246d390b3a10fc91

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475
Reviewed-By: Tomas Babej <tbabej@redhat.com>





Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475
Reviewed-By: Tomas Babej <tbabej@redhat.com>







ipa-kdb: common function to get key encodings/salt types
2015-06-29T15:15:00+00:00

Martin Babinsky
mbabinsk@redhat.com

2015-05-22T15:23:00+00:00

4d7b630992da3d0c646b27268a85e6e8c30eebfe

This patch moves duplicate code in `ipadb_get_connection` to get default and
supported key encodings/salt types from Kerberos container to a common
function handling this task.

It is actually a small cosmetic enhancement of the fix of
https://fedorahosted.org/freeipa/ticket/4914

Reviewed-By: Martin Basti <mbasti@redhat.com>





This patch moves duplicate code in `ipadb_get_connection` to get default and
supported key encodings/salt types from Kerberos container to a common
function handling this task.

It is actually a small cosmetic enhancement of the fix of
https://fedorahosted.org/freeipa/ticket/4914

Reviewed-By: Martin Basti <mbasti@redhat.com>