<feed xmlns='http://www.w3.org/2005/Atom'>
<title>freeipa.git/daemons/ipa-kdb, branch mspac</title>
<subtitle>FreeIPA patches</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/'/>
<entry>
<title>mspac: Add support for UPN_DNS_INFO buffer</title>
<updated>2013-10-10T14:20:02+00:00</updated>
<author>
<name>Simo Sorce</name>
<email>simo@redhat.com</email>
</author>
<published>2013-10-10T00:34:14+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=251f36c38dd636f3406cd8ef1b9affee841c70bd'/>
<id>251f36c38dd636f3406cd8ef1b9affee841c70bd</id>
<content type='text'>
Fill up a upn_dns_info buffer and add it to the pac.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fill up a upn_dns_info buffer and add it to the pac.
</pre>
</div>
</content>
</entry>
<entry>
<title>mspac: Split retrieval of basic account data</title>
<updated>2013-10-10T14:20:02+00:00</updated>
<author>
<name>Simo Sorce</name>
<email>simo@redhat.com</email>
</author>
<published>2013-10-10T00:32:18+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=a9cb481cd1aa1633d725e6bd9e60d5914b31c390'/>
<id>a9cb481cd1aa1633d725e6bd9e60d5914b31c390</id>
<content type='text'>
Split ipadb_fill_info3 into 2 functions:
- one that retrieves basic account data and optionally fakes up some of
the data
- the other just fills info3 based on the input data, as the name says
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Split ipadb_fill_info3 into 2 functions:
- one that retrieves basic account data and optionally fakes up some of
the data
- the other just fills info3 based on the input data, as the name says
</pre>
</div>
</content>
</entry>
<entry>
<title>ipa-kdb: Handle parent-child relationship for subdomains</title>
<updated>2013-10-04T08:25:31+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2013-10-03T10:30:44+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=d228b1bd70aeebb19fbf64ee64bbd662eda19fc4'/>
<id>d228b1bd70aeebb19fbf64ee64bbd662eda19fc4</id>
<content type='text'>
When MS-PAC information is re-initialized, also record the parent-child
relationship between the trust root level domain and its subdomains.

Use the parent's incoming SID black list to check whether a child domain is not
allowed to access the IPA realm.

We also should really use the 'cn' of the entry as the domain name.
ipaNTTrustPartner has a different meaning on the wire: it is an index
pointing to the parent domain of the domain and will be 0 for top
level domains or disjoint subdomains of the trust.

Finally, the trustdomain-enable and trustdomain-disable commands should
force MS-PAC cache re-initialization in case of a black list change.
Trigger that by asking for a cross-realm TGT for the HTTP service.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When MS-PAC information is re-initialized, also record the parent-child
relationship between the trust root level domain and its subdomains.

Use the parent's incoming SID black list to check whether a child domain is not
allowed to access the IPA realm.

We also should really use the 'cn' of the entry as the domain name.
ipaNTTrustPartner has a different meaning on the wire: it is an index
pointing to the parent domain of the domain and will be 0 for top
level domains or disjoint subdomains of the trust.

Finally, the trustdomain-enable and trustdomain-disable commands should
force MS-PAC cache re-initialization in case of a black list change.
Trigger that by asking for a cross-realm TGT for the HTTP service.
</pre>
</div>
</content>
</entry>
<entry>
<title>KDC: implement transition check for trusted domains</title>
<updated>2013-10-04T08:25:31+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2013-09-28T19:49:57+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=749111e6c2dfbb288c864a6cd2f5ac228f30bec1'/>
<id>749111e6c2dfbb288c864a6cd2f5ac228f30bec1</id>
<content type='text'>
When a client principal requests a ticket for a server principal
and we have to perform a transition, check that all three belong to either
our domain or the domains we trust through forest trusts.

In case all three realms (client, transition, and server) match
trusted domains and our domain, issue permission to transition from the client
realm to the server realm.

Part of https://fedorahosted.org/freeipa/ticket/3909
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When a client principal requests a ticket for a server principal
and we have to perform a transition, check that all three belong to either
our domain or the domains we trust through forest trusts.

In case all three realms (client, transition, and server) match
trusted domains and our domain, issue permission to transition from the client
realm to the server realm.

Part of https://fedorahosted.org/freeipa/ticket/3909
</pre>
</div>
</content>
</entry>
<entry>
<title>Add Delegation Info to MS-PAC</title>
<updated>2013-09-13T16:03:53+00:00</updated>
<author>
<name>Simo Sorce</name>
<email>simo@redhat.com</email>
</author>
<published>2013-02-05T22:50:55+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=5157fd450fb33a7a3b68525a255d2976dbb0840a'/>
<id>5157fd450fb33a7a3b68525a255d2976dbb0840a</id>
<content type='text'>
https://fedorahosted.org/freeipa/ticket/3442
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://fedorahosted.org/freeipa/ticket/3442
</pre>
</div>
</content>
</entry>
<entry>
<title>kdb-princ: Fix memory leak</title>
<updated>2013-08-28T10:42:56+00:00</updated>
<author>
<name>Simo Sorce</name>
<email>simo@redhat.com</email>
</author>
<published>2013-08-27T13:28:14+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=bea533c69a2b11e4a774144b8ee335e458333f7a'/>
<id>bea533c69a2b11e4a774144b8ee335e458333f7a</id>
<content type='text'>
If we do not store the keys in the entry, we need to free the array before
continuing or the data is leaked.

CoverityID: 11910

Fixes:
https://fedorahosted.org/freeipa/ticket/3884
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If we do not store the keys in the entry, we need to free the array before
continuing or the data is leaked.

CoverityID: 11910

Fixes:
https://fedorahosted.org/freeipa/ticket/3884
</pre>
</div>
</content>
</entry>
<entry>
<title>kdb-mspac: Fix out of bounds memset</title>
<updated>2013-08-28T10:42:56+00:00</updated>
<author>
<name>Simo Sorce</name>
<email>simo@redhat.com</email>
</author>
<published>2013-08-27T13:24:32+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=f96257397e8f1cb8a307e6ec0e48bd3570a16671'/>
<id>f96257397e8f1cb8a307e6ec0e48bd3570a16671</id>
<content type='text'>
This memset was harmless as the following data is then set again, but an
optimizing compiler might conceivably reorder instructions causing issues.

CoverityID: 11909

Fixes:
https://fedorahosted.org/freeipa/ticket/3883
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This memset was harmless as the following data is then set again, but an
optimizing compiler might conceivably reorder instructions causing issues.

CoverityID: 11909

Fixes:
https://fedorahosted.org/freeipa/ticket/3883
</pre>
</div>
</content>
</entry>
<entry>
<title>IPA KDB MS-PAC: remove unused variable</title>
<updated>2013-07-23T13:25:26+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2013-07-23T13:07:52+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=4a5cbde4bbec552416c74a86a74bc38f3147941b'/>
<id>4a5cbde4bbec552416c74a86a74bc38f3147941b</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>IPA KDB MS-PAC: return ENOMEM if allocation fails</title>
<updated>2013-07-23T13:25:20+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2013-07-23T13:07:39+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=85b8c747bb14bca8afc6b80ab27c3eda1f5e1c74'/>
<id>85b8c747bb14bca8afc6b80ab27c3eda1f5e1c74</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>ipa-kdb: reinit mspac on HTTP TGT acquisition to aid trust-add case</title>
<updated>2013-07-23T13:24:29+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2013-07-18T10:32:42+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=84b2269589c115cae2d2bcec32fec602143fc42e'/>
<id>84b2269589c115cae2d2bcec32fec602143fc42e</id>
<content type='text'>
When a trust is established, we also create an idrange for the trusted domain.
With FreeIPA 3.3 these ranges can have different types, and in order to
detect which one to create, we need to do a lookup at the AD LDAP server.

Such a lookup requires an authenticated bind. We cannot bind as the user because
the IPA framework operates under constrained delegation using the user's
credentials, and allowing HTTP/ipa.server@REALM to impersonate the user
against the trusted domain's services would require two major things:

  - first, as we don't really know the exact AD LDAP server names (any AD DC
    can be used), constrained delegation would have to be defined against
    a wild-card

  - second, constrained delegation requires that the target principal exists
    in IPA LDAP as a DN.

These two together limit the use of the user's ticket for the purpose of the IPA
framework looking up AD LDAP.

Additionally, immediately after a trust is established, issuing a TGT with
MS-PAC to HTTP/ipa.server@REALM may fail due to the fact that the KDB driver
has not yet refreshed its list of trusted domains -- we have a limited
refresh rate of 60 seconds by default.

This patch makes it possible to force re-initialization of the trusted domains'
view in the KDB driver if we are asked for a TGT for HTTP/ipa.server@REALM.

We will need to improve the refresh of the trusted domains' view in the KDB driver
in the future to notice changes in the cn=etc,$SUFFIX tree automatically.

This improvement is tracked in https://fedorahosted.org/freeipa/ticket/1302 and
https://fedorahosted.org/freeipa/ticket/3626

Part of https://fedorahosted.org/freeipa/ticket/3649
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When a trust is established, we also create an idrange for the trusted domain.
With FreeIPA 3.3 these ranges can have different types, and in order to
detect which one to create, we need to do a lookup at the AD LDAP server.

Such a lookup requires an authenticated bind. We cannot bind as the user because
the IPA framework operates under constrained delegation using the user's
credentials, and allowing HTTP/ipa.server@REALM to impersonate the user
against the trusted domain's services would require two major things:

  - first, as we don't really know the exact AD LDAP server names (any AD DC
    can be used), constrained delegation would have to be defined against
    a wild-card

  - second, constrained delegation requires that the target principal exists
    in IPA LDAP as a DN.

These two together limit the use of the user's ticket for the purpose of the IPA
framework looking up AD LDAP.

Additionally, immediately after a trust is established, issuing a TGT with
MS-PAC to HTTP/ipa.server@REALM may fail due to the fact that the KDB driver
has not yet refreshed its list of trusted domains -- we have a limited
refresh rate of 60 seconds by default.

This patch makes it possible to force re-initialization of the trusted domains'
view in the KDB driver if we are asked for a TGT for HTTP/ipa.server@REALM.

We will need to improve the refresh of the trusted domains' view in the KDB driver
in the future to notice changes in the cn=etc,$SUFFIX tree automatically.

This improvement is tracked in https://fedorahosted.org/freeipa/ticket/1302 and
https://fedorahosted.org/freeipa/ticket/3626

Part of https://fedorahosted.org/freeipa/ticket/3649
</pre>
</div>
</content>
</entry>
</feed>
