freeipa.git/daemons/ipa-sam, branch custodia FreeIPA patches add one-way trust support to ipasam 2015-07-07T23:56:52+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-03-26T12:34:06+00:00 785f6593caf1817b84332397ca19752d3cf50c25 When trust is established, ipasam module creates a number of objects in LDAP to represent the trust information. Among them, for one-way trust we create a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest and AD is a realm of the trusted Active Directory forest root domain. This principal is then used by SSSD on IPA masters to authenticate against trusted Active Directory domain controllers and retrieve information about user and group identities. FreeIPA also uses this principal's credentials to retrieve domain topology. The access to the keys of the principal should be well-protected. We only allow to retrieve the keytab for it for members of cn=adtrust agents group. This group is populated with host/ and cifs/ principals from IPA masters. Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install on the master which will be configured to be a domain controller (e.g. run Samba with ipasam), and specify --add-agents option to trigger activation of the interactive mode to specify which IPA masters to enable. Fixes https://fedorahosted.org/freeipa/ticket/4962 Part of fixes for https://fedorahosted.org/freeipa/ticket/4546 Reviewed-By: Tomas Babej <tbabej@redhat.com> 
When trust is established, ipasam module creates a number of objects in LDAP
to represent the trust information. Among them, for one-way trust we create
a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest
and AD is a realm of the trusted Active Directory forest root domain.

This principal is then used by SSSD on IPA masters to authenticate against
trusted Active Directory domain controllers and retrieve information about
user and group identities.

FreeIPA also uses this principal's credentials to retrieve domain topology.

The access to the keys of the principal should be well-protected. We only
allow to retrieve the keytab for it for members of cn=adtrust agents group.
This group is populated with host/ and cifs/ principals from IPA masters.

Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters
where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install
on the master which will be configured to be a domain controller (e.g.
run Samba with ipasam), and specify --add-agents option to trigger activation
of the interactive mode to specify which IPA masters to enable.

Fixes https://fedorahosted.org/freeipa/ticket/4962
Part of fixes for https://fedorahosted.org/freeipa/ticket/4546

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Support Samba PASSDB 0.2.0 aka interface version 24 2015-01-19T09:21:48+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-01-12T11:36:36+00:00 d57efb74bb6ad91b029fffff39ed4e482c41f8ba 1. Samba project renamed libpdb to libsamba-passdb https://bugzilla.samba.org/show_bug.cgi?id=10355 2. With interface version 24, Samba removed uid_to_sid()/gid_to_sid() from the PASSDB interface and united them as id_to_sid(). Make sure FreeIPA ipa_sam code supports new and old versions of the PASSDB API. https://fedorahosted.org/freeipa/ticket/4778 Reviewed-By: Sumit Bose <sbose@redhat.com> 
1. Samba project renamed libpdb to libsamba-passdb
   https://bugzilla.samba.org/show_bug.cgi?id=10355

2. With interface version 24, Samba removed uid_to_sid()/gid_to_sid()
   from the PASSDB interface and united them as id_to_sid().

Make sure FreeIPA ipa_sam code supports new and old versions of
the PASSDB API.

https://fedorahosted.org/freeipa/ticket/4778

Reviewed-By: Sumit Bose <sbose@redhat.com>
Fix Kerberos error handling in ipa-sam 2014-11-25T08:23:24+00:00 Jan Cholasta jcholast@redhat.com 2014-11-10T17:40:35+00:00 eed7fb63789fb6349927e93e4cbd7b21db1a4f12 https://fedorahosted.org/freeipa/ticket/4713 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4713

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-sam: cache gid to sid and uid to sid requests in idmap cache 2014-03-12T11:19:06+00:00 Jason Woods devel@jasonwoods.me.uk 2014-03-07T16:38:24+00:00 d6a7923f71eb69bac53d6ff904086a9abd103dbc Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the directory service for gid/uid<->sid resolution. Additionally, this patch further reduces number of queries by: - fast fail on uidNumber=0 which doesn't exist in FreeIPA, - return fallback group correctly when looking up user primary group as is done during init, - checking for group objectclass in case insensitive way Patch by Jason Woods <devel@jasonwoods.me.uk> Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> https://fedorahosted.org/freeipa/ticket/4234 and https://bugzilla.redhat.com/show_bug.cgi?id=1073829 https://bugzilla.redhat.com/show_bug.cgi?id=1074314 Reviewed-By: Sumit Bose <sbose@redhat.com> 
Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the
directory service for gid/uid<->sid resolution.

Additionally, this patch further reduces number of queries by:
 - fast fail on uidNumber=0 which doesn't exist in FreeIPA,
 - return fallback group correctly when looking up user primary group as is
   done during init,
 - checking for group objectclass in case insensitive way

Patch by Jason Woods <devel@jasonwoods.me.uk>

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

https://fedorahosted.org/freeipa/ticket/4234
and
https://bugzilla.redhat.com/show_bug.cgi?id=1073829
https://bugzilla.redhat.com/show_bug.cgi?id=1074314

Reviewed-By: Sumit Bose <sbose@redhat.com>
ipasam: delete trusted child domains before removing the trust 2014-01-21T11:31:54+00:00 Alexander Bokovoy abokovoy@redhat.com 2014-01-20T14:42:48+00:00 c29211671cfd7d7734b932c8d6d70c94c849b5d1 LDAP protocol doesn't allow deleting non-leaf entries. One needs to remove all leaves first before removing the tree node. https://fedorahosted.org/freeipa/ticket/4126 
LDAP protocol doesn't allow deleting non-leaf entries. One needs to
remove all leaves first before removing the tree node.

https://fedorahosted.org/freeipa/ticket/4126
Remove CFLAGS duplication. 2013-12-06T13:44:41+00:00 Jan Cholasta jcholast@redhat.com 2013-12-06T10:47:44+00:00 5e2f7b68f0cb8e7fd6ea4f3236e84f1a8d075a13 https://fedorahosted.org/freeipa/ticket/3896 
https://fedorahosted.org/freeipa/ticket/3896
Remove generation and handling of LM hashes 2013-11-01T08:28:35+00:00 Sumit Bose sbose@redhat.com 2013-10-29T11:19:01+00:00 d876a22732d83ddf8e37ead89e6f23bf7aa0d69c https://fedorahosted.org/freeipa/ticket/3795 
https://fedorahosted.org/freeipa/ticket/3795
ipasam: for subdomains pick up defaults for missing values 2013-10-04T08:25:31+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-09-27T12:00:22+00:00 0ab40cdf6b354e8b760f604f2f94cf3c2292217e We don't store trust type, attributes, and direction for subdomains of the existing trust. Since trust is always forest level, these parameters can be added as defaults when they are missing. 
We don't store trust type, attributes, and direction for subdomains
of the existing trust. Since trust is always forest level, these parameters
can be added as defaults when they are missing.
ipa-sam: report supported enctypes based on Kerberos realm configuration 2013-09-20T07:59:02+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-09-10T08:56:40+00:00 a9843d6918f73c2236d0083b1e8adf54ca34eb0d We store Kerberos realm configuration in cn=REALM,cn=kerberos,$SUFFIX. Along other configuration options, this container has list of default supported encryption types, in krbDefaultEncSaltTypes. Fetch krbDefaultEncSaltTypes value on ipa-sam initialization and convert discovered list to the mask of supported encryption types according to security.idl from Samba: typedef [public,bitmap32bit] bitmap { KERB_ENCTYPE_DES_CBC_CRC = 0x00000001, KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002, KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004, KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008, KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010 } kerb_EncTypes; Part of https://fedorahosted.org/freeipa/ticket/3898 
We store Kerberos realm configuration in cn=REALM,cn=kerberos,$SUFFIX.
Along other configuration options, this container has list of default
supported encryption types, in krbDefaultEncSaltTypes.

Fetch krbDefaultEncSaltTypes value on ipa-sam initialization and convert
discovered list to the mask of supported encryption types according to
security.idl from Samba:
        typedef [public,bitmap32bit] bitmap {
                KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
                KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
                KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
                KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
                KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
        } kerb_EncTypes;

Part of https://fedorahosted.org/freeipa/ticket/3898
ipa-sam: do not leak LDAPMessage on ipa-sam initialization 2013-09-20T07:59:02+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-09-09T12:52:17+00:00 860a3ff6477db1004773742e019603032239991e We used to handle some of code paths to free memory allocated by the LDAP library but there are few more unhandled. In addition, search result wasn't freed on successful initialization, leaking for long time. https://fedorahosted.org/freeipa/ticket/3913 
We used to handle some of code paths to free memory allocated by the LDAP library
but there are few more unhandled. In addition, search result wasn't freed on successful
initialization, leaking for long time.

https://fedorahosted.org/freeipa/ticket/3913