freeipa.git/daemons/ipa-sam, branch review FreeIPA patches Convert ipa-sam to use the new getkeytab control 2015-12-09T19:59:12+00:00 Simo Sorce simo@redhat.com 2015-12-01T18:43:35+00:00 6e31ab4b62d0fc6f2b2bef79d7914d7c06cac49c Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5495 
Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5495
ipasam: fix a use-after-free issue 2015-11-23T13:45:54+00:00 Sumit Bose sbose@redhat.com 2015-11-18T11:34:49+00:00 657cf958c6fc6767d09cfbd2d84046d5b84e9f80 Since endptr points to a location inside of dummy, dummy should be freed only after dereferencing endptr. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Since endptr points to a location inside of dummy, dummy should be freed
only after dereferencing endptr.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipasam: use more restrictive search filter for group lookup 2015-11-23T13:45:54+00:00 Sumit Bose sbose@redhat.com 2015-11-18T11:31:26+00:00 99cfc979d51213007569b51e48f43c99780148eb Since we are interested in looking up the SID of a group it makes sense to include the objectclass which contains the SID attribute in the search filter. This makes sure the group is not accidentally found a second time in the compat tree. Related to https://fedorahosted.org/freeipa/ticket/5457 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Since we are interested in looking up the SID of a group it makes sense
to include the objectclass which contains the SID attribute in the
search filter. This makes sure the group is not accidentally found a
second time in the compat tree.

Related to https://fedorahosted.org/freeipa/ticket/5457

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipasam: fix wrong usage of talloc_new() 2015-11-23T13:45:54+00:00 Sumit Bose sbose@redhat.com 2015-11-18T11:29:43+00:00 3d6fdab904319e38557080f7dec1d481be8f1469 Fixes https://fedorahosted.org/freeipa/ticket/5457 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Fixes https://fedorahosted.org/freeipa/ticket/5457

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
add one-way trust support to ipasam 2015-07-07T23:56:52+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-03-26T12:34:06+00:00 785f6593caf1817b84332397ca19752d3cf50c25 When trust is established, ipasam module creates a number of objects in LDAP to represent the trust information. Among them, for one-way trust we create a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest and AD is a realm of the trusted Active Directory forest root domain. This principal is then used by SSSD on IPA masters to authenticate against trusted Active Directory domain controllers and retrieve information about user and group identities. FreeIPA also uses this principal's credentials to retrieve domain topology. The access to the keys of the principal should be well-protected. We only allow to retrieve the keytab for it for members of cn=adtrust agents group. This group is populated with host/ and cifs/ principals from IPA masters. Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install on the master which will be configured to be a domain controller (e.g. run Samba with ipasam), and specify --add-agents option to trigger activation of the interactive mode to specify which IPA masters to enable. Fixes https://fedorahosted.org/freeipa/ticket/4962 Part of fixes for https://fedorahosted.org/freeipa/ticket/4546 Reviewed-By: Tomas Babej <tbabej@redhat.com> 
When trust is established, ipasam module creates a number of objects in LDAP
to represent the trust information. Among them, for one-way trust we create
a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest
and AD is a realm of the trusted Active Directory forest root domain.

This principal is then used by SSSD on IPA masters to authenticate against
trusted Active Directory domain controllers and retrieve information about
user and group identities.

FreeIPA also uses this principal's credentials to retrieve domain topology.

The access to the keys of the principal should be well-protected. We only
allow to retrieve the keytab for it for members of cn=adtrust agents group.
This group is populated with host/ and cifs/ principals from IPA masters.

Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters
where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install
on the master which will be configured to be a domain controller (e.g.
run Samba with ipasam), and specify --add-agents option to trigger activation
of the interactive mode to specify which IPA masters to enable.

Fixes https://fedorahosted.org/freeipa/ticket/4962
Part of fixes for https://fedorahosted.org/freeipa/ticket/4546

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Support Samba PASSDB 0.2.0 aka interface version 24 2015-01-19T09:21:48+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-01-12T11:36:36+00:00 d57efb74bb6ad91b029fffff39ed4e482c41f8ba 1. Samba project renamed libpdb to libsamba-passdb https://bugzilla.samba.org/show_bug.cgi?id=10355 2. With interface version 24, Samba removed uid_to_sid()/gid_to_sid() from the PASSDB interface and united them as id_to_sid(). Make sure FreeIPA ipa_sam code supports new and old versions of the PASSDB API. https://fedorahosted.org/freeipa/ticket/4778 Reviewed-By: Sumit Bose <sbose@redhat.com> 
1. Samba project renamed libpdb to libsamba-passdb
   https://bugzilla.samba.org/show_bug.cgi?id=10355

2. With interface version 24, Samba removed uid_to_sid()/gid_to_sid()
   from the PASSDB interface and united them as id_to_sid().

Make sure FreeIPA ipa_sam code supports new and old versions of
the PASSDB API.

https://fedorahosted.org/freeipa/ticket/4778

Reviewed-By: Sumit Bose <sbose@redhat.com>
Fix Kerberos error handling in ipa-sam 2014-11-25T08:23:24+00:00 Jan Cholasta jcholast@redhat.com 2014-11-10T17:40:35+00:00 eed7fb63789fb6349927e93e4cbd7b21db1a4f12 https://fedorahosted.org/freeipa/ticket/4713 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4713

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-sam: cache gid to sid and uid to sid requests in idmap cache 2014-03-12T11:19:06+00:00 Jason Woods devel@jasonwoods.me.uk 2014-03-07T16:38:24+00:00 d6a7923f71eb69bac53d6ff904086a9abd103dbc Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the directory service for gid/uid<->sid resolution. Additionally, this patch further reduces number of queries by: - fast fail on uidNumber=0 which doesn't exist in FreeIPA, - return fallback group correctly when looking up user primary group as is done during init, - checking for group objectclass in case insensitive way Patch by Jason Woods <devel@jasonwoods.me.uk> Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> https://fedorahosted.org/freeipa/ticket/4234 and https://bugzilla.redhat.com/show_bug.cgi?id=1073829 https://bugzilla.redhat.com/show_bug.cgi?id=1074314 Reviewed-By: Sumit Bose <sbose@redhat.com> 
Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the
directory service for gid/uid<->sid resolution.

Additionally, this patch further reduces number of queries by:
 - fast fail on uidNumber=0 which doesn't exist in FreeIPA,
 - return fallback group correctly when looking up user primary group as is
   done during init,
 - checking for group objectclass in case insensitive way

Patch by Jason Woods <devel@jasonwoods.me.uk>

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

https://fedorahosted.org/freeipa/ticket/4234
and
https://bugzilla.redhat.com/show_bug.cgi?id=1073829
https://bugzilla.redhat.com/show_bug.cgi?id=1074314

Reviewed-By: Sumit Bose <sbose@redhat.com>
ipasam: delete trusted child domains before removing the trust 2014-01-21T11:31:54+00:00 Alexander Bokovoy abokovoy@redhat.com 2014-01-20T14:42:48+00:00 c29211671cfd7d7734b932c8d6d70c94c849b5d1 LDAP protocol doesn't allow deleting non-leaf entries. One needs to remove all leaves first before removing the tree node. https://fedorahosted.org/freeipa/ticket/4126 
LDAP protocol doesn't allow deleting non-leaf entries. One needs to
remove all leaves first before removing the tree node.

https://fedorahosted.org/freeipa/ticket/4126
Remove CFLAGS duplication. 2013-12-06T13:44:41+00:00 Jan Cholasta jcholast@redhat.com 2013-12-06T10:47:44+00:00 5e2f7b68f0cb8e7fd6ea4f3236e84f1a8d075a13 https://fedorahosted.org/freeipa/ticket/3896 
https://fedorahosted.org/freeipa/ticket/3896