freeipa.git/daemons/ipa-slapi-plugins, branch ipasam_getkeytab FreeIPA patches Improve keytab code to select the right principal. 2015-12-02T22:48:47+00:00 Simo Sorce simo@redhat.com 2015-12-02T20:20:42+00:00 e13bb47a9e3673bb7af627bfb2bc59476552947e Whe requesting a keytab the salt used is the NORMAL type (for backwards and AD compatibility), however since we added alias support we need to search for the krbCanonicalName in preference, hen nothing is specified, and for the requested principal name when a getkeytab operation is performed. This is so that the correct salt can be applied. (Windows AD uses some peculiar aliases for some special accounts to generate the salt). Signed-off-by: Simo Sorce <simo@redhat.com> 
Whe requesting a keytab the salt used is the NORMAL type (for backwards and AD
compatibility), however since we added alias support we need to search for the
krbCanonicalName in preference, hen nothing is specified, and for the requested
principal name when a getkeytab operation is performed. This is so that the
correct salt can be applied. (Windows AD uses some peculiar aliases for some
special accounts to generate the salt).

Signed-off-by: Simo Sorce <simo@redhat.com>
Disable User's ability to use the setkeytab exop. 2015-12-02T21:14:03+00:00 Simo Sorce simo@redhat.com 2015-11-24T19:02:01+00:00 9ffd619f8c278d72d55aacae2667ddb28eab6d0e Users can still obtain a keytab for themselves using the getkeytab exop which does not circumvent password policy checks. Users are disallowed from using setkeytab by default in new installations but not in existing installations (no forced upgrade). Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5485 
Users can still obtain a keytab for themselves using the getkeytab exop
which does not circumvent password policy checks.

Users are disallowed from using setkeytab by default in new installations
but not in existing installations (no forced upgrade).

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5485
Introduce option to disable the SetKeytab exop 2015-12-02T21:14:03+00:00 Simo Sorce simo@redhat.com 2015-11-24T18:42:10+00:00 bde182421226bb32ab676c13a85bc95a2572f322 If DisableSetKeytab is set in ipaConfig options then setkeytab will not be available. The default is still to allow this operation for backwards compatibility towards older clients that do not know how to use the new GetKeytab extended operation. Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5485 
If DisableSetKeytab is set in ipaConfig options then setkeytab will not be
available. The default is still to allow this operation for backwards
compatibility towards older clients that do not know how to use the new
GetKeytab extended operation.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5485
Use only AES enctypes by default 2015-12-02T21:14:03+00:00 Simo Sorce simo@redhat.com 2015-11-23T18:40:42+00:00 c6264b4344021b368077ffd2fee70f8541c2953f Remove des3 and arcfour from the defaults for new installs. NOTE: the ipasam/dcerpc code sill uses arcfour Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/4740 
Remove des3 and arcfour from the defaults for new installs.

NOTE: the ipasam/dcerpc code sill uses arcfour

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/4740
cmocka_tests: Do not use deprecated cmocka interface 2015-11-18T11:54:43+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-11-12T19:43:56+00:00 75c26f9ec8d69af88bbf1d07b2c7b38d08e8d67d The cmocka-1.0 introduced new interface for tests which is not compatible with the old one. And the old interface is deprecated which caused compiled warnings. Reviewed-By: Martin Basti <mbasti@redhat.com> 
The cmocka-1.0 introduced new interface for tests
which is not compatible with the old one.
And the old interface is deprecated which caused compiled warnings.

Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa-extdom-extop: Fix warning Wformat 2015-11-13T17:37:23+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-11-13T06:51:59+00:00 be6ecac220a8182ace0c8b8444cc2ec23bcff214 In file included from ipa_extdom_extop.c:41:0: ipa_extdom_extop.c: In function ‘ipa_extdom_init_ctx’: ipa_extdom_extop.c:203:9: warning: format ‘%d’ expects argument of type ‘int’, but argument 4 has type ‘size_t {aka long unsigned int}’ [-Wformat=] LOG("Maximal nss buffer size set to [%d]!\n", ctx->max_nss_buf_size); ^ ../common/util.h:53:21: note: in definition of macro ‘LOG_PLUGIN_NAME’ fmt, ##__VA_ARGS__) ^ ipa_extdom_extop.c:203:5: note: in expansion of macro ‘LOG’ Reviewed-By: Martin Basti <mbasti@redhat.com> 
In file included from ipa_extdom_extop.c:41:0:
ipa_extdom_extop.c: In function ‘ipa_extdom_init_ctx’:
ipa_extdom_extop.c:203:9: warning: format ‘%d’ expects argument of type ‘int’,
                          but argument 4 has type ‘size_t {aka long unsigned int}’ [-Wformat=]
     LOG("Maximal nss buffer size set to [%d]!\n", ctx->max_nss_buf_size);
         ^
../common/util.h:53:21: note: in definition of macro ‘LOG_PLUGIN_NAME’
                     fmt, ##__VA_ARGS__)
                     ^
ipa_extdom_extop.c:203:5: note: in expansion of macro ‘LOG’

Reviewed-By: Martin Basti <mbasti@redhat.com>
topology: Fix warning Wshadow 2015-11-13T17:37:23+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-11-12T19:49:16+00:00 08d65f54e75948b929fa1c1e66eefb6bfd8e9334 topology_pre.c: In function ‘ipa_topo_pre_add’: topology_pre.c:509:15: warning: declaration of ‘errtxt’ shadows a previous local [-Wshadow] char *errtxt; ^ topology_pre.c:494:11: note: shadowed declaration is here char *errtxt = NULL; ^ Reviewed-By: Martin Basti <mbasti@redhat.com> 
topology_pre.c: In function ‘ipa_topo_pre_add’:
topology_pre.c:509:15: warning: declaration of ‘errtxt’ shadows a previous local [-Wshadow]
         char *errtxt;
               ^
topology_pre.c:494:11: note: shadowed declaration is here
     char *errtxt  = NULL;
           ^

Reviewed-By: Martin Basti <mbasti@redhat.com>
update list of managed servers when a suffix becomes managed 2015-10-30T12:47:25+00:00 Ludwig Krispenz lkrispen@redhat.com 2015-10-30T08:44:21+00:00 3f70c9aed7d1357ac5031b8f8b48af320acba567 when a suffix becomes managed for a host, the host needs to be added to the managed servers, otherwise connectivity check would fail Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> 
    when a suffix becomes managed for a host, the host needs to
    be added to the managed servers, otherwise connectivity check would fail

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
reject agreement only if both ends are managed 2015-10-30T12:47:25+00:00 Ludwig Krispenz lkrispen@redhat.com 2015-08-24T11:29:35+00:00 22a999267c328bab7fd1d29434ac992f4b02e6c6 the creation or deletion of a replication agreemet is rejected if the servers are managed for the suffix. But bot endpoints need to checked Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> 
the creation or deletion of a replication agreemet is rejected if the
servers are managed for the suffix. But bot endpoints need to checked

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
handle cleaning of RUV in the topology plugin 2015-10-26T17:11:32+00:00 Ludwig Krispenz lkrispen@redhat.com 2015-10-23T12:18:48+00:00 26bfc914d97f8698f294967e9812b0a7ebc4bce6 After removing a server the replicaid needs to be cleared in the ruv entry and in the changelog. This was triggere by initiating a cleanallruv task in "ipa-replica-manage del", but the removal of a master already triggers a cleanup of segments and replication agreement by the topology plugin, so this could be handled by the plugin as well. Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> 
    After removing a server the replicaid needs to be cleared in the ruv entry and
    in the changelog.
    This was triggere by initiating a cleanallruv task in "ipa-replica-manage del",
    but the removal of a master already triggers a cleanup of segments and replication
    agreement by the topology plugin, so this could be handled by the plugin as well.

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>