freeipa.git/daemons, branch cakeysfix FreeIPA patches ipa-otpd.socket.in: Use a platform specific value for KDC service file 2017-04-12T14:17:51+00:00 Timo Aaltonen tjaalton@debian.org 2017-03-31T23:18:15+00:00 076eb409a032cbd689f1d5e298c1009e80168e34 https://pagure.io/freeipa/issue/6845 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
https://pagure.io/freeipa/issue/6845

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Fix PKCS11 helper 2017-04-12T07:54:10+00:00 Martin Basti mbasti@redhat.com 2017-03-29T16:53:11+00:00 e8f2a415b3dcba30b0c39cd542acd6b459f46957 Slots in HSM are not assigned statically, we have to chose proper slot from token label. Softhsm i2.2.0 changed this behavior and now slots can change over time (it is allowed by pkcs11 standard). Changelog: * created method get_slot() that returns slot number from used label * replaces usage of slot in __init__ method of P11_Helper with label * slot is dynamically detected from token label before session is opened * pkcs11-util --init-token now uses '--free' instead '--slot' which uses first free slot (we don't care about slot numbers anymore) https://pagure.io/freeipa/issue/6692 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Slots in HSM are not assigned statically, we have to chose proper
slot from token label.

Softhsm i2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).

Changelog:
* created method get_slot() that returns slot number from
  used label
* replaces usage of slot in __init__ method of P11_Helper
  with label
* slot is dynamically detected from token label before
  session is opened
* pkcs11-util --init-token now uses '--free' instead '--slot'
  which uses first free slot (we don't care about slot numbers
  anymore)

https://pagure.io/freeipa/issue/6692

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Fix s4u2self with adtrust 2017-04-12T07:46:43+00:00 Simo Sorce simo@redhat.com 2017-04-10T19:32:54+00:00 e88d5e815ea440bcef4acdc5f8fcb3a29e6eaec9 When ADtrust is installed we add a PAC to all tickets, during protocol transition we need to generate a new PAC for the requested user ticket, not check the existing PAC on the requestor ticket. https://pagure.io/freeipa/issue/6862 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
When ADtrust is installed we add a PAC to all tickets, during protocol
transition we need to generate a new PAC for the requested user ticket,
not check the existing PAC on the requestor ticket.

https://pagure.io/freeipa/issue/6862

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-sam: create the gidNumber attribute in the trusted domain entry 2017-04-07T10:38:35+00:00 Florence Blanc-Renaud flo@redhat.com 2017-03-21T16:33:20+00:00 e052c2dce04f5ce147dc2b6804f44705fa4d69df When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache. The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache. Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com. https://pagure.io/freeipa/issue/6827 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
When a trusted domain entry is created, the uidNumber attribute is created
but not the gidNumber attribute. This causes samba to log
	Failed to find a Unix account for DOM-AD$
because the samu structure does not contain a group_sid and is not put
in the cache.
The fix creates the gidNumber attribute in the trusted domain entry,
and initialises the group_sid field in the samu structure returned
by ldapsam_getsampwnam. This ensures that the entry is put in the cache.

Note that this is only a partial fix for 6660 as it does not prevent
_netr_ServerAuthenticate3 from failing with the log
	_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com.

https://pagure.io/freeipa/issue/6827

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
IPA-KDB: use relative path in ipa-certmap config snippet 2017-04-05T07:30:41+00:00 Sumit Bose sbose@redhat.com 2017-03-29T13:46:50+00:00 6c2772dde52c84024d32533b29e6cbd04c69924a Architecture specific paths should be avoided in the global Kerberos configuration because it is read e.g. by 32bit and 64bit libraries they are installed in parallel. Resolves https://pagure.io/freeipa/issue/6833 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Architecture specific paths should be avoided in the global Kerberos
configuration because it is read e.g. by 32bit and 64bit libraries they
are installed in parallel.

Resolves https://pagure.io/freeipa/issue/6833

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
extdom: improve cert request 2017-03-28T16:21:18+00:00 Sumit Bose sbose@redhat.com 2017-03-17T13:48:50+00:00 8960398a57f69c124ec3105289dc355baa0d5b09 Certificates can be assigned to multiple user so the extdom plugin must use sss_nss_getlistbycert() instead of sss_nss_getnamebycert() and return a list of fully-qualified user names. Due to issues on the SSSD side the current version of lookups by certificates didn't work at all and the changes here won't break existing clients. Related to https://pagure.io/freeipa/issue/6826 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com> 
Certificates can be assigned to multiple user so the extdom plugin must
use sss_nss_getlistbycert() instead of sss_nss_getnamebycert() and
return a list of fully-qualified user names.

Due to issues on the SSSD side the current version of lookups by
certificates didn't work at all and the changes here won't break
existing clients.

Related to https://pagure.io/freeipa/issue/6826

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
extdom: do reverse search for domain separator 2017-03-28T16:21:18+00:00 Sumit Bose sbose@redhat.com 2017-03-17T13:10:52+00:00 ee455f163d756a6b71db8e999365139cad46c6ad To avoid issues which @-signs in the short user or group names it is better to search for the domain separator starting at the end of the fully-qualified name. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com> 
To avoid issues which @-signs in the short user or group names it is
better to search for the domain separator starting at the end of the
fully-qualified name.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
ipa-kdb: do not depend on certauth_plugin.h 2017-03-27T15:57:28+00:00 Sumit Bose sbose@redhat.com 2017-03-27T11:19:57+00:00 0ba0c0781367d8e2d4affca29e3cf5ab93c4c33a Related to https://pagure.io/freeipa/issue/4905 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Related to https://pagure.io/freeipa/issue/4905

Reviewed-By: Christian Heimes <cheimes@redhat.com>
IPA certauth plugin 2017-03-27T07:52:57+00:00 Sumit Bose sbose@redhat.com 2017-02-02T11:32:13+00:00 c4156041feb9c48598427ad59e43313b9c7327bb This patch add a certauth plugin which allows the IPA server to support PKINIT for certificates which do not include a special SAN extension which contains a Kerberos principal but allow other mappings with the help of SSSD's certmap library. Related to https://pagure.io/freeipa/issue/4905 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com> 
This patch add a certauth plugin which allows the IPA server to support
PKINIT for certificates which do not include a special SAN extension
which contains a Kerberos principal but allow other mappings with the
help of SSSD's certmap library.

Related to https://pagure.io/freeipa/issue/4905

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
ipa-kdb: add ipadb_fetch_principals_with_extra_filter() 2017-03-27T07:52:57+00:00 Sumit Bose sbose@redhat.com 2017-02-15T11:09:20+00:00 da880decfedc66f9d0d2734dcb86c23a8866f603 Additionally make ipadb_find_principal public. Related to https://pagure.io/freeipa/issue/4905 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com> 
Additionally make ipadb_find_principal public.

Related to https://pagure.io/freeipa/issue/4905

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>