freeipa.git/daemons, branch ipasam_getkeytab FreeIPA patches Convert ipa-sam to use the new getkeytab control 2015-12-03T13:19:14+00:00 Simo Sorce simo@redhat.com 2015-12-01T18:43:35+00:00 b384d65b20f88c11ac9dd637ea54ea35bbe636a6 Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5495 
Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5495
Improve keytab code to select the right principal. 2015-12-02T22:48:47+00:00 Simo Sorce simo@redhat.com 2015-12-02T20:20:42+00:00 e13bb47a9e3673bb7af627bfb2bc59476552947e Whe requesting a keytab the salt used is the NORMAL type (for backwards and AD compatibility), however since we added alias support we need to search for the krbCanonicalName in preference, hen nothing is specified, and for the requested principal name when a getkeytab operation is performed. This is so that the correct salt can be applied. (Windows AD uses some peculiar aliases for some special accounts to generate the salt). Signed-off-by: Simo Sorce <simo@redhat.com> 
Whe requesting a keytab the salt used is the NORMAL type (for backwards and AD
compatibility), however since we added alias support we need to search for the
krbCanonicalName in preference, hen nothing is specified, and for the requested
principal name when a getkeytab operation is performed. This is so that the
correct salt can be applied. (Windows AD uses some peculiar aliases for some
special accounts to generate the salt).

Signed-off-by: Simo Sorce <simo@redhat.com>
Allow to specify Kerberos authz data type per user 2015-12-02T21:14:03+00:00 Simo Sorce simo@redhat.com 2015-11-24T23:01:52+00:00 66c5082caaba5bbcbab7e3ca6ae7ef2f6c786e43 Like for services setting the ipaKrbAuthzData attribute on a user object will allow us to control exactly what authz data is allowed for that user. Setting NONE would allow no authz data, while setting MS-PAC would allow only Active Directory compatible data. Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/2579 
Like for services setting the ipaKrbAuthzData attribute on a user object will
allow us to control exactly what authz data is allowed for that user.
Setting NONE would allow no authz data, while setting MS-PAC would allow only
Active Directory compatible data.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/2579
Allow admins to disable preauth for SPNs. 2015-12-02T21:14:03+00:00 Simo Sorce simo@redhat.com 2015-11-24T20:39:08+00:00 0815bec62f30850e7343e03fb26cc591a8666637 Some legacy softare is not able to properly cope with preauthentication, allow the admins to disable the requirement to use preauthentication for all Service Principal Names if they so desire. IPA Users are excluded, for users, which use password of lessere entrpy, preauthentication is always required by default. This setting does NOT override explicit policies set on service principals or in the global policy, it only affects the default. Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/3860 
Some legacy softare is not able to properly cope with preauthentication,
allow the admins to disable the requirement to use preauthentication for
all Service Principal Names if they so desire. IPA Users are excluded,
for users, which use password of lessere entrpy, preauthentication is
always required by default.

This setting does NOT override explicit policies set on service principals
or in the global policy, it only affects the default.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/3860
Disable User's ability to use the setkeytab exop. 2015-12-02T21:14:03+00:00 Simo Sorce simo@redhat.com 2015-11-24T19:02:01+00:00 9ffd619f8c278d72d55aacae2667ddb28eab6d0e Users can still obtain a keytab for themselves using the getkeytab exop which does not circumvent password policy checks. Users are disallowed from using setkeytab by default in new installations but not in existing installations (no forced upgrade). Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5485 
Users can still obtain a keytab for themselves using the getkeytab exop
which does not circumvent password policy checks.

Users are disallowed from using setkeytab by default in new installations
but not in existing installations (no forced upgrade).

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5485
Introduce option to disable the SetKeytab exop 2015-12-02T21:14:03+00:00 Simo Sorce simo@redhat.com 2015-11-24T18:42:10+00:00 bde182421226bb32ab676c13a85bc95a2572f322 If DisableSetKeytab is set in ipaConfig options then setkeytab will not be available. The default is still to allow this operation for backwards compatibility towards older clients that do not know how to use the new GetKeytab extended operation. Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5485 
If DisableSetKeytab is set in ipaConfig options then setkeytab will not be
available. The default is still to allow this operation for backwards
compatibility towards older clients that do not know how to use the new
GetKeytab extended operation.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5485
Use only AES enctypes by default 2015-12-02T21:14:03+00:00 Simo Sorce simo@redhat.com 2015-11-23T18:40:42+00:00 c6264b4344021b368077ffd2fee70f8541c2953f Remove des3 and arcfour from the defaults for new installs. NOTE: the ipasam/dcerpc code sill uses arcfour Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/4740 
Remove des3 and arcfour from the defaults for new installs.

NOTE: the ipasam/dcerpc code sill uses arcfour

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/4740
FIX: ipa_kdb_principals: add missing break statement 2015-11-30T16:34:02+00:00 Martin Basti mbasti@redhat.com 2015-11-30T15:42:30+00:00 21f7584f9f44fdc3dee0f9d038f31edd8ee1aab2 Needs a 'break' otherwise prevents correct reporting of data and it always overrides it with the placeholder data. Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Needs a 'break' otherwise prevents correct reporting of data and it always overrides
it with the placeholder data.

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Return default TL_DATA is krbExtraData is missing 2015-11-25T13:12:11+00:00 Simo Sorce simo@redhat.com 2015-11-24T22:08:51+00:00 0f52eddd1d2781ccc1941c191e9ab6e3ccf6919d Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/937 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/937
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
ipasam: fix a use-after-free issue 2015-11-23T13:45:54+00:00 Sumit Bose sbose@redhat.com 2015-11-18T11:34:49+00:00 657cf958c6fc6767d09cfbd2d84046d5b84e9f80 Since endptr points to a location inside of dummy, dummy should be freed only after dereferencing endptr. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Since endptr points to a location inside of dummy, dummy should be freed
only after dereferencing endptr.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>