freeipa.git/daemons, branch mspac FreeIPA patches mspac: Add support for UPN_DNS_INFO buffer 2013-10-10T14:20:02+00:00 Simo Sorce simo@redhat.com 2013-10-10T00:34:14+00:00 251f36c38dd636f3406cd8ef1b9affee841c70bd Fill up a upn_dns_info buffer and adds it to the pac. 
Fill up a upn_dns_info buffer and adds it to the pac.
mspac: Split retrieval of basic account data 2013-10-10T14:20:02+00:00 Simo Sorce simo@redhat.com 2013-10-10T00:32:18+00:00 a9cb481cd1aa1633d725e6bd9e60d5914b31c390 Split ipadb_fill_info3 in 2 functions: - one that retrieves basic account data and optionally fakes up some of the data - the other just fills info3 based on the input data as the name says 
Split ipadb_fill_info3 in 2 functions:
- one that retrieves basic account data and optionally fakes up some of
the data
- the other just fills info3 based on the input data as the name says
Use the right attribute with ipapwd_entry_checks for MagicRegen 2013-10-08T07:18:57+00:00 Sumit Bose sbose@redhat.com 2013-10-07T14:49:33+00:00 091e8fac3473e794e339b4a1a1ae819de8736af9 There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos key is available for the corresponding user. This is typically triggered by samba via the ipa_sam passdb plugin. The principal used by samba to connect to the IPA directory server has the right to modify ipaNTHash but no other password attribute. This means that the current check on the userPassword attribute is too strict for this case and leads to a failure of the whole operation. With this patch the access right on ipaNTHash are checked if no other password operations are requested. 
There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos
key is available for the corresponding user. This is typically triggered
by samba via the ipa_sam passdb plugin. The principal used by samba to
connect to the IPA directory server has the right to modify ipaNTHash
but no other password attribute. This means that the current check on
the userPassword attribute is too strict for this case and leads to a
failure of the whole operation.

With this patch the access right on ipaNTHash are checked if no other
password operations are requested.
ipa-kdb: Handle parent-child relationship for subdomains 2013-10-04T08:25:31+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-10-03T10:30:44+00:00 d228b1bd70aeebb19fbf64ee64bbd662eda19fc4 When MS-PAC information is re-initialized, record also parent-child relationship between trust root level domain and its subdomains. Use parent incoming SID black list to check if child domain is not allowed to access IPA realm. We also should really use 'cn' of the entry as domain name. ipaNTTrustPartner has different meaning on wire, it is an index pointing to the parent domain of the domain and will be 0 for top level domains or disjoint subdomains of the trust. Finally, trustdomain-enable and trustdomain-disable commands should force MS-PAC cache re-initalization in case of black list change. Trigger that by asking for cross-realm TGT for HTTP service. 
When MS-PAC information is re-initialized, record also parent-child
relationship between trust root level domain and its subdomains.

Use parent incoming SID black list to check if child domain is not
allowed to access IPA realm.

We also should really use 'cn' of the entry as domain name.
ipaNTTrustPartner has different meaning on wire, it is an index
pointing to the parent domain of the domain and will be 0 for top
level domains or disjoint subdomains of the trust.

Finally, trustdomain-enable and trustdomain-disable commands should
force MS-PAC cache re-initalization in case of black list change.
Trigger that by asking for cross-realm TGT for HTTP service.
KDC: implement transition check for trusted domains 2013-10-04T08:25:31+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-09-28T19:49:57+00:00 749111e6c2dfbb288c864a6cd2f5ac228f30bec1 When client principal requests for a ticket for a server principal and we have to perform transition, check that all three belong to either our domain or the domains we trust through forest trusts. In case all three realms (client, transition, and server) match trusted domains and our domain, issue permission to transition from client realm to server realm. Part of https://fedorahosted.org/freeipa/ticket/3909 
When client principal requests for a ticket for a server principal
and we have to perform transition, check that all three belong to either
our domain or the domains we trust through forest trusts.

In case all three realms (client, transition, and server) match
trusted domains and our domain, issue permission to transition from client
realm to server realm.

Part of https://fedorahosted.org/freeipa/ticket/3909
ipasam: for subdomains pick up defaults for missing values 2013-10-04T08:25:31+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-09-27T12:00:22+00:00 0ab40cdf6b354e8b760f604f2f94cf3c2292217e We don't store trust type, attributes, and direction for subdomains of the existing trust. Since trust is always forest level, these parameters can be added as defaults when they are missing. 
We don't store trust type, attributes, and direction for subdomains
of the existing trust. Since trust is always forest level, these parameters
can be added as defaults when they are missing.
Ensure credentials structure is initialized 2013-10-02T12:38:13+00:00 Nathaniel McCallum npmccallum@redhat.com 2013-09-25T22:04:02+00:00 1acd00487fad66983ec2716cb4ef888f8813d390 https://fedorahosted.org/freeipa/ticket/3953 
https://fedorahosted.org/freeipa/ticket/3953
CLDAP: do not read IPA domain from hostname 2013-09-27T13:06:21+00:00 Sumit Bose sbose@redhat.com 2013-09-24T08:09:26+00:00 b1cfb47dc03a49648fca7b9d5b0b041342689a88 Currently the CLDAP plugin determines the IPA domain name by reading the current host name and splitting of the domain part. But since an IPA server does not have to be in a DNS domain which has the same name as the IPA domain this may fail. The domain name was used to search the ipaNTDomainAttrs object, but since this object is unique in the tree it is sufficient to use the objectclass in the search filter. Now the IPA domain can be read from the ipaNTDomainAttrs object as well. Fixes https://fedorahosted.org/freeipa/ticket/3941 
Currently the CLDAP plugin determines the IPA domain name by reading
the current host name and splitting of the domain part. But since an IPA
server does not have to be in a DNS domain which has the same name as
the IPA domain this may fail. The domain name was used to search the
ipaNTDomainAttrs object, but since this object is unique in the tree it
is sufficient to use the objectclass in the search filter. Now the IPA
domain can be read from the ipaNTDomainAttrs object as well.

Fixes https://fedorahosted.org/freeipa/ticket/3941
ipa-sam: report supported enctypes based on Kerberos realm configuration 2013-09-20T07:59:02+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-09-10T08:56:40+00:00 a9843d6918f73c2236d0083b1e8adf54ca34eb0d We store Kerberos realm configuration in cn=REALM,cn=kerberos,$SUFFIX. Along other configuration options, this container has list of default supported encryption types, in krbDefaultEncSaltTypes. Fetch krbDefaultEncSaltTypes value on ipa-sam initialization and convert discovered list to the mask of supported encryption types according to security.idl from Samba: typedef [public,bitmap32bit] bitmap { KERB_ENCTYPE_DES_CBC_CRC = 0x00000001, KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002, KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004, KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008, KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010 } kerb_EncTypes; Part of https://fedorahosted.org/freeipa/ticket/3898 
We store Kerberos realm configuration in cn=REALM,cn=kerberos,$SUFFIX.
Along other configuration options, this container has list of default
supported encryption types, in krbDefaultEncSaltTypes.

Fetch krbDefaultEncSaltTypes value on ipa-sam initialization and convert
discovered list to the mask of supported encryption types according to
security.idl from Samba:
        typedef [public,bitmap32bit] bitmap {
                KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
                KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
                KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
                KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
                KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
        } kerb_EncTypes;

Part of https://fedorahosted.org/freeipa/ticket/3898
ipa-sam: do not leak LDAPMessage on ipa-sam initialization 2013-09-20T07:59:02+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-09-09T12:52:17+00:00 860a3ff6477db1004773742e019603032239991e We used to handle some of code paths to free memory allocated by the LDAP library but there are few more unhandled. In addition, search result wasn't freed on successful initialization, leaking for long time. https://fedorahosted.org/freeipa/ticket/3913 
We used to handle some of code paths to free memory allocated by the LDAP library
but there are few more unhandled. In addition, search result wasn't freed on successful
initialization, leaking for long time.

https://fedorahosted.org/freeipa/ticket/3913