freeipa.git/ipalib/plugins, branch mspac FreeIPA patches ipa-kdb: Handle parent-child relationship for subdomains 2013-10-04T08:25:31+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-10-03T10:30:44+00:00 d228b1bd70aeebb19fbf64ee64bbd662eda19fc4 When MS-PAC information is re-initialized, record also parent-child relationship between trust root level domain and its subdomains. Use parent incoming SID black list to check if child domain is not allowed to access IPA realm. We also should really use 'cn' of the entry as domain name. ipaNTTrustPartner has different meaning on wire, it is an index pointing to the parent domain of the domain and will be 0 for top level domains or disjoint subdomains of the trust. Finally, trustdomain-enable and trustdomain-disable commands should force MS-PAC cache re-initalization in case of black list change. Trigger that by asking for cross-realm TGT for HTTP service. 
When MS-PAC information is re-initialized, record also parent-child
relationship between trust root level domain and its subdomains.

Use parent incoming SID black list to check if child domain is not
allowed to access IPA realm.

We also should really use 'cn' of the entry as domain name.
ipaNTTrustPartner has different meaning on wire, it is an index
pointing to the parent domain of the domain and will be 0 for top
level domains or disjoint subdomains of the trust.

Finally, trustdomain-enable and trustdomain-disable commands should
force MS-PAC cache re-initalization in case of black list change.
Trigger that by asking for cross-realm TGT for HTTP service.
trust: integrate subdomains support into trust-add 2013-10-04T08:25:31+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-09-27T10:39:57+00:00 f734988e24012bccdc5f982d56795213f9733f84 






ipaserver/dcerpc: remove use of trust account authentication
2013-10-04T08:25:31+00:00

Alexander Bokovoy
abokovoy@redhat.com

2013-09-27T10:36:59+00:00

a87813bf420c19a99b1a19711e63d231cd4afd86

Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal,
it is possible to use it when talking to the trusted AD DC.

Remove support for authenticating as trust account because it should not
really be used other than within Samba.





Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal,
it is possible to use it when talking to the trusted AD DC.

Remove support for authenticating as trust account because it should not
really be used other than within Samba.







trusts: support subdomains in a forest
2013-10-04T08:25:31+00:00

Alexander Bokovoy
abokovoy@redhat.com

2013-09-18T15:04:19+00:00

0b29bfde0df92ed0a61b5ce099295c0b0c6495d4

Add IPA CLI to manage trust domains.

ipa trust-fetch-domains <trust>      -- fetch list of subdomains from AD side and add new ones to IPA
ipa trustdomain-find <trust>         -- show all available domains
ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust>
ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA
ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain

By default all discovered trust domains are allowed to access IPA resources

IPA KDC needs also information for authentication paths to subdomains in case they
are not hierarchical under AD forest trust root. This information is managed via capaths
section in krb5.conf. SSSD should be able to generate it once
ticket https://fedorahosted.org/sssd/ticket/2093 is resolved.

part of https://fedorahosted.org/freeipa/ticket/3909





Add IPA CLI to manage trust domains.

ipa trust-fetch-domains <trust>      -- fetch list of subdomains from AD side and add new ones to IPA
ipa trustdomain-find <trust>         -- show all available domains
ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust>
ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA
ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain

By default all discovered trust domains are allowed to access IPA resources

IPA KDC needs also information for authentication paths to subdomains in case they
are not hierarchical under AD forest trust root. This information is managed via capaths
section in krb5.conf. SSSD should be able to generate it once
ticket https://fedorahosted.org/sssd/ticket/2093 is resolved.

part of https://fedorahosted.org/freeipa/ticket/3909







Do not add trust to AD in case of IPA realm-domain mismatch
2013-10-03T10:01:56+00:00

Tomas Babej
tbabej@redhat.com

2013-09-18T10:55:19+00:00

8ebb76177dbe675b281a4c06fabd4d27b2dffd7c

Make sure that trust-add command fails when admin attempts
to add an Active Directory trust when the realm name and
the domain name of the IPA server do not match.

https://fedorahosted.org/freeipa/ticket/3923





Make sure that trust-add command fails when admin attempts
to add an Active Directory trust when the realm name and
the domain name of the IPA server do not match.

https://fedorahosted.org/freeipa/ticket/3923







Use correct super-calls in get_args() methods
2013-10-02T14:09:07+00:00

Petr Viktorin
pviktori@redhat.com

2013-10-02T13:16:38+00:00

295ce7bf18510efbe7d170887eb4e6956d3db035

The get_args methods in ipalib.crud and ipalib.plugins.baseldap used
super() calls that skipped some of the classes in the inheritance
chain, and contained code that reimplemented some of the skipped
functionality.
This made it difficult to customize the get_args behavior.

Use proper super() calls.





The get_args methods in ipalib.crud and ipalib.plugins.baseldap used
super() calls that skipped some of the classes in the inheritance
chain, and contained code that reimplemented some of the skipped
functionality.
This made it difficult to customize the get_args behavior.

Use proper super() calls.







Fix service-disable in CA-less install.
2013-08-29T08:18:32+00:00

Jan Cholasta
jcholast@redhat.com

2013-08-29T06:44:43+00:00

7c66912824fbc2a4a2d1daf603b204fd7321bd8f

https://fedorahosted.org/freeipa/ticket/3886





https://fedorahosted.org/freeipa/ticket/3886







Fix tests which fail after ipa-adtrust-install
2013-08-28T14:45:57+00:00

Ana Krivokapic
akrivoka@redhat.com

2013-08-20T13:34:39+00:00

196c4b5f53c5ae9d6a471ed2da1eea4d78746fcb

Some unit tests were failing after ipa-adtrust-install has been run on the
IPA server, due to missing attributes ('ipantsecurityidentifier') and
objectclasses ('ipantuserattrs' and 'ipantgroupattrs'). This patch detects if
ipa-adtrust-install has been run, and adds missing attributes and objectclasses
where appropriate.

https://fedorahosted.org/freeipa/ticket/3852





Some unit tests were failing after ipa-adtrust-install has been run on the
IPA server, due to missing attributes ('ipantsecurityidentifier') and
objectclasses ('ipantuserattrs' and 'ipantgroupattrs'). This patch detects if
ipa-adtrust-install has been run, and adds missing attributes and objectclasses
where appropriate.

https://fedorahosted.org/freeipa/ticket/3852







Fix incorrect error message occurence when re-adding the trust
2013-08-27T15:01:37+00:00

Tomas Babej
tbabej@redhat.com

2013-08-23T11:06:52+00:00

e68bef0b1ce3786f896689975c78ffc61f4db970

You cannot re-add the trust and modify the range in the process.
The check in the code was malfunctioning since it assumed that
range_size parameter has default value. However, default value
is assigned only later in the add_range function.

https://fedorahosted.org/freeipa/ticket/3870





You cannot re-add the trust and modify the range in the process.
The check in the code was malfunctioning since it assumed that
range_size parameter has default value. However, default value
is assigned only later in the add_range function.

https://fedorahosted.org/freeipa/ticket/3870







Add base-id, range-size and range-type options to trust-add dialog
2013-08-22T13:23:56+00:00

Petr Vobornik
pvoborni@redhat.com

2013-08-15T10:31:32+00:00

ca0d959df8020c4e5c7bf9dd5d27556158e7191d

https://fedorahosted.org/freeipa/ticket/3049





https://fedorahosted.org/freeipa/ticket/3049