freeipa.git/ipaserver, branch fix_ber_scanf FreeIPA patches Add container environment check to replicainstall 2019-09-16T07:44:52+00:00 Tibor Dudlák tdudlak@redhat.com 2019-09-10T16:54:53+00:00 f1e20b45c5deeb25989c87a2d717bda5a31bb084 Inside the container environment master's IP address does not resolve to its name. Resolves: https://pagure.io/freeipa/issue/6210 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Inside the container environment master's IP address
does not resolve to its name.

Resolves: https://pagure.io/freeipa/issue/6210
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
adtrust: add default read_keys permission for TDO objects 2019-09-12T14:17:53+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-09-12T08:21:51+00:00 0be98884991ff14720dfce428e4f23ebc4a42311 If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys attribute values, it cannot be used by SSSD to retrieve TDO keys and the whole communication with Active Directory domain controllers will not be possible. This seems to affect trusts which were created before ipaAllowedToPerform;read_keys permission granting was introduced (FreeIPA 4.2). Add back the default setting for the permissions which grants access to trust agents and trust admins. Resolves: https://pagure.io/freeipa/issue/8067 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.

This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permissions which
grants access to trust agents and trust admins.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
add default access control when migrating trust objects 2019-09-12T14:17:53+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-09-10T10:39:39+00:00 9aeb6bae23dc21b97dbd784f8d954ee0dcde1d8f It looks like for some cases we do not have proper set up keytab retrieval configuration in the old trusted domain object. This mostly affects two-way trust cases. In such cases, create default configuration as ipasam would have created when trust was established. Resolves: https://pagure.io/freeipa/issue/8067 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
It looks like for some cases we do not have proper set up keytab
retrieval configuration in the old trusted domain object. This mostly
affects two-way trust cases. In such cases, create default configuration
as ipasam would have created when trust was established.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Modify webUI to adhere to new IPA server API 2019-09-10T09:33:21+00:00 Changmin Teng cteng@redhat.com 2019-07-29T15:10:31+00:00 b66e8a1ee295e11e286979a0bd9ce303cbab2aa5 Given the changes in IPA server API changes, whebUI is modified to utilize new authentication indicators, and disabled custom indicators for services' white list. Resolves: https://pagure.io/freeipa/issue/8001 Signed-off-by: Changmin Teng <cteng@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
Given the changes in IPA server API changes, whebUI is modified to
utilize new authentication indicators, and disabled custom indicators
for services' white list.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Move certauth configuration into a server krb5.conf template 2019-09-10T09:33:21+00:00 Robbie Harwood rharwood@redhat.com 2019-04-11T22:11:06+00:00 39e3704a0679d117f5145044e73726175a8f600b Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Extend the list of supported pre-auth mechanisms in IPA server API 2019-09-10T09:33:21+00:00 Changmin Teng cteng@redhat.com 2019-07-29T15:00:35+00:00 d0570404ef5a79dfc08d7959d21e9e4843973faf As new authentication indicators implemented, we also modified server API to support those new values. Also, "krbprincipalauthind" attribute is modified to use a pre-defined set of values instead of arbitrary strings. Resolves: https://pagure.io/freeipa/issue/8001 Signed-off-by: Changmin Teng <cteng@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
As new authentication indicators implemented, we also modified server
API to support those new values. Also, "krbprincipalauthind" attribute
is modified to use a pre-defined set of values instead of arbitrary
strings.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
adtrust: avoid using timestamp in klist output 2019-09-10T09:25:07+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-09-09T08:02:29+00:00 80e4c18b75af989d5839aba7e6a1efc06da16f81 When parsing a keytab to copy keys to a different keytab, we don't need the timestamp, so don't ask klist to output it. In some locales (en_IN, for example), the timestamp is output in a single field without a space between date and time. In other locales it can be represented with date and time separated by a space. Fixes: https://pagure.io/freeipa/issue/8066 Reviewed-By: Thomas Woerner <twoerner@redhat.com> 
When parsing a keytab to copy keys to a different keytab, we don't need
the timestamp, so don't ask klist to output it. In some locales (en_IN,
for example), the timestamp is output in a single field without a space
between date and time. In other locales it can be represented with date
and time separated by a space.

Fixes: https://pagure.io/freeipa/issue/8066
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Add missing timeout option to logging statement 2019-09-05T07:15:23+00:00 Rob Crittenden rcritten@redhat.com 2019-09-04T15:22:17+00:00 5db48f151ba4aef2baebc40a4d357403a922d362 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Log dogtag auth timeout in install, provide hint to increase it 2019-09-04T12:52:14+00:00 Rob Crittenden rcritten@redhat.com 2019-07-05T18:15:32+00:00 adf2eab26309fb3ce0c2e2dbb0593f64bcd3d475 There is a loop which keeps trying to bind as the admin user which will fail until it is replicated. In the case where there is a lot to replicate the default 5 minute timeout may be insufficient. Provide a hint for tuning. Fixes: https://pagure.io/freeipa/issue/7971 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
There is a loop which keeps trying to bind as the admin user
which will fail until it is replicated.

In the case where there is a lot to replicate the default
5 minute timeout may be insufficient. Provide a hint for
tuning.

Fixes: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Log the replication wait timeout for debugging purposes 2019-09-04T12:52:14+00:00 Rob Crittenden rcritten@redhat.com 2019-07-05T18:14:53+00:00 54035982e5850ec59611798a9e172a044969106f Related: https://pagure.io/freeipa/issue/7971 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>