freeipa.git/ipaserver, branch kdc-fixes FreeIPA patches dcerpc: Simplify generation of LSA-RPC binding strings 2015-08-07T16:06:02+00:00 Tomas Babej tbabej@redhat.com 2015-08-07T16:03:48+00:00 c906784ded416eec70704a07e3923601fe509927 https://fedorahosted.org/freeipa/ticket/5183 Reviewed-By: Tomas Babej <tbabej@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5183

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Fix selector of protocol for LSA RPC binding string 2015-08-07T15:55:48+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-08-05T18:33:45+00:00 ee377a20cd842f03ff263e21b00267732a9fe3dc For Windows Server 2012R2 and others which force SMB2 protocol use we have to specify right DCE RPC binding options. For using SMB1 protocol we have to omit specifying SMB2 protocol and anything else or otherwise SMB1 would be considered a pipe to connect to. This is by design of a binding string format. https://fedorahosted.org/freeipa/ticket/5183 Reviewed-By: Tomas Babej <tbabej@redhat.com> 
For Windows Server 2012R2 and others which force SMB2 protocol use
we have to specify right DCE RPC binding options.

For using SMB1 protocol we have to omit specifying SMB2 protocol and
anything else or otherwise SMB1 would be considered a pipe to connect
to. This is by design of a binding string format.

https://fedorahosted.org/freeipa/ticket/5183

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Modernize number literals 2015-07-31T13:22:19+00:00 Petr Viktorin pviktori@redhat.com 2015-07-15T14:38:06+00:00 b8c46f2a32d0d8c2dc6ef0867f85f63cf076a004 Use Python-3 compatible syntax, without breaking compatibility with py 2.7 - Octals literals start with 0o to prevent confusion - The "L" at the end of large int literals is not required as they use long on Python 2 automatically. - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking checking, e.g. type(0). https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Use Python-3 compatible syntax, without breaking compatibility with py 2.7

- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
  long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
  strict type checking checking, e.g. type(0).

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Replace M2Crypto RC4 with python-cryptography ARC4 2015-07-31T11:33:02+00:00 Christian Heimes cheimes@redhat.com 2015-07-21T13:18:40+00:00 a908be2785d4388e3c97c7cd543c817c527d73c9 This patch removes the dependency on M2Crypto in favor for cryptography. Cryptography is more strict about the key size and doesn't support non-standard key sizes: >>> from M2Crypto import RC4 >>> from ipaserver.dcerpc import arcfour_encrypt >>> RC4.RC4(b'key').update(b'data') 'o\r@\x8c' >>> arcfour_encrypt(b'key', b'data') Traceback (most recent call last): ... ValueError: Invalid key size (24) for RC4. Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported: >>> arcfour_encrypt(b'key12', b'data') '\xcd\xf80d' >>> RC4.RC4(b'key12').update(b'data') '\xcd\xf80d' http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4 https://fedorahosted.org/freeipa/ticket/5148 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
This patch removes the dependency on M2Crypto in favor for cryptography.
Cryptography is more strict about the key size and doesn't support
non-standard key sizes:

>>> from M2Crypto import RC4
>>> from ipaserver.dcerpc import arcfour_encrypt
>>> RC4.RC4(b'key').update(b'data')
'o\r@\x8c'
>>> arcfour_encrypt(b'key', b'data')
Traceback (most recent call last):
...
ValueError: Invalid key size (24) for RC4.

Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported:

>>> arcfour_encrypt(b'key12', b'data')
'\xcd\xf80d'
>>> RC4.RC4(b'key12').update(b'data')
'\xcd\xf80d'

http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4
https://fedorahosted.org/freeipa/ticket/5148

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
replication: Fix incorrect exception invocation 2015-07-24T09:27:22+00:00 Tomas Babej tbabej@redhat.com 2015-07-24T09:26:33+00:00 5df48d74a0b473f80f728c83b41d7660398a11a4 Reviewed-By: Tomas Babej <tbabej@redhat.com> 
Reviewed-By: Tomas Babej <tbabej@redhat.com>
dcerpc: Add get_trusted_domain_object_type method 2015-07-23T13:37:01+00:00 Tomas Babej tbabej@redhat.com 2015-07-22T12:00:37+00:00 970a5535c09f382527af212e77e842a279a7ad9b https://fedorahosted.org/freeipa/ticket/5029 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5029

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
dcerpc: Fix UnboundLocalError for ccache_name 2015-07-22T12:30:22+00:00 Tomas Babej tbabej@redhat.com 2015-07-22T12:29:35+00:00 cf59981cc2c6bb13c286188aa27cb10a49ff4a5e Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
dcerpc: Expand explanation for WERR_ACCESS_DENIED 2015-07-21T17:10:06+00:00 Tomas Babej tbabej@redhat.com 2015-07-15T13:38:50+00:00 1299c60a83ccaf669abd74d35845f8c321e4ed5e It's possible for AD to contact a wrong IPA server in case the DNS SRV records on the AD sides are not properly configured. Mention this case in the error message as well. https://fedorahosted.org/freeipa/ticket/5013 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
It's possible for AD to contact a wrong IPA server in case the DNS
SRV records on the AD sides are not properly configured.

Mention this case in the error message as well.

https://fedorahosted.org/freeipa/ticket/5013

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
DNS: check if DNS package is installed 2015-07-21T15:30:10+00:00 Martin Basti mbasti@redhat.com 2015-07-01T13:05:45+00:00 92828d3cf50e00fe75ebf3ec9e0edc8b9c8eae35 Instead of separate checking of DNS required packages, we need just check if IPA DNS package is installed. https://fedorahosted.org/freeipa/ticket/4058 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com> 
Instead of separate checking of DNS required packages, we need just
check if IPA DNS package is installed.

https://fedorahosted.org/freeipa/ticket/4058

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Py3: replace tab with space 2015-07-17T15:19:51+00:00 Martin Basti mbasti@redhat.com 2015-07-17T11:25:32+00:00 c6c84faecf5b7017c0d648d76ba0db4a2eba2f03 python3 does not allow to mix spaces and tabs Reviewed-By: Christian Heimes <cheimes@redhat.com> 
python3 does not allow to mix spaces and tabs

Reviewed-By: Christian Heimes <cheimes@redhat.com>