freeipa.git/ipaserver, branch mspac

Do not fail upgrade if the global anonymous read ACI is not found

2013-10-04T13:41:56+00:00

This helps forward compatibility: the anon ACI is scheduled for removal.

https://fedorahosted.org/freeipa/ticket/3956

Allow PKCS#12 files with empty password in install tools.

2013-10-04T08:27:23+00:00

https://fedorahosted.org/freeipa/ticket/3897

Read passwords from stdin when importing PKCS#12 files with pk12util.

2013-10-04T08:27:23+00:00

This works around pk12util refusing to use empty password files, which prevents
the use of PKCS#12 files with empty password.

https://fedorahosted.org/freeipa/ticket/3897

trust: integrate subdomains support into trust-add

2013-10-04T08:25:31+00:00

ipaserver/dcerpc: remove use of trust account authentication

2013-10-04T08:25:31+00:00

Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal,
it is possible to use it when talking to the trusted AD DC.

Remove support for authenticating as trust account because it should not
really be used other than within Samba.

trusts: support subdomains in a forest

2013-10-04T08:25:31+00:00

Add IPA CLI to manage trust domains.

ipa trust-fetch-domains       -- fetch list of subdomains from AD side and add new ones to IPA
ipa trustdomain-find          -- show all available domains
ipa trustdomain-del   -- remove domain from IPA view about 
ipa trustdomain-enable   -- allow users from trusted domain to access resources in IPA
ipa trustdomain-disable   -- disable access to resources in IPA from trusted domain

By default all discovered trust domains are allowed to access IPA resources

IPA KDC needs also information for authentication paths to subdomains in case they
are not hierarchical under AD forest trust root. This information is managed via capaths
section in krb5.conf. SSSD should be able to generate it once
ticket https://fedorahosted.org/sssd/ticket/2093 is resolved.

part of https://fedorahosted.org/freeipa/ticket/3909

ipaserver/dcerpc.py: populate forest trust information using realmdomains

2013-10-04T08:25:31+00:00

Use realmdomains information to prepopulate forest trust info. As result,
all additional domains should now be enabled from the beginning, unless they
really conflict with existing DNS domains on AD side.

https://fedorahosted.org/freeipa/ticket/3919

Use FQDN when creating MSDCS SRV records

2013-10-03T12:14:07+00:00

When IPA server hostname is outside of default DNS domain, instead
of relative domain name, FQDN should be used.

https://fedorahosted.org/freeipa/ticket/3908

ipa-sam: do not modify objectclass when trust object already created

2013-09-20T07:59:02+00:00

When trust is established, last step done by IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in trust object entry
which is not allowed by ACI.

Additionally, wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd which prevented even to
reach the point where ipa-sam would be asked to modify the trust object.

Do not show unexpected error in ipa-ldap-updater

2013-09-16T10:35:36+00:00

Prevent showing of unfriendly "Unexpected error" message, when providing
incorrect DM password to ipa-ldap-updater.

https://fedorahosted.org/freeipa/ticket/3825