| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
| |
Key purging has to be only only after key metadata purging so
ipa-dnskeysyncd on replices does not fail while dereferencing
non-existing keys.
https://fedorahosted.org/freeipa/ticket/5334
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously we published timestamps of planned state changes in LDAP.
This led to situations where state transition in OpenDNSSEC was blocked
by an additional condition (or unavailability of OpenDNSSEC) but BIND
actually did the transition as planned.
Additionally key state mapping was incorrect for KSK so sometimes KSK
was not used for signing when it should.
Example (for code without this fix):
- Add a zone and let OpenDNSSEC to generate keys.
- Wait until keys are in state "published" and next state is "inactive".
- Shutdown OpenDNSSEC or break replication from DNSSEC key master.
- See that keys on DNS replicas will transition to state "inactive" even
though it should not happen because OpenDNSSEC is not available
(i.e. new keys may not be available).
- End result is that affected zone will not be signed anymore, even
though it should stay signed with the old keys.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
| |
This patch removes unused imports, alse pylint has been configured to
check unused imports.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
| |
Needs a 'break' otherwise prevents correct reporting of data and it always overrides
it with the placeholder data.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/937
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
| |
Since endptr points to a location inside of dummy, dummy should be freed
only after dereferencing endptr.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Since we are interested in looking up the SID of a group it makes sense
to include the objectclass which contains the SID attribute in the
search filter. This makes sure the group is not accidentally found a
second time in the compat tree.
Related to https://fedorahosted.org/freeipa/ticket/5457
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/5457
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
| |
Default krb5.conf needn't have defined default_realm.
Unit tests should not rely on existing default value.
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
| |
The cmocka-1.0 introduced new interface for tests
which is not compatible with the old one.
And the old interface is deprecated which caused compiled warnings.
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In file included from ipa_extdom_extop.c:41:0:
ipa_extdom_extop.c: In function ‘ipa_extdom_init_ctx’:
ipa_extdom_extop.c:203:9: warning: format ‘%d’ expects argument of type ‘int’,
but argument 4 has type ‘size_t {aka long unsigned int}’ [-Wformat=]
LOG("Maximal nss buffer size set to [%d]!\n", ctx->max_nss_buf_size);
^
../common/util.h:53:21: note: in definition of macro ‘LOG_PLUGIN_NAME’
fmt, ##__VA_ARGS__)
^
ipa_extdom_extop.c:203:5: note: in expansion of macro ‘LOG’
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
topology_pre.c: In function ‘ipa_topo_pre_add’:
topology_pre.c:509:15: warning: declaration of ‘errtxt’ shadows a previous local [-Wshadow]
char *errtxt;
^
topology_pre.c:494:11: note: shadowed declaration is here
char *errtxt = NULL;
^
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tests/ipa_kdb_tests.c:254:9: warning: missing braces around initializer [-Wmissing-braces]
{3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", BLACKLIST_SID"-1002"},
^
tests/ipa_kdb_tests.c:254:9: note: (near initialization for ‘test_data[6]’)
tests/ipa_kdb_tests.c:256:9: warning: missing braces around initializer [-Wmissing-braces]
{0, NULL, 0 , NULL}
^
tests/ipa_kdb_tests.c:256:9: note: (near initialization for ‘test_data[7]’)
tests/ipa_kdb_tests.c:234:21: warning: missing braces around initializer [-Wmissing-braces]
} test_data[] = {
^
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
| |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
| |
when a suffix becomes managed for a host, the host needs to
be added to the managed servers, otherwise connectivity check would fail
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
| |
|
|
|
|
|
| |
the creation or deletion of a replication agreemet is rejected if the
servers are managed for the suffix. But bot endpoints need to checked
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
After removing a server the replicaid needs to be cleared in the ruv entry and
in the changelog.
This was triggere by initiating a cleanallruv task in "ipa-replica-manage del",
but the removal of a master already triggers a cleanup of segments and replication
agreement by the topology plugin, so this could be handled by the plugin as well.
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
| |
|
|
| |
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
| |
trigger topology updaet if suffix entry is added
trigger topology update if managedSuffix is modified in host entry
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3559
Reviewed-By: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
LDAP limits
ldap2 internally does LDAP search to find out what LDAP search limits
should be used (!). The problem is that this internal search has hardcoded
limits and throws LimitExceeded exception when DS is too slow.
DNSSEC daemons do not need any abstractions from ldap2 so we are going
to use ipaldap directly. This will avoid the unnecessary search and
associated risks.
https://fedorahosted.org/freeipa/ticket/5342
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The StringIO class was moved to the io module.
(In Python 2, io.StringIO is available, but is Unicode-only.)
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Temporarily storing the offset time in an unsigned integer causes the
value of the offset to underflow when a (valid) negative offset value
is generated. Using a signed variable avoids this problem.
https://fedorahosted.org/freeipa/ticket/5333
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5273
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Incorrect SQL join condition could lead to situation where metadata from
ZSK and KSK were interchanged.
https://fedorahosted.org/freeipa/ticket/5273
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5273
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
It might happen that systemd will restart the service even if there is
no incomming connection to service socket. In that case we want to exit
because HSM synchronization is done before socket.accept() and we want
to synchronize HSM and DNS zones at the same time.
https://fedorahosted.org/freeipa/ticket/5273
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Reusing old ccache after reinstall causes authentication error. And
prevents DNSSEC from working.
Related to ticket: https://fedorahosted.org/freeipa/ticket/5273
Reviewed-By: Petr Spacek <pspacek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.
- Removed Backend.krb and KRB5_CCache classes
They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
Using api.env.realm instead of krbV call
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
ipa-dnskeysync* and ipa-ods-exporter handle kerberos errors more gracefully
instead of crashing with tracebacks.
https://fedorahosted.org/freeipa/ticket/5229
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
| |
The 'as' syntax works from Python 2 on, and Python 3 will
drop the "comma" syntax.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use Python-3 compatible syntax, without breaking compatibility with py 2.7
- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
strict type checking checking, e.g. type(0).
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
<ame> -> <name>
overriden -> overridden
ablity -> ability
enties -> entries
the the -> the
https://fedorahosted.org/freeipa/ticket/5109
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
| |
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
| |
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
| |
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
| |
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
| |
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
fetch keytab
When retrieving keytab, it is useful to know what user was attempting
to fetch the keyts and failed. This is useful to debug one-way trust
where SSSD forks out a process of ipa-getkeytab and it might be using
a wrong credentials cache for authentication purposes.
Part of https://fedorahosted.org/freeipa/ticket/4959
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
To support AD trust agents, we need to run sidgen and extdom plugins
on every IPA master. Lack of working configuration, thus, is not a
failure so reduce log level to normal as sidgen plugin will not
be active if domain SID is missing but it can certainly be kept
enabled.
Part of https://fedorahosted.org/freeipa/ticket/4951
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When trust is established, ipasam module creates a number of objects in LDAP
to represent the trust information. Among them, for one-way trust we create
a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest
and AD is a realm of the trusted Active Directory forest root domain.
This principal is then used by SSSD on IPA masters to authenticate against
trusted Active Directory domain controllers and retrieve information about
user and group identities.
FreeIPA also uses this principal's credentials to retrieve domain topology.
The access to the keys of the principal should be well-protected. We only
allow to retrieve the keytab for it for members of cn=adtrust agents group.
This group is populated with host/ and cifs/ principals from IPA masters.
Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters
where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install
on the master which will be configured to be a domain controller (e.g.
run Samba with ipasam), and specify --add-agents option to trigger activation
of the interactive mode to specify which IPA masters to enable.
Fixes https://fedorahosted.org/freeipa/ticket/4962
Part of fixes for https://fedorahosted.org/freeipa/ticket/4546
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.
Note that we treat user's SID and primary group RID filtering as violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.
For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1
it is OK to have empty group RIDs array as GroupCount SHOULD be
equal to Groups.MembershipCount returned by SamrGetGroupsForUser
[MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty.
Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
| |
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
in the preop check do not reject the deletion of a segment, if not both endpoints
are managed servers for the suffix
thisis part of work for ticlet #5072
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3090
https://fedorahosted.org/freeipa/ticket/5073
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
