| Commit message | Author | Age | Files | Lines |
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/3015
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/5495
| |
When requesting a keytab the salt used is the NORMAL type (for backwards and AD
compatibility), however since we added alias support we need to search for the
krbCanonicalName in preference, when nothing is specified, and for the requested
principal name when a getkeytab operation is performed. This is so that the
correct salt can be applied. (Windows AD uses some peculiar aliases for some
special accounts to generate the salt).
Signed-off-by: Simo Sorce <simo@redhat.com>
| |
Like for services setting the ipaKrbAuthzData attribute on a user object will
allow us to control exactly what authz data is allowed for that user.
Setting NONE would allow no authz data, while setting MS-PAC would allow only
Active Directory compatible data.
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/2579
| |
Some legacy software is not able to properly cope with preauthentication;
allow the admins to disable the requirement to use preauthentication for
all Service Principal Names if they so desire. IPA users are excluded:
for users, who use passwords of lesser entropy, preauthentication is
always required by default.
This setting does NOT override explicit policies set on service principals
or in the global policy, it only affects the default.
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/3860
| |
Users can still obtain a keytab for themselves using the getkeytab exop
which does not circumvent password policy checks.
Users are disallowed from using setkeytab by default in new installations
but not in existing installations (no forced upgrade).
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/5485
| |
If DisableSetKeytab is set in ipaConfig options then setkeytab will not be
available. The default is still to allow this operation for backwards
compatibility towards older clients that do not know how to use the new
GetKeytab extended operation.
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/5485
| |
Remove des3 and arcfour from the defaults for new installs.
NOTE: the ipasam/dcerpc code still uses arcfour
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/4740
| |
Needs a 'break', otherwise it prevents correct reporting of data and always overrides
it with the placeholder data.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/937
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
| |
Since endptr points to a location inside of dummy, dummy should be freed
only after dereferencing endptr.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
| |
Since we are interested in looking up the SID of a group it makes sense
to include the objectclass which contains the SID attribute in the
search filter. This makes sure the group is not accidentally found a
second time in the compat tree.
Related to https://fedorahosted.org/freeipa/ticket/5457
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
| |
Fixes https://fedorahosted.org/freeipa/ticket/5457
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
| |
Default krb5.conf needn't have defined default_realm.
Unit tests should not rely on existing default value.
Reviewed-By: Martin Basti <mbasti@redhat.com>
| |
cmocka 1.0 introduced a new interface for tests
which is not compatible with the old one.
And the old interface is deprecated, which caused compile warnings.
Reviewed-By: Martin Basti <mbasti@redhat.com>
| |
In file included from ipa_extdom_extop.c:41:0:
ipa_extdom_extop.c: In function ‘ipa_extdom_init_ctx’:
ipa_extdom_extop.c:203:9: warning: format ‘%d’ expects argument of type ‘int’,
but argument 4 has type ‘size_t {aka long unsigned int}’ [-Wformat=]
LOG("Maximal nss buffer size set to [%d]!\n", ctx->max_nss_buf_size);
^
../common/util.h:53:21: note: in definition of macro ‘LOG_PLUGIN_NAME’
fmt, ##__VA_ARGS__)
^
ipa_extdom_extop.c:203:5: note: in expansion of macro ‘LOG’
Reviewed-By: Martin Basti <mbasti@redhat.com>
| |
topology_pre.c: In function ‘ipa_topo_pre_add’:
topology_pre.c:509:15: warning: declaration of ‘errtxt’ shadows a previous local [-Wshadow]
char *errtxt;
^
topology_pre.c:494:11: note: shadowed declaration is here
char *errtxt = NULL;
^
Reviewed-By: Martin Basti <mbasti@redhat.com>
| |
tests/ipa_kdb_tests.c:254:9: warning: missing braces around initializer [-Wmissing-braces]
{3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", BLACKLIST_SID"-1002"},
^
tests/ipa_kdb_tests.c:254:9: note: (near initialization for ‘test_data[6]’)
tests/ipa_kdb_tests.c:256:9: warning: missing braces around initializer [-Wmissing-braces]
{0, NULL, 0 , NULL}
^
tests/ipa_kdb_tests.c:256:9: note: (near initialization for ‘test_data[7]’)
tests/ipa_kdb_tests.c:234:21: warning: missing braces around initializer [-Wmissing-braces]
} test_data[] = {
^
Reviewed-By: Martin Basti <mbasti@redhat.com>
| |
Reviewed-By: Martin Basti <mbasti@redhat.com>
| |
When a suffix becomes managed for a host, the host needs to
be added to the managed servers, otherwise the connectivity check would fail.
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
| |
The creation or deletion of a replication agreement is rejected if the
servers are managed for the suffix. But both endpoints need to be checked.
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
| |
After removing a server the replicaid needs to be cleared in the ruv entry and
in the changelog.
This was triggered by initiating a cleanallruv task in "ipa-replica-manage del",
but the removal of a master already triggers a cleanup of segments and replication
agreement by the topology plugin, so this could be handled by the plugin as well.
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
| |
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| |
Trigger topology update if suffix entry is added.
Trigger topology update if managedSuffix is modified in host entry.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| |
https://fedorahosted.org/freeipa/ticket/3559
Reviewed-By: Sumit Bose <sbose@redhat.com>
| |
LDAP limits
ldap2 internally does LDAP search to find out what LDAP search limits
should be used (!). The problem is that this internal search has hardcoded
limits and throws LimitExceeded exception when DS is too slow.
DNSSEC daemons do not need any abstractions from ldap2 so we are going
to use ipaldap directly. This will avoid the unnecessary search and
associated risks.
https://fedorahosted.org/freeipa/ticket/5342
Reviewed-By: Martin Basti <mbasti@redhat.com>
| |
The StringIO class was moved to the io module.
(In Python 2, io.StringIO is available, but is Unicode-only.)
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
| |
Temporarily storing the offset time in an unsigned integer causes the
value of the offset to underflow when a (valid) negative offset value
is generated. Using a signed variable avoids this problem.
https://fedorahosted.org/freeipa/ticket/5333
Reviewed-By: Tomas Babej <tbabej@redhat.com>
| |
https://fedorahosted.org/freeipa/ticket/5273
Reviewed-By: Martin Basti <mbasti@redhat.com>
| |
Incorrect SQL join condition could lead to situation where metadata from
ZSK and KSK were interchanged.
https://fedorahosted.org/freeipa/ticket/5273
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
| |
https://fedorahosted.org/freeipa/ticket/5273
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
| |
It might happen that systemd will restart the service even if there is
no incoming connection to service socket. In that case we want to exit
because HSM synchronization is done before socket.accept() and we want
to synchronize HSM and DNS zones at the same time.
https://fedorahosted.org/freeipa/ticket/5273
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
| |
Reusing old ccache after reinstall causes authentication error and
prevents DNSSEC from working.
Related to ticket: https://fedorahosted.org/freeipa/ticket/5273
Reviewed-By: Petr Spacek <pspacek@redhat.com>
| |
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| |
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| |
python-krbV library is deprecated and doesn't work with python 3. Replacing all
its usages with python-gssapi.
- Removed Backend.krb and KRB5_CCache classes
They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
Using api.env.realm instead of krbV call
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
| |
ipa-dnskeysync* and ipa-ods-exporter handle kerberos errors more gracefully
instead of crashing with tracebacks.
https://fedorahosted.org/freeipa/ticket/5229
Reviewed-By: Martin Basti <mbasti@redhat.com>
| |
The 'as' syntax works from Python 2 on, and Python 3 will
drop the "comma" syntax.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
| |
Use Python-3 compatible syntax, without breaking compatibility with py 2.7
- Octal literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
strict type checking, e.g. type(0).
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| |
<ame> -> <name>
overriden -> overridden
ablity -> ability
enties -> entries
the the -> the
https://fedorahosted.org/freeipa/ticket/5109
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
| |
Reviewed-By: Tomas Babej <tbabej@redhat.com>
| |
Reviewed-By: Tomas Babej <tbabej@redhat.com>
| |
Reviewed-By: Tomas Babej <tbabej@redhat.com>
| |
Reviewed-By: Tomas Babej <tbabej@redhat.com>
| |
Reviewed-By: Tomas Babej <tbabej@redhat.com>
| |
fetch keytab
When retrieving keytab, it is useful to know what user was attempting
to fetch the keys and failed. This is useful to debug one-way trust
where SSSD forks out a process of ipa-getkeytab and it might be using
the wrong credentials cache for authentication purposes.
Part of https://fedorahosted.org/freeipa/ticket/4959
Reviewed-By: Tomas Babej <tbabej@redhat.com>
| |
To support AD trust agents, we need to run sidgen and extdom plugins
on every IPA master. Lack of working configuration, thus, is not a
failure so reduce log level to normal as sidgen plugin will not
be active if domain SID is missing but it can certainly be kept
enabled.
Part of https://fedorahosted.org/freeipa/ticket/4951
Reviewed-By: Tomas Babej <tbabej@redhat.com>
| |
When trust is established, ipasam module creates a number of objects in LDAP
to represent the trust information. Among them, for one-way trust we create
a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest
and AD is a realm of the trusted Active Directory forest root domain.
This principal is then used by SSSD on IPA masters to authenticate against
trusted Active Directory domain controllers and retrieve information about
user and group identities.
FreeIPA also uses this principal's credentials to retrieve domain topology.
The access to the keys of the principal should be well-protected. We only
allow members of the cn=adtrust agents group to retrieve the keytab for it.
This group is populated with host/ and cifs/ principals from IPA masters.
Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters
where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install
on the master which will be configured to be a domain controller (e.g.
run Samba with ipasam), and specify --add-agents option to trigger activation
of the interactive mode to specify which IPA masters to enable.
Fixes https://fedorahosted.org/freeipa/ticket/4962
Part of fixes for https://fedorahosted.org/freeipa/ticket/4546
Reviewed-By: Tomas Babej <tbabej@redhat.com>