summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins/trust.py
Commit message (Collapse)AuthorAgeFilesLines
* trustdomain: Perform validation of the trust domain firstTomas Babej2015-10-261-1/+6
| | | | | | | | | | Makes sure that the first check that is performed when trustdomain-del command is run is that the actual trusted domain exists. This is done to prevent a subseqent error which might be misleading. https://fedorahosted.org/freeipa/ticket/5389 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* trusts: Make trust_show.get_dn raise properly formatted NotFoundTomas Babej2015-10-261-8/+24
| | | | | | | | | | | | | The trust_show command does not raise a properly formatted NotFound error if the trust is not found, only a generic EmptyResult error is raised. This patch makes the trust_show tell us what actually could not be found. https://fedorahosted.org/freeipa/ticket/5389 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Alias "unicode" to "str" under Python 3Jan Cholasta2015-09-171-0/+5
| | | | | | | | | The six way of doing this is to replace all occurences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Replace uses of map()Petr Viktorin2015-09-011-3/+3
| | | | | | | | | | In Python 2, map() returns a list; in Python 3 it returns an iterator. Replace all uses by list comprehensions, generators, or for loops, as required. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* trusts: format Kerberos principal properly when fetching trust topologyAlexander Bokovoy2015-08-241-1/+6
| | | | | | | | | | | | | | | | | | For bidirectional trust if we have AD administrator credentials, we should be using them with Kerberos authentication. If we don't have AD administrator credentials, we should be using HTTP/ipa.master@IPA.REALM credentials. This means we should ask formatting 'creds' object in Kerberos style. For one-way trust we'll be fetching trust topology as TDO object, authenticating with pre-created Kerberos credentials cache, so in all cases we do use Kerberos authentication to talk to Active Directory domain controllers over cross-forest trust link. Part of trust refactoring series. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1250190 Fixes: https://fedorahosted.org/freeipa/ticket/5182 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trusts: Detect missing Samba instanceTomas Babej2015-08-171-20/+79
| | | | | | | | | | | | | | | | | | | | | In the event of invocation of trust related commands, IPA server needs to contact local Samba instance. This is not possible on servers that merely act as AD trust agents, since they do not have Samba instance running. Properly detect the absence of the Samba instance and output user-friendly message which includes list of servers that are capable of running the command, if such exist. List of commands affected: * ipa trust-add * ipa trust-fetch-domains * all of the trustdomain commands available via CLI https://fedorahosted.org/freeipa/ticket/5165 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* trusts: Detect domain clash with IPA domain when adding a AD trustTomas Babej2015-08-171-0/+8
| | | | | | | | | | | | | | | | | | When IPA is deployed in the same domain as AD, trust-add fails since the names of the local domain and trusted domain ranges is the same - it's always DOMAIN.NAME_id_range. When adding a trusted domain, we look for previous ranges for this domain (which may have been left behind by previous trust attempts). Since AD and IPA are in the same domain, we find a local domain range, which does not have a SID. Detect such domain collisions early and bail out with an appropriate error message. https://fedorahosted.org/freeipa/ticket/4549 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Modernize 'except' clausesPetr Viktorin2015-08-121-4/+4
| | | | | | | The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix incorrect type comparison in trust-fetch-domainsTomas Babej2015-08-061-1/+1
| | | | | | | | Value needs to be unpacked from the list and converted before comparison. https://fedorahosted.org/freeipa/ticket/5182 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Modernize number literalsPetr Viktorin2015-07-311-1/+1
| | | | | | | | | | | | | | Use Python-3 compatible syntax, without breaking compatibility with py 2.7 - Octals literals start with 0o to prevent confusion - The "L" at the end of large int literals is not required as they use long on Python 2 automatically. - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking checking, e.g. type(0). https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* trusts: Check for AD root domain among our trusted domainsTomas Babej2015-07-171-1/+20
| | | | | | | | | | | | | Check for the presence of the forest root DNS domain of the AD realm among the IPA realm domains prior to esablishing the trust. This prevents creation of a failing setup, as trusts would not work properly in this case. https://fedorahosted.org/freeipa/ticket/4799 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix minor typosYuri Chornoivan2015-07-171-1/+1
| | | | | | | | | | | | | <ame> -> <name> overriden -> overridden ablity -> ability enties -> entries the the -> the https://fedorahosted.org/freeipa/ticket/5109 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
* trust: support retrieving POSIX IDs with one-way trust during trust-addAlexander Bokovoy2015-07-081-14/+51
| | | | | | | | | | | | With one-way trust we cannot rely on cross-realm TGT as there will be none. Thus, if we have AD administrator credentials we should reuse them. Additionally, such use should be done over Kerberos. Fixes: https://fedorahosted.org/freeipa/ticket/4960 https://fedorahosted.org/freeipa/ticket/4959 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trusts: add support for one-way trust and switch to it by defaultAlexander Bokovoy2015-07-081-34/+107
| | | | | | | | | | | | | | | | | | | | | | | | | | One-way trust is the default now, use 'trust add --two-way ' to force bidirectional trust https://fedorahosted.org/freeipa/ticket/4959 In case of one-way trust we cannot authenticate using cross-realm TGT against an AD DC. We have to use trusted domain object from within AD domain and access to this object is limited to avoid compromising the whole trust configuration. Instead, IPA framework can call out to oddjob daemon and ask it to run the script which can have access to the TDO object. This script (com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal to retrieve TDO object credentials from IPA LDAP if needed and then authenticate against AD DCs using the TDO object credentials. The script pulls the trust topology out of AD DCs and updates IPA LDAP store. Then IPA framework can pick the updated data from the IPA LDAP under normal access conditions. Part of https://fedorahosted.org/freeipa/ticket/4546 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trusts: pass AD DC hostname if specified explicitlyAlexander Bokovoy2015-07-081-1/+8
| | | | | | Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-adtrust-install: add IPA master host principal to adtrust agentsAlexander Bokovoy2015-07-081-1/+2
| | | | | | Fixes https://fedorahosted.org/freeipa/ticket/4951 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output.David Kupka2015-01-131-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4787 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* ipa trust-add command should be interactiveGabe2014-08-251-1/+25
| | | | | | | | | - Make ipa trust-add command interactive for realm_admin and realm_passwd - Fix 'Active directory' typo to 'Active Directory' https://fedorahosted.org/freeipa/ticket/3034 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* trusts: Validate missing trust secret properlyTomas Babej2014-07-141-4/+6
| | | | | | | | | Detect the situation if the user passes empty trust secret and error out properly. https://fedorahosted.org/freeipa/ticket/4266 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* trusts: Allow reading system trust accounts by adtrust agentsTomas Babej2014-06-251-0/+11
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* trusts: Add more read attributesTomas Babej2014-06-251-1/+2
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Update all remaining plugins to the new Registry APINathaniel McCallum2014-06-111-21/+24
| | | | Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Make trust objects available to regular usersMartin Kosek2014-04-281-11/+19
| | | | | | | | With global read ACI removed, some of the trust and trustdomain attributes are not available. Make trust plugin resilient to these missing attributes and let it return the available information. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add managed read permissions to trustPetr Viktorin2014-04-281-0/+15
| | | | | | | | A single permission is added to cover trust, trustconfig, and trustdomain. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* trust plugin: Remove ipatrustauth{incoming,outgoing} from default attrsPetr Viktorin2014-04-281-4/+3
| | | | | | | | | These attributes contain secrets for the trusts and should not be returned by default. Also, search_display_attributes is modified to better match default_attributes Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Allow primary keys to use different type than unicode.Jan Cholasta2014-04-181-14/+16
| | | | | | | | | | Also return list of primary keys instead of a single unicode CSV value from LDAPDelete-based commands. This introduces a new capability 'primary_key_types' for backward compatibility with old clients. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trust: do not fetch subdomains in case shared secret was used to set up the ↵Alexander Bokovoy2014-03-121-1/+2
| | | | | | | | | | | | | | | | | | | | | | trust Until incoming trust is validated from AD side, we cannot run any operations against AD using the trust. Also, Samba currently does not suport verifying trust against the other party (returns WERR_NOT_SUPPORTED). This needs to be added to the documentation: When using 'ipa trust-add ad.domain --trust-secret', one has to manually validate incoming trust using forest trust properties in AD Domains and Trusts tool. Once incoming trust is validated at AD side, use IPA command 'ipa trust-fetch-domains ad.domain' to retrieve topology of the AD forest. From this point on the trust should be usable. https://fedorahosted.org/freeipa/ticket/4246 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* trust: make sure we always discover topology of theAlexander Bokovoy2014-02-271-31/+6
| | | | | | | | | | forest trust Even though we are creating idranges for subdomains only in case there is algorithmic ID mapping in use, we still need to fetch list of subdomains for all other cases. https://fedorahosted.org/freeipa/ticket/4205
* trustdomain_find: make sure we skip short entries when --pkey-only is specifiedAlexander Bokovoy2014-02-271-0/+2
| | | | | | | | | With --pkey-only only primary key is returned. It makes no sense to check and replace boolean values then. https://fedorahosted.org/freeipa/ticket/4196 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert remaining frontend code to LDAPEntry API.Jan Cholasta2014-01-241-6/+4
|
* Hide trust-resolve commandMartin Kosek2014-01-201-0/+1
| | | | | | | | | | | | We do not need to expose a public FreeIPA specific interface to resolve SIDs to names. The interface is only used internally to resolve SIDs when external group members are listed. Additionally, the command interface is not prepared for regular user and can give rather confusing results. Hide it from CLI. The API itself is still accessible and compatible with older clients. https://fedorahosted.org/freeipa/ticket/4113
* trustdomain-find: report status of the (sub)domainAlexander Bokovoy2014-01-151-1/+17
| | | | | | | | | | Show status of each enumerated domain trustdomain-find shows list of domains associated with the trust. Each domain except the trust forest root can be enabled or disabled with the help of trustdomain-enable and trustdomain-disable commands. https://fedorahosted.org/freeipa/ticket/4096
* trust-fetch-domains: create ranges for new child domainsAlexander Bokovoy2014-01-151-121/+135
| | | | | | | | | | | | When trust is added, we do create ranges for discovered child domains. However, this functionality was not available through 'trust-fetch-domains' command. Additionally, make sure non-existing trust will report proper error in trust-fetch-domains. https://fedorahosted.org/freeipa/ticket/4111 https://fedorahosted.org/freeipa/ticket/4104
* trust: fix get_dn() to distinguish creating and re-adding trustsAlexander Bokovoy2013-12-111-2/+2
| | | | | | | | | | | Latest support for subdomains introduced regression that masked difference between newly added trust and re-added one. Additionally, in case no new subdomains were found, the code was returning None instead of an empty list which later could confuse trustdomain-find command. https://fedorahosted.org/freeipa/ticket/4067
* subdomains: Use AD admin credentials when trust is being establishedAlexander Bokovoy2013-11-291-3/+10
| | | | | | | | | | | | | | | | | | | | When AD administrator credentials passed, they stored in realm_passwd, not realm_password in the options. When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure to normalize them. Additionally, force Samba auth module to use NTLMSSP in case we have credentials because at the point when trust is established, KDC is not yet ready to issue tickets to a service in the other realm due to MS-PAC information caching effects. The logic is a bit fuzzy because credentials code makes decisions on what to use based on the smb.conf parameters and Python bindings to set parameters to smb.conf make it so that auth module believes these parameters were overidden by the user through the command line and ignore some of options. We have to do calls in the right order to force NTLMSSP use instead of Kerberos. Fixes https://fedorahosted.org/freeipa/ticket/4046
* trusts: Do not pass base-id to the subdomain rangesTomas Babej2013-11-221-0/+5
| | | | | | | | | | | | | | | For trusted domains base id is calculated using a murmur3 hash of the domain Security Identifier (SID). During trust-add we create ranges for forest root domain and other forest domains. Since --base-id explicitly overrides generated base id for forest root domain, its value should not be passed to other forest domains' ranges -- their base ids must be calculated based on their SIDs. In case base id change for non-root forest domains is required, it can be done manually through idrange-mod command after the trust is established. https://fedorahosted.org/freeipa/ticket/4041
* trusts: Fix typo in error message for realm-domain mismatchTomas Babej2013-10-251-2/+2
|
* trusts: combine filters with AND to make sure only the intended domain matchesJakub Hrozek2013-10-241-1/+2
|
* Get the created range type in case of re-establishing trustTomas Babej2013-10-211-0/+2
| | | | | | | This is a regression fix introduced by commit id: 285ed59889590ddd0d6ca2e2a030b28527941cbf Fixes internal error in case of re-establishing the trust.
* trusts: Do not create ranges for subdomains in case of POSIX trustTomas Babej2013-10-141-11/+39
| | | | | | For the AD trusts where the ID range for the root level domain is of ipa-ad-trust-posix type, do not create a separate ranges for the subdomains, since POSIX attributes provide global mapping.
* ipa-kdb: Handle parent-child relationship for subdomainsAlexander Bokovoy2013-10-041-0/+6
| | | | | | | | | | | | | | | | | When MS-PAC information is re-initialized, record also parent-child relationship between trust root level domain and its subdomains. Use parent incoming SID black list to check if child domain is not allowed to access IPA realm. We also should really use 'cn' of the entry as domain name. ipaNTTrustPartner has different meaning on wire, it is an index pointing to the parent domain of the domain and will be 0 for top level domains or disjoint subdomains of the trust. Finally, trustdomain-enable and trustdomain-disable commands should force MS-PAC cache re-initalization in case of black list change. Trigger that by asking for cross-realm TGT for HTTP service.
* trust: integrate subdomains support into trust-addAlexander Bokovoy2013-10-041-3/+20
|
* ipaserver/dcerpc: remove use of trust account authenticationAlexander Bokovoy2013-10-041-1/+0
| | | | | | | | Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal, it is possible to use it when talking to the trusted AD DC. Remove support for authenticating as trust account because it should not really be used other than within Samba.
* trusts: support subdomains in a forestAlexander Bokovoy2013-10-041-51/+278
| | | | | | | | | | | | | | | | | | | Add IPA CLI to manage trust domains. ipa trust-fetch-domains <trust> -- fetch list of subdomains from AD side and add new ones to IPA ipa trustdomain-find <trust> -- show all available domains ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust> ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain By default all discovered trust domains are allowed to access IPA resources IPA KDC needs also information for authentication paths to subdomains in case they are not hierarchical under AD forest trust root. This information is managed via capaths section in krb5.conf. SSSD should be able to generate it once ticket https://fedorahosted.org/sssd/ticket/2093 is resolved. part of https://fedorahosted.org/freeipa/ticket/3909
* Do not add trust to AD in case of IPA realm-domain mismatchTomas Babej2013-10-031-0/+13
| | | | | | | | Make sure that trust-add command fails when admin attempts to add an Active Directory trust when the realm name and the domain name of the IPA server do not match. https://fedorahosted.org/freeipa/ticket/3923
* Fix tests which fail after ipa-adtrust-installAna Krivokapic2013-08-281-0/+44
| | | | | | | | | | Some unit tests were failing after ipa-adtrust-install has been run on the IPA server, due to missing attributes ('ipantsecurityidentifier') and objectclasses ('ipantuserattrs' and 'ipantgroupattrs'). This patch detects if ipa-adtrust-install has been run, and adds missing attributes and objectclasses where appropriate. https://fedorahosted.org/freeipa/ticket/3852
* Fix incorrect error message occurence when re-adding the trustTomas Babej2013-08-271-1/+1
| | | | | | | | | You cannot re-add the trust and modify the range in the process. The check in the code was malfunctioning since it assumed that range_size parameter has default value. However, default value is assigned only later in the add_range function. https://fedorahosted.org/freeipa/ticket/3870
* Prevent *.pyo and *.pyc multilib problemsMartin Kosek2013-08-131-1/+1
| | | | | | | | | | | | | Differences in the python byte code fails in a build validation (rpmdiff) done on difference architecture of the same package. This patch: 1) Ensures that timestamps of generated *.pyo and *.pyc files match 2) Python integer literals greater or equal 2^32 and lower than 2^64 are converted to long right away to prevent different type of the integer on architectures with different size of int https://fedorahosted.org/freeipa/ticket/3858
* Add new command compat-is-enabledAna Krivokapic2013-08-071-0/+44
| | | | | | | | | Add a new API command 'compat-is-enabled' which can be used to determine whether Schema Compatibility plugin is configured to serve trusted domain users and groups. The new command is not visible in IPA CLI. https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
* Use AD LDAP probing to create trusted domain ID rangeTomas Babej2013-07-231-12/+99
| | | | | | | | | | When creating a trusted domain ID range, probe AD DC to get information about ID space leveraged by POSIX users already defined in AD, and create an ID range with according parameters. For more details: http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD https://fedorahosted.org/freeipa/ticket/3649
generated by cgit (git 2.34.1) at 2025-09-02 10:54:00 +0000