| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
PASSDB API in Samba adds support for specifying UPN suffixes. The change
in ipasam will allow to pass through list of realm domains as UPN suffixes
so that Active Directory domain controller will be able to recognize
non-primary UPN suffixes as belonging to IPA and properly find our KDC
for cross-realm TGT.
Since Samba already returns primary DNS domain separately, filter it out
from list of UPN suffixes.
Also enclose provider of UPN suffixes into #ifdef to support both
Samba with and without pdb_enum_upn_suffixes().
Part of https://fedorahosted.org/freeipa/ticket/2848
|
|
|
|
|
|
| |
Fix rpm build warnings report in Fedora 19 build.
https://fedorahosted.org/freeipa/ticket/3500
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.
For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.
Tests included
https://fedorahosted.org/freeipa/ticket/2886
|
|
|
|
|
|
|
| |
ipa_mspac_well_known_sids is a globally defined array so the check was
always true.
Fixes https://fedorahosted.org/freeipa/ticket/3423
|
|
|
|
|
|
|
|
|
| |
Since we use associatedDomain attribute to store information about UPN suffixes
and our own domain, searching subtree is going to return more than one entry.
Limit search for own domain by base scope as we only need to fetch our own
domain information here, not UPN suffixes.
Required for https://fedorahosted.org/freeipa/ticket/2945
|
|
|
|
|
|
|
| |
Fill incoming and outgoing trust LDAP entry with default SID
blacklist value.
https://fedorahosted.org/freeipa/ticket/3289
|
|
|
|
|
|
|
| |
If time is moved back on the IPA server, ipasam does not invalidate the
existing ticket.
https://fedorahosted.org/freeipa/ticket/3183
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2955
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
With this change ipasam is able to ask for ipaNTHash generation and if
corresponding Kerberos key is available, will be able to retrieve generated ipaNTHash.
Part 1 of https://fedorahosted.org/freeipa/ticket/3016
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When developing and testing in the same environment, multiple re-installs
may be needed. This means previously issued and cached Kerberos credentials
will become invalid upon new install.
ipasam passdb module for Samba uses Kerberos authentication when talking to
IPA LDAP server. Obtained Kerberos credentials are cached during their lifetime.
However, the ccache is not removed automatically and if IPA setup is made
again, cached credentials are used, only to discover that they are invalid.
With this change invalid correctly obtained cached credentials are recognized
and, if LDAP SASL bind fails, new credentials are requested from the KDC.
https://fedorahosted.org/freeipa/ticket/3009
|
|
|
|
|
| |
In samba4-beta6 the name of a library was changed from libsecurity to
libsamba-security.
|
|
|
|
| |
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
|
|
|
|
|
|
| |
With c43505b621725c9a754f0ee98318d451b093f2ed in samba git master
the function sid_check_is_domain() was renamed to sid_check_is_our_sam().
https://fedorahosted.org/freeipa/ticket/2929
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
SASL bind callback due to refactoring was referencing local variable which
didn't exist all the time. Fix that by including a copy of service principals
into ipasam long term private struct.
Rework ccache handling to avoid re-initing every time callback is called
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2877
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2870
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Commit a6e29f23f09ba5b6b6d362f7683ae8088bc0ba85 in Samba changed id mapping
API in passdb interface to use 'struct unixid'. The change replaced three arguments
(uid, gid, type) by one (struct unixid). As result, ipa-sam became broken.
Without this change ipa-sam introduces stack corruption in Samba post 4.0.0alpha18
leading to corrupted security context stack as well and then crashing in setgroups(3).
|
|
|
|
|
|
|
|
|
| |
A high-level description of the design and ACIs for trusts is available at
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html
and
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html
Ticket #1731
|
|
|
|
|
|
|
|
|
|
|
| |
We need two attributes in the ipaNTTrustedDomain objectclass to store different
kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID
of the trusted domain. A second attribute is needed to store the SID for the
trusted domain user. Since it cannot be derived safely from other values and
since it does not make sense to create a separate object for the user a new
attribute is needed.
https://fedorahosted.org/freeipa/ticket/2191
|
| |
|
|
https://fedorahosted.org/freeipa/ticket/1874
|