| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3539
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
PASSDB API in Samba adds support for specifying UPN suffixes. The change
in ipasam will allow to pass through list of realm domains as UPN suffixes
so that Active Directory domain controller will be able to recognize
non-primary UPN suffixes as belonging to IPA and properly find our KDC
for cross-realm TGT.
Since Samba already returns primary DNS domain separately, filter it out
from list of UPN suffixes.
Also enclose provider of UPN suffixes into #ifdef to support both
Samba with and without pdb_enum_upn_suffixes().
Part of https://fedorahosted.org/freeipa/ticket/2848
|
|
|
|
|
|
| |
Fix rpm build warnings report in Fedora 19 build.
https://fedorahosted.org/freeipa/ticket/3500
|
|
|
|
|
|
|
|
| |
cmocka is a more advanced unit test framework for C-code than the
currently used check framework. This patch adds configure checks and
makefile variables so that new unit tests can use cmocka.
Fixes https://fedorahosted.org/freeipa/ticket/3434
|
|
|
|
|
|
|
|
|
|
| |
The plugin is configured unconditionally (i.e. does not check if
IPA was configured with DNS) as the plugin is needed on all
replicas to prevent objectclass violations due to missing SOA
serial in idnsZone objectclass. The violation could happen if just
one replica configured DNS and added a new zone.
https://fedorahosted.org/freeipa/ticket/3347
|
|
|
|
|
|
|
|
|
| |
Default value "1" is added to replicated idnsZone objects
if idnsSOASerial attribute is missing.
https://fedorahosted.org/freeipa/ticket/3347
Signed-off-by: Petr Spacek <pspacek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There were several problems:
- A cut-n-paste error where the wrong value was being considered when
an account was administratively unlocked.
- An off-by-one error where LDAP got one extra bind attempt.
- krbPwdPolicyReference wasn't being retrieved as a virtual attribute so
only the global_policy was used.
- The lockout duration wasn't examined in the context of too many failed
logins so wasn't being applied properly.
- Lockout duration wasn't used properly so a user was effectively unlocked
when the failure interval expired.
- krbLastFailedAuth and krbLoginFailedCount are no longer updated past
max failures.
https://fedorahosted.org/freeipa/ticket/3433
|
|
|
|
|
|
|
|
|
|
| |
The way how unhashed password is stored in the entry was changed in
389-ds-base-1.3.0, it is now stored in an entry extension rather than
in a magic attribute unhashed#user#password. New API using an entry
extension was introduced. ipa-pwd-extop should take advantage of the
new API as the old one will be removed in 389-ds-base-1.3.1.
https://fedorahosted.org/freeipa/ticket/3439
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.
For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.
Tests included
https://fedorahosted.org/freeipa/ticket/2886
|
|
|
|
|
|
|
|
|
|
|
| |
Any of the following checks:
- overlap between primary RID range and secondary RID range
- overlap between secondary RID range and secondary RID range
is performed now only if both of the ranges involved are local
domain ranges.
https://fedorahosted.org/freeipa/ticket/3391
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2960
|
|
|
|
|
|
|
|
| |
Instead of always adding a PAC to the Kerberos ticket the global default
for the authorization data and the authorization data of the service
entry is evaluated and the PAC is added accordingly.
https://fedorahosted.org/freeipa/ticket/2960
|
|
|
|
|
|
|
|
| |
The ipaKrbAuthzData LDAP attribute is read together with the other data
of the requestedprincipal and the read value(s) are stored in the e-data
of the entry for later use.
https://fedorahosted.org/freeipa/ticket/2960
|
|
|
|
|
|
|
| |
The ipaKrbAuthzData LDAP attribute is read from the ipaConfig object
and the read value(s) are stored in the ipadb context.
https://fedorahosted.org/freeipa/ticket/2960
|
|
|
|
|
|
|
|
| |
This reverts commit 5269458f552380759c86018cd1f30b64761be92e.
With the implementation of https://fedorahosted.org/freeipa/ticket/2960
a special hardcoded handling of NFS service tickets is not needed
anymore.
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/3427
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/3426
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/3425
|
|
|
|
|
|
| |
A wrong logic was used to check ipactx.
Fixes https://fedorahosted.org/freeipa/ticket/3424
|
|
|
|
|
|
|
| |
ipa_mspac_well_known_sids is a globally defined array so the check was
always true.
Fixes https://fedorahosted.org/freeipa/ticket/3423
|
|
|
|
|
|
|
| |
There was a code path where ret was used instead of kerr to save a
return value.
Fixes https://fedorahosted.org/freeipa/ticket/3422
|
| |
|
|
|
|
|
|
|
|
|
| |
Since we use associatedDomain attribute to store information about UPN suffixes
and our own domain, searching subtree is going to return more than one entry.
Limit search for own domain by base scope as we only need to fetch our own
domain information here, not UPN suffixes.
Required for https://fedorahosted.org/freeipa/ticket/2945
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently kdb5kdc crashes on exit if the ipadb KDB modules is loaded and trusts
are configured. The reason is the talloc autofree context which get initialised
during the ndr_push_union_blob() call. On exit the KDC module is unloaded an
later on atexit() tries to free the context, but all related symbols are
already unloaded with the module.
This patch frees the talloc autofree context during the cleanup routine of the
module. Since this is called only at exit and not during normal operations this
is safe even if other KDC plugins use the talloc autofree context, e.g. via
some Samba libraries, as well.
Fixes https://fedorahosted.org/freeipa/ticket/3410
|
|
|
|
|
|
|
|
| |
This function retried an LDAP search when the result was OK due to
flawed logic of retry detection (ipadb_need_retry function which
returns true when we need retry and not 0).
https://fedorahosted.org/freeipa/ticket/3413
|
|
|
|
|
|
|
|
| |
All known memory leaks caused by unfreed allocated memory or unfreed
LDAP results (which should be also done after unsuccessful searches)
are fixed.
https://fedorahosted.org/freeipa/ticket/3413
|
|
|
|
|
|
|
| |
Fill incoming and outgoing trust LDAP entry with default SID
blacklist value.
https://fedorahosted.org/freeipa/ticket/3289
|
|
|
|
|
|
|
|
|
|
|
|
| |
SIDs in incoming MS-PAC were checked and filtered with a fixed list of
well-known SIDs. Allow reading the SID blacklist from LDAP
(ipaNTSIDBlacklistIncoming and ipaNTSIDBlacklistOutgoing) and add the list
to mspac adtrust structure. Use the hardcoded SID list only if the LDAP
SID list is not configured.
LIMITATION: SID blacklist list is not used yet.
https://fedorahosted.org/freeipa/ticket/3289
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ipa-kdb did not reinitialize trusted domain configuration when it
was loaded to ipa-kdb. However, admin then would have to restart
krb5kdc if he wanted to apply the change to running krb5kdc service.
Run ipadb_reinit_mspac unconditionally every time when trusted domain
is loaded. Among the already configured 1 minute grace time, also
add a quick check if there is at least one configured trusted domain
before reinitializing the mspac structure.
https://fedorahosted.org/freeipa/ticket/3289
|
|
|
|
|
|
|
|
|
| |
When all SIDs in info3.sids structure were filtered out, we tried
to talloc_realloc to zero memory size. talloc_realloc then returned
NULL pointer and filter_login_info returned with ENOMEM.
The code now rather frees the SID array and set info3.sidcount to
correct value.
|
|
|
|
|
| |
Without sentinel in place, ldap_create_deref_control_value executed
an invalid read in unallocated memory.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since in Kerberos V5 are used 32-bit unix timestamps, setting
maxlife in pwpolicy to values such as 9999 days would cause
integer overflow in krbPasswordExpiration attribute.
This would result into unpredictable behaviour such as users
not being able to log in after password expiration if password
policy was changed (#3114) or new users not being able to log
in at all (#3312).
The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver.
https://fedorahosted.org/freeipa/ticket/3312
https://fedorahosted.org/freeipa/ticket/3114
|
|
|
|
|
|
|
|
|
|
|
| |
Windows 2012 Server changed procedure how KERB_VALIDATION_INFO ([MS-PAC]
section 2.5) is populated. Detailed description is available in [MS-KILE]
version 25.0 and above.
Refactor KERB_VALIDATION_INFO verification and ensure we filter out extra
SIDs in case they belong to our domain.
https://fedorahosted.org/freeipa/ticket/3231
|
|
|
|
|
| |
Our code needs both Requires and BuildRequires set to 389-ds-base
which supports transactions. Also add the requires to configure.ac.
|
|
|
|
|
|
|
|
|
|
| |
Wrap the password change extop in a transaction.
Fix the case where a password is reset and then immediately used. If done
fast enough then the KDC may not detect that the password is expired and
grant access using the expired password rather than prompting for a reset.
https://fedorahosted.org/freeipa/ticket/1064
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ther3 are two global ipaConfig options to disable undesirable writes that
have performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.
https://fedorahosted.org/freeipa/ticket/2734
|
|
|
|
|
|
|
| |
Currently only the group SIDs from a PAC are used to find out about the
membership in local groups. This patch adds the user SID to the list.
Fixes https://fedorahosted.org/freeipa/ticket/3257
|
|
|
|
|
|
|
|
|
|
| |
The current Linux NFS server is severely limited when it comes to handling
kerberos tickets. Bsically any ticket bigger than 2k will cause it to fail
authentication due to kernel->userspace upcall interface restrictions.
Until we have additional support in IPA to indivdually mark principals to
opt out of getting PACs attached we always prevent PACs from being attached
to TGTs or Tickets where NFS is involved.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.
Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).
Fix some unit tests that are failing because we actually get the data
now due to transactions.
Add small bit of code in user plugin to retrieve the user again
ala wait_for_attr but in the case of transactions we need do it only
once.
Deprecate wait_for_attr code.
Add a memberof fixup task for roles.
https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
|
|
|
|
|
|
|
| |
If time is moved back on the IPA server, ipasam does not invalidate the
existing ticket.
https://fedorahosted.org/freeipa/ticket/3183
|
|
|
|
|
|
|
|
|
|
|
| |
Commands ipa idrange-add / idrange-mod no longer allows the user
to enter primary or secondary rid range such that has non-zero
intersection with primary or secondary rid range of another
existing id range, as this could cause collision.
Unit tests added to test_range_plugin.py
https://fedorahosted.org/freeipa/ticket/3086
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/3166
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Currently the data about trusted domains is read once at startup. If a
new trust is added the KDC must be restarted to know about the new
trust. This patch reloads the trust data if there is a request from an
unknown domain. To make DOS attacks a bit harder the data can be updated
only once in a minute.
Fixes https://fedorahosted.org/freeipa/ticket/3156
|
| |
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/3104
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2955
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This will sync down the POSIX attributes from AD so we need to be careful
to not mess with them when they are already set. This includes
uidNumber, gidNumber, homeDirectory, loginShell and gecos.
http://port389.org/wiki/WinSync_Posix
http://port389.org/wiki/Windows_Sync_Plugin_API#Version_3_API_functions
https://fedorahosted.org/freeipa/ticket/3007
|
| |
|