Commit Graph

25 Commits

Author SHA1 Message Date
Simo Sorce
f9ed0b6ff8 Convert ipa-sam to use the new getkeytab control
Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5495
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-02-01 13:28:39 +01:00
Alexander Bokovoy
5025204175 trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
Part of https://fedorahosted.org/freeipa/ticket/4959

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Martin Basti
5783d0c832 Server Upgrade: remove CSV from upgrade files
CSV values are not supported in upgrade files anymore

Instead of

   add:attribute: 'first, part', second

please use

  add:attribute: firts, part
  add:attribute: second

Required for ticket: https://fedorahosted.org/freeipa/ticket/4984

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-11 16:08:01 +00:00
Martin Basti
2712b609cb Upgrade: fix trusts objectclass violationi
Execute updates in proper ordering.
Curently ldap-updater implementation doesnt allow better fix.

Ticket: https://fedorahosted.org/freeipa/ticket/4680
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-13 13:31:17 +01:00
Tomas Babej
b7a1401e9d trusts: Make cn=adtrust agents sysaccount nestedgroup
Since recent permissions work references this entry, we need to be
able to have memberOf attributes created on this entry. Hence we
need to include the nestedgroup objectclass.

https://fedorahosted.org/freeipa/ticket/4433

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-07-18 10:08:04 +02:00
Tomas Babej
c2e6b74029 trusts: Allow reading system trust accounts by adtrust agents
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 15:01:52 +02:00
Petr Viktorin
193ced0bd7 Remove the global anonymous read ACI
Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:14:55 +02:00
Petr Viktorin
223e6dc3f7 aci-update: Trim the admin write blacklist
These attributes are removed from the blacklist, which means
high-level admins can now modify them:

- krbPrincipalAliases
- krbPrincipalType
- krbPwdPolicyReference
- krbTicketPolicyReference
- krbUPEnabled
- serverHostName

The intention is to only blacklist password attributes and attributes
that are managed by DS plugins.

Also, move the admin ACIs from ldif and trusts.update to aci.update.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-25 14:06:08 +02:00
Tomas Babej
3e1386a57e acl: Remove krbPrincipalExpiration from list of admin's excluded attrs
Since we're exposing the krbPrincipalExpiration attribute for direct
editing in the CLI, remove it from the list of attributes that
admin cannot edit by default.

Part of: https://fedorahosted.org/freeipa/ticket/3306
2014-01-14 15:22:27 +01:00
Petr Viktorin
d9a1c09e7c Remove schema modifications from update files
As schema is now handled by the schema updater, these entries
are superfluous.

https://fedorahosted.org/freeipa/ticket/3454
2013-11-18 16:54:21 +01:00
Martin Kosek
cdd2e9caff Do not add kadmin/changepw ACIs on new installs
These ACI were needed when FreeIPA had a custom ipa_kpasswd daemon,
now that a standard kadmin is used, ACIs are not needed anymore as
kadmin uses the same driver as the KDC.

The ACIs is not removed on upgrades to avoid breaking older
replicas which may still use FreeIPA version with the ipa_kpasswd
daemon.

https://fedorahosted.org/freeipa/ticket/3987
2013-10-25 15:26:51 +02:00
Alexander Bokovoy
9cf8ec79c9 ipa-sam: do not modify objectclass when trust object already created
When trust is established, last step done by IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in trust object entry
which is not allowed by ACI.

Additionally, wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd which prevented even to
reach the point where ipa-sam would be asked to modify the trust object.
2013-09-20 09:59:02 +02:00
Tomas Babej
75f0801324 Add nfs:NONE to default PAC types only when needed
We need to add nfs:NONE as a default PAC type only if there's no
other default PAC type for nfs. Adds a update plugin which
determines whether default PAC type for nfs is set and adds
nfs:NONE PAC type accordingly.

https://fedorahosted.org/freeipa/ticket/3555
2013-04-15 14:46:21 +02:00
Jan Cholasta
5f26d2c6db Add Kerberos ticket flags management to service and host plugins.
https://fedorahosted.org/freeipa/ticket/3329
2013-03-29 16:34:46 +01:00
Sumit Bose
2d90724a7e Add NFS specific default for authorization data type
Since the hardcoded default fpr the NFS service was removed the default
authorization data type is now set in the global server configuration.

https://fedorahosted.org/freeipa/ticket/2960
2013-03-08 10:46:00 +01:00
Martin Kosek
4a6f3cac29 Remove ORDERING for IA5 attributeTypes
IA5 string syntax does not have a compatible ORDERING matching rule.
Simply use default ORDERING for these attributeTypes as we already
do in other cases.

https://fedorahosted.org/freeipa/ticket/3398
2013-02-27 12:47:04 +01:00
Rob Crittenden
49beb8cd3a Add missing v3 schema on upgrades, fix typo in schema.
Add mising ipaExternalMember attribute and ipaExternalGroup objectclass.

Replacing mis-spelled ORDERING value on new install and upgrades.

https://fedorahosted.org/freeipa/ticket/3398
2013-02-22 13:30:59 +01:00
Martin Kosek
d4d19ff423 Add SID blacklist attributes
Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.

https://fedorahosted.org/freeipa/ticket/3289
2013-02-12 10:37:34 +01:00
Alexander Bokovoy
0840b588d7 Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-install
Since CIFS principal is generated by ipa-adtrust-install and is only
usable after setting CIFS configuration, there is no need to include it
into default setup.

This should fix upgrades from 2.2 to 3.0 where CIFS principal does not
exist by default.

https://fedorahosted.org/freeipa/ticket/3041
2012-10-09 18:15:01 -04:00
Alexander Bokovoy
155d1efd48 Add ACI to allow regenerating ipaNTHash from ipasam
ACI was lacking to allow actually writing MagicRegen into ipaNTHash attribute,

Part 2 of https://fedorahosted.org/freeipa/ticket/3016
2012-08-22 17:21:27 +03:00
Rob Crittenden
fb817d3401 Add per-service option to store the types of PAC it supports
Create a per-service default as well.

https://fedorahosted.org/freeipa/ticket/2184
2012-08-01 16:15:51 +02:00
Martin Kosek
32ef4efaca Remove ipaNTHash from global allow ACI
ipaNTHash contains security sensitive information, it should be hidden just
like other password attributes. As a part of preparation for ticket #2511,
the ACI allowing global access is also updated to hide DNS zones.

https://fedorahosted.org/freeipa/ticket/2856
2012-06-26 21:28:25 +02:00
Sumit Bose
b367c9ee7e Use exop instead of kadmin.local 2012-06-11 09:40:59 +02:00
Alexander Bokovoy
bd0d858043 Add trust-related ACIs
A high-level description of the design and ACIs for trusts is available at
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html
and
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html

Ticket #1731
2012-06-07 09:39:10 +02:00
Alexander Bokovoy
b32204fccc Add separate attribute to store trusted domain SID
We need two attributes in the ipaNTTrustedDomain objectclass to store different
kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID
of the trusted domain. A second attribute is needed to store the SID for the
trusted domain user. Since it cannot be derived safely from other values and
since it does not make sense to create a separate object for the user a new
attribute is needed.

https://fedorahosted.org/freeipa/ticket/2191
2012-06-07 09:39:09 +02:00