In FIPS mode NT hashes (aka md4) are not allowed. If FIPS mode is
detected we disable NT hashes even if they are allowed by IPA
Reviewed-By: Alexander Bokovoy <>
Reviewed-By: Stanislav Laznicka <>
Since ipa-sam is running as part of smbd it is safe to use the
E_md4hash() from Samba. This way ipa-sam does not depend on other crypto
libraries which might depend on other rules like e.g. FIPS mode.
Reviewed-By: Alexander Bokovoy <>
Reviewed-By: Stanislav Laznicka <>
python-netifaces now provides the IPv6 netmask in the format mask/prefix. It
breaks freeipa as it is an unexpected format for python-netaddr. We must
split the netmask and provide only the prefix to netaddr.
Reviewed-By: Martin Babinsky <>
Reviewed-By: Petr Vobornik <>
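The netmask normalisation described in the commit above, as an added example that is not FreeIPA's own netaddr-based code: it uses only the Python standard library's ipaddress module, accepts the "mask/prefix" shape the commit mentions alongside plain dotted masks and bare prefix lengths, and cross-checks that the mask part agrees with the prefix part. The netmask strings are constructed sample inputs.

```python
import ipaddress


def _mask_to_prefix(mask_addr: ipaddress._BaseAddress) -> int:
    """Count the leading one-bits of a contiguous netmask.

    Rejects non-contiguous masks such as 255.0.255.0, which would otherwise
    silently map to a wrong prefix length.
    """
    bits = mask_addr.max_prefixlen
    value = int(mask_addr)
    prefix = bin(value).count("1")
    expected = (((1 << prefix) - 1) << (bits - prefix)) if prefix else 0
    if value != expected:
        raise ValueError(f"non-contiguous netmask {mask_addr}")
    return prefix


def prefix_from_netmask(netmask: str) -> int:
    """Return the prefix length for a netmask string reported by an
    interface-enumeration library.

    Three shapes are handled:
      "ffff:ffff:ffff:ffff::/64"  mask with a trailing prefix (the shape
                                  the commit says broke the parser)
      "255.255.255.0"             dotted IPv4 mask
      "64"                        bare prefix length
    """
    netmask = netmask.strip()
    if "/" in netmask:
        mask_part, prefix_part = netmask.split("/", 1)
        prefix = int(prefix_part)
        if mask_part:
            # The mask before the slash must agree with the stated prefix;
            # a mismatch means the string was mangled somewhere upstream.
            mask_addr = ipaddress.ip_address(mask_part)
            if _mask_to_prefix(mask_addr) != prefix:
                raise ValueError(f"mask {mask_part} does not match /{prefix}")
            if prefix > mask_addr.max_prefixlen:
                raise ValueError(f"prefix /{prefix} too long for {mask_part}")
        return prefix
    if netmask.isdigit():
        return int(netmask)
    return _mask_to_prefix(ipaddress.ip_address(netmask))


def interface_network(addr: str, netmask: str) -> ipaddress._BaseNetwork:
    """Build the network an interface address belongs to.

    A zone index ("fe80::1%eth0", common for link-local addresses) is
    stripped so the address parses on every supported Python version.
    """
    addr = addr.split("%", 1)[0]
    prefix = prefix_from_netmask(netmask)
    iface = ipaddress.ip_interface(f"{addr}/{prefix}")
    return iface.network


if __name__ == "__main__":
    # Constructed sample values in the shapes the helper accepts.
    for a, m in [("2001:db8::1", "ffff:ffff:ffff:ffff::/64"),
                 ("192.0.2.10", "255.255.255.0"),
                 ("fe80::1%eth0", "64")]:
        print(a, m, "->", interface_network(a, m))
```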
This testconfig is temporary until all plugins are migrated to py3.
After that this temporary config file will be removed and only the
previous one will be used again
Reviewed-By: Stanislav Laznicka <>
We will be testing both py2 and py3 packages; the first step is to use only py2
builds for testing py2 packages
Reviewed-By: Stanislav Laznicka <>
We cannot reliably determine when an IP address is a network or broadcast address.
We allowed the use of non-local IP addresses due to container use cases; we
don't know the subnets of the IP addresses used.
Reviewed-By: David Kupka <>
ipa-dns-install uses ip_netmask=False --> parse_netmask=False, other installers use the default (parse_netmask=True).
Use this consistently across all installers.
Also this option is unused (and shouldn't be used).
Reviewed-By: David Kupka <>
This parameter is unused in code. We are no longer testing if IP address
matches an interface in constructor.
Reviewed-By: David Kupka <>
Previously (bf9886a84393d1d1546db7e49b102e08a16a83e7) match_local had the
undesirable side effect that the CheckedIPAddress object set self._net
from the local interface.
However with the recent changes, match_local is usually set to False,
thus this side effect stops happening and the default mask per address class
is used. This causes a validation error because the mask on the interface and the mask
used for provided IP addresses differ (reproducible only with classless
FreeIPA should compare only IP addresses with local addresses without masks
Reviewed-By: David Kupka <>
KDC cert validation was added but provides rather non-descriptive
error should there be something wrong with a certificate. Pass
the error message from the `openssl` tool in such cases.
Reviewed-By: Martin Babinsky <>
Previous attempt to improve error messages during certificate
validation would only work in English locale so we're keeping
the whole NSS messages for all cases.
Reviewed-By: Martin Babinsky <>
The cert-find command now uses the proxy to reach Dogtag, instead of using
the port 8080. In order to accomplish that, it's necessary to change the
proxy configuration including the URL called.
Reviewed-By: Fraser Tweedale <>
There have been several instances of people using the profile
configuration template files as actual profile configurations,
resulting in failures and support load. Add a README to the profile
template directory to explain that these files should not be used
and advise of the recommended procedure.
Reviewed-By: Martin Basti <>
If logs aren't collected to logfile_dir, skip collection of systemd
Signed-off-by: Tomas Krizek <>
Reviewed-By: Martin Basti <>
Reviewed-By: Alexander Bokovoy <>
Invocation of the ipa dnsserver-find command failed with
internal server error when there is no DNS server in topology.
Reviewed-By: Martin Basti <>
The ID range comparison was comparing numbers to a string or possibly
to `None` and was tailored in such a way that the check would always
pass although it went directly against the definition of the absolute
value of a substitution.
Reviewed-By: Martin Basti <>
Reviewed-By: Alexander Bokovoy <>
We don't have a use for realm as a bytes instance, return it as a
string, otherwise there's a use of str() on bytes in py3.
Reviewed-By: Martin Basti <>
When installing a second (or subsequent) KRA instance, keys are retrieved
using custodia. Custodia checks that the keys are synchronized in the
master's directory server and the check uses GSSAPI and therefore fails
if there's no ticket in ccache.
Reviewed-By: Stanislav Laznicka <>
Signed-off-by: David Kreitschmann <>
Reviewed-By: David Kupka <>
Reviewed-By: Martin Babinsky <>
It is now possible to change UPN suffixes in WebUI. This change
allows another way of changing UPN suffixes for AD users.
Reviewed-By: Alexander Bokovoy <>
There are two ways for maintaining user principal names (UPNs) in Active
- associate UPN suffixes with the forest root and then allow for each
user account to choose UPN suffix for logon
- directly modify userPrincipalName attribute in LDAP
Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.
The latter (directly modifying userPrincipalName) case has the consequence
that this UPN suffix is not visible via the netr_DsRGetForestTrustInformation
DCE RPC call. As a result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As a result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.
This is especially true for one-word UPNs which otherwise wouldn't work
properly on Kerberos level for both FreeIPA and Active Directory.
Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.
As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible for specifying all of them:
ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}
Reviewed-By: Martin Babinsky <>
The advise printing code was augmented by methods that simplify
generating bash snippets that report errors or failed commands.
Reviewed-By: Alexander Bokovoy <>
Reviewed-By: Florence Blanc-Renaud <>
In, store_data() stores data as the bytes data
type but get_data() is returning a string. Have get_data() return
bytes as well.
Reviewed-By: Martin Basti <>
User with the 'Enrollment Administrator' role assigned is able to
enroll client with ipa-client-install command.
Reviewed-By: Alexander Bokovoy <>
Reviewed-By: Martin Basti <>
In future default package names can start pointing to py3 instead of
py2. We have to explicitly ask for python2-* and python3-* packages.
This commit changes only dependencies that are available in both F25 and
Reviewed-By: Stanislav Laznicka <>
After invocation of the ipa server-del <hostname>
command there was still a record in ldap if DNS
was installed on the <hostname> server.
Reviewed-By: Martin Basti <>
Older clients have issues properly parsing cookies and the sessionMaxAge
setting is one of those that breaks them.
Comment out the setting and add a comment that explains why it is not
set by default.
Signed-off-by: Simo Sorce <>
Reviewed-By: Pavel Vomacka <>
Reviewed-By: Alexander Bokovoy <>
This is done by setting the kinit_lifetime option in default.conf
to a value that can be passed in with the -l option syntax of kinit.
Signed-off-by: Simo Sorce <>
Reviewed-By: Pavel Vomacka <>
Reviewed-By: Alexander Bokovoy <>
Currently the certauth plugin uses the unmodified principal from the
request to look up the user. This might fail if e.g. enterprise
principals are used. With this patch the canonical principal from the KDC
entry is used.
Reviewed-By: David Kupka <>
Complete fixing of the bug requires fix on python-gssapi side.
That fix is included in version 1.2.0-5.
Reviewed-By: Stanislav Laznicka <>
The OCSP check was previously turned on but it introduced several
issues. Therefore the check will be turned off by default.
To turn it on, the ipa advise command with the correct recipe should be used.
The solution is tracked here:
Reviewed-By: Martin Babinsky <>
Enabling PKINIT often fails during server upgrade when requesting the KDC
Now that PKINIT can be enabled post-install using ipa-pkinit-manage, avoid
the upgrade failure by not enabling PKINIT by default.
Reviewed-By: Martin Babinsky <>
Add the ipa-pkinit-manage tool to allow enabling / disabling PKINIT after
the initial server install.
Reviewed-By: Martin Babinsky <>
After the KDC certificate is installed, add the PKINIT enabled flag to the
KDC master entry.
Reviewed-By: Martin Babinsky <>
When trying to delete a partially removed master entry lacking the
'iparepltopomanagedsuffix' attribute, the code that tries to retrieve
the value for further computations passes None and causes unhandled
internal errors.
If the attribute is empty or not present, we should return an empty list
instead so as to not break the calling code.
Reviewed-By: Felipe Volpone <>
We automatically add 'otp' and 'radius' authentication indicators when
pre-authentication with OTP or RADIUS did succeed. Do the same for
certauth-based pre-authentication (PKINIT).
A default PKINIT configuration does not add any authentication
indicators unless 'pkinit_indicator = pkinit' is set in kdc.conf.
Unfortunately, modifying kdc.conf automatically is a bit more
complicated than modifying krb5.conf. Given that we have 'otp' and
'radius' authentication indicators also defined in the code not in the
kdc.conf, this change is following an established trend.
SSSD certauth interface does not provide additional information about
which rule(s) succeeded in matching the incoming certificate. Thus,
there is not much information we can automatically provide in the
indicator. It would be good to generate indicators that include some
information from the certmapping rules in future but for now a single
'pkinit' indicator is enough.
Reviewed-By: Simo Sorce <>
In the primary key is krbCanonicalName, which we
don't want to use to do searches. Now, cert-find uses the primary
key or a specified attribute to do searches in LDAP, instead
of using only the primary key.
Reviewed-By: Martin Babinsky <>
Reviewed-By: Jan Cholasta <>
Reviewed-By: Fraser Tweedale <>
There was a recursion in RPCClient.create_connection() which under rare
circumstances would not have an ending condition. This commit removes
it and cleans up the code a bit as well.
Reviewed-By: Florence Blanc-Renaud <>