Use Python-3 compatible syntax, without breaking compatibility with py 2.7
- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
strict type checking checking, e.g. type(0).
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When retrieving keytab, it is useful to know what user was attempting
to fetch the keyts and failed. This is useful to debug one-way trust
where SSSD forks out a process of ipa-getkeytab and it might be using
a wrong credentials cache for authentication purposes.
Part of https://fedorahosted.org/freeipa/ticket/4959
Reviewed-By: Tomas Babej <tbabej@redhat.com>
To support AD trust agents, we need to run sidgen and extdom plugins
on every IPA master. Lack of working configuration, thus, is not a
failure so reduce log level to normal as sidgen plugin will not
be active if domain SID is missing but it can certainly be kept
enabled.
Part of https://fedorahosted.org/freeipa/ticket/4951
Reviewed-By: Tomas Babej <tbabej@redhat.com>
When trust is established, ipasam module creates a number of objects in LDAP
to represent the trust information. Among them, for one-way trust we create
a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest
and AD is a realm of the trusted Active Directory forest root domain.
This principal is then used by SSSD on IPA masters to authenticate against
trusted Active Directory domain controllers and retrieve information about
user and group identities.
FreeIPA also uses this principal's credentials to retrieve domain topology.
The access to the keys of the principal should be well-protected. We only
allow to retrieve the keytab for it for members of cn=adtrust agents group.
This group is populated with host/ and cifs/ principals from IPA masters.
Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters
where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install
on the master which will be configured to be a domain controller (e.g.
run Samba with ipasam), and specify --add-agents option to trigger activation
of the interactive mode to specify which IPA masters to enable.
Fixes https://fedorahosted.org/freeipa/ticket/4962
Part of fixes for https://fedorahosted.org/freeipa/ticket/4546
Reviewed-By: Tomas Babej <tbabej@redhat.com>
When incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.
Note that we treat user's SID and primary group RID filtering as violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.
For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1
it is OK to have empty group RIDs array as GroupCount SHOULD be
equal to Groups.MembershipCount returned by SamrGetGroupsForUser
[MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty.
Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475
Reviewed-By: Tomas Babej <tbabej@redhat.com>
in the preop check do not reject the deletion of a segment, if not both endpoints
are managed servers for the suffix
thisis part of work for ticlet #5072
Reviewed-By: Simo Sorce <ssorce@redhat.com>
reject attempts to add segments to suffixes, which do not exist or are not configured.
check completenes and validity of segment attributes
cf ticket 5088: https://fedorahosted.org/freeipa/ticket/5088
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Online initialization can be triggered by setting "nsds5BeginReplicaRefresh[;left|;right]": start to a
segment. But this field remained in the segment and after restart the init would be executed again.
see Ticket #5065
To fix this the field is cleared:
- after a backend comes back online after being initialized
- since there is a delay and the sending server could be restarted in between,
the field is also scheced and renḿoved at startup
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
This patch moves duplicate code in `ipadb_get_connection` to get default and
supported key encodings/salt types from Kerberos container to a common
function handling this task.
It is actually a small cosmetic enhancement of the fix of
https://fedorahosted.org/freeipa/ticket/4914
Reviewed-By: Martin Basti <mbasti@redhat.com>
New exporter's command 'ipa-full-update' will resynchronize all zone
keys from ODS database to LDAP.
This command holds database lock for the whole time to avoid race
conditions so it should be used only in special cases, e.g. during
master server migration.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Martin Basti <mbasti@redhat.com>
Previously only systemd socket activation was supported.
Ability to call the command directly is handy in special cases,
e.g. for debugging or moving key master role from one server to another.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Martin Basti <mbasti@redhat.com>
this patch contains the following improvements:
check for existing segments works for all combinations of one directional and bidirectional segments
rdns of replication agreements generated from one directional segments are preserves after
merging of segments, so that deletion of the segment deletes the corresponding replication
agreements
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
The attribute mentioned was using an older name that was later changed
in the implementation.
Also add a prominent warning about the use of the kadmin flags.
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
when a server is removed from the topology the plugin tries to remove the
credentials from the replica and the bind dn group.
It performs an internal search for the ldap principal, but can fail if it was already removed
Due to an unitialized variable in this case it can eitehr crash or erroneously remove all
principals.
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
when updating an replication agreement from a toplogy segment an incorrect default value was used for bindmethod.
Only attributes explicitely set in the segment should be applied.
At shutdown the server could crash because the plugin was called after it was stopped.
https://fedorahosted.org/freeipa/ticket/5035
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
When kadmin tries to change a password it will get the allowed keysalts
from the password policy. Failure to provide them will result in kadmin
using the defaults specified in the kdc.conf file or hardcoded defaults
(the default salt is then of type NORMAL).
This patch provides the supported values that have been read out of the
appropriate LDAP attribute when we read the server configuration.
Then at actual password change, check if kadmin is handing us back the exact
list of supported encsalts we sent it, and in that case replace it with the
real default encsalts.
Fixes https://fedorahosted.org/freeipa/ticket/4914
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
ipa-dnskeysyncd, ipa-dnskeysync-replica, and ipa-ods-exporter use a generic
'ccache' filename for credential storage, making debugging Kerberos-related
errors unnecessarily complicated. This patch renames the ccache files so that
each of these daemons now has its own credenital cache.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Calls to ipautil.run using kinit were replaced with calls
kinit_keytab/kinit_password functions implemented in the PATCH 0015.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
