cn=sysaccounts,cn=etc now has a default password policy to permit system
accounts with krbPrincipalAux object class. This allows system accounts
to have a keytab that does not expire.
The "Default System Accounts Password Policy" has a minimum password
length in case the password is directly modified with LDAP.
Fixes: https://pagure.io/freeipa/issue/8276
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix the syntax in ipa-cacert-manage.1 and default.conf.5
Fixes: https://pagure.io/freeipa/issue/8273
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Also add runstatedir autoconf var. IPA requires autoconf 2.59. The
variable will be available with autoconf 2.70.
Fixes: https://pagure.io/freeipa/issue/8272
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-backup does not check whether the IPA master it is running on has
all used roles installed. This can lead into situations where backups
are done on a CAless or KRAless host while these roles are used in the
IPA cluster. These backups cannot be used to restore a complete cluster.
With this change, ipa-backup refuses to execute if the roles installed
on the current host do not match the list of roles used in the cluster.
A --disable-role-check knob is provided to restore the previous behavior.
Fixes: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
For SAN IPAddress extension the cert plugin verifies that the IP address
matches the host entry. Certmonger uses the host principal to
authenticate and retrieve certificates. But the host principal did not
have permission to read DNS entries from LDAP.
Allow all hosts to read some entries from active DNS records.
Fixes: https://pagure.io/freeipa/issue/8098
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In opendnssec 2.1.6, the <Interval> element is not supported in the
configuration file.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
AJP implementation in Tomcat is vulnerable to CVE-2020-1938 if used
without shared secret. Set up a shared secret between localhost
connector and Apache mod_proxy_ajp pass-through.
For existing secured AJP pass-through make sure the option used for
configuration on the tomcat side is up to date. Tomcat 9.0.31.0
deprecated 'requiredSecret' option name in favor of 'secret'. Details
can be found at https://tomcat.apache.org/migration-9.html#Upgrading_9.0.x
Fixes: https://pagure.io/freeipa/issue/8221
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When ipa-adtrust-install is run, the tool detects masters that are
not enabled as trust agents and propose to configure them. With the
current code, the Schema Compat plugin is not enabled on these new
trust agents and a manual restart of LDAP server + SSSD is required.
With this commit, ipa-adtrust-install now calls remote code on the new
agents through JSON RPC api, in order to configure the missing parts.
On the remote agent, the command is using DBus and oddjob to launch
a new command,
/usr/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent [--enable-compat]
This command configures the Schema Compat plugin if --enable-compat is
provided, then restarts LDAP server and SSSD.
If the remote agent is an older version and does not support remote
enablement, or if the remote server is not responding, the tool
ipa-adtrust-install prints a WARNING explaining the steps that need
to be manually executed in order to complete the installation, and
exits successfully (keeping the current behavior).
Fixes: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
The trailing dot causes it to not function as expected, remove
it from the example.
https://pagure.io/freeipa/issue/8201
Reviewed-By: Christian Heimes <cheimes@redhat.com>
We cannot gather information about required DNS records before "ADTrust
Controller" role is enabled on this server. As result, we need to call
the step to add DNS records after the role was enabled.
Fixes: https://pagure.io/freeipa/issue/8192
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
There is an ordering discrepancy because the base compat tree
configuration is in install/updates/80-schema_compat.update so it is ran
after 50-externalmembers.update. And since at that point
cn=groups,cn=Schema ... does not exist yet, external members
configuration is not applied.
Move it around to make sure it is applied after Schema Compatibility
plugin configuration is created.
Fixes: https://pagure.io/freeipa/issue/8193
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Commit 49cf5ec64b fixed a bug that
prevented migration from externally-signed to self-signed IPA CA.
But it introduced a subtle new issue: certmonger-initiated renewal
renews an externally-signed IPA CA as a self-signed CA.
To resolve this issue, introduce the `--force-self-signed' flag for
the dogtag-ipa-ca-renew-agent script. Add another certmonger CA
definition that calls this script with the `--force-self-signed'
flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed
CA certificate if the existing certificate is self-signed or if
`--force-self-signed' was given. Update `ipa-cacert-manage renew'
to supply `--force-self-signed' when appropriate.
As a result of these changes, certmonger-initiated renewal of an
externally-signed IPA CA certificate will not issue a self-signed
certificate.
Fixes: https://pagure.io/freeipa/issue/8176
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Before removing a CA re-verify all the other CAs to ensure that
the chain is not broken. Provide a force option to handle cases
where the CA is expired or verification fails for some other
reason, or you really just want them gone.
https://pagure.io/freeipa/issue/8124
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
A "cookie" is used with certmonger to track the state of a
request across multiple requests to a CA (in ca-cookie). This
is used with the certmonger POLL operation to submit a request
to the CA for the status of a certificate request. This, along
with the profile, are passed to the certmonger CA helper
scripts via environment variables when a request is made. It is
cleared from the certmonger request once the certificate is
issued.
This CA helper can do a number of things:
- SUBMIT new certicate requests (including the CA)
- POLL for status of an existing certificate request
- For non renewal masters, POLL to see if an updated cert is in
LDAP
A POLL operation requires a cookie so that the state about the
request can be passed to the CA. For the case of retrieving an
updated cert from LDAP there is no state to maintain. It just
checks LDAP and returns either a cert or WAIT_WITH_DELAY if one
is not yet available.
There are two kinds of cookies in operation here:
1. The CERTMONGER_CA_COOKIE environment variable passed via
certmonger to this helper which is a JSON object.
2. The cookie value within the JSON object which contains the
URL to be passed to dogtag.
For the purposes of clarity "cookie" here is the value within
the JSON.
The CERTMONGER_CA_COOKIE is deconstructed and reconstructed as
the request is processed, doing double duty. It initially comes
in as a JSON dict object with two keys: profile and cookie.
In call_handler the CERTMONGER_CA_COOKIE is decomposed into a
python object and the profile compared to the requested profile
(and request rejected if they don't match) and the cookie key
overrides the CERTMONGER_CA_COOKIE environment variable. This is
then reversed at the end of the request when it again becomes a
JSON object containing the profile and cookie.
This script was previously enforcing that a cookie be available on
all POLL requests, whether it is actually required or not. This
patch relaxes that requirement.
The first request of a non-renewal master for an updated certicate
from LDAP is a SUBMIT operation. This is significant because it
doesn't require a cookie: there is no state on a new request. If
there is no updated cert in LDAP then the tracking request goes
into the CA_WORKING state and certmonger will wait 8 hours (as
returned by this script) and try again.
Subsequent requests are done using POLL. This required a cookie
so all such requests would fail with the ca-error
Invalid cookie: u'' as it was empty (because there is no state).
There is no need to fail early on a missing cookie. Enforcement
will be done later if needed (and it isn't always needed). So
if CERTMONGER_CA_COOKIE is an empty string then generate a new
CERTMONGER_CA_COOKIE containing the requested profile and an empty
cookie. It still will fail if certmonger doesn't set a cookie at
all.
An example of a cookie when retrieving a new RA Agent certificate
is:
{"profile": "caServerCert", "cookie": "state=retrieve&requestId=20"}
This will result in this request to the CA:
[09/Jan/2020:14:29:54 -0500] "GET
/ca/ee/ca/displayCertFromRequest?requestId=20&importCert=true&xml=true
HTTP/1.1" 200 9857
For a renewal, the reconstructed cookie will consist of:
{"profile": "caServerCert", "cookie": ""}
https://pagure.io/freeipa/issue/8164
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
After an upgrade, the group cn=adtrust agents may be missing some members.
Each ad trust controller must appear twice as member:
- krbprincipalname=cifs/hostname@realm,cn=services,cn=accounts,basedn
- fqdn=hostname,cn=computers,cn=accounts,basedn
Add an upgrade plugin that builds a list of hostnames from the cifs
principals and adds if needed fqdn=hostname...
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1778777
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
For the authentication indicators 'otp', 'radius', 'pkinit', and
'hardened', allow specifying maximum ticket life and maximum renewable
age in Kerberos ticket policy.
The policy extensions are now loaded when a Kerberos principal data is
requested by the KDC and evaluated in AS_REQ KDC policy check. If one of
the authentication indicators mentioned above is present in the AS_REQ,
corresponding policy is applied to the ticket.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The fix prevents blocking elements in the right side near notification area.
Notification area now has fixed width and it isn't offset.
Also notification icon is aligned to notification text.
Ticket: https://pagure.io/freeipa/issue/8120
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
- fix API method call for adding member manager
- fix regressions in host group associated tables
Ticket: https://pagure.io/freeipa/issue/8123
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
While [1] did open recursion, it also opened widely a security flaw.
This patch intends to close it back, while allowing operators to easily
add their open configuration within Bind9.
In order to allow operators to still open Bind recursion, a new file is
introduced, "ipa-ext.conf" (path might change according to the OS). This
file is not managed by the installer, meaning changes to it won't be
overridden.
Since it's included at the very end of the main configuration file, it
also allows to override some defaults - of course, operators have to be
careful with that.
Related-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1754530
Fixes: https://pagure.io/freeipa/issue/8079
[1] 5f4c75eb28
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
A group membership manager is a user or a group that can add members to
a group or remove members from a group or host group.
Fixes: https://pagure.io/freeipa/issue/8114
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add FIPS conditional to updates to prevent updater from adding camellia
encsalttypes.
Fixes: https://pagure.io/freeipa/issue/8111
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add an upgrade script to detect when ipakra people entry has
incorrect 'description' attribute and fix it.
Part of: https://pagure.io/freeipa/issue/8084
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Some options were not documented in the man page:
--version
-h, --help
-p DIRMAN_PASSWD (but the long name --dirman-password is in the man page)
-v, --verbose
-q, --quiet
--log-file=FILE
Fixes: https://pagure.io/freeipa/issue/8086
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Update the ipa-pki-retrieve-key client to issue a request that
specifies that AES encryption should be used. If the server
responds 404, fall back to a request *without* an algorithm
parameter. This handles both of the possible 404 scenarios:
a) It is an old server that does not support extra Custodia key
parameters;
b) The server supports extra parameters but the key does not exist,
in which case the fallback request will also fail with 404.
Fixes: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Helper scripts now use api.bootstrap(log=None) to avoid the creation of
log files. Helper scripts are typically executed from daemons which
perform their own logging. The helpers still log to stderr/stdout.
This also gets rid of some SELinux AVCs when the script tries to write
to /root/.ipa/.
Fixes: https://pagure.io/freeipa/issue/8075
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When the --server option is provided to ipa-replica-install (1-step
install), make sure that the server offers all the required roles
(CA, KRA). If it's not the case, refuse the installation.
Note that the --server option is ignored when promoting from client to
replica (2-step install with ipa-client-install and ipa-replica-install),
meaning that the existing behavior is not changed in this use case:
by default the host specified in default.conf as server is used for
enrollment, but if it does not provide a required role, another host can
be picked for CA or KRA setup.
Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
"New Test" action cleared only information about selected options but kept
radio buttons checked. It confused users and caused an error on validation step.
New behaviour is:
- tables forget all selected values after "New Test" click;
- first table record is checked initially in case the option is mandatory;
- all records is unchecked initially in case the option is not mandatory.
Ticket: https://pagure.io/freeipa/issue/8031
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
No object can be added to a rule when object category is 'all'.
So while editing rule there is needed to save actual category value
before adding related objects.
Ticket: https://pagure.io/freeipa/issue/7961
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.
This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permissions which
grants access to trust agents and trust admins.
Resolves: https://pagure.io/freeipa/issue/8067
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The implementation includes checking password policy for selected user.
'Unlock' option is available only in case user reached a limit of login failures.
Ticket: https://pagure.io/freeipa/issue/5062
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Given the changes in IPA server API changes, whebUI is modified to
utilize new authentication indicators, and disabled custom indicators
for services' white list.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
As of release 1.17, KDC can be configured to apply authentication
indicator for SPAKE, PKINIT, and encrypted challenge preauth via
FAST channel, which are not configured in current version of freeIPA.
Note that even though the value of encrypted_challenge_indicator is
attached only when encrypted challenge preauth is performed along
a FAST channel, it's possible to perform FAST without encrypted
challenge by using SPAKE. Since there is no reason to force clients
not to use SPAKE while using FAST, we made a design choice to merge
SPAKE and FAST in a new option called "Hardened Password", which
requires user to use at least one of SPAKE or FAST channel. Hence
same value attaching to both spake_preauth_indicator and
encrypted_challenge_indicator.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
On startup certmonger performs a number of options on the
configured CA (IPA, not to be confused with the real dogtag CA)
and the tracking requests.
Break early for operations that are not supported by ipa-submit.
This will save both a fork and a lock call.
https://bugzilla.redhat.com/show_bug.cgi?id=1656519
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Wait until we know a supported operation is being called
(SUBMIT and POLL) before initializing the API, which can be
an expensive operation.
https://bugzilla.redhat.com/show_bug.cgi?id=1656519
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This will let us call it from ipaplatform.
Mark the original location as deprecated.
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
If ipa-replica-manage is unable to retrieve e.g. due to certificate
validity problem. An UnboundLocalError is thrown for `type1`. This fixes
the issue with a clean exit.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
- Add 'Server Options' section to the page
- Add 'IPA master capable of PKINIT' field to the 'Server Options'
Ticket: https://pagure.io/freeipa/issue/7305
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Update the renewal helper to always request a new certificate
("enrollment request") instead of using "renewal request". The
latter is brittle in the face of:
- missing certificate record in database
- missing original request record in database (pointed to by
certificate record)
- "mismatched" certificate or request records (there have been many
cases of this; it is suspected that request/serial range conflicts,
or something similar, may be the cause)
The Dogtag tracking request must know what profile to use, except
where the certificate uses the default profile ("caServerCert" per
'dogtag-ipa-renew-agent' implementation in Certmonger itself).
This part of the puzzle was dealt with in previous commits.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
To aid reader comprehension, use long options instead of short
options when invoking dogtag-ipa-renew-agent.
-N -> --force-new
-O -> --approval-option
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Commit dd47cfc75a removed the ability
to set pki_req_ext_oid and pki_req_ext_data in the pkispawn config.
This results in the --external-ca-profile option never setting the
requested values in the CSR (the default V1 template type specifying
"SubCA" is always used).
Remove relevant fields from both ipaca_default.ini and
ipaca_customize.ini. This allows the IPA framework to set the
values (i.e. when --external-ca-type=ms-cs and
--external-ca-profile=... demand it). It also allows users to
override the pki_req_ext_* settings.
Part of: https://pagure.io/freeipa/issue/7548
Related: https://pagure.io/freeipa/issue/5608
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
As we expand the integration tests for external CA functionality, it
is helpful (and avoids duplication) to use the MSCSTemplate*
classes. These currently live in ipaserver.install.cainstance, but
ipatests is no longer permitted to import from ipaserver (see commit
81714976e5e13131654c78eb734746a20237c933). So move these classes to
ipalib.
Part of: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
During an investigation into filter optimisation in 389DS it was
discovered that two attributes of the certmap query are unindexed.
Due to the nature of LDAP filters, if any member of an OR query is
unindexed, the entire OR becomes unindexed.
This is then basically a full-table scan, which applies the filter test
to the contained members.
Fixes: https://pagure.io/freeipa/issue/7932
Fixes: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Active Directory schema includes altSecurityIdentities attribute
which presents alternative security identities for a bindable object in
Active Directory.
FreeIPA doesn't currently use this attribute. However, SSSD certmap
library may generate searches referencing the attribute if it is
specified in the certificate mapping rule. Such search might be
considered unindexed in 389-ds.
Define altSecurityIdentities attribute to allow specifying indexing
rules for it.
Fixes: https://pagure.io/freeipa/issue/7932
Related: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
A previous refactoring of SELinux tests has have a wrong
assumption about the user field separator within
ipaSELinuxUserMapOrder. That was '$$', but should be just '$'.
Actually, '.ldif' and '.update' files are passed through
Python template string substitution:
> $$ is an escape; it is replaced with a single $.
> $identifier names a substitution placeholder matching
> a mapping key of "identifier"
This means that the text to be substituted on should not be escaped.
The wrong ipaSELinuxUserMapOrder previously set will be replaced on
upgrade.
Fixes: https://pagure.io/freeipa/issue/7996
Fixes: https://pagure.io/freeipa/issue/8005
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
These are already marked as deprecated by the KDC.
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The only permitted ciphers are the AES family (called aes, which
is the combination of: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and
aes128-cts-hmac-sha256-128).
DES, RC4, and Camellia are not permitted in FIPS mode. While 3DES
is permitted, the KDF used for it in krb5 is not, and Microsoft
doesn't implement 3DES anyway.
This is only applied on new installations because we don't
allow converting a non-FIPS install into a FIPS one.
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.
This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER
and applies corresponding changes to the test code.
Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
According to ipaserver/install/ldapupdate.py, the format of `replace`
action (during a parsing of update files) should be `old::new`.
By now, the value to be replaced on is 'ipaSELinuxUserMapOrder: guest_u$$...',
while it should be 'guest_u$$...'.
Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
SMB attributes are used by Samba domain controller when reporting
details about IPA users via LSA DCE RPC calls.
Based on the initial work from the external plugin:
https://github.com/abbra/freeipa-user-trust-attributes
Related: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Tibor Dudlák <tdudlak@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Apply pagination filter for cases when all table data is already loaded.
Ticket: https://pagure.io/freeipa/issue/6627
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Administrator should reset user password to make the unlock option available.
Ticket: https://pagure.io/freeipa/issue/5062
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When DCERPC clients use Kerberos authentication, they use a service
ticket to host/domain.controller because in Active Directory any
service on the host is an alias to the machine account object.
In FreeIPA each Kerberos service has own keys so host/.. and cifs/..
do not share the same keys. It means Samba suite needs to have access to
host/.. keytab entries to validate incoming DCERPC requests.
Unfortunately, MIT Kerberos has no means to operate on multiple keytabs
at the same time and Samba doesn't implement this either. We cannot use
GSS-Proxy as well because Samba daemons are running under root.
As a workaround, copy missing aes256 and aes128 keys from the host
keytab. SMB protocol doesn't use other encryption types and we don't
have rc4-hmac for the host either.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Since we are authenticating against AD DC before talking to it (by using
trusted domain object's credentials), we need to override krb5.conf
configuration in case --server option is specified.
The context is a helper which is launched out of process with the help
of oddjobd. The helper takes existing trusted domain object, uses its
credentials to authenticate and then runs LSA RPC calls against that
trusted domain's domain controller. Previous code directed Samba
bindings to use the correct domain controller. However, if a DC visible
to MIT Kerberos is not reachable, we would not be able to obtain TGT and
the whole process will fail.
trust_add.execute() was calling out to the D-Bus helper without passing
the options (e.g. --server) so there was no chance to get that option
visible by the oddjob helper.
Also we need to make errors in the oddjob helper more visible to
error_log. Thus, move error reporting for a normal communication up from
the exception catching.
Resolves: https://pagure.io/freeipa/issue/7895
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Now that ipa-client-automount and ipactl main logic has been
moved into modules, introduce minimal executables.
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Disable link to user page from user ID override in case it is in 'Default Trust View'
Ticket: https://pagure.io/freeipa/issue/7139
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Replace the @PYTHONSHEBANG@ substitution with a valid #!/usr/bin/python3
shebang. This turns Python .in files into valid Python files. The files
can now be checked with pylint and IDEs recognize the files as Python
files.
The shebang is still replaced with "#!$(PYTHON) -E" to support
platform-python.
Related: https://pagure.io/freeipa/issue/7984
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
For now all the default shells of users and admin are hardcoded in
different parts of the project. This makes it impossible to run the
test suite against the setup, which has the default shell differed
from '/bin/sh'.
The single configuration point for the shell of users and admin is
added to overcome this limitation.
Fixes: https://pagure.io/freeipa/issue/7978
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
A CustodiaClient object has to the process environment a bit, e.g. set
up GSSAPI credentials. To reuse the credentials in libldap connections,
it is also necessary to set up a custom ccache store and to set the
environment variable KRBCCNAME temporarily.
Fixes: https://pagure.io/freeipa/issue/7964
Co-Authored-By: Fraser Tweedale <ftweedal@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The ipa-cert-fix tool wraps `pki-server cert-fix`, performing
additional certificate requests for non-Dogtag IPA certificates and
performing additional actions. In particular:
- Run cert-fix with arguments particular to the IPA deployment.
- Update IPA RA certificate in the ipara user entry (if renewed).
- Add shared certificates (if renewed) to the ca_renewal LDAP
container for replication.
- Become the CA renewal master if shared certificates were renewed.
This ensures other CA replicas, including the previous CA renewal
master if not the current host, pick up those new certificates
when Certmonger attempts to renew them.
Fixes: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The ipa-cert-fix program needs to know where to put shared
certificates. Extract the logic that computes the nickname from
dogtag-ipa-ca-renew-agent to new subroutine
cainstance.get_ca_renewal_nickname().
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
When the CA renewal master renews certificates that are shared
across CA replicas, it puts them in LDAP for the other CA replicas
to see. The code to create/update these entries lives in the
dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for
the ipa-cert-fix program too. Extract it to a subroutine in the
cainstance module.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
we remove the "last init status" section in the output of
ipa-replica-manage to avoid confusion and show epoch date
when status is None
Fixes: https://pagure.io/freeipa/issue/7716
Signed-off-by: German Parente <gparente@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
With system-wide crypto policy in use, arcfour-hmac encryption type
might be removed from the list of permitted encryption types in the MIT
Kerberos library. Applications aren't prevented to use the arcfour-hmac
enctype if they operate on it directly.
Since FreeIPA supported and default encryption types stored in LDAP, on
the server side we don't directly use a set of permitted encryption
types provided by the MIT Kerberos library. However, this set will be
trimmed to disallow arcfour-hmac and other weaker types by default.
While the arcfour-hmac key can be generated and retrieved, MIT Kerberos
library will still not allow its use in Kerberos protocol if it is not
on the list of permitted encryption types. We only need this workaround
to allow setting up arcfour-hmac key for SMB services where arcfour-hmac
key is used to validate communication between a domain member and its
domain controller. Without this fix it will not be possible to request
setting up a machine account credential from the domain member side. The
latter is needed for Samba running on IPA client.
Thus, extend filtering facilities in ipa-pwd-extop plugin to explicitly
allow arcfour-hmac encryption type for SMB services (Kerberos principal
name starts with cifs/).
Reviewed-By: Christian Heimes <cheimes@redhat.com>
389-ds will change the default value of nsslapd-unhashed-pw-switch from 'on' to 'off'
For new or upgraded IPA instance, in case of winsync deployment the attribute is set
to 'on' and a warning is displayed. Else the attribute is set to 'nolog'
https://pagure.io/freeipa/issue/4812
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
'Metadata' phase (Web UI initialization flow) doesn't wait "whoami" response.
It causes the error when on the next phase "whoami" data is undefined.
To avoid this "whoami" request now has flag async = false,
so init_metadata waits until it will be completed.
Ticket: https://pagure.io/freeipa/issue/7917
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
On Linux systems the length limit for hostnames is hardcoded
at 64 in MAXHOSTNAMELEN
Solaris, for example, allows 255 characters, and DNS allows the
total length to be up to 255 (with each label < 64).
Add a knob to allow configuring the maximum hostname length (FQDN)
The same validators are used between hosts and DNS to apply
the knob only when dealing with a FQDN as a hostname.
The maxlen option is included so installers can limit the length
of allowed hostnames when the --hostname option is used.
https://pagure.io/freeipa/issue/2018
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This reverts commit 3509545897.
We cannot force increase in minimum SASL security factor until our
consumers are ready to deal with it. Unfortunately, realmd uses
anonymous connection for discovery and validation of IPA LDAP server.
The way it is done is fragile (it doesn't take into account an
advertised IPA version, only checks that 'IPA' string exists in the info
field) but since bumping of minimum SSF prevents reading IPA info field
using anonymous connection, client enrollment fails.
We should get back to bumping minimum SSF after realmd and other
potential consumers are fixed.
Reviewed-By: François Cami <fcami@redhat.com>
ipactl is building a list of currently running services from
the content of /var/run/ipa/services.list, and a list of expected services
from the services configured in LDAP.
Because CA and KRA both correspond to the same pki-tomcatd service, the
lists may contain duplicates. The code handling these duplicates is called
at the wrong place, and may result in a wrong list of services to
stop / restart / start.
The fix removes the duplicates before returning the lists, hence making sure
that there is no error when building the list of services to stop / restart
/ start.
Fixes: https://pagure.io/freeipa/issue/7927
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Implement the import and export handlers for Custodia keys as external
scripts. It's a prerequisite to drop DAC override permission and proper
SELinux rules for ipa-custodia.
Except for DMLDAP, handlers no longer run as root but as handler
specific users with reduced privileges. The Dogtag-related handlers run
as pkiuser, which also help with HSM support.
The export and import handles are designed to be executed by sudo, too.
In the future, ipa-custodia could be executed as an unprivileged process
that runs the minimal helper scripts with higher privileges.
Fixes: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
See https://access.redhat.com/security/vulnerabilities/smbloris for
details.
There is no recommended value but for IPA DC we can limit with 1000
concurrent connections from unrelated clients.
Related: https://pagure.io/freeipa/issue/6951
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Implicit idmap configuration in Samba was changed in Samba 4.7 to always
require range definition. A default ('*') idmap configuration lacks any
range and thus is marked by testparm utility as invalid one.
Since we do not expect Samba allocating any IDs, idmap configuration
needs to be set in a such way that it is correct from Samba side and is
effectively disabling any allocation on those domains that we don't need
to handle.
Note that 'idmap config <domain> : range' parameter accepts range in a
special format with spaces 'begin - end', so we have to keep the
formatting of the range exact.
Related: https://pagure.io/freeipa/issue/6951
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* override ipa_ca_key_size
* test with SHA512withRSA
Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The oddjobd config files are now auto-generated with automake to have
correct path to libexec on all platforms.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Debian has different paths and path suffix for font-awesome. Let's have
explicit paths for all our fonts.
Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
python3 -m lesscpy now works correctly. The make-css.sh script is
replaced with a simpler make call and ipa.css now depends on all less
files.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Dogtag PKI typically takes around 10 seconds to start and respond to
requests. Dogtag uses a simple systemd service, which means systemd is
unable to detect when Dogtag is ready. Commands like ``systemctl start``
and ``systemctl restart`` don't block and wait until the CA is up. There
have been various workarounds in Dogtag and IPA.
Systemd has an ExecStartPost hook to run programs after the main service
is started. The post hook blocks systemctl start and restart until all
post hooks report ready, too. The new ipa-pki-wait-running script polls
on port 8080 and waits until the CA subsystem returns ``running``.
Related: https://pagure.io/freeipa/issue/7916
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The signing key for IPA's CA certificate now uses a 3072 bit RSA key by
default.
According to https://www.keylength.com/, NIST 800-57 Part 1 Rev. 4
recommends 3072 bit RSA keys for keys that are used beyond 2030 for 128 bit
strength.
Fixes: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Mention the new option in the man pages for CA, KRA, replica, and server
installation. The documentation must be improved once we have figured
out which options are going to be supported.
Fixes: pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Allow to specify a pki.ini overlay file on the command line. The override
file can be used to override pkispawn settings.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Note: Some configuration stanzas are deprecated and have been replaced
with new stanzas, e.g. pki_cert_chain_path instead of
pki_external_ca_cert_chain_path.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Common settings like "pki_*_signing_key_algorithm" now use an IPA
specific template variable. The approach makes it easier to change all
signing parameters to use a different algorithm.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In oddjobd it is possible to pass arguments as command line or on the
stdin. We use command line to pass them but the way oddjobd registers
the D-BUS method signatures is by specifying all arguments as mandatory.
Internally, oddjobd simply ignores if you passed less arguments than
specified in the D-BUS defition. Unfortunately, it is not possible to
specify less than maximum due to D-BUS seeing all arguments in the
list (30 is defined for the trust-fetch-domains).
To pass options, have to pad a list of arguments to maximum with empty
strings and then filter out unneeded ones in the script. Option parser
already removes all options from the list of arguments so all we need to
do is to take our actual arguments. In case of trust-fetch-domains, it
is the name of the domain so we can only care about args[0].
Fixes: https://pagure.io/freeipa/issue/7903
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
SSF_MINX 56 level ensures data integrity and confidentiality for SASL
GSSAPI and SASL GSS SPNEGO connections.
Although at least AES128 is enforced pretty much everywhere, 56 is required
for backwards compatibility with systems that announce wrong SSF.
Related: https://pagure.io/freeipa/issue/7140
Related: https://pagure.io/freeipa/issue/4580
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
The IPA specific env vars KRB5_KTNAME and KRB5CCNAME are now defined in
a instance specific ipa-env.conf unit file.
Fixes: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
config_replace_variables() can now also remove lines from a file.
Related: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Refactor com.redhat.idm.trust-fetch.domains oddjob helper to allow
passing administrative credentials and a domain controller to talk to.
This approach allows to avoid rediscovering a domain controller in case
a user actually specified the domain controller when establishing trust.
It also allows to pass through admin credentials if user decides to do
so. The latter will be used later to allow updating trust topology in a
similar oddjob helper.
Resolves: https://pagure.io/freeipa/issue/7895
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-{adtrust|ca|dns|kra}-install on a hidden replica also installs the
new service as hidden service.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
A hidden replica is a replica that does not advertise its services via
DNS SRV records, ipa-ca DNS entry, or LDAP. Clients do not auto-select a
hidden replica, but are still free to explicitly connect to it.
Fixes: https://pagure.io/freeipa/issue/7892
Co-authored-by: Francois Cami <fcami@redhat.com>:
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
SSSD and Samba on IPA masters need to be able to look up POSIX
attributes of trusted domain objects in order to allow Active Directory
domain controllers from trusted forests to connect to LSA and NETLOGON
pipes.
We only have access to read POSIX attributes in cn=accounts,$SUFFIX
subtree rather than whole $SUFFIX. Thus, add an ACI to trusts subtree.
Fixes: https://pagure.io/freeipa/issue/6077
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-replica-manage force-sync --from <server> is performing a wrong check
that may result in the tool looping on "No status yet".
force-sync is adding a nsds5replicaupdateschedule attribute to the
replication agreement in order to force replication to wake up. Note that
this is not a re-initialization (re init drops the current db and reloads
the entire db).
In a second step, force-sync is checking the replication agreement by reading
nsds5BeginReplicaRefresh, nsds5ReplicaLastInitStatus,
nsds5ReplicaLastInitStart and nsds5ReplicaLastInitEnd. This is a wrong
test as force-sync is not an init operation and does not touch these
attributes.
The tool should call wait_for_repl_update rather than wait_for_repl_init.
This way, the check is done on the replication agreement attributes
nsds5replicaUpdateInProgress, nsds5ReplicaLastUpdateStatus,
nsds5ReplicaLastUpdateStart and nsds5ReplicaLastUpdateEnd.
Fixes: https://pagure.io/freeipa/issue/7886
Reviewed-By: Christian Heimes <cheimes@redhat.com>
It allows to avoid confusion with identical short hostnames.
There are two cases implemented:
- no common DNS zone: graph shows FQDN for all nodes
- all nodes have one common DNS zone: graph shows DN relatively to the common zone
https://pagure.io/freeipa/issue/7206
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The new lib389 installer configures LDAPI with correct socket path by
default. Use LDAPI to boot strap the IPA domain and autobind.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Replace get_ldap_uri() + LDAPClient() with new LDAPClient constructors
like LDAPClient.from_realm().
Some places now use LDAPI with external bind instead of LDAP with simple
bind. Although the FQDN *should* resolve to 127.0.0.1 / [::1], there is
no hard guarantee. The draft
https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-04#section-5.1
specifies that applications must verify that the resulting IP is a
loopback API. LDAPI is always local and a bit more efficient, too.
The simple_bind() method also prevents the caller from sending a
password over an insecure line.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add LDAPClient.from_realm(), LDAPClient.from_hostname_secure(), and
LDAPClient.from_hostname_plain() constructors.
The simple_bind() method now also refuses to transmit a password over a
plain, unencrypted line.
LDAPClient.from_hostname_secure() uses start_tls and FreeIPA's CA cert
by default. The constructor also automatically disables start_tls for
ldaps and ldapi connections.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The helper function realm_to_serverid() and realm_to_ldap_uri() are
useful outside the server installation framework. They are now in
ipapython.ipaldap along other helpers for LDAP handling in FreeIPA.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
'Origin' for IPA login page is 'httpS://xxx'. But 'configured' link
has URL like 'http://xxx/ssbrowser.html'.
Since IPA web server doesn't use any kind of Access-Control-Allow-Origin
rules Mozilla Firefox blocks Cross-Origin request due to the Same Origin
policy violation.
So, just follow the Same Origin policy.
Fixes: https://pagure.io/freeipa/issue/7832
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
authselect changed pam_systemd session from optional to required. When
the HBAC rule allow_all is disabled and replaced with more fine grained
rules, loginsi now to fail, because systemd's user@.service is able to
create a systemd session.
Add systemd-user HBAC service and a HBAC rule that allows systemd-user
to run on all hosts for all users by default. ipa-server-upgrade creates
the service and rule, too. In case the service already exists, no
attempt is made to create the rule. This allows admins to delete the
rule permanently.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The data structures for the internal DNS server use the attribute idnsName
instead of cn in the DN. It's also used to search for entries when entries
are added, modified, or removed.
The new index speeds up dnsrecord and dnszone related commands as well
as commands like host-add and host-del --updatedns.
Fixes: https://pagure.io/freeipa/issue/7803
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
An index is used to optimize an LDAP operation. Without an index, 389-DS
has to perform a partial or even full table scan. A full database scan can
easily take 10 seconds or more in a large installation.
* automountMapKey: eq, pres (was: eq)
* autoMountMapName: eq
* ipaConfigString: eq
* ipaEnabledFlag: eq
* ipaKrbAuthzData: eq, sub
* accessRuleType: eq
* hostCategory: eq
automountMapKey and autoMountMapName filters are used for automount.
Installation and service discovery (CA, KRA) use ipaConfigString to find
active services and CA renewal master.
SSSD filters with ipaEnabledFlag, accessRuleType, and hostCategory to
find and cache HBAC rules for each host.
ipaKrbAuthzData is used by ipa host-del. The framework performs a
'*arg*' query, therefore a sub index is required, too.
Partly fixes: https://pagure.io/freeipa/issue/7786
Fixes: https://pagure.io/freeipa/issue/7787
Fixes: https://pagure.io/freeipa/issue/7790
Fixes: https://pagure.io/freeipa/issue/7792
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
IPA doesn't officially support RFC 2307 IP services. However SSSD has a
nsswitch plugin to provide service lookups. The subtree search for
(&(ipserviceport=$PORT)(ipserviceprotocol=$SRV)(objectclass=ipservice)) in
cn=accounts,$SUFFIX has caused performance issues on large
installations.
This patch introduced a dedicated container
cn=ipservices,cn=accounts,$SUFFIX for IP services for future use or 3rd
party extensions. SSSD will be change its search base in an upcoming
release, too.
A new ipServicePort index is added to optimize searches for an IP
service by port. There is no index on ipServiceProtocol because the index
would have poor selectivity. An ipService entry has either 'tcp' or 'udp'
as protocol.
Fixes: https://pagure.io/freeipa/issue/7797
See: https://pagure.io/freeipa/issue/7786
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The CLI script files have additional pylint issues that were not noticed
before. The violations include using dict.keys() without directly
iterating of the result, inconsistent return statements and set([])
instead of set literals.
* dict-keys-not-iterating
* inconsistent-return-statements
* onsider-using-set-comprehensio
See: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Move LDAP service discovery and service definitions from
ipaserver.install to ipaserver. Simplify and unify different
implementations in favor of a single implementation.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
httpd-2.4+ has deprecated the Order, Allow and Deny directives. Use the Require directive instead.
Signed-off-by: Sudharsan Omprakash <sudharsan.omprakash@yahoo.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Pylint warns about inconsistent return statements when some paths of a
function return None implicitly. Make all implicit returns either
explicit or raise a proper exception.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Only a single cert in DER or PEM format would be loaded from the
provided file. Extend this to include PKCS#7 format and load all
certificates found in the file.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
https://pagure.io/freeipa/issue/7579
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
It is a standard SELinux user role included in RHEL (like
user_r, staff_r, guest_r) and used quite often.
Fixes: https://pagure.io/freeipa/issue/7658
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
There were two separate issues:
1. If not enrolling on a pre-configured client then the ntp-server and
ntp-pool options are not being passed down to the client installer
invocation.
2. If the client is already enrolled then the ntp options are ignored
altogether.
In the first case simply pass down the options to the client
installer invocation.
If the client is pre-enrolled and NTP options are provided then
raise an exception.
https://pagure.io/freeipa/issue/7723
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Replace six.moves and six.StringIO/BytesIO imports with cannonical
Python 3 packages.
Note: six.moves.input behaves differently than builtin input function.
Therefore I left six.moves.input for now.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
As for now the default title of add dialogs, which are
initialized from 'association_table' widget, is set to something
like 'Add ${other_entity} into ${entity} ${primary_key}',
where 'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'create_add_dialog' of
'association_table' widget for the all 'Add' actions within
details of entities.
Such concatenation leads to a bad quality translation and
should be changed to an entire sentence.
From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
As for now the 'Add' dialog title, which is initialized within
details of the entity, contains translated concatenated texts,
like:
'Add ${other_entity} into ${entity} ${primary_key}',
where 'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'show_add_dialog' of
association_facet for the all 'Add' actions within details
of entities.
The concatenation leads to a bad quality translation and
should be changed to an entire sentence.
From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
As for now the default title of 'add' dialog is set to something
like 'Add ${entity}', where 'entity' is also translatable text.
Such construction is used via method 'adder_dialog' of Entity
for the all 'Add' actions.
This leads to a bad quality translation and should be changed to
an entire sentence.
From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Python 2 had old style and new style classes. Python 3 has only new
style classes. There is no point to subclass from object any more.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
To improve translation quality the title of 'unprovision' dialog
should be specified explicitly in the spec and should be an entire
sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
As for now the default title of remove dialogs, which are
initialized from 'association_table' facet, is set to something
like 'Remove ${other_entity} from ${entity} ${primary_key}',
where 'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'show_remove_dialog'
of 'association_table' widget for the all 'Delete' actions within
details of entities.
Such concatenation leads to a bad quality translation and
should be changed to an entire sentence.
From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
As for now 'ssbrowser.html' and 'unauthorized.html' pages are
loaded without JS error at development mode only.
There is no standalone 'freeipa/text' module as source at
production mode. Thus 'core' one have to be loaded first and
then 'text'.
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Samba 4.9 became a bit more strict about creating a local NT token and a
failure to resolve or create BUILTIN\Guests group will cause a rejection
of the connection for a successfully authenticated one.
Add a default mapping of the nobody group to BUILTIN\Guests.
BUILTIN\Guests is a special group SID that is added to the NT token for
authenticated users.
For real guests there is 'guest account' option in smb.conf which
defaults to 'nobody' user.
This was implicit behavior before as 'guest account = nobody' by
default would pick up 'nobody' group as well.
Fixes: https://pagure.io/freeipa/issue/7705
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
As for now the default title of remove dialogs, which are
initialized from 'association' facet, is set to something like
'Remove ${other_entity} from ${entity} ${primary_key}', where
'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'show_remove_dialog'
of 'association' facet for the all 'Delete' actions within details
of entities.
Such concatenation leads to a bad quality translation and
should be changed to an entire sentence.
From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
