Commit Graph

46 Commits

Author SHA1 Message Date
Alexander Bokovoy
214aeb7243 ipaserver/dcerpc: store forest topology as a blob in ipasam
winbindd expects forest topology information blob to find out child
domains. We should store it in LDAP and let ipasam to retrieve it.
In fact, ipasam already supports updating and loading this information
but during 'ipa trust-fetch-domains' we didn't provide it.

Make sure the blob is preserved after it was retrieved and also updated
when we fetch forest topology information.

Fixes: https://pagure.io/freeipa/issue/8576
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-22 12:21:33 -05:00
Christian Heimes
3ec1b77f6a Terminology improvements: use block list
Some places have to use the old name because it's part of the stable API
or stable LDAP attributes.

See: https://tools.ietf.org/id/draft-knodel-terminology-01.html
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-23 10:16:29 +02:00
Alexander Bokovoy
ecc0a96d16 support using trust-related operations in the server console
When using `ipa -e in_server=True console` on IPA master, the whole IPA
framework is loaded in the same process ('ipa console'). The context
defined for this configuration is 'cli'. Some trust-related operations
need to load Samba bindings and guard itself to 'lite' and 'server'
contexts.

Upon reviewing these cases I came to conclusion that these guards are
unnecessary. It is enough to require that the context is in the server
code.

Allow these operations if we are operating in server mode. This allows
to debug trust-related issued directly in the IPA console on IPA trust
controllers.

Signed-of-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-08 12:39:34 -04:00
Christian Heimes
690b5519f8 Fix E712 comparison to True / False
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-05-05 10:42:46 +02:00
Florence Blanc-Renaud
233a18b2a2 ipa-adtrust-install: remote command fails if ipa-server-trust-ad pkg missing
When the command ipa-adtrust-install --add-agents is run, it executes
remotely the command trust_enable_agent. This command does not require
the package ipa-server-trust-ad to be installed on the remote node, but
fails if it's not the case because dbus is not imported.
Need to move the "import dbus" outside of the try/except related to
dcerpc import.

Related: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-10 18:21:50 +01:00
Florence Blanc-Renaud
911992b8bf ipa-adtrust-install: run remote configuration for new agents
When ipa-adtrust-install is run, the tool detects masters that are
not enabled as trust agents and propose to configure them. With the
current code, the Schema Compat plugin is not enabled on these new
trust agents and a manual restart of LDAP server + SSSD is required.

With this commit, ipa-adtrust-install now calls remote code on the new
agents through JSON RPC api, in order to configure the missing parts.
On the remote agent, the command is using DBus and oddjob to launch
a new command,
/usr/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent [--enable-compat]
This command configures the Schema Compat plugin if --enable-compat is
provided, then restarts LDAP server and SSSD.

If the remote agent is an older version and does not support remote
enablement, or if the remote server is not responding, the tool
ipa-adtrust-install prints a WARNING explaining the steps that need
to be manually executed in order to complete the installation, and
exits successfully (keeping the current behavior).

Fixes: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-05 14:40:58 +01:00
Stanislav Levin
c6769ad12f Fix errors found by Pylint-2.4.3
New Pylint (2.4.3) catches several new 'true problems'. At the same
time, it warns about things that are massively and reasonably
employed in FreeIPA.

list of fixed:
- no-else-continue
- redeclared-assigned-name
- no-else-break
- unnecessary-comprehension
- using-constant-test (false positive)

list of ignored (responsibility of contributors and reviewers):
- import-outside-toplevel

Fixes: https://pagure.io/freeipa/issue/8102
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-10-21 18:01:32 +11:00
Alexander Bokovoy
6c9fcccfbc trust-fetch-domains: make sure we use right KDC when --server is specified
Since we are authenticating against AD DC before talking to it (by using
trusted domain object's credentials), we need to override krb5.conf
configuration in case --server option is specified.

The context is a helper which is launched out of process with the help
of oddjobd. The helper takes existing trusted domain object, uses its
credentials to authenticate and then runs LSA RPC calls against that
trusted domain's domain controller. Previous code directed Samba
bindings to use the correct domain controller. However, if a DC visible
to MIT Kerberos is not reachable, we would not be able to obtain TGT and
the whole process will fail.

trust_add.execute() was calling out to the D-Bus helper without passing
the options (e.g. --server) so there was no chance to get that option
visible by the oddjob helper.

Also we need to make errors in the oddjob helper more visible to
error_log. Thus, move error reporting for a normal communication up from
the exception catching.

Resolves: https://pagure.io/freeipa/issue/7895
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-06-28 13:30:59 +02:00
Alexander Bokovoy
cb0f24bfe2 Bypass D-BUS interface definition deficiences for trust-fetch-domains
In oddjobd it is possible to pass arguments as command line or on the
stdin. We use command line to pass them but the way oddjobd registers
the D-BUS method signatures is by specifying all arguments as mandatory.

Internally, oddjobd simply ignores if you passed less arguments than
specified in the D-BUS defition. Unfortunately, it is not possible to
specify less than maximum due to D-BUS seeing all arguments in the
list (30 is defined for the trust-fetch-domains).

To pass options, have to pad a list of arguments to maximum with empty
strings and then filter out unneeded ones in the script. Option parser
already removes all options from the list of arguments so all we need to
do is to take our actual arguments. In case of trust-fetch-domains, it
is the name of the domain so we can only care about args[0].

Fixes: https://pagure.io/freeipa/issue/7903
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-04-08 17:51:38 +02:00
Alexander Bokovoy
de4a9875d4 oddjob: allow to pass options to trust-fetch-domains
Refactor com.redhat.idm.trust-fetch.domains oddjob helper to allow
passing administrative credentials and a domain controller to talk to.

This approach allows to avoid rediscovering a domain controller in case
a user actually specified the domain controller when establishing trust.

It also allows to pass through admin credentials if user decides to do
so. The latter will be used later to allow updating trust topology in a
similar oddjob helper.

Resolves: https://pagure.io/freeipa/issue/7895
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-01 13:27:41 +02:00
Stanislav Levin
6f245db8ea Fix formatted translations in trust plugin
Translation objects have support for format(). This allows to
get rid of unicode() which has been removed in Python3.

Also some messages to be translated at request time should
not use format()

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-21 15:30:58 +02:00
Christian Heimes
8ffa33c24e Generate same API.txt under Python 2 and 3
Use Python 3's reprlib with customizations to create same API.txt under
Python 2 and 3. Some plugins have been slightly altered to use stable
sorting for dynamically created parameter lists.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-02-15 09:41:30 +01:00
Christian Heimes
f60b2c5906 LGTM: raise handle_not_found()
Turn calls "handle_not_found()" into "raise handle_not_found()" to
indicate control flow chance. It makes the code easier to understand,
the control flow more obvious and helps static analyzers.

It's OK to raise here because handle_not_found() always raises an
exception.

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-09 07:53:28 +01:00
Christian Heimes
73ee9ff40e LGTM: Fix multiple use before assignment
- Move assignment before try/finally block
- Add raise to indicate control flow change
- Add default value

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-09 07:53:28 +01:00
Alexander Bokovoy
c19eb49935 ipaserver/plugins/trust.py: pep8 compliance
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2017-12-07 21:18:51 +02:00
Alexander Bokovoy
a57f613314 trust: detect and error out when non-AD trust with IPA domain name exists
Quite often users choose wrong type of trust on Active Directory side
when setting up a trust to freeIPA. The trust type supported by freeIPA
is just a normal forest trust to another Active Directory. However,
some people follow old internet recipes that force using a trust to MIT
Kerberos realm.

This is a wrong type of trust. Unfortunately, when someone used MIT
Kerberos realm trust, there is no way to programmatically remote the
trust from freeIPA side. As result, we have to detect such situation and
report an error.

To do proper reporting, we need reuse some constants and trust type
names we use in IPA CLI/Web UI. These common components were moved to
a separate ipaserver/dcerpc_common.py module that is imported by both
ipaserver/plugins/trust.py and ipaserver/dcerpc.py.

Fixes https://pagure.io/freeipa/issue/7264

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2017-12-07 21:18:51 +02:00
Alexander Bokovoy
956e265fae ipaserver/plugins/trust.py; fix some indenting issues
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2017-12-07 21:18:51 +02:00
Florence Blanc-Renaud
891cced446 Improve help message for ipa trust-add --range-type
Add the correct procedure for re-running ipa trust-add with a different
range type.

Fixes:
https://pagure.io/freeipa/issue/7308

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-07 14:00:27 +01:00
Jan Cholasta
7a482b7c72 logging: do not log into the root logger
Deprecate `ipa_log_manager.root_logger` and replace all calls to it with
module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ffadcb0414 logging: remove object-specific loggers
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.

Deprecate object-specific loggers in `ipa_log_manager.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Alexander Bokovoy
abb6384875 trust-mod: allow modifying list of UPNs of a trusted forest
There are two ways for maintaining user principal names (UPNs) in Active
Directory:
 - associate UPN suffixes with the forest root and then allow for each
   user account to choose UPN suffix for logon
 - directly modify userPrincipalName attribute in LDAP

Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.

The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.

This is especially true for one-word UPNs which otherwise wouldn't work
properly on Kerberos level for both FreeIPA and Active Directory.

Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.

As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible to specify all of them:

  ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}

Fixes: https://pagure.io/freeipa/issue/7015
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-14 16:38:12 +02:00
Martin Babinsky
cac7e49daa Refactor the role/attribute member reporting code
The `config` object now hosts a generic method for updating the config
entry for desired server role configuration (if not empty). The
duplicated code in dns/trust/vaultconfig commands was replaced by a call
to a common method.

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Alexander Bokovoy
e560899cce trust: always use oddjobd helper for fetching trust information
Since introduction of privilege separation in IPA framework none of the
operations that require direct access to the framework's credentials can
be done. All authentication has to be performed with GSSAPI.

As result, we cannot obtain TGT for HTTP/.. principal with kinit
anymore, so it is better to re-route all types of trust to oddjobd
helper and get rid of casing out two-way trust.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1438366

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-11 14:16:39 +02:00
Simo Sorce
b109f5d850 Drop use of kinit_as_http from trust code
The framework will not have direct access to the keytab anymore.
This function was used in two places, to fetch the domain list and to
re-initialize the PAC when enabling or disabling a domain trust.
The domian list is normally fetched via oddjob anyway so this use is
not necesary anymore, and the MS-PAC re-initialization can be moved
later to oddjob if needed.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Alexander Bokovoy
e8b94ef352 trustdomain-del: fix the way how subdomain is searched
With FreeIPA 4.4 we moved child domains behind the 'trustdomain' topic.
Update 'ipa trustdomain-del' command to properly calculate DN to the
actual child domain and handle the case when it is missing correctly.

Fixes https://fedorahosted.org/freeipa/ticket/6445

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-01 11:24:26 +01:00
Jan Cholasta
0d370a959b pylint: enable the import-error check
Check for import errors with pylint to make sure new python package
dependencies are not overlooked.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-24 14:11:08 +02:00
Martin Babinsky
29829cc55a remove trailing newlines form python modules
pylint-1.6.4-1.fc26.noarch reports these, hence they should be fixed in order
to build FreeIPA with this version

https://fedorahosted.org/freeipa/ticket/6391

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-12 10:38:52 +02:00
Martin Basti
135047d03c Pylint: remove unused variables in ipaserver package
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-10-06 10:43:36 +02:00
Martin Basti
45e3aee352 Pylint: enable check for unused-variables
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors

Enabled check should prevent to leave unused variable in code

Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Martin Babinsky
b0d40b80e8 trust-fetch-domains: contact forest DCs when fetching trust domain info
The code should always contact forest root DCs when requesting trust domain
info. In the case of one-way or external trusts
`com.redhat.idm.trust-fetch-domains` helper is leveraged, otherwise forest
root domain is contacted directly through Samba using the credentials of HTTP
principal.

https://fedorahosted.org/freeipa/ticket/6328

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-14 10:38:07 +02:00
Martin Babinsky
33f8685513 Always fetch forest info from root DCs when establishing two-way trust
Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
performed against non-root forest domain DCs were automatically routed to the
root domain DCs to resolve trust topology information.

This is no longer the case, so the `dcerpc.fetch_domains` function must
explicitly contact root domain DCs even in the case when an external two-way
trust to non-root domain is requested.

https://fedorahosted.org/freeipa/ticket/6057

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-05 09:20:55 +02:00
Martin Babinsky
f32e0e4e52 do not use trusted forest name to construct domain admin principal
When `trust-add` is supplied AD domain admin name without realm component, the
code appends the uppercased AD forest root domain name to construct the full
principal. This can cause authentication error, however, when external trust
with non-root domain is requested.

We should instead use the supplied DNS domain name (if valid) as a realm
component.

https://fedorahosted.org/freeipa/ticket/6277

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-31 15:07:09 +02:00
Abhijeet Kasurde
c9419411c9 Corrected minor spell check in AD Trust information doc messages
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-22 17:15:11 +02:00
Alexander Bokovoy
62be554540 trust: make sure ID range is created for the child domain even if it exists
ID ranges for child domains of a forest trust were created incorrectly
in FreeIPA 4.4.0 due to refactoring of -- if the domain was already
existing, we never attempted to create the ID range for it.

At the same time, when domain was missing, we attempted to add ID range
and passed both forest root and the child domain names to add_range().
However, add_range() only looks at the first positional argument which
was the forest root name. That ID range always exists (it is created
before child domains are processed).

Modify the code to make sure child domain name is passed as the first
positional argument. In addition, the oddjob helper should explicitly
set context='server' so that idrange code will be able to see and use
ipaserver/dcerpc.py helpers.

Resolves: https://fedorahosted.org/freeipa/ticket/5738
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 14:03:00 +02:00
Alexander Bokovoy
9b3819ea94 trust: make sure external trust topology is correctly rendered
When external trust is established, it is by definition is
non-transitive: it is not possible to obtain Kerberos tickets to any
service outside the trusted domain.

Reflect this reality by only accepting UPN suffixes from the external
trust -- since the trusted domain is a part of another forest and UPN
suffixes are forest-wide, there could be user accounts in the trusted
domain that use forest-wide UPN suffix but it will be impossible to
reach the forest root via the externally trusted domain.

Also, an argument to netr_DsRGetForestTrustInformation() has to be
either forest root domain name or None (NULL). Otherwise we'll get
an error as explained in MS-NRPC 3.5.4.7.5.

https://fedorahosted.org/freeipa/ticket/6021

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 13:38:18 +02:00
Martin Babinsky
2234a77441 trust-add: handle --all/--raw options properly
`trust-add` command did not handle these options correctly often resulting in
internal errors or mangled output. This patch implements a behavior which is
more in-line with the rest of the API commands.

https://fedorahosted.org/freeipa/ticket/6059

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-21 13:01:02 +02:00
Martin Babinsky
f0a61546f5 allow 'value' output param in commands without primary key
`PrimaryKey` output param works only for API objects that have primary keys,
otherwise it expects None (nothing is associated with this param). Since the
validation of command output was tightened durng thin client effort, some
commands not honoring this contract began to fail output validation.

A custom output was implemented for them to restore their functionality. It
should however be considered as a fix for broken commands and not used
further.

https://fedorahosted.org/freeipa/ticket/6037
https://fedorahosted.org/freeipa/ticket/6061

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-20 13:57:01 +02:00
Jan Cholasta
ae5f11b4de server: define missing virtual attributes
Move virtual attributes defined in output params of methods into params of
the related object.

This fixes the virtual attributes being ommited in CLI output.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-30 16:32:20 +02:00
Alexander Bokovoy
905db92e61 adtrust: optimize forest root LDAP filter
`ipa trust-find' command should only show trusted forest root domains

The child domains should be visible via

   ipa trustdomain-find forest.root

The difference between forest root (or external domain) and child
domains is that root domain gets ipaIDObject class to allow assigning a
POSIX ID to the object. This POSIX ID is used by Samba when an Active
Directory domain controller connects as forest trusted domain object.

Child domains can only talk to IPA via forest root domain, thus they
don't need POSIX ID for their TDOs. This allows us a way to
differentiate objects for the purpose of 'trust-find' /
'trustdomain-find' commands.

Fixes https://fedorahosted.org/freeipa/ticket/5942

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 10:02:33 +02:00
Martin Babinsky
5f7086e718 Server Roles: make *config-show consume relevant roles/attributes
This patch modifies config objects so that the roles/attributes relevant to
the configuration are shown in the output:

* config-{show,mod} will show list of all IPA masters, CA servers and CA
  renewal master

* dnsconfig-{show,mod} will list all DNS server and DNS key master

* trustconfig-{show,mod} will list all AD trust controllers and agents

* vaultconfig-show will list all Key Recovery Agents

http://www.freeipa.org/page/V4/Server_Roles
https://fedorahosted.org/freeipa/ticket/5181

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00
Alexander Bokovoy
bb75f5a583 adtrust: support UPNs for trusted domain users
Add support for additional user name principal suffixes from
trusted Active Directory forests. UPN suffixes are property
of the forest and as such are associated with the forest root
domain.

FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
attribute of ipaNTTrustedDomain object class.

In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.

For more details on UPN and naming in Active Directory see
https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx

https://fedorahosted.org/freeipa/ticket/5354

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-11 17:25:50 +02:00
Alexander Bokovoy
a0f953e0ff adtrust: remove nttrustpartner parameter
MS-ADTS spec requires that TrustPartner field should be equal to the
commonName (cn) of the trust. We used it a bit wrongly to express
trust relationship between parent and child domains. In fact, we
have parent-child relationship recorded in the DN (child domains
are part of the parent domain's container).

Remove the argument that was never used externally but only supplied by
trust-specific code inside the IPA framework.

Part of https://fedorahosted.org/freeipa/ticket/5354

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-10 12:24:00 +02:00
Martin Basti
478017357b Revert "adtrust: remove nttrustpartner parameter"
This reverts commit 185806432d.

The wrong version of patch has been pushed.

https://fedorahosted.org/freeipa/ticket/5354

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-10 12:20:17 +02:00
Alexander Bokovoy
185806432d adtrust: remove nttrustpartner parameter
MS-ADTS spec requires that TrustPartner field should be equal to the
commonName (cn) of the trust. We used it a bit wrongly to express
trust relationship between parent and child domains. In fact, we
have parent-child relationship recorded in the DN (child domains
are part of the parent domain's container).

Remove the argument that was never used externally but only supplied by
trust-specific code inside the IPA framework.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-10 09:58:43 +02:00
Alexander Bokovoy
8ca7a4c947 trusts: Add support for an external trust to Active Directory domain
External trust is a trust that can be created between Active Directory
domains that are in different forests or between an Active Directory
domain. Since FreeIPA does not support non-Kerberos means of
communication, external trust to Windows NT 4.0 or earlier domains is
not supported.

The external trust is not transitive and can be established to any
domain in another forest. This means no access beyond the external
domain is possible via the trust link.

Resolves: https://fedorahosted.org/freeipa/ticket/5743
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-09 21:04:31 +02:00
Jan Cholasta
6e44557b60 ipalib: move server-side plugins to ipaserver
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.

Remove the now unused ipalib.plugins package.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00