Commit Graph

6297 Commits

Author SHA1 Message Date
Petr Viktorin
b54cdab33d test_ipalib.test_crud: Don't use a string in takes_options
Options should be Param subclasses.
2013-10-08 16:46:19 +02:00
Nathaniel McCallum
fd63505f6d Don't special case the Password class in Param.__init__() 2013-10-08 16:14:32 +02:00
Sumit Bose
091e8fac34 Use the right attribute with ipapwd_entry_checks for MagicRegen
There is a special mode to set the ipaNTHash attribute if an RC4 Kerberos
key is available for the corresponding user. This is typically triggered
by samba via the ipa_sam passdb plugin. The principal used by samba to
connect to the IPA directory server has the right to modify ipaNTHash
but no other password attribute. This means that the current check on
the userPassword attribute is too strict for this case and leads to a
failure of the whole operation.

With this patch the access rights on ipaNTHash are checked if no other
password operations are requested.
2013-10-08 09:18:57 +02:00
Nathaniel McCallum
12ae6a054a Document no_search in Param flags 2013-10-07 14:00:52 +02:00
Martin Kosek
1480cf1603 Do not allow '%' in DM password
Having '%' in the DM password causes pkispawn to crash. Do not allow
users to enter it until pkispawn is fixed.

https://bugzilla.redhat.com/show_bug.cgi?id=953488
2013-10-04 17:41:20 +02:00
Petr Viktorin
80886a50e6 ipapython.nsslib: Name arguments to NSPRError
Previously NSPRError was given arguments in the wrong order.
Fix this by naming the arguments.
2013-10-04 15:49:19 +02:00
Petr Viktorin
c813b8fbd3 Do not fail upgrade if the global anonymous read ACI is not found
This helps forward compatibility: the anon ACI is scheduled for removal.

https://fedorahosted.org/freeipa/ticket/3956
2013-10-04 15:41:56 +02:00
Petr Viktorin
5824a0e14e ipa-client-install: Verify RPC connection with a ping
With old servers, it is possible that xmlclient.connect() succeeds
but commands fail with a Kerberos error.

Verify that commands succeed by sending a ping after connecting.

Follow-up to: https://fedorahosted.org/freeipa/ticket/3931
2013-10-04 15:33:58 +02:00
Petr Viktorin
e01a28b584 ipa-client-install: Use direct RPC instead of api.Command
To make sure the installation works with older servers,
use XML-RPC directly, with a version set explicitly so the request
is not rejected.

RPC was chosen over ldapmodify, because going through the API allows
the server to process the request properly, or even cleanly reject
it if there are incompatible changes in future versions.

https://fedorahosted.org/freeipa/ticket/3931
2013-10-04 15:33:58 +02:00
Petr Viktorin
321e8635ae Update translations from Transifex 2013-10-04 14:51:19 +02:00
Martin Kosek
b1451373c4 Remove faulty DNS memberOf Task
This task was added with a DN colliding with the privilege update memberOf
task being run later, which caused this task to be ineffective and thus
miss some privilege membership, like "SELinux User Map Administrators".

The DNS update plugin does not need to run any task at all as privileges
will be updated later in the scope of 55-pbacmemberof.update.

https://fedorahosted.org/freeipa/ticket/3877
2013-10-04 14:30:13 +02:00
Petr Viktorin
3a4a7458c7 Add tests for installing with empty PKCS#12 password 2013-10-04 10:27:23 +02:00
Jan Cholasta
194556beb0 Allow PKCS#12 files with empty password in install tools.
https://fedorahosted.org/freeipa/ticket/3897
2013-10-04 10:27:23 +02:00
Jan Cholasta
c123264ac7 Read passwords from stdin when importing PKCS#12 files with pk12util.
This works around pk12util refusing to use empty password files, which prevents
the use of PKCS#12 files with an empty password.

https://fedorahosted.org/freeipa/ticket/3897
2013-10-04 10:27:23 +02:00
Martin Kosek
46b3588112 Require new SSSD to pull required AD subdomain fixes 2013-10-04 10:25:31 +02:00
Alexander Bokovoy
d228b1bd70 ipa-kdb: Handle parent-child relationship for subdomains
When MS-PAC information is re-initialized, record also parent-child
relationship between trust root level domain and its subdomains.

Use parent incoming SID black list to check if child domain is not
allowed to access IPA realm.

We also should really use 'cn' of the entry as domain name.
ipaNTTrustPartner has different meaning on wire, it is an index
pointing to the parent domain of the domain and will be 0 for top
level domains or disjoint subdomains of the trust.

Finally, trustdomain-enable and trustdomain-disable commands should
force MS-PAC cache re-initialization in case of a black list change.
Trigger that by asking for a cross-realm TGT for the HTTP service.
2013-10-04 10:25:31 +02:00
Alexander Bokovoy
749111e6c2 KDC: implement transition check for trusted domains
When a client principal requests a ticket for a server principal
and we have to perform transition, check that all three belong to either
our domain or the domains we trust through forest trusts.

In case all three realms (client, transition, and server) match
trusted domains and our domain, issue permission to transition from client
realm to server realm.

Part of https://fedorahosted.org/freeipa/ticket/3909
2013-10-04 10:25:31 +02:00
Alexander Bokovoy
0ab40cdf6b ipasam: for subdomains pick up defaults for missing values
We don't store trust type, attributes, and direction for subdomains
of the existing trust. Since trust is always forest level, these parameters
can be added as defaults when they are missing.
2013-10-04 10:25:31 +02:00
Alexander Bokovoy
f734988e24 trust: integrate subdomains support into trust-add 2013-10-04 10:25:31 +02:00
Alexander Bokovoy
a87813bf42 ipaserver/dcerpc: remove use of trust account authentication
Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal,
it is possible to use it when talking to the trusted AD DC.

Remove support for authenticating as trust account because it should not
really be used other than within Samba.
2013-10-04 10:25:31 +02:00
Alexander Bokovoy
2d6c7e3adb frontend: report arguments errors with better detail
When reporting argument errors, show also a context -- what is processed,
what is the name of the command.
2013-10-04 10:25:31 +02:00
Alexander Bokovoy
0b29bfde0d trusts: support subdomains in a forest
Add IPA CLI to manage trust domains.

ipa trust-fetch-domains <trust>      -- fetch list of subdomains from AD side and add new ones to IPA
ipa trustdomain-find <trust>         -- show all available domains
ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust>
ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA
ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain

By default all discovered trust domains are allowed to access IPA resources.

IPA KDC needs also information for authentication paths to subdomains in case they
are not hierarchical under AD forest trust root. This information is managed via capaths
section in krb5.conf. SSSD should be able to generate it once
ticket https://fedorahosted.org/sssd/ticket/2093 is resolved.

part of https://fedorahosted.org/freeipa/ticket/3909
2013-10-04 10:25:31 +02:00
Alexander Bokovoy
0637f590ed ipaserver/dcerpc.py: populate forest trust information using realmdomains
Use realmdomains information to prepopulate forest trust info. As a result,
all additional domains should now be enabled from the beginning, unless they
really conflict with existing DNS domains on the AD side.

https://fedorahosted.org/freeipa/ticket/3919
2013-10-04 10:25:31 +02:00
Petr Viktorin
ef2d61faa2 ipatests.test_cmdline.test_help: Re-raise unexpected exceptions on failure
If an exception is expected, but another one is raised, the CLITestContext
raised a generic AssertionError.
Pass through the original exception instead.
2013-10-03 19:50:35 +02:00
Petr Vobornik
5c06e27ff9 ipatests.test_integration.host: Add logging to ldap_connect() 2013-10-03 19:50:35 +02:00
Petr Viktorin
f2e8624e76 ipatests.beakerlib_plugin: Add argument of generated tests to test captions
To differentiate between individual tests in BeakerLib output,
the argument needs to be added to the test name. Since Nose
doesn't provide a way to get the argument in a plugin,
a `test_argument` attribute must be added to the test function
to support this, similarly to how `description` is used to set
individual "docstrings".

Add test_argument to the generated tests in the CA-less suite.
2013-10-03 19:50:35 +02:00
Petr Viktorin
0ad339a731 ipatests.order_plugin: Exclude test generators from the order
Ordered test generators were not announced in plugin hooks, so
e.g. the Beakerlib or collect plugin did not announce them.

Exclude test generators from ordering.
2013-10-03 19:50:35 +02:00
Petr Viktorin
a942ab4f12 ipatests.beakerlib_plugin: Warn instead of failing when some logs are missing 2013-10-03 19:50:35 +02:00
Petr Viktorin
23921f40d9 ipatests.test_integration.test_caless: Fix mkdir_recursive call 2013-10-03 19:50:35 +02:00
Petr Viktorin
3864760c52 test_integration: Add OpenSSHTransport, used if paramiko is not available
This adds a transport that uses /usr/bin/ssh calls to communicate
with remote hosts.
This transport is a bit slower and buffers output more than paramiko,
so it is only used if paramiko is not available, or forced with an
environment variable.

https://fedorahosted.org/freeipa/ticket/3890
2013-10-03 18:57:41 +02:00
Petr Viktorin
758c73e149 test_integration.host: Move transport-related functionality to a new module
This will make it possible to use a different mechanism for cases like
- Paramiko is not available
- Hosts without SSH servers (e.g. Windows)

Add BaseHost, Transport & Command base classes that define the interface
and common functionality, and Host, ParamikoTransport & SSHCommand with
specific details.

The {get,put}_file_contents methods are left on Host for convenience;
all other Transport methods must be now accessed through the transport.

Part of the work for https://fedorahosted.org/freeipa/ticket/3890
2013-10-03 18:57:41 +02:00
Martin Kosek
7d2d1cb59d Do not set DNS discovery domain in server mode
In server mode, the discovery domain should be left unset in all
cases as the DNS discovery is only driven by the AD domains.

https://fedorahosted.org/freeipa/ticket/3947
2013-10-03 15:22:09 +02:00
Martin Kosek
88759cf7b6 Use FQDN when creating MSDCS SRV records
When the IPA server hostname is outside of the default DNS domain,
the FQDN should be used instead of a relative domain name.

https://fedorahosted.org/freeipa/ticket/3908
2013-10-03 14:14:07 +02:00
Tomas Babej
bae291def7 Warn user about realm-domain mismatch in install scripts
If the IPA server is set up with non-matching domain and realm
names, it will not be able to establish trust with the Active
Directory.

Adds warnings to ipa-server-install and a warning to
ipa-adtrust-install (which has to be confirmed).

Man pages for the ipa-server-install and ipa-adtrust-install were
updated with the relevant notes.

https://fedorahosted.org/freeipa/ticket/3924
2013-10-03 12:02:44 +02:00
Tomas Babej
8ebb76177d Do not add trust to AD in case of IPA realm-domain mismatch
Make sure that trust-add command fails when admin attempts
to add an Active Directory trust when the realm name and
the domain name of the IPA server do not match.

https://fedorahosted.org/freeipa/ticket/3923
2013-10-03 12:01:56 +02:00
Petr Vobornik
6a124160a5 Fix enablement of automount map type selector
Map type radio used the old way of defining that its value should not be used in the add command. A recent patch related to the 'enable' attribute hardened/fixed the behavior of radio widgets so they are disabled in the UI as well when enabled==false. Automount did not reflect this change.

https://fedorahosted.org/freeipa/ticket/3954
2013-10-03 09:13:45 +02:00
Petr Viktorin
295ce7bf18 Use correct super-calls in get_args() methods
The get_args methods in ipalib.crud and ipalib.plugins.baseldap used
super() calls that skipped some of the classes in the inheritance
chain, and contained code that reimplemented some of the skipped
functionality.
This made it difficult to customize the get_args behavior.

Use proper super() calls.
2013-10-02 16:09:07 +02:00
Nathaniel McCallum
1acd00487f Ensure credentials structure is initialized
https://fedorahosted.org/freeipa/ticket/3953
2013-10-02 14:38:13 +02:00
Sumit Bose
b1cfb47dc0 CLDAP: do not read IPA domain from hostname
Currently the CLDAP plugin determines the IPA domain name by reading
the current host name and splitting off the domain part. But since an IPA
server does not have to be in a DNS domain which has the same name as
the IPA domain, this may fail. The domain name was used to search the
ipaNTDomainAttrs object, but since this object is unique in the tree it
is sufficient to use the objectclass in the search filter. Now the IPA
domain can be read from the ipaNTDomainAttrs object as well.

Fixes https://fedorahosted.org/freeipa/ticket/3941
2013-09-27 15:06:21 +02:00
Petr Vobornik
edf0719409 Allow edit of ipakrbokasdelegate in Web UI when attrlevelrights are unknown
Old host entries are missing the object class with the krbticketflags attribute. Therefore the UI does not receive attrlevelrights for it. This OC is added when ipakrbokasdelegate is set.

This patch adds the usual hack for such cases.

https://fedorahosted.org/freeipa/ticket/3940
2013-09-26 10:24:14 +02:00
Petr Viktorin
a93fc02af6 Raise an error when updating CIDict with duplicate keys
Updating a CIDict with data like {'A': 1, 'a': 2} would lead to data
loss since only one of the items would get to the CIDict.
This can result in non-obvious bugs similar to this one in python-ldap:
https://bugzilla.redhat.com/show_bug.cgi?id=1007820

Raise an error in this case; any resolution must be done by the caller.
2013-09-25 10:13:56 +02:00
Petr Viktorin
0226064bac Add missing dict methods to CIDict
Make the CIDict interface match standard dict (except view* methods).

Add __contains__, __iter__, clear.
Add keyword and iterable support for __init__, update.
Also add values() and itervalues(). Previously the dict versions were
used; the new ones guarantee that the order matches keys().
Mark view* methods as not implemented.
CIDict.copy() now returns a CIDict.

Test the above additions, and fromkeys() which worked but wasn't tested.
2013-09-25 10:13:56 +02:00
Petr Viktorin
468e5e40cc Convert test_ipautil from unittest to nose 2013-09-25 10:13:56 +02:00
Petr Viktorin
3e505fe532 Move tests to test directories
Nose doesn't pick up directories that don't begin with 'test'.
Rename ipatests/test_ipaserver/install to test_install so that it's run.

Also, merge test_ipautil.py from ipapython/test into tests/test_ipapython,
so the whole test suite is in one place.
2013-09-25 10:13:56 +02:00
Alexander Bokovoy
a9843d6918 ipa-sam: report supported enctypes based on Kerberos realm configuration
We store Kerberos realm configuration in cn=REALM,cn=kerberos,$SUFFIX.
Along with other configuration options, this container has a list of default
supported encryption types, in krbDefaultEncSaltTypes.

Fetch the krbDefaultEncSaltTypes value on ipa-sam initialization and convert
the discovered list to the mask of supported encryption types according to
security.idl from Samba:
        typedef [public,bitmap32bit] bitmap {
                KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
                KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
                KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
                KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
                KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
        } kerb_EncTypes;

Part of https://fedorahosted.org/freeipa/ticket/3898
2013-09-20 09:59:02 +02:00
Alexander Bokovoy
860a3ff647 ipa-sam: do not leak LDAPMessage on ipa-sam initialization
We used to handle some of the code paths to free memory allocated by the LDAP library
but there are a few more unhandled. In addition, the search result wasn't freed on successful
initialization, leaking for a long time.

https://fedorahosted.org/freeipa/ticket/3913
2013-09-20 09:59:02 +02:00
Alexander Bokovoy
9cf8ec79c9 ipa-sam: do not modify objectclass when trust object already created
When trust is established, the last step done by the IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in the trust object entry,
which is not allowed by ACI.

Additionally, the wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd, which prevented even
reaching the point where ipa-sam would be asked to modify the trust object.
2013-09-20 09:59:02 +02:00
Tomas Babej
316a9c2159 Use getent admin@domain for nss check in ipa-client-install
Use 'getent admin@domain' rather than 'getent admin@REALM' to check if nss
is working properly, since the admin@REALM check fails in case the domain and the realm
names do not match.

https://fedorahosted.org/freeipa/ticket/3906
2013-09-20 09:56:27 +02:00
Krzysztof Klimonda
8c03b1dbcd Fix -Wformat-security warnings 2013-09-16 17:35:22 +02:00
Nick Hatch
685bda4563 Don't exclude symlinks when loading plugins 2013-09-16 17:35:22 +02:00