There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos
key is available for the corresponding user. This is typically triggered
by samba via the ipa_sam passdb plugin. The principal used by samba to
connect to the IPA directory server has the right to modify ipaNTHash
but no other password attribute. This means that the current check on
the userPassword attribute is too strict for this case and leads to a
failure of the whole operation.
With this patch the access right on ipaNTHash are checked if no other
password operations are requested.
With old servers, it is possible that xmlclient.connect() succeeds
but commands fail with a Kerberos error.
Verify that commands succeed by sending a ping after connecting.
Follow-up to: https://fedorahosted.org/freeipa/ticket/3931
To make sure the installation works with older servers,
use XML-RPC directly, with a version set explicitly so the request
is not rejected.
RPC was chosen over ldapmodify, because going through the API allows
the server to process the request properly, or even cleanly reject
it if there are incompatible changes in future versions.
https://fedorahosted.org/freeipa/ticket/3931
This task was added with a DN colliding with privilege update memberOf
task being run later and caused this task to be ineffective and thus
miss some privilege membership, like "SELinux User Map Administrators"
DNS update plugin do not need to run any task at all as privileges
will be updated later in scope of 55-pbacmemberof.update
https://fedorahosted.org/freeipa/ticket/3877
When MS-PAC information is re-initialized, record also parent-child
relationship between trust root level domain and its subdomains.
Use parent incoming SID black list to check if child domain is not
allowed to access IPA realm.
We also should really use 'cn' of the entry as domain name.
ipaNTTrustPartner has different meaning on wire, it is an index
pointing to the parent domain of the domain and will be 0 for top
level domains or disjoint subdomains of the trust.
Finally, trustdomain-enable and trustdomain-disable commands should
force MS-PAC cache re-initalization in case of black list change.
Trigger that by asking for cross-realm TGT for HTTP service.
When client principal requests for a ticket for a server principal
and we have to perform transition, check that all three belong to either
our domain or the domains we trust through forest trusts.
In case all three realms (client, transition, and server) match
trusted domains and our domain, issue permission to transition from client
realm to server realm.
Part of https://fedorahosted.org/freeipa/ticket/3909
We don't store trust type, attributes, and direction for subdomains
of the existing trust. Since trust is always forest level, these parameters
can be added as defaults when they are missing.
Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal,
it is possible to use it when talking to the trusted AD DC.
Remove support for authenticating as trust account because it should not
really be used other than within Samba.
Add IPA CLI to manage trust domains.
ipa trust-fetch-domains <trust> -- fetch list of subdomains from AD side and add new ones to IPA
ipa trustdomain-find <trust> -- show all available domains
ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust>
ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA
ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain
By default all discovered trust domains are allowed to access IPA resources
IPA KDC needs also information for authentication paths to subdomains in case they
are not hierarchical under AD forest trust root. This information is managed via capaths
section in krb5.conf. SSSD should be able to generate it once
ticket https://fedorahosted.org/sssd/ticket/2093 is resolved.
part of https://fedorahosted.org/freeipa/ticket/3909
Use realmdomains information to prepopulate forest trust info. As result,
all additional domains should now be enabled from the beginning, unless they
really conflict with existing DNS domains on AD side.
https://fedorahosted.org/freeipa/ticket/3919
If an exception is expected, but another one is raised, the CLITestContext
raised a generic AssertionError.
Pass through the original exception instead
To differentiate between individual tests in BeakerLib output,
the argument needs to be added to the test name. Since Nose
doesn't provide a way to get the argument in a plugin,
a `test_argument` attribute must be added to the test function
to support this, simlarly to how `description` is used to set
individual "docstrings".
Add test_argument to the generated tests in the CA-less suite.
Ordered test generators were not announced in plugin hooks, so
e.g. the Beakerlib or collect plugin did not announce them.
Exclude test generators from ordering.
This adds a transport that uses /usr/bin/ssh calls to communicate
with remote hosts.
This transport is a bit slower and buffers output more than paramiko,
so it is only used if paramiko is not available, or forced with an
environment variable.
https://fedorahosted.org/freeipa/ticket/3890
This will make it possible to use a different mechanism for cases like
- Paramiko is not available
- Hosts without SSH servers (e.g. Windows)
Add BaseHost, Transport & Command base classes that define the interface
and common functionality, and Host, ParamikoTransport & SSHCommand with
specific details.
The {get,put}_file_contents methods are left on Host for convenience;
all other Transport methods must be now accessed through the transport.
Part of the work for https://fedorahosted.org/freeipa/ticket/3890
If the IPA server is setup with non-matching domain and realm
names, it will not be able to estabilish trust with the Active
Directory.
Adds warnings to the ipa-server-install and warning to the
ipa-adtrust-install (which has to be confirmed).
Man pages for the ipa-server-install and ipa-adtrust-install were
updated with the relevant notes.
https://fedorahosted.org/freeipa/ticket/3924
Make sure that trust-add command fails when admin attempts
to add an Active Directory trust when the realm name and
the domain name of the IPA server do not match.
https://fedorahosted.org/freeipa/ticket/3923
Map type radio used old way of defining that its value should not be used in add command. Recent patch related to 'enable' attribute hardened/fixed the behavior of radio widgets so they are disabled in UI as well when enabled==false. Automount did not reflect this change.
https://fedorahosted.org/freeipa/ticket/3954
The get_args methods in ipalib.crud and ipalib.plugins.baseldap used
super() calls that skipped some of the classes in the inheritance
chain, and contained code that reimplemented some of the skipped
functionality.
This made it difficult to customize the get_args behavior.
Use proper super() calls.
Currently the CLDAP plugin determines the IPA domain name by reading
the current host name and splitting of the domain part. But since an IPA
server does not have to be in a DNS domain which has the same name as
the IPA domain this may fail. The domain name was used to search the
ipaNTDomainAttrs object, but since this object is unique in the tree it
is sufficient to use the objectclass in the search filter. Now the IPA
domain can be read from the ipaNTDomainAttrs object as well.
Fixes https://fedorahosted.org/freeipa/ticket/3941
Old host entries are missing object class with krbticketflags attribute. Therefore UI does not receive attrlevelrights for it. This OC is added when ipakrbokasdelegate is set.
This patch adds the usual hack for such cases.
https://fedorahosted.org/freeipa/ticket/3940
Updating a CIDict with data like {'A': 1, 'a': 2} would lead to data
loss since only one of the items would get to the CIDict.
This can result in non-obvious bugs similar to this one in python-ldap:
https://bugzilla.redhat.com/show_bug.cgi?id=1007820
Raise an error in this case; any resolution must be done by the caller.
Make the CIDict interface match standard dict (except view* methods).
Add __contains__, __iter__, clear.
Add keyword and iterable support for __init__, update.
Also add values() and itervalues(). Previously the dict versions were
used; the new ones guarantee that the order matches keys().
Mark view* methods as not implemented.
CIDict.copy() now returns a CIDict.
Test the above additions, and fromkeys() which worked but wasn't tested.
Nose doesn't pick up directories that don't begin with 'test'.
Rename ipatests/test_ipaserver/install to test_install so that it's run.
Also, merge test_ipautil.py from ipapython/test into tests/test_ipapython,
so the whole test suite is in one place.
We store Kerberos realm configuration in cn=REALM,cn=kerberos,$SUFFIX.
Along other configuration options, this container has list of default
supported encryption types, in krbDefaultEncSaltTypes.
Fetch krbDefaultEncSaltTypes value on ipa-sam initialization and convert
discovered list to the mask of supported encryption types according to
security.idl from Samba:
typedef [public,bitmap32bit] bitmap {
KERB_ENCTYPE_DES_CBC_CRC = 0x00000001,
KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002,
KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004,
KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
} kerb_EncTypes;
Part of https://fedorahosted.org/freeipa/ticket/3898
We used to handle some of code paths to free memory allocated by the LDAP library
but there are few more unhandled. In addition, search result wasn't freed on successful
initialization, leaking for long time.
https://fedorahosted.org/freeipa/ticket/3913
When trust is established, last step done by IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in trust object entry
which is not allowed by ACI.
Additionally, wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd which prevented even to
reach the point where ipa-sam would be asked to modify the trust object.
Use 'getent admin@domain' rather than 'getent admin@REALM' to check if nss
is working properly since admin@REALM check fails in case the domain and the realm
name does not match.
https://fedorahosted.org/freeipa/ticket/3906