This function retried an LDAP search when the result was OK due to
flawed logic of retry detection (ipadb_need_retry function which
returns true when we need retry and not 0).
https://fedorahosted.org/freeipa/ticket/3413
All known memory leaks caused by unfreed allocated memory or unfreed
LDAP results (which should be also done after unsuccessful searches)
are fixed.
https://fedorahosted.org/freeipa/ticket/3413
SIDs in incoming MS-PAC were checked and filtered with a fixed list of
well-known SIDs. Allow reading the SID blacklist from LDAP
(ipaNTSIDBlacklistIncoming and ipaNTSIDBlacklistOutgoing) and add the list
to mspac adtrust structure. Use the hardcoded SID list only if the LDAP
SID list is not configured.
LIMITATION: SID blacklist list is not used yet.
https://fedorahosted.org/freeipa/ticket/3289
ipa-kdb did not reinitialize trusted domain configuration when it
was loaded to ipa-kdb. However, admin then would have to restart
krb5kdc if he wanted to apply the change to running krb5kdc service.
Run ipadb_reinit_mspac unconditionally every time when trusted domain
is loaded. Among the already configured 1 minute grace time, also
add a quick check if there is at least one configured trusted domain
before reinitializing the mspac structure.
https://fedorahosted.org/freeipa/ticket/3289
When all SIDs in info3.sids structure were filtered out, we tried
to talloc_realloc to zero memory size. talloc_realloc then returned
NULL pointer and filter_login_info returned with ENOMEM.
The code now rather frees the SID array and set info3.sidcount to
correct value.
Since in Kerberos V5 are used 32-bit unix timestamps, setting
maxlife in pwpolicy to values such as 9999 days would cause
integer overflow in krbPasswordExpiration attribute.
This would result into unpredictable behaviour such as users
not being able to log in after password expiration if password
policy was changed (#3114) or new users not being able to log
in at all (#3312).
The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver.
https://fedorahosted.org/freeipa/ticket/3312https://fedorahosted.org/freeipa/ticket/3114
Windows 2012 Server changed procedure how KERB_VALIDATION_INFO ([MS-PAC]
section 2.5) is populated. Detailed description is available in [MS-KILE]
version 25.0 and above.
Refactor KERB_VALIDATION_INFO verification and ensure we filter out extra
SIDs in case they belong to our domain.
https://fedorahosted.org/freeipa/ticket/3231
Wrap the password change extop in a transaction.
Fix the case where a password is reset and then immediately used. If done
fast enough then the KDC may not detect that the password is expired and
grant access using the expired password rather than prompting for a reset.
https://fedorahosted.org/freeipa/ticket/1064
Ther3 are two global ipaConfig options to disable undesirable writes that
have performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.
https://fedorahosted.org/freeipa/ticket/2734
Currently only the group SIDs from a PAC are used to find out about the
membership in local groups. This patch adds the user SID to the list.
Fixes https://fedorahosted.org/freeipa/ticket/3257
The current Linux NFS server is severely limited when it comes to handling
kerberos tickets. Bsically any ticket bigger than 2k will cause it to fail
authentication due to kernel->userspace upcall interface restrictions.
Until we have additional support in IPA to indivdually mark principals to
opt out of getting PACs attached we always prevent PACs from being attached
to TGTs or Tickets where NFS is involved.
Commands ipa idrange-add / idrange-mod no longer allows the user
to enter primary or secondary rid range such that has non-zero
intersection with primary or secondary rid range of another
existing id range, as this could cause collision.
Unit tests added to test_range_plugin.py
https://fedorahosted.org/freeipa/ticket/3086
Currently the data about trusted domains is read once at startup. If a
new trust is added the KDC must be restarted to know about the new
trust. This patch reloads the trust data if there is a request from an
unknown domain. To make DOS attacks a bit harder the data can be updated
only once in a minute.
Fixes https://fedorahosted.org/freeipa/ticket/3156
If match_entry == NULL all principals should be iterated.
Additionally this patch adds a check in ipadb_filter_escape() to make
sure that the input is not NULL.
Fixes: https://fedorahosted.org/freeipa/ticket/3011
With this change ipasam is able to ask for ipaNTHash generation and if
corresponding Kerberos key is available, will be able to retrieve generated ipaNTHash.
Part 1 of https://fedorahosted.org/freeipa/ticket/3016
When developing and testing in the same environment, multiple re-installs
may be needed. This means previously issued and cached Kerberos credentials
will become invalid upon new install.
ipasam passdb module for Samba uses Kerberos authentication when talking to
IPA LDAP server. Obtained Kerberos credentials are cached during their lifetime.
However, the ccache is not removed automatically and if IPA setup is made
again, cached credentials are used, only to discover that they are invalid.
With this change invalid correctly obtained cached credentials are recognized
and, if LDAP SASL bind fails, new credentials are requested from the KDC.
https://fedorahosted.org/freeipa/ticket/3009
