Commit Graph

69 Commits

Author SHA1 Message Date
Alexander Bokovoy
6171d0a01b Fix ipasam ipaNThash magic regen to actually fetch updated password
With this change ipasam is able to ask for ipaNTHash generation and if
corresponding Kerberos key is available, will be able to retrieve generated ipaNTHash.

Part 1 of https://fedorahosted.org/freeipa/ticket/3016
2012-08-22 17:21:11 +03:00
Alexander Bokovoy
14c48ba6fb Recover from invalid cached kerberos credentials in ipasam
When developing and testing in the same environment, multiple re-installs
may be needed. This means previously issued and cached Kerberos credentials
will become invalid upon new install.

ipasam passdb module for Samba uses Kerberos authentication when talking to
IPA LDAP server. Obtained Kerberos credentials are cached during their lifetime.
However, the ccache is not removed automatically and if IPA setup is made
again, cached credentials are used, only to discover that they are invalid.

With this change invalid correctly obtained cached credentials are recognized
and, if LDAP SASL bind fails, new credentials are requested from the KDC.

https://fedorahosted.org/freeipa/ticket/3009
2012-08-22 17:20:56 +03:00
Sumit Bose
e8d4cc65f8 Use libsamba-security instead of libsecurity
In samba4-beta6 the name of a library was changed from libsecurity to
libsamba-security.
2012-08-22 17:18:07 +03:00
Alexander Bokovoy
051eb5f7e4 When ipaNTHash is missing, ask IPA to generate it from kerberos keys
Signed-off-by: Simo Sorce <ssorce@redhat.com>
2012-07-30 10:32:14 -04:00
Alexander Bokovoy
61b2f0a5d0 Follow change in samba4 beta4 for sid_check_is_domain to sid_check_is_our_sam
With c43505b621725c9a754f0ee98318d451b093f2ed in samba git master
the function sid_check_is_domain() was renamed to sid_check_is_our_sam().

https://fedorahosted.org/freeipa/ticket/2929
2012-07-18 16:56:04 +03:00
Alexander Bokovoy
8c5504d26a reduce redundant checks in ldapsam_search_users() to a single statement 2012-07-06 13:39:27 +03:00
Alexander Bokovoy
75cb9bb0e1 Use smb.conf 'dedicated keytab file' parameter instead of hard-coded value 2012-07-06 13:38:46 +03:00
Sumit Bose
76d809574b ipasam: replace testing code 2012-07-06 13:06:16 +03:00
Sumit Bose
abe40284cf ipasam: fixes for clang warnings 2012-07-06 13:06:16 +03:00
Alexander Bokovoy
e88049ecee ipasam: improve SASL bind callback
SASL bind callback due to refactoring was referencing local variable which
didn't exist all the time. Fix that by including a copy of service principals
into ipasam long term private struct.

Rework ccache handling to avoid re-initing every time callback is called
2012-07-06 13:06:15 +03:00
Alexander Bokovoy
63567479df Add error condition handling to the SASL bind callback in ipasam
https://fedorahosted.org/freeipa/ticket/2877
2012-06-28 08:00:58 +02:00
Alexander Bokovoy
761cb71838 Support requests for DOMAIN$ account for trusted domains in ipasam module
https://fedorahosted.org/freeipa/ticket/2870
2012-06-28 07:57:29 +02:00
Sumit Bose
20fce97dfa ipasam: remove unused struct elements 2012-06-11 12:03:09 +02:00
Sumit Bose
b367c9ee7e Use exop instead of kadmin.local 2012-06-11 09:40:59 +02:00
Alexander Bokovoy
27c24ff7be ipa-sam: update sid_to_id() interface to follow passdb API changes in Samba
Commit a6e29f23f09ba5b6b6d362f7683ae8088bc0ba85 in Samba changed id mapping
API in passdb interface to use 'struct unixid'. The change replaced three arguments
(uid, gid, type) by one (struct unixid). As result, ipa-sam became broken.

Without this change ipa-sam introduces stack corruption in Samba post 4.0.0alpha18
leading to corrupted security context stack as well and then crashing in setgroups(3).
2012-06-07 09:39:10 +02:00
Alexander Bokovoy
bd0d858043 Add trust-related ACIs
A high-level description of the design and ACIs for trusts is available at
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html
and
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html

Ticket #1731
2012-06-07 09:39:10 +02:00
Alexander Bokovoy
b32204fccc Add separate attribute to store trusted domain SID
We need two attributes in the ipaNTTrustedDomain objectclass to store different
kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID
of the trusted domain. A second attribute is needed to store the SID for the
trusted domain user. Since it cannot be derived safely from other values and
since it does not make sense to create a separate object for the user a new
attribute is needed.

https://fedorahosted.org/freeipa/ticket/2191
2012-06-07 09:39:09 +02:00
Sumit Bose
808e75c13d Add a second module init call for newer samba versions 2011-12-09 15:57:49 -05:00
Sumit Bose
edb6ed5007 Add ipasam samba passdb backend
https://fedorahosted.org/freeipa/ticket/1874
2011-12-06 08:29:53 -05:00