Alexander Bokovoy 00f8ddbfd2 ipa-kdb: add better detection of allowed user auth type ... If default user authentication type is set to a list that does not include a password or a hardened credential, the resulting configuration might be incorrect for special service principals, including a krbtgt/.. one. Add detection of special principals to avoid these situations and always allow password or hardened for services. Special handling is needed for the following principals: - krbtgt/.. -- TGT service principals - K/M -- master key principal - kadmin/changepw -- service for changing passwords - kadmin/kadmin -- kadmin service principal - kadmin/history -- key used to encrypt history Additionally, implicitly allow password or hardened credential use for IPA services and IPA hosts since applications typically use keytabs for that purpose. Fixes: https://pagure.io/freeipa/issue/9485 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com>		2023-12-22 10:34:19 +01:00
..
dnssec	pylint: remove useless suppression	2023-01-10 08:30:58 +01:00
ipa-kdb	ipa-kdb: add better detection of allowed user auth type	2023-12-22 10:34:19 +01:00
ipa-otpd	ipa-otpd: add passkey_child_debug_level option	2023-06-01 08:20:37 +02:00
ipa-sam	ipa-sam: retrieve trusted domain account credential from the TDO itself	2022-04-13 18:37:12 +02:00
ipa-slapi-plugins	Issue 9497 - update debug logging in ipa_uuid	2023-12-14 09:24:46 +01:00
ipa-version.h.in	Build: move version handling from Makefile to configure	2016-11-09 13:08:32 +01:00
Makefile.am	build: Unify compiler warning flags used	2021-01-15 14:11:56 +01:00