mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-26 16:16:31 -06:00
d631e008cc
When DCERPC clients use Kerberos authentication, they use a service ticket to host/domain.controller because in Active Directory any service on the host is an alias to the machine account object. In FreeIPA each Kerberos service has own keys so host/.. and cifs/.. do not share the same keys. It means Samba suite needs to have access to host/.. keytab entries to validate incoming DCERPC requests. Unfortunately, MIT Kerberos has no means to operate on multiple keytabs at the same time and Samba doesn't implement this either. We cannot use GSS-Proxy as well because Samba daemons are running under root. As a workaround, copy missing aes256 and aes128 keys from the host keytab. SMB protocol doesn't use other encryption types and we don't have rc4-hmac for the host either. Fixes: https://pagure.io/freeipa/issue/3999 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> |
||
|---|---|---|
| .. | ||
| 05-pre_upgrade_plugins.update | ||
| 10-config.update | ||
| 10-enable-betxn.update | ||
| 10-ipapwd.update | ||
| 10-rootdse.update | ||
| 10-selinuxusermap.update | ||
| 10-uniqueness.update | ||
| 19-managed-entries.update | ||
| 20-aci.update | ||
| 20-default_password_policy.update | ||
| 20-dna.update | ||
| 20-enable_dirsrv_plugins.update | ||
| 20-host_nis_groups.update | ||
| 20-idoverride_index.update | ||
| 20-indices.update | ||
| 20-ipaservers_hostgroup.update | ||
| 20-nss_ldap.update | ||
| 20-replication.update | ||
| 20-sslciphers.update | ||
| 20-syncrepl.update | ||
| 20-user_private_groups.update | ||
| 20-uuid.update | ||
| 20-whoami.update | ||
| 20-winsync_index.update | ||
| 21-ca_renewal_container.update | ||
| 21-certstore_container.update | ||
| 21-replicas_container.update | ||
| 25-referint.update | ||
| 30-ipservices.update | ||
| 30-provisioning.update | ||
| 30-s4u2proxy.update | ||
| 37-locations.update | ||
| 40-automember.update | ||
| 40-certprofile.update | ||
| 40-delegation.update | ||
| 40-dns.update | ||
| 40-otp.update | ||
| 40-realm_domains.update | ||
| 40-replication.update | ||
| 40-vault.update | ||
| 41-caacl.update | ||
| 41-lightweight-cas.update | ||
| 45-roles.update | ||
| 50-7_bit_check.update | ||
| 50-dogtag10-migration.update | ||
| 50-externalmembers.update | ||
| 50-groupuuid.update | ||
| 50-hbacservice.update | ||
| 50-ipaconfig.update | ||
| 50-krbenctypes.update | ||
| 50-nis.update | ||
| 55-pbacmemberof.update | ||
| 59-trusts-sysacount.update | ||
| 60-trusts.update | ||
| 61-trusts-s4u2proxy.update | ||
| 62-ranges.update | ||
| 71-idviews-sasl-mapping.update | ||
| 71-idviews.update | ||
| 72-domainlevels.update | ||
| 73-certmap.update | ||
| 73-custodia.update | ||
| 73-winsync.update | ||
| 80-schema_compat.update | ||
| 90-post_upgrade_plugins.update | ||
| Makefile.am | ||
| README | ||
The update files are sorted before being processed because there are cases where order matters (such as getting schema added first, creating parent entries, etc). Updates are applied in blocks of ten so that any entries that are dependant on another can be added successfully without having to rely on the length of the DN to get the sorting correct. The file names should use the format #-<description>.update where # conforms to this: 10 - 19: Configuration 20 - 29: 389-ds configuration, new indices 30 - 39: Structual elements of the DIT 40 - 49: Pre-loaded data 50 - 59: Cleanup existing data 60 - 69: AD Trust 70 - 79: Reserved 80 - 89: Reserved These numbers aren't absolute, there may be reasons to put an update into one place or another, but by adhereing to the scheme it will be easier to find existing updates and know where to put new ones.