[freeipa PR#2461][opened] net groupmap: force using empty config when mapping Guests
by abbra
URL: https://github.com/freeipa/freeipa/pull/2461
Author: abbra
Title: #2461: net groupmap: force using empty config when mapping Guests
Action: opened
PR body:
"""
When we define a group mapping for BUILTIN\Guests to 'nobody' group in
we run 'net groupmap add ...' with a default /etc/samba/smb.conf which
is now configured to use ipasam passdb module. We authenticate to LDAP
with GSSAPI in ipasam passdb module initialization.
If GSSAPI authentication failed (KDC is offline, for example, during
server upgrade), 'net groupmap add' crashes after ~10 attempts to
re-authenticate. This is intended behavior in smbd/winbindd as they
cannot work anymore. However, for the command line tools there are
plenty of operations where passdb module is not needed.
Additionally, GSSAPI authentication uses the default ccache in the
environment and a key from /etc/samba/samba.keytab keytab. This means
that if you'd run 'net *' as root, it will replace whatever Kerberos
tickets you have with a TGT for cifs/`hostname` and a service ticket to
ldap/`hostname` of IPA master.
Apply a simple solution to avoid using /etc/samba/smb.conf when we
set up the group mapping by specifying '-s /dev/null' in 'net groupmap'
call.
For upgrade code this is enough as in
a678336b8b36cdbea2512e79c09e475fdc249569 we enforce use of empty
credentials cache during upgrade to prevent tripping on individual
ccaches from KEYRING: or KCM: cache collections.
Related: https://pagure.io/freeipa/issue/7705
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2461/head:pr2461
git checkout pr2461
5 years, 5 months
[freeipa PR#2469][opened] Fix C issues found by coverity and others
by t-woerner
URL: https://github.com/freeipa/freeipa/pull/2469
Author: t-woerner
Title: #2469: Fix C issues found by coverity and others
Action: opened
PR body:
"""
Two issues have been addressed:
Fix ressource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon
The leak happens due to using strndup in a for loop to create a temporary
string without freeing it in all cases.
and
Fix ressource leak in client/config.c get_config_entry
The leak happens due to using strndup to create a temporary string without
freeing it afterwards.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2469/head:pr2469
git checkout pr2469
5 years, 5 months
[freeipa PR#2451][opened] Handle NTP configuration in a replica server installation
by rcritten
URL: https://github.com/freeipa/freeipa/pull/2451
Author: rcritten
Title: #2451: Handle NTP configuration in a replica server installation
Action: opened
PR body:
"""
There were two separate issues:
1. If not enrolling on a pre-configured client then the ntp-server and
ntp-pool options are not being passed down to the client installer
invocation.
2. If the client is already enrolled then the ntp options are ignored
altogether.
So basically reverse those. Detect the ntp options and add them to
the ipa-client-install invocation if the client is not pre-enrolled.
If it is pre-enrolled then call out to the time configuration
methods to setup the servers or pool. The changes will be recorded
in the client sysrestore.
https://pagure.io/freeipa/issue/7723
Signed-off-by: Rob Crittenden <rcritten(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2451/head:pr2451
git checkout pr2451
5 years, 6 months