Issue #8659: ipa-kdb: provide correct logon time in MS-PAC from authentication time - freeipa

freeipa

#8659 ipa-kdb: provide correct logon time in MS-PAC from authentication time

Closed: fixed 3 years ago by rcritten. Opened 3 years ago by abbra.

When MS-PAC structure is created, we get passed the time of authentication from KDC. Use this to record logon time in MS-PAC structure.

Set allow password change time to the last password change. We need to refer to the actual password policy here in future.

Also use INT64_MAX to represent the resulting value for logoff and kickoff times according to MS-PAC 2.6.

Metadata Update from @abbra:
- Issue assigned to abbra

3 years ago

Metadata Update from @abbra:
- Issue tagged with: trust

3 years ago

rcritten commented 3 years ago

master:

968f8ad ipa-kdb: provide correct logon time in MS-PAC from authentication time
e6f8d8b ipasam: implement PASSDB getgrnam call
7588251 ipasam: allow search of users by user principal name (UPN)
a1e2fe9 ipasam: free trusted domain context on failure
08d7d90 ipasam: derive parent domain for subdomains automatically
214aeb7 ipaserver/dcerpc: store forest topology as a blob in ipasam
9d19c08 ipatests: use fully qualified name for AD admin when establishing trust
9424256 Update ipa_sam.c
ae7cd47 trust-fetch-domains: use custom krb5.conf overlay for all trust operations
54e5ffc use a constant instead of /var/lib/sss/keytabs

rcritten commented 3 years ago

ipa-4-9:

f8bf374 ipa-kdb: provide correct logon time in MS-PAC from authentication time
962052a ipasam: implement PASSDB getgrnam call
2e8eb0f ipasam: allow search of users by user principal name (UPN)
e8f927d ipasam: free trusted domain context on failure
f103172 ipasam: derive parent domain for subdomains automatically
3d706b6 ipaserver/dcerpc: store forest topology as a blob in ipasam
dc16c24 ipatests: use fully qualified name for AD admin when establishing trust
b535924 Update ipa_sam.c
c842d4b trust-fetch-domains: use custom krb5.conf overlay for all trust operations
9f63afb use a constant instead of /var/lib/sss/keytabs

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata Update from @abbra:
- Custom field changelog adjusted to Trust to Active Directory support was improved to be more compatible with AD DC queries: lookup groups via LSA RPCs, allow user principal name lookups, more complete PAC record generation.

3 years ago

Metadata

Assignee

abbra

Tags

Blocking

None

Depending on

None

Priority

None

Milestone

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

None

tester

None

changelog

Trust to Active Directory support was improved to be more compatible with AD DC queries: lookup groups via LSA RPCs, allow user principal name lookups, more complete PAC record generation.

design

None

freeipa

Source Code

#8659 ipa-kdb: provide correct logon time in MS-PAC from authentication time Closed: fixed 3 years ago by rcritten. Opened 3 years ago by abbra.

Metadata

trust

#8659 ipa-kdb: provide correct logon time in MS-PAC from authentication time

Closed: fixed 3 years ago by rcritten. Opened 3 years ago by abbra.