failover: mark subdomain service with sd_ prefix Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IPA: Changing of confusing debug message This debug message used to confuse our users. So this patch changes it. Old version: "Trust direction of %s is %s\n" New version: "Trust type of [%s]: %s\n" Resolves: https://fedorahosted.org/sssd/ticket/3090 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

DP: Switch to new interface Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

AD: use krb5_keytab for subdomain initialization During the initialization of AD subdomains parameters like the SASL auth id are determined. Since subdomains use a default set of the AD specific configuration options the default keytab will be used. If krb5_keytab is set in sssd.conf for the AD domain this keytab should be used for the subdomains (domains of the same AD forest) as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IPA: use forest name when looking up the Global Catalog Resolves https://fedorahosted.org/sssd/ticket/3015 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

util: Update get_next_domain's interface Update get next domain to be able to include disbled domains and change the interface to accept flags instead of multiple booleans. Ticket: https://fedorahosted.org/sssd/ticket/2673 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IPA: Change ipa_server_trust_add_send request to be reusable from ID code Required for: https://fedorahosted.org/sssd/ticket/2639 Expose a request ipa_server_trusted_dom_setup_send that sets up a trusted domain. The setup might include actions like retrieving a keytab for one-way trusts. Creating the AD ID context for the trused domain is now done in the caller of this new request. Reviewed-by: Sumit Bose <sbose@redhat.com>

IPA: Always re-fetch the keytab from the IPA server Even if a keytab for one-way trust exists, re-fetch the keytab again and try to use it. Fall back to the previous one if it exists. This is in order to allow the admin to re-establish the trust keytabs with a simple sssd restart. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IPA: Handle sssd-owned keytabs when running as root https://fedorahosted.org/sssd/ticket/2718 This patch handles the case where the keytab is created with sssd:sssd ownership (perhaps by the IPA oddjob script) but SSSD runs as root, which is the default in many distributions. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

IPA: Better debugging Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

IPA: Utility function for setting up one-way trust context Related: https://fedorahosted.org/sssd/ticket/2638 Reviewed-by: Sumit Bose <sbose@redhat.com>

IPA: Do not set AD_KRB5_REALM twice Related: https://fedorahosted.org/sssd/ticket/2638 Both the AD common code and ipa_ad_ctx_new() used set AD_KRB5_REALM. As verified by unit tests, we don't need to set the parameter twice. Reviewed-by: Sumit Bose <sbose@redhat.com>

IPA/AD: Set up AD domain in ad_create_2way_trust_options Related: https://fedorahosted.org/sssd/ticket/2638 Removed code duplication. Amends unit test to make sure we don't regress. Reviewed-by: Sumit Bose <sbose@redhat.com>

AD: Rename ad_create_default_options to ad_create_2way_trust_options Related: https://fedorahosted.org/sssd/ticket/2638 Better reflects what's going on in the function. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>

IPA: Fetch keytab for 1way trusts Uses the ipa-getkeytab call to retrieve keytabs for one-way trust relationships. https://fedorahosted.org/sssd/ticket/2636 Reviewed-by: Sumit Bose <sbose@redhat.com>

IPA: Make constructing an IPA server mode context async Refactoring in preparation for requesting the keytab in future patches. Currently it's a fake async that just marks the request as done. Reviewed-by: Sumit Bose <sbose@redhat.com>

IPA: Include ipaNTTrustDirection in the attribute set for trusted domains Allows to distinguish the trust directions for trusted domains. For domains where we don't know the direction in server mode, we assume two-way trusts. Member domains do not have the direction, but rather the forest root direction is used. Reviewed-by: Sumit Bose <sbose@redhat.com>

IPA: Move server-mode functions to a separate module There is already quite a few functions that are server-mode specific and there will be even more with one-way trusts. Split the server-mode specific functions into a separate module. Reviewed-by: Sumit Bose <sbose@redhat.com>