freeipa.git, branch 30gatepo FreeIPA project Resolve external members from trusted domain via Global Catalog 2012-10-31T20:28:53+00:00 Alexander Bokovoy abokovoy@redhat.com 2012-10-18T18:46:35+00:00 09a4764112b9aa3e2e26e00f20fa23f42356b9b4 A sequence is following: 1. Match external member against existing trusted domain 2. Find trusted domain's domain controller and preferred GC hosts 3. Fetch trusted domain account auth info 4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain 5. Do LDAP SASL interactive bind using the ccache 6. Search for the member's SID 7. Decode SID 8. Replace external member name by SID 
A sequence is following:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller and preferred GC hosts
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace external member name by SID
Use single warning message in idrange module and idrange-add 2012-10-31T17:08:31+00:00 Alexander Bokovoy abokovoy@redhat.com 2012-10-17T10:19:51+00:00 381f7f583ca02835731aeb2ca8be31ee279504ef Complements fix to https://fedorahosted.org/freeipa/ticket/3116 
Complements fix to https://fedorahosted.org/freeipa/ticket/3116
Get list of service from LDAP only at startup 2012-10-31T17:08:30+00:00 Simo Sorce ssorce@redhat.com 2012-10-12T19:58:02+00:00 d93b01eb4012ffffe78c31bc4307b2ad961ec383 We dump the list retriueved from LDAP at strstup in a temporary configuration file and always use that file afterwards. We check (possibly different) data from LDAP only at (re)start. This way we always shutdown exactly the services we started even if the list changed in the meanwhile (we avoid leaving a service running even if it was removed from LDAP as the admin decided it should not be started in future). This should also fix a problematic deadlock with systemd when we try to read the list of service from LDAP at shutdown. Simo. 
We dump the list retriueved from LDAP at strstup in a temporary configuration
file and always use that file afterwards.
We check (possibly different) data from LDAP only at (re)start.
This way we always shutdown exactly the services we started even if the list
changed in the meanwhile (we avoid leaving a service running even if it was
removed from LDAP as the admin decided it should not be started in future).

This should also fix a problematic deadlock with systemd when we try to read
the list of service from LDAP at shutdown.

Simo.
IPA Server check in ipa-replica-manage 2012-10-31T15:54:15+00:00 Tomas Babej tbabej@redhat.com 2012-10-02T13:15:33+00:00 e7c99e7d21f7923c92cf9dae9fd8c7d5ae4aa8cd When executing ipa-replica-manage connect to an master that raises NotFound error we now check if the master is at least IPA server. If so, we inform the user that it is probably foreign or previously deleted master. If not, we inform the user that the master is not an IPA server at all. https://fedorahosted.org/freeipa/ticket/3105 
When executing ipa-replica-manage connect to an master that raises
NotFound error we now check if the master is at least IPA server.
If so, we inform the user that it is probably foreign or previously
deleted master. If not, we inform the user that the master is not
an IPA server at all.

https://fedorahosted.org/freeipa/ticket/3105
Restart httpd if ipa-server-trust-ad is installed or updated 2012-10-31T07:48:25+00:00 Sumit Bose sbose@redhat.com 2012-10-26T11:12:17+00:00 fe66fbe637132ac5eb22eea388e2261f33497bf5 If ipa-server-trust-ad is installed after the ipa server is installed and configured, httpd needs a restart for additional python modules to be loaded into httpd on IPA initialization. Fixes https://fedorahosted.org/freeipa/ticket/3185 
If ipa-server-trust-ad is installed after the ipa server is installed
and configured, httpd needs a restart for additional python modules to
be loaded into httpd on IPA initialization.

Fixes https://fedorahosted.org/freeipa/ticket/3185
The SECURE_NFS value needs to be lower-case yes on SysV systems. 2012-10-26T19:18:55+00:00 Rob Crittenden rcritten@redhat.com 2012-10-26T17:31:22+00:00 2d3e91ff1cefc29f521991cf930fcf09bcdf78e8 The sysV rpcgssd init script tests for [ "${SECURE_NFS}" != "yes" ]. This also works as lower case for system so a simple fix. https://fedorahosted.org/freeipa/ticket/3207 
The sysV rpcgssd init script tests for [ "${SECURE_NFS}" != "yes" ].

This also works as lower case for system so a simple fix.

https://fedorahosted.org/freeipa/ticket/3207
Remove servertrls and clientctrls options from rename_s 2012-10-26T16:58:04+00:00 Martin Kosek mkosek@redhat.com 2012-10-25T14:12:54+00:00 1d5027bfc901544c6cfb2e65ea1448fe636666e0 python-ldap of version 2.3.10 and lower does not support serverctrls and clientctrls fir rename_s operation. Do not use these options until really needed. In that time, we may put a requirement in place, that minimal python-ldap version is 2.3.11. Also add a notice explaining why we did this change. https://fedorahosted.org/freeipa/ticket/3199 
python-ldap of version 2.3.10 and lower does not support serverctrls
and clientctrls fir rename_s operation. Do not use these options until
really needed. In that time, we may put a requirement in place, that
minimal python-ldap version is 2.3.11. Also add a notice explaining
why we did this change.

https://fedorahosted.org/freeipa/ticket/3199
Avoid uninstalling dependencies during package lifetime 2012-10-25T19:35:58+00:00 Martin Kosek mkosek@redhat.com 2012-10-24T10:35:36+00:00 1ed8ba6a7516ac9085e756c2232cf05e8350ad8a Requires(pre) only guarantees that package will be present before package scriptlets are run. However, the package can be removed after installation is finished without removing also IPA. Add standard Requires for these dependencies. Remove PRE version number from VERSION. This update and following is done on a top of IPA 3.0.0 GA. https://fedorahosted.org/freeipa/ticket/3189 
Requires(pre) only guarantees that package will be present before
package scriptlets are run. However, the package can be removed
after installation is finished without removing also IPA. Add
standard Requires for these dependencies.

Remove PRE version number from VERSION. This update and following
is done on a top of IPA 3.0.0 GA.

https://fedorahosted.org/freeipa/ticket/3189
ipa-client-automount: Add the autofs service if it doesn't exist yet 2012-10-25T18:27:38+00:00 Jakub Hrozek jhrozek@redhat.com 2012-10-25T17:59:21+00:00 5e79743a0b253b10e4530ab12e9395638f49db71 https://fedorahosted.org/freeipa/ticket/3201 
https://fedorahosted.org/freeipa/ticket/3201
Close connection after each request, avoid NSS shutdown problem. 2012-10-24T19:07:53+00:00 Rob Crittenden rcritten@redhat.com 2012-10-17T20:58:54+00:00 fb7575d6b77c1d85539c8e71b7fa931e758704d3 The unit tests were failing when executed against an Apache server in F-18 due to dangling references causing NSS shutdown to fail. https://fedorahosted.org/freeipa/ticket/3180 
The unit tests were failing when executed against an Apache server
in F-18 due to dangling references causing NSS shutdown to fail.

https://fedorahosted.org/freeipa/ticket/3180