freeipa.git/ipa-client/ipa-install, branch trusts-master FreeIPA project Allow host re-enrollment using delegation 2013-03-25T09:53:25+00:00 Tomas Babej tbabej@redhat.com 2013-03-18T10:06:22+00:00 a7ccc198a731d0e48319a73bcb2dd98c34de262a A new option --force-join has been added to ipa-client-install. It forces the host enrollment even if the host entry exists. Old certificate is revoked, new certificate and ssh key pair generated. See the relevant design for the re-enrollment part: http://freeipa.org/page/V3/Forced_client_re-enrollment https://fedorahosted.org/freeipa/ticket/3482 
A new option --force-join has been added to ipa-client-install.
It forces the host enrollment even if the host entry exists.
Old certificate is revoked, new certificate and ssh key pair
generated. See the relevant design for the re-enrollment part:
http://freeipa.org/page/V3/Forced_client_re-enrollment

https://fedorahosted.org/freeipa/ticket/3482
Improve client install LDAP cert retrieval fallback 2013-03-21T15:12:12+00:00 Martin Kosek mkosek@redhat.com 2013-03-14T13:36:39+00:00 1336b399065ff47477029ba487f1d392f1ce6ac8 CA certificate retrieval function did not fallback from LDAP to HTTP based retrieval in case of an LDAP error, when for example GSSAPI authentication failed. https://fedorahosted.org/freeipa/ticket/3512 
CA certificate retrieval function did not fallback from LDAP to
HTTP based retrieval in case of an LDAP error, when for example
GSSAPI authentication failed.

https://fedorahosted.org/freeipa/ticket/3512
Use temporary CCACHE in ipa-client-install 2013-03-21T15:12:12+00:00 Martin Kosek mkosek@redhat.com 2013-03-14T13:33:56+00:00 6540eff4687bbc400e285a68936d8edf1895168e ipa-client-install failed if user had set his own KRB5CCNAME in his environment. Use a temporary CCACHE for the installer to avoid these kind of errors. https://fedorahosted.org/freeipa/ticket/3512 
ipa-client-install failed if user had set his own KRB5CCNAME in his
environment. Use a temporary CCACHE for the installer to avoid these
kind of errors.

https://fedorahosted.org/freeipa/ticket/3512
Avoid multiple client discovery with fixed server list 2013-03-14T08:35:25+00:00 Martin Kosek mkosek@redhat.com 2013-03-13T13:44:20+00:00 354a5db38e46aaf7ff4ecb0b6ee54a18194c376e In client discovery module, we used to run up to three discovery processes even though we received a fixed list of servers to connect to. This could result in up to 3 identical "not an IPA server" error messages when the passed server is not an IPA server. Error out immediately when we are discovering against a fixed set of servers. Related to fixes in https://fedorahosted.org/freeipa/ticket/3418 
In client discovery module, we used to run up to three discovery
processes even though we received a fixed list of servers to connect
to. This could result in up to 3 identical "not an IPA server" error
messages when the passed server is not an IPA server.

Error out immediately when we are discovering against a fixed set
of servers.

Related to fixes in https://fedorahosted.org/freeipa/ticket/3418
Make sure uninstall script prompts for reboot as last 2013-03-13T15:53:19+00:00 Tomas Babej tbabej@redhat.com 2013-03-13T11:53:24+00:00 ade4aaef9aba7e05276dc2f436a43e0bb7d42da3 Parts of client uninstall logic could be skipped in attended uninstallation if user agreed to reboot the machine. Particulary, the uninstall script would not try to remove /etc/ipa/default.conf and therefore subsequent installation would fail, client being detected as already configured. https://fedorahosted.org/freeipa/ticket/3462 https://fedorahosted.org/freeipa/ticket/3463 
Parts of client uninstall logic could be skipped in attended
uninstallation if user agreed to reboot the machine. Particulary,
the uninstall script would not try to remove /etc/ipa/default.conf
and therefore subsequent installation would fail, client being
detected as already configured.

https://fedorahosted.org/freeipa/ticket/3462
https://fedorahosted.org/freeipa/ticket/3463
Use IPAdmin rather than raw python-ldap in ipa-client-install 2013-03-13T11:36:33+00:00 Petr Viktorin pviktori@redhat.com 2013-01-31T12:46:33+00:00 a0242334feb3da01430f517806768965dabe92c2 Part of the work for: https://fedorahosted.org/freeipa/ticket/3487 
Part of the work for: https://fedorahosted.org/freeipa/ticket/3487
Add support for re-enrolling hosts using keytab 2013-03-12T14:13:09+00:00 Tomas Babej tbabej@redhat.com 2013-02-26T12:20:13+00:00 a38d93f65f87db1a0b9c34eb0ba1b6d9dca9e060 A host that has been recreated and does not have its host entry disabled or removed, can be re-enrolled using a previously backed up keytab file. A new option --keytab has been added to ipa-client-install. This can be used to specify path to the keytab and can be used instead of -p or -w options. A new option -f has been added to ipa-join. It forces client to join even if the host entry already exits. A new certificate, ssh keys are generated, ipaUniqueID stays the same. Design page: http://freeipa.org/page/V3/Client_install_using_keytab https://fedorahosted.org/freeipa/ticket/3374 
A host that has been recreated  and does not have its
host entry disabled or removed, can be re-enrolled using
a previously backed up keytab file.

A new option --keytab has been added to ipa-client-install. This
can be used to specify path to the keytab and can be used instead
of -p or -w options.

A new option -f has been added to ipa-join. It forces client to
join even if the host entry already exits. A new certificate,
ssh keys are generated, ipaUniqueID stays the same.

Design page: http://freeipa.org/page/V3/Client_install_using_keytab

https://fedorahosted.org/freeipa/ticket/3374
Use default.conf as flag of IPA client being installed 2013-02-22T09:13:41+00:00 Tomas Babej tbabej@redhat.com 2013-02-19T16:59:50+00:00 a7110d7a32b6eb7131ce47655cb14f693681ab01 When installing / uninstalling IPA client, the checks that determine whether IPA client is installed now take the existence of /etc/ipa/default.conf into consideration. The client will not uninstall unless either something is backed up or /etc/ipa/default.conf file does exist. The client will not install if something is backed up or default.conf file does exist (unless it's installation on master). https://fedorahosted.org/freeipa/ticket/3331 
When installing / uninstalling IPA client, the checks that
determine whether IPA client is installed now take the existence
of /etc/ipa/default.conf into consideration.

The client will not uninstall unless either something is backed
up or /etc/ipa/default.conf file does exist.

The client will not install if something is backed up or
default.conf file does exist (unless it's installation on master).

https://fedorahosted.org/freeipa/ticket/3331
Add LDAP server fallback to client installer 2013-02-07T21:49:31+00:00 Rob Crittenden rcritten@redhat.com 2013-02-04T14:35:13+00:00 cbb262dc07ea0615068a630e6c7136e3200d5a06 Change the discovery code to validate all servers, regardless of where the originated (either via SRV records or --server). This will prevent the client installer from failing if one of those records points to a server that is either not running or is not an IPA server. If a server is not available it is not removed from the list of configured servers, simply moved to the end of the list. If a server is not an IPA server it is removed. https://fedorahosted.org/freeipa/ticket/3388 
Change the discovery code to validate all servers, regardless of where
the originated (either via SRV records or --server). This will prevent
the client installer from failing if one of those records points to a
server that is either not running or is not an IPA server.

If a server is not available it is not removed from the list of configured
servers, simply moved to the end of the list.

If a server is not an IPA server it is removed.

https://fedorahosted.org/freeipa/ticket/3388
Add support for RFC 6594 SSHFP DNS records. 2013-02-01T14:16:09+00:00 Jan Cholasta jcholast@redhat.com 2013-01-08T15:13:07+00:00 86dde3a38e801bb88a7d573a2a37ce7201e29e0f https://fedorahosted.org/freeipa/ticket/2642 
https://fedorahosted.org/freeipa/ticket/2642