freeipa.git/ipa-client, branch adwork FreeIPA project Improve autodiscovery logging 2012-06-18T01:47:06+00:00 Petr Viktorin pviktori@redhat.com 2012-06-13T15:44:06+00:00 8f051c978e2a3cf40ba6cc9c84652ae049d978ab Track the source of discovered values (e.g. from option, interactive, retrieved from DNS), and show it in the log in the configuration overview and on erorrs involving the value. Add additional log messages explaining the autodiscovery process. For domains the discovery tries to get LDAP SRV records from, log reasons explaining why the domain was chosen. Also, prevent the same domain from being searched multiple times. Add names for error codes, and show them in the log. Also, modernize the discovery code a bit: move away from the Java-style accessors, don't needlessly pre-declare variables, make IPADiscovery a new-style class. https://fedorahosted.org/freeipa/ticket/2553 
Track the source of discovered values (e.g. from option, interactive,
retrieved from DNS), and show it in the log in the configuration
overview and on erorrs involving the value.

Add additional log messages explaining the autodiscovery process.

For domains the discovery tries to get LDAP SRV records from, log
reasons explaining why the domain was chosen. Also, prevent the
same domain from being searched multiple times.

Add names for error codes, and show them in the log.

Also, modernize the discovery code a bit: move away from the
Java-style accessors, don't needlessly pre-declare variables, make
IPADiscovery a new-style class.

https://fedorahosted.org/freeipa/ticket/2553
Improve ipa-client-install debug output 2012-06-18T01:47:06+00:00 Petr Viktorin pviktori@redhat.com 2012-06-08T13:36:38+00:00 3e0116491f701222bd3941d0ad58feb7fe670ac4 The client does a fair bit of work when trying to validate the hostnames, do discovery and verify that the server it gets back is an IPA server. The debug logging around this was horrid with very little state information, duplicate log messages or just nothing at all. In many cases errors were printed only to stderr/stdout. This patch makes the logging and output go through the IPA log manager. It sets up logging so that INFO, WARNING, and ERROR messages show up on the console. If -d is given, DEBUG messages are also printed. All messages also go to the log file. The only exception is user input: prompts are only printed to the console, but if the user provides any information it is echoed in a DEBUG-level message. https://fedorahosted.org/freeipa/ticket/2553 
The client does a fair bit of work when trying to validate the hostnames,
do discovery and verify that the server it gets back is an IPA server.
The debug logging around this was horrid with very little state information,
duplicate log messages or just nothing at all.
In many cases errors were printed only to stderr/stdout.

This patch makes the logging and output go through the IPA log manager.
It sets up logging so that INFO, WARNING, and ERROR messages show up on the
console. If -d is given, DEBUG messages are also printed.
All messages also go to the log file.
The only exception is user input: prompts are only printed to the console,
but if the user provides any information it is echoed in a DEBUG-level
message.

https://fedorahosted.org/freeipa/ticket/2553
Add flag to ipa-client-install to managed order of ipa_server in sssd 2012-06-14T02:38:14+00:00 Rob Crittenden rcritten@redhat.com 2012-06-11T19:43:04+00:00 55d2d92dcf617e468bf05cea3cd8378a855b96e7 The --fixed-primary flag determine the order of the ipa_server directive. When set the IPA server discovered (or passed in via --server or via user-input) will be listed first. Otherwise _srv_ is listed first. https://fedorahosted.org/freeipa/ticket/2282 
The --fixed-primary flag determine the order of the ipa_server directive.
When set the IPA server discovered (or passed in via --server or via
user-input) will be listed first. Otherwise _srv_ is listed first.

https://fedorahosted.org/freeipa/ticket/2282
Clean keytabs before installing new keys into them 2012-06-11T12:42:52+00:00 Petr Viktorin pviktori@redhat.com 2012-06-06T14:44:06+00:00 3e3ac0ebabb5db25f9179b16ca8b4967e98a82a6 In ipa-client-install (which is also called from server/replica installation), call `ipa-rmkeytab -k <keytab> -r $REALM` to be sure that there aren't any remnants from a previous install of IPA or another KDC altogether. https://fedorahosted.org/freeipa/ticket/2698 
In ipa-client-install (which is also called from server/replica
installation), call `ipa-rmkeytab -k <keytab> -r $REALM` to be
sure that there aren't any remnants from a previous install of
IPA or another KDC altogether.

https://fedorahosted.org/freeipa/ticket/2698
Move some krb5 keys related functions from ipa-client to util 2012-06-11T10:04:05+00:00 Sumit Bose sbose@redhat.com 2012-03-13T09:29:00+00:00 ee936431c88a7b089c9c2780d63b393813d114e5 






If SELinux is enabled ensure we also have restorecon.
2012-05-31T12:07:05+00:00

Rob Crittenden
rcritten@redhat.com

2012-05-31T11:59:33+00:00

9e877585e213a9fccec8ff9b3dcb876b2ec65696

We don't have a specific requires on the policycoreutils package. It
gets pulled in as a dependency on the server anyway, but checking
there is like a belt and suspenders.

On the client we don't require SELinux at all. If SELinux is enabled
however we need to set things up properly. This is provided by the
policycoreutils package so fail if that isn't available.

https://fedorahosted.org/freeipa/ticket/2368





We don't have a specific requires on the policycoreutils package. It
gets pulled in as a dependency on the server anyway, but checking
there is like a belt and suspenders.

On the client we don't require SELinux at all. If SELinux is enabled
however we need to set things up properly. This is provided by the
policycoreutils package so fail if that isn't available.

https://fedorahosted.org/freeipa/ticket/2368







SSH configuration fixes.
2012-05-30T05:47:27+00:00

Jan Cholasta
jcholast@redhat.com

2012-05-23T09:00:55+00:00

d62b2d9be5a1162f5fdb255aa4f361ce048722fa

Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the
latter has been deprecated in OpenSSH 5.9.

If DNS host key verification is enabled, restrict the set of allowed host
public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only
these algorithms.

Make sure public key user authentication is enabled in both ssh and sshd.

ticket 2769





Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the
latter has been deprecated in OpenSSH 5.9.

If DNS host key verification is enabled, restrict the set of allowed host
public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only
these algorithms.

Make sure public key user authentication is enabled in both ssh and sshd.

ticket 2769







Always set ipa_hostname for sssd.conf
2012-05-28T15:09:22+00:00

Ondrej Hamada
ohamada@redhat.com

2012-04-12T12:19:15+00:00

bdc80fe372fa937a0cf4a411f550ae35caad3e42

ipa-client-install will always set ipa_hostname for sssd.conf in order
to prevent the client from getting into weird state.

https://fedorahosted.org/freeipa/ticket/2527





ipa-client-install will always set ipa_hostname for sssd.conf in order
to prevent the client from getting into weird state.

https://fedorahosted.org/freeipa/ticket/2527







Replace DNS client based on acutil with python-dns
2012-05-24T11:55:56+00:00

Martin Kosek
mkosek@redhat.com

2012-05-11T12:38:09+00:00

f1ed123caddd7525a0081c4a9de931cabdfda43f

IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
  but but rather C-like interface based on functions and
  structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
  authconfig and thus can break without notice

Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
  in installutils to make the whole DNS check simpler and
  less error-prone. Logging was improves for the remaining
  checks
- improved logging for ipa-client-install DNS discovery

https://fedorahosted.org/freeipa/ticket/2730
https://fedorahosted.org/freeipa/ticket/1837





IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
  but but rather C-like interface based on functions and
  structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
  authconfig and thus can break without notice

Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
  in installutils to make the whole DNS check simpler and
  less error-prone. Logging was improves for the remaining
  checks
- improved logging for ipa-client-install DNS discovery

https://fedorahosted.org/freeipa/ticket/2730
https://fedorahosted.org/freeipa/ticket/1837







Make ipa 2.2 client capable of joining an older server
2012-05-02T00:38:43+00:00

Martin Kosek
mkosek@redhat.com

2012-05-02T13:36:04+00:00

b8f30bce77837966597f5508625742c1bae04080

IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. ipa command no longer forwards Kerberos TGT to the
server during authentication. However, when IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which would detect
this situation and tries connecting with TGT forwarding enabled
again. User is informed about this incompatibility.

Missing realm was also added to keytab kinit as it was reported to
fix occasional install issues.

https://fedorahosted.org/freeipa/ticket/2697





IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. ipa command no longer forwards Kerberos TGT to the
server during authentication. However, when IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which would detect
this situation and tries connecting with TGT forwarding enabled
again. User is informed about this incompatibility.

Missing realm was also added to keytab kinit as it was reported to
fix occasional install issues.

https://fedorahosted.org/freeipa/ticket/2697