summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Resolve external members from trusted domain via Global Catalog30gatepoAlexander Bokovoy2012-10-313-26/+258
| | | | | | | | | | | | A sequence is following: 1. Match external member against existing trusted domain 2. Find trusted domain's domain controller and preferred GC hosts 3. Fetch trusted domain account auth info 4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain 5. Do LDAP SASL interactive bind using the ccache 6. Search for the member's SID 7. Decode SID 8. Replace external member name by SID
* Use single warning message in idrange module and idrange-addAlexander Bokovoy2012-10-311-22/+15
| | | | Complements fix to https://fedorahosted.org/freeipa/ticket/3116
* Get list of service from LDAP only at startupSimo Sorce2012-10-313-38/+138
| | | | | | | | | | | | | | We dump the list retriueved from LDAP at strstup in a temporary configuration file and always use that file afterwards. We check (possibly different) data from LDAP only at (re)start. This way we always shutdown exactly the services we started even if the list changed in the meanwhile (we avoid leaving a service running even if it was removed from LDAP as the admin decided it should not be started in future). This should also fix a problematic deadlock with systemd when we try to read the list of service from LDAP at shutdown. Simo.
* IPA Server check in ipa-replica-manageTomas Babej2012-10-312-1/+62
| | | | | | | | | | When executing ipa-replica-manage connect to an master that raises NotFound error we now check if the master is at least IPA server. If so, we inform the user that it is probably foreign or previously deleted master. If not, we inform the user that the master is not an IPA server at all. https://fedorahosted.org/freeipa/ticket/3105
* Restart httpd if ipa-server-trust-ad is installed or updatedSumit Bose2012-10-311-0/+14
| | | | | | | | If ipa-server-trust-ad is installed after the ipa server is installed and configured, httpd needs a restart for additional python modules to be loaded into httpd on IPA initialization. Fixes https://fedorahosted.org/freeipa/ticket/3185
* The SECURE_NFS value needs to be lower-case yes on SysV systems.Rob Crittenden2012-10-261-1/+1
| | | | | | | | The sysV rpcgssd init script tests for [ "${SECURE_NFS}" != "yes" ]. This also works as lower case for system so a simple fix. https://fedorahosted.org/freeipa/ticket/3207
* Remove servertrls and clientctrls options from rename_sMartin Kosek2012-10-261-2/+5
| | | | | | | | | | python-ldap of version 2.3.10 and lower does not support serverctrls and clientctrls fir rename_s operation. Do not use these options until really needed. In that time, we may put a requirement in place, that minimal python-ldap version is 2.3.11. Also add a notice explaining why we did this change. https://fedorahosted.org/freeipa/ticket/3199
* Avoid uninstalling dependencies during package lifetimeMartin Kosek2012-10-252-3/+8
| | | | | | | | | | | | Requires(pre) only guarantees that package will be present before package scriptlets are run. However, the package can be removed after installation is finished without removing also IPA. Add standard Requires for these dependencies. Remove PRE version number from VERSION. This update and following is done on a top of IPA 3.0.0 GA. https://fedorahosted.org/freeipa/ticket/3189
* ipa-client-automount: Add the autofs service if it doesn't exist yetJakub Hrozek2012-10-251-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/3201
* Close connection after each request, avoid NSS shutdown problem.Rob Crittenden2012-10-242-5/+30
| | | | | | | The unit tests were failing when executed against an Apache server in F-18 due to dangling references causing NSS shutdown to fail. https://fedorahosted.org/freeipa/ticket/3180
* Fixed incorrect link to browser config after session expirationPetr Vobornik2012-10-242-2/+2
| | | | | | Fixed typo in message placeholder. https://fedorahosted.org/freeipa/ticket/3187
* Make sure the CA is running when starting servicesPetr Viktorin2012-10-233-61/+162
| | | | | | | | | | | | | | | | - Provide a function for determinig the CA status using Dogtag 10's new getStatus endpoint. This must be done over HTTPS, but since our client certificate may not be set up yet, we need HTTPS without client authentication. Rather than copying from the existing http_request and https_request function, shared code is factored out to a common helper. - Call the new function when restarting the CA service. Since our Service can only be extended in platform-specific code, do this for Fedora only. Also, the status is only checked with Dogtag 10+. - When a restart call in cainstance failed, users were refered to the installation log, but no info was actually logged. Log the exception. https://fedorahosted.org/freeipa/ticket/3084
* ipa-replica-install: Use configured IPA DNS servers in forward/reverse ↵Petr Viktorin2012-10-231-8/+22
| | | | | | | | | | | | | | resolution check Previously, ipa-replica-install tried to check DNS resolution on the master being cloned. If that master was not a DNS server, the check failed. Change the check to query the first available configured DNS server. Log about the check before actually running it. Log in the case the check is skipped (no IPA DNS servers installed). https://fedorahosted.org/freeipa/ticket/3194
* Improve error messages in ipa-replica-manage.Rob Crittenden2012-10-231-8/+14
| | | | | | | | | | | | | Correctly handle case where we bind using GSSAPI with an unauthorized user. Remove extraneous except clause. We now have handle for LDAP errors. Make it explicit in a few places what server we can't connect to. When the remote replica is down and we are forcing its removal, remove a duplicate entry from the list of servers to remove. https://fedorahosted.org/freeipa/ticket/2871
* Make service naming in ipa-server-install consistentTomas Babej2012-10-2210-27/+86
| | | | | | | | | | | | | Forces more consistency into ipa-server-install output. All descriptions of services that are not instances of SimpleServiceInstance are now in the following format: <Description> (<Service Name>) Furthermore, start_creation method has been modified to support custom start and end messages. See documentation for more info. https://fedorahosted.org/freeipa/ticket/3059
* Refactoring of default.conf man pageTomas Babej2012-10-221-37/+49
| | | | | | | | | Description for the 'dogtag_version', 'startup_timeout', 'server', 'wait_for_attr' option has been added. Option 'server' has been marked as deprecated, as it is not used anywhere in IPA code. All the options have been sorted lexicographically. https://fedorahosted.org/freeipa/ticket/3071
* Report ipa-upgradeconfig errors during RPM upgradeMartin Kosek2012-10-183-4/+20
| | | | | | | | | | | | | Report errors just like with ipa-ldap-updater. These messages should warn user that some parts of the upgrades may have not been successful and he should follow up on them. Otherwise, user may not notice them at all. ipa-upgradeconfig now has a new --quiet option to make it output only error level log messages or higher. ipa-upgradeconfig run without options still pring INFO log messages as it can provide a clean overview about its actions (unlike ipa-ldap-updater). https://fedorahosted.org/freeipa/ticket/3157
* Add fallback for httpd restarts on sysV platformsMartin Kosek2012-10-181-0/+17
| | | | | | | | | | | | httpd init script on sysV based platforms cannot guarantee that two consecutive httpd service restarts succeed when run in a small time distance. Add fallback procedure that adds additional waiting time after such failed restart attempt, and then try to stop and start the service again. https://fedorahosted.org/freeipa/ticket/2965
* Create reverse zone in unattended modeMartin Kosek2012-10-192-2/+6
| | | | | | | | | Previous fix for ticket #3161 caused ipa-{server,dns}-install to skip creation of reverse zone when running in unattended mode. Make sure that reverse zone is created also in unattended mode (unless --no-reverse is specified). https://fedorahosted.org/freeipa/ticket/3161
* Fix requesting certificates that contain subject altnames.Rob Crittenden2012-10-191-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/3184
* Simpler instructions to generate certificatePetr Vobornik2012-10-192-2/+2
| | | | | | | | | | | | | | Instructions to generate certificate were simplified. New instructions: 1) Create a certificate database or use an existing one. To create a new database: # certutil -N -d <database path> 2) Create a CSR with subject CN=<hostname>,O=<realm>, for example: # certutil -R -d <database path> -a -g <key size> -s 'CN=dev.example.com,O=DEV.EXAMPLE.COM' 3) Copy and paste the CSR (from -----BEGIN NEW CERTIFICATE REQUEST----- to -----END NEW CERTIFICATE REQUEST-----) into the text area below: https://fedorahosted.org/freeipa/ticket/3056
* log dogtag errorsJohn Dennis2012-10-191-20/+48
| | | | | | | | | | | | If we get an error from dogtag we always did raise a CertificateOperationError exception with a message describing the problem. Unfortuanately that error message did not go into the log, just sent back to the caller. The fix is to format the error message and send the same message to both the log and use it to initialize the CertificateOperationError exception. This is done in the utility method raise_certificate_operation_error(). https://fedorahosted.org/freeipa/ticket/2622
* Forbid overlapping primary and secondary rid rangesTomas Babej2012-10-192-20/+211
| | | | | | | | | | | Commands ipa idrange-add / idrange-mod no longer allows the user to enter primary or secondary rid range such that has non-zero intersection with primary or secondary rid range of another existing id range, as this could cause collision. Unit tests added to test_range_plugin.py https://fedorahosted.org/freeipa/ticket/3086
* ipautil.run: Log the command line before running the commandPetr Viktorin2012-10-171-6/+11
| | | | | | | | When the user interrupts a long-running command, this ensures that the command is logged. Also, when watching log files (or the -d output), it's apparent what's being done. https://fedorahosted.org/freeipa/ticket/3174
* extdom: handle INP_POSIX_UID and INP_POSIX_GID requestsSumit Bose2012-10-181-6/+32
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3166
* Fix various issues found by CoveritySumit Bose2012-10-176-12/+22
|
* Add support for using AES fo cross-realm TGTsSimo Sorce2012-10-171-1/+10
|
* Warn about DNA plugin configuration when working with local ID rangesAlexander Bokovoy2012-10-171-1/+22
| | | | https://fedorahosted.org/freeipa/ticket/3116
* Don't configure a reverse zone if not desired in interactive installer.Rob Crittenden2012-10-172-3/+3
| | | | | | | | A reverse zone was always configured in the interactive installer even if you answered "no" to the reverse zone question. The only way to not confiugre it was the --no-reverse option. https://fedorahosted.org/freeipa/ticket/3161
* Add uninstall command hints to ipa-*-installNikolai Kondrashov2012-10-163-7/+11
| | | | | | | | Add uninstall command to the uninstall instructions in the "already installed" responses of ipa-server-install, ipa-client-install and ipa-replica-install. https://fedorahosted.org/freeipa/ticket/3065
* Remove bogus check for smbpasswdAlexander Bokovoy2012-10-161-2/+2
| | | | | | | | We don't use smbpasswd when configuring IPA for AD trusts anymore because we switched to use Kerberos authentication in IPA passdb backend based on CIFS service keytab. https://fedorahosted.org/freeipa/ticket/3181
* Use TLS for CA replicationRob Crittenden2012-10-151-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3162
* Use PublicError instructions support for trust-add case when domain is not foundAlexander Bokovoy2012-10-111-7/+8
| | | | https://fedorahosted.org/freeipa/ticket/3167
* Add instructions support to PublicErrorAlexander Bokovoy2012-10-112-9/+29
| | | | | | | | | | | | | | | When long additional text should follow the error message, one can supply instructions parameter to a class derived from PublicError. This will cause following text added to the error message: Additional instructions: <additional text> `instructions' optional parameter could be a list or anything that coerces into unicode(). List entries will be joined with '\n'. https://fedorahosted.org/freeipa/ticket/3167
* Pull translation files from TransifexPetr Viktorin2012-10-1114-2862/+4444
| | | | | | | Patch generated by: cd install/po make pull-po make update-po
* Explicitly disable betxn plugins for the time being.Rob Crittenden2012-10-105-0/+104
| | | | | | | | This should work with 389-ds-base 1.2.x and 1.3.0. Without other plugin changes 389-ds-base can deadlock. https://fedorahosted.org/freeipa/ticket/3046
* Do not show full SSH public keys in command output by default.Jan Cholasta2012-10-111-3/+3
|
* Use stricter requirement for krb5-serverSimo Sorce2012-10-101-0/+1
| | | | | | | | Our code strictly depends on 1.10 as the KDC DAL plugin interface is not guaranteed stable and indeed is different in 1.9 and will be different in 1.11 So we cannot allow upgrades to 1.11 until we can provide a plugin that matches 1.11's interface.
* Make sure samba{,4}-winbind-krb5-locator package is not used with trustsAlexander Bokovoy2012-10-091-0/+31
| | | | | | | | Since use of winbind on FreeIPA server that is configured with trusts is conflicting with krb5 locator based on winbind, use alternatives mechanism to turn off the locator plugin by symlinking it to /dev/null. https://fedorahosted.org/freeipa/ticket/3102
* Configure the initial CA as the CRL generator.Rob Crittenden2012-10-093-3/+30
| | | | | | | | Any installed clones will have CRL generation explicitly disabled. It is a manual process to make a different CA the CRL generator. There should be only one. https://fedorahosted.org/freeipa/ticket/3051
* Create Firefox extension on upgrade and replica-installPetr Viktorin2012-10-105-24/+74
| | | | | | | | If the signing cert is not available, create an unsigned extension. Add a zip dependency to the specfile. https://fedorahosted.org/freeipa/ticket/3150
* replica-install: Don't copy Firefox config extension files if they're not in ↵Petr Viktorin2012-10-101-2/+6
| | | | | | | | the replica file This allows cloning from older masters. https://fedorahosted.org/freeipa/ticket/3150
* ipa-upgradeconfig: Remove the upgrade_httpd_selinux functionPetr Viktorin2012-10-101-8/+0
| | | | This function was never called from anywhere.
* Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-installAlexander Bokovoy2012-10-095-24/+42
| | | | | | | | | | | Since CIFS principal is generated by ipa-adtrust-install and is only usable after setting CIFS configuration, there is no need to include it into default setup. This should fix upgrades from 2.2 to 3.0 where CIFS principal does not exist by default. https://fedorahosted.org/freeipa/ticket/3041
* Notify user about necessary ports in ipa-client-installTomas Babej2012-10-092-2/+19
| | | | | | | | | | | | Connection error message in ipa-client-install now warns the user about the need of opening of all the necessary ports for ipa-client enrollment when error that might have been caused by closed ports is encountered. Mentions the ports needed after the client enrollment as well. Improves other error messages during installation in various ways. https://fedorahosted.org/freeipa/ticket/2816
* Fix CS replication management.Rob Crittenden2012-10-092-23/+57
| | | | | | | | | | | | | | | | | The master side should be on the local side, replica1, not the remote. This required reversing a few master variables. This impacts the naming of the replication agreements. When deleting an agreement pass in the DN of that agreement rather than trying to calculate what it is on-the-fly. We cannot be sure which side is the master/clone and since we search for it anyway to determine if the agreement exists it is more correct to use what we find. The force flag wasn't being passed into del_link so there was no way to force a deletion. https://fedorahosted.org/freeipa/ticket/2858
* Fix wrong RID for Domain Admins in the examples of trust commandsAlexander Bokovoy2012-10-101-2/+2
|
* Fix CA CRL migration crash in ipa-upgradeconfigMartin Kosek2012-10-102-16/+31
| | | | | | | | | | | | | | | | | CRL migrate procedure did not check if a CA was actually configured on an updated master/replica. This caused ipa-upgradeconfig to crash on replicas without a CA. Make sure that CRL migrate procedure is not run when CA is not configured on given master. Also add few try..except clauses to make the procedure more robust. There is also a small refactoring of "<service> is not configured" log messages, so that they have matching log level and message. dogtag.py constants were updated to have a correct path to new CRL directory on Fedora 18 (dogtag 10). https://fedorahosted.org/freeipa/ticket/3159
* Set renewal time for the CA audit certificate to 720 days.Rob Crittenden2012-10-092-7/+47
| | | | | | | | The initial certificate is issued for two years but renewals are for six months for some reason. This fixes it for new and updated IPA installs. https://fedorahosted.org/freeipa/ticket/2951
* Add uniqueness plugin configuration for sudorule cnRob Crittenden2012-10-083-0/+35
| | | | | | | | | We do a search looking for duplicate values but this leaves open the possibility that two adds are happening at the same time so both searches return NotFound therefore we get two entries with the same cn value. https://fedorahosted.org/freeipa/ticket/3017
generated by cgit (git 2.34.1) at 2024-05-10 07:15:44 +0000