| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
The working directory will be provided directly
by bind-dyndb-ldap package.
This partially reverts commit 689382dc833e687d30349b10a8fd7dc740d54d08.
https://fedorahosted.org/freeipa/ticket/3967
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The checks for existing host and existing replication agreement
set a flag that caused an exit() if any of them failed.
Between these checks there was an unrelated check, DNS resolution.
If the host and DNS checks both failed, this made it look like
the DNS check was the cause of failed install. Especially if the user
ignored the DNS check in unattended mode, the output was confusing.
Remove the flag and fail directly.
Do the replication agreement check first; fixing this with
ipa-replica-manage del will also remove the host entry.
Also, use the logger for error messages so they appear in the log
file as well as on the console.
https://fedorahosted.org/freeipa/ticket/3889
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Stock httpd no longer uses systemd EnvironmentFile option which is
making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard
to debug problems during subsequent ipa-server-install's where HTTP
may use a stale CCACHE in the default kernel keyring CCACHE.
Avoid forcing custom CCACHE and switch to system one, just make sure
that it is properly cleaned by kdestroy run as "apache" user during
FreeIPA server installation process.
https://fedorahosted.org/freeipa/ticket/4084
|
|
|
|
|
|
|
|
|
| |
Enable Retro Changelog and Content Synchronization DS plugins which are required
for SyncRepl support.
Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+.
https://fedorahosted.org/freeipa/ticket/3967
|
|
|
|
|
|
|
|
|
|
|
|
| |
Part of the effort to port FreeIPA to Arch Linux,
where Python 3 is the default.
FreeIPA hasn't been ported to Python 3, so the code must be modified to
run /usr/bin/python2
https://fedorahosted.org/freeipa/ticket/3438
Updated by pviktori@redhat.com
|
|
|
|
|
|
|
|
| |
On sysrestore failure, user is prompted out to remove the sysrestore
file. However, the path to the sysrestore file mentioned in the
sentence is not correct.
https://fedorahosted.org/freeipa/ticket/4080
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4021
|
| |
|
|
|
|
|
|
| |
This change makes single_value consistent with the raw property.
https://fedorahosted.org/freeipa/ticket/3521
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4011
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3975
|
|
|
|
|
|
|
|
|
|
|
| |
Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening to different ports).
To make sure that mod_ssl is not configured to listen on 443
(default mod_ssl configuration), add a check to the installer checking
of either mod_nss or mod_ssl was configured to listen on that port.
https://fedorahosted.org/freeipa/ticket/3974
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The uninstall method of the AD trust instance was not called upon
at all in the ipa-server-install --uninstall phase.
This patch makes sure that AD trust instance is unconfigured when
the server is uninstalled.
The following steps are undertaken:
* Remove /var/run/samba/krb5cc_samba
* Remove our keys from /etc/samba/samba.keytab using ipa-rmkeytab
* Remove /var/lib/samba/*.tdb files
Additionally, we make sure winbind service is stopped from within the
stop() method.
Part of: https://fedorahosted.org/freeipa/ticket/3479
|
|
|
|
|
|
|
|
| |
In case /etc/samba/smb.conf exists and it was not created by ipa-adtrust-install,
print a warning that we will break existing samba configuration and ask for
a confirmation in the interactive mode.
Part of: https://fedorahosted.org/freeipa/ticket/3479
|
|
|
|
|
|
|
|
|
|
|
| |
Since we are not able to properly restore the Samba server to the
working state after running ipa-adtrust-install, we should not keep
the smb.conf in the fstore.
This patch makes sure that any backed up smb.conf is removed from
the backup and that this file is not backed up anymore.
Part of: https://fedorahosted.org/freeipa/ticket/3479
|
|
|
|
|
|
|
| |
Change re-initialize command to consider memberOf fixup task only
for non-winsync replication agreements.
https://fedorahosted.org/freeipa/ticket/3854
|
|
|
|
|
|
|
|
| |
Deprecate this option and do not offer it in installation tools.
Without this option enabled, advanced DNS features like DNSSEC
would not work.
https://fedorahosted.org/freeipa/ticket/3962
|
|
|
|
|
|
|
| |
Having '%' in DM password causes pkispawn to crash. Do not allow
users to enter it until pkispawn is fixed.
https://bugzilla.redhat.com/show_bug.cgi?id=953488
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3897
|
|
|
|
|
|
|
| |
This works around pk12util refusing to use empty password files, which prevents
the use of PKCS#12 files with empty password.
https://fedorahosted.org/freeipa/ticket/3897
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the IPA server is setup with non-matching domain and realm
names, it will not be able to estabilish trust with the Active
Directory.
Adds warnings to the ipa-server-install and warning to the
ipa-adtrust-install (which has to be confirmed).
Man pages for the ipa-server-install and ipa-adtrust-install were
updated with the relevant notes.
https://fedorahosted.org/freeipa/ticket/3924
|
|
|
|
|
|
|
|
| |
DS is contacted during server uninstallation, in order to obtain information
about replication agreements. If DS is unavailable, warn and continue with
uninstallation.
https://fedorahosted.org/freeipa/ticket/3867
|
|
|
|
|
|
|
|
| |
The search had an incorrect scope and therefore it didn't find any RUV.
This issue prevented removing of replica.
https://fedorahosted.org/freeipa/ticket/3876
|
|
|
|
|
|
|
| |
Add a warning when trying to uninstall a replica that has active replication
agreements.
https://fedorahosted.org/freeipa/ticket/3867
|
|
|
|
|
|
|
| |
ipa-restore would fail if DS user did not exist. Check for presence of DS
user and group and create them if needed.
https://fedorahosted.org/freeipa/ticket/3856
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3869
|
|
|
|
|
|
|
|
|
|
|
| |
This patch makes sure that all edits to CS.cfg configuration file
are performed while pki-tomcatd service is stopped.
Introduces a new contextmanager stopped_service for handling
a general problem of performing a task that needs certain service
being stopped.
https://fedorahosted.org/freeipa/ticket/3804
|
|
|
|
|
|
|
| |
Make sure the subject base parameter is correctly passed and used during the
creation of the DS instance on a replica.
https://fedorahosted.org/freeipa/ticket/3868
|
|
|
|
|
|
| |
Hide the unnecessary --dirsrv_pin and --http_pin options.
https://fedorahosted.org/freeipa/ticket/3869
|
|
|
|
|
|
|
| |
Change the log file path from /var/log/ipa/default.log to admintool's default
path.
https://fedorahosted.org/freeipa/ticket/3641
|
|
|
|
|
|
|
| |
In particular, PKCS#12 validation and server certificate selection is now done
the same way as in ipa-server-install and ipa-replica-prepare.
https://fedorahosted.org/freeipa/ticket/3641
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3777
|
|
|
|
|
|
|
|
|
| |
Drops the code from ipa-server-install, ipa-dns-install and the
BindInstance itself. Also changed ipa-upgradeconfig script so
that it does not set zone_refresh to 0 on upgrades, as the option
is deprecated.
https://fedorahosted.org/freeipa/ticket/3632
|
|
|
|
|
|
|
|
|
|
| |
Properly handle --subject option of ipa-server-install, making sure this
value gets passed to certmap.conf. Introduce a new template variable
$SUBJECT_BASE for this purpose.
Also make sure that this value is preserved on upgrades.
https://fedorahosted.org/freeipa/ticket/3783
|
|
|
|
|
|
|
|
|
|
| |
In external CA installation, ipa-server-install leaked NSS objects
which caused an installation crash later when a subsequent call of
NSSConnection tried to free them.
Properly freeing the NSS objects avoid this crash.
https://fedorahosted.org/freeipa/ticket/3773
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3717
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enables support for trusted domains users for old clients through Schema
Compatibility plugin. SSSD supports trusted domains natively starting with
version 1.9 platform. For platforms that lack SSSD or run older SSSD version
one needs to use this option. When enabled, slapi-nis package needs to
be installed and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and
groups will be available under cn=users,cn=compat,$SUFFIX and
cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and
groups to lower case.
In addition to providing these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with DN
under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.
This authentication is related to PAM stack using 'system-auth' PAM
service. If you have disabled HBAC rule 'allow_all', then make sure there is
special service called 'system-auth' created and HBAC rule to allow access to
anyone to this rule on IPA masters is added. Please note that system-auth PAM
service is not used directly by any other application, therefore it is safe to
create one specifically to support trusted domain users via compatibility path.
https://fedorahosted.org/freeipa/ticket/3567
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3652
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provides a pluggable framework for generating configuration
scriptlets and instructions for various machine setups and use
cases.
Creates a new ipa-advise command, available to root user
on the IPA server.
Also provides an example configuration plugin,
config-fedora-authconfig.
https://fedorahosted.org/freeipa/ticket/3670
|
|
|
|
|
|
|
|
|
|
|
| |
Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no
longer owned by created with package installation. The directory
is rather created/removed with the CA instance itself.
This ensures proper creation/removeal, group ownership
and SELinux context.
https://fedorahosted.org/freeipa/ticket/3727
|
|
|
|
|
|
|
|
|
|
| |
Create:
* kerberosauth.xpi
* krb.js
even when --http_pkcs12 option is used.
https://fedorahosted.org/freeipa/ticket/3747
|
|
|
|
|
|
|
| |
Entitlements code was not tested nor supported upstream since
version 3.0. Remove the associated code.
https://fedorahosted.org/freeipa/ticket/3739
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3750
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3673
https://fedorahosted.org/freeipa/ticket/3674
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3665
|
|
|
|
|
|
|
|
| |
Adds a new simple service called OtpdInstance, that manages
ipa-otpd.socket service. Added to server/replica installer
and ipa-upgradeconfig script.
https://fedorahosted.org/freeipa/ticket/3680
|
|
|
|
|
|
|
|
| |
All installers that handle Kerberos auth, have been altered to use
private ccache, that is ipa-server-install, ipa-dns-install,
ipa-replica-install, ipa-ca-install.
https://fedorahosted.org/freeipa/ticket/3666
|