path: root/ipa-client/ipa-install/ipa-client-install
Commit message | Author | Age | Files | Lines
* Ensure network configuration file has proper permissions [gssapi-delegate] | Alexander Bokovoy | 2011-08-10 | 1 file | -0/+10
  As network configuration file is created as temporary file, it has stricter permissions than we need for the target system configuration file. Ensure permissions are properly reset before installing file. If permissions are not re-set, system may have no networking enabled after reboot.
  https://fedorahosted.org/freeipa/ticket/1606
* Make proper LDAP configuration reporting for ipa-client-install | Alexander Bokovoy | 2011-07-28 | 1 file | -18/+29
  Ticket https://fedorahosted.org/freeipa/ticket/1369
* Modify /etc/sysconfig/network on a client when IPA manages hostname | Alexander Bokovoy | 2011-07-29 | 1 file | -4/+61
  https://fedorahosted.org/freeipa/ticket/1368
* Make ipa-client-install error messages more understandable and relevant. | Rob Crittenden | 2011-07-19 | 1 file | -13/+15
  * Check remote LDAP server to see if it is a V2 server
  * Replace numeric return values with alphanumeric constants
  * Display the error message from the ipa-enrollment extended op
  * Remove generic join failed error message when XML-RPC fails
  * Don't display Certificate subject base when enrollment fails
  * Return proper error message when LDAP bind fails
  https://fedorahosted.org/freeipa/ticket/1417
* Fix sssd.conf to always have IPA certificate for the domain. | Alexander Bokovoy | 2011-07-18 | 1 file | -0/+6
  Fixes https://fedorahosted.org/freeipa/ticket/1476
  SSSD will need TLS for checking if ipaMigrationEnabled attribute is set
  Note that SSSD will force StartTLS because the channel is later used for authentication as well if password migration is enabled. Thus set the option unconditionally.
* Change client enrollment principal prompt to hopefully be clearer. | Rob Crittenden | 2011-07-19 | 1 file | -1/+1
  ticket https://fedorahosted.org/freeipa/ticket/1449
* Rearrange logging for NSCD daemon. | Alexander Bokovoy | 2011-07-18 | 1 file | -1/+4
  https://fedorahosted.org/freeipa/ticket/1373
  When SSSD is in use, we are actually trying to disable NSCD daemon. Telling that we failed to configure automatic _startup_ of the NSCD is wrong then.
* Configure SSSD to store user password if offline. | Jan Cholasta | 2011-07-14 | 1 file | -0/+4
  ticket 1359
* Remove redundant configuration values from krb5.conf. | Jan Cholasta | 2011-06-28 | 1 file | -3/+0
  ticket 1358
* On a master configure sssd to only talk to the local master. | Rob Crittenden | 2011-06-21 | 1 file | -1/+5
  Otherwise it is possible for sssd to pick a different master to communicate with via the DNS SRV records and if the remote master goes down the local one will have problems as well.
  ticket https://fedorahosted.org/freeipa/ticket/1187
* Fix support for nss-pam-ldapd | Martin Kosek | 2011-06-08 | 1 file | -14/+45
  Client installation with --no-sssd option was broken if the client was based on a nss-pam-ldap instead of nss_ldap. The main issue is with authconfig rewriting the nslcd.conf after it has been configured by ipa-client-install. This has been fixed by changing an order of installation steps.
  Additionally, nslcd daemon needed for nss-pam-ldap function is correctly started.
  https://fedorahosted.org/freeipa/ticket/1235
* Properly configure nsswitch.conf when using the --no-sssd option. | Rob Crittenden | 2011-05-18 | 1 file | -3/+4
  Even with --no-sssd authconfig was setting nsswitch.conf to use sssd for users, groups, shadow and netgroups. We need to pass in the --enableforcelegacy option when configuring nss_ldap.
  Also always back up and restore sssd.conf. It still gets configured for kerberos.
  ticket 1142
* KDC autodiscovery may fail when domain is not realm | Martin Kosek | 2011-05-17 | 1 file | -5/+10
  When ipa-client-install autodiscovers IPA server values it doesn't fill the fixed KDC address to Kerberos configuration file. However, when realm != domain or the autodiscovered values are overridden, installation may fail because it cannot find the KDC.
  This patch adds a failover to use static KDC address in case when such an issue occurs.
  https://fedorahosted.org/freeipa/ticket/1100
* Improve service manipulation in client install | Martin Kosek | 2011-05-13 | 1 file | -93/+64
  Remove redundant ipa-client-install error message when optional nscd daemon was not installed. Additionally, use standard IPA functions for service manipulation and improve logging.
  https://fedorahosted.org/freeipa/ticket/1207
* install-scripts: avoid using --list with chkconfig | Simo Sorce | 2011-05-06 | 1 file | -6/+0
  This option does not behave properly in F15 as chkconfig does not list services moved to use systemd service files.
  Plus there are more direct ways than parsing its output, which are more reliable.
  Also just testing for the availability of the service calling 'chkconfig name' is enough.
  https://fedorahosted.org/freeipa/ticket/1206
* ipa-client-install uninstall does not work on IPA server | Martin Kosek | 2011-04-29 | 1 file | -1/+1
  When IPA server is being uninstalled, IPA client on-master uninstallation which is called by the script fails.
  https://fedorahosted.org/freeipa/ticket/1197
* Forbid reinstallation in ipa-client-install | Martin Kosek | 2011-04-29 | 1 file | -7/+8
  The --force option may be misused to reinstall an existing IPA client. This is not supported and may lead to unexpected errors. When required, the cleanest way to re-install IPA client is to run uninstall and then install again.
  This patch also includes few cosmetic changes in messages to user to provide more consistent user experience with the script.
  https://fedorahosted.org/freeipa/ticket/1117
* Prevent uninstalling client on the IPA server | Martin Kosek | 2011-04-29 | 1 file | -0/+6
  This patch prevents uninstalling IPA client when it is configured as a part of IPA server. ipa-server-installation script is advised for this situation.
  https://fedorahosted.org/freeipa/ticket/1049
* Log temporary files in ipa-client-install | Martin Kosek | 2011-04-28 | 1 file | -1/+8
  This patch adds logging of temporary files (Kerberos configuration, nsupdate commands) that may be very useful for debugging purposes.
  https://fedorahosted.org/freeipa/ticket/1093
  https://fedorahosted.org/freeipa/ticket/1094
* Suppress --on-master from ipa-client-install command-line and man page. | Rob Crittenden | 2011-04-12 | 1 file | -1/+4
  This option is only used when configuring an IPA client on an IPA server. Describing it on the command-line will only confuse people so don't list it as an option.
  Ticket 1050
* Ensure that the system hostname is lower-case. | Rob Crittenden | 2011-03-18 | 1 file | -5/+8
  ticket 1080
* Always consider domain and server when doing DNS discovery in client. | Rob Crittenden | 2011-03-15 | 1 file | -8/+4
  When not on master we weren't passing in the user-supplied domain and server. Because of changes made that require TLS on the LDAP calls we always need the server name early in the process to retrieve the IPA CA certificate.
  ticket 1090
* If --hostname is provided for ipa-client-install use it everywhere. | Rob Crittenden | 2011-03-08 | 1 file | -11/+56
  If a hostname was provided it wasn't used to configure either certmonger or sssd. This resulted in a non-working configuration.
  Additionally on un-enrollment the wrong hostname was unenrolled, it used the value of gethostname() rather than the one that was passed into the installer.
  We have to modify the CA configuration of certmonger to make it use the right principal when requesting certificates. The filename is unpredictable but it will be in /var/lib/certmonger/cas. We need to hunt for ipa_submit and add -k <principal> to it, then undo that on uninstall. These files are created the first time the certmonger service starts, so start and stop it before messing with them.
  ticket 1029
* Always try to stop tracking the server cert when uninstalling client. | Rob Crittenden | 2011-03-08 | 1 file | -10/+13
  stop_tracking() is robust enough to do the right thing if no certificate exists so go ahead and always call it.
  If the certificate failed to be issued for some reason the request will still be in certmonger after uninstalling. This would cause problems when trying to reinstall the client. This will go ahead and always tell certmonger to stop tracking it.
  ticket 1028
* Fix kinit invocation in ipa-client-install | Simo Sorce | 2011-03-01 | 1 file | -1/+2
* Set krb5_realm in sssd.conf in the ipa provider. | Rob Crittenden | 2011-02-22 | 1 file | -2/+4
  ticket 925
* Try to register DNS name through a DNS Update on install. | Simo Sorce | 2011-02-17 | 1 file | -0/+111
  Fixes: https://fedorahosted.org/freeipa/ticket/935
* Configure SSSD to use DNS to find the IPA server by default. | Rob Crittenden | 2011-02-17 | 1 file | -1/+1
  Add the server we registered with as a fallback.
  ticket 980
* Bugfix for ipa-client-install echo's password in cleartext to stdout | Jr Aquino | 2011-02-14 | 1 file | -2/+4
  https://fedorahosted.org/freeipa/ticket/959
* Detection of v1 server during ipa-client-install | Martin Kosek | 2011-02-14 | 1 file | -1/+5
  When v2 IPA client is trying to join an IPA v1 server a strange exception is printed out to the user. This patch detects this by catching an XML-RPC error reported by ipa-join binary called in the process which fails on unexisting IPA server 'join' method.
  https://fedorahosted.org/freeipa/ticket/553
* Fine tuning DNS options | Jakub Hrozek | 2011-02-14 | 1 file | -0/+1
  Add pointer to self to /etc/hosts to avoid chicken/egg problems when restarting DNS.
  On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't attempt to do any resolving. Leave it to true on clients.
  Set rdns to false on both server and client.
  https://fedorahosted.org/freeipa/ticket/931
* Make sure only root can run ipa-client-install | Jakub Hrozek | 2011-02-14 | 1 file | -0/+3
  https://fedorahosted.org/freeipa/ticket/957
* nscd should be disabled before sssd is configured/started. | Rob Crittenden | 2011-02-10 | 1 file | -22/+22
  If not then sssd spits out a warning message:
  sssd: nscd socket was detected. As nscd caching capabilities may conflict with SSSD, it is recommended to not run nscd in parallel with SSSD
  Stop nscd before configuring sssd so we don't confuse our users.
  ticket 743
* Fix prompt for confirmation of fixed values wrapping around terminal. | Rob Crittenden | 2011-02-10 | 1 file | -1/+1
  ticket 940
* Add an option for overriding the hostname value. | Rob Crittenden | 2011-01-26 | 1 file | -0/+5
  Ticket 834
* Improve output when options are not found in non-interactive client install | Rob Crittenden | 2011-01-21 | 1 file | -1/+3
  We should still give some feedback when things go wrong when in non-interactive mode.
  ticket 828
* Change FreeIPA license to GPLv3+ | Jakub Hrozek | 2010-12-20 | 1 file | -5/+5
  The changes include:
  * Change license blobs in source files to mention GPLv3+ not GPLv2 only
  * Add GPLv3+ license text
  * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think
  https://fedorahosted.org/freeipa/ticket/239
* Handle wget failures trying to retrieve the CA during the client install | Rob Crittenden | 2010-11-22 | 1 file | -1/+5
  ticket 405
* Use sys.exit to quit scripts | Jakub Hrozek | 2010-11-22 | 1 file | -25/+18
  Instead of print and return, use sys.exit() to quit scripts with an error message and a non zero return code.
  https://fedorahosted.org/freeipa/ticket/425
* Use provided domain name for the rest of installation | Jan Zeleny | 2010-11-19 | 1 file | -1/+1
  When installing IPA client, the install script used detected domain name of the machine instead of that given by administrator (in case one was given)
  https://fedorahosted.org/freeipa/ticket/363
* Log interactive options in install scripts | Jakub Hrozek | 2010-11-19 | 1 file | -0/+8
* Use Realm as certs subject base name | Simo Sorce | 2010-11-18 | 1 file | -2/+2
  Also use the realm name as nickname for the CA certificate
* Log script options to logfile | Jakub Hrozek | 2010-11-09 | 1 file | -5/+7
  Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute.
  https://fedorahosted.org/freeipa/ticket/393
* Don't do autodiscovery on master install. | Rob Crittenden | 2010-09-23 | 1 file | -2/+8
  If we pass in the domain and server to ipa-client-install it doesn't do service discovery which is what we want. We want to be sure the server is properly configured at install time.
* Add minimal client configuration for when we eventually get to PKINIT | Rob Crittenden | 2010-09-23 | 1 file | -8/+13
  Also move the unenroll to clients only. This isn't necessary on the master
  ticket 53
* Unenroll the client from the IPA server on uninstall. | Rob Crittenden | 2010-09-20 | 1 file | -2/+8
  Unenrollment means that the host keytab is disabled on the server making it possible to re-install on the client. This host principal is how we distinguish an enrolled vs an unenrolled client machine on the server.
  I added a --unroll option to ipa-join that binds using the host credentials and disables its own keytab.
  I fixed a couple of other unrelated problems in ipa-join at the same time.
  I also documented all the possible return values of ipa-getkeytab and ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab and it returns whatever value ipa-getkeytab returned on failure.
  ticket 242
* Better distinguish between when DNS discovery works and search more domains. | Rob Crittenden | 2010-09-20 | 1 file | -4/+5
  Passing domain and server on the command-line used to be considered as DNS autodiscovery worked. This was problematic if there was in fact no SRV records because krb5.conf would be configured without a specific KDC causing all Kerberos ops to fail. Now if you pass in a domain/server it still tries to see if they are discoverable and if so won't hardcode a server, but will fall back to doing so if necessary.
  Also be a lot more aggressive on looking for the SRV records. Use the search and domain values from /etc/resolv.conf on the chance that the SRV records aren't in the domain of the hostname of the machine.
  An example of this would be if your laptop is in dhcp.example.com and your company's SRV records are in corp.example.com. Searching dhcp.example.com and example.com won't find the SRV records but the user is likely to have corp.redhat.com in the search list, at least.
  ticket 234
* Use a more specific name for the IPA server certificate we install. | Rob Crittenden | 2010-09-17 | 1 file | -9/+24
  This should avoid conflicts with any other certs that might be installed there.
  ticket 49
* Remove some additional instances of krbV from ipa-client | Rob Crittenden | 2010-09-10 | 1 file | -5/+5
  Make two krbV imports conditional. These aren't used during a client install so should cause no problems.
  Also fix the client installer to use the new env option in ipautil.run. We weren't getting the krb5 configuration set in the environment because we were overriding the environment to set the PATH.
  ticket 136
* Fix certmonger errors when doing a client or server uninstall. | Rob Crittenden | 2010-09-09 | 1 file | -6/+13
  This started with the client uninstaller returning a 1 when not installed. There was no way to tell whether the uninstall failed or the client simply wasn't installed which caused no end of grief with the installer.
  This led to a lot of certmonger failures too, either trying to stop tracking a non-existent cert or not handling an existing tracked certificate.
  I moved the certmonger code out of the installer and put it into the client/server shared ipapython lib. It now tries a lot harder and smarter to untrack a certificate.
  ticket 142