Re-arrange and improve reported warnings so that messages are clearer for administrators.
packages
https://fedorahosted.org/freeipa/ticket/1369
When nss_ldap-based configuration does not work, report the proper package name instead of always assuming nss_ldap.
At least in RHEL 6 and Fedora the appropriate package is called nss-pam-ldapd, while in older releases and other
distributions it might be called differently.
The change makes error reporting less confusing. It also introduces a common utility function package_installed_name()
which provides an interface to query the package manager for the existence of mutually exclusive packages, which is
helpful to distinguish between different configuration paths.
* Check remote LDAP server to see if it is a V2 server
* Replace numeric return values with alphanumeric constants
* Display the error message from the ipa-enrollment extended op
* Remove generic join failed error message when XML-RPC fails
* Don't display Certificate subject base when enrollment fails
* Return proper error message when LDAP bind fails
https://fedorahosted.org/freeipa/ticket/1417
Fixes https://fedorahosted.org/freeipa/ticket/1476
SSSD will need TLS for checking if the ipaMigrationEnabled attribute is set.
Note that SSSD will force StartTLS because the channel is later used for
authentication as well if password migration is enabled. Thus set the option
unconditionally.
ticket https://fedorahosted.org/freeipa/ticket/1449
https://fedorahosted.org/freeipa/ticket/1373
When SSSD is in use, we are actually trying to disable the NSCD daemon. Saying
that we failed to configure automatic _startup_ of NSCD is wrong then.
ticket 1359
ticket 1358
Otherwise it is possible for sssd to pick a different master to
communicate with via the DNS SRV records, and if the remote master
goes down the local one will have problems as well.
ticket https://fedorahosted.org/freeipa/ticket/1187
Client installation with the --no-sssd option was broken if the client
was based on nss-pam-ldap instead of nss_ldap. The main issue is
with authconfig rewriting nslcd.conf after it has been
configured by ipa-client-install.
This has been fixed by changing the order of installation steps.
Additionally, the nslcd daemon needed for nss-pam-ldap to function is
correctly started.
https://fedorahosted.org/freeipa/ticket/1235
Even with --no-sssd, authconfig was setting nsswitch.conf to use sssd
for users, groups, shadow and netgroups. We need to pass in the
--enableforcelegacy option when configuring nss_ldap.
Also always back up and restore sssd.conf. It still gets configured for
kerberos.
ticket 1142
When ipa-client-install autodiscovers IPA server values it
doesn't fill the fixed KDC address into the Kerberos configuration
file. However, when realm != domain or the autodiscovered values
are overridden, installation may fail because it cannot find the
KDC.
This patch adds a failover to use a static KDC address in case
such an issue occurs.
https://fedorahosted.org/freeipa/ticket/1100
Remove redundant ipa-client-install error message when optional nscd
daemon was not installed. Additionally, use standard IPA functions
for service manipulation and improve logging.
https://fedorahosted.org/freeipa/ticket/1207
This option does not behave properly in F15 as chkconfig does not list services
moved to use systemd service files.
Plus there are more direct ways than parsing its output, which are more
reliable.
Also, just testing for the availability of the service by calling 'chkconfig name'
is enough.
https://fedorahosted.org/freeipa/ticket/1206
When an IPA server is being uninstalled, the on-master IPA client
uninstallation which is called by the script fails.
https://fedorahosted.org/freeipa/ticket/1197
The --force option may be misused to reinstall an existing IPA
client. This is not supported and may lead to unexpected errors.
When required, the cleanest way to re-install IPA client is to
run uninstall and then install again.
This patch also includes a few cosmetic changes in messages to the user
to provide a more consistent user experience with the script.
https://fedorahosted.org/freeipa/ticket/1117
This patch prevents uninstalling the IPA client when it is configured
as a part of an IPA server. The ipa-server-installation script is advised
for this situation.
https://fedorahosted.org/freeipa/ticket/1049
This patch adds logging of temporary files (Kerberos configuration,
nsupdate commands) that may be very useful for debugging purposes.
https://fedorahosted.org/freeipa/ticket/1093
https://fedorahosted.org/freeipa/ticket/1094
This option is only used when configuring an IPA client on an IPA server.
Describing it on the command-line will only confuse people so don't
list it as an option.
Ticket 1050
ticket 1080
When not on master we weren't passing in the user-supplied domain and
server. Because of changes made that require TLS on the LDAP calls
we always need the server name early in the process to retrieve the IPA
CA certificate.
ticket 1090
If a hostname was provided it wasn't used to configure either
certmonger or sssd. This resulted in a non-working configuration.
Additionally on un-enrollment the wrong hostname was unenrolled, it
used the value of gethostname() rather than the one that was passed
into the installer.
We have to modify the CA configuration of certmonger to make it
use the right principal when requesting certificates. The filename
is unpredictable but it will be in /var/lib/certmonger/cas.
We need to hunt for ipa_submit and add -k <principal> to it, then
undo that on uninstall. These files are created the first time
the certmonger service starts, so start and stop it before messing
with them.
ticket 1029
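
The edit the commit describes (find the CA file whose helper is the IPA submitter, append "-k <principal>", and take it out again on uninstall), as an added example rather than FreeIPA's own installer code. It assumes certmonger CA definitions are "key = value" files under a directory like /var/lib/certmonger/cas with a line of the form ca_external_helper = <command>, and that the IPA helper is a binary named ipa-submit (the commit writes ipa_submit); the directory, file names and principal used in demo() are constructed. Because the file names are unpredictable, every file in the directory is scanned and only lines whose helper basename matches are touched; the edit is idempotent and written via rename so certmonger never sees a half-written CA file.

```python
"""Point certmonger's IPA helper at the right host principal, and undo it.

Added example, not FreeIPA's own installer code. Assumptions: certmonger CA
definitions are "key = value" files under a directory such as
/var/lib/certmonger/cas, the helper line is ca_external_helper = <command>,
and the IPA helper is named ipa-submit (the commit calls it ipa_submit).
File names are unpredictable, so every file in the directory is scanned.
"""
import os
import re
import shlex
import shutil
import tempfile

HELPER_KEY = "ca_external_helper"            # assumed key name
IPA_HELPERS = {"ipa-submit", "ipa_submit"}   # helper basenames treated as the IPA submitter

_HELPER_LINE = re.compile(r"^(\s*" + HELPER_KEY + r"\s*=\s*)(.*?)\s*$")


def helper_argv(path):
    """Parsed command line of the helper in one CA file, or None if absent."""
    with open(path) as f:
        for line in f:
            m = _HELPER_LINE.match(line.rstrip("\n"))
            if m:
                return shlex.split(m.group(2))
    return None


def _strip_principal(argv):
    """Drop every '-k <principal>' pair so the edit is idempotent."""
    out, skip = [], False
    for arg in argv:
        if skip:
            skip = False
        elif arg == "-k":
            skip = True
        else:
            out.append(arg)
    return out


def _rewrite(path, transform):
    """Apply transform(argv) to the IPA helper line of one CA file; True if the file changed."""
    with open(path) as f:
        lines = f.read().splitlines()
    changed = False
    for i, line in enumerate(lines):
        m = _HELPER_LINE.match(line)
        if not m:
            continue
        argv = shlex.split(m.group(2))
        if not argv or os.path.basename(argv[0]) not in IPA_HELPERS:
            continue                               # some other CA's helper: leave it alone
        new_argv = transform(argv)
        if new_argv != argv:
            lines[i] = m.group(1) + " ".join(shlex.quote(a) for a in new_argv)
            changed = True
    if changed:
        tmp = path + ".tmp"
        with open(tmp, "w") as f:                  # write-then-rename: never a half-written CA file
            f.write("\n".join(lines) + "\n")
        shutil.copymode(path, tmp)
        os.replace(tmp, path)
    return changed


def _each_ca_file(cas_dir):
    for name in sorted(os.listdir(cas_dir)):
        path = os.path.join(cas_dir, name)
        if os.path.isfile(path) and not name.endswith(".tmp"):
            yield name, path


def add_principal(cas_dir, principal):
    """Install: append '-k principal' to the IPA helper; returns names of files changed."""
    return [name for name, path in _each_ca_file(cas_dir)
            if _rewrite(path, lambda argv: _strip_principal(argv) + ["-k", principal])]


def remove_principal(cas_dir):
    """Uninstall: strip the '-k principal' again; returns names of files changed."""
    return [name for name, path in _each_ca_file(cas_dir)
            if _rewrite(path, _strip_principal)]


def demo():
    """Run the install/uninstall cycle on constructed CA files in a throwaway directory."""
    cas_dir = tempfile.mkdtemp()
    try:
        ipa = os.path.join(cas_dir, "20110701120000")     # constructed; real names are unpredictable
        other = os.path.join(cas_dir, "20110701120001")
        with open(ipa, "w") as f:
            f.write("id = IPA\nca_is_default = 1\n"
                    "ca_external_helper = /usr/libexec/certmonger/ipa-submit\n")
        with open(other, "w") as f:
            f.write("id = SCEP\n"
                    "ca_external_helper = /usr/libexec/certmonger/scep-submit -u http://scep.example.com\n")
        principal = "host/client.example.com@EXAMPLE.COM"
        return (
            add_principal(cas_dir, principal),     # only the IPA CA file is changed
            helper_argv(ipa),                      # helper now carries -k <principal>
            add_principal(cas_dir, principal),     # second run changes nothing
            helper_argv(other),                    # the other CA is untouched
            remove_principal(cas_dir),             # uninstall strips it again
            helper_argv(ipa),                      # back to the bare helper
        )
    finally:
        shutil.rmtree(cas_dir)


if __name__ == "__main__":
    for step in demo():
        print(step)
```

As the commit notes, certmonger only writes these CA files on its first start, so in a real install the service has to be started and stopped before add_principal() is run against the live directory.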
stop_tracking() is robust enough to do the right thing if no certificate
exists so go ahead and always call it. If the certificate failed to
be issued for some reason the request will still be in certmonger
after uninstalling. This would cause problems when trying to reinstall
the client. This will go ahead and always tell certmonger to stop
tracking it.
ticket 1028
ticket 925
Fixes: https://fedorahosted.org/freeipa/ticket/935
Add the server we registered with as a fallback.
ticket 980
https://fedorahosted.org/freeipa/ticket/959
When a v2 IPA client is trying to join an IPA v1 server
a strange exception is printed out to the user. This patch
detects this by catching an XML-RPC error reported by the ipa-join
binary called in the process, which fails on the non-existent IPA server
'join' method.
https://fedorahosted.org/freeipa/ticket/553
Add pointer to self to /etc/hosts to avoid chicken/egg problems when
restarting DNS.
On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't
attempt to do any resolving. Leave it to true on clients.
Set rdns to false on both server and client.
https://fedorahosted.org/freeipa/ticket/931
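
The krb5.conf settings this commit describes, as an added example rather than the file ipa-client-install actually writes; the realm, host names and ports are assumptions. This is the server variant. On a client the commit keeps dns_lookup_realm and dns_lookup_kdc at true and only forces rdns = false.

```ini
# Added example: server-side /etc/krb5.conf fragment (realm and host names are assumptions)
[libdefaults]
  default_realm = EXAMPLE.COM
  # Server: do not resolve the realm or KDC through DNS. The master's own
  # named may not be running yet, and its KDC is the local host anyway.
  dns_lookup_realm = false
  dns_lookup_kdc = false
  # Server and client: never canonicalize service hosts through reverse DNS,
  # so a spoofed PTR record cannot choose which service principal is requested.
  rdns = false

[realms]
  EXAMPLE.COM = {
    kdc = ipa.example.com:88
    admin_server = ipa.example.com:749
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
```

The "pointer to self" the commit adds to /etc/hosts is what lets this work with DNS lookups off: a line such as `192.0.2.10 ipa.example.com ipa` (address assumed) resolves the master's own name before named is up, so restarting DNS cannot depend on DNS.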
https://fedorahosted.org/freeipa/ticket/957
If not then sssd spits out a warning message:
    sssd: nscd socket was detected. As nscd caching capabilities may conflict
    with SSSD, it is recommended to not run nscd in parallel with SSSD
Stop nscd before configuring sssd so we don't confuse our users.
ticket 743
ticket 940
Ticket 834
We should still give some feedback when things go wrong when in
non-interactive mode.
ticket 828
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically; it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
ticket 405
Instead of print and return, use sys.exit() to quit scripts with an
error message and a non-zero return code.
https://fedorahosted.org/freeipa/ticket/425
When installing the IPA client, the install script used the detected domain name
of the machine instead of that given by the administrator (in case one was
given).
https://fedorahosted.org/freeipa/ticket/363
Also use the realm name as nickname for the CA certificate
Uses a new subclass IPAOptionParser in scripts instead of OptionParser
from the standard python library. IPAOptionParser uses its own IPAOption
class to store options, which adds a new 'sensitive' attribute.
https://fedorahosted.org/freeipa/ticket/393
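
The point of a 'sensitive' attribute on an option is that the installer can log the command line and the parsed values without ever writing a password to a log file. The following is an added example, not FreeIPA's IPAOptionParser: it shows one way to give optparse such an attribute and use it to scrub both the raw argument vector (covering --opt=value, --opt value, -w value and -wvalue) and the parsed values. The option names in build_parser() are illustrative.

```python
"""Mask sensitive command-line values before they reach a log.

Added example, not FreeIPA's IPAOptionParser: it shows one way to give optparse
an extra 'sensitive' attribute and use it to scrub both the raw argument vector
and the parsed values. Option names below are illustrative.
"""
import optparse

MASK = "XXXXXXXX"


class IPAOption(optparse.Option):
    """optparse Option that accepts sensitive=True; unspecified attrs default to None."""
    ATTRS = optparse.Option.ATTRS + ["sensitive"]


class IPAOptionParser(optparse.OptionParser):
    def __init__(self, *args, **kwargs):
        kwargs.setdefault("option_class", IPAOption)
        super().__init__(*args, **kwargs)

    def _sensitive_options(self):
        """Map every spelling (-w, --password) of a sensitive option to its Option."""
        table = {}
        for container in [self] + self.option_groups:
            for opt in container.option_list:
                if getattr(opt, "sensitive", None) and opt.takes_value():
                    for spelling in opt._short_opts + opt._long_opts:
                        table[spelling] = opt
        return table

    def safe_argv(self, argv):
        """Return argv with sensitive values masked: handles --opt=v, --opt v, -w v and -wv."""
        sensitive = self._sensitive_options()
        out = []
        i = 0
        while i < len(argv):
            arg = argv[i]
            if arg == "--":                      # everything after is positional
                out.extend(argv[i:])
                break
            if arg.startswith("--") and "=" in arg:
                name = arg.split("=", 1)[0]
                out.append(name + "=" + MASK if name in sensitive else arg)
            elif arg in sensitive:
                out.append(arg)
                if i + 1 < len(argv):            # value is the next word
                    out.append(MASK)
                    i += 1
            elif len(arg) > 2 and arg[0] == "-" and arg[1] != "-" and arg[:2] in sensitive:
                out.append(arg[:2] + MASK)       # short option with attached value
            else:
                out.append(arg)
            i += 1
        return out

    def safe_values(self, values):
        """Dict of parsed option values with sensitive ones masked (None stays None)."""
        safe = dict(vars(values))
        for opt in self._sensitive_options().values():
            if opt.dest in safe and safe[opt.dest] is not None:
                safe[opt.dest] = MASK
        return safe


def build_parser():
    """Parser for a hypothetical enrollment script (option names are assumptions)."""
    parser = IPAOptionParser(usage="%prog [options] host...")
    parser.add_option("--domain", dest="domain", help="primary DNS domain")
    parser.add_option("-p", "--principal", dest="principal", help="principal to enroll with")
    parser.add_option("-w", "--password", dest="password", sensitive=True,
                      help="password for the principal; never logged")
    parser.add_option("-W", dest="prompt_password", action="store_true", default=False,
                      help="prompt for the password instead")
    return parser


if __name__ == "__main__":
    import sys
    parser = build_parser()
    opts, args = parser.parse_args(sys.argv[1:])
    print("argv for log:", " ".join(parser.safe_argv(sys.argv[1:])))
    print("values for log:", parser.safe_values(opts))
```

Masking is applied to the argument vector itself rather than to the parsed Values only, because the installer typically logs sys.argv verbatim at startup, before parsing has even happened.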
If we pass in the domain and server to ipa-client-install it doesn't do
service discovery which is what we want. We want to be sure the server
is properly configured at install time.
Also move the unenroll to clients only. This isn't necessary on the master.
ticket 53
Unenrollment means that the host keytab is disabled on the server making
it possible to re-install on the client. This host principal is how we
distinguish an enrolled vs an unenrolled client machine on the server.
I added a --unroll option to ipa-join that binds using the host credentials
and disables its own keytab.
I fixed a couple of other unrelated problems in ipa-join at the same time.
I also documented all the possible return values of ipa-getkeytab and
ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab
and it returns whatever value ipa-getkeytab returned on failure.
ticket 242
Passing domain and server on the command-line used to be treated as if
DNS autodiscovery had worked. This was problematic if there were in fact no
SRV records because krb5.conf would be configured without a specific KDC,
causing all Kerberos ops to fail.
Now if you pass in a domain/server it still tries to see if they are
discoverable and if so won't hardcode a server, but will fall back to doing
so if necessary.
Also be a lot more aggressive about looking for the SRV records. Use the
search and domain values from /etc/resolv.conf on the chance that the
SRV records aren't in the domain of the hostname of the machine.
An example of this would be if your laptop is in dhcp.example.com and
your company's SRV records are in corp.example.com. Searching
dhcp.example.com and example.com won't find the SRV records but the user
is likely to have corp.redhat.com in the search list, at least.
ticket 234
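
The discovery order this commit describes (the admin's domain first, then the host's own domain, then every resolv.conf search domain, each walked up to but not including the TLD; hard-code the given server only when no candidate has SRV records), as an added example rather than ipa-client-install's own discovery code. The DNS lookup is injected as a function so the logic runs offline; the SAMPLE_* data and the laptop/corp host names are constructed to reproduce the dhcp.example.com versus corp.example.com case from the message.

```python
"""Find the IPA domain from SRV records, searching beyond the host's own domain.

Added example (not ipa-client-install's discovery code). The DNS lookup is
injected so the logic runs offline; SAMPLE_* values are constructed.
"""


def parent_domains(name):
    """Yield name and each parent domain, stopping before the bare TLD."""
    labels = [l for l in name.strip().strip(".").lower().split(".") if l]
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def search_domains(resolv_conf_text):
    """'domain' and 'search' entries from resolv.conf content, in file order."""
    found = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0]
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("domain", "search"):
            found.extend(parts[1:])
    return found


def candidate_domains(hostname, resolv_conf_text, user_domain=None):
    """Ordered, de-duplicated domains to query: admin's choice, host's domain, search list, parents."""
    ordered = []

    def add(domain):
        for d in parent_domains(domain):
            if d not in ordered:
                ordered.append(d)

    if user_domain:
        add(user_domain)
    if "." in hostname:
        add(hostname.split(".", 1)[1])
    for d in search_domains(resolv_conf_text):
        add(d)
    return ordered


def discover(candidates, lookup_srv, service="_ldap._tcp"):
    """First candidate with SRV records -> (domain, targets by priority asc, weight desc)."""
    for domain in candidates:
        records = lookup_srv("%s.%s" % (service, domain))
        if records:
            ordered = sorted(records, key=lambda r: (r[0], -r[1]))
            return domain, [r[3].rstrip(".") for r in ordered]
    return None


def pick_server(hostname, resolv_conf_text, lookup_srv, user_domain=None, user_server=None):
    """Prefer discovery even when the admin named a server; hard-code only as a last resort."""
    found = discover(candidate_domains(hostname, resolv_conf_text, user_domain), lookup_srv)
    if found:
        domain, servers = found
        return {"domain": domain, "servers": servers, "hardcoded": False}
    if user_server:
        return {"domain": user_domain, "servers": [user_server], "hardcoded": True}
    return None


# Constructed stand-ins for DNS and /etc/resolv.conf: the laptop lives in
# dhcp.example.com, the SRV records live in corp.example.com, and only the
# search list mentions corp.example.com.
SAMPLE_SRV = {
    "_ldap._tcp.corp.example.com": [
        (10, 50, 389, "ipa2.corp.example.com."),
        (0, 100, 389, "ipa1.corp.example.com."),
    ],
}
SAMPLE_RESOLV_CONF = (
    "# constructed sample\n"
    "search dhcp.example.com corp.example.com example.com\n"
    "nameserver 10.0.0.53\n"
)


def sample_lookup(name):
    """SRV records as (priority, weight, port, target) tuples, from the constructed table."""
    return SAMPLE_SRV.get(name, [])


def no_srv(name):
    """Resolver standing in for an environment with no SRV records at all."""
    return []


if __name__ == "__main__":
    print(candidate_domains("laptop.dhcp.example.com", SAMPLE_RESOLV_CONF))
    print(pick_server("laptop.dhcp.example.com", SAMPLE_RESOLV_CONF, sample_lookup))
    print(pick_server("laptop.dhcp.example.com", SAMPLE_RESOLV_CONF, no_srv,
                      user_domain="other.example.net", user_server="ipa.other.example.net"))
```

The search stops one label short of the TLD on purpose: querying _ldap._tcp.com would send the host's enrollment intent to a name server the organization does not control, and any answer it gave would be one to distrust.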
This should avoid conflicts with any other certs that might be installed
there.
ticket 49
Make two krbV imports conditional. These aren't used during a client
install so should cause no problems.
Also fix the client installer to use the new env option in ipautil.run.
We weren't getting the krb5 configuration set in the environment because
we were overriding the environment to set the PATH.
ticket 136
This started with the client uninstaller returning a 1 when not installed.
There was no way to tell whether the uninstall failed or the client
simply wasn't installed which caused no end of grief with the installer.
This led to a lot of certmonger failures too, either trying to stop
tracking a non-existent cert or not handling an existing tracked
certificate.
I moved the certmonger code out of the installer and put it into the
client/server shared ipapython lib. It now tries a lot harder and smarter
to untrack a certificate.
ticket 142
We will update any/all of /etc/ldap.conf, /etc/nss_ldap.conf,
/etc/libnss-ldap.conf and /etc/pam_ldap.conf.
nslcd is the replacement for nss_ldap.
ticket 50