summaryrefslogtreecommitdiffstats
path: root/ipa-client/ipa-install/ipa-client-install
Commit message (Collapse)AuthorAgeFilesLines
...
* Add minimal client configuration for when we eventually get to PKINITRob Crittenden2010-09-231-8/+13
| | | | | | Also move the unenroll to clients only. This isn't necessary on the master ticket 53
* Unenroll the client from the IPA server on uninstall.Rob Crittenden2010-09-201-2/+8
| | | | | | | | | | | | | | | | | Unenrollment means that the host keytab is disabled on the server making it possible to re-install on the client. This host principal is how we distinguish an enrolled vs an unenrolled client machine on the server. I added a --unroll option to ipa-join that binds using the host credentials and disables its own keytab. I fixed a couple of other unrelated problems in ipa-join at the same time. I also documented all the possible return values of ipa-getkeytab and ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab and it returns whatever value ipa-getkeytab returned on failure. ticket 242
* Better distinguish between when DNS discovery works and search more domains.Rob Crittenden2010-09-201-4/+5
| | | | | | | | | | | | | | | | | | | | | | Passing domain and server on the command-line used to be considered as DNS autodiscovery worked. This was problematic if there was in fact no SRV records because krb5.conf would be configured without a specific KDC causing all Kerberos ops to fail. Now if you pass in a domain/server it still tries to see if they are discoverable and if so won't hardcode a server, but will fall back to doing so if necessary. Also be a lot more aggressive on looking for the SRV records. Use the search and domain values from /etc/resolv.conf on the chance that the SRV records aren't in the domain of the hostname of the machine. An example of this would be if your laptop is in dhcp.example.com and your company's SRV records are in corp.example.com. Searching dhcp.example.com and example.com won't find the SRV records but the user is likely to have corp.redhat.com in the search list, at least. ticket 234
* Use a more specific name for the IPA server certificate we install.Rob Crittenden2010-09-171-9/+24
| | | | | | | This should avoid conflicts with any other certs that might be installed there. ticket 49
* Remove some additional instances of krbV from ipa-clientRob Crittenden2010-09-101-5/+5
| | | | | | | | | | | Make two krbV imports conditional. These aren't used during a client install so should cause no problems. Also fix the client installer to use the new env option in ipautil.run. We weren't getting the krb5 configuration set in the environment because we were overriding the environment to set the PATH. ticket 136
* Fix certmonger errors when doing a client or server uninstall.Rob Crittenden2010-09-091-6/+13
| | | | | | | | | | | | | | | | This started with the client uninstaller returning a 1 when not installed. There was no way to tell whether the uninstall failed or the client simply wasn't installed which caused no end of grief with the installer. This led to a lot of certmonger failures too, either trying to stop tracking a non-existent cert or not handling an existing tracked certificate. I moved the certmonger code out of the installer and put it into the client/server shared ipapython lib. It now tries a lot harder and smarter to untrack a certificate. ticket 142
* Configure nslcd and a host of possible systems that use LDAP.Rob Crittenden2010-08-271-9/+53
| | | | | | | | | We will update any/all of /etc/ldap.conf, /etc/nss_ldap.conf, /etc/libnss-ldap.conf and /etc/pam_ldap.conf. nslcd is the replacement for nss_ldap. ticket 50
* Retrieve the CA certificate before starting enrollment.Rob Crittenden2010-06-211-2/+9
| | | | | We need the CA certificate so we can use SSL when binding with a one-time password (bulk enrollment)
* Remove Requires on separate package python-krbV in clientRob Crittenden2010-06-021-3/+7
| | | | | | We need the configured kerberos realm so we can clean up /etc/krb5.keytab. We have this already in /etc/ipa/default.conf so use that instead of requiring a whole other python package to do it.
* Check to see if we are configured before uninstalling.Rob Crittenden2010-05-071-1/+5
| | | | Allow the --force flag to override on both install and uninstall
* Add simple test to see if client is already configuredRob Crittenden2010-05-061-0/+4
| | | | | | | | | | | | If this ever gets out of sync the user can always remove /var/lib/ipa-client/sysrestore/*, they just need to understand the implications. One potential problem is with certmonger. If you install the client and then re-install without uninstalling then the subsequent certificate request by certmonger will fail because it will already be tracking a certificate in /etc/pki/nssdb of the same nickname and subject (the old cert).
* Make calling service and chkconfig tolerant of the service not installedRob Crittenden2010-05-061-9/+59
| | | | | For example, if nscd is not installed this would throw lots of errors about not being able to disable it, stop it, etc.
* Call certmonger after krb5, avoid uninstall errors, better password handling.Rob Crittenden2010-05-061-18/+43
| | | | | | | | | - Move the ipa-getcert request to after we set up /etc/krb5.conf - Don't try removing certificates that don't exist - Don't tell certmonger to stop tracking a cert that doesn't exist - Allow --password/-w to be the kerberos password - Print an error if prompting for a password would happen in unattended mode - Still support echoing a password in when in unattended mode
* Make the installer/uninstaller more aware of its stateRob Crittenden2010-05-031-4/+3
| | | | | | | | | | | | | | We have had a state file for quite some time that is used to return the system to its pre-install state. We can use that to determine what has been configured. This patch: - uses the state file to determine if dogtag was installed - prevents someone from trying to re-install an installed server - displays some output when uninstalling - re-arranges the ipa_kpasswd installation so the state is properly saved - removes pkiuser if it was added by the installer - fetches and installs the CA on both masters and clients
* client installation fixes: nscd, sssd min version, bogus join errorRob Crittenden2010-05-031-10/+22
| | | | | | - Don't run nscd if using sssd, the caching of nscd conflicts with sssd - Set the minimum version of sssd to 1.1.1 to pick up needed hbac fixes - only try to read the file configuration if the server isn't passed in
* Reorder some things in the client installerRob Crittenden2010-05-031-16/+27
| | | | | | - Fetch the CA cert before running certmonger - Delete entries from the keytab before removing /etc/krb5.conf - Add and remove the IPA CA to /etc/pki/nssdb
* Use the certificate subject base in IPA when requesting certs in certmonger.Rob Crittenden2010-04-231-3/+14
| | | | | | | | | | | | | | | | | When using the dogtag CA we can control what the subject of an issued certificate is regardless of what is in the CSR, we just use the CN value. The selfsign CA does not have this capability. The subject format must match the configured format or certificate requests are rejected. The default format is CN=%s,O=IPA. certmonger by default issues requests with just CN so all requests would fail if using the selfsign CA. This subject base is stored in cn=ipaconfig so we can just fetch that value in the enrollment process and pass it to certmonger to request the right thing. Note that this also fixes ipa-join to work with the new argument passing mechanism.
* Add option to enable pam_mkhomedirs in the IPA client installerrcrit2010-03-191-5/+12
|
* Configure sssd and certmonger in ipa-client-installRob Crittenden2010-02-031-8/+94
| | | | | | | | | | | This does a number of things under the hood: - Use authconfig to enable sssd in nss and pam - Configure /etc/sssd/sssd.conf to use our IPA provider - Enable the certmonger process and request a server cert - join the IPA domain and retrieve a principal. The clinet machine *must* exist in IPA to be able to do a join. - And then undo all this on uninstall
* Remove some configuration files we create upon un-installationRob Crittenden2010-01-281-0/+6
| | | | | This is particularly important for Apache since we'd leave the web server handling unconfigured locations.
* Pass on debug option from ipa-client-install to ipa-joinRob Crittenden2009-12-091-0/+2
|
* Add server option to ipa-join so the IPA server can be specified.Rob Crittenden2009-11-301-1/+1
| | | | | | | This is needed because in the client installer we actually perform the join before creating the configuration files that join uses. All we need is the IPA server to join to and we have that from the CLI options so use that.
* Integrate ipa-join and ipa-rmkeytab into the client install/uninstallRob Crittenden2009-11-251-110/+209
| | | | This will fetch a keytab on installation and remove it upon uninstallation.
* Enrollment for a host in an IPA domainRob Crittenden2009-09-241-0/+1
| | | | | | | | | | | | This will create a host service principal and may create a host entry (for admins). A keytab will be generated, by default in /etc/krb5.keytab If no kerberos credentails are available then enrollment over LDAPS is used if a password is provided. This change requires that openldap be used as our C LDAP client. It is much easier to do SSL using openldap than mozldap (no certdb required). Otherwise we'd have to write a slew of extra code to create a temporary cert database, import the CA cert, ...
* The new admin tool 'ipa' uses a different configuration file, create it.Rob Crittenden2009-04-131-7/+8
|
* Use OpenSSL for SSL instead of the built-in python version.Rob Crittenden2009-02-201-0/+3
|
* Rename ipa-python directory to ipapython so it is a real python libraryRob Crittenden2009-02-091-3/+3
| | | | | We used to install it as ipa, now installing it as ipapython. The rpm is still ipa-python.
* We were assuming that, if the realm was correct then also theSimo Sorce2008-09-181-9/+6
| | | | | | | | | | | rest of the krb5.conf configuration were. This clearly breaks with the default EXAMPLE.COM realm configuratrion. Furthermore it makes it not possible to try to 'fix' an installation by rerruninng ipa-client-install This patch removes the special case and avoids krb5.conf only if the on_master flag is passed. Fix also one inner 'if' statement to be simpler to understand.
* Wrap up the raw_input() to user_input() for convenience and uniformity.Martin Nagy2008-07-231-17/+6
|
* Move version.py to the common ipa directory instead of being server-based so ↵Rob Crittenden2008-06-031-16/+28
| | | | | | it can be used by the client tool. Fix the client tool imports to fail more gracefully.
* Try to clear up messages prompting for domain and IPA server when DNS ↵Rob Crittenden2008-05-301-4/+4
| | | | discovery fails to find them.
* Now that admin is in the common users tree make the nss_ldapSimo Sorce2008-05-291-2/+2
| | | | | configuration look at the specific tree where users are and not search the full server.
* Fix the case where domain != lower(REALM)Simo Sorce2008-05-291-13/+16
| | | | | add the domain to the ipa.conf file for apps that need to know This should fix a bug in the replica setup
* Change file mode of log files to 600.Martin Nagy2008-05-201-0/+3
| | | | 446869
* Make sure all services are stopped during uninstall.Rob Crittenden2008-05-141-0/+5
| | | | | | | | | We were just shutting down the KDC if it had been started prior to IPA installation. We need to stop it in all cases. And we should restart nscd as it may have made an LDAP connection. 440322
* fix stupid typo,Simo Sorce2008-05-101-1/+1
| | | | thanks Nalin for spotting this.
* On IPA Servers connect to ourselves using localhost,Simo Sorce2008-05-081-2/+5
| | | | | and avoid searching for KDC servers via DNS, we just connect to ourselves.
* Make sure we always have the [domain-realm] section or kerberos libs misbheave.Simo Sorce2008-04-221-5/+5
|
* Fix client discovery and make sure command line options are not overwrittenSimo Sorce2008-04-091-36/+53
| | | | with discovered options, just verified.
* Make sure we start the NSCD daemon.Simo Sorce2008-04-081-0/+15
| | | | It makes a huge difference on clients, if we cache lookups
* - Better defaults for nss_ldapSimo Sorce2008-04-011-2/+13
| | | | | | | | - Make sure timeouts are not too high, so that machine does not hang if remote servers are not reachable - Make sure root can always login no matter what the status of the ldap servers - use rfc2307bis schema directive
* Implement client uninstallSimo Sorce2008-03-311-2/+42
| | | | (including RHEL4 contrib setup script)
* Allow client install to specify ntp server nameSimo Sorce2008-03-141-1/+6
|
* Prevent server and domain from being undefined or blank when we need themRob Crittenden2008-03-051-4/+8
| | | | | | | Improve LDAP error reporting Don't return the str() of discovery values because it can return "None" 436130
* Close all fds when running another program. This fixes the SELinux AVCs.Rob Crittenden2008-03-031-1/+1
| | | | | | Put installation log files into /var/log. 430024
* Add action statement to ldap.conf updateRob Crittenden2008-02-271-15/+15
| | | | | Move imports into try/except so that ctrl-C can always be caught Fix typo
* Don't try to use options.realm_name unless it was passed inRob Crittenden2008-02-261-6/+15
| | | | | | | Don't allow empty responses to domain and realm name Handle ctrl-C 434982
* Provide feedback on what is being done during ipa-client-installRob Crittenden2008-02-201-0/+6
| | | | 429541
* Pass in server and domain parameters if provided, so that they are not ignoredSimo Sorce2008-02-191-3/+8
|
* Run ipa-client-install after server install bitsSimo Sorce2008-02-201-3/+21
|
generated by cgit (git 2.34.1) at 2024-04-24 04:25:58 +0000