| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
There can be more ntp servers in ntp.conf
Required for ticket: https://fedorahosted.org/freeipa/ticket/4981
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New option '--kinit-attempts' enables the host to make multiple attempts to
obtain host TGT from master before giving up and aborting client installation.
In addition, all kinit attempts were replaced by calls to
'ipautil.kinit_keytab' and 'ipautil.kinit_password'.
https://fedorahosted.org/freeipa/ticket/4808
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The certificate is stored in /etc/ipa/nssdb under the nickname
"Local IPA host".
https://fedorahosted.org/freeipa/ticket/4550
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Makes ipa-client-install configure SSSD as the data provider
for the sudo service by default. This behaviour can be disabled
by using --no-sudo flag.
https://fedorahosted.org/freeipa/ticket/3358
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provides two new options for the ipa-client-install:
--nisdomain: specifies the NIS domain name
--no_nisdomain: flag to aviod setting the NIS domain name
In case no --nisdomain is specified and --no_nisdomain flag was
not set, the IPA domain is used.
Manual pages updated.
http://fedorahosted.org/freeipa/ticket/3202
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
| |
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
If SSH keys have not been generated prior to enrolling the client to the
IPA server, they will not be uploaded to the server, since they're not
present. Clarify this issue in the man pages.
https://fedorahosted.org/freeipa/ticket/4055
Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
|
|
|
|
|
|
| |
This file is always updated when client is installed or uninstalled.
https://fedorahosted.org/freeipa/ticket/3995
|
|
|
|
|
|
|
| |
Add the --automount-location option to ipa-client-install. If the option is
used, ipa-client-automount is called at the end of ipa-client-install.
https://fedorahosted.org/freeipa/ticket/3740
|
|
|
|
|
|
|
|
| |
Updates old information produced by the ipa help host command.
Also adds a section to ipa-client-install manpage about client
re-enrollment.
https://fedorahosted.org/freeipa/ticket/3820
|
|
|
|
|
|
|
|
|
|
| |
A new option --force-join has been added to ipa-client-install.
It forces the host enrollment even if the host entry exists.
Old certificate is revoked, new certificate and ssh key pair
generated. See the relevant design for the re-enrollment part:
http://freeipa.org/page/V3/Forced_client_re-enrollment
https://fedorahosted.org/freeipa/ticket/3482
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A host that has been recreated and does not have its
host entry disabled or removed, can be re-enrolled using
a previously backed up keytab file.
A new option --keytab has been added to ipa-client-install. This
can be used to specify path to the keytab and can be used instead
of -p or -w options.
A new option -f has been added to ipa-join. It forces client to
join even if the host entry already exits. A new certificate,
ssh keys are generated, ipaUniqueID stays the same.
Design page: http://freeipa.org/page/V3/Client_install_using_keytab
https://fedorahosted.org/freeipa/ticket/3374
|
|
|
|
|
|
|
| |
Explain how autodiscovery and failover works and which options
are important for these elements.
https://fedorahosted.org/freeipa/ticket/3383
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes ipa-client-install:
* Use GSSAPI connection to LDAP server to download CA cert (now
the default method)
* Add --ca-cert-file option to load the CA cert from a disk file.
Validate the file. If this option is used the supplied CA cert
is considered definitive.
* The insecure HTTP retrieval method is still supported but it must be
explicitly forced and a warning will be emitted.
* Remain backward compatible with unattended case (except for aberrant
condition when preexisting /etc/ipa/ca.crt differs from securely
obtained CA cert, see below)
* If /etc/ipa/ca.crt CA cert preexists the validate it matches the
securely acquired CA cert, if not:
- If --unattended and not --force abort with error
- If interactive query user to accept new CA cert, if not abort
In either case warn user.
* If interactive and LDAP retrieval fails prompt user if they want to
proceed with insecure HTTP method
* If not interactive and LDAP retrieval fails abort unless --force
* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
if ipa-client-install fails it will be restored.
Other changes:
* Add new exception class CertificateInvalidError
* Add utility convert_ldap_error() to ipalib.ipautil
* Replace all hardcoded instances of /etc/ipa/ca.crt in
ipa-client-install with CACERT constant (matches existing practice
elsewhere).
* ipadiscovery no longer retrieves CA cert via HTTP.
* Handle LDAP minssf failures during discovery, treat failure to check
ldap server as a warninbg in absebce of a provided CA certificate via
--ca-cert-file or though existing /etc/ipa/ca.crt file.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fedora 16 introduced chrony as default client time&date synchronization
service:
http://fedoraproject.org/wiki/Features/ChronyDefaultNTP
Thus, there may be people already using chrony as their time and date
synchronization service before installing IPA.
However, installing IPA server or client on such machine may lead to
unexpected behavior, as the IPA installer would configure ntpd and leave
the machine with both ntpd and chronyd enabled. However, since the OS
does not allow both chronyd and ntpd to be running concurrently and chronyd
has the precedence, ntpd would not be run on that system at all.
Make sure, that user is warned when trying to install IPA on such
system and is given a possibility to either not to let IPA configure
ntpd at all or to let the installer stop and disable chronyd.
https://fedorahosted.org/freeipa/ticket/2974
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3089
|
|
|
|
|
|
|
|
|
| |
configuration.
If both --no-ssh and --no-sshd are specified, do not configure the SSH service
in SSSD.
ticket 3070
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let the --server option be specified multiple times on the command line.
The first one passed in is the one we enroll against.
Do additional verification before setting dnsok so we can be sure that
the record(s) were actually discovered in DNS.
If servers are provided on the CLI and --fixed-primary is set then
_srv_ is not added to ipa_server in sssd.conf.
https://fedorahosted.org/freeipa/ticket/2841
|
|
|
|
|
|
|
|
| |
The --fixed-primary flag determine the order of the ipa_server directive.
When set the IPA server discovered (or passed in via --server or via
user-input) will be listed first. Otherwise _srv_ is listed first.
https://fedorahosted.org/freeipa/ticket/2282
|
|
|
|
|
|
|
|
|
| |
Set URI, BASE and TLS_CACERT
Also update the man page to include a list of files that the client
changes.
https://fedorahosted.org/freeipa/ticket/1810
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2369
|
|
|
|
|
|
|
|
| |
Changing a client hostname after ipa-client-install would break
the enrollment on IPA server. Update relevant man pages to contain
such information.
https://fedorahosted.org/freeipa/ticket/1967
|
|
|
|
|
|
|
|
|
|
|
| |
For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns
ipa-client-install option is used.
For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM
options are enabled (this can be disabled using --no-sshd
ipa-client-install option).
ticket 1634
|
|
|
|
|
|
|
|
| |
This is done by calling host-mod to update the keys on IPA server and nsupdate
to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp
ipa-client-install option.
https://fedorahosted.org/freeipa/ticket/1634
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add documentation about --preserve-sssd, an ipa-client-install's option to
honor previously available SSSD configuration in case it is not possible to
merge it cleanly with the new one. In this case ipa-client-install will fail
and ask user to fix SSSD config before continuing.
Additional fix for
https://fedorahosted.org/freeipa/ticket/1750
https://fedorahosted.org/freeipa/ticket/1769
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are too many options in ipa-*-install scripts which makes it
difficult to read. This patch adds subsections to install script
online help and man pages to improve readability. No option has
been changed.
To further improve man pages:
1) All man pages were changed to have the same header and top-center
title to provide united look.
2) Few typos in man pages have been fixed
https://fedorahosted.org/freeipa/ticket/1687
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1368
|
|
|
|
| |
ticket 1359
|
|
|
|
|
|
|
|
| |
IPA tools options are not consistent with information in man
pages.
https://fedorahosted.org/freeipa/ticket/1163
https://fedorahosted.org/freeipa/ticket/1178
|
|
|
|
|
|
|
|
| |
This option is only used when configuring an IPA client on an IPA server.
Describing it on the command-line will only confuse people so don't
list it as an option.
Ticket 1050
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/991
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/782
|
|
|
|
| |
Ticket 834
|
|
|
|
|
|
|
|
|
|
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unenrollment means that the host keytab is disabled on the server making
it possible to re-install on the client. This host principal is how we
distinguish an enrolled vs an unenrolled client machine on the server.
I added a --unroll option to ipa-join that binds using the host credentials
and disables its own keytab.
I fixed a couple of other unrelated problems in ipa-join at the same time.
I also documented all the possible return values of ipa-getkeytab and
ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab
and it returns whatever value ipa-getkeytab returned on failure.
ticket 242
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This started with the client uninstaller returning a 1 when not installed.
There was no way to tell whether the uninstall failed or the client
simply wasn't installed which caused no end of grief with the installer.
This led to a lot of certmonger failures too, either trying to stop
tracking a non-existent cert or not handling an existing tracked
certificate.
I moved the certmonger code out of the installer and put it into the
client/server shared ipapython lib. It now tries a lot harder and smarter
to untrack a certificate.
ticket 142
|
|
|
|
|
|
|
|
|
| |
- Move the ipa-getcert request to after we set up /etc/krb5.conf
- Don't try removing certificates that don't exist
- Don't tell certmonger to stop tracking a cert that doesn't exist
- Allow --password/-w to be the kerberos password
- Print an error if prompting for a password would happen in unattended mode
- Still support echoing a password in when in unattended mode
|
| |
|
| |
|
|
|
|
| |
446201
|
|
436501
|