| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Resolves #481230
|
This does a number of things under the hood:
- Use authconfig to enable sssd in nss and pam
- Configure /etc/sssd/sssd.conf to use our IPA provider
- Enable the certmonger process and request a server cert
- join the IPA domain and retrieve a principal. The client machine
*must* exist in IPA to be able to do a join.
- And then undo all this on uninstall
|
This is particularly important for Apache since we'd leave the web
server handling unconfigured locations.
|
This strange bit of duplication was not surprisingly causing a double-free
|
keytab entries are locked when looping. Temporarily suspend the looping.
|
When we un-enroll a client we'll do a bit of cleanup including removing
any principals for the IPA realm from /etc/krb5.keytab.
This removes principals in 2 ways:
- By principal, only entries matching the full principal are removed
- By realm. Any principal for that realm is removed
This does not change the KDC at all, just removes entries from a file
on the client machine.
|
This is needed because in the client installer we actually perform the
join before creating the configuration files that join uses. All we need
is the IPA server to join to and we have that from the CLI options so
use that.
|
This will fetch a keytab on installation and remove it upon uninstallation.
|
Because ipa-join calls ipa-getkeytab I'd like to keep the return values in
sync. ipa-join returns the value returned by ipa-getkeytab so in order to
tell what failed the return values need to mean the same things and not
overlap.
|
This will create a host service principal and may create a host entry (for
admins). A keytab will be generated, by default in /etc/krb5.keytab.
If no Kerberos credentials are available then enrollment over LDAPS is used
if a password is provided.
This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
|
We used to install it as ipa, now installing it as ipapython. The rpm
is still ipa-python.
|
Also cheat a little and don't force auto* to require files to exist
|
463548
|
rest of the krb5.conf configuration were. This clearly breaks
with the default EXAMPLE.COM realm configuration. Furthermore
it makes it not possible to try to 'fix' an installation by
rerunning ipa-client-install
This patch removes the special case and avoids krb5.conf only
if the on_master flag is passed.
Fix also one inner 'if' statement to be simpler to understand.
|
1. Allow to specify the salt type along with the enctype
2. Allow to specify a password instead of forcing a random secret
|
| |
Fix make maintainer-clean
Also make RPM naming consistent by using a temp RELEASE file.
This one helps when testing builds using rpms.
Just 'echo X > RELEASE' to build new rpms (X, X+1, X+2 ...)
Version 1.1.0 was released some time ago, bump up to 1.1.1
|
unused variables or missing krb5 prototypes.
|
return in case any encryption type was explicitly requested
|
438771
|
443009
|
on a separate line so moving it up front makes it easier to find.
443014
|
it can be used by the client tool.
Fix the client tool imports to fail more gracefully.
|
discovery fails to find them.
|
configuration look at the specific tree where users are and
not search the full server.
|
add the domain to the ipa.conf file for apps that need to know
This should fix a bug in the replica setup
|
446869
|
I've been on a crusade (;-) to remove useless if-before-free tests,
so ran a script that spotted some here. I think I removed the first
batch (without braces) automatically, then manually removed the ones
with curly braces around the free statements.
You may well have doubts about the portability of removing those
tests, but as long as you don't care about SunOS4 or earlier, you'll
be fine. I've done similar things for e.g., coreutils, glibc, and git,
and have had no problems.
|
446201
|
We were just shutting down the KDC if it had been started prior to IPA
installation. We need to stop it in all cases.
And we should restart nscd as it may have made an LDAP connection.
440322
|
thanks Nalin for spotting this.
|
and avoid searching for KDC servers via DNS, we just connect
to ourselves.
|
The file VERSION is now the sole-source of versioning.
The generated .spec files will be removed in the maintainer-clean targets
and have been removed from the repository.
By default a GIT build is done. To do a non-GIT build do:
$ make TARGET IPA_VERSION_IS_GIT_SNAPSHOT=no
When updating the version you can run this to regenerate the version:
$ make version-update
The version can be determined in Python by using ipaserver.version.VERSION
|