summaryrefslogtreecommitdiffstats
path: root/ipa-client
Commit message (Collapse)AuthorAgeFilesLines
* Improve autodiscovery loggingPetr Viktorin2012-06-172-65/+150
| | | | | | | | | | | | | | | | | | | | Track the source of discovered values (e.g. from option, interactive, retrieved from DNS), and show it in the log in the configuration overview and on erorrs involving the value. Add additional log messages explaining the autodiscovery process. For domains the discovery tries to get LDAP SRV records from, log reasons explaining why the domain was chosen. Also, prevent the same domain from being searched multiple times. Add names for error codes, and show them in the log. Also, modernize the discovery code a bit: move away from the Java-style accessors, don't needlessly pre-declare variables, make IPADiscovery a new-style class. https://fedorahosted.org/freeipa/ticket/2553
* Improve ipa-client-install debug outputPetr Viktorin2012-06-171-197/+276
| | | | | | | | | | | | | | | | | | The client does a fair bit of work when trying to validate the hostnames, do discovery and verify that the server it gets back is an IPA server. The debug logging around this was horrid with very little state information, duplicate log messages or just nothing at all. In many cases errors were printed only to stderr/stdout. This patch makes the logging and output go through the IPA log manager. It sets up logging so that INFO, WARNING, and ERROR messages show up on the console. If -d is given, DEBUG messages are also printed. All messages also go to the log file. The only exception is user input: prompts are only printed to the console, but if the user provides any information it is echoed in a DEBUG-level message. https://fedorahosted.org/freeipa/ticket/2553
* Add flag to ipa-client-install to managed order of ipa_server in sssdRob Crittenden2012-06-132-2/+10
| | | | | | | | The --fixed-primary flag determine the order of the ipa_server directive. When set the IPA server discovered (or passed in via --server or via user-input) will be listed first. Otherwise _srv_ is listed first. https://fedorahosted.org/freeipa/ticket/2282
* Clean keytabs before installing new keys into themPetr Viktorin2012-06-111-0/+15
| | | | | | | | | In ipa-client-install (which is also called from server/replica installation), call `ipa-rmkeytab -k <keytab> -r $REALM` to be sure that there aren't any remnants from a previous install of IPA or another KDC altogether. https://fedorahosted.org/freeipa/ticket/2698
* Move some krb5 keys related functions from ipa-client to utilSumit Bose2012-06-111-376/+5
|
* If SELinux is enabled ensure we also have restorecon.Rob Crittenden2012-05-311-0/+1
| | | | | | | | | | | | We don't have a specific requires on the policycoreutils package. It gets pulled in as a dependency on the server anyway, but checking there is like a belt and suspenders. On the client we don't require SELinux at all. If SELinux is enabled however we need to set things up properly. This is provided by the policycoreutils package so fail if that isn't available. https://fedorahosted.org/freeipa/ticket/2368
* SSH configuration fixes.Jan Cholasta2012-05-301-2/+7
| | | | | | | | | | | | | Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the latter has been deprecated in OpenSSH 5.9. If DNS host key verification is enabled, restrict the set of allowed host public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only these algorithms. Make sure public key user authentication is enabled in both ssh and sshd. ticket 2769
* Always set ipa_hostname for sssd.confOndrej Hamada2012-05-281-4/+3
| | | | | | | ipa-client-install will always set ipa_hostname for sssd.conf in order to prevent the client from getting into weird state. https://fedorahosted.org/freeipa/ticket/2527
* Replace DNS client based on acutil with python-dnsMartin Kosek2012-05-243-95/+85
| | | | | | | | | | | | | | | | | | | | | | | | | | IPA client and server tool set used authconfig acutil module to for client DNS operations. This is not optimal DNS interface for several reasons: - does not provide native Python object oriented interface but but rather C-like interface based on functions and structures which is not easy to use and extend - acutil is not meant to be used by third parties besides authconfig and thus can break without notice Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of acutil DNS library with a use python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases: - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improves for the remaining checks - improved logging for ipa-client-install DNS discovery https://fedorahosted.org/freeipa/ticket/2730 https://fedorahosted.org/freeipa/ticket/1837
* Make ipa 2.2 client capable of joining an older serverMartin Kosek2012-05-011-2/+24
| | | | | | | | | | | | | | | | | IPA server of version 2.2 and higher supports Kerberos S4U2Proxy delegation, i.e. ipa command no longer forwards Kerberos TGT to the server during authentication. However, when IPA client of version 2.2 and higher tries to join an older IPA server, the installer crashes because the pre-2.2 server expects the TGT to be forwarded. This patch adds a fallback to ipa-client-install which would detect this situation and tries connecting with TGT forwarding enabled again. User is informed about this incompatibility. Missing realm was also added to keytab kinit as it was reported to fix occasional install issues. https://fedorahosted.org/freeipa/ticket/2697
* Set the "KerberosAuthentication" option in sshd_config to "no" instead of "yes".Jan Cholasta2012-04-291-1/+1
| | | | | | Setting it to "yes" causes sshd to handle kinits itself, bypassing SSSD. ticket 2689
* Fix help of --hostname option in ipa-client-installMartin Kosek2012-04-191-1/+1
| | | | | | | | Replace word "server" with "machine" to clearly distinguish between IPA server and other machines (clients) and to also match the help with ipa-client-install man pages. https://fedorahosted.org/freeipa/ticket/1967
* Use indexed format specifiers in i18n stringsJohn Dennis2012-04-103-16/+16
| | | | | | | | | | Translators need to reorder messages to suit the needs of the target language. The conventional positional format specifiers (e.g. %s %d) do not permit reordering because their order is tied to the ordering of the arguments to the printf function. The fix is to use indexed format specifiers. https://fedorahosted.org/freeipa/ticket/2596
* Fix memleak and silence Coverity defectsSimo Sorce2012-03-221-2/+2
| | | | | | | | | | | | | | | Some of these are not real defects, because we are guaranteed to have valid context in some functions, and checks are not necessary. I added the checks anyway in order to silence Coverity on these issues. One meleak on error condition was fixed in daemons/ipa-kdb/ipa_kdb_pwdpolicy.c Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is actually fine as we count before hand so we never actually use the wrong value that is computed on the last pass when p == 0 Fixes: https://fedorahosted.org/freeipa/ticket/2488
* Add disovery domain if client domain is different from server domainLars Sjostrom2012-03-141-2/+6
| | | | https://fedorahosted.org/freeipa/ticket/2209
* Configure a basic ldap.conf for OpenLDAP in /etc/openldap/ldap.confRob Crittenden2012-03-142-1/+52
| | | | | | | | | Set URI, BASE and TLS_CACERT Also update the man page to include a list of files that the client changes. https://fedorahosted.org/freeipa/ticket/1810
* More exception handlers in ipa-client-installOndrej Hamada2012-03-091-1/+8
| | | | | | | | | | | | | Added exception handler to certutil operation of adding CA to the default NSS database. If operation fails, installation is aborted and changes are rolled back. https://fedorahosted.org/freeipa/ticket/2415 If obtaining host TGT fails, the installation is aborted and changes are rolled back. https://fedorahosted.org/freeipa/ticket/1995
* Only warn if ipa-getkeytab doesn't get all requested enctypes.Rob Crittenden2012-03-041-5/+32
| | | | | | | | Older client machines may request DES keys not supported in newer KDCs. Thsi was causing the entire request to fail as well as client enrollment. https://fedorahosted.org/freeipa/ticket/2424
* Do kinit in client before connecting to backendRob Crittenden2012-03-041-1/+4
| | | | | | | | | | | | | | The client installer was failing because a backend connection could be created before a kinit was done. Allow multiple simultaneous connections. This could fail with an NSS shutdown error when the second connection was created (objects still in use). If all connections currently use the same database then there is no need to initialize, let it be skipped. Add additional logging to client installer. https://fedorahosted.org/freeipa/ticket/2478
* Add --noac option to ipa-client-install man pageRob Crittenden2012-03-041-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/2369
* ipa-client-install not calling authconfigOndrej Hamada2012-03-051-62/+66
| | | | | | | Option '--noac' was added. If set, the ipa-client-install will not call authconfig for setting nsswitch.conf and PAM configuration. https://fedorahosted.org/freeipa/ticket/2369
* Configure SSH features of SSSD in ipa-client-install.Jan Cholasta2012-03-011-1/+28
| | | | | | | | OpenSSH server (sshd) is configured to fetch user authorized keys from SSSD and OpenSSH client (ssh) is configured to use and trigger updates of the SSSD-managed known hosts file. This requires SSSD 1.8.0.
* Use reboot from /sbinPetr Viktorin2012-03-021-1/+1
| | | | | | | According to FHS, the reboot command should live in /sbin. Systems may also have a symlink in /usr/bin, but they don't have to. https://fedorahosted.org/freeipa/ticket/2480
* Add support defaultNamingContext and add --basedn to migrate-dsRob Crittenden2012-02-291-25/+55
| | | | | | | | | | | | | | | | | | | | There are two sides to this, the server and client side. On the server side we attempt to add a defaultNamingContext on already installed servers. This will fail on older 389-ds instances but the failure is not fatal. New installations on versions of 389-ds that support this attribute will have it already defined. On the client side we need to look for both defaultNamingContext and namingContexts. We still need to check that the defaultNamingContext is an IPA server (info=IPAV2). The migration change also takes advantage of this and adds a new option which allows one to provide a basedn to use instead of trying to detect it. https://fedorahosted.org/freeipa/ticket/1919 https://fedorahosted.org/freeipa/ticket/2314
* Implement session activity timeoutJohn Dennis2012-02-271-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously sessions expired after session_auth_duration had elapsed commencing from the start of the session. We new support a "rolling" expiration where the expiration is advanced by session_auth_duration everytime the session is accessed, this is equivalent to a inactivity timeout. The expiration is still constrained by the credential expiration in all cases. The session expiration behavior is configurable based on the session_auth_duration_type. * Reduced the default session_auth_duration from 1 hour to 20 minutes. * Replaced the sesssion write_timestamp with the access_timestamp and update the access_timestamp whenever the session data is created, retrieved, or written. * Modify set_session_expiration_time to handle both an inactivity timeout and a fixed duration. * Introduce KerberosSession as a mixin class to share session duration functionality with all classes manipulating session data with Kerberos auth. This is both the non-RPC login class and the RPC classes. * Update make-lint to handle new classes. * Added session_auth_duration_type config item. * Updated default.conf.5 man page for new session_auth_duration_type item. * Removed these unused config items: mount_xmlserver, mount_jsonserver, webui_assets_dir https://fedorahosted.org/freeipa/ticket/2392
* Add client hostname requirements to manMartin Kosek2012-02-271-1/+6
| | | | | | | | Changing a client hostname after ipa-client-install would break the enrollment on IPA server. Update relevant man pages to contain such information. https://fedorahosted.org/freeipa/ticket/1967
* Configure ssh and sshd during ipa-client-install.Jan Cholasta2012-02-132-0/+114
| | | | | | | | | | | For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns ipa-client-install option is used. For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM options are enabled (this can be disabled using --no-sshd ipa-client-install option). ticket 1634
* Update host SSH public keys on the server during client install.Jan Cholasta2012-02-132-0/+67
| | | | | | | | This is done by calling host-mod to update the keys on IPA server and nsupdate to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp ipa-client-install option. https://fedorahosted.org/freeipa/ticket/1634
* Move the nsupdate functionality to separate function in ipa-client-install.Jan Cholasta2012-02-131-18/+26
| | | | | | Done as part of adding SSH support. https://fedorahosted.org/freeipa/ticket/1634
* Add API initialization to ipa-client-install.Jan Cholasta2012-02-131-9/+25
| | | | | | | | This change makes it possible to call IPA commands from ipa-client-install. Done to support adding SSH host keys to DNS. https://fedorahosted.org/freeipa/ticket/1634
* add session manager and cache krb authJohn Dennis2012-02-091-7/+42
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a session manager and support for caching authentication in the session. Major elements of the patch are: * Add a session manager to support cookie based sessions which stores session data in a memcached entry. * Add ipalib/krb_utils.py which contains functions to parse ccache names, format principals, format KRB timestamps, and a KRB_CCache class which reads ccache entry and allows one to extract information such as the principal, credentials, credential timestamps, etc. * Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so that all kerberos items are co-located. * Modify javascript in ipa.js so that the IPA.command() RPC call checks for authentication needed error response and if it receives it sends a GET request to /ipa/login URL to refresh credentials. * Add session_auth_duration config item to constants.py, used to configure how long a session remains valid. * Add parse_time_duration utility to ipalib/util.py. Used to parse the session_auth_duration config item. * Update the default.conf.5 man page to document session_auth_duration config item (also added documentation for log_manager config items which had been inadvertantly omitted from a previous commit). * Add SessionError object to ipalib/errors.py * Move Kerberos protection in Apache config from /ipa to /ipa/xml and /ipa/login * Add SessionCCache class to session.py to manage temporary Kerberos ccache file in effect for the duration of an RPC command. * Adds a krblogin plugin used to implement the /ipa/login handler. login handler sets the session expiration time, currently 60 minutes or the expiration of the TGT, whichever is shorter. It also copies the ccache provied by mod_auth_kerb into the session data. The json handler will later extract and validate the ccache belonging to the session. * Refactored the WSGI handlers so that json and xlmrpc could have independent behavior, this also moves where create and destroy context occurs, now done in the individual handler rather than the parent class. * The json handler now looks up the session data, validates the ccache bound to the session, if it's expired replies with authenicated needed error. * Add documentation to session.py. Fully documents the entire process, got questions, read the doc. * Add exclusions to make-lint as needed.
* localhost.localdomain clients refused to joinOndrej Hamada2012-01-222-0/+9
| | | | | | | | | Machines with hostname 'localhost' or 'localhost.localdomain' are refused from joining IPA domain and proper error message is shown. The hostname check is done both in 'ipa-client-install' script and in 'ipa-join'. https://fedorahosted.org/freeipa/ticket/2112
* Require an HTTP Referer header in the server. Send one in ipa tools.Rob Crittenden2011-12-122-4/+41
| | | | | | | | | | This is to prevent a Cross-Site Request Forgery (CSRF) attack where a rogue server tricks a user who was logged into the FreeIPA management interface into visiting a specially-crafted URL where the attacker could perform FreeIPA oonfiguration changes with the privileges of the logged-in user. https://bugzilla.redhat.com/show_bug.cgi?id=747710
* Check through all LDAP servers in the domain during IPA discoveryAlexander Bokovoy2011-12-091-9/+25
| | | | | | | | | When discovering IPA LDAP servers through DNS records, look through all servers found until first success. A master might be not available or denied access but replica may succeed. Ticket #1827 https://fedorahosted.org/freeipa/ticket/1827
* Client install checks for nss_ldapOndrej Hamada2011-12-051-18/+44
| | | | | | | | | | | | | | | | | | | | | | | | In order to check presence of nss_ldap or nss-pam-ldapd when installing client with '--no-sssd' option there was added code into ipa-client-install. Checking is based on existence of one of nss_ldap configuration files. This configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or '/etc/libnss_ldap.conf'. Optionaly the nss_ldap could cooperate with pam_ldap module and hence the presence of it is checked by looking for 'pam_ldap.conf' file. Existence of nss-pam-ldapd is checked against existence of 'nslcd.conf' file. All this checking is done by function nssldap_exists(). Because both modules are maintained by two different functions, the function returns tuple containing return code and dictionary structure - its key is name of target function and value is list of existing configuration files. Files to check are specified inside the nssldap_exists() function. nssldap_exists() also returns True if any of the mandatory files was found, otherwise returns False. In order to fit the returned values, the functions configure_{ldap|nslcd}_conf() were slightly modified. They accept one more parameter which is list of existing files. They are not checking existence of above mentioned files anymore. https://fedorahosted.org/freeipa/ticket/2063
* Fix coverity issues in client CLI toolsMartin Kosek2011-11-232-10/+24
| | | | | | | | This patch fixes 2 coverity issues: * ipa-client/config.c: CID 11090: Resource leak * ipa-client/ipa-getkeytab.c: CID 11018: Unchecked return value https://fedorahosted.org/freeipa/ticket/2035
* ticket 2022 - modify codebase to utilize IPALogManager, obsoletes loggingJohn Dennis2011-11-232-64/+45
| | | | | | | | | | | | change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
* Client install root privileges checkOndrej Hamada2011-11-211-2/+2
| | | | | | | | | ipa-client-install was failing and returning traceback when wasn't run by root. It was caused by logging initialization that was taking part before the root privileges check. To correct it, the check was moved before the logging initialization. https://fedorahosted.org/freeipa/ticket/2123
* Add configure check for libintl.hAlexander Bokovoy2011-11-162-0/+18
| | | | | | | | | There are some distributions which do not provide gettext support within libc. For these cases checking for libintl is required. https://fedorahosted.org/freeipa/ticket/1840
* Fix client krb5 domain mapping and DNSMartin Kosek2011-10-211-7/+13
| | | | | | | | | | | Add Kerberos mapping for clients outside of server domain. Otherwise certmonger had problems issuing the certificate. Also make sure that client DNS records on the server are set before certmonger is started and certificate is requested. Based on Lars Sjostrom patch. https://fedorahosted.org/freeipa/ticket/2006
* If our domain is already configured in sssd.conf start with a new config.Rob Crittenden2011-10-131-1/+12
| | | | https://fedorahosted.org/freeipa/ticket/1989
* Update all LDAP configuration files that we can.Rob Crittenden2011-10-131-2/+5
| | | | | | | LDAP can be configured in any number of places, we need to update everything we find. https://fedorahosted.org/freeipa/ticket/1986
* Fix ipa-client-install -U option alignmentMartin Kosek2011-10-141-0/+1
|
* Document --preserve-sssd option of ipa-client-installAlexander Bokovoy2011-10-141-0/+9
| | | | | | | | | | | Add documentation about --preserve-sssd, an ipa-client-install's option to honor previously available SSSD configuration in case it is not possible to merge it cleanly with the new one. In this case ipa-client-install will fail and ask user to fix SSSD config before continuing. Additional fix for https://fedorahosted.org/freeipa/ticket/1750 https://fedorahosted.org/freeipa/ticket/1769
* Hostname used by IPA must be a system hostnameMartin Kosek2011-10-131-1/+3
| | | | | | | | | | | Make sure that the hostname IPA uses is a system hostname. If user passes a non-system hostname, update the network settings and system hostname in the same way that ipa-client-install does. This step should prevent various services failures which may not be ready to talk to IPA with non-system hostname. https://fedorahosted.org/freeipa/ticket/1931
* Refactor authconfig use in ipa-client-installAlexander Bokovoy2011-10-121-20/+90
| | | | | | | | | | | | | When certain features are being configured via authconfig, we need to remember what was configured and what was the state before it so that during uninstall we restore proper state of the services. Mostly it affects sssd configuration with multiple domains but also pre-existing LDAP and krb5 configurations. This should fix following tickets: https://fedorahosted.org/freeipa/ticket/1750 https://fedorahosted.org/freeipa/ticket/1769
* ipa-client-install hangs if the discovered server is unresponsiveMartin Kosek2011-10-122-3/+6
| | | | | | | | Add a timeout to the wget call to cover a case when autodiscovered server does not response to our attempt to download ca.crt. Let user specify a different IPA server in that case. https://fedorahosted.org/freeipa/ticket/1960
* Remove more redundant configuration values from krb5.conf.Jan Cholasta2011-10-111-6/+0
| | | | ticket 1358
* Make ipa-join work against an LDAP server that disallows anon bindsRob Crittenden2011-10-113-109/+94
| | | | | | | | | | | | | | | We determine the realm in the client installer so we can deduce the base dn, pass that into ipa-join so we don't have to hunt for it. Re-order the bind so when doing an OTP enrollment so we can use the host entry to authenticate before we retrieve the subject base, then initiate the enrollment. If ipa-join is called without a basedn it will still attempt to determine it, but it will fail if anonymous binds are not allowed. https://fedorahosted.org/freeipa/ticket/1935
* Increase number of 'getent passwd attempts' to 10Alexander Bokovoy2011-10-111-4/+4
| | | | | | | | During ipa-client-install SSSD is not always started up properly for some reason, things like "getent passwd admin" do not work. This is particulary true for large setups where admin is included in a large set of groups. https://fedorahosted.org/freeipa/ticket/1774
generated by cgit (git 2.34.1) at 2024-05-06 20:42:29 +0000