| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
setsebool -P was run for every package upgrade or server
installation even though the sebools were already set to the new
value.
Only set sebools which are different from current system values.
This speeds up ipa-upgradeconfig or package update by 150 seconds.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
From IPA 3.0, persistent search is a preferred mechanism for new DNS
zone detection and is also needed for other features (DNSSEC, SOA
serial updates).
Enable psearch and make sure connections attribute is right. This
step is done just once for a case when user switched the persistent
search back to disabled on purpose.
ipa-upgradeconfig was updated to accept --debug option in case
somebody would want to see debug messages.
|
| |
|
|
|
|
|
|
|
|
|
| |
From IPA version 3.0, the persistent search is a preferred mechanism
to for DNS zone list management. It will be also a requirement for
several bind-dyndb-ldap features, like SOA serial automatic updates
or DNSSEC.
Make this mechanism default in ipa-server-install and ipa-dns-istall.
https://fedorahosted.org/freeipa/ticket/2524
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When IPA package is being updated, some of the configuration files
are also updated. Sometimes it may be useful to store upgrade meta
information for next package upgrades. For example an information
that some config file was already updated and we don't want to
update it again if user purposedly reverted the change.
This patch adds a new StateFile in /var/lib/ipa/sysupgrade which
is capable of holding this information. New sysupgrade.py module
was created to provide simple API to access the upgrade state
information.
|
| |
|
|
|
|
|
|
|
| |
Sort a filtered list in the update plugin ordering method.
Unlike the previous algorithm, this always gives a correct order.
It should also be faster and more readable.
https://fedorahosted.org/freeipa/ticket/2820
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Several plugins need restarting the DS (or they currently do
an external bind).
Rather than disabling plugins (possibly partially), refuse
to run them when run as an unprivileged user.
This means running ipa-ldap-updater as non-root requires specifying
a list of files, and omiting the --upgrade and --plugins options.
https://fedorahosted.org/freeipa/ticket/2621
|
| | |
|
| |
|
|
|
|
|
|
|
| |
A high-level description of the design and ACIs for trusts is available at
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html
and
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html
Ticket #1731
|
| |
|
|
|
|
|
|
| |
Also make sure all exceptions are captured when creating CIFS service
record. The one we care about is duplicate entry and we do nothing
in that case anyway.
Also make uniform use of action descriptors.
|
| |
|
|
|
|
|
|
|
|
| |
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.
The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.
https://fedorahosted.org/freeipa/ticket/1577
|
| | |
|
| |
|
|
|
|
|
|
| |
Samba just needs the cifs/ key on the ipa server. Configure samba to use a
different keytab file so that we do not risk samba commands (net, or similar)
to mess up the system keytab.
https://fedorahosted.org/freeipa/ticket/2168
|
| |
|
|
|
|
|
|
|
|
|
| |
We need two attributes in the ipaNTTrustedDomain objectclass to store different
kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID
of the trusted domain. A second attribute is needed to store the SID for the
trusted domain user. Since it cannot be derived safely from other values and
since it does not make sense to create a separate object for the user a new
attribute is needed.
https://fedorahosted.org/freeipa/ticket/2191
|
| |
|
|
|
|
|
|
|
|
|
|
| |
For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.
The policy is not easy to construct for regular users, we should
rather fill it by default and let users just switch the policy
on or off.
https://fedorahosted.org/freeipa/ticket/2441
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
All of our install/admin scripts had a try/except block calling the
main function and handling common exceptions. These were copy-pasted
from each other and modified to various levels of sophistication.
This refactors them out of installers to a single function, which
includes a final pass/fail message for all of the scripts.
Non-install scripts that set up the same log handler levels for
stderr and log file are not changed, as it's not possible to log
to only the logfile without changing the logger configuration.
https://fedorahosted.org/freeipa/ticket/2071
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
but but rather C-like interface based on functions and
structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
authconfig and thus can break without notice
Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
in installutils to make the whole DNS check simpler and
less error-prone. Logging was improves for the remaining
checks
- improved logging for ipa-client-install DNS discovery
https://fedorahosted.org/freeipa/ticket/2730
https://fedorahosted.org/freeipa/ticket/1837
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We've seen on a few occassions where one side or the other is missing
the ldap principal. This causes replication to fail when trying to
convert to using GSSAPI. If this happens force a synchronization again
and try the retrieval again, up to 10 times.
This should also make the error report clearer if even after the retries
one of the principals doesn't exist.
https://fedorahosted.org/freeipa/ticket/2737
|
| |
|
|
|
|
|
|
|
|
|
|
| |
bind-dyndb-ldap persistent search queries LDAP for all DNS records.
The LDAP connection must have no size or time limits to work
properly.
This patch updates limits both for existing service principal
on updated machine and for new service principals added
as a part of DNS installation.
https://fedorahosted.org/freeipa/ticket/2531
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
python-ldap add_s method raises a NO_SUCH_OBJECT exception when
a parent entry of the entry being added does not exist. This may
not be an error, for example NIS entries are only added when NIS
is enabled and thus the NIS entry container exists.
The exception raised by python-ldap is also incorrectly processed
in ipaldap's addEntry function and an irrelevant exception is
re-raised instead.
Fix LDAP updater to just log an information when an object cannot
be added due to missing parent object. Also make sure that the
addEntry function exception processing provides the right exception
with a useful description.
https://fedorahosted.org/freeipa/ticket/2520
https://fedorahosted.org/freeipa/ticket/2743
|
| |
|
|
|
|
|
|
| |
Provide the IP address we resolved when displaying the exception.
Also handle the exception ourselves with sys.exit().
https://fedorahosted.org/freeipa/ticket/2654
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA has some unused code from abandoned features (Radius, ipa 1.x user
input, commant-line tab completion), as well as some duplicate utilities.
This patch cleans up the utility modules.
Duplicate code consolidated into ipapython.ipautil:
{ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix
{ipaserver,ipapython}.ipautil.CIDict
(with style improvements from the ipaserver version)
{ipapython.entity,ipaserver.ipautil}.utf8_encode_value
{ipapython.entity,ipaserver.ipautil}.utf8_encode_values
ipalib.util.get_fqdn was removed in favor of the same function in
ipaserver.install.installutils
Removed unused code:
ipalib.util:
load_plugins_in_dir
import_plugins_subpackage
make_repr (was imported but unused; also removed from tests)
ipapython.ipautil:
format_list
parse_key_value_pairs
read_pairs_file
read_items_file
user_input_plain
AttributeValueCompleter
ItemCompleter
ipaserver.ipautil:
get_gsserror (a different version exists in ipapython.ipautil)
ipaserver.ipautil ended up empty and is removed entirely.
https://fedorahosted.org/freeipa/ticket/2650
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/2569
|
| |
|
|
|
|
|
|
| |
We don't need to do anything with the state but if it exists in
the sysrestore index at the end of uninstallation the uninstaller will
complain about it.
https://fedorahosted.org/freeipa/ticket/2637
|
| |
|
|
|
|
|
|
| |
certmonger now has the ability to execute a script when it renews a
certificate. This can be used to automatically restart servers so
the certificate doesn't expire in the running server.
https://fedorahosted.org/freeipa/ticket/2050
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When IPA server is configured with DNS and its hostname is not
located in a default domain, SRV records are not valid.
Additionally, httpd does not serve XMLRPC interface because it
IPA server domain-realm mapping is missing in krb5.conf. All CLI
commands were then failing.
This patch amends this configuration. It fixes SRV records in
served domain to include full FQDN instead of relative hostname
when the IPA server hostname is not located in served domain.
IPA server forward record is also placed to correct zone.
When IPA server is not in a served domain a proper domain-realm
mapping is configured to krb5.conf. The template was improved
in order to be able to hold this information.
https://fedorahosted.org/freeipa/ticket/2602
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket #2502
* remove the "running" flag from backup_state in cainstance.py and
dsinstance.py because it does not provide the correct
information. In cainstance the running flag was never referenced
because restarting dirsrv instances occurs later in dsinstance. In
dsinstance when the running flag is set it incorrectly identifed the
PKI ds instance configured earlier by cainstance. The intent was to
determine if there were any ds instances other than those owned by
IPA which will need to be restarted upon uninstall. Clearly the PKI
ds instance does not qualify. We were generating a traceback when at
the conclusion of dsinstance.uninstall we tried to start the
remaining ds instances as indicated by the running flag, but there
were none to restart (because the running flag had been set as a
consequence of the PKI ds instance).
* We only want to restart ds instances if there are other ds instances
besides those owned by IPA. We shouldn't be stopping all ds
instances either, but that's going to be covered by another
ticket. The fix for restarting other ds instances at the end of
uninstall is to check and see if there are other ds instances
remaining after we've removed ours, if so we restart them. Also it's
irrelevant if those ds instances were not present when we installed,
it only matters if they exist after we restore things during
uninstall. If they are present we have to start them back up because
we shut them down during uninstall.
* Add new function get_ds_instances() which returns a list of existing
ds instances.
* fixed error messages that incorrectly stated it "failed to restart"
a ds instance when it should be "failed to create".
|
| |
|
|
|
|
|
|
|
|
|
|
| |
SELinux configuration for httpd instance was set for new
installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x
upgrade) missed the configuration. This lead to AVCs when httpd
tries to contact ipa_memcached and user not being able to log in.
This patch updates ipa-upgradeconfig to configure SELinux
in the same way as ipa-server-install does.
https://fedorahosted.org/freeipa/ticket/2603
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With a publicly accessible DNS tree in LDAP, anyone with an access
to the LDAP server can get all DNS data as with a zone transfer
which is already restricted with ACL. Making DNS tree not readable
to public is a common security practice and should be applied
in FreeIPA as well.
This patch adds a new deny rule to forbid access to DNS tree to
users or hosts without an appropriate permission or users which
are not members of admins group. The new permission/aci is
applied both for new installs and upgraded servers.
bind-dyndb-ldap plugin is allowed to read DNS tree without any
change because its principal is already a member of "DNS
Servers" privilege.
https://fedorahosted.org/freeipa/ticket/2569
|
| |
|
|
|
|
|
|
| |
The server installation failed on F17 due to permission problem.
The /var/lib/dirsrv/boot.ldif was previously owned and only readable
by root. It is now owned by DS user dirsrv.
Ticket #2544
|
| |
|
|
|
|
|
|
|
|
| |
When updating from 2.x we need to add nsDS5ReplicatedAttributeList and
nsDS5ReplicatedAttributeListTotal if they aren't present.
If nsDS5ReplicatedAttributeList is present and doesn't contain memberof
then we want to add it.
https://fedorahosted.org/freeipa/ticket/2594
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Global DNS configuration is a nice tool to maintain a common DNS
settings stored in LDAP which are then used for all enrolled IPA
servers. However, the settings stored in LDAP override local
settings in named.conf on DNS servers.
This patch adds more information about global DNS configuration
options in install scripts and DNS module help.
https://fedorahosted.org/freeipa/ticket/2525
|
| |
|
|
|
|
|
|
|
|
|
|
| |
New features in bind-dyndb-ldap and IPA DNS plugin pulled new
attributes and objectclasses. ACIs and permissions need to be
updated to allow users with appropriate permissions update
these attributes in LDAP.
This patch updates the ACI for DNS record updates and adds one
new permission to update global DNS configuration.
https://fedorahosted.org/freeipa/ticket/2510
|
| |
|
|
| |
Fixes SELinux configuration for ipa-server-install with selinux-policy 3.10.0-104.fc17.
|
| |
|
|
|
|
|
|
|
| |
pkisilent was modified to handle escaping characters itself in
BZ https://bugzilla.redhat.com/show_bug.cgi?id=769388
This removes the workaround from ticket 1636.
https://fedorahosted.org/freeipa/ticket/2529
|
| |
|
|
|
|
|
|
|
|
| |
This will add it on upgrades too and any new certs issued will have
a subject key identifier set.
If the user has customized the profile themselves then this won't be
applied.
https://fedorahosted.org/freeipa/ticket/2446
|
| |
|
|
|
|
|
| |
This is being done in the HTTP instance so we can set both
booleans in one step and save a bit of time (it is still slow).
https://fedorahosted.org/freeipa/ticket/2432
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its
ABI and broke our TLS connection in ipa-replica-manage. This makes
it impossible to connect for example to Active Directory to set up
a winsync replication. We always receive a connection error stating
that Peer's certificate is not recognized even though we pass
a correct certificate.
This patch fixes the way we set up TLS. The change is backwards
compatible with older versions of openldap.
https://fedorahosted.org/freeipa/ticket/2500
|
| |
|
|
|
|
|
|
|
|
| |
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.
The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.
https://fedorahosted.org/freeipa/ticket/1314
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When a replica is deleted, its memberPrincipal entries in
cn=s4u2proxy,cn=etc,SUFFIX were not removed. Then, if the replica
is reinstalled and connected again, the installer would report
an error with duplicate value in LDAP.
This patch extends replica cleanup procedure to remove replica
principal from s4u2proxy configuration.
https://fedorahosted.org/freeipa/ticket/2451
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Our install tools like ipa-server-install, ipa-replica-{prepare,
install} may allow hostnames that do not match the requirements
in ipalib. This creates a disconnect and may cause issues when
user cannot delete hostnames created by install tools.
This patch makes sure that ipalib requirements are applied to
install tools hostnames as well.
https://fedorahosted.org/freeipa/ticket/2089
|
| |
|
|
|
|
|
|
|
| |
We don't want to run the risk of adding a user, uninstalling it,
the system adding a new user (for another package install for example)
and then re-installing IPA. This wreaks havoc with file and directory
ownership.
https://fedorahosted.org/freeipa/ticket/2423
|
| |
|
|
|
|
|
|
|
|
|
| |
ipautil.run expects a tuple of passwords for nolog; passing a
single string causes all individual letters from that string to
be replaced by Xes.
This fixes such a call, and adds a sanity check to ipautil.run
that prevents lone strings from being used in nolog.
https://fedorahosted.org/freeipa/ticket/2419
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
SSH public key support includes a feature to automatically add/update
client SSH fingerprints in SSHFP records. However, the update won't
work for zones created before this support was added as they don't
allow clients to update SSHFP records in their update policies.
This patch lets dns upgrade module extend the original policy
to allow the SSHFP dynamic updates. It updates only original
policy, we don't want it to overwrite custom user policies.
https://fedorahosted.org/freeipa/ticket/2394
|
| |
|
|
|
|
|
|
|
|
|
|
| |
force-sync, re-initialize and del were not working because they
all attempted to contact the AD server. winsync agreements are
managed on the local 389-ds instance.
This also:
- requires root to create winsync agreement (for updating NSS db)
- fixes filter in get_replication_agreement() to work with winsync
https://fedorahosted.org/freeipa/ticket/2128
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provide a way to specify BIND allow-query and allow-transfer ACLs
for DNS zones.
IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To
avoid zone information leaks to unintended places, allow-transfer
ACL for every zone is by default set to none and has to be
explicitly enabled by an Administrator. This is done both for new
DNS zones and old DNS zones during RPM update via new DNS upgrade
plugin.
https://fedorahosted.org/freeipa/ticket/1211
|
| |
|
|
|
|
|
|
|
|
| |
This is needed on F-17+, otherwise things blow up when we try to see
if we've added new schema.
Introspection is required to see if the argument check_uniqueness is
available.
https://fedorahosted.org/freeipa/ticket/2383
|
| |
|
|
|
|
|
| |
A previous bug caused this attribute to not be added which would lead
to unnecessary replication. This runs as an updater plugin.
https://fedorahosted.org/freeipa/ticket/2223
|
| |
|
|
|
|
|
|
| |
I noticed a couple of bad references in ipapython/dogtag.py and
fixed those as well. We used to call sslget for all our SSL client
needs before python-nss was written.
https://fedorahosted.org/freeipa/ticket/2391
|
| |
|
|
|
|
|
| |
For some reason lost to history the sub_dict in dsinstance and
cainstance used FQHN instead of FQDN. This made upgrade scripts not
work reliably as the variable might be different depending on context.
Use FQDN universally instead.
|
| |
|
|
|
|
|
|
|
|
| |
Add support for autobind to services. This is a bit of a special case
so I currently require the caller to specify ldapi separately. It only
makes sense to do this only in upgrade cases.
Also uninstall ipa_memcached when uninstalling the server.
https://fedorahosted.org/freeipa/ticket/2399
|
