summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
* Backup/resore authentication control configurationDavid Kupka2015-08-192-0/+8
| | | | | | https://fedorahosted.org/freeipa/ticket/5071 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Server Upgrade: Start DS before CA is started.Martin Basti2015-08-191-2/+12
| | | | | | https://fedorahosted.org/freeipa/ticket/5232 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* install: Fix replica install with custom certificatesJan Cholasta2015-08-181-8/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/5226 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa-restore: check whether DS is running before attempting connectionMartin Babinsky2015-08-181-0/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/4838 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-backup: archive DNSSEC zone file and kasp.dbMartin Babinsky2015-08-171-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/5159 Reviewed-By: Martin Basti <mbasti@redhat.com>
* fix typo in BasePathNamespace member pointing to ods exporter configMartin Babinsky2015-08-172-2/+2
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* winsync-migrate: Add warning about passsyncTomas Babej2015-08-171-0/+8
| | | | | | https://fedorahosted.org/freeipa/ticket/5162 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* install: Fix server and replica install optionsJan Cholasta2015-08-122-74/+17
| | | | | | https://fedorahosted.org/freeipa/ticket/5184 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Fix default CA ACL added during upgradeFraser Tweedale2015-08-111-1/+1
| | | | | | | | | The upgrade script is adding the default CA ACL with incorrect attributes - usercategory=all instead of servicecategory=all. Fix it to create the correct object. Fixes: https://fedorahosted.org/freeipa/ticket/5185 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Fix upgrade of sidgen and extdom pluginsMartin Basti2015-08-102-6/+31
| | | | | | | | | If configuration entries already exist, upgrade will not add them again. https://fedorahosted.org/freeipa/ticket/5151 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Fixed missing KRA agent cert on replica.Endi S. Dewata2015-08-101-8/+9
| | | | | | | | | The code that exports the KRA agent certificate has been moved such that it will be executed both on master and replica. https://fedorahosted.org/freeipa/ticket/5174 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* dcerpc: Simplify generation of LSA-RPC binding stringsTomas Babej2015-08-071-2/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/5183 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix selector of protocol for LSA RPC binding stringAlexander Bokovoy2015-08-071-2/+2
| | | | | | | | | | | | | For Windows Server 2012R2 and others which force SMB2 protocol use we have to specify right DCE RPC binding options. For using SMB1 protocol we have to omit specifying SMB2 protocol and anything else or otherwise SMB1 would be considered a pipe to connect to. This is by design of a binding string format. https://fedorahosted.org/freeipa/ticket/5183 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replication: Fix incorrect exception invocationTomas Babej2015-07-241-1/+1
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* dcerpc: Add get_trusted_domain_object_type methodTomas Babej2015-07-231-0/+29
| | | | | | https://fedorahosted.org/freeipa/ticket/5029 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* dcerpc: Fix UnboundLocalError for ccache_nameTomas Babej2015-07-221-0/+2
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* dcerpc: Expand explanation for WERR_ACCESS_DENIEDTomas Babej2015-07-211-7/+29
| | | | | | | | | | | It's possible for AD to contact a wrong IPA server in case the DNS SRV records on the AD sides are not properly configured. Mention this case in the error message as well. https://fedorahosted.org/freeipa/ticket/5013 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNS: check if DNS package is installedMartin Basti2015-07-214-37/+7
| | | | | | | | | | | Instead of separate checking of DNS required packages, we need just check if IPA DNS package is installed. https://fedorahosted.org/freeipa/ticket/4058 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Py3: replace tab with spaceMartin Basti2015-07-171-1/+1
| | | | | | python3 does not allow to mix spaces and tabs Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommandMartin Basti2015-07-171-1/+2
| | | | | | | | | --force option set replica-certify-all to 'no' during abort-clean-ruv subcommand https://fedorahosted.org/freeipa/ticket/4988 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix minor typosYuri Chornoivan2015-07-171-1/+1
| | | | | | | | | | | | | <ame> -> <name> overriden -> overridden ablity -> ability enties -> entries the the -> the https://fedorahosted.org/freeipa/ticket/5109 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
* ipa-ca-install: print more specific errors when CA is already installedMartin Babinsky2015-07-161-2/+10
| | | | | | | | | | | This patch implements a more thorough checking for already installed CAs during standalone CA installation using ipa-ca-install. The installer now differentiates between CA that is already installed locally and CA installed on one or more masters in topology and prints an appropriate error message. https://fedorahosted.org/freeipa/ticket/4492 Reviewed-By: Martin Basti <mbasti@redhat.com>
* selinux: enable httpd_run_ipa to allow communicating with oddjobd servicesAlexander Bokovoy2015-07-161-0/+1
| | | | | | | | | | | | | A new SELinux policy allows communication between IPA framework running under Apache with oddjobd-based services via DBus. This communication is crucial for one-way trust support and also is required for any out of band tools which may be executed by IPA framework. Details of out of band communication and SELinux policy can be found in a bug https://bugzilla.redhat.com/show_bug.cgi?id=1238165 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix DNS records installation for replicasSimo Sorce2015-07-141-3/+3
| | | | | | | Ticket: https:/fedorahosted.org/freeipa/ticket/5116 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Start dirsrv for kdcproxy upgradeChristian Heimes2015-07-141-16/+19
| | | | | | | | | | The kdcproxy upgrade step in ipa-server-upgrade needs a running dirsrv instance. Under some circumstances the dirsrv isn't running. The patch rearranges some upgrade steps and starts DS before enable_kdcproxy(). https://fedorahosted.org/freeipa/ticket/5113 Reviewed-By: Martin Basti <mbasti@redhat.com>
* upgrade: Enable and start oddjobd if adtrust is availableTomas Babej2015-07-081-0/+24
| | | | | | | If ipa-adtrust-install has already been run on the system, enable and start the oddjobd service. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* adtrustinstance: Enable and start oddjobdTomas Babej2015-07-082-0/+30
| | | | | | | Enable and start the oddjobd service as part of the ipa-adtrust-install for the new IPA installations. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Upgrade: Do not show upgrade failed message when IPA is not installedMartin Basti2015-07-081-0/+5
| | | | Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* trust: support retrieving POSIX IDs with one-way trust during trust-addAlexander Bokovoy2015-07-081-18/+65
| | | | | | | | | | | | With one-way trust we cannot rely on cross-realm TGT as there will be none. Thus, if we have AD administrator credentials we should reuse them. Additionally, such use should be done over Kerberos. Fixes: https://fedorahosted.org/freeipa/ticket/4960 https://fedorahosted.org/freeipa/ticket/4959 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trusts: add support for one-way trust and switch to it by defaultAlexander Bokovoy2015-07-081-12/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | One-way trust is the default now, use 'trust add --two-way ' to force bidirectional trust https://fedorahosted.org/freeipa/ticket/4959 In case of one-way trust we cannot authenticate using cross-realm TGT against an AD DC. We have to use trusted domain object from within AD domain and access to this object is limited to avoid compromising the whole trust configuration. Instead, IPA framework can call out to oddjob daemon and ask it to run the script which can have access to the TDO object. This script (com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal to retrieve TDO object credentials from IPA LDAP if needed and then authenticate against AD DCs using the TDO object credentials. The script pulls the trust topology out of AD DCs and updates IPA LDAP store. Then IPA framework can pick the updated data from the IPA LDAP under normal access conditions. Part of https://fedorahosted.org/freeipa/ticket/4546 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trusts: pass AD DC hostname if specified explicitlyAlexander Bokovoy2015-07-081-3/+7
| | | | | | Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-adtrust-install: add IPA master host principal to adtrust agentsAlexander Bokovoy2015-07-084-30/+78
| | | | | | Fixes https://fedorahosted.org/freeipa/ticket/4951 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* dcerpc: Raise ACIError correctlyTomas Babej2015-07-081-3/+5
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-replica-prepare: Do not create DNS zone it automatically.David Kupka2015-07-081-5/+8
| | | | | | | | | When --ip-address is specified check if relevant DNS zone exists in IPA managed DNS server, exit with error when not. https://fedorahosted.org/freeipa/ticket/5014 Reviewed-By: Martin Basti <mbasti@redhat.com>
* certprofile: add ability to update profile config in DogtagFraser Tweedale2015-07-081-0/+12
| | | | | | | | | Add the `--file=FILENAME' option to `certprofile-mod' which, when given, will update the profile configuration in Dogtag to the contents of the file. Fixes: https://fedorahosted.org/freeipa/ticket/5093 Reviewed-By: Martin Basti <mbasti@redhat.com>
* certprofile: add option to export profile configFraser Tweedale2015-07-081-0/+8
| | | | | | | | | Add the `--out=FILENAME' option to `certprofile-show'. When given, it exports the profile configuration from Dogtag and writes it to the named file. Fixes: https://fedorahosted.org/freeipa/ticket/5091 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Hide topology and domainlevel featuresTomas Babej2015-07-081-1/+2
| | | | | | | | | | | * Hide topology and domainlevel commands in the CLI * Hide topology and domainlevel in the WebUI * Set maximum allowed domain level to 0 * Do not configure and enable the topology plugin https://fedorahosted.org/freeipa/ticket/5097 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: ipa-dns-install: Detect existing master server sooner.Petr Spacek2015-07-071-14/+12
| | | | | | | | User should get the error before he installs missing packages etc. https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: update messageMartin Basti2015-07-071-7/+21
| | | | | | https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: allow to disable/replace DNSSEC key masterMartin Basti2015-07-075-22/+295
| | | | | | | | | | | | | | | This commit allows to replace or disable DNSSEC key master Replacing DNSSEC master requires to copy kasp.db file manually by user ipa-dns-install: --disable-dnssec-master DNSSEC master will be disabled --dnssec-master --kasp-db=FILE This configure new DNSSEC master server, kasp.db from old server is required for sucessful replacement --force Skip checks https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Server Upgrade: use debug log level for upgrade instead of infoMartin Basti2015-07-037-39/+39
| | | | | | Upgrade contains too many unnecessary info logs. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* winsync_migrate: Generalize membership migrationTomas Babej2015-07-021-21/+78
| | | | | | https://fedorahosted.org/freeipa/ticket/4943 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync_migrate: Migrate memberships of the winsynced usersTomas Babej2015-07-021-0/+51
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* idviews: Fallback to AD DC LDAP only if specifically allowedTomas Babej2015-07-021-1/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Move the tool under ipaserver.install packageTomas Babej2015-07-021-0/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Rename to tool to achive consistency with other toolsTomas Babej2015-07-022-28/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Delete winsync agreement prior to migrationTomas Babej2015-07-021-0/+35
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Require explicit specification of the target server and ↵Tomas Babej2015-07-021-0/+33
| | | | | | | | validate existing agreement https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Require root privilegesTomas Babej2015-07-021-1/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* dcerpc: Add debugging message to failing kinit as httpTomas Babej2015-07-021-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
generated by cgit (git 2.34.1) at 2024-06-08 23:46:14 +0000