summaryrefslogtreecommitdiffstats
path: root/ipa-client/ipa-install
Commit message (Collapse)AuthorAgeFilesLines
* ipa-client-install uninstall does not work on IPA serverMartin Kosek2011-04-291-1/+1
| | | | | | | When IPA server is being uninstalled, IPA client on-master uninstallation which is called by the script fails. https://fedorahosted.org/freeipa/ticket/1197
* Forbid reinstallation in ipa-client-installMartin Kosek2011-04-291-7/+8
| | | | | | | | | | | | The --force option may be misused to reinstall an existing IPA client. This is not supported and may lead to unexpected errors. When required, the cleanest way to re-install IPA client is to run uninstall and then install again. This patch also includes few cosmetic changes in messages to user to provide more consistent user experience with the script. https://fedorahosted.org/freeipa/ticket/1117
* Prevent uninstalling client on the IPA serverMartin Kosek2011-04-291-0/+6
| | | | | | | | This patch prevents uninstalling IPA client when it is configured as a part of IPA server. ipa-server-installation script is advised for this situation. https://fedorahosted.org/freeipa/ticket/1049
* Log temporary files in ipa-client-installMartin Kosek2011-04-281-1/+8
| | | | | | | | This patch adds logging of temporary files (Kerberos configuration, nsupdate commands) that may be very useful for debugging purposes. https://fedorahosted.org/freeipa/ticket/1093 https://fedorahosted.org/freeipa/ticket/1094
* Suppress --on-master from ipa-client-install command-line and man page.Rob Crittenden2011-04-121-1/+4
| | | | | | | | This option is only used when configuring an IPA client on an IPA server. Describing it on the command-line will only confuse people so don't list it as an option. Ticket 1050
* Ensure that the system hostname is lower-case.Rob Crittenden2011-03-181-5/+8
| | | | ticket 1080
* Always consider domain and server when doing DNS discovery in client.Rob Crittenden2011-03-151-8/+4
| | | | | | | | | When not on master we weren't passing in the user-supplied domain and server. Because of changes made that require TLS on the LDAP calls we always need the server name early in the process to retrieve the IPA CA certificate. ticket 1090
* If --hostname is provided for ipa-client-install use it everywhere.Rob Crittenden2011-03-081-11/+56
| | | | | | | | | | | | | | | | | | | If a hostname was provided it wasn't used to configure either certmonger or sssd. This resulted in a non-working configuration. Additionally on un-enrollment the wrong hostname was unenrolled, it used the value of gethostname() rather than the one that was passed into the installer. We have to modify the CA configuration of certmonger to make it use the right principal when requesting certificates. The filename is unpredicable but it will be in /var/lib/certmonger/cas. We need to hunt for ipa_submit and add -k <principal> to it, then undo that on uninstall. These files are created the first time the certmonger service starts, so start and stop it before messing with them. ticket 1029
* Always try to stop tracking the server cert when uninstalling client.Rob Crittenden2011-03-081-10/+13
| | | | | | | | | | | stop_tracking() is robust enough to do the right thing if no certificate exists so go ahead and always call it. If the certificate failed to be issued for some reason the request will still in certmonger after uninstalling. This would cause problems when trying to reinstall the client. This will go ahead and always tell certmonger to stop tracking it. ticket 1028
* Fix kinit invocation in ipa-client-installSimo Sorce2011-03-011-1/+2
|
* Set krb5_realm in sssd.conf in the ipa provider.Rob Crittenden2011-02-221-2/+4
| | | | ticket 925
* Try to register DNS name through a DNS Update on install.Simo Sorce2011-02-171-0/+111
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/935
* Configure SSSD to use DNS to find the IPA server by default.Rob Crittenden2011-02-171-1/+1
| | | | | | Add the server we registered with as a fallback. ticket 980
* Bugfix for ipa-client-install echo's password in cleartext to stdout ↵Jr Aquino2011-02-141-2/+4
| | | | https://fedorahosted.org/freeipa/ticket/959
* Detection of v1 server during ipa-client-installMartin Kosek2011-02-141-1/+5
| | | | | | | | | | When v2 IPA client is trying to join an IPA v1 server a strange exception is printed out to the user. This patch detects this by catching an XML-RPC error reported by ipa-join binary called in the process which fails on unexisting IPA server 'join' method. https://fedorahosted.org/freeipa/ticket/553
* Fine tuning DNS optionsJakub Hrozek2011-02-141-0/+1
| | | | | | | | | | | | Add pointer to self to /etc/hosts to avoid chicken/egg problems when restarting DNS. On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't attempt to do any resolving. Leave it to true on clients. Set rdns to false on both server and client. https://fedorahosted.org/freeipa/ticket/931
* Make sure only root can run ipa-client-installJakub Hrozek2011-02-141-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/957
* nscd should be disabled before sssd is configured/started.Rob Crittenden2011-02-101-22/+22
| | | | | | | | | | | If not then sssd spits out a warning message: sssd: nscd socket was detected. As nscd caching capabilities may conflict with SSSD, it is recommended to not run nscd in parallel with SSSD Stop nscd before configuring sssd so we don't confuse our users. ticket 743
* Fix prompt for confirmation of fixed values wrapping around terminal.Rob Crittenden2011-02-101-1/+1
| | | | ticket 940
* Add an option for overriding the hostname value.Rob Crittenden2011-01-261-0/+5
| | | | Ticket 834
* Improve output when options are not found in non-interactive client installRob Crittenden2011-01-211-1/+3
| | | | | | | We should still give some feedback when things go wrong when in non-interactive mode. ticket 828
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-201-5/+5
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Handle wget failures trying to retrieve the CA during the client installRob Crittenden2010-11-221-1/+5
| | | | ticket 405
* Use sys.exit to quit scriptsJakub Hrozek2010-11-221-25/+18
| | | | | | | Instead of print and return, use sys.exit() to quit scripts with an error message and a non zero return code. https://fedorahosted.org/freeipa/ticket/425
* Use provided domain name for the rest of installationJan Zeleny2010-11-191-1/+1
| | | | | | | | When installing IPA client, the install script used detected domain name of the machine instead of that given by administrator (in case one was given) https://fedorahosted.org/freeipa/ticket/363
* Log interactive options in install scriptsJakub Hrozek2010-11-191-0/+8
|
* Use Realm as certs subject base nameSimo Sorce2010-11-181-2/+2
| | | | Also use the realm name as nickname for the CA certificate
* Log script options to logfileJakub Hrozek2010-11-091-5/+7
| | | | | | | | Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.org/freeipa/ticket/393
* Don't do autodiscovery on master install.Rob Crittenden2010-09-231-2/+8
| | | | | | If we pass in the domain and server to ipa-client-install it doesn't do service discovery which is what we want. We want to be sure the server is properly configured at install time.
* Add minimal client configuration for when we eventually get to PKINITRob Crittenden2010-09-231-8/+13
| | | | | | Also move the unenroll to clients only. This isn't necessary on the master ticket 53
* Unenroll the client from the IPA server on uninstall.Rob Crittenden2010-09-201-2/+8
| | | | | | | | | | | | | | | | | Unenrollment means that the host keytab is disabled on the server making it possible to re-install on the client. This host principal is how we distinguish an enrolled vs an unenrolled client machine on the server. I added a --unroll option to ipa-join that binds using the host credentials and disables its own keytab. I fixed a couple of other unrelated problems in ipa-join at the same time. I also documented all the possible return values of ipa-getkeytab and ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab and it returns whatever value ipa-getkeytab returned on failure. ticket 242
* Better distinguish between when DNS discovery works and search more domains.Rob Crittenden2010-09-201-4/+5
| | | | | | | | | | | | | | | | | | | | | | Passing domain and server on the command-line used to be considered as DNS autodiscovery worked. This was problematic if there was in fact no SRV records because krb5.conf would be configured without a specific KDC causing all Kerberos ops to fail. Now if you pass in a domain/server it still tries to see if they are discoverable and if so won't hardcode a server, but will fall back to doing so if necessary. Also be a lot more aggressive on looking for the SRV records. Use the search and domain values from /etc/resolv.conf on the chance that the SRV records aren't in the domain of the hostname of the machine. An example of this would be if your laptop is in dhcp.example.com and your company's SRV records are in corp.example.com. Searching dhcp.example.com and example.com won't find the SRV records but the user is likely to have corp.redhat.com in the search list, at least. ticket 234
* Use a more specific name for the IPA server certificate we install.Rob Crittenden2010-09-171-9/+24
| | | | | | | This should avoid conflicts with any other certs that might be installed there. ticket 49
* Remove some additional instances of krbV from ipa-clientRob Crittenden2010-09-101-5/+5
| | | | | | | | | | | Make two krbV imports conditional. These aren't used during a client install so should cause no problems. Also fix the client installer to use the new env option in ipautil.run. We weren't getting the krb5 configuration set in the environment because we were overriding the environment to set the PATH. ticket 136
* Fix certmonger errors when doing a client or server uninstall.Rob Crittenden2010-09-091-6/+13
| | | | | | | | | | | | | | | | This started with the client uninstaller returning a 1 when not installed. There was no way to tell whether the uninstall failed or the client simply wasn't installed which caused no end of grief with the installer. This led to a lot of certmonger failures too, either trying to stop tracking a non-existent cert or not handling an existing tracked certificate. I moved the certmonger code out of the installer and put it into the client/server shared ipapython lib. It now tries a lot harder and smarter to untrack a certificate. ticket 142
* Configure nslcd and a host of possible systems that use LDAP.Rob Crittenden2010-08-271-9/+53
| | | | | | | | | We will update any/all of /etc/ldap.conf, /etc/nss_ldap.conf, /etc/libnss-ldap.conf and /etc/pam_ldap.conf. nslcd is the replacement for nss_ldap. ticket 50
* Retrieve the CA certificate before starting enrollment.Rob Crittenden2010-06-211-2/+9
| | | | | We need the CA certificate so we can use SSL when binding with a one-time password (bulk enrollment)
* Remove Requires on separate package python-krbV in clientRob Crittenden2010-06-021-3/+7
| | | | | | We need the configured kerberos realm so we can clean up /etc/krb5.keytab. We have this already in /etc/ipa/default.conf so use that instead of requiring a whole other python package to do it.
* Check to see if we are configured before uninstalling.Rob Crittenden2010-05-071-1/+5
| | | | Allow the --force flag to override on both install and uninstall
* Add simple test to see if client is already configuredRob Crittenden2010-05-061-0/+4
| | | | | | | | | | | | If this ever gets out of sync the user can always remove /var/lib/ipa-client/sysrestore/*, they just need to understand the implications. One potential problem is with certmonger. If you install the client and then re-install without uninstalling then the subsequent certificate request by certmonger will fail because it will already be tracking a certificate in /etc/pki/nssdb of the same nickname and subject (the old cert).
* Make calling service and chkconfig tolerant of the service not installedRob Crittenden2010-05-061-9/+59
| | | | | For example, if nscd is not installed this would throw lots of errors about not being able to disable it, stop it, etc.
* Call certmonger after krb5, avoid uninstall errors, better password handling.Rob Crittenden2010-05-061-18/+43
| | | | | | | | | - Move the ipa-getcert request to after we set up /etc/krb5.conf - Don't try removing certificates that don't exist - Don't tell certmonger to stop tracking a cert that doesn't exist - Allow --password/-w to be the kerberos password - Print an error if prompting for a password would happen in unattended mode - Still support echoing a password in when in unattended mode
* Make the installer/uninstaller more aware of its stateRob Crittenden2010-05-031-4/+3
| | | | | | | | | | | | | | We have had a state file for quite some time that is used to return the system to its pre-install state. We can use that to determine what has been configured. This patch: - uses the state file to determine if dogtag was installed - prevents someone from trying to re-install an installed server - displays some output when uninstalling - re-arranges the ipa_kpasswd installation so the state is properly saved - removes pkiuser if it was added by the installer - fetches and installs the CA on both masters and clients
* client installation fixes: nscd, sssd min version, bogus join errorRob Crittenden2010-05-031-10/+22
| | | | | | - Don't run nscd if using sssd, the caching of nscd conflicts with sssd - Set the minimum version of sssd to 1.1.1 to pick up needed hbac fixes - only try to read the file configuration if the server isn't passed in
* Reorder some things in the client installerRob Crittenden2010-05-031-16/+27
| | | | | | - Fetch the CA cert before running certmonger - Delete entries from the keytab before removing /etc/krb5.conf - Add and remove the IPA CA to /etc/pki/nssdb
* Use the certificate subject base in IPA when requesting certs in certmonger.Rob Crittenden2010-04-231-3/+14
| | | | | | | | | | | | | | | | | When using the dogtag CA we can control what the subject of an issued certificate is regardless of what is in the CSR, we just use the CN value. The selfsign CA does not have this capability. The subject format must match the configured format or certificate requests are rejected. The default format is CN=%s,O=IPA. certmonger by default issues requests with just CN so all requests would fail if using the selfsign CA. This subject base is stored in cn=ipaconfig so we can just fetch that value in the enrollment process and pass it to certmonger to request the right thing. Note that this also fixes ipa-join to work with the new argument passing mechanism.
* Add option to enable pam_mkhomedirs in the IPA client installerrcrit2010-03-191-5/+12
|
* Configure sssd and certmonger in ipa-client-installRob Crittenden2010-02-031-8/+94
| | | | | | | | | | | This does a number of things under the hood: - Use authconfig to enable sssd in nss and pam - Configure /etc/sssd/sssd.conf to use our IPA provider - Enable the certmonger process and request a server cert - join the IPA domain and retrieve a principal. The clinet machine *must* exist in IPA to be able to do a join. - And then undo all this on uninstall
* Remove some configuration files we create upon un-installationRob Crittenden2010-01-281-0/+6
| | | | | This is particularly important for Apache since we'd leave the web server handling unconfigured locations.
* Pass on debug option from ipa-client-install to ipa-joinRob Crittenden2009-12-091-0/+2
|