freeipa.git/ipa-client/ipa-install, branch framework Unnamed repository; edit this file 'description' to name the repository. Make ipa 2.2 client capable of joining an older server 2012-05-02T00:38:43+00:00 Martin Kosek mkosek@redhat.com 2012-05-02T13:36:04+00:00 b8f30bce77837966597f5508625742c1bae04080 IPA server of version 2.2 and higher supports Kerberos S4U2Proxy delegation, i.e. ipa command no longer forwards Kerberos TGT to the server during authentication. However, when IPA client of version 2.2 and higher tries to join an older IPA server, the installer crashes because the pre-2.2 server expects the TGT to be forwarded. This patch adds a fallback to ipa-client-install which would detect this situation and tries connecting with TGT forwarding enabled again. User is informed about this incompatibility. Missing realm was also added to keytab kinit as it was reported to fix occasional install issues. https://fedorahosted.org/freeipa/ticket/2697 
IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. ipa command no longer forwards Kerberos TGT to the
server during authentication. However, when IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which would detect
this situation and tries connecting with TGT forwarding enabled
again. User is informed about this incompatibility.

Missing realm was also added to keytab kinit as it was reported to
fix occasional install issues.

https://fedorahosted.org/freeipa/ticket/2697
Set the "KerberosAuthentication" option in sshd_config to "no" instead of "yes". 2012-04-29T23:45:13+00:00 Jan Cholasta jcholast@redhat.com 2012-04-30T15:58:55+00:00 6569f355b61d4c0d55ca9ee2c5f36787cce73593 Setting it to "yes" causes sshd to handle kinits itself, bypassing SSSD. ticket 2689 
Setting it to "yes" causes sshd to handle kinits itself, bypassing SSSD.

ticket 2689
Fix help of --hostname option in ipa-client-install 2012-04-19T17:55:44+00:00 Martin Kosek mkosek@redhat.com 2012-04-19T17:50:57+00:00 4d66cc07dc0b8dd357ab8dfe555702130aba299f Replace word "server" with "machine" to clearly distinguish between IPA server and other machines (clients) and to also match the help with ipa-client-install man pages. https://fedorahosted.org/freeipa/ticket/1967 
Replace word "server" with "machine" to clearly distinguish between
IPA server and other machines (clients) and to also match the help
with ipa-client-install man pages.

https://fedorahosted.org/freeipa/ticket/1967
Add disovery domain if client domain is different from server domain 2012-03-15T02:06:26+00:00 Lars Sjostrom lars radicore se 2011-12-21T21:32:01+00:00 96390ca3e5f9fb89fe930e62dbd267a2de0af1d1 https://fedorahosted.org/freeipa/ticket/2209 
https://fedorahosted.org/freeipa/ticket/2209
Configure a basic ldap.conf for OpenLDAP in /etc/openldap/ldap.conf 2012-03-15T01:28:52+00:00 Rob Crittenden rcritten@redhat.com 2012-02-01T03:44:20+00:00 14975cdcddab5f757502ef7736e93a965ce1f207 Set URI, BASE and TLS_CACERT Also update the man page to include a list of files that the client changes. https://fedorahosted.org/freeipa/ticket/1810 
Set URI, BASE and TLS_CACERT

Also update the man page to include a list of files that the client
changes.

https://fedorahosted.org/freeipa/ticket/1810
More exception handlers in ipa-client-install 2012-03-09T14:48:27+00:00 Ondrej Hamada ohamada@redhat.com 2012-03-09T12:04:23+00:00 71d134dfa03eb86066eeb331815647bdff04aaa8 Added exception handler to certutil operation of adding CA to the default NSS database. If operation fails, installation is aborted and changes are rolled back. https://fedorahosted.org/freeipa/ticket/2415 If obtaining host TGT fails, the installation is aborted and changes are rolled back. https://fedorahosted.org/freeipa/ticket/1995 
Added exception handler to certutil operation of adding CA to the
default NSS database. If operation fails, installation is aborted and
changes are rolled back.

https://fedorahosted.org/freeipa/ticket/2415

If obtaining host TGT fails, the installation is aborted and changes are
rolled back.

https://fedorahosted.org/freeipa/ticket/1995
Do kinit in client before connecting to backend 2012-03-04T22:23:01+00:00 Rob Crittenden rcritten@redhat.com 2012-03-04T00:50:21+00:00 55f89dc68940e3a4376fb80e97dbd0f2773c6ed1 The client installer was failing because a backend connection could be created before a kinit was done. Allow multiple simultaneous connections. This could fail with an NSS shutdown error when the second connection was created (objects still in use). If all connections currently use the same database then there is no need to initialize, let it be skipped. Add additional logging to client installer. https://fedorahosted.org/freeipa/ticket/2478 
The client installer was failing because a backend connection could be
created before a kinit was done.

Allow multiple simultaneous connections. This could fail with an NSS
shutdown error when the second connection was created (objects still
in use). If all connections currently use the same database then there
is no need to initialize, let it be skipped.

Add additional logging to client installer.

https://fedorahosted.org/freeipa/ticket/2478
ipa-client-install not calling authconfig 2012-03-05T14:46:14+00:00 Ondrej Hamada ohamada@redhat.com 2012-02-23T16:24:46+00:00 111ca8a4823171cc29ca582ca8fb8c0c5330374c Option '--noac' was added. If set, the ipa-client-install will not call authconfig for setting nsswitch.conf and PAM configuration. https://fedorahosted.org/freeipa/ticket/2369 
Option '--noac' was added. If set, the ipa-client-install will not call
authconfig for setting nsswitch.conf and PAM configuration.

https://fedorahosted.org/freeipa/ticket/2369
Configure SSH features of SSSD in ipa-client-install. 2012-03-01T23:42:56+00:00 Jan Cholasta jcholast@redhat.com 2012-02-16T09:21:56+00:00 afad0775e16e52aa2d6637e809ad748ace838bea OpenSSH server (sshd) is configured to fetch user authorized keys from SSSD and OpenSSH client (ssh) is configured to use and trigger updates of the SSSD-managed known hosts file. This requires SSSD 1.8.0. 
OpenSSH server (sshd) is configured to fetch user authorized keys from
SSSD and OpenSSH client (ssh) is configured to use and trigger updates
of the SSSD-managed known hosts file.

This requires SSSD 1.8.0.
Use reboot from /sbin 2012-03-02T15:53:47+00:00 Petr Viktorin pviktori@redhat.com 2012-03-02T12:18:56+00:00 be14c6609be8f76a808c90e0c8be8b189dfa8333 According to FHS, the reboot command should live in /sbin. Systems may also have a symlink in /usr/bin, but they don't have to. https://fedorahosted.org/freeipa/ticket/2480 
According to FHS, the reboot command should live in /sbin.
Systems may also have a symlink in /usr/bin, but they don't have to.

https://fedorahosted.org/freeipa/ticket/2480