summaryrefslogtreecommitdiffstats
path: root/ipa-client
Commit message (Collapse)AuthorAgeFilesLines
* Fix getkeytab code to always use implicit tagging.Simo Sorce2014-06-271-4/+4
| | | | | | | | | | | | | | A mixture of implicit and explicit tagging was being used and this caused a bug in retrieving the enctype number due to the way ber_scanf() loosely treat sequences and explicit tagging. The ASN.1 notation used to describe the getkeytab operation uses implicit tagging, so by changing the code we simply follow to the specified encoding. Resolves: https://fedorahosted.org/freeipa/ticket/4404 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Do not corrupt sshd_config in client install when trailing newline is missing.Jan Cholasta2014-06-261-25/+17
| | | | | | https://fedorahosted.org/freeipa/ticket/4373 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* man: Add -r option to ipa-getkeytab.1Simo Sorce2014-06-261-1/+7
| | | | | | Update the man page with the new ipa-getkeytab option. Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* ipa-getkeytab: Add support for get_keytab extopSimo Sorce2014-06-261-5/+305
| | | | | | | | | | | | This new extended operation is tried by default and then the code falls back to the old method if it fails. The new method allows for server side password generation as well as retrieval of existing credentials w/o causing regeneration of keys on the server. Resolves: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* ipa-getkeytab: Modularize ldap_set_keytab functionSimo Sorce2014-06-261-138/+181
| | | | | | Isolate parts that will be reused in following patches. Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* ipaplatform: Move paths from installers to paths moduleTomas Babej2014-06-262-79/+78
| | | | | | Part of: https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Pylint fixesTomas Babej2014-06-161-15/+15
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths moduleTomas Babej2014-06-162-5/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove redundant imports of ipaservicesTomas Babej2014-06-162-4/+2
| | | | | | | | Also fixes few incorrect imports. https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change paths dependant on ipaservices to use ipaplatform.pathsTomas Babej2014-06-161-4/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change service code in freeipa to use ipaplatform servicesTomas Babej2014-06-163-45/+47
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change platform dependant code in freeipa to use ipaplatform tasksTomas Babej2014-06-163-12/+14
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Do not require custom Authconfig implementations from platform ↵Tomas Babej2014-06-161-63/+16
| | | | | | | | modules https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Moved Fedora 16 service implementations and refactored them as ↵Tomas Babej2014-06-161-1/+0
| | | | | | | | base Fedora module service implementations https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* admin tools: Log IPA versionPetr Viktorin2014-05-271-0/+1
| | | | | | | | | | | Add the IPA version, and vendor version if applicable, to the beginning of admintool logs -- both framework and indivitual tools that don't yet use the framework. This will make debugging easier. https://fedorahosted.org/freeipa/ticket/4219 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-client-automount should not configure nsswitch.conf manuallyGabe2014-05-161-6/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/3733 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipa-client-automount: Use rpcclient, not xmlclient, for automountlocation_showPetr Viktorin2014-05-141-1/+1
| | | | | Fix for a regression in 66fb4d5e849a049e95d3ef4fcf2b86217488634d https://fedorahosted.org/freeipa/ticket/4290
* ipa-client-install: Configure sudo to use SSSD as data sourceTomas Babej2014-05-092-1/+86
| | | | | | | | | | | Makes ipa-client-install configure SSSD as the data provider for the sudo service by default. This behaviour can be disabled by using --no-sudo flag. https://fedorahosted.org/freeipa/ticket/3358 Reviewed-By: Jakub Hrozek <jhrozek@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-client: Set NIS domain name in the installerTomas Babej2014-05-092-0/+71
| | | | | | | | | | | | | | | | Provides two new options for the ipa-client-install: --nisdomain: specifies the NIS domain name --no_nisdomain: flag to aviod setting the NIS domain name In case no --nisdomain is specified and --no_nisdomain flag was not set, the IPA domain is used. Manual pages updated. http://fedorahosted.org/freeipa/ticket/3202 Reviewed-By: Jakub Hrozek <jhrozek@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fixed various typos in ipa-client-install man pageThorsten Scherf2014-05-061-3/+3
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Add wait_for_dns option to default.conf.Petr Spacek2014-04-041-0/+9
| | | | | | | | | | | This option makes record changes in DNS tree synchronous. IPA calls will wait until new data are visible over DNS protocol or until timeout. It is intended only for testing. It should prevent tests from failing if there is bigger delay between changes in LDAP and DNS. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Make ipa-client-automount backwards compatibleMartin Kosek2014-04-021-1/+6
| | | | | | | | | | | | | | ipa-client-automount calls automountlocation-show command during the process. Unfortunately, FreeIPA commands are forward compatible only and thus fail the installer. Similarly to ipa-client-install, call XML-RPC interface directly with version fixed to 2.0 (command was already available at that version) to fix the failure. https://fedorahosted.org/freeipa/ticket/4290 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Move CACERT definition to a single place.Jan Cholasta2014-03-252-3/+1
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix order of synchronizing time when running ipa-client-installGabe2014-03-201-17/+19
| | | | | | | | | | When running ipa-client-install, it asks for user name, synchronizes time, then asks for user password which the order could be confusing to some users. This changes ipa-client-install to synchronize time before prompting for user kerberos authentication. https://fedorahosted.org/freeipa/ticket/3957 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* man: sshd should be run at least once before client enrollmentTomas Babej2014-03-051-0/+3
| | | | | | | | | | If SSH keys have not been generated prior to enrolling the client to the IPA server, they will not be uploaded to the server, since they're not present. Clarify this issue in the man pages. https://fedorahosted.org/freeipa/ticket/4055 Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
* Improve error message on failed Kerberos authenticationAna Krivokapic2014-02-181-2/+2
| | | | | | | | | | | When ipa client installation fails due to failed Kerberos authentication, make sure that the message about the failed authentication is displayed last. This makes it clear to the user that this was the reason for failed installation. https://fedorahosted.org/freeipa/ticket/3573 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipa-join usage instructions are incorrectGabe2014-02-181-1/+1
| | | | | | | | Parameter -s for ipa-join has hostame instead of hostname https://fedorahosted.org/freeipa/ticket/3250 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Enable building in C99 modeNathaniel McCallum2014-02-141-1/+1
| | | | | | | | | | | | | C99 is supported on all compilers we target and provides some useful features, including: * Standard struct initializers * Compound literals * For-loop declarations * Standard bool type * Variable arrays (use with caution) * Too many others to mention... Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ntpconf: remove redundant commentMartin Kosek2014-01-241-2/+1
| | | | https://fedorahosted.org/freeipa/ticket/4094
* Fix ntpd config on clients.Jan Cholasta2014-01-241-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/4094
* Fix ipa-client-automount uninstall when fstore is empty.Jan Cholasta2014-01-151-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/4091
* Make sure state of services is preserved after client uninstallAna Krivokapic2014-01-141-34/+47
| | | | | | | | | IPA client installation did not preserve the status of nscd and nslcd services correctly. E.g. nscd would be started after uninstallation, even though it wasn't running before client installation. Make sure the state of services is saved before installation and correctly restored after uninstallation. https://fedorahosted.org/freeipa/ticket/3790
* Use /usr/bin/python2Xiao-Long Chen2014-01-032-2/+2
| | | | | | | | | | | | Part of the effort to port FreeIPA to Arch Linux, where Python 3 is the default. FreeIPA hasn't been ported to Python 3, so the code must be modified to run /usr/bin/python2 https://fedorahosted.org/freeipa/ticket/3438 Updated by pviktori@redhat.com
* ipa-client-install: Always pass hostname to the ipa-joinTomas Babej2013-12-091-4/+4
| | | | | | | | | | | The ipa-client-install script and ipa-join use different methods of resolving the hostname, the former uses gethostbyaddr() call, while the latter reads the "uinfo.nodename". This can result ipa-client-install failures in case of broken PTR records. https://fedorahosted.org/freeipa/ticket/4027
* Allow kernel keyring CCACHE when supportedMartin Kosek2013-12-091-0/+7
| | | | | | | Server and client installer should allow kernel keyring ccache when supported. https://fedorahosted.org/freeipa/ticket/4013
* Remove CFLAGS duplication.Jan Cholasta2013-12-061-1/+0
| | | | https://fedorahosted.org/freeipa/ticket/3896
* Switch client to JSON-RPCPetr Viktorin2013-11-263-9/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC. This is done by subclassing and extending xmlrpclib, because our existing code relies on xmlrpclib internals. The URI to use is given in the new jsonrpc_uri env variable. When it is not given, it is generated from xmlrpc_uri by replacing /xml with /json. The rpc_json_uri env variable existed before, but was unused, undocumented and not set the install scripts. This patch removes it in favor of jsonrpc_uri (for consistency with xmlrpc_uri). Add the rpc_protocol env variable to control the protocol IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed to 'xmlrpc'. Make backend.Executioner and tests use the backend specified by rpc_protocol. For compatibility with unwrap_xml, decoding JSON now gives tuples instead of lists. Design: http://freeipa.org/page/V3/JSON-RPC Ticket: https://fedorahosted.org/freeipa/ticket/3299
* ipa-client-install: Publish CA certificate to systemwide storeTomas Babej2013-11-201-1/+12
| | | | | | | | | | | During the installation, copy the CA certificate to the systemwide store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the systemwide CA database. This allows browsers to access IPA WebUI without warning out of the box. https://fedorahosted.org/freeipa/ticket/3504
* Removed old firefox configuration scriptsMartin Basti2013-11-158-188/+0
| | | | Part of ticket https://fedorahosted.org/freeipa/ticket/3821
* ipa-client-install: Added options to configure firefoxMartin Basti2013-11-151-1/+95
| | | | | | | | | Option --configure-firefox configures firefox to use Kerberos credentials within IPA domain Optional option --firefox-dir=DIR allows to user to specify non-standard path where firefox install directory is placed. Part of ticket: https://fedorahosted.org/freeipa/ticket/3821
* Turn LDAPEntry.single_value into a dictionary-like property.Jan Cholasta2013-11-051-1/+1
| | | | | | This change makes single_value consistent with the raw property. https://fedorahosted.org/freeipa/ticket/3521
* Add nsswitch.conf to FILES section of ipa-client-install man pageMartin Kosek2013-10-291-0/+1
| | | | | | This file is always updated when client is installed or uninstalled. https://fedorahosted.org/freeipa/ticket/3995
* Do not roll back failed client installation on serverAna Krivokapic2013-10-251-0/+5
| | | | | | | | In case of a failed enrollment, IPA client rolls back any changes it has made to the system. In order to have a more debuggable setup, do not roll back these changes in the case of an IPA server install. https://fedorahosted.org/freeipa/ticket/3990
* Added warning if cert '/etc/ipa/ca.crt' existsMartin Basti2013-10-161-0/+4
| | | | https://fedorahosted.org/freeipa/ticket/3944
* ipa-client-install: Verify RPC connection with a pingPetr Viktorin2013-10-041-0/+9
| | | | | | | | | With old servers, it is possible that xmlclient.connect() succeeds but commands fail with a Kerberos error. Verify that commands succeed by sending a ping after connecting. Follow-up to: https://fedorahosted.org/freeipa/ticket/3931
* ipa-client-install: Use direct RPC instead of api.CommandPetr Viktorin2013-10-041-3/+13
| | | | | | | | | | | | To make sure the installation works with older servers, use XML-RPC directly, with a version set explicitly so the request is not rejected. RPC was chosen over ldapmodify, because going through the API allows the server to process the request properly, or even cleanly reject it if there are incompatible changes in future versions. https://fedorahosted.org/freeipa/ticket/3931
* Do not set DNS discovery domain in server modeMartin Kosek2013-10-031-1/+2
| | | | | | | In server mode, the discovery domain should be left unset in all cases as the DNS discovery is only driven by the AD domains. https://fedorahosted.org/freeipa/ticket/3947
* Use getent admin@domain for nss check in ipa-client-installTomas Babej2013-09-201-2/+2
| | | | | | | | Use 'getent admin@domain' rather than 'getent admin@REALM' to check if nss is working properly since admin@REALM check fails in case the domain and the realm name does not match. https://fedorahosted.org/freeipa/ticket/3906
* Fix invocations of FileError in ipa-client-installAna Krivokapic2013-09-091-10/+12
| | | | | | | | Some of the FileErrors in ipa-client-install were raised incorrectly (without the 'reason' argument), which resulted in bad error messages during ipa-client-install. https://fedorahosted.org/freeipa/ticket/3758
* Replace ntpdate calls with ntpdAna Krivokapic2013-09-091-14/+12
| | | | | | | Due to the upcoming deprecation of the ntpdate program (targeted for Fedora 20), replace ntpdate calls with ntpd. https://fedorahosted.org/freeipa/ticket/3797