Commit message | Author | Age | Files | Lines
* Become IPA 3.3.4 [release-3-3-4] | Martin Kosek | 2014-01-28 | 1 | -1/+1
|
* Added warning if cert '/etc/ipa/ca.crt' exists | Martin Basti | 2014-01-27 | 1 | -0/+4
| https://fedorahosted.org/freeipa/ticket/3944
* ntpconf: remove redundant comment | Martin Kosek | 2014-01-24 | 1 | -2/+1
| https://fedorahosted.org/freeipa/ticket/4094
* Fix ntpd config on clients. | Jan Cholasta | 2014-01-24 | 2 | -1/+11
| https://fedorahosted.org/freeipa/ticket/4094
* CLDAP: add unit tests for make_netbios_name | Sumit Bose | 2014-01-23 | 2 | -0/+87
|
* CLDAP: generate NetBIOS name like ipa-adtrust-install does | Sumit Bose | 2014-01-23 | 2 | -14/+35
| Fixes https://fedorahosted.org/freeipa/ticket/4116
* ipasam: delete trusted child domains before removing the trust | Alexander Bokovoy | 2014-01-21 | 1 | -1/+44
| LDAP protocol doesn't allow deleting non-leaf entries. One needs to
| remove all leaves first before removing the tree node.
|
| https://fedorahosted.org/freeipa/ticket/4126
* Trust domains Web UI | Petr Vobornik | 2014-01-21 | 4 | -4/+77
| Add Web UI counterpart of following CLI commands:
|
| * trust-fetch-domains   Refresh list of the domains associated with the trust
| * trustdomain-del       Remove information about the domain associated with the trust.
| * trustdomain-disable   Disable use of IPA resources by the domain of the trust
| * trustdomain-enable    Allow use of IPA resources by the domain of the trust
| * trustdomain-find      Search domains of the trust
|
| https://fedorahosted.org/freeipa/ticket/4119
* Hide trust-resolve command | Martin Kosek | 2014-01-20 | 1 | -0/+1
| We do not need to expose a public FreeIPA specific interface to resolve
| SIDs to names. The interface is only used internally to resolve SIDs
| when external group members are listed. Additionally, the command
| interface is not prepared for regular user and can give rather confusing
| results.
|
| Hide it from CLI. The API itself is still accessible and compatible with
| older clients.
|
| https://fedorahosted.org/freeipa/ticket/4113
* ipatests: Check for legacy_client attribute presence if unapplying fixes | Tomas Babej | 2014-01-20 | 1 | -1/+5
| When legacy client tests fail during IPA installation, the legacy client
| test produces an additional misleading error (the real cause is reported
| as well).
|
| This happens due to the fact that we try to cleanup host that was not yet
| defined. We need to check for this attribute being defined before
| unapplying fixes there.
|
| https://fedorahosted.org/freeipa/ticket/4124
* ipatests: Remove sudo calls from tasks | Tomas Babej | 2014-01-20 | 1 | -2/+2
| Sudo calls are not necessary since we log in as a root. Additionally,
| sudo requires tty in default configuration, which is not acquired when
| using OpenSSH transport.
|
| https://fedorahosted.org/freeipa/ticket/4125
* ipa-adtrust-install: configure host netbios name by default | Alexander Bokovoy | 2014-01-20 | 2 | -0/+4
| Ensure we set host netbios name by default in smb.conf
|
| https://fedorahosted.org/freeipa/ticket/4116
* Remove SID resolve call from Web UI | Petr Vobornik | 2014-01-20 | 2 | -48/+0
| - it's called in group-show
|
| https://bugzilla.redhat.com/show_bug.cgi?id=1054391
| https://fedorahosted.org/freeipa/ticket/4123
* group-show: resolve external members of the groups | Alexander Bokovoy | 2014-01-20 | 1 | -0/+15
| Perform SID to name conversion for existing external members of the
| groups if trust is configured.
|
| https://bugzilla.redhat.com/show_bug.cgi?id=1054391
| https://fedorahosted.org/freeipa/ticket/4123
* Increase service startup timeout default. | Jan Cholasta | 2014-01-17 | 1 | -1/+1
| https://fedorahosted.org/freeipa/ticket/4078
* Remove missing VERSION warning in dnsrecord-mod | Martin Kosek | 2014-01-17 | 1 | -1/+1
| dnsrecord-mod may call dnsrecord-delentry command when all records are
| deleted. However, the version was not passed to delentry and it resulted
| in a warning.
|
| https://fedorahosted.org/freeipa/ticket/4120
* cli.print_attribute: Convert values to strings | Petr Viktorin | 2014-01-17 | 1 | -1/+1
| When output_for_cli was called directly, rather than for values received
| through XML or JSON API, joining multiple values failed on non-strings
| such as DN objects.
|
| Convert output to strings before printing it out.
* Stop adding a default password policy reference | Simo Sorce | 2014-01-16 | 11 | -76/+0
| Both the password plugin and the kdb driver code automatically fall back
| to the default password policy, so stop adding an explicit reference to
| user objects and instead rely on the fallback.
|
| This way users created via the framework and users created via winsync
| plugin behave the same way wrt password policies and no surprises will
| happen.
|
| Also in case we need to change the default password policy DN this will
| allow just code changes instead of having to change each user entry
| created, and distinguish between the default policy and explicit admin
| changes.
|
| Related: https://fedorahosted.org/freeipa/ticket/4085
|
| Patch backported/updated by Martin Kosek to accommodate different
| ipatests structure in ipa-3-3 branch.
* Harmonize policy discovery to kdb driver | Simo Sorce | 2014-01-16 | 1 | -89/+17
| The KDB driver does not walk the tree back like the original password
| plugin. Also we do not store the default policy in the base DN as we used
| to do in the past anymore. So doing a full subtree search and walking
| back the tree is just a waste of time.
|
| Instead hardcode the default policy like we do in the kdb driver.
|
| Fixes: https://fedorahosted.org/freeipa/ticket/4085
* Do not start the service in stopped_service if it was not running before. | Jan Cholasta | 2014-01-15 | 1 | -3/+0
| This fixes a possible NSS database corruption in renew_ca_cert.
* ipaserver/install/installutils: clean up properly after yield | Alexander Bokovoy | 2014-01-15 | 1 | -11/+14
| When a context to which we yield generates exception, the code in
| private_ccache() and stopped_service() didn't get called for cleanup.
* CLDAP: do not prepend \\ | Sumit Bose | 2014-01-15 | 1 | -1/+1
| For NETLOGON_NT_VERSION_5EX requests the prepended \\ is not expected in
| the PDC NetBIOS name. In general AD seems to be smart enough to handle
| the two \ signs. But if the NetBIOS name reaches the maximum of 15
| characters AD does not accept the responses anymore.
|
| Fixes https://fedorahosted.org/freeipa/ticket/4028
* trustdomain-find: report status of the (sub)domain | Alexander Bokovoy | 2014-01-15 | 1 | -1/+17
| Show status of each enumerated domain
|
| trustdomain-find shows list of domains associated with the trust. Each
| domain except the trust forest root can be enabled or disabled with the
| help of trustdomain-enable and trustdomain-disable commands.
|
| https://fedorahosted.org/freeipa/ticket/4096
* trust-fetch-domains: create ranges for new child domains | Alexander Bokovoy | 2014-01-15 | 1 | -121/+135
| When trust is added, we do create ranges for discovered child domains.
| However, this functionality was not available through
| 'trust-fetch-domains' command.
|
| Additionally, make sure non-existing trust will report proper error in
| trust-fetch-domains.
|
| https://fedorahosted.org/freeipa/ticket/4111
| https://fedorahosted.org/freeipa/ticket/4104
* Fix ipa-client-automount uninstall when fstore is empty. | Jan Cholasta | 2014-01-15 | 1 | -1/+1
| https://fedorahosted.org/freeipa/ticket/4091
* Add missing example to sudorule | Martin Kosek | 2014-01-15 | 1 | -1/+20
| https://fedorahosted.org/freeipa/ticket/4090
* sudoOrder missing in sudoers | Martin Kosek | 2014-01-15 | 1 | -0/+2
| sudoers compat plugin configuration missed the sudoOrder attribute and
| it thus did not show up in ou=sudoers. Add the definition to update file.
|
| https://fedorahosted.org/freeipa/ticket/4107
* Change the way we determine if the host has a password set. | Rob Crittenden | 2014-01-15 | 2 | -1/+28
| When creating a host with a password we don't set a Kerberos principal
| or add the Kerberos objectclasses. Those get added when the host is
| enrolled. If one passed in --password= (so no password) then we
| incorrectly thought the user was in fact setting a password, so the
| principal and objectclasses weren't updated.
|
| https://fedorahosted.org/freeipa/ticket/4102
* hbactest does not work for external users | Martin Kosek | 2014-01-10 | 1 | -3/+5
| Original patch for ticket #3803 implemented support to resolve SIDs
| through SSSD. However, it also broke hbactest for external users. The
| result of the updated external member group search must be local
| non-external groups, not the external ones. Otherwise the rule is not
| matched.
|
| https://fedorahosted.org/freeipa/ticket/3803
* Revert restart scripts file permissions change | Martin Kosek | 2014-01-08 | 2 | -0/+0
| Previous commit accidentally added executable permission to
| restart_pkicad and stop_pkicad.
* PKI service restart after CA renewal failed | Jan Cholasta | 2014-01-08 | 6 | -30/+42
| Fix both the service restart procedure and registration of old pki-cad
| well known service name.
|
| This patch was adapted from original patch of Jan Cholasta 178 to fix
| ticket 4092.
|
| https://fedorahosted.org/freeipa/ticket/4092
* Increase Java stack size on s390 platforms | Martin Kosek | 2014-01-03 | 1 | -2/+2
| As reported in https://bugzilla.redhat.com/show_bug.cgi?id=1040576, the
| default stack trace needs to be also increased on s390 platforms to
| prevent rhino segfault.
* Prevent garbage from readline on standard output of dogtag-ipa-retrieve-agent. | Jan Cholasta | 2014-01-02 | 1 | -0/+4
| https://fedorahosted.org/freeipa/ticket/4064
* Increase Java stack size on PPC platforms | Martin Kosek | 2013-12-13 | 1 | -0/+4
| With the default stack size, rhino segfaulted on PPC platforms.
|
| https://bugzilla.redhat.com/show_bug.cgi?id=1040576
* Increase stack size for Web UI builder | Petr Vobornik | 2013-12-13 | 3 | -6/+13
| Web UI build fails on some architectures or configuration due to
| StackOverflow. This patch increases the stack size to solve it.
|
| 512k is usually enough but we encountered fail on ppc64 even with 2m,
| therefore the 8m. The build is single threaded so it shouldn't waste
| much memory.
* trust: fix get_dn() to distinguish creating and re-adding trusts | Alexander Bokovoy | 2013-12-11 | 1 | -2/+2
| Latest support for subdomains introduced regression that masked
| difference between newly added trust and re-added one.
|
| Additionally, in case no new subdomains were found, the code was
| returning None instead of an empty list which later could confuse
| trustdomain-find command.
|
| https://fedorahosted.org/freeipa/ticket/4067
* ipa-cldap: Cut NetBIOS name after 15 characters | Tomas Babej | 2013-12-11 | 2 | -1/+6
| The CLDAP DS plugin uses the uppercased first segment of the fully
| qualified hostname as the NetBIOS name. We need to limit its size to 15
| characters.
|
| https://fedorahosted.org/freeipa/ticket/4028
* test_webui: Allow False values in configuration for no_ca, no_dns, has_trusts | Petr Viktorin | 2013-12-10 | 1 | -3/+3
| The driver only checked if the corresponding value was in the config, so
| no_dns: False had the same effect as no_dns: True
|
| Change the check to take the value into consideration. This makes
| false-y values like False (from YAML) and empty string (from
| environment) work as if the value was not specified.
* ipa-client-install: Always pass hostname to the ipa-join | Tomas Babej | 2013-12-09 | 1 | -4/+4
| The ipa-client-install script and ipa-join use different methods of
| resolving the hostname, the former uses gethostbyaddr() call, while the
| latter reads the "uinfo.nodename".
|
| This can result in ipa-client-install failures in case of broken PTR
| records.
|
| https://fedorahosted.org/freeipa/ticket/4027
* Allow kernel keyring CCACHE when supported | Martin Kosek | 2013-12-09 | 4 | -1/+35
| Server and client installer should allow kernel keyring ccache when
| supported.
|
| https://fedorahosted.org/freeipa/ticket/4013
* Fix license in some Web UI files | Petr Vobornik | 2013-12-09 | 4 | -20/+17
| Modified web ui files had incorrect GPLv2 headers instead of GPLv3 ones.
| All of the affected code is of FreeIPA origin.
* test_integration: Log external hostname in Host.ldap_connect | Petr Viktorin | 2013-12-06 | 1 | -1/+1
| This may make debugging easier if the address is set incorrectly.
* test_integration: Support external names for hosts | Petr Viktorin | 2013-12-06 | 2 | -7/+16
| The framework had a concept of external hostnames, which the controller
| uses to contact the test machines, but they were not loaded from
| configuration.
|
| Load external names from configuration.
|
| This makes tests pass in setups where internal and external hostnames
| are different, and the internal hostnames are not initially resolvable
| from the controller.
* Fix license tag in python setup files | Simo Sorce | 2013-12-05 | 2 | -2/+2
| Apparently when we relicensed to GPLv3 we missed these two spots. The
| actual boilerplate was changed in these files but not the license tag
| passed to python setup.
* Fix -Wformat-security warnings | Krzysztof Klimonda | 2013-12-03 | 2 | -7/+7
|
* Revert "Remove mod_ssl port workaround." | Petr Viktorin | 2013-12-02 | 3 | -15/+12
| This reverts commit 3a11044664341257a3929da2db1c493659515eec.
|
| The required version of httpd is not available in Fedora 19. Revert to
| using the workaround for the 3.3 branch.
* Own /usr/share/ipa/ui/js/ in the spec file. | Jan Cholasta | 2013-12-02 | 1 | -0/+1
| https://fedorahosted.org/freeipa/ticket/4010
* Use hardening flags for ipa-optd. | Jan Cholasta | 2013-12-02 | 2 | -1/+5
| https://fedorahosted.org/freeipa/ticket/4010
* subdomains: Use AD admin credentials when trust is being established | Alexander Bokovoy | 2013-11-29 | 2 | -17/+38
| When AD administrator credentials are passed, they are stored in
| realm_passwd, not realm_password in the options.
|
| When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure
| to normalize them.
|
| Additionally, force Samba auth module to use NTLMSSP in case we have
| credentials because at the point when trust is established, KDC is not
| yet ready to issue tickets to a service in the other realm due to MS-PAC
| information caching effects. The logic is a bit fuzzy because
| credentials code makes decisions on what to use based on the smb.conf
| parameters and Python bindings to set parameters to smb.conf make it so
| that auth module believes these parameters were overridden by the user
| through the command line and ignore some of options. We have to do calls
| in the right order to force NTLMSSP use instead of Kerberos.
|
| Fixes https://fedorahosted.org/freeipa/ticket/4046
* trusts: Always stop and disable smb service on uninstall | Tomas Babej | 2013-11-26 | 1 | -8/+7
| https://fedorahosted.org/freeipa/ticket/4042