Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* Make sure the CA is running when starting services
  Author: Petr Viktorin | Date: 2012-10-23 | Files: 3 | Lines: -61/+162

  - Provide a function for determining the CA status using Dogtag 10's new getStatus endpoint. This must be done over HTTPS, but since our client certificate may not be set up yet, we need HTTPS without client authentication. Rather than copying from the existing http_request and https_request function, shared code is factored out to a common helper.
  - Call the new function when restarting the CA service. Since our Service can only be extended in platform-specific code, do this for Fedora only. Also, the status is only checked with Dogtag 10+.
  - When a restart call in cainstance failed, users were referred to the installation log, but no info was actually logged. Log the exception.

  https://fedorahosted.org/freeipa/ticket/3084
* ipa-replica-install: Use configured IPA DNS servers in forward/reverse resolution check
  Author: Petr Viktorin | Date: 2012-10-23 | Files: 1 | Lines: -8/+22

  Previously, ipa-replica-install tried to check DNS resolution on the master being cloned. If that master was not a DNS server, the check failed. Change the check to query the first available configured DNS server.

  Log about the check before actually running it. Log in the case the check is skipped (no IPA DNS servers installed).

  https://fedorahosted.org/freeipa/ticket/3194
* Improve error messages in ipa-replica-manage.
  Author: Rob Crittenden | Date: 2012-10-23 | Files: 1 | Lines: -8/+14

  Correctly handle the case where we bind using GSSAPI with an unauthorized user.

  Remove extraneous except clause. We now have a handler for LDAP errors.

  Make it explicit in a few places what server we can't connect to.

  When the remote replica is down and we are forcing its removal, remove a duplicate entry from the list of servers to remove.

  https://fedorahosted.org/freeipa/ticket/2871
* Make service naming in ipa-server-install consistent
  Author: Tomas Babej | Date: 2012-10-22 | Files: 10 | Lines: -27/+86

  Forces more consistency into ipa-server-install output. All descriptions of services that are not instances of SimpleServiceInstance are now in the following format:

    <Description> (<Service Name>)

  Furthermore, the start_creation method has been modified to support custom start and end messages. See documentation for more info.

  https://fedorahosted.org/freeipa/ticket/3059
* Refactoring of default.conf man page
  Author: Tomas Babej | Date: 2012-10-22 | Files: 1 | Lines: -37/+49

  Descriptions for the 'dogtag_version', 'startup_timeout', 'server' and 'wait_for_attr' options have been added. Option 'server' has been marked as deprecated, as it is not used anywhere in IPA code. All the options have been sorted lexicographically.

  https://fedorahosted.org/freeipa/ticket/3071
* Report ipa-upgradeconfig errors during RPM upgrade
  Author: Martin Kosek | Date: 2012-10-18 | Files: 3 | Lines: -4/+20

  Report errors just like with ipa-ldap-updater. These messages should warn the user that some parts of the upgrade may not have been successful and he should follow up on them. Otherwise, the user may not notice them at all.

  ipa-upgradeconfig now has a new --quiet option to make it output only error level log messages or higher. ipa-upgradeconfig run without options still prints INFO log messages as it can provide a clean overview of its actions (unlike ipa-ldap-updater).

  https://fedorahosted.org/freeipa/ticket/3157
* Add fallback for httpd restarts on sysV platforms
  Author: Martin Kosek | Date: 2012-10-18 | Files: 1 | Lines: -0/+17

  The httpd init script on sysV based platforms cannot guarantee that two consecutive httpd service restarts succeed when run in a small time distance. Add a fallback procedure that adds additional waiting time after such a failed restart attempt, and then tries to stop and start the service again.

  https://fedorahosted.org/freeipa/ticket/2965
* Create reverse zone in unattended mode
  Author: Martin Kosek | Date: 2012-10-19 | Files: 2 | Lines: -2/+6

  The previous fix for ticket #3161 caused ipa-{server,dns}-install to skip creation of the reverse zone when running in unattended mode. Make sure that the reverse zone is created also in unattended mode (unless --no-reverse is specified).

  https://fedorahosted.org/freeipa/ticket/3161
* Fix requesting certificates that contain subject altnames.
  Author: Rob Crittenden | Date: 2012-10-19 | Files: 1 | Lines: -0/+1

  https://fedorahosted.org/freeipa/ticket/3184
* Simpler instructions to generate certificate
  Author: Petr Vobornik | Date: 2012-10-19 | Files: 2 | Lines: -2/+2

  Instructions to generate a certificate were simplified. New instructions:

  1) Create a certificate database or use an existing one. To create a new database:
     # certutil -N -d <database path>
  2) Create a CSR with subject CN=<hostname>,O=<realm>, for example:
     # certutil -R -d <database path> -a -g <key size> -s 'CN=dev.example.com,O=DEV.EXAMPLE.COM'
  3) Copy and paste the CSR (from -----BEGIN NEW CERTIFICATE REQUEST----- to -----END NEW CERTIFICATE REQUEST-----) into the text area below:

  https://fedorahosted.org/freeipa/ticket/3056
* log dogtag errors
  Author: John Dennis | Date: 2012-10-19 | Files: 1 | Lines: -20/+48

  If we get an error from dogtag we always did raise a CertificateOperationError exception with a message describing the problem. Unfortunately that error message did not go into the log, it was just sent back to the caller. The fix is to format the error message and send the same message to both the log and use it to initialize the CertificateOperationError exception. This is done in the utility method raise_certificate_operation_error().

  https://fedorahosted.org/freeipa/ticket/2622
* Forbid overlapping primary and secondary rid ranges
  Author: Tomas Babej | Date: 2012-10-19 | Files: 2 | Lines: -20/+211

  Commands ipa idrange-add / idrange-mod no longer allow the user to enter a primary or secondary rid range that has a non-zero intersection with the primary or secondary rid range of another existing id range, as this could cause a collision.

  Unit tests added to test_range_plugin.py

  https://fedorahosted.org/freeipa/ticket/3086
* ipautil.run: Log the command line before running the command
  Author: Petr Viktorin | Date: 2012-10-17 | Files: 1 | Lines: -6/+11

  When the user interrupts a long-running command, this ensures that the command is logged. Also, when watching log files (or the -d output), it's apparent what's being done.

  https://fedorahosted.org/freeipa/ticket/3174
* extdom: handle INP_POSIX_UID and INP_POSIX_GID requests
  Author: Sumit Bose | Date: 2012-10-18 | Files: 1 | Lines: -6/+32

  Fixes https://fedorahosted.org/freeipa/ticket/3166
* Fix various issues found by Coverity
  Author: Sumit Bose | Date: 2012-10-17 | Files: 6 | Lines: -12/+22
* Add support for using AES for cross-realm TGTs
  Author: Simo Sorce | Date: 2012-10-17 | Files: 1 | Lines: -1/+10
* Warn about DNA plugin configuration when working with local ID ranges
  Author: Alexander Bokovoy | Date: 2012-10-17 | Files: 1 | Lines: -1/+22

  https://fedorahosted.org/freeipa/ticket/3116
* Don't configure a reverse zone if not desired in interactive installer.
  Author: Rob Crittenden | Date: 2012-10-17 | Files: 2 | Lines: -3/+3

  A reverse zone was always configured in the interactive installer even if you answered "no" to the reverse zone question. The only way to not configure it was the --no-reverse option.

  https://fedorahosted.org/freeipa/ticket/3161
* Add uninstall command hints to ipa-*-install
  Author: Nikolai Kondrashov | Date: 2012-10-16 | Files: 3 | Lines: -7/+11

  Add the uninstall command to the uninstall instructions in the "already installed" responses of ipa-server-install, ipa-client-install and ipa-replica-install.

  https://fedorahosted.org/freeipa/ticket/3065
* Remove bogus check for smbpasswd
  Author: Alexander Bokovoy | Date: 2012-10-16 | Files: 1 | Lines: -2/+2

  We don't use smbpasswd when configuring IPA for AD trusts anymore because we switched to using Kerberos authentication in the IPA passdb backend based on the CIFS service keytab.

  https://fedorahosted.org/freeipa/ticket/3181
* Use TLS for CA replication
  Author: Rob Crittenden | Date: 2012-10-15 | Files: 1 | Lines: -1/+1

  https://fedorahosted.org/freeipa/ticket/3162
* Use PublicError instructions support for trust-add case when domain is not found
  Author: Alexander Bokovoy | Date: 2012-10-11 | Files: 1 | Lines: -7/+8

  https://fedorahosted.org/freeipa/ticket/3167
* Add instructions support to PublicError
  Author: Alexander Bokovoy | Date: 2012-10-11 | Files: 2 | Lines: -9/+29

  When long additional text should follow the error message, one can supply the instructions parameter to a class derived from PublicError. This will cause the following text to be added to the error message:

    Additional instructions:
    <additional text>

  The `instructions' optional parameter could be a list or anything that coerces into unicode(). List entries will be joined with '\n'.

  https://fedorahosted.org/freeipa/ticket/3167
* Pull translation files from Transifex
  Author: Petr Viktorin | Date: 2012-10-11 | Files: 14 | Lines: -2862/+4444

  Patch generated by:

    cd install/po
    make pull-po
    make update-po
* Explicitly disable betxn plugins for the time being.
  Author: Rob Crittenden | Date: 2012-10-10 | Files: 5 | Lines: -0/+104

  This should work with 389-ds-base 1.2.x and 1.3.0. Without other plugin changes 389-ds-base can deadlock.

  https://fedorahosted.org/freeipa/ticket/3046
* Do not show full SSH public keys in command output by default.
  Author: Jan Cholasta | Date: 2012-10-11 | Files: 1 | Lines: -3/+3
* Use stricter requirement for krb5-server
  Author: Simo Sorce | Date: 2012-10-10 | Files: 1 | Lines: -0/+1

  Our code strictly depends on 1.10 as the KDC DAL plugin interface is not guaranteed stable and indeed is different in 1.9 and will be different in 1.11. So we cannot allow upgrades to 1.11 until we can provide a plugin that matches 1.11's interface.
* Make sure samba{,4}-winbind-krb5-locator package is not used with trusts
  Author: Alexander Bokovoy | Date: 2012-10-09 | Files: 1 | Lines: -0/+31

  Since use of winbind on a FreeIPA server that is configured with trusts conflicts with the krb5 locator based on winbind, use the alternatives mechanism to turn off the locator plugin by symlinking it to /dev/null.

  https://fedorahosted.org/freeipa/ticket/3102
* Configure the initial CA as the CRL generator.
  Author: Rob Crittenden | Date: 2012-10-09 | Files: 3 | Lines: -3/+30

  Any installed clones will have CRL generation explicitly disabled. It is a manual process to make a different CA the CRL generator. There should be only one.

  https://fedorahosted.org/freeipa/ticket/3051
* Create Firefox extension on upgrade and replica-install
  Author: Petr Viktorin | Date: 2012-10-10 | Files: 5 | Lines: -24/+74

  If the signing cert is not available, create an unsigned extension.

  Add a zip dependency to the specfile.

  https://fedorahosted.org/freeipa/ticket/3150
* replica-install: Don't copy Firefox config extension files if they're not in the replica file
  Author: Petr Viktorin | Date: 2012-10-10 | Files: 1 | Lines: -2/+6

  This allows cloning from older masters.

  https://fedorahosted.org/freeipa/ticket/3150
* ipa-upgradeconfig: Remove the upgrade_httpd_selinux function
  Author: Petr Viktorin | Date: 2012-10-10 | Files: 1 | Lines: -8/+0

  This function was never called from anywhere.
* Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-install
  Author: Alexander Bokovoy | Date: 2012-10-09 | Files: 5 | Lines: -24/+42

  Since the CIFS principal is generated by ipa-adtrust-install and is only usable after setting the CIFS configuration, there is no need to include it in the default setup.

  This should fix upgrades from 2.2 to 3.0 where the CIFS principal does not exist by default.

  https://fedorahosted.org/freeipa/ticket/3041
* Notify user about necessary ports in ipa-client-install
  Author: Tomas Babej | Date: 2012-10-09 | Files: 2 | Lines: -2/+19

  The connection error message in ipa-client-install now warns the user about the need to open all the necessary ports for ipa-client enrollment when an error that might have been caused by closed ports is encountered. Mentions the ports needed after the client enrollment as well.

  Improves other error messages during installation in various ways.

  https://fedorahosted.org/freeipa/ticket/2816
* Fix CS replication management.
  Author: Rob Crittenden | Date: 2012-10-09 | Files: 2 | Lines: -23/+57

  The master side should be on the local side, replica1, not the remote. This required reversing a few master variables. This impacts the naming of the replication agreements.

  When deleting an agreement pass in the DN of that agreement rather than trying to calculate what it is on-the-fly. We cannot be sure which side is the master/clone and since we search for it anyway to determine if the agreement exists it is more correct to use what we find.

  The force flag wasn't being passed into del_link so there was no way to force a deletion.

  https://fedorahosted.org/freeipa/ticket/2858
* Fix wrong RID for Domain Admins in the examples of trust commands
  Author: Alexander Bokovoy | Date: 2012-10-10 | Files: 1 | Lines: -2/+2
* Fix CA CRL migration crash in ipa-upgradeconfig
  Author: Martin Kosek | Date: 2012-10-10 | Files: 2 | Lines: -16/+31

  The CRL migrate procedure did not check if a CA was actually configured on an updated master/replica. This caused ipa-upgradeconfig to crash on replicas without a CA.

  Make sure that the CRL migrate procedure is not run when a CA is not configured on the given master. Also add a few try..except clauses to make the procedure more robust.

  There is also a small refactoring of "<service> is not configured" log messages, so that they have matching log level and message.

  dogtag.py constants were updated to have a correct path to the new CRL directory on Fedora 18 (dogtag 10).

  https://fedorahosted.org/freeipa/ticket/3159
* Set renewal time for the CA audit certificate to 720 days.
  Author: Rob Crittenden | Date: 2012-10-09 | Files: 2 | Lines: -7/+47

  The initial certificate is issued for two years but renewals are for six months for some reason. This fixes it for new and updated IPA installs.

  https://fedorahosted.org/freeipa/ticket/2951
* Add uniqueness plugin configuration for sudorule cn
  Author: Rob Crittenden | Date: 2012-10-08 | Files: 3 | Lines: -0/+35

  We do a search looking for duplicate values, but this leaves open the possibility that two adds are happening at the same time, so both searches return NotFound and therefore we get two entries with the same cn value.

  https://fedorahosted.org/freeipa/ticket/3017
* Move CRL publish directory to IPA owned directory
  Author: Martin Kosek | Date: 2012-10-09 | Files: 7 | Lines: -24/+146

  Currently, CRL files are being exported to a /var/lib/pki-ca sub-directory, which is then served by httpd to clients. However, this approach has several disadvantages:

  * We depend on the pki-ca directory structure and relevant permissions. If pki-ca changes directory structure or permissions on upgrade, IPA may break. This is also the root cause of the latest error, where the pki-ca directory does not have X permission for others and CRL publishing by httpd breaks.
  * Since the directory is not static and is generated during ipa-server-install, RPM upgrade of IPA packages reports errors when defining SELinux policy for these directories.

  Move the CRL publish directory to /var/lib/ipa/pki-ca/publish (common for both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy configuration does not report any error.

  The new CRL publish directory is used for both new IPA installs and upgrades, where the contents of the directory (CRLs) are first migrated to the new location and then the actual configuration change is made.

  https://fedorahosted.org/freeipa/ticket/3144
* Add mime type to httpd ipa.conf for xpi extension
  Author: Petr Vobornik | Date: 2012-10-09 | Files: 1 | Lines: -1/+2

  Some configurations don't give the proper mime type to xpi files. This patch explicitly sets it.

  https://fedorahosted.org/freeipa/ticket/3094
* Minor fixes for default SMB group
  Author: Martin Kosek | Date: 2012-10-09 | Files: 3 | Lines: -4/+4

  This patch contains additional minor fixes which were proposed during review but were not pushed (accidentally). Also amends the name of the default SMB group in the list of protected groups in group.py.

  https://fedorahosted.org/freeipa/ticket/3147
* Fix trust attributes for ipa trust-add
  Author: Simo Sorce | Date: 2012-10-09 | Files: 1 | Lines: -1/+1

  The RC4 flags in the trust attributes make sense only for trust type MIT. We are using the UPLEVEL trust type.
* ipadb: reload trust information if domain is not known
  Author: Sumit Bose | Date: 2012-10-09 | Files: 1 | Lines: -1/+39

  Currently the data about trusted domains is read once at startup. If a new trust is added the KDC must be restarted to know about the new trust.

  This patch reloads the trust data if there is a request from an unknown domain. To make DOS attacks a bit harder the data can be updated only once a minute.

  Fixes https://fedorahosted.org/freeipa/ticket/3156
* ipa-adtrust-install: create fallback group with ldif file
  Author: Sumit Bose | Date: 2012-10-09 | Files: 3 | Lines: -30/+20

  Currently the framework is used to add the group, but we want to avoid that users are added explicitly to the group by removing the objectclasses groupofnames, ipausergroup and nestedgroup, and we want to use a name with spaces in it. Both are not easily possible with the framework, so an LDIF file is used instead to create the group.

  Fixes https://fedorahosted.org/freeipa/ticket/3147
* Handle NotFound exception when establishing trust
  Author: Alexander Bokovoy | Date: 2012-10-09 | Files: 1 | Lines: -3/+34

  Establishing trust implies discovery of the trusted domain's domain controller via DNS. If DNS discovery is not possible, a NotFound exception is raised. Intercept the exception and process it to help diagnose and fix the actual problem:

  - if IPA is managing DNS, suggest to make a forward for the domain's zone
  - otherwise suggest to set up a DNS forwarder at the upstream DNS server

  https://fedorahosted.org/freeipa/ticket/3103
* support multi-line error messages in exceptions
  Author: Alexander Bokovoy | Date: 2012-10-09 | Files: 3 | Lines: -10/+42
* ipasam: generate proper SID for trusted domain object
  Author: Sumit Bose | Date: 2012-10-04 | Files: 1 | Lines: -8/+49
* Add new ipaIDobject to DNA plugin configuration
  Author: Sumit Bose | Date: 2012-10-04 | Files: 2 | Lines: -1/+6
* ipa-adtrust-install: print list of needed SRV records
  Author: Sumit Bose | Date: 2012-10-04 | Files: 1 | Lines: -9/+13

  If --no-msdcs is given on the command line, all needed SRV records will be printed.

  Fixes https://fedorahosted.org/freeipa/ticket/3019