summaryrefslogtreecommitdiffstats
path: root/ipa-client/ipa-install/ipa-client-install
Commit message (Collapse)AuthorAgeFilesLines
* Enable SSSD on client installMartin Kosek2012-12-181-0/+18
| | | | | | | | | | | authconfig component changed its behavior. It no longer starts and enables SSSD daemon when --enablesssd and --enablesssdauth options are used. It only enables the PAM module and adds SSSD to nsswitch. Enable SSSD on new client/server installs manually. Also make sure that we stop&disable SSSD when we delete the configuration. https://fedorahosted.org/freeipa/ticket/3307
* Compliant client side session cookie behaviorJohn Dennis2012-12-101-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In summary this patch does: * Follow the defined rules for cookies when: - receiving a cookie (process the attributes) - storing a cookie (store cookie + attributes) - sending a cookie + validate the cookie domain against the request URL + validate the cookie path against the request URL + validate the cookie expiration + if valid then send only the cookie, no attribtues * Modifies how a request URL is stored during a XMLRPC request/response sequence. * Refactors a bit of the request/response logic to allow for making the decision whether to send a session cookie instead of full Kerberous auth easier. * The server now includes expiration information in the session cookie it sends to the client. The server always had the information available to prevent using an expired session cookie. Now that expiration timestamp is returned to the client as well and now the client will not send an expired session cookie back to the server. * Adds a new module and unit test for cookies (see below) Formerly we were always returning the session cookie no matter what the domain or path was in the URL. We were also sending the cookie attributes which are for the client only (used to determine if to return a cookie). The attributes are not meant to be sent to the server and the previous behavior was a protocol violation. We also were not checking the cookie expiration. Cookie library issues: We need a library to create, parse, manipulate and format cookies both in a client context and a server context. Core Python has two cookie libraries, Cookie.py and cookielib.py. Why did we add a new cookie module instead of using either of these two core Python libaries? Cookie.py is designed for server side generation but can be used to parse cookies on the client. It's the library we were using in the server. However when I tried to use it in the client I discovered it has some serious bugs. There are 7 defined cookie elements, it fails to correctly parse 3 of the 7 elements which makes it unusable because we depend on those elements. Since Cookie.py was designed for server side cookie processing it's not hard to understand how fails to correctly parse a cookie because that's a client side need. (Cookie.py also has an awkward baroque API and is missing some useful functionality we would have to build on top of it). cookielib.py is designed for client side. It's fully featured and obeys all the RFC's. It would be great to use however it's tightly coupled with another core library, urllib2.py. The http request and response objects must be urllib2 objects. But we don't use urllib2, rather we use httplib because xmlrpclib uses httplib. I don't see a reason why a cookie library should be so tightly coupled to a protocol library, but it is and that means we can't use it (I tried to just pick some isolated entrypoints for our use but I kept hitting interaction/dependency problems). I decided to solve the cookie library problems by writing a minimal cookie library that does what we need and no more than that. It is a new module in ipapython shared by both client and server and comes with a new unit test. The module has plenty of documentation, no need to repeat it here. Request URL issues: We also had problems in rpc.py whereby information from the request which is needed when we process the response is not available. Most important was the requesting URL. It turns out that the way the class and object relationships are structured it's impossible to get this information. Someone else must have run into the same issue because there was a routine called reconstruct_url() which attempted to recreate the request URL from other available information. Unfortunately reconstruct_url() was not callable from inside the response handler. So I decided to store the information in the thread context and when the request is received extract it from the thread context. It's perhaps not an ideal solution but we do similar things elsewhere so at least it's consistent. I removed the reconstruct_url() function because the exact information is now in the context and trying to apply heuristics to recreate the url is probably not robust. Ticket https://fedorahosted.org/freeipa/ticket/3022
* Fix sshd feature checkMartin Kosek2012-12-101-4/+8
| | | | | | | | | | | OpenSSH server included in Fedora 18 raises a validation error when the tested AuthorizedKeysCommand/PubKeyAgent option is tested with an empty value. It requires a command with an absolute path to be passed. Due to this issue, sshd support is never configured on Fedora 18. Pass the real agent we will use later to the testing command to avoid this error.
* Stop and disable conflicting time&date servicesMartin Kosek2012-12-071-0/+27
| | | | | | | | | | | | | | | | | | | | Fedora 16 introduced chrony as default client time&date synchronization service: http://fedoraproject.org/wiki/Features/ChronyDefaultNTP Thus, there may be people already using chrony as their time and date synchronization service before installing IPA. However, installing IPA server or client on such machine may lead to unexpected behavior, as the IPA installer would configure ntpd and leave the machine with both ntpd and chronyd enabled. However, since the OS does not allow both chronyd and ntpd to be running concurrently and chronyd has the precedence, ntpd would not be run on that system at all. Make sure, that user is warned when trying to install IPA on such system and is given a possibility to either not to let IPA configure ntpd at all or to let the installer stop and disable chronyd. https://fedorahosted.org/freeipa/ticket/2974
* Specify includedir in krb5.conf on new installsJakub Hrozek2012-12-061-1/+6
| | | | https://fedorahosted.org/freeipa/ticket/3132
* Change network configuration fileMartin Kosek2012-12-051-8/+2
| | | | | | | | | | | Fedora+systemd changed deprecated /etc/sysconfig/network which was used by IPA to store static hostname for the IPA machine. See https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details. Change Fedora platform files to store the hostname to /etc/hostname instead. https://fedorahosted.org/freeipa/ticket/3279
* Restart sssd after authconfig updateSumit Bose2012-12-031-0/+6
| | | | | | | | | | | | | Recent versions of authconfig do not restart sssd if only the --enablesssd and --enablesssdauth options are used. To make sure sssd is running after ipa-server-install is run this patch add an unconditional restart of sssd after authconfig is run during the installation. Since there already is some logic trying to determine if sssd needs to be restarted or stopped if freeipa in uninstalled no changes are needed here. Fixes https://fedorahosted.org/freeipa/ticket/3267
* Add uninstall command hints to ipa-*-installNikolai Kondrashov2012-10-161-1/+2
| | | | | | | | Add uninstall command to the uninstall instructions in the "already installed" responses of ipa-server-install, ipa-client-install and ipa-replica-install. https://fedorahosted.org/freeipa/ticket/3065
* Notify user about necessary ports in ipa-client-installTomas Babej2012-10-091-2/+18
| | | | | | | | | | | | Connection error message in ipa-client-install now warns the user about the need of opening of all the necessary ports for ipa-client enrollment when error that might have been caused by closed ports is encountered. Mentions the ports needed after the client enrollment as well. Improves other error messages during installation in various ways. https://fedorahosted.org/freeipa/ticket/2816
* Clear kernel keyring in client installer, save dbdir on new connectionsRob Crittenden2012-10-031-1/+10
| | | | | | | | | | | | | | | | | | | This patch addresses two issues: 1. If a client is previously enrolled in an IPA server and the server gets re-installed then the client machine may still have a keyring entry for the old server. This can cause a redirect from the session URI to the negotiate one. As a rule, always clear the keyring when enrolling a new client. 2. We save the NSS dbdir in the connection so that when creating a new session we can determine if we need to re-initialize NSS or not. Most of the time we do not. The dbdir was not always being preserved between connections which could cause an NSS_Shutdown() to happen which would fail because of existing usage. This preserves the dbdir information when a new connection is created as part of the session mechanism. https://fedorahosted.org/freeipa/ticket/3108
* Don't use bare except: clauses in ipa-client-installPetr Viktorin2012-09-271-13/+13
| | | | | | | | Instead of `except:`, use `except Exception:`. This means that errors like KeyboardInterrupt are not handled, letting them terminate the script as expected. https://fedorahosted.org/freeipa/ticket/2941
* Set master_kdc and dns_lookup_kdc to trueSumit Bose2012-09-191-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/2515
* Improves sssd.conf handling during ipa-client uninstallTomas Babej2012-09-201-15/+97
| | | | | | | | | | | | | | | | | | | | | | | The sssd.conf file is no longer left behind in case sssd was not configured before the installation. However, the patch goes behind the scope of this ticked and improves the handling of sssd.conf during the ipa-client-install --uninstall in general. The current behaviour (well documented in source code) is as follows: - In general, the IPA domain is simply removed from the sssd.conf file, instead of sssd.conf being rewritten from the backup. This preserves any domains added after installation. - If sssd.conf existed before the installation, it is restored to sssd.conf.bkp. However, any IPA domains from pre-installation sssd.conf should have been merged during the installation. - If sssd.conf did not exist before the installation, and no other domains than IPA domain exist in it, the patch makes sure that sssd.conf is moved to sssd.conf.deleted so user experiences no crash during any next installation due to its existence. https://fedorahosted.org/freeipa/ticket/2740
* Add --no-ssh option to ipa-client-install to disable OpenSSH client ↵Jan Cholasta2012-09-131-32/+46
| | | | | | | | | configuration. If both --no-ssh and --no-sshd are specified, do not configure the SSH service in SSSD. ticket 3070
* Add the SSH service to SSSD config file before trying to activate it.Jan Cholasta2012-09-131-2/+6
| | | | ticket 3069
* Use temporary key cache for host key in server installationPetr Viktorin2012-09-131-1/+2
| | | | This fixes an oversight in the earlier patch
* Fix server installationPetr Viktorin2012-09-111-2/+10
| | | | | The fix to ticket #2982 removed a kinit call when the client was installed as part of a master. Re-add the kinit call in this case.
* ipa-client-install: Obtain host TGT from one specific KDCPetr Viktorin2012-09-101-15/+39
| | | | | | | | | | | | | | | | When clients install, they use kinit to obtain a TGT, which uses DNS to find the KDC to connect to. It might happen that the newly created principal has not replicated to selected KDC yet, making kinit fail and aborting the install. The client sets a temporary krb5 config file while installing via $KRB5_CONFIG. Modify this file so that the kerberos library only uses the specific server we're installing under, and call kinit while it's still in place. Clean up the configure_krb5_conf function to remove unused arguments. For clarity, use keyword arguments when calling it. https://fedorahosted.org/freeipa/ticket/2982
* Use OpenSSH-style public keys as the preferred format of SSH public keys.Jan Cholasta2012-09-061-18/+11
| | | | | | | | | | | | | | | Public keys in the old format (raw RFC 4253 blob) are automatically converted to OpenSSH-style public keys. OpenSSH-style public keys are now stored in LDAP. Changed sshpubkeyfp to be an output parameter, as that is what it actually is. Allow parameter normalizers to be used on values of any type, not just unicode, so that public key blobs (which are str) can be normalized to OpenSSH-style public keys. ticket 2932, 2935
* Run ntpdate in verbose mode, not debug (i.e. no-op) modePetr Viktorin2012-09-041-2/+2
| | | | | | | Remove the debug argument to synconce_ntp since we always want the logs to be verbose. https://fedorahosted.org/freeipa/ticket/3048
* Handle SSSD restart crash more gently.Tomas Babej2012-08-141-1/+4
| | | | | | | | In ipa-client-install, failure of restart of sssd service no longer causes the crash of the install process. Adds a warning message to the root logger instead. https://fedorahosted.org/freeipa/ticket/2827
* Use DN objects instead of stringsJohn Dennis2012-08-121-8/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Convert every string specifying a DN into a DN object * Every place a dn was manipulated in some fashion it was replaced by the use of DN operators * Add new DNParam parameter type for parameters which are DN's * DN objects are used 100% of the time throughout the entire data pipeline whenever something is logically a dn. * Many classes now enforce DN usage for their attributes which are dn's. This is implmented via ipautil.dn_attribute_property(). The only permitted types for a class attribute specified to be a DN are either None or a DN object. * Require that every place a dn is used it must be a DN object. This translates into lot of:: assert isinstance(dn, DN) sprinkled through out the code. Maintaining these asserts is valuable to preserve DN type enforcement. The asserts can be disabled in production. The goal of 100% DN usage 100% of the time has been realized, these asserts are meant to preserve that. The asserts also proved valuable in detecting functions which did not obey their function signatures, such as the baseldap pre and post callbacks. * Moved ipalib.dn to ipapython.dn because DN class is shared with all components, not just the server which uses ipalib. * All API's now accept DN's natively, no need to convert to str (or unicode). * Removed ipalib.encoder and encode/decode decorators. Type conversion is now explicitly performed in each IPASimpleLDAPObject method which emulates a ldap.SimpleLDAPObject method. * Entity & Entry classes now utilize DN's * Removed __getattr__ in Entity & Entity clases. There were two problems with it. It presented synthetic Python object attributes based on the current LDAP data it contained. There is no way to validate synthetic attributes using code checkers, you can't search the code to find LDAP attribute accesses (because synthetic attriutes look like Python attributes instead of LDAP data) and error handling is circumscribed. Secondly __getattr__ was hiding Python internal methods which broke class semantics. * Replace use of methods inherited from ldap.SimpleLDAPObject via IPAdmin class with IPAdmin methods. Directly using inherited methods was causing us to bypass IPA logic. Mostly this meant replacing the use of search_s() with getEntry() or getList(). Similarly direct access of the LDAP data in classes using IPAdmin were replaced with calls to getValue() or getValues(). * Objects returned by ldap2.find_entries() are now compatible with either the python-ldap access methodology or the Entity/Entry access methodology. * All ldap operations now funnel through the common IPASimpleLDAPObject giving us a single location where we interface to python-ldap and perform conversions. * The above 4 modifications means we've greatly reduced the proliferation of multiple inconsistent ways to perform LDAP operations. We are well on the way to having a single API in IPA for doing LDAP (a long range goal). * All certificate subject bases are now DN's * DN objects were enhanced thusly: - find, rfind, index, rindex, replace and insert methods were added - AVA, RDN and DN classes were refactored in immutable and mutable variants, the mutable variants are EditableAVA, EditableRDN and EditableDN. By default we use the immutable variants preserving important semantics. To edit a DN cast it to an EditableDN and cast it back to DN when done editing. These issues are fully described in other documentation. - first_key_match was removed - DN equalty comparison permits comparison to a basestring * Fixed ldapupdate to work with DN's. This work included: - Enhance test_updates.py to do more checking after applying update. Add test for update_from_dict(). Convert code to use unittest classes. - Consolidated duplicate code. - Moved code which should have been in the class into the class. - Fix the handling of the 'deleteentry' update action. It's no longer necessary to supply fake attributes to make it work. Detect case where subsequent update applies a change to entry previously marked for deletetion. General clean-up and simplification of the 'deleteentry' logic. - Rewrote a couple of functions to be clearer and more Pythonic. - Added documentation on the data structure being used. - Simplfy the use of update_from_dict() * Removed all usage of get_schema() which was being called prior to accessing the .schema attribute of an object. If a class is using internal lazy loading as an optimization it's not right to require users of the interface to be aware of internal optimization's. schema is now a property and when the schema property is accessed it calls a private internal method to perform the lazy loading. * Added SchemaCache class to cache the schema's from individual servers. This was done because of the observation we talk to different LDAP servers, each of which may have it's own schema. Previously we globally cached the schema from the first server we connected to and returned that schema in all contexts. The cache includes controls to invalidate it thus forcing a schema refresh. * Schema caching is now senstive to the run time context. During install and upgrade the schema can change leading to errors due to out-of-date cached schema. The schema cache is refreshed in these contexts. * We are aware of the LDAP syntax of all LDAP attributes. Every attribute returned from an LDAP operation is passed through a central table look-up based on it's LDAP syntax. The table key is the LDAP syntax it's value is a Python callable that returns a Python object matching the LDAP syntax. There are a handful of LDAP attributes whose syntax is historically incorrect (e.g. DistguishedNames that are defined as DirectoryStrings). The table driven conversion mechanism is augmented with a table of hard coded exceptions. Currently only the following conversions occur via the table: - dn's are converted to DN objects - binary objects are converted to Python str objects (IPA convention). - everything else is converted to unicode using UTF-8 decoding (IPA convention). However, now that the table driven conversion mechanism is in place it would be trivial to do things such as converting attributes which have LDAP integer syntax into a Python integer, etc. * Expected values in the unit tests which are a DN no longer need to use lambda expressions to promote the returned value to a DN for equality comparison. The return value is automatically promoted to a DN. The lambda expressions have been removed making the code much simpler and easier to read. * Add class level logging to a number of classes which did not support logging, less need for use of root_logger. * Remove ipaserver/conn.py, it was unused. * Consolidated duplicate code wherever it was found. * Fixed many places that used string concatenation to form a new string rather than string formatting operators. This is necessary because string formatting converts it's arguments to a string prior to building the result string. You can't concatenate a string and a non-string. * Simplify logic in rename_managed plugin. Use DN operators to edit dn's. * The live version of ipa-ldap-updater did not generate a log file. The offline version did, now both do. https://fedorahosted.org/freeipa/ticket/1670 https://fedorahosted.org/freeipa/ticket/1671 https://fedorahosted.org/freeipa/ticket/1672 https://fedorahosted.org/freeipa/ticket/1673 https://fedorahosted.org/freeipa/ticket/1674 https://fedorahosted.org/freeipa/ticket/1392 https://fedorahosted.org/freeipa/ticket/2872
* Improve address family handling in socketsMartin Kosek2012-07-131-13/+36
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Many functions use low-level socket interface for connection or various checks. However, most of the time we don't respect automatic address family detection but rather try to force our values. This may cause either redundat connection tries when an address family is disabled on system tries or even crashes when socket exceptions are not properly caught. Instead of forcing address families to socket, rather use getaddrinfo interface to automatically retrieve a list of all relevant address families and other connection settings when connecting to remote/local machine or binding to a local port. Now, we will also fill correctly all connection parameters like flowinfo and scopeid for IPv6 connections which will for example prevent issues with scoped IPv6 addresses. bind_port_responder function was changed to at first try to bind to IPv6 wildcard address before IPv4 as IPv6 socket is able to accept both IPv4 and IPv6 connections (unlike IPv4 socket). nsslib connection was refactored to use nss.io.AddrInfo class to get all the available connections. Socket is now not created by default in NSSConnection class initializer, but rather when the actual connection is being made, becase we do not an address family where connection is successful. https://fedorahosted.org/freeipa/ticket/2913 https://fedorahosted.org/freeipa/ticket/2695
* Make client server option multi-valued, allow disabling DNS discoveryRob Crittenden2012-07-101-36/+65
| | | | | | | | | | | | | Let the --server option be specified multiple times on the command line. The first one passed in is the one we enroll against. Do additional verification before setting dnsok so we can be sure that the record(s) were actually discovered in DNS. If servers are provided on the CLI and --fixed-primary is set then _srv_ is not added to ipa_server in sssd.conf. https://fedorahosted.org/freeipa/ticket/2841
* Configure automount using autofs or sssd.Rob Crittenden2012-06-251-1/+24
| | | | | | | | | | | This script edits nsswitch.conf to use either ldap (autofs) or sss (sssd) to find automount maps. NFSv4 services are started so Kerberos encryption and/or integrity can be used on the maps. https://fedorahosted.org/freeipa/ticket/1233 https://fedorahosted.org/freeipa/ticket/2193
* Improve autodiscovery loggingPetr Viktorin2012-06-171-23/+57
| | | | | | | | | | | | | | | | | | | | Track the source of discovered values (e.g. from option, interactive, retrieved from DNS), and show it in the log in the configuration overview and on erorrs involving the value. Add additional log messages explaining the autodiscovery process. For domains the discovery tries to get LDAP SRV records from, log reasons explaining why the domain was chosen. Also, prevent the same domain from being searched multiple times. Add names for error codes, and show them in the log. Also, modernize the discovery code a bit: move away from the Java-style accessors, don't needlessly pre-declare variables, make IPADiscovery a new-style class. https://fedorahosted.org/freeipa/ticket/2553
* Improve ipa-client-install debug outputPetr Viktorin2012-06-171-197/+276
| | | | | | | | | | | | | | | | | | The client does a fair bit of work when trying to validate the hostnames, do discovery and verify that the server it gets back is an IPA server. The debug logging around this was horrid with very little state information, duplicate log messages or just nothing at all. In many cases errors were printed only to stderr/stdout. This patch makes the logging and output go through the IPA log manager. It sets up logging so that INFO, WARNING, and ERROR messages show up on the console. If -d is given, DEBUG messages are also printed. All messages also go to the log file. The only exception is user input: prompts are only printed to the console, but if the user provides any information it is echoed in a DEBUG-level message. https://fedorahosted.org/freeipa/ticket/2553
* Add flag to ipa-client-install to managed order of ipa_server in sssdRob Crittenden2012-06-131-1/+6
| | | | | | | | The --fixed-primary flag determine the order of the ipa_server directive. When set the IPA server discovered (or passed in via --server or via user-input) will be listed first. Otherwise _srv_ is listed first. https://fedorahosted.org/freeipa/ticket/2282
* Clean keytabs before installing new keys into themPetr Viktorin2012-06-111-0/+15
| | | | | | | | | In ipa-client-install (which is also called from server/replica installation), call `ipa-rmkeytab -k <keytab> -r $REALM` to be sure that there aren't any remnants from a previous install of IPA or another KDC altogether. https://fedorahosted.org/freeipa/ticket/2698
* If SELinux is enabled ensure we also have restorecon.Rob Crittenden2012-05-311-0/+1
| | | | | | | | | | | | We don't have a specific requires on the policycoreutils package. It gets pulled in as a dependency on the server anyway, but checking there is like a belt and suspenders. On the client we don't require SELinux at all. If SELinux is enabled however we need to set things up properly. This is provided by the policycoreutils package so fail if that isn't available. https://fedorahosted.org/freeipa/ticket/2368
* SSH configuration fixes.Jan Cholasta2012-05-301-2/+7
| | | | | | | | | | | | | Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the latter has been deprecated in OpenSSH 5.9. If DNS host key verification is enabled, restrict the set of allowed host public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only these algorithms. Make sure public key user authentication is enabled in both ssh and sshd. ticket 2769
* Always set ipa_hostname for sssd.confOndrej Hamada2012-05-281-4/+3
| | | | | | | ipa-client-install will always set ipa_hostname for sssd.conf in order to prevent the client from getting into weird state. https://fedorahosted.org/freeipa/ticket/2527
* Replace DNS client based on acutil with python-dnsMartin Kosek2012-05-241-16/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | IPA client and server tool set used authconfig acutil module to for client DNS operations. This is not optimal DNS interface for several reasons: - does not provide native Python object oriented interface but but rather C-like interface based on functions and structures which is not easy to use and extend - acutil is not meant to be used by third parties besides authconfig and thus can break without notice Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of acutil DNS library with a use python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases: - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improves for the remaining checks - improved logging for ipa-client-install DNS discovery https://fedorahosted.org/freeipa/ticket/2730 https://fedorahosted.org/freeipa/ticket/1837
* Make ipa 2.2 client capable of joining an older serverMartin Kosek2012-05-011-2/+24
| | | | | | | | | | | | | | | | | IPA server of version 2.2 and higher supports Kerberos S4U2Proxy delegation, i.e. ipa command no longer forwards Kerberos TGT to the server during authentication. However, when IPA client of version 2.2 and higher tries to join an older IPA server, the installer crashes because the pre-2.2 server expects the TGT to be forwarded. This patch adds a fallback to ipa-client-install which would detect this situation and tries connecting with TGT forwarding enabled again. User is informed about this incompatibility. Missing realm was also added to keytab kinit as it was reported to fix occasional install issues. https://fedorahosted.org/freeipa/ticket/2697
* Set the "KerberosAuthentication" option in sshd_config to "no" instead of "yes".Jan Cholasta2012-04-291-1/+1
| | | | | | Setting it to "yes" causes sshd to handle kinits itself, bypassing SSSD. ticket 2689
* Fix help of --hostname option in ipa-client-installMartin Kosek2012-04-191-1/+1
| | | | | | | | Replace word "server" with "machine" to clearly distinguish between IPA server and other machines (clients) and to also match the help with ipa-client-install man pages. https://fedorahosted.org/freeipa/ticket/1967
* Add disovery domain if client domain is different from server domainLars Sjostrom2012-03-141-2/+6
| | | | https://fedorahosted.org/freeipa/ticket/2209
* Configure a basic ldap.conf for OpenLDAP in /etc/openldap/ldap.confRob Crittenden2012-03-141-0/+19
| | | | | | | | | Set URI, BASE and TLS_CACERT Also update the man page to include a list of files that the client changes. https://fedorahosted.org/freeipa/ticket/1810
* More exception handlers in ipa-client-installOndrej Hamada2012-03-091-1/+8
| | | | | | | | | | | | | Added exception handler to certutil operation of adding CA to the default NSS database. If operation fails, installation is aborted and changes are rolled back. https://fedorahosted.org/freeipa/ticket/2415 If obtaining host TGT fails, the installation is aborted and changes are rolled back. https://fedorahosted.org/freeipa/ticket/1995
* Do kinit in client before connecting to backendRob Crittenden2012-03-041-1/+4
| | | | | | | | | | | | | | The client installer was failing because a backend connection could be created before a kinit was done. Allow multiple simultaneous connections. This could fail with an NSS shutdown error when the second connection was created (objects still in use). If all connections currently use the same database then there is no need to initialize, let it be skipped. Add additional logging to client installer. https://fedorahosted.org/freeipa/ticket/2478
* ipa-client-install not calling authconfigOndrej Hamada2012-03-051-62/+66
| | | | | | | Option '--noac' was added. If set, the ipa-client-install will not call authconfig for setting nsswitch.conf and PAM configuration. https://fedorahosted.org/freeipa/ticket/2369
* Configure SSH features of SSSD in ipa-client-install.Jan Cholasta2012-03-011-1/+28
| | | | | | | | OpenSSH server (sshd) is configured to fetch user authorized keys from SSSD and OpenSSH client (ssh) is configured to use and trigger updates of the SSSD-managed known hosts file. This requires SSSD 1.8.0.
* Use reboot from /sbinPetr Viktorin2012-03-021-1/+1
| | | | | | | According to FHS, the reboot command should live in /sbin. Systems may also have a symlink in /usr/bin, but they don't have to. https://fedorahosted.org/freeipa/ticket/2480
* Configure ssh and sshd during ipa-client-install.Jan Cholasta2012-02-131-0/+108
| | | | | | | | | | | For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns ipa-client-install option is used. For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM options are enabled (this can be disabled using --no-sshd ipa-client-install option). ticket 1634
* Update host SSH public keys on the server during client install.Jan Cholasta2012-02-131-0/+64
| | | | | | | | This is done by calling host-mod to update the keys on IPA server and nsupdate to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp ipa-client-install option. https://fedorahosted.org/freeipa/ticket/1634
* Move the nsupdate functionality to separate function in ipa-client-install.Jan Cholasta2012-02-131-18/+26
| | | | | | Done as part of adding SSH support. https://fedorahosted.org/freeipa/ticket/1634
* Add API initialization to ipa-client-install.Jan Cholasta2012-02-131-9/+25
| | | | | | | | This change makes it possible to call IPA commands from ipa-client-install. Done to support adding SSH host keys to DNS. https://fedorahosted.org/freeipa/ticket/1634
* localhost.localdomain clients refused to joinOndrej Hamada2012-01-221-0/+3
| | | | | | | | | Machines with hostname 'localhost' or 'localhost.localdomain' are refused from joining IPA domain and proper error message is shown. The hostname check is done both in 'ipa-client-install' script and in 'ipa-join'. https://fedorahosted.org/freeipa/ticket/2112
* Require an HTTP Referer header in the server. Send one in ipa tools.Rob Crittenden2011-12-121-0/+4
| | | | | | | | | | This is to prevent a Cross-Site Request Forgery (CSRF) attack where a rogue server tricks a user who was logged into the FreeIPA management interface into visiting a specially-crafted URL where the attacker could perform FreeIPA oonfiguration changes with the privileges of the logged-in user. https://bugzilla.redhat.com/show_bug.cgi?id=747710
* Client install checks for nss_ldapOndrej Hamada2011-12-051-18/+44
| | | | | | | | | | | | | | | | | | | | | | | | In order to check presence of nss_ldap or nss-pam-ldapd when installing client with '--no-sssd' option there was added code into ipa-client-install. Checking is based on existence of one of nss_ldap configuration files. This configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or '/etc/libnss_ldap.conf'. Optionaly the nss_ldap could cooperate with pam_ldap module and hence the presence of it is checked by looking for 'pam_ldap.conf' file. Existence of nss-pam-ldapd is checked against existence of 'nslcd.conf' file. All this checking is done by function nssldap_exists(). Because both modules are maintained by two different functions, the function returns tuple containing return code and dictionary structure - its key is name of target function and value is list of existing configuration files. Files to check are specified inside the nssldap_exists() function. nssldap_exists() also returns True if any of the mandatory files was found, otherwise returns False. In order to fit the returned values, the functions configure_{ldap|nslcd}_conf() were slightly modified. They accept one more parameter which is list of existing files. They are not checking existence of above mentioned files anymore. https://fedorahosted.org/freeipa/ticket/2063