freeipa.git/ipa-client/ipa-install, branch abbra Unnamed repository; edit this file 'description' to name the repository. SSH configuration fixes. 2012-05-30T05:47:27+00:00 Jan Cholasta jcholast@redhat.com 2012-05-23T09:00:55+00:00 d62b2d9be5a1162f5fdb255aa4f361ce048722fa Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the latter has been deprecated in OpenSSH 5.9. If DNS host key verification is enabled, restrict the set of allowed host public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only these algorithms. Make sure public key user authentication is enabled in both ssh and sshd. ticket 2769 
Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the
latter has been deprecated in OpenSSH 5.9.

If DNS host key verification is enabled, restrict the set of allowed host
public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only
these algorithms.

Make sure public key user authentication is enabled in both ssh and sshd.

ticket 2769
Always set ipa_hostname for sssd.conf 2012-05-28T15:09:22+00:00 Ondrej Hamada ohamada@redhat.com 2012-04-12T12:19:15+00:00 bdc80fe372fa937a0cf4a411f550ae35caad3e42 ipa-client-install will always set ipa_hostname for sssd.conf in order to prevent the client from getting into weird state. https://fedorahosted.org/freeipa/ticket/2527 
ipa-client-install will always set ipa_hostname for sssd.conf in order
to prevent the client from getting into weird state.

https://fedorahosted.org/freeipa/ticket/2527
Replace DNS client based on acutil with python-dns 2012-05-24T11:55:56+00:00 Martin Kosek mkosek@redhat.com 2012-05-11T12:38:09+00:00 f1ed123caddd7525a0081c4a9de931cabdfda43f IPA client and server tool set used authconfig acutil module to for client DNS operations. This is not optimal DNS interface for several reasons: - does not provide native Python object oriented interface but but rather C-like interface based on functions and structures which is not easy to use and extend - acutil is not meant to be used by third parties besides authconfig and thus can break without notice Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of acutil DNS library with a use python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases: - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improves for the remaining checks - improved logging for ipa-client-install DNS discovery https://fedorahosted.org/freeipa/ticket/2730 https://fedorahosted.org/freeipa/ticket/1837 
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
  but but rather C-like interface based on functions and
  structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
  authconfig and thus can break without notice

Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
  in installutils to make the whole DNS check simpler and
  less error-prone. Logging was improves for the remaining
  checks
- improved logging for ipa-client-install DNS discovery

https://fedorahosted.org/freeipa/ticket/2730
https://fedorahosted.org/freeipa/ticket/1837
Make ipa 2.2 client capable of joining an older server 2012-05-02T00:38:43+00:00 Martin Kosek mkosek@redhat.com 2012-05-02T13:36:04+00:00 b8f30bce77837966597f5508625742c1bae04080 IPA server of version 2.2 and higher supports Kerberos S4U2Proxy delegation, i.e. ipa command no longer forwards Kerberos TGT to the server during authentication. However, when IPA client of version 2.2 and higher tries to join an older IPA server, the installer crashes because the pre-2.2 server expects the TGT to be forwarded. This patch adds a fallback to ipa-client-install which would detect this situation and tries connecting with TGT forwarding enabled again. User is informed about this incompatibility. Missing realm was also added to keytab kinit as it was reported to fix occasional install issues. https://fedorahosted.org/freeipa/ticket/2697 
IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. ipa command no longer forwards Kerberos TGT to the
server during authentication. However, when IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which would detect
this situation and tries connecting with TGT forwarding enabled
again. User is informed about this incompatibility.

Missing realm was also added to keytab kinit as it was reported to
fix occasional install issues.

https://fedorahosted.org/freeipa/ticket/2697
Set the "KerberosAuthentication" option in sshd_config to "no" instead of "yes". 2012-04-29T23:45:13+00:00 Jan Cholasta jcholast@redhat.com 2012-04-30T15:58:55+00:00 6569f355b61d4c0d55ca9ee2c5f36787cce73593 Setting it to "yes" causes sshd to handle kinits itself, bypassing SSSD. ticket 2689 
Setting it to "yes" causes sshd to handle kinits itself, bypassing SSSD.

ticket 2689
Fix help of --hostname option in ipa-client-install 2012-04-19T17:55:44+00:00 Martin Kosek mkosek@redhat.com 2012-04-19T17:50:57+00:00 4d66cc07dc0b8dd357ab8dfe555702130aba299f Replace word "server" with "machine" to clearly distinguish between IPA server and other machines (clients) and to also match the help with ipa-client-install man pages. https://fedorahosted.org/freeipa/ticket/1967 
Replace word "server" with "machine" to clearly distinguish between
IPA server and other machines (clients) and to also match the help
with ipa-client-install man pages.

https://fedorahosted.org/freeipa/ticket/1967
Add disovery domain if client domain is different from server domain 2012-03-15T02:06:26+00:00 Lars Sjostrom lars radicore se 2011-12-21T21:32:01+00:00 96390ca3e5f9fb89fe930e62dbd267a2de0af1d1 https://fedorahosted.org/freeipa/ticket/2209 
https://fedorahosted.org/freeipa/ticket/2209
Configure a basic ldap.conf for OpenLDAP in /etc/openldap/ldap.conf 2012-03-15T01:28:52+00:00 Rob Crittenden rcritten@redhat.com 2012-02-01T03:44:20+00:00 14975cdcddab5f757502ef7736e93a965ce1f207 Set URI, BASE and TLS_CACERT Also update the man page to include a list of files that the client changes. https://fedorahosted.org/freeipa/ticket/1810 
Set URI, BASE and TLS_CACERT

Also update the man page to include a list of files that the client
changes.

https://fedorahosted.org/freeipa/ticket/1810
More exception handlers in ipa-client-install 2012-03-09T14:48:27+00:00 Ondrej Hamada ohamada@redhat.com 2012-03-09T12:04:23+00:00 71d134dfa03eb86066eeb331815647bdff04aaa8 Added exception handler to certutil operation of adding CA to the default NSS database. If operation fails, installation is aborted and changes are rolled back. https://fedorahosted.org/freeipa/ticket/2415 If obtaining host TGT fails, the installation is aborted and changes are rolled back. https://fedorahosted.org/freeipa/ticket/1995 
Added exception handler to certutil operation of adding CA to the
default NSS database. If operation fails, installation is aborted and
changes are rolled back.

https://fedorahosted.org/freeipa/ticket/2415

If obtaining host TGT fails, the installation is aborted and changes are
rolled back.

https://fedorahosted.org/freeipa/ticket/1995
Do kinit in client before connecting to backend 2012-03-04T22:23:01+00:00 Rob Crittenden rcritten@redhat.com 2012-03-04T00:50:21+00:00 55f89dc68940e3a4376fb80e97dbd0f2773c6ed1 The client installer was failing because a backend connection could be created before a kinit was done. Allow multiple simultaneous connections. This could fail with an NSS shutdown error when the second connection was created (objects still in use). If all connections currently use the same database then there is no need to initialize, let it be skipped. Add additional logging to client installer. https://fedorahosted.org/freeipa/ticket/2478 
The client installer was failing because a backend connection could be
created before a kinit was done.

Allow multiple simultaneous connections. This could fail with an NSS
shutdown error when the second connection was created (objects still
in use). If all connections currently use the same database then there
is no need to initialize, let it be skipped.

Add additional logging to client installer.

https://fedorahosted.org/freeipa/ticket/2478