<feed xmlns='http://www.w3.org/2005/Atom'>
<title>freeipa.git/ipa-client, branch abbra</title>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/freeipa.git/'/>
<entry>
<title>SSH configuration fixes.</title>
<updated>2012-05-30T05:47:27+00:00</updated>
<author>
<name>Jan Cholasta</name>
<email>jcholast@redhat.com</email>
</author>
<published>2012-05-23T09:00:55+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/freeipa.git/commit/?id=d62b2d9be5a1162f5fdb255aa4f361ce048722fa'/>
<id>d62b2d9be5a1162f5fdb255aa4f361ce048722fa</id>
<content type='text'>
Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the
latter has been deprecated in OpenSSH 5.9.

If DNS host key verification is enabled, restrict the set of allowed host
public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only
these algorithms.

Make sure public key user authentication is enabled in both ssh and sshd.

ticket 2769
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the
latter has been deprecated in OpenSSH 5.9.

If DNS host key verification is enabled, restrict the set of allowed host
public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only
these algorithms.

Make sure public key user authentication is enabled in both ssh and sshd.

ticket 2769
</pre>
</div>
</content>
</entry>
<entry>
<title>Always set ipa_hostname for sssd.conf</title>
<updated>2012-05-28T15:09:22+00:00</updated>
<author>
<name>Ondrej Hamada</name>
<email>ohamada@redhat.com</email>
</author>
<published>2012-04-12T12:19:15+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/freeipa.git/commit/?id=bdc80fe372fa937a0cf4a411f550ae35caad3e42'/>
<id>bdc80fe372fa937a0cf4a411f550ae35caad3e42</id>
<content type='text'>
ipa-client-install will always set ipa_hostname for sssd.conf in order
to prevent the client from getting into weird state.

https://fedorahosted.org/freeipa/ticket/2527
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
ipa-client-install will always set ipa_hostname for sssd.conf in order
to prevent the client from getting into weird state.

https://fedorahosted.org/freeipa/ticket/2527
</pre>
</div>
</content>
</entry>
<entry>
<title>Replace DNS client based on acutil with python-dns</title>
<updated>2012-05-24T11:55:56+00:00</updated>
<author>
<name>Martin Kosek</name>
<email>mkosek@redhat.com</email>
</author>
<published>2012-05-11T12:38:09+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/freeipa.git/commit/?id=f1ed123caddd7525a0081c4a9de931cabdfda43f'/>
<id>f1ed123caddd7525a0081c4a9de931cabdfda43f</id>
<content type='text'>
IPA client and server tool set used authconfig acutil module
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
  but rather C-like interface based on functions and
  structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
  authconfig and thus can break without notice

Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use of python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
  in installutils to make the whole DNS check simpler and
  less error-prone. Logging was improved for the remaining
  checks
- improved logging for ipa-client-install DNS discovery

https://fedorahosted.org/freeipa/ticket/2730
https://fedorahosted.org/freeipa/ticket/1837
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
IPA client and server tool set used authconfig acutil module
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
  but rather C-like interface based on functions and
  structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
  authconfig and thus can break without notice

Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use of python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
  in installutils to make the whole DNS check simpler and
  less error-prone. Logging was improved for the remaining
  checks
- improved logging for ipa-client-install DNS discovery

https://fedorahosted.org/freeipa/ticket/2730
https://fedorahosted.org/freeipa/ticket/1837
</pre>
</div>
</content>
</entry>
<entry>
<title>Make ipa 2.2 client capable of joining an older server</title>
<updated>2012-05-02T00:38:43+00:00</updated>
<author>
<name>Martin Kosek</name>
<email>mkosek@redhat.com</email>
</author>
<published>2012-05-02T13:36:04+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/freeipa.git/commit/?id=b8f30bce77837966597f5508625742c1bae04080'/>
<id>b8f30bce77837966597f5508625742c1bae04080</id>
<content type='text'>
IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. ipa command no longer forwards Kerberos TGT to the
server during authentication. However, when IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which would detect
this situation and tries connecting with TGT forwarding enabled
again. User is informed about this incompatibility.

Missing realm was also added to keytab kinit as it was reported to
fix occasional install issues.

https://fedorahosted.org/freeipa/ticket/2697
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. ipa command no longer forwards Kerberos TGT to the
server during authentication. However, when IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which would detect
this situation and tries connecting with TGT forwarding enabled
again. User is informed about this incompatibility.

Missing realm was also added to keytab kinit as it was reported to
fix occasional install issues.

https://fedorahosted.org/freeipa/ticket/2697
</pre>
</div>
</content>
</entry>
<entry>
<title>Set the "KerberosAuthentication" option in sshd_config to "no" instead of "yes".</title>
<updated>2012-04-29T23:45:13+00:00</updated>
<author>
<name>Jan Cholasta</name>
<email>jcholast@redhat.com</email>
</author>
<published>2012-04-30T15:58:55+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/freeipa.git/commit/?id=6569f355b61d4c0d55ca9ee2c5f36787cce73593'/>
<id>6569f355b61d4c0d55ca9ee2c5f36787cce73593</id>
<content type='text'>
Setting it to "yes" causes sshd to handle kinits itself, bypassing SSSD.

ticket 2689
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Setting it to "yes" causes sshd to handle kinits itself, bypassing SSSD.

ticket 2689
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix help of --hostname option in ipa-client-install</title>
<updated>2012-04-19T17:55:44+00:00</updated>
<author>
<name>Martin Kosek</name>
<email>mkosek@redhat.com</email>
</author>
<published>2012-04-19T17:50:57+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/freeipa.git/commit/?id=4d66cc07dc0b8dd357ab8dfe555702130aba299f'/>
<id>4d66cc07dc0b8dd357ab8dfe555702130aba299f</id>
<content type='text'>
Replace word "server" with "machine" to clearly distinguish between
IPA server and other machines (clients) and to also match the help
with ipa-client-install man pages.

https://fedorahosted.org/freeipa/ticket/1967
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Replace word "server" with "machine" to clearly distinguish between
IPA server and other machines (clients) and to also match the help
with ipa-client-install man pages.

https://fedorahosted.org/freeipa/ticket/1967
</pre>
</div>
</content>
</entry>
<entry>
<title>Use indexed format specifiers in i18n strings</title>
<updated>2012-04-10T22:07:10+00:00</updated>
<author>
<name>John Dennis</name>
<email>jdennis@redhat.com</email>
</author>
<published>2012-03-30T01:34:19+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/freeipa.git/commit/?id=b8f1292e869c3c0d2301809054eb21a72f02b180'/>
<id>b8f1292e869c3c0d2301809054eb21a72f02b180</id>
<content type='text'>
Translators need to reorder messages to suit the needs of the target
language. The conventional positional format specifiers (e.g. %s %d)
do not permit reordering because their order is tied to the ordering
of the arguments to the printf function. The fix is to use indexed
format specifiers.

https://fedorahosted.org/freeipa/ticket/2596
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Translators need to reorder messages to suit the needs of the target
language. The conventional positional format specifiers (e.g. %s %d)
do not permit reordering because their order is tied to the ordering
of the arguments to the printf function. The fix is to use indexed
format specifiers.

https://fedorahosted.org/freeipa/ticket/2596
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix memleak and silence Coverity defects</title>
<updated>2012-03-22T16:33:13+00:00</updated>
<author>
<name>Simo Sorce</name>
<email>ssorce@redhat.com</email>
</author>
<published>2012-03-20T13:47:52+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/freeipa.git/commit/?id=735618a1c6aee05d1c6455320da46fc52c85ca8c'/>
<id>735618a1c6aee05d1c6455320da46fc52c85ca8c</id>
<content type='text'>
Some of these are not real defects, because we are guaranteed to have valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.

One memleak on error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c

Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is
actually fine as we count beforehand so we never actually use the wrong value
that is computed on the last pass when p == 0

Fixes: https://fedorahosted.org/freeipa/ticket/2488
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Some of these are not real defects, because we are guaranteed to have valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.

One memleak on error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c

Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is
actually fine as we count beforehand so we never actually use the wrong value
that is computed on the last pass when p == 0

Fixes: https://fedorahosted.org/freeipa/ticket/2488
</pre>
</div>
</content>
</entry>
<entry>
<title>Add discovery domain if client domain is different from server domain</title>
<updated>2012-03-15T02:06:26+00:00</updated>
<author>
<name>Lars Sjostrom</name>
<email>lars radicore se</email>
</author>
<published>2011-12-21T21:32:01+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/freeipa.git/commit/?id=96390ca3e5f9fb89fe930e62dbd267a2de0af1d1'/>
<id>96390ca3e5f9fb89fe930e62dbd267a2de0af1d1</id>
<content type='text'>
https://fedorahosted.org/freeipa/ticket/2209
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://fedorahosted.org/freeipa/ticket/2209
</pre>
</div>
</content>
</entry>
<entry>
<title>Configure a basic ldap.conf for OpenLDAP in /etc/openldap/ldap.conf</title>
<updated>2012-03-15T01:28:52+00:00</updated>
<author>
<name>Rob Crittenden</name>
<email>rcritten@redhat.com</email>
</author>
<published>2012-02-01T03:44:20+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/freeipa.git/commit/?id=14975cdcddab5f757502ef7736e93a965ce1f207'/>
<id>14975cdcddab5f757502ef7736e93a965ce1f207</id>
<content type='text'>
Set URI, BASE and TLS_CACERT

Also update the man page to include a list of files that the client
changes.

https://fedorahosted.org/freeipa/ticket/1810
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Set URI, BASE and TLS_CACERT

Also update the man page to include a list of files that the client
changes.

https://fedorahosted.org/freeipa/ticket/1810
</pre>
</div>
</content>
</entry>
</feed>
