freeipa.git/ipaserver/install, branch WIP Unnamed repository; edit this file 'description' to name the repository. Fix for adtrustinstance 2012-05-08T12:27:06+00:00 Sumit Bose sbose@redhat.com 2012-05-08T12:27:06+00:00 4103f16fd26bb9bc30ff8e6965f08292fbfc4e81 






Perform case-insensitive searches for principals on TGS requests
2012-04-30T15:26:24+00:00

Alexander Bokovoy
abokovoy@redhat.com

2012-03-26T11:23:42+00:00

3c8876c3587c86de9684afe882965d40f1c75847

We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.

The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.

https://fedorahosted.org/freeipa/ticket/1577





We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.

The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.

https://fedorahosted.org/freeipa/ticket/1577







Use a dedicated keytab for samba
2012-04-30T15:26:24+00:00

Sumit Bose
sbose@redhat.com

2012-01-03T16:58:54+00:00

08d169fb14dad41bb6e90132d94ad0ec629edc61

Fixes https://fedorahosted.org/freeipa/ticket/2168





Fixes https://fedorahosted.org/freeipa/ticket/2168







Use mixed-case for Read DNS Entries permission
2012-04-23T08:00:40+00:00

Rob Crittenden
rcritten@redhat.com

2012-04-20T15:07:47+00:00

0423213148a1a2f9762adf243f383398c1ec8b9e

https://fedorahosted.org/freeipa/ticket/2569





https://fedorahosted.org/freeipa/ticket/2569







Remove the running state when uninstalling DS instances.
2012-04-17T09:25:41+00:00

Rob Crittenden
rcritten@redhat.com

2012-04-16T21:03:46+00:00

9c39f95f2174d8197102080314eab7a10cf8c86c

We don't need to do anything with the state but if it exists in
the sysrestore index at the end of uninstallation the uninstaller will
complain about it.

https://fedorahosted.org/freeipa/ticket/2637





We don't need to do anything with the state but if it exists in
the sysrestore index at the end of uninstallation the uninstaller will
complain about it.

https://fedorahosted.org/freeipa/ticket/2637







Configure certmonger to execute restart scripts on renewal.
2012-04-10T05:08:41+00:00

Rob Crittenden
rcritten@redhat.com

2012-04-10T19:21:08+00:00

717bbcd2bf624ad68ea1cdf08216ab4f06e8bc4d

certmonger now has the ability to execute a script when it renews a
certificate. This can be used to automatically restart servers so
the certificate doesn't expire in the running server.

https://fedorahosted.org/freeipa/ticket/2050





certmonger now has the ability to execute a script when it renews a
certificate. This can be used to automatically restart servers so
the certificate doesn't expire in the running server.

https://fedorahosted.org/freeipa/ticket/2050







Fix installation when server hostname is not in a default domain
2012-04-09T00:35:10+00:00

Martin Kosek
mkosek@redhat.com

2012-04-04T14:31:04+00:00

184a066f4abc0ef83434f8cebbec87028258db65

When IPA server is configured with DNS and its hostname is not
located in a default domain, SRV records are not valid.
Additionally, httpd does not serve XMLRPC interface because it
IPA server domain-realm mapping is missing in krb5.conf. All CLI
commands were then failing.

This patch amends this configuration. It fixes SRV records in
served domain to include full FQDN instead of relative hostname
when the IPA server hostname is not located in served domain.
IPA server forward record is also placed to correct zone.

When IPA server is not in a served domain a proper domain-realm
mapping is configured to krb5.conf. The template was improved
in order to be able to hold this information.

https://fedorahosted.org/freeipa/ticket/2602





When IPA server is configured with DNS and its hostname is not
located in a default domain, SRV records are not valid.
Additionally, httpd does not serve XMLRPC interface because it
IPA server domain-realm mapping is missing in krb5.conf. All CLI
commands were then failing.

This patch amends this configuration. It fixes SRV records in
served domain to include full FQDN instead of relative hostname
when the IPA server hostname is not located in served domain.
IPA server forward record is also placed to correct zone.

When IPA server is not in a served domain a proper domain-realm
mapping is configured to krb5.conf. The template was improved
in order to be able to hold this information.

https://fedorahosted.org/freeipa/ticket/2602







improve handling of ds instances during uninstall
2012-04-05T02:47:08+00:00

John Dennis
jdennis@redhat.com

2012-04-04T19:19:29+00:00

af0ac845ff2ebb5a7c045acdc17dc656522039aa

Ticket #2502

* remove the "running" flag from backup_state in cainstance.py and
  dsinstance.py because it does not provide the correct
  information. In cainstance the running flag was never referenced
  because restarting dirsrv instances occurs later in dsinstance. In
  dsinstance when the running flag is set it incorrectly identifed the
  PKI ds instance configured earlier by cainstance. The intent was to
  determine if there were any ds instances other than those owned by
  IPA which will need to be restarted upon uninstall. Clearly the PKI
  ds instance does not qualify. We were generating a traceback when at
  the conclusion of dsinstance.uninstall we tried to start the
  remaining ds instances as indicated by the running flag, but there
  were none to restart (because the running flag had been set as a
  consequence of the PKI ds instance).

* We only want to restart ds instances if there are other ds instances
  besides those owned by IPA. We shouldn't be stopping all ds
  instances either, but that's going to be covered by another
  ticket. The fix for restarting other ds instances at the end of
  uninstall is to check and see if there are other ds instances
  remaining after we've removed ours, if so we restart them. Also it's
  irrelevant if those ds instances were not present when we installed,
  it only matters if they exist after we restore things during
  uninstall. If they are present we have to start them back up because
  we shut them down during uninstall.

* Add new function get_ds_instances() which returns a list of existing
  ds instances.

* fixed error messages that incorrectly stated it "failed to restart"
  a ds instance when it should be "failed to create".





Ticket #2502

* remove the "running" flag from backup_state in cainstance.py and
  dsinstance.py because it does not provide the correct
  information. In cainstance the running flag was never referenced
  because restarting dirsrv instances occurs later in dsinstance. In
  dsinstance when the running flag is set it incorrectly identifed the
  PKI ds instance configured earlier by cainstance. The intent was to
  determine if there were any ds instances other than those owned by
  IPA which will need to be restarted upon uninstall. Clearly the PKI
  ds instance does not qualify. We were generating a traceback when at
  the conclusion of dsinstance.uninstall we tried to start the
  remaining ds instances as indicated by the running flag, but there
  were none to restart (because the running flag had been set as a
  consequence of the PKI ds instance).

* We only want to restart ds instances if there are other ds instances
  besides those owned by IPA. We shouldn't be stopping all ds
  instances either, but that's going to be covered by another
  ticket. The fix for restarting other ds instances at the end of
  uninstall is to check and see if there are other ds instances
  remaining after we've removed ours, if so we restart them. Also it's
  irrelevant if those ds instances were not present when we installed,
  it only matters if they exist after we restore things during
  uninstall. If they are present we have to start them back up because
  we shut them down during uninstall.

* Add new function get_ds_instances() which returns a list of existing
  ds instances.

* fixed error messages that incorrectly stated it "failed to restart"
  a ds instance when it should be "failed to create".







Configure SELinux for httpd during upgrades
2012-04-03T22:20:51+00:00

Martin Kosek
mkosek@redhat.com

2012-04-03T08:47:40+00:00

17a0738d2d352f9c3d73167b3fb22cd566fd98d4

SELinux configuration for httpd instance was set for new
installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x
upgrade) missed the configuration. This lead to AVCs when httpd
tries to contact ipa_memcached and user not being able to log in.

This patch updates ipa-upgradeconfig to configure SELinux
in the same way as ipa-server-install does.

https://fedorahosted.org/freeipa/ticket/2603





SELinux configuration for httpd instance was set for new
installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x
upgrade) missed the configuration. This lead to AVCs when httpd
tries to contact ipa_memcached and user not being able to log in.

This patch updates ipa-upgradeconfig to configure SELinux
in the same way as ipa-server-install does.

https://fedorahosted.org/freeipa/ticket/2603







Forbid public access to DNS tree
2012-04-02T01:17:04+00:00

Martin Kosek
mkosek@redhat.com

2012-04-02T12:57:33+00:00

df13cdcb974e9f8b161be35fcef9651c2ffe0b5e

With a publicly accessible DNS tree in LDAP, anyone with an access
to the LDAP server can get all DNS data as with a zone transfer
which is already restricted with ACL. Making DNS tree not readable
to public is a common security practice and should be applied
in FreeIPA as well.

This patch adds a new deny rule to forbid access to DNS tree to
users or hosts without an appropriate permission or users which
are not members of admins group. The new permission/aci is
applied both for new installs and upgraded servers.

bind-dyndb-ldap plugin is allowed to read DNS tree without any
change because its principal is already a member of "DNS
Servers" privilege.

https://fedorahosted.org/freeipa/ticket/2569





With a publicly accessible DNS tree in LDAP, anyone with an access
to the LDAP server can get all DNS data as with a zone transfer
which is already restricted with ACL. Making DNS tree not readable
to public is a common security practice and should be applied
in FreeIPA as well.

This patch adds a new deny rule to forbid access to DNS tree to
users or hosts without an appropriate permission or users which
are not members of admins group. The new permission/aci is
applied both for new installs and upgraded servers.

bind-dyndb-ldap plugin is allowed to read DNS tree without any
change because its principal is already a member of "DNS
Servers" privilege.

https://fedorahosted.org/freeipa/ticket/2569