summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* ipaserver/install/installutils: clean up properly after yieldAlexander Bokovoy2014-01-151-11/+14
| | | | | When a context to which we yield generates exception, the code in private_ccache() and stopped_service() didn't get called for cleanup.
* CLDAP: do not prepend \\Sumit Bose2014-01-151-1/+1
| | | | | | | | | For NETLOGON_NT_VERSION_5EX requests the prepended \\ is not expected in the PDC NetBIOS name. In general AD seems to be smart enough to handle the two \ signs. But if the NetBIOS name reaches the maximum of 15 character AD does not accept the responses anymore. Fixes https://fedorahosted.org/freeipa/ticket/4028
* trustdomain-find: report status of the (sub)domainAlexander Bokovoy2014-01-151-1/+17
| | | | | | | | | | Show status of each enumerated domain trustdomain-find shows list of domains associated with the trust. Each domain except the trust forest root can be enabled or disabled with the help of trustdomain-enable and trustdomain-disable commands. https://fedorahosted.org/freeipa/ticket/4096
* trust-fetch-domains: create ranges for new child domainsAlexander Bokovoy2014-01-151-121/+135
| | | | | | | | | | | | When trust is added, we do create ranges for discovered child domains. However, this functionality was not available through 'trust-fetch-domains' command. Additionally, make sure non-existing trust will report proper error in trust-fetch-domains. https://fedorahosted.org/freeipa/ticket/4111 https://fedorahosted.org/freeipa/ticket/4104
* Fix ipa-client-automount uninstall when fstore is empty.Jan Cholasta2014-01-151-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/4091
* Add missing example to sudoruleMartin Kosek2014-01-151-1/+20
| | | | https://fedorahosted.org/freeipa/ticket/4090
* sudoOrder missing in sudoersMartin Kosek2014-01-151-0/+2
| | | | | | | | sudoers compat plugin configuration missed the sudoOrder attribute and it thus did not show up in ou=sudoers. Add the definion to update file. https://fedorahosted.org/freeipa/ticket/4107
* Change the way we determine if the host has a password set.Rob Crittenden2014-01-152-1/+28
| | | | | | | | | | When creating a host with a password we don't set a Kerberos principal or add the Kerberos objectclasses. Those get added when the host is enrolled. If one passed in --password= (so no password) then we incorrectly thought the user was in fact setting a password, so the principal and objectclasses weren't updated. https://fedorahosted.org/freeipa/ticket/4102
* hbactest does not work for external usersMartin Kosek2014-01-101-3/+5
| | | | | | | | | | Original patch for ticket #3803 implemented support to resolve SIDs through SSSD. However, it also broke hbactest for external users. The result of the updated external member group search must be local non-external groups, not the external ones. Otherwise the rule is not matched. https://fedorahosted.org/freeipa/ticket/3803
* Revert restart scripts file permissions changeMartin Kosek2014-01-082-0/+0
| | | | | Previous commit accidentally added executable permission to restart_pkicad and stop_pkicad.
* PKI service restart after CA renewal failedJan Cholasta2014-01-086-30/+42
| | | | | | | | | | Fix both the service restart procedure and registration of old pki-cad well known service name. This patch was adapted from original patch of Jan Cholasta 178 to fix ticket 4092. https://fedorahosted.org/freeipa/ticket/4092
* Increase Java stack size on s390 platformsMartin Kosek2014-01-031-2/+2
| | | | | | As reported in https://bugzilla.redhat.com/show_bug.cgi?id=1040576, the default stack trace needs to be also increased on s390 platforms to prevent rhino segfault.
* Prevent garbage from readline on standard output of dogtag-ipa-retrieve-agent.Jan Cholasta2014-01-021-0/+4
| | | | https://fedorahosted.org/freeipa/ticket/4064
* Increase Java stack size on PPC platformsMartin Kosek2013-12-131-0/+4
| | | | | | Wit the default stack size, rhino segfaulted on PPC platforms. https://bugzilla.redhat.com/show_bug.cgi?id=1040576
* Increase stack size for Web UI builderPetr Vobornik2013-12-133-6/+13
| | | | | | | | | Web UI build fails on some architectures or configuration due to StackOverflow. This patch increases the stack size to solve it. 512k is usually enough but we encountered fail on ppc64 even with 2m, therefore the 8m. The build is single threaded so it shouldn't waste much memory.
* trust: fix get_dn() to distinguish creating and re-adding trustsAlexander Bokovoy2013-12-111-2/+2
| | | | | | | | | | | Latest support for subdomains introduced regression that masked difference between newly added trust and re-added one. Additionally, in case no new subdomains were found, the code was returning None instead of an empty list which later could confuse trustdomain-find command. https://fedorahosted.org/freeipa/ticket/4067
* ipa-cldap: Cut NetBIOS name after 15 charactersTomas Babej2013-12-112-1/+6
| | | | | | | | The CLDAP DS plugin uses the uppercased first segment of the fully qualified hostname as the NetBIOS name. We need to limit its size to 15 characters. https://fedorahosted.org/freeipa/ticket/4028
* test_webui: Allow False values in configuration for no_ca, no_dns, has_trustsPetr Viktorin2013-12-101-3/+3
| | | | | | | | | | | | The driver only checked if the corresponding value was in the config, so no_dns: False had the same effect as no_dns: True Change the check to take the value into consideration. This makes false-y values like False (from YAML) and empty string (from environment) work as if the value was not specified.
* ipa-client-install: Always pass hostname to the ipa-joinTomas Babej2013-12-091-4/+4
| | | | | | | | | | | The ipa-client-install script and ipa-join use different methods of resolving the hostname, the former uses gethostbyaddr() call, while the latter reads the "uinfo.nodename". This can result ipa-client-install failures in case of broken PTR records. https://fedorahosted.org/freeipa/ticket/4027
* Allow kernel keyring CCACHE when supportedMartin Kosek2013-12-094-1/+35
| | | | | | | Server and client installer should allow kernel keyring ccache when supported. https://fedorahosted.org/freeipa/ticket/4013
* Fix license in some Web UI filesPetr Vobornik2013-12-094-20/+17
| | | | | | Modified web ui files had incorrect GPLv2 headers instead of GPLv3 ones. All of the affected code is of FreeIPA origin.
* test_integration: Log external hostname in Host.ldap_connectPetr Viktorin2013-12-061-1/+1
| | | | This may make debugging easier if the address is set incorrectly.
* test_integration: Support external names for hostsPetr Viktorin2013-12-062-7/+16
| | | | | | | | | | | | The framework had a concept of external hostnames, which the controller uses to contact the test machines, but they were not loaded from configuration. Load external names from configuration. This makes tests pass in setups where internal and external hostnames are different, and the internal hostnames are not initially resolvable from the controller.
* Fix license tag in python setup filesSimo Sorce2013-12-052-2/+2
| | | | | | Apparently when we relicensed to GPLv3 we missed these two spots. The actual boilerplate was changed in these files but not the license tag passed to python setup.
* Fix -Wformat-security warningsKrzysztof Klimonda2013-12-032-7/+7
|
* Revert "Remove mod_ssl port workaround."Petr Viktorin2013-12-023-15/+12
| | | | | | | This reverts commit 3a11044664341257a3929da2db1c493659515eec. The required version of httpd is not available in Fedora 19. Revert to using the workaround for the 3.3 branch.
* Own /usr/share/ipa/ui/js/ in the spec file.Jan Cholasta2013-12-021-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/4010
* Use hardening flags for ipa-optd.Jan Cholasta2013-12-022-1/+5
| | | | https://fedorahosted.org/freeipa/ticket/4010
* subdomains: Use AD admin credentials when trust is being establishedAlexander Bokovoy2013-11-292-17/+38
| | | | | | | | | | | | | | | | | | | | When AD administrator credentials passed, they stored in realm_passwd, not realm_password in the options. When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure to normalize them. Additionally, force Samba auth module to use NTLMSSP in case we have credentials because at the point when trust is established, KDC is not yet ready to issue tickets to a service in the other realm due to MS-PAC information caching effects. The logic is a bit fuzzy because credentials code makes decisions on what to use based on the smb.conf parameters and Python bindings to set parameters to smb.conf make it so that auth module believes these parameters were overidden by the user through the command line and ignore some of options. We have to do calls in the right order to force NTLMSSP use instead of Kerberos. Fixes https://fedorahosted.org/freeipa/ticket/4046
* trusts: Always stop and disable smb service on uninstallTomas Babej2013-11-261-8/+7
| | | | https://fedorahosted.org/freeipa/ticket/4042
* Remove mod_ssl port workaround.Jan Cholasta2013-11-263-12/+15
| | | | https://fedorahosted.org/freeipa/ticket/4021
* trusts: Do not pass base-id to the subdomain rangesTomas Babej2013-11-221-0/+5
| | | | | | | | | | | | | | | For trusted domains base id is calculated using a murmur3 hash of the domain Security Identifier (SID). During trust-add we create ranges for forest root domain and other forest domains. Since --base-id explicitly overrides generated base id for forest root domain, its value should not be passed to other forest domains' ranges -- their base ids must be calculated based on their SIDs. In case base id change for non-root forest domains is required, it can be done manually through idrange-mod command after the trust is established. https://fedorahosted.org/freeipa/ticket/4041
* Map NT_STATUS_INVALID_PARAMETER to most likely error cause: clock skewAlexander Bokovoy2013-11-131-0/+3
| | | | | | | | When we get NT_STATUS_INVALID_PARAMETER in response to establish DCE RPC pipe with Kerberos, the most likely reason is clock skew. Suggest that it is so in the error message. https://fedorahosted.org/freeipa/ticket/4024
* Fix regression which prevents creating a winsync agreementAna Krivokapic2013-11-131-1/+2
| | | | | | | A regression, which prevented creation of a winsync agreement, was introduced in the original fix for ticket #3989. https://fedorahosted.org/freeipa/ticket/3989
* Server does not detect different server and IPA domainMartin Kosek2013-11-111-7/+11
| | | | | | | | | | | | | | Server installer does not properly recognize a situation when server fqdn is not in a subdomain of the IPA domain, but shares the same suffix. For example, if server FQDN is ipa-idm.example.com and domain is idm.example.com, server's FQDN is not in the main domain, but installer does not recognize that. proper Kerberos realm-domain mapping is not created in this case and server does not work (httpd reports gssapi errors). https://fedorahosted.org/freeipa/ticket/4012
* Guard import of adtrustinstance for case without trustsAlexander Bokovoy2013-11-041-2/+8
| | | | https://fedorahosted.org/freeipa/ticket/4011
* Become IPA 3.3.3Martin Kosek2013-11-011-1/+1
|
* ipatests: test_trust: use domain name instead of realm for user lookupsTomas Babej2013-11-011-3/+6
|
* ipatests: Add integration tests for legacy clientsTomas Babej2013-11-011-0/+261
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3833
* ipatests: Use command -v instead of which in legacy client adviceTomas Babej2013-11-011-2/+2
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3833
* Remove deprecated AllowLMhash configMartin Kosek2013-11-011-1/+1
| | | | | | | Remove this ipaConfigString value as LM hash is deprecated and in fact even insecure. https://fedorahosted.org/freeipa/ticket/3795
* Remove generation and handling of LM hashesSumit Bose2013-11-017-250/+74
| | | | https://fedorahosted.org/freeipa/ticket/3795
* Remove AllowLMhash from the allowed IPA config stringsSumit Bose2013-11-015-5/+3
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3795
* ipatests: Add support for extra roles referenced by a keywordTomas Babej2013-10-316-40/+158
| | | | | | | | | | | | | | | | | | Adds support for host definition by a environment variables of the following form: ROLE_<keyword>_envX, where X is the number of the environment for which host referenced by a role <keyword> should be defined. Adds a required_extra_roles attribute to the IntegrationTest class, which can test developer use to specify the extra roles that this particular test requires. If not all required extra roles are available, the test will be skipped. All extra (and static) roles are accessible to the IntegrationTests via the host_by_role method, which returns a host of given role. Part of: https://fedorahosted.org/freeipa/ticket/3833
* ipatests: Do not use /usr/bin hardcoded pathsTomas Babej2013-10-311-6/+7
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3833
* ipatests: Restore SELinux context after restoring files from backupTomas Babej2013-10-311-0/+12
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3833
* ipatests: Extend clear_sssd_cache to support non-systemd platformsTomas Babej2013-10-311-6/+16
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3833
* advice: Add legacy client configuration script using nss-ldapTomas Babej2013-10-311-1/+36
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3833
* Remove ipa-pwd-extop and ipa-enrollment duplicate error stringsMartin Kosek2013-10-303-16/+22
| | | | | | | Some error strings were duplicate which makes it then harder to see what is the real root cause of it. https://fedorahosted.org/freeipa/ticket/3988
* Fix password expiration notificationPetr Vobornik2013-10-305-19/+137
| | | | | | - was broken by navigation and application controller refactoring https://fedorahosted.org/freeipa/ticket/4003
generated by cgit (git 2.34.1) at 2025-09-04 04:15:03 +0000