freeipa.git/client/ipa-client-install, branch coverity FreeIPA patches server uninstall fails to remove krb principals 2016-07-20T14:35:49+00:00 Florence Blanc-Renaud frenaud@redhat.com 2016-07-11T07:00:44+00:00 a0d90263d62f48f0c04b8b9e7da3aaa10201c3a0 This patch fixes the 3rd issue of ticket 6012: ipa-server-install --uninstall -U complains while removing Kerberos service principals from /etc/krb5.keytab ---- Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DOM-221.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero exit status 5 ---- This happens because the uninstaller performs the following sequence: 1/ restore pre-install files, including /etc/krb5.keytab At this point /etc/krb5.keytab does not contain any principal for IPA domain 2/ call ipa-client-install --uninstall, which in turns runs ipa-rmkeytab -k /etc/krb5.keytab -r <domain> to remove the principals. The fix ignores ipa-rmkeytab's exit code 5 (Principal name or realm not found in keytab) https://fedorahosted.org/freeipa/ticket/6012 Reviewed-By: Martin Basti <mbasti@redhat.com> 
This patch fixes the 3rd issue of ticket 6012:
ipa-server-install --uninstall -U
complains while removing Kerberos service principals from /etc/krb5.keytab
----
Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DOM-221.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero exit status 5
----

This happens because the uninstaller performs the following sequence:
1/ restore pre-install files, including /etc/krb5.keytab
At this point /etc/krb5.keytab does not contain any principal for
IPA domain
2/ call ipa-client-install --uninstall, which in turns runs
ipa-rmkeytab -k /etc/krb5.keytab -r <domain>
to remove the principals.

The fix ignores ipa-rmkeytab's exit code 5 (Principal name or realm not
found in keytab)

https://fedorahosted.org/freeipa/ticket/6012

Reviewed-By: Martin Basti <mbasti@redhat.com>
Create server and host certs with DNS altname 2016-07-19T12:18:04+00:00 Fraser Tweedale ftweedal@redhat.com 2015-12-07T05:14:28+00:00 b12db924143cd6828c596c0b8a261325f3f589f3 Currently server (HTTP / LDAP) certs are created without a Subject Alternative Name extension during server install, replica prepare and host enrolment, a potentially problematic violation of RFC 2818. Add the hostname as a SAN dNSName when these certs are created. (Certmonger adds an appropriate request extension when renewing the certificate, so nothing needs to be done for renewal). Fixes: https://fedorahosted.org/freeipa/ticket/4970 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.

Add the hostname as a SAN dNSName when these certs are created.

(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).

Fixes: https://fedorahosted.org/freeipa/ticket/4970
Reviewed-By: Petr Spacek <pspacek@redhat.com>
client-install: log exceptions from certmonger.request_cert 2016-07-01T11:33:49+00:00 Petr Spacek pspacek@redhat.com 2016-07-01T09:57:35+00:00 dc5b2eaa772fda5673b222bc9107cf5b85c1295d Reviewed-By: Martin Basti <mbasti@redhat.com> 
Reviewed-By: Martin Basti <mbasti@redhat.com>
Do not allow installation in FIPS mode 2016-06-29T14:17:27+00:00 Florence Blanc-Renaud frenaud@redhat.com 2016-06-27T08:23:14+00:00 3c40d3aa9e3d431be1e625aa91cdcbeffd0d1271 https://fedorahosted.org/freeipa/ticket/5761 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5761

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
client-install: do not fail if DNS times out during DNS update generation 2016-06-29T12:19:59+00:00 Petr Spacek pspacek@redhat.com 2016-06-28T16:13:58+00:00 1802f7a2258c793d11c7a9c2a4786cea42b9b058 https://fedorahosted.org/freeipa/ticket/5962 Reviewed-By: Martin Basti <mbasti@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5962

Reviewed-By: Martin Basti <mbasti@redhat.com>
client: Share validator and domain name normalization with server install 2016-06-28T12:14:32+00:00 Petr Spacek pspacek@redhat.com 2016-06-27T12:00:01+00:00 8b12ef50e1c016a5a025cf2a69271f769b585a03 https://fedorahosted.org/freeipa/ticket/5976 Reviewed-By: Martin Basti <mbasti@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5976

Reviewed-By: Martin Basti <mbasti@redhat.com>
Added krb5.conf.d/ to included dirs in krb5.conf 2016-06-05T07:47:13+00:00 Stanislav Laznicka slaznick@redhat.com 2016-05-27T14:12:31+00:00 2026677635c6d4b086670cb9d8f3570bd1b95c27 The include of /etc/krb5.conf.d/ is required for crypto-policies to work properly https://fedorahosted.org/freeipa/ticket/5912 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
The include of /etc/krb5.conf.d/ is required for crypto-policies to work properly

https://fedorahosted.org/freeipa/ticket/5912

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
client install: finalize API after CA certs are available 2016-06-03T07:00:34+00:00 Jan Cholasta jcholast@redhat.com 2016-05-30T10:19:08+00:00 08ff248eeedd6dc4ebc5b118b7e4e81773594f51 This is required for the finalize call to be able connect to the server to retrieve API schema. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 
This is required for the finalize call to be able connect to the server to
retrieve API schema.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
rpc: specify connection options in API config 2016-06-03T07:00:34+00:00 Jan Cholasta jcholast@redhat.com 2016-05-25T10:31:03+00:00 56c66f44a0e356504bf8a7edcc924777adc1b352 Specify RPC connection options once in API.bootstrap rather than in each invocation of rpcclient.connect. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 
Specify RPC connection options once in API.bootstrap rather than in each
invocation of rpcclient.connect.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
rpc: respect API config in RPCClient.create_connection 2016-06-03T07:00:34+00:00 Jan Cholasta jcholast@redhat.com 2016-05-25T10:20:31+00:00 43dc424041e6766dbadd46f6f3982d85e69049cc When connecting rpcclient, get the default values of the `verbose`, `fallback` and `delegate` options from API config rather than hard-code them. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 
When connecting rpcclient, get the default values of the `verbose`,
`fallback` and `delegate` options from API config rather than hard-code
them.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>