freeipa.git/client/man, branch fix_ber_scanf FreeIPA patches Replace replication_wait_timeout with certmonger_wait_timeout 2019-09-04T12:52:14+00:00 Rob Crittenden rcritten@redhat.com 2019-07-05T17:31:32+00:00 faf34fcdfd78208726e3e8586186f34e7c44d732 The variable is intended to control the timeout for replication events. If someone had significantly reduced it via configuration then it could have caused certmogner requests to fail due to timeouts. Add replication_wait_timeout, certmonger_wait_timeout and http_timeout to the default.conf man page. Related: https://pagure.io/freeipa/issue/7971 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
The variable is intended to control the timeout for replication
events. If someone had significantly reduced it via configuration
then it could have caused certmogner requests to fail due to timeouts.

Add replication_wait_timeout, certmonger_wait_timeout and
http_timeout to the default.conf man page.

Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
ipa-client-samba: a tool to configure Samba domain member on IPA client 2019-06-29T08:00:28+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-05-18T11:54:48+00:00 814592cf2218956893baa2272101fffa93abb465 Introduces new utility to configure Samba on an IPA domain member. The tool sets up Samba configuration and internal databases, creates cifs/... Kerberos service and makes sure that a keytab for this service contains the key with the same randomly generated password that is set in the internal Samba databases. Samba configuration is created by querying an IPA master about details of trust to Active Directory configuration. All known identity ranges added to the configuration to allow Samba to properly handle them (read-only) via idmap_sss. Resulting configuration allows connection with both NTLMSSP and Kerberos authentication for IPA users. Access controls for the shared content should be set by utilizing POSIX ACLs on the file system under a specific share. The utility is packaged as freeipa-client-samba package to allow pulling in all required dependencies for Samba and cifs.ko (smb3.ko) kernel module. This allows an IPA client to become both an SMB server and an SMB client. Fixes: https://pagure.io/freeipa/issue/3999 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Introduces new utility to configure Samba on an IPA domain member.

The tool sets up Samba configuration and internal databases, creates
cifs/... Kerberos service and makes sure that a keytab for this service
contains the key with the same randomly generated password that is set
in the internal Samba databases.

Samba configuration is created by querying an IPA master about details
of trust to Active Directory configuration. All known identity ranges
added to the configuration to allow Samba to properly handle them
(read-only) via idmap_sss.

Resulting configuration allows connection with both NTLMSSP and Kerberos
authentication for IPA users. Access controls for the shared content
should be set by utilizing POSIX ACLs on the file system under a
specific share.

The utility is packaged as freeipa-client-samba package to allow pulling
in all required dependencies for Samba and cifs.ko (smb3.ko) kernel
module. This allows an IPA client to become both an SMB server and an
SMB client.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-client-automount: add knob to configure NFSv4 Domain (idmapd.conf) 2019-05-06T15:46:19+00:00 François Cami fcami@redhat.com 2019-05-03T08:49:28+00:00 660c4984c6281055752d74dc276fc39a07da324a ipa-client-automount assumes the NFS domain to be the same as the IPA domain. This is not always the case. This commit adds a --idmap-domain knob with the following behavior: - if not present, default to IDM domain (current behavior) - if equal to DNS (magic value), set nothing and let idmapd autodetect domain - otherwise set Domain in idmap.conf to the value passed by this parameter Fixes: https://pagure.io/freeipa/issue/7918 Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
ipa-client-automount assumes the NFS domain to be the same as the IPA domain.
This is not always the case.
This commit adds a --idmap-domain knob with the following behavior:
- if not present, default to IDM domain (current behavior)
- if equal to DNS (magic value), set nothing and let idmapd autodetect domain
- otherwise set Domain in idmap.conf to the value passed by this parameter

Fixes: https://pagure.io/freeipa/issue/7918
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Deprecate ipa-client-install --request-cert 2019-04-24T14:23:17+00:00 Christian Heimes cheimes@redhat.com 2019-04-23T13:57:28+00:00 411e6c37fbcb6ddc4c60b240ecaaa418401ac359 Mark the --request-cert option for ipa-client-install as deprecated. Users are encouraged to request a PEM certificate with certmonger instead. The option and /etc/ipa/nssdb will be removed in a future version. Related: https://pagure.io/freeipa/issue/7492 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Mark the --request-cert option for ipa-client-install as deprecated.
Users are encouraged to request a PEM certificate with certmonger
instead. The option and /etc/ipa/nssdb will be removed in a future
version.

Related: https://pagure.io/freeipa/issue/7492
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add interactive prompt for the LDAP bind password to ipa-getkeytab 2019-04-08T08:22:45+00:00 Rob Crittenden rcritten@redhat.com 2019-04-05T15:17:22+00:00 a241a81ba4fa489be4503828787e69adbf624fc0 This provides a mechanism to bind over LDAP without exposing the password on the command-line. https://pagure.io/freeipa/issue/631 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
This provides a mechanism to bind over LDAP without exposing
the password on the command-line.

https://pagure.io/freeipa/issue/631

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Return unique error when automount is already or not configured 2018-05-16T15:32:29+00:00 Rob Crittenden rcritten@redhat.com 2018-04-30T21:16:40+00:00 a0e846f56c8de3b549d1d284087131da13135e34 Use identical return codes as ipa-client-install when uninstalling ipa-client-automount and it is not configured, or when calling it again to return that is ias already configured. https://pagure.io/freeipa/issue/7396 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Tibor Dudlak <tdudlak@redhat.com> 
Use identical return codes as ipa-client-install when uninstalling
ipa-client-automount and it is not configured, or when calling
it again to return that is ias already configured.

https://pagure.io/freeipa/issue/7396

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Remove unnecessary option --force-chrony 2018-04-09T15:00:02+00:00 Tibor Dudlák tdudlak@redhat.com 2018-03-26T13:54:13+00:00 74c2b46cde5bd332bd2ea95854cdb6178c72857d FreeIPA will always force chrony service and disable any other conflicting time synchronization daemon. Add --ntp-server option to server manpage and note to NTP pool option. Addresses: https://pagure.io/freeipa/issue/7024 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
FreeIPA will always force chrony service and disable any
other conflicting time synchronization daemon.
Add --ntp-server option to server manpage and note to NTP pool option.

Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Remove NTP server role while upgrading 2018-04-09T15:00:02+00:00 Tibor Dudlák tdudlak@redhat.com 2018-03-23T14:32:14+00:00 dba87a47a7df092a1044c116ef9e7590ebdc8b62 Remove NTP server role from config.py. Remove uneccesary variables and replaced untrack_file with restore_file. Update typo in manpages and messages printed while installing. Resolves: https://pagure.io/freeipa/issue/7024 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Remove NTP server role from config.py.
Remove uneccesary variables and replaced untrack_file with restore_file.
Update typo in manpages and messages printed while installing.

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Removes NTP server role from servroles and description 2018-04-09T15:00:02+00:00 Tibor Dudlák tdudlak@redhat.com 2018-03-23T12:28:41+00:00 ece56ea69a24279d416ec2d6c13e06949001534a Resolves: https://pagure.io/freeipa/issue/7024 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Update man pages for FreeIPA client, replica and server install 2018-04-09T15:00:02+00:00 Tibor Dudlák tdudlak@redhat.com 2018-03-22T12:13:32+00:00 333acf1ab6dc710d05e1978f72775c77fbef00c7 Addresses: https://pagure.io/freeipa/issue/7024 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>