freeipa.git/client, branch coverity FreeIPA patches server uninstall fails to remove krb principals 2016-07-20T14:35:49+00:00 Florence Blanc-Renaud frenaud@redhat.com 2016-07-11T07:00:44+00:00 a0d90263d62f48f0c04b8b9e7da3aaa10201c3a0 This patch fixes the 3rd issue of ticket 6012: ipa-server-install --uninstall -U complains while removing Kerberos service principals from /etc/krb5.keytab ---- Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DOM-221.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero exit status 5 ---- This happens because the uninstaller performs the following sequence: 1/ restore pre-install files, including /etc/krb5.keytab At this point /etc/krb5.keytab does not contain any principal for IPA domain 2/ call ipa-client-install --uninstall, which in turns runs ipa-rmkeytab -k /etc/krb5.keytab -r <domain> to remove the principals. The fix ignores ipa-rmkeytab's exit code 5 (Principal name or realm not found in keytab) https://fedorahosted.org/freeipa/ticket/6012 Reviewed-By: Martin Basti <mbasti@redhat.com> 
This patch fixes the 3rd issue of ticket 6012:
ipa-server-install --uninstall -U
complains while removing Kerberos service principals from /etc/krb5.keytab
----
Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DOM-221.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero exit status 5
----

This happens because the uninstaller performs the following sequence:
1/ restore pre-install files, including /etc/krb5.keytab
At this point /etc/krb5.keytab does not contain any principal for
IPA domain
2/ call ipa-client-install --uninstall, which in turns runs
ipa-rmkeytab -k /etc/krb5.keytab -r <domain>
to remove the principals.

The fix ignores ipa-rmkeytab's exit code 5 (Principal name or realm not
found in keytab)

https://fedorahosted.org/freeipa/ticket/6012

Reviewed-By: Martin Basti <mbasti@redhat.com>
Create server and host certs with DNS altname 2016-07-19T12:18:04+00:00 Fraser Tweedale ftweedal@redhat.com 2015-12-07T05:14:28+00:00 b12db924143cd6828c596c0b8a261325f3f589f3 Currently server (HTTP / LDAP) certs are created without a Subject Alternative Name extension during server install, replica prepare and host enrolment, a potentially problematic violation of RFC 2818. Add the hostname as a SAN dNSName when these certs are created. (Certmonger adds an appropriate request extension when renewing the certificate, so nothing needs to be done for renewal). Fixes: https://fedorahosted.org/freeipa/ticket/4970 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.

Add the hostname as a SAN dNSName when these certs are created.

(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).

Fixes: https://fedorahosted.org/freeipa/ticket/4970
Reviewed-By: Petr Spacek <pspacek@redhat.com>
client-install: log exceptions from certmonger.request_cert 2016-07-01T11:33:49+00:00 Petr Spacek pspacek@redhat.com 2016-07-01T09:57:35+00:00 dc5b2eaa772fda5673b222bc9107cf5b85c1295d Reviewed-By: Martin Basti <mbasti@redhat.com> 
Reviewed-By: Martin Basti <mbasti@redhat.com>
Do not allow installation in FIPS mode 2016-06-29T14:17:27+00:00 Florence Blanc-Renaud frenaud@redhat.com 2016-06-27T08:23:14+00:00 3c40d3aa9e3d431be1e625aa91cdcbeffd0d1271 https://fedorahosted.org/freeipa/ticket/5761 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5761

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
client-install: do not fail if DNS times out during DNS update generation 2016-06-29T12:19:59+00:00 Petr Spacek pspacek@redhat.com 2016-06-28T16:13:58+00:00 1802f7a2258c793d11c7a9c2a4786cea42b9b058 https://fedorahosted.org/freeipa/ticket/5962 Reviewed-By: Martin Basti <mbasti@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5962

Reviewed-By: Martin Basti <mbasti@redhat.com>
client: Share validator and domain name normalization with server install 2016-06-28T12:14:32+00:00 Petr Spacek pspacek@redhat.com 2016-06-27T12:00:01+00:00 8b12ef50e1c016a5a025cf2a69271f769b585a03 https://fedorahosted.org/freeipa/ticket/5976 Reviewed-By: Martin Basti <mbasti@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5976

Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa-rmkeytab, ipa-join: don't fail if init of gettext failed 2016-06-27T10:34:18+00:00 Martin Basti mbasti@redhat.com 2016-06-24T15:34:02+00:00 a07030f3867168969d32f0f46e792ae0697529bc If locale setting was incorect, gettext failed to initialize and scripts failed. this commit replaces error exit with warning message. (Better to have untranslated output than fail) https://fedorahosted.org/freeipa/ticket/5973 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
If locale setting was incorect, gettext failed to initialize and scripts
failed. this commit replaces error exit with warning message. (Better to
have untranslated output than fail)

https://fedorahosted.org/freeipa/ticket/5973

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Increase ipa-getkeytab LDAP timeout to 100sec 2016-06-27T07:33:02+00:00 Martin Basti mbasti@redhat.com 2016-06-23T14:49:32+00:00 deb99c11d4c0f7c5f68ed36b183f69281b2222f6 On slower machines, the original time 10s is not enough. Raising timeout to 100sec should help. https://fedorahosted.org/freeipa/ticket/5842 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
On slower machines, the original time 10s is not enough. Raising timeout
to 100sec should help.

https://fedorahosted.org/freeipa/ticket/5842

Reviewed-By: Petr Spacek <pspacek@redhat.com>
man: Decribe ipa-client-install workaround for broken D-Bus enviroment. 2016-06-09T11:08:46+00:00 David Kupka dkupka@redhat.com 2016-03-02T10:08:19+00:00 da5885b72a284811bda7ddd36b8716d71ac66bd9 https://fedorahosted.org/freeipa/ticket/5694 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5694

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Added krb5.conf.d/ to included dirs in krb5.conf 2016-06-05T07:47:13+00:00 Stanislav Laznicka slaznick@redhat.com 2016-05-27T14:12:31+00:00 2026677635c6d4b086670cb9d8f3570bd1b95c27 The include of /etc/krb5.conf.d/ is required for crypto-policies to work properly https://fedorahosted.org/freeipa/ticket/5912 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
The include of /etc/krb5.conf.d/ is required for crypto-policies to work properly

https://fedorahosted.org/freeipa/ticket/5912

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>