freeipa.git/install/tools/ipa-adtrust-install, branch mspac FreeIPA patches Warn user about realm-domain mismatch in install scripts 2013-10-03T10:02:44+00:00 Tomas Babej tbabej@redhat.com 2013-09-18T10:56:00+00:00 bae291def780c81144c8f4d71ced5007e1ee3867 If the IPA server is setup with non-matching domain and realm names, it will not be able to estabilish trust with the Active Directory. Adds warnings to the ipa-server-install and warning to the ipa-adtrust-install (which has to be confirmed). Man pages for the ipa-server-install and ipa-adtrust-install were updated with the relevant notes. https://fedorahosted.org/freeipa/ticket/3924 
If the IPA server is setup with non-matching domain and realm
names, it will not be able to estabilish trust with the Active
Directory.

Adds warnings to the ipa-server-install and warning to the
ipa-adtrust-install (which has to be confirmed).

Man pages for the ipa-server-install and ipa-adtrust-install were
updated with the relevant notes.

https://fedorahosted.org/freeipa/ticket/3924
ipa-adtrust-install: configure compatibility tree to serve trusted domain users 2013-07-18T15:56:30+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-07-15T16:13:50+00:00 e95a7b1b8db9fb12c25fd371cac627352c5e93fb Enables support for trusted domains users for old clients through Schema Compatibility plugin. SSSD supports trusted domains natively starting with version 1.9 platform. For platforms that lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi-nis package needs to be installed and schema-compat-plugin will be configured to provide lookup of users and groups from trusted domains via SSSD on IPA server. These users and groups will be available under cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and groups to lower case. In addition to providing these users and groups through the compat tree, this option enables authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX. This authentication is related to PAM stack using 'system-auth' PAM service. If you have disabled HBAC rule 'allow_all', then make sure there is special service called 'system-auth' created and HBAC rule to allow access to anyone to this rule on IPA masters is added. Please note that system-auth PAM service is not used directly by any other application, therefore it is safe to create one specifically to support trusted domain users via compatibility path. https://fedorahosted.org/freeipa/ticket/3567 
Enables  support  for  trusted  domains  users  for old clients through Schema
Compatibility plugin.  SSSD supports trusted domains natively starting with
version 1.9 platform. For platforms that lack SSSD or run older SSSD version
one needs  to  use  this  option.  When  enabled, slapi-nis  package  needs  to
be  installed  and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and
groups will be available under  cn=users,cn=compat,$SUFFIX  and
cn=groups,cn=compat,$SUFFIX trees.  SSSD will normalize names of users and
groups to lower case.

In  addition  to  providing  these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with DN
under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

This authentication  is related to  PAM  stack  using  'system-auth' PAM
service. If you have disabled HBAC rule 'allow_all', then make sure there is
special service called 'system-auth' created and HBAC rule to allow access to
anyone to this rule on IPA masters is added. Please note that system-auth PAM
service is  not used directly by any other application, therefore it is safe to
create one specifically to support trusted domain users via compatibility path.

https://fedorahosted.org/freeipa/ticket/3567
Use default NETBIOS name in unattended ipa-adtrust-install 2013-03-22T14:05:59+00:00 Ana Krivokapic akrivoka@redhat.com 2013-03-12T15:12:56+00:00 c2034805d323dcf505042d03dbd801561aa64ed3 Unattended ipa-adtrust-install used to fail if --netbios option was not provided. This patches fixes this, so that instead of failing the default NETBIOS name is used. https://fedorahosted.org/freeipa/ticket/3497 
Unattended ipa-adtrust-install used to fail if --netbios option
was not provided. This patches fixes this, so that instead of
failing the default NETBIOS name is used.

https://fedorahosted.org/freeipa/ticket/3497
Remove some unused imports 2013-03-01T15:59:42+00:00 Petr Viktorin pviktori@redhat.com 2013-01-10T11:14:15+00:00 c0a89efd6852bfd07dec4c8b1e74f0e927e7fdd8 Remove all unused LDAP-related imports, plus some other ones. This should make it easier to quickly check what uses which LDAP wrapper 
Remove all unused LDAP-related imports, plus some other ones.

This should make it easier to quickly check what uses which LDAP wrapper
ipa-adtrust-install should ask for SID generation 2013-02-12T16:28:42+00:00 Martin Kosek mkosek@redhat.com 2013-01-31T14:08:08+00:00 45c0dd7448caeb86bcdf3edf624ac15efbbf2ac2 When ipa-adtrust-install is run, check if there are any objects that need have SID generated. If yes, interactively ask the user if the sidgen task should be run. https://fedorahosted.org/freeipa/ticket/3195 
When ipa-adtrust-install is run, check if there are any objects
that need have SID generated. If yes, interactively ask the user
if the sidgen task should be run.

https://fedorahosted.org/freeipa/ticket/3195
Use fully qualified CCACHE names 2013-02-01T07:13:50+00:00 Martin Kosek mkosek@redhat.com 2013-01-31T16:18:35+00:00 893064f6132a9cbcfa35f6eca8964c69caad533e Some parts of install scripts used only ccache name as returned by krbV.CCache.name attribute. However, when this name is used again to initialize krbV.CCache object or when it is used in KRB5CCNAME environmental variable, it fails for new DIR type of CCACHE. We should always use both CCACHE type and name when referring to them to avoid these crashes. ldap2 backend was also updated to accept directly krbV.CCache object which contains everything we need to authenticate with ccache. https://fedorahosted.org/freeipa/ticket/3381 
Some parts of install scripts used only ccache name as returned by
krbV.CCache.name attribute. However, when this name is used again
to initialize krbV.CCache object or when it is used in KRB5CCNAME
environmental variable, it fails for new DIR type of CCACHE.

We should always use both CCACHE type and name when referring to
them to avoid these crashes. ldap2 backend was also updated to
accept directly krbV.CCache object which contains everything we need
to authenticate with ccache.

https://fedorahosted.org/freeipa/ticket/3381
Fix a typo in ipa-adtrust-install help 2013-01-31T13:11:30+00:00 Tomas Babej tbabej@redhat.com 2013-01-31T12:58:48+00:00 0beaad9686c7b473eaf216219d4cefbf966dd416 "Add SIDs for existing users andgroups as the final step" changed to "Add SIDs for existing users and groups as the final step". 
"Add SIDs for existing users andgroups as the final step" changed
to "Add SIDs for existing users and groups as the final step".
ipa-adtrust-install: allow to reset te NetBIOS domain name 2012-11-08T07:18:14+00:00 Sumit Bose sbose@redhat.com 2012-10-29T20:43:56+00:00 b204881ab989aa8287897711358189b687fb3996 Fixes https://fedorahosted.org/freeipa/ticket/3192 
Fixes https://fedorahosted.org/freeipa/ticket/3192
Add SIDs for existing users and groups at the end of ipa-adtrust-install 2012-10-05T02:15:36+00:00 Sumit Bose sbose@redhat.com 2012-10-02T20:11:17+00:00 58a99dd5ac5755cb02feb0feecb18d294eaa805c Fixes https://fedorahosted.org/freeipa/ticket/3104 
Fixes https://fedorahosted.org/freeipa/ticket/3104
ipa-adtrust-install: remove wrong check for dm_password 2012-10-04T11:05:48+00:00 Sumit Bose sbose@redhat.com 2012-10-04T09:37:45+00:00 a72064c3778f20da04fb664459782b4d4ecba473 Additionally this patch removes a comment which makes no sense at this place anymore. Fixes https://fedorahosted.org/freeipa/ticket/3023 
Additionally this patch removes a comment which makes no sense at this
place anymore.

Fixes https://fedorahosted.org/freeipa/ticket/3023