freeipa.git/install/tools, branch mindatefix FreeIPA patches ipa-compat-manage: use server API to retrieve plugin status 2016-07-12T08:59:59+00:00 Martin Babinsky mbabinsk@redhat.com 2016-07-11T08:46:34+00:00 a5efeb449bba47dd430a7b8ffa594ace189252f4 https://fedorahosted.org/freeipa/ticket/6033 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
https://fedorahosted.org/freeipa/ticket/6033

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipa-nis-manage: Use server API to retrieve plugin status 2016-07-12T08:53:03+00:00 Martin Babinsky mbabinsk@redhat.com 2016-07-04T11:33:10+00:00 c5cc79f1ad2ef1eb81ad3d9cea2882a7ae1825b2 https://fedorahosted.org/freeipa/ticket/6027 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
https://fedorahosted.org/freeipa/ticket/6027

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add option --no-log for ipa-replica-conncheck script 2016-07-01T07:05:33+00:00 Martin Basti mbasti@redhat.com 2016-06-30T09:21:34+00:00 4ce0258c235c985e07a19d291bd699720d9ef1bf When option is sued, ipa-replica-conncheck will not log into file https://fedorahosted.org/freeipa/ticket/5757 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
When option is sued, ipa-replica-conncheck will not log into file

https://fedorahosted.org/freeipa/ticket/5757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Fix replica install with CA 2016-06-30T11:18:51+00:00 Martin Basti mbasti@redhat.com 2016-06-29T17:49:43+00:00 a155f692e7ad7807a5ea28250d1e72b3e821991e The incorrect api was used, and CA record updated was duplicated. https://fedorahosted.org/freeipa/ticket/5966 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
The incorrect api was used, and CA record updated was duplicated.

https://fedorahosted.org/freeipa/ticket/5966

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Do not allow installation in FIPS mode 2016-06-29T14:17:27+00:00 Florence Blanc-Renaud frenaud@redhat.com 2016-06-27T08:23:14+00:00 3c40d3aa9e3d431be1e625aa91cdcbeffd0d1271 https://fedorahosted.org/freeipa/ticket/5761 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5761

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
DNS Locations: hide option --no-msdcs in adtrust-install 2016-06-27T11:35:00+00:00 Martin Basti mbasti@redhat.com 2016-06-21T16:17:55+00:00 218734ba5ac3326daaf1097ef98217f6c86f526c Since DNS location mechanism is active, this option has no effect, because records are generate dynamically. https://fedorahosted.org/freeipa/ticket/2008 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
Since DNS location mechanism is active, this option has no effect,
because records are generate dynamically.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Fix to ipa-ca-install asking for host principal password 2016-06-23T10:26:20+00:00 Stanislav Laznicka slaznick@redhat.com 2016-06-22T14:08:49+00:00 0db48e4d04b3b8377667b388b88f2fe9f57bf4a3 With a ca_cert_file specified in options, the nss_db was used before the certificates from the file were added to it, which caused an exception that led to fallback to ssh which is broken. https://fedorahosted.org/freeipa/ticket/5965 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
With a ca_cert_file specified in options, the nss_db was used before the
certificates from the file were added to it, which caused an exception
that led to fallback to ssh which is broken.

https://fedorahosted.org/freeipa/ticket/5965

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa-replica-manage: use `server_del` when removing domain level 1 replica 2016-06-17T16:55:19+00:00 Martin Babinsky mbabinsk@redhat.com 2016-06-08T16:34:37+00:00 47decc9b843b1b1d292511bcc8a24f8ac85745c0 `ipa-replica-manage del` will now call `server_del` behind the scenes when a removal of replica from managed topology is requested. The existing removal options were mapped on the server_del options to maintain backwards compatibility with earlier versions. https://fedorahosted.org/freeipa/ticket/5588 Reviewed-By: Martin Basti <mbasti@redhat.com> 
`ipa-replica-manage del` will now call `server_del` behind the scenes when a
removal of replica from managed topology is requested. The existing removal
options were mapped on the server_del options to maintain backwards
compatibility with earlier versions.

https://fedorahosted.org/freeipa/ticket/5588

Reviewed-By: Martin Basti <mbasti@redhat.com>
delegate removal of master DNS record and replica keys to separate functions 2016-06-17T16:55:19+00:00 Martin Babinsky mbabinsk@redhat.com 2016-06-08T16:22:57+00:00 db882ae8d6eba768e08be9317e386f8ab3c8fcf7 https://fedorahosted.org/freeipa/ticket/5588 Reviewed-By: Martin Basti <mbasti@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5588

Reviewed-By: Martin Basti <mbasti@redhat.com>
Always qualify requests for admin in ipa-replica-conncheck 2016-06-17T15:31:08+00:00 Florence Blanc-Renaud frenaud@redhat.com 2016-06-01T15:42:48+00:00 4a7345e44804cf14f664814a2ab60f7a43ffa4ee ipa-replica-conncheck connects to the master using an SSH command: ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \ -o GSSAPIAuthentication=yes <principal>@<master hostname> \ echo OK The issue is that the principal name is not fully qualified (for instance 'admin' is used, even if ipa-replica-conncheck was called with --principal admin@EXAMPLE.COM). When the FreeIPA server is running with a /etc/sssd/sssd.conf containing [sssd] default_domain_suffix = ad.domain.com this leads to the SSH connection failure because admin is not defined in the default domain. The fix uses the fully qualified principal name, and calls ssh with ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \ -o GSSAPIAuthentication=yes -o User=<principal> \ <master hostname> echo OK to avoid syntax issues with admin@DOMAIN@master https://fedorahosted.org/freeipa/ticket/5812 Reviewed-By: Martin Basti <mbasti@redhat.com> 
ipa-replica-conncheck connects to the master using an SSH command:
ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
    -o GSSAPIAuthentication=yes <principal>@<master hostname> \
    echo OK

The issue is that the principal name is not fully qualified (for instance
'admin' is used, even if ipa-replica-conncheck was called with
--principal admin@EXAMPLE.COM).
When the FreeIPA server is running with a /etc/sssd/sssd.conf containing
    [sssd]
    default_domain_suffix = ad.domain.com
this leads to the SSH connection failure because admin is not defined in
the default domain.

The fix uses the fully qualified principal name, and calls ssh with
ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
    -o GSSAPIAuthentication=yes -o User=<principal> \
    <master hostname> echo OK
to avoid syntax issues with admin@DOMAIN@master

https://fedorahosted.org/freeipa/ticket/5812

Reviewed-By: Martin Basti <mbasti@redhat.com>