freeipa.git/ipaclient/install, branch fix_ber_scanf FreeIPA patches Enable krb5 snippet updates on client update 2019-09-10T09:33:21+00:00 Robbie Harwood rharwood@redhat.com 2018-07-20T18:08:14+00:00 c7b938a1d5c20df24a2d8a62019c5341e0f26c63 Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Use tasks to configure automount nsswitch settings 2019-08-29T02:15:50+00:00 Rob Critenden rcritten@redhat.com 2019-08-16T18:10:15+00:00 41ef8fba31ddbb32e2e5b7cccdc9b582a0809111 authselect doesn't allow one to directly write to /etc/nsswitch.conf. It will complain bitterly if it detects it and will refuse to work until reset. Instead it wants the user to write to /etc/authselect/user-nsswitch.conf and then it will handle merging in any differences. To complicate matters some databases are not user configurable like passwd, group and of course, automount. There are some undocumented options to allow one to override these though so we utilize that. tasks are used so that authselect-based installations can still write directly to /etc/nsswitch.conf and operate as it used to. Reviewed-By: Francois Cami <fcami@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
authselect doesn't allow one to directly write to
/etc/nsswitch.conf. It will complain bitterly if it
detects it and will refuse to work until reset.

Instead it wants the user to write to
/etc/authselect/user-nsswitch.conf and then it will handle
merging in any differences.

To complicate matters some databases are not user configurable
like passwd, group and of course, automount. There are some
undocumented options to allow one to override these though so
we utilize that.

tasks are used so that authselect-based installations can still
write directly to /etc/nsswitch.conf and operate as it used to.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Move ipachangeconf from ipaclient.install to ipapython 2019-08-29T02:15:50+00:00 Rob Critenden rcritten@redhat.com 2019-08-16T18:10:05+00:00 e5af8c19a9e40fb3b96c56ace081f79980437fc2 This will let us call it from ipaplatform. Mark the original location as deprecated. Reviewed-By: Francois Cami <fcami@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
This will let us call it from ipaplatform.

Mark the original location as deprecated.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa-client-automount: always restore nsswitch.conf at uninstall time 2019-08-29T02:15:50+00:00 François Cami fcami@redhat.com 2019-08-14T19:47:31+00:00 b27ad6e9f956a2485eee09b647b45c4901a1f928 ipa-client-automount used to only restore nsswitch.conf when sssd was not used. However authselect's default profile is now sssd so always restore nsswitch.conf's automount configuration to 'files sssd'. Note that the behavior seen before commit: a0e846f56c8de3b549d1d284087131da13135e34 would always restore nsswitch.conf to the previous state which in some cases was wrong. Fixes: https://pagure.io/freeipa/issue/8038 Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Francois Cami <fcami@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
ipa-client-automount used to only restore nsswitch.conf when sssd was not
used. However authselect's default profile is now sssd so always restore
nsswitch.conf's automount configuration to 'files sssd'.
Note that the behavior seen before commit:
a0e846f56c8de3b549d1d284087131da13135e34
would always restore nsswitch.conf to the previous state which in some cases
was wrong.

Fixes: https://pagure.io/freeipa/issue/8038
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa-client-samba: remove state on uninstall 2019-07-26T08:49:54+00:00 François Cami fcami@redhat.com 2019-07-24T07:41:19+00:00 cd2cbaecfce6b7b607619b34503b62c8afbbe594 The "domain_member" state was not removed at uninstall time. Remove it so that future invocations of ipa-client-samba work. Fixes: https://pagure.io/freeipa/issue/8021 Signed-off-by: François Cami <fcami@redhat.com> https://pagure.io/freeipa/issue/8021 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Sergey Orlov <sorlov@redhat.com> 
The "domain_member" state was not removed at uninstall time.
Remove it so that future invocations of ipa-client-samba work.

Fixes: https://pagure.io/freeipa/issue/8021
Signed-off-by: François Cami <fcami@redhat.com>

https://pagure.io/freeipa/issue/8021

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
ipa-client-samba: remove and restore smb.conf only on first uninstall 2019-07-26T08:49:54+00:00 François Cami fcami@redhat.com 2019-07-23T20:25:38+00:00 5b65551b3107e46853afcc4901a60ea6e661a511 Fixes: https://pagure.io/freeipa/issue/8019 Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Sergey Orlov <sorlov@redhat.com> 
Fixes: https://pagure.io/freeipa/issue/8019
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
ipa-client-samba: a tool to configure Samba domain member on IPA client 2019-06-29T08:00:28+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-05-18T11:54:48+00:00 814592cf2218956893baa2272101fffa93abb465 Introduces new utility to configure Samba on an IPA domain member. The tool sets up Samba configuration and internal databases, creates cifs/... Kerberos service and makes sure that a keytab for this service contains the key with the same randomly generated password that is set in the internal Samba databases. Samba configuration is created by querying an IPA master about details of trust to Active Directory configuration. All known identity ranges added to the configuration to allow Samba to properly handle them (read-only) via idmap_sss. Resulting configuration allows connection with both NTLMSSP and Kerberos authentication for IPA users. Access controls for the shared content should be set by utilizing POSIX ACLs on the file system under a specific share. The utility is packaged as freeipa-client-samba package to allow pulling in all required dependencies for Samba and cifs.ko (smb3.ko) kernel module. This allows an IPA client to become both an SMB server and an SMB client. Fixes: https://pagure.io/freeipa/issue/3999 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Introduces new utility to configure Samba on an IPA domain member.

The tool sets up Samba configuration and internal databases, creates
cifs/... Kerberos service and makes sure that a keytab for this service
contains the key with the same randomly generated password that is set
in the internal Samba databases.

Samba configuration is created by querying an IPA master about details
of trust to Active Directory configuration. All known identity ranges
added to the configuration to allow Samba to properly handle them
(read-only) via idmap_sss.

Resulting configuration allows connection with both NTLMSSP and Kerberos
authentication for IPA users. Access controls for the shared content
should be set by utilizing POSIX ACLs on the file system under a
specific share.

The utility is packaged as freeipa-client-samba package to allow pulling
in all required dependencies for Samba and cifs.ko (smb3.ko) kernel
module. This allows an IPA client to become both an SMB server and an
SMB client.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa_client_automount.py and ipactl.py: fix codestyle 2019-06-28T08:53:07+00:00 François Cami fcami@redhat.com 2019-06-26T16:03:17+00:00 b49c627aa688e0eb1e9b34ff626f2a19aa4f6c3e Updating ipa_client_automount.py and ipactl.py's codestyle is mandatory to make pylint pass as these are considered new files. Fixes: https://pagure.io/freeipa/issue/7984 Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Updating ipa_client_automount.py and ipactl.py's codestyle is
mandatory to make pylint pass as these are considered new files.

Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Move ipa-client-automount.in and ipactl into modules 2019-06-28T08:53:07+00:00 François Cami fcami@redhat.com 2019-06-26T15:59:08+00:00 c0cf65c4f78bdb410a472f63b98870321fd751e1 Fixes: https://pagure.io/freeipa/issue/7984 Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Return 0 on uninstall when on_master for case of not installed 2019-06-07T09:24:45+00:00 Rob Crittenden rcritten@redhat.com 2019-06-04T16:18:46+00:00 c1c50650a7f359aa9fd77d4348c31169ca878003 This is to suppress the spurious error message: The ipa-client-install command failed. when the client is not configured. This is managed by allowing a ScriptError to return SUCCESS (0) and have this ignored in log_failure(). https://pagure.io/freeipa/issue/7836 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
This is to suppress the spurious error message:

The ipa-client-install command failed.

when the client is not configured.

This is managed by allowing a ScriptError to return SUCCESS (0)
and have this ignored in log_failure().

https://pagure.io/freeipa/issue/7836

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>