freeipa.git/ipaserver/install/server, branch cakeysfix FreeIPA patches Do not test anonymous PKINIT after install/upgrade 2017-04-28T08:38:12+00:00 Martin Babinsky mbabinsk@redhat.com 2017-04-25T17:12:51+00:00 960e361f68a3d7acd9bcf16ec6fe8f6d5376c4ae Local FAST armoring will now work regardless of PKINIT status so there is no need to explicitly test for working PKINIT. If there is, there should be a test case for that. https://pagure.io/freeipa/issue/6830 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Local FAST armoring will now work regardless of PKINIT status so there
is no need to explicitly test for working PKINIT. If there is, there
should be a test case for that.

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Upgrade: configure local/full PKINIT depending on the master status 2017-04-28T08:38:12+00:00 Martin Babinsky mbabinsk@redhat.com 2017-04-06T16:52:05+00:00 a194055c92c7ca4eba29323f990ec3b92026221b The upgrader has been modified to configure either local or full PKINIT depending on the CA status. Additionally, the new PKINIT configuration will be written to the master's KDC entry. https://pagure.io/freeipa/issue/6830 http://www.freeipa.org/page/V4/Kerberos_PKINIT Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
The upgrader has been modified to configure either local or full PKINIT
depending on the CA status. Additionally, the new PKINIT configuration
will be written to the master's KDC entry.

https://pagure.io/freeipa/issue/6830
http://www.freeipa.org/page/V4/Kerberos_PKINIT

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Stop requesting anonymous keytab and purge all references of it 2017-04-28T08:38:12+00:00 Martin Babinsky mbabinsk@redhat.com 2017-04-05T15:29:26+00:00 68c6a4d4e1340ce01bdc7ec5dd394604a3da7688 anonymous kinit using keytab never worked so we may safely remove all code that requests/uses it. https://pagure.io/freeipa/issue/6830 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
anonymous kinit using keytab never worked so we may safely remove all
code that requests/uses it.

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
server-install: No double Kerberos install 2017-04-19T12:00:38+00:00 Stanislav Laznicka slaznick@redhat.com 2017-04-18T15:14:27+00:00 25a33ce8b1c77b0d957772143affd7085757bccb When we're installing server with an external CA, the installation would have failed in the second step where it's passed the required CA cert file because it would have tried to perform the Kerberos installation for the second time. https://pagure.io/freeipa/issue/6757 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
When we're installing server with an external CA, the installation
would have failed in the second step where it's passed the required
CA cert file because it would have tried to perform the Kerberos
installation for the second time.

https://pagure.io/freeipa/issue/6757

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
replicainstall: better client install exception handling 2017-04-12T13:52:41+00:00 Stanislav Laznicka slaznick@redhat.com 2017-04-05T07:57:44+00:00 db84516d23d3a6e53e95881828d494fb80647602 The exception handling of client install inside replica installation was rather promiscuous, hungrily eating any possible exception thrown at it. Scoped down the try-except block and reduced its promiscuity. This change should improve the future development experience debugging this part of the code. https://pagure.io/freeipa/issue/6183 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The exception handling of client install inside replica installation
was rather promiscuous, hungrily eating any possible exception thrown
at it. Scoped down the try-except block and reduced its promiscuity.
This change should improve the future development experience debugging
this part of the code.

https://pagure.io/freeipa/issue/6183

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add the force-join option to replica install 2017-04-12T13:52:41+00:00 Stanislav Laznicka slaznick@redhat.com 2017-04-05T07:49:57+00:00 87051f51c695afa3e9ba072da7005cf1a4194668 When installing client from inside replica installation on DL1, it's possible that the client installation would fail and recommend using --force-join option which is not available in replica installer. Add the option there. https://pagure.io/freeipa/issue/6183 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
When installing client from inside replica installation on DL1,
it's possible that the client installation would fail and recommend
using --force-join option which is not available in replica installer.
Add the option there.

https://pagure.io/freeipa/issue/6183

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
server-install: remove broken no-pkinit check 2017-04-12T11:02:47+00:00 Stanislav Laznicka slaznick@redhat.com 2017-04-04T08:41:23+00:00 1160dc5d8bacea42a7ada45a10bf1019a3af5aca Don't check for no-pkinit option in case pkinit cert file was provided. Setting no-pkinit is prohibited in this case, so without this fix we have an impossible option-check if we want to provide an own pkinit certificate and private key. https://pagure.io/freeipa/issue/6807 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Don't check for no-pkinit option in case pkinit cert file was
provided. Setting no-pkinit is prohibited in this case, so without
this fix we have an impossible option-check if we want to provide
an own pkinit certificate and private key.

https://pagure.io/freeipa/issue/6807

Reviewed-By: Martin Basti <mbasti@redhat.com>
Create system users for FreeIPA services during package installation 2017-04-11T15:51:49+00:00 David Kupka dkupka@redhat.com 2017-04-11T09:43:40+00:00 a726e98f034347227765d7303a033a0538f5d8a1 Previously system users needed by FreeIPA server services was created during ipa-server-install. This led to problem when DBus policy was configured during package installation but the user specified in the policy didn't exist yet (and potentionally similar ones). Now the users will be created in package %pre section so all users freeipa-server package needs exist before any installation or configuration begins. Another possibility would be using systemd-sysusers(8) for this purpose but given that systemd is not available during container build the traditional approach is superior. Also dirsrv and pkiuser users are no longer created by FreeIPA instead it depends on 389ds and dogtag to create those users. https://pagure.io/freeipa/issue/6743 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Previously system users needed by FreeIPA server services was created during
ipa-server-install. This led to problem when DBus policy was configured during
package installation but the user specified in the policy didn't exist yet
(and potentionally similar ones). Now the users will be created in package %pre
section so all users freeipa-server package needs exist before any installation
or configuration begins.
Another possibility would be using systemd-sysusers(8) for this purpose but
given that systemd is not available during container build the traditional
approach is superior.
Also dirsrv and pkiuser users are no longer created by FreeIPA instead it
depends on 389ds and dogtag to create those users.

https://pagure.io/freeipa/issue/6743

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
install: request service certs after host keytab is set up 2017-04-07T16:53:15+00:00 Jan Cholasta jcholast@redhat.com 2017-04-07T05:44:21+00:00 181cb94e744c380a823b94d0d5ca088ab3dcca1c The certmonger renew agent and restart scripts use host keytab for authentication. When they are executed during a certmonger request before the host keytab is set up, the authentication will fail. Make sure all certmonger requests in the installer are done after the host keytab is set up. https://pagure.io/freeipa/issue/6757 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
The certmonger renew agent and restart scripts use host keytab for
authentication. When they are executed during a certmonger request before
the host keytab is set up, the authentication will fail.

Make sure all certmonger requests in the installer are done after the host
keytab is set up.

https://pagure.io/freeipa/issue/6757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
dsinstance, httpinstance: consolidate certificate request code 2017-04-07T16:53:15+00:00 Jan Cholasta jcholast@redhat.com 2017-04-07T05:43:09+00:00 ec52332229672f35af8db5aaf1ed2827a8dd5467 A different code path is used for DS and httpd certificate requests in replica promotion. This is rather unnecessary and makes the certificate request code not easy to follow. Consolidate the non-promotion and promotion code paths into one. https://pagure.io/freeipa/issue/6757 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
A different code path is used for DS and httpd certificate requests in
replica promotion. This is rather unnecessary and makes the certificate
request code not easy to follow.

Consolidate the non-promotion and promotion code paths into one.

https://pagure.io/freeipa/issue/6757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>