freeipa.git/ipaserver/install, branch fix_ber_scanf FreeIPA patches Add container environment check to replicainstall 2019-09-16T07:44:52+00:00 Tibor Dudlák tdudlak@redhat.com 2019-09-10T16:54:53+00:00 f1e20b45c5deeb25989c87a2d717bda5a31bb084 Inside the container environment master's IP address does not resolve to its name. Resolves: https://pagure.io/freeipa/issue/6210 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Inside the container environment master's IP address
does not resolve to its name.

Resolves: https://pagure.io/freeipa/issue/6210
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
adtrust: add default read_keys permission for TDO objects 2019-09-12T14:17:53+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-09-12T08:21:51+00:00 0be98884991ff14720dfce428e4f23ebc4a42311 If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys attribute values, it cannot be used by SSSD to retrieve TDO keys and the whole communication with Active Directory domain controllers will not be possible. This seems to affect trusts which were created before ipaAllowedToPerform;read_keys permission granting was introduced (FreeIPA 4.2). Add back the default setting for the permissions which grants access to trust agents and trust admins. Resolves: https://pagure.io/freeipa/issue/8067 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.

This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permissions which
grants access to trust agents and trust admins.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
add default access control when migrating trust objects 2019-09-12T14:17:53+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-09-10T10:39:39+00:00 9aeb6bae23dc21b97dbd784f8d954ee0dcde1d8f It looks like for some cases we do not have proper set up keytab retrieval configuration in the old trusted domain object. This mostly affects two-way trust cases. In such cases, create default configuration as ipasam would have created when trust was established. Resolves: https://pagure.io/freeipa/issue/8067 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
It looks like for some cases we do not have proper set up keytab
retrieval configuration in the old trusted domain object. This mostly
affects two-way trust cases. In such cases, create default configuration
as ipasam would have created when trust was established.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Move certauth configuration into a server krb5.conf template 2019-09-10T09:33:21+00:00 Robbie Harwood rharwood@redhat.com 2019-04-11T22:11:06+00:00 39e3704a0679d117f5145044e73726175a8f600b Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
adtrust: avoid using timestamp in klist output 2019-09-10T09:25:07+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-09-09T08:02:29+00:00 80e4c18b75af989d5839aba7e6a1efc06da16f81 When parsing a keytab to copy keys to a different keytab, we don't need the timestamp, so don't ask klist to output it. In some locales (en_IN, for example), the timestamp is output in a single field without a space between date and time. In other locales it can be represented with date and time separated by a space. Fixes: https://pagure.io/freeipa/issue/8066 Reviewed-By: Thomas Woerner <twoerner@redhat.com> 
When parsing a keytab to copy keys to a different keytab, we don't need
the timestamp, so don't ask klist to output it. In some locales (en_IN,
for example), the timestamp is output in a single field without a space
between date and time. In other locales it can be represented with date
and time separated by a space.

Fixes: https://pagure.io/freeipa/issue/8066
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Add missing timeout option to logging statement 2019-09-05T07:15:23+00:00 Rob Crittenden rcritten@redhat.com 2019-09-04T15:22:17+00:00 5db48f151ba4aef2baebc40a4d357403a922d362 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Log dogtag auth timeout in install, provide hint to increase it 2019-09-04T12:52:14+00:00 Rob Crittenden rcritten@redhat.com 2019-07-05T18:15:32+00:00 adf2eab26309fb3ce0c2e2dbb0593f64bcd3d475 There is a loop which keeps trying to bind as the admin user which will fail until it is replicated. In the case where there is a lot to replicate the default 5 minute timeout may be insufficient. Provide a hint for tuning. Fixes: https://pagure.io/freeipa/issue/7971 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
There is a loop which keeps trying to bind as the admin user
which will fail until it is replicated.

In the case where there is a lot to replicate the default
5 minute timeout may be insufficient. Provide a hint for
tuning.

Fixes: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Log the replication wait timeout for debugging purposes 2019-09-04T12:52:14+00:00 Rob Crittenden rcritten@redhat.com 2019-07-05T18:14:53+00:00 54035982e5850ec59611798a9e172a044969106f Related: https://pagure.io/freeipa/issue/7971 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Replace replication_wait_timeout with certmonger_wait_timeout 2019-09-04T12:52:14+00:00 Rob Crittenden rcritten@redhat.com 2019-07-05T17:31:32+00:00 faf34fcdfd78208726e3e8586186f34e7c44d732 The variable is intended to control the timeout for replication events. If someone had significantly reduced it via configuration then it could have caused certmogner requests to fail due to timeouts. Add replication_wait_timeout, certmonger_wait_timeout and http_timeout to the default.conf man page. Related: https://pagure.io/freeipa/issue/7971 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
The variable is intended to control the timeout for replication
events. If someone had significantly reduced it via configuration
then it could have caused certmogner requests to fail due to timeouts.

Add replication_wait_timeout, certmonger_wait_timeout and
http_timeout to the default.conf man page.

Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Move ipachangeconf from ipaclient.install to ipapython 2019-08-29T02:15:50+00:00 Rob Critenden rcritten@redhat.com 2019-08-16T18:10:05+00:00 e5af8c19a9e40fb3b96c56ace081f79980437fc2 This will let us call it from ipaplatform. Mark the original location as deprecated. Reviewed-By: Francois Cami <fcami@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
This will let us call it from ipaplatform.

Mark the original location as deprecated.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>