freeipa.git/ipaserver/install, branch replica_kdc FreeIPA patches Configure KDC to use certs after they are deployed 2017-03-09T17:49:54+00:00 Simo Sorce simo@redhat.com 2017-03-09T17:49:54+00:00 d9fb5cb52b9450f6ac514b75ec4b74ec3d30affa Certmonger needs to access the KDC when it tries to obtain certs, so make sure the KDC can run, then reconfigure it to use pkinit anchors once certs are deployed. Signed-off-by: Simo Sorce <simo@redhat.com> 
Certmonger needs to access the KDC when it tries to obtain certs,
so make sure the KDC can run, then reconfigure it to use pkinit anchors
once certs are deployed.

Signed-off-by: Simo Sorce <simo@redhat.com>
backup: backup anonymous keytab 2017-03-09T17:22:34+00:00 Martin Basti mbasti@redhat.com 2017-03-09T16:25:49+00:00 8fb61a55fe32438752567bde8af73d6b8230a386 Freeipa stops working without anon keytab https://pagure.io/freeipa/issue/5959 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Freeipa stops working without anon keytab

https://pagure.io/freeipa/issue/5959

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
server install: require IPv6 stack to be enabled 2017-03-09T15:50:21+00:00 Tomas Krizek tkrizek@redhat.com 2017-03-07T12:54:41+00:00 ecb450308d0a49afffb31dda1e405ad40552e70e Add checks to install and replica install to verify IPv6 stack is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...). https://pagure.io/freeipa/issue/6608 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Add checks to install and replica install to verify IPv6 stack
is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...).

https://pagure.io/freeipa/issue/6608

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
KRA: add --setup-kra to ipa-server-install 2017-03-08T14:50:30+00:00 Martin Basti mbasti@redhat.com 2017-03-02T16:08:59+00:00 4006cbbc02c368ac9e5e3721613158decb34fd37 This patch allows to install KRA on first IPA server in one step using ipa-server-install This option improves containers installation where ipa-server can be installed with KRA using one call without need to call docker exec. Please note the the original `kra.install()` calls in ipaserver/install/server/install.py were empty operations as it did nothing, so it is safe to move them out from CA block https://pagure.io/freeipa/issue/6731 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
This patch allows to install KRA on first IPA server in one step using
ipa-server-install

This option improves containers installation where ipa-server can be
installed with KRA using one call without need to call docker exec.

Please note the the original `kra.install()` calls in
ipaserver/install/server/install.py were empty operations as it did
nothing, so it is safe to move them out from CA block

https://pagure.io/freeipa/issue/6731

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Use https to get security domain from Dogtag 2017-03-03T12:33:51+00:00 Christian Heimes cheimes@redhat.com 2017-02-24T12:00:25+00:00 d1c5d92897d3e262edd2e43295c1270590aebd3d Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Support for Certificate Identity Mapping 2017-03-02T14:09:42+00:00 Florence Blanc-Renaud flo@redhat.com 2016-12-20T15:21:58+00:00 9e24918c89f30a6d7064844dc0dd848bb35140df See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com> 
See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Cleanup certdb 2017-03-02T13:45:00+00:00 Christian Heimes cheimes@redhat.com 2017-02-09T13:55:45+00:00 22d7492c94837342a559c368454c223f566490ac * use with statement to open/close files * prefer fchmod/fchown when a file descriptor is available * set permission before data is written to file Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
* use with statement to open/close files
* prefer fchmod/fchown when a file descriptor is available
* set permission before data is written to file

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
server install: do not attempt to issue PKINIT cert in CA-less 2017-03-02T09:10:22+00:00 Jan Cholasta jcholast@redhat.com 2017-03-01T15:43:20+00:00 ba3c201a03cd0b224b43e45245147e48b7291f9f Require the user to provide the PKINIT cert with --pkinit-cert-file or disable PKINIT with --no-pkinit in CA-less ipa-server-install, ipa-replica-prepare and ipa-replica-install. Do not attempt to issue the PKINIT cert in CA-less ipa-server-upgrade. https://pagure.io/freeipa/issue/5678 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Require the user to provide the PKINIT cert with --pkinit-cert-file or
disable PKINIT with --no-pkinit in CA-less ipa-server-install,
ipa-replica-prepare and ipa-replica-install.

Do not attempt to issue the PKINIT cert in CA-less ipa-server-upgrade.

https://pagure.io/freeipa/issue/5678

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix CA-less upgrade 2017-03-01T15:38:43+00:00 Stanislav Laznicka slaznick@redhat.com 2017-03-01T14:40:10+00:00 a7c8077ce8f72eee26e8f5d4362239313ffdae3d In CA-less mode there's no /etc/pki/pki-tomcat/password.conf so it does not make sense to try to create a password file for an NSS database from it (the NSS database does not exist either). https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
In CA-less mode there's no /etc/pki/pki-tomcat/password.conf so it
does not make sense to try to create a password file for an NSS
database from it (the NSS database does not exist either).

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Merge AD trust configurator into replica installer 2017-03-01T14:55:45+00:00 Martin Babinsky mbabinsk@redhat.com 2017-02-17T12:51:00+00:00 eee319dba12a6ab7daa06ca0d7d8ac8fc754f961 `ipa-replica-install` is now able to configure Samba and winbind services in order to manage Active Directory trusts. `--add-agents` option is exposed in replica installer, while `--add-sids` now defaults to `False` since adding a first AD trust controller to an existing sizeable deployment can result in stuck installation as sidgen tasks can take a long time to complete. That's why adding SIDs should be a conscious decision in this case. https://fedorahosted.org/freeipa/ticket/6630 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
`ipa-replica-install` is now able to configure Samba and winbind
services in order to manage Active Directory trusts. `--add-agents`
option is exposed in replica installer, while `--add-sids` now defaults
to `False` since adding a first AD trust controller to an existing
sizeable deployment can result in stuck installation as sidgen tasks can
take a long time to complete. That's why adding SIDs should be a
conscious decision in this case.

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>