summaryrefslogtreecommitdiffstats
path: root/ipa-client/ipa-install
Commit message (Collapse)AuthorAgeFilesLines
* Clarify host name output in ipa-client-installPetr Spacek2015-06-051-1/+1
| | | | | | Proposed by Tomas Capek Reviewed-By: Martin Basti <mbasti@redhat.com>
* client-install: Fix kinits with non-default Kerberos config fileJan Cholasta2015-05-211-1/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4808 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* suppress errors arising from deleting non-existent files during client uninstallMartin Babinsky2015-04-291-18/+22
| | | | | | | | | | | When rolling back partially configured IPA client a number of OSErrors pop up due to uninstaller trying to remove files that do not exist anymore. This patch supresses these errors while keeping them in log as debug messages. https://fedorahosted.org/freeipa/ticket/4966 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa client: use NTP servers specified by userMartin Basti2015-04-241-9/+15
| | | | | | | | NTP servers specified by user should be used to synchronize time. https://fedorahosted.org/freeipa/ticket/4983 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa client: use NTP servers detected from SRVMartin Basti2015-04-241-1/+8
| | | | | | | | | Detected NTP servers from SRV records should be used in NTP client configuration. https://fedorahosted.org/freeipa/ticket/4981 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa client: make --ntp-server option multivaluedMartin Basti2015-04-241-8/+11
| | | | | | | | There can be more ntp servers in ntp.conf Required for ticket: https://fedorahosted.org/freeipa/ticket/4981 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Adopted kinit_keytab and kinit_password for kerberos authMartin Babinsky2015-04-201-3/+5
| | | | | | | | | Calls to ipautil.run using kinit were replaced with calls kinit_keytab/kinit_password functions implemented in the PATCH 0015. Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* ipa-client-install: try to get host TGT several times before giving upMartin Babinsky2015-04-201-29/+40
| | | | | | | | | | | | | | New option '--kinit-attempts' enables the host to make multiple attempts to obtain host TGT from master before giving up and aborting client installation. In addition, all kinit attempts were replaced by calls to 'ipautil.kinit_keytab' and 'ipautil.kinit_password'. https://fedorahosted.org/freeipa/ticket/4808 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Add message for skipping NTP configuration during client installGabe2015-04-141-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/3092 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Skip time sync during client install when using --no-ntpNathan Kinder2015-03-261-1/+2
| | | | | | | | | | When --no-ntp is specified during ipa-client-install, we still attempt to perform a time sync before obtaining a TGT from the KDC. We should not be attempting to sync time with the KDC if we are explicitly told to not configure ntp. Ticket: https://fedorahosted.org/freeipa/ticket/4842 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* client: Fix ca_is_enabled callsJan Cholasta2015-03-191-2/+2
| | | | | | | | | The command was added in API version 2.107. Old IPA servers may crash with NetworkError on ca_is_enabled, handle this case gracefully. https://fedorahosted.org/freeipa/ticket/4565 Reviewed-By: David Kupka <dkupka@redhat.com>
* client-install: Do not crash on invalid CA certificate in LDAPJan Cholasta2015-03-191-4/+13
| | | | | | | | | When CA certificates in LDAP are corrupted, use the otherwise acquired CA certificates from before. https://fedorahosted.org/freeipa/ticket/4565 Reviewed-By: David Kupka <dkupka@redhat.com>
* Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.David Kupka2015-03-051-2/+8
| | | | | | | | | | | ipa-client-automount is run after ipa-client-install so the CA certificate should be available. If the certificate is not available and ipadiscovery.ipacheckldap returns NO_TLS_LDAP warn user and try to continue. https://fedorahosted.org/freeipa/ticket/4902 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Use dyndns_update instead of deprecated sssd optionMartin Basti2015-01-281-1/+1
| | | | | | | | | ipa_dyndns_update is deprecated in SSSD, dyndns_update should be used instead. https://fedorahosted.org/freeipa/ticket/4849 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Prefer TCP connections to UDP in krb5 clientsNathaniel McCallum2014-12-081-0/+1
| | | | | | | | | | | | | | In general, TCP is a better fit for FreeIPA due to large packet sizes. However, there is also a specific need for TCP when using OTP. If a UDP packet is delivered to the server and the server takes longer to process it than the client timeout (likely), the OTP value will be resent. Unfortunately, this will cause failures or even lockouts. Switching to TCP avoids this problem altogether. https://fedorahosted.org/freeipa/ticket/4725 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* No explicit zone specification.Jan Pazdziora2014-12-051-6/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4780 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove trivial path constants from modulesGabe2014-11-042-44/+35
| | | | | | https://fedorahosted.org/freeipa/ticket/4399 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Check LDAP instead of local configuration to see if IPA CA is enabledJan Cholasta2014-10-171-13/+20
| | | | | | | | The check is done using a new hidden command ca_is_enabled. https://fedorahosted.org/freeipa/ticket/4621 Reviewed-By: David Kupka <dkupka@redhat.com>
* Add ipa-client-install switch --request-cert to request cert for the hostJan Cholasta2014-10-161-12/+93
| | | | | | | | | The certificate is stored in /etc/ipa/nssdb under the nickname "Local IPA host". https://fedorahosted.org/freeipa/ticket/4550 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Use /etc/ipa/nssdb to get nicknames of IPA certs installed in /etc/pki/nssdbJan Cholasta2014-09-301-57/+21
| | | | | | | | | Previously a list of nicknames was kept in /etc/pki/nssdb/ipa.txt. The file is removed now. https://fedorahosted.org/freeipa/ticket/3259 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Use NSSDatabase instead of direct certutil calls in client codeJan Cholasta2014-09-301-38/+12
| | | | | | https://fedorahosted.org/freeipa/ticket/4416 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Introduce NSS database /etc/ipa/nssdbJan Cholasta2014-09-301-62/+97
| | | | | | | | | | This is the new default NSS database for IPA. /etc/pki/nssdb is still maintained for backward compatibility. https://fedorahosted.org/freeipa/ticket/3259 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add 'host' setting into default.conf configuration file on client. Fix ↵David Kupka2014-09-261-2/+3
| | | | | | | | | | description in man page. 'host' setting specifies local hostname not the hostname of IPA server. https://fedorahosted.org/freeipa/ticket/4481 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* No longer generate a machine certificate on client installsRob Crittenden2014-09-051-66/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4449 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Allow user to force Kerberos realm during installation.David Kupka2014-09-051-1/+1
| | | | | | | | | User can set realm not matching one resolved from DNS. This is useful especially when DNS is missconfigured. https://fedorahosted.org/freeipa/ticket/4444 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-client-install: Do not add already configured sources to nsswitch.conf ↵Tomas Babej2014-09-041-12/+18
| | | | | | | | | | | entries Makes sure that any new sources added are not already present in the entry. https://fedorahosted.org/freeipa/ticket/4508 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add client certificate update tool ipa-certupdate.Jan Cholasta2014-07-302-0/+24
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Get CA certs for system-wide store from cert store in ipa-client-install.Jan Cholasta2014-07-301-6/+8
| | | | | | | | | | All of the certificates and associated key policy are now stored in /etc/pki/ca-trust/source/ipa.p11-kit. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Get CA certs for /etc/pki/nssdb from certificate store in ipa-client-install.Jan Cholasta2014-07-301-43/+120
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Get CA certs for /etc/ipa/ca.crt from certificate store in ipa-client-install.Jan Cholasta2014-07-301-26/+10
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Support multiple CA certificates in /etc/ipa/ca.crt in ipa-client-install.Jan Cholasta2014-07-301-45/+51
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Refactor CA certificate fetching code in ipa-client-install.Jan Cholasta2014-07-301-51/+37
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Remove certificate "External CA cert" from /etc/pki/nssdb on client uninstall.Jan Cholasta2014-07-301-3/+7
| | | | | | | This is a no longer used nickname for CA certificate on CA-less server installs. Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Fix ipa-client-install --uninstall crashDavid Kupka2014-07-081-1/+4
| | | | | | | | Fix ipa-client-install crash when chronyd service fails to start. https://fedorahosted.org/freeipa/ticket/4273 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipa-client-install: Restart nisdomain service instead of startingTomas Babej2014-06-301-1/+3
| | | | | | | | | | To ensure new NIS domain name is loaded after ipa-client-install even in case when nisdomainname service is already running, we need to restart the service rather than starting it. https://fedorahosted.org/freeipa/ticket/4393 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Do not corrupt sshd_config in client install when trailing newline is missing.Jan Cholasta2014-06-261-25/+17
| | | | | | https://fedorahosted.org/freeipa/ticket/4373 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipaplatform: Move paths from installers to paths moduleTomas Babej2014-06-262-79/+78
| | | | | | Part of: https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove redundant imports of ipaservicesTomas Babej2014-06-161-2/+1
| | | | | | | | Also fixes few incorrect imports. https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change paths dependant on ipaservices to use ipaplatform.pathsTomas Babej2014-06-161-4/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change service code in freeipa to use ipaplatform servicesTomas Babej2014-06-162-36/+37
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change platform dependant code in freeipa to use ipaplatform tasksTomas Babej2014-06-162-9/+10
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Do not require custom Authconfig implementations from platform ↵Tomas Babej2014-06-161-63/+16
| | | | | | | | modules https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Moved Fedora 16 service implementations and refactored them as ↵Tomas Babej2014-06-161-1/+0
| | | | | | | | base Fedora module service implementations https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* admin tools: Log IPA versionPetr Viktorin2014-05-271-0/+1
| | | | | | | | | | | Add the IPA version, and vendor version if applicable, to the beginning of admintool logs -- both framework and indivitual tools that don't yet use the framework. This will make debugging easier. https://fedorahosted.org/freeipa/ticket/4219 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-client-automount should not configure nsswitch.conf manuallyGabe2014-05-161-6/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/3733 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipa-client-automount: Use rpcclient, not xmlclient, for automountlocation_showPetr Viktorin2014-05-141-1/+1
| | | | | Fix for a regression in 66fb4d5e849a049e95d3ef4fcf2b86217488634d https://fedorahosted.org/freeipa/ticket/4290
* ipa-client-install: Configure sudo to use SSSD as data sourceTomas Babej2014-05-091-1/+83
| | | | | | | | | | | Makes ipa-client-install configure SSSD as the data provider for the sudo service by default. This behaviour can be disabled by using --no-sudo flag. https://fedorahosted.org/freeipa/ticket/3358 Reviewed-By: Jakub Hrozek <jhrozek@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-client: Set NIS domain name in the installerTomas Babej2014-05-091-0/+65
| | | | | | | | | | | | | | | | Provides two new options for the ipa-client-install: --nisdomain: specifies the NIS domain name --no_nisdomain: flag to aviod setting the NIS domain name In case no --nisdomain is specified and --no_nisdomain flag was not set, the IPA domain is used. Manual pages updated. http://fedorahosted.org/freeipa/ticket/3202 Reviewed-By: Jakub Hrozek <jhrozek@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Make ipa-client-automount backwards compatibleMartin Kosek2014-04-021-1/+6
| | | | | | | | | | | | | | ipa-client-automount calls automountlocation-show command during the process. Unfortunately, FreeIPA commands are forward compatible only and thus fail the installer. Similarly to ipa-client-install, call XML-RPC interface directly with version fixed to 2.0 (command was already available at that version) to fix the failure. https://fedorahosted.org/freeipa/ticket/4290 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Move CACERT definition to a single place.Jan Cholasta2014-03-251-1/+1
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
generated by cgit (git 2.34.1) at 2026-01-06 00:16:14 +0000