| Commit message | Author | Age | Files | Lines |
This is to prevent a Cross-Site Request Forgery (CSRF) attack where
a rogue server tricks a user who was logged into the FreeIPA
management interface into visiting a specially-crafted URL where
the attacker could perform FreeIPA configuration changes with the
privileges of the logged-in user.
https://bugzilla.redhat.com/show_bug.cgi?id=747710
ipa-client-install was failing and returning a traceback when it
wasn't run by root. It was caused by logging initialization that
was taking place before the root privileges check. To correct it,
the check was moved before the logging initialization.
https://fedorahosted.org/freeipa/ticket/2123
Add Kerberos mapping for clients outside of the server domain. Otherwise
certmonger had problems issuing the certificate. Also make sure that
client DNS records on the server are set before certmonger is started
and the certificate is requested.
Based on Lars Sjostrom's patch.
https://fedorahosted.org/freeipa/ticket/2006
https://fedorahosted.org/freeipa/ticket/1989
LDAP can be configured in any number of places; we need to update everything
we find.
https://fedorahosted.org/freeipa/ticket/1986
Make sure that the hostname IPA uses is a system hostname. If the user
passes a non-system hostname, update the network settings and
system hostname in the same way that ipa-client-install does.
This step should prevent failures of various services which may not
be ready to talk to IPA with a non-system hostname.
https://fedorahosted.org/freeipa/ticket/1931
When certain features are being configured via authconfig, we need to
remember what was configured and what the state was before it so that
during uninstall we restore the proper state of the services.
Mostly it affects sssd configuration with multiple domains but also
pre-existing LDAP and krb5 configurations.
This should fix the following tickets:
https://fedorahosted.org/freeipa/ticket/1750
https://fedorahosted.org/freeipa/ticket/1769
Add a timeout to the wget call to cover the case when the autodiscovered
server does not respond to our attempt to download ca.crt. Let the
user specify a different IPA server in that case.
https://fedorahosted.org/freeipa/ticket/1960
ticket 1358
We determine the realm in the client installer so we can deduce
the base dn, and pass that into ipa-join so we don't have to hunt for
it.
Re-order the bind so that when doing an OTP enrollment we can use the host
entry to authenticate before we retrieve the subject base, then initiate
the enrollment.
If ipa-join is called without a basedn it will still attempt to
determine it, but it will fail if anonymous binds are not allowed.
https://fedorahosted.org/freeipa/ticket/1935
During ipa-client-install SSSD is not always started up properly for some
reason; things like "getent passwd admin" do not work. This is particularly
true for large setups where admin is included in a large set of groups.
https://fedorahosted.org/freeipa/ticket/1774
https://fedorahosted.org/freeipa/ticket/1937
When running ipa-client-install on a system whose clock is not in sync
with the master, kinit fails and enrollment is aborted. Manual checking
of the current time at the master and adjusting it on the client-to-be is then
needed.
The patch tries to fetch SRV records for NTP servers of the domain we aim
to join and runs ntpdate to get the time synchronized. If no SRV records are
found, sync with the IPA server itself. If that fails, warn that the time might
not be in sync with the KDC.
https://fedorahosted.org/freeipa/ticket/1773
When the getpass.getpass() function is interrupted via CTRL+D, an EOFError
exception is thrown. Most of the install tools are not prepared for
this event and crash with this exception. Make sure that it is
handled properly and a nice error message is printed.
https://fedorahosted.org/freeipa/ticket/1916
When setting up the client-side NTP configuration, make sure that /etc/ntp/step-tickers
points to the IPA NTP server as well.
When restoring the client during ipa-client-install --uninstall, make sure the NTP configuration
is fully restored and the NTP service is disabled if it was disabled before the installation.
https://fedorahosted.org/freeipa/ticket/1770
use in URLs.
If the host part is a literal IPv6 address, it must be enclosed in square
brackets (RFC 2732).
ticket 1869
https://fedorahosted.org/freeipa/ticket/1775
Fixes: https://fedorahosted.org/freeipa/ticket/1881
https://fedorahosted.org/freeipa/ticket/1801
ticket 1804
https://fedorahosted.org/freeipa/ticket/1605
Fix permissions for (configuration) files produced by
ipa-server-install or ipa-client-install. This patch is needed
when root has a umask preventing files from being world readable.
https://fedorahosted.org/freeipa/ticket/1644
There are too many options in the ipa-*-install scripts, which makes them
difficult to read. This patch adds subsections to the install scripts'
online help and man pages to improve readability. No option has
been changed.
To further improve the man pages:
1) All man pages were changed to have the same header and top-center
title to provide a unified look.
2) A few typos in the man pages have been fixed.
https://fedorahosted.org/freeipa/ticket/1687
If the client installer fails for some reason and --force was not used,
then roll back the configuration.
This is needed because we touch /etc/sysconfig/network early in the
configuration, and if it fails due to any number of issues (mostly related
to authentication) it will not be reset. We may as well run through the
entire uninstall process to be sure the system has been reset.
https://fedorahosted.org/freeipa/ticket/1704
Do not forget to add a new line in the updated /etc/sysconfig/network
configuration. Move the actual change of the hostname after the
user confirmation about proceeding with the installation. It confused
users when the hostname change occurred before this prompt.
https://fedorahosted.org/freeipa/ticket/1724
ticket 1580
As the network configuration file is created as a temporary file, it has stricter permissions than
we need for the target system configuration file. Ensure permissions are properly reset before
installing the file.
If permissions are not reset, the system may have no networking enabled after reboot.
https://fedorahosted.org/freeipa/ticket/1606
Ticket https://fedorahosted.org/freeipa/ticket/1369
https://fedorahosted.org/freeipa/ticket/1368
* Check remote LDAP server to see if it is a V2 server
* Replace numeric return values with alphanumeric constants
* Display the error message from the ipa-enrollment extended op
* Remove generic join failed error message when XML-RPC fails
* Don't display Certificate subject base when enrollment fails
* Return proper error message when LDAP bind fails
https://fedorahosted.org/freeipa/ticket/1417
Fixes https://fedorahosted.org/freeipa/ticket/1476
SSSD will need TLS for checking if the ipaMigrationEnabled attribute is set.
Note that SSSD will force StartTLS because the channel is later used for
authentication as well if password migration is enabled. Thus set the option
unconditionally.
ticket https://fedorahosted.org/freeipa/ticket/1449
https://fedorahosted.org/freeipa/ticket/1373
When SSSD is in use, we are actually trying to disable the NSCD daemon. Reporting
that we failed to configure automatic _startup_ of the NSCD is wrong then.
ticket 1359
ticket 1358
Otherwise it is possible for sssd to pick a different master to
communicate with via the DNS SRV records, and if the remote master
goes down the local one will have problems as well.
ticket https://fedorahosted.org/freeipa/ticket/1187
Client installation with the --no-sssd option was broken if the client
was based on nss-pam-ldap instead of nss_ldap. The main issue is
with authconfig rewriting nslcd.conf after it has been
configured by ipa-client-install.
This has been fixed by changing the order of installation steps.
Additionally, the nslcd daemon needed for nss-pam-ldap to function is
now correctly started.
https://fedorahosted.org/freeipa/ticket/1235
Even with --no-sssd authconfig was setting nsswitch.conf to use sssd
for users, groups, shadow and netgroups. We need to pass in the
--enableforcelegacy option when configuring nss_ldap.
Also always back up and restore sssd.conf. It still gets configured for
kerberos.
ticket 1142
When ipa-client-install autodiscovers IPA server values it
doesn't fill the fixed KDC address into the Kerberos configuration
file. However, when realm != domain or the autodiscovered values
are overridden, installation may fail because it cannot find the
KDC.
This patch adds a failover to use the static KDC address in case
such an issue occurs.
https://fedorahosted.org/freeipa/ticket/1100
Remove the redundant ipa-client-install error message when the optional nscd
daemon was not installed. Additionally, use standard IPA functions
for service manipulation and improve logging.
https://fedorahosted.org/freeipa/ticket/1207
This option does not behave properly in F15 as chkconfig does not list services
moved to use systemd service files.
Plus there are more direct ways than parsing its output, which are more
reliable.
Also, just testing for the availability of the service by calling 'chkconfig name'
is enough.
https://fedorahosted.org/freeipa/ticket/1206
When the IPA server is being uninstalled, the on-master IPA client
uninstallation which is called by the script fails.
https://fedorahosted.org/freeipa/ticket/1197
The --force option may be misused to reinstall an existing IPA
client. This is not supported and may lead to unexpected errors.
When required, the cleanest way to re-install the IPA client is to
run uninstall and then install again.
This patch also includes a few cosmetic changes in messages to the user
to provide a more consistent user experience with the script.
https://fedorahosted.org/freeipa/ticket/1117
This patch prevents uninstalling the IPA client when it is configured
as a part of an IPA server. The ipa-server-installation script is advised
for this situation.
https://fedorahosted.org/freeipa/ticket/1049
This patch adds logging of temporary files (Kerberos configuration,
nsupdate commands) that may be very useful for debugging purposes.
https://fedorahosted.org/freeipa/ticket/1093
https://fedorahosted.org/freeipa/ticket/1094
This option is only used when configuring an IPA client on an IPA server.
Describing it on the command line will only confuse people, so don't
list it as an option.
Ticket 1050
ticket 1080
When not on the master we weren't passing in the user-supplied domain and
server. Because of changes made that require TLS on the LDAP calls,
we always need the server name early in the process to retrieve the IPA
CA certificate.
ticket 1090
If a hostname was provided it wasn't used to configure either
certmonger or sssd. This resulted in a non-working configuration.
Additionally, on un-enrollment the wrong hostname was unenrolled; it
used the value of gethostname() rather than the one that was passed
into the installer.
We have to modify the CA configuration of certmonger to make it
use the right principal when requesting certificates. The filename
is unpredictable but it will be in /var/lib/certmonger/cas.
We need to hunt for ipa_submit and add -k <principal> to it, then
undo that on uninstall. These files are created the first time
the certmonger service starts, so start and stop it before messing
with them.
ticket 1029