summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/adtrustinstance.py
Commit message (Collapse)AuthorAgeFilesLines
* Alias "unicode" to "str" under Python 3Jan Cholasta2015-09-171-0/+4
| | | | | | | | | The six way of doing this is to replace all occurences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use the print functionPetr Viktorin2015-09-011-3/+5
| | | | | | | | | In Python 3, `print` is no longer a statement. Call it as a function everywhere, and include the future import to remove the statement in Python 2 code as well. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Replace filter() calls with list comprehensionsPetr Viktorin2015-09-011-1/+1
| | | | | | | | In Python 3, filter() returns an iterator. Use list comprehensions instead. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Modernize 'except' clausesPetr Viktorin2015-08-121-12/+12
| | | | | | | The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* adtrustinstance: Enable and start oddjobdTomas Babej2015-07-081-0/+19
| | | | | | | Enable and start the oddjobd service as part of the ipa-adtrust-install for the new IPA installations. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-adtrust-install: add IPA master host principal to adtrust agentsAlexander Bokovoy2015-07-081-30/+14
| | | | | | Fixes https://fedorahosted.org/freeipa/ticket/4951 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* move realm_to_serverid to installutils moduleMartin Basti2015-05-051-2/+1
| | | | | | | | | To avoid cyclic imports realm_to_serverid function had to be moved to installutils from dsinstance. Required for: https://fedorahosted.org/freeipa/ticket/4925 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Remove unneeded ip-address option in ipa-adtrust-installGabe2015-05-051-3/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4575 Reviewed-By: Martin Basti <mbasti@redhat.com>
* idviews: Add Default Trust View as part of adtrustinstallTomas Babej2014-09-301-0/+22
| | | | | | | | | | Add a Default Trust View, which is used by SSSD as default mapping for AD users. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Move setting SELinux booleans to platform codePetr Viktorin2014-09-261-46/+16
| | | | | | | | | | | | | | | | | | | Create a platform task for setting SELinux booleans. Use an exception for the case when the booleans could not be set (since this is an error if not handled). Since ipaplatform should not depend on ipalib, create a new errors module in ipapython for SetseboolError. Handle uninstallation with the same task, which means the booleans are now restored with a single call to setsebool. Preparation for: https://fedorahosted.org/freeipa/ticket/4157 Fixes: https://fedorahosted.org/freeipa/ticket/2934 Fixes: https://fedorahosted.org/freeipa/ticket/2519 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* ipa-adtrust-install does not re-add member in adtrust agents groupMartin Kosek2014-08-071-18/+21
| | | | | | | | | | | | When a CIFS service exists and adtrust agents group does not have it as a member attribute (for whatever reason), re-running ipa-adtrust-install does not fix the inconsistency. Make the installer more robust by being able to fix the inconsistency. https://fedorahosted.org/freeipa/ticket/4464 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Enable debug pid in smb.confGabe2014-07-181-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/3485 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths moduleTomas Babej2014-06-161-15/+16
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove redundant imports of ipaservicesTomas Babej2014-06-161-1/+0
| | | | | | | | Also fixes few incorrect imports. https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change service code in freeipa to use ipaplatform servicesTomas Babej2014-06-161-4/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* adtrustinstance: make sure to stop and disable winbind in uninstall()Alexander Bokovoy2014-02-281-2/+5
| | | | Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert remaining installer code to LDAPEntry API.Jan Cholasta2014-01-241-3/+3
|
* ipa-adtrust-install: configure host netbios name by defaultAlexander Bokovoy2014-01-201-0/+3
| | | | | | Ensure we set host netbios name by default in smb.conf https://fedorahosted.org/freeipa/ticket/4116
* trusts: Always stop and disable smb service on uninstallTomas Babej2013-11-261-8/+7
| | | | https://fedorahosted.org/freeipa/ticket/4042
* Turn LDAPEntry.single_value into a dictionary-like property.Jan Cholasta2013-11-051-9/+9
| | | | | | This change makes single_value consistent with the raw property. https://fedorahosted.org/freeipa/ticket/3521
* adtrustinstance: Move attribute definitions from setup to init methodTomas Babej2013-10-141-29/+49
| | | | | | | | | | | | | | | Majority of the attributes set in the setup method can be set in the __init__ method where they are actually defined (and set to None). This is true for attributes that hold constant values and for attributes that have their values derived from api.env dictionary. Creates a new __setup_default_attributes method, that is called from within __init__ and setup (in case the passed values for hostname or domain do not correspond to that what is set in api.env, doing otherwise could cause unexpected behaviour). Part of: https://fedorahosted.org/freeipa/ticket/3479
* adtrustinstance: Properly handle uninstall of AD trust instanceTomas Babej2013-10-141-14/+37
| | | | | | | | | | | | | | | | | | The uninstall method of the AD trust instance was not called upon at all in the ipa-server-install --uninstall phase. This patch makes sure that AD trust instance is unconfigured when the server is uninstalled. The following steps are undertaken: * Remove /var/run/samba/krb5cc_samba * Remove our keys from /etc/samba/samba.keytab using ipa-rmkeytab * Remove /var/lib/samba/*.tdb files Additionally, we make sure winbind service is stopped from within the stop() method. Part of: https://fedorahosted.org/freeipa/ticket/3479
* ipa-upgradeconfig: Remove backed up smb.confTomas Babej2013-10-141-9/+6
| | | | | | | | | | | Since we are not able to properly restore the Samba server to the working state after running ipa-adtrust-install, we should not keep the smb.conf in the fstore. This patch makes sure that any backed up smb.conf is removed from the backup and that this file is not backed up anymore. Part of: https://fedorahosted.org/freeipa/ticket/3479
* Use FQDN when creating MSDCS SRV recordsMartin Kosek2013-10-031-4/+11
| | | | | | | When IPA server hostname is outside of default DNS domain, instead of relative domain name, FQDN should be used. https://fedorahosted.org/freeipa/ticket/3908
* Rename slapi-nis configuration variableAlexander Bokovoy2013-08-061-5/+5
|
* ipa-adtrust-install: configure compatibility tree to serve trusted domain usersAlexander Bokovoy2013-07-181-1/+21
| | | | | | | | | | | | | | | | | | | | | | | | | Enables support for trusted domains users for old clients through Schema Compatibility plugin. SSSD supports trusted domains natively starting with version 1.9 platform. For platforms that lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi-nis package needs to be installed and schema-compat-plugin will be configured to provide lookup of users and groups from trusted domains via SSSD on IPA server. These users and groups will be available under cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and groups to lower case. In addition to providing these users and groups through the compat tree, this option enables authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX. This authentication is related to PAM stack using 'system-auth' PAM service. If you have disabled HBAC rule 'allow_all', then make sure there is special service called 'system-auth' created and HBAC rule to allow access to anyone to this rule on IPA masters is added. Please note that system-auth PAM service is not used directly by any other application, therefore it is safe to create one specifically to support trusted domain users via compatibility path. https://fedorahosted.org/freeipa/ticket/3567
* Fix bug in adtrustinstanceAna Krivokapic2013-07-091-2/+2
| | | | | | | Incorrect tuple unpacking in adtrustinstance was causing ipa-adtrust-install to fail when IPA was installed with no DNS. https://fedorahosted.org/freeipa/ticket/3746
* Support multiple local domain ranges with RID base setTomas Babej2013-05-301-16/+34
| | | | | | | | | | | | | | | In ip-adtrust-install, "adding RID bases" step would fail if there was more than one local range defined. This can be a common case if e.g. there are users that migrated from previous IdM solution. With this patch, we fail only if there are multiple local ranges that do not have RID bases set. Keep in mind that overlap checking is ensured by ipa-range-check DS plugin. https://fedorahosted.org/freeipa/ticket/3498
* Enhance ipa-adtrust-install for domains with multiple IPA serverAlexander Bokovoy2013-04-021-8/+36
| | | | | | | | | | As described on http://www.freeipa.org/page/V3/MultipleTrustServers, notice if FreeIPA server is a replica and adtrust agents contains members corresponding to the cifs/ services from replication partners. Only these servers will be advertised as SMB domain controllers https://fedorahosted.org/freeipa/ticket/2189
* Remove search_s and search_ext_s from IPAdminPetr Viktorin2013-03-011-5/+6
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* replace getEntry with get_entry (or get_entries if scope != SCOPE_BASE)Petr Viktorin2013-03-011-14/+11
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace addEntry with add_entryPetr Viktorin2013-03-011-4/+4
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace getList by a get_entries methodPetr Viktorin2013-03-011-3/+3
| | | | | | | | | | | The find_entries method is cumbersome to use: it requires keyword arguments for simple uses, and callers are tempted to ignore the 'truncated' flag it returns. Introduce a simpler method, get_entries, that returns the found list directly, and raises an errors if the list is truncated. Replace the getList method by get_entries. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace entry.getValue by entry.single_valuePetr Viktorin2013-03-011-8/+8
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove unused imports from ipaserver/installPetr Viktorin2013-03-011-5/+4
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Use update_entry with a single entry in adtrustinstancePetr Viktorin2013-03-011-10/+8
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace setValue by keyword arguments when creating entriesPetr Viktorin2013-03-011-20/+27
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Add make_entry factory method to LDAPConnection.Jan Cholasta2013-03-011-9/+8
| | | | Replace all occurences of Entry instantiation with calls to make_entry.
* Allow ipa-replica-conncheck and ipa-adtrust-install to read krb5 includedirJakub Hrozek2013-02-181-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3132
* ipa-adtrust-install: allow to reset te NetBIOS domain nameSumit Bose2012-11-081-3/+21
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3192
* Make service naming in ipa-server-install consistentTomas Babej2012-10-221-2/+2
| | | | | | | | | | | | | Forces more consistency into ipa-server-install output. All descriptions of services that are not instances of SimpleServiceInstance are now in the following format: <Description> (<Service Name>) Furthermore, start_creation method has been modified to support custom start and end messages. See documentation for more info. https://fedorahosted.org/freeipa/ticket/3059
* Remove bogus check for smbpasswdAlexander Bokovoy2012-10-161-2/+2
| | | | | | | | We don't use smbpasswd when configuring IPA for AD trusts anymore because we switched to use Kerberos authentication in IPA passdb backend based on CIFS service keytab. https://fedorahosted.org/freeipa/ticket/3181
* Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-installAlexander Bokovoy2012-10-091-6/+40
| | | | | | | | | | | Since CIFS principal is generated by ipa-adtrust-install and is only usable after setting CIFS configuration, there is no need to include it into default setup. This should fix upgrades from 2.2 to 3.0 where CIFS principal does not exist by default. https://fedorahosted.org/freeipa/ticket/3041
* Minor fixes for default SMB groupMartin Kosek2012-10-091-2/+2
| | | | | | | | This patch contains additional minor fixes which were proposed during review but were not pushed (accidentaly). Also amends a name of the default SMB group in a list of protected groups in group.py. https://fedorahosted.org/freeipa/ticket/3147
* ipa-adtrust-install: create fallback group with ldif fileSumit Bose2012-10-091-30/+11
| | | | | | | | | | Currently the framework is used to add the group but we want to avoid that users are added explicitly to the group by removing the objectclasses groupofnames, ipausergroup and nestedgroup and we want to use a name with spaces in it. Both it not easy possible with the framework, a LDIF file is used instead to create the group. Fixes https://fedorahosted.org/freeipa/ticket/3147
* ipa-adtrust-install: print list of needed SRV recordsSumit Bose2012-10-041-9/+13
| | | | | | | If --no-msdcs is given on the command line all needed SRV records will be printed. Fixes https://fedorahosted.org/freeipa/ticket/3019
* Avoid ldapmodify error messages during ipa-adtrust-installSumit Bose2012-10-041-13/+34
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3012
* Add SIDs for existing users and groups at the end of ipa-adtrust-installSumit Bose2012-10-041-1/+18
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3104
* ipa-adtrust-install: replace print with self.print_msgSumit Bose2012-10-041-14/+14
| | | | https://fedorahosted.org/freeipa/ticket/3019
* ipa-adtrust-install: Add fallback groupSumit Bose2012-10-041-12/+96
| | | | https://fedorahosted.org/freeipa/ticket/2955
generated by cgit (git 2.34.1) at 2024-09-24 06:32:45 +0000