summaryrefslogtreecommitdiffstats
path: root/ipa-client/ipa-install
Commit message (Collapse)AuthorAgeFilesLines
* ipa-client-install: Configure sudo to use SSSD as data sourceTomas Babej2014-05-091-1/+83
| | | | | | | | | | | Makes ipa-client-install configure SSSD as the data provider for the sudo service by default. This behaviour can be disabled by using --no-sudo flag. https://fedorahosted.org/freeipa/ticket/3358 Reviewed-By: Jakub Hrozek <jhrozek@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-client: Set NIS domain name in the installerTomas Babej2014-05-091-0/+65
| | | | | | | | | | | | | | | | Provides two new options for the ipa-client-install: --nisdomain: specifies the NIS domain name --no_nisdomain: flag to aviod setting the NIS domain name In case no --nisdomain is specified and --no_nisdomain flag was not set, the IPA domain is used. Manual pages updated. http://fedorahosted.org/freeipa/ticket/3202 Reviewed-By: Jakub Hrozek <jhrozek@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Make ipa-client-automount backwards compatibleMartin Kosek2014-04-021-1/+6
| | | | | | | | | | | | | | ipa-client-automount calls automountlocation-show command during the process. Unfortunately, FreeIPA commands are forward compatible only and thus fail the installer. Similarly to ipa-client-install, call XML-RPC interface directly with version fixed to 2.0 (command was already available at that version) to fix the failure. https://fedorahosted.org/freeipa/ticket/4290 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Move CACERT definition to a single place.Jan Cholasta2014-03-251-1/+1
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix order of synchronizing time when running ipa-client-installGabe2014-03-201-17/+19
| | | | | | | | | | When running ipa-client-install, it asks for user name, synchronizes time, then asks for user password which the order could be confusing to some users. This changes ipa-client-install to synchronize time before prompting for user kerberos authentication. https://fedorahosted.org/freeipa/ticket/3957 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Improve error message on failed Kerberos authenticationAna Krivokapic2014-02-181-2/+2
| | | | | | | | | | | When ipa client installation fails due to failed Kerberos authentication, make sure that the message about the failed authentication is displayed last. This makes it clear to the user that this was the reason for failed installation. https://fedorahosted.org/freeipa/ticket/3573 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix ipa-client-automount uninstall when fstore is empty.Jan Cholasta2014-01-151-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/4091
* Make sure state of services is preserved after client uninstallAna Krivokapic2014-01-141-34/+47
| | | | | | | | | IPA client installation did not preserve the status of nscd and nslcd services correctly. E.g. nscd would be started after uninstallation, even though it wasn't running before client installation. Make sure the state of services is saved before installation and correctly restored after uninstallation. https://fedorahosted.org/freeipa/ticket/3790
* Use /usr/bin/python2Xiao-Long Chen2014-01-032-2/+2
| | | | | | | | | | | | Part of the effort to port FreeIPA to Arch Linux, where Python 3 is the default. FreeIPA hasn't been ported to Python 3, so the code must be modified to run /usr/bin/python2 https://fedorahosted.org/freeipa/ticket/3438 Updated by pviktori@redhat.com
* ipa-client-install: Always pass hostname to the ipa-joinTomas Babej2013-12-091-4/+4
| | | | | | | | | | | The ipa-client-install script and ipa-join use different methods of resolving the hostname, the former uses gethostbyaddr() call, while the latter reads the "uinfo.nodename". This can result ipa-client-install failures in case of broken PTR records. https://fedorahosted.org/freeipa/ticket/4027
* Allow kernel keyring CCACHE when supportedMartin Kosek2013-12-091-0/+7
| | | | | | | Server and client installer should allow kernel keyring ccache when supported. https://fedorahosted.org/freeipa/ticket/4013
* Switch client to JSON-RPCPetr Viktorin2013-11-262-8/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC. This is done by subclassing and extending xmlrpclib, because our existing code relies on xmlrpclib internals. The URI to use is given in the new jsonrpc_uri env variable. When it is not given, it is generated from xmlrpc_uri by replacing /xml with /json. The rpc_json_uri env variable existed before, but was unused, undocumented and not set the install scripts. This patch removes it in favor of jsonrpc_uri (for consistency with xmlrpc_uri). Add the rpc_protocol env variable to control the protocol IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed to 'xmlrpc'. Make backend.Executioner and tests use the backend specified by rpc_protocol. For compatibility with unwrap_xml, decoding JSON now gives tuples instead of lists. Design: http://freeipa.org/page/V3/JSON-RPC Ticket: https://fedorahosted.org/freeipa/ticket/3299
* ipa-client-install: Publish CA certificate to systemwide storeTomas Babej2013-11-201-1/+12
| | | | | | | | | | | During the installation, copy the CA certificate to the systemwide store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the systemwide CA database. This allows browsers to access IPA WebUI without warning out of the box. https://fedorahosted.org/freeipa/ticket/3504
* ipa-client-install: Added options to configure firefoxMartin Basti2013-11-151-1/+95
| | | | | | | | | Option --configure-firefox configures firefox to use Kerberos credentials within IPA domain Optional option --firefox-dir=DIR allows to user to specify non-standard path where firefox install directory is placed. Part of ticket: https://fedorahosted.org/freeipa/ticket/3821
* Do not roll back failed client installation on serverAna Krivokapic2013-10-251-0/+5
| | | | | | | | In case of a failed enrollment, IPA client rolls back any changes it has made to the system. In order to have a more debuggable setup, do not roll back these changes in the case of an IPA server install. https://fedorahosted.org/freeipa/ticket/3990
* Added warning if cert '/etc/ipa/ca.crt' existsMartin Basti2013-10-161-0/+4
| | | | https://fedorahosted.org/freeipa/ticket/3944
* ipa-client-install: Verify RPC connection with a pingPetr Viktorin2013-10-041-0/+9
| | | | | | | | | With old servers, it is possible that xmlclient.connect() succeeds but commands fail with a Kerberos error. Verify that commands succeed by sending a ping after connecting. Follow-up to: https://fedorahosted.org/freeipa/ticket/3931
* ipa-client-install: Use direct RPC instead of api.CommandPetr Viktorin2013-10-041-3/+13
| | | | | | | | | | | | To make sure the installation works with older servers, use XML-RPC directly, with a version set explicitly so the request is not rejected. RPC was chosen over ldapmodify, because going through the API allows the server to process the request properly, or even cleanly reject it if there are incompatible changes in future versions. https://fedorahosted.org/freeipa/ticket/3931
* Do not set DNS discovery domain in server modeMartin Kosek2013-10-031-1/+2
| | | | | | | In server mode, the discovery domain should be left unset in all cases as the DNS discovery is only driven by the AD domains. https://fedorahosted.org/freeipa/ticket/3947
* Use getent admin@domain for nss check in ipa-client-installTomas Babej2013-09-201-2/+2
| | | | | | | | Use 'getent admin@domain' rather than 'getent admin@REALM' to check if nss is working properly since admin@REALM check fails in case the domain and the realm name does not match. https://fedorahosted.org/freeipa/ticket/3906
* Fix invocations of FileError in ipa-client-installAna Krivokapic2013-09-091-10/+12
| | | | | | | | Some of the FileErrors in ipa-client-install were raised incorrectly (without the 'reason' argument), which resulted in bad error messages during ipa-client-install. https://fedorahosted.org/freeipa/ticket/3758
* Add option to ipa-client-install to configure automountAna Krivokapic2013-09-051-0/+27
| | | | | | | Add the --automount-location option to ipa-client-install. If the option is used, ipa-client-automount is called at the end of ipa-client-install. https://fedorahosted.org/freeipa/ticket/3740
* Change shebang to absolute path in ipa-client-automountTomas Babej2013-07-251-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3811
* Use admin@REALM when testing if SSSD is readyAna Krivokapic2013-07-192-5/+8
| | | | https://fedorahosted.org/freeipa/ticket/3771
* Add 'ipa_server_mode' option to SSSD configurationAna Krivokapic2013-07-181-0/+2
| | | | https://fedorahosted.org/freeipa/ticket/3652
* Fix client install exception if /etc/ssh is missingNathaniel McCallum2013-07-091-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/3766
* Do not skip SSSD known hosts in ipa-client-install --ssh-trust-dns.Jan Cholasta2013-06-271-3/+3
| | | | https://fedorahosted.org/freeipa/ticket/3705
* Improve handling of options in ipa-client-installAna Krivokapic2013-06-201-0/+9
| | | | | | | | | | | Improve handling of command line options related to forced client re-enrollment in ipa-client-install: * Make --keytab and --principal options mutually exclusive. * Warn that using --force-join together with --keytab provides no additional functionality. https://fedorahosted.org/freeipa/ticket/3686
* ipa-client-install: Add 'debug' and 'show' statements to nsupdate commandsPetr Spacek2013-05-221-2/+9
| | | | https://fedorahosted.org/freeipa/ticket/3629
* Drop uniqueMember mapping with nss-pam-ldapd.Rob Crittenden2013-05-021-1/+0
| | | | | | | | | | nss-pam-ldapd in 0.8.4 changed the default to map uniqueMember to member so it is no longer needed in the config file, and in fact causes an error to be raised. Add a Conflicts on older versions. https://fedorahosted.org/freeipa/ticket/3589
* Add support for OpenSSH 6.2.Jan Cholasta2013-04-301-21/+42
| | | | | | | Run sss_ssh_authorizedkeyscommand as nobody. Automatically update sshd_config on openssh-server update. https://fedorahosted.org/freeipa/ticket/3571
* Preserve already configured options in openldap confTomas Babej2013-04-301-9/+53
| | | | | | | | | | | | | We should respect already configured options present in /etc/openldap/ldap.conf when generating our own configuration. With this patch, we only rewrite URI, BASE and TLS_CACERT options only if they are not configured. In the case they are, our suggested configuration is inserted as a comment. Also adds tab as a delimeter character in /etc/openldap/ldap.conf https://fedorahosted.org/freeipa/ticket/3582
* Avoid removing sss from nssswitch.conf during client uninstallTomas Babej2013-04-231-5/+7
| | | | | | | | | This patch makes sure that sss is not removed from nsswitch.conf which causes probles with later uses of sssd. Makes sure that authconfig with --disablesssd option is not executed during ipa client uninstall. https://fedorahosted.org/freeipa/ticket/3577
* Add hint message about --force-join option when enrollment failsTomas Babej2013-04-231-0/+4
| | | | | | | | When client enrollment fails due to the fact that host entry already exists on the server, display an message informing the user about the possibility of using --force-join option. https://fedorahosted.org/freeipa/ticket/3572
* Handle missing /etc/ipa in ipa-client-installAna Krivokapic2013-04-191-0/+9
| | | | | | | | Make sure /etc/ipa is created and owned by freeipa-python package. Report correct error to user if /etc/ipa is missing during client installation. https://fedorahosted.org/freeipa/ticket/3551
* Remove CA cert on client uninstallAna Krivokapic2013-04-041-0/+9
| | | | | | | | The CA cert (/etc/ipa/ca.crt) was not being removed on client uninstall, causing failure on subsequent client installation in some cases. https://fedorahosted.org/freeipa/ticket/3537
* ipa-client-install: Do not request host certificate if server is CA-lessPetr Viktorin2013-04-021-10/+37
| | | | https://fedorahosted.org/freeipa/ticket/3536
* Allow host re-enrollment using delegationTomas Babej2013-03-251-0/+5
| | | | | | | | | | A new option --force-join has been added to ipa-client-install. It forces the host enrollment even if the host entry exists. Old certificate is revoked, new certificate and ssh key pair generated. See the relevant design for the re-enrollment part: http://freeipa.org/page/V3/Forced_client_re-enrollment https://fedorahosted.org/freeipa/ticket/3482
* Improve client install LDAP cert retrieval fallbackMartin Kosek2013-03-211-1/+1
| | | | | | | | CA certificate retrieval function did not fallback from LDAP to HTTP based retrieval in case of an LDAP error, when for example GSSAPI authentication failed. https://fedorahosted.org/freeipa/ticket/3512
* Use temporary CCACHE in ipa-client-installMartin Kosek2013-03-211-0/+7
| | | | | | | | ipa-client-install failed if user had set his own KRB5CCNAME in his environment. Use a temporary CCACHE for the installer to avoid these kind of errors. https://fedorahosted.org/freeipa/ticket/3512
* Avoid multiple client discovery with fixed server listMartin Kosek2013-03-141-0/+11
| | | | | | | | | | | | In client discovery module, we used to run up to three discovery processes even though we received a fixed list of servers to connect to. This could result in up to 3 identical "not an IPA server" error messages when the passed server is not an IPA server. Error out immediately when we are discovering against a fixed set of servers. Related to fixes in https://fedorahosted.org/freeipa/ticket/3418
* Make sure uninstall script prompts for reboot as lastTomas Babej2013-03-131-19/+35
| | | | | | | | | | | Parts of client uninstall logic could be skipped in attended uninstallation if user agreed to reboot the machine. Particulary, the uninstall script would not try to remove /etc/ipa/default.conf and therefore subsequent installation would fail, client being detected as already configured. https://fedorahosted.org/freeipa/ticket/3462 https://fedorahosted.org/freeipa/ticket/3463
* Use IPAdmin rather than raw python-ldap in ipa-client-installPetr Viktorin2013-03-131-37/+31
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3487
* Add support for re-enrolling hosts using keytabTomas Babej2013-03-121-5/+35
| | | | | | | | | | | | | | | | | | A host that has been recreated and does not have its host entry disabled or removed, can be re-enrolled using a previously backed up keytab file. A new option --keytab has been added to ipa-client-install. This can be used to specify path to the keytab and can be used instead of -p or -w options. A new option -f has been added to ipa-join. It forces client to join even if the host entry already exits. A new certificate, ssh keys are generated, ipaUniqueID stays the same. Design page: http://freeipa.org/page/V3/Client_install_using_keytab https://fedorahosted.org/freeipa/ticket/3374
* Use default.conf as flag of IPA client being installedTomas Babej2013-02-221-3/+18
| | | | | | | | | | | | | | When installing / uninstalling IPA client, the checks that determine whether IPA client is installed now take the existence of /etc/ipa/default.conf into consideration. The client will not uninstall unless either something is backed up or /etc/ipa/default.conf file does exist. The client will not install if something is backed up or default.conf file does exist (unless it's installation on master). https://fedorahosted.org/freeipa/ticket/3331
* Add LDAP server fallback to client installerRob Crittenden2013-02-072-32/+23
| | | | | | | | | | | | | | Change the discovery code to validate all servers, regardless of where the originated (either via SRV records or --server). This will prevent the client installer from failing if one of those records points to a server that is either not running or is not an IPA server. If a server is not available it is not removed from the list of configured servers, simply moved to the end of the list. If a server is not an IPA server it is removed. https://fedorahosted.org/freeipa/ticket/3388
* Add support for RFC 6594 SSHFP DNS records.Jan Cholasta2013-02-011-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/2642
* Pylint cleanup.Jan Cholasta2013-01-291-1/+0
| | | | | | | Add more dynamic attribute info to IPATypeChecker in make-lint. Remove unnecessary pylint comments. Fix false positivies introduced by Pylint 0.26. https://fedorahosted.org/freeipa/ticket/3379
* Don't initialize NSS if we don't have to, clean up unused cert refsRob Crittenden2013-01-231-0/+10
| | | | | | | | | | | Check to see if NSS is initialized before trying to do so again. If we are temporarily creating a certificate be sure to delete it in order to remove references to it and avoid NSS shutdown issues. In the certificate load validator shut down NSS if we end up initializing it. I'm not entirely sure why but this prevents a later shutdown issue if we are passed the --ca-cert-file option.
* Use secure method to acquire IPA CA certificateJohn Dennis2013-01-231-25/+380
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Major changes ipa-client-install: * Use GSSAPI connection to LDAP server to download CA cert (now the default method) * Add --ca-cert-file option to load the CA cert from a disk file. Validate the file. If this option is used the supplied CA cert is considered definitive. * The insecure HTTP retrieval method is still supported but it must be explicitly forced and a warning will be emitted. * Remain backward compatible with unattended case (except for aberrant condition when preexisting /etc/ipa/ca.crt differs from securely obtained CA cert, see below) * If /etc/ipa/ca.crt CA cert preexists the validate it matches the securely acquired CA cert, if not: - If --unattended and not --force abort with error - If interactive query user to accept new CA cert, if not abort In either case warn user. * If interactive and LDAP retrieval fails prompt user if they want to proceed with insecure HTTP method * If not interactive and LDAP retrieval fails abort unless --force * Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution, if ipa-client-install fails it will be restored. Other changes: * Add new exception class CertificateInvalidError * Add utility convert_ldap_error() to ipalib.ipautil * Replace all hardcoded instances of /etc/ipa/ca.crt in ipa-client-install with CACERT constant (matches existing practice elsewhere). * ipadiscovery no longer retrieves CA cert via HTTP. * Handle LDAP minssf failures during discovery, treat failure to check ldap server as a warninbg in absebce of a provided CA certificate via --ca-cert-file or though existing /etc/ipa/ca.crt file. Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Rob Crittenden <rcritten@redhat.com>
generated by cgit (git 2.34.1) at 2024-06-17 23:42:43 +0000