The python-ldap classes that process schema definitions require a
unicode string, not a byte string. A recent py3 compatibility fix
(d89de4219d) changed the constructor
argument to a unicode string to dispel a warning, but this broke
schema update. Change it back to a bytestring.
Part of: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Py3 doesn't support ordering with None value
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
with py3 urlopen used internally with pyldap doesn't work with raw
filepaths without specifying "file://" prefix. This works on both
py2/py3
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Functions mix unicode and bytes, use only bytes.
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
softhsm works with bytes, so key_id must be byte otherwise we get errors
from bytes and string comparison
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ConfigParser.readfd() is deprecated in py3, we can use .read() which is
compatible with py2
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
DeprecationWarning: The SafeConfigParser class has been renamed
to ConfigParser in Python 3.2. This alias will be removed in
future versions. Use ConfigParser directly instead.
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Wait until the local HTTP service entry is replicated to the remote master
before requesting the server certificate.
This prevents a replication conflict between the service entry added
locally and service entry added remotely when requesting the certificate.
https://pagure.io/freeipa/issue/6867
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In case ipa_generate_password() generates a sequence containing
'%', ConfigParser.set() will fail because it would think it is a
string that should be interpolated.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
The SimpleServiceInstance uninstaller assument that the service to
uninstall was always present on the system. This may not be valid in
some cases (e.g. containerized deployments) and thus we need to change
the service state only when we know that the unit file exists.
https://pagure.io/freeipa/issue/6977
Reviewed-By: Martin Basti <mbasti@redhat.com>
When requesting certificate for KDC profile, make sure its public part
is actually readable to others.
Fixes https://pagure.io/freeipa/issue/6973
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa-ca-install currently overwrites /etc/ipa/ca.crt with the CA chain
retrieved from Dogtag. It should instead append the new certs, otherwise
the CA that signed dirsrv and httpd certificates is removed and ipa tools
fail.
A consequence is that ipa-kra-install fails.
This is a regression introduced by 5ab85b36.
https://pagure.io/freeipa/issue/6925
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipa-replica-manage del should remove the server from the entry
cn=default,ou=profile,$BASE
The entry contains an attribute
defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com
The code calls srvlist = ret.single_value.get('defaultServerList') which means
that srvlist contains a single value (string) containing all the servers
separated by a space, and not a list of attribute values. Because of that,
srvlist[0] corresponds to the first character of the value.
The fix splits srvlist and not srvlist[0].
https://pagure.io/freeipa/issue/6946
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Allow replacing the KDC certificate.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Allow installing 3rd party CA certificates trusted to issue PKINIT KDC
and/or client certificates.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When --pkinit-cert-file is used, make sure the certificate and key is
actually passed to `KrbInstance`.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Verify that the provided certificate has the extended key usage and subject
alternative name required for KDC.
https://pagure.io/freeipa/issue/6831https://pagure.io/freeipa/issue/6869
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This fixes `kdc.crt` containing the full chain rather than just the KDC
certificate in CA-less server install.
https://pagure.io/freeipa/issue/6831https://pagure.io/freeipa/issue/6869
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Make sure the exported private key files are readable only by the owner.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known
to IPA.
Make sure `cacert.pem` is exported in all installation code paths.
Use the KDC certificate itself as a PKINIT anchor in `login_password`.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.
Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.
Make sure both bundles are exported in all installation code paths.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Trust IPA CA to issue PKINIT KDC and client authentication certificates in
the IPA certificate store.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Make the trust flags argument mandatory in all functions in `certdb` and
`certs`.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add named constants for common trust flag combinations.
Use the named constants instead of trust flags strings in the code.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
During ipa-kra-install, the installer prepares a configuration file
provided to pkispawn. This configuration file defines
pki_security_domain_hostname=(first master)
but when we are installing a clone, it should be set to the local hostname
instead, see man page pki_default.cfg:
pki_security_domain_hostname, pki_security_domain_https_port
Location of the security domain. Required for KRA, OCSP, TKS,
and TPS subsystems and for CA subsystems joining a security
domain. Defaults to the location of the CA subsystem within the
same instance.
When pki_security_domain_hostname points to the 1st master, and this first
master is decommissioned, ipa-kra-install fails on new replicas because pkispawn
tries to connect to this (non-existing) host.
https://pagure.io/freeipa/issue/6895
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Before proceeding with installation, validate DM password. If the
provided DM password is invalid, abort the installation.
Fixes https://pagure.io/freeipa/issue/6892
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add a validator that checks whether provided Directory Manager
is valid by attempting to connect to LDAP.
Related https://pagure.io/freeipa/issue/6892
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipa-server-install --uninstall fails to stop tracking the certificates
because it assigns a tuple to the variable nicknames, then tries to
call nicknames.append(). This is a regression introduced by 21f4cbf8.
Assignment should be done using nicknames = list(self.tracking_reqs) instead.
https://pagure.io/freeipa/issue/6950
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add the `--external-ca-type`, as known from `ipa-server-install` and
`ipa-ca-install`, to `ipa-cacert-manage`.
This allows creating IPA CA CSRs suitable for use with Microsoft CS using
`ipa-cacert-manage`:
```
ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs
```
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Replace all uses of virtual profiles with `dogtag-ipa-ca-renew-agent-reuse`
and remove profile from the IPA CA certificate tracking request.
This prevents virtual profiles from making their way into CSRs and in turn
being rejected by certain CAs. This affected the IPA CA CSR with Microsoft
CS in particular.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add a switch which makes `dogtag-ipa-ca-renew-agent-submit` reuse the
existing certificate rather than request a new one from the CA while
maintaining LDAP replication of the certificate.
Make this available as a new `dogtag-ipa-ca-renew-agent-reuse` certmonger
CA.
This allows redoing the LDAP replication and reexecuting pre- and post-save
commands of a tracking request without reissuing the certificate.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Use Dogtag's `caCACert` CA certificate profile rather than the
`ipaCACertRenewal` virtual profile for lightweight CA certificates.
The `ipaCACertRenewal` virtual profile adds special handling of externally
signed CA certificates and LDAP replication of issued certificates on top
of `caCACert`, neither of which is relevant for lightweight CA
certificates.
Remove all of the special casing of lightweight CA certificates from
dogtag-ipa-ca-renew-agent-submit.
Make sure existing lightweight CA certmonger tracking requests are updated
on server upgrade.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Fix certmonger tracking requests on every run of ipa-server-upgrade rather
than only when the tracking configuration has changed and the requests have
not yet been updated.
This allows fixing broken tracking requests just by re-running
ipa-server-upgrade.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Do not bypass the renewal master check when a non-virtual profile is used
in dogtag-ipa-ca-renew-agent-submit.
This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master
setting for certificates tracked with a real profile. (Note that there
currently aren't any such certificates tracked by us.)
Request the RA certificate using dogtag-submit rather than
dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not
available so early in the install process.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Turn on NSSOCSP directive during install/replica install/upgrade.
That check whether the certificate which is used for login is
revoked or not using OSCP.
Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.
https://pagure.io/freeipa/issue/6370
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
During an upgrade, http.suffix is used to identify ldap entry when
configuring kdc proxy. When the suffix is missing, the script crashed
when enabling KDC proxy, because it used invalid DN.
Fixes https://pagure.io/freeipa/issue/6920
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The typo would result in incorrect resolution of existing keys and
their existence wasn't properly logged as intended.
Related https://pagure.io/freeipa/issue/6920
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Since all the services throw exceptions when we're unable to
start/restart them, CA/KRA should not be an exception to it.
https://pagure.io/freeipa/issue/6766
Reviewed-By: Martin Basti <mbasti@redhat.com>
During upgrade keytab is moved to a new location using "move" operation.
This commit replaces move operation with "copy" and "remove" that
ensures a proper selinux context.
https://pagure.io/freeipa/issue/6924
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.
Fixes: https://pagure.io/freeipa/issue/6838
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When installation fails, do not advise the user to use the
obsoleted --uninstall option.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Fixes https://pagure.io/freeipa/issue/6923
Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa-server-install with external CA fails to issue pkinit certs.
This happens because the installer calls
krb = krbinstance.KrbInstance(fstore)
then
krb.enable_ssl()
and in this code path self.config_pkinit is set to None, leading to a wrong
code path.
The fix initializes the required fields of the krbinstance before calling
krb.enable_ssl.
https://pagure.io/freeipa/issue/6921
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Refresh the ca_host property of the Dogtag's RestClient class when
it's requested as a context manager.
This solves the problem which would occur on DL0 when installing
CA which needs to perform a set of steps against itself accessing
8443 port. This port should however only be available locally so
trying to connect to remote master would fail. We need to make
sure the right CA host is accessed.
https://pagure.io/freeipa/issue/6878
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
So that gssproxy picks up new configuration and therefore related
usages like authentication of CLI against server works
https://pagure.io/freeipa/issue/6902
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Local FAST armoring will now work regardless of PKINIT status so there
is no need to explicitly test for working PKINIT. If there is, there
should be a test case for that.
https://pagure.io/freeipa/issue/6830
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
The upgrader has been modified to configure either local or full PKINIT
depending on the CA status. Additionally, the new PKINIT configuration
will be written to the master's KDC entry.
https://pagure.io/freeipa/issue/6830http://www.freeipa.org/page/V4/Kerberos_PKINIT
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
anonymous kinit using keytab never worked so we may safely remove all
code that requests/uses it.
https://pagure.io/freeipa/issue/6830
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
An API was provided to report whether PKINIT is enabled for clients or
not. If yes, the pkinitEnabled value will be added to the
ipaConfigString attribute of master's KDC entry.
See http://www.freeipa.org/page/V4/Kerberos_PKINIT#Configuration for
more details.
https://pagure.io/freeipa/issue/6830
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
The PKINIT setup code now can configure PKINIT using IPA CA signed
certificate, 3rd party certificate and local PKINIT with self-signed
keypair. The local PKINIT is also selected as a fallback mechanism if
the CSR is rejected by CA master or `--no-pkinit` is used.
http://www.freeipa.org/page/V4/Kerberos_PKINIThttps://pagure.io/freeipa/issue/6830
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
There is some code duplication regarding setting ipaConfigString values
when:
* LDAP-enabling a service entry
* advertising enabled KDCProxy in LDAP
We can delegate the common work to a single re-usable function and thus
expose it to future use-cases (like PKINIT advertising).
https://pagure.io/freeipa/issue/6830
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
The compat plugin was causing deadlocks with the topology plugin. Move
its setup at the end of the installation and remove the
cn=topology,cn=ipa,cn=etc subtree from its scope.
https://pagure.io/freeipa/issue/6821
Reviewed-By: Martin Basti <mbasti@redhat.com>
During upgrade, the plugin update_tdo_gidnumber is launched in order to
add a gidnumber to the Trusted Domain Object.
This plugin should not be run when ad trust is not installed, otherwise an
error message is displayed.
https://pagure.io/freeipa/issue/6881
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
OpenSSL can't cope with empty files, add a newline after each password
https://pagure.io/freeipa/issue/6878
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Previous versions of FreeIPA add password to the ra.p12 file
contained in the password-protected tarball. This was forgotten
about in the recent changes and fixed now.
https://pagure.io/freeipa/issue/6878
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The cert file would have been rewritten all over again with
any of the cert in the CA cert chain without this patch.
https://pagure.io/freeipa/issue/6872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When we're installing server with an external CA, the installation
would have failed in the second step where it's passed the required
CA cert file because it would have tried to perform the Kerberos
installation for the second time.
https://pagure.io/freeipa/issue/6757
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
CertDB would have always created a directory on initialization. This
behavior changes here by replacing the truncate argument with create
which will only create the database when really required.
https://pagure.io/freeipa/issue/6853
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
The exception handling of client install inside replica installation
was rather promiscuous, hungrily eating any possible exception thrown
at it. Scoped down the try-except block and reduced its promiscuity.
This change should improve the future development experience debugging
this part of the code.
https://pagure.io/freeipa/issue/6183
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When installing client from inside replica installation on DL1,
it's possible that the client installation would fail and recommend
using --force-join option which is not available in replica installer.
Add the option there.
https://pagure.io/freeipa/issue/6183
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Don't check for no-pkinit option in case pkinit cert file was
provided. Setting no-pkinit is prohibited in this case, so without
this fix we have an impossible option-check if we want to provide
an own pkinit certificate and private key.
https://pagure.io/freeipa/issue/6807
Reviewed-By: Martin Basti <mbasti@redhat.com>
Slots in HSM are not assigned statically, we have to chose proper
slot from token label.
Softhsm i2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).
Changelog:
* created method get_slot() that returns slot number from
used label
* replaces usage of slot in __init__ method of P11_Helper
with label
* slot is dynamically detected from token label before
session is opened
* pkcs11-util --init-token now uses '--free' instead '--slot'
which uses first free slot (we don't care about slot numbers
anymore)
https://pagure.io/freeipa/issue/6692
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Previously system users needed by FreeIPA server services was created during
ipa-server-install. This led to problem when DBus policy was configured during
package installation but the user specified in the policy didn't exist yet
(and potentionally similar ones). Now the users will be created in package %pre
section so all users freeipa-server package needs exist before any installation
or configuration begins.
Another possibility would be using systemd-sysusers(8) for this purpose but
given that systemd is not available during container build the traditional
approach is superior.
Also dirsrv and pkiuser users are no longer created by FreeIPA instead it
depends on 389ds and dogtag to create those users.
https://pagure.io/freeipa/issue/6743
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The certmonger renew agent and restart scripts use host keytab for
authentication. When they are executed during a certmonger request before
the host keytab is set up, the authentication will fail.
Make sure all certmonger requests in the installer are done after the host
keytab is set up.
https://pagure.io/freeipa/issue/6757
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
A different code path is used for DS and httpd certificate requests in
replica promotion. This is rather unnecessary and makes the certificate
request code not easy to follow.
Consolidate the non-promotion and promotion code paths into one.
https://pagure.io/freeipa/issue/6757
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
httpd is restarted by certmonger in the restart_httpd script after the
httpd certificate is saved if it was previously running. The restart will
fail because httpd is not properly configured at this point.
Stop httpd at the beginning of httpd install to avoid the restart.
https://pagure.io/freeipa/issue/6757
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
DS is restarted by certmonger in the restart_dirsrv script after the DS
certificate is saved. This breaks the ldap2 backend and makes any operation
fail with NetworkError until it is reconnected.
Reconnect ldap2 after the DS certificate request is finished to fix the
issue. Make sure restart_dirsrv waits for the ldapi socket so that the
reconnect does not fail.
https://pagure.io/freeipa/issue/6757
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The trusted domain entries created in earlier versions are missing gidnumber.
During upgrade, a new plugin will read the gidnumber of the fallback group
cn=Default SMB Group and add this value to trusted domain entries which do
not have a gidNumber.
https://pagure.io/freeipa/issue/6827
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If both the pki-tomcat NSS database and its password.conf have been
created, don't try to override the password.conf file.
https://pagure.io/freeipa/issue/6839
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The NSS database at /etc/httpd/alias is not properly initialized and backed
up in CA-less replica promotion. This might cause the install to fail after
previous install and uninstall.
Make sure the NSS database is initialized and backed up even in CA-less
replica promotion to fix the issue.
https://pagure.io/freeipa/issue/4639
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
During CA-less installation, we initialize the HTTPD alias
database from a pkcs12 file. This means there's going to
be different nicknames to the added certificates. Store
the CA certificate nickname in HTTPInstance__setup_ssl()
to be able to correctly export it later.
https://pagure.io/freeipa/issue/6806
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
There was a redundant check for CA-less install certificate files
for replicas but the same check is done for all installers before
that.
https://pagure.io/freeipa/issue/6801
Reviewed-By: Martin Basti <mbasti@redhat.com>
pkinit is not supported on DL0, remove options that allow to set it
from ipa-{server,replica}-install.
https://pagure.io/freeipa/issue/6801
Reviewed-By: Martin Basti <mbasti@redhat.com>
Without this patch, if either of dirsrv_cert_files, http_cert_files
or pkinit_cert_files is set along with no-pkinit, the user is first
requested to add the remaining options and when they do that,
they are told that they are using 'no-pkinit' along with
'pkinit-cert-file'.
https://pagure.io/freeipa/issue/6801
Reviewed-By: Martin Basti <mbasti@redhat.com>
Since krbinstance code can now handle all operations of the
`enabled_anonymous_principal` function from upgrade we can remove
extraneous function altogether.
https://pagure.io/freeipa/issue/6799
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The anonymous principal will now be checked for presence and created on
both server and replica install. This fixes errors caused during replica
installation against older master that do not have anonymous principal
present.
https://pagure.io/freeipa/issue/6799
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
FreeIPA's `ipasam` module to Samba uses gethostname() call to identify
own server's host name. This value is then used in multiple places,
including construction of cifs/host.name principal. `ipasam` module
always uses GSSAPI authentication when talking to LDAP, so Kerberos
keys must be available in the /etc/samba/samba.keytab. However, if
the principal was created using non-FQDN name but system reports
FQDN name, `ipasam` will fail to acquire Kerberos credentials.
Same with FQDN principal and non-FQDN hostname.
Also host name and principal name must have the same case.
Report an error when configuring ADTrust instance with inconsistent
runtime hostname and configuration. This prevents errors like this:
[20/21]: starting CIFS services
ipa : CRITICAL CIFS services failed to start
where samba logs have this:
[2017/03/20 06:34:27.385307, 0] ipa_sam.c:4193(bind_callback_cleanup)
kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatrust@EXAMPLE.COM
[2017/03/20 06:34:27.385476, 1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
Connection to LDAP server failed for the 16 try!
Fixes https://pagure.io/freeipa/issue/6786
Reviewed-By: Martin Basti <mbasti@redhat.com>
This allows for more flexibility in the whole PKINIT setup process.
https://pagure.io/freeipa/issue/6792
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
In order to set up PKINIT, the anonymous principal must already be
created, otherwise the upgrade with fail when trying out anonymous
PKINIT. Switch the order of steps so that this issue does not occur.
https://pagure.io/freeipa/issue/6792
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Server installation failed when attmpting to disable module 'Root Certs' and
the module was not available in HTTP_ALIAS_DIR. When the module is not
available there's no need to disable it and the error may be treated as
success.
https://pagure.io/freeipa/issue/6803
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Dogtag is currently unable to generate a PIN it could use for
an NSS database creation in FIPS. Generate it for them so that
we don't fail.
https://pagure.io/freeipa/issue/6824
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Since commit 38c6689 temporary directories are no longer created at package
install time. Instead they're created at server install time.
Some steps in uninstall also assume that temporary direcories exist. Creating
the directories in the begining of server uninstall ensure that the uninstall
will go through.
https://pagure.io/freeipa/issue/6715
Reviewed-By: Martin Basti <mbasti@redhat.com>
On backup-restore, the ipa unit file for httpd was not backed up.
This file however contains setting for httpd to communicate with
gssproxy so not backing it up will result in httpd not knowing
how to get credentials.
https://pagure.io/freeipa/issue/6748
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Lookup IPA CA subject and pass it to CertDB when creating dscert.p12 and
httpcert.p12, otherwise a generic nickname will be used for the IPA CA
certificate instead of "$REALM IPA CA".
This fixes replica install on domain level 0 from a replica file created
using ipa-replica-install on IPA 4.5.
https://pagure.io/freeipa/issue/6777
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Now, at the domain level 0, the replica install always uses
Directory Manager credentials to create the LDAP connection.
Since ACIs permitting hosts to manage their own services were
added in 4.2 release, the old master denies this operations.
https://pagure.io/freeipa/issue/6549
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias
from backup on uninstall.
Files modified by IPA are kept with .ipasave suffix.
https://pagure.io/freeipa/issue/4639
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create
it explicitly in `DSInstance.__enable_ssl()`.
This stops the file from being created in /etc/httpd/alias during classic
replica install.
https://pagure.io/freeipa/issue/4639
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
