Commit Graph

281 Commits

Author SHA1 Message Date
Ondrej Hamada
bdc80fe372 Always set ipa_hostname for sssd.conf
ipa-client-install will always set ipa_hostname for sssd.conf in order
to prevent the client from getting into weird state.

https://fedorahosted.org/freeipa/ticket/2527
2012-05-28 17:09:22 +02:00
Martin Kosek
f1ed123cad Replace DNS client based on acutil with python-dns
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
  but but rather C-like interface based on functions and
  structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
  authconfig and thus can break without notice

Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
  in installutils to make the whole DNS check simpler and
  less error-prone. Logging was improves for the remaining
  checks
- improved logging for ipa-client-install DNS discovery

https://fedorahosted.org/freeipa/ticket/2730
https://fedorahosted.org/freeipa/ticket/1837
2012-05-24 13:55:56 +02:00
Martin Kosek
b8f30bce77 Make ipa 2.2 client capable of joining an older server
IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. ipa command no longer forwards Kerberos TGT to the
server during authentication. However, when IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which would detect
this situation and tries connecting with TGT forwarding enabled
again. User is informed about this incompatibility.

Missing realm was also added to keytab kinit as it was reported to
fix occasional install issues.

https://fedorahosted.org/freeipa/ticket/2697
2012-05-01 20:38:43 -04:00
Jan Cholasta
6569f355b6 Set the "KerberosAuthentication" option in sshd_config to "no" instead of "yes".
Setting it to "yes" causes sshd to handle kinits itself, bypassing SSSD.

ticket 2689
2012-04-29 19:45:13 -04:00
Martin Kosek
4d66cc07dc Fix help of --hostname option in ipa-client-install
Replace word "server" with "machine" to clearly distinguish between
IPA server and other machines (clients) and to also match the help
with ipa-client-install man pages.

https://fedorahosted.org/freeipa/ticket/1967
2012-04-19 19:55:44 +02:00
John Dennis
b8f1292e86 Use indexed format specifiers in i18n strings
Translators need to reorder messages to suit the needs of the target
language. The conventional positional format specifiers (e.g. %s %d)
do not permit reordering because their order is tied to the ordering
of the arguments to the printf function. The fix is to use indexed
format specifiers.

https://fedorahosted.org/freeipa/ticket/2596
2012-04-10 18:07:10 -04:00
Simo Sorce
735618a1c6 Fix memleak and silence Coverity defects
Some of these are not real defects, because we are guaranteed to have valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.

One meleak on error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c

Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is
actually fine as we count before hand so we never actually use the wrong value
that is computed on the last pass when p == 0

Fixes: https://fedorahosted.org/freeipa/ticket/2488
2012-03-22 17:33:13 +01:00
Lars Sjostrom
96390ca3e5 Add disovery domain if client domain is different from server domain
https://fedorahosted.org/freeipa/ticket/2209
2012-03-14 22:06:26 -04:00
Rob Crittenden
14975cdcdd Configure a basic ldap.conf for OpenLDAP in /etc/openldap/ldap.conf
Set URI, BASE and TLS_CACERT

Also update the man page to include a list of files that the client
changes.

https://fedorahosted.org/freeipa/ticket/1810
2012-03-14 21:28:52 -04:00
Ondrej Hamada
71d134dfa0 More exception handlers in ipa-client-install
Added exception handler to certutil operation of adding CA to the
default NSS database. If operation fails, installation is aborted and
changes are rolled back.

https://fedorahosted.org/freeipa/ticket/2415

If obtaining host TGT fails, the installation is aborted and changes are
rolled back.

https://fedorahosted.org/freeipa/ticket/1995
2012-03-09 15:48:27 +01:00
Rob Crittenden
10478ac8a1 Only warn if ipa-getkeytab doesn't get all requested enctypes.
Older client machines may request DES keys not supported in newer
KDCs. Thsi was causing the entire request to fail as well as client
enrollment.

https://fedorahosted.org/freeipa/ticket/2424
2012-03-04 17:42:18 -05:00
Rob Crittenden
55f89dc689 Do kinit in client before connecting to backend
The client installer was failing because a backend connection could be
created before a kinit was done.

Allow multiple simultaneous connections. This could fail with an NSS
shutdown error when the second connection was created (objects still
in use). If all connections currently use the same database then there
is no need to initialize, let it be skipped.

Add additional logging to client installer.

https://fedorahosted.org/freeipa/ticket/2478
2012-03-04 17:23:01 -05:00
Rob Crittenden
356823d270 Add --noac option to ipa-client-install man page
https://fedorahosted.org/freeipa/ticket/2369
2012-03-04 17:17:01 -05:00
Ondrej Hamada
111ca8a482 ipa-client-install not calling authconfig
Option '--noac' was added. If set, the ipa-client-install will not call
authconfig for setting nsswitch.conf and PAM configuration.

https://fedorahosted.org/freeipa/ticket/2369
2012-03-05 09:46:14 -05:00
Jan Cholasta
afad0775e1 Configure SSH features of SSSD in ipa-client-install.
OpenSSH server (sshd) is configured to fetch user authorized keys from
SSSD and OpenSSH client (ssh) is configured to use and trigger updates
of the SSSD-managed known hosts file.

This requires SSSD 1.8.0.
2012-03-01 18:42:56 -05:00
Petr Viktorin
be14c6609b Use reboot from /sbin
According to FHS, the reboot command should live in /sbin.
Systems may also have a symlink in /usr/bin, but they don't have to.

https://fedorahosted.org/freeipa/ticket/2480
2012-03-02 16:53:47 +01:00
Rob Crittenden
e889b82599 Add support defaultNamingContext and add --basedn to migrate-ds
There are two sides to this, the server and client side.

On the server side we attempt to add a defaultNamingContext on already
installed servers. This will fail on older 389-ds instances but the
failure is not fatal. New installations on versions of 389-ds that
support this attribute will have it already defined.

On the client side we need to look for both defaultNamingContext and
namingContexts. We still need to check that the defaultNamingContext
is an IPA server (info=IPAV2).

The migration change also takes advantage of this and adds a new
option which allows one to provide a basedn to use instead of trying
to detect it.

https://fedorahosted.org/freeipa/ticket/1919
https://fedorahosted.org/freeipa/ticket/2314
2012-02-29 15:28:13 +01:00
John Dennis
059a90702e Implement session activity timeout
Previously sessions expired after session_auth_duration had elapsed
commencing from the start of the session. We new support a "rolling"
expiration where the expiration is advanced by session_auth_duration
everytime the session is accessed, this is equivalent to a inactivity
timeout. The expiration is still constrained by the credential
expiration in all cases. The session expiration behavior is
configurable based on the session_auth_duration_type.

* Reduced the default session_auth_duration from 1 hour to 20 minutes.

* Replaced the sesssion write_timestamp with the access_timestamp and
  update the access_timestamp whenever the session data is created,
  retrieved, or written.

* Modify set_session_expiration_time to handle both an inactivity
  timeout and a fixed duration.

* Introduce  KerberosSession as a mixin class to share session
  duration functionality with all classes manipulating session data
  with Kerberos auth. This is both the non-RPC login class and the RPC
  classes.

* Update make-lint to handle new classes.

* Added session_auth_duration_type config item.

* Updated default.conf.5 man page for new session_auth_duration_type item.

* Removed these unused config items: mount_xmlserver,
  mount_jsonserver, webui_assets_dir

https://fedorahosted.org/freeipa/ticket/2392
2012-02-27 05:55:15 -05:00
Martin Kosek
dc47f77dc1 Add client hostname requirements to man
Changing a client hostname after ipa-client-install would break
the enrollment on IPA server. Update relevant man pages to contain
such information.

https://fedorahosted.org/freeipa/ticket/1967
2012-02-27 17:50:46 +01:00
Jan Cholasta
c00bf9e38a Configure ssh and sshd during ipa-client-install.
For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns
ipa-client-install option is used.

For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM
options are enabled (this can be disabled using --no-sshd
ipa-client-install option).

ticket 1634
2012-02-13 22:21:47 -05:00
Jan Cholasta
c34f5fbc88 Update host SSH public keys on the server during client install.
This is done by calling host-mod to update the keys on IPA server and nsupdate
to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp
ipa-client-install option.

https://fedorahosted.org/freeipa/ticket/1634
2012-02-13 22:21:43 -05:00
Jan Cholasta
9b6649a1ce Move the nsupdate functionality to separate function in ipa-client-install.
Done as part of adding SSH support.

https://fedorahosted.org/freeipa/ticket/1634
2012-02-13 22:21:38 -05:00
Jan Cholasta
04b8575c52 Add API initialization to ipa-client-install.
This change makes it possible to call IPA commands from ipa-client-install.

Done to support adding SSH host keys to DNS.

https://fedorahosted.org/freeipa/ticket/1634
2012-02-13 22:21:35 -05:00
John Dennis
bba4ccb3a0 add session manager and cache krb auth
This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:

* Add a session manager to support cookie based sessions which
  stores session data in a memcached entry.

* Add ipalib/krb_utils.py which contains functions to parse ccache
  names, format principals, format KRB timestamps, and a KRB_CCache
  class which reads ccache entry and allows one to extract information
  such as the principal, credentials, credential timestamps, etc.

* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
  that all kerberos items are co-located.

* Modify javascript in ipa.js so that the IPA.command() RPC call
  checks for authentication needed error response and if it receives
  it sends a GET request to /ipa/login URL to refresh credentials.

* Add session_auth_duration config item to constants.py, used to
  configure how long a session remains valid.

* Add parse_time_duration utility to ipalib/util.py. Used to parse the
  session_auth_duration config item.

* Update the default.conf.5 man page to document session_auth_duration
  config item (also added documentation for log_manager config items
  which had been inadvertantly omitted from a previous commit).

* Add SessionError object to ipalib/errors.py

* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
  /ipa/login

* Add SessionCCache class to session.py to manage temporary Kerberos
  ccache file in effect for the duration of an RPC command.

* Adds a krblogin plugin used to implement the /ipa/login
  handler. login handler sets the session expiration time, currently
  60 minutes or the expiration of the TGT, whichever is shorter. It
  also copies the ccache provied by mod_auth_kerb into the session
  data.  The json handler will later extract and validate the ccache
  belonging to the session.

* Refactored the WSGI handlers so that json and xlmrpc could have
  independent behavior, this also moves where create and destroy
  context occurs, now done in the individual handler rather than the
  parent class.

* The json handler now looks up the session data, validates the ccache
  bound to the session, if it's expired replies with authenicated
  needed error.

* Add documentation to session.py. Fully documents the entire process,
  got questions, read the doc.

* Add exclusions to make-lint as needed.
2012-02-09 13:20:45 -06:00
Ondrej Hamada
f7b4eb6a09 localhost.localdomain clients refused to join
Machines with hostname 'localhost' or 'localhost.localdomain' are
refused from joining IPA domain and proper error message is shown.
The hostname check is done both in 'ipa-client-install' script and in
'ipa-join'.

https://fedorahosted.org/freeipa/ticket/2112
2012-01-22 22:01:40 -05:00
Rob Crittenden
2d6eeb205e Require an HTTP Referer header in the server. Send one in ipa tools.
This is to prevent a Cross-Site Request Forgery (CSRF) attack where
a rogue server tricks a user who was logged into the FreeIPA
management interface into visiting a specially-crafted URL where
the attacker could perform FreeIPA oonfiguration changes with the
privileges of the logged-in user.

https://bugzilla.redhat.com/show_bug.cgi?id=747710
2011-12-12 17:36:45 -05:00
Alexander Bokovoy
790ffc42a8 Check through all LDAP servers in the domain during IPA discovery
When discovering IPA LDAP servers through DNS records, look through all
servers found until first success. A master might be not available or
denied access but replica may succeed.

Ticket #1827
https://fedorahosted.org/freeipa/ticket/1827
2011-12-09 00:19:57 -05:00
Ondrej Hamada
005b74d869 Client install checks for nss_ldap
In order to check presence of nss_ldap or nss-pam-ldapd when installing
client with '--no-sssd' option there was added code into ipa-client-install.
Checking is based on existence of one of nss_ldap configuration files.
This configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or
'/etc/libnss_ldap.conf'. Optionaly the nss_ldap could cooperate with
pam_ldap module and hence the presence of it is checked by looking for
'pam_ldap.conf' file. Existence of nss-pam-ldapd is checked against
existence of 'nslcd.conf' file. All this checking is done by function
nssldap_exists(). Because both modules are maintained by two different
functions, the function returns tuple containing return code and dictionary
structure - its key is name of target function and value is list of existing
configuration files. Files to check are specified inside the
nssldap_exists() function. nssldap_exists() also returns True if any of
the mandatory files was found, otherwise returns False.

In order to fit the returned values, the functions
configure_{ldap|nslcd}_conf() were slightly modified. They accept one more
parameter which is list of existing files.  They are not checking existence
of above mentioned files anymore.

https://fedorahosted.org/freeipa/ticket/2063
2011-12-05 22:53:04 -05:00
Martin Kosek
216505d2a0 Fix coverity issues in client CLI tools
This patch fixes 2 coverity issues:
 * ipa-client/config.c: CID 11090: Resource leak
 * ipa-client/ipa-getkeytab.c: CID 11018: Unchecked return value

https://fedorahosted.org/freeipa/ticket/2035
2011-11-23 00:30:41 -05:00
John Dennis
56401c1abe ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging
change default_logger_level to debug in configure_standard_logging

add new ipa_log_manager module, move log_mgr there, also export
root_logger from log_mgr.

change all log_manager imports to ipa_log_manager and change
log_manager.root_logger to root_logger.

add missing import for parse_log_level()
2011-11-23 09:36:18 +01:00
Ondrej Hamada
bf57388e54 Client install root privileges check
ipa-client-install was failing and returning traceback when
wasn't run by root. It was caused by logging initialization that
was taking part before the root privileges check. To correct it,
the check was moved before the logging initialization.

https://fedorahosted.org/freeipa/ticket/2123
2011-11-21 09:39:37 +01:00
Alexander Bokovoy
1f9ab4283c Add configure check for libintl.h
There are some distributions which do not provide gettext support within
libc.

For these cases checking for libintl is required.

https://fedorahosted.org/freeipa/ticket/1840
2011-11-16 18:35:19 -05:00
Martin Kosek
bb6e720393 Fix client krb5 domain mapping and DNS
Add Kerberos mapping for clients outside of server domain. Otherwise
certmonger had problems issuing the certificate. Also make sure that
client DNS records on the server are set before certmonger is started
and certificate is requested.

Based on Lars Sjostrom patch.

https://fedorahosted.org/freeipa/ticket/2006
2011-10-21 14:53:12 +02:00
Rob Crittenden
470576a832 If our domain is already configured in sssd.conf start with a new config.
https://fedorahosted.org/freeipa/ticket/1989
2011-10-13 21:24:07 -04:00
Rob Crittenden
814a424a37 Update all LDAP configuration files that we can.
LDAP can be configured in any number of places, we need to update everything
we find.

https://fedorahosted.org/freeipa/ticket/1986
2011-10-13 20:45:06 -04:00
Martin Kosek
d6a1ff9eb6 Fix ipa-client-install -U option alignment 2011-10-14 10:35:15 +02:00
Alexander Bokovoy
8ad4a648a9 Document --preserve-sssd option of ipa-client-install
Add documentation about --preserve-sssd, an ipa-client-install's option to
honor previously available SSSD configuration in case it is not possible to
merge it cleanly with the new one. In this case ipa-client-install will fail
and ask user to fix SSSD config before continuing.

Additional fix for
https://fedorahosted.org/freeipa/ticket/1750
https://fedorahosted.org/freeipa/ticket/1769
2011-10-14 10:30:37 +02:00
Martin Kosek
77cc5e0246 Hostname used by IPA must be a system hostname
Make sure that the hostname IPA uses is a system hostname. If user
passes a non-system hostname, update the network settings and
system hostname in the same way that ipa-client-install does.

This step should prevent various services failures which may not
be ready to talk to IPA with non-system hostname.

https://fedorahosted.org/freeipa/ticket/1931
2011-10-13 00:54:41 -04:00
Alexander Bokovoy
8baec8d06b Refactor authconfig use in ipa-client-install
When certain features are being configured via authconfig, we need to
remember what was configured and what was the state before it so that
during uninstall we restore proper state of the services.

Mostly it affects sssd configuration with multiple domains but also
pre-existing LDAP and krb5 configurations.

This should fix following tickets:
https://fedorahosted.org/freeipa/ticket/1750
https://fedorahosted.org/freeipa/ticket/1769
2011-10-12 19:20:09 -04:00
Martin Kosek
17f247d6c2 ipa-client-install hangs if the discovered server is unresponsive
Add a timeout to the wget call to cover a case when autodiscovered
server does not response to our attempt to download ca.crt. Let
user specify a different IPA server in that case.

https://fedorahosted.org/freeipa/ticket/1960
2011-10-12 00:50:22 -04:00
Jan Cholasta
592bf62161 Remove more redundant configuration values from krb5.conf.
ticket 1358
2011-10-11 22:00:50 -04:00
Rob Crittenden
f2fb6552c9 Make ipa-join work against an LDAP server that disallows anon binds
We determine the realm in the client installer so we can deduce
the base dn, pass that into ipa-join so we don't have to hunt for
it.

Re-order the bind so when doing an OTP enrollment so we can use the host
entry to authenticate before we retrieve the subject base, then initiate
the enrollment.

If ipa-join is called without a basedn it will still attempt to
determine it, but it will fail if anonymous binds are not allowed.

https://fedorahosted.org/freeipa/ticket/1935
2011-10-11 18:26:29 -04:00
Alexander Bokovoy
59c2e0fbd1 Increase number of 'getent passwd attempts' to 10
During ipa-client-install SSSD is not always started up properly for some
reason, things like "getent passwd admin" do not work.  This is particulary
true for large setups where admin is included in a large set of groups.

https://fedorahosted.org/freeipa/ticket/1774
2011-10-11 10:36:45 +02:00
Martin Kosek
af63731363 Make sure ipa-client-install returns correct error code
https://fedorahosted.org/freeipa/ticket/1937
2011-10-07 15:23:17 +02:00
Alexander Bokovoy
acb2c3106a Before kinit, try to sync time with the NTP servers of the domain we are joining
When running ipa-client-install on a system whose clock is not in sync
with the master, kinit fails and enrollment is aborted. Manual checking
of current time at the master and adjusting on the client-to-be is then
needed.

The patch tries to fetch SRV records for NTP servers of the domain we aim
to join and runs ntpdate to get time synchronized. If no SRV records are
found, sync with IPA server itself.  If that fails, warn that time might
be not in sync with KDC.

https://fedorahosted.org/freeipa/ticket/1773
2011-10-06 05:16:41 -04:00
Martin Kosek
185ca8f6fc Install tools crash when password prompt is interrupted
When getpass.getpass() function is interrupted via CTRL+D, EOFError
exception is thrown. Most of the install tools are not prepared for
this event and crash with this exception. Make sure that it is
handled properly and nice error message is printed.

https://fedorahosted.org/freeipa/ticket/1916
2011-10-06 08:28:15 +02:00
Alexander Bokovoy
c76bbd5129 Fix 'referenced before assignment' warning 2011-10-05 15:04:12 +02:00
Alexander Bokovoy
f93d71409a Setup and restore ntp configuration on the client side properly
When setting up the client-side NTP configuration, make sure that /etc/ntp/step-tickers
point to IPA NTP server as well.
When restoring the client during ipa-client-install --uninstall, make sure NTP configuration
is fully restored and NTP service is disabled if it was disabled before the installation.

https://fedorahosted.org/freeipa/ticket/1770
2011-10-05 12:52:40 +02:00
Jan Cholasta
12bfed37d4 Add a function for formatting network locations of the form host:port for use in URLs.
If the host part is a literal IPv6 address, it must be enclosed in square
brackets (RFC 2732).

ticket 1869
2011-10-05 10:58:25 +02:00
Alexander Bokovoy
fb79c50b39 Configure pam_krb5 on the client only if sssd is not configured
https://fedorahosted.org/freeipa/ticket/1775
2011-10-04 17:00:37 +02:00