Nameserver hostname passed to dnszone_add command was always treated
as FQDN even though it was a relative DNS name to the new zone. All
relative names were being rejected as unresolvable.
Modify --name-server option processing in dnszone_add and dnszone_mod
to respect FQDN/relative DNS name and do the checks accordingly. With
this change, user can add a new zone "example.com" and let dnszone_add
to create NS record "ns" in it, when supplied with its IP address. IP
address check is more strict so that it is not entered when no forward
record is created. Places misusing the option were fixed.
Nameserver option now also accepts zone name, which means that NS and A
record is placed to DNS zone itself. Also "@" is accepted as a nameserver
name, BIND understand it also as a zone name. As a side-effect of this
change, other records with hostname part (MX, KX, NS, SRV) accept "@"
as valid hostname. BIND replaces it with respective zone name as well.
Unit tests were updated to test the new format.
https://fedorahosted.org/freeipa/ticket/3204
A sequence is following:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller and preferred GC hosts
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace external member name by SID
It is possible that either or both of the LDAP instances are being restarted
during the renewal process. Make the script retry if this is the case.
It is also safe to re-run this script if it fails. It will take the current
ipaCert certificate and attempt to update the agent information in LDAP.
https://fedorahosted.org/freeipa/ticket/3179
ldap2 server plugin generates a modlist for every IPA command entry
modification. However, encoding of attributes entry_attrs generated
by our framework still does not match entry read from LDAP (until
ticket #2265 is addressed), convert compared values to common ground
so that the comparison does not report false positives when encoding
do not match (e.g. 'int' and 'unicode').
https://fedorahosted.org/freeipa/ticket/3220
python-ldap of version 2.3.10 and lower does not support serverctrls
and clientctrls fir rename_s operation. Do not use these options until
really needed. In that time, we may put a requirement in place, that
minimal python-ldap version is 2.3.11. Also add a notice explaining
why we did this change.
https://fedorahosted.org/freeipa/ticket/3199
- Provide a function for determinig the CA status using Dogtag 10's new
getStatus endpoint.
This must be done over HTTPS, but since our client certificate may not be set
up yet, we need HTTPS without client authentication.
Rather than copying from the existing http_request and https_request
function, shared code is factored out to a common helper.
- Call the new function when restarting the CA service. Since our Service
can only be extended in platform-specific code, do this for Fedora only.
Also, the status is only checked with Dogtag 10+.
- When a restart call in cainstance failed, users were refered to the
installation log, but no info was actually logged. Log the exception.
https://fedorahosted.org/freeipa/ticket/3084
Forces more consistency into ipa-server-install output. All
descriptions of services that are not instances of
SimpleServiceInstance are now in the following format:
<Description> (<Service Name>)
Furthermore, start_creation method has been modified to support
custom start and end messages. See documentation for more info.
https://fedorahosted.org/freeipa/ticket/3059
If we get an error from dogtag we always did raise a
CertificateOperationError exception with a message describing the
problem. Unfortuanately that error message did not go into the log,
just sent back to the caller. The fix is to format the error message
and send the same message to both the log and use it to initialize the
CertificateOperationError exception. This is done in the utility
method raise_certificate_operation_error().
https://fedorahosted.org/freeipa/ticket/2622
We don't use smbpasswd when configuring IPA for AD trusts anymore
because we switched to use Kerberos authentication in IPA passdb
backend based on CIFS service keytab.
https://fedorahosted.org/freeipa/ticket/3181
Any installed clones will have CRL generation explicitly disabled.
It is a manual process to make a different CA the CRL generator.
There should be only one.
https://fedorahosted.org/freeipa/ticket/3051
Since CIFS principal is generated by ipa-adtrust-install and is only
usable after setting CIFS configuration, there is no need to include it
into default setup.
This should fix upgrades from 2.2 to 3.0 where CIFS principal does not
exist by default.
https://fedorahosted.org/freeipa/ticket/3041
The master side should be on the local side, replica1, not the
remote. This required reversing a few master variables. This impacts
the naming of the replication agreements.
When deleting an agreement pass in the DN of that agreement
rather than trying to calculate what it is on-the-fly. We cannot
be sure which side is the master/clone and since we search for it
anyway to determine if the agreement exists it is more correct
to use what we find.
The force flag wasn't being passed into del_link so there was no way
to force a deletion.
https://fedorahosted.org/freeipa/ticket/2858
The initial certificate is issued for two years but renewals are
for six months for some reason. This fixes it for new and updated
IPA installs.
https://fedorahosted.org/freeipa/ticket/2951
Currently, CRL files are being exported to /var/lib/pki-ca
sub-directory, which is then served by httpd to clients. However,
this approach has several disadvantages:
* We depend on pki-ca directory structure and relevant permissions.
If pki-ca changes directory structure or permissions on upgrade,
IPA may break. This is also a root cause of the latest error, where
the pki-ca directory does not have X permission for others and CRL
publishing by httpd breaks.
* Since the directory is not static and is generated during
ipa-server-install, RPM upgrade of IPA packages report errors when
defining SELinux policy for these directories.
Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for
both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy
configuration does not report any error. The new CRL publish directory
is used for both new IPA installs and upgrades, where contents of
the directory (CRLs) is first migrated to the new location and then the
actual configuration change is made.
https://fedorahosted.org/freeipa/ticket/3144
This patch contains additional minor fixes which were proposed during
review but were not pushed (accidentaly). Also amends a name of the
default SMB group in a list of protected groups in group.py.
https://fedorahosted.org/freeipa/ticket/3147
Currently the framework is used to add the group but we want to avoid
that users are added explicitly to the group by removing the
objectclasses groupofnames, ipausergroup and nestedgroup and we want to
use a name with spaces in it. Both it not easy possible with the
framework, a LDIF file is used instead to create the group.
Fixes https://fedorahosted.org/freeipa/ticket/3147
This patch is adding a build of kerberosauth.xpi (FF Kerberos authentication extension).
Currently the build is done in install phase of FreeIPA server. It is to allow signing of the extension by singing certificate. The signing might not be necessary because the only outcome is that in extension installation FF doesn't show that the maker is not verified. It shows text: 'Object signing cert'. This might be a bug in httpinstance.py:262(db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)) The value is in place of hostname parameter.
If the extension is not signed, it can be created in rpm build phase, which should make upgrades easier. Current implementation doesn't handle upgrades yet.
In order to keep extension and config pages not dependent on a realm, a krb.js.teplate file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in install phase which holds FreeIPA's realm and domain information. This information can be then used by config pages by importing this file.
Ticket: https://fedorahosted.org/freeipa/ticket/3094
This strange patch is to accomodate both python-ldap 2.3 and later versions.
There was refactoring in python-ldap support for LDAP controls that split
base class into two different, changing properties and method signatures.
Luckily, we don't use any values passed to encodeControlValue.
From IPA 3.0, services have by default ipakrbprincipal objectclass which
allows ipakrbprincipalalias attribute used for case-insensitive principal
searches. However, services created in previous version do not have
this objectclass (and attribute) and thus case-insensitive searches
may return inconsistent results.
Fill ipakrbprincipalalias on upgrades for all 2.x services. Also treat
Treat the ipakrbprincipal as optional to avoid missing services in
service-find command if the upgrade fails for any reason.
https://fedorahosted.org/freeipa/ticket/3106
Every <plugin>-del command executes an "(objectclass=*)" search
to find out if a deleted node has any child nodes which would need
to be deleted first. This produces an unindexed search for every del
command which biases access log audits and may affect performance too.
Since most of the *-del commands delete just a single object (user,
group, RBAC objects, SUDO or HBAC objects, ...) and not a tree
(automount location, dns zone, ...) run a single entry delete first
and only revert to subtree search&delete when that fails.
Our installation added two final dots to the NS records,
so the records were invalid, Bind ignored the entire zone,
and name resolution didn't work.
Fix this error and add a check for empty DNS labels to the validator
When DNS is being installed during ipa-{server,dns,replica}-install,
forward and reverse zone is created. However, reverse zone was always
created with default zonemgr even when a custom zonemgr was passed
to the installer as this functionality was missing in function
creating reverse zone.
Consolidate functions creating forward and reverse zones to avoid
code duplication and errors like this one. Reverse zones are now
created with custom zonemgr (when entered by user).
https://fedorahosted.org/freeipa/ticket/2790
When a new reverse zone is to be generated based on an IP address without
a network prefix length, we need to use some default value. While netaddr
library default ones (32b for IPv4 and 128b for IPv6) are not very sensible
we should use the defaults already applied in installers. That is 24b for
IPv6 and 64 for IPv6.
Test case has been added to cover the new default.
https://fedorahosted.org/freeipa/ticket/2461
Since we only can perform verification when AD admin credentials are available,
report that trust should be verified from the AD side in other cases,
including unsuccessful verification.
Once trust is added, status of it is never stored anywhere.
https://fedorahosted.org/freeipa/ticket/2763
We've been stopping both DS instances (main and PKI) when upgrading.
This can happen while the CA is running. In some cases stopping the PKI
DS also killed the CA.
Only stop the specific instance for upgrades.
Also, wait for open ports after the upgrade is complete. The wait was
skipped previously. This can prevent bugs if scripts that need a DS are
run after the upgrade.
https://fedorahosted.org/freeipa/ticket/3083
Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.
Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.
This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
Dogtag 10 uses a new installer, new directory layout and new default
ports. This patch changes the ipa install code to integrate these changes.
https://fedorahosted.org/freeipa/ticket/2846
This adds two new commands to ipa-replica-manage: list-ruv & clean-ruv
list-ruv can be use to list the update vectors the master has
configugured
clean-ruv can be used to fire off the CLEANRUV task to remove a
replication vector. It should be used with caution.
https://fedorahosted.org/freeipa/ticket/2303
Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
are used to store DNs of linked objects in IPA (users, hosts, sudo
commands, etc.). However, when the linked objects is deleted or
renamed, the attribute pointing to it stays with the objects and
thus may create a dangling link causing issues in client software
reading the data.
Directory Server has a plugin to enforce referential integrity (RI)
by checking DEL and MODRDN operations and updating affected links.
It was already used for manager and secretary attributes and
should be expanded for the missing attributes to avoid dangling
links.
As a prerequisite, all attributes checked for RI must have pres
and eq indexes to avoid performance issues. Thus, the following
indexes are added:
* manager (pres index only)
* secretary (pres index only)
* memberHost
* memberUser
* sourcehost
* memberservice
* managedby
* memberallowcmd
* memberdenycmd
* ipasudorunas
* ipasudorunasgroup
Referential Integrity plugin is updated to enforce RI for all these
attributes. Unit tests covering RI checks for all these attributes
were added as well.
Note: this update will only fix RI on one master as RI plugin does
not check replicated operations.
https://fedorahosted.org/freeipa/ticket/2866
When LDAP updater detected an update instruction in indexing tree, it run
an indexing task and waited until it ends. However, the task was run
regardless of the update instruction result. This lead to unnecessary
index tasks being defined and waited for which makes the whole LDAP
last longer.
Execute indexing task only when an index add/update instruction is
successful.
https://fedorahosted.org/freeipa/ticket/2866
AttributeType updates are sensitive to case, whitespace or X-ORIGIN mismatch
just like ObjectClass attribute which is already being normalized before
an update value is compared with update instructions.
Expand safe schema updater routine to cover both ObjectClasses and
AttributeTypes updates.
https://fedorahosted.org/freeipa/ticket/2440
The restart_dirsrv script wasn't initializing the api so the
startup_timeout wasn't available.
The subsystemCert cert-pki-ca definition was missing so we didn't
know which certificate to update in CS.cfg.
Add some documentation and a pause between restarts for the
renew_ca_cert script so that when the CA subsystem certs are renewed
they don't all try to restart the CA at the same time.
https://fedorahosted.org/freeipa/ticket/3006
Current objectclass updates in a form of "replace" update instruction
dependent on exact match of the old object class specification in the
update instruction and the real value in LDAP. However, this approach is
very error prone as object class definition can easily differ as for
example because of unexpected X-ORIGIN value. Such objectclass update
failures may lead to serious malfunctions later.
When comparing the objectclasses, make sure we normalize them both
before we compare them to mitigate these kinds of errors. python-ldap's
objectclass model can be utilized to do the normalization part.
One objectclass update instruction was changed to do a replace of
an objectclass separately from add update instruction so that we
really only replace what's stored in LDAP.
https://fedorahosted.org/freeipa/ticket/2440
Generalize the fix_replica_memberof update plugin to allow updating more
replication attributes.
Add nsds5ReplicaStripAttrs to replication agreements on update and
replica install.
https://fedorahosted.org/freeipa/ticket/2534
Under certain circumstances, replica installation may fail in
"enable GSSAPI for replication" step when it cannot sync LDAP service
principals. There is often not much we can do as Directory Server
may be in an unrecoverable state but we should at least wait longer
before we give up.
A function checking replication status was also fixed to give more
accurate results by properly comparing start/end time of the
replication process and returning an error message to calling
function. This error message is then returned to user if do not
manage to get the LDAP service principals to give him a pointer
to the actual issue.
https://fedorahosted.org/freeipa/ticket/2950
Currently, we throw many public exceptions without proper i18n.
Wrap natural-language error messages in _() so they can be translated.
In the service plugin, raise NotFound errors using handle_not_found helper
so the error message contains the offending service.
Use ScriptError instead of NotFoundError in bindinstance install.
https://fedorahosted.org/freeipa/ticket/1953