When rolling back partially configured IPA client a number of OSErrors pop up
due to uninstaller trying to remove files that do not exist anymore. This
patch supresses these errors while keeping them in log as debug messages.
https://fedorahosted.org/freeipa/ticket/4966
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Detected NTP servers from SRV records should be used in NTP client
configuration.
https://fedorahosted.org/freeipa/ticket/4981
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Calls to ipautil.run using kinit were replaced with calls
kinit_keytab/kinit_password functions implemented in the PATCH 0015.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
New option '--kinit-attempts' enables the host to make multiple attempts to
obtain host TGT from master before giving up and aborting client installation.
In addition, all kinit attempts were replaced by calls to
'ipautil.kinit_keytab' and 'ipautil.kinit_password'.
https://fedorahosted.org/freeipa/ticket/4808
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
When --no-ntp is specified during ipa-client-install, we still
attempt to perform a time sync before obtaining a TGT from the
KDC. We should not be attempting to sync time with the KDC if
we are explicitly told to not configure ntp.
Ticket: https://fedorahosted.org/freeipa/ticket/4842
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The command was added in API version 2.107. Old IPA servers may crash with
NetworkError on ca_is_enabled, handle this case gracefully.
https://fedorahosted.org/freeipa/ticket/4565
Reviewed-By: David Kupka <dkupka@redhat.com>
When CA certificates in LDAP are corrupted, use the otherwise acquired CA
certificates from before.
https://fedorahosted.org/freeipa/ticket/4565
Reviewed-By: David Kupka <dkupka@redhat.com>
We use ntpd now to sync time before fetching a TGT during client
install. Unfortuantely, ntpd will hang forever if it is unable to
reach the NTP server.
This patch adds the ability for commands run via ipautil.run() to
have an optional timeout. This capability is used by the NTP sync
code that is run during ipa-client-install.
Ticket: https://fedorahosted.org/freeipa/ticket/4842
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
ipa-client-automount is run after ipa-client-install so the CA certificate
should be available. If the certificate is not available and ipadiscovery.ipacheckldap
returns NO_TLS_LDAP warn user and try to continue.
https://fedorahosted.org/freeipa/ticket/4902
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In general, TCP is a better fit for FreeIPA due to large packet sizes.
However, there is also a specific need for TCP when using OTP. If a UDP
packet is delivered to the server and the server takes longer to process
it than the client timeout (likely), the OTP value will be resent.
Unfortunately, this will cause failures or even lockouts. Switching to
TCP avoids this problem altogether.
https://fedorahosted.org/freeipa/ticket/4725
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Also remove dead code in ipa-join and add initializer to a variable in
ipa-getkeytab to prevent false positives in static code analysis.
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If new certificate is not available, reuse the old one, instead of waiting
indefinitely for the new certificate to appear.
https://fedorahosted.org/freeipa/ticket/4628
Reviewed-By: David Kupka <dkupka@redhat.com>
Previously a list of nicknames was kept in /etc/pki/nssdb/ipa.txt. The file
is removed now.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This is the new default NSS database for IPA.
/etc/pki/nssdb is still maintained for backward compatibility.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
User can set realm not matching one resolved from DNS. This is useful especially
when DNS is missconfigured.
https://fedorahosted.org/freeipa/ticket/4444
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be more stable and supported way of using cermonger than
tampering with its files.
>=certmonger-0.75.13 is needed for this to work.
https://fedorahosted.org/freeipa/ticket/4280
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa-client-install runs anonymous search in non-rootdse space which
may raise UNWILLING_TO_PERFORM error. This case was only covered for
BIND, but not for the actual LDAP queries.
https://fedorahosted.org/freeipa/ticket/4459
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Also, make the error messages for this fallback case less scary and
clean up some indentation issues in the nearby code which made this
code difficult to read.
https://fedorahosted.org/freeipa/ticket/4446
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
To ensure new NIS domain name is loaded after ipa-client-install
even in case when nisdomainname service is already running, we
need to restart the service rather than starting it.
https://fedorahosted.org/freeipa/ticket/4393
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
A mixture of implicit and explicit tagging was being used and this caused
a bug in retrieving the enctype number due to the way ber_scanf() loosely
treat sequences and explicit tagging.
The ASN.1 notation used to describe the getkeytab operation uses implicit
tagging, so by changing the code we simply follow to the specified encoding.
Resolves: https://fedorahosted.org/freeipa/ticket/4404
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
