There are too many options in ipa-*-install scripts which makes it
difficult to read. This patch adds subsections to install script
online help and man pages to improve readability. No option has
been changed.
To further improve man pages:
1) All man pages were changed to have the same header and top-center
title to provide united look.
2) Few typos in man pages have been fixed
https://fedorahosted.org/freeipa/ticket/1687
If the client installer fails for some reason and --force was not used
then roll back the configuration.
This is needed because we touch /etc/sysconfig/network early in the
configuration and if it fails due to any number of issues (mostly related
to authentication) it will not be reset. We may as well run through the
entire uninstall process to be sure the system has been reset.
https://fedorahosted.org/freeipa/ticket/1704
Do not forget to add new line in updated /etc/sysconfig/network
configuration. Move the actual change of the hostname after the
user confirmation about proceeding with installation. It confused
users when the hostname change occurred before this prompt.
https://fedorahosted.org/freeipa/ticket/1724
Enable GSSAPI credentials delegation in xmlrpc-c/curl to fix client
enrollment. The unconditional GSSAPI was previously dropped from
curl because of CVE-2011-2192.
https://fedorahosted.org/freeipa/ticket/1452
As network configuration file is created as temporary file, it has stricter permissions than
we need for the target system configuration file. Ensure permissions are properly reset before
installing file.
If permissions are not re-set, system may have no networking enabled after reboot.
https://fedorahosted.org/freeipa/ticket/1606
* Check remote LDAP server to see if it is a V2 server
* Replace numeric return values with alphanumeric constants
* Display the error message from the ipa-enrollment extended op
* Remove generic join failed error message when XML-RPC fails
* Don't display Certificate subject base when enrollment fails
* Return proper error message when LDAP bind fails
https://fedorahosted.org/freeipa/ticket/1417
Fixes https://fedorahosted.org/freeipa/ticket/1476
SSSD will need TLS for checking if ipaMigrationEnabled attribute is set
Note that SSSD will force StartTLS because the channel is later used for
authentication as well if password migration is enabled. Thus set the option
unconditionally.
https://fedorahosted.org/freeipa/ticket/1373
When SSSD is in use, we actually trying to disable NSCD daemon. Telling
that we failed to configure automatic _startup_ of the NSCD is wrong then.
Otherwise it is possible for sssd to pick a different master to
communicate with via the DNS SRV records and if the remote master
goes down the local one will have problems as well.
ticket https://fedorahosted.org/freeipa/ticket/1187
Client installation with --no-sssd option was broken if the client
was based on a nss-pam-ldap instead of nss_ldap. The main issue is
with authconfig rewriting the nslcd.conf after it has been
configured by ipa-client-install.
This has been fixed by changing an order of installation steps.
Additionally, nslcd daemon needed for nss-pam-ldap function is
correctly started.
https://fedorahosted.org/freeipa/ticket/1235
Even with --no-sssd authconfig was setting nsswitch.conf to use sssd
for users, groups, shadow and netgroups. We need to pass in the
--enableforcelegacy option hwen configuring nss_ldap.
Also always back up and restore sssd.conf. It still gets configured for
kerberos.
ticket 1142
When ipa-client-install autodiscovers IPA server values it
doesn't fill the fixed KDC address to Kerberos configuration
file. However, when realm != domain or the autodiscovered values
are overridden, installation may fail because it cannot find the
KDC.
This patch adds a failover to use static KDC address in case when
such an issue occurs.
https://fedorahosted.org/freeipa/ticket/1100
Remove redundant ipa-client-install error message when optional nscd
daemon was not installed. Additionally, use standard IPA functions
for service manipulation and improve logging.
https://fedorahosted.org/freeipa/ticket/1207
This option does not behave properly in F15 as chkconfig does not list services
moved to use systemd service files.
Plus there are more direct ways than parsing its output, which are more
reliable.
Also just testing for the availability of the service calling 'chkconfig name'
is enough.
https://fedorahosted.org/freeipa/ticket/1206
ipa-rmkeytab returns success even when the realm passed to the
program is not found in a keytab. This patch adds an explanatory
error message and returns error code 5 - Principal or realm not
found.
https://fedorahosted.org/freeipa/ticket/694
The --force option may be misused to reinstall an existing IPA
client. This is not supported and may lead to unexpected errors.
When required, the cleanest way to re-install IPA client is to
run uninstall and then install again.
This patch also includes few cosmetic changes in messages to user
to provide more consistent user experience with the script.
https://fedorahosted.org/freeipa/ticket/1117
This patch prevents uninstalling IPA client when it is configured
as a part of IPA server. ipa-server-installation script is advised
for this situation.
https://fedorahosted.org/freeipa/ticket/1049
This option is only used when configuring an IPA client on an IPA server.
Describing it on the command-line will only confuse people so don't
list it as an option.
Ticket 1050
When not on master we weren't passing in the user-supplied domain and
server. Because of changes made that require TLS on the LDAP calls
we always need the server name early in the process to retrieve the IPA
CA certificate.
ticket 1090
If a hostname was provided it wasn't used to configure either
certmonger or sssd. This resulted in a non-working configuration.
Additionally on un-enrollment the wrong hostname was unenrolled, it
used the value of gethostname() rather than the one that was passed
into the installer.
We have to modify the CA configuration of certmonger to make it
use the right principal when requesting certificates. The filename
is unpredicable but it will be in /var/lib/certmonger/cas.
We need to hunt for ipa_submit and add -k <principal> to it, then
undo that on uninstall. These files are created the first time
the certmonger service starts, so start and stop it before messing
with them.
ticket 1029
stop_tracking() is robust enough to do the right thing if no certificate
exists so go ahead and always call it. If the certificate failed to
be issued for some reason the request will still in certmonger
after uninstalling. This would cause problems when trying to reinstall
the client. This will go ahead and always tell certmonger to stop
tracking it.
ticket 1028
Apparently we forgot to check OID consistency between the schema and the
extensions, and we got duplicates.
Technically the schema was done later but it is easier to change the extensions
OIDs than to change the schema of current beta2/rc1 installations.
The only side effect is that older ipa-getkeytab and ipa-join binaries will
fail. So all the admin/client tools must be upgraded at the same time as well
as all the masters (otherwise some will show/accept the new OID while others
won't).
Fixes: https://fedorahosted.org/freeipa/ticket/976
When v2 IPA client is trying to join an IPA v1 server
a strange exception is printed out to the user. This patch
detects this by catching an XML-RPC error reported by ipa-join
binary called in the process which fails on unexisting IPA server
'join' method.
https://fedorahosted.org/freeipa/ticket/553
Add pointer to self to /etc/hosts to avoid chicken/egg problems when
restarting DNS.
On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't
attempt to do any resolving. Leave it to true on clients.
Set rdns to false on both server and client.
https://fedorahosted.org/freeipa/ticket/931
If not then sssd spits out a warning message:
sssd: nscd socket was detected. As nscd caching capabilities may conflict
with SSSD, it is recommended to not run nscd in parallel with SSSD
Stop nscd before configuring sssd so we don't confuse our users.
ticket 743
Mozldap code removed from all sources and configure source script.
Now, IPA will compile even when package mozldap-devel is not
installed on the system.
https://fedorahosted.org/freeipa/ticket/756
This patch fixes 2 situations where a pointer to allocated error
string could be overwritten - which could have resulted in
a memory leak.
https://fedorahosted.org/freeipa/ticket/714
krb5_get_default_realm() and asprintf() return values were ignored.
This could lead to unhandled error issues or memory access
issues.
This patch adds return value checks to all such functions.
As a consequence, one new return value has been added to man page.
https://fedorahosted.org/freeipa/ticket/720
krb5_init_context return value was not checked. This could lead
to unhandled error issues.
This patch moves the Kerberos context initialization to the
branch where it is needed and handles the error value in a way
that allows program exit in a standard way deallocating all
resources.
https://fedorahosted.org/freeipa/ticket/721
In some cases recently freed memory was used/freed again. This
patch introduces more consistency between functions
join_ldap/join_krb5 when dealing with affected variables.
https://fedorahosted.org/freeipa/ticket/709
Remove the LDAP_DEPRECATED constant and do not use functions that are
marked as deprecated in recent OpenLDAP releases. Also always define
WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that
depend on that constant.
https://fedorahosted.org/freeipa/ticket/576
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
Fixes errors about implicit function declaration and moves duplicated
gettext code into a common module. Also silences some warnings.
Signed-off-by: Simo Sorce <ssorce@redhat.com>
Don't use KRB5_PRIVATE.
The patch implements and uses the following krb5 functions that are
otherwise private in recent MIT Kerberos releases:
* krb5_principal2salt_norealm
* krb5_free_ktypes
Signed-off-by: Simo Sorce <ssorce@redhat.com>
Use a little stricter compilation flags, in particular -Wall and treat
implicit function declarations as errors.
Signed-off-by: Simo Sorce <ssorce@redhat.com>
When installing IPA client, the install script used detected domain name
of the machine instead of that given by administrator (in case one was
given)
https://fedorahosted.org/freeipa/ticket/363
Uses a new subclass IPAOptionParser in scripts instead of OptionParser
from the standard python library. IPAOptionParser uses its own IPAOption
class to store options, which adds a new 'sensitive' attribute.
https://fedorahosted.org/freeipa/ticket/393
Add automatic creation of python an C file lists for potfiles
Deletes useless copy of Makefile in install/po
Remove duplicate maintainer-clean target
Add debug target that prints file lists
Unbreak update-po target, merges in patch from John
If we pass in the domain and server to ipa-client-install it doesn't do
service discovery which is what we want. We want to be sure the server
is properly configured at install time.
Unenrollment means that the host keytab is disabled on the server making
it possible to re-install on the client. This host principal is how we
distinguish an enrolled vs an unenrolled client machine on the server.
I added a --unroll option to ipa-join that binds using the host credentials
and disables its own keytab.
I fixed a couple of other unrelated problems in ipa-join at the same time.
I also documented all the possible return values of ipa-getkeytab and
ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab
and it returns whatever value ipa-getkeytab returned on failure.
ticket 242
Passing domain and server on the command-line used to be considered as
DNS autodiscovery worked. This was problematic if there was in fact no
SRV records because krb5.conf would be configured without a specific KDC
causing all Kerberos ops to fail.
Now if you pass in a domain/server it still tries to see if they are
discoverable and if so won't hardcode a server, but will fall back to doing
so if necessary.
Also be a lot more aggressive on looking for the SRV records. Use the
search and domain values from /etc/resolv.conf on the chance that the
SRV records aren't in the domain of the hostname of the machine.
An example of this would be if your laptop is in dhcp.example.com and
your company's SRV records are in corp.example.com. Searching
dhcp.example.com and example.com won't find the SRV records but the user
is likely to have corp.redhat.com in the search list, at least.
ticket 234
Make two krbV imports conditional. These aren't used during a client
install so should cause no problems.
Also fix the client installer to use the new env option in ipautil.run.
We weren't getting the krb5 configuration set in the environment because
we were overriding the environment to set the PATH.
ticket 136
This started with the client uninstaller returning a 1 when not installed.
There was no way to tell whether the uninstall failed or the client
simply wasn't installed which caused no end of grief with the installer.
This led to a lot of certmonger failures too, either trying to stop
tracking a non-existent cert or not handling an existing tracked
certificate.
I moved the certmonger code out of the installer and put it into the
client/server shared ipapython lib. It now tries a lot harder and smarter
to untrack a certificate.
ticket 142
We will update any/all of /etc/ldap.conf, /etc/nss_ldap.conf,
/etc/libnss-ldap.conf and /etc/pam_ldap.conf.
nslcd is the replacement for nss_ldap.
ticket 50
the code was calling ldap_init, which is a deprecated function, and getting a compilation warning. This version uses the recommended function ldap_initilaize.
Using the host service principal one should be able to retrieve a keytab
for other services for the host using ipa-getkeytab. This required a number
of changes:
- allow hosts in the service's managedby to write krbPrincipalKey
- automatically add the host to managedby when a service is created
- fix ipa-getkeytab to return the entire prinicpal and not just the
first data element. It was returning "host" from the service tgt
and not host/ipa.example.com
- fix the display of the managedby attribute in the service plugin
This led to a number of changes in the service unit tests. I took the
opportunity to switch to the Declarative scheme and tripled the number
of tests we were doing. This shed some light on a few bugs in the plugin:
- if a service had a bad usercertificate it was impossible to delete the
service. I made it a bit more flexible.
- I added a summary for the mod and find commands
- has_keytab wasn't being set in the find output
ticket 68
We need the configured kerberos realm so we can clean up /etc/krb5.keytab.
We have this already in /etc/ipa/default.conf so use that instead of
requiring a whole other python package to do it.
If this ever gets out of sync the user can always remove
/var/lib/ipa-client/sysrestore/*, they just need to understand the
implications.
One potential problem is with certmonger. If you install the client
and then re-install without uninstalling then the subsequent
certificate request by certmonger will fail because it will already
be tracking a certificate in /etc/pki/nssdb of the same nickname and
subject (the old cert).
- Move the ipa-getcert request to after we set up /etc/krb5.conf
- Don't try removing certificates that don't exist
- Don't tell certmonger to stop tracking a cert that doesn't exist
- Allow --password/-w to be the kerberos password
- Print an error if prompting for a password would happen in unattended mode
- Still support echoing a password in when in unattended mode
Also re-arrange some code around reading the configuration file. In trying
to eliminate bogus error messages I prevented the file from being read at all.
It isn't a problem when joining with ipa-client (which uses -s) but it wouldn't
work if you don't pass in a server name.
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.
This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
- Don't run nscd if using sssd, the caching of nscd conflicts with sssd
- Set the minimum version of sssd to 1.1.1 to pick up needed hbac fixes
- only try to read the file configuration if the server isn't passed in
- Fetch the CA cert before running certmonger
- Delete entries from the keytab before removing /etc/krb5.conf
- Add and remove the IPA CA to /etc/pki/nssdb
When using the dogtag CA we can control what the subject of an issued
certificate is regardless of what is in the CSR, we just use the CN value.
The selfsign CA does not have this capability. The subject format must
match the configured format or certificate requests are rejected.
The default format is CN=%s,O=IPA. certmonger by default issues requests
with just CN so all requests would fail if using the selfsign CA.
This subject base is stored in cn=ipaconfig so we can just fetch that
value in the enrollment process and pass it to certmonger to request
the right thing.
Note that this also fixes ipa-join to work with the new argument passing
mechanism.
This does a number of things under the hood:
- Use authconfig to enable sssd in nss and pam
- Configure /etc/sssd/sssd.conf to use our IPA provider
- Enable the certmonger process and request a server cert
- join the IPA domain and retrieve a principal. The clinet machine
*must* exist in IPA to be able to do a join.
- And then undo all this on uninstall
When we un-enroll a client we'll do a bit of cleanup including removing
any principals for the IPA realm from /etc/krb5.keytab.
This removes principals in 2 ways:
- By principal, only entries matching the full principal are removed
- By realm. Any principal for that realm is removed
This does not change the KDC at all, just removes entries from a file
on the client machine.
This is needed because in the client installer we actually perform the
join before creating the configuration files that join uses. All we need
is the IPA server to join to and we have that from the CLI options so
use that.
Because ipa-join calls ipa-getkeytab I'd like to keep the return values in
sync. ipa-join returns the value returned by ipa-getkeytab so in order to
tell what failed the return values need to mean the same things and not
overlap.
This will create a host service principal and may create a host entry (for
admins). A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentails are available then enrollment over LDAPS is used
if a password is provided.
This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
rest of the krb5.conf configuration were. This clearly breaks
with the default EXAMPLE.COM realm configuratrion. Furthermore
it makes it not possible to try to 'fix' an installation by
rerruninng ipa-client-install
This patch removes the special case and avoids krb5.conf only
if the on_master flag is passed.
Fix also one inner 'if' statement to be simpler to understand.
Fix make maintainer-clean
Also make RPM naming consistent by using a temp RELEASE file.
This one helps when testing builds using rpms.
Just 'echo X > RELEASE' to build a new rpms (X, X+1, X+2 ...)
Version 1.1.0 was released some times ago, bump up to 1.1.1
I've been on a crusade (;-) to remove useless if-before-free tests,
so ran a script that spotted some here. I think I removed the first
batch (without braces) automatically, then manually removed the ones
with curly braces around the free statements.
You may well have doubts about the portability of removing those
tests, but as long as you don't care about SunOS4 or earlier, you'll
be fine. I've done similar things for e.g., coreutils, glibc, and git,
and have had no problems.
We were just shutting down the KDC if it had been started prior to IPA
installation. We need to stop it in all cases.
And we should restart nscd as it may have made an LDAP connection.
440322
The file VERSION is now the sole-source of versioning.
The generated .spec files will been removed in the maintainer-clean targets
and have been removed from the repository.
By default a GIT build is done. To do a non-GIT build do:
$ make TARGET IPA_VERSION_IS_GIT_SNAPSHOT=no
When updating the version you can run this to regenerate the version:
$ make version-update
The version can be determined in Python by using ipaserver.version.VERSION
FreeIPA relies on RedHat's Directory Server, which uses mozldap.
A FreeIPA build using mozldap would reduce the project's dependencies and
redundant code. In addition, mozldap uses NSS instead of OpenSSL.
This is beneficial for the reasons listed in [1].
[1] http://fedoraproject.org/wiki/FedoraCryptoConsolidation
- Make sure timeouts are not too high, so that machine does not hang if remote
servers are not reachable
- Make sure root can always login no matter what the status of the ldap
servers
- use rfc2307bis schema directive
- Removing shebangs (#!) from a bunch of python libraries
- Don't use a variable name in init scripts for the lock file
- Keep the init script name consistent with the binary name, so renamed
ipa-kpasswd.init to ipa_kpasswd.init
- Add status option to the init scripts
- Move most python scripts out of /usr/share/ipa and into the python
site-packages directories (ipaserver and ipaclient)
- Remove unnecessary sys.path.append("/usr/share/ipa")
- Fix the license string in the spec files
- Rename ipa-webgui to ipa_webgui everywhere
- Fix a couple of issues reported by pychecker in ipa-python
Following the changelog history from my dev tree, some comments are useful imo
------------------------------------------------------
user: Simo Sorce <ssorce@redhat.com>
date: Fri Dec 21 03:05:36 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Remove remnants of the initial test tool
changeset: 563:4fe574b7bdf1
user: Simo Sorce <ssorce@redhat.com>
date: Fri Dec 21 02:58:37 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
description:
Maybe actually encrypting the keys will help :-)
changeset: 562:488ded41242a
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 23:53:50 2007 -0500
files: ipa-server/ipa-install/share/Makefile.am ipa-server/ipa-install/share/default-aci.ldif
description:
Fixes
changeset: 561:4518f6f5ecaf
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 23:53:32 2007 -0500
files: ipa-admintools/Makefile ipa-admintools/ipa-addservice
description:
transform the old ipa-getkeytab in a tool to add services as the new
ipa-getkeytab won't do it (and IMO it makes more sense to keep the
two functions separate anyway).
changeset: 559:25a7f8ee973d
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 23:48:59 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
description:
Bugfixes
changeset: 558:28fcabe4aeba
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 23:48:29 2007 -0500
files: ipa-client/configure.ac ipa-client/ipa-client.spec ipa-client/ipa-client.spec.in ipa-client/ipa-getkeytab.c
description:
Configure fixes
Add ipa-getkeytab to spec
Client fixes
changeset: 557:e92a4ffdcda4
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 20:57:10 2007 -0500
files: ipa-client/Makefile.am ipa-client/configure.ac
description:
Try to make ipa-getkeytab build via autotools
changeset: 556:224894175d6b
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 20:35:56 2007 -0500
files: ipa-admintools/ipa-getkeytab ipa-client/ipa-getkeytab.c
description:
Messed a bit with hg commands.
To make it short:
- Remove the python ipa-getkeytab program
- Rename the keytab plugin test program to ipa-getkeytab
- Put the program in ipa-client as it should be distributed with the client
tools
changeset: 555:5e1a068f2e90
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 20:20:40 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Polish the client program
changeset: 554:0a5b19a167cf
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 18:53:49 2007 -0500
files: ipa-server/ipa-install/share/default-aci.ldif ipa-server/ipa-install/share/default-keytypes.ldif ipa-server/ipa-install/share/kdc.conf.template ipa-server/ipa-install/share/kerberos.ldif ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c ipa-server/ipaserver/krbinstance.py
description:
Support retrieving enctypes from LDAP
Filter enctypes
Update test program
changeset: 553:f75d7886cb91
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 00:17:40 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Fix ber generation and remove redundant keys
changeset: 552:0769cafe6dcd
user: Simo Sorce <ssorce@redhat.com>
date: Wed Dec 19 19:31:37 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Avoid stupid segfault
changeset: 551:1acd5fdb5788
user: Simo Sorce <ssorce@redhat.com>
date: Wed Dec 19 18:39:12 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
description:
If ber_peek_tag() returns LBER_ERROR it may just be that we are at the
end of the buffer. Unfortunately ber_scanf is broken in the sense that
it doesn't actually really consider sequence endings (due probably to the fact
they are just representation and do not reflect in the underlieing DER
encoding.)
changeset: 550:e974fb2726a4
user: Simo Sorce <ssorce@redhat.com>
date: Wed Dec 19 18:35:07 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
First shot at the new method