Commit Graph

1338 Commits

Author SHA1 Message Date
Martin Basti
5251cf5d14 Print to debug output answer from CA
CA request may fail due various erros, without debug output we cannot
decide what is wrong.

Reviewed-By: Oleg Fayans <ofayans@redhat.com>
2016-08-30 10:54:04 +02:00
Tomas Krizek
89de60c5d8 Enable LDAPS in replica promotion
With CA-less master and CA-less replica, attempting to install CA on replica
would fail. LDAPS has to be enabled during replica promotion, because it is
required by Dogtag.

https://fedorahosted.org/freeipa/ticket/6226

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-30 08:18:20 +02:00
Jan Cholasta
6581389ac3 custodia: include known CA certs in the PKCS#12 file for Dogtag
This fixes CA replica install in a topology upgraded from CA-less to
CA-full.

https://fedorahosted.org/freeipa/ticket/6207

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-26 16:31:01 +02:00
Tomas Krizek
fa3b3193fa Fix ipa-server-install in pure IPv6 environment
Installation in pure IPv6 environment failed because pki-tomcat tried to use
IPv4 loopback. Configuring tomcat to use IPv6 loopback instead of IPv4 fixes
this issue.

https://fedorahosted.org/freeipa/ticket/4291

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-25 10:19:52 +02:00
Christian Heimes
d9ab0097e1 Secure permissions of Custodia server.keys
Custodia's server.keys file contain the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6056

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-24 16:59:43 +02:00
Alexander Bokovoy
7bec8a246d support schema files from third-party plugins
Allow upgrade process to include schema files from third-party plugins
installed in /usr/share/ipa/schema.d/*.schema.

The directory /usr/shar/eipa/schema.d is owned by the server-common
subpackage and therefore third-party plugins should depend on
freeipa-server-common (ipa-server-common) package in their package
dependencies.

Resolves: https://fedorahosted.org/freeipa/ticket/5864
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-19 15:34:26 +02:00
Jan Cholasta
4ee426a68e server install: do not prompt for cert file PIN repeatedly
Prompt for PIN only once in interactive mode.

This fixes ipa-server-install, ipa-server-certinstall and
ipa-replica-prepare prompting over and over when the PIN is empty.

https://fedorahosted.org/freeipa/ticket/6032

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-08-17 15:11:55 +02:00
Stanislav Laznicka
fea56fefff Fail on topology disconnect/last role removal
Disconnecting topology/removing last-role-host during server
uninstallation should raise error rather than just being logged
if the appropriate ignore settings are not present.

https://fedorahosted.org/freeipa/ticket/6168

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-17 14:58:11 +02:00
Stanislav Laznicka
5776f1e900 Remove sys.exit from install modules and scripts
sys.exit() calls sometimes make it hard to find bugs and mask code that
does not always work properly.

https://fedorahosted.org/freeipa/ticket/5750

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 18:22:44 +02:00
Petr Spacek
d461f42f95 server upgrade: do not start BIND if it was not running before the upgrade
https://fedorahosted.org/freeipa/ticket/6206

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 14:33:17 +02:00
Petr Spacek
f2fe357219 DNS server upgrade: do not fail when DNS server did not respond
Previously, update_dnsforward_emptyzones failed with an exeception if
DNS query failed for some reason. Now the error is logged and upgrade
continues.

I assume that this is okay because the DNS query is used as heuristics
of last resort in the upgrade logic and failure to do so should not have
catastrophics consequences: In the worst case, the admin needs to
manually change forwarding policy from 'first' to 'only'.

In the end I have decided not to auto-start BIND because BIND depends on
GSSAPI for authentication, which in turn depends on KDC ... Alternative
like reconfiguring BIND to use LDAPI+EXTERNAL and reconfiguring DS to
accept LDAP external bind from named user are too complicated.

https://fedorahosted.org/freeipa/ticket/6205

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 14:23:30 +02:00
Stanislav Laznicka
0745c5d0f9 Don't show --force-ntpd option in replica install
Always run the client installation script with --no-ntp
option so that it does not show the message about --force-ntpd
option that does not exist in ipa-replica-install. The time
synchronization is done elsewhere anyway.

https://fedorahosted.org/freeipa/ticket/6046

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-11 15:33:35 +02:00
Petr Spacek
80e544e7a9 install: Call hostnamectl set-hostname only if --hostname option is used
This commit also splits hostname backup and configuration into two separate
functions. This allows us to backup hostname without setting it at the
same time.

https://fedorahosted.org/freeipa/ticket/6071

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-10 10:48:05 +02:00
Petr Spacek
a83523e37e server-install: Fix --hostname option to always override api.env values
Attempts to compare local hostname with user-provided values are error
prone as we found out in #5794. This patch removes comparison and makes
the env values deterministic.

https://fedorahosted.org/freeipa/ticket/6071

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-10 10:48:05 +02:00
Martin Basti
148e021ac1 ipa-backup: backup /etc/tmpfiles.d/dirsrv-<instance>.conf
This file allows daemon tmpfiles.d to re-create the dirs in volatile
directories like /var/run or /var/lock. Without this file Dirsrv will
not start.

https://fedorahosted.org/freeipa/ticket/6165

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-08-09 18:29:21 +02:00
Stanislav Laznicka
bf6adfe69d Improvements for the ipa-cacert-manage man and help
The man page for ipa-cacert-manage didn't mention that some
options are only applicable to the install some to the renew
subcommand.

Also fixed a few missing articles.

https://fedorahosted.org/freeipa/ticket/6013

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-08-09 16:09:08 +02:00
Petr Spacek
503d096ebc Fix ipa-replica-prepare's error message about missing local CA instance
ipa-replica-prepare must be run on a replica with CA or all the certs
needs to be provided (for CA-less case).

The old messages were utterly confusing because they mixed errors about
missing certs and missing local CA instance into one text.

https://fedorahosted.org/freeipa/ticket/6134

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
2016-08-05 11:49:39 +02:00
Jan Cholasta
a42b456b91 install: fix external CA cert validation
The code which loads the external CA cert chain was never executed because
of an incorrect usage of an iterator (iterating over it twice).

https://fedorahosted.org/freeipa/ticket/6166

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-04 10:44:59 +02:00
Petr Spacek
6eb9eb7303 replica-install: Fix --domain
Replica installation must not check existence of --domain - the domain
must (logically) exist.

https://fedorahosted.org/freeipa/ticket/6130

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-29 07:38:57 +02:00
Martin Basti
524719f420 DNS Locations: fix update-system-records unpacking error
Method IPASystemRecords.records_list_from_node returns only list
consists only from record names not tuple, which caused unpacking error

https://fedorahosted.org/freeipa/ticket/6117

Reviewed-By: Nikhil Dehadrai <ndehadra@redhat.com>
2016-07-22 15:16:08 +02:00
Fraser Tweedale
b12db92414 Create server and host certs with DNS altname
Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.

Add the hostname as a SAN dNSName when these certs are created.

(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).

Fixes: https://fedorahosted.org/freeipa/ticket/4970
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-07-19 14:18:04 +02:00
Martin Babinsky
37bfd1fdde DNS install: Ensure that DNS servers container exists
during DNS installation it is assumed that the cn=servers,cn=dns container is
always present in LDAP backend when migrating DNS server info to LDAP.

This may not always be the case (e.g. when a new replica is set up against
older master) so the code must take additional steps to ensure this container
is present.

https://fedorahosted.org/freeipa/ticket/6083

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-07-15 14:13:32 +02:00
Fraser Tweedale
88841a5619 uninstall: untrack lightweight CA certs
Fixes: https://fedorahosted.org/freeipa/ticket/6020
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-12 10:50:52 +02:00
Fraser Tweedale
3691e39a62 Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3
ipa-server-upgrade from pre-lightweight CAs version fails when
Dogtag is also being upgraded from pre-lightweight CAs version,
because Dogtag needs to be restarted after adding the lightweight
CAs container, before requesting information about the host
authority.

Move the addition of the Dogtag lightweight CAs container entry a
bit earlier in the upgrade procedure, ensuring restart.

Fixes: https://fedorahosted.org/freeipa/ticket/6011
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-01 11:09:53 +02:00
Petr Spacek
5e78b54d7c Fix internal errors in host-add and other commands caused by DNS resolution
Previously resolver was returning CheckedIPAddress objects. This
internal server error in cases where DNS actually returned reserved IP
addresses.

Now the resolver is returning UnsafeIPAddress objects which do syntactic
checks but do not filter IP addresses.

From now on we can decide if some IP address should be accepted as-is or
if it needs to be contrained to some subset of IP addresses using
CheckedIPAddress class.

This regression was caused by changes for
https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 10:35:39 +02:00
Fraser Tweedale
3ac3882631 Fix migration from pre-lightweight CAs master
Some container objects are not added when migrating from a
pre-lightweight CAs master, causing replica installation to fail.
Make sure that the containers exist and add an explanatory comment.

Fixes: https://fedorahosted.org/freeipa/ticket/5963
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-07-01 08:56:26 +02:00
Fraser Tweedale
0334693cfc Split CA replica installation steps for domain level 0
Installation from replica file is broken because lightweight CA
replication setup is attempted before Kerberos is set up.  To fix
the issue, explicitly execute step 1 before Kerberos setup, and
step 2 afterwards.

Part of: https://fedorahosted.org/freeipa/ticket/5963

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-07-01 08:56:26 +02:00
Florence Blanc-Renaud
025cfd911b Fix ipa-server-certinstall with certs signed by 3rd-party CA
Multiple issues fixed:
- when untracking a certificate, the path to the NSS directory must be
exactly identical (no trailing /), otherwise the request is not found
and the old certificate is still tracked.

- when a cert is issued by a 3rd party CA, no need to track it

- the server_cert should not be found using cdb.find_server_certs()[0][0]
because this function can return multiple server certificates. For
instance, /etc/httpd/alias contains ipaCert, Server-Cert and Signing-Cert
with the trust flags u,u,u. This leads to trying to track ipaCert (which is
already tracked).
The workaround is looking for server certs before and after the import,
and extract server-cert as the certificate in the second list but not in the
first list.

https://fedorahosted.org/freeipa/ticket/4785
https://fedorahosted.org/freeipa/ticket/4786

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-06-30 14:53:37 +02:00
Petr Spacek
3b79ce005c DNS: Reinitialize DNS resolver after changing resolv.conf
Previously the installer did not reinitialize resolver so queries for
records created using --ip-address option might not be answered. This led
to incorrect results during 'Updating DNS system records' phase at the
end of installation.

This is kind of hack but right now we do not have enough time to extend
python-dns's interface with resolver_reinit() method.

https://fedorahosted.org/freeipa/ticket/5962

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-30 14:08:04 +02:00
Jan Cholasta
dcf8b47471 session: move the session module from ipalib to ipaserver
The module is used only on the server, so there's no need to have it in
ipalib, which is shared by client and server.

https://fedorahosted.org/freeipa/ticket/5988

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-30 14:09:24 +02:00
Martin Basti
a155f692e7 Fix replica install with CA
The incorrect api was used, and CA record updated was duplicated.

https://fedorahosted.org/freeipa/ticket/5966

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-30 13:18:51 +02:00
Jan Cholasta
99339bf789 replica install: don't allow install against a newer server
If the version of the remote server is higher than the local version, don't
allow installing a replica of it.

https://fedorahosted.org/freeipa/ticket/5983

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-30 11:54:47 +02:00
Jan Cholasta
ce93b091d2 backup: use in-server API in ipa-backup and ipa-restore
Use in-server API so that the commands don't try to fetch API schema and
fail.

https://fedorahosted.org/freeipa/ticket/5995

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-06-30 11:04:05 +02:00
Florence Blanc-Renaud
3c40d3aa9e Do not allow installation in FIPS mode
https://fedorahosted.org/freeipa/ticket/5761

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2016-06-29 16:17:27 +02:00
Petr Spacek
954f6095fd DNS: Remove unnecessary DNS check from installer
Previously we were checking content of DNS before actually adding DNS
records for replicas. This is causing cycle in logic and adds weird
corner cases to the installer which can blow up on DNS timeout or so.

The check was completely unnecessary because the installer knows IP
addresses and name of the machine. Removal of the check makes
the installer more reliable.

https://fedorahosted.org/freeipa/ticket/5962

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-29 14:19:59 +02:00
Petr Spacek
7be50ea715 Use NSS for name->resolution in IPA installer
This fixes scenarios where IPA server is not able to resolve own name
and option --ip-address was not specified by the user.

This partially reverts changes from commit
dc405005f5

https://fedorahosted.org/freeipa/ticket/5962

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-29 14:19:59 +02:00
Fraser Tweedale
b720aa94e9 Update lightweight CA serial after renewal
For CA replicas to pick up renewed lightweight CA signing
certificates, the authoritySerial attribute can be updated with the
new serial number.

Update the renew_ca_cert script, which is executed by Certmonger
after writing a renewed CA certificate to the NSSDB, to update the
authoritySerial attribute if the certificate belongs to a
lightweight CA.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-29 08:52:29 +02:00
Fraser Tweedale
67f13c82d8 Skip CS.cfg update if cert nickname not known
After CA certificate renewal, the ``renew_ca_cert`` helper updates
certificate data in CS.cfg.  An unrecognised nickname will raise
``KeyError``.  To allow the helper to be used for arbitrary
certificates (e.g. lightweight CAs), do not fail if the nickname is
unrecognised - just skip the update.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-29 08:52:29 +02:00
Fraser Tweedale
45daffa22f Set default OCSP URI on install and upgrade
Dogtag has been updated to support a default OCSP URI when the
profile includes AuthInfoAccess with URI method but does not specify
the URI (instead of constructing one based on Dogtag's hostname and
port).

Add the pkispawn config to ensure that the OCSP URI is set before
issuing CA and system certificates, and add the config to existing
CA instances on upgrade.

Fixes: https://fedorahosted.org/freeipa/ticket/5956
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-28 19:15:35 +02:00
Martin Basti
5693d19550 CA replica promotion: add proper CA DNS records
Update 'ipa-ca' records with A/AAAA records of the newly added replica

https://fedorahosted.org/freeipa/ticket/5966

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-28 16:56:35 +02:00
Martin Basti
104040cf36 DNS Locations: cleanup of bininstance
We don't need anymore:
* sample of zone file - list of all records required by IPa will be
provided

* NTP related params - DNS records will be updated automatically,
based on LDAP values

* CA related params - DNS records will be updated automatically based
* on LDAP values

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-28 15:23:51 +02:00
Martin Basti
218734ba5a DNS Locations: hide option --no-msdcs in adtrust-install
Since DNS location mechanism is active, this option has no effect,
because records are generate dynamically.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-27 13:35:00 +02:00
Martin Babinsky
1bba2ed45d set krbcanonicalname on host entry during krbinstance configuration
part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-06-23 09:48:06 +02:00
Florence Blanc-Renaud
517964f746 Report missing certificate in external trust chain
When ipa-server-install is called with an external CA, but the cert chain is
incomplete, the command exits with the following error:
ERROR CA certificate chain in <list of --external-cert-file> is incomplete

The fix adds in the log the name of the missing certificate:
ERROR    CA certificate chain in <list of --external-cert-file> is incomplete: missing certificate with subject '<dn of the missing certificate>'

https://fedorahosted.org/freeipa/ticket/5792

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-23 07:36:57 +02:00
Martin Basti
9ae98420e9 Replica promotion: use the correct IPA domain for replica
IPA domain is detected from LDAP for replica promote installation.
If local domain and IPA domain does not match, installer refuses
to install replica.

IPA versions 4.3.0 and 4.3.1 allow to specify different domain for
replica. Only one IPA domain is allowed (domain used with master)
and different domain may cause issues.

This commit prevents to install new replica if multiple domains was
used in past. User action is required to fix this issue and remove
incorrect IPA domains from LDAP.

https://fedorahosted.org/freeipa/ticket/5976

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-21 17:09:06 +02:00
Martin Basti
fe689e9938 Fix possibly undefined variable in ipa_smb_conf_exists()
There was missing else statement what may result in undefined conf_fd
variable.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-06-20 20:49:35 +02:00
Oleg Fayans
0ba9e72057 Increased certmonger timeout
https://fedorahosted.org/freeipa/ticket/5758

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-20 19:36:45 +02:00
Jan Cholasta
91d6d87ca7 replica install: fix thin client regression
Fix a regression introduced by commit
3157eec28f.

https://fedorahosted.org/freeipa/ticket/4739
https://fedorahosted.org/freeipa/ticket/5985

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 18:45:26 +02:00
Yuri Chornoivan
a95e0777ac Fix minor typos
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-20 13:49:32 +02:00
Martin Babinsky
31ffe1a129 remove the master from managed topology during uninstallation
In managed topology, calling `ipa-server-install --uninstall` will cause the
master to remove itself from the topology by calling `server_del` behind the
scenes.

https://fedorahosted.org/freeipa/ticket/5588

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 18:55:19 +02:00