Martin Babinsky
90788a25d6
increase NSS memcache timeout for IPA server
Increasing memcache timeout to 600 seconds when configuring sssd on IPA server
should improve performance when dealing with large groups in trusts.
https://fedorahosted.org/freeipa/ticket/4964
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-30 12:50:00 +02:00
Jan Cholasta
81729e22d3
vault: Move vaults to cn=vaults,cn=kra
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 16:17:34 +00:00
Petr Spacek
13700d9d3f
Clarify host name output in ipa-client-install
Proposed by Tomas Capek
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-05 19:25:56 +02:00
Endi S. Dewata
fde21adcbd
Added vault plugin.
A new plugin has been added to manage vaults. Test scripts have
also been added to verify the functionality.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-25 06:17:09 +00:00
Jan Cholasta
454e8691cf
client-install: Fix kinits with non-default Kerberos config file
https://fedorahosted.org/freeipa/ticket/4808
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-05-21 07:42:24 +00:00
Martin Babinsky
98376589de
suppress errors arising from deleting non-existent files during client uninstall
When rolling back a partially configured IPA client a number of OSErrors pop up
due to the uninstaller trying to remove files that do not exist anymore. This
patch suppresses these errors while keeping them in the log as debug messages.
https://fedorahosted.org/freeipa/ticket/4966
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-04-29 05:24:58 +00:00
Martin Basti
2c8c4b8c88
ipa client: use NTP servers specified by user
NTP servers specified by user should be used to synchronize time.
https://fedorahosted.org/freeipa/ticket/4983
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-04-24 15:39:08 +02:00
Martin Basti
e55d8ee5d4
ipa client: use NTP servers detected from SRV
Detected NTP servers from SRV records should be used in NTP client
configuration.
https://fedorahosted.org/freeipa/ticket/4981
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-04-24 15:36:07 +02:00
Martin Basti
e395bdb911
ipa client: make --ntp-server option multivalued
There can be more ntp servers in ntp.conf
Required for ticket: https://fedorahosted.org/freeipa/ticket/4981
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-04-24 15:36:07 +02:00
Martin Babinsky
3d2feac0e4
Adopted kinit_keytab and kinit_password for kerberos auth
Calls to ipautil.run using kinit were replaced with calls to the
kinit_keytab/kinit_password functions implemented in PATCH 0015.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-04-20 08:27:35 +00:00
Martin Babinsky
a8e30e9671
ipa-client-install: try to get host TGT several times before giving up
New option '--kinit-attempts' enables the host to make multiple attempts to
obtain host TGT from master before giving up and aborting client installation.
In addition, all kinit attempts were replaced by calls to
'ipautil.kinit_keytab' and 'ipautil.kinit_password'.
https://fedorahosted.org/freeipa/ticket/4808
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-04-20 08:27:35 +00:00
Gabe
e537fd202e
Add message for skipping NTP configuration during client install
https://fedorahosted.org/freeipa/ticket/3092
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-04-14 19:12:47 +02:00
Nathan Kinder
f0c1daf7a2
Skip time sync during client install when using --no-ntp
When --no-ntp is specified during ipa-client-install, we still
attempt to perform a time sync before obtaining a TGT from the
KDC. We should not be attempting to sync time with the KDC if
we are explicitly told to not configure ntp.
Ticket: https://fedorahosted.org/freeipa/ticket/4842
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-03-26 18:30:19 +01:00
Jan Cholasta
572d68b539
client: Fix ca_is_enabled calls
The command was added in API version 2.107. Old IPA servers may crash with
NetworkError on ca_is_enabled, handle this case gracefully.
https://fedorahosted.org/freeipa/ticket/4565
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-03-19 14:38:34 +00:00
Jan Cholasta
95a628cfb9
client-install: Do not crash on invalid CA certificate in LDAP
When CA certificates in LDAP are corrupted, use the otherwise acquired CA
certificates from before.
https://fedorahosted.org/freeipa/ticket/4565
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-03-19 14:38:34 +00:00
Nathan Kinder
a58b77ca9c
Timeout when performing time sync during client install
We use ntpd now to sync time before fetching a TGT during client
install. Unfortunately, ntpd will hang forever if it is unable to
reach the NTP server.
This patch adds the ability for commands run via ipautil.run() to
have an optional timeout. This capability is used by the NTP sync
code that is run during ipa-client-install.
Ticket: https://fedorahosted.org/freeipa/ticket/4842
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-03-16 15:55:26 +01:00
David Kupka
aa745b31d3
Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.
ipa-client-automount is run after ipa-client-install so the CA certificate
should be available. If the certificate is not available and ipadiscovery.ipacheckldap
returns NO_TLS_LDAP, warn the user and try to continue.
https://fedorahosted.org/freeipa/ticket/4902
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2015-03-05 10:59:01 +01:00
Martin Babinsky
a448102347
ipa-client-install: put eol character after the last line of altered config file(s)
https://fedorahosted.org/freeipa/ticket/4864
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-02-10 12:54:29 +01:00
Gabe
959b0efa38
Typos in ipa-rmkeytab options help and man page
https://fedorahosted.org/freeipa/ticket/4890
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-02-10 08:30:46 +01:00
Martin Basti
e29f9280fd
Use dyndns_update instead of deprecated sssd option
ipa_dyndns_update is deprecated in SSSD, dyndns_update should be used
instead.
https://fedorahosted.org/freeipa/ticket/4849
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-01-28 14:28:33 +01:00
Martin Basti
af1f87a034
Add debug messages into client autodetection
It is hard to debug what the problem with REALM is without debug messages.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-21 08:34:26 +01:00
Gabe
6d3403edac
Remove usage of app_PYTHON in ipaserver Makefiles
- Remove ChangeLog from ipa-client/Makefile.am
https://fedorahosted.org/freeipa/ticket/4700
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-12-10 15:42:39 +01:00
Nathaniel McCallum
7ad9f5d3d5
Prefer TCP connections to UDP in krb5 clients
In general, TCP is a better fit for FreeIPA due to large packet sizes.
However, there is also a specific need for TCP when using OTP. If a UDP
packet is delivered to the server and the server takes longer to process
it than the client timeout (likely), the OTP value will be resent.
Unfortunately, this will cause failures or even lockouts. Switching to
TCP avoids this problem altogether.
https://fedorahosted.org/freeipa/ticket/4725
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-12-08 10:56:06 +01:00
Jan Pazdziora
bea417828d
No explicit zone specification.
https://fedorahosted.org/freeipa/ticket/4780
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-12-05 09:46:56 +01:00
Jan Cholasta
47a08f3498
Fix unchecked return value in ipa-join
https://fedorahosted.org/freeipa/ticket/4713
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-25 08:23:24 +00:00
Simo Sorce
b1a30bff04
Use asn1c helpers to encode/decode the getkeytab control
Replaces manual encoding with automatically generated code.
Fixes:
https://fedorahosted.org/freeipa/ticket/4718
https://fedorahosted.org/freeipa/ticket/4728
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-11-20 10:52:13 -05:00
Jan Cholasta
ade02cdac4
Fix memory leaks in ipa-join
Also remove dead code in ipa-join and add initializer to a variable in
ipa-getkeytab to prevent false positives in static code analysis.
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Gabe
7eca640ffa
Remove trivial path constants from modules
https://fedorahosted.org/freeipa/ticket/4399
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-04 12:57:01 +01:00
Jan Cholasta
35947c6e10
Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
If the new certificate is not available, reuse the old one instead of waiting
indefinitely for the new certificate to appear.
https://fedorahosted.org/freeipa/ticket/4628
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-30 10:51:36 +01:00
Jan Cholasta
608851d3f8
Check LDAP instead of local configuration to see if IPA CA is enabled
The check is done using a new hidden command ca_is_enabled.
https://fedorahosted.org/freeipa/ticket/4621
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-17 12:53:11 +02:00
Jan Cholasta
ca7e0c270f
Add ipa-client-install switch --request-cert to request cert for the host
The certificate is stored in /etc/ipa/nssdb under the nickname
"Local IPA host".
https://fedorahosted.org/freeipa/ticket/4550
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-16 19:11:52 +02:00
Jan Cholasta
da24d8a6e7
Fix certmonger search for the CA cert in ipa-certupdate and ipa-cacert-manage
The search criteria did not include the CA agent name.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
4e68046751
Get server hostname from jsonrpc_uri in ipa-certupdate
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
9ab402c495
Check if IPA client is configured in ipa-certupdate
https://fedorahosted.org/freeipa/ticket/4460
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
f40a0ad325
Use /etc/ipa/nssdb to get nicknames of IPA certs installed in /etc/pki/nssdb
Previously a list of nicknames was kept in /etc/pki/nssdb/ipa.txt. The file
is removed now.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
bbf962299d
Use NSSDatabase instead of direct certutil calls in client code
https://fedorahosted.org/freeipa/ticket/4416
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
231f57cedb
Introduce NSS database /etc/ipa/nssdb
This is the new default NSS database for IPA.
/etc/pki/nssdb is still maintained for backward compatibility.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
David Kupka
89c4f12425
Add 'host' setting into default.conf configuration file on client. Fix description in man page.
The 'host' setting specifies the local hostname, not the hostname of the IPA server.
https://fedorahosted.org/freeipa/ticket/4481
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-26 13:38:57 +02:00
Rob Crittenden
c1bf520393
No longer generate a machine certificate on client installs
https://fedorahosted.org/freeipa/ticket/4449
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-05 17:50:59 +02:00
David Kupka
dc4bdd327f
Allow user to force Kerberos realm during installation.
The user can set a realm not matching the one resolved from DNS. This is useful especially
when DNS is misconfigured.
https://fedorahosted.org/freeipa/ticket/4444
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-05 14:50:36 +02:00
David Kupka
6d94cdf250
Use certmonger D-Bus API instead of messing with its files.
FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be a more stable and supported way of using certmonger than
tampering with its files.
>=certmonger-0.75.13 is needed for this to work.
https://fedorahosted.org/freeipa/ticket/4280
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-05 10:51:42 +02:00
Tomas Babej
fd26560a16
ipa-client-install: Do not add already configured sources to nsswitch.conf entries
Makes sure that any new sources added are not already present
in the entry.
https://fedorahosted.org/freeipa/ticket/4508
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-04 13:39:13 +02:00
Jan Cholasta
60e19b585c
Add client certificate update tool ipa-certupdate.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
55d3bab57b
Get CA certs for system-wide store from cert store in ipa-client-install.
...
All of the certificates and associated key policy are now stored in
/etc/pki/ca-trust/source/ipa.p11-kit.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com >
2014-07-30 16:04:21 +02:00
Jan Cholasta
b5471a9f3e
Get CA certs for /etc/pki/nssdb from certificate store in ipa-client-install.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
459d6cff4e
Get CA certs for /etc/ipa/ca.crt from certificate store in ipa-client-install.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
fd400588d7
Support multiple CA certificates in /etc/ipa/ca.crt in ipa-client-install.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
29f42cbec1
Refactor CA certificate fetching code in ipa-client-install.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
a8a44c1c71
Remove certificate "External CA cert" from /etc/pki/nssdb on client uninstall.
This is a no longer used nickname for CA certificate on CA-less server
installs.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Martin Kosek
aa0639284c
Do not crash client basedn discovery when SSF not met
...
ipa-client-install runs anonymous search in non-rootdse space which
may raise UNWILLING_TO_PERFORM error. This case was only covered for
BIND, but not for the actual LDAP queries.
https://fedorahosted.org/freeipa/ticket/4459
Reviewed-By: Petr Viktorin <pviktori@redhat.com >
2014-07-29 17:48:05 +02:00