Otherwise it is possible for sssd to pick a different master to
communicate with via the DNS SRV records and if the remote master
goes down the local one will have problems as well.
ticket https://fedorahosted.org/freeipa/ticket/1187
Client installation with --no-sssd option was broken if the client
was based on a nss-pam-ldap instead of nss_ldap. The main issue is
with authconfig rewriting the nslcd.conf after it has been
configured by ipa-client-install.
This has been fixed by changing an order of installation steps.
Additionally, nslcd daemon needed for nss-pam-ldap function is
correctly started.
https://fedorahosted.org/freeipa/ticket/1235
Even with --no-sssd authconfig was setting nsswitch.conf to use sssd
for users, groups, shadow and netgroups. We need to pass in the
--enableforcelegacy option hwen configuring nss_ldap.
Also always back up and restore sssd.conf. It still gets configured for
kerberos.
ticket 1142
When ipa-client-install autodiscovers IPA server values it
doesn't fill the fixed KDC address to Kerberos configuration
file. However, when realm != domain or the autodiscovered values
are overridden, installation may fail because it cannot find the
KDC.
This patch adds a failover to use static KDC address in case when
such an issue occurs.
https://fedorahosted.org/freeipa/ticket/1100
Remove redundant ipa-client-install error message when optional nscd
daemon was not installed. Additionally, use standard IPA functions
for service manipulation and improve logging.
https://fedorahosted.org/freeipa/ticket/1207
This option does not behave properly in F15 as chkconfig does not list services
moved to use systemd service files.
Plus there are more direct ways than parsing its output, which are more
reliable.
Also just testing for the availability of the service calling 'chkconfig name'
is enough.
https://fedorahosted.org/freeipa/ticket/1206
ipa-rmkeytab returns success even when the realm passed to the
program is not found in a keytab. This patch adds an explanatory
error message and returns error code 5 - Principal or realm not
found.
https://fedorahosted.org/freeipa/ticket/694
The --force option may be misused to reinstall an existing IPA
client. This is not supported and may lead to unexpected errors.
When required, the cleanest way to re-install IPA client is to
run uninstall and then install again.
This patch also includes few cosmetic changes in messages to user
to provide more consistent user experience with the script.
https://fedorahosted.org/freeipa/ticket/1117
This patch prevents uninstalling IPA client when it is configured
as a part of IPA server. ipa-server-installation script is advised
for this situation.
https://fedorahosted.org/freeipa/ticket/1049
This option is only used when configuring an IPA client on an IPA server.
Describing it on the command-line will only confuse people so don't
list it as an option.
Ticket 1050
When not on master we weren't passing in the user-supplied domain and
server. Because of changes made that require TLS on the LDAP calls
we always need the server name early in the process to retrieve the IPA
CA certificate.
ticket 1090
If a hostname was provided it wasn't used to configure either
certmonger or sssd. This resulted in a non-working configuration.
Additionally on un-enrollment the wrong hostname was unenrolled, it
used the value of gethostname() rather than the one that was passed
into the installer.
We have to modify the CA configuration of certmonger to make it
use the right principal when requesting certificates. The filename
is unpredicable but it will be in /var/lib/certmonger/cas.
We need to hunt for ipa_submit and add -k <principal> to it, then
undo that on uninstall. These files are created the first time
the certmonger service starts, so start and stop it before messing
with them.
ticket 1029
stop_tracking() is robust enough to do the right thing if no certificate
exists so go ahead and always call it. If the certificate failed to
be issued for some reason the request will still in certmonger
after uninstalling. This would cause problems when trying to reinstall
the client. This will go ahead and always tell certmonger to stop
tracking it.
ticket 1028
Apparently we forgot to check OID consistency between the schema and the
extensions, and we got duplicates.
Technically the schema was done later but it is easier to change the extensions
OIDs than to change the schema of current beta2/rc1 installations.
The only side effect is that older ipa-getkeytab and ipa-join binaries will
fail. So all the admin/client tools must be upgraded at the same time as well
as all the masters (otherwise some will show/accept the new OID while others
won't).
Fixes: https://fedorahosted.org/freeipa/ticket/976
When v2 IPA client is trying to join an IPA v1 server
a strange exception is printed out to the user. This patch
detects this by catching an XML-RPC error reported by ipa-join
binary called in the process which fails on unexisting IPA server
'join' method.
https://fedorahosted.org/freeipa/ticket/553
Add pointer to self to /etc/hosts to avoid chicken/egg problems when
restarting DNS.
On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't
attempt to do any resolving. Leave it to true on clients.
Set rdns to false on both server and client.
https://fedorahosted.org/freeipa/ticket/931
If not then sssd spits out a warning message:
sssd: nscd socket was detected. As nscd caching capabilities may conflict
with SSSD, it is recommended to not run nscd in parallel with SSSD
Stop nscd before configuring sssd so we don't confuse our users.
ticket 743
Mozldap code removed from all sources and configure source script.
Now, IPA will compile even when package mozldap-devel is not
installed on the system.
https://fedorahosted.org/freeipa/ticket/756
This patch fixes 2 situations where a pointer to allocated error
string could be overwritten - which could have resulted in
a memory leak.
https://fedorahosted.org/freeipa/ticket/714
krb5_get_default_realm() and asprintf() return values were ignored.
This could lead to unhandled error issues or memory access
issues.
This patch adds return value checks to all such functions.
As a consequence, one new return value has been added to man page.
https://fedorahosted.org/freeipa/ticket/720
krb5_init_context return value was not checked. This could lead
to unhandled error issues.
This patch moves the Kerberos context initialization to the
branch where it is needed and handles the error value in a way
that allows program exit in a standard way deallocating all
resources.
https://fedorahosted.org/freeipa/ticket/721
In some cases recently freed memory was used/freed again. This
patch introduces more consistency between functions
join_ldap/join_krb5 when dealing with affected variables.
https://fedorahosted.org/freeipa/ticket/709
Remove the LDAP_DEPRECATED constant and do not use functions that are
marked as deprecated in recent OpenLDAP releases. Also always define
WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that
depend on that constant.
https://fedorahosted.org/freeipa/ticket/576
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
Fixes errors about implicit function declaration and moves duplicated
gettext code into a common module. Also silences some warnings.
Signed-off-by: Simo Sorce <ssorce@redhat.com>
Don't use KRB5_PRIVATE.
The patch implements and uses the following krb5 functions that are
otherwise private in recent MIT Kerberos releases:
* krb5_principal2salt_norealm
* krb5_free_ktypes
Signed-off-by: Simo Sorce <ssorce@redhat.com>
Use a little stricter compilation flags, in particular -Wall and treat
implicit function declarations as errors.
Signed-off-by: Simo Sorce <ssorce@redhat.com>
When installing IPA client, the install script used detected domain name
of the machine instead of that given by administrator (in case one was
given)
https://fedorahosted.org/freeipa/ticket/363
Uses a new subclass IPAOptionParser in scripts instead of OptionParser
from the standard python library. IPAOptionParser uses its own IPAOption
class to store options, which adds a new 'sensitive' attribute.
https://fedorahosted.org/freeipa/ticket/393
Add automatic creation of python an C file lists for potfiles
Deletes useless copy of Makefile in install/po
Remove duplicate maintainer-clean target
Add debug target that prints file lists
Unbreak update-po target, merges in patch from John
If we pass in the domain and server to ipa-client-install it doesn't do
service discovery which is what we want. We want to be sure the server
is properly configured at install time.
Unenrollment means that the host keytab is disabled on the server making
it possible to re-install on the client. This host principal is how we
distinguish an enrolled vs an unenrolled client machine on the server.
I added a --unroll option to ipa-join that binds using the host credentials
and disables its own keytab.
I fixed a couple of other unrelated problems in ipa-join at the same time.
I also documented all the possible return values of ipa-getkeytab and
ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab
and it returns whatever value ipa-getkeytab returned on failure.
ticket 242
Passing domain and server on the command-line used to be considered as
DNS autodiscovery worked. This was problematic if there was in fact no
SRV records because krb5.conf would be configured without a specific KDC
causing all Kerberos ops to fail.
Now if you pass in a domain/server it still tries to see if they are
discoverable and if so won't hardcode a server, but will fall back to doing
so if necessary.
Also be a lot more aggressive on looking for the SRV records. Use the
search and domain values from /etc/resolv.conf on the chance that the
SRV records aren't in the domain of the hostname of the machine.
An example of this would be if your laptop is in dhcp.example.com and
your company's SRV records are in corp.example.com. Searching
dhcp.example.com and example.com won't find the SRV records but the user
is likely to have corp.redhat.com in the search list, at least.
ticket 234
Make two krbV imports conditional. These aren't used during a client
install so should cause no problems.
Also fix the client installer to use the new env option in ipautil.run.
We weren't getting the krb5 configuration set in the environment because
we were overriding the environment to set the PATH.
ticket 136
This started with the client uninstaller returning a 1 when not installed.
There was no way to tell whether the uninstall failed or the client
simply wasn't installed which caused no end of grief with the installer.
This led to a lot of certmonger failures too, either trying to stop
tracking a non-existent cert or not handling an existing tracked
certificate.
I moved the certmonger code out of the installer and put it into the
client/server shared ipapython lib. It now tries a lot harder and smarter
to untrack a certificate.
ticket 142
We will update any/all of /etc/ldap.conf, /etc/nss_ldap.conf,
/etc/libnss-ldap.conf and /etc/pam_ldap.conf.
nslcd is the replacement for nss_ldap.
ticket 50
the code was calling ldap_init, which is a deprecated function, and getting a compilation warning. This version uses the recommended function ldap_initilaize.
Using the host service principal one should be able to retrieve a keytab
for other services for the host using ipa-getkeytab. This required a number
of changes:
- allow hosts in the service's managedby to write krbPrincipalKey
- automatically add the host to managedby when a service is created
- fix ipa-getkeytab to return the entire prinicpal and not just the
first data element. It was returning "host" from the service tgt
and not host/ipa.example.com
- fix the display of the managedby attribute in the service plugin
This led to a number of changes in the service unit tests. I took the
opportunity to switch to the Declarative scheme and tripled the number
of tests we were doing. This shed some light on a few bugs in the plugin:
- if a service had a bad usercertificate it was impossible to delete the
service. I made it a bit more flexible.
- I added a summary for the mod and find commands
- has_keytab wasn't being set in the find output
ticket 68
We need the configured kerberos realm so we can clean up /etc/krb5.keytab.
We have this already in /etc/ipa/default.conf so use that instead of
requiring a whole other python package to do it.
If this ever gets out of sync the user can always remove
/var/lib/ipa-client/sysrestore/*, they just need to understand the
implications.
One potential problem is with certmonger. If you install the client
and then re-install without uninstalling then the subsequent
certificate request by certmonger will fail because it will already
be tracking a certificate in /etc/pki/nssdb of the same nickname and
subject (the old cert).
- Move the ipa-getcert request to after we set up /etc/krb5.conf
- Don't try removing certificates that don't exist
- Don't tell certmonger to stop tracking a cert that doesn't exist
- Allow --password/-w to be the kerberos password
- Print an error if prompting for a password would happen in unattended mode
- Still support echoing a password in when in unattended mode
Also re-arrange some code around reading the configuration file. In trying
to eliminate bogus error messages I prevented the file from being read at all.
It isn't a problem when joining with ipa-client (which uses -s) but it wouldn't
work if you don't pass in a server name.
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.
This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
- Don't run nscd if using sssd, the caching of nscd conflicts with sssd
- Set the minimum version of sssd to 1.1.1 to pick up needed hbac fixes
- only try to read the file configuration if the server isn't passed in
- Fetch the CA cert before running certmonger
- Delete entries from the keytab before removing /etc/krb5.conf
- Add and remove the IPA CA to /etc/pki/nssdb
When using the dogtag CA we can control what the subject of an issued
certificate is regardless of what is in the CSR, we just use the CN value.
The selfsign CA does not have this capability. The subject format must
match the configured format or certificate requests are rejected.
The default format is CN=%s,O=IPA. certmonger by default issues requests
with just CN so all requests would fail if using the selfsign CA.
This subject base is stored in cn=ipaconfig so we can just fetch that
value in the enrollment process and pass it to certmonger to request
the right thing.
Note that this also fixes ipa-join to work with the new argument passing
mechanism.
This does a number of things under the hood:
- Use authconfig to enable sssd in nss and pam
- Configure /etc/sssd/sssd.conf to use our IPA provider
- Enable the certmonger process and request a server cert
- join the IPA domain and retrieve a principal. The clinet machine
*must* exist in IPA to be able to do a join.
- And then undo all this on uninstall
