Improve the single/double quote handling during parsing/unparsing of
nss.conf's NSSNickname directive. Single quotes are now added/stripped
explicitly when handling the certificate nickname.
https://fedorahosted.org/freeipa/ticket/6460
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Separate functions were added to installutils module to quote/unquote a
string in arbitrary characters.
`installutils.get/set_directive` functions will use them to enclose
the directive values in double quotes/strip the double quotes from
retrieved values to maintain the original behavior.
These functions can be used also for custom quoting/unquoting of
retrieved values when desired.
https://fedorahosted.org/freeipa/ticket/6460
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
`get_directive` value parsing was improved in order to bring its logic
more in-line to changes in `set_directive`: a specified quoting
character is now unquoted and stripped from the retrieved value. The
function will now also error out when malformed directive is
encountered.
https://fedorahosted.org/freeipa/ticket/6460
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
ipa-restore calls certmonger to stop tracking the PKI certs, HTTP and DS certs.
It must also stop tracking the newly introduced PKINIT cert (stored in
/var/kerberos/krb5kdc/kdc.crt).
Otherwise the restore operation ends up with PKINIT cert tracked twice and
uninstallation fails.
https://fedorahosted.org/freeipa/ticket/6570
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
"Adding SASL mappings.." is duplicated step in __common_setup in DS
instance and should be removed.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Print an error and terminate if --ca-subject or --subject-base are
used when installing a CA-less master or when performing standalone
installation of a CA replica.
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Currently only the "subject base" of the IPA CA subject DN can be
customised, via the installer's --subject-base option. The RDN
"CN=Certificate Authority" is appended to form the subject DN, and
this composition is widely assumed.
Some administrators need more control over the CA subject DN,
especially to satisfy expectations of external CAs when the IPA CA
is to be externally signed.
This patch adds full customisability of the CA subject DN.
Specifically:
- Add the --ca-subject option for specifying the full IPA CA subject
DN. Defaults to "CN=Certificate Authority, O=$SUBJECT_BASE".
- ipa-ca-install, when installing a CA in a previous CA-less
topology, updates DS certmap.conf with the new new CA subject DN.
- DsInstance.find_subject_base no longer looks in certmap.conf,
because the CA subject DN can be unrelated to the subject base.
Fixes: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
For full customisability of the IPA CA subject DN, we will need the
ability to update DS `certmap.conf' when upgrading a deployment from
CA-less to CA-ful.
Extract the existing behaviour, which is private to DsInstance, to
the `write_certmap_conf' top-level function.
Also update `certmap.conf.template' for substition of the whole CA
subject DN (not just the subject base).
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The --subject option is actually used to provide the "subject base".
We are also going to add an option for fully specifying the IPA CA
subject DN in a subsequent commit. So to avoid confusion, rename
--subject to --subject-base, retaining --subject as a deprecated
alias.
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
`installutils.load_external_cert` assumes that the IPA CA subject
DN is `CN=Certificate Authority, {subject_base}`. In preparation
for full customisability of IPA CA subject DN, push this assumption
out of this function to call sites (which will be updated in a
subsequent commit).
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Refactor set_subject_base_in_config to use api.Backend.ldap2 instead
of a manually created LDAP connection.
Also rename the function to have a more accurate name, and move it
to 'ipaserver.install.ca' to avoid cyclic import (we will eventually
need to use it from within that module).
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
A change to the algorithm that generates random passwords
for multiple purposes throught IPA. This spells out the need
to assess password strength by the entropy it contains rather
than its length.
This new password generation should also be compatible with the
NSS implementation of password requirements in FIPS environment
so that newly created databases won't fail with wrong authentication.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Also had to recalculate entropy of the passwords as originally,
probability of generating each character was 1/256, however the
default probability of each character in the ipa_generate_password
is 1/95 (1/94 for first and last character).
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Distribution packaged ntpd has servers preconfigured in ntp.conf so
there's no point in trying to add them again during FreeIPA server
installation.
Also fix the code to always put fudge line right after the local server
line as required by ntpd.
https://fedorahosted.org/freeipa/ticket/6486
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In commit 822e1bc82a the call to create the
KRA agent PEM file was accidentally removed from the server installer.
Call into the KRA installer from the server installer to create the file
again.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Commit dbb98765d7 changed certmonger
requests for DS and HTTP certificates during installation to raise
on error (https://fedorahosted.org/freeipa/ticket/6514).
This introduced a regression in DL1 replica installation in CA-less
topology. A certificate was requested, but prior to the
aforementioned commit this would fail silently and installation
continued, whereas now installation fails.
Guard the certificate request with a check that the topology is
CA-ful.
Fixes: https://fedorahosted.org/freeipa/ticket/6573
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This allows for diagnose the output and error code of these operations.
Otherwise there is no way to infer their success or failure apart from
inspecting logs post-mortem.
https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
CoS so no attributes are really added.
The default policies effectively disable any enforcement or lockout for hosts
and services. Since hosts and services use keytabs passwords enforcements
doesn't make much sense. Also the lockout policy could be used for easy and
cheap DoS.
https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Samba 4.5 does not allow to specify access mode for the keytab (FILE: or
WRFILE:) from external sources. Thus, change the defaults to a path
(implies FILE: prefix) while Samba Team fixes the code to allow the
access mode prefix for keytabs.
On upgrade we need to replace 'dedicated keytab file' value with the
path to the Samba keytab that FreeIPA maintains. Since the configuration
is stored in the Samba registry, we use net utility to manipulate the
configuration:
net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab
Fixes https://fedorahosted.org/freeipa/ticket/6551
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Pre-3.3 masters do not support setting 'nsds5replicabinddngroup'
attribute on existing replica entry during setup of initial replication.
In this case UNWILLING_TO_PERFORM is returned. The code can interpret
this error as an indication of old master and fall back to just adding
its LDAP principal to entry's 'nsds5replicabinddn' attribute.
https://fedorahosted.org/freeipa/ticket/6532
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
'nsds5replicabinddngroupcheckinterval' attribute was not properly added
to 'o=ipaca' replica attribute during upgrade. The CA topology update
plugin should now add it to the entry if it exists.
https://fedorahosted.org/freeipa/ticket/6508
Reviewed-By: Martin Basti <mbasti@redhat.com>
Replace the dual definitions of domain_name, dm_password and admin_password
knobs in server install with single definitions using the original names
without the 'new_' prefix.
This fixes the options read from the installer option cache in step 2 of
external CA install to use the correct knob names.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Instead of checking sysrestore status which leads to incorrect
evaluation of DNS configuration status during 4.2 -> 4.4 upgrade, look
into named.conf to see whther it was already modified by IPA installer.
https://fedorahosted.org/freeipa/ticket/6503
Reviewed-By: Martin Basti <mbasti@redhat.com>
Replica conncheck may fail for other reasons then network
misconfiguration. For example, an incorrect admin password might be
provided. Since conncheck is ran as a separate script in quiet mode,
no insightful error message can be displayed.
https://fedorahosted.org/freeipa/ticket/6497
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.
The special contexts are:
* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates
The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.
https://fedorahosted.org/freeipa/ticket/6389
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When running ipa-replica-install in domain-level 1, the installer
requests the LDAP and HTTP certificates using certmonger but does
not check the return code. The installer goes on and fails when
restarting dirsrv.
Fix: when certmonger was not able to request the certificate, raise an
exception and exit from the installer:
[28/45]: retrieving DS Certificate
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
https://fedorahosted.org/freeipa/ticket/6514
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
During the rebase of commit 822e1bc82a on top
of commit 808b1436b4, the call to track the
RA agent certificate with certmonger was accidentally removed from
ipa-replica-install.
Put the call back so that the certificate is tracked after replica install.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Apparently "files" implementation of hosts NSS database cannot deal with
trailing period in host names.
Previously name server.example.com which is was resolvable neither using
dns nor myhostname NSS modules were rejected by installer
(despite having matching line in /etc/hosts).
These names which are resolvable purely using "files" database are now
accepted.
The problem is that I had to remove trailing period from names passed
to getaddrinfo() function. This effectivelly enables search list processing.
This means that items from the search list might be silently appended to
the query and we might get an IP address for totally different names
than we asked for.
Unfortunatelly I see no way around this while keeping ability
to use names from NSS hosts database.
https://fedorahosted.org/freeipa/ticket/6518
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This is a safeguard ensuring valid replica configuration against incorrectly
upgraded masters lacking 'nsds5replicabinddngroupcheckinterval' attribute on
their domain/ca topology config.
https://fedorahosted.org/freeipa/ticket/6508
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
