This option makes record changes in DNS tree synchronous.
IPA calls will wait until new data are visible over DNS protocol
or until timeout.
It is intended only for testing. It should prevent tests from
failing if there is bigger delay between changes in LDAP and DNS.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
ipa-client-automount calls automountlocation-show command during the
process. Unfortunately, FreeIPA commands are forward compatible only
and thus fail the installer.
Similarly to ipa-client-install, call XML-RPC interface directly
with version fixed to 2.0 (command was already available at that
version) to fix the failure.
https://fedorahosted.org/freeipa/ticket/4290
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When running ipa-client-install, it asks for user name, synchronizes time, then asks for user password
which the order could be confusing to some users. This changes ipa-client-install to synchronize time
before prompting for user kerberos authentication.
https://fedorahosted.org/freeipa/ticket/3957
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
If SSH keys have not been generated prior to enrolling the client to the
IPA server, they will not be uploaded to the server, since they're not
present. Clarify this issue in the man pages.
https://fedorahosted.org/freeipa/ticket/4055
Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
When ipa client installation fails due to failed Kerberos authentication,
make sure that the message about the failed authentication is displayed last.
This makes it clear to the user that this was the reason for failed
installation.
https://fedorahosted.org/freeipa/ticket/3573
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
C99 is supported on all compilers we target and
provides some useful features, including:
* Standard struct initializers
* Compound literals
* For-loop declarations
* Standard bool type
* Variable arrays (use with caution)
* Too many others to mention...
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
IPA client installation did not preserve the status of nscd and nslcd services
correctly. E.g. nscd would be started after uninstallation, even though it
wasn't running before client installation. Make sure the state of services is
saved before installation and correctly restored after uninstallation.
https://fedorahosted.org/freeipa/ticket/3790
The ipa-client-install script and ipa-join use different methods
of resolving the hostname, the former uses gethostbyaddr() call,
while the latter reads the "uinfo.nodename".
This can result ipa-client-install failures in case of broken PTR
records.
https://fedorahosted.org/freeipa/ticket/4027
Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC.
This is done by subclassing and extending xmlrpclib, because
our existing code relies on xmlrpclib internals.
The URI to use is given in the new jsonrpc_uri env variable. When
it is not given, it is generated from xmlrpc_uri by replacing
/xml with /json.
The rpc_json_uri env variable existed before, but was unused,
undocumented and not set the install scripts.
This patch removes it in favor of jsonrpc_uri (for consistency
with xmlrpc_uri).
Add the rpc_protocol env variable to control the protocol
IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed
to 'xmlrpc'.
Make backend.Executioner and tests use the backend specified by
rpc_protocol.
For compatibility with unwrap_xml, decoding JSON now gives tuples
instead of lists.
Design: http://freeipa.org/page/V3/JSON-RPC
Ticket: https://fedorahosted.org/freeipa/ticket/3299
During the installation, copy the CA certificate to the systemwide
store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
systemwide CA database.
This allows browsers to access IPA WebUI without warning out of the
box.
https://fedorahosted.org/freeipa/ticket/3504
Option --configure-firefox configures firefox to use Kerberos
credentials within IPA domain
Optional option --firefox-dir=DIR allows to user to specify non-standard
path where firefox install directory is placed.
Part of ticket: https://fedorahosted.org/freeipa/ticket/3821
In case of a failed enrollment, IPA client rolls back any changes it has made
to the system. In order to have a more debuggable setup, do not roll back these
changes in the case of an IPA server install.
https://fedorahosted.org/freeipa/ticket/3990
With old servers, it is possible that xmlclient.connect() succeeds
but commands fail with a Kerberos error.
Verify that commands succeed by sending a ping after connecting.
Follow-up to: https://fedorahosted.org/freeipa/ticket/3931
To make sure the installation works with older servers,
use XML-RPC directly, with a version set explicitly so the request
is not rejected.
RPC was chosen over ldapmodify, because going through the API allows
the server to process the request properly, or even cleanly reject
it if there are incompatible changes in future versions.
https://fedorahosted.org/freeipa/ticket/3931
Use 'getent admin@domain' rather than 'getent admin@REALM' to check if nss
is working properly since admin@REALM check fails in case the domain and the realm
name does not match.
https://fedorahosted.org/freeipa/ticket/3906
Some of the FileErrors in ipa-client-install were raised incorrectly
(without the 'reason' argument), which resulted in bad error messages
during ipa-client-install.
https://fedorahosted.org/freeipa/ticket/3758
The __all__ list does not cause submodules to be imported, e.g.
one would still have to `import ipaclient.ipachangeconf` rather than
just `import ipaclient` to use `ipaclient.ipachangeconf`.
Even if they did do anything, the lists were incomplete, and (since
`import *` is not used on these modules) unnecessary.
Pylint 1.0 reports undeclared names in __all__ as a warning.
Add the --automount-location option to ipa-client-install. If the option is
used, ipa-client-automount is called at the end of ipa-client-install.
https://fedorahosted.org/freeipa/ticket/3740
Differences in the python byte code fails in a build validation
(rpmdiff) done on difference architecture of the same package.
This patch:
1) Ensures that timestamps of generated *.pyo and *.pyc files match
2) Python integer literals greater or equal 2^32 and lower than 2^64
are converted to long right away to prevent different type of
the integer on architectures with different size of int
https://fedorahosted.org/freeipa/ticket/3858
Updates old information produced by the ipa help host command.
Also adds a section to ipa-client-install manpage about client
re-enrollment.
https://fedorahosted.org/freeipa/ticket/3820
Improve handling of command line options related to forced client re-enrollment
in ipa-client-install:
* Make --keytab and --principal options mutually exclusive.
* Warn that using --force-join together with --keytab provides no additional
functionality.
https://fedorahosted.org/freeipa/ticket/3686
nss-pam-ldapd in 0.8.4 changed the default to map uniqueMember to
member so it is no longer needed in the config file, and in fact
causes an error to be raised.
Add a Conflicts on older versions.
https://fedorahosted.org/freeipa/ticket/3589
We should respect already configured options present in
/etc/openldap/ldap.conf when generating our own configuration.
With this patch, we only rewrite URI, BASE and TLS_CACERT options
only if they are not configured. In the case they are, our suggested
configuration is inserted as a comment.
Also adds tab as a delimeter character in /etc/openldap/ldap.conf
https://fedorahosted.org/freeipa/ticket/3582
This patch makes sure that sss is not removed from nsswitch.conf
which causes probles with later uses of sssd. Makes sure that
authconfig with --disablesssd option is not executed during
ipa client uninstall.
https://fedorahosted.org/freeipa/ticket/3577
When client enrollment fails due to the fact that host entry
already exists on the server, display an message informing the
user about the possibility of using --force-join option.
https://fedorahosted.org/freeipa/ticket/3572
Make sure /etc/ipa is created and owned by freeipa-python package.
Report correct error to user if /etc/ipa is missing during client installation.
https://fedorahosted.org/freeipa/ticket/3551
