The logging level for these messages was decreaed so that they
do not show up in ipa-advise output.
Reset the log level to INFO and configure ipa-advise to not display
INFO messages from xmlclient by default.
Partially reverts commit efe5a96725https://fedorahosted.org/freeipa/ticket/4135
Reviewed-By: Tomáš Babej <tbabej@redhat.com>
The two classes had very similar __call__ methods, but the JSON
server lacked error handling.
Create a common class for the __call__ method.
https://fedorahosted.org/freeipa/ticket/4069
Use "kdestroy -A" command to destroy all CCACHEs, both the primary
and the non-primary ones to make sure that the non-primary ones are
not used later.
https://fedorahosted.org/freeipa/ticket/4084
Stock httpd no longer uses systemd EnvironmentFile option which is
making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard
to debug problems during subsequent ipa-server-install's where HTTP
may use a stale CCACHE in the default kernel keyring CCACHE.
Avoid forcing custom CCACHE and switch to system one, just make sure
that it is properly cleaned by kdestroy run as "apache" user during
FreeIPA server installation process.
https://fedorahosted.org/freeipa/ticket/4084
Enable Retro Changelog and Content Synchronization DS plugins which are required
for SyncRepl support.
Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+.
https://fedorahosted.org/freeipa/ticket/3967
Fix both the service restart procedure and registration of old
pki-cad well known service name.
This patch was adapted from original patch of Jan Cholasta 178 to
fix ticket 4092.
https://fedorahosted.org/freeipa/ticket/4092
When AD administrator credentials passed, they stored in realm_passwd,
not realm_password in the options.
When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure
to normalize them.
Additionally, force Samba auth module to use NTLMSSP in case we have
credentials because at the point when trust is established, KDC is not
yet ready to issue tickets to a service in the other realm due to
MS-PAC information caching effects. The logic is a bit fuzzy because
credentials code makes decisions on what to use based on the smb.conf
parameters and Python bindings to set parameters to smb.conf make it so
that auth module believes these parameters were overidden by the user
through the command line and ignore some of options. We have to do calls
in the right order to force NTLMSSP use instead of Kerberos.
Fixes https://fedorahosted.org/freeipa/ticket/4046
Add the server class name, such as [xmlserver] or [jsonserver_kerb] to
the server logs. This will allow easier debugging of problems specific
to a protocol or server class.
Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC.
This is done by subclassing and extending xmlrpclib, because
our existing code relies on xmlrpclib internals.
The URI to use is given in the new jsonrpc_uri env variable. When
it is not given, it is generated from xmlrpc_uri by replacing
/xml with /json.
The rpc_json_uri env variable existed before, but was unused,
undocumented and not set the install scripts.
This patch removes it in favor of jsonrpc_uri (for consistency
with xmlrpc_uri).
Add the rpc_protocol env variable to control the protocol
IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed
to 'xmlrpc'.
Make backend.Executioner and tests use the backend specified by
rpc_protocol.
For compatibility with unwrap_xml, decoding JSON now gives tuples
instead of lists.
Design: http://freeipa.org/page/V3/JSON-RPC
Ticket: https://fedorahosted.org/freeipa/ticket/3299
The new updater is run as part of `ipa-ldap-updater --upgrade`
and `ipa-ldap-updater --schema` (--schema is a new option).
The --schema-file option to ipa-ldap-updater may be used (multiple
times) to select a non-default set of schema files to update against.
The updater adds an X-ORIGIN tag with the current IPA version to
all elements it adds or modifies.
https://fedorahosted.org/freeipa/ticket/3454
When we get NT_STATUS_INVALID_PARAMETER in response to establish
DCE RPC pipe with Kerberos, the most likely reason is clock skew.
Suggest that it is so in the error message.
https://fedorahosted.org/freeipa/ticket/4024
Server installer does not properly recognize a situation when server
fqdn is not in a subdomain of the IPA domain, but shares the same
suffix.
For example, if server FQDN is ipa-idm.example.com and domain
is idm.example.com, server's FQDN is not in the main domain, but
installer does not recognize that. proper Kerberos realm-domain
mapping is not created in this case and server does not work
(httpd reports gssapi errors).
https://fedorahosted.org/freeipa/ticket/4012
Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening to different ports).
To make sure that mod_ssl is not configured to listen on 443
(default mod_ssl configuration), add a check to the installer checking
of either mod_nss or mod_ssl was configured to listen on that port.
https://fedorahosted.org/freeipa/ticket/3974
When set_directive was used for directive "foo" and the word "foo"
was detected anywhere on the line (e.g. in a comment, or in an example),
it was overwritten which may potentially lead to wrong line being
overwritten.
Only match the directives on the beginning of the lines, it is safer.
https://fedorahosted.org/freeipa/ticket/3974
Add three new ipa-advise plugins, to facilitate configuration of
legacy clients using nss-pam-ldapd:
* config-redhat-nss-pam-ldapd
* config-generic-linux-nss-pam-ldapd
* config-freebsd-nss-pam-ldapd
https://fedorahosted.org/freeipa/ticket/3672
Majority of the attributes set in the setup method can be set in the
__init__ method where they are actually defined (and set to None).
This is true for attributes that hold constant values and for
attributes that have their values derived from api.env dictionary.
Creates a new __setup_default_attributes method, that is called
from within __init__ and setup (in case the passed values for
hostname or domain do not correspond to that what is set in api.env,
doing otherwise could cause unexpected behaviour).
Part of: https://fedorahosted.org/freeipa/ticket/3479
The uninstall method of the AD trust instance was not called upon
at all in the ipa-server-install --uninstall phase.
This patch makes sure that AD trust instance is unconfigured when
the server is uninstalled.
The following steps are undertaken:
* Remove /var/run/samba/krb5cc_samba
* Remove our keys from /etc/samba/samba.keytab using ipa-rmkeytab
* Remove /var/lib/samba/*.tdb files
Additionally, we make sure winbind service is stopped from within the
stop() method.
Part of: https://fedorahosted.org/freeipa/ticket/3479
Since we are not able to properly restore the Samba server to the
working state after running ipa-adtrust-install, we should not keep
the smb.conf in the fstore.
This patch makes sure that any backed up smb.conf is removed from
the backup and that this file is not backed up anymore.
Part of: https://fedorahosted.org/freeipa/ticket/3479
The installers used custom self.realm_name instead of standard
self.realm defined in Service class. It caused crashes in some cases
when Service class methods expected the self.realm to be filled.
https://fedorahosted.org/freeipa/ticket/3854
Proxy configuration was not detected correctly. Both
ipa-pki-proxy.conf and ipa.conf need to be in place and httpd
restarted to be able to check it's status.
https://fedorahosted.org/freeipa/ticket/3964
Deprecate this option and do not offer it in installation tools.
Without this option enabled, advanced DNS features like DNSSEC
would not work.
https://fedorahosted.org/freeipa/ticket/3962
Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal,
it is possible to use it when talking to the trusted AD DC.
Remove support for authenticating as trust account because it should not
really be used other than within Samba.
Add IPA CLI to manage trust domains.
ipa trust-fetch-domains <trust> -- fetch list of subdomains from AD side and add new ones to IPA
ipa trustdomain-find <trust> -- show all available domains
ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust>
ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA
ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain
By default all discovered trust domains are allowed to access IPA resources
IPA KDC needs also information for authentication paths to subdomains in case they
are not hierarchical under AD forest trust root. This information is managed via capaths
section in krb5.conf. SSSD should be able to generate it once
ticket https://fedorahosted.org/sssd/ticket/2093 is resolved.
part of https://fedorahosted.org/freeipa/ticket/3909
Use realmdomains information to prepopulate forest trust info. As result,
all additional domains should now be enabled from the beginning, unless they
really conflict with existing DNS domains on AD side.
https://fedorahosted.org/freeipa/ticket/3919
When trust is established, last step done by IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in trust object entry
which is not allowed by ACI.
Additionally, wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd which prevented even to
reach the point where ipa-sam would be asked to modify the trust object.
The __all__ list does not cause submodules to be imported, e.g.
one would still have to `import ipaclient.ipachangeconf` rather than
just `import ipaclient` to use `ipaclient.ipachangeconf`.
Even if they did do anything, the lists were incomplete, and (since
`import *` is not used on these modules) unnecessary.
Pylint 1.0 reports undeclared names in __all__ as a warning.
This patch makes sure that all edits to CS.cfg configuration file
are performed while pki-tomcatd service is stopped.
Introduces a new contextmanager stopped_service for handling
a general problem of performing a task that needs certain service
being stopped.
https://fedorahosted.org/freeipa/ticket/3804
When configuring the 389 Directory Server instance, we tune it
so that number of file descriptors available to the DS is increased
from the default 1024 to 8192.
There are platform specific steps that need to be conducted
differently on systemd compatible platforms and sysV compatible
platforms.
systemd: set LimitNOFILE to 8192 in /etc/sysconfig/dirsrv.systemd
sysV: set ulimit -n 8192 in /etc/sysconfig/dirsrv
set ulimit - nofile 8192 in /etc/security/limits.conf
https://fedorahosted.org/freeipa/ticket/3823
Differences in the python byte code fails in a build validation
(rpmdiff) done on difference architecture of the same package.
This patch:
1) Ensures that timestamps of generated *.pyo and *.pyc files match
2) Python integer literals greater or equal 2^32 and lower than 2^64
are converted to long right away to prevent different type of
the integer on architectures with different size of int
https://fedorahosted.org/freeipa/ticket/3858
Drops the code from ipa-server-install, ipa-dns-install and the
BindInstance itself. Also changed ipa-upgradeconfig script so
that it does not set zone_refresh to 0 on upgrades, as the option
is deprecated.
https://fedorahosted.org/freeipa/ticket/3632
Properly handle --subject option of ipa-server-install, making sure this
value gets passed to certmap.conf. Introduce a new template variable
$SUBJECT_BASE for this purpose.
Also make sure that this value is preserved on upgrades.
https://fedorahosted.org/freeipa/ticket/3783
Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to gain access to
resources in trusted domain.
Since the configuration steps differ depending on whether the platform includes
the authconfig tool, two plugins are needed:
* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based
systems, as these system include the autconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms
https://fedorahosted.org/freeipa/ticket/3671https://fedorahosted.org/freeipa/ticket/3672
Now the list of available advices is neatly formatted:
-------------------------
List of available advices
-------------------------
config-fedora-authconfig : Authconfig instructions for configuring Fedora
18/19 client with IPA server without use of SSSD.
The advice header printing has been reformatted to conform with the changes.
In DomainValidator, we store a dictionary containing information
for trusted domains. This is a case-sensitive dictionary keyed by
the domain name.
We need to use case-insensitive dictionary since domain names
are generally case-insensitive.
https://fedorahosted.org/freeipa/ticket/3816
If stdin is a TTY, ipaserver.install.installutils uses getpass and all
is well. Without a TTY, though, there were two problems:
* The prompt was not printed
* On end of file, an empty string was returned, which caused read_password
to enter an infinite loop.
Fix both problems.
https://fedorahosted.org/freeipa/ticket/3824
