Commit Graph

269 Commits

Author SHA1 Message Date
Simo Sorce
74ba0cc7c1 Use Realm as certs subject base name
Also use the realm name as nickname for the CA certificate
2010-11-18 15:09:31 -05:00
Jakub Hrozek
594adb9877 Log script options to logfile
Uses a new subclass IPAOptionParser in scripts instead of OptionParser
from the standard python library. IPAOptionParser uses its own IPAOption
class to store options, which adds a new 'sensitive' attribute.

https://fedorahosted.org/freeipa/ticket/393
2010-11-09 13:28:10 -05:00
Rob Crittenden
3d3197b11a Don't do autodiscovery on master install.
If we pass in the domain and server to ipa-client-install it doesn't do
service discovery which is what we want. We want to be sure the server
is properly configured at install time.
2010-09-23 16:12:11 -04:00
Rob Crittenden
2a85755968 Add minimal client configuration for when we eventually get to PKINIT
Also move the unenroll to clients only. This isn't necessary on the master

ticket 53
2010-09-23 12:03:11 -04:00
Rob Crittenden
6de0834fca Unenroll the client from the IPA server on uninstall.
Unenrollment means that the host keytab is disabled on the server making
it possible to re-install on the client. This host principal is how we
distinguish an enrolled vs an unenrolled client machine on the server.

I added a --unroll option to ipa-join that binds using the host credentials
and disables its own keytab.

I fixed a couple of other unrelated problems in ipa-join at the same time.

I also documented all the possible return values of ipa-getkeytab and
ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab
and it returns whatever value ipa-getkeytab returned on failure.

ticket 242
2010-09-20 16:07:42 -04:00
Rob Crittenden
74e5d8c2af Better distinguish between when DNS discovery works and search more domains.
Passing domain and server on the command-line used to be considered as
DNS autodiscovery worked. This was problematic if there was in fact no
SRV records because krb5.conf would be configured without a specific KDC
causing all Kerberos ops to fail.

Now if you pass in a domain/server it still tries to see if they are
discoverable and if so won't hardcode a server, but will fall back to doing
so if necessary.

Also be a lot more aggressive on looking for the SRV records. Use the
search and domain values from /etc/resolv.conf on the chance that the
SRV records aren't in the domain of the hostname of the machine.

An example of this would be if your laptop is in dhcp.example.com and
your company's SRV records are in corp.example.com. Searching
dhcp.example.com and example.com won't find the SRV records but the user
is likely to have corp.redhat.com in the search list, at least.

ticket 234
2010-09-20 16:04:30 -04:00
Rob Crittenden
4f37775db7 Use a more specific name for the IPA server certificate we install.
This should avoid conflicts with any other certs that might be installed
there.

ticket 49
2010-09-17 17:21:43 -04:00
Rob Crittenden
67a4549519 Remove some additional instances of krbV from ipa-client
Make two krbV imports conditional. These aren't used during a client
install so should cause no problems.

Also fix the client installer to use the new env option in ipautil.run.
We weren't getting the krb5 configuration set in the environment because
we were overriding the environment to set the PATH.

ticket 136
2010-09-10 17:04:01 -04:00
Rob Crittenden
f87bd57c1d Fix certmonger errors when doing a client or server uninstall.
This started with the client uninstaller returning a 1 when not installed.
There was no way to tell whether the uninstall failed or the client
simply wasn't installed which caused no end of grief with the installer.

This led to a lot of certmonger failures too, either trying to stop
tracking a non-existent cert or not handling an existing tracked
certificate.

I moved the certmonger code out of the installer and put it into the
client/server shared ipapython lib. It now tries a lot harder and smarter
to untrack a certificate.

ticket 142
2010-09-09 16:38:52 -04:00
Rob Crittenden
ea76d8c59a Configure nslcd and a host of possible systems that use LDAP.
We will update any/all of /etc/ldap.conf, /etc/nss_ldap.conf,
/etc/libnss-ldap.conf and /etc/pam_ldap.conf.

nslcd is the replacement for nss_ldap.

ticket 50
2010-08-27 09:50:50 -04:00
Rob Crittenden
4ca95a0cbf Retrieve the CA certificate before starting enrollment.
We need the CA certificate so we can use SSL when binding with a
one-time password (bulk enrollment)
2010-06-21 09:52:15 -04:00
Rob Crittenden
dbd1f50111 Remove Requires on separate package python-krbV in client
We need the configured kerberos realm so we can clean up /etc/krb5.keytab.
We have this already in /etc/ipa/default.conf so use that instead of
requiring a whole other python package to do it.
2010-06-02 14:41:16 -04:00
Rob Crittenden
2876bd11dd Check to see if we are configured before uninstalling.
Allow the --force flag to override on both install and uninstall
2010-05-07 12:02:12 -04:00
Rob Crittenden
3bf7268d74 Add simple test to see if client is already configured
If this ever gets out of sync the user can always remove
/var/lib/ipa-client/sysrestore/*, they just need to understand the
implications.

One potential problem is with certmonger. If you install the client
and then re-install without uninstalling then the subsequent
certificate request by certmonger will fail because it will already
be tracking a certificate in /etc/pki/nssdb of the same nickname and
subject (the old cert).
2010-05-06 15:17:16 -06:00
Rob Crittenden
cd5eddd843 Make calling service and chkconfig tolerant of the service not installed
For example, if nscd is not installed this would throw lots of errors about
not being able to disable it, stop it, etc.
2010-05-06 14:47:25 -06:00
Rob Crittenden
83cb7e75b8 Call certmonger after krb5, avoid uninstall errors, better password handling.
- Move the ipa-getcert request to after we set up /etc/krb5.conf
- Don't try removing certificates that don't exist
- Don't tell certmonger to stop tracking a cert that doesn't exist
- Allow --password/-w to be the kerberos password
- Print an error if prompting for a password would happen in unattended mode
- Still support echoing a password in when in unattended mode
2010-05-06 09:05:30 -06:00
Rob Crittenden
04e9056ec2 Make the installer/uninstaller more aware of its state
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.

This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
2010-05-03 13:41:18 -06:00
Rob Crittenden
cef30893ec client installation fixes: nscd, sssd min version, bogus join error
- Don't run nscd if using sssd, the caching of nscd conflicts with sssd
- Set the minimum version of sssd to 1.1.1 to pick up needed hbac fixes
- only try to read the file configuration if the server isn't passed in
2010-05-03 13:40:14 -06:00
Rob Crittenden
244870932c Reorder some things in the client installer
- Fetch the CA cert before running certmonger
- Delete entries from the keytab before removing /etc/krb5.conf
- Add and remove the IPA CA to /etc/pki/nssdb
2010-05-03 13:33:08 -06:00
Rob Crittenden
1d635090cb Use the certificate subject base in IPA when requesting certs in certmonger.
When using the dogtag CA we can control what the subject of an issued
certificate is regardless of what is in the CSR, we just use the CN value.
The selfsign CA does not have this capability. The subject format must
match the configured format or certificate requests are rejected.

The default format is CN=%s,O=IPA. certmonger by default issues requests
with just CN so all requests would fail if using the selfsign CA.

This subject base is stored in cn=ipaconfig so we can just fetch that
value in the enrollment process and pass it to certmonger to request
the right thing.

Note that this also fixes ipa-join to work with the new argument passing
mechanism.
2010-04-23 04:57:40 -06:00
rcrit
a887922fa9 Add option to enable pam_mkhomedirs in the IPA client installer 2010-03-19 07:58:47 -06:00
Rob Crittenden
3ff06c498b Configure sssd and certmonger in ipa-client-install
This does a number of things under the hood:

- Use authconfig to enable sssd in nss and pam
- Configure /etc/sssd/sssd.conf to use our IPA provider
- Enable the certmonger process and request a server cert
- join the IPA domain and retrieve a principal. The client machine
  *must* exist in IPA to be able to do a join.
- And then undo all this on uninstall
2010-02-03 15:41:02 -05:00
Rob Crittenden
bf63cd30a6 Remove some configuration files we create upon un-installation
This is particularly important for Apache since we'd leave the web
server handling unconfigured locations.
2010-01-28 17:29:18 -05:00
Rob Crittenden
d08b8858dd Pass on debug option from ipa-client-install to ipa-join 2009-12-09 17:17:08 -05:00
Rob Crittenden
0dcaea8d16 Add server option to ipa-join so the IPA server can be specified.
This is needed because in the client installer we actually perform the
join before creating the configuration files that join uses. All we need
is the IPA server to join to and we have that from the CLI options so
use that.
2009-11-30 18:12:11 -07:00
Rob Crittenden
f14f5156d4 Integrate ipa-join and ipa-rmkeytab into the client install/uninstall
This will fetch a keytab on installation and remove it upon uninstallation.
2009-11-25 09:21:34 -07:00
Rob Crittenden
d0587cbdd5 Enrollment for a host in an IPA domain
This will create a host service principal and may create a host entry (for
admins).  A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentials are available then enrollment over LDAPS is used
if a password is provided.

This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
2009-09-24 17:45:49 -06:00
Rob Crittenden
44afa977a8 The new admin tool 'ipa' uses a different configuration file, create it. 2009-04-13 14:53:08 -04:00
Rob Crittenden
f2abe05398 Use OpenSSL for SSL instead of the built-in python version. 2009-02-20 10:40:54 -05:00
Rob Crittenden
262ff2d731 Rename ipa-python directory to ipapython so it is a real python library
We used to install it as ipa, now installing it as ipapython. The rpm
is still ipa-python.
2009-02-09 14:35:15 -05:00
Simo Sorce
f6cd489909 We were assuming that, if the realm was correct then also the
rest of the krb5.conf configuration was. This clearly breaks
with the default EXAMPLE.COM realm configuration. Furthermore
it makes it not possible to try to 'fix' an installation by
rerunning ipa-client-install

This patch removes the special case and avoids krb5.conf only
if the on_master flag is passed.
Fix also one inner 'if' statement to be simpler to understand.
2008-09-18 17:23:12 -04:00
Martin Nagy
f7ca405716 Wrap up the raw_input() to user_input() for convenience and uniformity. 2008-07-23 10:05:06 -04:00
Rob Crittenden
c58b7a3d7c Move version.py to the common ipa directory instead of being server-based so it can be used by the client tool.
Fix the client tool imports to fail more gracefully.
2008-06-03 22:39:11 -04:00
Rob Crittenden
e935287f6e Try to clear up messages prompting for domain and IPA server when DNS discovery fails to find them. 2008-05-30 15:44:56 -04:00
Simo Sorce
8f082f2d4f Now that admin is in the common users tree make the nss_ldap
configuration look at the specific tree where users are and
not search the full server.
2008-05-29 09:43:08 -04:00
Simo Sorce
53afb67537 Fix the case where domain != lower(REALM)
add the domain to the ipa.conf file for apps that need to know
This should fix a bug in the replica setup
2008-05-29 09:43:00 -04:00
Martin Nagy
2f69e7e18d Change file mode of log files to 600.
446869
2008-05-20 22:43:03 -04:00
Rob Crittenden
92d7f9c28a Make sure all services are stopped during uninstall.
We were just shutting down the KDC if it had been started prior to IPA
installation. We need to stop it in all cases.

And we should restart nscd as it may have made an LDAP connection.

440322
2008-05-14 09:57:09 -04:00
Simo Sorce
a86b1eaeed fix stupid typo,
thanks Nalin for spotting this.
2008-05-10 11:25:31 -04:00
Simo Sorce
5c4b1770c0 On IPA Servers connect to ourselves using localhost,
and avoid searching for KDC servers via DNS, we just connect
to ourselves.
2008-05-08 17:31:19 -04:00
Simo Sorce
298747e15a Make sure we always have the [domain-realm] section or kerberos libs misbehave. 2008-04-22 15:28:42 -04:00
Simo Sorce
24a7cf3714 Fix client discovery and make sure command line options are not overwritten
with discovered options, just verified.
2008-04-09 15:55:46 -04:00
Simo Sorce
c45d58cc3f Make sure we start the NSCD daemon.
It makes a huge difference on clients, if we cache lookups
2008-04-08 14:58:52 -04:00
Simo Sorce
625d9b2de8 - Better defaults for nss_ldap
- Make sure timeouts are not too high, so that machine does not hang if remote
  servers are not reachable
- Make sure root can always login no matter what the status of the ldap
  servers
- use rfc2307bis schema directive
2008-04-01 18:04:59 -04:00
Simo Sorce
28ac93a535 Implement client uninstall
(including RHEL4 contrib setup script)
2008-03-31 17:33:55 -04:00
Simo Sorce
8bfe814358 Allow client install to specify ntp server name 2008-03-14 08:42:06 -04:00
Rob Crittenden
7fd656477a Prevent server and domain from being undefined or blank when we need them
Improve LDAP error reporting
Don't return the str() of discovery values because it can return "None"

436130
2008-03-05 16:33:12 -05:00
Rob Crittenden
b49942fe96 Close all fds when running another program. This fixes the SELinux AVCs.
Put installation log files into /var/log.

430024
2008-03-03 16:14:48 -05:00
Rob Crittenden
6533bc1a84 Add action statement to ldap.conf update
Move imports into try/except so that ctrl-C can always be caught
Fix typo
2008-02-27 16:17:38 -05:00
Rob Crittenden
111a475b15 Don't try to use options.realm_name unless it was passed in
Don't allow empty responses to domain and realm name
Handle ctrl-C

434982
2008-02-26 15:31:34 -05:00
Rob Crittenden
cbb6b5a005 Provide feedback on what is being done during ipa-client-install
429541
2008-02-20 17:09:02 -05:00
Simo Sorce
30195fb5fb Pass in server and domain parameters if provided, so that they are not ignored 2008-02-19 15:57:53 -05:00
Simo Sorce
46cb6e9bdd Run ipa-client-install after server install bits 2008-02-20 10:16:19 -05:00
Simo Sorce
3902a381d5 Add uniqueMember -> member mapping into /etc/ldap.conf on installation 2008-02-05 15:41:55 -05:00
Rob Crittenden
042fb11fa1 Fix issues reported by rpmlint.
- Removing shebangs (#!) from a bunch of python libraries
- Don't use a variable name in init scripts for the lock file
- Keep the init script name consistent with the binary name, so renamed
  ipa-kpasswd.init to ipa_kpasswd.init
- Add status option to the init scripts
- Move most python scripts out of /usr/share/ipa and into the python
  site-packages directories (ipaserver and ipaclient)
- Remove unnecessary sys.path.append("/usr/share/ipa")
- Fix the license string in the spec files
- Rename ipa-webgui to ipa_webgui everywhere
- Fix a couple of issues reported by pychecker in ipa-python
2008-01-18 16:20:36 -05:00
Rob Crittenden
aaa3cfd58c Fix case where a question was being asked in unattended mode.
Catch permission errors on install.
Initialize srv so the error message works if the user presses enter
2008-01-17 16:36:05 -05:00
Karl MacMillan
2892c28f56 Improve confirmation. 0001-01-01 00:00:00 +00:00
Karl MacMillan
380756ace9 Confirm before configuring the client. 0001-01-01 00:00:00 +00:00
Simo Sorce
25c542870d Fix client installation tool 2007-12-04 09:01:40 -05:00
Simo Sorce
b51f4b28ec - Set correct values in ipa.conf during client install so that admin tools can
reach the xml-rpc server.
- Assume the kdc/ldap server == xml-rpc server for v1.

Initial code to read the Kerberos Master Key from the Directory
2007-11-16 20:18:36 -05:00
Karl MacMillan
36e43aed1b NTP configuration for client and server.
Configure ipa servers as an ntp server and clients
to (by default) use the ipa server as an ntp server.

Also corrected the messages about which ports should
be opened.
0001-01-01 00:00:00 +00:00
Karl MacMillan
2703be51c8 Print warning about NTP
After looking into setting up ntpd on the IPA servers I decided it
was better just to warn admins. There are just too many valid setups
for time synchronization for us to try to get this right. Additionally,
just installing ntp and accepting the default config will result in
a configuration that is perfectly valid for IPA.

This patch checks if ntpd is running and suggests enabling it if it
is not - for client and server. It also adds some suggested next
steps to the server installation.
0001-01-01 00:00:00 +00:00
Karl MacMillan
1fcc3c6650 Autotool ipa-client - patch from William Jon McCann <mccann@jhu.edu> 0001-01-01 00:00:00 +00:00
Simo Sorce
3fd4b9ba2c Initial support for configuring a DNS Server during installation.
It's not perfect yet but good enough to include it.
2007-09-20 15:10:21 -04:00
Simo Sorce
566018f4d4 Better file parsing routines,
also switch to recreate ldap.conf and krb5.conf from scratch on clients,
avoid nasty failures in case the original files contained strange directives
2007-09-06 17:57:54 -04:00
Simo Sorce
584baa7ee2 merge ipa-server/ipaserver/util.py into ipa-python/ipautil.py
this way freeipa-client does not depend on freeipa-server
2007-09-04 16:13:15 -04:00
Simo Sorce
12b46527c6 Complete autodiscovery with autoconfiguration
The code is still not perfect and relies on a yet unreleased
nss_ldap package that fixes dns discovery problems within nss_ldap
itself.
Also the manipulation of krb5.conf needs to be improved
2007-08-30 19:40:54 -04:00
Simo Sorce
48bb474e68 Add interactive prompts to ipa-server-install
Change unattended flag to be -U
Change master password flag to be -P instead of -m
Improve ipa-client-install readability for user prompts
2007-08-20 18:40:32 -04:00
Simo Sorce
0e419aa4bf Add a prototype client tool to configure a client of the IPA server
Right now it does only discovery (or fallback)
2007-08-16 18:00:16 -04:00