Commit Graph

5407 Commits

Author SHA1 Message Date
Tomas Babej
e7c99e7d21 IPA Server check in ipa-replica-manage
When executing ipa-replica-manage connect to an master that raises
NotFound error we now check if the master is at least IPA server.
If so, we inform the user that it is probably foreign or previously
deleted master. If not, we inform the user that the master is not
an IPA server at all.

https://fedorahosted.org/freeipa/ticket/3105
2012-10-31 11:54:15 -04:00
Sumit Bose
fe66fbe637 Restart httpd if ipa-server-trust-ad is installed or updated
If ipa-server-trust-ad is installed after the ipa server is installed
and configured, httpd needs a restart for additional python modules to
be loaded into httpd on IPA initialization.

Fixes https://fedorahosted.org/freeipa/ticket/3185
2012-10-31 08:48:25 +01:00
Rob Crittenden
2d3e91ff1c The SECURE_NFS value needs to be lower-case yes on SysV systems.
The sysV rpcgssd init script tests for [ "${SECURE_NFS}" != "yes" ].

This also works as lower case for system so a simple fix.

https://fedorahosted.org/freeipa/ticket/3207
2012-10-26 15:18:55 -04:00
Martin Kosek
1d5027bfc9 Remove servertrls and clientctrls options from rename_s
python-ldap of version 2.3.10 and lower does not support serverctrls
and clientctrls fir rename_s operation. Do not use these options until
really needed. In that time, we may put a requirement in place, that
minimal python-ldap version is 2.3.11. Also add a notice explaining
why we did this change.

https://fedorahosted.org/freeipa/ticket/3199
2012-10-26 12:58:04 -04:00
Martin Kosek
1ed8ba6a75 Avoid uninstalling dependencies during package lifetime
Requires(pre) only guarantees that package will be present before
package scriptlets are run. However, the package can be removed
after installation is finished without removing also IPA. Add
standard Requires for these dependencies.

Remove PRE version number from VERSION. This update and following
is done on a top of IPA 3.0.0 GA.

https://fedorahosted.org/freeipa/ticket/3189
2012-10-25 15:35:58 -04:00
Jakub Hrozek
5e79743a0b ipa-client-automount: Add the autofs service if it doesn't exist yet
https://fedorahosted.org/freeipa/ticket/3201
2012-10-25 14:27:38 -04:00
Rob Crittenden
fb7575d6b7 Close connection after each request, avoid NSS shutdown problem.
The unit tests were failing when executed against an Apache server
in F-18 due to dangling references causing NSS shutdown to fail.

https://fedorahosted.org/freeipa/ticket/3180
2012-10-24 15:07:53 -04:00
Petr Vobornik
445744206b Fixed incorrect link to browser config after session expiration
Fixed typo in message placeholder.

https://fedorahosted.org/freeipa/ticket/3187
2012-10-24 09:17:26 +02:00
Petr Viktorin
d6fbbd530e Make sure the CA is running when starting services
- Provide a function for determinig the CA status using Dogtag 10's new
  getStatus endpoint.
  This must be done over HTTPS, but since our client certificate may not be set
  up yet, we need HTTPS without client authentication.
  Rather than copying from the existing http_request and https_request
  function, shared code is factored out to a common helper.
- Call the new function when restarting the CA service. Since our Service
  can only be extended in platform-specific code, do this for Fedora only.
  Also, the status is only checked with Dogtag 10+.
- When a restart call in cainstance failed, users were refered to the
  installation log, but no info was actually logged. Log the exception.

https://fedorahosted.org/freeipa/ticket/3084
2012-10-23 22:02:21 -04:00
Petr Viktorin
e4853ebc59 ipa-replica-install: Use configured IPA DNS servers in forward/reverse resolution check
Previously, ipa-replica-install tried to check DNS resolution on the master
being cloned. If that master was not a DNS server, the check failed.

Change the check to query the first available configured DNS server.

Log about the check before actually running it.
Log in the case the check is skipped (no IPA DNS servers installed).

https://fedorahosted.org/freeipa/ticket/3194
2012-10-23 18:40:37 -04:00
Rob Crittenden
6e1a806709 Improve error messages in ipa-replica-manage.
Correctly handle case where we bind using GSSAPI with an unauthorized user.

Remove extraneous except clause. We now have handle for LDAP errors.

Make it explicit in a few places what server we can't connect to.

When the remote replica is down and we are forcing its removal, remove
a duplicate entry from the list of servers to remove.

https://fedorahosted.org/freeipa/ticket/2871
2012-10-23 14:11:50 -04:00
Tomas Babej
7ce6c4a2d3 Make service naming in ipa-server-install consistent
Forces more consistency into ipa-server-install output. All
descriptions of services that are not instances of
SimpleServiceInstance are now in the following format:

<Description> (<Service Name>)

Furthermore, start_creation method has been modified to support
custom start and end messages. See documentation for more info.

https://fedorahosted.org/freeipa/ticket/3059
2012-10-22 21:37:11 -04:00
Tomas Babej
7e3c5e3283 Refactoring of default.conf man page
Description for the 'dogtag_version', 'startup_timeout', 'server',
'wait_for_attr' option has been added. Option 'server' has been
marked as deprecated, as it is not used anywhere in IPA code. All
the options have been sorted lexicographically.

https://fedorahosted.org/freeipa/ticket/3071
2012-10-22 20:48:04 -04:00
Martin Kosek
a5ec992ed9 Report ipa-upgradeconfig errors during RPM upgrade
Report errors just like with ipa-ldap-updater. These messages should warn
user that some parts of the upgrades may have not been successful and
he should follow up on them. Otherwise, user may not notice them at all.

ipa-upgradeconfig now has a new --quiet option to make it output only error
level log messages or higher. ipa-upgradeconfig run without options still
pring INFO log messages as it can provide a clean overview about its
actions (unlike ipa-ldap-updater).

https://fedorahosted.org/freeipa/ticket/3157
2012-10-18 21:10:17 -04:00
Martin Kosek
9126b18d8b Add fallback for httpd restarts on sysV platforms
httpd init script on sysV based platforms cannot guarantee that two
consecutive httpd service restarts succeed when run in a small
time distance.

Add fallback procedure that adds additional waiting time after such
failed restart attempt, and then try to stop and start the service
again.

https://fedorahosted.org/freeipa/ticket/2965
2012-10-18 20:53:42 -04:00
Martin Kosek
62cce24224 Create reverse zone in unattended mode
Previous fix for ticket #3161 caused ipa-{server,dns}-install to
skip creation of reverse zone when running in unattended mode. Make
sure that reverse zone is created also in unattended mode (unless
--no-reverse is specified).

https://fedorahosted.org/freeipa/ticket/3161
2012-10-19 16:19:14 +02:00
Rob Crittenden
4a97fd0601 Fix requesting certificates that contain subject altnames.
https://fedorahosted.org/freeipa/ticket/3184
2012-10-19 16:16:06 +02:00
Petr Vobornik
fed5bbd298 Simpler instructions to generate certificate
Instructions to generate certificate were simplified.

New instructions:

 1) Create a certificate database or use an existing one. To create a new database:
    # certutil -N -d <database path>
 2) Create a CSR with subject CN=<hostname>,O=<realm>, for example:
    # certutil -R -d <database path> -a -g <key size> -s 'CN=dev.example.com,O=DEV.EXAMPLE.COM'
 3) Copy and paste the CSR (from -----BEGIN NEW CERTIFICATE REQUEST----- to -----END NEW CERTIFICATE REQUEST-----) into the text area below:

https://fedorahosted.org/freeipa/ticket/3056
2012-10-19 14:30:06 +02:00
John Dennis
38bbbdea61 log dogtag errors
If we get an error from dogtag we always did raise a
CertificateOperationError exception with a message describing the
problem. Unfortuanately that error message did not go into the log,
just sent back to the caller. The fix is to format the error message
and send the same message to both the log and use it to initialize the
CertificateOperationError exception. This is done in the utility
method raise_certificate_operation_error().

https://fedorahosted.org/freeipa/ticket/2622
2012-10-19 10:12:05 +02:00
Tomas Babej
27a8f93178 Forbid overlapping primary and secondary rid ranges
Commands ipa idrange-add / idrange-mod no longer allows the user
to enter primary or secondary rid range such that has non-zero
intersection with primary or secondary rid range of another
existing id range, as this could cause collision.

Unit tests added to test_range_plugin.py

https://fedorahosted.org/freeipa/ticket/3086
2012-10-19 09:02:50 +02:00
Petr Viktorin
049bc7042e ipautil.run: Log the command line before running the command
When the user interrupts a long-running command, this ensures that
the command is logged. Also, when watching log files (or the -d
output), it's apparent what's being done.

https://fedorahosted.org/freeipa/ticket/3174
2012-10-17 18:29:35 -04:00
Sumit Bose
89e315d639 extdom: handle INP_POSIX_UID and INP_POSIX_GID requests
Fixes https://fedorahosted.org/freeipa/ticket/3166
2012-10-18 10:57:54 +02:00
Sumit Bose
c1b922352f Fix various issues found by Coverity 2012-10-17 14:32:37 +02:00
Simo Sorce
2d42737d01 Add support for using AES fo cross-realm TGTs 2012-10-17 13:55:11 +02:00
Alexander Bokovoy
21d893ddde Warn about DNA plugin configuration when working with local ID ranges
https://fedorahosted.org/freeipa/ticket/3116
2012-10-17 12:08:15 +02:00
Rob Crittenden
8222799b91 Don't configure a reverse zone if not desired in interactive installer.
A reverse zone was always configured in the interactive installer
even if you answered "no" to the reverse zone question. The only way
to not confiugre it was the --no-reverse option.

https://fedorahosted.org/freeipa/ticket/3161
2012-10-17 08:59:13 +02:00
Nikolai Kondrashov
92331c0074 Add uninstall command hints to ipa-*-install
Add uninstall command to the uninstall instructions in the "already
installed" responses of ipa-server-install, ipa-client-install and
ipa-replica-install.

https://fedorahosted.org/freeipa/ticket/3065
2012-10-16 09:12:41 +02:00
Alexander Bokovoy
2d7f2928b9 Remove bogus check for smbpasswd
We don't use smbpasswd when configuring IPA for AD trusts anymore
because we switched to use Kerberos authentication in IPA passdb
backend based on CIFS service keytab.

https://fedorahosted.org/freeipa/ticket/3181
2012-10-16 09:05:55 +02:00
Rob Crittenden
5c054a77f3 Use TLS for CA replication
https://fedorahosted.org/freeipa/ticket/3162
2012-10-15 12:56:57 +02:00
Alexander Bokovoy
d05e297015 Use PublicError instructions support for trust-add case when domain is not found
https://fedorahosted.org/freeipa/ticket/3167
2012-10-11 16:31:02 -04:00
Alexander Bokovoy
88262a75ff Add instructions support to PublicError
When long additional text should follow the error message, one can
supply instructions parameter to a class derived from PublicError.

This will cause following text added to the error message:

    Additional instructions:
    <additional text>

`instructions' optional parameter could be a list or anything that coerces
into unicode(). List entries will be joined with '\n'.

https://fedorahosted.org/freeipa/ticket/3167
2012-10-11 16:30:58 -04:00
Petr Viktorin
1907f720d5 Pull translation files from Transifex
Patch generated by:
  cd install/po
  make pull-po
  make update-po
2012-10-11 16:09:27 -04:00
Rob Crittenden
ea4f60b15a Explicitly disable betxn plugins for the time being.
This should work with 389-ds-base 1.2.x and 1.3.0.

Without other plugin changes 389-ds-base can deadlock.

https://fedorahosted.org/freeipa/ticket/3046
2012-10-10 20:24:10 -04:00
Jan Cholasta
a51b65d9d4 Do not show full SSH public keys in command output by default. 2012-10-11 12:19:17 +02:00
Simo Sorce
f1ce31486c Use stricter requirement for krb5-server
Our code strictly depends on 1.10 as the KDC DAL plugin interface is not
guaranteed stable and indeed is different in 1.9 and will be different
in 1.11
So we cannot allow upgrades to 1.11 until we can provide a plugin that matches
1.11's interface.
2012-10-10 17:08:03 -04:00
Alexander Bokovoy
9cd0b7b498 Make sure samba{,4}-winbind-krb5-locator package is not used with trusts
Since use of winbind on FreeIPA server that is configured with trusts is
conflicting with krb5 locator based on winbind, use alternatives mechanism
to turn off the locator plugin by symlinking it to /dev/null.

https://fedorahosted.org/freeipa/ticket/3102
2012-10-09 22:24:34 -04:00
Rob Crittenden
392097f206 Configure the initial CA as the CRL generator.
Any installed clones will have CRL generation explicitly disabled.
It is a manual process to make a different CA the CRL generator.
There should be only one.

https://fedorahosted.org/freeipa/ticket/3051
2012-10-09 19:24:43 -04:00
Petr Viktorin
1dd103bc8c Create Firefox extension on upgrade and replica-install
If the signing cert is not available, create an unsigned extension.

Add a zip dependency to the specfile.

https://fedorahosted.org/freeipa/ticket/3150
2012-10-10 17:34:19 +02:00
Petr Viktorin
7c0f1ea501 replica-install: Don't copy Firefox config extension files if they're not in the replica file
This allows cloning from older masters.

https://fedorahosted.org/freeipa/ticket/3150
2012-10-10 17:33:43 +02:00
Petr Viktorin
595b37d6bb ipa-upgradeconfig: Remove the upgrade_httpd_selinux function
This function was never called from anywhere.
2012-10-10 17:33:01 +02:00
Alexander Bokovoy
0840b588d7 Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-install
Since CIFS principal is generated by ipa-adtrust-install and is only
usable after setting CIFS configuration, there is no need to include it
into default setup.

This should fix upgrades from 2.2 to 3.0 where CIFS principal does not
exist by default.

https://fedorahosted.org/freeipa/ticket/3041
2012-10-09 18:15:01 -04:00
Tomas Babej
00a54b8b7f Notify user about necessary ports in ipa-client-install
Connection error message in ipa-client-install now warns the user
about the need of opening of all the necessary ports for ipa-client
enrollment when error that might have been caused by closed ports
is encountered. Mentions the ports needed after the client
enrollment as well.

Improves other error messages during installation in various ways.

https://fedorahosted.org/freeipa/ticket/2816
2012-10-09 16:57:06 -04:00
Rob Crittenden
2ca7bb3134 Fix CS replication management.
The master side should be on the local side, replica1, not the
remote. This required reversing a few master variables. This impacts
the naming of the replication agreements.

When deleting an agreement pass in the DN of that agreement
rather than trying to calculate what it is on-the-fly. We cannot
be sure which side is the master/clone and since we search for it
anyway to determine if the agreement exists it is more correct
to use what we find.

The force flag wasn't being passed into del_link so there was no way
to force a deletion.

https://fedorahosted.org/freeipa/ticket/2858
2012-10-09 15:45:44 -04:00
Alexander Bokovoy
b3606e3d92 Fix wrong RID for Domain Admins in the examples of trust commands 2012-10-10 14:53:24 +02:00
Martin Kosek
fff56ee1c8 Fix CA CRL migration crash in ipa-upgradeconfig
CRL migrate procedure did not check if a CA was actually configured
on an updated master/replica. This caused ipa-upgradeconfig to
crash on replicas without a CA.

Make sure that CRL migrate procedure is not run when CA is not
configured on given master. Also add few try..except clauses to
make the procedure more robust. There is also a small refactoring of
"<service> is not configured" log messages, so that they have matching
log level and message.

dogtag.py constants were updated to have a correct path to new CRL
directory on Fedora 18 (dogtag 10).

https://fedorahosted.org/freeipa/ticket/3159
2012-10-10 14:15:46 +02:00
Rob Crittenden
eb79f5c955 Set renewal time for the CA audit certificate to 720 days.
The initial certificate is issued for two years but renewals are
for six months for some reason. This fixes it for new and updated
IPA installs.

https://fedorahosted.org/freeipa/ticket/2951
2012-10-09 17:51:13 +02:00
Rob Crittenden
96decfea26 Add uniqueness plugin configuration for sudorule cn
We do a search looking for duplicate values but this leaves open the
possibility that two adds are happening at the same time so both
searches return NotFound therefore we get two entries with the same
cn value.

https://fedorahosted.org/freeipa/ticket/3017
2012-10-08 18:32:41 -04:00
Martin Kosek
74ebd0fd75 Move CRL publish directory to IPA owned directory
Currently, CRL files are being exported to /var/lib/pki-ca
sub-directory, which is then served by httpd to clients. However,
this approach has several disadvantages:
 * We depend on pki-ca directory structure and relevant permissions.
   If pki-ca changes directory structure or permissions on upgrade,
   IPA may break. This is also a root cause of the latest error, where
   the pki-ca directory does not have X permission for others and CRL
   publishing by httpd breaks.
 * Since the directory is not static and is generated during
   ipa-server-install, RPM upgrade of IPA packages report errors when
   defining SELinux policy for these directories.

Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for
both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy
configuration does not report any error. The new CRL publish directory
is used for both new IPA installs and upgrades, where contents of
the directory (CRLs) is first migrated to the new location and then the
actual configuration change is made.

https://fedorahosted.org/freeipa/ticket/3144
2012-10-09 16:00:01 +02:00
Petr Vobornik
9bb927eb1c Add mime type to httpd ipa.conf for xpi exetension
Some configuration doesn't give proper mime type to xpi files. This patch explicitly sets it.

https://fedorahosted.org/freeipa/ticket/3094
2012-10-09 15:41:48 +02:00
Martin Kosek
2411377d40 Minor fixes for default SMB group
This patch contains additional minor fixes which were proposed during
review but were not pushed (accidentaly). Also amends a name of the
default SMB group in a list of protected groups in group.py.

https://fedorahosted.org/freeipa/ticket/3147
2012-10-09 12:15:07 +02:00