Commit Graph

2130 Commits

Author SHA1 Message Date
Rob Crittenden
f5822e3a25 httpinstance: add pinfile when tracking certificate
When the HTTP certificate gets untracked then tracked again, it
loses its pin file.  Ensure we add the pin file when (re-)tracking
the HTTP certificate.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
bb779baadf Use RENEWAL_CA_NAME and RA_AGENT_PROFILE constants
Replace renewal CA and profile name literals with corresponding
symbols from ipalib.constants.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
1bf008a64f cainstance: add profile to IPA RA tracking request
Profile-based renewal means we should always explicitly specify the
profile in tracking requests that use the dogtag-ipa-ca-renew-agent
renewal helper.  This includes the IPA RA agent certificate.  Update
CAInstance.configure_agent_renewal() to add the profile to the
tracking request.  This also covers the upgrade scenario (because
the same method gets invoked).

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
fa5675582c upgrade: fix spurious certmonger re-tracking
The search for the HTTP Certmonger tracking request uses an
incorrect parameter ('key-storage'), triggering removal and
recreation of tracking requests on every upgrade.  Replace
'key-storage' with the correct parameter, 'key-file'.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
2d22f568a1 upgrade: log missing/misconfigured tracking requests
For better diagnostics during upgrade, log the Certmonger tracking
requests that were not found (either because they do not exist, or
do not have the expected configuration).

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
482866e47e upgrade: update KRA tracking requests
The upgrade routine checks tracking requests for CA system
certificates, IPA RA and HTTP/LDAP/KDC service certificates.  If a
tracking request matching our expectations is not found, we stop
tracking all certificates, then create new tracking requests with
the correct configuration.

But the KRA was left out.  Add checks for KRA certificates, and
remove/recreate KRA tracking requests when appropriate.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
4f4e2f96b0 upgrade: always add profile to tracking requests
The profile for every Dogtag system cert tracking request is now
explicitly specified.  So remove the code that handled unspecified
profiles.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
588f1ddce2 dogtaginstance: avoid special cases for Server-Cert
The Dogtag "Server-Cert cert-pki-ca" certificate is treated
specially, with its own track_servercert() method and other special
casing.  But there is no real need for this - the only (potential)
difference is the token name.  Account for the token name difference
with a lookup method and treat all Dogtag system certs equally
w.r.t. tracking request creation and removal.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
f6f6f83dca upgrade: add profile to Dogtag tracking requests
To use profile-based renewal (rather than "renewal existing cert"
renewal which is brittle against database corruption or deleted
certificate / request objects), Certmonger tracking requests for
Dogtag system certs must record the profile to be used.

Update the upgrade method that checks tracking requests to look for
the profile.  Tracking requests will be recreated if the expected
data are not found.  The code that actually adds the tracking
requests was updated in a previous commit.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
3c388f5a22 dogtaginstance: add profile to tracking requests
Enabling "fresh" renewals (c.f. "renewal"-based renewals that
reference the expired certificate and its associated request object)
will improve renewal robustness.

To use fresh renewals the tracking request must record the profile
to be used.  Make dogtaginstance record the profile when creating
tracking requests for both CA and KRA.

Note that 'Server-Cert cert-pki-ca' and the 'IPA RA' both use
profile 'caServerCert', which is the default (according to
dogtag-ipa-renew-agent which is part of Certmonger).  So we do not
need any special handling for those certificates.

This commit does not handle upgrade.  It will be handled in a
subsequent commit.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
7171142aaf Fix use of incorrect variable
Part of: https://pagure.io/freeipa/issue/7548
Related: https://pagure.io/freeipa/issue/5608
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-17 17:58:58 +03:00
Fraser Tweedale
130e1dc343 move MSCSTemplate classes to ipalib
As we expand the integration tests for external CA functionality, it
is helpful (and avoids duplication) to use the MSCSTemplate*
classes.  These currently live in ipaserver.install.cainstance, but
ipatests is no longer permitted to import from ipaserver (see commit
81714976e5e13131654c78eb734746a20237c933).  So move these classes to
ipalib.

Part of: https://pagure.io/freeipa/issue/7548

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-17 17:58:58 +03:00
Florence Blanc-Renaud
ef39e1b02a upgrade: remove ipaCert and key from /etc/httpd/alias
With ipa 4.5+, the RA cert is stored in files in
/var/lib/ipa/ra-agent.{key|pem}. The upgrade code handles
the move from /etc/httpd/alias to the files but does not remove
the private key from /etc/httpd/alias.

The fix calls certutil -F -n ipaCert to remove cert and key,
instead of -D -n ipaCert which removes only the cert.

Fixes: https://pagure.io/freeipa/issue/7329
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-07-15 17:08:21 +03:00
Stanislav Levin
ac1ea0ec67 Fix test_webui.test_selinuxusermap
A previous refactoring of SELinux tests has have a wrong
assumption about the user field separator within
ipaSELinuxUserMapOrder. That was '$$', but should be just '$'.

Actually, '.ldif' and '.update' files are passed through
Python template string substitution:

> $$ is an escape; it is replaced with a single $.
> $identifier names a substitution placeholder matching
> a mapping key of "identifier"

This means that the text to be substituted on should not be escaped.
The wrong ipaSELinuxUserMapOrder previously set will be replaced on
upgrade.

Fixes: https://pagure.io/freeipa/issue/7996
Fixes: https://pagure.io/freeipa/issue/8005
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-15 14:41:23 +03:00
Rob Crittenden
a43100badc Don't configure disabled krb5 enctypes in FIPS mode
The only permitted ciphers are the AES family (called aes, which
is the combination of: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and
aes128-cts-hmac-sha256-128).

DES, RC4, and Camellia are not permitted in FIPS mode.  While 3DES
is permitted, the KDF used for it in krb5 is not, and Microsoft
doesn't implement 3DES anyway.

This is only applied on new installations because we don't
allow converting a non-FIPS install into a FIPS one.

Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-07-02 10:35:00 +03:00
Rob Crittenden
c484d79ecf For Fedora and RHEL use system-wide crypto policy for mod_ssl
Drop the SSLProtocol directive for Fedora and RHEL systems. mod_ssl
will use crypto policies for the set of protocols.

For Debian systems configure a similar set of protocols for what
was previously configured, but do it in a different way. Rather than
iterating the allowed protocols just include the ones not allowed.

Fixes: https://pagure.io/freeipa/issue/7667

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-01 14:55:29 +02:00
Stanislav Levin
b2acd65013 Make use of single configuration point for SELinux
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.

This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER

and applies corresponding changes to the test code.

Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-07-01 14:44:57 +03:00
Tibor Dudlák
339771b0d8
Remove unreachable code
Removing same elsif from install_check method.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-07-01 13:21:21 +02:00
Alexander Bokovoy
814592cf22 ipa-client-samba: a tool to configure Samba domain member on IPA client
Introduces new utility to configure Samba on an IPA domain member.

The tool sets up Samba configuration and internal databases, creates
cifs/... Kerberos service and makes sure that a keytab for this service
contains the key with the same randomly generated password that is set
in the internal Samba databases.

Samba configuration is created by querying an IPA master about details
of trust to Active Directory configuration. All known identity ranges
added to the configuration to allow Samba to properly handle them
(read-only) via idmap_sss.

Resulting configuration allows connection with both NTLMSSP and Kerberos
authentication for IPA users. Access controls for the shared content
should be set by utilizing POSIX ACLs on the file system under a
specific share.

The utility is packaged as freeipa-client-samba package to allow pulling
in all required dependencies for Samba and cifs.ko (smb3.ko) kernel
module. This allows an IPA client to become both an SMB server and an
SMB client.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-29 11:00:28 +03:00
Alexander Bokovoy
d631e008cc adtrust: update Samba domain controller keytab with host keys
When DCERPC clients use Kerberos authentication, they use a service
ticket to host/domain.controller because in Active Directory any
service on the host is an alias to the machine account object.

In FreeIPA each Kerberos service has own keys so host/.. and cifs/..
do not share the same keys. It means Samba suite needs to have access to
host/.. keytab entries to validate incoming DCERPC requests.

Unfortunately, MIT Kerberos has no means to operate on multiple keytabs
at the same time and Samba doesn't implement this either. We cannot use
GSS-Proxy as well because Samba daemons are running under root.

As a workaround, copy missing aes256 and aes128 keys from the host
keytab. SMB protocol doesn't use other encryption types and we don't
have rc4-hmac for the host either.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-29 11:00:28 +03:00
Alexander Bokovoy
cdb94e0ff2 ipaserver.install.installutils: move commonly used utils to ipapython.ipautil
When creating ipa-client-samba tool, few common routines from the server
installer code became useful for the client code as well.

Move them to ipapython.ipautil and update references as well.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-29 11:00:28 +03:00
François Cami
b49c627aa6 ipa_client_automount.py and ipactl.py: fix codestyle
Updating ipa_client_automount.py and ipactl.py's codestyle is
mandatory to make pylint pass as these are considered new files.

Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-28 10:53:07 +02:00
François Cami
c0cf65c4f7 Move ipa-client-automount.in and ipactl into modules
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-28 10:53:07 +02:00
Alexander Bokovoy
7af4c7d472 adtrust upgrade: fix wrong primary principal name, part 2
Second part of the trust principals upgrade

For existing LOCAL-FLAT$@REMOTE object, convert it to
krbtgt/LOCAL-FLAT@REMOTE and add LOCAL-FLAT$@REMOTE as an alias. To do
so we need to modify an entry content a bit so it is better to remove
the old entry and create a new one instead of renaming.

Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-06-27 16:50:15 +03:00
Alexander Bokovoy
34bfffd1be adtrust upgrade: fix wrong primary principal name
Upgrade code had Kerberos principal names mixed up: instead of creating
krbtgt/LOCAL-FLAT@REMOTE and marking LOCAL-FLAT$@REMOTE as an alias to
it, it created LOCAL-FLAT$@REMOTE Kerberos principal and marked
krbtgt/LOCAL-FLAT@REMOTE as an alias.

This differs from what Active Directory expects and what is created by
ipasam plugin when trust is established. When upgrading such deployment,
an upgrade code then unexpectedly failed.

Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-26 10:50:45 +02:00
Rob Crittenden
0184e967e5 Log the raised message when DNS check_zone_overlap fails
The check can fail for a lot of other reasons than there is
overlap so the error should be logged.

This causes confusion when --auto-reverse is requested and
some lookup fails causing the reverse to not be created.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-06-24 14:04:03 +02:00
Stanislav Levin
d86b57c057 Make use of the single configuration point for the default shells
For now all the default shells of users and admin are hardcoded in
different parts of the project. This makes it impossible to run the
test suite against the setup, which has the default shell differed
from '/bin/sh'.

The single configuration point for the shell of users and admin is
added to overcome this limitation.

Fixes: https://pagure.io/freeipa/issue/7978
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-19 11:39:51 +02:00
Rob Crittenden
f606d82024 Stop using 389-ds legacy backup and restoration utilities
Use dsctl instead, the modern replacement for ldif2db, db2ldif,
bak2db and db2bak.

https://pagure.io/freeipa/issue/7965

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-05 13:18:45 -04:00
Fraser Tweedale
f30f040dca avoid realm_to_serverid deprecation warning
ipaserver.installutils.realm_to_serverid was deprecated.  Use
ipapython.ipaldap.realm_to_serverid instead.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
162dce1c70 ipa-cert-fix: fix spurious renewal master change
We only want to become the renewal master if we actually renewed a
shared certificate.  But there is a bug in the logic; even if the
only Dogtag certificate to be renewed is the 'sslserver' (a
non-shared certificate), the renewal master will be reset.  Fix the
bug.

A static type system would have excluded this bug.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
582cc7da1d ipa-cert-fix: handle 'pki-server cert-fix' failure
When DS cert is expired, 'pki-server cert-fix' will fail at the
final step (restart).  When this case arises, ignore the
CalledProcessError and continue.

We can't know for sure if the error was due to failure of final
restart, or something going wrong earlier.  But if it was a more
serious failure, the next step (installing the renewed IPA-specific
certificates) will fail.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
e41b7457f3 ipa-cert-fix: use customary exit statuses
It is customary to return 2 when IPA is not configured, and 1 when
other required bits are not installed or configured.  Update
ipa-cert-fix exit statuses accordingly.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
09aa3d1f76 Add ipa-cert-fix tool
The ipa-cert-fix tool wraps `pki-server cert-fix`, performing
additional certificate requests for non-Dogtag IPA certificates and
performing additional actions.  In particular:

- Run cert-fix with arguments particular to the IPA deployment.

- Update IPA RA certificate in the ipara user entry (if renewed).

- Add shared certificates (if renewed) to the ca_renewal LDAP
  container for replication.

- Become the CA renewal master if shared certificates were renewed.
  This ensures other CA replicas, including the previous CA renewal
  master if not the current host, pick up those new certificates
  when Certmonger attempts to renew them.

Fixes: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
a3becc76dd constants: add ca_renewal container
Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
c28a42e27e cainstance: add function to determine ca_renewal nickname
The ipa-cert-fix program needs to know where to put shared
certificates.  Extract the logic that computes the nickname from
dogtag-ipa-ca-renew-agent to new subroutine
cainstance.get_ca_renewal_nickname().

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
a2a006c746 Extract ca_renewal cert update subroutine
When the CA renewal master renews certificates that are shared
across CA replicas, it puts them in LDAP for the other CA replicas
to see.  The code to create/update these entries lives in the
dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for
the ipa-cert-fix program too.  Extract it to a subroutine in the
cainstance module.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Thierry Bordaz
67490acb04 Switch nsslapd-unhashed-pw-switch to nolog
389-ds will change the default value of nsslapd-unhashed-pw-switch from 'on' to 'off'
For new or upgraded IPA instance, in case of winsync deployment the attribute is set
to 'on' and a warning is displayed.  Else the attribute is set to 'nolog'

https://pagure.io/freeipa/issue/4812

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-24 12:42:51 +02:00
Tibor Dudlák
e3f35843dc
Moving prompt for NTP options to install_check
In a interactive installation of freeipa server a promt asks for NTP related
options after install_check has been called. As it may cause confusion to users
moving to install_check methods where the prompt for other options is being done.
Refactored sync_time() method to use passed parameters ntp_servers and ntp_pool.

Resolves: https://pagure.io/freeipa/issue/7930
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
2019-05-22 18:20:22 +02:00
Florence Blanc-Renaud
9cd88587e4 CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA
Commit fa50068 introduced a regression. Previously, the
upgrade plugin upload_cacrt was setting the attribute
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN

After commit fa50068, the value is not set any more. As a
consequence, the LDAP entry is not identified as the CA and
CA renewal does not update the entry
cn=CAcert,cn=certificates,cn=ipa,cn=etc,BASEDN.

RHEL 6 client rely on this entry to retrieve the CA and
client install fails because cn=CAcert is out-of-date.

The fix makes sure that upload_cacrt plugin properly sets
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN

Fixed: https://pagure.io/freeipa/issue/7928
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-22 17:53:13 +02:00
Rob Crittenden
6662e99e17 Add knob to limit hostname length
On Linux systems the length limit for hostnames is hardcoded
at 64 in MAXHOSTNAMELEN

Solaris, for example, allows 255 characters, and DNS allows the
total length to be up to 255 (with each label < 64).

Add a knob to allow configuring the maximum hostname length (FQDN)

The same validators are used between hosts and DNS to apply
the knob only when dealing with a FQDN as a hostname.

The maxlen option is included so installers can limit the length
of allowed hostnames when the --hostname option is used.

https://pagure.io/freeipa/issue/2018

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-16 14:38:43 -04:00
Florence Blanc-Renaud
a425448914 Fix expected file permissions for ghost files
File permissions from the rpm freeipa-server-common and
freeipa-client-common do not match the runtime permissions. This results
in mode failures on rpm -Va.
Fix the expected file permissions on rpm spec file for
/var/lib/ipa/pki-ca/publish
/var/named/dyndb-ldap/ipa
/etc/ipa/pwdfile.txt
/etc/pki/ca-trust/source/ipa.p11-kit
(new format SQLite)
/etc/ipa/nssdb/cert9.db
/etc/ipa/nssdb/key4.db
/etc/ipa/pkcs11.txt
(old format DBM)
/etc/ipa/cert8.db
/etc/ipa/key3.db
/etc/ipa/secmod.db

The commit also fixes the file permissions for
/etc/httpd/conf.d/ipa-pki-proxy.conf (644)
during server installation, and the group ownership.

Fixes: https://pagure.io/freeipa/issue/7934
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-16 14:28:00 +02:00
Alexander Bokovoy
98b4c710d9 upgrade: adtrust - catch empty result when retrieving list of trusts
Upgrade failure when ipa-server-upgrade is being run on a system with no
trust established but trust configured

Fixes: https://pagure.io/freeipa/issue/7939
Reviewed-By: François Cami <fcami@redhat.com>
2019-05-11 21:15:37 +02:00
François Cami
5331510eab ipa_backup.py: replace /var/lib/ipa/backup with paths.IPA_BACKUP_DIR
/var/lib/ipa/backup is defined in ipaplatform.paths as paths.IPA_BACKUP_DIR
Remove all instances of /var/lib/ipa/backup/ in ipa_backup.py.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-07 09:08:40 +02:00
François Cami
e6415ec321 ipa-backup: better error message if ENOSPC
When the destination directory cannot store the complete backup
ipa-backup fails but does not explain why.
This commit adds error-checking to db2ldif(), db2bak() and
finalize_backup() and enhances the error message.

Fixes: https://pagure.io/freeipa/issue/7647
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Tibor Dudlák <tdudlak@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-05-07 09:00:42 +02:00
Alexander Bokovoy
294aa3a333 Revert "Require a minimum SASL security factor of 56"
This reverts commit 3509545897.

We cannot force increase in minimum SASL security factor until our
consumers are ready to deal with it. Unfortunately, realmd uses
anonymous connection for discovery and validation of IPA LDAP server.

The way it is done is fragile (it doesn't take into account an
advertised IPA version, only checks that 'IPA' string exists in the info
field) but since bumping of minimum SSF prevents reading IPA info field
using anonymous connection, client enrollment fails.

We should get back to bumping minimum SSF after realmd and other
potential consumers are fixed.

Reviewed-By: François Cami <fcami@redhat.com>
2019-05-02 11:39:23 +02:00
Christian Heimes
4f3c4f87a1 Guard dbus.start() with dbus.is_running()
Some platforms like Debian protect the dbus.service with
RefuseManualStart=True. "systemctl start dbus" fails with operation
refused (it is configured to refuse manual start/stop). On Fedora
"systemctl start dbus" is a no-op when dbus is already running.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:47:51 +02:00
Christian Heimes
a22b4a35f2 chmod SYSTEMD_PKI_TOMCAT_IPA_CONF
Change the permission of the new config file
/etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf to 644.
This fixes the systemd warning

Configuration file /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 09:56:44 +02:00
Oleg Kozlov
23d5c05232 Check have packages for extra features been installed before restoring backup
`iparestore --full` should check that packages for extra features such as dns and adtrust are installed in the system before restoring a backup in case the backup includes content for these features. If the packages are not installed full backup should be refused and an error message with suggestions should be showed.

If corresponding packages for these features are not installed before the backup restoring, it may cause a situation when the packages are going to be installed after the restoring. In that case configuration files restored by `ipa-restore` will be replaced by default configuration files if the files are tracked by `rpm`. E.g. if `freeipa-server-trust-ad` is not installed before `ipa-restore --full` running, when the package will be installed it also will bring `samba` package according to the dependencies. At `samba` installation step exist correct `/etc/samba/smb.conf` is going to be replaced by the default one from the `samba` package.

Fixes: https://pagure.io/freeipa/issue/7630
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-25 14:47:09 +02:00
Christian Heimes
74e09087ed Globally disable softhsm2 in p11-kit-proxy
The p11-kit configuration injects p11-kit-proxy into all NSS databases.
Amongst other p11-kit loads SoftHSM2 PKCS#11 provider. This interferes
with 389-DS, certmonger, Dogtag and other services. For example certmonger
tries to open OpenDNSSEC's SoftHSM2 token, although it doesn't use it at
all. It also breaks Dogtag HSM support testing with SoftHSM2.

IPA server does neither need nor use SoftHSM2 proxied by p11-kit.

Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-25 12:53:08 +02:00
Christian Heimes
8686cd3b4b Pass token_name to certmonger
For HSM support, IPA has to pass the token name for CA and subsystem
certificates to certmonger. For now, only the default 'internal' token is
supported.

Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-25 08:57:58 +02:00