Martin Babinsky
a448102347
ipa-client-install: put eol character after the last line of altered config file(s)
...
https://fedorahosted.org/freeipa/ticket/4864
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-02-10 12:54:29 +01:00
Gabe
959b0efa38
Typos in ipa-rmkeytab options help and man page
...
https://fedorahosted.org/freeipa/ticket/4890
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-02-10 08:30:46 +01:00
Martin Basti
e29f9280fd
Use dyndns_update instead of deprecated sssd option
...
ipa_dyndns_update is deprecated in SSSD, dyndns_update should be used
instead.
https://fedorahosted.org/freeipa/ticket/4849
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-01-28 14:28:33 +01:00
Martin Basti
af1f87a034
Add debug messages into client autodetection
...
It is hard to debug what the problem with REALM is without debug messages.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-21 08:34:26 +01:00
Gabe
6d3403edac
Remove usage of app_PYTHON in ipaserver Makefiles
...
- Remove ChangeLog from ipa-client/Makefile.am
https://fedorahosted.org/freeipa/ticket/4700
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-12-10 15:42:39 +01:00
Nathaniel McCallum
7ad9f5d3d5
Prefer TCP connections to UDP in krb5 clients
...
In general, TCP is a better fit for FreeIPA due to large packet sizes.
However, there is also a specific need for TCP when using OTP. If a UDP
packet is delivered to the server and the server takes longer to process
it than the client timeout (likely), the OTP value will be resent.
Unfortunately, this will cause failures or even lockouts. Switching to
TCP avoids this problem altogether.
https://fedorahosted.org/freeipa/ticket/4725
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-12-08 10:56:06 +01:00
Jan Pazdziora
bea417828d
No explicit zone specification.
...
https://fedorahosted.org/freeipa/ticket/4780
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-12-05 09:46:56 +01:00
Jan Cholasta
47a08f3498
Fix unchecked return value in ipa-join
...
https://fedorahosted.org/freeipa/ticket/4713
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-25 08:23:24 +00:00
Simo Sorce
b1a30bff04
Use asn1c helpers to encode/decode the getkeytab control
...
Replaces manual encoding with automatically generated code.
Fixes:
https://fedorahosted.org/freeipa/ticket/4718
https://fedorahosted.org/freeipa/ticket/4728
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-11-20 10:52:13 -05:00
Jan Cholasta
ade02cdac4
Fix memory leaks in ipa-join
...
Also remove dead code in ipa-join and add initializer to a variable in
ipa-getkeytab to prevent false positives in static code analysis.
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-05 15:28:27 +01:00
Gabe
7eca640ffa
Remove trivial path constants from modules
...
https://fedorahosted.org/freeipa/ticket/4399
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-04 12:57:01 +01:00
Jan Cholasta
35947c6e10
Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
...
If new certificate is not available, reuse the old one, instead of waiting
indefinitely for the new certificate to appear.
https://fedorahosted.org/freeipa/ticket/4628
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-30 10:51:36 +01:00
Jan Cholasta
608851d3f8
Check LDAP instead of local configuration to see if IPA CA is enabled
...
The check is done using a new hidden command ca_is_enabled.
https://fedorahosted.org/freeipa/ticket/4621
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-17 12:53:11 +02:00
Jan Cholasta
ca7e0c270f
Add ipa-client-install switch --request-cert to request cert for the host
...
The certificate is stored in /etc/ipa/nssdb under the nickname
"Local IPA host".
https://fedorahosted.org/freeipa/ticket/4550
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-16 19:11:52 +02:00
Jan Cholasta
da24d8a6e7
Fix certmonger search for the CA cert in ipa-certupdate and ipa-cacert-manage
...
The search criteria did not include the CA agent name.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
4e68046751
Get server hostname from jsonrpc_uri in ipa-certupdate
...
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
9ab402c495
Check if IPA client is configured in ipa-certupdate
...
https://fedorahosted.org/freeipa/ticket/4460
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
f40a0ad325
Use /etc/ipa/nssdb to get nicknames of IPA certs installed in /etc/pki/nssdb
...
Previously a list of nicknames was kept in /etc/pki/nssdb/ipa.txt. The file
is removed now.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
bbf962299d
Use NSSDatabase instead of direct certutil calls in client code
...
https://fedorahosted.org/freeipa/ticket/4416
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
231f57cedb
Introduce NSS database /etc/ipa/nssdb
...
This is the new default NSS database for IPA.
/etc/pki/nssdb is still maintained for backward compatibility.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
David Kupka
89c4f12425
Add 'host' setting into default.conf configuration file on client. Fix description in man page.
...
'host' setting specifies local hostname not the hostname of IPA server.
https://fedorahosted.org/freeipa/ticket/4481
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-26 13:38:57 +02:00
Rob Crittenden
c1bf520393
No longer generate a machine certificate on client installs
...
https://fedorahosted.org/freeipa/ticket/4449
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-05 17:50:59 +02:00
David Kupka
dc4bdd327f
Allow user to force Kerberos realm during installation.
...
User can set realm not matching one resolved from DNS. This is useful especially
when DNS is misconfigured.
https://fedorahosted.org/freeipa/ticket/4444
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-05 14:50:36 +02:00
David Kupka
6d94cdf250
Use certmonger D-Bus API instead of messing with its files.
...
FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be a more stable and supported way of using certmonger than
tampering with its files.
>=certmonger-0.75.13 is needed for this to work.
https://fedorahosted.org/freeipa/ticket/4280
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-05 10:51:42 +02:00
Tomas Babej
fd26560a16
ipa-client-install: Do not add already configured sources to nsswitch.conf entries
...
Makes sure that any new sources added are not already present
in the entry.
https://fedorahosted.org/freeipa/ticket/4508
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-04 13:39:13 +02:00
Jan Cholasta
60e19b585c
Add client certificate update tool ipa-certupdate.
...
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
55d3bab57b
Get CA certs for system-wide store from cert store in ipa-client-install.
...
All of the certificates and associated key policy are now stored in
/etc/pki/ca-trust/source/ipa.p11-kit.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
b5471a9f3e
Get CA certs for /etc/pki/nssdb from certificate store in ipa-client-install.
...
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
459d6cff4e
Get CA certs for /etc/ipa/ca.crt from certificate store in ipa-client-install.
...
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
fd400588d7
Support multiple CA certificates in /etc/ipa/ca.crt in ipa-client-install.
...
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
29f42cbec1
Refactor CA certificate fetching code in ipa-client-install.
...
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
a8a44c1c71
Remove certificate "External CA cert" from /etc/pki/nssdb on client uninstall.
...
This is a no longer used nickname for CA certificate on CA-less server
installs.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Martin Kosek
aa0639284c
Do not crash client basedn discovery when SSF not met
...
ipa-client-install runs anonymous search in non-rootdse space which
may raise UNWILLING_TO_PERFORM error. This case was only covered for
BIND, but not for the actual LDAP queries.
https://fedorahosted.org/freeipa/ticket/4459
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-29 17:48:05 +02:00
Nathaniel McCallum
96986056f6
Fix ipa-getkeytab for pre-4.0 servers
...
Also, make the error messages for this fallback case less scary and
clean up some indentation issues in the nearby code which made this
code difficult to read.
https://fedorahosted.org/freeipa/ticket/4446
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-07-25 08:22:46 +02:00
Lukas Slebodnik
277a01589b
Fix warning: Using uninitialized value ld.
...
If create_getkeytab_control fails, the uninitialized pointer 'ld' will be
used.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-07-14 16:04:58 +02:00
David Kupka
2ff14607b1
Fix ipa-client-install --uninstall crash
...
Fix ipa-client-install crash when chronyd service fails to start.
https://fedorahosted.org/freeipa/ticket/4273
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-08 10:29:13 +02:00
Tomas Babej
ffab09a7ef
ipa-client-install: Restart nisdomain service instead of starting
...
To ensure new NIS domain name is loaded after ipa-client-install
even in case when nisdomainname service is already running, we
need to restart the service rather than starting it.
https://fedorahosted.org/freeipa/ticket/4393
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-30 13:58:29 +02:00
Simo Sorce
d9d5967f7e
Fix getkeytab code to always use implicit tagging.
...
A mixture of implicit and explicit tagging was being used and this caused
a bug in retrieving the enctype number due to the way ber_scanf() loosely
treats sequences and explicit tagging.
The ASN.1 notation used to describe the getkeytab operation uses implicit
tagging, so by changing the code we simply follow the specified encoding.
Resolves: https://fedorahosted.org/freeipa/ticket/4404
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-27 10:03:23 +02:00
Jan Cholasta
3e0245f28f
Do not corrupt sshd_config in client install when trailing newline is missing.
...
https://fedorahosted.org/freeipa/ticket/4373
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-26 12:00:29 +02:00
Simo Sorce
6b92fb2a96
man: Add -r option to ipa-getkeytab.1
...
Update the man page with the new ipa-getkeytab option.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Simo Sorce
f352702d67
ipa-getkeytab: Add support for get_keytab extop
...
This new extended operation is tried by default and then the code falls
back to the old method if it fails. The new method allows for server
side password generation as well as retrieval of existing credentials
w/o causing regeneration of keys on the server.
Resolves:
https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Simo Sorce
153a009a07
ipa-getkeytab: Modularize ldap_set_keytab function
...
Isolate parts that will be reused in following patches.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Tomas Babej
e5e42fc83a
ipaplatform: Move paths from installers to paths module
...
Part of: https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-26 09:22:21 +02:00
Tomas Babej
f0d0640a46
ipaplatform: Pylint fixes
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:21 +02:00
Tomas Babej
4d2ef43f28
ipaplatform: Move all filesystem paths to ipaplatform.paths module
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
c7edd7b68c
ipaplatform: Remove redundant imports of ipaservices
...
Also fixes a few incorrect imports.
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
c011bccf45
ipaplatform: Change paths dependant on ipaservices to use ipaplatform.paths
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Tomas Babej
49fcd42f8f
ipaplatform: Change service code in freeipa to use ipaplatform services
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Tomas Babej
926f8647d2
ipaplatform: Change platform dependant code in freeipa to use ipaplatform tasks
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Tomas Babej
5f31f2d35f
ipaplatform: Do not require custom Authconfig implementations from platform modules
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:18 +02:00