mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
74e5d8c2af
Passing domain and server on the command-line used to be considered as DNS autodiscovery worked. This was problematic if there was in fact no SRV records because krb5.conf would be configured without a specific KDC causing all Kerberos ops to fail. Now if you pass in a domain/server it still tries to see if they are discoverable and if so won't hardcode a server, but will fall back to doing so if necessary. Also be a lot more aggressive on looking for the SRV records. Use the search and domain values from /etc/resolv.conf on the chance that the SRV records aren't in the domain of the hostname of the machine. An example of this would be if your laptop is in dhcp.example.com and your company's SRV records are in corp.example.com. Searching dhcp.example.com and example.com won't find the SRV records but the user is likely to have corp.redhat.com in the search list, at least. ticket 234
-
-
Code to be installed on any client that wants to be in an IPA domain. Mostly consists of a tool for Linux systems that will help configure the client so it will work properly in a kerberized environment. It also includes several ways to configure Firefox to do single sign-on. The two methods on the client side are: 1. globalsetup.sh. This modifies the global Firefox installation so that any profiles created will be pre-configured. 2. usersetup.sh. This will update a user's existing profile. The downside of #1 is that an rpm -V will return a failure. It will also need to be run with every update of Firefox. One a profile contains the proper preferences it will be unaffected by upgrades to Firefox. The downside of #2 is that every user would need to run this each time they create a new profile. There is a third, server-side method. See ipa-server/README for details.