Kvno error on validating one-way trust: "kvno: Decrypt integrity check failed while getting credentials"
by bogusmaster@o2.pl
Hi All,
I am setting up a one-way trust from FreeIPA server to AD domain with a pre-shared key.
It seems that it was set up successfully but I cannot verify the Kerberos configuration when I follow the steps described here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/....
Although I successfully kinit with a username from AD domain and obtain a ticket:
klist
Ticket cache: KEYRING:persistent:0:0
Default principal: testuser@DOMAIN.COM
Valid starting Expires Service principal
08/22/2017 09:47:41 08/22/2017 19:47:41 krbtgt/DOMAIN.COM@DOMAIN.COM
renew until 08/23/2017 09:47:34
I am not able to request service tickets for a service within IdM domain:
[root@idm1 ~]# KRB5_TRACE=/dev/stdout kvno -S host idm1.ipa.domain.com
[16119] 1503409696.153004: Getting credentials testuser@DOMAIN.COM -> host/idm1.ipa.domain.com@IPA.DOMAIN.COM using ccache KEYRING:persistent:0:0
[16119] 1503409696.153288: Retrieving testuser@DOMAIN.COM -> host/idm1.ipa.domain.com@IPA.DOMAIN.COM from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
[16119] 1503409696.153422: Retrieving testuser@DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
[16119] 1503409696.153520: Retrieving testuser@DOMAIN.COM -> krbtgt/DOMAIN.COM@DOMAIN.COM from KEYRING:persistent:0:0 with result: 0/Success
[16119] 1503409696.153536: Starting with TGT for client realm: testuser@DOMAIN.COM -> krbtgt/DOMAIN.COM@DOMAIN.COM
[16119] 1503409696.153600: Retrieving testuser@DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
[16119] 1503409696.153609: Requesting TGT krbtgt/IPA.DOMAIN.COM@DOMAIN.COM using TGT krbtgt/DOMAIN.COM@DOMAIN.COM
[16119] 1503409696.153663: Generated subkey for TGS request: aes256-cts/A13D
[16119] 1503409696.153718: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[16119] 1503409696.153875: Encoding request body and padata into FAST request
[16119] 1503409696.153942: Sending request (1851 bytes) to DOMAIN.COM
[16119] 1503409696.154236: Resolving hostname domain.com
[16119] 1503409696.290796: Initiating TCP connection to stream 10.10.10.10:88
[16119] 1503409696.398086: Sending TCP request to stream 10.10.10.10:88
[16119] 1503409696.836098: Received answer (1551 bytes) from stream 10.10.10.10:88
[16119] 1503409696.836121: Terminating TCP connection to stream 10.10.10.10:88
[16119] 1503409696.836212: Response was from master KDC
[16119] 1503409696.836258: Decoding FAST response
[16119] 1503409696.836423: TGS reply is for testuser@DOMAIN.COM -> krbtgt/ipa.domain.com@DOMAIN.COM with session key aes256-cts/C0B1
[16119] 1503409696.836454: TGS request result: 0/Success
[16119] 1503409696.836461: Received TGT for offpath realm ipa.domain.com
[16119] 1503409696.836468: Requesting TGT krbtgt/IPA.DOMAIN.COM@ipa.domain.com using TGT krbtgt/ipa.domain.com@DOMAIN.COM
[16119] 1503409696.836486: Generated subkey for TGS request: aes256-cts/743D
[16119] 1503409696.836523: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[16119] 1503409696.836579: Encoding request body and padata into FAST request
[16119] 1503409696.836648: Sending request (1854 bytes) to ipa.domain.com
[16119] 1503409696.904352: Resolving hostname idm1.ipa.domain.com.
[16119] 1503409696.938147: Sending initial UDP request to dgram 10.10.10.11:88
[16119] 1503409696.943465: Received answer (146 bytes) from dgram 10.10.10.11:88
[16119] 1503409696.977047: Response was from master KDC
[16119] 1503409696.977102: TGS request result: -1765328353/Decrypt integrity check failed
kvno: Decrypt integrity check failed while getting credentials for host/idm1.ipa.domain.com@IPA.DOMAIN.COM
Can you please advise me on how to resolve this issue?
Bart
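As an added triage helper (not code from the original post or from FreeIPA), the Python below reconstructs the cross-realm hop chain from KRB5_TRACE output of the kind shown above and reports which KDC the failing TGS request was sent to; the embedded trace is a constructed abridgement of the post's output, and the realm-case check merely flags that the AD KDC answered the request for IPA.DOMAIN.COM with a TGT for ipa.domain.com, which is an observation to follow up, not by itself a diagnosis.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: an abridged KRB5_TRACE excerpt in the shape of the one in
# the post above (timestamps, principals and host names are made up).
SAMPLE_TRACE = """\
[16119] 1503409696.153536: Starting with TGT for client realm: testuser@DOMAIN.COM -> krbtgt/DOMAIN.COM@DOMAIN.COM
[16119] 1503409696.153609: Requesting TGT krbtgt/IPA.DOMAIN.COM@DOMAIN.COM using TGT krbtgt/DOMAIN.COM@DOMAIN.COM
[16119] 1503409696.153942: Sending request (1851 bytes) to DOMAIN.COM
[16119] 1503409696.836423: TGS reply is for testuser@DOMAIN.COM -> krbtgt/ipa.domain.com@DOMAIN.COM with session key aes256-cts/C0B1
[16119] 1503409696.836454: TGS request result: 0/Success
[16119] 1503409696.836461: Received TGT for offpath realm ipa.domain.com
[16119] 1503409696.836468: Requesting TGT krbtgt/IPA.DOMAIN.COM@ipa.domain.com using TGT krbtgt/ipa.domain.com@DOMAIN.COM
[16119] 1503409696.836648: Sending request (1854 bytes) to ipa.domain.com
[16119] 1503409696.977102: TGS request result: -1765328353/Decrypt integrity check failed
"""

LINE_RE = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")
REQUEST_RE = re.compile(r"^Requesting TGT (\S+) using TGT (\S+)$")
SEND_RE = re.compile(r"^Sending request \(\d+ bytes\) to (\S+)")
REPLY_RE = re.compile(r"^TGS reply is for \S+ -> (\S+) with session key")
RESULT_RE = re.compile(r"^TGS request result: (-?\d+)/(.*)$")
OFFPATH_RE = re.compile(r"^Received TGT for offpath realm (\S+)$")


@dataclass
class Hop:
    """One TGS exchange in the cross-realm chain."""
    requested: str                    # TGT the client asked for (krbtgt/REALM@REALM)
    using: str                        # TGT presented to authenticate the request
    sent_to: Optional[str] = None     # realm the request was sent to
    reply_for: Optional[str] = None   # service principal named in the KDC reply
    offpath_realm: Optional[str] = None
    result_code: Optional[int] = None
    result_msg: Optional[str] = None

def tgt_realm(principal: str) -> str:
    """Realm named in a krbtgt/<realm>@<issuer> principal."""
    return principal.split("@", 1)[0].split("/", 1)[1]

def parse_trace(text: str) -> List[Hop]:
    """Reconstruct the sequence of TGS hops from KRB5_TRACE output."""
    hops: List[Hop] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a trace line (e.g. the final kvno error message)
        msg = m.group(1)
        if (r := REQUEST_RE.match(msg)):
            hops.append(Hop(requested=r.group(1), using=r.group(2)))
        elif not hops:
            continue  # messages before the first TGS request are not hop data
        elif (s := SEND_RE.match(msg)):
            hops[-1].sent_to = s.group(1)
        elif (rp := REPLY_RE.match(msg)):
            hops[-1].reply_for = rp.group(1)
        elif (rs := RESULT_RE.match(msg)):
            hops[-1].result_code, hops[-1].result_msg = int(rs.group(1)), rs.group(2)
        elif (op := OFFPATH_RE.match(msg)):
            hops[-1].offpath_realm = op.group(1)
    return hops

def find_failed_hop(hops: List[Hop]) -> Optional[Hop]:
    """First hop whose TGS result is non-zero, or None if every hop succeeded."""
    return next((h for h in hops if h.result_code not in (None, 0)), None)

def realm_case_mismatches(hops: List[Hop]) -> List[Tuple[str, str]]:
    """(requested, returned) realm pairs where a KDC answered with a TGT for a
    realm that differs from the requested one only in letter case. Realm names
    are case-sensitive in Kerberos, so such a referral is worth a look when the
    next hop fails; it is an observation, not by itself a diagnosis."""
    out: List[Tuple[str, str]] = []
    for h in hops:
        if h.reply_for:
            want, got = tgt_realm(h.requested), tgt_realm(h.reply_for)
            if want != got and want.lower() == got.lower():
                out.append((want, got))
    return out

def report(text: str) -> str:
    """One line per hop plus where the chain broke and any realm-case notes."""
    hops = parse_trace(text)
    lines = []
    for i, h in enumerate(hops, 1):
        status = "ok" if h.result_code == 0 else f"{h.result_code}/{h.result_msg}"
        lines.append(f"hop {i}: {h.requested} using {h.using} -> sent to {h.sent_to}: {status}")
    failed = find_failed_hop(hops)
    if failed:
        lines.append(f"chain broke at the KDC for {failed.sent_to}: {failed.result_msg}")
    for want, got in realm_case_mismatches(hops):
        lines.append(f"note: referral returned realm {got!r} for requested {want!r}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_TRACE))
```

Feed it a real capture with `report(open("trace.log").read())`; lines that are not trace lines are skipped.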
Changing case of user attributes fails
by Anthony Clark
It may possibly be related to this, but this is marked as fixed for 4.3:
https://pagure.io/freeipa/issue/5456
I'm on 4.4.0-14.el7.centos.7
A user had their lastname entry added with the wrong case. I attempted to
update it by changing the case, and got an error like this:
[Wed Sep 06 17:46:08.010202 2017] [:error] [pid 15253] ipa: INFO:
[jsonserver_session] aclark@DEV.REDACTED.NET: user_mod/1(u'pboppe',
sn=u'Boppe', version=u'2.213'): DatabaseError
I changed it to something else entirely, then changed it to the correct
case.
This happened on attributes: "lastname", "fullname", "displayname",
"initials", "gecos". I didn't test it elsewhere.
Is there a ticket already for this or should I create a new one? I don't
want to create work for the IPA devs :)
Thanks,
Anthony Clark
Which one?
by Kat
Hi all,
Looking to proxy some applications with a reverse proxy. Want to integrate
with IPA to do auth on the front end of the proxy so it passes kerberos
tickets to the back-end applications. Any suggestions on which proxy
would be best for this and integrating with IPA?
Just to clarify I am not trying to put a proxy in front of IPA UI as
most of the writeups I have found refer to.
thanks
K
Failure to login on 2/3 of servers after RHEL7.4 upgrade
by Steve Huston
Running a clone of RHEL (Springdale Linux), and recently upgraded to
7.4 and all its ensuing surprises. Today's is strange because it
affects one of three servers.
If a user tries to login to the web UI on 2/3 of the servers, they get
the same error listed in this ticket:
https://pagure.io/freeipa/issue/6739
One of the three servers works fine, and getting a Kerberos ticket
first also works (assuming the browser is configured properly, etc).
I noticed an error in the messages file on one of the failing machines:
Sep 5 13:22:59 ipa ipa-httpd-kdcproxy: ipa : WARNING
Unable to connect to dirsrv: cannot connect to
'ldapi://%2Fvar%2Frun%2Fslapd-ASTRO-PRINCETON-EDU.socket':
Sep 5 13:22:59 ipa ipa-httpd-kdcproxy: ipa : WARNING
Disabling KDC proxy
So I ran an 'ipactl restart' on that machine, and saw it successfully
connected later:
Sep 5 13:33:36 ipa systemd: Stopping The Apache HTTP Server...
Sep 5 13:33:37 ipa systemd: Starting The Apache HTTP Server...
Sep 5 13:33:38 ipa ipa-httpd-kdcproxy: ipa : INFO KDC
proxy enabled
Sep 5 13:33:38 ipa systemd: Started The Apache HTTP Server.
But that did not solve the problem. I'm happy to provide more
information, but as this is all new to me I don't know where to begin
to debug. Thanks for any pointers you can send my way.
--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
Princeton University | ICBM Address: 40.346344 -74.652242
345 Lewis Library |"On my ship, the Rocinante, wheeling through
Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
freeipa sudo expiration
by Scott Lucas
Hi,
I have a global password policy set for unlimited on expiration date,
however a user who has no issues logging in as himself, got a password
expiration notice when he recently used sudo. I can't seem to find anything
pertaining to sudo rights expiring in the freeipa gui, is there somewhere
specific I need to look, or a command I should run to check?
Thanks in advance
Adding new attribute in the user add dialog
by Prashant M. Bapat
Hi All,
I wanted to add a custom attribute to user. I followed the freeipa
extension guide here
http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
So far I have added this to the LDAP schema and added custom python code
to /usr/lib/python2.7/site-packages/ipaserver/plugins/.
With this the CLI part is working fine.
The new attribute (say "favoritecolorname") should be mandatory for all
users. I want the "user_add" call to validate the string using a regex.
This works perfectly! I used this guide
https://abbra.fedorapeople.org/guide.html
I'm stuck with changing the User Add dialog in Web UI. I need this new
attribute "favoritecolor" to be mandatory. Is there any sample code on
changing the default user add dialog?
Any pointers would be great.
Thanks.
--Prashant
kerberos nfs home directory, permission denied
by Hui Zhang
I set up a kerberos-aware nfs server for home directories. The nfs server and ipa server are all rhel7.4. Users can log in to most clients (rhel6.9, rhel7.3, rhel7.4) without error, but after logging in to some clients, users have no permission to access their home directories. They have to kinit first. For some clients (rhel 6.9), password authentication is disabled. No one can log in to these clients any more because they cannot access their home directory. As an admin, how can I help these users without knowing their passwords?
Re: Krb5.conf only sees first two kdc servers
by pgb205
Sumit, thank you very much for this. Very helpful, but I am still not seeing the problem
So at first I will try with the following in krb5.conf:
kdc=server1 <--shut off on the network
#kdc=server2 <--shut off on the network and commented out in krb5.conf
kdc=server3 <--up and running
KRB5_TRACE=/dev/stdout kinit user@test.domain
[12583] 1501113245.556036: Getting initial credentials for user@test.domain
[12583] 1501113245.556244: Sending request (181 bytes) to test.domain
[12583] 1501113245.556282: Resolving hostname server1
[12583] 1501113245.557235: Sending initial UDP request to dgram ip_addr_server1:88
[12583] 1501113246.558328: Resolving hostname server3
[12583] 1501113246.558974: Sending initial UDP request to dgram ip_addr_server3:88
[12583] 1501113246.729059: Received answer (275 bytes) from dgram ip_addr_server3:88
[12583] 1501113246.729111: Response was from master KDC
[12583] 1501113246.729155: Received error from KDC: -1765328359/Additional pre-authentication required
[12583] 1501113246.729219: Processing preauth types: 136, 19, 2, 133
[12583] 1501113246.729245: Selected etype info: etype aes256-cts, salt "pY;=XB+5_*EjJC%S", params ""
[12583] 1501113246.729254: Received cookie: MIT
Password for user@test.domain: <--get prompted for password
Now with all three kdc uncommented:
kdc=server1 <--shut off and uncommented
kdc=server2 <--shut off and uncommented
kdc=server3 <--up and running
KRB5_TRACE=/dev/stdout kinit user@test.domain
[12536] 1501112935.251721: Getting initial credentials for user@test.domain
[12536] 1501112935.251917: Sending request (181 bytes) to test.domain
[12536] 1501112935.251956: Resolving hostname server1
[12536] 1501112935.252875: Sending initial UDP request to dgram server1_ip:88
[12536] 1501112936.253962: Resolving hostname server2
[12536] 1501112936.255680: Retrying AS request with master KDC
[12536] 1501112936.255699: Getting initial credentials for user@test.domain
[12536] 1501112936.255763: Sending request (181 bytes) to test.domain (master)
[12536] 1501112936.255779: Resolving hostname server1
[12536] 1501112936.256379: Sending initial UDP request to dgram server1_ip:88
[12536] 1501112937.257451: Resolving hostname server2
kinit: Invalid argument while getting initial credentials
So as you can see server3 is never even tried for authentication. One of my theories is that there might be a maximum number of KDCs to try or a maximum total authentication timeout?! Just a wild guess as I'm reaching for straws.
-------------------------------
My other question, with regards to how sssd and krb work together, was prompted by the sssd.conf ipa_server = _srv_ option, which is supposed to find available IPA servers from DNS records. We do indeed have this option set in sssd.conf and are able to resolve server1, server2, server3 when querying for the following records:
_ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp
If _srv_ is enabled then am I correct in assuming that we wouldn't even need kdc= records in krb5.conf? I tried removing the kdc= lines and was unable to authenticate.
Announcing FreeIPA 4.6.0
by Tomas Krizek
The FreeIPA team would like to announce FreeIPA 4.6.0 release!
It can be downloaded from https://releases.pagure.org/freeipa/. Builds for
Fedora 25 and 26 will be available in the official COPR repository
https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-6/ .
== Highlights in 4.6.0 ==
=== Enhancements ===
* Python 3 is now supported.
=== Known Issues ===
* WebUI doesn't work [#7126, #7127]
* Attempting un-installation if IPA isn't installed prints confusing
strings [#7063]
=== Bug fixes ===
Contains all bugfixes and enhancements of 4.5.1, 4.5.2 and 4.5.3 releases.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on Freenode.
== Resolved tickets ==
* 7123 External CA renewal fails when IPA CA subject DN does not match
"CN=Certificate Authority, {subject-base}"
* 7116 dnssec: fix localhsm.py with openhsm >= 2.2.0
* 7108 ipa-backup broken because of cyclic import
* 7086 [ipatests] - add caless to cafull tests
* 7066 WebUI: All columns of user in group table are clickable
* 7035 ipa-otptoken-import - XML file is missing PBKDF2 parameters!
* 7017 NULL LDAP context in call to ldap_search_ext_s during search in
cn=ad,cn=trusts,dc=example,dc=com
* 6605 make lint + make modifies PO files in place
* 6582 Web UI: Change "Host Based" and "Role Based" to "Host-Based" and
"Role-Based"
* 6447 [WebUI] Remove offline version of WebUI
* 6261 Replace ERROR: cannot connect to
'http://localhost:8888/ipa/json': [Errno 111] Connection refused with
'IPA is not configured on this system'
* 6176 Updating of dns system records rapidly slowdown uninstallation
* 7121 ipa otptoken-add-yubikey fails with python3
* 7118 Fix CA-less installation due to incorrect with statement
* 7110 Missing requirement in freeipa 4.5.90.dev201708161122+git799551892-0
* 7100 test_caless: add SAN dNSName extensions for wildcard tests
* 7088 Use X509v3 Basic Constraints "CA:TRUE" instead of "CA:FALSE" IPA
CA CSR
* 7076 Adjust to CURL which started to use OpenSSL -
ipa-server-install fails to obtain RA certificate from CA (CA_UNREACHABLE)
* 7053 Replica install fails to configure IPA-specific temporary
files/directories
* 7052 WebUI: search facet spec actions contains 'undefined' item
* 7051 ipapython/graph.py complexity optimization
* 7050 Type error when running tests for whoami command.
* 7046 missing default basedn causes failure during initialization of
multi host tests
* 7030 tests: CA-less test suite broken due to missing subject key
identifier extension
* 7011 --force-join option is not mentioned in ipa-replica-install man page
* 7010 ipa-backup fails silently
* 7002 adtrustinstance: broken ID range assessment
* 6987 ca-add: invalid X.509 DN fails ungracefully
* 6986 make pylint is not working on F26
* 6980 Pagination Size under Customization in IPA WebUI accepts negative
values
* 6976 External CA: check that IPA CA certificate contains Subject Key
Identifier
* 6974 WebUI: Fix unit webUI tests
* 6971 ipatests: collect systemd journal
* 6956 Backup and restore tests failing
* 6946 ipa-replica-manage del (dl 0) doesn't remove server from
defaultServerList
* 6945 Bring back error messages from certificate validation
* 6943 server-del doesn't remove server from defaultServerList in
cn=default,ou=profile,$BASE
* 6940 installer should indicate that it is waiting for keys
* 6939 ipaserver.plugins.host.get_dn timeout due to unindexed search
* 6928 ipa-managed-entries incorrectly states server not installed
* 6865 minor spelling mistake in ipa-adtrust-install.1
* 6863 minor spelling mistake
* 6852 [RFE] Create client enrollment role
* 6849 Priority field missing in required field indicator - *
* 6845 ipa-otpd.socket.in has wrong kdc service name for Debian
* 6834 ipa-kdc-proxy.conf.template hardcodes python module directory
* 6822 git-commit-template: update ticket URL to use pagure.io instead
of fedorahosted.org
* 6818 Update asn1c code in /asn1/asn1c
* 6809 Failed to write schema: b'sudo/1' is not JSON serializable
* 6745 [test] ipa whoami command
* 6725 No page for information on build from source
* 6642 Py3: test_serverroles: use ldap2/ldapclient instead of MockLDAP
* 6591 pytest 3.0: yield tests are deprecated
* 5990 Py3: zonemgr_callback: expected unicode, got bytes
* 5919 cert-request rfc822Name check compares whole email address
case-sensitively
* 4985 [RFE] Support Python 3
== Detailed changelog since 4.5.3 ==
=== Alexander Bokovoy (13) ===
* csrgen: support openssl 1.0 and 1.1
* dcerpc: support Python 3
* ipa-sam: use smbldap_set_bind_callback for Samba 4.7 or later
* ipa-sam: use own private structure, not ldapsam_privates
* trust-mod: allow modifying list of UPNs of a trusted forest
* ipa-kdb: add pkinit authentication indicator in case of a successful
certauth
* Fix index definition for ipaAnchorUUID
* krb5: make sure KDC certificate is readable
* trust: always use oddjobd helper for fetching trust information
* ipaserver/dcerpc: unify error processing
* adtrust: make sure that runtime hostname result is consistent with the
configuration
* server: make sure we test for sss_nss_getlistbycert
* ldap2: use LDAP whoami operation to retrieve bind DN for current
connection
=== Abhijeet Kasurde (6) ===
* Vault testcase improvement
* Minor typo fixes
* Minor typo in details.js
* Hide request_type doc string in cert-request help
* Hide PKI Client database password in log file
* Use with statement for opening file
=== Alex Zeleznikov (1) ===
* Sort SRV records by priority
=== Aleksei Slaikovskii (3) ===
* ipapython/graph.py redundant variable fix
* ipapython/graph.py String formatting
* ipapython/graph.py complexity optimization
=== Ben Lipton (4) ===
* csrgen: Beginnings of NSS database support
* csrgen: Modify cert_get_requestdata to return a CertificationRequestInfo
* csrgen: Change to pure openssl config format (no script)
* csrgen: Remove helper abstraction
=== Christian Heimes (40) ===
* Misc Python 3 fixes for ipaserver.secrets
* Reimplement yield tests as parametrized tests
* Silence pytest.yield_fixture deprecation warning
* Slim down dependencies
* Vault: Explicitly default to 3DES CBC
* Band-aid for pip dependency bug
* Correct PyPI package dependencies
* tox: use pylint 1.6.x for now
* Replace _BSD_SOURCE with _DEFAULT_SOURCE
* Regenerate ASN.1 code with asn1c 0.9.28
* tox testing support for client wheel packages
* Stabilize make pypi_packages
* Replace hard-coded kdcproxy path with WSGI script
* Use entry_points for ipa CLI
* Don't hard-code with_wheels
* Add an option to build ipaserver wheels
* Add extra_requires for additional dependencies
* Conditionally import pyhbac
* Skip test_session_storage in ipaclient unittest mode
* Add make devcheck for developers
* session storage parameters must be bytes
* Fix ipatests.util doc tests
* Use Custodia 0.3.1 features
* Simplify KRA transport cert cache
* pytest 3.x compatibility
* Constrain wheel package versions
* Move remaining util functions to tasks module
* Ship ipatests.pytest_plugins.integration
* Move function run_repeatedly to tasks module
* Move hosts module to ipatests.pytest_plugins.integration.hosts
* Move tasks module to ipatests.pytest_plugins.integration.tasks
* Move env_config module to ipatests.pytest_plugins.integration.env_config
* Move config module to ipatests.pytest_plugins.integration.config
* Move helper code for integration plugin
* Increase Apache HTTPD's default keep alive timeout
* Add debug logging for keep-alive
* Use connection keep-alive
* Add options to run only ipaclient unittests
* Python 3: Fix session storage
* Fix Python 3 pylint errors
=== David Kreitschmann (4) ===
* Disable pylint in get_help function because of type confusion.
* Store help in Schema before writing to disk
* Use os.fsync instead of os.fdatasync because macOS doesn't support
fdatasync
* Fix libkrb5 filename for macOS
=== David Kupka (22) ===
* tests: certmap: Add test for user-{add,remove}-certmap
* tests: tracker: Add CertmapdataMixin tracker
* tests: certmap: Add test for certmapconfig-{mod,show}
* tests: tracker: Add CertmapconfigTracker to tests certmapconfig-* commands
* tests: certmap: Test permissions for certmap
* tests: certmap: Add basic tests for certmaprule commands
* tests: tracker: Add CertmapTracker for testing certmap-* commands
* tests: tracker: Add ConfigurationTracker to test *config-{mod,show}
commands
* tests: tracker: Add EnableTracker to test *-{enable,disable} commands
* tests: tracker: Split Tracker into one-purpose Trackers
* install: replica: Show message about key synchronization
* kra: promote: Get ticket before calling custodia
* ipapython.ipautil.run: Add option to set umask before executing command
* otptoken-add-yubikey: When --digits not provided use default value
* Bump version of ipa.conf file
* Create system users for FreeIPA services during package installation
* WebUI: cert login: Configure name of parameter used to pass username
* httpinstance.disable_system_trust: Don't fail if module 'Root Certs'
is not available
* spec file: Bump requires to make Certificate Login in WebUI work
* rpcserver.login_x509: Actually return reply from __call__ method
* Create temporary directories at the beginning of uninstall
* ipapython.ipautil.nolog_replace: Do not replace empty value
=== felipe (1) ===
* Fixing replica install: fix ldap connection in domlvl 0
=== Felipe Volpone (3) ===
* Removing part of circular dependency of ipalib in ipaplatform
* Changing how commands handle errors when they can't connect to IPA server
* py3: fixing zonemgr_callback
=== Felipe Volpone (5) ===
* Adding section "Building FreeIPA from source" on README
* Changing cert-find to go through the proxy instead of using the port 8080
* Changing cert-find to do not use only primary key to search in LDAP.
* Fixing adding authenticator indicators to host
* Fixing the cert-request comparing whole email address case-sensitively.
=== Fabiano Fidêncio (1) ===
* Allow erasing ipaDomainResolutionOrder attribute
=== Florence Blanc-Renaud (22) ===
* Fix Certificate renewal (with ext ca)
* Fix ipa-server-upgrade: This entry already exists
* ipa-replica-conncheck: handle ssh not installed
* ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
* ipa-replica-manage del (dl 0): remove server from defaultServerList
* server-del: update defaultServerList in cn=default,ou=profile,$BASE
* ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname
* ipa-server-install: fix uninstall
* ipa-kra-install manpage: document domain-level 1
* ipa-kra-install: fix check_host_keys
* ipa-server-install with external CA: fix pkinit cert issuance
* ipa-client-install: remove extra space in pkinit_anchors definition
* vault: piped input for ipa vault-add fails
* upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is
installed
* tests: add non-reg for idrange-add
* Upgrade: add gidnumber to trusted domain entry
* ipa-sam: create the gidNumber attribute in the trusted domain entry
* idrange-add: properly handle empty --dom-name option
* ipa-ca-install man page: Add domain level 1 help
* git-commit-template: update ticket url to use pagure.io instead of
fedorahosted.org
* dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
* man ipa-cacert-manage install needs clarification
=== Fraser Tweedale (14) ===
* Fix external renewal for CA with non-default subject DN
* py3: handle bytes in schema response
* py3: fix vault public key decoding
* cert: fix application of 'str' to bytes when formatting otherName
* py3: fix schema response for py2 server with py3 client
* Fix incorrect 'with' statement in CA-less installation
* Restore old version of caIPAserviceCert for upgrade only
* cert-request: simplify request processing
* Add CommonNameToSANDefault to default cert profile
* Add a README to certificate profile templates directory
* py3: fix regression in schemaupdate
* ca-add: validate Subject DN name attributes
* Add Subject Key Identifier to CA cert validity check
* Support 8192-bit RSA keys in default cert profile
=== Jan Cholasta (61) ===
* pylint: enable logging checks
* logging: do not use `ipa_log_manager` to create module-level loggers
* logging: do not log into the root logger
* logging: do not reference loggers in arguments and attributes
* doc: sync guide.org with cli.py
* logging: remove object-specific loggers
* logging: use the actual root logger as the root logger
* logging: port to standard Python logging
* logging: do not configure any handlers by default
* wsgi, oddjob: remove needless uses of Env
* config: provide defaults for `xmlrpc_uri`, `ldap_uri` and `basedn`
* ldap2: remove URI argument from ldap2 constructor
* test_ldap: drop redundant URI argument
* {ca,kra}instance: drop redundant URI argument from ad-hoc ldap2
connections
* user, migration: use LDAPClient for ad-hoc LDAP connections
* install: do not assume /etc/krb5.conf.d exists
* server upgrade: do not enable PKINIT by default
* pkinit manage: introduce ipa-pkinit-manage
* server certinstall: update KDC master entry
* httpinstance: wait until the service entry is replicated
* server certinstall: support PKINIT
* cacert manage: support PKINIT
* replica install: respect --pkinit-cert-file
* server install: fix KDC certificate validation in CA-less
* certs: do not export CA certs in install_pem_from_p12
* certs: do not export keys world-readable in install_key_from_p12
* server install: fix KDC PKINIT configuration
* install: introduce generic Kerberos Augeas lens
* client install: fix client PKINIT configuration
* install: trust IPA CA for PKINIT
* certdb: use custom object for trust flags
* certdb, certs: make trust flags argument mandatory
* certdb: add named trust flag constants
* ipa-cacert-manage: add --external-ca-type
* renew agent: get rid of virtual profiles
* renew agent: always export CSR on IPA CA certificate renewal
* renew agent: allow reusing existing certs
* cainstance: use correct profile for lightweight CA certificates
* server upgrade: always fix certmonger tracking request
* renew agent: respect CA renewal master setting
* spec file: bump krb5 Requires for certauth fixes
* spec file: bump python-netaddr Requires
* configure: fix AC_CHECK_LIB usage
* cert: defer cert-find result post-processing
* renew agent, restart scripts: connect to LDAP after kinit
* renew agent: revert to host keytab authentication
* install: request service certs after host keytab is set up
* dsinstance, httpinstance: consolidate certificate request code
* httpinstance: avoid httpd restart during certificate request
* dsinstance: reconnect ldap2 after DS is restarted by certmonger
* httpinstance: make sure NSS database is backed up
* certdb: fix `AttributeError` in `verify_ca_cert_validity`
* setup, pylint, spec file: drop python-nss dependency
* certdb: use certutil and match_hostname for cert verification
* spec file: bump libsss_nss_idmap-devel BuildRequires
* spec file: bump krb5-devel BuildRequires for certauth
* cert: do not limit internal searches in cert-find
* replica prepare: fix wrong IPA CA nickname in replica file
* httpinstance: clean up /etc/httpd/alias on uninstall
* certs: do not implicitly create DS pin.txt
* tasks: run `systemctl daemon-reload` after httpd.service.d updates
=== René Genz (3) ===
* fix minor spelling mistakes
* fix spelling mistake; minor rewording
* fix minor typos in ipa-adtrust-install.1
=== Martin Babinsky (45) ===
* Move tmpfiles.d configuration handling back to spec file
* Do not remove the old masters when setting the attribute fails
* *config-show: Do not show empty roles/attributes
* smart-card-advises: ensure that krb5-pkinit is installed on client
* smart card advise: use password when changing trust flags on HTTP cert
* smart card advises: use a wrapper around Bash `for` loops
* Use the compound statement formatting API for configuring PKINIT
* Fix indentation of statements in Smart card advises
* delegate formatting of compound Bash statements to dedicated classes
* advise: add an infrastructure for formatting Bash compound statements
* delegate the indentation handling in advises to dedicated class
* add a class that tracks the indentation in the generated advises
* Allow to pass in multiple CA cert paths to the smart card advises
* smart-card advises: add steps to store smart card signing CA cert
* smart-card advises: configure systemwide NSS DB also on master
* Prepare advise plugin for smart card auth configuration
* Extend the advice printing code by some useful abstractions
* fix incorrect suffix handling in topology checks
* Do not delete DS and PKI users during backup/restore tests
* test_backup_restore: do not fail on missing KrbLastSuccessfulAuth
* only stop/disable simple service if it is installed
* test_serverroles: Get rid of MockLDAP and use ldap2 instead
* Add `pkinit-status` command
* Add the list of PKINIT servers as a virtual attribute to global config
* Add an attribute reporting client PKINIT-capable servers
* Refactor the role/attribute member reporting code
* Allow for multivalued server attributes
* Travis CI: Add the server uninstaller as a last step of tests
* Travis CI: explicitly update pip before running the builds
* Do not test anonymous PKINIT after install/upgrade
* Upgrade: configure local/full PKINIT depending on the master status
* Use local anchor when armoring password requests
* Stop requesting anonymous keytab and purge all references of it
* Use only anonymous PKINIT to fetch armor ccache
* API for retrieval of master's PKINIT status and publishing it in LDAP
* Allow for configuration of all three PKINIT variants when deploying KDC
* separate function to set ipaConfigString values on service entry
* Revert "Store GSSAPI session key in /var/run/ipa"
* Remove duplicate functionality in upgrade
* Always check and create anonymous principal during KDC install
* Ensure KDC is properly configured after upgrade
* Split out anonymous PKINIT test to a separate method
* Remove unused variable from failed anonymous PKINIT handling
* Upgrade: configure PKINIT after adding anonymous principal
* Travis CI: invoke integration test helper scripts before test execution
=== Martin Basti (63) ===
* DNS update: reduce timeout for CA records
* baseldap: fix format string
* IPAOptionParser: fix dict comprehension
* py3: run already ported scripts under py3 by default
* py3: temporary set dependencies to both py2 and py3 packages
* py3: test_otptoken_import: fix bytes usage
* py3: ipa_otptoken_import: fix hex decoding
* py3: ipa_otptoken_import: fix calling unicode on bytes
* py3: ipa_otptoken_import: fix lambda code inspection
* py3: Remove comparison >=2 of debug log level
* py3: vault: data must be bytes
* py3: test_location_plugin: fix iteration over changed dict
* py3: test_kerberos_principal_aliases: fix code scope
* py3: dogtag.py: fix bytes warnings
* py3: travis: enable tests for plugins that are already working
* py3: secrets: remove iteritems usage
* Travis: check for BytesWarnings in httpd error_log
* py3: ipaldap: fix encoding of datetime objects
* py3: LDAPClient: remove __del__ method
* LDAPEntry: rename _orig to _orig_raw
* python-netifaces: update to reflect upstream changes
* Travis: enable temporary Py3 testing
* Travis: build only py2 packages for py2 testing
* Build: allow to build only py2 rpms for fedora
* Remove network and broadcast address warnings
* replica install: add missing check for non-local IP address
* Remove ip_netmask from option parser
* CheckedIPAddress: remove match_local param
* refactor CheckedIPAddress class
* ipa-dns-install: remove check for local ip address
* Fix local IP address validation
* Explicitly ask for py2 dependencies in py2 packages
* Only warn when specified server IP addresses don't match intf
* pylint: explicitly depends on python2-pylint
* py3: update_mod_nss_cipher_suite: ordering doesn't work with None
* py3: urlfetch: use "file://" prefix with filenames
* py3: cainstance: fix BytesWarning
* py3: schemaupdate: fix BytesWarning
* py3: LDAP updates: use only bytes/raw values
* py3: softhsm key_id must be bytes
* py3: ipaldap: encode Boolean as bytes
* py3: ConfigParser: replace deprecated readfd with read
* py3: use ConfigParser instead of SafeConfigParser
* Add remote_plugins subdirectories to RPM
* custodia dep: require explicitly python2 version
* pylint: ignore new checks added in 1.7
* Pylint: fix ipa_forbidden_import checker
* travis: fix pylint execution with py3
* py3: add missing py3 pylint dependencies
* adtrust: move SELinux settings to constants
* httpd: move SELinux settings to constants
* ipasetup: fix dependencies handling based on python version
* ipaclient: fix missing RPM ownership
* tests: add missing dependency iptables
* ca_status: add HTTP timeout 30 seconds
* http_request: add timeout option
* Use proper SELinux context with http.keytab
* Store GSSAPI session key in /var/run/ipa
* Fix PKCS11 helper
* Remove surplus 'the' in output of ipa-adtrust-install
* collect audit.log for easier selinux investigation
* Set "KDC:Disable Last Success" by default
* Set development version to 4.5.90
=== Lewis Eason (1) ===
* Correct typo estabilish->establish in the install scripts
=== Michal Reznik (9) ===
* test_caless: add SAN dNSName extensions for wildcard tests
* test_caless: add replica ca-less to ca-full test (master caless)
* test_caless: add server_replica ca-less to ca-full test
* tests: fix external_ca test suite failing due to missing SKI
* test_caless: remove xfail in wildcard certificate tests
* test_caless: introduce new python makepki + fix SKI extension issue
* test_caless: mark TestCertinstall intermediate CA tests as xfail
* test_caless: add pkinit option and test it
* added krb5kdc.log to pytest logging
=== Nathaniel McCallum (1) ===
* ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace
=== Oliver Gutierrez (1) ===
* Added plugins directory to ipaclient subpackages
=== Petr Spacek (1) ===
* ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri
=== Petr Vobornik (5) ===
* log progress of wait_for_open_ports
* control logging of host_port_open from caller
* kerberos session: use CA cert with full cert chain for obtaining cookie
* restore: restart/reload gssproxy after restore
* automount install: fix checking of SSSD functionality on uninstall
=== Pavel Vomacka (34) ===
* Fixes bug in actions creating for search facet
* WebUI: fix showing required asterisk '*'
* WebUI: Update unit test README
* Fixes details_test.js
* Fixes for widget_tests.js
* Fixes for aci_tests.js
* Fixes for entity_tests.js
* Fixes for ipa_test.js
* Add up to date JSON files
* Add loader.js into requirements of all HTML unit test files
* WebUI: remove creating js/libs symlink from makefile
* WebUI: Remove plugins symlink as it is unused
* Remove all old JSON files
* Revert "Web UI: Remove offline version of Web UI"
* WebUI: Add hyphenate versions of Host(Role) Based strings
* WebUI: fix incorrectly shown links in association tables
* WebUI: fix jslint error
* WebUI: change validator of page size settings
* WebUI: Add positive number validator
* WebUI: add support for changing trust UPN suffixes
* Bump version of python-gssapi
* Turn off OCSP check
* Change python-cryptography to python2-cryptography
* Turn on NSSOCSP check in mod_nss conf
* WebUI - Coverity: fix identical branches of if statement
* WebUI - Coverity: fixed null pointer exception
* WebUI: Coverity - add explicit window object to alert methods
* WebUI: Allow to add certs to certmapping with CERT LINES around
* WebUI: Fix showing vault in selfservice view
* WebUI: suppress truncation warning in select widget
* WebUI: Add support for suppressing warnings
* WebUI: Add support for login for AD users
* WebUI: add method for disabling item in user dropdown menu
* WebUI: check principals in lowercase
=== Rob Crittenden (2) ===
* Include the CA basic constraint in CSRs when renewing a CA
* Pass ipa-ca-agent credentials as PEM files
=== Gabe (2) ===
* Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
* Add --password-expiration to allow admin to force user password expiration
=== Sumit Bose (11) ===
* ipa_pwd_extop: do not generate NT hashes in FIPS mode
* ipa-sam: replace encode_nt_key() with E_md4hash()
* ipa-kdb: use canonical principal in certauth plugin
* ipa-kdb: reload certificate mapping rules periodically
* IPA-KDB: use relative path in ipa-certmap config snippet
* extdom: improve cert request
* extdom: do reverse search for domain separator
* ipa-kdb: do not depend on certauth_plugin.h
* configure: fix --disable-server with certauth plugin
* IPA certauth plugin
* ipa-kdb: add ipadb_fetch_principals_with_extra_filter()
=== Simo Sorce (12) ===
* Always check peer has keys before connecting
* Make sure we check ccaches in all rpcserver paths
* Revert setting sessionMaxAge for old clients
* Add code to be able to set default kinit lifetime
* Fix rare race condition with missing ccache file
* Make sure remote hosts have our keys
* Fix s4u2self with adtrust
* Prevent churn on ccaches
* Work around issues fetching session data
* Handle failed authentication via cookie
* Avoid growing FILE ccaches unnecessarily
* Add options to allow ticket caching
=== Stanislav Laznicka (97) ===
* spec: remove strict options from shebangs
* spec: have the scripts depend on py3 packages
* spec: remove python3 workaround
* Remove unused variable
* certmonger: remove temporary workaround
* cert: fix wrong assumption of cert-show result type
* rpc: don't encode bytes
* py3: Fix searching for yubikeys
* py3: remove relative import
* py3: remove Exception.message appearances
* Fix cert file creation during CA-less installation
* Uninstall: fix BytesWarning exception
* Unify storing certificates in LDAP
* py3: fix caless to CA promotion on replica
* cacert_manage: fix CA cert renewal
* python3: port certmonger requests script
* crtmgr: fix bug if CERTMONGER_CERTIFICATE not set
* certmonger: finish refactoring for request script
* certmonger: fix storing retrieved certificates
* Make the IPA server run under Python 3 by default
* Turn IPA scripts to python3 -bb for testing
* py3: Depend on newer pyldap for server-upgrade
* ipautil: port host_port_open() to python 3
* conncheck: fix progression on failure
* kerberos: fix sorting Principal objects
* host, service: fix adding host/svc with a cert
* server plugin: pass bytes to ldap.modify_s
* replica: fix SetuptoolsVersion comparison
* replica-prepare: run the script in py3 by default
* certs: write and read bytes as such
* client: make ipa-client-install py3 compatible
* cainstance: read cert file as bytes
* ca: TypeError fix
* krainstance: fix writing str to file
* replica-conncheck: log when failed to RPC connect
* Fixup of not-so-good PEM certs
* x509,certdb: handle certificates as bytes
* Create a Certificate parameter
* parameters: relax type checks
* tests: fix failing HTTPS connection
* Introduce load_unknown_x509_certificate()
* x509: Make certificates represented as objects
* Split x509.load_certificate() into PEM/DER functions
* README: Fix trailing whitespace
* Ensure network is online prior to an upgrade
* rpcserver: remove addition of str and bytes
* wsgi plugins: mod_wsgi expects bytes as an output
* adtrustinstance: write the conf as a string
* adtrustinstance: pep8 fix
* More verbose error message on kdc cert validation
* cert-validate: keep all messages in cert validation
* adtrustinstance: fix ID range comparison
* Docstring+refactor of IPADiscovery.ipadnssearchkrbrealm()
* ipadiscovery: Return realm as a string
* session_storage: Correctly handle string/byte types
* rpc: avoid possible recursion in create_connection
* rpc: preparations for recursion fix
* Avoid possible endless recursion in RPC call
* kdc.key should not be visible to all
* Change ConfigParser to RawConfigParser
* ca/cert-show: check certificate_out in options
* Remove pkinit-anonymous command
* Make a doctext more clear
* Provide useful messages during cert validation
* cert-show: writable files do not mean dirs
* fix managed-entries printing IPA not installed
* Fix wrong message on Dogtag instances stop
* Make CA/KRA fail when they don't start
* Remove the cachedproperty class
* Refresh Dogtag RestClient.ca_host property
* compat plugin: Update link to slapi-nis project
* compat: ignore cn=topology,cn=ipa,cn=etc subtree
* Move the compat plugin setup at the end of install
* compat-manage: behave the same for all users
* Fix CAInstance.import_ra_cert for empty passwords
* Fix RA cert import during DL0 replication
* ext. CA: correctly write the cert chain
* server-install: No double Kerberos install
* Fix CA-less to CA-full upgrade
* replicainstall: better client install exception handling
* Add the force-join option to replica install
* server-install: remove broken no-pkinit check
* Add pki_pin only when needed
* Remove publish_ca_cert() method from NSSDatabase
* Get correct CA cert nickname in CA-less
* Remove redundant option check for cert files
* replica-prepare man: remove pkinit option refs
* Don't allow setting pkinit-related options on DL0
* Fix the order of cert-files check
* Generate PIN for PKI to help Dogtag in FIPS
* Backup CA cert from kerberos folder
* Allow renaming of the sudorule objects
* Allow renaming of the HBAC rule objects
* Reworked the renaming mechanism
* Bump samba version for FIPS and priv. separation
* Backup ipa-specific httpd unit-file
* Add debug log in case cookie retrieval went wrong
=== Thierry Bordaz (1) ===
* NULL LDAP context in call to ldap_search_ext_s during search
=== Tibor Dudlák (11) ===
* otptoken_yubikey.py: Removed traceback when package missing.
* topology.py: Removes error message from dictionary.
* Add test: test_xmlrpc/test_whoami_plugin.py
* whoami.py: Type error when running tests
* Create indexes for 'serverhostname' attribute
* Add --force-join into ipa-replica-install manpage
* dnsserver.py: dnsserver-find no longer returns internal server error
* Add Role 'Enrollment Administrator'
* server.py: Removes dns-server configuration from ldap
* sssd.py: Deprecating no-sssd option.
* client.py: Replace hardcoded 'admin' with options.principal
=== Tibor Dudlák (2) ===
* user.py: replace user_mod with ldap.update_entry()
* Add 'TIP' to enable copr repo.
=== Timo Aaltonen (2) ===
* ipa-otpd.socket.in: Use a platform specific value for KDC service file
* configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in
=== Tomas Krizek (25) ===
* Become IPA 4.6.0
* Contributors.txt: update
* zanata: update translations for ipa-4-6
* zanata: set project version to ipa-4-6
* dnssec: keep dnssec daemons in Python2
* ipatests: collect log after ipa-ca-install
* dnssec: fix localhsm.py utility script
* prci: add caless tests
* makerpms.sh: make git checkout optional
* build: checkout *.po files at the end of makerpms.sh
* freeipa-pr-ci: enable pull-request CI
* ipactl: log check_version exception
* logging: make sure logging level is set to proper value
* ipatests: do not finalize api when IPA is not configured
* ipatests: do not collect systemd journal when logfile_dir is missing
* ipatests: add systemd journal collection for multihost tests
* ipatests: change logdir naming pattern for multihost tests
* named.conf template: add modification warning
* ca, kra install: validate DM password
* installutils: add DM password validator
* ca install: merge duplicated code for DM password
* upgrade: add missing suffix to http instance
* installer service: fix typo in service entry
* python2-ipalib: add missing python dependency
* kra install: update installation failure message
=== Thorsten Scherf (2) ===
* Changed ownership of ldiffile to DS_USER
* Fixed typo in ipa-client-install output