Import Upstream version 4.12.4

geos_one
2025-08-12 22:28:56 +02:00
parent 03a8170b15
commit 9181ee2487
1629 changed files with 874094 additions and 554378 deletions


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -71,6 +71,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -148,10 +150,9 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
{ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
}
man1dir = $(mandir)/man1
am__installdirs = "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man5dir)"
@@ -181,6 +182,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -194,8 +197,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -203,6 +208,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -215,9 +221,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -226,6 +235,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -285,6 +296,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -293,9 +306,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -334,8 +350,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -381,6 +399,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -529,7 +548,6 @@ ctags CTAGS:
cscope cscopelist:
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -594,8 +612,8 @@ mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -689,3 +707,10 @@ uninstall-man: uninstall-man1 uninstall-man5
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%


@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@@redhat.com>
.\"
.TH "default.conf" "5" "Feb 21 2011" "FreeIPA" "FreeIPA Manual Pages"
.TH "default.conf" "5" "Feb 21 2011" "IPA" "IPA Manual Pages"
.SH "NAME"
default.conf \- IPA configuration file
.SH "SYNOPSIS"
@@ -68,9 +68,6 @@ Specifies the base DN to use when performing LDAP operations. The base must be i
.B ca_agent_port <port>
Specifies the secure CA agent port. The default is 8443.
.TP
.B ca_ee_port <port>
Specifies the secure CA end user port. The default is 8443.
.TP
.B ca_host <hostname>
Specifies the hostname of the dogtag CA server. The default is the hostname of the IPA server.
.TP
@@ -81,7 +78,7 @@ Specifies the insecure CA end user port. The default is 8080.
The time to wait for a certmonger request to complete during installation. The default value is 300 seconds.
.TP
.B context <context>
Specifies the context that IPA is being executed in. IPA may operate differently depending on the context. The current defined contexts are cli and server. Additionally this value is used to load /etc/ipa/\fBcontext\fR.conf to provide context\-specific configuration. For example, if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server, add the verbose option to \fI/etc/ipa/cli.conf\fR.
Specifies the context that IPA is being executed in. IPA may operate differently depending on the context. The current defined contexts are cli, server and dns. Additionally this value is used to load /etc/ipa/\fBcontext\fR.conf to provide context\-specific configuration. For example, if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server, add the verbose option to \fI/etc/ipa/cli.conf\fR.
.TP
.B debug <boolean>
When True provides detailed information. Specifically this set the global log level to "debug". Default is False.
@@ -116,6 +113,15 @@ Specifies whether values should be prompted for or not. The default is True.
.B kinit_lifetime <time duration spec>
Controls the lifetime of ticket obtained by users authenticating to the WebGUI using login/password. The expected format is a time duration string. Examples are "2 hours", "1h:30m", "10 minutes", "5min, 30sec". When the parameter is not set in default.conf, the ticket will have a duration inherited from the default value for kerberos clients, that can be set as ticket_lifetime in krb5.conf. When the ticket lifetime has expired, the ticket is not valid anymore and the GUI will prompt to re-login with a message "Your session has expired. Please re-login."
.TP
.B ldap_cache <boolean>
Enable a per-request LDAP cache. The default is True.
.TP
.B ldap_cache_size <integer>
The maximum number of entries cached if ldap_cache is True. Since this cache is per-request it is not expected to be very large. The default is 100. Setting the value < 1 effectively disables the cache regardless of the ldap_cache setting
.TP
.B ldap_cache_debug <boolean>
Log details on hits, misses, etc. for the LDAP cache if the cache is enabled.
.TP
.B ldap_uri <URI>
Specifies the URI of the IPA LDAP server to connect to. The URI scheme may be one of \fBldap\fR or \fBldapi\fR. The default is to use ldapi, e.g. ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-COM.socket
.TP
@@ -157,6 +163,12 @@ Specifies the mode the server is running in. The currently support values are \f
.B mount_ipa <URI>
Specifies the mount point that the development server will register. The default is /ipa/
.TP
.B oidc_child_debug_level <debuglevel>
Specifies the debug level of \fBoidc_child\fR, a helper process used by \fBipa-otpd\fR for OIDC/OAuth2 authentication. Level can be between 0 and 10, the higher the more details. If the level is 6 or higher HTTP debug output is added as well.
.TP
.B passkey_child_debug_level <debuglevel>
Specifies the debug level of \fBpasskey_child\fR, a helper process used by \fBipa-otpd\fR for passkey authentication. Level can be between 0 and 10, the higher the more details. If the level is 6 or higher libfido2 debug output is added as well.
.TP
.B prompt_all <boolean>
Specifies that all options should be prompted for in the IPA client, even optional values. Default is False.
.TP
@@ -169,6 +181,9 @@ Specifies the Kerberos realm.
.B replication_wait_timeout <seconds>
The time to wait for a new entry to be replicated during replica installation. The default value is 300 seconds.
.TP
.B schema_ttl <seconds>
The number of seconds for the ipa tool to cache the IPA API and help schema. Reducing this value during development is helpful so that API changes are seen sooner in the tool. Setting this on a server will define the TTL for all client versions > 4.3.1. Client versions > 4.3.1 that connect to IPA servers older than 4.3.1 will use the client-side configuration value. The default is 3600 seconds. 0 disables the cache. A change in the ttl will not be immediately recognized by clients. They will use the new value once their current cache expires.
.TP
.B server <hostname>
Specifies the IPA Server hostname.
.TP
@@ -241,12 +256,20 @@ system\-wide IPA configuration file
.I $HOME/.ipa/default.conf
user IPA configuration file
.TP
It is also possible to define context\-specific configuration files. The \fBcontext\fR is set when the IPA api is initialized. The two currently defined contexts in IPA are \fBcli\fR and \fBserver\fR. This is helpful, for example, if you only want \fBdebug\fR enabled on the server and not in the client. If this is set to True in \fIdefault.conf\fR it will affect both the ipa client tool and the IPA server. If it is only set in \fIserver.conf\fR then only the server will have \fBdebug\fR set. These files will be loaded if they exist:
It is also possible to define context\-specific configuration files. The \fBcontext\fR is set when the IPA api is initialized. The currently defined contexts in IPA are \fBcli\fR, \fBserver\fR and \fBdns\fR. This is helpful, for example, if you only want \fBdebug\fR enabled on the server and not in the client. If this is set to True in \fIdefault.conf\fR it will affect both the ipa client tool and the IPA server. If it is only set in \fIserver.conf\fR then only the server will have \fBdebug\fR set. These files will be loaded if they exist:
.TP
.I /etc/ipa/cli.conf
system\-wide IPA client configuration file
.TP
.I /etc/ipa/server.conf
system\-wide IPA server configuration file
.SH "EXAMPLES"
.TP
An example of a context-specific configuration file is \fB/etc/ipa/dns.conf\fR to be used to increase debug output of the IPA DNSSEC daemons.
.TP
.RS L
[global]
debug = True
.RE
.SH "SEE ALSO"
.BR ipa (1)


@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@@redhat.com>
.\"
.TH "EPN.CONF" "5" "April 28, 2020" "FreeIPA" "FreeIPA Manual Pages"
.TH "EPN.CONF" "5" "April 28, 2020" "IPA" "IPA Manual Pages"
.SH "NAME"
epn.conf \- Expiring Password Notification configuration file
.SH "SYNOPSIS"
@@ -60,6 +60,15 @@ Specifies the id of the user to authenticate with the SMTP server. Default None.
.B smtp_password <password>
Specifies the password for the authorized user. Default None.
.TP
.B smtp_client_cert <certificate>
Specifies the path to a single file in PEM format containing the certificate. Default None.
.TP
.B smtp_client_key <private key>
Specifies the path to a file containing the private key in. Otherwise the private key will be taken from certfile as well. Default None.
.TP
.B smtp_client_key_pass <private key password>
Specifies the password for decrypting the private key. Default None.
.TP
.B smtp_timeout <seconds>
Specifies the number of seconds to wait for SMTP to respond. Default 60.
.TP
@@ -77,9 +86,15 @@ Time to wait, in milliseconds, between each e-mail sent to try to avoid overload
Specifies the From: e-mail address value in the e-mails sent. The default is noreply@ipadefaultemaildomain. This value can be found by running
.I ipa config-show
.TP
.B mail_from_name <name>
Specifies the From: name value in the e-mails sent. The default is IPA-EPN.
.TP
.B notify_ttls <list of days>
This is the list of days before a password expiration when ipa-epn should notify a user that their password will soon require a reset. If this value is not specified then the default list will be used: 28, 14, 7, 3, 1.
.TP
.B msg_subject <subject>
Specifies the subject of the e-mails sent. The default is "Your password will expire soon."
.TP
.B msg_charset <type>
Set the character set of the message. The default is utf8. This will result in he body of the message being base64-encoded.
.TP


@@ -16,7 +16,7 @@
.\"
.\" Author: Jan Cholasta <jcholast@redhat.com>
.\"
.TH "ipa-certupdate" "1" "Jul 2 2014" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-certupdate" "1" "Jul 2 2014" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-certupdate \- Update local IPA certificate databases with certificates from the server
.SH "SYNOPSIS"


@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-client-automount" "1" "May 25 2012" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-client-automount" "1" "May 25 2012" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-client\-automount \- Configure automount and NFS for IPA
.SH "SYNOPSIS"
@@ -24,14 +24,12 @@ ipa\-client\-automount [\fIOPTION\fR]... <location>
.SH "DESCRIPTION"
Configures automount for IPA.
The automount configuration consists of three files:
The automount configuration consists of two files:
.PP
.IP o
/etc/nsswitch.conf
.IP o
/etc/sysconfig/autofs
.IP o
/etc/autofs_ldap_auth.conf
.TP
By default this will use DNS discovery to attempt to determine the IPA server(s) to use. If IPA servers are discovered then the automount client will be configured to use DNS discovery.
@@ -42,9 +40,9 @@ The default automount location is named default. To specify a different one use
.TP
The IPA client must already be configured in order to configure automount. The IPA client is configured as part of a server installation.
.TP
There are two ways to configure automount. The default is to use sssd to manage the automount maps. Alternatively autofs can configured to bind to LDAP over GSSAPI and authenticate using the machine's host principal.
SSSD is configured to manage the automount maps.
.TP
The nsswitch automount service is configured to use either sss or ldap and files depending on whether SSSD is configured or not.
The nss automount service is configured to use sss and files.
.TP
NFSv4 is also configured. The rpc.gssd and rpc.idmapd are started on clients to support Kerberos\-secured mounts.
.SH "OPTIONS"
@@ -54,10 +52,7 @@ Set the FQDN of the IPA server to connect to.
\fB\-\-location\fR=\fILOCATION\fR
Automount location.
.TP
\fB\-S\fR, \fB\-\-no\-sssd\fR
Do not configure the client to use SSSD for automount.
.TP
\fB\-S\fR, \fB\-\-idmap\-domain\fR=\fIIDMAP_DOMAIN\fR
\fB\-\-idmap\-domain\fR=\fIIDMAP_DOMAIN\fR
NFS domain for idmapd.conf. If unset, defaults to the IPA domain. If set to DNS, let idmapd or nfsidmap determine the domain from DNS (see idmapd(8) or nfsidmap(5) for details). If set to anything else, set idmapd.conf's Domain entry to that value.
.TP
\fB\-d\fR, \fB\-\-debug\fR
@@ -71,21 +66,12 @@ Restore the automount configuration files.
.SH "FILES"
.TP
Files that will be always be configured:
Files that will be configured:
/etc/nsswitch.conf
.TP
Files that will be configured when SSSD is the automount client (default):
/etc/sssd/sssd.conf
.TP
Files that will be configured when using the ldap automount client:
/etc/sysconfig/autofs
/etc/autofs_ldap_auth.conf
.SH "EXIT STATUS"
0 if the installation was successful


@@ -1,7 +1,7 @@
.\" A man page for ipa-client-install
.\" Copyright (C) 2008-2016 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-client-install" "1" "Dec 19 2016" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-client-install" "1" "Dec 19 2016" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-client\-install \- Configure an IPA client
.SH "SYNOPSIS"
@@ -11,7 +11,7 @@ Configures a client machine to use IPA for authentication and identity services.
By default this configures SSSD to connect to an IPA server for authentication and authorization. Optionally one can instead configure PAM and NSS (Name Switching Service) to work with an IPA server over Kerberos and LDAP.
An authorized user is required to join a client machine to IPA. This can take the form of a kerberos principal or a one\-time password associated with the machine.
An authorized account is required to join a client machine to IPA. This can take the form of a kerberos principal, a one\-time password associated with the machine, or PKINIT identity associated with the machine.
This same tool is used to unconfigure IPA and attempts to return the machine to its previous state. Part of this process is to unenroll the host from the IPA server. Unenrollment consists of disabling the principal key on the IPA server so that it may be re\-enrolled. The machine principal in /etc/krb5.keytab (host/<fqdn>@REALM) is used to authenticate to the IPA server to unenroll itself. If this principal does not exist then unenrollment will fail and an administrator will need to disable the host principal (ipa host\-disable <fqdn>).
@@ -136,6 +136,9 @@ Do not configure OpenSSH server.
\fB\-\-no\-sudo\fR
Do not configure SSSD as a data source for sudo.
.TP
\fB\-\-subid\fR
Configure SSSD as data source for subid.
.TP
\fB\-\-no\-dns\-sshfp\fR
Do not automatically create DNS SSHFP records.
.TP
@@ -205,7 +208,11 @@ Create DNS A/AAAA record for each IP address on this host.
Configure SSSD to permit all access. Otherwise the machine will be controlled by the Host\-based Access Controls (HBAC) on the IPA server.
.TP
\fB\-\-enable\-dns\-updates\fR
This option tells SSSD to automatically update DNS with the IP address of this client.
This option tells SSSD to automatically update DNS with the IP address of this
client.
The default is to use GSS-TSIG. However, if using GSS-TSIG fails for any reason
at install time, \fBipa\-client\-install\fR will configure SSSD to use
unauthenticated nsupdates instead.
.TP
\fB\-\-no\-krb5\-offline\-passwords\fR
Configure SSSD not to store user password when the server is offline.
@@ -222,6 +229,22 @@ first. When this option is not specified, \fBipa\-client\-install\fR will back
up SSSD config and create new one. The back up version will be restored during
uninstall.
.SS "PKINIT OPTIONS"
.TP
\fB\-\-pkinit\-identity=\fIDENTITY\fR
Identity string for PKINIT authentication to use to join the IPA realm,
for example 'FILE:/path/to/cert.pem,/path/to/key.pem'. See krb5.conf(5)
for more information. The option is mutually exclusive with
\fB\-\-password\fR and \fB\-\-keytab\fR.
.TP
\fB\-\-pkinit\-anchor\fR=\fIFILEDIR\fR
Trust anchors (root and intermediate CA certs) for PKINIT. \fIFILEDIR\fR is
either the absolute path to a PEM bundle (for example
'FILE:/etc/pki/tls/cert.pem') or to an OpenSSL hash directory (for example
'DIR:/etc/ssl/certs/'). The option can be used multiple times. PKINIT
requires the full trust chain of the Kerberos KDC server as well as the full
trust chain of the identity certificate.
.SS "UNINSTALL OPTIONS"
.TP
\fB\-\-uninstall\fR
@@ -230,6 +253,12 @@ Remove the IPA client software and restore the configuration to the pre\-IPA sta
\fB\-U\fR, \fB\-\-unattended\fR
Unattended uninstallation. The user will not be prompted.
.SH "DISABLED SERVICES"
.TP
ipa-client-install will automatically disable the Name Service Caching Daemon (nscd) when configuring the SSSD client. These are competing services and cannot co-exist.
.TP
If there are other similar services providing nss capabilities they will need to be manually disabled by the user. An example is unscd, a complete replacement for nscd.
.SH "FILES"
.TP
Files that will be replaced if SSSD is configured (default):
@@ -263,6 +292,8 @@ Files always created (replacing existing content):
/etc/ipa/nssdb
.br
/etc/openldap/ldap.conf
.br
/etc/pki/ca-trust/source/ipa.p11-kit
.TP
Files updated, existing content is maintained:


@@ -1,7 +1,7 @@
.\" A man page for ipa-client-samba
.\" Copyright (C) 2008-2016 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-client-samba" "1" "Jun 10 2019" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-client-samba" "1" "Jun 10 2019" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-client\-samba \- Configure Samba file server on an IPA client
.SH "SYNOPSIS"
@@ -18,7 +18,7 @@ During the configuration process, the tool will perform following steps:
1. Discover details of IPA domain: realm, domain SID, domain ID range
2. Discover details of trusted Actvide Directory domains: domain name, domain SID, domain ID range
2. Discover details of trusted Active Directory domains: domain name, domain SID, domain ID range
3. Create Samba configuration file using the details discovered above.
@@ -34,12 +34,12 @@ The tool does not start nor does it enable Samba file services after the configu
systemctl enable --now smb winbind
.SS "Assumptions"
The ipa\-client\-samba script assumes that the machine has alreaby been enrolled into IPA.
The ipa\-client\-samba script assumes that the machine has already been enrolled into IPA.
.SS "IPA Master Requirements"
At least one IPA master must hold a \fBTrust Controller\fR role. This can be achieved by running ipa\-adtrust\-install on the IPA master. The utility will configure IPA master to be a domain controller for IPA domain.
IPA master holding a \fBTrust Controller\fR role has also to have support for a special service command to create SMB service, \fBipa service-add-smb\fR. This command is available with FreeIPA 4.8.0 or later release.
IPA master holding a \fBTrust Controller\fR role has also to have support for a special service command to create SMB service, \fBipa service-add-smb\fR. This command is available with IPA 4.8.0 or later release.
.SH "OPTIONS"
.SS "BASIC OPTIONS"


@@ -15,16 +15,16 @@
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\"
.TH "IPA-EPN" "1" "April 24, 2020" "FreeIPA" "FreeIPA Manual Pages"
.TH "IPA-EPN" "1" "April 24, 2020" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-epn \- Send expiring password nofications
ipa\-epn \- Send expiring password notifications
.SH "SYNOPSIS"
ipa\-epn \fR[options\fR]
.SH "DESCRIPTION"
ipa\-epn provides a method to warn users via email that their IPA account password is about to expire.
It can be used in dry\-run mode which is recommmended during setup. The output is always JSON in this case.
It can be used in dry\-run mode which is recommended during setup. The output is always JSON in this case.
It can also be launched daily by its systemd timer.
In this case it will parse its configuration file epn.conf(5) and send an email to users whose passwords are expiring within the defined future date ranges.
@@ -45,10 +45,10 @@ Together, these two CLI options can be used to determine how many emails would b
The \fB\-\-to\-nbdays\fR CLI option implies \fB\-\-dry\-run\fR.
.TP
\fB\-\-from\-nbdays\fR \fI<number of days>\fR
See \fB\-\-to\-nbdays\fR for an explanation. This option must be used in conjonction with \fB\-\-to\-nbdays\fR.
See \fB\-\-to\-nbdays\fR for an explanation. This option must be used in conjunction with \fB\-\-to\-nbdays\fR.
.TP
\fB\-\-dry\-run\fR
The \fB\-\-dry\-run\fR CLI option is intented to test ipa\-epn's configuration.
The \fB\-\-dry\-run\fR CLI option is intended to test ipa\-epn's configuration.
For instance, if notify_ttls is set to 21, 14, 3, \fB\-\-dry-run\fR would display the list of users whose passwords would expire in 21, 14, and 3 days in the future.
.TP


@@ -17,7 +17,7 @@
.\" Author: Karl MacMillan <kmacmill@redhat.com>
.\" Author: Simo Sorce <ssorce@redhat.com>
.\"
.TH "ipa-getkeytab" "1" "Oct 10 2007" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-getkeytab" "1" "Oct 10 2007" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-getkeytab \- Get a keytab for a Kerberos principal
.SH "SYNOPSIS"
@@ -78,7 +78,10 @@ arcfour\-hmac
\fB\-s ipaserver\fR
The IPA server to retrieve the keytab from (FQDN). If this option is not
provided the server name is read from the IPA configuration file
(/etc/ipa/default.conf). Cannot be used together with \fB\-H\fR.
(/etc/ipa/default.conf). Cannot be used together with \fB\-H\fR. If the
value is _srv_ then DNS discovery will be used to determine a server.
If this discovery fails then it will fall back to using the configuration
file.
.TP
\fB\-q\fR
Quiet mode. Only errors are displayed.
@@ -118,7 +121,7 @@ GSSAPI or EXTERNAL.
\fB\-r\fR
Retrieve mode. Retrieve an existing key from the server instead of generating a
new one. This is incompatible with the \-\-password option, and will work only
against a FreeIPA server more recent than version 3.3. The user requesting the
against a IPA server more recent than version 3.3. The user requesting the
keytab must have access to the keys for this operation to succeed.
.SH "EXAMPLES"
Add and retrieve a keytab for the NFS service principal on


@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-join" "1" "Oct 8 2009" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-join" "1" "Oct 8 2009" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal
.SH "SYNOPSIS"
@@ -50,7 +50,7 @@ Please note, that while the ipa\-join option removes the client from the domain,
.SH "OPTIONS"
.TP
\fB\-h,\-\-hostname hostname\fR
The hostname of this server (FQDN). By default of nodename from uname(2) is used.
The hostname of this server (FQDN). By default the canonical name from getaddrinfo(3) for gethostname(2) is used.
.TP
\fB\-s,\-\-server server\fR
The hostname of the IPA server (FQDN). Note that by default there is no /etc/ipa/default.conf, in most cases it needs to be supplied.
@@ -76,7 +76,7 @@ Unenroll this host from the IPA server. No keytab entry is removed in the proces
Quiet mode. Only errors are displayed.
.TP
\fB\-d,\-\-debug\fR
Print the raw XML-RPC output in GSSAPI mode.
Print the raw RPC output in GSSAPI mode.
.SH "EXAMPLES"
Join IPA domain and retrieve a keytab with kerberos credentials.
@@ -127,16 +127,18 @@ The exit status is 0 on success, nonzero on error.
16 Host name must be fully\-qualified
17 XML\-RPC fault
17 RPC fault
18 Principal not found in host entry
19 Unable to generate Kerberos credentials cache
20 Unenrollment result not in XML\-RPC response
20 Unenrollment result not in RPC response
21 Failed to get default Kerberos realm
22 Unable to auto-detect fully\-qualified hostname
.SH "SEE ALSO"
.BR ipa-rmkeytab (1)
.BR ipa-client-install (1)


@@ -17,7 +17,7 @@
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.\"
.TH "ipa-rmkeytab" "1" "Oct 30 2009" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-rmkeytab" "1" "Oct 30 2009" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-rmkeytab \- Remove a kerberos principal from a keytab
.SH "SYNOPSIS"
@@ -87,3 +87,5 @@ The exit status is 0 on success, nonzero on error.
5 Principal name or realm not found in keytab
6 Unable to remove principal from keytab
7 Failed to set cursor


@@ -16,7 +16,7 @@
.\"
.\" Author: Pavel Zuna <pzuna@redhat.com>
.\"
.TH "ipa" "1" "Apr 29 2016" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa" "1" "Apr 29 2016" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa \- IPA command\-line interface
.SH "SYNOPSIS"
@@ -132,12 +132,64 @@ c \- compare\p
W \- self\-write\p
O \- self\-obliterate
.SH "AUDIT AND LOGGING"
The IPA API logs audit messages to systemd journal about each command executed
through IPA API on the IPA server. These messages can be found by grepping
systemd journal with \fBjournalctl -g IPA.API\fR command. The message includes
following information:
May 21 11:31:33 master1.ipa1.test /usr/bin/ipa[247422]: [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["foobar"], "continue": false, "version": "2.253"}
.TP
\fB/usr/bin/ipa[247422]\fR
executable name and PID (`/mod_wsgi` for HTTP end-point)
.TP
\fB[IPA.API]\fR
marker to allow searches with \fBjournalctl -g IPA.API\R
.TP
\fBusername@REALM\fR
authenticated Kerberos principal or \fB[autobind]\fR marker for LDAP-based operations done as root
.TP
\fBuser_del\fR
name of the command executed
.TP
\fBSUCCESS\fR
result of execution: \fBSUCCESS\fR or an exception name
.TP
\fB[ldap2_140328582446688]\fR
LDAP backend connection instance identifier. The identifier will be the same for all
operations performed under the same request. This allows to identify operations
which were executed using the same LDAP connection. For API operations that
didn't result in LDAP access, there will be \fB[no_connection_id]\fR marker.
.TP
\fB{"uid": ["foobar"], "continue": false, "version": "2.253"}\fR
a list of arguments and options passed to the IPA API command, provided in JSON
format. Credentials are filtered out.
.LP
All explicitly requested operations logged. Internal operations, initiated as
part of execution of the explicitly requested IPA API calls, aren't logged. For
HTTP end-point operations will be logged as performed by the '/mod_wsgi'
executable binary. Remaining details can be inspected through the systemd
journal as journald records execution context. See systemd.journal\-fields(7)
for details.
The details of the individual logged messages can be explained with the help of
'\fBjournalctl -x\fR' command, while full set of logged properties can be
retrieved with '\fBjournalctl -o json-pretty\fR'. See journalctl(1) for details
on the systemd journal viewer.
For the sample message above, an explanation could be requested with '\fBjournalctl -x -g ldap2_140328582446688\fR' where LDAP backend connection instance identifier can be used to uniquely fetch that individual message.
.SH "EXAMPLES"
.TP
\fBipa help commands\fR
Display a list of available commands
.TP
\fBipa help topics\fR
Display a high\-level list of help topics
.TP
\fBipa help user\fR
Display documentation and list of commands in the "user" topic.
.TP
@@ -204,4 +256,5 @@ IPA default configuration file.
ipa\-client\-install(1), ipa\-compat\-manage(1), ipactl(1), ipa\-dns\-install(1),
ipa\-getcert(1), ipa\-getkeytab(1), ipa\-join(1), ipa\-ldap\-updater(1),
ipa\-nis\-manage(1), ipa\-replica\-install(1), ipa\-replica\-manage(1), ipa\-replica\-prepare(1),
ipa\-rmkeytab(1), ipa\-server\-certinstall(2), ipa\-server\-install(1), ipa\-server\-upgrade(1)
ipa\-rmkeytab(1), ipa\-server\-certinstall(2), ipa\-server\-install(1), ipa\-server\-upgrade(1),
systemd.journal\-fields(7), journalctl(1)