From rcritten at redhat.com Thu Sep 1 03:51:05 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 31 Aug 2011 23:51:05 -0400
Subject: [Freeipa-devel] [PATCH] stop checking for CA ports
In-Reply-To: <1314822281.20296.345.camel@willson.li.ssimo.org>
References: <1314822281.20296.345.camel@willson.li.ssimo.org>
Message-ID: <4E5F0129.3040608@redhat.com>

Simo Sorce wrote:
> We use the new proxy code for dogtag now, so we do not need to open all
> the CA ports as all connections go through the standard https port.
>
> Fixes https://fedorahosted.org/freeipa/ticket/1745
>
> Simo.

nack. dogtag replication still takes place over 7389.

rob

From simo at redhat.com Thu Sep 1 12:10:37 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 01 Sep 2011 08:10:37 -0400
Subject: [Freeipa-devel] [PATCH] stop checking for CA ports
In-Reply-To: <4E5F0129.3040608@redhat.com>
References: <1314822281.20296.345.camel@willson.li.ssimo.org> <4E5F0129.3040608@redhat.com>
Message-ID: <1314879037.20296.349.camel@willson.li.ssimo.org>

On Wed, 2011-08-31 at 23:51 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > We use the new proxy code for dogtag now, so we do not need to open all
> > the CA ports as all connections go through the standard https port.
> >
> > Fixes https://fedorahosted.org/freeipa/ticket/1745
> >
> > Simo.
>
> nack. dogtag replication still takes place over 7389.

Ouch, I am so glad we have a review process :-)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Thu Sep 1 12:21:00 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 01 Sep 2011 08:21:00 -0400
Subject: [Freeipa-devel] [PATCH] 098 stop checking for CA ports
In-Reply-To: <1314879037.20296.349.camel@willson.li.ssimo.org>
References: <1314822281.20296.345.camel@willson.li.ssimo.org> <4E5F0129.3040608@redhat.com> <1314879037.20296.349.camel@willson.li.ssimo.org>
Message-ID: <1314879660.20296.350.camel@willson.li.ssimo.org>

On Thu, 2011-09-01 at 08:10 -0400, Simo Sorce wrote:
> On Wed, 2011-08-31 at 23:51 -0400, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > > We use the new proxy code for dogtag now, so we do not need to open all
> > > the CA ports as all connections go through the standard https port.
> > >
> > > Fixes https://fedorahosted.org/freeipa/ticket/1745
> > >
> > > Simo.
> >
> > nack. dogtag replication still takes place over 7389.
>
> Ouch, I am so glad we have a review process :-)

New patch.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0098-2-conncheck-No-need-to-check-for-CA-ports-anymore.patch
Type: text/x-patch
Size: 1340 bytes

From simo at redhat.com Thu Sep 1 12:34:53 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 01 Sep 2011 08:34:53 -0400
Subject: [Freeipa-devel] [PATCH] 098 stop checking for CA ports
In-Reply-To: <1314879660.20296.350.camel@willson.li.ssimo.org>
References: <1314822281.20296.345.camel@willson.li.ssimo.org> <4E5F0129.3040608@redhat.com> <1314879037.20296.349.camel@willson.li.ssimo.org> <1314879660.20296.350.camel@willson.li.ssimo.org>
Message-ID: <1314880493.20296.352.camel@willson.li.ssimo.org>

On Thu, 2011-09-01 at 08:21 -0400, Simo Sorce wrote:
> On Thu, 2011-09-01 at 08:10 -0400, Simo Sorce wrote:
> > On Wed, 2011-08-31 at 23:51 -0400, Rob Crittenden wrote:
> > > Simo Sorce wrote:
> > > > We use the new proxy code for dogtag now, so we do not need to open all
> > > > the CA ports as all connections go through the standard https port.
> > > >
> > > > Fixes https://fedorahosted.org/freeipa/ticket/1745
> > > >
> > > > Simo.
> > >
> > > nack. dogtag replication still takes place over 7389.
> >
> > Ouch, I am so glad we have a review process :-)
>
> New patch.

After a quick convo with Rob on IRC I added a few ports that we should
always test.
80/443 are also necessary for CA replication but they are always checked
anyway because they are basic services that should always be available.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0098-3-conncheck-No-need-to-check-for-CA-ports-anymore.patch
Type: text/x-patch
Size: 1340 bytes

From rcritten at redhat.com Thu Sep 1 14:07:00 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 01 Sep 2011 10:07:00 -0400
Subject: [Freeipa-devel] [PATCH] 261 Fixed hard-coded UI message in entity.js.
In-Reply-To: <4E5EA1A6.5040403@redhat.com>
References: <4E5EA1A6.5040403@redhat.com>
Message-ID: <4E5F9184.5020403@redhat.com>

Endi Sukma Dewata wrote:
> The hard-coded label in IPA.facet has been moved into internal.py to
> allow translation.
>
> Ticket #1701

ACK

From rcritten at redhat.com Thu Sep 1 14:07:08 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 01 Sep 2011 10:07:08 -0400
Subject: [Freeipa-devel] [PATCH] 262 Fixed missing permission filter field.
In-Reply-To: <4E5EB8D6.3020903@redhat.com>
References: <4E5EB8D6.3020903@redhat.com>
Message-ID: <4E5F918C.50904@redhat.com>

Endi Sukma Dewata wrote:
> Due to a recent change, all dialog boxes are now reset initially. The
> IPA.target_section has been modified to show the default target (i.e.
> filter) and the fields properly when reset.
>
> Ticket #1748

ACK

From rcritten at redhat.com Thu Sep 1 14:07:16 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 01 Sep 2011 10:07:16 -0400
Subject: [Freeipa-devel] [PATCH] 098 stop checking for CA ports
In-Reply-To: <1314880493.20296.352.camel@willson.li.ssimo.org>
References: <1314822281.20296.345.camel@willson.li.ssimo.org> <4E5F0129.3040608@redhat.com> <1314879037.20296.349.camel@willson.li.ssimo.org> <1314879660.20296.350.camel@willson.li.ssimo.org> <1314880493.20296.352.camel@willson.li.ssimo.org>
Message-ID: <4E5F9194.90009@redhat.com>

Simo Sorce wrote:
> On Thu, 2011-09-01 at 08:21 -0400, Simo Sorce wrote:
>> On Thu, 2011-09-01 at 08:10 -0400, Simo Sorce wrote:
>>> On Wed, 2011-08-31 at 23:51 -0400, Rob Crittenden wrote:
>>>> Simo Sorce wrote:
>>>>> We use the new proxy code for dogtag now, so we do not need to open all
>>>>> the CA ports as all connections go through the standard https port.
>>>>>
>>>>> Fixes https://fedorahosted.org/freeipa/ticket/1745
>>>>>
>>>>> Simo.
>>>>
>>>> nack. dogtag replication still takes place over 7389.
>>>
>>> Ouch, I am so glad we have a review process :-)
>>
>> New patch.
>
> After a quick convo with Rob on IRC I added a few ports that we should
> always test.
> 80/443 are also necessary for CA replication but they are always checked
> anyway because they are basic services that should always be available.
>
> Simo.
>

ACK

From simo at redhat.com Thu Sep 1 14:12:57 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 01 Sep 2011 10:12:57 -0400
Subject: [Freeipa-devel] [PATCH] 098 stop checking for CA ports
In-Reply-To: <4E5F9194.90009@redhat.com>
References: <1314822281.20296.345.camel@willson.li.ssimo.org> <4E5F0129.3040608@redhat.com> <1314879037.20296.349.camel@willson.li.ssimo.org> <1314879660.20296.350.camel@willson.li.ssimo.org> <1314880493.20296.352.camel@willson.li.ssimo.org> <4E5F9194.90009@redhat.com>
Message-ID: <1314886377.20296.353.camel@willson.li.ssimo.org>

On Thu, 2011-09-01 at 10:07 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Thu, 2011-09-01 at 08:21 -0400, Simo Sorce wrote:
> >> On Thu, 2011-09-01 at 08:10 -0400, Simo Sorce wrote:
> >>> On Wed, 2011-08-31 at 23:51 -0400, Rob Crittenden wrote:
> >>>> Simo Sorce wrote:
> >>>>> We use the new proxy code for dogtag now, so we do not need to open all
> >>>>> the CA ports as all connections go through the standard https port.
> >>>>>
> >>>>> Fixes https://fedorahosted.org/freeipa/ticket/1745
> >>>>>
> >>>>> Simo.
> >>>>
> >>>> nack. dogtag replication still takes place over 7389.
> >>>
> >>> Ouch, I am so glad we have a review process :-)
> >>
> >> New patch.
> >
> > After a quick convo with Rob on IRC I added a few ports that we should
> > always test.
> > 80/443 are also necessary for CA replication but they are always checked
> > anyway because they are basic services that should always be available.
> >
> > Simo.
> >
>
> ACK

Pushed to master and 2.1

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From edewata at redhat.com Thu Sep 1 14:15:25 2011
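A replica-side port check of the kind the thread above is about, as an added example that is not FreeIPA's own ipa-replica-conncheck: it probes each required TCP port with a timeout and lists the ones a firewall blocks, so that the 7389 case Rob caught in review shows up before replication is attempted. Ports 80/443 and 7389 come from the thread; the Kerberos and LDAP ports are the standard ones and are an assumption added here, as is the local listener used to exercise the check offline.

```python
"""Replica connectivity check for the ports discussed in this thread.

Added example written for this page; it is not FreeIPA's
ipa-replica-conncheck.  80/443 and 7389 come from the thread, the LDAP
and Kerberos ports are the standard ones and are assumed here.
"""
import socket

# (tcp port, why a replica needs it)
REQUIRED_TCP_PORTS = (
    (80, "HTTP, CA requests proxied through Apache"),
    (443, "HTTPS, CA requests and XML-RPC proxied through Apache"),
    (88, "Kerberos KDC (assumed standard port)"),
    (464, "Kerberos kpasswd (assumed standard port)"),
    (389, "LDAP (assumed standard port)"),
    (636, "LDAPS (assumed standard port)"),
    (7389, "Dogtag's directory server instance, still used directly for CA replication"),
)


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP handshake with host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or timed out
        return False


def check_required_ports(host, ports=REQUIRED_TCP_PORTS, probe=tcp_port_open):
    """Return the (port, reason) pairs that could NOT be reached on host."""
    return [(port, reason) for port, reason in ports if not probe(host, port)]


def format_report(host, unreachable):
    """Human-readable summary of check_required_ports() output."""
    if not unreachable:
        return "%s: all required ports reachable" % host
    lines = ["%s: %d required port(s) blocked" % (host, len(unreachable))]
    lines.extend("  %5d  %s" % (port, reason) for port, reason in unreachable)
    return "\n".join(lines)


class LocalListener:
    """Offline stand-in for a remote service: an ephemeral listening TCP socket."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))
        self.sock.listen(5)
        self.host, self.port = self.sock.getsockname()[:2]

    def close(self):
        self.sock.close()


def demo():
    """Probe one listening and one closed local port; returns the unreachable list."""
    up = LocalListener()
    down = LocalListener()
    down.close()             # the kernel now refuses connections on down.port
    try:
        ports = ((up.port, "local stand-in for 7389"),
                 (down.port, "local stand-in for a firewalled port"))
        return check_required_ports(up.host, ports)
    finally:
        up.close()


if __name__ == "__main__":
    print(format_report("127.0.0.1", demo()))
```

On a real replica candidate, call check_required_ports(master_fqdn) with the default list; an empty result is the precondition for starting replication, and a non-empty one tells the admin which rule to open. The check only proves a TCP handshake, not that the service behind the port is the expected one, so it complements rather than replaces the service-level verification the installer performs later.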
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 01 Sep 2011 09:15:25 -0500
Subject: [Freeipa-devel] [PATCH] 261 Fixed hard-coded UI message in entity.js.
In-Reply-To: <4E5F9184.5020403@redhat.com>
References: <4E5EA1A6.5040403@redhat.com> <4E5F9184.5020403@redhat.com>
Message-ID: <4E5F937D.90207@redhat.com>

On 9/1/2011 9:07 AM, Rob Crittenden wrote:
> Endi Sukma Dewata wrote:
>> The hard-coded label in IPA.facet has been moved into internal.py to
>> allow translation.
>>
>> Ticket #1701
> ACK

Pushed to master and ipa-2-1.

--
Endi S. Dewata

From edewata at redhat.com Thu Sep 1 14:16:10 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 01 Sep 2011 09:16:10 -0500
Subject: [Freeipa-devel] [PATCH] 262 Fixed missing permission filter field.
In-Reply-To: <4E5F918C.50904@redhat.com>
References: <4E5EB8D6.3020903@redhat.com> <4E5F918C.50904@redhat.com>
Message-ID: <4E5F93AA.80801@redhat.com>

On 9/1/2011 9:07 AM, Rob Crittenden wrote:
> Endi Sukma Dewata wrote:
>> Due to a recent change, all dialog boxes are now reset initially. The
>> IPA.target_section has been modified to show the default target (i.e.
>> filter) and the fields properly when reset.
>>
>> Ticket #1748
> ACK

Pushed to master and ipa-2-1.

--
Endi S. Dewata

From simo at redhat.com Thu Sep 1 19:41:46 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 01 Sep 2011 15:41:46 -0400
Subject: [Freeipa-devel] [PATCH, FreeIPA2.1] Review request for platform abstraction refactoring
In-Reply-To: <4E5E8542.4090001@redhat.com>
References: <4E5E8542.4090001@redhat.com>
Message-ID: <1314906106.20296.372.camel@willson.li.ssimo.org>

On Wed, 2011-08-31 at 22:02 +0300, Alexander Bokovoy wrote:
> Hi!
>
> In branch 'platform' of
> http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=summary
> you can find four commits which represent working code to address
> https://fedorahosted.org/freeipa/ticket/1605.
>
> What is done:
> 1. ipapython.services module represents a system-agnostic way to
> communicate with platform-specific services management and other
> platform-specific functions.
>
> 2. ipapython.platform.* implements platform-specific functionality. The
> code is pulled in by the ipapython.services module and should not be
> addressed directly.
>
> 3. ipapython.platform.redhat module (not to be called directly!) is what
> FreeIPA 2.1 has had previously -- current RHEL6 and Fedora14/15
> implementation.
>
> 4. Install tools, IPA client, and IPA server install code is converted
> to use ipapython.services.
>
> To facilitate a more expressive way of working with often used services,
> the ipapython.services module provides a shortcut to access them by name via
> ipapython.services.knownservices.. A typical code change looks
> like this:
> ------------------------------------------------
> (from ipapython import services as ipaservices)
> - service.restart("dirsrv")
> - service.restart("krb5kdc")
> - service.restart("httpd")
> + ipaservices.knownservices.dirsrv.restart()
> + ipaservices.knownservices.krb5kdc.restart()
> + ipaservices.knownservices.httpd.restart()
> ------------------------------------------------
>
> Besides the expression change this also makes it more explicit to platform
> providers what services they have to implement.
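Review bot: the new knownservices.dirsrv / krb5kdc / httpd attribute lookups in this hunk only fail when that line of the installer actually runs, so a misspelled well-known name is not caught at import or packaging time but surfaces as an AttributeError part way through an install or uninstall (the nslcd traceback later in this thread is exactly that case); a unit test that resolves every entry of wellknownservices through the provider, or a check at module load that the provider defines each name, would make such a typo fail early instead.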
> Service names
> are defined in ipapython.platform.base.wellknownservices and represent
> definitive names to access these services from FreeIPA code. Of course,
> a platform provider should remap those names to platform-specific ones --
> for the ipapython.platform.redhat provider the mapping is identity.
>
> If code needs direct access to some unnamed service, one could use
> the ipapython.services.service class:
> ------------------------------------------------
> for (order, svc) in sorted(svc_list):
> svc_name = service.SERVICE_LIST[svc][0]
> + svchandle = ipaservices.service(svc_name)
> try:
> print "Starting %s Service" % svc
> - service.start(svc_name,
> capture_output=get_capture_output(svc_name, options.debug))
> + svchandle.start(capture_output=get_capture_output(svc_name,
> options.debug))
> except:
> emit_err("Failed to start %s Service" % svc)
> ------------------------------------------------
>
> Server-side installation code depends on quite a delicate arrangement of
> Certificate Server, Directory Server, and is not really portable to
> other environments unless you do provide the same packages as Fedora or RHEL
> have. However, I tried to abstract service-specific calls in such a way
> that they all go through ipapython.platform.* so even here remapping of
> names is possible. Unfortunately, not for file paths yet.
>
> Client side is more ready for porting except for authconfig(8) use.
> One of the substantial issues for porting FreeIPA client code to platforms
> other than Red Hat's is the use of the authconfig(8) utility to configure
> authentication services. What I ended up with is a flexible interface
> (ipapython.platform.base.AuthConfig) to specify options and execute
> external apps. As with knownservices, one step more is to make those
> options accessible as member attributes instead of strings but even with
> the current approach this gives full isolation of the implementation of
> the authconfig replacement from FreeIPA code.
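Review bot: the bare `except:` that wraps svchandle.start() in this hunk still discards the actual error, so emit_err("Failed to start %s Service" % svc) is all the user sees even though the new service handle can now report a platform-specific reason; catching `Exception` as e and appending str(e) to the message would keep the diagnostic, and a bare except also swallows KeyboardInterrupt while a slow service is starting, which makes the loop impossible to abort cleanly.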
>
> Typical use for AuthConfig is via the ipapython.services.authconfig class:
> ------------------------------------------------
> - run(["/usr/sbin/authconfig", "--disableldap", "--disablekrb5",
> "--disablesssd", "--disablesssdauth", "--disablemkhomedir", "--update"])
> + auth_config = ipaservices.authconfig()
> + auth_config.disable("ldap").\
> + disable("krb5").\
> + disable("sssd").\
> + disable("sssdauth").\
> + disable("mkhomedir").\
> + add_option("update")
> + auth_config.execute()
> ------------------------------------------------
> This should make porting much simpler -- less code to touch in core FreeIPA.
>
> Now the good things: this all works! :)
>
> I tried on F15, doing ipa-server-install with different options and
> uninstalling as well, joining another client and removing it later. Of
> course, more testing is needed too.

Patches look good, and they mostly work fine on top of master but I got
this stack trace trying to uninstall:

# ipa-client-install --uninstall
Unenrolling client from IPA server
Unenrolling host failed: Error obtaining initial credentials:
Decrypt integrity check failed.

Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1117, in
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1099, in main
    return uninstall(options, env)
  File "/usr/sbin/ipa-client-install", line 295, in uninstall
    nslcd = ipaservices.knownservices.nslcd
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 167, in __getattr__
    raise AttributeError('no magic attribute %r' % name)
AttributeError: no magic attribute 'nslcd'

If you resolve this issue we should be basically good to go.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From abokovoy at redhat.com Thu Sep 1 20:25:15 2011
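Review bot: the removed run([...]) call failed loudly on a non-zero exit from authconfig, whereas the new auth_config.execute() in this hunk shows neither a return value being checked nor an exception being expected; the AuthConfig base class should state whether execute() raises, returns the exit status or ignores failures, otherwise ipa-client-install cannot tell a failed --disableldap from a successful one. Style point: the chained .disable("...").\ lines use backslash continuations where wrapping the whole chain in parentheses is the usual Python idiom and survives trailing whitespace.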
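The knownservices attribute access, the provider name remapping and the chainable AuthConfig builder described in the quoted design, as an added example written for this page rather than FreeIPA's own ipapython.services code. It also reproduces the failure mode in Simo's traceback: a misspelled service name is rejected with AttributeError at the point of use. The WELLKNOWN_SERVICES tuple is an assumed subset of wellknownservices, DebianLikeProvider is a made-up provider that only exists to show a non-identity mapping, and the RecordingRunner stands in for actually executing commands so the example runs offline.

```python
"""Toy model of the ipapython.services design described in the thread.

Added example written for this page; it is not FreeIPA's own code.
WELLKNOWN_SERVICES is an assumed subset of wellknownservices and
DebianLikeProvider is a made-up provider used only to show remapping.
"""
import subprocess

# Assumed subset of ipapython.platform.base.wellknownservices.
WELLKNOWN_SERVICES = ("dirsrv", "krb5kdc", "httpd", "nslcd", "sssd")


def subprocess_runner(argv, capture_output=False):
    """Real runner: execute argv, raise CalledProcessError on non-zero exit."""
    return subprocess.run(argv, capture_output=capture_output, check=True).returncode


class RecordingRunner:
    """Offline runner for this example: records argv instead of executing it."""

    def __init__(self):
        self.calls = []

    def __call__(self, argv, capture_output=False):
        self.calls.append(list(argv))
        return 0


class PlatformService:
    """Handle for one service whose name the provider has already remapped."""

    def __init__(self, wellknown, platform_name, runner):
        self.wellknown = wellknown
        self.platform_name = platform_name
        self._runner = runner

    def _service(self, action, capture_output):
        # SysV-style invocation, as the Red Hat provider of that era used.
        return self._runner(["/sbin/service", self.platform_name, action],
                            capture_output)

    def start(self, capture_output=False):
        return self._service("start", capture_output)

    def restart(self, capture_output=False):
        return self._service("restart", capture_output)


class Provider:
    """Platform provider: well-known name -> platform name (identity by default)."""
    name_map = {}

    def __init__(self, runner):
        self._runner = runner

    def service(self, name):
        """Direct access for any name, like ipapython.services.service."""
        return PlatformService(name, self.name_map.get(name, name), self._runner)


class DebianLikeProvider(Provider):
    """Assumed non-identity mapping; not a real FreeIPA provider."""
    name_map = {"httpd": "apache2"}


class KnownServices:
    """knownservices.<name>: attribute access limited to WELLKNOWN_SERVICES.

    A misspelled name raises AttributeError at the call site instead of
    running a command against a service that does not exist.
    """

    def __init__(self, provider):
        self._provider = provider

    def __getattr__(self, name):
        if name.startswith("_") or name not in WELLKNOWN_SERVICES:
            raise AttributeError("no known service %r" % name)
        return self._provider.service(name)


class AuthConfig:
    """Chainable builder for an authconfig(8)-style command line."""

    def __init__(self, runner, executable="/usr/sbin/authconfig"):
        self._runner = runner
        self._executable = executable
        self._args = []

    def enable(self, option):
        self._args.append("--enable" + option)
        return self

    def disable(self, option):
        self._args.append("--disable" + option)
        return self

    def add_option(self, option):
        self._args.append("--" + option)
        return self

    def build(self):
        return [self._executable] + list(self._args)

    def execute(self, capture_output=False):
        """Run the assembled command; the runner decides how failure surfaces."""
        return self._runner(self.build(), capture_output)


def client_uninstall_argv(runner):
    """Rebuild the uninstall command from the thread through the builder."""
    cfg = AuthConfig(runner)
    (cfg.disable("ldap").disable("krb5").disable("sssd")
        .disable("sssdauth").disable("mkhomedir").add_option("update"))
    cfg.execute()
    return cfg.build()
```

With a RecordingRunner, KnownServices(Provider(r)).nslcd.restart() records ['/sbin/service', 'nslcd', 'restart'] while the misspelled .nlscd raises AttributeError before any command is built; on a real host the same objects are constructed with subprocess_runner, whose check=True makes a failing authconfig raise instead of being silently ignored.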
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 01 Sep 2011 23:25:15 +0300
Subject: [Freeipa-devel] [PATCH, FreeIPA2.1] Review request for platform abstraction refactoring
In-Reply-To: <1314906106.20296.372.camel@willson.li.ssimo.org>
References: <4E5E8542.4090001@redhat.com> <1314906106.20296.372.camel@willson.li.ssimo.org>
Message-ID: <4E5FEA2B.5080702@redhat.com>

On 01.09.2011 22:41, Simo Sorce wrote:
>> I tried on F15, doing ipa-server-install with different options and
>> uninstalling as well, joining another client and removing it later. Of
>> course, more testing is needed too.
>
> Patches look good, and they mostly work fine on top of master but I got
> this stack trace trying to uninstall:
>
>
> # ipa-client-install --uninstall
> Unenrolling client from IPA server
> Unenrolling host failed: Error obtaining initial credentials:
> Decrypt integrity check failed.
>
> Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Restoring client configuration files
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1117, in
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1099, in main
>     return uninstall(options, env)
>   File "/usr/sbin/ipa-client-install", line 295, in uninstall
>     nslcd = ipaservices.knownservices.nslcd
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line
> 167, in __getattr__
>     raise AttributeError('no magic attribute %r' % name)
> AttributeError: no magic attribute 'nslcd'
>
>
> If you resolve this issue we should be basically good to go.

Ohh, this was a simple typo in ipapython/platform/base.py: wellknownservices
contained nlscd instead of nslcd. And this example shows how important it
is to work with services as "native" objects -- the Python interpreter will
help to protect against such typos in the client code. Of course, if the
framework is not broken... :)

Fixed and pushed an update into the tree on fedorapeople.

Thanks for the review!
--
/ Alexander Bokovoy

From edewata at redhat.com Thu Sep 1 21:24:42 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 01 Sep 2011 16:24:42 -0500
Subject: [Freeipa-devel] [PATCH] 263 Fixed problem with combobox using Sahi
Message-ID: <4E5FF81A.2030409@redhat.com>

The IPA.combobox_widget has been temporarily fixed to support automation
using Sahi.

Ticket #1754

Pushed to master and ipa-2-1 under one-liner/trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0263-Fixed-problem-with-combobox-using-Sahi.patch
Type: text/x-patch
Size: 1184 bytes

From mkosek at redhat.com Mon Sep 5 09:29:56 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 05 Sep 2011 11:29:56 +0200
Subject: [Freeipa-devel] [PATCH] 116 Improve man pages structure
Message-ID: <1315214998.24171.0.camel@dhcp-25-52.brq.redhat.com>

There are too many options in ipa-*-install scripts which makes it
difficult to read. This patch adds subsections to install script
online help and man pages to improve readability. No option has
been changed.

To further improve man pages:

1) All man pages were changed to have the same header and top-center
title to provide a unified look.

2) A few typos in man pages have been fixed

https://fedorahosted.org/freeipa/ticket/1687

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-116-improve-man-pages-structure.patch
Type: text/x-patch
Size: 49309 bytes

From mkosek at redhat.com Mon Sep 5 10:38:09 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 05 Sep 2011 12:38:09 +0200
Subject: [Freeipa-devel] [PATCH] 117 Improve ipa-join man page
Message-ID: <1315219091.24171.1.camel@dhcp-25-52.brq.redhat.com>

Make it clear in the man pages that ipa-join -u does not remove the keytab.

https://fedorahosted.org/freeipa/ticket/1317

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-117-improve-ipa-join-man-page.patch
Type: text/x-patch
Size: 2194 bytes

From mkosek at redhat.com Mon Sep 5 14:24:00 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 05 Sep 2011 16:24:00 +0200
Subject: [Freeipa-devel] [PATCH] 118 Fix permissions in installers
Message-ID: <1315232643.24171.5.camel@dhcp-25-52.brq.redhat.com>

How to test:
1) on server:
 - check that files in /usr/share/ipa/html are world readable
 - check that IPA files in /etc/httpd/conf.d/ are world readable

2) on client:
 - check that /etc/ipa/default.conf is world readable, i.e. non-root can
 kinit and run "ipa" commands

---

Fix permissions for (configuration) files produced by
ipa-server-install or ipa-client-install. This patch is needed
when root has a umask preventing files from being world readable.

https://fedorahosted.org/freeipa/ticket/1644

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-118-fix-permissions-in-installers.patch
Type: text/x-patch
Size: 9076 bytes

From mkosek at redhat.com Mon Sep 5 14:37:33 2011
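The umask problem that patch 118 addresses, as an added example that is not the installer's own code: a writer that forces the file mode on the open descriptor so the result does not depend on whatever umask root happens to have, a reproduction of the bug under umask 077, and the kind of check the test plan above describes, run over a list of paths. The temporary directory and the sample default.conf content are constructed for the demo; nothing is written under /etc.

```python
"""Added example for the umask problem behind patch 118.

Illustrative code written for this page, not FreeIPA's installer code.
The file name default.conf mirrors the /etc/ipa/default.conf case from
the thread; the demo writes under a temporary directory, never to /etc.
"""
import os
import shutil
import stat
import tempfile


def mode_of(path):
    """Permission bits of path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_world_readable(path):
    return bool(mode_of(path) & stat.S_IROTH)


def write_config(path, content, mode=0o644):
    """Create or overwrite path with an explicit mode, independent of umask.

    os.open() applies the process umask to `mode`, so under umask 077 the
    file is created 0o600.  fchmod() on the open descriptor then forces the
    intended bits without a second path lookup (no window for a swapped
    path between create and chmod).  Returns the resulting mode.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    try:
        os.fchmod(fd, mode)
        os.write(fd, content.encode("utf-8"))
    finally:
        os.close(fd)
    return mode_of(path)


def reproduce_under_strict_umask(content="[global]\nrealm = EXAMPLE.TEST\n"):
    """Run the naive and the fixed writer under umask 077.

    Returns (naive_world_readable, fixed_world_readable); expected (False, True).
    """
    old_umask = os.umask(0o077)
    workdir = tempfile.mkdtemp(prefix="ipa-perm-demo-")
    try:
        naive = os.path.join(workdir, "default.conf.naive")
        with open(naive, "w") as fh:          # inherits the umask: 0o600
            fh.write(content)
        fixed = os.path.join(workdir, "default.conf")
        write_config(fixed, content)         # forced to 0o644
        return is_world_readable(naive), is_world_readable(fixed)
    finally:
        os.umask(old_umask)
        shutil.rmtree(workdir, ignore_errors=True)


def find_unreadable(paths):
    """Installer-style check: existing paths that 'other' cannot read."""
    return [p for p in paths if os.path.exists(p) and not is_world_readable(p)]


if __name__ == "__main__":
    print("naive, fixed world-readable:", reproduce_under_strict_umask())
    print("unreadable:", find_unreadable(["/etc/ipa/default.conf",
                                          "/usr/share/ipa/html/index.html"]))
```

World-readable is the right mode for default.conf (realm and server names) and for the html and httpd conf.d files in the test plan, but the same helper must never be pointed at anything holding a secret: /etc/krb5.keytab, which the thread also mentions, stays root-only. find_unreadable() skips paths that do not exist, so one list can serve both the server and the client check.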
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 05 Sep 2011 16:37:33 +0200
Subject: [Freeipa-devel] [PATCH] 119 Fix typos
Message-ID: <1315233454.24171.9.camel@dhcp-25-52.brq.redhat.com>

Kudos to Yuri Chornoivan who submitted the patch. I just created the
commit message and prepared separate patches for the master/ipa-2-1 branches
as there was a conflict.

---

Fix "The the" and "classses" in FreeIPA code and messages.

https://fedorahosted.org/freeipa/ticket/1480

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-119-fix-typos.patch
Type: text/x-patch
Size: 19002 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-119-ipa-2-1.patch
Type: text/x-patch
Size: 19585 bytes

From abokovoy at redhat.com Mon Sep 5 16:16:05 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 05 Sep 2011 19:16:05 +0300
Subject: [Freeipa-devel] [PATCH] 116 Improve man pages structure
In-Reply-To: <1315214998.24171.0.camel@dhcp-25-52.brq.redhat.com>
References: <1315214998.24171.0.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E64F5C5.9000607@redhat.com>

Hi Martin,

On 05.09.2011 12:29, Martin Kosek wrote:
> There are too many options in ipa-*-install scripts which makes it
> difficult to read. This patch adds subsections to install script
> online help and man pages to improve readability. No option has
> been changed.
>
> To further improve man pages:
>
> 1) All man pages were changed to have the same header and top-center
> title to provide a unified look.
>
> 2) A few typos in man pages have been fixed
>
> https://fedorahosted.org/freeipa/ticket/1687

I'm checking these (116-119) patches against the ipa-2-1 tree and there are
a few conflicts:

PATCH freeipa-mkosek-116-improve-man-pages-structure.patch
....
patching file install/tools/man/ipa-server-install.1
Hunk #1 FAILED at 16.
1 out of 4 hunks FAILED -- saving rejects to file
install/tools/man/ipa-server-install.1.rej


PATCH freeipa-mkosek-118-fix-permissions-in-installers.patch
patching file install/tools/ipa-server-install
Hunk #1 succeeded at 820 (offset 14 lines).
patching file ipa-client/ipa-install/ipa-client-install
Hunk #1 succeeded at 345 (offset 15 lines).
Hunk #2 succeeded at 521 (offset 15 lines).
patching file ipaserver/install/dsinstance.py
patching file ipaserver/install/httpinstance.py
patching file ipaserver/install/krbinstance.py
Hunk #1 succeeded at 316 with fuzz 2 (offset 34 lines).
Hunk #2 FAILED at 303.
1 out of 2 hunks FAILED -- saving rejects to file
ipaserver/install/krbinstance.py.rej


Could you please re-base these two?

--
/ Alexander Bokovoy

From ayoung at redhat.com Tue Sep 6 02:49:55 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 05 Sep 2011 22:49:55 -0400
Subject: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
In-Reply-To: <1314655116.20296.290.camel@willson.li.ssimo.org>
References: <4E4E9B34.10309@redhat.com> <4E4EA415.9010907@redhat.com> <4E5455EC.2020505@redhat.com> <4E56BD82.6060501@redhat.com> <4E57CDA8.6080303@redhat.com> <1314381838.20296.242.camel@willson.li.ssimo.org> <1314383672.20296.245.camel@willson.li.ssimo.org> <4E5812F3.9030001@redhat.com> <1314397806.20296.252.camel@willson.li.ssimo.org> <4E584105.8040508@redhat.com> <4E58564A.9050405@redhat.com> <1314655116.20296.290.camel@willson.li.ssimo.org>
Message-ID: <4E658A53.5010207@redhat.com>

On 08/29/2011 05:58 PM, Simo Sorce wrote:
> On Fri, 2011-08-26 at 22:28 -0400, Adam Young wrote:
>> On 08/26/2011 08:57 PM, Adam Young wrote:
>>> On 08/26/2011 06:30 PM, Simo Sorce wrote:
>>>> On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
>>>>> On 08/26/2011 02:34 PM, Simo Sorce wrote:
>>>>>> On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
>>>>>>> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
>>>>>>>> On 08/25/2011 05:24 PM, Adam Young wrote:
>>>>>>>>> Uses the updated version of pkicreate which makes an ipa specific
>>>>>>>>> proxy config file.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Freeipa-devel mailing list
>>>>>>>>> Freeipa-devel at redhat.com
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>>>> The test for the proxy file in /etc/httpd/conf.d was "isfile" but
>>>>>>>> since the file is actually a symlink, it needs to be "islink".
>>>>>>>> This one checks for either.
>>>>>>> Nack, install fails after configuring the http service.
>>>>>>> Restart bails out
>>>>>>>
>>>>>>> using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the
>>>>>>> way (it was suppressing the error output) I get a permission denied error
>>>>>>> trying to open /etc/httpd/conf.d/proxy-ipa.conf
>>>>>>> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned
>>>>>>> by pkiuser:pkiuser with permission 660 (therefore not readable by the
>>>>>>> apache user).
>>>>>> Ok it turns out permissions are not the real issue as the file is read
>>>>>> while apache is still root, it's a selinux issue.
>>>>>> Apache starts if I setenforce 0
>>>>>>
>>>>>> Still a NAck of course, it needs to work with selinux in enforcing
>>>>>> mode
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>> This version owns the proxy config file. It works with setenforce 0,
>>>>> but does not work with SELinux, so, preemptive-nack. But I will be gone
>>>>> for a week, so if someone wants to pick this up and run with it, start
>>>>> from here.
>>>> The previous patch with the corrected isfile vs islink issue works fine
>>>> as long as the SELinux policy is fixed to allow access
>>>> to /etc/pki-ca/proxy-ipa.conf
>>>>
>>>> I have tested a master and then replica install with no issues after I
>>>> loaded a custom SELinux policy that allows that.
>>>>
>>>> So tentative ACK to the former patch.
>>>> I will discuss with Ade how to resolve the SELinux issue and will push to
>>>> master once that is solved.
>>>>
>>>> Simo.
>>>>
>>> Previous patch is based on a change for PKI-CA that we are not going
>>> to push, so we can't go with that. The file
>>> /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use.
>>> Whatever the issue is with this patch it has to be fairly minor. The
>>> difference in approach is that this one includes the conf file and
>>> places it in /etc/httpd/conf.d.
>>> The problem is possibly the fact that
>>> this one uses localhost instead of the FQDN, although I did test it
>>> both ways prior to adding it to the RPM, and it worked with localhost
>>> and SELinux in enforcing mode.
>>>
>> Failure seems to be from this step in the install log:
>>
>>
>>
>> After configuration, the server can be operated by the command:
>>
>> /sbin/service pki-cad restart pki-ca
>>
>>
>> 2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED
>> run_command("/sbin/service pki-cad restart pki-ca"), exit status=126
>> output="Stopping pki-ca: [ OK ]
>> /usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied"
>>
>>
>> And in the Audit log:
>>
>>
>> type=AVC msg=audit(1314409907.089:2397): avc: denied { transition }
>> for pid=21040 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0
>> ino=35449 scontext=system_u:system_r:kernel_t:s0
>> tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
>> type=AVC msg=audit(1314410048.272:2398): avc: denied { transition }
>> for pid=21124 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0
>> ino=35449 scontext=system_u:system_r:kernel_t:s0
>> tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
>
> I guess these AVCs were due to mislabeling of your development system.
> I tried multiple times w/o any issues.
>
> I added a few minor corrections.
>
> a) actually copying the file to /etc/httpd/conf.d was missing, I do that
> as an additional final configuration step in cainstance.py
> b) renamed the file to ipa-pki-proxy.conf, the original name was fine as
> a dogtag file, but as an ipa file it lacked context
> c) I added an httpd server restart in ipa-ca-install as that script does
> not otherwise restart apache and we need it to read the new conf file
> that was just dropped down.
>
> This was tested and pushed to master.
>
> Simo.
>

Thanks Simo. Considering that this happened a few days back, I'm guessing
that it hasn't blown up on anyone yet.

From ayoung at redhat.com Tue Sep 6 02:51:59 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 05 Sep 2011 22:51:59 -0400
Subject: [Freeipa-devel] [PATCH] 263 Fixed problem with combobox using Sahi
In-Reply-To: <4E5FF81A.2030409@redhat.com>
References: <4E5FF81A.2030409@redhat.com>
Message-ID: <4E658ACF.3020100@redhat.com>

On 09/01/2011 05:24 PM, Endi Sukma Dewata wrote:
> The IPA.combobox_widget has been temporarily fixed to support automation
> using Sahi.
>
> Ticket #1754
>
> Pushed to master and ipa-2-1 under one-liner/trivial rule.

This looks like a reasonable change. I think that most combo-box controls
would close once you made a persisted change. Any reason not to keep this
as the long term fix?

From mkosek at redhat.com Tue Sep 6 06:51:05 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 06 Sep 2011 08:51:05 +0200
Subject: [Freeipa-devel] [PATCH] 116 Improve man pages structure
In-Reply-To: <4E64F5C5.9000607@redhat.com>
References: <1315214998.24171.0.camel@dhcp-25-52.brq.redhat.com> <4E64F5C5.9000607@redhat.com>
Message-ID: <1315291867.4820.2.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-09-05 at 19:16 +0300, Alexander Bokovoy wrote:
> Hi Martin,
>
> On 05.09.2011 12:29, Martin Kosek wrote:
> > There are too many options in ipa-*-install scripts which makes it
> > difficult to read. This patch adds subsections to install script
> > online help and man pages to improve readability. No option has
> > been changed.
> >
> > To further improve man pages:
> >
> > 1) All man pages were changed to have the same header and top-center
> > title to provide a unified look.
> >
> > 2) A few typos in man pages have been fixed
> >
> > https://fedorahosted.org/freeipa/ticket/1687
> I'm checking these (116-119) patches against the ipa-2-1 tree and there are
> a few conflicts:
>
> PATCH freeipa-mkosek-116-improve-man-pages-structure.patch
> ....
> patching file install/tools/man/ipa-server-install.1
> Hunk #1 FAILED at 16.
> 1 out of 4 hunks FAILED -- saving rejects to file
> install/tools/man/ipa-server-install.1.rej
>
>
> PATCH freeipa-mkosek-118-fix-permissions-in-installers.patch
> patching file install/tools/ipa-server-install
> Hunk #1 succeeded at 820 (offset 14 lines).
> patching file ipa-client/ipa-install/ipa-client-install
> Hunk #1 succeeded at 345 (offset 15 lines).
> Hunk #2 succeeded at 521 (offset 15 lines).
> patching file ipaserver/install/dsinstance.py
> patching file ipaserver/install/httpinstance.py
> patching file ipaserver/install/krbinstance.py
> Hunk #1 succeeded at 316 with fuzz 2 (offset 34 lines).
> Hunk #2 FAILED at 303.
> 1 out of 2 hunks FAILED -- saving rejects to file
> ipaserver/install/krbinstance.py.rej
>
>
> Could you please re-base these two?
>

Sending also an ipa-2-1 patch.
I usually develop patches for master branch only when there are only slight differences so that I can rebase for ipa-2-1 just once - after the patch is acked.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-116-ipa-2-1.patch
Type: text/x-patch
Size: 49289 bytes

From mkosek at redhat.com Tue Sep 6 06:52:23 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 06 Sep 2011 08:52:23 +0200
Subject: [Freeipa-devel] [PATCH] 118 Fix permissions in installers
In-Reply-To: <1315232643.24171.5.camel@dhcp-25-52.brq.redhat.com>
References: <1315232643.24171.5.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1315291945.4820.4.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-09-05 at 16:24 +0200, Martin Kosek wrote:
> How to test:
> 1) on server:
> - check that files in /usr/share/ipa/html are world readable
> - check that IPA files in /etc/httpd/conf.d/ are world readable
>
> 2) on client:
> - check that /etc/ipa/default.conf is world readable, i.e. non-root can
> kinit and run "ipa" commands
>
> ---
>
> Fix permissions for (configuration) files produced by
> ipa-server-install or ipa-client-install. This patch is needed
> when root has a umask preventing files from being world readable.
>
> https://fedorahosted.org/freeipa/ticket/1644

Attaching a patch for ipa-2-1 branch too.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-118-ipa-2-1.patch
Type: text/x-patch
Size: 8872 bytes

From pedro.nova33 at gmail.com Tue Sep 6 07:05:40 2011
From: pedro.nova33 at gmail.com (Pedro Nova)
Date: Tue, 6 Sep 2011 09:05:40 +0200
Subject: [Freeipa-devel] no valid certificate

Hi All,

How can I charge a valid certificate through the web admin interface https://hostname/ipa/ui?

Some tips for Sudo commands settings?

Thanks,

--
###############################
#            Nov@             #
#        *d( '_' )b *         #
###############################

-------------- next part --------------
A non-text attachment was scrubbed...
Name: no valid certificate.png
Type: image/png
Size: 2706 bytes

From mkosek at redhat.com Tue Sep 6 08:41:41 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 06 Sep 2011 10:41:41 +0200
Subject: [Freeipa-devel] [PATCH] 067 Silence a compilation warning in ipa_kpasswd
In-Reply-To: <4E32CB99.8020107@redhat.com>
References: <4E26EFF2.6010609@redhat.com> <4E281E2C.4030505@redhat.com> <1311252799.17378.45.camel@dhcp-25-52.brq.redhat.com> <4E32CB99.8020107@redhat.com>
Message-ID: <1315298504.4820.5.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-07-29 at 17:02 +0200, Jakub Hrozek wrote:
> On 07/21/2011 02:53 PM, Martin Kosek wrote:
> > On Thu, 2011-07-21 at 14:40 +0200, Jan Cholasta wrote:
> >> On 20.7.2011 17:10, Jakub Hrozek wrote:
> >>> I was playing with ipa_kpasswd (long story short - I needed it running
> >>> on a non-standard port) and I noticed there was a compilation warning -
> >>> rtag was set but never checked.
> >>>
> >>> Also removes one unused #define.
> >>>
> >>
> >> Found just a minor issue: you use spaces for indentation, but the rest
> >> of the file uses tabs.
> >>
> >> Honza
> >>
> >
> > To put my 2 cents in - I don't like throwing the same error message in
> > more places.
> >
> > When it really ends with this message we wouldn't know the exact spot
> > with the error. IMO it would make the following investigation simpler if
> > we fix this.
> >
> > Martin
> >
>
> A new patch is attached.

ACK and pushed to ipa-2-1.

Martin

From abokovoy at redhat.com Tue Sep 6 09:59:27 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 06 Sep 2011 12:59:27 +0300
Subject: [Freeipa-devel] [PATCH] 116 Improve man pages structure
In-Reply-To: <1315214998.24171.0.camel@dhcp-25-52.brq.redhat.com>
References: <1315214998.24171.0.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E65EEFF.7070006@redhat.com>

On 05.09.2011 12:29, Martin Kosek wrote:
> There are too many options in ipa-*-install scripts which makes it
> difficult to read. This patch adds subsections to install script
> online help and man pages to improve readability. No option has
> been changed.
>
> To further improve man pages:
>
> 1) All man pages were changed to have the same header and top-center
> title to provide united look.
>
> 2) Few typos in man pages have been fixed
>
> https://fedorahosted.org/freeipa/ticket/1687

ACK for master.

--
/ Alexander Bokovoy

From abokovoy at redhat.com Tue Sep 6 10:00:27 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 06 Sep 2011 13:00:27 +0300
Subject: [Freeipa-devel] [PATCH] 117 Improve ipa-join man page
In-Reply-To: <1315219091.24171.1.camel@dhcp-25-52.brq.redhat.com>
References: <1315219091.24171.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E65EF3B.5090603@redhat.com>

On 05.09.2011 13:38, Martin Kosek wrote:
> Make it clear in man pages that ipa-join -u does not remove keytab.
>
> https://fedorahosted.org/freeipa/ticket/1317

ACK for both ipa-2-1 and master.

--
/ Alexander Bokovoy

From abokovoy at redhat.com Tue Sep 6 10:12:06 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 06 Sep 2011 13:12:06 +0300
Subject: [Freeipa-devel] [PATCH] 118 Fix permissions in installers
In-Reply-To: <1315232643.24171.5.camel@dhcp-25-52.brq.redhat.com>
References: <1315232643.24171.5.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E65F1F6.2020908@redhat.com>

On 05.09.2011 17:24, Martin Kosek wrote:
> How to test:
> 1) on server:
> - check that files in /usr/share/ipa/html are world readable

why /usr/share/ipa/html/configure.jar has to be executable?

--
/ Alexander Bokovoy

From abokovoy at redhat.com Tue Sep 6 10:16:20 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 06 Sep 2011 13:16:20 +0300
Subject: [Freeipa-devel] [PATCH] 119 Fix typos
In-Reply-To: <1315233454.24171.9.camel@dhcp-25-52.brq.redhat.com>
References: <1315233454.24171.9.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E65F2F4.2000604@redhat.com>

On 05.09.2011 17:37, Martin Kosek wrote:
> Kudos to Yuri Chornoivan who submitted the patch.
>
> I just created the commit message and prepared separate patches for
> master/ipa-2-1 branches as there was a conflict.
>
> ---
> Fix "The the" and "classses" in FreeIPA code and messages.
>
> https://fedorahosted.org/freeipa/ticket/1480
>

ACK master and ipa-2-1

--
/ Alexander Bokovoy

From mkosek at redhat.com Tue Sep 6 10:52:07 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 06 Sep 2011 12:52:07 +0200
Subject: [Freeipa-devel] [PATCH] 118 Fix permissions in installers
In-Reply-To: <4E65F1F6.2020908@redhat.com>
References: <1315232643.24171.5.camel@dhcp-25-52.brq.redhat.com> <4E65F1F6.2020908@redhat.com>
Message-ID: <1315306329.4820.8.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-09-06 at 13:12 +0300, Alexander Bokovoy wrote:
> On 05.09.2011 17:24, Martin Kosek wrote:
> > How to test:
> > 1) on server:
> > - check that files in /usr/share/ipa/html are world readable
> why /usr/share/ipa/html/configure.jar has to be executable?
>

The file is generated with this flag by /usr/bin/signtool. But I verified that the browser configuration with configure.jar works without the executable bit.

I will change the rights to 0644 instead before pushing (if you ack the rest).

Martin

From abokovoy at redhat.com Tue Sep 6 10:59:25 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 06 Sep 2011 13:59:25 +0300
Subject: [Freeipa-devel] [PATCH] 118 Fix permissions in installers
In-Reply-To: <1315306329.4820.8.camel@dhcp-25-52.brq.redhat.com>
References: <1315232643.24171.5.camel@dhcp-25-52.brq.redhat.com> <4E65F1F6.2020908@redhat.com> <1315306329.4820.8.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E65FD0D.2060003@redhat.com>

On 06.09.2011 13:52, Martin Kosek wrote:
> On Tue, 2011-09-06 at 13:12 +0300, Alexander Bokovoy wrote:
>> On 05.09.2011 17:24, Martin Kosek wrote:
>>> How to test:
>>> 1) on server:
>>> - check that files in /usr/share/ipa/html are world readable
>> why /usr/share/ipa/html/configure.jar has to be executable?
>>
>
> The file is generated with this flag by /usr/bin/signtool. But I
> verified that the browser configuration with configure.jar works without
> the executable bit.
>
> I will change the rights to 0644 instead before pushing (if you ack the
> rest).

When zipfile is created, it uses PR_Open(filename,PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 0777)
(http://mxr.mozilla.org/mozilla/source/security/nss/cmd/signtool/zip.c#73, via http://mxr.mozilla.org/mozilla/source/security/nss/cmd/signtool/sign.c#90)

So I guess it is Mozilla's way to handle files on all platforms. We definitely don't need the resulting executable bit anywhere afterwards.

ACK.

Related question: should we also mark these generated files in /usr/share/ipa/html/ as %ghost in freeipa.spec.in?

--
/ Alexander Bokovoy

From abokovoy at redhat.com Tue Sep 6 11:08:08 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 06 Sep 2011 14:08:08 +0300
Subject: [Freeipa-devel] [PATCH] 116 Improve man pages structure
In-Reply-To: <1315214998.24171.0.camel@dhcp-25-52.brq.redhat.com>
References: <1315214998.24171.0.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E65FF18.6050602@redhat.com>

On 05.09.2011 12:29, Martin Kosek wrote:
> There are too many options in ipa-*-install scripts which makes it
> difficult to read. This patch adds subsections to install script
> online help and man pages to improve readability. No option has
> been changed.
>
> To further improve man pages:
>
> 1) All man pages were changed to have the same header and top-center
> title to provide united look.
>
> 2) Few typos in man pages have been fixed
>
> https://fedorahosted.org/freeipa/ticket/1687

ACK for ipa-2-1.

--
/ Alexander Bokovoy

From jcholast at redhat.com Tue Sep 6 13:53:41 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 06 Sep 2011 15:53:41 +0200
Subject: [Freeipa-devel] [PATCH] 45 Check that install hostname matches the server hostname
Message-ID: <4E6625E5.2040201@redhat.com>

https://fedorahosted.org/freeipa/ticket/1717

Honza

--
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-45-hostname-check.patch
Type: text/x-patch
Size: 1059 bytes

From edewata at redhat.com Tue Sep 6 14:14:34 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 06 Sep 2011 09:14:34 -0500
Subject: [Freeipa-devel] [PATCH] 263 Fixed problem with combobox using Sahi
In-Reply-To: <4E658ACF.3020100@redhat.com>
References: <4E5FF81A.2030409@redhat.com> <4E658ACF.3020100@redhat.com>
Message-ID: <4E662ACA.2060505@redhat.com>

On 9/5/2011 9:51 PM, Adam Young wrote:
> On 09/01/2011 05:24 PM, Endi Sukma Dewata wrote:
>> The IPA.combobox_widget has been temporarily fixed to support automation
>> using Sahi.
>>
>> Ticket #1754
>
> This looks like a reasonable change. I think that most combo-box
> controls would close once you made a persisted change. Any reason not to
> keep this as the long term fix?

With a native drop-down list if you click the same value that you've already selected previously the list will close. Our custom combo-box was able to replicate this behavior before this change, but it didn't work for Sahi. With this patch if you click the same value again the list will not close, you'd have to click the down arrow to close it, so it's not consistent with the native widget. Although users probably wouldn't see this issue too often, I think it's better to keep the custom widget as close as possible to the native widget.

--
Endi S. Dewata

From rcritten at redhat.com Tue Sep 6 17:49:55 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 06 Sep 2011 13:49:55 -0400
Subject: [Freeipa-devel] [PATCH] 45 Check that install hostname matches the server hostname
In-Reply-To: <4E6625E5.2040201@redhat.com>
References: <4E6625E5.2040201@redhat.com>
Message-ID: <4E665D43.4090204@redhat.com>

Jan Cholasta wrote:
> https://fedorahosted.org/freeipa/ticket/1717
>
> Honza

nack, what if there are multiple interfaces and you want IPA to use one (that doesn't happen to be the system hostname one)?

rob

From JR.Aquino at citrix.com Tue Sep 6 22:33:26 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 6 Sep 2011 22:33:26 +0000
Subject: [Freeipa-devel] [PATCH] 38 Move Managed Entries into their own container in the replicated space.
In-Reply-To: <1311342896.12679.9.camel@dhcp-25-52.brq.redhat.com>
References: <1311342896.12679.9.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <81DEB284-E8C1-47C3-9130-846E2A4669C4@citrixonline.com>

On Jul 22, 2011, at 6:54 AM, Martin Kosek wrote:
> On Thu, 2011-07-21 at 23:00 +0000, JR Aquino wrote:
>> Create: cn=Managed Entries,cn=etc,$SUFFIX
>> Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
>> Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
>>
>> Create method for migrating any and all custom Managed Entries from
>> the cn=config space into the new container.
>>
>> The Managed Entries plugin configurations weren't being created on
>> replica installs.
>>
>> This patch addresses two separate tickets and accounts for
>> new installs, replica installs, and upgrades.
>>
>> https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
>> https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation
>
> I found a few issues with the patch (tested along with 25):
>
> 1) When upgrading an old instance, NGP and UGP definitions in
> cn=Managed Entries,cn=plugins,cn=config were not deleted. This led to 2
> managed entries plugin definitions

Fixed this condition. 389 prohibits the deletion of Managed Entries while they are active. I had to perform the repointing to the new cn=etc container, perform the migration of the legacy configs, then perform a restart of dirsrv.

>
> 2) Managed entries on a replica didn't work for me. For example UPG was
> created on a master, but was not on a replica

This should also be resolved now.

>
> Martin
>

I had to break out the connection code in update for ldapupdate.py so that connections could be reestablished post dirsrv restart. I also had to create a service class to perform the restart.
installutils.py has been modified to provide wait_for_open_socket() similar to wait_for_open_port()

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch
Type: application/octet-stream
Size: 22016 bytes

From ayoung at redhat.com Wed Sep 7 00:08:49 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 06 Sep 2011 20:08:49 -0400
Subject: [Freeipa-devel] [rhcs-dev-list] IPA as a subordinate CA issuer
In-Reply-To: <4E610856.90004@redhat.com>
References: <4E60D483.2010302@redhat.com> <4E610856.90004@redhat.com>
Message-ID: <4E66B611.4090505@redhat.com>

On 09/02/2011 12:46 PM, Andrew Wnuk wrote:
> On 09/02/2011 06:05 AM, Rob Crittenden wrote:
>> The rhev-m team is trying to integrate IPA into their installs. They
>> currently use SSL as well and we're battling over the Apache
>> certificate (there can be only one).
>>
>> One option that came up is if they install IPA first if we can issue
>> them a subordinate CA then they can do their own thing without
>> changing too much of their code.
>>
>> I know dogtag can do this but I have no doubt that it currently
>> requires human intervention. Is it possible to write a profile to
>> have the IPA RA issue a subordinate CA cert automatically (as
>> dangerous as that is)?
>>
>> rob
>>
>
> Although we agree that this practice should be avoided, Dogtag can be
> configured to issue subordinate CA certificates automatically.
> However, certificate request parametrization may need to be provided
> if we want to issue different certificates for services and sub-CAs.
> This assumes IPA has the ability to authenticate and authorize rhev-m
> sub-CA requests properly, and that rhev-m sub-CA functionality is well
> reviewed so nobody will question certificates issued by rhev-m sub-CAs.
>
> Thank you,
> Andrew
>

Does this even make sense? Wouldn't we want to have RHEV-M and IPA use the same CA? Do they really need their own? I can't see that you would take an existing CA and later make it a subordinate to a Dogtag CA, so really they can use the Dogtag instance from IPA, and not try to manage the CA themselves, OR manage it themselves completely.
I'm guessing that, like most of the projects that do some aspect of CA-stuff, they have an incomplete solution, probably along the lines of IPA's self-signed certs.

From jcholast at redhat.com Wed Sep 7 06:43:39 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 07 Sep 2011 08:43:39 +0200
Subject: [Freeipa-devel] [PATCH] 45 Check that install hostname matches the server hostname
In-Reply-To: <4E665D43.4090204@redhat.com>
References: <4E6625E5.2040201@redhat.com> <4E665D43.4090204@redhat.com>
Message-ID: <4E67129B.8020809@redhat.com>

On 6.9.2011 19:49, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> https://fedorahosted.org/freeipa/ticket/1717
>>
>> Honza
>
> nack, what if there are multiple interfaces and you want IPA to use one
> (that doesn't happen to be the system hostname one)?
>
> rob

Then the user configures the system hostname to match the hostname of the interface. Or should we configure it automatically from the install?

Honza

--
Jan Cholasta

From mkosek at redhat.com Wed Sep 7 10:58:48 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 07 Sep 2011 12:58:48 +0200
Subject: [Freeipa-devel] [PATCH] 116 Improve man pages structure
In-Reply-To: <4E65FF18.6050602@redhat.com>
References: <1315214998.24171.0.camel@dhcp-25-52.brq.redhat.com> <4E65FF18.6050602@redhat.com>
Message-ID: <1315393131.12548.0.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-09-06 at 14:08 +0300, Alexander Bokovoy wrote:
> On 05.09.2011 12:29, Martin Kosek wrote:
> > There are too many options in ipa-*-install scripts which makes it
> > difficult to read. This patch adds subsections to install script
> > online help and man pages to improve readability. No option has
> > been changed.
> >
> > To further improve man pages:
> >
> > 1) All man pages were changed to have the same header and top-center
> > title to provide united look.
> >
> > 2) Few typos in man pages have been fixed
> >
> > https://fedorahosted.org/freeipa/ticket/1687
> ACK for ipa-2-1.
>

Pushed to master, ipa-2-1.

Martin

From mkosek at redhat.com Wed Sep 7 11:02:23 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 07 Sep 2011 13:02:23 +0200
Subject: [Freeipa-devel] [PATCH] 117 Improve ipa-join man page
In-Reply-To: <4E65EF3B.5090603@redhat.com>
References: <1315219091.24171.1.camel@dhcp-25-52.brq.redhat.com> <4E65EF3B.5090603@redhat.com>
Message-ID: <1315393346.12548.1.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-09-06 at 13:00 +0300, Alexander Bokovoy wrote:
> On 05.09.2011 13:38, Martin Kosek wrote:
> > Make it clear in man pages that ipa-join -u does not remove keytab.
> >
> > https://fedorahosted.org/freeipa/ticket/1317
> ACK for both ipa-2-1 and master.
>

Pushed to master, ipa-2-1.

Martin

From mkosek at redhat.com Wed Sep 7 11:23:33 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 07 Sep 2011 13:23:33 +0200
Subject: [Freeipa-devel] [PATCH] 119 Fix typos
In-Reply-To: <4E65F2F4.2000604@redhat.com>
References: <1315233454.24171.9.camel@dhcp-25-52.brq.redhat.com> <4E65F2F4.2000604@redhat.com>
Message-ID: <1315394616.12548.5.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-09-06 at 13:16 +0300, Alexander Bokovoy wrote:
> On 05.09.2011 17:37, Martin Kosek wrote:
> > Kudos to Yuri Chornoivan who submitted the patch.
> >
> > I just created the commit message and prepared separate patches for
> > master/ipa-2-1 branches as there was a conflict.
> >
> > ---
> > Fix "The the" and "classses" in FreeIPA code and messages.
> >
> > https://fedorahosted.org/freeipa/ticket/1480
> >
> ACK master and ipa-2-1
>

Pushed to master, ipa-2-1.

Martin

From mkosek at redhat.com Wed Sep 7 11:19:18 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 07 Sep 2011 13:19:18 +0200
Subject: [Freeipa-devel] [PATCH] 118 Fix permissions in installers
In-Reply-To: <4E65FD0D.2060003@redhat.com>
References: <1315232643.24171.5.camel@dhcp-25-52.brq.redhat.com> <4E65F1F6.2020908@redhat.com> <1315306329.4820.8.camel@dhcp-25-52.brq.redhat.com> <4E65FD0D.2060003@redhat.com>
Message-ID: <1315394372.12548.4.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-09-06 at 13:59 +0300, Alexander Bokovoy wrote:
> On 06.09.2011 13:52, Martin Kosek wrote:
> > On Tue, 2011-09-06 at 13:12 +0300, Alexander Bokovoy wrote:
> >> On 05.09.2011 17:24, Martin Kosek wrote:
> >>> How to test:
> >>> 1) on server:
> >>> - check that files in /usr/share/ipa/html are world readable
> >> why /usr/share/ipa/html/configure.jar has to be executable?
> >>
> >
> > The file is generated with this flag by /usr/bin/signtool. But I
> > verified that the browser configuration with configure.jar works without
> > the executable bit.
> >
> > I will change the rights to 0644 instead before pushing (if you ack the
> > rest).
> When zipfile is created, it uses PR_Open(filename,PR_WRONLY |
> PR_CREATE_FILE | PR_TRUNCATE, 0777)
> (http://mxr.mozilla.org/mozilla/source/security/nss/cmd/signtool/zip.c#73,
> via
> http://mxr.mozilla.org/mozilla/source/security/nss/cmd/signtool/sign.c#90)
>
> So I guess it is Mozilla's way to handle files on all platforms. We
> definitely don't need resulting executable bit anywhere afterwards.
>
> ACK.

Pushed to master, ipa-2-1. configure.jar permissions have been set to 0644.

>
> Related question: should we also mark these generated files in
> /usr/share/ipa/html/ as %ghost in freeipa.spec.in?

Good idea, then these files could be erased when our package is removed. Can you please create a ticket?

Martin

From pvoborni at redhat.com Wed Sep 7 12:16:44 2011
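An added example, not FreeIPA's own code, illustrating the two failure modes discussed in the patch 118 thread: under a restrictive umask a plainly opened file such as default.conf is not world-readable, and a file created with mode 0777 (the way signtool creates configure.jar) keeps an executable bit nobody needs. Setting the mode explicitly after creation fixes both; all paths are constructed temporary files and the audit function implements the "check that files ... are world readable" test step.

```python
import os
import shutil
import stat
import tempfile


def naive_write(path, data):
    """Write like the pre-118 installer did: the final mode is whatever umask leaves."""
    with open(path, "w") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_with_mode(path, data, mode=0o644):
    """Create the file, then force `mode` so that neither the umask nor the mode
    the creating library asked for (signtool's 0777) decides the result."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    os.chmod(path, mode)  # umask is applied at os.open(); chmod is not masked
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_dir(directory):
    """Return {filename: problem} for regular files that are not world-readable
    or that carry an executable bit (configuration files and jars need none)."""
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    problems = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if not mode & stat.S_IROTH:
            problems[name] = "not world-readable (%04o)" % mode
        elif mode & exec_bits:
            problems[name] = "unexpected executable bit (%04o)" % mode
    return problems


def demo(umask=0o077):
    """Reproduce both cases under a restrictive umask (constructed temp dir)."""
    old_umask = os.umask(umask)
    tmpdir = tempfile.mkdtemp(prefix="ipa-perms-")
    try:
        # 1) the bug: root with umask 077 writes default.conf -> 0600, non-root kinit breaks
        naive = naive_write(os.path.join(tmpdir, "default.conf"), "[global]\n")
        # 2) the fix: explicit mode -> 0644 regardless of umask
        fixed = write_with_mode(os.path.join(tmpdir, "ipa.conf"), "# httpd conf\n")
        # 3) a jar created "signtool style": requested mode 0777, forced so umask does not hide it
        jar = os.path.join(tmpdir, "configure.jar")
        os.close(os.open(jar, os.O_WRONLY | os.O_CREAT, 0o777))
        os.chmod(jar, 0o777)
        jar_as_created = stat.S_IMODE(os.stat(jar).st_mode)
        before = audit_dir(tmpdir)
        # what the pushed patch does: normalise both files to 0644
        os.chmod(jar, 0o644)
        os.chmod(os.path.join(tmpdir, "default.conf"), 0o644)
        after = audit_dir(tmpdir)
        return {"naive": naive, "fixed": fixed, "jar_as_created": jar_as_created,
                "before": before, "after": after}
    finally:
        os.umask(old_umask)
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```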
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 07 Sep 2011 14:16:44 +0200
Subject: [Freeipa-devel] [PATCH] 012 Fixed inconsistency in enabling delete buttons
Message-ID: <4E6760AC.20705@redhat.com>

https://fedorahosted.org/freeipa/ticket/1640

On the HBAC Rules page, where the rules are listed, if no rule is selected, the "Delete" button is not enabled, and cannot be clicked on. But edit a Rule, and the Delete button is enabled in the available sections - regardless of whether an object is selected to be deleted or not, or even if there is no object to select for deletion.

One can click on this button...but then - there is no message indicating that something should be selected for deletion for this button to do anything.

Milestone: 3.0 Core Effort Backlog

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0012-Fixed-inconsistency-in-enabling-delete-buttons.patch
Type: text/x-patch
Size: 3914 bytes

From mkosek at redhat.com Wed Sep 7 13:05:25 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 07 Sep 2011 15:05:25 +0200
Subject: [Freeipa-devel] [PATCH] 120 Improve DNS record data validation
Message-ID: <1315400728.12548.12.camel@dhcp-25-52.brq.redhat.com>

This is a 3.0 Core Effort Backlog patch.

The changes to API may look scary, but it should be OK, I just added validators and normalizers. I found a lot of RR types unsupported by bind-dyndb-ldap. I implemented a validator telling this information to the user. I think the message is more user-friendly than the previous LDAP schema error.

Enjoy the RFCs! :-)

Martin

---
Implement missing validators for DNS RR types so that we can capture
at least basic user errors. Additionally, a normalizer creating
a fully-qualified domain name has been implemented for several RRs
to prevent this common user error.

https://fedorahosted.org/freeipa/ticket/1106

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-120-improve-dns-record-data-validation.patch
Type: text/x-patch
Size: 64980 bytes

From rcritten at redhat.com Wed Sep 7 13:13:17 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 07 Sep 2011 09:13:17 -0400
Subject: [Freeipa-devel] [PATCH] 45 Check that install hostname matches the server hostname
In-Reply-To: <4E67129B.8020809@redhat.com>
References: <4E6625E5.2040201@redhat.com> <4E665D43.4090204@redhat.com> <4E67129B.8020809@redhat.com>
Message-ID: <4E676DED.2050102@redhat.com>

Jan Cholasta wrote:
> On 6.9.2011 19:49, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> https://fedorahosted.org/freeipa/ticket/1717
>>>
>>> Honza
>>
>> nack, what if there are multiple interfaces and you want IPA to use one
>> (that doesn't happen to be the system hostname one)?
>>
>> rob
>
> Then the user configures the system hostname to match the hostname of
> the interface. Or should we configure it automatically from the install?
>
> Honza
>

We can't dictate which interface matches the hostname. At most we can warn about this, but not fail to install.

rob

From abokovoy at redhat.com Wed Sep 7 13:15:15 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 7 Sep 2011 16:15:15 +0300
Subject: [Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration instead of dropping it
Message-ID: <20110907131514.GA5491@redhat.com>

Hi!

When modifying SSSD configuration, attempt to add new domain rather than replacing whole configuration file.

Only replace file in case it is impossible to parse it by current SSSD version.

https://fedorahosted.org/freeipa/ticket/1750

--
/ Alexander Bokovoy

-------------- next part --------------
From d09127943967e1760bd2f8a61d10be15776f4255 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy Date: Wed, 7 Sep 2011 14:23:29 +0300 Subject: [PATCH] ipa-client-install should not clobber existing SSSD configurations https://fedorahosted.org/freeipa/ticket/1750 When modifying SSSD configuration, attempt to add new domain rather than replacing whole configuration file. Only replace file in case it is impossible to parse it by current SSSD version. --- ipa-client/ipa-install/ipa-client-install | 13 +++++++++++-- 1 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index fe520be9e79b12b2222fce45c6f7b1716d67ff46..31f0e87da5266cc7528b802a96322254a04cfa6e 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -609,8 +609,17 @@ $)''', re.VERBOSE) print >>sys.stderr, "Failed to set permissions for %s (%s)." % (network_filename, str(e)) def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options): - sssdconfig = SSSDConfig.SSSDConfig() - sssdconfig.new_config() + try: + sssdconfig = SSSDConfig.SSSDConfig() + sssdconfig.import_config() + except SSSDConfig.ParsingError, e: + # no existing SSSD configuration, make a new one + # We do make new SSSDConfig instance because IPAChangeConf-derived classes have no + # means to reset their state and ParseError exception could come due to parsing + # error from older version which cannot be upgraded anymore, leaving sssdconfig + # instance practically unusable + sssdconfig = SSSDConfig.SSSDConfig() + sssdconfig.new_config() domain = sssdconfig.new_domain(cli_domain) domain.add_provider('ipa', 'id') -- 1.7.6.1 From mkosek at redhat.com Wed Sep 7 13:18:25 2011 
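Review bot: the new fallback in configure_sssd_conf() catches only SSSDConfig.ParsingError, while the comment above it describes the case "no existing SSSD configuration". A missing or unreadable sssd.conf is not a parsing failure, so if import_config() reports an absent file with a different exception (IOError, as far as I know the SSSDConfig API) the client install now aborts where the previous unconditional new_config() succeeded; suggest widening the handler, e.g. `except (IOError, SSSDConfig.ParsingError):`, or checking that the file exists before calling import_config(). On the same hunk: once an existing configuration has been imported it may already contain a domain named cli_domain (a re-run of ipa-client-install), yet `domain = sssdconfig.new_domain(cli_domain)` is still called unconditionally; look the domain up first and reuse it instead of relying on new_domain() to cope with a duplicate. Minor: `e` in `except SSSDConfig.ParsingError, e:` is bound but never used.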
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 07 Sep 2011 15:18:25 +0200
Subject: [Freeipa-devel] [PATCH] 120 Improve DNS record data validation
In-Reply-To: <1315400728.12548.12.camel@dhcp-25-52.brq.redhat.com>
References: <1315400728.12548.12.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1315401507.12548.14.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-09-07 at 15:05 +0200, Martin Kosek wrote:
> This is 3.0 Core Effort Backlog patch.
>
> The changes to API may look scary, but it should be OK, I just added
> validators and normalizers. I found a lot of RR types unsupported by
> bind-dyndb-ldap. I implemented a validator telling this information to
> the user. I think the message is more user-friendly than the previous
> LDAP schema error.
>
> Enjoy the RFCs! :-)
>
> Martin
>
> ---
> Implement missing validators for DNS RR types so that we can capture
> at least basic user errors. Additionally, a normalizer creating
> a fully-qualified domain name has been implemented for several RRs
> to prevent this common user error.
>
> https://fedorahosted.org/freeipa/ticket/1106
>

I noticed a typo in format description for LOC record validation. A fixed patch attached.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-120-2-improve-dns-record-data-validation.patch
Type: text/x-patch
Size: 64978 bytes

From abokovoy at redhat.com Wed Sep 7 13:22:40 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 7 Sep 2011 16:22:40 +0300
Subject: [Freeipa-devel] [PATCH] 118 Fix permissions in installers
In-Reply-To: <1315394372.12548.4.camel@dhcp-25-52.brq.redhat.com>
References: <1315232643.24171.5.camel@dhcp-25-52.brq.redhat.com> <4E65F1F6.2020908@redhat.com> <1315306329.4820.8.camel@dhcp-25-52.brq.redhat.com> <4E65FD0D.2060003@redhat.com> <1315394372.12548.4.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <20110907132239.GB5491@redhat.com>

On Wed, 07 Sep 2011, Martin Kosek wrote:
> >
> > Related question: should we also mark these generated files in
> > /usr/share/ipa/html/ as %ghost in freeipa.spec.in?
>
> Good idea, then these files could be erased when our package is removed.
> Can you please create a ticket?

I have created ticket 1764 to track this (in 3.0).
https://fedorahosted.org/freeipa/ticket/1764

--
/ Alexander Bokovoy

From sgallagh at redhat.com Wed Sep 7 14:19:28 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 07 Sep 2011 10:19:28 -0400
Subject: [Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration instead of dropping it
In-Reply-To: <20110907131514.GA5491@redhat.com>
References: <20110907131514.GA5491@redhat.com>
Message-ID: <1315405169.15945.3.camel@sgallagh520.bos.redhat.com>

On Wed, 2011-09-07 at 16:15 +0300, Alexander Bokovoy wrote:
> Hi!
>
> When modifying SSSD configuration, attempt to add new domain rather
> than replacing whole configuration file.
>
> Only replace file in case it is impossible to parse it by current SSSD
> version.
>
> https://fedorahosted.org/freeipa/ticket/1750

Looks good to me. Ack.

From pvoborni at redhat.com Wed Sep 7 16:24:09 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 07 Sep 2011 18:24:09 +0200
Subject: [Freeipa-devel] [PATCH] 013 Fixed: JavaScript type error in entitlement page
Message-ID: <4E679AA9.7090104@redhat.com>

https://fedorahosted.org/freeipa/ticket/1767

Opening IPA Server/Entitlements causes: "Uncaught TypeError: Cannot call method 'addClass' of undefined" error - Details.js:489

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0013-Fixed-JavaScript-type-error-in-entitlement-page.patch
Type: text/x-patch
Size: 1775 bytes

From edewata at redhat.com Wed Sep 7 19:06:32 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 07 Sep 2011 14:06:32 -0500
Subject: [Freeipa-devel] [PATCH] 012 Fixed inconsistency in enabling delete buttons
In-Reply-To: <4E6760AC.20705@redhat.com>
References: <4E6760AC.20705@redhat.com>
Message-ID: <4E67C0B8.9030000@redhat.com>

On 9/7/2011 7:16 AM, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/1640
>
> On the HBAC Rules page, where the rules are listed, if no rule is
> selected, the "Delete" button is not enabled, and cannot be clicked on.
> But edit a Rule, and Delete button is enabled in the available sections
> - regardless of, if an object is selected to be deleted or not, or even
> if there is no object to be selected to delete.
>
> One can click on this button...but then - there is no message indicating
> that something should be selected for deletion for this button to do
> anything.
>
> Milestone: 3.0 Core Effort Backlog

One issue, in HBAC/sudo rules details page if the category is changed from 'all' to 'specific', the Delete button will be enabled although there are no entries selected. See the set_enabled() in IPA.association_table_widget. I think if the parameter is true it should enable only the Add button. If the parameter is false it should disable both the Add and Delete buttons and call unselect_all().

--
Endi S. Dewata

From edewata at redhat.com Wed Sep 7 19:26:01 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 07 Sep 2011 14:26:01 -0500 Subject: [Freeipa-devel] [PATCH] 013 Fixed: JavaScript type error in entitlement page In-Reply-To: <4E679AA9.7090104@redhat.com> References: <4E679AA9.7090104@redhat.com> Message-ID: <4E67C549.30908@redhat.com> On 9/7/2011 11:24 AM, Petr Vobornik wrote: > https://fedorahosted.org/freeipa/ticket/1767 > > Opening IPA Server/Entitlements causes: "Uncaught TypeError: Cannot call > method 'addClass' of undefined" error - Details.js:489 ACK. Pushed to master and ipa-2-1. -- Endi S. Dewata From edewata at redhat.com Wed Sep 7 19:28:30 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 07 Sep 2011 14:28:30 -0500 Subject: [Freeipa-devel] [PATCH] 264 Fixed unit test for entity select widget. Message-ID: <4E67C5DE.5020507@redhat.com> The unit test for IPA.entity_select_widget has been fixed to check the options after loading the record. Pushed under one-liner/trivial rule. -- Endi S. Dewata From simo at redhat.com Wed Sep 7 22:10:50 2011 
From: simo at redhat.com (Simo Sorce) Date: Wed, 07 Sep 2011 18:10:50 -0400 Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility In-Reply-To: <20110830144028.GE12659@localhost.localdomain> References: <20110826093926.GF2374@localhost.localdomain> <1314364467.20296.226.camel@willson.li.ssimo.org> <20110830144028.GE12659@localhost.localdomain> Message-ID: <1315433450.2684.13.camel@willson.li.ssimo.org> On Tue, 2011-08-30 at 16:40 +0200, Sumit Bose wrote: > I don't think that we should run winbind. > > I also changed the path to the smb.conf file from /etc/ipa > to /etc/samba > which makes the change to /etc/sysconfig/samba unnecessary. > > Thanks for review. > OK, tested this today, after I was able to tame my machine. Some issues and comments still. 1) If you just run ipa-adtrust-install it throws an error about an Illegal netbios name and quits. That's not right, as it should ask for the netbios name if one is not provided on the command line, presenting a default option (based on the last domain component uppercased maybe). 2) I see the way you write the temp smb.conf is by using a lot of fd.write() calls. It would be much easier instead to use the templating engine we use elsewhere in the code and drop a template file in install/share; this will allow us to easily tweak the initial installation options w/o touching the python code every time. 3) Everything installed and started but my smbd coredumped immediately after. It is almost certainly not a problem in your patch though :-) So jokes aside, if you fix 1 and 2 I think we can push to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From edewata at redhat.com Wed Sep 7 22:41:09 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 07 Sep 2011 17:41:09 -0500 Subject: [Freeipa-devel] [PATCH] 265 Fixed layout problem in permission adder dialog. Message-ID: <4E67F305.9060001@redhat.com> In order to maintain consistent layout between details page and dialog boxes the IPA.details_list_section has been replaced with IPA.details_table_section which is based on table. The IPA.target_section and other subclasses of IPA.details_list_section have been converted to use IPA.details_table_section as well. The unit tests have been updated accordingly. Ticket #1648 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0265-Fixed-layout-problem-in-permission-adder-dialog.patch Type: text/x-patch Size: 41465 bytes Desc: not available URL: From pedro.nova33 at gmail.com Thu Sep 8 09:11:31 2011 From: pedro.nova33 at gmail.com (Pedro Nova) Date: Thu, 8 Sep 2011 11:11:31 +0200 Subject: [Freeipa-devel] Failed to remove SELinux rule for port 7390 when uninstalling server (S.O.Fedora 15) Message-ID: Error thrown when uninstalling FreeIPA Server on Fedora 15 When I try to uninstall IPA server using command: ipa-server-install --uninstall -d or /usr/sbin/ipa-server-install --uninstall This is a NON REVERSIBLE operation and will delete all data and configuration! Are you sure you want to continue with the uninstall procedure? [no]: yes Shutting down all IPA services Removing IPA client configuration Unconfiguring ntpd Unconfiguring CA directory server *root : CRITICAL Failed to remove SELinux rule for port 7390* Unconfiguring CA Unconfiguring named Unconfiguring directory server Regards, Pedro Nova -------------- next part -------------- An HTML attachment was scrubbed... URL: From pedro.nova33 at gmail.com Thu Sep 8 10:20:20 2011 
From: pedro.nova33 at gmail.com (Pedro Nova) Date: Thu, 8 Sep 2011 12:20:20 +0200 Subject: [Freeipa-devel] Creation of replica failed: Failed to start replication on Fedora 15 Message-ID: Hi All, When I'm installing ipa-server-replica on Fedora release 15 it failed: [20/27]: setting up initial replication Starting replication, please wait until this has completed. [vmnxipatest02.freeipa.gsnet.corp] reports: Update failed! Status: [-2 - System error] creation of replica failed: Failed to start replication Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Then I run ipa-server-install --uninstall without issue. The server settings are OK. Any ideas or support? Thanks, Pedro Nova -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Thu Sep 8 11:26:50 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 8 Sep 2011 14:26:50 +0300 Subject: [Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration instead of dropping it In-Reply-To: <1315405169.15945.3.camel@sgallagh520.bos.redhat.com> References: <20110907131514.GA5491@redhat.com> <1315405169.15945.3.camel@sgallagh520.bos.redhat.com> Message-ID: <20110908112649.GA17001@redhat.com> On Wed, 07 Sep 2011, Stephen Gallagher wrote: > On Wed, 2011-09-07 at 16:15 +0300, Alexander Bokovoy wrote: > > Hi! > > > > When modifying SSSD configuration, attempt to add a new domain rather > > than replacing the whole configuration file. > > > > Only replace the file in case it is impossible to parse it by the current SSSD > > version. > > > > https://fedorahosted.org/freeipa/ticket/1750 > > Looks good to me. Ack. Unfortunately, there is a bug in libini_config that prevents modifying the existing sssd configuration, as it becomes unreadable by libini_config. https://fedorahosted.org/sssd/ticket/991 I would suggest postponing this patch until the libini_config bug is fixed and released. -- / Alexander Bokovoy From mkosek at redhat.com Thu Sep 8 11:38:35 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 08 Sep 2011 13:38:35 +0200 Subject: [Freeipa-devel] [PATCH] 38 Move Managed Entries into their own container in the replicated space. In-Reply-To: <81DEB284-E8C1-47C3-9130-846E2A4669C4@citrixonline.com> References: <1311342896.12679.9.camel@dhcp-25-52.brq.redhat.com> <81DEB284-E8C1-47C3-9130-846E2A4669C4@citrixonline.com> Message-ID: <1315481921.5141.16.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-09-06 at 22:33 +0000, JR Aquino wrote: > On Jul 22, 2011, at 6:54 AM, Martin Kosek wrote: > > > On Thu, 2011-07-21 at 23:00 +0000, JR Aquino wrote: > >> Create: cn=Managed Entries,cn=etc,$SUFFIX > >> Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX > >> Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX > >> > >> Create method for migrating any and all custom Managed Entries from > >> the cn=config space into the new container. > >> > >> The Managed Entries plugin configurations weren't being created on > >> replica installs. > >> > >> This patch addresses two separate tickets and accounts for > >> new installs, replica installs, and upgrades. > >> > >> https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container > >> https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation > > > > I found a few issues with the patch (tested along with 25): > > > > 1) When upgrading an old instance, NGP and UGP definitions in > > cn=Managed Entries,cn=plugins,cn=config were not deleted. This led to 2 > > managed entries plugin definitions > > Fixed this condition. 389 prohibits the deletion of Managed Entries while they are active. > I had to perform the repointing to the new cn=etc container, perform the migration of the legacy configs, then perform a restart of dirsrv. > > > > > 2) Managed entries on a replica didn't work for me. For example UPG was > > created on a master, but was not on a replica > > This should also be resolved now. 
> > > > > Martin > > > > I had to break out the connection code in update for ldapupdate.py so that connections could be reestablished post dirsrv restart. > > I also had to create a service class to perform the restart. > > installutils.py has been modified to provide wait_for_open_socket() similar to wait_for_open_port() > Hello JR, I tested your patch, it works fine for both upgrading the replicas and new installations. Old Managed Entries definitions were successfully deleted. I just found a few issues with the patch format itself: 1) The commit message is all wrong, it's all on the Subject line which is then put into the commit title during "git am". I suggest using our standard commit message formatting: COMMIT_TITLE COMMIT_DESCRIPTION TRAC_TICKET_LINK 2) There were a few whitespace errors: $ git apply ~/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch /home/mkosek/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch:519: trailing whitespace. /home/mkosek/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch:526: trailing whitespace. Otherwise the patch looks good to me; if it is OK with Rob (since he wrote the entire ldapupdate.py) I think we can push it after you fix the 2 changes I proposed. Martin From sbose at redhat.com Thu Sep 8 11:52:45 2011 
From: sbose at redhat.com (Sumit Bose) Date: Thu, 8 Sep 2011 13:52:45 +0200 Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility In-Reply-To: <1315433450.2684.13.camel@willson.li.ssimo.org> References: <20110826093926.GF2374@localhost.localdomain> <1314364467.20296.226.camel@willson.li.ssimo.org> <20110830144028.GE12659@localhost.localdomain> <1315433450.2684.13.camel@willson.li.ssimo.org> Message-ID: <20110908115245.GF21228@localhost.localdomain> On Wed, Sep 07, 2011 at 06:10:50PM -0400, Simo Sorce wrote: > On Tue, 2011-08-30 at 16:40 +0200, Sumit Bose wrote: > > I don't think that we should run winbind. > > > > I also changed the path to the smb.conf file from /etc/ipa > > to /etc/samba > > which makes the change to /etc/sysconfig/samba unnecessary. > > > > Thanks for review. > > > Ok tested this today, after I was able to tame my machine. > > Some issues and comments still. > > 1) If you just run ipa-adtrust-install it throws an error about an > Illegal netbios name and quits. That's not right, as it should ask for > the netbios name if one is not provided on the command line presenting a > default option (based on the last domain component uppercased maybe), fixed > > 2) I see the way you write the temp smb.conf is by using a lot of > fd.write() calls. It would be much easier instead to use the templating > engine we use elsewhere in the code and drop a template file in > install/share, this will allow us to easily tweak the initial > installation options w/o touching the python code every time. fixed new version attached. bye, Sumit > > 3) Everything installed and started but my smbd coredump immediately > after. It is almost certainly not a problem in your patch though :-) > > So jokes aside if you fix 1 and 2 I think we can push to master. > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > -------------- next part -------------- From fdc80a6178bcc9a6cfe461d072f5ad99670ef280 Mon Sep 17 00:00:00 2001 
From: Sumit Bose Date: Wed, 7 Sep 2011 10:17:12 +0200 Subject: [PATCH] Add ipa-adtrust-install utility https://fedorahosted.org/freeipa/ticket/1619 --- freeipa.spec.in | 2 + install/po/Makefile.in | 1 + install/share/Makefile.am | 1 + install/share/smb.conf.template | 25 +++ install/tools/Makefile.am | 1 + install/tools/ipa-adtrust-install | 244 +++++++++++++++++++++ install/tools/man/Makefile.am | 1 + install/tools/man/ipa-adtrust-install.1 | 44 ++++ ipaserver/install/Makefile.am | 1 + ipaserver/install/service.py | 3 +- ipaserver/install/smbinstance.py | 246 ++++++++++++++++++++++ tests/test_ipaserver/install/test_smbinstance.py | 59 +++++ 12 files changed, 627 insertions(+), 1 deletions(-) create mode 100644 install/share/smb.conf.template create mode 100755 install/tools/ipa-adtrust-install create mode 100644 install/tools/man/ipa-adtrust-install.1 create mode 100644 ipaserver/install/smbinstance.py create mode 100755 tests/test_ipaserver/install/test_smbinstance.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 31a1e943a3c33645e9d6a8a2c4fc86b89c32f382..772c5e39b13a740a33667efcd6ebfaca7c539a43 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -395,6 +395,7 @@ fi %doc COPYING README Contributors.txt %{_sbindir}/ipa-ca-install %{_sbindir}/ipa-dns-install +%{_sbindir}/ipa-adtrust-install %{_sbindir}/ipa-server-install %{_sbindir}/ipa-replica-conncheck %{_sbindir}/ipa-replica-install @@ -476,6 +477,7 @@ fi %{_mandir}/man1/ipa-server-certinstall.1.gz %{_mandir}/man1/ipa-server-install.1.gz %{_mandir}/man1/ipa-dns-install.1.gz +%{_mandir}/man1/ipa-adtrust-install.1.gz %{_mandir}/man1/ipa-ca-install.1.gz %{_mandir}/man1/ipa-compat-manage.1.gz %{_mandir}/man1/ipa-nis-manage.1.gz diff --git a/install/po/Makefile.in b/install/po/Makefile.in index 47c8bbba56041f95fc6641ff0188ab60db658de8..ac08b47921c0a96d0fe06b8d8f1419d7cd76bd36 100644 --- a/install/po/Makefile.in +++ b/install/po/Makefile.in 
@@ -51,6 +51,7 @@ PY_EXPLICIT_FILES = \ install/tools/ipa-server-install \ install/tools/ipa-ldap-updater \ install/tools/ipa-dns-install \ + install/tools/ipa-adtrust-install \ install/tools/ipa-ca-install \ ipa-client/ipa-install/ipa-client-install diff --git a/install/share/Makefile.am b/install/share/Makefile.am index f2a6a6cae418b2f31151130c4fd53db8cbbe922a..50ec816b42fcbad619504bf3ccf6ef293e5188ba 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -32,6 +32,7 @@ app_DATA = \ krb.con.template \ krbrealm.con.template \ preferences.html.template \ + smb.conf.template \ referint-conf.ldif \ dna.ldif \ master-entry.ldif \ diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template new file mode 100644 index 0000000000000000000000000000000000000000..55948badef6e75e5159ecbd6f83ad8b62aff792a --- /dev/null +++ b/install/share/smb.conf.template @@ -0,0 +1,25 @@ +[global] +workgroup = $NETBIOS_NAME +realm = $REALM +security = user +domain master = yes +domain logons = yes +log level = 1 +max log size = 100000 +log file = /var/log/samba/log.%d +passdb backend = IPA_ldapsam:ldapi://$LDAPI_SOCKET +ldapsam:trusted=yes +ldap admin dn = $SMB_DN +ldap suffix = cn=accounts,dc=ipa,dc=test +ldap user suffix = cn=users +ldap group suffix = cn=groups +ldap machine suffix = cn=computers +rpc_server:epmapper = external +rpc_server:lsarpc = external +rpc_server:lsass = external +rpc_server:lsasd = external +rpc_server:samr = external +rpc_server:netlogon = external +rpc_server:tcpip = yes +rpc_daemon:epmd = fork +rpc_daemon:lsasd = fork diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index fc615ec04f324c2d9c98dc8cf674938e1064bec6..96da7531764598878f94b6abd54c27a74671c028 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am @@ -8,6 +8,7 @@ sbin_SCRIPTS = \ ipa-ca-install \ ipa-dns-install \ ipa-server-install \ + ipa-adtrust-install \ ipa-replica-conncheck \ ipa-replica-install \ ipa-replica-prepare \ 
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install new file mode 100755 index 0000000000000000000000000000000000000000..86c69ca459026a0fd91ab196461cd63547f7ca57 --- /dev/null +++ b/install/tools/ipa-adtrust-install 
@@ -0,0 +1,244 @@ +#! /usr/bin/python +# +# Authors: Sumit Bose +# Based on ipa-server-install by Karl MacMillan +# and ipa-dns-install by Martin Nagy +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import traceback + +from ipaserver.plugins.ldap2 import ldap2 +from ipaserver.install import smbinstance +from ipaserver.install.installutils import * +from ipaserver.install import installutils +from ipapython import version +from ipapython import ipautil, sysrestore +from ipalib import api, errors, util +from ipapython.config import IPAOptionParser +import krbV +import ldap + +def parse_options(): + parser = IPAOptionParser(version=version.VERSION) + parser.add_option("-p", "--ds-password", dest="dm_password", + sensitive=True, help="directory manager password") + parser.add_option("-d", "--debug", dest="debug", action="store_true", + default=False, help="print debugging information") + parser.add_option("--ip-address", dest="ip_address", + type="ip", ip_local=True, help="Master Server IP Address") + parser.add_option("--netbios-name", dest="netbios_name", + help="NetBIOS name of the IPA domain") + parser.add_option("-U", "--unattended", dest="unattended", action="store_true", + default=False, help="unattended installation never prompts the user") + + options, args = parser.parse_args() + safe_options = 
parser.get_safe_opts(options) + + return safe_options, options + +def netbios_name_error(name): + print "Illegal NetBIOS name [%s].\n" % name + print "Up to 15 characters and only uppercase ASCII letter and digits are allowed." + +def read_netbios_name(netbios_default): + netbios_name = "" + + print "Enter the NetBIOS name for the IPA domain." + print "Only up to 15 uppercase ASCII letters and digits are allowed." + print "Example: EXAMPLE." + print "" + print "" + if not netbios_default: + netbios_default = "EXAMPLE" + while True: + netbios_name = ipautil.user_input("NetBIOS domain name", netbios_default, allow_empty = False) + print "" + if smbinstance.check_netbios_name(netbios_name): + break + + netbios_name_error(netbios_name) + + return netbios_name + +def main(): + safe_options, options = parse_options() + + if os.getegid() != 0: + sys.exit("Must be root to setup AD trusts on server") + + installutils.check_server_configuration() + + standard_logging_setup("/var/log/ipaserver-install.log", options.debug, filemode='a') + print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log" + + logging.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options)) + logging.debug("missing options might be asked for interactively later\n") + + global fstore + fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + print "==============================================================================" + print "This program will setup components needed to establish trust to AD domains for" + print "the FreeIPA Server." + print "" + print "This includes:" + print " * Configure Samba" + print " * Add trust related objects to FreeIPA LDAP server" + #TODO: + #print " * Add a SID to all users and Posix groups" + print "" + print "To accept the default shown in brackets, press the Enter key." 
+ print "" + + # Check if samba packages are installed + if not smbinstance.check_inst(options.unattended): + sys.exit("Aborting installation.") + + # Initialize the ipalib api + cfg = dict( + in_server=True, + debug=options.debug, + ) + api.bootstrap(**cfg) + api.finalize() + + if smbinstance.ipa_smb_conf_exists(): + sys.exit("Aborting installation.") + + # Check we have a public IP that is associated with the hostname + try: + if options.ip_address: + ip = ipautil.CheckedIPAddress(options.ip_address, match_local=True) + else: + hostaddr = resolve_host(api.env.host) + ip = hostaddr and ipautil.CheckedIPAddress(hostaddr, match_local=True) + except Exception, e: + print "Error: Invalid IP Address %s: %s" % (ip, e) + ip = None + + if not ip: + if options.unattended: + sys.exit("Unable to resolve IP address for host name") + else: + read_ip = read_ip_address(api.env.host, fstore) + try: + ip = ipautil.CheckedIPAddress(read_ip, match_local=True) + except Exception, e: + print "Error: Invalid IP Address %s: %s" % (ip, e) + sys.exit("Aborting installation.") + + ip_address = str(ip) + logging.debug("will use ip_address: %s\n", ip_address) + + if not options.unattended: + print "" + print "The following operations may take some minutes to complete." + print "Please wait until the prompt is returned." 
+ print "" + + # Create a Samba instance + if options.unattended and not options.dm_password: + sys.exit("\nIn unattended mode you need to provide at least the -p option") + + netbios_name = options.netbios_name + if not netbios_name: + netbios_name = smbinstance.make_netbios_name(api.env.domain) + + if not smbinstance.check_netbios_name(netbios_name): + if options.unattended: + netbios_name_error(netbios_name) + sys.exit("Aborting installation.") + else: + netbios_name = None + if options.netbios_name: + netbios_name_error(options.netbios_name) + + if not options.unattended and ( not netbios_name or not options.netbios_name): + netbios_name = read_netbios_name(netbios_name) + + dm_password = options.dm_password or read_password("Directory Manager", + confirm=False, validate=False) + smb = smbinstance.SMBInstance(fstore, dm_password) + + # try the connection + try: + smb.ldap_connect() + smb.ldap_disconnect() + except ldap.INVALID_CREDENTIALS, e: + sys.exit("Password is not valid!") + + if smb.dm_password: + api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=smb.dm_password) + else: + # See if our LDAP server is up and we can talk to it over GSSAPI + ccache = krbV.default_context().default_ccache().name + api.Backend.ldap2.connect(ccache) + + smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain, + netbios_name) + smb.create_instance() + + print "==============================================================================" + print "Setup complete" + print "" + print "\tYou must make sure these network ports are open:" + print "\t\tTCP Ports:" + print "\t\t * 138: netbios-dgm" + print "\t\t * 139: netbios-ssn" + print "\t\t * 445: microsoft-ds" + print "\t\tUDP Ports:" + print "\t\t * 138: netbios-dgm" + print "\t\t * 139: netbios-ssn" + print "\t\t * 445: microsoft-ds" + print "" + print "\tAdditionally you have to make sure the FreeIPA LDAP server cannot reached" + print "\tby any domain controller in the Active Directory domain by 
closing the" + print "\tfollowing ports for these servers:" + print "\t\tTCP Ports:" + print "\t\t * 389, 636: LDAP/LDAPS" + print "\t\tUDP Ports:" + print "\t\t * 389: (C)LDAP" + print "\tYou may want to choose to REJECT the network packets instead of DROPing them" + print "\tto avoid timeouts on the AD domain controllers." + + return 0 + +try: + sys.exit(main()) +except SystemExit, e: + sys.exit(e) +except KeyboardInterrupt: + print "Installation cancelled." +except RuntimeError, e: + print str(e) +except HostnameLocalhost: + print "The hostname resolves to the localhost address (127.0.0.1/::1)" + print "Please change your /etc/hosts file so that the hostname" + print "resolves to the ip address of your network interface." + print "The KDC service does not listen on localhost" + print "" + print "Please fix your /etc/hosts file and restart the setup program" +except Exception, e: + message = "Unexpected error - see ipaserver-install.log for details:\n %s" % str(e) + print message + message = str(e) + for str in traceback.format_tb(sys.exc_info()[2]): + message = message + "\n" + str + logging.debug(message) + sys.exit(1) diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am index 71d9b29c87d2b24c51d3048dc1050e099a89835d..d5b5976b0fd8c8e6683d09e7ade575fda2527832 100644 --- a/install/tools/man/Makefile.am +++ b/install/tools/man/Makefile.am @@ -13,6 +13,7 @@ man1_MANS = \ ipa-server-certinstall.1 \ ipa-server-install.1 \ ipa-dns-install.1 \ + ipa-adtrust-install.1 \ ipa-ca-install.1 \ ipa-ldap-updater.1 \ ipa-compat-manage.1 \ diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 new file mode 100644 index 0000000000000000000000000000000000000000..9e976d83bcd16abfca4e8eedfccf23a908c43400 --- /dev/null +++ b/install/tools/man/ipa-adtrust-install.1 
@@ -0,0 +1,44 @@ +.\" A man page for ipa-adtrust-install +.\" Copyright (C) 2011 Red Hat, Inc. +.\" +.\" This program is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation, either version 3 of the License, or +.\" (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, but +.\" WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +.\" General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program. If not, see . +.\" +.\" Author: Sumit Bose +.\" +.TH "ipa-adtrust-install" "1" "Aug 23, 2011" "freeipa" "" +.SH "NAME" +ipa\-adtrust\-install \- Prepare an IPA server to be able to establish trust relationships with AD domains +.SH "SYNOPSIS" +ipa\-adtrust\-install [\fIOPTION\fR]... +.SH "DESCRIPTION" +Adds all necesary objects and configuration to allow an IPA server to create a +trust to an Active Directory domain. This requires that the IPA server is +already installed and configured. +.SH "OPTIONS" +.TP +\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR +The password to be used by the Directory Server for the Directory Manager user +.TP +\fB\-d\fR, \fB\-\-debug\fR +Enable debug logging when more verbose output is needed +.TP +\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR +The IP address of the IPA server. If not provided then this is determined based on the hostname of the server. +.TP +\fB\-U\fR, \fB\-\-unattended\fR +An unattended installation that will never prompt for user input +.SH "EXIT STATUS" +0 if the installation was successful + +1 if an error occurred diff --git a/ipaserver/install/Makefile.am b/ipaserver/install/Makefile.am index 8932eadbb7ace71372277259a557884d989ea2c1..398551bd78aa4ba893a3953f0c7ee7bcb23d1a14 100644 
--- a/ipaserver/install/Makefile.am +++ b/ipaserver/install/Makefile.am @@ -10,6 +10,7 @@ app_PYTHON = \ krbinstance.py \ httpinstance.py \ ntpinstance.py \ + smbinstance.py \ service.py \ installutils.py \ replication.py \ diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 2f80749ade535ff24cbacd90f8c03699432f3186..5f7260e2343e9d9373ff4cfd8d071b82f218ed33 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -37,7 +37,8 @@ SERVICE_LIST = { 'KPASSWD':('kadmin', 20), 'DNS':('named', 30), 'HTTP':('httpd', 40), - 'CA':('pki-cad', 50) + 'CA':('pki-cad', 50), + 'ADTRUST':('smb', 60) } def stop(service_name, instance_name="", capture_output=True): diff --git a/ipaserver/install/smbinstance.py b/ipaserver/install/smbinstance.py new file mode 100644 index 0000000000000000000000000000000000000000..4e749fe5b7a0ff48a900948ec7c9ee07b2f1c310 --- /dev/null +++ b/ipaserver/install/smbinstance.py 
@@ -0,0 +1,246 @@ +# Authors: Sumit Bose +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import logging + +import os +import ldap +import service +import tempfile +from ipaserver import ipaldap +from ipaserver.install.dsinstance import realm_to_serverid +from ipalib import errors +from ipapython import sysrestore +from ipapython import ipautil + +import random +import string +import struct + +allowed_netbios_chars = string.ascii_uppercase + string.digits + +def check_inst(unattended): + has_smb = True + + if not os.path.exists('/usr/sbin/smbd'): + print "Samba was not found on this system" + print "Please install the 'samba' package and start the installation again" + has_smb = False + + #TODO: Add check for needed samba4 libraries + + return has_smb + +def ipa_smb_conf_exists(): + fd = open('/etc/samba/smb.conf', 'r') + lines = fd.readlines() + fd.close() + for line in lines: + if line.startswith('### Added by IPA Installer ###'): + return True + return False + + +def check_netbios_name(s): + # NetBIOS names may not be longer than 15 allowed characters + if not s or len(s) > 15 or ''.join([c for c in s if c not in allowed_netbios_chars]): + return False + + return True + +def make_netbios_name(s): + return ''.join([c for c in s.split('.')[0].upper() if c in allowed_netbios_chars])[:15] + +class 
SMBInstance(service.Service): + def __init__(self, fstore=None, dm_password=None): + service.Service.__init__(self, "smb", dm_password=dm_password) + + if fstore: + self.fstore = fstore + else: + self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + def __create_samba_user(self): + print "The user for Samba is %s" % self.smb_dn + try: + self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE) + print "Samba user entry exists, not resetting password" + return + except errors.NotFound: + pass + + # The user doesn't exist, add it + entry = ipaldap.Entry(self.smb_dn) + entry.setValues("objectclass", ["account", "simplesecurityobject"]) + entry.setValues("uid", "samba") + entry.setValues("userPassword", self.smb_dn_pwd) + self.admin_conn.add_s(entry) + + # And finally grant it permission to read NT passwords, we do not want + # to support LM passwords so there is no need to allow access to them + mod = [(ldap.MOD_ADD, 'aci', + str(['(targetattr = "sambaNTPassword")(version 3.0; acl "Samba user can read NT passwords"; allow (read) userdn="ldap:///%s";)' % self.smb_dn]))] + try: + self.admin_conn.modify_s(self.suffix, mod) + except ldap.TYPE_OR_VALUE_EXISTS: + logging.debug("samba user aci already exists in suffix %s on %s" % (self.suffix, self.admin_conn.host)) + + def __gen_sid_string(self): + sub_ids = struct.unpack(" +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. 
+# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +""" +Test `smbinstance` +""" + +import os +import nose + +from ipaserver.install import smbinstance + +class test_smbinstance: + """ + Test `smbinstance`. + """ + + def test_make_netbios_name(self): + s = smbinstance.make_netbios_name("ABCDEF") + assert s == 'ABCDEF' and isinstance(s, str) + s = smbinstance.make_netbios_name(U"ABCDEF") + assert s == 'ABCDEF' and isinstance(s, unicode) + s = smbinstance.make_netbios_name("abcdef") + assert s == 'ABCDEF' + s = smbinstance.make_netbios_name("abc.def") + assert s == 'ABC' + s = smbinstance.make_netbios_name("abcdefghijklmnopqr.def") + assert s == 'ABCDEFGHIJKLMNO' + s = smbinstance.make_netbios_name("A!$%B&/()C=?+*D") + assert s == 'ABCD' + s = smbinstance.make_netbios_name("!$%&/()=?+*") + assert not s + + def test_check_netbios_name(self): + assert smbinstance.check_netbios_name("ABCDEF") + assert not smbinstance.check_netbios_name("abcdef") + assert smbinstance.check_netbios_name("ABCDE12345ABCDE") + assert not smbinstance.check_netbios_name("ABCDE12345ABCDE1") + assert not smbinstance.check_netbios_name("") + + assert smbinstance.check_netbios_name(U"ABCDEF") + assert not smbinstance.check_netbios_name(U"abcdef") + assert smbinstance.check_netbios_name(U"ABCDE12345ABCDE") + assert not smbinstance.check_netbios_name(U"ABCDE12345ABCDE1") -- 1.7.6 From mkosek at redhat.com Thu Sep 8 12:06:44 2011 
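Review bot: in install/share/smb.conf.template the line `ldap suffix = cn=accounts,dc=ipa,dc=test` hard-codes a test suffix while every other site-specific value in the same file is a placeholder ($NETBIOS_NAME, $REALM, $LDAPI_SOCKET, $SMB_DN). On any deployment whose base DN is not dc=ipa,dc=test Samba will bind to the IPA directory and then search the wrong tree, and the relative `ldap user suffix`, `ldap group suffix` and `ldap machine suffix` entries all hang off that wrong base. It should read `ldap suffix = cn=accounts,$SUFFIX`, with SUFFIX added to the substitution dictionary that SMBInstance passes to the templating engine; a unit test that renders the template and checks the rendered DNs against the deployment suffix would have caught this.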
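Review bot: the root check in main() of install/tools/ipa-adtrust-install tests `os.getegid() != 0`, that is the effective group id rather than the effective user id; a non-root user in group 0 passes it and a root process with a changed egid fails it, so use `os.geteuid()`. In the IP-address block, both `except Exception, e:` handlers print `ip`, which is unbound if the first CheckedIPAddress() call raised (the resulting UnboundLocalError masks the real error) and is None in the second handler; print options.ip_address, hostaddr or read_ip instead. The "Setup complete" text lists 138 as a TCP port and 139/445 as UDP ports: Samba's nmbd uses UDP 137 and 138 and smbd listens on TCP 139 and 445, so the TCP list should be 139 and 445 and the UDP list 137 and 138. Same message: "cannot reached" should be "cannot be reached". In the final `except Exception, e:` block the loop variable in `for str in traceback.format_tb(...)` shadows the builtin str; rename it.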
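Review bot: the OPTIONS section of install/tools/man/ipa-adtrust-install.1 omits `--netbios-name`, which parse_options() accepts and which the interactive prompt refers to; add a .TP entry for it describing the 15-character uppercase ASCII letters and digits constraint that check_netbios_name() enforces. "necesary" in DESCRIPTION should be "necessary".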
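Review bot: ipa_smb_conf_exists() in ipaserver/install/smbinstance.py opens /etc/samba/smb.conf unconditionally, so when the file is absent the IOError propagates to the generic "Unexpected error" handler in ipa-adtrust-install instead of the function returning False; wrap the open in `try: ... except IOError: return False` (or test os.path.exists first). check_inst() takes an `unattended` argument it never uses. In __create_samba_user the ACI `(targetattr = "sambaNTPassword") ... allow (read) userdn="ldap:///%s"` grants the Samba bind DN read access to every user's NT hash under the suffix, so the bind account's userPassword (smb_dn_pwd) is as sensitive as the Directory Manager password; the code that generates and stores it, everything after `sub_ids = struct.unpack(` in __gen_sid_string, is cut off in the archived copy and could not be reviewed here, so please confirm it is drawn from a cryptographically strong source and that the file Samba keeps it in is root-only.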
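Review bot: tests/test_ipaserver/install/test_smbinstance.py imports os and nose without using either, and is added with mode 100755 although it has no shebang line; drop the two imports and the executable bit. The tests cover only make_netbios_name() and check_netbios_name(); nothing exercises rendering of smb.conf.template, which is where the hard-coded `ldap suffix` hides.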
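The posted unit tests only exercise NetBIOS name handling, so a mis-templated smb.conf, such as the hard-coded `ldap suffix = cn=accounts,dc=ipa,dc=test` in the template above, would pass them unnoticed. The following is an added example of the render-and-check test a reviewer would want; it is not code from the patch or from FreeIPA. SMB_CONF_TEMPLATE is a constructed excerpt of the posted template, SMB_CONF_TEMPLATE_FIXED and EXAMPLE_VARS are assumed values, and the helper names (render_smb_conf, parse_smb_conf, find_template_problems) exist only in this example.

```python
"""Render an smb.conf template and flag unsubstituted or hard-coded
LDAP settings.

Added example, not part of the FreeIPA patch or project. The template
excerpt, the fixed variant, the deployment values and the helper names
are constructed for this example.
"""
from string import Template

# Constructed excerpt of the posted template: site values are
# $-placeholders, except the ldap suffix, which the patch left hard-coded.
SMB_CONF_TEMPLATE = """[global]
workgroup = $NETBIOS_NAME
realm = $REALM
security = user
passdb backend = IPA_ldapsam:ldapi://$LDAPI_SOCKET
ldap admin dn = $SMB_DN
ldap suffix = cn=accounts,dc=ipa,dc=test
ldap user suffix = cn=users
ldap group suffix = cn=groups
ldap machine suffix = cn=computers
"""

# Hypothetical corrected template: the suffix comes from the same
# substitution dictionary as every other site-specific value.
SMB_CONF_TEMPLATE_FIXED = SMB_CONF_TEMPLATE.replace(
    "cn=accounts,dc=ipa,dc=test", "cn=accounts,$SUFFIX")

# Assumed deployment values (constructed, not taken from the page).
EXAMPLE_VARS = {
    "NETBIOS_NAME": "EXAMPLE",
    "REALM": "EXAMPLE.COM",
    "LDAPI_SOCKET": "%2fvar%2frun%2fslapd-EXAMPLE-COM.socket",
    "SMB_DN": "uid=samba,cn=sysaccounts,cn=etc,dc=example,dc=com",
    "SUFFIX": "dc=example,dc=com",
}


def render_smb_conf(template_text, variables):
    """Substitute $NAME placeholders. safe_substitute leaves unknown
    names in place so the checker below can report them instead of the
    installer dying with a KeyError halfway through configuration."""
    return Template(template_text).safe_substitute(variables)


def parse_smb_conf(text):
    """Return {lower-cased key: value} for 'key = value' lines, skipping
    blank lines, comments and section headers. Splits on the first '='
    only, so DN values containing '=' survive intact."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def find_template_problems(template_text, variables, suffix):
    """Render the template and list (setting, reason) pairs a reviewer
    should reject: a leftover '$' placeholder in an absolute DN, or an
    absolute DN that does not sit under the deployment's base suffix."""
    problems = []
    settings = parse_smb_conf(render_smb_conf(template_text, variables))
    # Only the absolute DNs are checked; the user/group/machine suffixes
    # are relative to 'ldap suffix' and inherit whatever it points at.
    for key in ("ldap suffix", "ldap admin dn"):
        value = settings.get(key, "")
        if "$" in value:
            problems.append((key, "unsubstituted placeholder: %s" % value))
        elif not value.lower().endswith(suffix.lower()):
            problems.append((key, "%s is not under %s" % (value, suffix)))
    return problems


if __name__ == "__main__":
    for label, tpl in (("as posted", SMB_CONF_TEMPLATE),
                       ("with $SUFFIX", SMB_CONF_TEMPLATE_FIXED)):
        found = find_template_problems(tpl, EXAMPLE_VARS, EXAMPLE_VARS["SUFFIX"])
        print("%s: %s" % (label, found or "no problems"))
```

Run against the template as posted the check reports the hard-coded `ldap suffix`; against the `$SUFFIX` variant it reports nothing, and if SUFFIX is missing from the dictionary it reports the unfilled placeholder rather than letting a half-rendered smb.conf reach /etc/samba.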
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 08 Sep 2011 14:06:44 +0200
Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
In-Reply-To: <20110908115245.GF21228@localhost.localdomain>
References: <20110826093926.GF2374@localhost.localdomain>
	<1314364467.20296.226.camel@willson.li.ssimo.org>
	<20110830144028.GE12659@localhost.localdomain>
	<1315433450.2684.13.camel@willson.li.ssimo.org>
	<20110908115245.GF21228@localhost.localdomain>
Message-ID: <1315483606.5141.20.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-09-08 at 13:52 +0200, Sumit Bose wrote:
> On Wed, Sep 07, 2011 at 06:10:50PM -0400, Simo Sorce wrote:
> > On Tue, 2011-08-30 at 16:40 +0200, Sumit Bose wrote:
> > > I don't think that we should run winbind.
> > >
> > > I also changed the path to the smb.conf file from /etc/ipa
> > > to /etc/samba
> > > which makes the change to /etc/sysconfig/samba unnecessary.
> > >
> > > Thanks for review.
> > >
> > Ok tested this today, after I was able to tame my machine.
> >
> > Some issues and comments still.
> >
> > 1) If you just run ipa-adtrust-install it throws an error about an
> > Illegal netbios name and quits. That's not right, as it should ask for
> > the netbios name if one is not provided on the command line presenting a
> > default option (based on the last domain component uppercased maybe),
>
> fixed
>
> >
> > 2) I see the way you write the temp smb.conf is by using a lot of
> > fd.write() calls. It would be much easier instead to use the templating
> > engine we use elsewhere in the code and drop a template file in
> > install/share, this will allow us to easily tweak the initial
> > installation options w/o touching the python code every time.
>
> fixed
>
> new version attached.
>
> bye,
> Sumit
>
> >
> > 3) Everything installed and started but my smbd coredump immediately
> > after. It is almost certainly not a problem in your patch though :-)
> >
> > So jokes aside if you fix 1 and 2 I think we can push to master.
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >

Only one nitpick from me. The new man page header should be changed
according to our last man page consolidation effort in ticket 1687 so
that it is consistent with the others. In your case, the header should
be:

+.TH "ipa-adtrust-install" "1" "Aug 23 2011" "FreeIPA" "FreeIPA Manual Pages"

Plus, the --netbios-name option is not covered in the man page.

Martin

From sbose at redhat.com Thu Sep 8 12:39:28 2011
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 8 Sep 2011 14:39:28 +0200
Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
In-Reply-To: <1315483606.5141.20.camel@dhcp-25-52.brq.redhat.com>
References: <20110826093926.GF2374@localhost.localdomain>
	<1314364467.20296.226.camel@willson.li.ssimo.org>
	<20110830144028.GE12659@localhost.localdomain>
	<1315433450.2684.13.camel@willson.li.ssimo.org>
	<20110908115245.GF21228@localhost.localdomain>
	<1315483606.5141.20.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <20110908123927.GG21228@localhost.localdomain>

On Thu, Sep 08, 2011 at 02:06:44PM +0200, Martin Kosek wrote:
> On Thu, 2011-09-08 at 13:52 +0200, Sumit Bose wrote:
> > On Wed, Sep 07, 2011 at 06:10:50PM -0400, Simo Sorce wrote:
> > > On Tue, 2011-08-30 at 16:40 +0200, Sumit Bose wrote:
> > > > I don't think that we should run winbind.
> > > >
> > > > I also changed the path to the smb.conf file from /etc/ipa
> > > > to /etc/samba
> > > > which makes the change to /etc/sysconfig/samba unnecessary.
> > > >
> > > > Thanks for review.
> > > >
> > > Ok tested this today, after I was able to tame my machine.
> > >
> > > Some issues and comments still.
> > >
> > > 1) If you just run ipa-adtrust-install it throws an error about an
> > > Illegal netbios name and quits. That's not right, as it should ask for
> > > the netbios name if one is not provided on the command line presenting a
> > > default option (based on the last domain component uppercased maybe),
> >
> > fixed
> >
> > >
> > > 2) I see the way you write the temp smb.conf is by using a lot of
> > > fd.write() calls. It would be much easier instead to use the templating
> > > engine we use elsewhere in the code and drop a template file in
> > > install/share, this will allow us to easily tweak the initial
> > > installation options w/o touching the python code every time.
> >
> > fixed
> >
> > new version attached.
> >
> > bye,
> > Sumit
> >
> > >
> > > 3) Everything installed and started but my smbd coredump immediately
> > > after. It is almost certainly not a problem in your patch though :-)
> > >
> > > So jokes aside if you fix 1 and 2 I think we can push to master.
> > >
> > > Simo.
> > >
> > > --
> > > Simo Sorce * Red Hat, Inc * New York
> > >
>
> Only one nitpick from me. The new man page header should be changed
> according to our last man page consolidation effort in ticket 1687 so
> that it is consistent with the others. In your case, the header should
> be:
>
> +.TH "ipa-adtrust-install" "1" "Aug 23 2011" "FreeIPA" "FreeIPA Manual Pages"
>
> Plus, --netbios-name option is not covered in the man page.

Thank you for the feedback, I fixed it accordingly. New version attached.

bye,
Sumit

>
> Martin
>
-------------- next part --------------
From 85909ba9437171d763c8dfe68e4caede8de75c55 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Wed, 7 Sep 2011 10:17:12 +0200
Subject: [PATCH] Add ipa-adtrust-install utility

https://fedorahosted.org/freeipa/ticket/1619
---
 freeipa.spec.in                                  |    2 +
 install/po/Makefile.in                           |    1 +
 install/share/Makefile.am                        |    1 +
 install/share/smb.conf.template                  |   25 +
 install/tools/Makefile.am                        |    1 +
 install/tools/ipa-adtrust-install                |  244 +++++++++++++++++++++
 install/tools/man/Makefile.am                    |    1 +
 install/tools/man/ipa-adtrust-install.1          |   47 ++++
 ipaserver/install/Makefile.am                    |    1 +
 ipaserver/install/service.py                     |    3 +-
 ipaserver/install/smbinstance.py                 |  246 ++++++++++++++++++++++
 tests/test_ipaserver/install/test_smbinstance.py |   59 +++++
 12 files changed, 630 insertions(+), 1 deletions(-)
 create mode 100644 install/share/smb.conf.template
 create mode 100755 install/tools/ipa-adtrust-install
 create mode 100644 install/tools/man/ipa-adtrust-install.1
 create mode 100644 ipaserver/install/smbinstance.py
 create mode 100755 tests/test_ipaserver/install/test_smbinstance.py
diff --git a/freeipa.spec.in b/freeipa.spec.in index 31a1e943a3c33645e9d6a8a2c4fc86b89c32f382..772c5e39b13a740a33667efcd6ebfaca7c539a43 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -395,6 +395,7 @@ fi %doc COPYING README Contributors.txt %{_sbindir}/ipa-ca-install %{_sbindir}/ipa-dns-install +%{_sbindir}/ipa-adtrust-install %{_sbindir}/ipa-server-install %{_sbindir}/ipa-replica-conncheck %{_sbindir}/ipa-replica-install @@ -476,6 +477,7 @@ fi %{_mandir}/man1/ipa-server-certinstall.1.gz %{_mandir}/man1/ipa-server-install.1.gz %{_mandir}/man1/ipa-dns-install.1.gz +%{_mandir}/man1/ipa-adtrust-install.1.gz %{_mandir}/man1/ipa-ca-install.1.gz %{_mandir}/man1/ipa-compat-manage.1.gz %{_mandir}/man1/ipa-nis-manage.1.gz diff --git a/install/po/Makefile.in b/install/po/Makefile.in index 47c8bbba56041f95fc6641ff0188ab60db658de8..ac08b47921c0a96d0fe06b8d8f1419d7cd76bd36 100644 --- a/install/po/Makefile.in +++ b/install/po/Makefile.in @@ -51,6 +51,7 @@ PY_EXPLICIT_FILES = \ install/tools/ipa-server-install \ install/tools/ipa-ldap-updater \ install/tools/ipa-dns-install \ + install/tools/ipa-adtrust-install \ install/tools/ipa-ca-install \ ipa-client/ipa-install/ipa-client-install diff --git a/install/share/Makefile.am b/install/share/Makefile.am index f2a6a6cae418b2f31151130c4fd53db8cbbe922a..50ec816b42fcbad619504bf3ccf6ef293e5188ba 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -32,6 +32,7 @@ app_DATA = \ krb.con.template \ krbrealm.con.template \ preferences.html.template \ + smb.conf.template \ referint-conf.ldif \ dna.ldif \ master-entry.ldif \ diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template new file mode 100644 index 0000000000000000000000000000000000000000..55948badef6e75e5159ecbd6f83ad8b62aff792a --- /dev/null +++ b/install/share/smb.conf.template 
@@ -0,0 +1,25 @@ +[global] +workgroup = $NETBIOS_NAME +realm = $REALM +security = user +domain master = yes +domain logons = yes +log level = 1 +max log size = 100000 +log file = /var/log/samba/log.%d +passdb backend = IPA_ldapsam:ldapi://$LDAPI_SOCKET +ldapsam:trusted=yes +ldap admin dn = $SMB_DN +ldap suffix = cn=accounts,dc=ipa,dc=test +ldap user suffix = cn=users +ldap group suffix = cn=groups +ldap machine suffix = cn=computers +rpc_server:epmapper = external +rpc_server:lsarpc = external +rpc_server:lsass = external +rpc_server:lsasd = external +rpc_server:samr = external +rpc_server:netlogon = external +rpc_server:tcpip = yes +rpc_daemon:epmd = fork +rpc_daemon:lsasd = fork diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index fc615ec04f324c2d9c98dc8cf674938e1064bec6..96da7531764598878f94b6abd54c27a74671c028 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am @@ -8,6 +8,7 @@ sbin_SCRIPTS = \ ipa-ca-install \ ipa-dns-install \ ipa-server-install \ + ipa-adtrust-install \ ipa-replica-conncheck \ ipa-replica-install \ ipa-replica-prepare \ diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install new file mode 100755 index 0000000000000000000000000000000000000000..86c69ca459026a0fd91ab196461cd63547f7ca57 --- /dev/null +++ b/install/tools/ipa-adtrust-install 
@@ -0,0 +1,244 @@ +#! /usr/bin/python +# +# Authors: Sumit Bose +# Based on ipa-server-install by Karl MacMillan +# and ipa-dns-install by Martin Nagy +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import traceback + +from ipaserver.plugins.ldap2 import ldap2 +from ipaserver.install import smbinstance +from ipaserver.install.installutils import * +from ipaserver.install import installutils +from ipapython import version +from ipapython import ipautil, sysrestore +from ipalib import api, errors, util +from ipapython.config import IPAOptionParser +import krbV +import ldap + +def parse_options(): + parser = IPAOptionParser(version=version.VERSION) + parser.add_option("-p", "--ds-password", dest="dm_password", + sensitive=True, help="directory manager password") + parser.add_option("-d", "--debug", dest="debug", action="store_true", + default=False, help="print debugging information") + parser.add_option("--ip-address", dest="ip_address", + type="ip", ip_local=True, help="Master Server IP Address") + parser.add_option("--netbios-name", dest="netbios_name", + help="NetBIOS name of the IPA domain") + parser.add_option("-U", "--unattended", dest="unattended", action="store_true", + default=False, help="unattended installation never prompts the user") + + options, args = parser.parse_args() + safe_options = 
parser.get_safe_opts(options) + + return safe_options, options + +def netbios_name_error(name): + print "Illegal NetBIOS name [%s].\n" % name + print "Up to 15 characters and only uppercase ASCII letter and digits are allowed." + +def read_netbios_name(netbios_default): + netbios_name = "" + + print "Enter the NetBIOS name for the IPA domain." + print "Only up to 15 uppercase ASCII letters and digits are allowed." + print "Example: EXAMPLE." + print "" + print "" + if not netbios_default: + netbios_default = "EXAMPLE" + while True: + netbios_name = ipautil.user_input("NetBIOS domain name", netbios_default, allow_empty = False) + print "" + if smbinstance.check_netbios_name(netbios_name): + break + + netbios_name_error(netbios_name) + + return netbios_name + +def main(): + safe_options, options = parse_options() + + if os.getegid() != 0: + sys.exit("Must be root to setup AD trusts on server") + + installutils.check_server_configuration() + + standard_logging_setup("/var/log/ipaserver-install.log", options.debug, filemode='a') + print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log" + + logging.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options)) + logging.debug("missing options might be asked for interactively later\n") + + global fstore + fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + print "==============================================================================" + print "This program will setup components needed to establish trust to AD domains for" + print "the FreeIPA Server." + print "" + print "This includes:" + print " * Configure Samba" + print " * Add trust related objects to FreeIPA LDAP server" + #TODO: + #print " * Add a SID to all users and Posix groups" + print "" + print "To accept the default shown in brackets, press the Enter key." 
+ print "" + + # Check if samba packages are installed + if not smbinstance.check_inst(options.unattended): + sys.exit("Aborting installation.") + + # Initialize the ipalib api + cfg = dict( + in_server=True, + debug=options.debug, + ) + api.bootstrap(**cfg) + api.finalize() + + if smbinstance.ipa_smb_conf_exists(): + sys.exit("Aborting installation.") + + # Check we have a public IP that is associated with the hostname + try: + if options.ip_address: + ip = ipautil.CheckedIPAddress(options.ip_address, match_local=True) + else: + hostaddr = resolve_host(api.env.host) + ip = hostaddr and ipautil.CheckedIPAddress(hostaddr, match_local=True) + except Exception, e: + print "Error: Invalid IP Address %s: %s" % (ip, e) + ip = None + + if not ip: + if options.unattended: + sys.exit("Unable to resolve IP address for host name") + else: + read_ip = read_ip_address(api.env.host, fstore) + try: + ip = ipautil.CheckedIPAddress(read_ip, match_local=True) + except Exception, e: + print "Error: Invalid IP Address %s: %s" % (ip, e) + sys.exit("Aborting installation.") + + ip_address = str(ip) + logging.debug("will use ip_address: %s\n", ip_address) + + if not options.unattended: + print "" + print "The following operations may take some minutes to complete." + print "Please wait until the prompt is returned." 
+ print "" + + # Create a Samba instance + if options.unattended and not options.dm_password: + sys.exit("\nIn unattended mode you need to provide at least the -p option") + + netbios_name = options.netbios_name + if not netbios_name: + netbios_name = smbinstance.make_netbios_name(api.env.domain) + + if not smbinstance.check_netbios_name(netbios_name): + if options.unattended: + netbios_name_error(netbios_name) + sys.exit("Aborting installation.") + else: + netbios_name = None + if options.netbios_name: + netbios_name_error(options.netbios_name) + + if not options.unattended and ( not netbios_name or not options.netbios_name): + netbios_name = read_netbios_name(netbios_name) + + dm_password = options.dm_password or read_password("Directory Manager", + confirm=False, validate=False) + smb = smbinstance.SMBInstance(fstore, dm_password) + + # try the connection + try: + smb.ldap_connect() + smb.ldap_disconnect() + except ldap.INVALID_CREDENTIALS, e: + sys.exit("Password is not valid!") + + if smb.dm_password: + api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=smb.dm_password) + else: + # See if our LDAP server is up and we can talk to it over GSSAPI + ccache = krbV.default_context().default_ccache().name + api.Backend.ldap2.connect(ccache) + + smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain, + netbios_name) + smb.create_instance() + + print "==============================================================================" + print "Setup complete" + print "" + print "\tYou must make sure these network ports are open:" + print "\t\tTCP Ports:" + print "\t\t * 138: netbios-dgm" + print "\t\t * 139: netbios-ssn" + print "\t\t * 445: microsoft-ds" + print "\t\tUDP Ports:" + print "\t\t * 138: netbios-dgm" + print "\t\t * 139: netbios-ssn" + print "\t\t * 445: microsoft-ds" + print "" + print "\tAdditionally you have to make sure the FreeIPA LDAP server cannot reached" + print "\tby any domain controller in the Active Directory domain by 
closing the" + print "\tfollowing ports for these servers:" + print "\t\tTCP Ports:" + print "\t\t * 389, 636: LDAP/LDAPS" + print "\t\tUDP Ports:" + print "\t\t * 389: (C)LDAP" + print "\tYou may want to choose to REJECT the network packets instead of DROPing them" + print "\tto avoid timeouts on the AD domain controllers." + + return 0 + +try: + sys.exit(main()) +except SystemExit, e: + sys.exit(e) +except KeyboardInterrupt: + print "Installation cancelled." +except RuntimeError, e: + print str(e) +except HostnameLocalhost: + print "The hostname resolves to the localhost address (127.0.0.1/::1)" + print "Please change your /etc/hosts file so that the hostname" + print "resolves to the ip address of your network interface." + print "The KDC service does not listen on localhost" + print "" + print "Please fix your /etc/hosts file and restart the setup program" +except Exception, e: + message = "Unexpected error - see ipaserver-install.log for details:\n %s" % str(e) + print message + message = str(e) + for str in traceback.format_tb(sys.exc_info()[2]): + message = message + "\n" + str + logging.debug(message) + sys.exit(1) diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am index 71d9b29c87d2b24c51d3048dc1050e099a89835d..d5b5976b0fd8c8e6683d09e7ade575fda2527832 100644 --- a/install/tools/man/Makefile.am +++ b/install/tools/man/Makefile.am @@ -13,6 +13,7 @@ man1_MANS = \ ipa-server-certinstall.1 \ ipa-server-install.1 \ ipa-dns-install.1 \ + ipa-adtrust-install.1 \ ipa-ca-install.1 \ ipa-ldap-updater.1 \ ipa-compat-manage.1 \ diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 new file mode 100644 index 0000000000000000000000000000000000000000..a3981adf48d14cc0e540c646fff099490203f862 --- /dev/null +++ b/install/tools/man/ipa-adtrust-install.1 
@@ -0,0 +1,47 @@ +.\" A man page for ipa-adtrust-install +.\" Copyright (C) 2011 Red Hat, Inc. +.\" +.\" This program is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation, either version 3 of the License, or +.\" (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, but +.\" WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +.\" General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program. If not, see . +.\" +.\" Author: Sumit Bose +.\" +.TH "ipa-adtrust-install" "1" "Aug 23 2011" "FreeIPA" "FreeIPA Manual Pages" +.SH "NAME" +ipa\-adtrust\-install \- Prepare an IPA server to be able to establish trust relationships with AD domains +.SH "SYNOPSIS" +ipa\-adtrust\-install [\fIOPTION\fR]... +.SH "DESCRIPTION" +Adds all necesary objects and configuration to allow an IPA server to create a +trust to an Active Directory domain. This requires that the IPA server is +already installed and configured. +.SH "OPTIONS" +.TP +\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR +The password to be used by the Directory Server for the Directory Manager user +.TP +\fB\-d\fR, \fB\-\-debug\fR +Enable debug logging when more verbose output is needed +.TP +\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR +The IP address of the IPA server. If not provided then this is determined based on the hostname of the server. +.TP +\fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR +The NetBIOS name for the IPA domain. If not provided then this is determined based on the leading component of the DNS domain name. 
+.TP +\fB\-U\fR, \fB\-\-unattended\fR +An unattended installation that will never prompt for user input +.SH "EXIT STATUS" +0 if the installation was successful + +1 if an error occurred diff --git a/ipaserver/install/Makefile.am b/ipaserver/install/Makefile.am index 8932eadbb7ace71372277259a557884d989ea2c1..398551bd78aa4ba893a3953f0c7ee7bcb23d1a14 100644 --- a/ipaserver/install/Makefile.am +++ b/ipaserver/install/Makefile.am @@ -10,6 +10,7 @@ app_PYTHON = \ krbinstance.py \ httpinstance.py \ ntpinstance.py \ + smbinstance.py \ service.py \ installutils.py \ replication.py \ diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 2f80749ade535ff24cbacd90f8c03699432f3186..5f7260e2343e9d9373ff4cfd8d071b82f218ed33 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -37,7 +37,8 @@ SERVICE_LIST = { 'KPASSWD':('kadmin', 20), 'DNS':('named', 30), 'HTTP':('httpd', 40), - 'CA':('pki-cad', 50) + 'CA':('pki-cad', 50), + 'ADTRUST':('smb', 60) } def stop(service_name, instance_name="", capture_output=True): diff --git a/ipaserver/install/smbinstance.py b/ipaserver/install/smbinstance.py new file mode 100644 index 0000000000000000000000000000000000000000..4e749fe5b7a0ff48a900948ec7c9ee07b2f1c310 --- /dev/null +++ b/ipaserver/install/smbinstance.py 
@@ -0,0 +1,246 @@ +# Authors: Sumit Bose +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import logging + +import os +import ldap +import service +import tempfile +from ipaserver import ipaldap +from ipaserver.install.dsinstance import realm_to_serverid +from ipalib import errors +from ipapython import sysrestore +from ipapython import ipautil + +import random +import string +import struct + +allowed_netbios_chars = string.ascii_uppercase + string.digits + +def check_inst(unattended): + has_smb = True + + if not os.path.exists('/usr/sbin/smbd'): + print "Samba was not found on this system" + print "Please install the 'samba' package and start the installation again" + has_smb = False + + #TODO: Add check for needed samba4 libraries + + return has_smb + +def ipa_smb_conf_exists(): + fd = open('/etc/samba/smb.conf', 'r') + lines = fd.readlines() + fd.close() + for line in lines: + if line.startswith('### Added by IPA Installer ###'): + return True + return False + + +def check_netbios_name(s): + # NetBIOS names may not be longer than 15 allowed characters + if not s or len(s) > 15 or ''.join([c for c in s if c not in allowed_netbios_chars]): + return False + + return True + +def make_netbios_name(s): + return ''.join([c for c in s.split('.')[0].upper() if c in allowed_netbios_chars])[:15] + +class 
SMBInstance(service.Service): + def __init__(self, fstore=None, dm_password=None): + service.Service.__init__(self, "smb", dm_password=dm_password) + + if fstore: + self.fstore = fstore + else: + self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + def __create_samba_user(self): + print "The user for Samba is %s" % self.smb_dn + try: + self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE) + print "Samba user entry exists, not resetting password" + return + except errors.NotFound: + pass + + # The user doesn't exist, add it + entry = ipaldap.Entry(self.smb_dn) + entry.setValues("objectclass", ["account", "simplesecurityobject"]) + entry.setValues("uid", "samba") + entry.setValues("userPassword", self.smb_dn_pwd) + self.admin_conn.add_s(entry) + + # And finally grant it permission to read NT passwords, we do not want + # to support LM passwords so there is no need to allow access to them + mod = [(ldap.MOD_ADD, 'aci', + str(['(targetattr = "sambaNTPassword")(version 3.0; acl "Samba user can read NT passwords"; allow (read) userdn="ldap:///%s";)' % self.smb_dn]))] + try: + self.admin_conn.modify_s(self.suffix, mod) + except ldap.TYPE_OR_VALUE_EXISTS: + logging.debug("samba user aci already exists in suffix %s on %s" % (self.suffix, self.admin_conn.host)) + + def __gen_sid_string(self): + sub_ids = struct.unpack(" +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. 
+# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +""" +Test `smbinstance` +""" + +import os +import nose + +from ipaserver.install import smbinstance + +class test_smbinstance: + """ + Test `smbinstance`. + """ + + def test_make_netbios_name(self): + s = smbinstance.make_netbios_name("ABCDEF") + assert s == 'ABCDEF' and isinstance(s, str) + s = smbinstance.make_netbios_name(U"ABCDEF") + assert s == 'ABCDEF' and isinstance(s, unicode) + s = smbinstance.make_netbios_name("abcdef") + assert s == 'ABCDEF' + s = smbinstance.make_netbios_name("abc.def") + assert s == 'ABC' + s = smbinstance.make_netbios_name("abcdefghijklmnopqr.def") + assert s == 'ABCDEFGHIJKLMNO' + s = smbinstance.make_netbios_name("A!$%B&/()C=?+*D") + assert s == 'ABCD' + s = smbinstance.make_netbios_name("!$%&/()=?+*") + assert not s + + def test_check_netbios_name(self): + assert smbinstance.check_netbios_name("ABCDEF") + assert not smbinstance.check_netbios_name("abcdef") + assert smbinstance.check_netbios_name("ABCDE12345ABCDE") + assert not smbinstance.check_netbios_name("ABCDE12345ABCDE1") + assert not smbinstance.check_netbios_name("") + + assert smbinstance.check_netbios_name(U"ABCDEF") + assert not smbinstance.check_netbios_name(U"abcdef") + assert smbinstance.check_netbios_name(U"ABCDE12345ABCDE") + assert not smbinstance.check_netbios_name(U"ABCDE12345ABCDE1") -- 1.7.6 From rcritten at redhat.com Thu Sep 8 14:34:54 2011 
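Review bot: in install/share/smb.conf.template the line `ldap suffix = cn=accounts,dc=ipa,dc=test` hard-codes one test realm's base DN while every other site-specific value in the file ($NETBIOS_NAME, $REALM, $LDAPI_SOCKET, $SMB_DN) is a placeholder, so on any realm other than ipa.test smbd is pointed at a base that does not exist. Make the base DN a variable filled from the same dictionary as $SMB_DN, e.g. `ldap suffix = cn=accounts,$SUFFIX`.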
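Review bot: in ipa-adtrust-install, main() guards the privileged setup with `if os.getegid() != 0:`, which tests the effective group, not the effective user; use `os.geteuid()` for the root check, since a process can carry gid 0 without being root and root can run with another effective gid.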
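Review bot: in ipa-adtrust-install the two `except Exception, e:` handlers around CheckedIPAddress print `ip`, which in the first block is only assigned when the call succeeds, so a bad --ip-address or a failed host lookup raises UnboundLocalError inside the handler and ends in the generic "Unexpected error" path instead of the intended message; in the second block `ip` is still None, so the user sees "Invalid IP Address None". Print the value that actually failed (options.ip_address or hostaddr, and read_ip) instead.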
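Review bot: the firewall summary printed at the end of main() in ipa-adtrust-install lists 138, 139 and 445 under both "TCP Ports" and "UDP Ports", which does not match the services: 139 (netbios-ssn) and 445 (microsoft-ds) are TCP ports served by smbd, while 137 (netbios-ns) and 138 (netbios-dgm) are UDP ports served by nmbd, and 137 is not listed at all. Please print one correct list per protocol, and say whether nmbd is started at all, since 137/138 only matter if it is. In the same block "cannot reached" should be "cannot be reached" and "DROPing them" reads better as "dropping them".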
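Review bot: ipa-adtrust-install never imports os, sys or logging itself and relies on `from ipaserver.install.installutils import *` to pull them in, together with read_password, resolve_host, read_ip_address, standard_logging_setup and HostnameLocalhost, which ties the script to whatever that module happens to import; import the standard modules explicitly and name the helpers you use. In the final `except Exception, e:` handler the loop `for str in traceback.format_tb(...)` shadows the builtin str; rename the variable (e.g. `frame`).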
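Review bot: in ipa-adtrust-install.1, "necesary" in DESCRIPTION should be "necessary", and the -p/--ds-password text "The password to be used by the Directory Server for the Directory Manager user" describes a password being set, whereas here it is the existing Directory Manager password the tool binds with; say that instead.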
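Review bot: ipa_smb_conf_exists() in smbinstance.py opens /etc/samba/smb.conf unconditionally, so when the file is absent (check_inst() only verifies that /usr/sbin/smbd exists, and an admin may have removed the config) the IOError propagates to the "Unexpected error" handler instead of the function returning False; catch IOError for ENOENT and return False. Its caller in main() also exits with a bare "Aborting installation." when the marker line is found; tell the user that an IPA-managed smb.conf already exists and what to do about it.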
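Review bot: in __create_samba_user() (smbinstance.py) the `return` taken when the entry already exists also skips the ACI grant that follows it, so a re-run after a failure between add_s() and modify_s() never gives the samba user read access to sambaNTPassword; modify_s() already tolerates TYPE_OR_VALUE_EXISTS, so restructure it so that only the entry creation is skipped. Also, since this ACI is the deliberate minimal grant for a password-equivalent hash, please confirm that sambaNTPassword is excluded from the broader read ACIs on the suffix in the same way userPassword and krbPrincipalKey are; otherwise the targeted allow changes nothing and the hash is readable by whoever those ACIs already cover.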
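The thread above settles on generating smb.conf from a template file under install/share rather than from a series of fd.write() calls. The following is an added example, not FreeIPA's code, of the fail-closed behaviour that approach should have: enumerate the placeholders the template needs, refuse to render when any value is missing, and check the rendered result against the realm it was rendered for. It assumes the placeholders are Python string.Template syntax ($NAME), which is what the template in the patch uses; the trimmed template text, the realm IPA.TEST, the samba bind DN and the socket path are all constructed for this example, and $SUFFIX is a placeholder the example introduces for the base DN.

```python
"""
Render an smb.conf from a $VAR template and refuse to emit it with gaps.

Added example, not FreeIPA code. Assumes string.Template placeholder
syntax; template text and values below are constructed for illustration.
"""
import re
from string import Template

# Constructed: a trimmed [global] section in the style of the patch's
# smb.conf.template, with the base DN parameterised as $SUFFIX.
SMB_CONF_TEMPLATE = """\
### Added by IPA Installer ###
[global]
workgroup = $NETBIOS_NAME
realm = $REALM
security = user
passdb backend = IPA_ldapsam:ldapi://$LDAPI_SOCKET
ldap admin dn = $SMB_DN
ldap suffix = cn=accounts,$SUFFIX
ldap user suffix = cn=users
"""

# Constructed values for a hypothetical realm IPA.TEST (DN and socket
# path are assumptions of this example, not the project's layout).
EXAMPLE_VARS = {
    "NETBIOS_NAME": "IPA",
    "REALM": "IPA.TEST",
    "LDAPI_SOCKET": "%2fvar%2frun%2fslapd-IPA-TEST.socket",
    "SMB_DN": "uid=samba,cn=sysaccounts,cn=etc,dc=ipa,dc=test",
    "SUFFIX": "dc=ipa,dc=test",
}


def required_variables(template_text):
    """Names of every $NAME / ${NAME} placeholder in the template."""
    names = set()
    for match in Template.pattern.finditer(template_text):
        name = match.group("named") or match.group("braced")
        if name:
            names.add(name)
    return names


def render(template_text, variables):
    """Expand the template, or raise KeyError naming every missing value.

    substitute() (unlike safe_substitute()) already refuses to leave a
    placeholder unfilled; computing the set first reports them all at once.
    """
    missing = required_variables(template_text) - set(variables)
    if missing:
        raise KeyError("template needs values for: " + ", ".join(sorted(missing)))
    return Template(template_text).substitute(variables)


def parse_global(rendered):
    """Read the 'key = value' pairs of the [global] section into a dict."""
    section, values = None, {}
    for raw in rendered.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def suffix_matches(rendered, suffix):
    """True if the rendered 'ldap suffix' sits under the realm's base DN.

    This is the check that catches a base DN left hard-coded for one
    test realm: render for the target realm, then compare.
    """
    ldap_suffix = parse_global(rendered).get("ldap suffix", "")
    return ldap_suffix.lower().endswith(suffix.lower())


if __name__ == "__main__":
    conf = render(SMB_CONF_TEMPLATE, EXAMPLE_VARS)
    print(conf)
    print("suffix ok:", suffix_matches(conf, EXAMPLE_VARS["SUFFIX"]))
```

Running it prints the rendered [global] section for IPA.TEST and "suffix ok: True"; dropping SUFFIX from EXAMPLE_VARS makes render() raise before any file is written, which is the behaviour you want for a file that tells smbd where to bind and with which DN.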
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 08 Sep 2011 10:34:54 -0400 Subject: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA 2.1.1 Message-ID: <4E68D28E.9090204@redhat.com> The FreeIPA Project is proud to announce the latest release of the FreeIPA. As always, the latest tarball can be found at http://freeipa.org/ FreeIPA 2.1.1 is available in Fedora 15. It is currently in the updates-testing repository along with a number of its dependencies. Fedora 16 and rawhide builds will be coming soon. == Highlights == * Reduced number of ports needed to punch through firewall by proxying dogtag through port 443 * New plugin, automember, that can automatically add users and hosts to groups and hostgroups based on regular expressions. * Indicator in the UI and CLI when a host has a one-time password set * DNS improvements - loading new zones via regular polling or LDAP persistent search == Upgrading == === Server === To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following: # yum update freeipa-server --enablerepo=updates-testing This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c packages (and perhaps some others). A script will be executed in the rpm postinstall phase to update the IPA LDAP server with any required changes. There is a bug reported against 389-ds, https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to read-write locks. The NSPR RW lock implementation does not safely allow re-entrant use of reader locks. This is a timing issue so it is difficult to predict. During testing one user experienced this and the upgrade hung. To break the hang kill the ns-slapd process for your realm, wait for the yum transaction to complete, then restart 389-ds and manually run the update process: # service dirsrv start # ipa-ldap-updater === Client === The ipa-client-install tool in the ipa-client package is just a configuration tool. There should be no need to re-run this on every client already enrolled. 
== Detailed Changelog ==

Adam Young (1):
  * enable proxy for dogtag

Alexander Bokovoy (1):
  * Propagate environment when it is required.

Endi S. Dewata (19):
  * Fixed browser configuration pages
  * Hide activation/deactivation link from regular users.
  * Fixed problem selecting value from combobox
  * Fixed inconsistent layout for password reset dialog.
  * Removed 'Hide already enrolled' checkbox.
  * Replaced page dirty dialog title.
  * Updated add and delete association dialog titles.
  * Removed unnecessary HBAC/sudo rule category modification.
  * Fixed command partial failure handling.
  * Fixed default map type in automount map adder dialog.
  * Fixed host OTP status.
  * Fixed host keytab status after setting OTP.
  * Fixed host adder dialog to show default DNS zone.
  * Fixed hard-coded UI messages.
  * Fixed problem adding hostgroup into netgroup.
  * Fixed problem with combobox.
  * Fixed hard-coded UI message in entity.js.
  * Fixed missing permission filter field.
  * Fixed problem with combobox using Sahi

Jan Cholasta (6):
  * Make sure messagebus is running prior to starting certmonger.
  * Verify that passwords specified through command line options of ipa-server-install meet the length requirement.
  * Add option to install without the automatic redirect to the Web UI.
  * Search for users in all the naming contexts present on the directory server.
  * Add subscription-manager dependency for RHEL.
  * Verify that the external CA certificate files are correct.

John Dennis (11):
  * ticket 1568 - DN objects should support the insert method
  * ticket 1569 - Test DN object non-latin Unicode support
  * ticket 1600 - convert unittests to use DN objects
  * ticket 1659 - invalid i18n string in dns.py
  * ticket 1660 - update LINGUAS file, add missing po files
  * ticket 1661 - Update all po files
  * ticket 1650 - compute accurate translation statistics
  * ticket 1707 - add documentation validation to makeapi tool
  * ticket 1705 - internationalize help topics
  * ticket 1706 - internationalize cli help framework
  * ticket 1669 - improve i18n docstring extraction

Jr Aquino (2):
  * Improve sudorule documentation
  * Create FreeIPA CLI Plugin for the 389 Auto Membership plugin

Martin Kosek (6):
  * Add missing attribute labels for sudorule
  * Fix automountkey-mod
  * Fix automountlocation-import conflicts
  * ipa-client-install breaks network configuration
  * Fix sudo help and summaries
  * Let Bind track data changes

Petr Vobornik (8):
  * error dialog for batch command
  * Uncheck checkboxes in association after deletion
  * Show error in adding associations
  * Validation of details facet before update
  * Modify serial associator to use batch
  * Modifying sudo options refreshes the whole page
  * Enable update and reset button only if dirty
  * Attributes table not scrollable

Rob Crittenden (24):
  * Add information on setting api.env.host in the ipactl.8 man page
  * Log each command in a batch separately.
  * Do batch logging on successful commands too, not just failures.
  * Fix wording in examples of delegation plugin.
  * Suppress 389-ds debug output when starting services
  * Fix thread deadlock by using pthreads library instead of NSPR.
  * Change the way has_keytab is determined, also check for password.
  * Add additional pam ftp services to HBAC, and a ftp HBAC service group
  * Add label for HBAC services to show as members
  * Add option to only prompt once for passwords, use in entitle_register
  * Retrieve password/keytab state when modifying a host.
  * Disable reverse lookups in ipa-join and ipa-getkeytab
  * Remove more 389-ds files/directories on uninstallation.
  * Remove 389-ds upgrade state during uninstall
  * Set min nvr of pki-ca to 9.0.12 for fix in BZ 700505
  * Add common is_installed() fn, better uninstall logging, check for errors.
  * Add external source hosts to HBAC.
  * Roll back changes if client installation fails.
  * Add netgroup as possible memberOf for hostgroups
  * Sort lists so order is predictable and tests pass as expected.
  * Suppress managed netgroups from showing as memberof hostgroups.
  * Use the IPA server cert profile in the installer.
  * Set min nvr of 389-ds-base to 1.2.9.7-1 for BZ 728605
  * Become IPA 2.1.1

Simo Sorce (1):
  * conncheck: Fix List of ports to check

From edewata at redhat.com Thu Sep 8 15:28:34 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 08 Sep 2011 10:28:34 -0500
Subject: [Freeipa-devel] [PATCH] 265 Fixed sudo rule association dialogs.
Message-ID: <4E68DF22.6010805@redhat.com>

The adder dialog for the user and host tables in the sudo rule details page has been fixed to use --not-in-sudorules to avoid showing entries that are already added to the rule either directly or indirectly via groups.

This does not apply to the command and run-as tables because they do not support such an option.

Ticket #1768

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0266-Fixed-sudo-rule-association-dialogs.patch
Type: text/x-patch
Size: 3509 bytes
Desc: not available
URL: 

From pvoborni at redhat.com Thu Sep 8 16:13:36 2011
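The membership logic behind the --not-in-sudorules filter in Endi's patch 266 above, as an added editor's example (Python written for this page, not code from the patch or from FreeIPA): a user is hidden from the adder dialog when it is a member of the rule directly or through any group, including nested groups. The attribute keys (memberuser_user, memberuser_group, usercategory), the directory contents and the rule are constructed for the example.

```python
"""Candidate filtering for a sudo rule user adder dialog (added example).

Models what a "--not-in-sudorules" style filter must exclude: entries
already in the rule directly (memberuser_user) or indirectly, via a group
in memberuser_group, following nested groups. All data is constructed.
"""
from typing import Dict, List, Optional, Set

# Constructed sample directory: group -> direct user members.
GROUP_USERS: Dict[str, Set[str]] = {
    "admins": {"alice"},
    "ops": {"bob", "carol"},
    "staff": {"dave"},        # also nests admins and ops, see GROUP_GROUPS
    "contractors": {"erin"},
}
# Constructed nesting: group -> groups that are its members.
GROUP_GROUPS: Dict[str, Set[str]] = {
    "staff": {"admins", "ops"},
}
ALL_USERS: List[str] = ["alice", "bob", "carol", "dave", "erin", "frank"]


def expand_group(group: str,
                 group_users: Dict[str, Set[str]],
                 group_groups: Dict[str, Set[str]],
                 seen: Optional[Set[str]] = None) -> Set[str]:
    """Every user reachable from `group`, following nested groups.

    `seen` guards against cycles in group nesting, so the walk terminates
    even on a malformed directory where groups contain each other.
    """
    if seen is None:
        seen = set()
    if group in seen:
        return set()
    seen.add(group)
    users = set(group_users.get(group, set()))
    for nested in group_groups.get(group, set()):
        users |= expand_group(nested, group_users, group_groups, seen)
    return users


def users_in_rule(rule: Dict[str, object],
                  group_users: Dict[str, Set[str]],
                  group_groups: Dict[str, Set[str]]) -> Set[str]:
    """Users that are members of the sudo rule directly or via groups."""
    members = set(rule.get("memberuser_user", ()))
    for group in rule.get("memberuser_group", ()):
        members |= expand_group(group, group_users, group_groups)
    return members


def not_in_sudorule(all_users: List[str],
                    rule: Dict[str, object],
                    group_users: Dict[str, Set[str]],
                    group_groups: Dict[str, Set[str]]) -> List[str]:
    """Candidates for the adder dialog: known users not already in the rule.

    A rule whose user category is 'all' already covers everybody, so the
    dialog has nothing left to offer.
    """
    if rule.get("usercategory") == "all":
        return []
    excluded = users_in_rule(rule, group_users, group_groups)
    return [u for u in all_users if u not in excluded]


# Constructed sample rule: frank is a direct member; everyone in "staff"
# (and its nested groups admins and ops) is an indirect member.
SAMPLE_RULE: Dict[str, object] = {
    "cn": "ops-sudo",
    "memberuser_user": ["frank"],
    "memberuser_group": ["staff"],
}

if __name__ == "__main__":
    # Only erin (in "contractors", not in the rule) remains offered.
    print(not_in_sudorule(ALL_USERS, SAMPLE_RULE, GROUP_USERS, GROUP_GROUPS))
```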
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 08 Sep 2011 18:13:36 +0200
Subject: [Freeipa-devel] [PATCH] 265 Fixed layout problem in permission adder dialog.
In-Reply-To: <4E67F305.9060001@redhat.com>
References: <4E67F305.9060001@redhat.com>
Message-ID: <4E68E9B0.9080500@redhat.com>

On 09/08/2011 12:41 AM, Endi Sukma Dewata wrote:
> In order to maintain consistent layout between details page and dialog
> boxes the IPA.details_list_section has been replaced with
> IPA.details_table_section which is based on table.
>
> The IPA.target_section and other subclasses of IPA.details_list_section
> have been converted to use IPA.details_table_section as well.
>
> The unit tests have been updated accordingly.
>
> Ticket #1648

Some minor things:

In IPA.details_table_section:
1) not renamed list_section_create method

Code clean-up in aci.js:
2) IPA.rights_section can be deleted and replaced by spec object usage. It doesn't add any functionality.
3) IPA.permission_details_facet can be deleted - it isn't used anywhere.

Should we unite label align? In add dialog labels are aligned left, in details table right.

Otherwise it looks OK.

-- 
Petr Vobornik

From edewata at redhat.com Thu Sep 8 16:51:49 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 08 Sep 2011 11:51:49 -0500
Subject: [Freeipa-devel] [PATCH] 265 Fixed layout problem in permission adder dialog.
In-Reply-To: <4E68E9B0.9080500@redhat.com>
References: <4E67F305.9060001@redhat.com> <4E68E9B0.9080500@redhat.com>
Message-ID: <4E68F2A5.7010901@redhat.com>

On 9/8/2011 11:13 AM, Petr Vobornik wrote:
> In IPA.details_table_section:
> 1) not renamed list_section_create method

Fixed.

> Code clean-up in aci.js:
> 2) IPA.rights_section can be deleted and replaced by spec object usage.
> It doesn't add any functionality.

Fixed.

> 3) IPA.permission_details_facet can be deleted - it isn't used anywhere.

Fixed.

> Should we unite label align? In add dialog labels are aligned left, in
> details table right.

In my personal opinion the alignment is ok right now, but let's ask UXD about that.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0265-2-Fixed-layout-problem-in-permission-adder-dialog.patch
Type: text/x-patch
Size: 42675 bytes
Desc: not available
URL: 

From edewata at redhat.com Thu Sep 8 16:53:46 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 08 Sep 2011 11:53:46 -0500
Subject: [Freeipa-devel] [PATCH] 266 Fixed sudo rule association dialogs.
In-Reply-To: <4E68DF22.6010805@redhat.com>
References: <4E68DF22.6010805@redhat.com>
Message-ID: <4E68F31A.7060809@redhat.com>

On 9/8/2011 10:28 AM, Endi Sukma Dewata wrote:
> The adder dialog for the user and host tables in sudo rule details
> page have been fixed to use --not-in-sudorules to avoid showing
> entries that are already added into the rule either directly or
> indirectly via groups.
>
> This does not apply to the command and run-as tables because they
> do not support such option.
>
> Ticket #1768

Wrong email title. It should be patch #266.

-- 
Endi S. Dewata

From JR.Aquino at citrix.com Thu Sep 8 17:06:07 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 8 Sep 2011 17:06:07 +0000
Subject: [Freeipa-devel] [PATCH] 38 Move Managed Entries into their own container in the replicated space.
In-Reply-To: <1315481921.5141.16.camel@dhcp-25-52.brq.redhat.com>
References: <1311342896.12679.9.camel@dhcp-25-52.brq.redhat.com> <81DEB284-E8C1-47C3-9130-846E2A4669C4@citrixonline.com> <1315481921.5141.16.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1E9EBA67-372A-4915-A62D-4388DF1B5D09@citrixonline.com>

On Sep 8, 2011, at 4:38 AM, Martin Kosek wrote:
> On Tue, 2011-09-06 at 22:33 +0000, JR Aquino wrote:
>> On Jul 22, 2011, at 6:54 AM, Martin Kosek wrote:
>>
>>> On Thu, 2011-07-21 at 23:00 +0000, JR Aquino wrote:
>>>> Create: cn=Managed Entries,cn=etc,$SUFFIX
>>>> Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
>>>> Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
>>>>
>>>> Create method for migrating any and all custom Managed Entries from
>>>> the cn=config space into the new container.
>>>>
>>>> The Managed Entries plugin configurations weren't being created on
>>>> replica installs.
>>>>
>>>> This patch addresses two separate tickets and accounts for
>>>> new installs, replica installs, and upgrades.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
>>>> https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation
>>>
>>> I found a few issues with the patch (tested along with 25):
>>>
>>> 1) When upgrading an old instance, NGP and UGP definitions in
>>> cn=Managed Entries,cn=plugins,cn=config were not deleted. This led to 2
>>> managed entries plugin definitions
>>
>> Fixed this condition. 389 prohibits the deletion of Managed Entries while they are active.
>> I had to perform the repointing to the new cn=etc container, perform the migration of the legacy configs, then perform a restart of dirsrv.
>>
>>>
>>> 2) Managed entries on a replica didn't work for me. For example UPG was
>>> created on a master, but was not on a replica
>>
>> This should also be resolved now.
>>
>>>
>>> Martin
>>>
>>
>> I had to break out the connection code in update for ldapupdate.py so that connections could be reestablished post dirsrv restart.
>>
>> I also had to create a service class to perform the restart.
>>
>> installutils.py has been modified to provide wait_for_open_socket() similar to wait_for_open_port()
>>
>
> Hello JR,
>
> I tested your patch, it works fine for both upgrading the replicas and
> new installations. Old Managed Entries definitions were successfully
> deleted.
>
> I just found a few issues with the patch format itself:
>
> 1) Commit message is all wrong, it's all on the Subject line which is
> then put to commit title during "git am". I suggest using our standard
> commit message formatting:
>
> COMMIT_TITLE
>
> COMMIT_DESCRIPTION
>
> TRAC_TICKET_LINK
>
> 2) There were a few whitespace errors:
> $ git apply ~/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch
> /home/mkosek/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch:519: trailing whitespace.
>
> /home/mkosek/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch:526: trailing whitespace.
>
> Otherwise the patch looks good to me, if it is OK with Rob (since he
> wrote the entire ldapupdate.py) I think we can push it after you fix the
> 2 changes I proposed.

Fixed the whitespace errors and adjusted the commit message.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch
Type: application/octet-stream
Size: 21512 bytes
Desc: freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch
URL: 

From JR.Aquino at citrix.com Thu Sep 8 17:41:36 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 8 Sep 2011 17:41:36 +0000
Subject: [Freeipa-devel] [PATCH] 38 Move Managed Entries into their own container in the replicated space.
In-Reply-To: <1E9EBA67-372A-4915-A62D-4388DF1B5D09@citrixonline.com>
References: <1311342896.12679.9.camel@dhcp-25-52.brq.redhat.com> <81DEB284-E8C1-47C3-9130-846E2A4669C4@citrixonline.com> <1315481921.5141.16.camel@dhcp-25-52.brq.redhat.com> <1E9EBA67-372A-4915-A62D-4388DF1B5D09@citrixonline.com>
Message-ID: <1676DC33-2A70-477A-A321-67CF58F76D00@citrixonline.com>

On Sep 8, 2011, at 10:06 AM, JR Aquino wrote:
> On Sep 8, 2011, at 4:38 AM, Martin Kosek wrote:
>
>> On Tue, 2011-09-06 at 22:33 +0000, JR Aquino wrote:
>>> On Jul 22, 2011, at 6:54 AM, Martin Kosek wrote:
>>>
>>>> On Thu, 2011-07-21 at 23:00 +0000, JR Aquino wrote:
>>>>> Create: cn=Managed Entries,cn=etc,$SUFFIX
>>>>> Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
>>>>> Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
>>>>>
>>>>> Create method for migrating any and all custom Managed Entries from
>>>>> the cn=config space into the new container.
>>>>>
>>>>> The Managed Entries plugin configurations weren't being created on
>>>>> replica installs.
>>>>>
>>>>> This patch addresses two separate tickets and accounts for
>>>>> new installs, replica installs, and upgrades.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
>>>>> https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation
>>>>
>>>> I found a few issues with the patch (tested along with 25):
>>>>
>>>> 1) When upgrading an old instance, NGP and UGP definitions in
>>>> cn=Managed Entries,cn=plugins,cn=config were not deleted. This led to 2
>>>> managed entries plugin definitions
>>>
>>> Fixed this condition. 389 prohibits the deletion of Managed Entries while they are active.
>>> I had to perform the repointing to the new cn=etc container, perform the migration of the legacy configs, then perform a restart of dirsrv.
>>>
>>>>
>>>> 2) Managed entries on a replica didn't work for me. For example UPG was
>>>> created on a master, but was not on a replica
>>>
>>> This should also be resolved now.
>>>
>>>>
>>>> Martin
>>>>
>>>
>>> I had to break out the connection code in update for ldapupdate.py so that connections could be reestablished post dirsrv restart.
>>>
>>> I also had to create a service class to perform the restart.
>>>
>>> installutils.py has been modified to provide wait_for_open_socket() similar to wait_for_open_port()
>>>
>>
>> Hello JR,
>>
>> I tested your patch, it works fine for both upgrading the replicas and
>> new installations. Old Managed Entries definitions were successfully
>> deleted.
>>
>> I just found a few issues with the patch format itself:
>>
>> 1) Commit message is all wrong, it's all on the Subject line which is
>> then put to commit title during "git am". I suggest using our standard
>> commit message formatting:
>>
>> COMMIT_TITLE
>>
>> COMMIT_DESCRIPTION
>>
>> TRAC_TICKET_LINK
>>
>> 2) There were a few whitespace errors:
>> $ git apply ~/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch
>> /home/mkosek/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch:519: trailing whitespace.
>>
>> /home/mkosek/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch:526: trailing whitespace.
>>
>> Otherwise the patch looks good to me, if it is OK with Rob (since he
>> wrote the entire ldapupdate.py) I think we can push it after you fix the
>> 2 changes I proposed.
>
> Fixed the whitespace errors and adjusted the commit message.
>
>

Self NAK

Looks like I missed a piece in this recent patch that creates the cn=etc containers out of order.

New patch to follow shortly

From rcritten at redhat.com Thu Sep 8 17:51:03 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 08 Sep 2011 13:51:03 -0400
Subject: [Freeipa-devel] [PATCH] 866 don't allow a otp to be set on enrolled hosts
Message-ID: <4E690087.8040606@redhat.com>

Don't allow a one-time password to be set on enrolled hosts. This will invalidate the existing keytab.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-866-otp.patch
Type: text/x-patch
Size: 1285 bytes
Desc: not available
URL: 

From JR.Aquino at citrix.com Thu Sep 8 19:15:45 2011
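The check behind Rob's patch 866 above, as an added editor's example (Python written for this page, not code from the patch or from FreeIPA): refuse a one-time password on a host that is already enrolled, because enrollment with the OTP replaces it with a keytab and a fresh OTP would invalidate that keytab. The way the enrolled/OTP state is derived here (krblastpwdchange marks an issued keytab, userpassword marks a pending OTP) and the sample entries are assumptions of this example, chosen to match the has_keytab and has_password flags named in the changelog.

```python
"""OTP-on-enrolled-host guard (added example, not FreeIPA code).

Assumptions: a host entry is enrolled when it carries krblastpwdchange
(a keytab has been issued), and it holds a pending one-time password
when userpassword is present. Entries are plain dicts of attribute
lists, constructed for this example.
"""
from typing import Dict, List

Entry = Dict[str, List[str]]


class HostPasswordError(ValueError):
    """Raised when a one-time password may not be set on the host."""


def host_state(entry: Entry) -> Dict[str, bool]:
    """Derive the has_keytab / has_password flags the host UI displays."""
    return {
        "has_keytab": "krblastpwdchange" in entry,
        "has_password": "userpassword" in entry,
    }


def set_host_otp(entry: Entry, otp: str) -> Entry:
    """Return a copy of `entry` with the OTP set, or raise if enrolled.

    Refusing here is the whole point: once a keytab exists, setting a new
    OTP would invalidate it and break every service on that host.
    """
    if host_state(entry)["has_keytab"]:
        raise HostPasswordError(
            "cannot set a one-time password on an enrolled host: "
            "it would invalidate the existing keytab")
    updated: Entry = dict(entry)
    updated["userpassword"] = [otp]
    return updated


def enroll_host(entry: Entry, when: str) -> Entry:
    """Model enrollment: the OTP is consumed and a keytab is issued.

    After this the host has a keytab and no password, so has_keytab
    flips to True and has_password back to False.
    """
    updated: Entry = {k: v for k, v in entry.items() if k != "userpassword"}
    updated["krblastpwdchange"] = [when]
    return updated


# Constructed sample entries.
NEW_HOST: Entry = {"fqdn": ["client1.example.test"]}
ENROLLED_HOST: Entry = {
    "fqdn": ["client2.example.test"],
    "krblastpwdchange": ["20110908000000Z"],
}

if __name__ == "__main__":
    staged = set_host_otp(NEW_HOST, "constructed-otp")
    print(host_state(staged))                       # password set, no keytab
    print(host_state(enroll_host(staged, "20110908120000Z")))  # keytab, no password
    try:
        set_host_otp(ENROLLED_HOST, "constructed-otp")
    except HostPasswordError as err:
        print("rejected:", err)
```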
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 8 Sep 2011 19:15:45 +0000
Subject: [Freeipa-devel] [PATCH] 38 Move Managed Entries into their own container in the replicated space.
In-Reply-To: <1676DC33-2A70-477A-A321-67CF58F76D00@citrixonline.com>
References: <1311342896.12679.9.camel@dhcp-25-52.brq.redhat.com> <81DEB284-E8C1-47C3-9130-846E2A4669C4@citrixonline.com> <1315481921.5141.16.camel@dhcp-25-52.brq.redhat.com> <1E9EBA67-372A-4915-A62D-4388DF1B5D09@citrixonline.com> <1676DC33-2A70-477A-A321-67CF58F76D00@citrixonline.com>
Message-ID: <7EE5C13D-C14C-455B-98B7-D565C6B52924@citrixonline.com>

On Sep 8, 2011, at 10:41 AM, JR Aquino wrote:
> On Sep 8, 2011, at 10:06 AM, JR Aquino wrote:
>
>> On Sep 8, 2011, at 4:38 AM, Martin Kosek wrote:
>>
>>> On Tue, 2011-09-06 at 22:33 +0000, JR Aquino wrote:
>>>> On Jul 22, 2011, at 6:54 AM, Martin Kosek wrote:
>>>>
>>>>> On Thu, 2011-07-21 at 23:00 +0000, JR Aquino wrote:
>>>>>> Create: cn=Managed Entries,cn=etc,$SUFFIX
>>>>>> Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
>>>>>> Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
>>>>>>
>>>>>> Create method for migrating any and all custom Managed Entries from
>>>>>> the cn=config space into the new container.
>>>>>>
>>>>>> The Managed Entries plugin configurations weren't being created on
>>>>>> replica installs.
>>>>>>
>>>>>> This patch addresses two separate tickets and accounts for
>>>>>> new installs, replica installs, and upgrades.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
>>>>>> https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation
>>>>>
>>>>> I found a few issues with the patch (tested along with 25):
>>>>>
>>>>> 1) When upgrading an old instance, NGP and UGP definitions in
>>>>> cn=Managed Entries,cn=plugins,cn=config were not deleted. This led to 2
>>>>> managed entries plugin definitions
>>>>
>>>> Fixed this condition. 389 prohibits the deletion of Managed Entries while they are active.
>>>> I had to perform the repointing to the new cn=etc container, perform the migration of the legacy configs, then perform a restart of dirsrv.
>>>>
>>>>>
>>>>> 2) Managed entries on a replica didn't work for me. For example UPG was
>>>>> created on a master, but was not on a replica
>>>>
>>>> This should also be resolved now.
>>>>
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> I had to break out the connection code in update for ldapupdate.py so that connections could be reestablished post dirsrv restart.
>>>>
>>>> I also had to create a service class to perform the restart.
>>>>
>>>> installutils.py has been modified to provide wait_for_open_socket() similar to wait_for_open_port()
>>>>
>>>
>>> Hello JR,
>>>
>>> I tested your patch, it works fine for both upgrading the replicas and
>>> new installations. Old Managed Entries definitions were successfully
>>> deleted.
>>>
>>> I just found a few issues with the patch format itself:
>>>
>>> 1) Commit message is all wrong, it's all on the Subject line which is
>>> then put to commit title during "git am". I suggest using our standard
>>> commit message formatting:
>>>
>>> COMMIT_TITLE
>>>
>>> COMMIT_DESCRIPTION
>>>
>>> TRAC_TICKET_LINK
>>>
>>> 2) There were a few whitespace errors:
>>> $ git apply ~/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch
>>> /home/mkosek/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch:519: trailing whitespace.
>>>
>>> /home/mkosek/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch:526: trailing whitespace.
>>>
>>> Otherwise the patch looks good to me, if it is OK with Rob (since he
>>> wrote the entire ldapupdate.py) I think we can push it after you fix the
>>> 2 changes I proposed.
>>
>> Fixed the whitespace errors and adjusted the commit message.
>>
>>
>
> Self NAK
>
> Looks like I missed a piece in this recent patch that creates the cn=etc containers out of order.
>
> New patch to follow shortly

Ok.

Whitespace errors corrected
Commit Format Corrected
Order of creation for Managed Entry Container is now corrected

Martin if you could do a quick double check to make sure everything still looks clean to you. After that, I believe it just needs Rob's blessing.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch
Type: application/octet-stream
Size: 23628 bytes
Desc: freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch
URL: 

From rcritten at redhat.com Thu Sep 8 21:24:26 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 08 Sep 2011 17:24:26 -0400
Subject: [Freeipa-devel] [PATCH] 867 detect CA install status
Message-ID: <4E69328A.9020902@redhat.com>

When using a selfsign CA you can't run ipa-ca-install at all and you can only run ipa-replica-prepare on the initial master.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-867-selfsign.patch
Type: text/x-patch
Size: 3363 bytes
Desc: not available
URL: 

From pvoborni at redhat.com Fri Sep 9 08:19:13 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 09 Sep 2011 10:19:13 +0200
Subject: [Freeipa-devel] [PATCH] 265 Fixed layout problem in permission adder dialog.
In-Reply-To: <4E68F2A5.7010901@redhat.com>
References: <4E67F305.9060001@redhat.com> <4E68E9B0.9080500@redhat.com> <4E68F2A5.7010901@redhat.com>
Message-ID: <4E69CC01.504@redhat.com>

On 09/08/2011 06:51 PM, Endi Sukma Dewata wrote:
> On 9/8/2011 11:13 AM, Petr Vobornik wrote:
>> In IPA.details_table_section:
>> 1) not renamed list_section_create method
>
> Fixed.
>
>> Code clean-up in aci.js:
>> 2) IPA.rights_section can be deleted and replaced by spec object usage.
>> It doesn't add any functionality.
>
> Fixed.
>
>> 3) IPA.permission_details_facet can be deleted - it isn't used anywhere.
>
> Fixed.
>

ACK

-- 
Petr Vobornik

From pvoborni at redhat.com Fri Sep 9 10:55:34 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 09 Sep 2011 12:55:34 +0200
Subject: [Freeipa-devel] [PATCH] 266 Fixed sudo rule association dialogs.
In-Reply-To: <4E68F31A.7060809@redhat.com>
References: <4E68DF22.6010805@redhat.com> <4E68F31A.7060809@redhat.com>
Message-ID: <4E69F0A6.3000501@redhat.com>

On 09/08/2011 06:53 PM, Endi Sukma Dewata wrote:
> On 9/8/2011 10:28 AM, Endi Sukma Dewata wrote:
>> The adder dialog for the user and host tables in sudo rule details
>> page have been fixed to use --not-in-sudorules to avoid showing
>> entries that are already added into the rule either directly or
>> indirectly via groups.
>>
>> This does not apply to the command and run-as tables because they
>> do not support such option.
>>
>> Ticket #1768
>
> Wrong email title. It should be patch #266.
>

ACK

-- 
Petr Vobornik

From mkosek at redhat.com Fri Sep 9 11:07:15 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 09 Sep 2011 13:07:15 +0200
Subject: [Freeipa-devel] [PATCH] 121 Set bind and bind-dyndb-ldap min nvr
Message-ID: <1315566437.2517.4.camel@dhcp-25-52.brq.redhat.com>

bind-dyndb-ldap will be in stable repo soon, it has already been requested:
https://admin.fedoraproject.org/updates/bind-dyndb-ldap-1.0.0-0.1.b1.fc15

bind is still in koji only, it can be downloaded here:
http://koji.fedoraproject.org/koji/buildinfo?buildID=262773

There are 2 versions of the patch - master and ipa-2-1.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-121-set-bind-and-bind-dyndb-ldap-min-nvr.patch
Type: text/x-patch
Size: 1490 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-121-ipa-2-1.patch
Type: text/x-patch
Size: 1488 bytes
Desc: not available
URL: 

From pvoborni at redhat.com Fri Sep 9 11:24:47 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 09 Sep 2011 13:24:47 +0200
Subject: [Freeipa-devel] [PATCH] 012 Fixed inconsistency in enabling delete buttons
In-Reply-To: <4E67C0B8.9030000@redhat.com>
References: <4E6760AC.20705@redhat.com> <4E67C0B8.9030000@redhat.com>
Message-ID: <4E69F77F.7060001@redhat.com>

On 09/07/2011 09:06 PM, Endi Sukma Dewata wrote:
> On 9/7/2011 7:16 AM, Petr Vobornik wrote:
>> https://fedorahosted.org/freeipa/ticket/1640
>> ..
> One issue, in HBAC/sudo rules details page if the category is changed
> from 'all' to 'specific', the Delete button will be enabled although
> there are no entries selected.
>
> See the set_enabled() in IPA.association_table_widget. I think if the
> parameter is true it should enable only the Add button. If the parameter
> is false it should disable both Add and Delete buttons and call unselect_all().
>

Fixed

-- 
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0012-1-Fixed-inconsistency-in-enabling-delete-buttons.patch
Type: text/x-patch
Size: 4267 bytes
Desc: not available
URL: 

From abokovoy at redhat.com Fri Sep 9 11:26:44 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 9 Sep 2011 14:26:44 +0300
Subject: [Freeipa-devel] [PATCH] 121 Set bind and bind-dyndb-ldap min nvr
In-Reply-To: <1315566437.2517.4.camel@dhcp-25-52.brq.redhat.com>
References: <1315566437.2517.4.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <20110909112643.GA21428@redhat.com>

On Fri, 09 Sep 2011, Martin Kosek wrote:
> bind-dyndb-ldap will be in stable repo soon, it has already been requested:
> https://admin.fedoraproject.org/updates/bind-dyndb-ldap-1.0.0-0.1.b1.fc15
>
> bind is still in koji only, it can be downloaded here:
> http://koji.fedoraproject.org/koji/buildinfo?buildID=262773
>
> There are 2 versions of the patch - master and ipa-2-1.

ACK for both.

-- 
/ Alexander Bokovoy

From mkosek at redhat.com Fri Sep 9 12:35:35 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 09 Sep 2011 14:35:35 +0200
Subject: [Freeipa-devel] [PATCH] 121 Set bind and bind-dyndb-ldap min nvr
In-Reply-To: <20110909112643.GA21428@redhat.com>
References: <1315566437.2517.4.camel@dhcp-25-52.brq.redhat.com> <20110909112643.GA21428@redhat.com>
Message-ID: <1315571737.2517.5.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-09-09 at 14:26 +0300, Alexander Bokovoy wrote:
> On Fri, 09 Sep 2011, Martin Kosek wrote:
>
> > bind-dyndb-ldap will be in stable repo soon, it has already been requested:
> > https://admin.fedoraproject.org/updates/bind-dyndb-ldap-1.0.0-0.1.b1.fc15
> >
> > bind is still in koji only, it can be downloaded here:
> > http://koji.fedoraproject.org/koji/buildinfo?buildID=262773
> >
> > There are 2 versions of the patch - master and ipa-2-1.
> ACK for both.
>

bind has been pushed to updates-testing now, so the installation is much easier.

Pushed to master, ipa-2-1.

Martin

From rcritten at redhat.com Fri Sep 9 21:41:49 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 09 Sep 2011 17:41:49 -0400
Subject: [Freeipa-devel] [PATCH] 868 better handling of ipa-pki-proxy.conf
Message-ID: <4E6A881D.9070802@redhat.com>

- Remove ipa-pki-proxy.conf when IPA is uninstalled
- Move file removal to httpinstance.py and use remove_file()
- Add a version stanza
- Create the file if it doesn't exist on upgraded installs

https://fedorahosted.org/freeipa/ticket/1771

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-868-proxy.patch
Type: text/x-patch
Size: 4522 bytes
Desc: not available
URL: 

From simo at redhat.com Fri Sep 9 23:06:47 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 09 Sep 2011 19:06:47 -0400
Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
In-Reply-To: <20110908123927.GG21228@localhost.localdomain>
References: <20110826093926.GF2374@localhost.localdomain> <1314364467.20296.226.camel@willson.li.ssimo.org> <20110830144028.GE12659@localhost.localdomain> <1315433450.2684.13.camel@willson.li.ssimo.org> <20110908115245.GF21228@localhost.localdomain> <1315483606.5141.20.camel@dhcp-25-52.brq.redhat.com> <20110908123927.GG21228@localhost.localdomain>
Message-ID: <1315609607.2684.137.camel@willson.li.ssimo.org>

On Thu, 2011-09-08 at 14:39 +0200, Sumit Bose wrote:
> On Thu, Sep 08, 2011 at 02:06:44PM +0200, Martin Kosek wrote:
> > On Thu, 2011-09-08 at 13:52 +0200, Sumit Bose wrote:
> > > On Wed, Sep 07, 2011 at 06:10:50PM -0400, Simo Sorce wrote:
> > > > On Tue, 2011-08-30 at 16:40 +0200, Sumit Bose wrote:
> > > > > I don't think that we should run winbind.
> > > > >
> > > > > I also changed the path to the smb.conf file from /etc/ipa
> > > > > to /etc/samba
> > > > > which makes the change to /etc/sysconfig/samba unnecessary.
> > > > >
> > > > > Thanks for review.
> > > > >
> > > > Ok tested this today, after I was able to tame my machine.
> > > >
> > > > Some issues and comments still.
> > > >
> > > > 1) If you just run ipa-adtrust-install it throws an error about an
> > > > Illegal netbios name and quits. That's not right, as it should ask for
> > > > the netbios name if one is not provided on the command line presenting a
> > > > default option (based on the last domain component uppercased maybe),
> > >
> > > fixed
> > >
> > > >
> > > > 2) I see the way you write the temp smb.conf is by using a lot of
> > > > fd.write() calls. It would be much easier instead to use the templating
> > > > engine we use elsewhere in the code and drop a template file in
> > > > install/share, this will allow us to easily tweak the initial
> > > > installation options w/o touching the python code every time.
> > >
> > > fixed
> > >
> > > new version attached.
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > > 3) Everything installed and started but my smbd coredumped immediately
> > > > after. It is almost certainly not a problem in your patch though :-)
> > > >
> > > > So jokes aside if you fix 1 and 2 I think we can push to master.
> > > >
> > > > Simo.
> > > >
> > > > --
> > > > Simo Sorce * Red Hat, Inc * New York
> > > >
> >
> > Only one nitpick from me. The new man page header should be changed
> > according to our last man page consolidation effort in ticket 1687 so
> > that it is consistent with the others. In your case, the header should
> > be:
> >
> > +.TH "ipa-adtrust-install" "1" "Aug 23 2011" "FreeIPA" "FreeIPA Manual Pages"
> >
> > Plus, --netbios-name option is not covered in the man page.
>
> Thank you for the feedback, I fixed it accordingly. New version
> attached.

NACK

Ok I spent an afternoon with gd's packages trying to get the install to work. I have it finally start smbd if run manually.

Quite a few things needed to be changed in the configuration to get it to start smbd (not a working solution yet though).

First of all for some reason passdb backend would use the hostname instead of the ldapi socket. This seems to be fixed in the latest patch (the install had been done with the previous).

- ldap ssl needs to be set to off, as dirsrv does not allow (nor do we want) the use of start tls on ldapi. I had to use: net conf setparms global 'ldap ssl' off

- ldap suffix = cn=accounts,dc=ipa,dc=test is definitely not right. This is not fixed in the current patch either. It should be ldap suffix = $SUFFIX

- log file directive is unusual: %d causes each log file to be created with the pid number, that is very annoying when you want to see the logs of a specific machine, please change it to use %m

- No service principal is created for cifs/fqdn

- No directive to tell samba to use the system keytab. You should probably set 'kerberos method = system keytab'

I couldn't test everything due to other issues I found and need to investigate in both the samba packages and krb5kdc segfaulting on me when I try to use smbclient -k yes :-(

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From edewata at redhat.com Sat Sep 10 00:06:25 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 09 Sep 2011 19:06:25 -0500
Subject: [Freeipa-devel] [PATCH] 866 don't allow a otp to be set on enrolled hosts
In-Reply-To: <4E690087.8040606@redhat.com>
References: <4E690087.8040606@redhat.com>
Message-ID: <4E6AAA01.1020409@redhat.com>

On 9/8/2011 12:51 PM, Rob Crittenden wrote:
> Don't allow a one-time password to be set on enrolled hosts. This will
> invalidate the existing keytab.

ACK and pushed to master and ipa-2-1.

-- 
Endi S. Dewata

From edewata at redhat.com Sat Sep 10 00:20:43 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 09 Sep 2011 19:20:43 -0500
Subject: [Freeipa-devel] [PATCH] 267 Fixed missing optional field.
Message-ID: <4E6AAD5B.2040603@redhat.com>

The optional uid field in the user's adder dialog did not appear when the link is clicked to show the field. This is a regression introduced in the patch for ticket #1648. The click handler for the link field has been moved into a new closure so that the variables point to the correct elements.

Note: the duplicate code in IPA.details_table_section.create() and IPA.dialog.create() will be addressed separately in ticket #1394.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0267-Fixed-missing-optional-field.patch
Type: text/x-patch
Size: 3039 bytes
Desc: not available
URL: 

From edewata at redhat.com Sat Sep 10 00:21:39 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 09 Sep 2011 19:21:39 -0500
Subject: [Freeipa-devel] [PATCH] 268 Fixed labels for run-as users and groups.
Message-ID: <4E6AAD93.9090907@redhat.com>

The labels for the run-as users and groups tables in the sudo rule details page have been modified to improve the clarity.

Ticket #1752

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0268-Fixed-labels-for-run-as-users-and-groups.patch
Type: text/x-patch
Size: 5396 bytes
Desc: not available
URL: 

From jcholast at redhat.com Mon Sep 12 07:50:47 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 12 Sep 2011 09:50:47 +0200
Subject: [Freeipa-devel] [PATCH] 45 Check that install hostname matches the server hostname
In-Reply-To: <4E676DED.2050102@redhat.com>
References: <4E6625E5.2040201@redhat.com> <4E665D43.4090204@redhat.com> <4E67129B.8020809@redhat.com> <4E676DED.2050102@redhat.com>
Message-ID: <4E6DB9D7.7060300@redhat.com>

On 7.9.2011 15:13, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> On 6.9.2011 19:49, Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> https://fedorahosted.org/freeipa/ticket/1717
>>>>
>>>> Honza
>>>
>>> nack, what if there are multiple interfaces and you want IPA to use one
>>> (that doesn't happen to be the system hostname one)?
>>>
>>> rob
>>
>> Then the user configures the system hostname to match the hostname of
>> the interface. Or should we configure it automatically from the install?
>>
>> Honza
>>
>
> We can't dictate which interface matches the hostname. At most we can
> warn about this, but not fail to install.
>
> rob

Changed to print a warning message instead of raising an error.

Honza

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-45.1-hostname-check.patch
Type: text/x-patch
Size: 1119 bytes
Desc: not available
URL: 

From abokovoy at redhat.com Mon Sep 12 07:58:33 2011
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 12 Sep 2011 10:58:33 +0300 Subject: [Freeipa-devel] [PULL REQUEST, ipa-2-1] Platform-specific adaptation Message-ID: <20110912075833.GA19967@redhat.com> Hi, As the patchset is rather big, I'm sending pull request from my fedorapeople.org git repository instead of separate patches. This is pull request for ipa-2-1, I'll send pull request for master branch as a separate email, there is single difference in freeipa.spec.in's %changelog section. The following changes since commit d3c24bb0a65dae85e665ebc617ab4f084c2299fd: Don't allow a OTP to be set on an enrolled host (2011-09-10 00:03:32 +0000) are available in the git repository at: git://fedorapeople.org/home/fedora/abbra/public_git/freeipa.git platform Alexander Bokovoy (5): Introduce platform-specific adaptation Convert server install code to platform-independent access to system services Convert client-side tools to platform-independent access to system services Convert installation tools to platform-independent access to system services fixup! 
Introduce platform-specific adaptation Makefile | 8 + freeipa.spec.in | 5 + install/tools/ipa-ca-install | 4 +- install/tools/ipa-nis-manage | 13 +- install/tools/ipa-replica-install | 15 +- install/tools/ipa-server-install | 11 +- install/tools/ipactl | 43 ++++--- ipa-client/ipa-install/ipa-client-install | 211 +++++++++++++---------------- ipa-client/ipaclient/ntpconf.py | 5 +- ipapython/Makefile | 2 +- ipapython/ipautil.py | 48 +------- ipapython/platform/__init__.py | 23 +++ ipapython/platform/base.py | 150 ++++++++++++++++++++ ipapython/platform/redhat.py | 176 ++++++++++++++++++++++++ ipapython/services.py.in | 48 +++++++ ipapython/setup.py.in | 2 +- ipapython/sysrestore.py | 5 +- ipaserver/install/bindinstance.py | 2 +- ipaserver/install/cainstance.py | 26 +--- ipaserver/install/certs.py | 25 ++-- ipaserver/install/dsinstance.py | 19 +-- ipaserver/install/httpinstance.py | 9 +- ipaserver/install/krbinstance.py | 3 +- ipaserver/install/ntpinstance.py | 5 +- ipaserver/install/replication.py | 4 +- ipaserver/install/service.py | 68 +++------- 26 files changed, 624 insertions(+), 306 deletions(-) create mode 100644 ipapython/platform/__init__.py create mode 100644 ipapython/platform/base.py create mode 100644 ipapython/platform/redhat.py create mode 100644 ipapython/services.py.in -- / Alexander Bokovoy From abokovoy at redhat.com Mon Sep 12 08:18:22 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 12 Sep 2011 11:18:22 +0300 Subject: [Freeipa-devel] [PULL REQUEST, master] Platform-specific adaptation Message-ID: <20110912081821.GA22121@redhat.com> Hi, As the patchset is rather big, I'm sending pull request from my fedorapeople.org git repository instead of separate patches. This is pull request for master branch. The following changes since commit c97eb871c53c4a8c3bbd0f9f4b2ff23bc390bc71: Don't allow a OTP to be set on an enrolled host (2011-09-10 00:03:19 +0000) are available in the git repository at: git://fedorapeople.org/home/fedora/abbra/public_git/freeipa.git platform-master Alexander Bokovoy (5): Introduce platform-specific adaptation Convert server install code to platform-independent access to system services Convert client install code to platform-independent access to system services Convert installation tools to platform-independent access to installation services Add ipapython/services.py to auto-generated files and ignore it .gitignore | 2 +- Makefile | 8 + freeipa.spec.in | 5 + install/tools/ipa-ca-install | 4 +- install/tools/ipa-nis-manage | 13 +- install/tools/ipa-replica-install | 15 +- install/tools/ipa-server-install | 11 +- install/tools/ipactl | 43 ++++--- ipa-client/ipa-install/ipa-client-install | 211 +++++++++++++---------------- ipa-client/ipaclient/ntpconf.py | 5 +- ipapython/Makefile | 2 +- ipapython/ipautil.py | 48 +------- ipapython/platform/__init__.py | 23 +++ ipapython/platform/base.py | 150 ++++++++++++++++++++ ipapython/platform/redhat.py | 176 ++++++++++++++++++++++++ ipapython/services.py.in | 48 +++++++ ipapython/setup.py.in | 2 +- ipapython/sysrestore.py | 5 +- ipaserver/install/bindinstance.py | 2 +- ipaserver/install/cainstance.py | 26 +--- ipaserver/install/certs.py | 25 ++-- ipaserver/install/dsinstance.py | 19 +-- ipaserver/install/httpinstance.py | 9 +- ipaserver/install/krbinstance.py | 3 +- ipaserver/install/ntpinstance.py | 5 +- 
ipaserver/install/replication.py | 4 +- ipaserver/install/service.py | 68 +++------- 27 files changed, 625 insertions(+), 307 deletions(-) create mode 100644 ipapython/platform/__init__.py create mode 100644 ipapython/platform/base.py create mode 100644 ipapython/platform/redhat.py create mode 100644 ipapython/services.py.in -- / Alexander Bokovoy From abokovoy at redhat.com Mon Sep 12 10:09:26 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 12 Sep 2011 13:09:26 +0300 Subject: [Freeipa-devel] [PATCH] 45 Check that install hostname matches the server hostname In-Reply-To: <4E6DB9D7.7060300@redhat.com> References: <4E6625E5.2040201@redhat.com> <4E665D43.4090204@redhat.com> <4E67129B.8020809@redhat.com> <4E676DED.2050102@redhat.com> <4E6DB9D7.7060300@redhat.com> Message-ID: <20110912100924.GB22121@redhat.com> On Mon, 12 Sep 2011, Jan Cholasta wrote: > >We can't dictate which interface matches the hostname. At most we can > >warn about this, but not fail to install. > > > >rob > > Changed to print a warning message instead of raising an error. ACK. -- / Alexander Bokovoy From pvoborni at redhat.com Mon Sep 12 12:24:01 2011 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 12 Sep 2011 14:24:01 +0200 Subject: [Freeipa-devel] [PATCH] 267 Fixed missing optional field. In-Reply-To: <4E6AAD5B.2040603@redhat.com> References: <4E6AAD5B.2040603@redhat.com> Message-ID: <4E6DF9E1.7010709@redhat.com> On 09/10/2011 02:20 AM, Endi Sukma Dewata wrote: > The optional uid field in user's adder dialog did not appear when > the link is clicked to show the field. This is a regression introduced > in the patch for ticket #1648. > > The click handler for the link field has been moved into a new closure > so that the variables point to the correct elements. > > Note: the duplicate code in IPA.details_table_section.create() and > IPA.dialog.create() will be addressed separately in ticket #1394. ACK But: The part of code in details.js is never executed because field.optional is never set to true for fields in the details facet. As you write, some clean-up should be addressed in #1394 and/or in #1696 (to be consistent with dialogs). -- Petr Vobornik From mkosek at redhat.com Mon Sep 12 12:45:27 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 12 Sep 2011 14:45:27 +0200 Subject: [Freeipa-devel] [PULL REQUEST, master] Platform-specific adaptation In-Reply-To: <20110912081821.GA22121@redhat.com> References: <20110912081821.GA22121@redhat.com> Message-ID: <1315831529.2444.6.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-09-12 at 11:18 +0300, Alexander Bokovoy wrote: > Hi, > > As the patchset is rather big, I'm sending pull request from my > fedorapeople.org git repository instead of separate patches. > > This is pull request for master branch. > > The following changes since commit c97eb871c53c4a8c3bbd0f9f4b2ff23bc390bc71: > > Don't allow a OTP to be set on an enrolled host (2011-09-10 00:03:19 +0000) > > are available in the git repository at: > git://fedorapeople.org/home/fedora/abbra/public_git/freeipa.git platform-master > > Alexander Bokovoy (5): > Introduce platform-specific adaptation > Convert server install code to platform-independent access to system services > Convert client install code to platform-independent access to system services > Convert installation tools to platform-independent access to installation services > Add ipapython/services.py to auto-generated files and ignore it > > .gitignore | 2 +- > Makefile | 8 + > freeipa.spec.in | 5 + > install/tools/ipa-ca-install | 4 +- > install/tools/ipa-nis-manage | 13 +- > install/tools/ipa-replica-install | 15 +- > install/tools/ipa-server-install | 11 +- > install/tools/ipactl | 43 ++++--- > ipa-client/ipa-install/ipa-client-install | 211 +++++++++++++---------------- > ipa-client/ipaclient/ntpconf.py | 5 +- > ipapython/Makefile | 2 +- > ipapython/ipautil.py | 48 +------- > ipapython/platform/__init__.py | 23 +++ > ipapython/platform/base.py | 150 ++++++++++++++++++++ > ipapython/platform/redhat.py | 176 ++++++++++++++++++++++++ > ipapython/services.py.in | 48 +++++++ > ipapython/setup.py.in | 2 +- > ipapython/sysrestore.py | 5 +- > ipaserver/install/bindinstance.py | 2 +- > 
ipaserver/install/cainstance.py | 26 +--- > ipaserver/install/certs.py | 25 ++-- > ipaserver/install/dsinstance.py | 19 +-- > ipaserver/install/httpinstance.py | 9 +- > ipaserver/install/krbinstance.py | 3 +- > ipaserver/install/ntpinstance.py | 5 +- > ipaserver/install/replication.py | 4 +- > ipaserver/install/service.py | 68 +++------- > 27 files changed, 625 insertions(+), 307 deletions(-) > create mode 100644 ipapython/platform/__init__.py > create mode 100644 ipapython/platform/base.py > create mode 100644 ipapython/platform/redhat.py > create mode 100644 ipapython/services.py.in > > Good job! This all looks very good, I found no installation error in various scenarios I tried. I only found a problem with mixed tabs-spaces indentation. You introduced it at least in install/tools/ipactl. You can easily check these cases with: $ ./make-lint --enable-noerror | grep W0312 ipa-client/ipa-install/ipa-client-install:221: [W0312] Found indentation with tabs instead of spaces ipa-client/ipa-install/ipa-client-install:237: [W0312] Found indentation with tabs instead of spaces ... install/tools/ipactl:194: [W0312] Found indentation with tabs instead of spaces install/tools/ipactl:203: [W0312] Found indentation with tabs instead of spaces install/tools/ipactl:241: [W0312] Found indentation with tabs instead of spaces ... We don't have to fix the old indentation problems right in your patches but we should not introduce new tab-spaces problems as they have a potential to cause nasty problems. Martin From pvoborni at redhat.com Mon Sep 12 13:43:56 2011 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 12 Sep 2011 15:43:56 +0200 Subject: [Freeipa-devel] [PATCH] 268 Fixed labels for run-as users and groups. In-Reply-To: <4E6AAD93.9090907@redhat.com> References: <4E6AAD93.9090907@redhat.com> Message-ID: <4E6E0C9C.1090304@redhat.com> On 09/10/2011 02:21 AM, Endi Sukma Dewata wrote: > The labels for the run-as users and groups tables in sudo rule details > page have been modified to improve the clarity. > > Ticket #1752 > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Use of 'that.label = that.label | ...' in association_table_widget is affecting other labels besides the one specified in the spec object. In the Who section of the sudo rule the label "User Group" is changed to "Groups", because this way it uses the default label retrieval method in the widget (IPA.get_entity_param) instead of metadata.objects.[other_entity].label. This isn't entirely wrong, but param labels aren't always consistent with entity labels. Otherwise it's OK. -- Petr Vobornik From abokovoy at redhat.com Mon Sep 12 14:49:50 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 12 Sep 2011 17:49:50 +0300 Subject: [Freeipa-devel] [PULL REQUEST, master] Platform-specific adaptation In-Reply-To: <1315831529.2444.6.camel@dhcp-25-52.brq.redhat.com> References: <20110912081821.GA22121@redhat.com> <1315831529.2444.6.camel@dhcp-25-52.brq.redhat.com> Message-ID: <20110912144949.GD22121@redhat.com> On Mon, 12 Sep 2011, Martin Kosek wrote: > Good job! This all looks very good, I found no installation error in > various scenarios I tried. I only found a problem with mixed tabs-spaces > indentation. You introduced it at least in install/tools/ipactl. You can > easily check these cases with: > > $ ./make-lint --enable-noerror | grep W0312 > ipa-client/ipa-install/ipa-client-install:221: [W0312] Found indentation with tabs instead of spaces > ipa-client/ipa-install/ipa-client-install:237: [W0312] Found indentation with tabs instead of spaces > ... > install/tools/ipactl:194: [W0312] Found indentation with tabs instead of spaces > install/tools/ipactl:203: [W0312] Found indentation with tabs instead of spaces > install/tools/ipactl:241: [W0312] Found indentation with tabs instead of spaces > ... > > We don't have to fix the old indentation problems right in your patches > but we should not introduce new tab-spaces problems as they have a > potential to cause nasty problems. I believe I fixed all whitespace problems, old and new. I ended up with a separate commit due to the scale of it. It is pushed to both platform and platform-master branches on fedorapeople repo. -- / Alexander Bokovoy From abokovoy at redhat.com Mon Sep 12 14:51:19 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 12 Sep 2011 17:51:19 +0300 Subject: [Freeipa-devel] [PATCH] 0013 Use proper HBAC service names in the documentation Message-ID: <20110912145119.GE22121@redhat.com> https://fedorahosted.org/freeipa/ticket/1741 -- / Alexander Bokovoy -------------- next part -------------- 
>From 5391bfde89d890541a0274d39a909c08f09ab3ca Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 12 Sep 2011 14:06:55 +0300 Subject: [PATCH 6/8] Incorrect name in examples of ipa help hbactest https://fedorahosted.org/freeipa/ticket/1741 HBAC rules address PAM services, thus service names should correspond to proper PAM names. --- ipalib/plugins/hbactest.py | 14 +++++++------- 1 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py index f6f652177b7b1b45a7581f8a5a07257803e869d6..d007845926aaaf4241243e65d73d4759319a5e80 100644 --- a/ipalib/plugins/hbactest.py +++ b/ipalib/plugins/hbactest.py @@ -60,7 +60,7 @@ having access to the production environment. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: - $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh + $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=sshd -------------------- Access granted: True -------------------- @@ -70,13 +70,13 @@ EXAMPLES: matched: allow_all 2. Disable detailed summary of how rules were applied: - $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail + $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=sshd --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: - $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh \ + $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=sshd \ --rules=my-second-rule,myrule --------------------- Access granted: False @@ -85,7 +85,7 @@ EXAMPLES: notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: - $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh \ + $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=sshd \ --rules=my-second-rule,myrule --enabled -------------------- Access granted: True 
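Review bot: the commit message states the reason for the rename (HBAC service names are PAM service names), but the EXAMPLES text in hbactest.py still does not say so, which is how `ssh` got into the examples in the first place; consider adding one sentence before example 1 along the lines of "--service takes the PAM service name, e.g. sshd", so the next person editing the help text does not reintroduce a non-PAM name. The ssh to sshd replacements themselves look complete (seven insertions and seven deletions, matching the diffstat).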
@@ -96,14 +96,14 @@ EXAMPLES: matched: allow_all 5. Test all disabled HBAC rules in IPA database: - $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled + $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=sshd --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: - $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh \ + $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=sshd \ --rules=my-second-rule,myrule --disabled --------------------- Access granted: False @@ -113,7 +113,7 @@ EXAMPLES: notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: - $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh \ + $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=sshd \ --enabled --disabled -------------------- Access granted: True -- 1.7.6.1 From abokovoy at redhat.com Mon Sep 12 14:52:18 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 12 Sep 2011 17:52:18 +0300 Subject: [Freeipa-devel] [PATCH] 0014 Unroll groups for users, hosts, and services when testing HBAC rules Message-ID: <20110912145217.GF22121@redhat.com> https://fedorahosted.org/freeipa/ticket/1740 -- / Alexander Bokovoy -------------- next part -------------- >From a87317a404717882e35cdeb9a9bc5aa3445e5353 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 12 Sep 2011 17:23:56 +0300 Subject: [PATCH 7/8] Unroll groups when testing HBAC rules Fixes https://fedorahosted.org/freeipa/ticket/1741 Fixes https://fedorahosted.org/freeipa/ticket/1740 --- ipalib/plugins/hbactest.py | 39 ++++++++++++++++++++++++++++++++++----- 1 files changed, 34 insertions(+), 5 deletions(-) diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py index d007845926aaaf4241243e65d73d4759319a5e80..5fce2e5fbf89b19a315e721d5237c1f1b2267421 100644 --- a/ipalib/plugins/hbactest.py 
+++ b/ipalib/plugins/hbactest.py @@ -255,12 +255,41 @@ class hbactest(Command): 'error': testrules, 'matched': None, 'notmatched': None, 'value' : False} - # Rules are converted to pyhbac format, we can test them + # Rules are converted to pyhbac format, build request and then test it request = pyhbac.HbacRequest() - request.user.name = options['user'] - request.service.name = options['service'] - request.srchost.name = options['sourcehost'] - request.targethost.name = options['targethost'] + + if options['user'] != u'all': + try: + request.user.name = options['user'] + request.user.groups = self.api.Command.user_show(request.user.name)['result']['memberof_group'] + except: + pass + + if options['service'] != u'all': + try: + request.service.name = options['service'] + request.service.groups = \ + self.api.Command.hbacsvcgroup_show(request.service.name)['result']['member_hbacsvc'] + except: + pass + + if options['sourcehost'] != u'all': + try: + request.srchost.name = options['sourcehost'] + srchost_result = self.api.Command.host_show(request.srchost.name)['result'] + srchost_groups = srchost_result['memberof_hostgroup'] + request.srchost.groups = sorted(set(srchost_groups)) + except: + pass + + if options['targethost'] != u'all': + try: + request.targethost.name = options['targethost'] + tgthost_result = self.api.Command.host_show(request.targethost.name)['result'] + tgthost_groups = tgthost_result['memberof_hostgroup'] + request.targethost.groups = sorted(set(tgthost_groups)) + except: + pass matched_rules = [] notmatched_rules = [] -- 1.7.6.1 From rcritten at redhat.com Mon Sep 12 15:01:38 2011 
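Review bot: the service branch of the new request-building code looks up the wrong object: `request.service.groups = self.api.Command.hbacsvcgroup_show(request.service.name)['result']['member_hbacsvc']` treats the --service value as a service group name and returns that group's member services, whereas the user and host branches correctly fetch the memberships of the named object (`memberof_group`, `memberof_hostgroup`); for a service the lookup should be `hbacsvc_show(request.service.name)['result']['memberof_hbacsvcgroup']`, otherwise a rule that targets a service group never matches a plain service name. Second, the four `except: pass` blocks swallow every error, so a misspelled user or host name (or a missing `memberof_*` key for an object with no memberships) silently runs the simulation with an empty group list instead of telling the caller; catch `errors.NotFound` and report it, and let other exceptions propagate. Finally, the commit message says it fixes ticket 1741, which is the service-name ticket of the previous patch; this change is for 1740 only.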
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 12 Sep 2011 11:01:38 -0400 Subject: [Freeipa-devel] [PATCH] 869 set precedence correctly Message-ID: <4E6E1ED2.2040500@redhat.com> I set precedence in the wrong entry of the modrdn plugin so it wasn't having any effect. This should fix it. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-869-precedence.patch Type: text/x-patch Size: 1904 bytes Desc: not available URL: From rcritten at redhat.com Mon Sep 12 15:48:12 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 12 Sep 2011 11:48:12 -0400 Subject: [Freeipa-devel] [PATCH] 870 remove normalizer Message-ID: <4E6E29BC.6090800@redhat.com> Remove the lower-case normalizer on roles, privileges and permissions. Mixed-case works fine. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-870-case.patch Type: text/x-patch Size: 28780 bytes Desc: not available URL: From sbose at redhat.com Mon Sep 12 15:53:08 2011 
From: sbose at redhat.com (Sumit Bose) Date: Mon, 12 Sep 2011 17:53:08 +0200 Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility In-Reply-To: <1315609607.2684.137.camel@willson.li.ssimo.org> References: <20110826093926.GF2374@localhost.localdomain> <1314364467.20296.226.camel@willson.li.ssimo.org> <20110830144028.GE12659@localhost.localdomain> <1315433450.2684.13.camel@willson.li.ssimo.org> <20110908115245.GF21228@localhost.localdomain> <1315483606.5141.20.camel@dhcp-25-52.brq.redhat.com> <20110908123927.GG21228@localhost.localdomain> <1315609607.2684.137.camel@willson.li.ssimo.org> Message-ID: <20110912155308.GB7369@localhost.localdomain> On Fri, Sep 09, 2011 at 07:06:47PM -0400, Simo Sorce wrote: > On Thu, 2011-09-08 at 14:39 +0200, Sumit Bose wrote: > > On Thu, Sep 08, 2011 at 02:06:44PM +0200, Martin Kosek wrote: > > > On Thu, 2011-09-08 at 13:52 +0200, Sumit Bose wrote: > > > > On Wed, Sep 07, 2011 at 06:10:50PM -0400, Simo Sorce wrote: > > > > > On Tue, 2011-08-30 at 16:40 +0200, Sumit Bose wrote: > > > > > > I don't think that we should run winbind. > > > > > > > > > > > > I also changed the path to the smb.conf file from /etc/ipa > > > > > > to /etc/samba > > > > > > which makes the change to /etc/sysconfig/samba unnecessary. > > > > > > > > > > > > Thanks for review. > > > > > > > > > > > Ok tested this today, after I was able to tame my machine. > > > > > > > > > > Some issues and comments still. > > > > > > > > > > 1) If you just run ipa-adtrust-install it throws an error about an > > > > > Illegal netbios name and quits. That's not right, as it should ask for > > > > > the netbios name if one is not provided on the command line presenting a > > > > > default option (based on the last domain component uppercased maybe), > > > > > > > > fixed > > > > > > > > > > > > > > 2) I see the way you write the temp smb.conf is by using a lot of > > > > > fd.write() calls. 
It would be much easier instead to use the templating > > > > > engine we use elsewhere in the code and drop a template file in > > > > > install/share, this will allow us to easily tweak the initial > > > > > installation options w/o touching the python code every time. > > > > > > > > fixed > > > > > > > > new version attached. > > > > > > > > bye, > > > > Sumit > > > > > > > > > > > > > > 3) Everything installed and started but my smbd coredump immediately > > > > > after. It is almost certainly not a problem in your patch though :-) > > > > > > > > > > So jokes aside if you fix 1 and 2 I think we can push to master. > > > > > > > > > > Simo. > > > > > > > > > > -- > > > > > Simo Sorce * Red Hat, Inc * New York > > > > > > > > > > > Only one nitpick from me. The new man page header should be changed > > > according to our last man page consolidation effort in ticket 1687 so > > > that it is consistent with the others. In your case, the header should > > > be: > > > > > > +.TH "ipa-adtrust-install" "1" "Aug 23 2011" "FreeIPA" "FreeIPA Manual Pages" > > > > > > Plus, --netbios-name option is not covered in the man page. > > > > Thank you for the feedback, I fixed it accordingly. New version > > attached. > > NACK > > Ok I spent an afternoon with gd's packages trying to get the install > work. > I have it finally start smbd if run manually. > > Quite a few things needed to be changed in the configuration to get it > to start smbd (not a working solution yet though). > > First of all for some reason passdb backend would use the hostname > instead of the ldapi socket. This seem to be fixed in the latest patch > (the install had been done with the previous) yes, was already fixed > > - ldap ssl need to set to off, as dirsrv does not allow (nor we want) to > use start tls on ldapi > I had to use: net conf setparms global 'ldap ssl' off fixed > > - ldap suffix = cn=accounts,dc=ipa,dc=test is definitely not right. > This is not fixed in the current patch either. 
> > It should be ldap suffix = $SUFFIX fixed > > - log file directive is unusual %d causes each log file to be created > with the pid number, that is very annoying when you want to see the logs > of a specific machine, please change it to use %m fixed > > - No service principal is created for cifs/fqdn fixed > > - No directive to tell samba to use the system keytab. you should > probably set 'kerberos method = system keytab' > fixed > > I couldn't test everything due to other issues I found and need to > investigate in both the samba packages and krb5kdc segfaulting on me > when I try to use smbclient -k yes :-( I can now run 'smbclient -k -L' on my test system with the recent samba patch. bye, Sumit > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > -------------- next part -------------- From d321445103df0ce185be30e31fb88d70724aefb6 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 7 Sep 2011 10:17:12 +0200 Subject: [PATCH] Add ipa-adtrust-install utility https://fedorahosted.org/freeipa/ticket/1619 --- freeipa.spec.in | 2 + install/po/Makefile.in | 1 + install/share/Makefile.am | 1 + install/share/smb.conf.template | 28 +++ install/tools/Makefile.am | 1 + install/tools/ipa-adtrust-install | 244 ++++++++++++++++++++ install/tools/man/Makefile.am | 1 + install/tools/man/ipa-adtrust-install.1 | 47 ++++ ipaserver/install/Makefile.am | 1 + ipaserver/install/service.py | 3 +- ipaserver/install/smbinstance.py | 269 ++++++++++++++++++++++ tests/test_ipaserver/install/test_smbinstance.py | 59 +++++ 12 files changed, 656 insertions(+), 1 deletions(-) create mode 100644 install/share/smb.conf.template create mode 100755 install/tools/ipa-adtrust-install create mode 100644 install/tools/man/ipa-adtrust-install.1 create mode 100644 ipaserver/install/smbinstance.py create mode 100755 tests/test_ipaserver/install/test_smbinstance.py 
diff --git a/freeipa.spec.in b/freeipa.spec.in index fc7141cc1729b751e09f8fc8dfdd1c8d94756359..2aa90a8c45efb1d2b8978b5d98e3afb22b2a71df 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -401,6 +401,7 @@ fi %doc COPYING README Contributors.txt %{_sbindir}/ipa-ca-install %{_sbindir}/ipa-dns-install +%{_sbindir}/ipa-adtrust-install %{_sbindir}/ipa-server-install %{_sbindir}/ipa-replica-conncheck %{_sbindir}/ipa-replica-install @@ -482,6 +483,7 @@ fi %{_mandir}/man1/ipa-server-certinstall.1.gz %{_mandir}/man1/ipa-server-install.1.gz %{_mandir}/man1/ipa-dns-install.1.gz +%{_mandir}/man1/ipa-adtrust-install.1.gz %{_mandir}/man1/ipa-ca-install.1.gz %{_mandir}/man1/ipa-compat-manage.1.gz %{_mandir}/man1/ipa-nis-manage.1.gz diff --git a/install/po/Makefile.in b/install/po/Makefile.in index 47c8bbba56041f95fc6641ff0188ab60db658de8..ac08b47921c0a96d0fe06b8d8f1419d7cd76bd36 100644 --- a/install/po/Makefile.in +++ b/install/po/Makefile.in @@ -51,6 +51,7 @@ PY_EXPLICIT_FILES = \ install/tools/ipa-server-install \ install/tools/ipa-ldap-updater \ install/tools/ipa-dns-install \ + install/tools/ipa-adtrust-install \ install/tools/ipa-ca-install \ ipa-client/ipa-install/ipa-client-install diff --git a/install/share/Makefile.am b/install/share/Makefile.am index f2a6a6cae418b2f31151130c4fd53db8cbbe922a..50ec816b42fcbad619504bf3ccf6ef293e5188ba 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -32,6 +32,7 @@ app_DATA = \ krb.con.template \ krbrealm.con.template \ preferences.html.template \ + smb.conf.template \ referint-conf.ldif \ dna.ldif \ master-entry.ldif \ diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template new file mode 100644 index 0000000000000000000000000000000000000000..a7fc10691e8a4dd69b711d266f6bb70479dd319d --- /dev/null +++ b/install/share/smb.conf.template 
@@ -0,0 +1,28 @@ +[global] +workgroup = $NETBIOS_NAME +realm = $REALM +kerberos method = system keytab +create krb5 conf = no +security = user +domain master = yes +domain logons = yes +log level = 1 +max log size = 100000 +log file = /var/log/samba/log.%m +passdb backend = IPA_ldapsam:ldapi://$LDAPI_SOCKET +ldapsam:trusted=yes +ldap ssl = off +ldap admin dn = $SMB_DN +ldap suffix = $SUFFIX +ldap user suffix = cn=users,cn=accounts +ldap group suffix = cn=groups,cn=accounts +ldap machine suffix = cn=computers,cn=accounts +rpc_server:epmapper = external +rpc_server:lsarpc = external +rpc_server:lsass = external +rpc_server:lsasd = external +rpc_server:samr = external +rpc_server:netlogon = external +rpc_server:tcpip = yes +rpc_daemon:epmd = fork +rpc_daemon:lsasd = fork diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index fc615ec04f324c2d9c98dc8cf674938e1064bec6..96da7531764598878f94b6abd54c27a74671c028 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am @@ -8,6 +8,7 @@ sbin_SCRIPTS = \ ipa-ca-install \ ipa-dns-install \ ipa-server-install \ + ipa-adtrust-install \ ipa-replica-conncheck \ ipa-replica-install \ ipa-replica-prepare \ diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install new file mode 100755 index 0000000000000000000000000000000000000000..86c69ca459026a0fd91ab196461cd63547f7ca57 --- /dev/null +++ b/install/tools/ipa-adtrust-install 
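Review bot: in smb.conf.template, `ldap ssl = off` is only acceptable because `passdb backend = IPA_ldapsam:ldapi://$LDAPI_SOCKET` talks to the directory over a local Unix-domain socket (and, as the thread notes, dirsrv does not allow start TLS on ldapi); the template should carry a comment stating that dependency, so that a later change of the URI to an ldap://host form does not silently keep a plaintext transport for the `ldap admin dn = $SMB_DN` bind. The `log file = /var/log/samba/log.%m` and `kerberos method = system keytab` settings match what Simo asked for in the review.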
@@ -0,0 +1,244 @@ +#! /usr/bin/python +# +# Authors: Sumit Bose +# Based on ipa-server-install by Karl MacMillan +# and ipa-dns-install by Martin Nagy +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import traceback + +from ipaserver.plugins.ldap2 import ldap2 +from ipaserver.install import smbinstance +from ipaserver.install.installutils import * +from ipaserver.install import installutils +from ipapython import version +from ipapython import ipautil, sysrestore +from ipalib import api, errors, util +from ipapython.config import IPAOptionParser +import krbV +import ldap + +def parse_options(): + parser = IPAOptionParser(version=version.VERSION) + parser.add_option("-p", "--ds-password", dest="dm_password", + sensitive=True, help="directory manager password") + parser.add_option("-d", "--debug", dest="debug", action="store_true", + default=False, help="print debugging information") + parser.add_option("--ip-address", dest="ip_address", + type="ip", ip_local=True, help="Master Server IP Address") + parser.add_option("--netbios-name", dest="netbios_name", + help="NetBIOS name of the IPA domain") + parser.add_option("-U", "--unattended", dest="unattended", action="store_true", + default=False, help="unattended installation never prompts the user") + + options, args = parser.parse_args() + safe_options = 
parser.get_safe_opts(options) + + return safe_options, options + +def netbios_name_error(name): + print "Illegal NetBIOS name [%s].\n" % name + print "Up to 15 characters and only uppercase ASCII letter and digits are allowed." + +def read_netbios_name(netbios_default): + netbios_name = "" + + print "Enter the NetBIOS name for the IPA domain." + print "Only up to 15 uppercase ASCII letters and digits are allowed." + print "Example: EXAMPLE." + print "" + print "" + if not netbios_default: + netbios_default = "EXAMPLE" + while True: + netbios_name = ipautil.user_input("NetBIOS domain name", netbios_default, allow_empty = False) + print "" + if smbinstance.check_netbios_name(netbios_name): + break + + netbios_name_error(netbios_name) + + return netbios_name + +def main(): + safe_options, options = parse_options() + + if os.getegid() != 0: + sys.exit("Must be root to setup AD trusts on server") + + installutils.check_server_configuration() + + standard_logging_setup("/var/log/ipaserver-install.log", options.debug, filemode='a') + print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log" + + logging.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options)) + logging.debug("missing options might be asked for interactively later\n") + + global fstore + fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + print "==============================================================================" + print "This program will setup components needed to establish trust to AD domains for" + print "the FreeIPA Server." + print "" + print "This includes:" + print " * Configure Samba" + print " * Add trust related objects to FreeIPA LDAP server" + #TODO: + #print " * Add a SID to all users and Posix groups" + print "" + print "To accept the default shown in brackets, press the Enter key." 
+ print "" + + # Check if samba packages are installed + if not smbinstance.check_inst(options.unattended): + sys.exit("Aborting installation.") + + # Initialize the ipalib api + cfg = dict( + in_server=True, + debug=options.debug, + ) + api.bootstrap(**cfg) + api.finalize() + + if smbinstance.ipa_smb_conf_exists(): + sys.exit("Aborting installation.") + + # Check we have a public IP that is associated with the hostname + try: + if options.ip_address: + ip = ipautil.CheckedIPAddress(options.ip_address, match_local=True) + else: + hostaddr = resolve_host(api.env.host) + ip = hostaddr and ipautil.CheckedIPAddress(hostaddr, match_local=True) + except Exception, e: + print "Error: Invalid IP Address %s: %s" % (ip, e) + ip = None + + if not ip: + if options.unattended: + sys.exit("Unable to resolve IP address for host name") + else: + read_ip = read_ip_address(api.env.host, fstore) + try: + ip = ipautil.CheckedIPAddress(read_ip, match_local=True) + except Exception, e: + print "Error: Invalid IP Address %s: %s" % (ip, e) + sys.exit("Aborting installation.") + + ip_address = str(ip) + logging.debug("will use ip_address: %s\n", ip_address) + + if not options.unattended: + print "" + print "The following operations may take some minutes to complete." + print "Please wait until the prompt is returned." 
+ print "" + + # Create a Samba instance + if options.unattended and not options.dm_password: + sys.exit("\nIn unattended mode you need to provide at least the -p option") + + netbios_name = options.netbios_name + if not netbios_name: + netbios_name = smbinstance.make_netbios_name(api.env.domain) + + if not smbinstance.check_netbios_name(netbios_name): + if options.unattended: + netbios_name_error(netbios_name) + sys.exit("Aborting installation.") + else: + netbios_name = None + if options.netbios_name: + netbios_name_error(options.netbios_name) + + if not options.unattended and ( not netbios_name or not options.netbios_name): + netbios_name = read_netbios_name(netbios_name) + + dm_password = options.dm_password or read_password("Directory Manager", + confirm=False, validate=False) + smb = smbinstance.SMBInstance(fstore, dm_password) + + # try the connection + try: + smb.ldap_connect() + smb.ldap_disconnect() + except ldap.INVALID_CREDENTIALS, e: + sys.exit("Password is not valid!") + + if smb.dm_password: + api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=smb.dm_password) + else: + # See if our LDAP server is up and we can talk to it over GSSAPI + ccache = krbV.default_context().default_ccache().name + api.Backend.ldap2.connect(ccache) + + smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain, + netbios_name) + smb.create_instance() + + print "==============================================================================" + print "Setup complete" + print "" + print "\tYou must make sure these network ports are open:" + print "\t\tTCP Ports:" + print "\t\t * 138: netbios-dgm" + print "\t\t * 139: netbios-ssn" + print "\t\t * 445: microsoft-ds" + print "\t\tUDP Ports:" + print "\t\t * 138: netbios-dgm" + print "\t\t * 139: netbios-ssn" + print "\t\t * 445: microsoft-ds" + print "" + print "\tAdditionally you have to make sure the FreeIPA LDAP server cannot reached" + print "\tby any domain controller in the Active Directory domain by 
closing the" + print "\tfollowing ports for these servers:" + print "\t\tTCP Ports:" + print "\t\t * 389, 636: LDAP/LDAPS" + print "\t\tUDP Ports:" + print "\t\t * 389: (C)LDAP" + print "\tYou may want to choose to REJECT the network packets instead of DROPing them" + print "\tto avoid timeouts on the AD domain controllers." + + return 0 + +try: + sys.exit(main()) +except SystemExit, e: + sys.exit(e) +except KeyboardInterrupt: + print "Installation cancelled." +except RuntimeError, e: + print str(e) +except HostnameLocalhost: + print "The hostname resolves to the localhost address (127.0.0.1/::1)" + print "Please change your /etc/hosts file so that the hostname" + print "resolves to the ip address of your network interface." + print "The KDC service does not listen on localhost" + print "" + print "Please fix your /etc/hosts file and restart the setup program" +except Exception, e: + message = "Unexpected error - see ipaserver-install.log for details:\n %s" % str(e) + print message + message = str(e) + for str in traceback.format_tb(sys.exc_info()[2]): + message = message + "\n" + str + logging.debug(message) + sys.exit(1) diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am index 71d9b29c87d2b24c51d3048dc1050e099a89835d..d5b5976b0fd8c8e6683d09e7ade575fda2527832 100644 --- a/install/tools/man/Makefile.am +++ b/install/tools/man/Makefile.am @@ -13,6 +13,7 @@ man1_MANS = \ ipa-server-certinstall.1 \ ipa-server-install.1 \ ipa-dns-install.1 \ + ipa-adtrust-install.1 \ ipa-ca-install.1 \ ipa-ldap-updater.1 \ ipa-compat-manage.1 \ diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 new file mode 100644 index 0000000000000000000000000000000000000000..a3981adf48d14cc0e540c646fff099490203f862 --- /dev/null +++ b/install/tools/man/ipa-adtrust-install.1 
@@ -0,0 +1,47 @@ +.\" A man page for ipa-adtrust-install +.\" Copyright (C) 2011 Red Hat, Inc. +.\" +.\" This program is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation, either version 3 of the License, or +.\" (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, but +.\" WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +.\" General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program. If not, see . +.\" +.\" Author: Sumit Bose +.\" +.TH "ipa-adtrust-install" "1" "Aug 23 2011" "FreeIPA" "FreeIPA Manual Pages" +.SH "NAME" +ipa\-adtrust\-install \- Prepare an IPA server to be able to establish trust relationships with AD domains +.SH "SYNOPSIS" +ipa\-adtrust\-install [\fIOPTION\fR]... +.SH "DESCRIPTION" +Adds all necesary objects and configuration to allow an IPA server to create a +trust to an Active Directory domain. This requires that the IPA server is +already installed and configured. +.SH "OPTIONS" +.TP +\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR +The password to be used by the Directory Server for the Directory Manager user +.TP +\fB\-d\fR, \fB\-\-debug\fR +Enable debug logging when more verbose output is needed +.TP +\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR +The IP address of the IPA server. If not provided then this is determined based on the hostname of the server. +.TP +\fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR +The NetBIOS name for the IPA domain. If not provided then this is determined based on the leading component of the DNS domain name. 
+.TP +\fB\-U\fR, \fB\-\-unattended\fR +An unattended installation that will never prompt for user input +.SH "EXIT STATUS" +0 if the installation was successful + +1 if an error occurred diff --git a/ipaserver/install/Makefile.am b/ipaserver/install/Makefile.am index 8932eadbb7ace71372277259a557884d989ea2c1..398551bd78aa4ba893a3953f0c7ee7bcb23d1a14 100644 --- a/ipaserver/install/Makefile.am +++ b/ipaserver/install/Makefile.am @@ -10,6 +10,7 @@ app_PYTHON = \ krbinstance.py \ httpinstance.py \ ntpinstance.py \ + smbinstance.py \ service.py \ installutils.py \ replication.py \ diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 2f80749ade535ff24cbacd90f8c03699432f3186..5f7260e2343e9d9373ff4cfd8d071b82f218ed33 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -37,7 +37,8 @@ SERVICE_LIST = { 'KPASSWD':('kadmin', 20), 'DNS':('named', 30), 'HTTP':('httpd', 40), - 'CA':('pki-cad', 50) + 'CA':('pki-cad', 50), + 'ADTRUST':('smb', 60) } def stop(service_name, instance_name="", capture_output=True): diff --git a/ipaserver/install/smbinstance.py b/ipaserver/install/smbinstance.py new file mode 100644 index 0000000000000000000000000000000000000000..a6caca8bb995ea58fee895d5bd395c30b8204557 --- /dev/null +++ b/ipaserver/install/smbinstance.py 
@@ -0,0 +1,269 @@ +# Authors: Sumit Bose +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import logging + +import os +import ldap +import service +import tempfile +import installutils +from ipaserver import ipaldap +from ipaserver.install.dsinstance import realm_to_serverid +from ipalib import errors +from ipapython import sysrestore +from ipapython import ipautil + +import random +import string +import struct + +allowed_netbios_chars = string.ascii_uppercase + string.digits + +def check_inst(unattended): + has_smb = True + + if not os.path.exists('/usr/sbin/smbd'): + print "Samba was not found on this system" + print "Please install the 'samba' package and start the installation again" + has_smb = False + + #TODO: Add check for needed samba4 libraries + + return has_smb + +def ipa_smb_conf_exists(): + fd = open('/etc/samba/smb.conf', 'r') + lines = fd.readlines() + fd.close() + for line in lines: + if line.startswith('### Added by IPA Installer ###'): + return True + return False + + +def check_netbios_name(s): + # NetBIOS names may not be longer than 15 allowed characters + if not s or len(s) > 15 or ''.join([c for c in s if c not in allowed_netbios_chars]): + return False + + return True + +def make_netbios_name(s): + return ''.join([c for c in s.split('.')[0].upper() if c in allowed_netbios_chars])[:15] + 
+class SMBInstance(service.Service): + def __init__(self, fstore=None, dm_password=None): + service.Service.__init__(self, "smb", dm_password=dm_password) + + if fstore: + self.fstore = fstore + else: + self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + def __create_samba_user(self): + print "The user for Samba is %s" % self.smb_dn + try: + self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE) + print "Samba user entry exists, not resetting password" + return + except errors.NotFound: + pass + + # The user doesn't exist, add it + entry = ipaldap.Entry(self.smb_dn) + entry.setValues("objectclass", ["account", "simplesecurityobject"]) + entry.setValues("uid", "samba") + entry.setValues("userPassword", self.smb_dn_pwd) + self.admin_conn.add_s(entry) + + # And finally grant it permission to read NT passwords, we do not want + # to support LM passwords so there is no need to allow access to them + mod = [(ldap.MOD_ADD, 'aci', + str(['(targetattr = "sambaNTPassword")(version 3.0; acl "Samba user can read NT passwords"; allow (read) userdn="ldap:///%s";)' % self.smb_dn]))] + try: + self.admin_conn.modify_s(self.suffix, mod) + except ldap.TYPE_OR_VALUE_EXISTS: + logging.debug("samba user aci already exists in suffix %s on %s" % (self.suffix, self.admin_conn.host)) + + def __gen_sid_string(self): + sub_ids = struct.unpack(" +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. 
+# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +""" +Test `smbinstance` +""" + +import os +import nose + +from ipaserver.install import smbinstance + +class test_smbinstance: + """ + Test `smbinstance`. + """ + + def test_make_netbios_name(self): + s = smbinstance.make_netbios_name("ABCDEF") + assert s == 'ABCDEF' and isinstance(s, str) + s = smbinstance.make_netbios_name(U"ABCDEF") + assert s == 'ABCDEF' and isinstance(s, unicode) + s = smbinstance.make_netbios_name("abcdef") + assert s == 'ABCDEF' + s = smbinstance.make_netbios_name("abc.def") + assert s == 'ABC' + s = smbinstance.make_netbios_name("abcdefghijklmnopqr.def") + assert s == 'ABCDEFGHIJKLMNO' + s = smbinstance.make_netbios_name("A!$%B&/()C=?+*D") + assert s == 'ABCD' + s = smbinstance.make_netbios_name("!$%&/()=?+*") + assert not s + + def test_check_netbios_name(self): + assert smbinstance.check_netbios_name("ABCDEF") + assert not smbinstance.check_netbios_name("abcdef") + assert smbinstance.check_netbios_name("ABCDE12345ABCDE") + assert not smbinstance.check_netbios_name("ABCDE12345ABCDE1") + assert not smbinstance.check_netbios_name("") + + assert smbinstance.check_netbios_name(U"ABCDEF") + assert not smbinstance.check_netbios_name(U"abcdef") + assert smbinstance.check_netbios_name(U"ABCDE12345ABCDE") + assert not smbinstance.check_netbios_name(U"ABCDE12345ABCDE1") -- 1.7.6 From rcritten at redhat.com Mon Sep 12 17:40:53 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 12 Sep 2011 13:40:53 -0400 Subject: [Freeipa-devel] [PATCH] 0013 Use proper HBAC service names in the documentation In-Reply-To: <20110912145119.GE22121@redhat.com> References: <20110912145119.GE22121@redhat.com> Message-ID: <4E6E4425.6030009@redhat.com> Alexander Bokovoy wrote: > https://fedorahosted.org/freeipa/ticket/1741 ACK, pushed to master and ipa-2-1 From rcritten at redhat.com Mon Sep 12 17:53:24 2011 
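Review bot: in the ipa-adtrust-install hunk, the `except Exception, e` handler of the first IP check prints `ip` before it has been bound when `ipautil.CheckedIPAddress(options.ip_address, match_local=True)` or `resolve_host()` raises, so the error report itself becomes a NameError; bind `ip = None` before the `try` and print the input being checked (and in the second block print `read_ip`, since `ip` is still None there). The two `sys.exit("Aborting installation.")` calls after `smbinstance.check_inst()` and `smbinstance.ipa_smb_conf_exists()` give no reason, so a user cannot tell that an IPA-generated smb.conf is what stopped the install; say which check failed. If `sys.exit(1)` is indented under the final `except Exception` handler (the flattened hunk hides the indentation), the KeyboardInterrupt, RuntimeError and HostnameLocalhost handlers fall through to a zero exit status, contradicting the man page's EXIT STATUS section; confirm it sits at module level. `os`, `sys` and `logging` are only reached through `from ipaserver.install.installutils import *`; import them explicitly. In the last handler the loop variable `str` shadows the builtin that `str(e)` used one line earlier; rename it. In the closing text, "cannot reached by" should be "cannot be reached by", and the TCP and UDP port lists are identical (138, 139, 445); double-check that this is the intended UDP set.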
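Review bot: in the ipa-adtrust-install.1 hunk, "necesary" in the DESCRIPTION section should be "necessary". The `--ip-address` text says the address "is determined based on the hostname" when omitted; the script additionally prompts for it in interactive mode and aborts in unattended mode when resolution fails, which is worth stating here since `-U` is documented right below.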
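Review bot: in the smbinstance.py hunk, `ipa_smb_conf_exists()` opens /etc/samba/smb.conf unconditionally, so a missing file raises IOError instead of returning False; guard it with `os.path.exists()`, since the installer is going to write the file anyway. In `__create_samba_user` the `aci` value is built as `str([...])`, which produces the list's repr (`['(targetattr = "sambaNTPassword")...']`) with the brackets and quotes included rather than the ACI string; pass the formatted string itself (or a list of strings) as the modlist value. In the same method, an existing entry is left with its old `userPassword`, so the value in LDAP and the one Samba keeps locally can diverge; resetting it unconditionally keeps them in sync. `check_inst(unattended)` never uses its `unattended` argument, and with the samba4 library check still a `#TODO`, a host that only has /usr/sbin/smbd passes the prerequisite check.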
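Review bot: in the test_smbinstance.py hunk, `os` and `nose` are imported but never used; drop them. The tests cover only `make_netbios_name()` and `check_netbios_name()`; `ipa_smb_conf_exists()` has no coverage, and a test that feeds it a file without the '### Added by IPA Installer ###' marker and a missing file would pin down the behaviour the installer relies on.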
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 12 Sep 2011 13:53:24 -0400 Subject: [Freeipa-devel] [PATCH] 871 add hostname regex Message-ID: <4E6E4714.7050007@redhat.com> Limit hostnames to letters, digits and - with a max length of 255 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-871-hostname.patch Type: text/x-patch Size: 10849 bytes Desc: not available URL: From rcritten at redhat.com Mon Sep 12 18:17:49 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 12 Sep 2011 14:17:49 -0400 Subject: [Freeipa-devel] [PATCH] 0014 Unroll groups for users, hosts, and services when testing HBAC rules In-Reply-To: <20110912145217.GF22121@redhat.com> References: <20110912145217.GF22121@redhat.com> Message-ID: <4E6E4CCD.2060402@redhat.com> Alexander Bokovoy wrote: > https://fedorahosted.org/freeipa/ticket/1740 > ACK, pushed to master and ipa-2-1 From abokovoy at redhat.com Mon Sep 12 19:50:18 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 12 Sep 2011 22:50:18 +0300 Subject: [Freeipa-devel] [PATCH] 871 add hostname regex In-Reply-To: <4E6E4714.7050007@redhat.com> References: <4E6E4714.7050007@redhat.com> Message-ID: <20110912195017.GG22121@redhat.com> On Mon, 12 Sep 2011, Rob Crittenden wrote: > Limit hostnames to letters, digits and - with a max length of 255 > > takes_params = ( > Str('fqdn', validate_host, > + pattern='^[a-zA-Z0-9][a-zA-Z0-9-\.]{0,254}$', > + pattern_errmsg='may only include letters, numbers, and -', > + maxlength=255, > cli_name='hostname', > label=_('Host name'), > primary_key=True, What about IDN hosts? With this change we would require them to be always in Punycode? -- / Alexander Bokovoy From abokovoy at redhat.com Mon Sep 12 20:00:18 2011 
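Review bot: the `pattern='^[a-zA-Z0-9][a-zA-Z0-9-\.]{0,254}$'` line accepts names the intent excludes: labels that begin or end with `-`, empty labels from consecutive dots, and a bare trailing dot, because the character class is applied to the whole name rather than per label. A per-label form such as `^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$`, kept together with `maxlength=255`, also enforces the 63-character label limit. `pattern_errmsg='may only include letters, numbers, and -'` omits the dot the pattern permits, so the message understates what is accepted.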
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 12 Sep 2011 23:00:18 +0300 Subject: [Freeipa-devel] [PATCH] 870 remove normalizer In-Reply-To: <4E6E29BC.6090800@redhat.com> References: <4E6E29BC.6090800@redhat.com> Message-ID: <20110912200018.GH22121@redhat.com> On Mon, 12 Sep 2011, Rob Crittenden wrote: > Remove the lower-case normalizer on roles, privileges and > permissions. Mixed-case works fine. ACK. I suppose we don't need any unit-test for lift of restriction... -- / Alexander Bokovoy From rcritten at redhat.com Mon Sep 12 20:13:32 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 12 Sep 2011 16:13:32 -0400 Subject: [Freeipa-devel] [PATCH] 871 add hostname regex In-Reply-To: <20110912195017.GG22121@redhat.com> References: <4E6E4714.7050007@redhat.com> <20110912195017.GG22121@redhat.com> Message-ID: <4E6E67EC.9010202@redhat.com> Alexander Bokovoy wrote: > On Mon, 12 Sep 2011, Rob Crittenden wrote: > >> Limit hostnames to letters, digits and - with a max length of 255 >> >> takes_params = ( >> Str('fqdn', validate_host, >> + pattern='^[a-zA-Z0-9][a-zA-Z0-9-\.]{0,254}$', >> + pattern_errmsg='may only include letters, numbers, and -', >> + maxlength=255, >> cli_name='hostname', >> label=_('Host name'), >> primary_key=True, > > What about IDN hosts? With this change we would require them to be > always in Punycode? > Oh, hadn't considered that, I was just following the relevant RFCs. Is there a way we can easily support those as well? rob From abokovoy at redhat.com Mon Sep 12 20:20:55 2011
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 12 Sep 2011 23:20:55 +0300 Subject: [Freeipa-devel] [PATCH] 871 add hostname regex In-Reply-To: <4E6E67EC.9010202@redhat.com> References: <4E6E4714.7050007@redhat.com> <20110912195017.GG22121@redhat.com> <4E6E67EC.9010202@redhat.com> Message-ID: <20110912202054.GI22121@redhat.com> On Mon, 12 Sep 2011, Rob Crittenden wrote: > Alexander Bokovoy wrote: > >On Mon, 12 Sep 2011, Rob Crittenden wrote: > > > >>Limit hostnames to letters, digits and - with a max length of 255 > >> > >> takes_params = ( > >> Str('fqdn', validate_host, > >>+ pattern='^[a-zA-Z0-9][a-zA-Z0-9-\.]{0,254}$', > >>+ pattern_errmsg='may only include letters, numbers, and -', > >>+ maxlength=255, > >> cli_name='hostname', > >> label=_('Host name'), > >> primary_key=True, > > > >What about IDN hosts? With this change we would require them to be > >always in Punycode? > > > > Oh, hadn't considered that, I was just following the relevant RFCs. > Is there a way we can easily support those as well? IDN with Punycode-encoded names would already be supported by this validator. I was wondering about being able to enter those names as it is and if they fail the validator, convert them to IDN (xn-- per name component) and use it forward. However, we would need to make sure all of the comparisons would be done properly... -- / Alexander Bokovoy From simo at redhat.com Mon Sep 12 21:24:38 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 12 Sep 2011 17:24:38 -0400
Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
In-Reply-To: <20110912155308.GB7369@localhost.localdomain>
References: <20110826093926.GF2374@localhost.localdomain> <1314364467.20296.226.camel@willson.li.ssimo.org> <20110830144028.GE12659@localhost.localdomain> <1315433450.2684.13.camel@willson.li.ssimo.org> <20110908115245.GF21228@localhost.localdomain> <1315483606.5141.20.camel@dhcp-25-52.brq.redhat.com> <20110908123927.GG21228@localhost.localdomain> <1315609607.2684.137.camel@willson.li.ssimo.org> <20110912155308.GB7369@localhost.localdomain>
Message-ID: <1315862678.2684.237.camel@willson.li.ssimo.org>

On Mon, 2011-09-12 at 17:53 +0200, Sumit Bose wrote:
[..]
>
> I can now run 'smbclient -k -L' on my test system with the recent samba
> patch.

Sorry a couple more nitpicks.

Trying to reinstall ipa-adtrust-install it returned immediately with "Aborting Installation" and no explanation whatsoever. Turned out it saw there was the IPA autogenerated text in smb.conf and decided to get out.
- 2 issues here:
1) no information (I had to check the code to see what reported that error message), so we need a reason if we abort.
2) In interactive mode we should ask if we want to proceed anyway I think (to make it simpler to test it on an already enabled tree), but can be convinced it is safer to just abort.

- Once I fixed that by removing smb.conf and all tdbs to be sure, it failed because smb.conf was not found, we should not require to find it if we are going to wipe it anyway. If it is not there we should just go on and create one.

- Then it correctly detected the samba sysaccount user existed and decided not to reset the password. Not sure why, if we proceed and reset the password in both ldap and secrets.tdb we are sure they are the same, if we don't we just risk having no password (I wiped out secrets.tdb and running ipa-adtrust-install again is the fastest way to get that restored). I think you should always reset that password.

- The installation also failed because the service entry under the master entry already existed. We should probably ignore and proceed, in case of existing object. Not fail.

Except for these points I had to set SELinux in permissive mode in order to run the epmd, we need to track SELinux changes in a ticket I think.

I wasn't able to test smbclient -k yes due to another bug in smbd but the install seems fine so far, and I was able to get a ticket for cifs/ w/o any issue, and auth seemed to work.

So if the nitpicks above get fixed it should be the last revision.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From edewata at redhat.com Tue Sep 13 05:56:13 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 13 Sep 2011 00:56:13 -0500 Subject: [Freeipa-devel] [PATCH] 012 Fixed inconsistency in enabling delete buttons In-Reply-To: <4E69F77F.7060001@redhat.com> References: <4E6760AC.20705@redhat.com> <4E67C0B8.9030000@redhat.com> <4E69F77F.7060001@redhat.com> Message-ID: <4E6EF07D.6030506@redhat.com> On 9/9/2011 6:24 AM, Petr Vobornik wrote: > On 09/07/2011 09:06 PM, Endi Sukma Dewata wrote: >> On 9/7/2011 7:16 AM, Petr Vobornik wrote: >>> https://fedorahosted.org/freeipa/ticket/1640 >>> .. >> One issue, in HBAC/sudo rules details page if the category is changed >> from 'all' to 'specific', the Delete button will be enabled although >> there is no entries selected. >> >> See the set_enabled() in IPA.association_table_widget. I think if the >> parameter is true it should enable only the Add button. If the parameter >> is false it disable both Add and Delete button and call unselect_all(). >> > Fixed ACK. It was already pushed to master and ipa-2-1 last week. -- Endi S. Dewata From edewata at redhat.com Tue Sep 13 06:00:10 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 13 Sep 2011 01:00:10 -0500 Subject: [Freeipa-devel] [PATCH] 267 Fixed missing optional field. In-Reply-To: <4E6DF9E1.7010709@redhat.com> References: <4E6AAD5B.2040603@redhat.com> <4E6DF9E1.7010709@redhat.com> Message-ID: <4E6EF16A.80502@redhat.com> On 9/12/2011 7:24 AM, Petr Vobornik wrote: > On 09/10/2011 02:20 AM, Endi Sukma Dewata wrote: >> The optional uid field in user's adder dialog did not appear when >> the link is clicked to show the field. This is a regression introduced >> in the patch for ticket #1648. >> >> The click handler for the link field has been moved into a new closure >> so that the variables point to the correct elements. >> >> Note: the duplicate code in IPA.details_table_section.create() and >> IPA.dialog.create() will be addressed separately in ticket #1394. > > ACK Pushed to master and ipa-2-1. > But: > The part of code in details.js is never executed because field.optional > is never set to true for fields in details facet. As you write, some > clean-up should be addressed in #1394 or/and in #1696 (to be consistent > with dialogs). That's true. The code is being kept consistent in these locations to simplify merging in my next patch for #1394. For #1696 depending on UXD feedback we might need to change this code again. -- Endi S. Dewata From edewata at redhat.com Tue Sep 13 06:04:45 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 13 Sep 2011 01:04:45 -0500 Subject: [Freeipa-devel] [PATCH] 268 Fixed labels for run-as users and groups. In-Reply-To: <4E6E0C9C.1090304@redhat.com> References: <4E6AAD93.9090907@redhat.com> <4E6E0C9C.1090304@redhat.com> Message-ID: <4E6EF27D.6050803@redhat.com> On 9/12/2011 8:43 AM, Petr Vobornik wrote: > On 09/10/2011 02:21 AM, Endi Sukma Dewata wrote: >> The labels for the run-as users and groups tables in sudo rule details >> page have been modified to improve the clarity. >> >> Ticket #1752 > > Use of 'that.label = that.label | ...' in association_table_widget is > affecting other labels besides that specified in spec object. In Who > section of sudo rule label "User Group" is changed to "Groups". Because > this way it uses default label retrieval method in widget > (IPA.get_entity_param) instead of metadata.objects.[other_entity].label. > This isn't entirely wrong, but param labels aren't always consistent > with entity.labels. > > Otherwise its OK. The labels from entity parameter are actually more appropriate. I've updated the patch to use them instead. I also fixed some of the labels (the run-as group label & doc is incorrect). -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0268-2-Fixed-labels-for-run-as-users-and-groups.patch Type: text/x-patch Size: 64293 bytes Desc: not available URL: From jcholast at redhat.com Tue Sep 13 07:10:15 2011 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 13 Sep 2011 09:10:15 +0200 Subject: [Freeipa-devel] [PATCH] 871 add hostname regex In-Reply-To: <4E6E67EC.9010202@redhat.com> References: <4E6E4714.7050007@redhat.com> <20110912195017.GG22121@redhat.com> <4E6E67EC.9010202@redhat.com> Message-ID: <4E6F01D7.7090902@redhat.com> On 12.9.2011 22:13, Rob Crittenden wrote: > Alexander Bokovoy wrote: >> On Mon, 12 Sep 2011, Rob Crittenden wrote: >> >>> Limit hostnames to letters, digits and - with a max length of 255 >>> >>> takes_params = ( >>> Str('fqdn', validate_host, >>> + pattern='^[a-zA-Z0-9][a-zA-Z0-9-\.]{0,254}$', >>> + pattern_errmsg='may only include letters, numbers, and -', >>> + maxlength=255, >>> cli_name='hostname', >>> label=_('Host name'), >>> primary_key=True, >> >> What about IDN hosts? With this change we would require them to be >> always in Punycode? >> > > Oh, hadn't considered that, I was just following the relevant RFCs. Is > there a way we can easily support those as well? The easiest way would probably be: normalizer=lambda value: unicode(value.encode('idna')) > > rob > Honza -- Jan Cholasta From abokovoy at redhat.com Tue Sep 13 07:18:41 2011
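Jan's one-line IDNA normalizer, worked through as an added example (not code from the FreeIPA patch or from anyone in this thread), in Python 3 rather than the Python 2 of the patch: it keeps the `pattern` and `maxlength=255` quoted above, normalizes before validating so a Unicode name reaches the validator in its xn-- form, and shows the other half Alexander's question implies, namely that lookups must compare the normalized form and that display needs the reverse conversion; `check_hostname`, `same_host` and `display_hostname` are names assumed here, and the sample names are constructed.

```python
import re

# Pattern and length limit exactly as in the quoted patch 871 hunk.
HOSTNAME_PATTERN = re.compile(r'^[a-zA-Z0-9][a-zA-Z0-9-\.]{0,254}$')
MAXLENGTH = 255
PATTERN_ERRMSG = 'may only include letters, numbers, and -'


def validate_hostname(value):
    """The validator as patched: regex plus maxlength, nothing else."""
    return len(value) <= MAXLENGTH and HOSTNAME_PATTERN.match(value) is not None


def normalize_hostname(value):
    """Jan's normalizer in Python 3 form (str in, ASCII str out).

    Each non-ASCII label is nameprepped and Punycode-encoded into an
    'xn--' label; labels that are already ASCII pass through unchanged, so
    a name typed in Unicode and the same name typed in Punycode become one
    string.  Raises UnicodeError for an empty label or one over 63 octets.
    """
    return value.encode('idna').decode('ascii')


def display_hostname(value):
    """Reverse direction (ToUnicode) for showing a stored name to a user."""
    return value.encode('ascii').decode('idna')


def check_hostname(value):
    """Normalize first, then validate the ASCII form.

    Returns (normalized_name, None) on success or (None, reason) on failure.
    Doing it in this order is what lets 'm\u00fcller.example.com' pass a
    validator that only knows [a-zA-Z0-9-.].
    """
    try:
        ascii_name = normalize_hostname(value)
    except UnicodeError as err:
        return None, 'idna: %s' % err
    if len(ascii_name) > MAXLENGTH:
        return None, 'can be at most %d characters' % MAXLENGTH
    if HOSTNAME_PATTERN.match(ascii_name) is None:
        return None, PATTERN_ERRMSG
    return ascii_name, None


def same_host(first, second):
    """Compare two hostnames the way lookups must: on the normalized ASCII
    form and case-insensitively, so Unicode and Punycode spellings match."""
    return normalize_hostname(first).lower() == normalize_hostname(second).lower()


if __name__ == '__main__':
    # Constructed sample names; none of them comes from the thread.
    samples = [
        'host.example.com',           # plain ASCII
        'm\u00fcller.example.com',    # Unicode: fails the raw regex
        'xn--mller-kva.example.com',  # the same host already in Punycode
        'a..b.example.com',           # empty label: regex allows, IDNA rejects
        'a' * 64 + '.example.com',    # 64-octet label: regex allows, IDNA rejects
    ]
    for name in samples:
        normalized, reason = check_hostname(name)
        print('%-30s raw regex: %-5s normalized: %s' % (
            name, validate_hostname(name),
            normalized or 'REJECTED (%s)' % reason))
    print(same_host('M\u00fcller.Example.com', 'xn--mller-kva.example.com'))
    print(display_hostname('xn--mller-kva.example.com'))
```

The last two sample names show why normalizing before validating matters: the regex alone lets them through, the IDNA step does not.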
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 13 Sep 2011 10:18:41 +0300 Subject: [Freeipa-devel] [PATCH] 871 add hostname regex In-Reply-To: <4E6F01D7.7090902@redhat.com> References: <4E6E4714.7050007@redhat.com> <20110912195017.GG22121@redhat.com> <4E6E67EC.9010202@redhat.com> <4E6F01D7.7090902@redhat.com> Message-ID: <20110913071840.GA13127@redhat.com> On Tue, 13 Sep 2011, Jan Cholasta wrote: > >>What about IDN hosts? With this change we would require them to be > >>always in Punycode? > >> > > > >Oh, hadn't considered that, I was just following the relevant RFCs. Is > >there a way we can easily support those as well? > > The easiest way would probably be: > > normalizer=lambda value: unicode(value.encode('idna')) That's one part. Another one is visualizing such content -- for both Web UI and CLI we would need to run encodings.idna.ToUnicode(). Finally, make sure whatever we pass to external applications is properly formatted as well -- all of them should be able to work with xn- form. -- / Alexander Bokovoy From abokovoy at redhat.com Tue Sep 13 08:54:46 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 13 Sep 2011 11:54:46 +0300 Subject: [Freeipa-devel] [PATCH] Allow using external hosts in HBAC test Message-ID: <20110913085446.GB13127@redhat.com> When external host is specified in HBAC rule, allow its use in simulation https://fedorahosted.org/freeipa/ticket/1763 When external host is specified in HBAC rule, it needs to be added to the set of source hosts this rule applies to. Add (list of external hosts) explicitly when converting FreeIPA rules to PyHBAC objects. -- / Alexander Bokovoy -------------- next part -------------- >From 27f44edb48fdcbf1f007282b17bbb5206f676c39 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy Date: Tue, 13 Sep 2011 11:49:27 +0300 Subject: [PATCH] When external host is specified in HBAC rule, allow its use in simulation https://fedorahosted.org/freeipa/ticket/1763 When external host is specified in HBAC rule, it needs to be added to the set of source hosts this rule applies to. Add (list of external hosts) explicitly when converting FreeIPA rules to PyHBAC objects. --- ipalib/plugins/hbactest.py | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py index 5fce2e5fbf89b19a315e721d5237c1f1b2267421..43151e3407cba5808035259d36f99f09d6fd759f 100644 --- a/ipalib/plugins/hbactest.py +++ b/ipalib/plugins/hbactest.py @@ -131,7 +131,8 @@ def convert_to_ipa_rule(rule): ipa_rule = pyhbac.HbacRule(rule['cn'][0]) ipa_rule.enabled = rule['ipaenabledflag'][0] # Following code attempts to process rule systematically - structure = (('user', 'memberuser', 'user', 'group', ipa_rule.users), + structure = \ + (('user', 'memberuser', 'user', 'group', ipa_rule.users), ('host', 'memberhost', 'host', 'hostgroup', ipa_rule.targethosts), ('sourcehost', 'sourcehost', 'host', 'hostgroup', ipa_rule.srchosts), ('service', 'memberservice', 'hbacsvc', 'hbacsvcgroup', ipa_rule.services), @@ -151,6 +152,8 @@ def convert_to_ipa_rule(rule): attr_name = '%s_%s' % (element[1], element[3]) if attr_name in rule: element[4].groups = rule[attr_name] + if 'externalhost' in rule: + ipa_rule.srchosts.names.extend(rule['externalhost']) return ipa_rule -- 1.7.6.1 From mkosek at redhat.com Tue Sep 13 09:40:59 2011 
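Review bot: the first hunk (`@@ -131,7 +131,8 @@`) only rewrites `structure = (('user', ...` as `structure = \` plus a continuation line, a cosmetic change unrelated to ticket 1763; either drop it or mention it in the commit message so the functional change stays a one-hunk diff.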
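Review bot: in the second hunk (`@@ -151,6 +152,8 @@`), confirm that the new `if 'externalhost' in rule:` block sits at function level after the `for element in structure` loop rather than inside it; the flattened hunk does not show the indentation, and inside the loop `ipa_rule.srchosts.names.extend(rule['externalhost'])` would append the same external hosts once per structure element. Since externalhost is free-form text on the rule, a test in the hbactest suite that simulates a rule with an external host against a matching and a non-matching source host would pin the behaviour down.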
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 13 Sep 2011 11:40:59 +0200
Subject: [Freeipa-devel] [PULL REQUEST, master] Platform-specific adaptation
In-Reply-To: <20110912144949.GD22121@redhat.com>
References: <20110912081821.GA22121@redhat.com> <1315831529.2444.6.camel@dhcp-25-52.brq.redhat.com> <20110912144949.GD22121@redhat.com>
Message-ID: <1315906862.15570.13.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-09-12 at 17:49 +0300, Alexander Bokovoy wrote:
> On Mon, 12 Sep 2011, Martin Kosek wrote:
> > Good job! This all looks very good, I found no installation error in
> > various scenarios I tried. I only found a problem with mixed tabs-spaces
> > indentation. You introduced it at least in install/tools/ipactl. You can
> > easily check these cases with:
> >
> > $ ./make-lint --enable-noerror | grep W0312
> > ipa-client/ipa-install/ipa-client-install:221: [W0312] Found indentation with tabs instead of spaces
> > ipa-client/ipa-install/ipa-client-install:237: [W0312] Found indentation with tabs instead of spaces
> > ...
> > install/tools/ipactl:194: [W0312] Found indentation with tabs instead of spaces
> > install/tools/ipactl:203: [W0312] Found indentation with tabs instead of spaces
> > install/tools/ipactl:241: [W0312] Found indentation with tabs instead of spaces
> > ...
> >
> > We don't have to fix the old indentation problems right in your patches
> > but we should not introduce new tab-spaces problems as they have a
> > potential to cause nasty problems.
> I believe I fixed all whitespace problems, old and new. I ended up
> with a separate commit due to scale of it. It is pushed to both
> platform and platform-master branches on fedorapeople repo.
>

ACK for fixed patches in the tree. Pushed to master.

I didn't push your last whitespace cleanup patch for ipapython/dnsclient.py because it introduces 8 space indentation instead of our standard 4 space.

Martin

From mkosek at redhat.com Tue Sep 13 09:41:41 2011
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 13 Sep 2011 11:41:41 +0200 Subject: [Freeipa-devel] [PULL REQUEST, ipa-2-1] Platform-specific adaptation In-Reply-To: <20110912075833.GA19967@redhat.com> References: <20110912075833.GA19967@redhat.com> Message-ID: <1315906903.15570.14.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-09-12 at 10:58 +0300, Alexander Bokovoy wrote: > Hi, > > As the patchset is rather big, I'm sending a pull request from my > fedorapeople.org git repository instead of separate patches. > > This is a pull request for ipa-2-1; I'll send a pull request for the master > branch as a separate email, there is a single difference in > freeipa.spec.in's %changelog section. > > The following changes since commit d3c24bb0a65dae85e665ebc617ab4f084c2299fd: > > Don't allow a OTP to be set on an enrolled host (2011-09-10 00:03:32 +0000) > > are available in the git repository at: > git://fedorapeople.org/home/fedora/abbra/public_git/freeipa.git platform > > Alexander Bokovoy (5): > Introduce platform-specific adaptation > Convert server install code to platform-independent access to system services > Convert client-side tools to platform-independent access to system services > Convert installation tools to platform-independent access to system services > fixup!
Introduce platform-specific adaptation > > Makefile | 8 + > freeipa.spec.in | 5 + > install/tools/ipa-ca-install | 4 +- > install/tools/ipa-nis-manage | 13 +- > install/tools/ipa-replica-install | 15 +- > install/tools/ipa-server-install | 11 +- > install/tools/ipactl | 43 ++++--- > ipa-client/ipa-install/ipa-client-install | 211 +++++++++++++---------------- > ipa-client/ipaclient/ntpconf.py | 5 +- > ipapython/Makefile | 2 +- > ipapython/ipautil.py | 48 +------- > ipapython/platform/__init__.py | 23 +++ > ipapython/platform/base.py | 150 ++++++++++++++++++++ > ipapython/platform/redhat.py | 176 ++++++++++++++++++++++++ > ipapython/services.py.in | 48 +++++++ > ipapython/setup.py.in | 2 +- > ipapython/sysrestore.py | 5 +- > ipaserver/install/bindinstance.py | 2 +- > ipaserver/install/cainstance.py | 26 +--- > ipaserver/install/certs.py | 25 ++-- > ipaserver/install/dsinstance.py | 19 +-- > ipaserver/install/httpinstance.py | 9 +- > ipaserver/install/krbinstance.py | 3 +- > ipaserver/install/ntpinstance.py | 5 +- > ipaserver/install/replication.py | 4 +- > ipaserver/install/service.py | 68 +++------- > 26 files changed, 624 insertions(+), 306 deletions(-) > create mode 100644 ipapython/platform/__init__.py > create mode 100644 ipapython/platform/base.py > create mode 100644 ipapython/platform/redhat.py > create mode 100644 ipapython/services.py.in > > ACK for fixed patches in the tree. Pushed to ipa-2-1. The same thing as for master, last whitespace cleanup patch is not pushed. Martin From sbose at redhat.com Tue Sep 13 10:44:27 2011 
From: sbose at redhat.com (Sumit Bose) Date: Tue, 13 Sep 2011 12:44:27 +0200 Subject: [Freeipa-devel] [PATCH] 2 Call standard_logging_setup() before any logging is done Message-ID: <20110913104427.GC7369@localhost.localdomain> Hi, in ipa-dns-install installutils.check_server_configuration() is called before standard_logging_setup() but already calls logging.debug() and all settings from standard_logging_setup() are ignored. The attached patch should fix it. bye, Sumit -------------- next part -------------- From 4379fda4b40d0a8b76d2ec9ee960904d321acc2f Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 13 Sep 2011 12:37:47 +0200 Subject: [PATCH] Call standard_logging_setup() before any logging is done --- install/tools/ipa-dns-install | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index 09006a2009c42a61ab80172637eeaf87a9db0635..9869eae8b143ee10e15fc811f9c1ab25aee77544 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -87,14 +87,14 @@ def main(): if os.getegid() != 0: sys.exit("Must be root to setup server") - installutils.check_server_configuration() - standard_logging_setup("/var/log/ipaserver-install.log", options.debug, filemode='a') print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log" logging.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options)) logging.debug("missing options might be asked for interactively later\n") + installutils.check_server_configuration() + global fstore fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') -- 1.7.6 From mkosek at redhat.com Tue Sep 13 11:17:23 2011 
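Review bot: the reorder is correct, but the moved `installutils.check_server_configuration()` now lands after both `logging.debug()` lines rather than directly after `standard_logging_setup(...)`; calling it immediately after the setup keeps the configuration check as the first thing in the log and avoids the blank line from the "missing options might be asked for interactively later" message preceding any error it reports. The same `/var/log/ipaserver-install.log` path is also repeated in the `print` two lines below the setup call; a single constant would keep the two from drifting apart.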
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 13 Sep 2011 13:17:23 +0200 Subject: [Freeipa-devel] [PATCH] Allow using external hosts in HBAC test In-Reply-To: <20110913085446.GB13127@redhat.com> References: <20110913085446.GB13127@redhat.com> Message-ID: <1315912646.15570.17.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-09-13 at 11:54 +0300, Alexander Bokovoy wrote: > When external host is specified in HBAC rule, allow its use in simulation > > https://fedorahosted.org/freeipa/ticket/1763 > > When external host is specified in HBAC rule, it needs to be added to > the set of source hosts this rule applies to. Add (list of external hosts) > explicitly when converting FreeIPA rules to PyHBAC objects. > ACK. Pushed to master, ipa-2-1. Martin From mkosek at redhat.com Tue Sep 13 10:57:48 2011 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 13 Sep 2011 12:57:48 +0200 Subject: [Freeipa-devel] [PATCH] 2 Call standard_logging_setup() before any logging is done In-Reply-To: <20110913104427.GC7369@localhost.localdomain> References: <20110913104427.GC7369@localhost.localdomain> Message-ID: <1315911476.15570.16.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-09-13 at 12:44 +0200, Sumit Bose wrote: > Hi, > > in ipa-dns-install installutils.check_server_configuration() is called > before standard_logging_setup() but already calls logging.debug() and > all settings from standard_logging_setup() are ignored. The attached > patch should fix it. > > bye, > Sumit ACK. Pushed to master, ipa-2-1. Martin From mkosek at redhat.com Tue Sep 13 11:54:04 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 13 Sep 2011 13:54:04 +0200 Subject: [Freeipa-devel] [PATCH] Allow using external hosts in HBAC test In-Reply-To: <1315912646.15570.17.camel@dhcp-25-52.brq.redhat.com> References: <20110913085446.GB13127@redhat.com> <1315912646.15570.17.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1315914847.15570.20.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-09-13 at 13:17 +0200, Martin Kosek wrote: > On Tue, 2011-09-13 at 11:54 +0300, Alexander Bokovoy wrote: > > When external host is specified in HBAC rule, allow its use in simulation > > > > https://fedorahosted.org/freeipa/ticket/1763 > > > > When external host is specified in HBAC rule, it needs to be added to > > the set of source hosts this rule applies to. Add (list of external hosts) > > explicitly when converting FreeIPA rules to PyHBAC objects. > > > > ACK. Pushed to master, ipa-2-1. > > Martin We missed a pylint false positive. Attached one-liner was acked by Alexander over IRC and pushed to master, ipa-2-1. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-122-fix-pylint-false-positive-in-hbactest-module.patch Type: text/x-patch Size: 943 bytes Desc: not available URL: From mkosek at redhat.com Tue Sep 13 12:09:59 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 13 Sep 2011 14:09:59 +0200 Subject: [Freeipa-devel] [PATCH] 869 set precedence correctly In-Reply-To: <4E6E1ED2.2040500@redhat.com> References: <4E6E1ED2.2040500@redhat.com> Message-ID: <1315915802.15570.22.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-09-12 at 11:01 -0400, Rob Crittenden wrote: > I set precedence in the wrong entry of the modrdn plugin so it wasn't > having any effect. This should fix it. > > rob Works fine. Shouldn't we remove the erroneous nsslapd-pluginprecedence from cn=Kerberos Principal Name,cn=IPA MODRDN,cn=plugins,cn=config during the update process? If not, then ACK. Martin From abokovoy at redhat.com Tue Sep 13 12:11:44 2011
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 13 Sep 2011 15:11:44 +0300 Subject: [Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration instead of dropping it In-Reply-To: <20110908112649.GA17001@redhat.com> References: <20110907131514.GA5491@redhat.com> <1315405169.15945.3.camel@sgallagh520.bos.redhat.com> <20110908112649.GA17001@redhat.com> Message-ID: <20110913121143.GA27633@redhat.com> On Thu, 08 Sep 2011, Alexander Bokovoy wrote: > On Wed, 07 Sep 2011, Stephen Gallagher wrote: > > > On Wed, 2011-09-07 at 16:15 +0300, Alexander Bokovoy wrote: > > > Hi! > > > > > > When modifying SSSD configuration, attempt to add new domain rather > > > than replacing whole configuration file. > > > > > > Only replace file in case it is impossible to parse it by current SSSD > > > version. > > > > > > https://fedorahosted.org/freeipa/ticket/1750 > > > > Looks good to me. Ack. > Unfortunately, there is a bug in libini_config that prevents modifying > existing sssd configuration as it becomes unreadable by libini_config. > > https://fedorahosted.org/sssd/ticket/991 > > I would suggest to postpone this patch until libini_config bug is > fixed and released. After some research it appears there is no issue with libini_config, SSSD happily reads configs amended by ipa-client-install, with or without an empty line between sections. The issue Marko was seeing in SSSD991 or FreeIPA1174 is unrelated to this change. It is an issue of timing -- by the time we ask for 'getent passwd admin', SSSD might have not started its providers. We are trying to wait 1 second and do re-try for 5 times but some people have experienced delays up to 10 seconds. So this patch is unblocked. To solve delayed data initialization from SSSD in NSS responder we might simply increase the number of tries to 10 in case SSSD is in use. -- / Alexander Bokovoy From pvoborni at redhat.com Tue Sep 13 12:54:00 2011
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 13 Sep 2011 14:54:00 +0200 Subject: [Freeipa-devel] [PATCH] 268 Fixed labels for run-as users and groups. In-Reply-To: <4E6EF27D.6050803@redhat.com> References: <4E6AAD93.9090907@redhat.com> <4E6E0C9C.1090304@redhat.com> <4E6EF27D.6050803@redhat.com> Message-ID: <4E6F5268.2060503@redhat.com> On 09/13/2011 08:04 AM, Endi Sukma Dewata wrote: > > The labels from entity parameter are actually more appropriate. I've > updated the patch to use them instead. I also fixed some of the labels > (the run-as group label & doc is incorrect). > ACK -- Petr Vobornik From pvoborni at redhat.com Tue Sep 13 12:57:04 2011 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 13 Sep 2011 14:57:04 +0200 Subject: [Freeipa-devel] [PATCH] 014 Code cleanup: widget creation Message-ID: <4E6F5320.1050505@redhat.com> https://fedorahosted.org/freeipa/ticket/1788 Removed code duplication of undo links. Simplified code of widget creation to be more readable. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0014-Code-cleanup-widget-creation.patch Type: text/x-patch Size: 12502 bytes Desc: not available URL: From pvoborni at redhat.com Tue Sep 13 13:08:06 2011 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 13 Sep 2011 15:08:06 +0200 Subject: [Freeipa-devel] [PATCH] 015 Fixed: Missing read permission option in RBAC permission Message-ID: <4E6F55B6.4080909@redhat.com> https://fedorahosted.org/freeipa/ticket/1787 In 'IPA Server/RBAC/Permission/Settings/Rights' is missing an option for setting the 'read' permission, which is supported in the CLI. -- Petr Vobornik From mkosek at redhat.com Tue Sep 13 13:08:27 2011
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 13 Sep 2011 15:08:27 +0200 Subject: [Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration instead of dropping it In-Reply-To: <20110913121143.GA27633@redhat.com> References: <20110907131514.GA5491@redhat.com> <1315405169.15945.3.camel@sgallagh520.bos.redhat.com> <20110908112649.GA17001@redhat.com> <20110913121143.GA27633@redhat.com> Message-ID: <1315919309.15570.24.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-09-13 at 15:11 +0300, Alexander Bokovoy wrote: > On Thu, 08 Sep 2011, Alexander Bokovoy wrote: > > > On Wed, 07 Sep 2011, Stephen Gallagher wrote: > > > > > On Wed, 2011-09-07 at 16:15 +0300, Alexander Bokovoy wrote: > > > > Hi! > > > > > > > > When modifying SSSD configuration, attempt to add new domain rather > > > > than replacing whole configuration file. > > > > > > > > Only replace file in case it is impossible to parse it by current SSSD > > > > version. > > > > > > > > https://fedorahosted.org/freeipa/ticket/1750 > > > > > > Looks good to me. Ack. > > Unfortunately, there is a bug in libini_config that prevents modifying > > existing sssd configuration as it becomes unreadable by libini_config. > > > > https://fedorahosted.org/sssd/ticket/991 > > > > I would suggest to postpone this patch until libini_config bug is > > fixed and released. > After some research it appears there is no issue with libini_config, > SSSD happily reads configs amended by ipa-client-install, with or > without empty line between sections. > > The issue Marko was seeing in SSSD991 or FreeIPA1174 is unrelated to > this change. It is an issue of timing -- by time we ask for 'getent > passwd admin', SSSD might have not started its providers. We are > trying to wait 1 second and do re-try for 5 times but some people have > experienced delays up to 10 seconds. > > So this patch is unblocked. 
To solve delayed data initialization from > SSSD in NSS responder we might simply increase number of tries to 10 > in case SSSD is in use. > > That sounds good. I made a few tests of this patch and I still see a problem here. What if, for any reason, sssd.conf is not present on the machine? IPA client installation then crashes: # ipa-client-install --server vm-139.idm.lab.bos.redhat.com --domain idm.lab.bos.redhat.com DNS domain 'idm.lab.bos.redhat.com' is not configured for automatic KDC address lookup. KDC address will be set to fixed value. Discovery was successful! Hostname: vm-027.idm.lab.bos.redhat.com Realm: IDM.LAB.BOS.REDHAT.COM DNS Domain: idm.lab.bos.redhat.com IPA Server: vm-139.idm.lab.bos.redhat.com BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com Continue to configure the system with these values? [no]: y User authorized to enroll computers: admin Password for admin at IDM.LAB.BOS.REDHAT.COM: Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM Created /etc/ipa/default.conf Traceback (most recent call last): File "/usr/sbin/ipa-client-install", line 1144, in sys.exit(main()) File "/usr/sbin/ipa-client-install", line 1133, in main rval = install(options, env, fstore, statestore) File "/usr/sbin/ipa-client-install", line 977, in install if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options): File "/usr/sbin/ipa-client-install", line 600, in configure_sssd_conf sssdconfig.import_config() File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1207, in import_config fd = open(configfile, 'r') IOError: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf' Martin From sgallagh at redhat.com Tue Sep 13 13:18:09 2011
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 13 Sep 2011 09:18:09 -0400 Subject: [Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration instead of dropping it In-Reply-To: <1315919309.15570.24.camel@dhcp-25-52.brq.redhat.com> References: <20110907131514.GA5491@redhat.com> <1315405169.15945.3.camel@sgallagh520.bos.redhat.com> <20110908112649.GA17001@redhat.com> <20110913121143.GA27633@redhat.com> <1315919309.15570.24.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1315919891.2367.41.camel@sgallagh520.bos.redhat.com> On Tue, 2011-09-13 at 15:08 +0200, Martin Kosek wrote: > On Tue, 2011-09-13 at 15:11 +0300, Alexander Bokovoy wrote: > > On Thu, 08 Sep 2011, Alexander Bokovoy wrote: > > > > > On Wed, 07 Sep 2011, Stephen Gallagher wrote: > > > > > > > On Wed, 2011-09-07 at 16:15 +0300, Alexander Bokovoy wrote: > > > > > Hi! > > > > > > > > > > When modifying SSSD configuration, attempt to add new domain rather > > > > > than replacing whole configuration file. > > > > > > > > > > Only replace file in case it is impossible to parse it by current SSSD > > > > > version. > > > > > > > > > > https://fedorahosted.org/freeipa/ticket/1750 > > > > > > > > Looks good to me. Ack. > > > Unfortunately, there is a bug in libini_config that prevents modifying > > > existing sssd configuration as it becomes unreadable by libini_config. > > > > > > https://fedorahosted.org/sssd/ticket/991 > > > > > > I would suggest to postpone this patch until libini_config bug is > > > fixed and released. > > After some research it appears there is no issue with libini_config, > > SSSD happily reads configs amended by ipa-client-install, with or > > without empty line between sections. > > > > The issue Marko was seeing in SSSD991 or FreeIPA1174 is unrelated to > > this change. It is an issue of timing -- by time we ask for 'getent > > passwd admin', SSSD might have not started its providers. 
We are > > trying to wait 1 second and do re-try for 5 times but some people have > > experienced delays up to 10 seconds. > > > > So this patch is unblocked. To solve delayed data initialization from > > SSSD in NSS responder we might simply increase number of tries to 10 > > in case SSSD is in use. > > > > > > That sounds good. I made few tests of this patch and I still see a > problem here. What if, for any reason, sssd.conf is not present on the > machine? IPA client installation then crashes: > > # ipa-client-install --server vm-139.idm.lab.bos.redhat.com --domain idm.lab.bos.redhat.com > DNS domain 'idm.lab.bos.redhat.com' is not configured for automatic KDC address lookup. > KDC address will be set to fixed value. > > Discovery was successful! > Hostname: vm-027.idm.lab.bos.redhat.com > Realm: IDM.LAB.BOS.REDHAT.COM > DNS Domain: idm.lab.bos.redhat.com > IPA Server: vm-139.idm.lab.bos.redhat.com > BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > > > Continue to configure the system with these values? [no]: y > User authorized to enroll computers: admin > Password for admin at IDM.LAB.BOS.REDHAT.COM: > > Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM > Created /etc/ipa/default.conf > Traceback (most recent call last): > File "/usr/sbin/ipa-client-install", line 1144, in > sys.exit(main()) > File "/usr/sbin/ipa-client-install", line 1133, in main > rval = install(options, env, fstore, statestore) > File "/usr/sbin/ipa-client-install", line 977, in install > if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options): > File "/usr/sbin/ipa-client-install", line 600, in configure_sssd_conf > sssdconfig.import_config() > File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1207, in import_config > fd = open(configfile, 'r') > IOError: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf' ipa-client-install should be trapping this error and calling SSSDConfig.new_config() to create a blank configuration. 
From abokovoy at redhat.com Tue Sep 13 13:22:43 2011
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 13 Sep 2011 16:22:43 +0300 Subject: [Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration instead of dropping it In-Reply-To: <1315919309.15570.24.camel@dhcp-25-52.brq.redhat.com> References: <20110907131514.GA5491@redhat.com> <1315405169.15945.3.camel@sgallagh520.bos.redhat.com> <20110908112649.GA17001@redhat.com> <20110913121143.GA27633@redhat.com> <1315919309.15570.24.camel@dhcp-25-52.brq.redhat.com> Message-ID: <20110913132241.GB27633@redhat.com> On Tue, 13 Sep 2011, Martin Kosek wrote: > > So this patch is unblocked. To solve delayed data initialization from > > SSSD in NSS responder we might simply increase number of tries to 10 > > in case SSSD is in use. > That sounds good. I made few tests of this patch and I still see a > problem here. What if, for any reason, sssd.conf is not present on the > machine? IPA client installation then crashes: > > # ipa-client-install --server vm-139.idm.lab.bos.redhat.com --domain idm.lab.bos.redhat.com > DNS domain 'idm.lab.bos.redhat.com' is not configured for automatic KDC address lookup. > KDC address will be set to fixed value. > > Discovery was successful! > Hostname: vm-027.idm.lab.bos.redhat.com > Realm: IDM.LAB.BOS.REDHAT.COM > DNS Domain: idm.lab.bos.redhat.com > IPA Server: vm-139.idm.lab.bos.redhat.com > BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > > > Continue to configure the system with these values? 
[no]: y > User authorized to enroll computers: admin > Password for admin at IDM.LAB.BOS.REDHAT.COM: > > Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM > Created /etc/ipa/default.conf > Traceback (most recent call last): > File "/usr/sbin/ipa-client-install", line 1144, in > sys.exit(main()) > File "/usr/sbin/ipa-client-install", line 1133, in main > rval = install(options, env, fstore, statestore) > File "/usr/sbin/ipa-client-install", line 977, in install > if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options): > File "/usr/sbin/ipa-client-install", line 600, in configure_sssd_conf > sssdconfig.import_config() > File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1207, in import_config > fd = open(configfile, 'r') > IOError: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf' Right, we need to fallback to new sssd.conf in case of any exception, not only for ParsingError. Attached. -- / Alexander Bokovoy -------------- next part -------------- >From 47d663ce4b265b65f1c4ab4b4e8ec36379d9e602 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 7 Sep 2011 14:23:29 +0300 Subject: [PATCH] ipa-client-install should not clobber existing SSSD configurations https://fedorahosted.org/freeipa/ticket/1750 When modifying SSSD configuration, attempt to add new domain rather than replacing whole configuration file. Only replace file in case it is impossible to parse it by current SSSD version. --- ipa-client/ipa-install/ipa-client-install | 13 +++++++++++-- 1 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index b3b8b7788fc39ec2d7f427c4dd260c8d36365657..e1cc8059a3d613e4e37e96b07c60c3dc6f0d8bdc 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install 
@@ -595,8 +595,17 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options): print "%s request for host certificate failed" % (cmonger.service_name) def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options): - sssdconfig = SSSDConfig.SSSDConfig() - sssdconfig.new_config() + try: + sssdconfig = SSSDConfig.SSSDConfig() + sssdconfig.import_config() + except: + # no existing SSSD configuration, make a new one + # We do make new SSSDConfig instance because IPAChangeConf-derived classes have no + # means to reset their state and ParseError exception could come due to parsing + # error from older version which cannot be upgraded anymore, leaving sssdconfig + # instance practically unusable + sssdconfig = SSSDConfig.SSSDConfig() + sssdconfig.new_config() domain = sssdconfig.new_domain(cli_domain) domain.add_provider('ipa', 'id') -- 1.7.6.1 From sgallagh at redhat.com Tue Sep 13 13:26:39 2011 
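Review bot: the bare `except:` in `configure_sssd_conf()` catches every exception, including `KeyboardInterrupt` and an `IOError` from a permission-denied read, and then falls through to `new_config()`, which replaces a file that merely could not be read; narrow it to the two cases the comment describes (an `IOError` whose errno is ENOENT for a missing file, and the SSSDConfig parsing error for a config that cannot be upgraded), re-raise anything else, and log the caught exception before creating the new configuration so a regenerated sssd.conf can be explained from the install log.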
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 13 Sep 2011 09:26:39 -0400 Subject: [Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration instead of dropping it In-Reply-To: <20110913132241.GB27633@redhat.com> References: <20110907131514.GA5491@redhat.com> <1315405169.15945.3.camel@sgallagh520.bos.redhat.com> <20110908112649.GA17001@redhat.com> <20110913121143.GA27633@redhat.com> <1315919309.15570.24.camel@dhcp-25-52.brq.redhat.com> <20110913132241.GB27633@redhat.com> Message-ID: <1315920400.2367.43.camel@sgallagh520.bos.redhat.com> On Tue, 2011-09-13 at 16:22 +0300, Alexander Bokovoy wrote: > On Tue, 13 Sep 2011, Martin Kosek wrote: > > > So this patch is unblocked. To solve delayed data initialization from > > > SSSD in NSS responder we might simply increase number of tries to 10 > > > in case SSSD is in use. > > That sounds good. I made few tests of this patch and I still see a > > problem here. What if, for any reason, sssd.conf is not present on the > > machine? IPA client installation then crashes: > > > > # ipa-client-install --server vm-139.idm.lab.bos.redhat.com --domain idm.lab.bos.redhat.com > > DNS domain 'idm.lab.bos.redhat.com' is not configured for automatic KDC address lookup. > > KDC address will be set to fixed value. > > > > Discovery was successful! > > Hostname: vm-027.idm.lab.bos.redhat.com > > Realm: IDM.LAB.BOS.REDHAT.COM > > DNS Domain: idm.lab.bos.redhat.com > > IPA Server: vm-139.idm.lab.bos.redhat.com > > BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > > > > > > Continue to configure the system with these values? 
[no]: y > > User authorized to enroll computers: admin > > Password for admin at IDM.LAB.BOS.REDHAT.COM: > > > > Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM > > Created /etc/ipa/default.conf > > Traceback (most recent call last): > > File "/usr/sbin/ipa-client-install", line 1144, in > > sys.exit(main()) > > File "/usr/sbin/ipa-client-install", line 1133, in main > > rval = install(options, env, fstore, statestore) > > File "/usr/sbin/ipa-client-install", line 977, in install > > if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options): > > File "/usr/sbin/ipa-client-install", line 600, in configure_sssd_conf > > sssdconfig.import_config() > > File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1207, in import_config > > fd = open(configfile, 'r') > > IOError: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf' > Right, we need to fallback to new sssd.conf in case of any exception, > not only for ParsingError. Actually, that's not necessarily true. Do we want to fall back on permission error, for instance? This could result in clobbering an existing file (if for example the existing sssd.conf's SELinux context is wrong, preventing reading, but when we create a new one and save it in place later we have the right context and it replaces the old one). Admittedly, it's a contrived example, but where contrived examples exist, so can real issues. From mkosek at redhat.com Tue Sep 13 13:33:35 2011
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 13 Sep 2011 15:33:35 +0200 Subject: [Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration instead of dropping it In-Reply-To: <20110913132241.GB27633@redhat.com> References: <20110907131514.GA5491@redhat.com> <1315405169.15945.3.camel@sgallagh520.bos.redhat.com> <20110908112649.GA17001@redhat.com> <20110913121143.GA27633@redhat.com> <1315919309.15570.24.camel@dhcp-25-52.brq.redhat.com> <20110913132241.GB27633@redhat.com> Message-ID: <1315920817.15570.30.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-09-13 at 16:22 +0300, Alexander Bokovoy wrote: > On Tue, 13 Sep 2011, Martin Kosek wrote: > > > So this patch is unblocked. To solve delayed data initialization from > > > SSSD in NSS responder we might simply increase number of tries to 10 > > > in case SSSD is in use. > > That sounds good. I made few tests of this patch and I still see a > > problem here. What if, for any reason, sssd.conf is not present on the > > machine? IPA client installation then crashes: > > > > # ipa-client-install --server vm-139.idm.lab.bos.redhat.com --domain idm.lab.bos.redhat.com > > DNS domain 'idm.lab.bos.redhat.com' is not configured for automatic KDC address lookup. > > KDC address will be set to fixed value. > > > > Discovery was successful! > > Hostname: vm-027.idm.lab.bos.redhat.com > > Realm: IDM.LAB.BOS.REDHAT.COM > > DNS Domain: idm.lab.bos.redhat.com > > IPA Server: vm-139.idm.lab.bos.redhat.com > > BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > > > > > > Continue to configure the system with these values? 
[no]: y > > User authorized to enroll computers: admin > > Password for admin at IDM.LAB.BOS.REDHAT.COM: > > > > Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM > > Created /etc/ipa/default.conf > > Traceback (most recent call last): > > File "/usr/sbin/ipa-client-install", line 1144, in > > sys.exit(main()) > > File "/usr/sbin/ipa-client-install", line 1133, in main > > rval = install(options, env, fstore, statestore) > > File "/usr/sbin/ipa-client-install", line 977, in install > > if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options): > > File "/usr/sbin/ipa-client-install", line 600, in configure_sssd_conf > > sssdconfig.import_config() > > File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1207, in import_config > > fd = open(configfile, 'r') > > IOError: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf' > Right, we need to fallback to new sssd.conf in case of any exception, > not only for ParsingError. > > Attached. Looks promising. I have a suggestion - I think it would make sense logging the thrown exception. We would then be able to easily investigate potential user logs and explain why we generated a brand new sssd.conf. Martin From abokovoy at redhat.com Tue Sep 13 13:33:52 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 13 Sep 2011 16:33:52 +0300 Subject: [Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration instead of dropping it In-Reply-To: <1315920400.2367.43.camel@sgallagh520.bos.redhat.com> References: <20110907131514.GA5491@redhat.com> <1315405169.15945.3.camel@sgallagh520.bos.redhat.com> <20110908112649.GA17001@redhat.com> <20110913121143.GA27633@redhat.com> <1315919309.15570.24.camel@dhcp-25-52.brq.redhat.com> <20110913132241.GB27633@redhat.com> <1315920400.2367.43.camel@sgallagh520.bos.redhat.com> Message-ID: <20110913133352.GC27633@redhat.com> On Tue, 13 Sep 2011, Stephen Gallagher wrote: > > > File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1207, in import_config > > > fd = open(configfile, 'r') > > > IOError: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf' > > Right, we need to fallback to new sssd.conf in case of any exception, > > not only for ParsingError. > Actually, that's not necessarily true. Do we want to fall back on > permission error, for instance? This could result in clobbering an > existing file (if for example the existing sssd.conf's SELinux context > is wrong, preventing reading, but when we create a new one and save it > in place later we have the right context and it replaces the old one). Let's define what we want to see here. 1. There is no sssd.conf -> create new one (unlikely for existing SSSD installation -- if we went to this path, we already found SSSD installed) 2. There is sssd.conf -> modify existing one 2.1. Can't open for write -> report error 2.2. Can't open and read due to parsing error -> create new one ... What are the other cases? > Admittedly, it's a contrived example, but where contrived examples > exist, so can real issues. True. -- / Alexander Bokovoy From mkosek at redhat.com Tue Sep 13 13:35:58 2011
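The load-or-create handling the thread converges on (Alexander's case list above, Stephen's permission-error objection and Martin's request to log the exception), as an added example that is not ipa-client-install's or SSSD's code: configparser stands in for the SSSDConfig module, and the file names, domain, server and realm values are constructed.

```python
"""Load-or-create logic for sssd.conf as the thread converges on it: reuse the
file when it parses, generate a fresh one only when it is missing or
unparseable, refuse to clobber a present but unreadable file, and log why a
new file was generated. Not ipa-client-install's code; configparser stands in
for the SSSDConfig module."""
import configparser
import errno
import logging
import os
import tempfile

log = logging.getLogger("sssd-conf-example")

# Constructed sample of a pre-existing sssd.conf with one local domain.
SAMPLE_EXISTING = """[sssd]
services = nss, pam
domains = LOCAL

[domain/LOCAL]
id_provider = local
"""


def _new_config():
    cfg = configparser.RawConfigParser()
    cfg.optionxform = str  # sssd.conf option names are case-sensitive
    return cfg


def load_sssd_conf(path):
    """Return (config, how); how is 'existing', 'missing' or 'unparseable'.
    Only ENOENT or a parse failure falls back to an empty configuration; any
    other OSError (EACCES, EISDIR, ...) propagates so that a file we cannot
    read is never replaced (the SELinux case raised in the thread)."""
    try:
        with open(path) as fd:
            text = fd.read()
    except OSError as e:
        if e.errno == errno.ENOENT:
            log.warning("%s does not exist, creating a new configuration", path)
            return _new_config(), "missing"
        raise
    cfg = _new_config()
    try:
        cfg.read_string(text, source=path)
    except configparser.Error as e:
        # Log the exception so a regenerated sssd.conf can be explained later.
        log.warning("%s cannot be parsed (%s), creating a new configuration",
                    path, e)
        return _new_config(), "unparseable"
    return cfg, "existing"


def add_ipa_domain(cfg, cli_domain, cli_server, cli_realm):
    """Add domain/<cli_domain> with the IPA providers and register it in
    [sssd] domains without dropping domains that are already configured
    (mirrors new_domain() + add_provider('ipa', 'id') in the patch)."""
    section = "domain/%s" % cli_domain
    for name in ("sssd", section):
        if not cfg.has_section(name):
            cfg.add_section(name)
    cfg.set(section, "id_provider", "ipa")
    cfg.set(section, "ipa_domain", cli_domain)
    cfg.set(section, "ipa_server", cli_server)
    cfg.set(section, "krb5_realm", cli_realm)
    domains = [d.strip() for d in
               cfg.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if cli_domain not in domains:
        domains.append(cli_domain)
    cfg.set("sssd", "domains", ", ".join(domains))
    return cfg


def configure_sssd_conf(path, cli_domain, cli_server, cli_realm):
    """Load-or-create, then add the IPA domain. Returns (config, how)."""
    cfg, how = load_sssd_conf(path)
    return add_ipa_domain(cfg, cli_domain, cli_server, cli_realm), how


def demo_scenarios():
    """Exercise the four cases on constructed files in a temporary directory;
    returns {case: (how, [sssd] domains, id_provider of domain/LOCAL)}."""
    work = tempfile.mkdtemp()
    args = ("idm.lab.bos.redhat.com", "vm-139.idm.lab.bos.redhat.com",
            "IDM.LAB.BOS.REDHAT.COM")
    results = {}
    existing = os.path.join(work, "existing.conf")
    with open(existing, "w") as fd:
        fd.write(SAMPLE_EXISTING)
    cfg, how = configure_sssd_conf(existing, *args)
    results["existing"] = (how, cfg.get("sssd", "domains"),
                           cfg.get("domain/LOCAL", "id_provider"))
    cfg, how = configure_sssd_conf(os.path.join(work, "missing.conf"), *args)
    results["missing"] = (how, cfg.get("sssd", "domains"), None)
    broken = os.path.join(work, "broken.conf")
    with open(broken, "w") as fd:
        fd.write("id_provider = ipa\n")  # option before any section header
    cfg, how = configure_sssd_conf(broken, *args)
    results["unparseable"] = (how, cfg.get("sssd", "domains"), None)
    try:  # a directory stands in for a present-but-unreadable file
        configure_sssd_conf(work, *args)
        results["unreadable"] = ("clobbered", None, None)
    except OSError:
        results["unreadable"] = ("refused", None, None)
    return results
```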
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 13 Sep 2011 15:35:58 +0200 Subject: [Freeipa-devel] [PATCH] 868 better handling of ipa-pki-proxy.conf In-Reply-To: <4E6A881D.9070802@redhat.com> References: <4E6A881D.9070802@redhat.com> Message-ID: <1315920960.15570.31.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-09-09 at 17:41 -0400, Rob Crittenden wrote: > - Remove ipa-pki-proxy.conf when IPA is uninstalled > - Move file removal to httpinstance.py and use remove_file() > - Add a version stanza > - Create the file if it doesn't exist on upgraded installs > > https://fedorahosted.org/freeipa/ticket/1771 > > rob Both upgrade and new install worked fine. I only find the following try..except clause redundant since all exceptions are captured and logged in installutils.remove_file: + # Remove the configuration files we create + try: + installutils.remove_file("/etc/httpd/conf.d/ipa-rewrite.conf") + installutils.remove_file("/etc/httpd/conf.d/ipa.conf") + installutils.remove_file("/etc/httpd/conf.d/ipa-pki-proxy.conf") + except: + pass Martin From rcritten at redhat.com Tue Sep 13 13:38:11 2011 
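Review bot: agreed that the `try`/`except: pass` around the three `installutils.remove_file()` calls is redundant given remove_file() already catches and logs its own failures; if a guard is kept for some other reason it should name the exception type, because a bare `except: pass` also swallows `KeyboardInterrupt` and `SystemExit`.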
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 13 Sep 2011 09:38:11 -0400
Subject: [Freeipa-devel] [PATCH] 38 Move Managed Entries into their own container in the replicated space.
In-Reply-To: <7EE5C13D-C14C-455B-98B7-D565C6B52924@citrixonline.com>
References: <1311342896.12679.9.camel@dhcp-25-52.brq.redhat.com> <81DEB284-E8C1-47C3-9130-846E2A4669C4@citrixonline.com> <1315481921.5141.16.camel@dhcp-25-52.brq.redhat.com> <1E9EBA67-372A-4915-A62D-4388DF1B5D09@citrixonline.com> <1676DC33-2A70-477A-A321-67CF58F76D00@citrixonline.com> <7EE5C13D-C14C-455B-98B7-D565C6B52924@citrixonline.com>
Message-ID: <4E6F5CC3.9070301@redhat.com>

JR Aquino wrote:
> On Sep 8, 2011, at 10:41 AM, JR Aquino wrote:
>
>> On Sep 8, 2011, at 10:06 AM, JR Aquino wrote:
>>
>>> On Sep 8, 2011, at 4:38 AM, Martin Kosek wrote:
>>>
>>>> On Tue, 2011-09-06 at 22:33 +0000, JR Aquino wrote:
>>>>> On Jul 22, 2011, at 6:54 AM, Martin Kosek wrote:
>>>>>
>>>>>> On Thu, 2011-07-21 at 23:00 +0000, JR Aquino wrote:
>>>>>>> Create: cn=Managed Entries,cn=etc,$SUFFIX
>>>>>>> Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
>>>>>>> Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
>>>>>>>
>>>>>>> Create method for migrating any and all custom Managed Entries from
>>>>>>> the cn=config space into the new container.
>>>>>>>
>>>>>>> The Managed Entries plugin configurations weren't being created on
>>>>>>> replica installs.
>>>>>>>
>>>>>>> This patch addresses two separate tickets and accounts for
>>>>>>> new installs, replica installs, and upgrades.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
>>>>>>> https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation
>>>>>>
>>>>>> I found a few issues with the patch (tested along with 25):
>>>>>>
>>>>>> 1) When upgrading an old instance, NGP and UGP definitions in
>>>>>> cn=Managed Entries,cn=plugins,cn=config were not deleted. This led to 2
>>>>>> managed entries plugin definitions
>>>>>
>>>>> Fixed this condition. 389 prohibits the deletion of Managed Entries while they are active.
>>>>> I had to perform the repointing to the new cn=etc container, perform the migration of the legacy configs, then perform a restart of dirsrv.
>>>>>
>>>>>>
>>>>>> 2) Managed entries on a replica didn't work for me. For example UPG was
>>>>>> created on a master, but was not on a replica
>>>>>
>>>>> This should also be resolved now.
>>>>>
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>
>>>>> I had to break out the connection code in update for ldapupdate.py so that connections could be reestablished post dirsrv restart.
>>>>>
>>>>> I also had to create a service class to perform the restart.
>>>>>
>>>>> installutils.py has been modified to provide wait_for_open_socket() similar to wait_for_open_port()
>>>>>
>>>>
>>>> Hello JR,
>>>>
>>>> I tested your patch, it works fine for both upgrading the replicas and
>>>> new installations. Old Managed Entries definitions were successfully
>>>> deleted.
>>>>
>>>> I just found a few issues with the patch format itself:
>>>>
>>>> 1) Commit message is all wrong, it's all on the Subject line which is
>>>> then put to commit title during "git am". I suggest using our standard
>>>> commit message formatting:
>>>>
>>>> COMMIT_TITLE
>>>>
>>>> COMMIT_DESCRIPTION
>>>>
>>>> TRAC_TICKET_LINK
>>>>
>>>> 2) There were a few whitespace errors:
>>>> $ git apply ~/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch
>>>> /home/mkosek/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch:519: trailing whitespace.
>>>>
>>>> /home/mkosek/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch:526: trailing whitespace.
>>>>
>>>> Otherwise the patch looks good to me, if it is OK with Rob (since he
>>>> wrote the entire ldapupdate.py) I think we can push it after you fix the
>>>> 2 changes I proposed.
>>>
>>> Fixed the whitespace errors and adjusted the commit message.
>>>
>>>
>> Self NAK
>>
>> Looks like I missed a piece in this recent patch that creates the cn=etc containers out of order.
>>
>> New patch to follow shortly
>
> Ok.
>
> Whitespace errors corrected
> Commit Format Corrected
> Order of creation for Managed Entry Container is now corrected
>
> Martin if you could do a quick double check to make sure everything still looks clean to you.
>
> After that, I believe it just needs Rob's blessing.
>

ACK, pushed to master and ipa-2-1.

rob

From sgallagh at redhat.com Tue Sep 13 13:51:30 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 13 Sep 2011 09:51:30 -0400
Subject: [Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration instead of dropping it
In-Reply-To: <20110913133352.GC27633@redhat.com>
References: <20110907131514.GA5491@redhat.com> <1315405169.15945.3.camel@sgallagh520.bos.redhat.com> <20110908112649.GA17001@redhat.com> <20110913121143.GA27633@redhat.com> <1315919309.15570.24.camel@dhcp-25-52.brq.redhat.com> <20110913132241.GB27633@redhat.com> <1315920400.2367.43.camel@sgallagh520.bos.redhat.com> <20110913133352.GC27633@redhat.com>
Message-ID: <1315921891.2367.54.camel@sgallagh520.bos.redhat.com>

On Tue, 2011-09-13 at 16:33 +0300, Alexander Bokovoy wrote:
> On Tue, 13 Sep 2011, Stephen Gallagher wrote:
> > > > File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1207, in import_config
> > > > fd = open(configfile, 'r')
> > > > IOError: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf'
> > > Right, we need to fall back to new sssd.conf in case of any exception,
> > > not only for ParsingError.
> > Actually, that's not necessarily true. Do we want to fall back on
> > permission error, for instance? This could result in clobbering an
> > existing file (if for example the existing sssd.conf's SELinux context
> > is wrong, preventing reading, but when we create a new one and save it
> > in place later we have the right context and it replaces the old one).
> Let's define what we want to see here.
>
> 1. There is no sssd.conf -> create new one (unlikely for existing SSSD
> installation -- if we went to this path, we already found SSSD
> installed)

Actually, this is fairly likely in future releases. There's so much noise
in the example configuration that I've decided that we're going to
install it as %doc instead of %config. So a raw installation of the SSSD
package will have no sssd.conf in place. We obviously need to consider
this.

> 2. There is sssd.conf -> modify existing one
> 2.1. Can't open for write -> report error

Agreed.

> 2.2. Can't open and read due to parsing error -> create new one
> ...

There are two issues here. Failure to open for reading and ParseError on
read. That said, I think they should be handled the same way (see below).

Unfortunately, we have additional issues here... The SSSDConfig API is
more strict with options than the SSSD itself is. Specifically, the SSSD
will ignore unknown options entirely, but the SSSDConfig will throw a
ParseError on unknown options. The long-term goal is for SSSD to be more
strict about this, but we don't currently have a way to do this.

So as I see it, we have three choices for dealing with ParseError:

1) Back up the existing sssd.conf and replace it with a completely new
one for FreeIPA.
Pros: sssd.conf is guaranteed to parse cleanly. FreeIPA client install
completes successfully.
Cons: existing configuration (which may have worked) is not preserved.

2) Be restrictive on ParseError and throw an error telling them to fix
their config file.
Pros: we don't break an existing setup.
Cons: FreeIPA installation has been broken.

3) Default to one of the above but provide a command-line flag to behave
the other way.

This is probably our best bet. I'd suggest defaulting to replacing the
config file on ParseError (with a loud message at the END of
ipa-client-install pointing to the backed-up file).

>
> What are other cases?
>
> > Admittedly, it's a contrived example, but where contrived examples
> > exist, so can real issues.
> True.
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL:

From rcritten at redhat.com Tue Sep 13 13:58:05 2011
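Alexander's case list together with the default Stephen proposes under option 3, as an added example that is neither part of this thread nor FreeIPA's ipa-client-install code. It assumes Python 3 and uses configparser as a stand-in for the SSSDConfig module (so it runs anywhere), treats an existing file that cannot be read as a hard error rather than a fallback (the clobbering case above), and uses a constructed backup naming scheme.

```python
import configparser
import os
import shutil
import tempfile
import time


class SSSDConfError(Exception):
    """Raised when the installer should stop instead of touching sssd.conf."""


def new_sssd_config():
    """Stand-in for SSSDConfig.new_config(): a minimal constructed skeleton."""
    cfg = configparser.RawConfigParser()
    cfg.add_section("sssd")
    cfg.set("sssd", "config_file_version", "2")
    cfg.set("sssd", "services", "nss, pam")
    return cfg


def backup_file(path):
    """Copy the unparseable file aside (mode and times kept); return its name."""
    backup = "%s.ipabkp.%d" % (path, int(time.time()))  # constructed naming
    shutil.copy2(path, backup)
    return backup


def prepare_sssd_conf(path, replace_on_parse_error=True):
    """Return (config, action, backup_path) for an existing or missing sssd.conf.

    action is one of:
      "create"  - case 1:   no file at all, start from a fresh skeleton
      "modify"  - case 2:   the file parsed, the caller edits it in place
      "replace" - case 2.2: the file does not parse; it is backed up and a
                  fresh skeleton is returned (option 1, the option 3 default)
    Anything else raises SSSDConfError and leaves the file untouched:
      - the file exists but cannot be read (EACCES, wrong SELinux context):
        creating a new file here would clobber a config we never saw
      - case 2.1: the file parsed but cannot be opened for writing
      - a parse error when replace_on_parse_error is False (option 2)
    """
    cfg = configparser.RawConfigParser()
    try:
        with open(path) as fd:
            cfg.read_file(fd)
    except FileNotFoundError:
        return new_sssd_config(), "create", None
    except OSError as e:
        raise SSSDConfError("cannot read %s: %s" % (path, e.strerror))
    except configparser.Error as e:
        if not replace_on_parse_error:
            raise SSSDConfError("%s does not parse (%s); fix it or allow "
                                "replacement" % (path, e.__class__.__name__))
        return new_sssd_config(), "replace", backup_file(path)
    if not os.access(path, os.W_OK):
        raise SSSDConfError("cannot write %s" % path)
    return cfg, "modify", None


def demo():
    """Run the cases against constructed files in a temp dir; return outcomes."""
    out = {}
    tmp = tempfile.mkdtemp()
    try:
        # case 1: nothing installed yet
        _, out["missing"], _ = prepare_sssd_conf(os.path.join(tmp, "missing.conf"))

        # case 2: a valid existing file is kept and handed back for editing
        good = os.path.join(tmp, "good.conf")
        with open(good, "w") as fd:
            fd.write("[sssd]\nservices = nss, pam\ndomains = LOCAL\n")
        cfg, out["good"], _ = prepare_sssd_conf(good)
        out["good_domains"] = cfg.get("sssd", "domains")

        # case 2.2: unparseable file (no section header) -> backed up, replaced
        bad = os.path.join(tmp, "bad.conf")
        with open(bad, "w") as fd:
            fd.write("services = nss, pam\nthis line is not ini syntax\n")
        _, out["bad"], backup = prepare_sssd_conf(bad)
        out["bad_backup_kept"] = backup is not None and os.path.isfile(backup)
        try:
            prepare_sssd_conf(bad, replace_on_parse_error=False)
            out["bad_strict"] = "replaced"
        except SSSDConfError:
            out["bad_strict"] = "error"

        # exists but unreadable: a directory stands in for a file with a wrong
        # SELinux context, since EACCES cannot be simulated when run as root
        unreadable = os.path.join(tmp, "unreadable.conf")
        os.mkdir(unreadable)
        try:
            prepare_sssd_conf(unreadable)
            out["unreadable"] = "clobbered"
        except SSSDConfError:
            out["unreadable"] = "error"
    finally:
        shutil.rmtree(tmp)
    return out


if __name__ == "__main__":
    print(demo())
```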
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 13 Sep 2011 09:58:05 -0400
Subject: [Freeipa-devel] [PATCH] 868 better handling of ipa-pki-proxy.conf
In-Reply-To: <1315920960.15570.31.camel@dhcp-25-52.brq.redhat.com>
References: <4E6A881D.9070802@redhat.com> <1315920960.15570.31.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E6F616D.4020406@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-09-09 at 17:41 -0400, Rob Crittenden wrote:
>> - Remove ipa-pki-proxy.conf when IPA is uninstalled
>> - Move file removal to httpinstance.py and use remove_file()
>> - Add a version stanza
>> - Create the file if it doesn't exist on upgraded installs
>>
>> https://fedorahosted.org/freeipa/ticket/1771
>>
>> rob
>
> Both upgrade and new install worked fine. I only find the following
> try..except clause redundant since all exceptions are captured and
> logged in installutils.remove_file:
>
> +        # Remove the configuration files we create
> +        try:
> +            installutils.remove_file("/etc/httpd/conf.d/ipa-rewrite.conf")
> +            installutils.remove_file("/etc/httpd/conf.d/ipa.conf")
> +            installutils.remove_file("/etc/httpd/conf.d/ipa-pki-proxy.conf")
> +        except:
> +            pass
>
> Martin
>

Updated patch attached

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-868-2-proxy.patch
Type: text/x-patch
Size: 4194 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Sep 13 14:01:12 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 13 Sep 2011 10:01:12 -0400
Subject: [Freeipa-devel] [PATCH] 870 remove normalizer
In-Reply-To: <20110912200018.GH22121@redhat.com>
References: <4E6E29BC.6090800@redhat.com> <20110912200018.GH22121@redhat.com>
Message-ID: <4E6F6228.70002@redhat.com>

Alexander Bokovoy wrote:
> On Mon, 12 Sep 2011, Rob Crittenden wrote:
>
>> Remove the lower-case normalizer on roles, privileges and
>> permissions. Mixed-case works fine.
> ACK.
>
> I suppose we don't need any unit-test for lift of restriction...
>

pushed to master and ipa-2-1

From rcritten at redhat.com Tue Sep 13 14:15:10 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 13 Sep 2011 10:15:10 -0400
Subject: [Freeipa-devel] [PATCH] 869 set precedence correctly
In-Reply-To: <1315915802.15570.22.camel@dhcp-25-52.brq.redhat.com>
References: <4E6E1ED2.2040500@redhat.com> <1315915802.15570.22.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E6F656E.1070605@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-09-12 at 11:01 -0400, Rob Crittenden wrote:
>> I set precedence in the wrong entry of the modrdn plugin so it wasn't
>> having any effect. This should fix it.
>>
>> rob
>
> Works fine.
>
> Shouldn't we remove the erroneous nsslapd-pluginprecedence from cn=Kerberos
> Principal Name,cn=IPA MODRDN,cn=plugins,cn=config during update process?
> If not, then ACK.
>
> Martin
>

Good point. The old value doesn't actually do anything but let's remove
it to avoid confusion.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-869-2-precedence.patch
Type: text/x-patch
Size: 1904 bytes
Desc: not available
URL:

From mkosek at redhat.com Tue Sep 13 14:16:53 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 13 Sep 2011 16:16:53 +0200
Subject: [Freeipa-devel] [PATCH] 868 better handling of ipa-pki-proxy.conf
In-Reply-To: <4E6F616D.4020406@redhat.com>
References: <4E6A881D.9070802@redhat.com> <1315920960.15570.31.camel@dhcp-25-52.brq.redhat.com> <4E6F616D.4020406@redhat.com>
Message-ID: <1315923415.15570.33.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-09-13 at 09:58 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-09-09 at 17:41 -0400, Rob Crittenden wrote:
> >> - Remove ipa-pki-proxy.conf when IPA is uninstalled
> >> - Move file removal to httpinstance.py and use remove_file()
> >> - Add a version stanza
> >> - Create the file if it doesn't exist on upgraded installs
> >>
> >> https://fedorahosted.org/freeipa/ticket/1771
> >>
> >> rob
> >
> > Both upgrade and new install worked fine. I only find the following
> > try..except clause redundant since all exceptions are captured and
> > logged in installutils.remove_file:
> >
> > +        # Remove the configuration files we create
> > +        try:
> > +            installutils.remove_file("/etc/httpd/conf.d/ipa-rewrite.conf")
> > +            installutils.remove_file("/etc/httpd/conf.d/ipa.conf")
> > +            installutils.remove_file("/etc/httpd/conf.d/ipa-pki-proxy.conf")
> > +        except:
> > +            pass
> >
> > Martin
> >
>
> Updated patch attached
>
> rob

ACK. Pushed to master, ipa-2-1.

I didn't close the ticket as I saw that this patch is not a complete
solution.

Martin

From ayoung at redhat.com Tue Sep 13 14:40:39 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 13 Sep 2011 10:40:39 -0400
Subject: [Freeipa-devel] Upgrading a machine to use the proxy.
Message-ID: <4E6F6B67.4000001@redhat.com>

To convert an older build where the PKI system wasn't proxied:

awk '{print $0} /Define an AJP 1.3 Connector on port/ {print "}" }' /etc/pki-ca/server.xml > server.xml.new ; mv server.xml.new /etc/pki-ca/server.xml

sed -e "s/\[PKI_MACHINE_NAME\]/$HOSTNAME/g" -e "s/\[PKI_AJP_PORT\]/9444/g" /usr/share/pki/ca/conf/proxy.conf > /etc/pki-ca/proxy.conf

I've used the default ports here. Adjust if you've altered yours.

IPA copies the proxy.conf file into /etc/httpd/conf.d and renames it. You
can do the same thing by hand.

I'm not sure if this should go into PKI or IPA.

From mkosek at redhat.com Tue Sep 13 15:04:41 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 13 Sep 2011 17:04:41 +0200
Subject: [Freeipa-devel] [PATCH] 869 set precedence correctly
In-Reply-To: <4E6F656E.1070605@redhat.com>
References: <4E6E1ED2.2040500@redhat.com> <1315915802.15570.22.camel@dhcp-25-52.brq.redhat.com> <4E6F656E.1070605@redhat.com>
Message-ID: <1315926283.2516.1.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-09-13 at 10:15 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-09-12 at 11:01 -0400, Rob Crittenden wrote:
> >> I set precedence in the wrong entry of the modrdn plugin so it wasn't
> >> having any effect. This should fix it.
> >>
> >> rob
> >
> > Works fine.
> >
> > Shouldn't we remove the erroneous nsslapd-pluginprecedence from cn=Kerberos
> > Principal Name,cn=IPA MODRDN,cn=plugins,cn=config during update process?
> > If not, then ACK.
> >
> > Martin
> >
>
> Good point. The old value doesn't actually do anything but let's remove
> it to avoid confusion.
>
> rob

Ok. But I think you attached an incorrect patch, it's the same as the
first version.

Martin

From ayoung at redhat.com Tue Sep 13 15:07:45 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 13 Sep 2011 11:07:45 -0400
Subject: [Freeipa-devel] [PATCH] 015 Fixed: Missing read permission option in RBAC permission
In-Reply-To: <4E6F55B6.4080909@redhat.com>
References: <4E6F55B6.4080909@redhat.com>
Message-ID: <4E6F71C1.2040002@redhat.com>

On 09/13/2011 09:08 AM, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/1787
>
> In 'IPA Server/RBAC/Permission/Settings/Rights' is missing an option
> for setting 'read' permission which is supported in CLI.
>

It was a deliberate decision to leave READ off the list. ACLs in the
underlying DirSrv are read by default. Has this changed?

From rcritten at redhat.com Tue Sep 13 15:14:27 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 13 Sep 2011 11:14:27 -0400
Subject: [Freeipa-devel] [PATCH] 869 set precedence correctly
In-Reply-To: <1315926283.2516.1.camel@dhcp-25-52.brq.redhat.com>
References: <4E6E1ED2.2040500@redhat.com> <1315915802.15570.22.camel@dhcp-25-52.brq.redhat.com> <4E6F656E.1070605@redhat.com> <1315926283.2516.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E6F7353.9060401@redhat.com>

Martin Kosek wrote:
> On Tue, 2011-09-13 at 10:15 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Mon, 2011-09-12 at 11:01 -0400, Rob Crittenden wrote:
>>>> I set precedence in the wrong entry of the modrdn plugin so it wasn't
>>>> having any effect. This should fix it.
>>>>
>>>> rob
>>>
>>> Works fine.
>>>
>>> Shouldn't we remove the erroneous nsslapd-pluginprecedence from cn=Kerberos
>>> Principal Name,cn=IPA MODRDN,cn=plugins,cn=config during update process?
>>> If not, then ACK.
>>>
>>> Martin
>>>
>>
>> Good point. The old value doesn't actually do anything but let's remove
>> it to avoid confusion.
>>
>> rob
>
> Ok. But I think you attached an incorrect patch, it's the same as the
> first version.
>
> Martin
>

Sorry, used wrong commit id when regenerating patch

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-869-2-precedence.patch
Type: text/x-patch
Size: 2062 bytes
Desc: not available
URL:

From mkosek at redhat.com Tue Sep 13 15:40:02 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 13 Sep 2011 17:40:02 +0200
Subject: [Freeipa-devel] [PATCH] 869 set precedence correctly
In-Reply-To: <4E6F7353.9060401@redhat.com>
References: <4E6E1ED2.2040500@redhat.com> <1315915802.15570.22.camel@dhcp-25-52.brq.redhat.com> <4E6F656E.1070605@redhat.com> <1315926283.2516.1.camel@dhcp-25-52.brq.redhat.com> <4E6F7353.9060401@redhat.com>
Message-ID: <1315928405.2516.2.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-09-13 at 11:14 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Tue, 2011-09-13 at 10:15 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> On Mon, 2011-09-12 at 11:01 -0400, Rob Crittenden wrote:
> >>>> I set precedence in the wrong entry of the modrdn plugin so it wasn't
> >>>> having any effect. This should fix it.
> >>>>
> >>>> rob
> >>>
> >>> Works fine.
> >>>
> >>> Shouldn't we remove the erroneous nsslapd-pluginprecedence from cn=Kerberos
> >>> Principal Name,cn=IPA MODRDN,cn=plugins,cn=config during update process?
> >>> If not, then ACK.
> >>>
> >>> Martin
> >>>
> >>
> >> Good point. The old value doesn't actually do anything but let's remove
> >> it to avoid confusion.
> >>
> >> rob
> >
> > Ok. But I think you attached an incorrect patch, it's the same as the
> > first version.
> >
> > Martin
> >
>
> Sorry, used wrong commit id when regenerating patch
>
> rob

ACK. Pushed to master, ipa-2-1.

Martin

From sbose at redhat.com Tue Sep 13 16:01:33 2011
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 13 Sep 2011 18:01:33 +0200
Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
In-Reply-To: <1315862678.2684.237.camel@willson.li.ssimo.org>
References: <20110826093926.GF2374@localhost.localdomain> <1314364467.20296.226.camel@willson.li.ssimo.org> <20110830144028.GE12659@localhost.localdomain> <1315433450.2684.13.camel@willson.li.ssimo.org> <20110908115245.GF21228@localhost.localdomain> <1315483606.5141.20.camel@dhcp-25-52.brq.redhat.com> <20110908123927.GG21228@localhost.localdomain> <1315609607.2684.137.camel@willson.li.ssimo.org> <20110912155308.GB7369@localhost.localdomain> <1315862678.2684.237.camel@willson.li.ssimo.org>
Message-ID: <20110913160133.GE7369@localhost.localdomain>

On Mon, Sep 12, 2011 at 05:24:38PM -0400, Simo Sorce wrote:
> On Mon, 2011-09-12 at 17:53 +0200, Sumit Bose wrote:
> [..]
> >
> > I can now run 'smbclient -k -L' on my test system with the recent samba
> > patch.
>
> Sorry a couple more nitpicks.
>
> Trying to reinstall ipa-adtrust-install it returned immediately with
> "Aborting Installation" and no explanation whatsoever. Turned out it saw
> there was the IPA autogenerated text in smb.conf and decided to get out.
>
> - 2 issues here:
> 1) no information (I had to check the code to see what reported that
> error message), so we need a reason if we abort.
> 2) In interactive mode we should ask if we want to proceed anyway I
> think (to make it simpler to test it on an already enabled tree), but
> can be convinced it is safer to just abort.

interactive mode now stops and asks for confirmation

>
> - Once I fixed that by removing smb.conf and all tdbs to be sure, it
> failed because smb.conf was not found, we should not require to find it
> if we are going to wipe it anyway. If it is not there we should just go
> on and create one.
>

fixed

>
> - Then it correctly detected the samba sysaccount user existed and
> decided not to reset the password. Not sure why, if we proceed and
> reset the password in both ldap and secrets.tdb we are sure they are the
> same, if we don't we just risk having no password (I wiped out
> secrets.tdb and running ipa-adtrust-install again is the fastest way to
> get that restored). I think you should always reset that password.

fixed

>
> - The installation also failed because the service entry under the
> master entry already existed. We should probably ignore and proceed, in
> case of existing object. Not fail.

fixed, since ldap_enable() already prints a logging.critical I added
another one which should clarify what happens.

>
> Except for these points I had to set SELinux in permissive mode in order
> to run the epmd, we need to track SELinux changes in a ticket I think.
>
> I wasn't able to test smbclient -k yet due to another bug in smbd but
> the install seems fine so far, and I was able to get a ticket for cifs/
> w/o any issue, and auth seemed to work.
>
> So if the nitpicks above get fixed it should be the last revision.

Yes, if you do not find another major issue it would be nice if you can
open a new ticket for new features.

bye,
Sumit

>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

-------------- next part --------------
From 46340ab1143cfe0b6e5886b12da28517fbbb70f5 Mon Sep 17 00:00:00 2001
From: Sumit Bose Date: Wed, 7 Sep 2011 10:17:12 +0200 Subject: [PATCH] Add ipa-adtrust-install utility https://fedorahosted.org/freeipa/ticket/1619 --- freeipa.spec.in | 2 + install/po/Makefile.in | 1 + install/share/Makefile.am | 1 + install/share/smb.conf.template | 28 +++ install/tools/Makefile.am | 1 + install/tools/ipa-adtrust-install | 249 +++++++++++++++++++ install/tools/man/Makefile.am | 1 + install/tools/man/ipa-adtrust-install.1 | 47 ++++ ipaserver/install/Makefile.am | 1 + ipaserver/install/service.py | 3 +- ipaserver/install/smbinstance.py | 282 ++++++++++++++++++++++ tests/test_ipaserver/install/test_smbinstance.py | 59 +++++ 12 files changed, 674 insertions(+), 1 deletions(-) create mode 100644 install/share/smb.conf.template create mode 100755 install/tools/ipa-adtrust-install create mode 100644 install/tools/man/ipa-adtrust-install.1 create mode 100644 ipaserver/install/smbinstance.py create mode 100755 tests/test_ipaserver/install/test_smbinstance.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 0f358fb4c34c52f2d86d1089b475e725fc6a5131..50b22b0779e77136a3a2bbc55dc8e56a6c094a8f 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -401,6 +401,7 @@ fi %doc COPYING README Contributors.txt %{_sbindir}/ipa-ca-install %{_sbindir}/ipa-dns-install +%{_sbindir}/ipa-adtrust-install %{_sbindir}/ipa-server-install %{_sbindir}/ipa-replica-conncheck %{_sbindir}/ipa-replica-install @@ -482,6 +483,7 @@ fi %{_mandir}/man1/ipa-server-certinstall.1.gz %{_mandir}/man1/ipa-server-install.1.gz %{_mandir}/man1/ipa-dns-install.1.gz +%{_mandir}/man1/ipa-adtrust-install.1.gz %{_mandir}/man1/ipa-ca-install.1.gz %{_mandir}/man1/ipa-compat-manage.1.gz %{_mandir}/man1/ipa-nis-manage.1.gz diff --git a/install/po/Makefile.in b/install/po/Makefile.in index 47c8bbba56041f95fc6641ff0188ab60db658de8..ac08b47921c0a96d0fe06b8d8f1419d7cd76bd36 100644 --- a/install/po/Makefile.in +++ b/install/po/Makefile.in 
@@ -51,6 +51,7 @@ PY_EXPLICIT_FILES = \ install/tools/ipa-server-install \ install/tools/ipa-ldap-updater \ install/tools/ipa-dns-install \ + install/tools/ipa-adtrust-install \ install/tools/ipa-ca-install \ ipa-client/ipa-install/ipa-client-install diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 991f3b478ad5af974d667a5126e6612027603af3..682a57c7d71eaccec8f6b92c4e0f2dd030179f55 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -32,6 +32,7 @@ app_DATA = \ krb.con.template \ krbrealm.con.template \ preferences.html.template \ + smb.conf.template \ referint-conf.ldif \ dna.ldif \ master-entry.ldif \ diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template new file mode 100644 index 0000000000000000000000000000000000000000..a7fc10691e8a4dd69b711d266f6bb70479dd319d --- /dev/null +++ b/install/share/smb.conf.template @@ -0,0 +1,28 @@ +[global] +workgroup = $NETBIOS_NAME +realm = $REALM +kerberos method = system keytab +create krb5 conf = no +security = user +domain master = yes +domain logons = yes +log level = 1 +max log size = 100000 +log file = /var/log/samba/log.%m +passdb backend = IPA_ldapsam:ldapi://$LDAPI_SOCKET +ldapsam:trusted=yes +ldap ssl = off +ldap admin dn = $SMB_DN +ldap suffix = $SUFFIX +ldap user suffix = cn=users,cn=accounts +ldap group suffix = cn=groups,cn=accounts +ldap machine suffix = cn=computers,cn=accounts +rpc_server:epmapper = external +rpc_server:lsarpc = external +rpc_server:lsass = external +rpc_server:lsasd = external +rpc_server:samr = external +rpc_server:netlogon = external +rpc_server:tcpip = yes +rpc_daemon:epmd = fork +rpc_daemon:lsasd = fork diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index fc615ec04f324c2d9c98dc8cf674938e1064bec6..96da7531764598878f94b6abd54c27a74671c028 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am 
@@ -8,6 +8,7 @@ sbin_SCRIPTS = \ ipa-ca-install \ ipa-dns-install \ ipa-server-install \ + ipa-adtrust-install \ ipa-replica-conncheck \ ipa-replica-install \ ipa-replica-prepare \ diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install new file mode 100755 index 0000000000000000000000000000000000000000..9468ef884dcafe51377701636920394ed4267937 --- /dev/null +++ b/install/tools/ipa-adtrust-install 
@@ -0,0 +1,249 @@ +#! /usr/bin/python +# +# Authors: Sumit Bose +# Based on ipa-server-install by Karl MacMillan +# and ipa-dns-install by Martin Nagy +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import traceback + +from ipaserver.plugins.ldap2 import ldap2 +from ipaserver.install import smbinstance +from ipaserver.install.installutils import * +from ipaserver.install import installutils +from ipapython import version +from ipapython import ipautil, sysrestore +from ipalib import api, errors, util +from ipapython.config import IPAOptionParser +import krbV +import ldap + +def parse_options(): + parser = IPAOptionParser(version=version.VERSION) + parser.add_option("-p", "--ds-password", dest="dm_password", + sensitive=True, help="directory manager password") + parser.add_option("-d", "--debug", dest="debug", action="store_true", + default=False, help="print debugging information") + parser.add_option("--ip-address", dest="ip_address", + type="ip", ip_local=True, help="Master Server IP Address") + parser.add_option("--netbios-name", dest="netbios_name", + help="NetBIOS name of the IPA domain") + parser.add_option("-U", "--unattended", dest="unattended", action="store_true", + default=False, help="unattended installation never prompts the user") + + options, args = parser.parse_args() + safe_options = 
parser.get_safe_opts(options) + + return safe_options, options + +def netbios_name_error(name): + print "Illegal NetBIOS name [%s].\n" % name + print "Up to 15 characters and only uppercase ASCII letter and digits are allowed." + +def read_netbios_name(netbios_default): + netbios_name = "" + + print "Enter the NetBIOS name for the IPA domain." + print "Only up to 15 uppercase ASCII letters and digits are allowed." + print "Example: EXAMPLE." + print "" + print "" + if not netbios_default: + netbios_default = "EXAMPLE" + while True: + netbios_name = ipautil.user_input("NetBIOS domain name", netbios_default, allow_empty = False) + print "" + if smbinstance.check_netbios_name(netbios_name): + break + + netbios_name_error(netbios_name) + + return netbios_name + +def main(): + safe_options, options = parse_options() + + if os.getegid() != 0: + sys.exit("Must be root to setup AD trusts on server") + + standard_logging_setup("/var/log/ipaserver-install.log", options.debug, filemode='a') + print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log" + + logging.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options)) + logging.debug("missing options might be asked for interactively later\n") + + installutils.check_server_configuration() + + global fstore + fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + print "==============================================================================" + print "This program will setup components needed to establish trust to AD domains for" + print "the FreeIPA Server." + print "" + print "This includes:" + print " * Configure Samba" + print " * Add trust related objects to FreeIPA LDAP server" + #TODO: + #print " * Add a SID to all users and Posix groups" + print "" + print "To accept the default shown in brackets, press the Enter key." 
+ print "" + + # Check if samba packages are installed + if not smbinstance.check_inst(options.unattended): + sys.exit("Aborting installation.") + + # Initialize the ipalib api + cfg = dict( + in_server=True, + debug=options.debug, + ) + api.bootstrap(**cfg) + api.finalize() + + if smbinstance.ipa_smb_conf_exists(): + if not options.unattended: + while True: + print "IPA generated smb.conf detected." + if not ipautil.user_input("Overwrite smb.conf?", default = False, allow_empty = False): + sys.exit("Aborting installation.") + break + + # Check we have a public IP that is associated with the hostname + try: + if options.ip_address: + ip = ipautil.CheckedIPAddress(options.ip_address, match_local=True) + else: + hostaddr = resolve_host(api.env.host) + ip = hostaddr and ipautil.CheckedIPAddress(hostaddr, match_local=True) + except Exception, e: + print "Error: Invalid IP Address %s: %s" % (ip, e) + ip = None + + if not ip: + if options.unattended: + sys.exit("Unable to resolve IP address for host name") + else: + read_ip = read_ip_address(api.env.host, fstore) + try: + ip = ipautil.CheckedIPAddress(read_ip, match_local=True) + except Exception, e: + print "Error: Invalid IP Address %s: %s" % (ip, e) + sys.exit("Aborting installation.") + + ip_address = str(ip) + logging.debug("will use ip_address: %s\n", ip_address) + + if not options.unattended: + print "" + print "The following operations may take some minutes to complete." + print "Please wait until the prompt is returned." 
+ print "" + + # Create a Samba instance + if options.unattended and not options.dm_password: + sys.exit("\nIn unattended mode you need to provide at least the -p option") + + netbios_name = options.netbios_name + if not netbios_name: + netbios_name = smbinstance.make_netbios_name(api.env.domain) + + if not smbinstance.check_netbios_name(netbios_name): + if options.unattended: + netbios_name_error(netbios_name) + sys.exit("Aborting installation.") + else: + netbios_name = None + if options.netbios_name: + netbios_name_error(options.netbios_name) + + if not options.unattended and ( not netbios_name or not options.netbios_name): + netbios_name = read_netbios_name(netbios_name) + + dm_password = options.dm_password or read_password("Directory Manager", + confirm=False, validate=False) + smb = smbinstance.SMBInstance(fstore, dm_password) + + # try the connection + try: + smb.ldap_connect() + smb.ldap_disconnect() + except ldap.INVALID_CREDENTIALS, e: + sys.exit("Password is not valid!") + + if smb.dm_password: + api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=smb.dm_password) + else: + # See if our LDAP server is up and we can talk to it over GSSAPI + ccache = krbV.default_context().default_ccache().name + api.Backend.ldap2.connect(ccache) + + smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain, + netbios_name) + smb.create_instance() + + print "==============================================================================" + print "Setup complete" + print "" + print "\tYou must make sure these network ports are open:" + print "\t\tTCP Ports:" + print "\t\t * 138: netbios-dgm" + print "\t\t * 139: netbios-ssn" + print "\t\t * 445: microsoft-ds" + print "\t\tUDP Ports:" + print "\t\t * 138: netbios-dgm" + print "\t\t * 139: netbios-ssn" + print "\t\t * 445: microsoft-ds" + print "" + print "\tAdditionally you have to make sure the FreeIPA LDAP server cannot reached" + print "\tby any domain controller in the Active Directory domain by 
closing the" + print "\tfollowing ports for these servers:" + print "\t\tTCP Ports:" + print "\t\t * 389, 636: LDAP/LDAPS" + print "\t\tUDP Ports:" + print "\t\t * 389: (C)LDAP" + print "\tYou may want to choose to REJECT the network packets instead of DROPing them" + print "\tto avoid timeouts on the AD domain controllers." + + return 0 + +try: + sys.exit(main()) +except SystemExit, e: + sys.exit(e) +except KeyboardInterrupt: + print "Installation cancelled." +except RuntimeError, e: + print str(e) +except HostnameLocalhost: + print "The hostname resolves to the localhost address (127.0.0.1/::1)" + print "Please change your /etc/hosts file so that the hostname" + print "resolves to the ip address of your network interface." + print "The KDC service does not listen on localhost" + print "" + print "Please fix your /etc/hosts file and restart the setup program" +except Exception, e: + message = "Unexpected error - see ipaserver-install.log for details:\n %s" % str(e) + print message + message = str(e) + for str in traceback.format_tb(sys.exc_info()[2]): + message = message + "\n" + str + logging.debug(message) + sys.exit(1) diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am index 71d9b29c87d2b24c51d3048dc1050e099a89835d..d5b5976b0fd8c8e6683d09e7ade575fda2527832 100644 --- a/install/tools/man/Makefile.am +++ b/install/tools/man/Makefile.am @@ -13,6 +13,7 @@ man1_MANS = \ ipa-server-certinstall.1 \ ipa-server-install.1 \ ipa-dns-install.1 \ + ipa-adtrust-install.1 \ ipa-ca-install.1 \ ipa-ldap-updater.1 \ ipa-compat-manage.1 \ diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 new file mode 100644 index 0000000000000000000000000000000000000000..a3981adf48d14cc0e540c646fff099490203f862 --- /dev/null +++ b/install/tools/man/ipa-adtrust-install.1 
@@ -0,0 +1,47 @@ +.\" A man page for ipa-adtrust-install +.\" Copyright (C) 2011 Red Hat, Inc. +.\" +.\" This program is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation, either version 3 of the License, or +.\" (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, but +.\" WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +.\" General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program. If not, see . +.\" +.\" Author: Sumit Bose +.\" +.TH "ipa-adtrust-install" "1" "Aug 23 2011" "FreeIPA" "FreeIPA Manual Pages" +.SH "NAME" +ipa\-adtrust\-install \- Prepare an IPA server to be able to establish trust relationships with AD domains +.SH "SYNOPSIS" +ipa\-adtrust\-install [\fIOPTION\fR]... +.SH "DESCRIPTION" +Adds all necesary objects and configuration to allow an IPA server to create a +trust to an Active Directory domain. This requires that the IPA server is +already installed and configured. +.SH "OPTIONS" +.TP +\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR +The password to be used by the Directory Server for the Directory Manager user +.TP +\fB\-d\fR, \fB\-\-debug\fR +Enable debug logging when more verbose output is needed +.TP +\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR +The IP address of the IPA server. If not provided then this is determined based on the hostname of the server. +.TP +\fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR +The NetBIOS name for the IPA domain. If not provided then this is determined based on the leading component of the DNS domain name. 
+.TP +\fB\-U\fR, \fB\-\-unattended\fR +An unattended installation that will never prompt for user input +.SH "EXIT STATUS" +0 if the installation was successful + +1 if an error occurred diff --git a/ipaserver/install/Makefile.am b/ipaserver/install/Makefile.am index 8932eadbb7ace71372277259a557884d989ea2c1..398551bd78aa4ba893a3953f0c7ee7bcb23d1a14 100644 --- a/ipaserver/install/Makefile.am +++ b/ipaserver/install/Makefile.am @@ -10,6 +10,7 @@ app_PYTHON = \ krbinstance.py \ httpinstance.py \ ntpinstance.py \ + smbinstance.py \ service.py \ installutils.py \ replication.py \ diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index a1c94dfaa031c8afb090b31a9275c30367202319..c9ff793f73913bf2b7c681a545162f018042c081 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -38,7 +38,8 @@ SERVICE_LIST = { 'KPASSWD':('kadmin', 20), 'DNS':('named', 30), 'HTTP':('httpd', 40), - 'CA':('pki-cad', 50) + 'CA':('pki-cad', 50), + 'ADTRUST':('smb', 60) } def print_msg(message, output_fd=sys.stdout): diff --git a/ipaserver/install/smbinstance.py b/ipaserver/install/smbinstance.py new file mode 100644 index 0000000000000000000000000000000000000000..25a0a04b9400a268ab62b309d56283042b34bf5f --- /dev/null +++ b/ipaserver/install/smbinstance.py 
@@ -0,0 +1,282 @@ +# Authors: Sumit Bose +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import logging + +import os +import errno +import ldap +import service +import tempfile +import installutils +from ipaserver import ipaldap +from ipaserver.install.dsinstance import realm_to_serverid +from ipalib import errors +from ipapython import sysrestore +from ipapython import ipautil + +import random +import string +import struct + +allowed_netbios_chars = string.ascii_uppercase + string.digits + +def check_inst(unattended): + has_smb = True + + if not os.path.exists('/usr/sbin/smbd'): + print "Samba was not found on this system" + print "Please install the 'samba' package and start the installation again" + has_smb = False + + #TODO: Add check for needed samba4 libraries + + return has_smb + +def ipa_smb_conf_exists(): + try: + fd = open('/etc/samba/smb.conf', 'r') + except IOError, e: + if e.errno == errno.ENOENT: + return False + + lines = fd.readlines() + fd.close() + for line in lines: + if line.startswith('### Added by IPA Installer ###'): + return True + return False + + +def check_netbios_name(s): + # NetBIOS names may not be longer than 15 allowed characters + if not s or len(s) > 15 or ''.join([c for c in s if c not in allowed_netbios_chars]): + return False + + return True + +def make_netbios_name(s): + return 
''.join([c for c in s.split('.')[0].upper() if c in allowed_netbios_chars])[:15] + +class SMBInstance(service.Service): + def __init__(self, fstore=None, dm_password=None): + service.Service.__init__(self, "smb", dm_password=dm_password) + + if fstore: + self.fstore = fstore + else: + self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + def __create_samba_user(self): + print "The user for Samba is %s" % self.smb_dn + try: + self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE) + print "Samba user entry exists, resetting password" + + self.admin_conn.modify_s(self.smb_dn, [(ldap.MOD_REPLACE, "userPassword", self.smb_dn_pwd)]) + return + + except errors.NotFound: + pass + + # The user doesn't exist, add it + entry = ipaldap.Entry(self.smb_dn) + entry.setValues("objectclass", ["account", "simplesecurityobject"]) + entry.setValues("uid", "samba") + entry.setValues("userPassword", self.smb_dn_pwd) + self.admin_conn.add_s(entry) + + # And finally grant it permission to read NT passwords, we do not want + # to support LM passwords so there is no need to allow access to them + mod = [(ldap.MOD_ADD, 'aci', + str(['(targetattr = "sambaNTPassword")(version 3.0; acl "Samba user can read NT passwords"; allow (read) userdn="ldap:///%s";)' % self.smb_dn]))] + try: + self.admin_conn.modify_s(self.suffix, mod) + except ldap.TYPE_OR_VALUE_EXISTS: + logging.debug("samba user aci already exists in suffix %s on %s" % (self.suffix, self.admin_conn.host)) + + def __gen_sid_string(self): + sub_ids = struct.unpack(" +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. 
+# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +""" +Test `smbinstance` +""" + +import os +import nose + +from ipaserver.install import smbinstance + +class test_smbinstance: + """ + Test `smbinstance`. + """ + + def test_make_netbios_name(self): + s = smbinstance.make_netbios_name("ABCDEF") + assert s == 'ABCDEF' and isinstance(s, str) + s = smbinstance.make_netbios_name(U"ABCDEF") + assert s == 'ABCDEF' and isinstance(s, unicode) + s = smbinstance.make_netbios_name("abcdef") + assert s == 'ABCDEF' + s = smbinstance.make_netbios_name("abc.def") + assert s == 'ABC' + s = smbinstance.make_netbios_name("abcdefghijklmnopqr.def") + assert s == 'ABCDEFGHIJKLMNO' + s = smbinstance.make_netbios_name("A!$%B&/()C=?+*D") + assert s == 'ABCD' + s = smbinstance.make_netbios_name("!$%&/()=?+*") + assert not s + + def test_check_netbios_name(self): + assert smbinstance.check_netbios_name("ABCDEF") + assert not smbinstance.check_netbios_name("abcdef") + assert smbinstance.check_netbios_name("ABCDE12345ABCDE") + assert not smbinstance.check_netbios_name("ABCDE12345ABCDE1") + assert not smbinstance.check_netbios_name("") + + assert smbinstance.check_netbios_name(U"ABCDEF") + assert not smbinstance.check_netbios_name(U"abcdef") + assert smbinstance.check_netbios_name(U"ABCDE12345ABCDE") + assert not smbinstance.check_netbios_name(U"ABCDE12345ABCDE1") -- 1.7.6 From edewata at redhat.com Tue Sep 13 17:43:56 2011 
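Review bot: the IP-address check in main() of install/tools/ipa-adtrust-install prints `ip` from both `except Exception, e:` handlers, but when `ipautil.CheckedIPAddress(...)` raises, `ip` has not been assigned yet in the first block (so a bad --ip-address turns into an UnboundLocalError that lands in the generic "Unexpected error" handler) and still holds `None` in the second, so the message never names the offending address; print `options.ip_address`/`hostaddr` and `read_ip` instead, e.g. `print "Error: Invalid IP Address %s: %s" % (read_ip, e)`. In the same file: the "Setup complete" firewall summary lists 138, 139 and 445 under both TCP and UDP, whereas netbios-dgm (138) is UDP-only, netbios-ssn (139) and microsoft-ds (445) are TCP, and netbios-ns (137/udp) is not listed at all, so please check the list against what the daemons actually bind before admins copy it into firewall rules (also "cannot reached" -> "cannot be reached", "DROPing" -> "DROPping"); the `while True:` around the "Overwrite smb.conf?" prompt breaks unconditionally and in --unattended mode an existing IPA-generated smb.conf is overwritten with no message, so at least log it; and the last `except Exception` block iterates `for str in traceback.format_tb(...)`, shadowing the builtin `str` at module scope, so rename the loop variable (`for line in ...`).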
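Review bot: ipa_smb_conf_exists() in ipaserver/install/smbinstance.py only returns for errno.ENOENT; any other IOError (EACCES, EISDIR) falls out of the except clause into `fd.readlines()` with `fd` unbound and surfaces as a NameError instead of the real error, so add a bare `raise` after the ENOENT check. In SMBInstance.__create_samba_user the aci value is built as `str([...])`, which yields the Python repr of a one-element list (`['(targetattr = ...)']`) rather than the ACI text; unless something downstream unwraps it, pass the formatted string directly as the mod value. That ACI is the one security-relevant grant in this file (read on sambaNTPassword across the whole suffix, limited to the Samba bind DN), so it is worth getting exact; the TYPE_OR_VALUE_EXISTS handling for re-runs is fine. Minor: check_inst(unattended) never uses its argument, and the samba4 library check is still a TODO.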
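Review bot: in install/tools/man/ipa-adtrust-install.1 "necesary" should be "necessary", and the OPTIONS section does not say that `-p`/`--ds-password` is mandatory together with `-U`, which the script enforces ("In unattended mode you need to provide at least the -p option"); document that next to the -U entry, and consider moving the port list the script prints after "Setup complete" into the man page so the two stay in sync.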
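Review bot: the test module for smbinstance imports `os` and `nose` without using either; drop both. The make_netbios_name/check_netbios_name cases themselves look complete (length, lowercase, non-alphanumerics, empty input, str and unicode).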
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 13 Sep 2011 12:43:56 -0500 Subject: [Freeipa-devel] [PATCH] 014 Code cleanup: widget creation In-Reply-To: <4E6F5320.1050505@redhat.com> References: <4E6F5320.1050505@redhat.com> Message-ID: <4E6F965C.50100@redhat.com> On 9/13/2011 7:57 AM, Petr Vobornik wrote: > https://fedorahosted.org/freeipa/ticket/1788 > > Removed code duplication of undo links. > Simplified code of widget creation to be more readable. ACK and pushed to master and ipa-2-1. One little thing though, the create_undo() will always append a space before the undo element. Right now it's not a problem, but suppose there's a custom widget that doesn't want a space before the undo element we can't use the standard method. We'll deal with that if it becomes a problem. -- Endi S. Dewata From edewata at redhat.com Tue Sep 13 18:09:22 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 13 Sep 2011 13:09:22 -0500 Subject: [Freeipa-devel] [PATCH] 015 Fixed: Missing read permission option in RBAC permission In-Reply-To: <4E6F55B6.4080909@redhat.com> References: <4E6F55B6.4080909@redhat.com> Message-ID: <4E6F9C52.8030403@redhat.com> On 9/13/2011 8:08 AM, Petr Vobornik wrote: > https://fedorahosted.org/freeipa/ticket/1787 > > In 'IPA Server/RBAC/Permission/Settings/Rights' is missing a option for > setting 'read' permission which is supported in CLI. As discussed in the meeting, the UI will not provide a 'read' checkbox (sorry!). I've put the patch into the ticket in case we need to revisit this issue again. -- Endi S. Dewata From edewata at redhat.com Tue Sep 13 18:10:12 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 13 Sep 2011 13:10:12 -0500 Subject: [Freeipa-devel] [PATCH] 268 Fixed labels for run-as users and groups. In-Reply-To: <4E6F5268.2060503@redhat.com> References: <4E6AAD93.9090907@redhat.com> <4E6E0C9C.1090304@redhat.com> <4E6EF27D.6050803@redhat.com> <4E6F5268.2060503@redhat.com> Message-ID: <4E6F9C84.9060606@redhat.com> On 9/13/2011 7:54 AM, Petr Vobornik wrote: >> The labels from entity parameter are actually more appropriate. I've >> updated the patch to use them instead. I also fixed some of the labels >> (the run-as group label & doc is incorrect). >> > ACK Pushed to master and ipa-2-1. -- Endi S. Dewata From edewata at redhat.com Tue Sep 13 18:17:31 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 13 Sep 2011 13:17:31 -0500 Subject: [Freeipa-devel] [PATCH] 268 Fixed labels for run-as users and groups. In-Reply-To: <4E6F5268.2060503@redhat.com> References: <4E6AAD93.9090907@redhat.com> <4E6E0C9C.1090304@redhat.com> <4E6EF27D.6050803@redhat.com> <4E6F5268.2060503@redhat.com> Message-ID: <4E6F9E3B.2090204@redhat.com> On 9/13/2011 7:54 AM, Petr Vobornik wrote: >> The labels from entity parameter are actually more appropriate. I've >> updated the patch to use them instead. I also fixed some of the labels >> (the run-as group label & doc is incorrect). >> > ACK Pushed to master and ipa-2-1. -- Endi S. Dewata From rcritten at redhat.com Tue Sep 13 18:35:14 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 13 Sep 2011 14:35:14 -0400 Subject: [Freeipa-devel] [PATCH] 872 allow csr file to be provided interactively Message-ID: <4E6FA262.9070709@redhat.com> Add an escape clause to the CSR validator in the cert plugin. If the csr is a file just return and let the load_files() call slurp in the contents. It will still get validated. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-872-file.patch Type: text/x-patch Size: 1827 bytes Desc: not available URL: From rcritten at redhat.com Tue Sep 13 20:13:26 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 13 Sep 2011 16:13:26 -0400 Subject: [Freeipa-devel] [PATCH] 873 update ipa-ldap-updater man page Message-ID: <4E6FB966.4090208@redhat.com> ipa-ldap-updater is really just meant to be run during upgrades, not as a user utility. Add a blurb about that. This also fixes a bit of formatting and adds a bit about the order of operations. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-873-man.patch Type: text/x-patch Size: 3165 bytes Desc: not available URL: From simo at redhat.com Tue Sep 13 22:43:25 2011 
From: simo at redhat.com (Simo Sorce) Date: Tue, 13 Sep 2011 18:43:25 -0400 Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility In-Reply-To: <20110913160133.GE7369@localhost.localdomain> References: <20110826093926.GF2374@localhost.localdomain> <1314364467.20296.226.camel@willson.li.ssimo.org> <20110830144028.GE12659@localhost.localdomain> <1315433450.2684.13.camel@willson.li.ssimo.org> <20110908115245.GF21228@localhost.localdomain> <1315483606.5141.20.camel@dhcp-25-52.brq.redhat.com> <20110908123927.GG21228@localhost.localdomain> <1315609607.2684.137.camel@willson.li.ssimo.org> <20110912155308.GB7369@localhost.localdomain> <1315862678.2684.237.camel@willson.li.ssimo.org> <20110913160133.GE7369@localhost.localdomain> Message-ID: <1315953805.2684.277.camel@willson.li.ssimo.org> On Tue, 2011-09-13 at 18:01 +0200, Sumit Bose wrote: > Yes, if you do not find another major issue it would be nice if you > can > open a new ticket for new features. > Haven't finished testing, but compiling on master throws an error. You need to rebase and s/chkconfig_off/disable/ in smbinstance.py Also should we rename the file to adtrustinstance.py ? Simo. -- Simo Sorce * Red Hat, Inc * New York From pvoborni at redhat.com Wed Sep 14 12:12:16 2011 
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 14 Sep 2011 14:12:16 +0200
Subject: [Freeipa-devel] [PATCH] 016 Fixed: Some widgets do not have space for validation error message
Message-ID: <4E709A20.8070301@redhat.com>

https://fedorahosted.org/freeipa/ticket/1454

The following widgets should call create_error_link() to create a space to show validation error messages:
IPA.checkbox_widget
IPA.checkboxes_widget
IPA.radio_widget
IPA.select_widget
IPA.table_widget
IPA.attributes_widget
IPA.rights_widget
IPA.target_section (it's a widget)

Solution:
* added call to checkbox, checkboxes, radio, select, table, attributes widget
* rights_widget inherits it from checkboxes_widget.
* target_section IS NOT a widget as it doesn't inherit from widget. It's still a section, which shows different widgets based on its state.
* table_widget displays error_link above pagination. It looks better than under the table.

Attaching some screenshots for demonstration purposes, as these changes aren't achievable in current UI state.
* 1.png - checkbox and some current implementation of err. msg.
* 2.png - radio button and demonstration of how table_widget would look if error msg. was under the table
* 3.png - attributes_widget
* 4.png - new implementation of table_widget with customized pagination

note: screenshots are from chromium

To test table_widget you can use these JavaScript console commands

var userSection = IPA.entities.get('hbacrule').facets.get('details').sections.get('user');
var usersField = userSection.get_field('memberuser_user');
var groupsField = userSection.get_field('memberuser_group');
usersField.show_error('test users error message');
groupsField.show_error('test users groups error message');
groupsField.hide_error();
usersField.hide_error();

//rights_widget:
IPA.entities.get('permission').facets.get('details').sections.get('rights').fields.get('permissions').show_error('rights widget error');
IPA.entities.get('permission').facets.get('details').sections.get('rights').fields.get('permissions').hide_error();

//attributes_widget
IPA.entities.get('delegation').facets.get('details').sections.get('general').fields.get('attrs').show_error('attrs error')
IPA.entities.get('delegation').facets.get('details').sections.get('general').fields.get('attrs').hide_error()

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0016-Fixed-Some-widgets-do-not-have-space-for-validation-.patch
Type: text/x-patch
Size: 5515 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: error-messages-01.png
Type: image/png
Size: 50876 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: error-messages-02.png
Type: image/png
Size: 20140 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: error-messages-03.png
Type: image/png
Size: 12017 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: error-messages-05.png Type: image/png Size: 16169 bytes Desc: not available URL: From pvoborni at redhat.com Wed Sep 14 12:23:25 2011 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 14 Sep 2011 14:23:25 +0200 Subject: [Freeipa-devel] [PATCH] 016 Fixed: Some widgets do not have space for validation error message In-Reply-To: <4E709A20.8070301@redhat.com> References: <4E709A20.8070301@redhat.com> Message-ID: <4E709CBD.7040009@redhat.com> Forgot to update tests - to address newly added validation row in table_widget. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0016-1-Fixed-Some-widgets-do-not-have-space-for-validation-.patch Type: text/x-patch Size: 6073 bytes Desc: not available URL: From mkosek at redhat.com Wed Sep 14 12:23:53 2011 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 14 Sep 2011 14:23:53 +0200 Subject: [Freeipa-devel] [PATCH] 872 allow csr file to be provided interactively In-Reply-To: <4E6FA262.9070709@redhat.com> References: <4E6FA262.9070709@redhat.com> Message-ID: <1316003037.2647.31.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-09-13 at 14:35 -0400, Rob Crittenden wrote: > Add an escape clause to the CSR validator in the cert plugin. If the csr > is a file just return and let the load_files() call slurp in the > contents. It will still get validated. > > rob This works fine for CSR file. Shouldn't we fix this also for other File params? For example, entitle-import command will be affected as well: takes_args = ( File('usercertificate*', validate_certificate, cli_name='certificate_file', ), ) We can create a separate ticket for entitle-import if you want. Martin From mkosek at redhat.com Wed Sep 14 12:32:38 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 14 Sep 2011 14:32:38 +0200 Subject: [Freeipa-devel] [PATCH] 872 allow csr file to be provided interactively References: <4E6FA262.9070709@redhat.com> Message-ID: <1316003561.2647.32.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-09-14 at 14:23 +0200, Martin Kosek wrote: > On Tue, 2011-09-13 at 14:35 -0400, Rob Crittenden wrote: > > Add an escape clause to the CSR validator in the cert plugin. If the csr > > is a file just return and let the load_files() call slurp in the > > contents. It will still get validated. > > > > rob > > This works fine for CSR file. > > Shouldn't we fix this also for other File params? For example, > entitle-import command will be affected as well: > > takes_args = ( > File('usercertificate*', validate_certificate, > cli_name='certificate_file', > ), > ) > > We can create a separate ticket for entitle-import if you want. > > Martin Oh, and one more thing - API.txt has to be updated since you added a label to the CSR parameter. Martin From mkosek at redhat.com Wed Sep 14 12:41:50 2011 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 14 Sep 2011 14:41:50 +0200 Subject: [Freeipa-devel] [PATCH] 873 update ipa-ldap-updater man page In-Reply-To: <4E6FB966.4090208@redhat.com> References: <4E6FB966.4090208@redhat.com> Message-ID: <1316004117.2647.33.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-09-13 at 16:13 -0400, Rob Crittenden wrote: > ipa-ldap-updater is really just meant to be run during upgrades, not as > a user utility. Add a blurb about that. > > This also fixes a bit of formatting and adds a bit about the order of > operations. > > rob ACK. Pushed to master, ipa-2-1. Martin From sbose at redhat.com Wed Sep 14 12:50:42 2011 
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 14 Sep 2011 14:50:42 +0200
Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
In-Reply-To: <20110913160133.GE7369@localhost.localdomain>
References: <1314364467.20296.226.camel@willson.li.ssimo.org> <20110830144028.GE12659@localhost.localdomain> <1315433450.2684.13.camel@willson.li.ssimo.org> <20110908115245.GF21228@localhost.localdomain> <1315483606.5141.20.camel@dhcp-25-52.brq.redhat.com> <20110908123927.GG21228@localhost.localdomain> <1315609607.2684.137.camel@willson.li.ssimo.org> <20110912155308.GB7369@localhost.localdomain> <1315862678.2684.237.camel@willson.li.ssimo.org> <20110913160133.GE7369@localhost.localdomain>
Message-ID: <20110914125042.GA2186@localhost.localdomain>

On Tue, Sep 13, 2011 at 06:01:33PM +0200, Sumit Bose wrote:
> On Mon, Sep 12, 2011 at 05:24:38PM -0400, Simo Sorce wrote:
> > On Mon, 2011-09-12 at 17:53 +0200, Sumit Bose wrote:
> > [..]
> > >
> > > I can now run 'smbclient -k -L' on my test system with the recent samba
> > > patch.
> >
> > Sorry a couple more nitpicks.
> >
> > Trying to reinstall ipa-adtrust-install it returned immediately with
> > "Aborting Installation" and no explanation whatsoever. Turned out it saw
> > there was the IPA autogenerated text in smb.conf and decided to get out.
> >
> > - 2 issues here:
> > 1) no information (I had to check the code to see what reported that
> > error message), so we need a reason if we abort.
> > 2) In interactive mode we should ask if we want to proceed anyway I
> > think (to make it simpler to test it on an already enabled tree), but
> > can be convinced it is safer to just abort.
>
> interactive mode now stops and asks for confirmation
>
> >
> > - Once I fixed that by removing smb.conf and all tdbs to be sure, it
> > failed because smb.conf was not found, we should not require to find it
> > if we are going to wipe it anyway. If it is not there we should just go
> > on and create one.
>
> fixed
>
> >
> > - Then it correctly detected the samba sysaccount user existed and
> > decided not to reset the password. Not sure why, if we proceed and
> > reset the password in both ldap and secrets.tdb we are sure they are the
> > same, if we don't we just risk having no password (I wiped out
> > secrets.tdb and running ipa-adtrust-install again is the fastest way to
> > get that restored). I think you should always reset that password.
>
> fixed
>
> >
> > - The installation also failed because the service entry under the
> > master entry already existed. We should probably ignore and proceed, in
> > case of existing object. Not fail.
>
> fixed, since ldap_enable() already prints a logging.critical I added
> another one which should clarify what happens.
>
> >
> > Except for these points I had to set SELinux in permissive mode in order
> > to run the epmd, we need to track SELinux changes in a ticket I think.
> >
> > I wasn't able to test smbclient -k yet due to another bug in smbd but
> > the install seems fine so far, and I was able to get a ticket for cifs/
> > w/o any issue, and auth seemed to work.
> >
> > So if the nitpicks above get fixed it should be the last revision.
>
> Yes, if you do not find another major issue it would be nice if you can
> open a new ticket for new features.
>
> bye,
> Sumit

a recent commit in master made another change necessary. Additionally I
renamed smbinstance to adtrustinstance and check for more samba client
binaries which are needed by the utility.

New version attached.

bye,
Sumit

> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
-------------- next part --------------
From b7c2a3089b74a929cf28d581fd816a60d749ecc9 Mon Sep 17 00:00:00 2001
From: Sumit Bose Date: Wed, 7 Sep 2011 10:17:12 +0200 Subject: [PATCH] Add ipa-adtrust-install utility https://fedorahosted.org/freeipa/ticket/1619 --- freeipa.spec.in | 2 + install/po/Makefile.in | 1 + install/share/Makefile.am | 1 + install/share/smb.conf.template | 28 ++ install/tools/Makefile.am | 1 + install/tools/ipa-adtrust-install | 249 +++++++++++++++++ install/tools/man/Makefile.am | 1 + install/tools/man/ipa-adtrust-install.1 | 47 ++++ ipaserver/install/Makefile.am | 1 + ipaserver/install/adtrustinstance.py | 281 ++++++++++++++++++++ ipaserver/install/service.py | 3 +- .../test_ipaserver/install/test_adtrustinstance.py | 59 ++++ 12 files changed, 673 insertions(+), 1 deletions(-) create mode 100644 install/share/smb.conf.template create mode 100755 install/tools/ipa-adtrust-install create mode 100644 install/tools/man/ipa-adtrust-install.1 create mode 100644 ipaserver/install/adtrustinstance.py create mode 100755 tests/test_ipaserver/install/test_adtrustinstance.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 0f358fb4c34c52f2d86d1089b475e725fc6a5131..50b22b0779e77136a3a2bbc55dc8e56a6c094a8f 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -401,6 +401,7 @@ fi %doc COPYING README Contributors.txt %{_sbindir}/ipa-ca-install %{_sbindir}/ipa-dns-install +%{_sbindir}/ipa-adtrust-install %{_sbindir}/ipa-server-install %{_sbindir}/ipa-replica-conncheck %{_sbindir}/ipa-replica-install @@ -482,6 +483,7 @@ fi %{_mandir}/man1/ipa-server-certinstall.1.gz %{_mandir}/man1/ipa-server-install.1.gz %{_mandir}/man1/ipa-dns-install.1.gz +%{_mandir}/man1/ipa-adtrust-install.1.gz %{_mandir}/man1/ipa-ca-install.1.gz %{_mandir}/man1/ipa-compat-manage.1.gz %{_mandir}/man1/ipa-nis-manage.1.gz diff --git a/install/po/Makefile.in b/install/po/Makefile.in index 47c8bbba56041f95fc6641ff0188ab60db658de8..ac08b47921c0a96d0fe06b8d8f1419d7cd76bd36 100644 --- a/install/po/Makefile.in +++ b/install/po/Makefile.in 
@@ -51,6 +51,7 @@ PY_EXPLICIT_FILES = \ install/tools/ipa-server-install \ install/tools/ipa-ldap-updater \ install/tools/ipa-dns-install \ + install/tools/ipa-adtrust-install \ install/tools/ipa-ca-install \ ipa-client/ipa-install/ipa-client-install diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 991f3b478ad5af974d667a5126e6612027603af3..682a57c7d71eaccec8f6b92c4e0f2dd030179f55 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -32,6 +32,7 @@ app_DATA = \ krb.con.template \ krbrealm.con.template \ preferences.html.template \ + smb.conf.template \ referint-conf.ldif \ dna.ldif \ master-entry.ldif \ diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template new file mode 100644 index 0000000000000000000000000000000000000000..a7fc10691e8a4dd69b711d266f6bb70479dd319d --- /dev/null +++ b/install/share/smb.conf.template @@ -0,0 +1,28 @@ +[global] +workgroup = $NETBIOS_NAME +realm = $REALM +kerberos method = system keytab +create krb5 conf = no +security = user +domain master = yes +domain logons = yes +log level = 1 +max log size = 100000 +log file = /var/log/samba/log.%m +passdb backend = IPA_ldapsam:ldapi://$LDAPI_SOCKET +ldapsam:trusted=yes +ldap ssl = off +ldap admin dn = $SMB_DN +ldap suffix = $SUFFIX +ldap user suffix = cn=users,cn=accounts +ldap group suffix = cn=groups,cn=accounts +ldap machine suffix = cn=computers,cn=accounts +rpc_server:epmapper = external +rpc_server:lsarpc = external +rpc_server:lsass = external +rpc_server:lsasd = external +rpc_server:samr = external +rpc_server:netlogon = external +rpc_server:tcpip = yes +rpc_daemon:epmd = fork +rpc_daemon:lsasd = fork diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index fc615ec04f324c2d9c98dc8cf674938e1064bec6..96da7531764598878f94b6abd54c27a74671c028 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am 
@@ -8,6 +8,7 @@ sbin_SCRIPTS = \ ipa-ca-install \ ipa-dns-install \ ipa-server-install \ + ipa-adtrust-install \ ipa-replica-conncheck \ ipa-replica-install \ ipa-replica-prepare \ diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install new file mode 100755 index 0000000000000000000000000000000000000000..cc99b5551ede7787ce296bae594553da74da0ffa --- /dev/null +++ b/install/tools/ipa-adtrust-install 
@@ -0,0 +1,249 @@ +#! /usr/bin/python +# +# Authors: Sumit Bose +# Based on ipa-server-install by Karl MacMillan +# and ipa-dns-install by Martin Nagy +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import traceback + +from ipaserver.plugins.ldap2 import ldap2 +from ipaserver.install import adtrustinstance +from ipaserver.install.installutils import * +from ipaserver.install import installutils +from ipapython import version +from ipapython import ipautil, sysrestore +from ipalib import api, errors, util +from ipapython.config import IPAOptionParser +import krbV +import ldap + +def parse_options(): + parser = IPAOptionParser(version=version.VERSION) + parser.add_option("-p", "--ds-password", dest="dm_password", + sensitive=True, help="directory manager password") + parser.add_option("-d", "--debug", dest="debug", action="store_true", + default=False, help="print debugging information") + parser.add_option("--ip-address", dest="ip_address", + type="ip", ip_local=True, help="Master Server IP Address") + parser.add_option("--netbios-name", dest="netbios_name", + help="NetBIOS name of the IPA domain") + parser.add_option("-U", "--unattended", dest="unattended", action="store_true", + default=False, help="unattended installation never prompts the user") + + options, args = parser.parse_args() + safe_options = 
parser.get_safe_opts(options) + + return safe_options, options + +def netbios_name_error(name): + print "Illegal NetBIOS name [%s].\n" % name + print "Up to 15 characters and only uppercase ASCII letter and digits are allowed." + +def read_netbios_name(netbios_default): + netbios_name = "" + + print "Enter the NetBIOS name for the IPA domain." + print "Only up to 15 uppercase ASCII letters and digits are allowed." + print "Example: EXAMPLE." + print "" + print "" + if not netbios_default: + netbios_default = "EXAMPLE" + while True: + netbios_name = ipautil.user_input("NetBIOS domain name", netbios_default, allow_empty = False) + print "" + if adtrustinstance.check_netbios_name(netbios_name): + break + + netbios_name_error(netbios_name) + + return netbios_name + +def main(): + safe_options, options = parse_options() + + if os.getegid() != 0: + sys.exit("Must be root to setup AD trusts on server") + + standard_logging_setup("/var/log/ipaserver-install.log", options.debug, filemode='a') + print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log" + + logging.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options)) + logging.debug("missing options might be asked for interactively later\n") + + installutils.check_server_configuration() + + global fstore + fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + print "==============================================================================" + print "This program will setup components needed to establish trust to AD domains for" + print "the FreeIPA Server." + print "" + print "This includes:" + print " * Configure Samba" + print " * Add trust related objects to FreeIPA LDAP server" + #TODO: + #print " * Add a SID to all users and Posix groups" + print "" + print "To accept the default shown in brackets, press the Enter key." 
+ print "" + + # Check if samba packages are installed + if not adtrustinstance.check_inst(options.unattended): + sys.exit("Aborting installation.") + + # Initialize the ipalib api + cfg = dict( + in_server=True, + debug=options.debug, + ) + api.bootstrap(**cfg) + api.finalize() + + if adtrustinstance.ipa_smb_conf_exists(): + if not options.unattended: + while True: + print "IPA generated smb.conf detected." + if not ipautil.user_input("Overwrite smb.conf?", default = False, allow_empty = False): + sys.exit("Aborting installation.") + break + + # Check we have a public IP that is associated with the hostname + try: + if options.ip_address: + ip = ipautil.CheckedIPAddress(options.ip_address, match_local=True) + else: + hostaddr = resolve_host(api.env.host) + ip = hostaddr and ipautil.CheckedIPAddress(hostaddr, match_local=True) + except Exception, e: + print "Error: Invalid IP Address %s: %s" % (ip, e) + ip = None + + if not ip: + if options.unattended: + sys.exit("Unable to resolve IP address for host name") + else: + read_ip = read_ip_address(api.env.host, fstore) + try: + ip = ipautil.CheckedIPAddress(read_ip, match_local=True) + except Exception, e: + print "Error: Invalid IP Address %s: %s" % (ip, e) + sys.exit("Aborting installation.") + + ip_address = str(ip) + logging.debug("will use ip_address: %s\n", ip_address) + + if not options.unattended: + print "" + print "The following operations may take some minutes to complete." + print "Please wait until the prompt is returned." 
+ print "" + + # Create a Adtrust instance + if options.unattended and not options.dm_password: + sys.exit("\nIn unattended mode you need to provide at least the -p option") + + netbios_name = options.netbios_name + if not netbios_name: + netbios_name = adtrustinstance.make_netbios_name(api.env.domain) + + if not adtrustinstance.check_netbios_name(netbios_name): + if options.unattended: + netbios_name_error(netbios_name) + sys.exit("Aborting installation.") + else: + netbios_name = None + if options.netbios_name: + netbios_name_error(options.netbios_name) + + if not options.unattended and ( not netbios_name or not options.netbios_name): + netbios_name = read_netbios_name(netbios_name) + + dm_password = options.dm_password or read_password("Directory Manager", + confirm=False, validate=False) + smb = adtrustinstance.ADTRUSTInstance(fstore, dm_password) + + # try the connection + try: + smb.ldap_connect() + smb.ldap_disconnect() + except ldap.INVALID_CREDENTIALS, e: + sys.exit("Password is not valid!") + + if smb.dm_password: + api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=smb.dm_password) + else: + # See if our LDAP server is up and we can talk to it over GSSAPI + ccache = krbV.default_context().default_ccache().name + api.Backend.ldap2.connect(ccache) + + smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain, + netbios_name) + smb.create_instance() + + print "==============================================================================" + print "Setup complete" + print "" + print "\tYou must make sure these network ports are open:" + print "\t\tTCP Ports:" + print "\t\t * 138: netbios-dgm" + print "\t\t * 139: netbios-ssn" + print "\t\t * 445: microsoft-ds" + print "\t\tUDP Ports:" + print "\t\t * 138: netbios-dgm" + print "\t\t * 139: netbios-ssn" + print "\t\t * 445: microsoft-ds" + print "" + print "\tAdditionally you have to make sure the FreeIPA LDAP server cannot reached" + print "\tby any domain controller in the Active 
Directory domain by closing the" + print "\tfollowing ports for these servers:" + print "\t\tTCP Ports:" + print "\t\t * 389, 636: LDAP/LDAPS" + print "\t\tUDP Ports:" + print "\t\t * 389: (C)LDAP" + print "\tYou may want to choose to REJECT the network packets instead of DROPing them" + print "\tto avoid timeouts on the AD domain controllers." + + return 0 + +try: + sys.exit(main()) +except SystemExit, e: + sys.exit(e) +except KeyboardInterrupt: + print "Installation cancelled." +except RuntimeError, e: + print str(e) +except HostnameLocalhost: + print "The hostname resolves to the localhost address (127.0.0.1/::1)" + print "Please change your /etc/hosts file so that the hostname" + print "resolves to the ip address of your network interface." + print "The KDC service does not listen on localhost" + print "" + print "Please fix your /etc/hosts file and restart the setup program" +except Exception, e: + message = "Unexpected error - see ipaserver-install.log for details:\n %s" % str(e) + print message + message = str(e) + for str in traceback.format_tb(sys.exc_info()[2]): + message = message + "\n" + str + logging.debug(message) + sys.exit(1) diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am index 71d9b29c87d2b24c51d3048dc1050e099a89835d..d5b5976b0fd8c8e6683d09e7ade575fda2527832 100644 --- a/install/tools/man/Makefile.am +++ b/install/tools/man/Makefile.am @@ -13,6 +13,7 @@ man1_MANS = \ ipa-server-certinstall.1 \ ipa-server-install.1 \ ipa-dns-install.1 \ + ipa-adtrust-install.1 \ ipa-ca-install.1 \ ipa-ldap-updater.1 \ ipa-compat-manage.1 \ diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 new file mode 100644 index 0000000000000000000000000000000000000000..a3981adf48d14cc0e540c646fff099490203f862 --- /dev/null +++ b/install/tools/man/ipa-adtrust-install.1 
@@ -0,0 +1,47 @@ +.\" A man page for ipa-adtrust-install +.\" Copyright (C) 2011 Red Hat, Inc. +.\" +.\" This program is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation, either version 3 of the License, or +.\" (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, but +.\" WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +.\" General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program. If not, see . +.\" +.\" Author: Sumit Bose +.\" +.TH "ipa-adtrust-install" "1" "Aug 23 2011" "FreeIPA" "FreeIPA Manual Pages" +.SH "NAME" +ipa\-adtrust\-install \- Prepare an IPA server to be able to establish trust relationships with AD domains +.SH "SYNOPSIS" +ipa\-adtrust\-install [\fIOPTION\fR]... +.SH "DESCRIPTION" +Adds all necesary objects and configuration to allow an IPA server to create a +trust to an Active Directory domain. This requires that the IPA server is +already installed and configured. +.SH "OPTIONS" +.TP +\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR +The password to be used by the Directory Server for the Directory Manager user +.TP +\fB\-d\fR, \fB\-\-debug\fR +Enable debug logging when more verbose output is needed +.TP +\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR +The IP address of the IPA server. If not provided then this is determined based on the hostname of the server. +.TP +\fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR +The NetBIOS name for the IPA domain. If not provided then this is determined based on the leading component of the DNS domain name. 
+.TP +\fB\-U\fR, \fB\-\-unattended\fR +An unattended installation that will never prompt for user input +.SH "EXIT STATUS" +0 if the installation was successful + +1 if an error occurred diff --git a/ipaserver/install/Makefile.am b/ipaserver/install/Makefile.am index 8932eadbb7ace71372277259a557884d989ea2c1..9fcad4e77c93cf44ed5fcf3ff793233ba35482c1 100644 --- a/ipaserver/install/Makefile.am +++ b/ipaserver/install/Makefile.am @@ -10,6 +10,7 @@ app_PYTHON = \ krbinstance.py \ httpinstance.py \ ntpinstance.py \ + adtrustinstance.py \ service.py \ installutils.py \ replication.py \ diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py new file mode 100644 index 0000000000000000000000000000000000000000..f2cc3327deb7fb8b7dacf8aef4c42597cc82ca1d --- /dev/null +++ b/ipaserver/install/adtrustinstance.py 
@@ -0,0 +1,281 @@ +# Authors: Sumit Bose +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import logging + +import os +import errno +import ldap +import service +import tempfile +import installutils +from ipaserver import ipaldap +from ipaserver.install.dsinstance import realm_to_serverid +from ipalib import errors +from ipapython import sysrestore +from ipapython import ipautil + +import random +import string +import struct + +allowed_netbios_chars = string.ascii_uppercase + string.digits + +def check_inst(unattended): + for f in ['/usr/sbin/smbd', '/usr/bin/net', '/usr/bin/smbpasswd']: + if not os.path.exists(f): + print "%s was not found on this system" % f + print "Please install the 'samba' packages and start the installation again" + return False + + #TODO: Add check for needed samba4 libraries + + return True + +def ipa_smb_conf_exists(): + try: + fd = open('/etc/samba/smb.conf', 'r') + except IOError, e: + if e.errno == errno.ENOENT: + return False + + lines = fd.readlines() + fd.close() + for line in lines: + if line.startswith('### Added by IPA Installer ###'): + return True + return False + + +def check_netbios_name(s): + # NetBIOS names may not be longer than 15 allowed characters + if not s or len(s) > 15 or ''.join([c for c in s if c not in allowed_netbios_chars]): + return False + + return True + +def 
make_netbios_name(s): + return ''.join([c for c in s.split('.')[0].upper() if c in allowed_netbios_chars])[:15] + +class ADTRUSTInstance(service.Service): + def __init__(self, fstore=None, dm_password=None): + service.Service.__init__(self, "smb", dm_password=dm_password) + + if fstore: + self.fstore = fstore + else: + self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + def __create_samba_user(self): + print "The user for Samba is %s" % self.smb_dn + try: + self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE) + print "Samba user entry exists, resetting password" + + self.admin_conn.modify_s(self.smb_dn, [(ldap.MOD_REPLACE, "userPassword", self.smb_dn_pwd)]) + return + + except errors.NotFound: + pass + + # The user doesn't exist, add it + entry = ipaldap.Entry(self.smb_dn) + entry.setValues("objectclass", ["account", "simplesecurityobject"]) + entry.setValues("uid", "samba") + entry.setValues("userPassword", self.smb_dn_pwd) + self.admin_conn.add_s(entry) + + # And finally grant it permission to read NT passwords, we do not want + # to support LM passwords so there is no need to allow access to them + mod = [(ldap.MOD_ADD, 'aci', + str(['(targetattr = "sambaNTPassword")(version 3.0; acl "Samba user can read NT passwords"; allow (read) userdn="ldap:///%s";)' % self.smb_dn]))] + try: + self.admin_conn.modify_s(self.suffix, mod) + except ldap.TYPE_OR_VALUE_EXISTS: + logging.debug("samba user aci already exists in suffix %s on %s" % (self.suffix, self.admin_conn.host)) + + def __gen_sid_string(self): + sub_ids = struct.unpack(" +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. 
+# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +""" +Test `adtrustinstance` +""" + +import os +import nose + +from ipaserver.install import adtrustinstance + +class test_adtrustinstance: + """ + Test `adtrustinstance`. + """ + + def test_make_netbios_name(self): + s = adtrustinstance.make_netbios_name("ABCDEF") + assert s == 'ABCDEF' and isinstance(s, str) + s = adtrustinstance.make_netbios_name(U"ABCDEF") + assert s == 'ABCDEF' and isinstance(s, unicode) + s = adtrustinstance.make_netbios_name("abcdef") + assert s == 'ABCDEF' + s = adtrustinstance.make_netbios_name("abc.def") + assert s == 'ABC' + s = adtrustinstance.make_netbios_name("abcdefghijklmnopqr.def") + assert s == 'ABCDEFGHIJKLMNO' + s = adtrustinstance.make_netbios_name("A!$%B&/()C=?+*D") + assert s == 'ABCD' + s = adtrustinstance.make_netbios_name("!$%&/()=?+*") + assert not s + + def test_check_netbios_name(self): + assert adtrustinstance.check_netbios_name("ABCDEF") + assert not adtrustinstance.check_netbios_name("abcdef") + assert adtrustinstance.check_netbios_name("ABCDE12345ABCDE") + assert not adtrustinstance.check_netbios_name("ABCDE12345ABCDE1") + assert not adtrustinstance.check_netbios_name("") + + assert adtrustinstance.check_netbios_name(U"ABCDEF") + assert not adtrustinstance.check_netbios_name(U"abcdef") + assert adtrustinstance.check_netbios_name(U"ABCDE12345ABCDE") + assert not adtrustinstance.check_netbios_name(U"ABCDE12345ABCDE1") -- 1.7.6 From rcritten at redhat.com Wed Sep 14 15:29:03 2011 
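Review bot: In ipa-adtrust-install, both `except Exception, e:` handlers around `CheckedIPAddress` print `ip` in the error message, but in the first block `ip` has not been assigned yet when the exception fires (an UnboundLocalError replaces the real error) and in the second it is already None; print `options.ip_address` / `hostaddr` and `read_ip` instead. The port list in the "Setup complete" message is also wrong: netbios-ns 137/udp is missing, 138 (netbios-dgm) is UDP only, and 139 (netbios-ssn) and 445 (microsoft-ds) are TCP only, so the same three ports should not be listed under both headings. Smaller points in the same file: `os.getegid() != 0` checks the effective group, use `os.geteuid()`; `os`, `sys` and `logging` are only reachable through `from ipaserver.install.installutils import *` and should be imported explicitly; with `--unattended` an existing IPA-generated smb.conf is overwritten without any message, and the `while True:` around the overwrite prompt is a single-iteration loop; the `for str in traceback.format_tb(...)` loop shadows the builtin; "cannot reached" should read "cannot be reached" and "uppercase ASCII letter" should be "letters".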
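Review bot: In adtrustinstance.py, `ipa_smb_conf_exists()` returns False only for `errno.ENOENT`; any other IOError (for example EACCES on /etc/samba/smb.conf) falls through to `fd.readlines()` with `fd` unbound and raises UnboundLocalError instead of the real error. Re-raise in the other case, or test `os.path.exists()` first and read the file inside a `with` block. Worth an explicit decision as well: `allowed_netbios_chars` excludes '-', which Windows permits in NetBIOS domain names, so `make_netbios_name("example-corp.com")` silently yields EXAMPLECORP; either allow the hyphen or say in the prompt why it is rejected. The file is cut off in this archive copy at `__gen_sid_string`, so the SID generation and the rest of `ADTRUSTInstance` are not reviewed here.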
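Review bot: In ipa-adtrust-install.1, "necesary" should be "necessary", and the `-p` description ("The password to be used by the Directory Server for the Directory Manager user") states the option backwards: it is the Directory Manager password the tool binds with. Suggested: "The Directory Manager password, used to bind to the Directory Server." The constraint the tool enforces on `--netbios-name` (up to 15 uppercase ASCII letters and digits) should also appear in the man page.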
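Review bot: In the test module, `import os` and `import nose` are unused. Since the NetBIOS naming rules are encoded in both `check_netbios_name` and `make_netbios_name`, add cases that pin them down, for example `make_netbios_name("example-corp.com")` and `check_netbios_name("EXAMPLE-CORP")`, so that a later decision on hyphens changes a test rather than silently changing behaviour.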
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 14 Sep 2011 11:29:03 -0400 Subject: [Freeipa-devel] [PATCH] 872 allow csr file to be provided interactively In-Reply-To: <1316003561.2647.32.camel@dhcp-25-52.brq.redhat.com> References: <4E6FA262.9070709@redhat.com> <1316003561.2647.32.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E70C83F.9070008@redhat.com> Martin Kosek wrote: > On Wed, 2011-09-14 at 14:23 +0200, Martin Kosek wrote: >> On Tue, 2011-09-13 at 14:35 -0400, Rob Crittenden wrote: >>> Add an escape clause to the CSR validator in the cert plugin. If the csr >>> is a file just return and let the load_files() call slurp in the >>> contents. It will still get validated. >>> >>> rob >> >> This works fine for CSR file. >> >> Shouldn't we fix this also for other File params? For example, >> entitle-import command will be affected as well: >> >> takes_args = ( >> File('usercertificate*', validate_certificate, >> cli_name='certificate_file', >> ), >> ) >> >> We can create a separate ticket for entitle-import if you want. >> >> Martin > > Oh, and one more thing - API.txt has to be updated since you added a > label to the CSR parameter. > > Martin > Updated patch with API attached. I had that fixed, dropped my changes, re-made them and forgot to update API again. entitle-import doesn't have stdin_if_missing set so will only read from a file, there is no interactive option. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-872-2-file.patch Type: text/x-patch Size: 2541 bytes Desc: not available URL: From rcritten at redhat.com Wed Sep 14 15:35:13 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 14 Sep 2011 11:35:13 -0400 Subject: [Freeipa-devel] [PATCH] 871 add hostname regex In-Reply-To: <20110913071840.GA13127@redhat.com> References: <4E6E4714.7050007@redhat.com> <20110912195017.GG22121@redhat.com> <4E6E67EC.9010202@redhat.com> <4E6F01D7.7090902@redhat.com> <20110913071840.GA13127@redhat.com> Message-ID: <4E70C9B1.3060902@redhat.com> Alexander Bokovoy wrote: > On Tue, 13 Sep 2011, Jan Cholasta wrote: >>>> What about IDN hosts? With this change we would require them to be >>>> always in Punycode? >>>> >>> >>> Oh, hadn't considered that, I was just following the relevant RFCs. Is >>> there a way we can easily support those as well? >> >> The easiest way would probably be: >> >> normalizer=lambda value: unicode(value.encode('idna')) > That's one part. Another one is visualizing such content -- for both > Web UI and CLI we would need to run encodings.idna.ToUnicode(). > Finally, make sure whatever we pass to external applications is > properly formatted as well -- all of them should be able to work with > xn-- form. The UI also links the DNS hostname to the host entries so I'd think the names must be matchable in some way. If DNS can only store punycode names I think the regex will be fine. rob From mkosek at redhat.com Wed Sep 14 16:18:40 2011
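The three pieces discussed in this thread (an IDNA normalizer on input, an RFC 1123 regex applied to the normalized form, and ToUnicode for display), as an added example that is not FreeIPA code. It uses the Python 3 standard-library idna codec, so `value.encode("idna")` takes the place of the Python 2 `unicode(value.encode('idna'))` quoted above; the function names and the regex are the example's own.

```python
"""Added example (not FreeIPA code): IDN-aware hostname handling built from the
pieces in the thread above. Normalization produces the punycode (xn--) form, so
only that form has to match the hostname regex; display converts it back.
Function names are the example's own; Python 3 standard library only."""
import re

# RFC 1123 hostname: labels of letters, digits and inner hyphens, 1-63 chars
# each, joined by dots. Checked after IDNA normalization and lowercasing.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(r"^%s(?:\.%s)*$" % (_LABEL, _LABEL))


def normalize_hostname(value):
    """Return the lowercase IDNA (ToASCII) form of value, e.g.
    'Bücher.Example.COM' -> 'xn--bcher-kva.example.com'.
    Raises ValueError when a label is empty or longer than 63 octets."""
    value = value.strip().rstrip(".")
    if not value:
        raise ValueError("empty hostname")
    try:
        ascii_form = value.encode("idna").decode("ascii")
    except UnicodeError as e:
        raise ValueError("invalid hostname %r: %s" % (value, e))
    # The idna codec runs nameprep (which folds case) only on non-ASCII
    # labels, so pure-ASCII labels still need lowercasing here.
    return ascii_form.lower()


def validate_hostname(value):
    """Normalize value and check it against HOSTNAME_RE and the 253-octet limit.
    Returns the normalized name; raises ValueError otherwise."""
    name = normalize_hostname(value)
    if len(name) > 253:
        raise ValueError("hostname longer than 253 octets: %r" % name)
    if not HOSTNAME_RE.match(name):
        raise ValueError("invalid hostname: %r" % name)
    return name


def display_hostname(name):
    """ToUnicode for UI/CLI output: 'xn--bcher-kva.example.com' -> 'bücher.example.com'.
    Names without an xn-- label are returned unchanged."""
    return name.encode("ascii").decode("idna")


def is_valid_hostname(value):
    """Boolean wrapper for callers that do not want the exception."""
    try:
        validate_hostname(value)
        return True
    except ValueError:
        return False
```

Storing and matching on the normalized form keeps DNS data and host entries comparable, while `display_hostname` only touches what is shown to the user.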
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 14 Sep 2011 18:18:40 +0200 Subject: [Freeipa-devel] Structured DNS record API proposal Message-ID: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com> Attached in the txt file. If you have any comments or suggestions to this proposal, please let me know. https://fedorahosted.org/freeipa/ticket/1766 -------------- next part -------------- https://fedorahosted.org/freeipa/ticket/1766

This is a proposal for an API for a per-DNS-type interface in FreeIPA. There are many structured DNS RR types where DNS data is not just an IP address or a domain name, but an (often complex) data structure. Example of adding a structured DNS RR (LOC in this case):

ipa dnsrecord-add example.com @ --loc-rec "49 11 42.4 N 16 36 29.6 E 227.64m"

It may be difficult to enter such a DNS record into FreeIPA without making an error (which would lead to an invalid zone in this case). For this reason, I have created at least basic validators in my patch 120 (ticket 1106).

GOAL: Create an API useful for both CLI and WebUI capable of creating these structured DNS types

CURRENT API:
ipa dnsrecord-add Add new DNS resource record.
ipa dnsrecord-del Delete DNS resource record.
ipa dnsrecord-find Search for DNS resources.
ipa dnsrecord-mod Modify a DNS resource record.
ipa dnsrecord-show Display DNS resource.
PROPOSED API IMPROVEMENT:

Proposed API for all supported structured DNS types follows:
ipa dnsrecord-afsdb-add --subtype=INT --hostname=STR
ipa dnsrecord-cert-add --type=ENUM --tag=INT --algorithm=ENUM --certificate=STR
ipa dnsrecord-ds-add --tag=INT --algorithm=ENUM --type=ENUM --digest=STR
ipa dnsrecord-key-add --flags=LIST --protocol=INT --algorithm=ENUM --digest=STR
ipa dnsrecord-kx-add --preference=INT --exchanger=STR
ipa dnsrecord-loc-add --lat-deg=INT --lat-min=INT --lat-sec=FLOAT --lat-dir=ENUM --lon-deg=INT --lon-min=INT --lon-sec=FLOAT --lon-dir=ENUM --alt=FLOAT --h-precision=FLOAT --v-precision=FLOAT
ipa dnsrecord-mx-add --priority=INT --mailserver=STR
ipa dnsrecord-nsec-add --next=STR --types=LIST
ipa dnsrecord-naptr-add --order=INT --preference=INT --flag=ENUM --service=STR --regexp=STR --replacement=STR
ipa dnsrecord-sig-add --type=ENUM --algorithm=ENUM --labels=INT --original-ttl=INT --sig-expiration=INT --sig-inception=INT --tag=INT --signer=STR --signature=STR
ipa dnsrecord-srv-add --priority=INT --weight=INT --port=INT --target=STR
ipa dnsrecord-sshfp-add --algorithm=ENUM --type=ENUM --fingerprint=STR
ipa dnsrecord-rrsig-add --type=ENUM --algorithm=ENUM --labels=INT --original-ttl=INT --sig-expiration=INT --sig-inception=INT --tag=INT --signer=STR --signature=STR

To support also modification of current records (i.e. replacement) we can add a "mod" equivalent, e.g.:
ipa dnsrecord-afsdb-mod --subtype=INT --hostname=STR
ipa dnsrecord-cert-mod --type=ENUM --tag=INT --algorithm=ENUM --certificate=STR
...

I think this is what WebUI guys will want.

EXAMPLE OF OPTIONS:

The available options for particular RR types will be based on RFC research I have already done for my patch 120. Let's see how the API will look.
1) LOC record example noted in the beginning:

ipa dnsrecord-loc-add example.com @ --lat-deg=49 --lat-min=11 --lat-sec=42.4 --lat-dir=N --lon-deg=16 --lon-min=36 --lon-sec=29.6 --lon-dir=E --alt=227.64

The good thing about options is that we can divide them into mandatory and optional and provide defaults. In this case, one can enter an imprecise LOC record with:

ipa dnsrecord-loc-add example.com @ --lat-deg=49 --lat-dir=N --lon-deg=16 --lon-dir=E

2) Another example with CERT RR type:

CURRENT API:
ipa dnsrecord-add example.com foo --cert-rec="1 0 5 MIIDfzCCAuigAwIBAgIKcYxqqAAAAAAAFzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpVTS1BTUFMR0ExMB4XDTEwMDYwMTE3NTM1NVoXDTExMDYwMTE4MDM1NVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEMMAoG"

NEW API:
ipa dnsrecord-cert-add example.com foo --type=PKIX --tag=0 --algorithm=RSASHA1 --certificate="MIIDfzCCAuigAwIBAgIKcYxqqAAAAAAAFzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpVTS1BTUFMR0ExMB4XDTEwMDYwMTE3NTM1NVoXDTExMDYwMTE4MDM1NVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEMMAoG" From mkosek at redhat.com Wed Sep 14 16:30:10 2011
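What the per-type options in the proposal buy over a free-form string, as an added example that is not FreeIPA code: builders for LOC (RFC 1876) and CERT (RFC 4398) that validate every field and only then emit the presentation text the zone gets, plus a parser for LOC so existing records can be read back into the same fields (the parser goes beyond what the proposal itself shows). Class and function names are the example's own; it needs only the Python 3 standard library.

```python
"""Added example (not FreeIPA code): per-field builders for two of the structured
types in the proposal above, LOC (RFC 1876) and CERT (RFC 4398). Every option is
validated before the presentation text is produced, so a bad value fails at the
API instead of producing an unloadable zone. Names are the example's own; Python 3."""
import base64
import binascii

_DEFAULTS = (1.0, 10000.0, 10.0)   # RFC 1876 size, horiz. and vert. precision (metres)

def _fmt(value, places):
    """Fixed-point text with trailing zeros stripped: 42.400 -> '42.4', 0.00 -> '0'."""
    return ("%.*f" % (places, value)).rstrip("0").rstrip(".")

def _check_range(name, value, lo, hi):
    if not lo <= value <= hi:
        raise ValueError("%s=%r outside [%s, %s]" % (name, value, lo, hi))

class LocRecord(object):
    """A LOC RR assembled from the --lat-deg/--lon-deg/... options of the proposal."""

    def __init__(self, lat_deg, lat_dir, lon_deg, lon_dir, lat_min=0, lat_sec=0.0,
                 lon_min=0, lon_sec=0.0, alt=0.0, size=_DEFAULTS[0],
                 h_precision=_DEFAULTS[1], v_precision=_DEFAULTS[2]):
        for axis, deg, mn, sec, d, dirs, top in (
                ("lat", lat_deg, lat_min, lat_sec, lat_dir, ("N", "S"), 90),
                ("lon", lon_deg, lon_min, lon_sec, lon_dir, ("E", "W"), 180)):
            _check_range(axis + "_deg", deg, 0, top)
            _check_range(axis + "_min", mn, 0, 59)
            _check_range(axis + "_sec", sec, 0, 59.999)
            if d not in dirs:
                raise ValueError("%s_dir must be %s or %s" % ((axis,) + dirs))
            if deg == top and (mn or sec):   # 90 N / 180 E carry no minutes or seconds
                raise ValueError("%s: minutes and seconds must be 0 at %d degrees" % (axis, top))
        _check_range("alt", alt, -100000.0, 42849672.95)
        for name, val in (("size", size), ("h_precision", h_precision), ("v_precision", v_precision)):
            _check_range(name, val, 0.0, 90000000.0)
        self.lat = (int(lat_deg), int(lat_min), float(lat_sec), lat_dir)
        self.lon = (int(lon_deg), int(lon_min), float(lon_sec), lon_dir)
        self.alt = float(alt)
        self.precision = [float(size), float(h_precision), float(v_precision)]

    def to_presentation(self):
        """RFC 1876 text form; trailing precision fields equal to the defaults are omitted."""
        parts = []
        for deg, mn, sec, d in (self.lat, self.lon):
            parts.append(str(deg))
            if mn or sec:
                parts.append(str(mn))        # minutes are required once seconds are present
            if sec:
                parts.append(_fmt(sec, 3))
            parts.append(d)
        parts.append(_fmt(self.alt, 2) + "m")
        tail = list(self.precision)
        while tail and tail[-1] == _DEFAULTS[len(tail) - 1]:
            tail.pop()
        parts.extend(_fmt(v, 2) + "m" for v in tail)
        return " ".join(parts)

def parse_loc(text):
    """Inverse of LocRecord.to_presentation(): parse RFC 1876 text into a validated LocRecord."""
    tokens, fields, pos = text.split(), {}, 0
    for axis, dirs in (("lat", ("N", "S")), ("lon", ("E", "W"))):
        nums = []
        while pos < len(tokens) and tokens[pos] not in dirs:
            nums.append(tokens[pos])
            pos += 1
        if pos == len(tokens) or not 1 <= len(nums) <= 3:
            raise ValueError("malformed %s part in %r" % (axis, text))
        fields[axis + "_deg"] = int(nums[0])
        fields[axis + "_min"] = int(nums[1]) if len(nums) > 1 else 0
        fields[axis + "_sec"] = float(nums[2]) if len(nums) > 2 else 0.0
        fields[axis + "_dir"] = tokens[pos]
        pos += 1
    rest = tokens[pos:]
    if not 1 <= len(rest) <= 4:
        raise ValueError("expected altitude and at most three precision values in %r" % text)
    for name, tok in zip(("alt", "size", "h_precision", "v_precision"), rest):
        try:
            fields[name] = float(tok[:-1] if tok.endswith("m") else tok)
        except ValueError:
            raise ValueError("bad metre value %r in %r" % (tok, text))
    return LocRecord(**fields)

# RFC 4398 certificate type mnemonics and the DNSSEC algorithm numbers CERT uses.
CERT_TYPES = {"PKIX": 1, "SPKI": 2, "PGP": 3, "IPKIX": 4, "ISPKI": 5, "IPGP": 6,
              "ACPKIX": 7, "IACPKIX": 8, "URI": 253, "OID": 254}
DNSSEC_ALGORITHMS = {"RSAMD5": 1, "DH": 2, "DSA": 3, "RSASHA1": 5, "RSASHA256": 8,
                     "RSASHA512": 10, "ECDSAP256SHA256": 13, "ECDSAP384SHA384": 14}

def cert_record(type_, tag, algorithm, certificate):
    """Build '<type> <key tag> <algorithm> <base64>' from --type/--tag/--algorithm/--certificate."""
    if type_ not in CERT_TYPES:
        raise ValueError("unknown CERT type %r" % type_)
    if algorithm not in DNSSEC_ALGORITHMS:
        raise ValueError("unknown algorithm %r" % algorithm)
    _check_range("tag", tag, 0, 65535)
    try:
        base64.b64decode(certificate, validate=True)   # rejects stray characters and bad padding
    except (binascii.Error, ValueError):
        raise ValueError("certificate is not valid base64")
    return "%d %d %d %s" % (CERT_TYPES[type_], tag, DNSSEC_ALGORITHMS[algorithm], certificate)
```

`LocRecord(49, "N", 16, "E").to_presentation()` gives the imprecise form `49 N 16 E 0m` from the second example above, and `cert_record("PKIX", 0, "RSASHA1", ...)` produces the `1 0 5 ...` prefix of the current `--cert-rec` string, which is the mapping the new options hide from the user.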
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 14 Sep 2011 18:30:10 +0200 Subject: [Freeipa-devel] [PATCH] 872 allow csr file to be provided interactively In-Reply-To: <4E70C83F.9070008@redhat.com> References: <4E6FA262.9070709@redhat.com> <1316003561.2647.32.camel@dhcp-25-52.brq.redhat.com> <4E70C83F.9070008@redhat.com> Message-ID: <1316017812.2647.41.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-09-14 at 11:29 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Wed, 2011-09-14 at 14:23 +0200, Martin Kosek wrote: > >> On Tue, 2011-09-13 at 14:35 -0400, Rob Crittenden wrote: > >>> Add an escape clause to the CSR validator in the cert plugin. If the csr > >>> is a file just return and let the load_files() call slurp in the > >>> contents. It will still get validated. > >>> > >>> rob > >> > >> This works fine for CSR file. > >> > >> Shouldn't we fix this also for other File params? For example, > >> entitle-import command will be affected as well: > >> > >> takes_args = ( > >> File('usercertificate*', validate_certificate, > >> cli_name='certificate_file', > >> ), > >> ) > >> > >> We can create a separate ticket for entitle-import if you want. > >> > >> Martin > > > > Oh, and one more thing - API.txt has to be updated since you added a > > label to the CSR parameter. > > > > Martin > > > > Updated patch with API attached. I had that fixed, dropped my changes, > re-made them and forgot to update API again. > > entitle-import doesn't have stdin_if_missing set so will only read from > a file, there is no interactive option. > > rob ACK. Pushed to master, ipa-2-1. Martin From rcritten at redhat.com Wed Sep 14 20:39:37 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 14 Sep 2011 16:39:37 -0400 Subject: [Freeipa-devel] [PATCH] 874 suppress managed netgroups as indirect members of hosts Message-ID: <4E711109.3090501@redhat.com> Suppress managed netgroups as indirect members of hosts. This enhances a previous patch that I did for hostgroups. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-874-hosts.patch Type: text/x-patch Size: 4358 bytes Desc: not available URL: From rcritten at redhat.com Wed Sep 14 20:46:40 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 14 Sep 2011 16:46:40 -0400 Subject: [Freeipa-devel] Upgrading a machine to use the proxy. In-Reply-To: <4E6F6B67.4000001@redhat.com> References: <4E6F6B67.4000001@redhat.com> Message-ID: <4E7112B0.3060502@redhat.com> Adam Young wrote: > To convert an older build where the PKI system wasn't proxied: > > > awk '{print $0} /Define an AJP 1.3 Connector on port/ {print "<Connector port=\"9447\" protocol=\"AJP/1.3\" redirectPort=\"9444\" />" }' > /etc/pki-ca/server.xml > server.xml.new ; mv server.xml.new > /etc/pki-ca/server.xml > > sed -e "s/\[PKI_MACHINE_NAME\]/$HOSTNAME/g" -e > "s/\[PKI_AJP_PORT\]/9444/g" /usr/share/pki/ca/conf/proxy.conf > > /etc/pki-ca/proxy.conf > > > I've used the default ports here. Adjust if you've altered yours. > > > IPA copies the proxy.conf file into /etc/httpd/conf.d and renames it. > You can do the same thing by hand. > > > I'm not sure if this should go into PKI or IPA. Since these are dogtag configuration files I think dogtag needs to handle updating them. rob From dpal at redhat.com Wed Sep 14 21:04:34 2011
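The conversion quoted above, as an added example that is neither Adam Young's commands nor dogtag or IPA code: the same two edits done as text transformations that can be re-run safely. The awk one-liner appends a connector every time it runs, so the example checks for an existing connector on the port first and refuses to proceed when the marker comment is absent. The marker comment and the `[PKI_MACHINE_NAME]` / `[PKI_AJP_PORT]` placeholders come from the message; the sample server.xml and proxy.conf template are constructed here, and the ports are parameters because the message uses 9447 for the connector but 9444 in proxy.conf and the example makes no claim about which is right for a given install. Python 3.

```python
"""Added example (not Adam Young's commands, not dogtag/IPA code): the server.xml
and proxy.conf conversion from the message above as idempotent text transformations.
Marker comment and placeholders are from the message; sample inputs are constructed."""
AJP_MARKER = "Define an AJP 1.3 Connector on port"


def add_ajp_connector(server_xml, ajp_port, redirect_port):
    """Insert an AJP connector after the marker comment and return the new text.
    If a connector on ajp_port is already present, return server_xml unchanged;
    if the marker is missing, raise ValueError instead of silently doing nothing."""
    if 'port="%d" protocol="AJP/1.3"' % ajp_port in server_xml:
        return server_xml
    connector = '<Connector port="%d" protocol="AJP/1.3" redirectPort="%d" />' % (ajp_port, redirect_port)
    out, found = [], False
    for line in server_xml.splitlines(True):
        out.append(line)
        if AJP_MARKER in line:
            indent = line[:len(line) - len(line.lstrip())]   # keep the file's indentation
            out.append(indent + connector + "\n")
            found = True
    if not found:
        raise ValueError("marker %r not found; server.xml layout differs from the expected one" % AJP_MARKER)
    return "".join(out)


def render_proxy_conf(template, hostname, ajp_port):
    """Fill the proxy.conf template the way the sed command in the message does."""
    return template.replace("[PKI_MACHINE_NAME]", hostname).replace("[PKI_AJP_PORT]", str(ajp_port))


def convert(server_xml, template, hostname, ajp_port, redirect_port):
    """Apply both steps; safe to call again on already-converted input."""
    return add_ajp_connector(server_xml, ajp_port, redirect_port), render_proxy_conf(template, hostname, ajp_port)


# Constructed sample inputs (not real dogtag files) for a stand-alone run.
SAMPLE_SERVER_XML = """<Service name="Catalina">
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
</Service>
"""
SAMPLE_PROXY_TEMPLATE = "ProxyPass /ca/ee/ca/ ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ca/ee/ca/\n"

if __name__ == "__main__":
    xml, conf = convert(SAMPLE_SERVER_XML, SAMPLE_PROXY_TEMPLATE, "ipa.example.com", 9447, 9444)
    print(xml)
    print(conf)
```

Because the check is keyed on the connector's port rather than on the marker, a commented-out default connector (8009 in the sample) does not block the insertion, and a second run returns the text unchanged.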
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 14 Sep 2011 17:04:34 -0400 Subject: [Freeipa-devel] Upgrading a machine to use the proxy. In-Reply-To: <4E7112B0.3060502@redhat.com> References: <4E6F6B67.4000001@redhat.com> <4E7112B0.3060502@redhat.com> Message-ID: <4E7116E2.1080305@redhat.com> On 09/14/2011 04:46 PM, Rob Crittenden wrote: > Adam Young wrote: >> To convert an older build where the PKI system wasn't proxied: >> >> >> awk '{print $0} /Define an AJP 1.3 Connector on port/ {print "<Connector port=\"9447\" protocol=\"AJP/1.3\" redirectPort=\"9444\" />" }' >> /etc/pki-ca/server.xml > server.xml.new ; mv server.xml.new >> /etc/pki-ca/server.xml >> >> sed -e "s/\[PKI_MACHINE_NAME\]/$HOSTNAME/g" -e >> "s/\[PKI_AJP_PORT\]/9444/g" /usr/share/pki/ca/conf/proxy.conf > >> /etc/pki-ca/proxy.conf >> >> >> I've used the default ports here. Adjust if you've altered yours. >> >> >> IPA copies the proxy.conf file into /etc/httpd/conf.d and renames it. >> You can do the same thing by hand. >> >> >> I'm not sure if this should go into PKI or IPA. > > Since these are dogtag configuration files I think dogtag needs to > handle updating them. > Agree. > rob > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From simo at redhat.com Wed Sep 14 22:45:59 2011
From: simo at redhat.com (Simo Sorce) Date: Wed, 14 Sep 2011 18:45:59 -0400 Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility In-Reply-To: <20110914125042.GA2186@localhost.localdomain> References: <1314364467.20296.226.camel@willson.li.ssimo.org> <20110830144028.GE12659@localhost.localdomain> <1315433450.2684.13.camel@willson.li.ssimo.org> <20110908115245.GF21228@localhost.localdomain> <1315483606.5141.20.camel@dhcp-25-52.brq.redhat.com> <20110908123927.GG21228@localhost.localdomain> <1315609607.2684.137.camel@willson.li.ssimo.org> <20110912155308.GB7369@localhost.localdomain> <1315862678.2684.237.camel@willson.li.ssimo.org> <20110913160133.GE7369@localhost.localdomain> <20110914125042.GA2186@localhost.localdomain> Message-ID: <1316040359.2684.330.camel@willson.li.ssimo.org> On Wed, 2011-09-14 at 14:50 +0200, Sumit Bose wrote: > a recent commit in master made another change necessary. Additionally I > renamed smbinstance to adtrustinstance and check for more samba client > binaries which are needed by the utility. New version attached. Tested and works great! ACK, Pushed to master. Simo. > -- Simo Sorce * Red Hat, Inc * New York From edewata at redhat.com Wed Sep 14 23:51:42 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 14 Sep 2011 18:51:42 -0500 Subject: [Freeipa-devel] [PATCH] 016 Fixed: Some widgets do not have space for validation error message In-Reply-To: <4E709CBD.7040009@redhat.com> References: <4E709A20.8070301@redhat.com> <4E709CBD.7040009@redhat.com> Message-ID: <4E713E0E.80609@redhat.com> On 9/14/2011 7:23 AM, Petr Vobornik wrote: > Forgot to update tests - to address newly added validation row in > table_widget. One issue, in all search and association facets we now have 2 rows of footer (there are 2 horizontal lines at the bottom). I think it would be better to use a single row for both summary/error messages and pagination. The messages will be left aligned, the pagination will be right aligned. -- Endi S. Dewata From edewata at redhat.com Thu Sep 15 00:00:26 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 14 Sep 2011 19:00:26 -0500 Subject: [Freeipa-devel] [PATCH] 269 Fixed problem opening host adder dialog. Message-ID: <4E71401A.4050402@redhat.com> The hidden fqdn field in the host adder dialog has been changed to use a generic widget instead of text widget to avoid null pointer error since the UI elements are never created. Ticket #1788 Pushed to master and ipa-2-1 under one-liner/trivial rule. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0269-Fixed-problem-opening-host-adder-dialog.patch Type: text/x-patch Size: 978 bytes Desc: not available URL: From edewata at redhat.com Thu Sep 15 00:06:49 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 14 Sep 2011 19:06:49 -0500 Subject: [Freeipa-devel] [PATCH] 270 Fixed posix group checkbox. Message-ID: <4E714199.9030501@redhat.com> In the adder dialog for groups the checkbox has been modified to use the correct field name "nonposix" and be checked by default. Note: This is a temporary fix to minimize the changes due to release schedule. Eventually the field label will be changed into "Non-POSIX group" and the checkbox will be unchecked by default, which is more consistent with CLI. Ticket #1799 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0270-Fixed-posix-group-checkbox.patch Type: text/x-patch Size: 3504 bytes Desc: not available URL: From edewata at redhat.com Thu Sep 15 00:10:28 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 14 Sep 2011 19:10:28 -0500 Subject: [Freeipa-devel] [PATCH] 271 Modified dialog to use sections. Message-ID: <4E714274.7080507@redhat.com> The IPA.dialog has been modified to store sections instead of fields. If there is no sections specified, it will create a default section. The adder dialog for automount map has been modified such that the fields related to indirect map are stored in a section which will only be visible when the map type is set to indirect. The adder dialog for host has been modified such that it uses a custom section for hostname and DNS zone and standard section for the other fields. Ticket #1394 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0271-Modified-dialog-to-use-sections.patch Type: text/x-patch Size: 46800 bytes Desc: not available URL: From JR.Aquino at citrix.com Thu Sep 15 00:47:52 2011 
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 15 Sep 2011 00:47:52 +0000
Subject: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry
In-Reply-To: <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com>
References: <28D50949-6CAB-4B58-BA3D-7F2C31EFEC35@citrixonline.com> <4DB085BB.6080104@redhat.com> <1303426875.26325.4.camel@willson.li.ssimo.org> <1303738997.23464.13.camel@willson.li.ssimo.org> <1303747204.23464.19.camel@willson.li.ssimo.org> <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <128FDDA2-BC61-4D75-B08F-EA89C0C62CB3@citrixonline.com>

On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote:

> On Thu, 2011-07-21 at 23:52 +0000, JR Aquino wrote:
>> On Apr 25, 2011, at 9:00 AM, Simo Sorce wrote:
>>
>>> On Mon, 2011-04-25 at 14:59 +0000, JR Aquino wrote:
>>>> On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote:
>>>>
>>>>> On Thu, 2011-04-21 at 23:28 +0000, JR Aquino wrote:
>>>>>> Hmmm
>>>>>> Both Private Groups and the Hostgroup -> Netgroup Managed Entries
>>>>>> create objects in the container:
>>>>>> cn=Managed Entries,cn=plugins,cn=config
>>>>>>
>>>>>> Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX,
>>>>>> and one in the cn=config
>>>>>>
>>>>>> How will these be treated by replication and the multi masters?
>>>>>
>>>>> Only the common objects in the public suffix are replicated.
>>>>> I think at some point we discussed that we should use a filter in the
>>>>> private config entry made so that we could enable/disable the plugin by
>>>>> simply making the filter result true/false.
>>>>> Thus not ever touch the entries in cn=config but simply
>>>>> "enable"/"disable" the functionality by (not)adding the appropriate
>>>>> attributes to objects so that filters would (not) match.
>>>>>
>>>>> Simo.
>>>>
>>>> This tool works by toggling the originfilter: objectclass=disabled in order to turn off the plugin.
>>>
>>> But this is backwards, because originfilter is defined in the
>>> configuration entry stored in cn=config
>>>
>>> Meaning as soon as you change it one server will behave differently from
>>> the others until you go and change it on each and every server.
>>
>> Finally able to revisit this Patch / Ticket:
>> (To be used in conjunction with Patch 38)
>>
>> 25 Create Tool for Enabling/Disabling Managed Entry
>> Plugins https://fedorahosted.org/freeipa/ticket/1181
>>
>> Remove legacy ipa-host-net-manage
>> Add ipa-managed-entries tool
>> Add man page for ipa-managed-entries tool
>>
>
> I have found a few issues with the patch:
>
> 1) I don't think it's necessary to change BuildRequires to
> 389-ds-base-devel >= 1.2.8

This is no longer necessary and has been removed.

> 2) Invalid comment in get_dirman_password() function. There is no
> verification of the password. It just prompts it

This has been corrected.

> 3) ipa-managed entries man pages: copy & paste error:
> +Directory Server will need to be restarted after the schema
> compatibility plugin has been enabled.

Copy / paste typo corrected.

> 4) Invalid help of the program:
> # ipa-managed-entries --help
> Usage: ipa-managed-entries [options]
> ipa-managed-entries [options]
>
> - status action is missing
> - running program without action is not allowed, i.e. should not be
> offered

Corrected help entries.

> 5) I was thinking if there is a better solution to enabling/disabling of
> the plugin. Like setting something like "managedEntryEnabled" attribute
> to on/off as we do with compat plugin. Current concept with disabling
> the definition by damaging the originFilter and then restoring it from
> an LDIF seems a bit awkward to me.

This has been completely changed:
Instead of looking to ldif files, an ldap look up is now performed to dynamically list the available managed entries.
>
> 6) ipa-managed-entries crashes when managed entry is a wrong file:
>
> # ipa-managed-entries status -f /usr/share/ipa/managed-entries.ldif
> Directory Manager password:
>
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-managed-entries", line 245, in
>     sys.exit(main())
>   File "/usr/sbin/ipa-managed-entries", line 141, in main
>     originFilter = entry_attr['originFilter'][0]
> KeyError: 'originFilter'

This is no longer an issue now that it is no longer using the ldif files.

> 7) What if there are more managed entries in the LDIF? This concept
> would not work correctly then. A behavior I would expect:
> a) User (optionally) passes a directory with managed entries LDIFs
> b) ipa-managed-entries analyzes all LDIFs and prints available Managed
> Entry definitions
> c) I would choose the one I want to enable/disable via
> ipa-managed-entries option

Also no longer an issue.

> Martin
>

Corrected Patch Attached:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch
Type: application/octet-stream
Size: 24589 bytes
Desc: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch
URL: 

From mkosek at redhat.com Thu Sep 15 07:38:45 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 15 Sep 2011 09:38:45 +0200
Subject: [Freeipa-devel] [PATCH] 874 suppress managed netgroups as indirect members of hosts
In-Reply-To: <4E711109.3090501@redhat.com>
References: <4E711109.3090501@redhat.com>
Message-ID: <1316072330.2479.4.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-09-14 at 16:39 -0400, Rob Crittenden wrote:
> Suppress managed netgroups as indirect members of hosts. This enhances a
> previous patch that I did for hostgroups.
>
> rob

This works fine. I just have one suggestion for the code - the suppress_netgroup_memberof() function was already implemented in the last patch:

https://fedorahosted.org/freeipa/changeset/ca1ca17cb61516dff6933b1b0381b32e1e38d44c

for hostgroup. I suggest making this function more general and calling it from both host and hostgroup objects.

Martin

From atkac at redhat.com Thu Sep 15 08:26:50 2011
From: atkac at redhat.com (Adam Tkac)
Date: Thu, 15 Sep 2011 10:26:50 +0200
Subject: [Freeipa-devel] Structured DNS record API proposal
In-Reply-To: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com>
References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E71B6CA.3030002@redhat.com>

On 09/14/2011 06:18 PM, Martin Kosek wrote:
> Attached in the txt file. If you have any comments or suggestions to
> this proposal, please let me know.
>
> https://fedorahosted.org/freeipa/ticket/1766

Your proposal seems fine to me. However I would recommend not to expose routines for managing DNSSEC related records because DNSSEC is currently not supported in the bind-dyndb-ldap. This doesn't mean you should remove code which handles those records, just don't expose them to users, please. Routines can be reused in future, when we decide how to handle DNSSEC in FreeIPA.

I checked the "dnsrecord--add" list below and DNSSEC related records are DS, KEY, NSEC, RRSIG, SIG.

Regards,
Adam

>
> new-dns-api.txt
>
>
> https://fedorahosted.org/freeipa/ticket/1766
>
> This is a proposal for API for per-DNS-type interface in FreeIPA.
>
> There are many structured DNS RR types where DNS data is not just an IP address or a domain name, but a (often complex) data structure. Example of adding a structured DNS RR (LOC in this case):
>
> ipa dnsrecord-add example.com @ --loc-rec "49 11 42.4 N 16 36 29.6 E 227.64m"
>
> It may be difficult to enter such DNS record to FreeIPA without making an error (which would lead to an invalid zone in this case). For this reason, I have created at least basic validators in my patch 120 (ticket 1106).
>
> GOAL:
> Create API useful for both CLI and WebUI capable of creating these structured DNS types
>
> CURRENT API:
> ipa dnsrecord-add     Add new DNS resource record.
> ipa dnsrecord-del     Delete DNS resource record.
> ipa dnsrecord-find    Search for DNS resources.
> ipa dnsrecord-mod     Modify a DNS resource record.
> ipa dnsrecord-show    Display DNS resource.
>
> PROPOSED API IMPROVEMENT:
> Proposed API for all supported structured DNS follows:
>
> ipa dnsrecord-afsdb-add --subtype=INT --hostname=STR
> ipa dnsrecord-cert-add --type=ENUM --tag=INT --algorithm=ENUM --certificate=STR
> ipa dnsrecord-ds-add --tag=INT --algorithm=ENUM --type=ENUM --digest=STR
> ipa dnsrecord-key-add --flags=LIST --protocol=INT --algorithm=ENUM --digest=STR
> ipa dnsrecord-kx-add --preference=INT --exchanger=STR
> ipa dnsrecord-loc-add --lat-deg=INT --lat-min=INT --lat-sec=FLOAT --lat-dir=ENUM --lon-deg=INT --lon-min=INT --lon-sec=FLOAT --lon-dir=ENUM --alt=FLOAT --h-precision=FLOAT --v-precision=FLOAT
> ipa dnsrecord-mx-add --priority=INT --mailserver=STR
> ipa dnsrecord-nsec-add --next=STR --types=LIST
> ipa dnsrecord-naptr-add --order=INT --preference=INT --flag=ENUM --service=STR --regexp=STR --replacement=STR
> ipa dnsrecord-sig-add --type=ENUM --algorithm=ENUM --labels=INT --original-ttl=INT --sig-expiration=INT --sig-inception=INT --tag=INT --signer=STR --signature=STR
> ipa dnsrecord-srv-add --priority=INT --weight=INT --port=INT --target=STR
> ipa dnsrecord-sshfp-add --algorithm=ENUM --type=ENUM --fingerprint=STR
> ipa dnsrecord-rrsig-add --type=ENUM --algorithm=ENUM --labels=INT --original-ttl=INT --sig-expiration=INT --sig-inception=INT --tag=INT --signer=STR --signature=STR
>
> To support also modification of current records (i.e. replacement) we can add a "mod" equivalent, e.g.:
> ipa dnsrecord-afsdb-mod --subtype=INT --hostname=STR
> ipa dnsrecord-cert-mod --type=ENUM --tag=INT --algorithm=ENUM --certificate=STR
> ...
>
> I think this is what WebUI guys will want.
>
>
> EXAMPLE OF OPTIONS:
> The available options for particular RR types will be based on RFC research I have already done for my patch 120. Let's see how the API will look.
>
> 1) LOC record example noted in the beginning:
>
> ipa dnsrecord-loc-add example.com @ --lat-deg=49 --lat-min=11 --lat-sec=42.4 --lat-dir=N --lon-deg=16 --lon-min=36 --lon-sec=29.6 --lon-dir=E --alt=227.64
>
> Good thing about options is that we can divide them into mandatory and optional and provide defaults. In this case, one can enter an imprecise LOC record with:
>
> ipa dnsrecord-loc-add example.com @ --lat-deg=49 --lat-dir=N --lon-deg=16 --lon-dir=E
>
>
> 2) Another example with CERT RR type:
>
> CURRENT API:
> ipa dnsrecord-add example.com foo --cert-rec="1 0 5 MIIDfzCCAuigAwIBAgIKcYxqqAAAAAAAFzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpVTS1BTUFMR0ExMB4XDTEwMDYwMTE3NTM1NVoXDTExMDYwMTE4MDM1NVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEMMAoG"
>
> NEW API:
> ipa dnsrecord-cert-add example.com foo --type=PKIX --tag=0 --algorithm=RSASHA1 --certificate=MIIDfzCCAuigAwIBAgIKcYxqqAAAAAAAFzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpVTS1BTUFMR0ExMB4XDTEwMDYwMTE3NTM1NVoXDTExMDYwMTE4MDM1NVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEMMAoG
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

From mkosek at redhat.com Thu Sep 15 08:47:50 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 15 Sep 2011 10:47:50 +0200
Subject: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry
In-Reply-To: <128FDDA2-BC61-4D75-B08F-EA89C0C62CB3@citrixonline.com>
References: <28D50949-6CAB-4B58-BA3D-7F2C31EFEC35@citrixonline.com> <4DB085BB.6080104@redhat.com> <1303426875.26325.4.camel@willson.li.ssimo.org> <1303738997.23464.13.camel@willson.li.ssimo.org> <1303747204.23464.19.camel@willson.li.ssimo.org> <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com> <128FDDA2-BC61-4D75-B08F-EA89C0C62CB3@citrixonline.com>
Message-ID: <1316076472.2479.10.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-09-15 at 00:47 +0000, JR Aquino wrote:
> On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote:
> > 5) I was thinking if there is a better solution to enabling/disabling of
> > the plugin. Like setting something like "managedEntryEnabled" attribute
> > to on/off as we do with compat plugin. Current concept with disabling
> > the definition by damaging the originFilter and then restoring it from
> > an LDIF seems a bit awkward to me.
>
> This has been completely changed:
> Instead of looking to ldif files, an ldap look up is now performed to dynamically list the available managed entries.

Now we are talking :-) I like the new approach.

I have reviewed your patch, basic functionality looks good.
But I still have a few (nitpicking) comments:

1) There are parts from the previous file that are no longer needed since you switched to a different approach:

+import os

+ from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax

+ import StringIO

+ import ldif

+except BadSyntax, e:
+ print "There is a syntax error in this update file:"
+ print " %s" % e
+ sys.exit(1)

2) I saw a few whitespace errors on the following lines of the patch: 419, 433 and 453

3) Output of the --list method is confusing:

# ipa-managed-entries --list
Directory Manager password:

Available Managed Entry Plugins:
cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
cn=ngp definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

You must specify a managed entry definition   <<<
# echo $?
1   <<<

a) I shouldn't be asked to specify a managed entry definition for --list
b) The listing was successful, so we shouldn't return an error code

4) Return code for disabling an already disabled entry should be 2 (according to man pages):

# ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable
Directory Manager password:

Plugin already disabled
# echo $?
0

5) Strangely, enabling a disabled plugin gives me return code 2:

# ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable
Directory Manager password:

Enabling Plugin
# echo $?
2

Return codes for these actions should fit the man pages.

6) I would improve working with LDAP filters, the current solution is error prone. Try disabling & enabling NGP Definition, we end up with this originFilter:

originfilter: (&(objectclass=ipahostgroup))

I think the cleanest solution would be to use the ldap.make_filter and ldap.combine_filters functions to play with these filters.
You can inspire yourself in this example I wrote for the DNS plugin:

rev_zone_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE, exact=False,
                                   trailing_wildcard=False)
filter = ldap.combine_filters((rev_zone_filter, filter), rules=ldap.MATCH_ALL)

7) Entering the Directory Manager password every time may be a bit tedious. Could we use current Kerberos credentials and fall back to asking for the Directory Manager password if it doesn't work? It's already done this way in ipa-replica-manage for example.

We could fix this, however, as an enhancement in another patch.

8) Man page - please use the new united FreeIPA man page header. Instead of

+.TH "ipa-managed-entries" "1" "Sept 15 2011" "freeipa" ""

use:

+.TH "ipa-managed-entries" "1" "Sept 15 2011" "FreeIPA" "FreeIPA Manual Pages"

9) Man page - comma is missing for --list option:

+\fB\-l\-\-list\fR

10) install/po/Makefile.in should be updated too: there is still a reference to ipa-host-net-manage and the ipa-managed-entries reference is missing

Martin

From rcritten at redhat.com Thu Sep 15 12:56:33 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 15 Sep 2011 08:56:33 -0400
Subject: [Freeipa-devel] [PATCH] 874 suppress managed netgroups as indirect members of hosts
In-Reply-To: <1316072330.2479.4.camel@dhcp-25-52.brq.redhat.com>
References: <4E711109.3090501@redhat.com> <1316072330.2479.4.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E71F601.4090900@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-09-14 at 16:39 -0400, Rob Crittenden wrote:
>> Suppress managed netgroups as indirect members of hosts. This enhances a
>> previous patch that I did for hostgroups.
>>
>> rob
>
> This works fine. I just have one suggestion for the code - the
> suppress_netgroup_memberof() function was already implemented in the
> last patch:
>
> https://fedorahosted.org/freeipa/changeset/ca1ca17cb61516dff6933b1b0381b32e1e38d44c
>
> for hostgroup. I suggest making this function more general and calling
> it from both host and hostgroup objects.
>
> Martin
>
>

I looked at that. For the hostgroup once you find your own entry you can exit, for hosts you have to look at all netgroups. The dn comparison is also very different. These could be handled as arguments but I think the code would be less clear so I chose quasi-duplication.

rob

From rcritten at redhat.com Thu Sep 15 13:01:04 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 15 Sep 2011 09:01:04 -0400
Subject: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry
In-Reply-To: <1316076472.2479.10.camel@dhcp-25-52.brq.redhat.com>
References: <28D50949-6CAB-4B58-BA3D-7F2C31EFEC35@citrixonline.com> <4DB085BB.6080104@redhat.com> <1303426875.26325.4.camel@willson.li.ssimo.org> <1303738997.23464.13.camel@willson.li.ssimo.org> <1303747204.23464.19.camel@willson.li.ssimo.org> <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com> <128FDDA2-BC61-4D75-B08F-EA89C0C62CB3@citrixonline.com> <1316076472.2479.10.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E71F710.4050707@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-09-15 at 00:47 +0000, JR Aquino wrote:
>> On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote:
>
>>> 5) I was thinking if there is a better solution to enabling/disabling of
>>> the plugin. Like setting something like "managedEntryEnabled" attribute
>>> to on/off as we do with compat plugin. Current concept with disabling
>>> the definition by damaging the originFilter and then restoring it from
>>> an LDIF seems a bit awkward to me.
>>
>> This has been completely changed:
>> Instead of looking to ldif files, an ldap look up is now performed to dynamically list the available managed entries.
>
> Now we are talking :-) I like the new approach.
>
> I have reviewed your patch, basic functionality looks good.
> But I still have a few (nitpicking) comments:
>
> 1) There are parts from the previous file that are no longer needed
> since you switched to a different approach:
>
> +import os
>
> + from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax
>
> + import StringIO
>
> + import ldif
>
> +except BadSyntax, e:
> + print "There is a syntax error in this update file:"
> + print " %s" % e
> + sys.exit(1)
>
>
> 2) I saw a few whitespace errors on the following lines of the patch: 419, 433
> and 453
>
> 3) Output of the --list method is confusing:
>
> # ipa-managed-entries --list
> Directory Manager password:
>
> Available Managed Entry Plugins:
> cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> cn=ngp definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>
> You must specify a managed entry definition   <<<
> # echo $?
> 1   <<<
>
> a) I shouldn't be asked to specify a managed entry definition for --list
> b) The listing was successful, so we shouldn't return an error code
>
> 4) Return code for disabling an already disabled entry should be 2
> (according to man pages):
>
> # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable
> Directory Manager password:
>
> Plugin already disabled
> # echo $?
> 0
>
> 5) Strangely, enabling a disabled plugin gives me return code 2:
> # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable
> Directory Manager password:
>
> Enabling Plugin
> # echo $?
> 2
>
> Return codes for these actions should fit the man pages.
>
> 6) I would improve working with LDAP filters, the current solution is error
> prone. Try disabling & enabling NGP Definition, we end up with this
> originFilter:
>
> originfilter: (&(objectclass=ipahostgroup))

This is actually a legal filter.
>
> I think the cleanest solution would be to use the ldap.make_filter and
> ldap.combine_filters functions to play with these filters. You can
> inspire yourself in this example I wrote for the DNS plugin:
>
> rev_zone_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE, exact=False,
>                                    trailing_wildcard=False)
> filter = ldap.combine_filters((rev_zone_filter, filter), rules=ldap.MATCH_ALL)

I talked to JR about this in irc yesterday and talked him out of using make_filter. We already know what every permutation of these filters is going to look like, building them dynamically seems like overkill.

> 7) Entering the Directory Manager password every time may be a bit tedious. Could we
> use current Kerberos credentials and fall back to asking for the Directory
> Manager password if it doesn't work? It's already done this way in
> ipa-replica-manage for example.
>
> We could fix this, however, as an enhancement in another patch.
>
> 8) Man page - please use the new united FreeIPA man page header. Instead
> of
>
> +.TH "ipa-managed-entries" "1" "Sept 15 2011" "freeipa" ""
>
> use:
>
> +.TH "ipa-managed-entries" "1" "Sept 15 2011" "FreeIPA" "FreeIPA Manual
> Pages"
>
>
> 9) Man page - comma is missing for --list option:
>
> +\fB\-l\-\-list\fR
>
>
> 10) install/po/Makefile.in should be updated too: there is still a
> reference to ipa-host-net-manage and the ipa-managed-entries reference is
> missing
>
>
> Martin

From mkosek at redhat.com Thu Sep 15 14:50:32 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 15 Sep 2011 16:50:32 +0200
Subject: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry
In-Reply-To: <4E71F710.4050707@redhat.com>
References: <28D50949-6CAB-4B58-BA3D-7F2C31EFEC35@citrixonline.com> <4DB085BB.6080104@redhat.com> <1303426875.26325.4.camel@willson.li.ssimo.org> <1303738997.23464.13.camel@willson.li.ssimo.org> <1303747204.23464.19.camel@willson.li.ssimo.org> <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com> <128FDDA2-BC61-4D75-B08F-EA89C0C62CB3@citrixonline.com> <1316076472.2479.10.camel@dhcp-25-52.brq.redhat.com> <4E71F710.4050707@redhat.com>
Message-ID: <1316098235.15088.2.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-09-15 at 09:01 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Thu, 2011-09-15 at 00:47 +0000, JR Aquino wrote:
> >
> > I think the cleanest solution would be to use the ldap.make_filter and
> > ldap.combine_filters functions to play with these filters. You can
> > inspire yourself in this example I wrote for the DNS plugin:
> >
> > rev_zone_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE, exact=False,
> >                                    trailing_wildcard=False)
> > filter = ldap.combine_filters((rev_zone_filter, filter), rules=ldap.MATCH_ALL)
>
> I talked to JR about this in irc yesterday and talked him out of using
> make_filter. We already know what every permutation of these filters is
> going to look like, building them dynamically seems like overkill.
>

OK. I did some tests with the filter methods we provide (make_filter, combine_filters, etc.). It is easy to build a new filter with them, but we don't have means to modify an existing one (enable action). So I can live with the solution that JR has in his current patch.

Martin

From pvoborni at redhat.com Thu Sep 15 16:36:48 2011
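The gap Martin names above (we can build a filter but not modify an existing one) is what leaves the `(&(objectclass=ipahostgroup))` residue after a disable/enable round trip. The following is an added example, not code from JR's patch or from FreeIPA: it parses the originFilter into a small tree (RFC 4515 syntax, `&`, `|`, `!` and simple attribute items), ANDs in or removes the marker term, and collapses a single-child AND so the enabled filter is byte-for-byte the original. The exact marker `(objectclass=disabled)` is taken from the thread; that the tool ANDs it in at the top level is this example's assumption.

```python
"""Toggle a managed-entry originFilter without leaving (&(x)) residue (added example)."""
import re

# Marker term the thread describes; ANDing it at the top level is an assumption.
DISABLE_MARKER = ("item", ("objectclass", "=", "disabled"))

# attr, comparison operator, value (values with escaped parens appear as \28 \29)
_ITEM_RE = re.compile(r"([A-Za-z][A-Za-z0-9.;-]*)(~=|>=|<=|:=|=)([^()]*)")


def parse_filter(text):
    """Parse an RFC 4515 filter into ('&'|'|'|'!', [children]) / ('item', (attr, op, value))."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter: %r" % text[end:])
    return node


def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError("expected %r at offset %d in %r" % (ch, i, s))
    return i + 1


def _parse(s, i):
    i = _expect(s, i, "(")
    if i >= len(s):
        raise ValueError("unterminated filter: %r" % s)
    op = s[i]
    if op in "&|":
        children, i = [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), _expect(s, i, ")")
    if op == "!":
        child, i = _parse(s, i + 1)
        return ("!", [child]), _expect(s, i, ")")
    m = _ITEM_RE.match(s, i)
    if not m:
        raise ValueError("bad filter item at offset %d in %r" % (i, s))
    # Attribute descriptions are case-insensitive; normalise so tuple comparison works.
    item = (m.group(1).lower(), m.group(2), m.group(3))
    return ("item", item), _expect(s, m.end(), ")")


def to_string(node):
    kind, payload = node
    if kind == "item":
        return "(%s%s%s)" % payload
    return "(%s%s)" % (kind, "".join(to_string(c) for c in payload))


def normalize(node):
    """Collapse single-child AND/OR nodes, e.g. (&(x)) -> (x), recursively."""
    kind, payload = node
    if kind == "item":
        return node
    children = [normalize(c) for c in payload]
    if kind in "&|" and len(children) == 1:
        return children[0]
    return (kind, children)


def is_disabled(text):
    node = parse_filter(text)
    return node[0] == "&" and DISABLE_MARKER in node[1]


def disable(text):
    """AND the marker into the filter; idempotent, so a second disable changes nothing."""
    node = normalize(parse_filter(text))
    if node[0] == "&":
        if DISABLE_MARKER in node[1]:
            return to_string(node)
        return to_string(("&", [DISABLE_MARKER] + node[1]))
    return to_string(("&", [DISABLE_MARKER, node]))


def enable(text):
    """Drop the marker and collapse the AND it leaves behind, restoring the original."""
    node = parse_filter(text)
    if node[0] == "&":
        kept = [c for c in node[1] if c != DISABLE_MARKER]
        if not kept:
            raise ValueError("filter %r contains nothing but the disable marker" % text)
        node = ("&", kept)
    return to_string(normalize(node))
```

Because `enable` normalizes, it also repairs a filter that already carries the residue: `enable("(&(objectclass=ipahostgroup))")` yields `(objectclass=ipahostgroup)`, and a filter that was already an AND of several terms keeps all of them.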
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 15 Sep 2011 18:36:48 +0200
Subject: [Freeipa-devel] [PATCH] 270 Fixed posix group checkbox.
In-Reply-To: <4E714199.9030501@redhat.com>
References: <4E714199.9030501@redhat.com>
Message-ID: <4E7229A0.7070002@redhat.com>

On 09/15/2011 02:06 AM, Endi Sukma Dewata wrote:
> In the adder dialog for groups the checkbox has been modified to use
> the correct field name "nonposix" and be checked by default.
>
> Note: This is a temporary fix to minimize the changes due to release
> schedule. Eventually the field label will be changed into "Non-POSIX
> group" and the checkbox will be unchecked by default, which is more
> consistent with CLI.
>
> Ticket #1799

The temporary workaround approach is good but there might be a minor issue. One test for this patch fails. It is because the current implementation sets the checked attribute to false for all values except 'TRUE'. The previous implementation set checked to true if there was any value except 'FALSE'. I tried to search for all usages of checkbox and found that this behaviour is not a problem right now, but I'm not sure if it won't be in the future (but there would have to be changes in the save method). So if it's OK, after a test correction I would consider it ACKed.

-- 
Petr Vobornik

From JR.Aquino at citrix.com Thu Sep 15 17:25:02 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 15 Sep 2011 17:25:02 +0000
Subject: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry
In-Reply-To: <1316076472.2479.10.camel@dhcp-25-52.brq.redhat.com>
References: <28D50949-6CAB-4B58-BA3D-7F2C31EFEC35@citrixonline.com> <4DB085BB.6080104@redhat.com> <1303426875.26325.4.camel@willson.li.ssimo.org> <1303738997.23464.13.camel@willson.li.ssimo.org> <1303747204.23464.19.camel@willson.li.ssimo.org> <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com> <128FDDA2-BC61-4D75-B08F-EA89C0C62CB3@citrixonline.com> <1316076472.2479.10.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <967AED78-B524-4EE8-8A0D-D13E26E7AE6E@citrixonline.com>

On Sep 15, 2011, at 1:47 AM, Martin Kosek wrote:

> On Thu, 2011-09-15 at 00:47 +0000, JR Aquino wrote:
>> On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote:
>
>>> 5) I was thinking if there is a better solution to enabling/disabling of
>>> the plugin. Like setting something like "managedEntryEnabled" attribute
>>> to on/off as we do with compat plugin. Current concept with disabling
>>> the definition by damaging the originFilter and then restoring it from
>>> an LDIF seems a bit awkward to me.
>>
>> This has been completely changed:
>> Instead of looking to ldif files, an ldap look up is now performed to dynamically list the available managed entries.
>
> Now we are talking :-) I like the new approach.
>
> I have reviewed your patch, basic functionality looks good.
> But I still have a few (nitpicking) comments:
>
> 1) There are parts from the previous file that are no longer needed
> since you switched to a different approach:
>
> +import os
>
> + from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax
>
> + import StringIO
>
> + import ldif
>
> +except BadSyntax, e:
> + print "There is a syntax error in this update file:"
> + print " %s" % e
> + sys.exit(1)

Removed

>
> 2) I saw a few whitespace errors on the following lines of the patch: 419, 433
> and 453

Fixed whitespace errors

>
> 3) Output of the --list method is confusing:
>
> # ipa-managed-entries --list
> Directory Manager password:
>
> Available Managed Entry Plugins:
> cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> cn=ngp definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>
> You must specify a managed entry definition   <<<
> # echo $?
> 1   <<<
>
> a) I shouldn't be asked to specify a managed entry definition for --list

Fixed

> b) The listing was successful, so we shouldn't return an error code

Corrected error code

>
> 4) Return code for disabling an already disabled entry should be 2
> (according to man pages):
>
> # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable
> Directory Manager password:
>
> Plugin already disabled
> # echo $?
> 0

Fixed error code

>
> 5) Strangely, enabling a disabled plugin gives me return code 2:
> # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable
> Directory Manager password:
>
> Enabling Plugin
> # echo $?
> 2
>
> Return codes for these actions should fit the man pages.

Fixed error code

>
> 6) I would improve working with LDAP filters, the current solution is error
> prone.
> Try disabling & enabling NGP Definition, we end up with this
> originFilter:
>
> originfilter: (&(objectclass=ipahostgroup))
>
> I think the cleanest solution would be to use the ldap.make_filter and
> ldap.combine_filters functions to play with these filters. You can
> inspire yourself in this example I wrote for the DNS plugin:
>
> rev_zone_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE, exact=False,
>                                    trailing_wildcard=False)
> filter = ldap.combine_filters((rev_zone_filter, filter), rules=ldap.MATCH_ALL)

Rob and you addressed this in the mailing list. For the record, I do agree that we are lacking a method for reading and modifying existing ldap filters. We will continue with the simple string method here for this iteration.

>
> 7) Entering the Directory Manager password every time may be a bit tedious. Could we
> use current Kerberos credentials and fall back to asking for the Directory
> Manager password if it doesn't work? It's already done this way in
> ipa-replica-manage for example.
>
> We could fix this, however, as an enhancement in another patch.

Fixed. We will now use gssapi if available, and prompt for a password if there is no ticket.

>
> 8) Man page - please use the new united FreeIPA man page header. Instead
> of
>
> +.TH "ipa-managed-entries" "1" "Sept 15 2011" "freeipa" ""
>
> use:
>
> +.TH "ipa-managed-entries" "1" "Sept 15 2011" "FreeIPA" "FreeIPA Manual
> Pages"

Fixed

>
>
> 9) Man page - comma is missing for --list option:
>
> +\fB\-l\-\-list\fR
>

Fixed

>
> 10) install/po/Makefile.in should be updated too: there is still a
> reference to ipa-host-net-manage and the ipa-managed-entries reference is
> missing

Fixed

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch
Type: application/octet-stream
Size: 24651 bytes
Desc: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch
URL: 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ATT00001.txt
URL: 

From ayoung at redhat.com Thu Sep 15 19:28:59 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 15 Sep 2011 15:28:59 -0400
Subject: [Freeipa-devel] Structured DNS record API proposal
In-Reply-To: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com>
References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E7251FB.4040406@redhat.com>

On 09/14/2011 12:18 PM, Martin Kosek wrote:
> Attached in the txt file. If you have any comments or suggestions to
> this proposal, please let me know.
>
> https://fedorahosted.org/freeipa/ticket/1766
>
>

ACK. Proposal looks like it will work fairly easily with the UI. We'll have to make some changes due to the Add doing something different based on the type, but that is the case anyway.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From rcritten at redhat.com Thu Sep 15 19:51:16 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 15 Sep 2011 15:51:16 -0400
Subject: [Freeipa-devel] [PATCH] 45 Check that install hostname matches the server hostname
In-Reply-To: <20110912100924.GB22121@redhat.com>
References: <4E6625E5.2040201@redhat.com> <4E665D43.4090204@redhat.com> <4E67129B.8020809@redhat.com> <4E676DED.2050102@redhat.com> <4E6DB9D7.7060300@redhat.com> <20110912100924.GB22121@redhat.com>
Message-ID: <4E725734.4040009@redhat.com>

Alexander Bokovoy wrote:
> On Mon, 12 Sep 2011, Jan Cholasta wrote:
>>> We can't dictate which interface matches the hostname. At most we can
>>> warn about this, but not fail to install.
>>>
>>> rob
>>
>> Changed to print a warning message instead of raising an error.
> ACK.
>

pushed to master and ipa-2-1

From rcritten at redhat.com Thu Sep 15 20:05:19 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 15 Sep 2011 16:05:19 -0400
Subject: [Freeipa-devel] [PATCH] 875 fix rpm installation ordering
Message-ID: <4E725A7F.7020502@redhat.com>

freeipa-server-selinux was getting installed before freeipa-server which caused some SELinux contexts to not be set properly. The existing Requires we had used to fix things, perhaps a change in rpm caused this to break, who knows. I'm not even sure when this stopped working.

I added an extra postun rule so that the server-selinux package is removed as a dependency when you do a yum erase freeipa-python.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-875-selinux.patch
Type: text/x-patch
Size: 1553 bytes
Desc: not available
URL: 

From ayoung at redhat.com Thu Sep 15 21:39:18 2011
From: ayoung at redhat.com (Adam Young) Date: Thu, 15 Sep 2011 17:39:18 -0400 Subject: [Freeipa-devel] Upgrading a machine to use the proxy. In-Reply-To: <4E7112B0.3060502@redhat.com> References: <4E6F6B67.4000001@redhat.com> <4E7112B0.3060502@redhat.com> Message-ID: <4E727086.2010907@redhat.com> OK, here's something closer to releasable and written in Perl. This script will upgrade the proxy ports to 9444 by default, or allow you to override by setting the first parameter. -------------- next part -------------- A non-text attachment was scrubbed... Name: enable_proxy_dogtag.pl Type: application/x-perl Size: 1445 bytes Desc: not available URL: From mkosek at redhat.com Fri Sep 16 07:42:31 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 16 Sep 2011 09:42:31 +0200 Subject: [Freeipa-devel] Structured DNS record API proposal In-Reply-To: <4E7251FB.4040406@redhat.com> References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com> <4E7251FB.4040406@redhat.com> Message-ID: <1316158954.24447.31.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-09-15 at 15:28 -0400, Adam Young wrote: > On 09/14/2011 12:18 PM, Martin Kosek wrote: > > Attached in the txt file. If you have any comments or suggestions to > > this proposal, please let me know. > > > > https://fedorahosted.org/freeipa/ticket/1766 > > > > > > _______________________________________________ > > Freeipa-devel mailing list > > Freeipa-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > ACK. Proposal looks like it will work fairly easily with the UI. > We'll have to make some changes due to the Add doing something > different based on the type, but that is the case anyway. Yes, I was thinking how we can integrate this new API into the WebUI. AFAIK you use dnsrecord-add $ZONE $REC --a-rec=... --mx-rec=... for adding a new DNS record and dnsrecord-mod $ZONE $REC --mx-rec=... when for example the mx record is being modified. All MX values (even the unmodified ones) are passed to dnsrecord-mod. 1) I was wondering how the new dnsrecord--add commands can be used. I suppose WebUI will know a list of DNS record types with these new structured commands and offer the user a new window to add a record for these types instead of typing them directly into the text box as it is now. 2) But my main concern here is how the modification of current DNS records should work. Say, we have 2 MX records for example.com. How can we modify one of them in a new structured interface? We would have to implement a dnsrecord-mx-show method so that you can fill all the text areas (preference, mailserver). The question is how to refer to the value we want to show since DNS records are multivalued. 
We could pass --dnsrecord="..." with the DNS record value, e.g. "0 mx.example.com." and then use the same value for dnsrecord-mx-mod. The whole command sequence would look this way:

dnsrecord-find example.com -- get all DNS records for example.com
dnsrecord-show example.com @ -- show DNS records directly in the zone
NS: "ns.example.com"
MX: "0 mx1.example.com."
MX: "1 mx2.example.com." << user wants to modify this one -> new window

dnsrecord-mx-show example.com --dnsrecord="1 mx1.example.com."
PREFERENCE: 1 << user modifies this to 0
MAILSERVER: mx2.example.com.

dnsrecord-mx-mod example.com --dnsrecord="1 mx1.example.com." --preference=0

What do you think about this API for record modification? Martin From mkosek at redhat.com Fri Sep 16 07:51:41 2011
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 16 Sep 2011 09:51:41 +0200 Subject: [Freeipa-devel] Structured DNS record API proposal In-Reply-To: <4E71B6CA.3030002@redhat.com> References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com> <4E71B6CA.3030002@redhat.com> Message-ID: <1316159504.24447.39.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-09-15 at 10:26 +0200, Adam Tkac wrote: > On 09/14/2011 06:18 PM, Martin Kosek wrote: > > Attached in the txt file. If you have any comments or suggestions to > > this proposal, please let me know. > > > > https://fedorahosted.org/freeipa/ticket/1766 > > Your proposal seems fine for me. However I would recommend not to expose > routines for managing DNSSEC related records because DNSSEC is currently > not supported in the bind-dyndb-ldap. This doesn't mean you should > remove code which handles those records, just don't expose them to > users, please. Routines can be reused in future, when we decide how to > handle DNSSEC in FreeIPA. > > I checked the "dnsrecord--add" list below and DNSSEC related > records are DS, KEY, NSEC, RRSIG, SIG. > > Regards, Adam Since we don't know how DNSSEC records will be handled, I would rather not implement the methods now and then reimplement them. When I was implementing DNS validators in patch 120 I noticed we provide API to add many RR types that are not supported via bind-dyndb-ldap at all. Any attempt to add them ends with a missing LDAP schema attribute error. Since the new API is targeted for the new FreeIPA major release I wouldn't be afraid to remove all these RR types from our API (they don't work anyway). This applies to these RR types: APL, DHCID, DLV, DNSKEY, HIP, IPSECKEY, NSEC3, NSEC3PARAM, RP, TA, TKEY, TSIG. IMO, we should then add RR types there _only_ when they are supported by bind-dyndb-ldap. Martin From atkac at redhat.com Fri Sep 16 08:13:13 2011
From: atkac at redhat.com (Adam Tkac) Date: Fri, 16 Sep 2011 10:13:13 +0200 Subject: [Freeipa-devel] Structured DNS record API proposal In-Reply-To: <1316159504.24447.39.camel@dhcp-25-52.brq.redhat.com> References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com> <4E71B6CA.3030002@redhat.com> <1316159504.24447.39.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E730519.6090408@redhat.com> On 09/16/2011 09:51 AM, Martin Kosek wrote: > On Thu, 2011-09-15 at 10:26 +0200, Adam Tkac wrote: > >> Your proposal seems fine for me. However I would recommend not to expose >> routines for managing DNSSEC related records because DNSSEC is currently >> not supported in the bind-dyndb-ldap. This doesn't mean you should >> remove code which handles those records, just don't expose them to >> users, please. Routines can be reused in future, when we decide how to >> handle DNSSEC in FreeIPA. >> >> I checked the "dnsrecord--add" list below and DNSSEC related >> records are DS, KEY, NSEC, RRSIG, SIG. >> >> Regards, Adam > Since we don't know how DNSSEC records will be handled, I would rather > not implement the methods now and then reimplement them. > > When I was implementing DNS validators in patch 120 I noticed we provide > API to add many RR types that are not supported via bind-dyndb-ldap at > all. Any attempt to add them ends with a missing LDAP schema attribute > error. > > Since the new API is targeted for the new FreeIPA major release I wouldn't > be afraid to remove all these RR types from our API (they don't work > anyway). > > This applies to these RR types: APL, DHCID, DLV, DNSKEY, HIP, IPSECKEY, > NSEC3, NSEC3PARAM, RP, TA, TKEY, TSIG. > > IMO, we should then add RR types there _only_ when they are supported by > bind-dyndb-ldap. Ack, this is the best for now. Regards, Adam From abokovoy at redhat.com Fri Sep 16 08:48:27 2011
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 16 Sep 2011 11:48:27 +0300 Subject: [Freeipa-devel] [PATCH] 875 fix rpm installation ordering In-Reply-To: <4E725A7F.7020502@redhat.com> References: <4E725A7F.7020502@redhat.com> Message-ID: <20110916084826.GC31677@redhat.com> On Thu, 15 Sep 2011, Rob Crittenden wrote: > freeipa-server-selinux was getting installed before freeipa-server > which caused some SELinux contexts to not be set properly. > > The existing Requires we had used to fix things, perhaps a change in > rpm caused this to break, who knows. I'm not even sure when this > stopped working. > > I added an extra postun rule so that the server-selinux package is > removed as a dependency when you do a yum erase freeipa-python. ACK. -- / Alexander Bokovoy From mkosek at redhat.com Fri Sep 16 09:11:32 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 16 Sep 2011 11:11:32 +0200 Subject: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry In-Reply-To: <967AED78-B524-4EE8-8A0D-D13E26E7AE6E@citrixonline.com> References: <28D50949-6CAB-4B58-BA3D-7F2C31EFEC35@citrixonline.com> <4DB085BB.6080104@redhat.com> <1303426875.26325.4.camel@willson.li.ssimo.org> <1303738997.23464.13.camel@willson.li.ssimo.org> <1303747204.23464.19.camel@willson.li.ssimo.org> <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com> <128FDDA2-BC61-4D75-B08F-EA89C0C62CB3@citrixonline.com> <1316076472.2479.10.camel@dhcp-25-52.brq.redhat.com> <967AED78-B524-4EE8-8A0D-D13E26E7AE6E@citrixonline.com> Message-ID: <1316164295.24447.43.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-09-15 at 17:25 +0000, JR Aquino wrote: > On Sep 15, 2011, at 1:47 AM, Martin Kosek wrote: > > > On Thu, 2011-09-15 at 00:47 +0000, JR Aquino wrote: > >> On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote: > > > >>> 5) I was thinking if there is a better solution to enabling/disabling of > >>> the plugin. Like setting something like "managedEntryEnabled" attribute > >>> to on/off as we do with compat plugin. Current concept with disabling > >>> the definition by damaging the originFilter and then restoring it from > >>> an LDIF seems a bit awkward to me. > >> > >> This has been completely changed: > >> Instead of looking to ldif files, an ldap look up is now performed to dynamically list the available managed entries. > > > > Now we are talking :-) I like the new approach. > > > > > > > I have reviewed your patch, basic functionality looks good. 
But I still > > have a few (nitpicking) comments: > > > > 1) There are parts from the previous file that are no longer needed > > since you switched to a different approach: > > > > +import os > > > > + from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax > > > > + import StringIO > > > > + import ldif > > > > +except BadSyntax, e: > > + print "There is a syntax error in this update file:" > > + print " %s" % e > > + sys.exit(1) > > Removed > > > > > 2) I saw a few whitespace errors on following lines of the patch: 419, 433 > > and 453 > > Fixed whitespace errors > > > > > 3) Output of the --list method is confusing: > > > > # ipa-managed-entries --list > > Directory Manager password: > > > > Available Managed Entry Plugins: > > cn=upg definition,cn=definitions,cn=managed > > entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > > cn=ngp definition,cn=definitions,cn=managed > > entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > > > > You must specify a managed entry definition <<< > > # echo $? > > 1 <<< > > > > a) I shouldn't be asked to specify a managed entry definition for --list > > Fixed > > > b) The listing was successful, so we shouldn't return an error code > > Corrected error code > > > > > 4) Return code for disabling an already disabled entry should be 2 > > (according to man pages): > > > > # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable > > Directory Manager password: > > > > Plugin already disabled > > # echo $? > > 0 > > Fixed error code > > > > > 5) Strangely, enabling a disabled plugin gives me return code 2: > > # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable > > Directory Manager password: > > > > Enabling Plugin > > # echo $? > > 2 > > > > Return codes for these actions should fit the man pages. 
> > Fixed error code > > > > > 6) I would improve working with LDAP filters, current solution is error > > prone. Try disabling&enabling NGP Definition, we end up with this > > originFilter: > > > > originfilter: (&(objectclass=ipahostgroup)) > > > > I think the cleanest solution would be to use ldap.make_filter and > > ldap.combine_filters functions to play with these filters. You can > > inspire yourself in this example I wrote for DNS plugin: > > > > rev_zone_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE, exact=False, > > trailing_wildcard=False) > > filter = ldap.combine_filters((rev_zone_filter, filter), rules=ldap.MATCH_ALL) > > Rob and you addressed this in the mailing list. > For the record, I do agree that we are lacking a method for reading and modifying existing ldap filters. > We will continue with the simple string method here for this iteration. > > > > > 7) Entering the Directory Manager password every time may be a bit tedious. Could we > > use current Kerberos credentials and fall back to asking for the Directory > > Manager password if it doesn't work? It's already done this way in > > ipa-replica-manage for example. > > > > We could fix this, however, as an enhancement in another patch. > > Fixed. We now will use gssapi if available, and prompt for password if there is no ticket. > > > > > 8) Man page - please use the new united FreeIPA man page header. Instead > > of > > > > +.TH "ipa-managed-entries" "1" "Sept 15 2011" "freeipa" "" > > > > use: > > > > +.TH "ipa-managed-entries" "1" "Sept 15 2011" "FreeIPA" "FreeIPA Manual > > Pages" > > Fixed > > > > > 9) Man page - comma is missing for --list option: > > > > +\fB\-l\-\-list\fR > > > > Fixed > > > > > 10) install/po/Makefile.in should be updated to: there is still > > reference to ipa-host-net-manage and ipa-managed-entries reference is > > missing > > Fixed > Great, most bugs are fixed. I only saw these 2 minor bugs. If those are fixed, I think we can ack&push. 
1) Man pages: --list option is still not right, formatting is wrong +\fB\-l\fR, -\-list\fR 2) Enable action is missing a notice for the user, like the disable action has: # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable Disabling Plugin # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable Martin From abokovoy at redhat.com Fri Sep 16 11:41:47 2011
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 16 Sep 2011 14:41:47 +0300 Subject: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry In-Reply-To: <1316164295.24447.43.camel@dhcp-25-52.brq.redhat.com> References: <1303738997.23464.13.camel@willson.li.ssimo.org> <1303747204.23464.19.camel@willson.li.ssimo.org> <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com> <128FDDA2-BC61-4D75-B08F-EA89C0C62CB3@citrixonline.com> <1316076472.2479.10.camel@dhcp-25-52.brq.redhat.com> <967AED78-B524-4EE8-8A0D-D13E26E7AE6E@citrixonline.com> <1316164295.24447.43.camel@dhcp-25-52.brq.redhat.com> Message-ID: <20110916114146.GD31677@redhat.com> On Fri, 16 Sep 2011, Martin Kosek wrote: > Great, most bugs are fixed. I only saw these 2 minor bugs. If those are > fixed, I think we can ack&push. > > 1) Man pages: --list option is still not right, formatting is wrong > +\fB\-l\fR, -\-list\fR > > 2) Enable action is missing a notice for the user, like the disable > action has: > > # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable > Disabling Plugin > > # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable This hurts. :) Can't we have a shortcut that allows specifying only the name of the managed entry and we will expand it to the full DN? Current approach is way error-prone for admins to accidentally make a typo or two... -- / Alexander Bokovoy From simo at redhat.com Fri Sep 16 11:58:04 2011
From: simo at redhat.com (Simo Sorce) Date: Fri, 16 Sep 2011 07:58:04 -0400 Subject: [Freeipa-devel] Structured DNS record API proposal In-Reply-To: <1316158954.24447.31.camel@dhcp-25-52.brq.redhat.com> References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com> <4E7251FB.4040406@redhat.com> <1316158954.24447.31.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1316174284.2684.428.camel@willson.li.ssimo.org> On Fri, 2011-09-16 at 09:42 +0200, Martin Kosek wrote: > On Thu, 2011-09-15 at 15:28 -0400, Adam Young wrote: > > On 09/14/2011 12:18 PM, Martin Kosek wrote: > > > Attached in the txt file. If you have any comments or suggestions to > > > this proposal, please let me know. > > > > > > https://fedorahosted.org/freeipa/ticket/1766 > > > > > > > > > _______________________________________________ > > > Freeipa-devel mailing list > > > Freeipa-devel at redhat.com > > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > > > > ACK. Proposal looks like it will work fairly easily with the UI. > > We'll have to make some changes due to the Add doing something > > different based on the type, but that is the case anyway. > > Yes, I was thinking how we can integrate this new API into the WebUI. AFAIK > you use dnsrecord-add $ZONE $REC --a-rec=... --mx-rec=... for adding a > new DNS record and dnsrecord-mod $ZONE $REC --mx-rec=... when for > example the mx record is being modified. All MX values (even the > unmodified ones) are passed to dnsrecord-mod. > > 1) I was wondering how the new dnsrecord--add commands can be > used. I suppose WebUI will know a list of DNS record types with these > new structured commands and offer the user a new window to add a record > for these types instead of typing them directly into the text box as it is > now. > > 2) But my main concern here is how the modification of current DNS > records should work. Say, we have 2 MX records for example.com. How can > we modify one of them in a new structured interface? 
> > We would have to implement a dnsrecord-mx-show method so that you can fill > all the text areas (preference, mailserver). The question is how to refer to > the value we want to show since DNS records are multivalued. We could > pass --dnsrecord="..." with the DNS record value, e.g. "0 mx.example.com." > and then use the same value for dnsrecord-mx-mod. The whole command > sequence would look this way: > > dnsrecord-find example.com -- get all DNS records for example.com > dnsrecord-show example.com @ -- show DNS records directly in the zone > NS: "ns.example.com" > MX: "0 mx1.example.com." > MX: "1 mx2.example.com." << user wants to modify this one -> new window > > dnsrecord-mx-show example.com --dnsrecord="1 mx1.example.com." > PREFERENCE: 1 << user modifies this to 0 > MAILSERVER: mx2.example.com. > > dnsrecord-mx-mod example.com --dnsrecord="1 mx1.example.com." --preference=0 > > > What do you think about this API for record modification? Although racy, isn't it simpler to just always replace the whole set? Simo. -- Simo Sorce * Red Hat, Inc * New York From mkosek at redhat.com Fri Sep 16 12:04:31 2011
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 16 Sep 2011 14:04:31 +0200 Subject: [Freeipa-devel] Structured DNS record API proposal In-Reply-To: <1316174284.2684.428.camel@willson.li.ssimo.org> References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com> <4E7251FB.4040406@redhat.com> <1316158954.24447.31.camel@dhcp-25-52.brq.redhat.com> <1316174284.2684.428.camel@willson.li.ssimo.org> Message-ID: <1316174674.24447.48.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-09-16 at 07:58 -0400, Simo Sorce wrote: > On Fri, 2011-09-16 at 09:42 +0200, Martin Kosek wrote: > > On Thu, 2011-09-15 at 15:28 -0400, Adam Young wrote: > > > On 09/14/2011 12:18 PM, Martin Kosek wrote: > > > > Attached in the txt file. If you have any comments or suggestions to > > > > this proposal, please let me know. > > > > > > > > https://fedorahosted.org/freeipa/ticket/1766 > > > > > > > > > > > > _______________________________________________ > > > > Freeipa-devel mailing list > > > > Freeipa-devel at redhat.com > > > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > > > > > > > ACK. Proposal looks like it will work fairly easily with the UI. > > > We'll have to make some changes due to the Add doing something > > > different based on the type, but that is the case anyway. > > > > Yes, I was thinking how we can integrate this new API into the WebUI. AFAIK > > you use dnsrecord-add $ZONE $REC --a-rec=... --mx-rec=... for adding a > > new DNS record and dnsrecord-mod $ZONE $REC --mx-rec=... when for > > example the mx record is being modified. All MX values (even the > > unmodified ones) are passed to dnsrecord-mod. > > > > 1) I was wondering how the new dnsrecord--add commands can be > > used. I suppose WebUI will know a list of DNS record types with these > > new structured commands and offer the user a new window to add a record > > for these types instead of typing them directly into the text box as it is > > now. 
> > > > 2) But my main concern here is how the modification of current DNS > > records should work. Say, we have 2 MX records for example.com. How can > > we modify one of them in a new structured interface? > > > > We would have to implement a dnsrecord-mx-show method so that you can fill > > all the text areas (preference, mailserver). The question is how to refer to > > the value we want to show since DNS records are multivalued. We could > > pass --dnsrecord="..." with the DNS record value, e.g. "0 mx.example.com." > > and then use the same value for dnsrecord-mx-mod. The whole command > > sequence would look this way: > > > > dnsrecord-find example.com -- get all DNS records for example.com > > dnsrecord-show example.com @ -- show DNS records directly in the zone > > NS: "ns.example.com" > > MX: "0 mx1.example.com." > > MX: "1 mx2.example.com." << user wants to modify this one -> new window > > > > dnsrecord-mx-show example.com --dnsrecord="1 mx1.example.com." > > PREFERENCE: 1 << user modifies this to 0 > > MAILSERVER: mx2.example.com. > > > > dnsrecord-mx-mod example.com --dnsrecord="1 mx1.example.com." --preference=0 > > > > > > What do you think about this API for record modification? > > Although racy, isn't it simpler to just always replace the whole set? > > Simo. > How would that work? We are designing -add -show -mod commands for multivalued LDAP attribute values, we should have some reference to what value we are modifying. Or did you mean the following command sequence for the mod operation? dnsrecord-del example.com @ --mx-rec="0 mx1.example.com.", "1 mx2.example.com." dnsrecord-mx-add example.com @ --priority=0 --mailserver=mx1.example.com. dnsrecord-mx-add example.com @ --priority=1 --mailserver=mx2.example.com. Martin From simo at redhat.com Fri Sep 16 12:12:19 2011
From: simo at redhat.com (Simo Sorce) Date: Fri, 16 Sep 2011 08:12:19 -0400 Subject: [Freeipa-devel] Structured DNS record API proposal In-Reply-To: <1316174674.24447.48.camel@dhcp-25-52.brq.redhat.com> References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com> <4E7251FB.4040406@redhat.com> <1316158954.24447.31.camel@dhcp-25-52.brq.redhat.com> <1316174284.2684.428.camel@willson.li.ssimo.org> <1316174674.24447.48.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1316175139.2684.435.camel@willson.li.ssimo.org> On Fri, 2011-09-16 at 14:04 +0200, Martin Kosek wrote: > On Fri, 2011-09-16 at 07:58 -0400, Simo Sorce wrote: > > On Fri, 2011-09-16 at 09:42 +0200, Martin Kosek wrote: > > > On Thu, 2011-09-15 at 15:28 -0400, Adam Young wrote: > > > > On 09/14/2011 12:18 PM, Martin Kosek wrote: > > > > > Attached in the txt file. If you have any comments or suggestions to > > > > > this proposal, please let me know. > > > > > > > > > > https://fedorahosted.org/freeipa/ticket/1766 > > > > > > > > > > > > > > > _______________________________________________ > > > > > Freeipa-devel mailing list > > > > > Freeipa-devel at redhat.com > > > > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > > > > > > > > > > ACK. Proposal looks like it will work fairly easily with the UI. > > > > We'll have to make some changes due to the Add doing something > > > > different based on the type, but that is the case anyway. > > > > > > Yes, I was thinking how we can integrate this new API into the WebUI. AFAIK > > > you use dnsrecord-add $ZONE $REC --a-rec=... --mx-rec=... for adding a > > > new DNS record and dnsrecord-mod $ZONE $REC --mx-rec=... when for > > > example the mx record is being modified. All MX values (even the > > > unmodified ones) are passed to dnsrecord-mod. > > > > > > 1) I was wondering how the new dnsrecord--add commands can be > > > used. 
I suppose WebUI will know a list of DNS record types with these > > > new structured commands and offer the user a new window to add a record > > > for these types instead of typing them directly into the text box as it is > > > now. > > > > > > 2) But my main concern here is how the modification of current DNS > > > records should work. Say, we have 2 MX records for example.com. How can > > > we modify one of them in a new structured interface? > > > > > > We would have to implement a dnsrecord-mx-show method so that you can fill > > > all the text areas (preference, mailserver). The question is how to refer to > > > the value we want to show since DNS records are multivalued. We could > > > pass --dnsrecord="..." with the DNS record value, e.g. "0 mx.example.com." > > > and then use the same value for dnsrecord-mx-mod. The whole command > > > sequence would look this way: > > > > > > dnsrecord-find example.com -- get all DNS records for example.com > > > dnsrecord-show example.com @ -- show DNS records directly in the zone > > > NS: "ns.example.com" > > > MX: "0 mx1.example.com." > > > MX: "1 mx2.example.com." << user wants to modify this one -> new window > > > > > > dnsrecord-mx-show example.com --dnsrecord="1 mx1.example.com." > > > PREFERENCE: 1 << user modifies this to 0 > > > MAILSERVER: mx2.example.com. > > > > > > dnsrecord-mx-mod example.com --dnsrecord="1 mx1.example.com." --preference=0 > > > > > > > > > What do you think about this API for record modification? > > > > Although racy, isn't it simpler to just always replace the whole set? > > > > Simo. > > > > How would that work? We are designing -add -show -mod commands for > multivalued LDAP attribute values, we should have some reference to what > value we are modifying. Or did you mean the following command sequence > for the mod operation? > > dnsrecord-del example.com @ --mx-rec="0 mx1.example.com.", "1 mx2.example.com." > dnsrecord-mx-add example.com @ --priority=0 --mailserver=mx1.example.com. 
> dnsrecord-mx-add example.com @ --priority=1 --mailserver=mx2.example.com. Oh I see, I thought we could add multiple values at the same time, but with this syntax it is not possible. Perhaps something like this: dnsrecord-mod example.com @ --replace --mx-rec="0 mx1.example.com., 1 mx2.example.com." This would replace any existing record with the list of 'raw' records provided. Whatever you do, do not split this operation into a DEL+ADD, we want an atomic modify operation in any case, as you do not want to have a race where named may query the MX records and find them empty. That'd be much worse than returning one of them outdated. This means that whatever the API, we need to support a way to add all values at the same time. We can also have the more verbose API to make things more understandable, but we need this "bulk" API for the WebUI IMHO. Simo. -- Simo Sorce * Red Hat, Inc * New York From mkosek at redhat.com Fri Sep 16 12:25:14 2011
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 16 Sep 2011 14:25:14 +0200 Subject: [Freeipa-devel] Structured DNS record API proposal In-Reply-To: <1316175139.2684.435.camel@willson.li.ssimo.org> References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com> <4E7251FB.4040406@redhat.com> <1316158954.24447.31.camel@dhcp-25-52.brq.redhat.com> <1316174284.2684.428.camel@willson.li.ssimo.org> <1316174674.24447.48.camel@dhcp-25-52.brq.redhat.com> <1316175139.2684.435.camel@willson.li.ssimo.org> Message-ID: <1316175916.24447.58.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-09-16 at 08:12 -0400, Simo Sorce wrote: > On Fri, 2011-09-16 at 14:04 +0200, Martin Kosek wrote: ... > > How would that work? We are designing -add -show -mod commands for > > multivalued LDAP attribute values, we should have some reference to what > > value we are modifying. Or did you mean the following command sequence > > for the mod operation? > > > > dnsrecord-del example.com @ --mx-rec="0 mx1.example.com.", "1 mx2.example.com." > > dnsrecord-mx-add example.com @ --priority=0 --mailserver=mx1.example.com. > > dnsrecord-mx-add example.com @ --priority=1 --mailserver=mx2.example.com. > > Oh I see, I thought we could add multiple values at the same time, but > with this syntax it is not possible. > > Perhaps something like this: > > dnsrecord-mod example.com @ --replace --mx-rec="0 mx1.example.com., 1 mx2.example.com." We have something similar already. Current implementation of dnsrecord-mod just replaces whatever was in the multivalued attribute now with the new values. That's what WebUI uses now. Now, if you modify MX record priority in "raw" record, this is what is sent to IPA: dnsrecord-mod example.com @ --mx-rec="0 mx1.example.com.","1 mx2.example.com." > > This would replace any existing record with the list of 'raw' records provided. Yes, that is the current state. The motivation for this new API, however, is an ability to edit the structured DNS records, not the raw ones. 
WebUI shouldn't generate raw DNS records from the structured WebUI form and send them to the server; the server should do it. That was my motivation for the proposed API. > > Whatever you do, do not split this operation into a DEL+ADD, we want an > atomic modify operation in any case, as you do not want to have a race > where named may query the MX records and find them empty. That'd be much > worse than returning one of them outdated. > > This means that whatever the API, we need to support a way to add all values > at the same time. We can also have the more verbose API to make things > more understandable, but we need this "bulk" API for the WebUI IMHO. I agree, the change shouldn't be split into del+add. My proposed API: dnsrecord-mx-mod example.com --dnsrecord="1 mx1.example.com." --preference=0 would do just one write to LDAP. Unfortunately, this is not so pretty for CLI, one would have to copy&paste the raw DNS value to be able to edit its components, but it should be simple for WebUI. Right now, I don't see any better way. Martin From jcholast at redhat.com Fri Sep 16 12:55:16 2011
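The one-write modify Martin describes above, as an added example (not part of this thread and not FreeIPA code): it parses the raw MX value into its components, rewrites exactly one value of the RRset with a single LDAP modify that carries both the delete and the add, and also provides the whole-set replace Simo asked for. The attribute name mxrecord, python-ldap's MOD_* numbering, the helper names and the sample values are assumptions so the code runs without a directory server.

```python
"""Structured edit of a single MX value with one LDAP modify.

Added example, not FreeIPA code.  Assumptions: the attribute is called
'mxrecord' as in the IPA DNS schema, the MOD_* constants use python-ldap's
numbering so the modlists could be handed to a python-ldap connection, and
the 'existing' values are what dnsrecord-show returned for the entry.
"""
import re
from typing import List, Optional, Tuple

MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2      # python-ldap numbering
ATTR = "mxrecord"

# absolute host name: one or more labels, each followed by a dot
_FQDN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+$", re.I)


def parse_mx(raw: str) -> Tuple[int, str]:
    """Split raw MX RDATA '<preference> <exchanger>' into its components."""
    parts = raw.split()
    if len(parts) != 2:
        raise ValueError("MX record must be '<preference> <exchanger>': %r" % raw)
    pref, exch = parts
    if not pref.isdigit() or int(pref) > 65535:
        raise ValueError("MX preference must be 0..65535: %r" % pref)
    if not _FQDN.match(exch):
        raise ValueError("MX exchanger must be an absolute name: %r" % exch)
    return int(pref), exch.lower()


def format_mx(preference, exchanger) -> str:
    """Canonical raw form; re-validates, so bad components never reach LDAP."""
    pref, exch = parse_mx("%s %s" % (preference, exchanger))
    return "%d %s" % (pref, exch)


def mx_mod(existing: List[str], dnsrecord: str,
           preference: Optional[int] = None,
           mailserver: Optional[str] = None) -> List[tuple]:
    """Modlist for a dnsrecord-mx-mod: rewrite exactly one value of the RRset.

    The delete of the old value and the add of the new one travel in the same
    LDAP modify request, which the server applies as one atomic operation
    (RFC 4511, section 4.6), so named never sees the MX set empty in between.
    """
    canon = [format_mx(*parse_mx(v)) for v in existing]
    old = format_mx(*parse_mx(dnsrecord))
    if old not in canon:
        raise LookupError("no such MX record: %r" % dnsrecord)
    old_pref, old_exch = parse_mx(old)
    new = format_mx(old_pref if preference is None else preference,
                    old_exch if mailserver is None else mailserver)
    if new == old:
        return []                                  # nothing to write
    if new in canon:
        raise ValueError("MX record already exists: %r" % new)
    return [(MOD_DELETE, ATTR, [old.encode()]),
            (MOD_ADD, ATTR, [new.encode()])]


def mx_replace(values: List[str]) -> List[tuple]:
    """Modlist for the 'bulk' form: replace the whole RRset in one operation."""
    canon = sorted({format_mx(*parse_mx(v)) for v in values})
    if not canon:
        # MOD_REPLACE with no values removes the attribute; make that explicit
        raise ValueError("refusing to replace the MX set with nothing; use a delete")
    return [(MOD_REPLACE, ATTR, [v.encode() for v in canon])]


if __name__ == "__main__":
    # constructed sample data: the two MX values from the thread
    current = ["0 mx1.example.com.", "1 mx2.example.com."]
    print(mx_mod(current, "1 mx2.example.com.", preference=0))
    print(mx_replace(current))
```

The value the caller passes in --dnsrecord is canonicalised before it is looked up, so "1 MX2.example.com." and "1 mx2.example.com." select the same value; a preference outside 0..65535 or an exchanger without a trailing dot is rejected before any modify is built.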
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 16 Sep 2011 14:55:16 +0200 Subject: [Freeipa-devel] [PATCH] 44 Fix parameter validation In-Reply-To: <4E567681.8080308@redhat.com> References: <4E567681.8080308@redhat.com> Message-ID: <4E734734.3070506@redhat.com> On 25.8.2011 18:21, Jan Cholasta wrote: > What this patch does: > > * Make sure arguments are validated and default values are filled in > before calling a command. > * Add new parameter flag "validate_search" to force validation on search > arguments. > * Fix validation of IP network parameters in the DNS plugin. > > https://fedorahosted.org/freeipa/ticket/1627 > > Honza > I have redone the patch and split it into 3 parts: * [PATCH 46] Add IP address and IP network parameter types Adds two new parameter types, IPAddress and IPNetwork (which replace the validate_search flag, as it was just a hack). * [PATCH 44] Fix parameter validation Changes Command.get_default so that default_from parameters are validated before they are used to create the default value. * [PATCH 47] Remove create_default Removes create_default, as it does exactly the same thing as default_from, but without the advantage of knowing what parameters are used to create the default value. All uses of create_default are replaced by default_from with no arguments, because that's all create_default is currently used for in IPA. 'make test' shows no regressions. Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-46-parameter-ip.patch Type: text/x-patch Size: 53976 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-44.2-parameter-validation.patch Type: text/x-patch Size: 6842 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-jcholast-47-parameter-remove-create-default.patch Type: text/x-patch Size: 17635 bytes Desc: not available URL: From jdennis at redhat.com Fri Sep 16 12:58:25 2011 From: jdennis at redhat.com (John Dennis) Date: Fri, 16 Sep 2011 08:58:25 -0400 Subject: [Freeipa-devel] [Pki-devel] Upgrading a machine to use the proxy. In-Reply-To: <4E727086.2010907@redhat.com> References: <4E6F6B67.4000001@redhat.com> <4E7112B0.3060502@redhat.com> <4E727086.2010907@redhat.com> Message-ID: <4E7347F1.2@redhat.com> Thanks Adam! FWIW I was kinda hoping for new development we would start using Python and have as a general goal of migrating Perl code to Python as opportunities arose. Python is the company preferred scripting language. Once upon a time I was a Perl fan boy, I thought it was the greatest thing since sliced bread, after all it was light years better than writing shell scripts. Then I got introduced to Python and I never looked back, Python is a much better language, much easier to write clean structured maintainable code in. Just my 2 cents, just a thought. /me John puts his flame resistant Nomex suit on and prepares to get flamed in the programming language war :-) -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Fri Sep 16 13:40:43 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 16 Sep 2011 09:40:43 -0400 Subject: [Freeipa-devel] [PATCH] 876 normalize user principal Message-ID: <4E7351DB.8060007@redhat.com> Normalize and validate user principals in user and passwd plugins. The uid in the principal should be lower-case. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-876-principal.patch Type: text/x-patch Size: 7992 bytes Desc: not available URL: From JR.Aquino at citrix.com Fri Sep 16 13:42:11 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Fri, 16 Sep 2011 13:42:11 +0000 Subject: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry In-Reply-To: <20110916114146.GD31677@redhat.com> References: <1303738997.23464.13.camel@willson.li.ssimo.org> <1303747204.23464.19.camel@willson.li.ssimo.org> <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com> <128FDDA2-BC61-4D75-B08F-EA89C0C62CB3@citrixonline.com> <1316076472.2479.10.camel@dhcp-25-52.brq.redhat.com> <967AED78-B524-4EE8-8A0D-D13E26E7AE6E@citrixonline.com> <1316164295.24447.43.camel@dhcp-25-52.brq.redhat.com>, <20110916114146.GD31677@redhat.com> Message-ID: <8916BA46-6385-4A51-A0E2-AF4A7069F5DD@citrix.com> On Sep 16, 2011, at 4:41 AM, "Alexander Bokovoy" wrote: > On Fri, 16 Sep 2011, Martin Kosek wrote: >> Great, most bugs are fixed. I only saw these 2 minor bugs. If those are >> fixed, I think we can ack&push. >> >> 1) Man pages: --list option is still not right, formatting is wrong >> +\fB\-l\fR, -\-list\fR >> >> 2) Enable action is missing a notice for the user, like the disable >> action has: >> >> # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable >> Disabling Plugin >> >> # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable > This hurts. :) > > Can't we have a shortcut that allows to specify only name of the > managed entry and we will expand it to full DN? Current approach is > way error-prone for admins to accidentally make a typo or two... > It may look intimidating via email, but the tool provides --list to show the exact line that's needed to copy-paste, it also does checks to prevent accidental typos. 
The user isn't expected to know the full dn off the top of their head :) The other nice thing is that the tool is not limited to only the stock FreeIPA managed entries, so it will also list, enable, and disable any custom user created managed entries, or future FreeIPA entries without modification. -jr > -- > / Alexander Bokovoy From edewata at redhat.com Fri Sep 16 13:59:22 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 16 Sep 2011 08:59:22 -0500 Subject: [Freeipa-devel] [PATCH] 270 Fixed posix group checkbox. In-Reply-To: <4E7229A0.7070002@redhat.com> References: <4E714199.9030501@redhat.com> <4E7229A0.7070002@redhat.com> Message-ID: <4E73563A.4080506@redhat.com> On 9/15/2011 11:36 AM, Petr Vobornik wrote: > On 09/15/2011 02:06 AM, Endi Sukma Dewata wrote: >> In the adder dialog for groups the checkbox has been modified to use >> the correct field name "nonposix" and be checked by default. >> >> Note: This is a temporary fix to minimize the changes due to release >> schedule. Eventually the field label will be changed into "Non-POSIX >> group" and the checkbox will be unchecked by default, which is more >> consistent with CLI. >> >> Ticket #1799 > > The temporary workaround approach is good but there might be a minor > issue. One test for this patch fails. It is because current > implementation sets checked attribute to false for all values except > 'TRUE'. Previous implementation set checked to true if there was any > value except 'FALSE'. I tried to search for all usages of checkbox and > found that this behaviour is not a problem right now, but I'm not sure > if it won't be in the future (but there would have to be changes in save > method). So if it's OK, after a test correction I would consider it ACKed. Attached is the updated patch. I fixed the test case and did some cleanup. This is actually the problem I mentioned in the meeting (so patch 271 is actually fine). It looks like currently the checkbox widget is only used with boolean attributes. And it will only work with boolean attributes anyway because right now the save() will always return a boolean value. But for now I'm trying to use the original loaded/default value unless it's 'TRUE' or 'FALSE' which will be converted into boolean. In the future we might want to use this with non-boolean attributes. 
So we need to be able to map a pair of non-boolean values into checked and unchecked state during load()/reset() and vice versa during save(). -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0270-2-Fixed-posix-group-checkbox.patch Type: text/x-patch Size: 4446 bytes Desc: not available URL: From ayoung at redhat.com Fri Sep 16 14:09:23 2011 
From: ayoung at redhat.com (Adam Young) Date: Fri, 16 Sep 2011 10:09:23 -0400 Subject: [Freeipa-devel] [Pki-devel] Upgrading a machine to use the proxy. In-Reply-To: <4E7347F1.2@redhat.com> References: <4E6F6B67.4000001@redhat.com> <4E7112B0.3060502@redhat.com> <4E727086.2010907@redhat.com> <4E7347F1.2@redhat.com> Message-ID: <4E735893.3060702@redhat.com> On 09/16/2011 08:58 AM, John Dennis wrote: > Thanks Adam! > > FWIW I was kinda hoping for new development we would start using > Python and have as a general goal of migrating Perl code to Python as > opportunities arose. > > Python is the company preferred scripting language. Once upon a time I > was a Perl fan boy, I thought it was the greatest thing since sliced > bread, after all it was light years better than writing shell scripts. > Then I got introduced to Python and I never looked back, Python is a > much better language, much easier to write clean structured > maintainable code in. Just my 2 cents, just a thought. > > /me John puts his flame resistant Nomex suit on and prepares to get > flamed in the programming language war :-) > OK already has too many languages involved. I'm not willing to add any more. We are working on a plan to simplify a lot of the stuff that we currently do in Perl, but it too will unlikely be in Python. Since this project is primarily Java, and the pkisilent program is the start point for doing automated configuration, it will likely be in pkisilent written in Java. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Fri Sep 16 14:13:41 2011 
From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 16 Sep 2011 08:13:41 -0600 Subject: [Freeipa-devel] [Pki-devel] Upgrading a machine to use the proxy. In-Reply-To: <4E735893.3060702@redhat.com> References: <4E6F6B67.4000001@redhat.com> <4E7112B0.3060502@redhat.com> <4E727086.2010907@redhat.com> <4E7347F1.2@redhat.com> <4E735893.3060702@redhat.com> Message-ID: <4E735995.1070307@redhat.com> On 09/16/2011 08:09 AM, Adam Young wrote: > On 09/16/2011 08:58 AM, John Dennis wrote: >> Thanks Adam! >> >> FWIW I was kinda hoping for new development we would start using >> Python and have as a general goal of migrating Perl code to Python as >> opportunities arose. >> >> Python is the company preferred scripting language. Once upon a time >> I was a Perl fan boy, I thought it was the greatest thing since sliced >> bread, after all it was light years better than writing shell >> scripts. Then I got introduced to Python and I never looked back, >> Python is a much better language, much easier to write clean >> structured maintainable code in. Just my 2 cents, just a thought. >> >> /me John puts his flame resistant Nomex suit on and prepares to get >> flamed in the programming language war :-) >> > > OK already has too many languages involved. I'm not willing to add > any more. > > We are working on a plan to simplify a lot of the stuff that we > currently do in Perl, but it too will unlikely be in Python. Since > this project is primarily Java, and the pkisilent program is the start > point for doing automated configuration, it will likely be in > pkisilent written in Java. jython > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Fri Sep 16 14:16:32 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 16 Sep 2011 10:16:32 -0400 Subject: [Freeipa-devel] [PATCH] 876 normalize user principal In-Reply-To: <4E7351DB.8060007@redhat.com> References: <4E7351DB.8060007@redhat.com> Message-ID: <4E735A40.9000102@redhat.com> Rob Crittenden wrote: > Normalize and validate user principals in user and passwd plugins. The > uid in the principal should be lower-case. > > rob With updated API.txt rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-876-2-principal.patch Type: text/x-patch Size: 12692 bytes Desc: not available URL: From abokovoy at redhat.com Fri Sep 16 14:25:18 2011 
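What "normalize and validate user principals" in Rob's patch 876 amounts to in practice, as an added example that is not the patch's code: the uid part is case-folded to lower case so that "Admin@EXAMPLE.COM" and "admin@EXAMPLE.COM" resolve to the same account instead of two, a principal naming a foreign realm is rejected rather than silently rewritten, and service or instance principals (anything with a "/") are refused by the user-facing plugin. The realm is passed in explicitly, and the uid pattern is an assumption that approximates the uid rules rather than IPA's exact regex.

```python
"""Normalize and validate a user principal before storing or looking it up.

Added example, not the code in patch 876. Assumptions: the realm is known
to the server (passed in here), a user principal is exactly '<uid>@<REALM>'
with a lower-case uid, and the uid pattern below is an approximation of
IPA's uid rules used only for illustration.
"""
import re

UID_RE = re.compile(r'^[a-z0-9_.][a-z0-9_.$-]{0,252}$')  # assumed uid pattern


class ValidationError(ValueError):
    pass


def normalize_principal(principal, realm):
    """Return 'uid@REALM' with the uid lower-cased; raise on anything else."""
    if not principal or principal.count('@') > 1:
        raise ValidationError("malformed principal: %r" % principal)
    if '@' in principal:
        user, prealm = principal.split('@')
        # Never rewrite a foreign realm into ours: that would let a caller
        # quietly attach a principal from another realm to a local entry.
        if prealm != realm:
            raise ValidationError("realm %r does not match %r" % (prealm, realm))
    else:
        user = principal
    if '/' in user:
        # 'host/fqdn' or 'admin/admin' are service/instance principals,
        # not user principals, and do not belong in the user plugin.
        raise ValidationError("instance component not allowed in user principal")
    uid = user.lower()
    if not UID_RE.match(uid):
        raise ValidationError("invalid uid %r in principal" % user)
    return "%s@%s" % (uid, realm)


def principal_matches_uid(principal, uid, realm):
    """True if the normalized principal names the account with this uid."""
    return normalize_principal(principal, realm) == "%s@%s" % (uid.lower(), realm)
```

The same normalization has to be applied on both the write path (user-add, user-mod) and the lookup path (passwd), otherwise a mixed-case principal stored before the fix still fails to match.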
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 16 Sep 2011 17:25:18 +0300 Subject: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry In-Reply-To: <8916BA46-6385-4A51-A0E2-AF4A7069F5DD@citrix.com> References: <1303747204.23464.19.camel@willson.li.ssimo.org> <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com> <128FDDA2-BC61-4D75-B08F-EA89C0C62CB3@citrixonline.com> <1316076472.2479.10.camel@dhcp-25-52.brq.redhat.com> <967AED78-B524-4EE8-8A0D-D13E26E7AE6E@citrixonline.com> <1316164295.24447.43.camel@dhcp-25-52.brq.redhat.com> <20110916114146.GD31677@redhat.com> <8916BA46-6385-4A51-A0E2-AF4A7069F5DD@citrix.com> Message-ID: <20110916142517.GB7854@redhat.com> On Fri, 16 Sep 2011, JR Aquino wrote: > On Sep 16, 2011, at 4:41 AM, "Alexander Bokovoy" wrote: > > Can't we have a shortcut that allows to specify only name of the > > managed entry and we will expand it to full DN? Current approach is > > way error-prone for admins to accidentally make a typo or two... > It may look intimidating via email, but the tool provides --list to > show the exact line that's needed to copy-paste, it also does checks > to prevent accidental typos. > > The user isn't expected to know the full dn off the top of their > head :) > > The other nice thing is that the tool is not limited to only the > stock FreeIPA managed entries, so it will also list, enable, and > disable any custom user created managed entries, or future FreeIPA > entries without modification. That is all fine but having *always* go through complete DN is simply wrong from user experience perspective. If we can have helper shortcut for most common cases for stock FreeIPA, we should do that. For example, if DN provided by user does not include = sign, treat it as last component CN. That would already cover majority of cases. -- / Alexander Bokovoy From jdennis at redhat.com Fri Sep 16 14:33:13 2011 
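Alexander's shortcut rule (no "=" in the argument means it is the CN of a definition under the stock container), as an added example that is not the code of JR's ipa-managed-entries tool. The part a practitioner should not skip when building a DN from a command-line argument is RFC 4514 escaping: a name containing "," or "+" must become one escaped RDN value, not extra RDN components, and a full DN passed by the admin is accepted only if it lives under the suffix. The container path and base DN are assumptions; the inverse helper is what a --list implementation needs to print the shorthand back from a DN.

```python
"""Expand a short managed-entry name to its full DN, escaping it for LDAP.

Added example, not code from ipa-managed-entries. Implements the rule
"no '=' in the argument means it is the CN", with RFC 4514 escaping so a
CN containing ',' or '+' cannot introduce extra RDNs. The container and
base DN are assumptions. Only backslash-char escapes are handled in the
inverse (no \\XX hex escapes), which is enough for the stock names.
"""
# RFC 4514 section 2.4: characters that must be escaped inside an attribute value
_ESCAPE = {',', '+', '"', '\\', '<', '>', ';', '='}


def escape_dn_value(value):
    """Escape one RDN attribute value per RFC 4514 (leading '#', edge spaces too)."""
    if not value:
        raise ValueError("empty DN attribute value")
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _ESCAPE or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def managed_entry_dn(entry, base_dn, container='cn=Definitions,cn=Managed Entries,cn=etc'):
    """Accept either a full DN or a bare CN and return the definition's DN."""
    if '=' in entry:
        # Already a DN: keep it so custom definitions outside the stock
        # container still work, but insist it lives under our suffix.
        if not entry.lower().rstrip().endswith(base_dn.lower()):
            raise ValueError("DN %r is outside suffix %r" % (entry, base_dn))
        return entry
    return "cn=%s,%s,%s" % (escape_dn_value(entry), container, base_dn)


def first_rdn_value(dn):
    """Value of the first RDN with backslash escapes removed (for --list output)."""
    value, i, n = [], dn.index('=') + 1, len(dn)
    while i < n and dn[i] != ',':
        if dn[i] == '\\' and i + 1 < n:
            i += 1  # escaped character: take it literally, including ','
        value.append(dn[i])
        i += 1
    return ''.join(value)
```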
From: jdennis at redhat.com (John Dennis) Date: Fri, 16 Sep 2011 10:33:13 -0400 Subject: [Freeipa-devel] [Pki-devel] Upgrading a machine to use the proxy. In-Reply-To: <4E735893.3060702@redhat.com> References: <4E6F6B67.4000001@redhat.com> <4E7112B0.3060502@redhat.com> <4E727086.2010907@redhat.com> <4E7347F1.2@redhat.com> <4E735893.3060702@redhat.com> Message-ID: <4E735E29.6000703@redhat.com> On 09/16/2011 10:09 AM, Adam Young wrote: > We are working on a plan to simplify a lot of the stuff that wwe > currently do in Perl, but it too will unlikely be in Python. Since this > project is priamily Java, And the pkisilet program is the start point > for doing a/utomated cofiguration, it will likely be in pkisilent > written in Java./ I'm cool with that, Java is a decent language. Perl is just plain evil. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From edewata at redhat.com Fri Sep 16 16:24:18 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 16 Sep 2011 11:24:18 -0500 Subject: [Freeipa-devel] [PATCH] 272 Fixed columns in HBAC/sudo rules list pages. Message-ID: <4E737832.9090207@redhat.com> The following list pages were modified to show these columns only: * HBAC rules: name, type, enabled, description * Sudo rules: name, enabled, description Ticket #1796 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0272-Fixed-columns-in-HBAC-sudo-rules-list-pages.patch Type: text/x-patch Size: 5248 bytes Desc: not available URL: From edewata at redhat.com Fri Sep 16 16:24:33 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 16 Sep 2011 11:24:33 -0500 Subject: [Freeipa-devel] [PATCH] 273 Removed HBAC rule type. Message-ID: <4E737841.7080106@redhat.com> HBAC rule type has been removed from the list page and details page because it is no longer supported in IPA 3.0. Ticket #1795 This should be pushed to master branch only. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0273-Removed-HBAC-rule-type.patch Type: text/x-patch Size: 1732 bytes Desc: not available URL: From edewata at redhat.com Fri Sep 16 16:36:40 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 16 Sep 2011 11:36:40 -0500 Subject: [Freeipa-devel] [PATCH] 274 Removed entitlement menu. Message-ID: <4E737B18.1070006@redhat.com> Ticket #1806 Pushed to master and ipa-2-1 under one-liner/trivial rule. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0274-Removed-entitlement-menu.patch Type: text/x-patch Size: 742 bytes Desc: not available URL: From JR.Aquino at citrix.com Fri Sep 16 16:37:21 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Fri, 16 Sep 2011 16:37:21 +0000 Subject: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry In-Reply-To: <1316164295.24447.43.camel@dhcp-25-52.brq.redhat.com> References: <28D50949-6CAB-4B58-BA3D-7F2C31EFEC35@citrixonline.com> <4DB085BB.6080104@redhat.com> <1303426875.26325.4.camel@willson.li.ssimo.org> <1303738997.23464.13.camel@willson.li.ssimo.org> <1303747204.23464.19.camel@willson.li.ssimo.org> <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com> <128FDDA2-BC61-4D75-B08F-EA89C0C62CB3@citrixonline.com> <1316076472.2479.10.camel@dhcp-25-52.brq.redhat.com> <967AED78-B524-4EE8-8A0D-D13E26E7AE6E@citrixonline.com> <1316164295.24447.43.camel@dhcp-25-52.brq.redhat.com> Message-ID: On Sep 16, 2011, at 2:11 AM, Martin Kosek wrote: > On Thu, 2011-09-15 at 17:25 +0000, JR Aquino wrote: >> On Sep 15, 2011, at 1:47 AM, Martin Kosek wrote: >> >>> On Thu, 2011-09-15 at 00:47 +0000, JR Aquino wrote: >>>> On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote: >>> >>>>> 5) I was thinking if there is a better solution to enabling/disabling of >>>>> the plugin. Likes setting something like "managedEntryEnabled" attribute >>>>> to on/off as we do with compat plugin. Current concept with disabling >>>>> the definition by damaging the originFilter and then restoring it from >>>>> an LDIF seems a bit awkward to me. >>>> >>>> This has been completely changed: >>>> Instead of looking to ldif files, an ldap look up is now performed to dynamically list the available managed entries. >>> >>> Now we are talking :-) I like the new approach. >> >> >> >>> >>> I have reviewed your patch, basic functionality looks good. 
But I still >>> have few (nitpicking) comments: >>> >>> 1) There are parts from the previous file that are no longer needed >>> since you switched to different approach: >>> >>> +import os >>> >>> + from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax >>> >>> + import StringIO >>> >>> + import ldif >>> >>> +except BadSyntax, e: >>> + print "There is a syntax error in this update file:" >>> + print " %s" % e >>> + sys.exit(1) >> >> Removed >> >>> >>> 2) I saw few whitespace errors on following lines of the patch: 419, 433 >>> and 453 >> >> Fixed whitespace errors >> >>> >>> 3) Output of the --list method is confusing: >>> >>> # ipa-managed-entries --list >>> Directory Manager password: >>> >>> Available Managed Entry Plugins: >>> cn=upg definition,cn=definitions,cn=managed >>> entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com >>> cn=ngp definition,cn=definitions,cn=managed >>> entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com >>> >>> You must specify a managed entry definition <<< >>> # echo $? >>> 1 <<< >>> >>> a) I shouldn't be asked to specify a managed entry definition for --list >> >> Fixed >> >>> b) The listing was successful, so we shouldn't return error code >> >> Corrected error code >> >>> >>> 4) Return code for disabling an already disabled entry should be 2 >>> (according to man pages): >>> >>> # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable >>> Directory Manager password: >>> >>> Plugin already disabled >>> # echo $? >>> 0 >> >> Fixed error code >> >>> >>> 5) Strange is, that enabling a disabled plugin gives me return code 2: >>> # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable >>> Directory Manager password: >>> >>> Enabling Plugin >>> # echo $? >>> 2 >>> >>> Return codes for these actions should fit the man pages. 
>> >> Fixed error code >> >>> >>> 6) I would improve working with LDAP filters, current solution is error >>> prone. Try disabling&enabling NGP Definition, we end up with this >>> originFilter: >>> >>> originfilter: (&(objectclass=ipahostgroup)) >>> >>> I think the cleanest solution would be to use ldap.make_filter and >>> ldap.combine_filters functions to play with these filter. You can >>> inspire yourself in this example I wrote for DNS plugin: >>> >>> rev_zone_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE, exact=False, >>> trailing_wildcard=False) >>> filter = ldap.combine_filters((rev_zone_filter, filter), rules=ldap.MATCH_ALL) >> >> Rob and you addressed this in the mailing list. >> For the record, I do agree that we are lacking a method for reading and modifying existing ldap filters. >> We will continue with the simple string method here for this iteration. >> >>> >>> 7) Entering Directory Manager every time may be a bit tedious. Could we >>> use current Kerberos credentials and fall-back to asking Directory >>> Manager password if it doesn't work? Its already done this way in >>> ipa-replica-manage for example. >>> >>> We could fix this, however, as an enhancement in another patch. >> >> Fixed. We now will use gssapi if available, and prompt for password if there is no ticket. >> >>> >>> 8) Man page - please use the new united FreeIPA man page header. Instead >>> of >>> >>> +.TH "ipa-managed-entries" "1" "Sept 15 2011" "freeipa" "" >>> >>> use: >>> >>> +.TH "ipa-managed-entries" "1" "Sept 15 2011" "FreeIPA" "FreeIPA Manual >>> Pages" >> >> Fixed >> >>> >>> >>> 9) Man page - comma is missing for --list option: >>> >>> +\fB\-l\-\-list\fR >>> >> >> Fixed >> >>> >>> 10) install/po/Makefile.in should be updated too: there is still a >>> reference to ipa-host-net-manage and the ipa-managed-entries reference is >>> missing >> >> Fixed >> > > Great, most bugs are fixed. I only saw these 2 minor bugs. If those are > fixed, I think we can ack&push. 
> > 1) Man pages: --list option is still not right, formating is wrong > +\fB\-l\fR, -\-list\fR This typo is now corrected > > 2) Enable action is missing a notice for the user, like the disable > action has: > > # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable > Disabling Plugin The output is now corrected. > # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable I have now also corrected the --list / -e / --entry to support/display shorthand for the managed entries instead of the full DN. # ipa-managed-entries --list Available Managed Entry Definitions: UPG Definition NGP Definition # # ipa-managed-entries --entry="UPG Definition" status Plugin Enabled # -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch Type: application/octet-stream Size: 24879 bytes Desc: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch URL: From edewata at redhat.com Fri Sep 16 17:16:22 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 16 Sep 2011 12:16:22 -0500 Subject: [Freeipa-devel] [PATCH] 275 Use editable combobox for service type. Message-ID: <4E738466.3060705@redhat.com> The service type field in the service adder dialog has been modified to use an editable combobox. Ticket #1633. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0275-Use-editable-combobox-for-service-type.patch Type: text/x-patch Size: 4600 bytes Desc: not available URL: From JR.Aquino at citrix.com Fri Sep 16 17:29:19 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Fri, 16 Sep 2011 17:29:19 +0000 Subject: [Freeipa-devel] [PATCH] 40 Adjust replica installation to omit processing memberof computations Message-ID: Adjust ipa-replica-install, ipa_init.json, json_metadata.json, replication.py, and dsinstance.py to accommodate fractional replication changes. A bug is being addressed in 389 ds to allow for the transmission of memberof data during replication due to the potentially high resource impact of having to recompute all of a production directory's memberof referential integrity. The installation scripts for FreeIPA replicas need to be modified in conjunction with this effort. https://fedorahosted.org/freeipa/ticket/1794 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0040-Adjust-replica-installation-to-omit-processing-memberof.patch Type: application/octet-stream Size: 4077 bytes Desc: freeipa-jraquino-0040-Adjust-replica-installation-to-omit-processing-memberof.patch URL: From rcritten at redhat.com Fri Sep 16 19:16:36 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 16 Sep 2011 15:16:36 -0400 Subject: [Freeipa-devel] [PATCH] 877 prompt for current password Message-ID: <4E73A094.8060409@redhat.com> Prompt for the current password when changing your own password using ipa passwd. I had to jump through several hoops with this: - Added a new sortorder option so the Current password is prompted first - Pass a magic value for current_password if changing someone else's password NOTE: This breaks the API for passwd. There is no way around it. I have this as a minor update as it won't cause older clients to blow up too badly, but their passwd command won't work. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-877-passwd.patch Type: text/x-patch Size: 8483 bytes Desc: not available URL: From JR.Aquino at citrix.com Fri Sep 16 19:47:02 2011 
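The policy behind Rob's patch 877 here and Simo's #1814 later in this thread, as an added example that is not FreeIPA or ipa-pwd-extop code: a user changing their own password must present the current one and it must verify, while an administrator resetting someone else's password is not asked for it (the user may not even know it). The in-memory store, the PBKDF2 hashing and the flat admin set are constructed stand-ins for the LDAP backend and its access control; the identity of the bound DN stands for whatever bind (simple or GSSAPI) authenticated the caller. The check that matters is that a successful bind on its own is not enough for a self-change, which is exactly the gap #1814 closes.

```python
"""Decide whether a password change must present and verify the old password.

Added example, not FreeIPA code. Models the rule from patches 877/#1814:
self-change requires the current password; an admin reset of another
user's password does not. Store, hashing and admin check are assumptions.
"""
import hashlib
import hmac
import os

ITERATIONS = 50000  # PBKDF2 work factor for the example store


class PasswordChangeError(Exception):
    pass


def _hash(password, salt):
    return hashlib.pbkdf2_hmac('sha256', password.encode(), salt, ITERATIONS)


class Directory:
    """Tiny in-memory stand-in for the LDAP backend (constructed for the example)."""

    def __init__(self):
        self.entries = {}    # dn -> {'salt': bytes, 'hash': bytes}
        self.admins = set()  # DNs allowed to reset other users' passwords

    def add_user(self, dn, password, admin=False):
        salt = os.urandom(16)
        self.entries[dn] = {'salt': salt, 'hash': _hash(password, salt)}
        if admin:
            self.admins.add(dn)

    def check_password(self, dn, password):
        e = self.entries[dn]
        return hmac.compare_digest(_hash(password, e['salt']), e['hash'])

    def change_password(self, bound_dn, target_dn, new_password, old_password=None):
        """bound_dn is the identity that authenticated (password or GSSAPI bind)."""
        if target_dn not in self.entries:
            raise PasswordChangeError("no such entry")
        if bound_dn == target_dn:
            # Self-change: having authenticated at bind time is not enough.
            # A hijacked session or stolen ticket must not be able to set a
            # new password without knowing the current one.
            if old_password is None:
                raise PasswordChangeError("current password required")
            if not self.check_password(target_dn, old_password):
                raise PasswordChangeError("current password incorrect")
        elif bound_dn not in self.admins:
            raise PasswordChangeError("not allowed to change another user's password")
        # Admin reset of someone else's password: no old password needed.
        salt = os.urandom(16)
        self.entries[target_dn] = {'salt': salt, 'hash': _hash(new_password, salt)}
        return True
```

On the client side this is why the current password is prompted first only for a self-change: the server decides from the bound identity whether the old password is required, so the client cannot substitute a placeholder for it when the caller is changing their own password.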
From: JR.Aquino at citrix.com (JR Aquino) Date: Fri, 16 Sep 2011 19:47:02 +0000 Subject: [Freeipa-devel] [PATCH] 874 suppress managed netgroups as indirect members of hosts In-Reply-To: <4E711109.3090501@redhat.com> References: <4E711109.3090501@redhat.com> Message-ID: <6606F6F0-AEF1-4266-A6D3-C4E0DE071F62@citrixonline.com> On Sep 14, 2011, at 1:39 PM, Rob Crittenden wrote: > Suppress managed netgroups as indirect members of hosts. This enhances a previous patch that I did for hostgroups. > > rob Works as advertised: ACK From rcritten at redhat.com Fri Sep 16 20:51:25 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 16 Sep 2011 16:51:25 -0400 Subject: [Freeipa-devel] [PATCH] 875 fix rpm installation ordering In-Reply-To: <20110916084826.GC31677@redhat.com> References: <4E725A7F.7020502@redhat.com> <20110916084826.GC31677@redhat.com> Message-ID: <4E73B6CD.1090000@redhat.com> Alexander Bokovoy wrote: > On Thu, 15 Sep 2011, Rob Crittenden wrote: > >> freeipa-server-selinux was getting installed before freeipa-server >> which caused some SELinux contexts to not be set properly. >> >> The existing Requires we had used to fix things, perhaps a change in >> rpm caused this to break, who knows. I'm not even sure when this >> stopped working. >> >> I added an extra postun rule so that the server-selinux package is >> removed as a dependency when you do a yum erase freeipa-python. > ACK. > pushed to master and ipa-2-1 From rcritten at redhat.com Fri Sep 16 21:24:23 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 16 Sep 2011 17:24:23 -0400 Subject: [Freeipa-devel] [PATCH] 874 suppress managed netgroups as indirect members of hosts In-Reply-To: <6606F6F0-AEF1-4266-A6D3-C4E0DE071F62@citrixonline.com> References: <4E711109.3090501@redhat.com> <6606F6F0-AEF1-4266-A6D3-C4E0DE071F62@citrixonline.com> Message-ID: <4E73BE87.8000009@redhat.com> JR Aquino wrote: > On Sep 14, 2011, at 1:39 PM, Rob Crittenden wrote: > >> Suppress managed netgroups as indirect members of hosts. This enhances a previous patch that I did for hostgroups. >> >> rob > > Works as advertised: > > ACK > Martin, ok to push? rob From simo at redhat.com Fri Sep 16 21:25:15 2011 From: simo at redhat.com (Simo Sorce) Date: Fri, 16 Sep 2011 17:25:15 -0400 Subject: [Freeipa-devel] [PATCH] #1812 Fixes segfault in ipa-pwd-extop plugin Message-ID: <1316208315.2684.453.camel@willson.li.ssimo.org> While investigating ticket 1808 Rob found this issue. Patch attached. Fixes: https://fedorahosted.org/freeipa/ticket/1812 Tested and solves the problem here. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-ipa-pwd-extop-Fix-segfault-in-password-change.patch Type: text/x-patch Size: 1347 bytes Desc: not available URL: From simo at redhat.com Fri Sep 16 21:30:17 2011 
From: simo at redhat.com (Simo Sorce) Date: Fri, 16 Sep 2011 17:30:17 -0400 Subject: [Freeipa-devel] [PATCH] #1814 Enforce old password requirement in ldappasswd operations Message-ID: <1316208617.2684.458.camel@willson.li.ssimo.org> Although we were properly checking that the user successfully authenticated (either through a password bind or a GSSAPI bind) we were not enforcing the requirement to provide us with the old password, and this is better security hygiene. Fixes: https://fedorahosted.org/freeipa/ticket/1814 Tested and works for me. Properly requires old password for self password changes. Do not require it for admin password changes. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-ipa-pwd-extop-Enforce-old-password-checks.patch Type: text/x-patch Size: 3547 bytes Desc: not available URL: From edewata at redhat.com Fri Sep 16 22:18:06 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 16 Sep 2011 17:18:06 -0500 Subject: [Freeipa-devel] [PATCH] 276 Fixed problem enabling/disabling DNS zone. Message-ID: <4E73CB1E.70006@redhat.com> The details facet for DNS zone has been modified to use dnszone- enable/disable for idnszoneactive and dnszone-mod for other fields. Ticket #1813 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0276-Fixed-problem-enabling-disabling-DNS-zone.patch Type: text/x-patch Size: 14425 bytes Desc: not available URL: From edewata at redhat.com Fri Sep 16 22:19:08 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 16 Sep 2011 17:19:08 -0500 Subject: [Freeipa-devel] [PATCH] 277 Updated DNS zone details page. Message-ID: <4E73CB5C.4000306@redhat.com> The DNS zone details page has been modified to use radio buttons for active zone and dynamic update fields, and text area for BIND update policy field. Ticket #1781, #1785 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0277-Updated-DNS-zone-details-page.patch Type: text/x-patch Size: 2192 bytes Desc: not available URL: From edewata at redhat.com Fri Sep 16 23:42:40 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 16 Sep 2011 18:42:40 -0500 Subject: [Freeipa-devel] [PATCH] 278 Replaced description text fields with text areas. Message-ID: <4E73DEF0.3010302@redhat.com> Ticket #1783 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0278-Replaced-description-text-fields-with-text-areas.patch Type: text/x-patch Size: 18203 bytes Desc: not available URL: From mkosek at redhat.com Mon Sep 19 06:43:00 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 19 Sep 2011 08:43:00 +0200 Subject: [Freeipa-devel] [PATCH] 874 suppress managed netgroups as indirect members of hosts In-Reply-To: <4E73BE87.8000009@redhat.com> References: <4E711109.3090501@redhat.com> <6606F6F0-AEF1-4266-A6D3-C4E0DE071F62@citrixonline.com> <4E73BE87.8000009@redhat.com> Message-ID: <1316414582.3594.0.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-09-16 at 17:24 -0400, Rob Crittenden wrote: > JR Aquino wrote: > > On Sep 14, 2011, at 1:39 PM, Rob Crittenden wrote: > > > >> Suppress managed netgroups as indirect members of hosts. This enhances a previous patch that I did for hostgroups. > >> > >> rob > > > > Works as advertised: > > > > ACK > > > > Martin, ok to push? > > rob Agreed. Pushed to master, ipa-2-1. Martin From jcholast at redhat.com Mon Sep 19 06:49:58 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 19 Sep 2011 08:49:58 +0200 Subject: [Freeipa-devel] [PATCH] 877 prompt for current password In-Reply-To: <4E73A094.8060409@redhat.com> References: <4E73A094.8060409@redhat.com> Message-ID: <4E76E616.5080208@redhat.com> On 16.9.2011 21:16, Rob Crittenden wrote: > Prompt for the current password when changing your own password using > ipa passwd. > > I had to jump through several hoops with this: > > - Added a new sortorder option so the Current password is prompted first IMO something like "before='password'" would be more readable and probably less error-prone than "sortorder=-1". > - Pass a magic value for current_password if changing someone else's > password > > NOTE: This breaks the API for passwd. There is no way around it. I have > this as a minor update as it won't cause older clients to blow up too > badly, but their passwd command won't work. > > rob > Honza -- Jan Cholasta From jcholast at redhat.com Mon Sep 19 09:52:04 2011 
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 19 Sep 2011 11:52:04 +0200
Subject: [Freeipa-devel] [PATCH] 48 Fix client install on IPv6 machines
Message-ID: <4E7710C4.3050104@redhat.com>

https://fedorahosted.org/freeipa/ticket/1804

--
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-48-fix-ipv6-client-install.patch
Type: text/x-patch
Size: 1088 bytes
Desc: not available
URL:

From dpal at redhat.com Mon Sep 19 12:38:49 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 19 Sep 2011 08:38:49 -0400
Subject: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry
In-Reply-To: <20110916142517.GB7854@redhat.com>
References: <1303747204.23464.19.camel@willson.li.ssimo.org> <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com> <128FDDA2-BC61-4D75-B08F-EA89C0C62CB3@citrixonline.com> <1316076472.2479.10.camel@dhcp-25-52.brq.redhat.com> <967AED78-B524-4EE8-8A0D-D13E26E7AE6E@citrixonline.com> <1316164295.24447.43.camel@dhcp-25-52.brq.redhat.com> <20110916114146.GD31677@redhat.com> <8916BA46-6385-4A51-A0E2-AF4A7069F5DD@citrix.com> <20110916142517.GB7854@redhat.com>
Message-ID: <4E7737D9.4090601@redhat.com>

On 09/16/2011 10:25 AM, Alexander Bokovoy wrote:
> On Fri, 16 Sep 2011, JR Aquino wrote:
>> On Sep 16, 2011, at 4:41 AM, "Alexander Bokovoy" wrote:
>>> Can't we have a shortcut that allows to specify only name of the
>>> managed entry and we will expand it to full DN? Current approach is
>>> way error-prone for admins to accidentally make a typo or two...
>> It may look intimidating via email, but the tool provides --list to
>> show the exact line that's needed to copy-paste, it also does checks
>> to prevent accidental typos.
>>
>> The user isn't expected to know the full dn off the top of their
>> head :)
>>
>> The other nice thing is that the tool is not limited to only the
>> stock FreeIPA managed entries, so it will also list, enable, and
>> disable any custom user created managed entries, or future FreeIPA
>> entries without modification.
> That is all fine but having *always* go through complete DN is simply
> wrong from user experience perspective. If we can have helper shortcut
> for most common cases for stock FreeIPA, we should do that.
>
> For example, if DN provided by user does not include = sign, treat it
> as last component CN. That would already cover majority of cases.
>
+1.

Should we have a helper function that works across all commands or is it just limited to this command?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Mon Sep 19 13:03:07 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 19 Sep 2011 09:03:07 -0400
Subject: [Freeipa-devel] [PATCH] 877 prompt for current password
In-Reply-To: <4E76E616.5080208@redhat.com>
References: <4E73A094.8060409@redhat.com> <4E76E616.5080208@redhat.com>
Message-ID: <4E773D8B.3020801@redhat.com>

Jan Cholasta wrote:
> On 16.9.2011 21:16, Rob Crittenden wrote:
>> Prompt for the current password when changing your own password using
>> ipa passwd.
>>
>> I had to jump through several hoops with this:
>>
>> - Added a new sortorder option so the Current password is prompted first
>
> IMO something like "before='password'" would be more readable and
> probably less error-prone than "sortorder=-1".

The params are sorted numerically based on whether they are required, have a default, etc. A negative value means it will appear first. This is intended to be generic enough without having to worry about nested resolution (A before B, B before C, C before A).

>
>> - Pass a magic value for current_password if changing someone else's
>> password
>>
>> NOTE: This breaks the API for passwd. There is no way around it. I have
>> this as a minor update as it won't cause older clients to blow up too
>> badly, but their passwd command won't work.
>>
>> rob
>>
>
> Honza
>

From simo at redhat.com Mon Sep 19 13:37:37 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 19 Sep 2011 09:37:37 -0400
Subject: [Freeipa-devel] [PATCH] #1793 Fix expiration on password change
Message-ID: <1316439457.2684.468.camel@willson.li.ssimo.org>

Changing passwords would not properly set expiration date with the new ipa-kdb code.

Patch fixes this.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ipa-kdb-Properly-set-password-expiration-time.patch
Type: text/x-patch
Size: 5847 bytes
Desc: not available
URL:

From sbose at redhat.com Mon Sep 19 13:53:20 2011
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 19 Sep 2011 15:53:20 +0200
Subject: [Freeipa-devel] [PATCH] 3 Fix ACIs in ipa-adtrust-install
Message-ID: <20110919135320.GD11912@localhost.localdomain>

Hi,

while testing the creation of trust objects I found a typo in the ACI allowing to read the NT hash and realized that an ACI was missing to allow the samba user to add and modify the trust objects. The attached patch should fix it.

bye,
Sumit

-------------- next part --------------
From 6f5adfcd4e4f176230abd48bd8aa8847a2add20a Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 19 Sep 2011 11:48:05 +0200
Subject: [PATCH] Fix ACIs in ipa-adtrust-install

---
 ipaserver/install/adtrustinstance.py | 15 +++++++++++++--
 1 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index f2cc3327deb7fb8b7dacf8aef4c42597cc82ca1d..1bd37d4eb1f93db6609f8c9a06ac02923e9db20b 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -102,9 +102,20 @@ class ADTRUSTInstance(service.Service): self.admin_conn.add_s(entry) # And finally grant it permission to read NT passwords, we do not want - # to support LM passwords so there is no need to allow access to them + # to support LM passwords so there is no need to allow access to them. + # Also the premission to create trusted domain objects below the + # domain object is granted. mod = [(ldap.MOD_ADD, 'aci', - str(['(targetattr = "sambaNTPassword")(version 3.0; acl "Samba user can read NT passwords"; allow (read) userdn="ldap:///%s";)' % self.smb_dn]))] + str('(targetattr = "sambaNTPassword")' \ + '(version 3.0; acl "Samba user can read NT passwords";' \ + 'allow (read) userdn="ldap:///%s";)' % self.smb_dn)), + (ldap.MOD_ADD, 'aci', + str('(target = "ldap:///cn=ad,cn=trusts,%s")' \ + '(targetattr = "sambaTrustType || sambaTrustAttributes || sambaTrustDirection || sambaTrustPartner || sambaFlatName || sambaTrustAuthOutgoing || sambaTrustAuthIncoming || sambaSecurityIdentifier || sambaTrustForestTrustInfo || sambaTrustPosixOffset || sambaSupportedEncryptionTypes")' \ + '(version 3.0;acl "Allow samba user to create and delete trust accounts";' \ + 'allow (write,add,delete) userdn = "ldap:///%s";)' % \ + (self.suffix, self.smb_dn)))] + try: self.admin_conn.modify_s(self.suffix, mod) except ldap.TYPE_OR_VALUE_EXISTS: -- 1.7.6 From sbose at redhat.com Mon Sep 19 14:10:06 2011 
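Review bot: both MOD_ADD operations go out in the one `self.admin_conn.modify_s(self.suffix, mod)` call, and an LDAP modify is atomic, so on a server where the NT-password ACI value is already present (a re-run of the installer, or an upgrade of an existing instance) the whole modify fails, the failure lands in the `except ldap.TYPE_OR_VALUE_EXISTS:` branch, and the new trust ACI is never added. Issue the two ACI additions as separate modify_s() calls, each with its own TYPE_OR_VALUE_EXISTS handling, so an existing first value cannot block the second. Two smaller points in the same hunk: the added comment spells "premission" (permission), and the `str(...)` wrappers are now redundant, since the values are already string literals; the old `str([...])` form, which stored the repr of a Python list (brackets and quotes included) as the aci value, is what the hunk removes, and that is worth stating in the commit message as the actual defect being fixed.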
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 19 Sep 2011 16:10:06 +0200
Subject: [Freeipa-devel] [PATCH] 4 Update samba LDAP schema
Message-ID: <20110919141006.GE11912@localhost.localdomain>

Hi,

this patch updates the samba LDAP schema to the latest version available. I think the next change to this file will be removing it because Simo is working on new objectclasses for IPA which will replace the ones from the samba schema. But for the time being samba's IPA passdb backend expects the old objectclasses for users, groups and trust objects.

bye,
Sumit

-------------- next part --------------
From 08ba5beebf81be67f03ae384f2119ae81b3ebf9d Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 19 Sep 2011 15:45:30 +0200
Subject: [PATCH] Update samba LDAP schema

The samba LDAP schema is updated to the latest version available from the samba source code to be able to use the new trust related object class and attributes.
---
 install/share/60samba.ldif | 40 +++++++++++++++++++++++++++++++++++++++-
 1 files changed, 39 insertions(+), 1 deletions(-)

diff --git a/install/share/60samba.ldif b/install/share/60samba.ldif
index d3a6d31b0956f73178c07f456a0dc20225dbb3a2..fdfdab618c046810f8850db39f3f55054242773d 100644
--- a/install/share/60samba.ldif
+++ b/install/share/60samba.ldif
@@ -1,4 +1,8 @@ -## schema file for Fedora DS +## schema file for Fedora/RedHat Directory Server +## +## NOTE: this file can be copied as 60samba.ldif into your instance schema +## directory: +## cp samba-schema-FDS.ldif /etc/dirsrv/slapd-/schema/60schema.ldif ## ## Schema for storing Samba user accounts and group maps in LDAP ## OIDs are owned by the Samba Team
@@ -111,6 +115,32 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' DESC 'Loc attributeTypes: ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) # "refuse machine password change" attributeTypes: ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +# +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword' DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +# +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextPassword' DESC 'Previous clear text password (used for trusted domain passwords)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +# +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' DESC 'Type of trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +# +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.71 NAME 'sambaTrustAttributes' DESC 'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +# +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection' DESC 'Direction of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +# +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.73 NAME 'sambaTrustPartner' DESC 'Fully qualified name of the domain with which a trust exists' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) +# +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.74 NAME 'sambaFlatName' DESC 'NetBIOS name of a domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) +# +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.75 NAME 'sambaTrustAuthOutgoing' DESC 'Authentication 
information for the outgoing portion of a trust' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) +# +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.76 NAME 'sambaTrustAuthIncoming' DESC 'Authentication information for the incoming portion of a trust' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) +# +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier' DESC 'SID of a trusted domain' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) +# +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.78 NAME 'sambaTrustForestTrustInfo' DESC 'Forest trust information for a trusted domain object' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) +# +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.79 NAME 'sambaTrustPosixOffset' DESC 'POSIX offset of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +# +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.80 NAME 'sambaSupportedEncryptionTypes' DESC 'Supported encryption types of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) ## ####################################################################### ## objectClasses: used by Samba 3.0 schema ## 
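Review bot: sambaSecurityIdentifier (1.3.6.1.4.1.7165.2.1.77) pairs EQUALITY caseIgnoreIA5Match with SUBSTR caseExactIA5SubstringsMatch, so an equality filter and a substring filter on the same SID value disagree about case; this comes straight from the samba tree, so the fix belongs upstream, but it should be reported rather than carried silently. Also note that sambaClearTextPassword and sambaPreviousClearTextPassword (2.1.68 and 2.1.69) are defined to hold trust passwords in clear text as octet strings: before this lands, confirm that the read ACIs in the IPA tree restrict those two attributes at least as tightly as sambaNTPassword, which is the only password attribute the ACI patch earlier in this thread grants the samba user read access to.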
@@ -150,3 +180,11 @@ objectClasses: ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCT ## DESC 'Samba Privilege' ## MUST ( sambaSID ) ## MAY ( sambaPrivilegeList ) ) +## +## Trusted Domain Relationships +## +objectClasses: ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassword' SUP top STRUCTURAL DESC 'Samba Trusted Domain Password' MUST ( sambaDomainName $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet ) MAY ( sambaPreviousClearTextPassword ) ) +## +## used for IPA_ldapsam +## +objectClasses: ( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' SUP top STRUCTURAL DESC 'Samba Trusted Domain Object' MUST ( cn ) MAY ( sambaTrustType $ sambaTrustAttributes $ sambaTrustDirection $ sambaTrustPartner $ sambaFlatName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecurityIdentifier $ sambaTrustForestTrustInfo $ sambaTrustPosixOffset $ sambaSupportedEncryptionTypes) )
--
1.7.6

From mkosek at redhat.com Mon Sep 19 16:13:23 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 19 Sep 2011 18:13:23 +0200
Subject: [Freeipa-devel] [PATCH] 48 Fix client install on IPv6 machines
In-Reply-To: <4E7710C4.3050104@redhat.com>
References: <4E7710C4.3050104@redhat.com>
Message-ID: <1316448805.3594.26.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-09-19 at 11:52 +0200, Jan Cholasta wrote:
> https://fedorahosted.org/freeipa/ticket/1804
>

ACK. Works fine. Now I was able to enroll client to host in an IPv6-only environment.

Pushed to master, ipa-2-1.

Martin

From JR.Aquino at citrix.com Mon Sep 19 16:16:30 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 19 Sep 2011 16:16:30 +0000
Subject: [Freeipa-devel] [PATCH] #1793 Fix expiration on password change
In-Reply-To: <1316439457.2684.468.camel@willson.li.ssimo.org>
References: <1316439457.2684.468.camel@willson.li.ssimo.org>
Message-ID:

On Sep 19, 2011, at 6:37 AM, Simo Sorce wrote:
> Changing passwords would not properly set expiration date with the new
> ipa-kdb code.
>
> Patches fixes this.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
> <0001-ipa-kdb-Properly-set-password-expiration-time.patch>_______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Works Perfectly!

ACK

From simo at redhat.com Mon Sep 19 16:30:26 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 19 Sep 2011 12:30:26 -0400
Subject: [Freeipa-devel] [PATCH] #1793 Fix expiration on password change
In-Reply-To:
References: <1316439457.2684.468.camel@willson.li.ssimo.org>
Message-ID: <1316449826.2684.486.camel@willson.li.ssimo.org>

On Mon, 2011-09-19 at 16:16 +0000, JR Aquino wrote:
> On Sep 19, 2011, at 6:37 AM, Simo Sorce wrote:
>
> > Changing passwords would not properly set expiration date with the new
> > ipa-kdb code.
> >
> > Patches fixes this.
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> > <0001-ipa-kdb-Properly-set-password-expiration-time.patch>_______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> Works Perfectly!
>
> ACK

Thanks for testing.

Pushed to master!

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Mon Sep 19 16:34:36 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 19 Sep 2011 12:34:36 -0400
Subject: [Freeipa-devel] [PATCH] #1728 New schema for IPAv3 required attributes
Message-ID: <1316450076.2684.488.camel@willson.li.ssimo.org>

Attached find a patch for new attributes and objectclasses for the IPA v3 goal of configuring trust relationships between freeipa and windows domains.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-schema-Add-new-attributes-and-objectclasses-for-AD-T.patch
Type: text/x-patch
Size: 3920 bytes
Desc: not available
URL:

From mkosek at redhat.com Mon Sep 19 16:40:45 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 19 Sep 2011 18:40:45 +0200
Subject: [Freeipa-devel] [PATCH] 123 Fix /usr/bin/ipa dupled server list
Message-ID: <1316450446.3594.27.camel@dhcp-25-52.brq.redhat.com>

Fix get_url_list() so that the configured master server is there just once. This fix lets /usr/bin/ipa try connecting to all IPA masters just once and not print confusing server list with duplicated master.

https://fedorahosted.org/freeipa/ticket/1817

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-123-fix-usr-bin-ipa-dupled-server-list.patch
Type: text/x-patch
Size: 1417 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Sep 19 21:31:42 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 19 Sep 2011 17:31:42 -0400
Subject: [Freeipa-devel] [PATCH] 878 ignore restorecon errors
Message-ID: <4E77B4BE.6090605@redhat.com>

According to the SELinux devs the return value from restorecon does not necessarily reflect success/failure and recommended ignoring it. This does that.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-878-restorecon.patch
Type: text/x-patch
Size: 1203 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Sep 19 21:32:54 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 19 Sep 2011 17:32:54 -0400
Subject: [Freeipa-devel] [PATCH] 879 ensure ssl socket is shut down
Message-ID: <4E77B506.8030909@redhat.com>

httplib makes a copy of the nss file descriptor but doesn't close it when the response code != 200 so we need to close it ourselves.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-879-shutdown.patch
Type: text/x-patch
Size: 1301 bytes
Desc: not available
URL:

From simo at redhat.com Mon Sep 19 21:39:06 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 19 Sep 2011 17:39:06 -0400
Subject: [Freeipa-devel] [PATCH] #1820 Fix legacy password generation
Message-ID: <1316468346.2684.509.camel@willson.li.ssimo.org>

Today I found another regression in the kpasswd password change path. I filed ticket #1820.

Legacy password hashes were not generated due to an issue with the list of attributes being searched in ipadb_get_principal(), objectclass was missing.

This patch fixes it.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ipa-kdb-Fix-legacy-password-hashes-generation.patch
Type: text/x-patch
Size: 1819 bytes
Desc: not available
URL:

From abokovoy at redhat.com Mon Sep 19 22:04:41 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 20 Sep 2011 01:04:41 +0300
Subject: [Freeipa-devel] [PATCH] 878 ignore restorecon errors
In-Reply-To: <4E77B4BE.6090605@redhat.com>
References: <4E77B4BE.6090605@redhat.com>
Message-ID: <20110919220440.GE24991@redhat.com>

On Mon, 19 Sep 2011, Rob Crittenden wrote:
> According to the SELinux devs the return value from restorecon does
> not necessarily reflect success/failure and recommended ignoring it.
> This does that.

ACK. I was about to submit similar but stuck with systemd port and forgot it. :)

--
/ Alexander Bokovoy

From edewata at redhat.com Tue Sep 20 00:19:29 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 19 Sep 2011 19:19:29 -0500
Subject: [Freeipa-devel] [PATCH] 279 Fixed problem enrolling member with the same name.
Message-ID: <4E77DC11.1000508@redhat.com>

The IPA.association_adder_dialog has been modified to use an exclusion list to hide entries that are already enrolled. The IPA.adder_dialog has been modified to store the columns directly in the available & selected tables.

Ticket #1797

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0279-Fixed-problem-enrolling-member-with-the-same-name.patch
Type: text/x-patch
Size: 10356 bytes
Desc: not available
URL:

From JR.Aquino at citrix.com Tue Sep 20 05:16:23 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 20 Sep 2011 05:16:23 +0000
Subject: [Freeipa-devel] Fwd: Still failing on 5.7 with the same error........
In-Reply-To:
References:
Message-ID: <3BD75A55-6C9C-4B34-A7C4-5B3E6BD0740D@citrix.com>

We're having significant reproducible problems with rhel 5.7 + FreeIPA master...

I'm not sure if it is localized to us or even which side is responsible for the error...

Has anyone had success with rhel 5.7's repo included FreeIPA client joining a fedora based FreeIPA server?

We are essentially dead in the water at this point.

Sent from my iPad

Begin forwarded message:
From: Brett Campbell <Brett.Campbell at citrix.com>
Date: September 19, 2011 6:48:55 PM PDT
To: JR Aquino <JR.Aquino at citrix.com>
Cc: Jason Vagalatos <Jason.Vagalatos at citrix.com>
Subject: RE: Still failing on 5.7 with the same error........

Apparently this error is printed from FreeIPA code and not an underlying library. Here's the relevant bit from ipa-getkeytab.c:

    /* Format of response
     *
     * KeytabGetRequest ::= SEQUENCE {
     *     new_kvno    Int32
     *     SEQUENCE OF KeyTypes
     * }
     *
     *
     * List of accepted enctypes
     *
     * KeyTypes ::= SEQUENCE {
     *     enctype    Int32
     * }
     */

    rtag = ber_scanf(sctrl, "{i{", &kvno);
    if (rtag == LBER_ERROR) {
        fprintf(stderr, "ber_scanf() failed, Invalid control ?!\n");
        goto error_out;
    }

However, the call that's failing (ber_scanf()) is one from the openldap library:

[root at util1 Server]# strings /usr/lib/liblber-2.3.so.0 |grep ber_scanf
ber_scanf
ber_scanf fmt (%s)
ber: ber_scanf: unknown fmt %c
ber_scanf
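The failure Brett traces above is ber_scanf() rejecting a control value that does not match the "{i{" template for KeytabGetRequest: open a SEQUENCE, read an INTEGER, open the inner SEQUENCE. The block below is an added example, not code from FreeIPA or from OpenLDAP's liblber: it decodes the same ASN.1 structure in plain Python so the shape ber_scanf() expects is visible, and a value with the wrong outer tag or one cut short before the KeyTypes list fails at a named step instead of as a bare "Invalid control". The encoder, the sample control values and the enctype numbers (18, 17, 23 are the IANA/RFC 3961 codes for aes256-cts, aes128-cts and rc4-hmac) are constructed for this example.

```python
"""Decode the KeytabGetRequest response control described in the forwarded
ipa-getkeytab.c comment (added example, not FreeIPA or liblber code):

    KeytabGetRequest ::= SEQUENCE { new_kvno Int32, SEQUENCE OF KeyTypes }
    KeyTypes         ::= SEQUENCE { enctype Int32 }
"""

TAG_INTEGER = 0x02
TAG_SEQUENCE = 0x30


class BerError(ValueError):
    """Raised where ber_scanf() would return LBER_ERROR."""


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise BerError("truncated element at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise BerError("unsupported or truncated length at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise BerError("length %d overruns buffer" % length)
    return tag, buf[pos:pos + length], pos + length


def _expect(buf, pos, tag):
    """Read one element and insist on its tag (one step of the "{i{" walk)."""
    got, value, nxt = _read_tlv(buf, pos)
    if got != tag:
        raise BerError("expected tag 0x%02x at offset %d, got 0x%02x" % (tag, pos, got))
    return value, nxt


def _to_int(value):
    if not value:
        raise BerError("empty INTEGER")
    return int.from_bytes(value, "big", signed=True)


def decode_keytab_response(control_value):
    """Return (kvno, [enctype, ...]) or raise BerError."""
    body, end = _expect(control_value, 0, TAG_SEQUENCE)      # "{"
    if end != len(control_value):
        raise BerError("trailing bytes after outer SEQUENCE")
    kvno_bytes, pos = _expect(body, 0, TAG_INTEGER)          # "i"
    keytypes, pos = _expect(body, pos, TAG_SEQUENCE)         # "{"
    if pos != len(body):
        raise BerError("unexpected data after KeyTypes list")
    enctypes = []
    p = 0
    while p < len(keytypes):                                 # SEQUENCE OF KeyTypes
        item, p = _expect(keytypes, p, TAG_SEQUENCE)
        enc, q = _expect(item, 0, TAG_INTEGER)
        if q != len(item):
            raise BerError("KeyTypes element carries extra fields")
        enctypes.append(_to_int(enc))
    return _to_int(kvno_bytes), enctypes


def encode_keytab_response(kvno, enctypes):
    """Constructed encoder (short-form lengths only) used to build sample input."""
    def tlv(tag, content):
        if len(content) >= 0x80:
            raise ValueError("sample encoder only handles short-form lengths")
        return bytes([tag, len(content)]) + content

    def integer(n):
        size = 1                          # smallest two's-complement width
        while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
            size += 1
        return tlv(TAG_INTEGER, n.to_bytes(size, "big", signed=True))

    keytypes = b"".join(tlv(TAG_SEQUENCE, integer(e)) for e in enctypes)
    return tlv(TAG_SEQUENCE, integer(kvno) + tlv(TAG_SEQUENCE, keytypes))


# Constructed samples: a well-formed value for kvno 2, and two malformed ones
# (wrong outer tag; value cut off before the KeyTypes SEQUENCE).
GOOD_CONTROL = encode_keytab_response(2, [18, 17, 23])
BAD_TAG_CONTROL = b"\x04\x03\x02\x01\x02"
TRUNCATED_CONTROL = b"\x30\x03\x02\x01\x02"


def classify(control_value):
    """Decoded tuple, or the diagnostic the C client's message does not give."""
    try:
        return decode_keytab_response(control_value)
    except BerError as e:
        return "Invalid control: %s" % e


if __name__ == "__main__":
    for sample in (GOOD_CONTROL, BAD_TAG_CONTROL, TRUNCATED_CONTROL):
        print(sample.hex(), "->", classify(sample))
```

Feeding a captured control value (the raw bytes of the server's response control) to classify() tells you which of the three steps the C template stops at, which is the information a mismatched client/server pair like the one in this thread needs and that "Invalid control ?!" hides.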
From: /O=EXPERTCITY.COM/OU=BETA.EXPERTCITY/CN=RECIPIENTS/CN=BRETT.CAMPBELL On Behalf Of Brett Campbell
Sent: Monday, September 19, 2011 6:29 PM
To: JR.Aquino at citrix.com
Subject: Still failing on 5.7 with the same error........

Are you sure it's not the server? Can you check the logs?

[root at util1 Server]# cat /etc/issue
Red Hat Enterprise Linux Server release 5.7 (Tikanga)
Kernel \r on an \m

[root at util1 Server]#
[root at util1 Server]#
[root at util1 Server]#
[root at util1 Server]# rpm --aid -ivh /tmp/ipa-client-2.0-14.el5_7.1.x86_64.rpm certmonger-0.42-1.el5.x86_64.rpm cyrus-sasl-gssapi-2.1.22-5.el5_4.3.x86_64.rpm sssd-client-1.5.1-37.el5.x86_64.rpm sssd-1.5.1-37.el5.x86_64.rpm xmlrpc-c-1.16.24-1206.1840.el5.x86_64.rpm libcollection-0.6.0-10.el5.x86_64.rpm libdhash-0.4.2-10.el5.x86_64.rpm libldb-0.9.10-33.el5.x86_64.rpm libtdb-1.2.1-6.el5.x86_64.rpm openssl-devel-0.9.8e-20.el5.x86_64.rpm libref_array-0.1.1-10.el5.x86_64.rpm libpath_utils-0.2.1-10.el5.x86_64.rpm libini_config-0.6.1-10.el5.x86_64.rpm libref_array-0.1.1-10.el5.x86_64.rpm openldap24-libs-2.4.23-5.el5.x86_64.rpm xmlrpc-c-client-1.16.24-1206.1840.el5.x86_64.rpm libtalloc-2.0.1-11.el5.x86_64.rpm c-ares-1.6.0-5.el5.x86_64.rpm krb5-devel-1.6.1-62.el5.x86_64.rpm zlib-devel-1.2.3-4.el5.x86_64.rpm libtevent-0.9.8-10.el5.x86_64.rpm e2fsprogs-devel-1.39-33.el5.x86_64.rpm keyutils-libs-devel-1.2-1.el5.x86_64.rpm libselinux-devel-1.33.4-5.7.el5.x86_64.rpm libsepol-devel-1.15.2-3.el5.x86_64.rpm
warning: /tmp/ipa-client-2.0-14.el5_7.1.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:libtalloc              ########################################### [ 4%]
   2:libtevent              ########################################### [ 8%]
   3:xmlrpc-c               ########################################### [ 12%]
   4:xmlrpc-c-client        ########################################### [ 15%]
   5:libref_array           ########################################### [ 19%]
   6:libtdb                 ########################################### [ 23%]
   7:libcollection          ########################################### [ 27%]
   8:cyrus-sasl-gssapi      ########################################### [ 31%]
   9:libldb                 ########################################### [ 35%]
  10:certmonger             ########################################### [ 38%]
  11:c-ares                 ########################################### [ 42%]
  12:openldap24-libs        ########################################### [ 46%]
  13:libpath_utils          ########################################### [ 50%]
  14:libini_config          ########################################### [ 54%]
  15:libdhash               ########################################### [ 58%]
  16:sssd-client            ########################################### [ 62%]
  17:sssd                   ########################################### [ 65%]
  18:libsepol-devel         ########################################### [ 69%]
  19:libselinux-devel       ########################################### [ 73%]
  20:keyutils-libs-devel    ########################################### [ 77%]
  21:e2fsprogs-devel        ########################################### [ 81%]
  22:krb5-devel             ########################################### [ 85%]
  23:zlib-devel             ########################################### [ 88%]
  24:ipa-client             ########################################### [ 92%]
  25:openssl-devel          ########################################### [ 96%]
  26:libref_array           ########################################### [100%]
[root at util1 Server]#
[root at util1 Server]#
[root at util1 Server]#
[root at util1 Server]#
[root at util1 Server]# ipa-client-install --unattended --password='n7 I,6TN+!TF' --domain=expertcity.com --server=authstage1.ops.expertcity.com --hostname=$(hostname) --no-ntp
Realm: EXPERTCITY.COM
DNS Domain: expertcity.com
IPA Server: authstage1.ops.expertcity.com
BaseDN: dc=expertcity,dc=com

Joining realm failed: ber_scanf() failed, Invalid control ?!
child exited with 9
Certificate subject base is: O=EXPERTCITY.COM
[root at util1 Server]#
[root at util1 Server]#
[root at util1 Server]#
[root at util1 Server]# ipa-client-install --unattended --password='n7 I,6TN+!TF' --domain=expertcity.com --server=authstage1.ops.expertcity.com --hostname=$(hostname) --no-ntp
Realm: EXPERTCITY.COM
DNS Domain: expertcity.com
IPA Server: authstage1.ops.expertcity.com
BaseDN: dc=expertcity,dc=com

Joining realm failed: Host is already joined.
Certificate subject base is: O=EXPERTCITY.COM

From jcholast at redhat.com Tue Sep 20 06:28:33 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 20 Sep 2011 08:28:33 +0200
Subject: [Freeipa-devel] [PATCH] 879 ensure ssl socket is shut down
In-Reply-To: <4E77B506.8030909@redhat.com>
References: <4E77B506.8030909@redhat.com>
Message-ID: <4E783291.6090308@redhat.com>

On 19.9.2011 23:32, Rob Crittenden wrote:
> httplib makes a copy of the nss file descriptor but doesn't close it
> when the response code != 200 so we need to close it ourselves.
>
> rob
>

Can we be sure that httplib's behavior is consistent and won't change? I would rather try to close the fd without regard to the status and ignore any exceptions that it might raise, just to be on the safe side.

Honza

--
Jan Cholasta

From mkosek at redhat.com Tue Sep 20 06:56:32 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 20 Sep 2011 08:56:32 +0200
Subject: [Freeipa-devel] [PATCH] 878 ignore restorecon errors
In-Reply-To: <20110919220440.GE24991@redhat.com>
References: <4E77B4BE.6090605@redhat.com> <20110919220440.GE24991@redhat.com>
Message-ID: <1316501794.18528.5.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-09-20 at 01:04 +0300, Alexander Bokovoy wrote:
> On Mon, 19 Sep 2011, Rob Crittenden wrote:
> > According to the SELinux devs the return value from restorecon does
> > not necessarily reflect success/failure and recommended ignoring it.
> > This does that.
> ACK. I was about to submit similar but stuck with systemd port and
> forgot it. :)
>

Pushed to master, ipa-2-1.

Martin

From mkosek at redhat.com Tue Sep 20 08:18:02 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 20 Sep 2011 10:18:02 +0200
Subject: [Freeipa-devel] [PATCH] 124 ipactl does not stop dirsrv
Message-ID: <1316506685.18528.10.camel@dhcp-25-52.brq.redhat.com>

Remove an invalid instance name passed to dirsrv service so that it is correctly stopped.

https://fedorahosted.org/freeipa/ticket/1800

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-124-ipactl-does-not-stop-dirsrv.patch
Type: text/x-patch
Size: 909 bytes
Desc: not available
URL:

From mkosek at redhat.com Tue Sep 20 08:45:47 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 20 Sep 2011 10:45:47 +0200
Subject: [Freeipa-devel] [PATCH] 125 Remove checks for ds-replication plugin
Message-ID: <1316508349.18528.13.camel@dhcp-25-52.brq.redhat.com>

The replication plugin is no longer shipped as a separate package. Remove the code checking its existence.

https://fedorahosted.org/freeipa/ticket/1815

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-125-remove-checks-for-ds-replication-plugin.patch
Type: text/x-patch
Size: 3933 bytes
Desc: not available
URL:

From abokovoy at redhat.com Tue Sep 20 08:47:53 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 20 Sep 2011 11:47:53 +0300
Subject: [Freeipa-devel] [PATCH] 124 ipactl does not stop dirsrv
In-Reply-To: <1316506685.18528.10.camel@dhcp-25-52.brq.redhat.com>
References: <1316506685.18528.10.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <20110920084753.GA561@redhat.com>

On Tue, 20 Sep 2011, Martin Kosek wrote:
> Remove an invalid instance name passed to dirsrv service so that
> it is correctly stopped.
>
> https://fedorahosted.org/freeipa/ticket/1800

ACK.

--
/ Alexander Bokovoy

From mkosek at redhat.com Tue Sep 20 08:52:01 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 20 Sep 2011 10:52:01 +0200
Subject: [Freeipa-devel] [PATCH] 124 ipactl does not stop dirsrv
In-Reply-To: <20110920084753.GA561@redhat.com>
References: <1316506685.18528.10.camel@dhcp-25-52.brq.redhat.com> <20110920084753.GA561@redhat.com>
Message-ID: <1316508724.18528.14.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-09-20 at 11:47 +0300, Alexander Bokovoy wrote:
> On Tue, 20 Sep 2011, Martin Kosek wrote:
> > Remove an invalid instance name passed to dirsrv service so that
> > it is correctly stopped.
> >
> > https://fedorahosted.org/freeipa/ticket/1800
> ACK.
>

Pushed to master, ipa-2-1.

Martin

From mkosek at redhat.com Tue Sep 20 09:19:20 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 20 Sep 2011 11:19:20 +0200
Subject: [Freeipa-devel] [PATCH] 124 ipactl does not stop dirsrv
In-Reply-To: <1316508724.18528.14.camel@dhcp-25-52.brq.redhat.com>
References: <1316506685.18528.10.camel@dhcp-25-52.brq.redhat.com> <20110920084753.GA561@redhat.com> <1316508724.18528.14.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1316510363.18528.16.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-09-20 at 10:52 +0200, Martin Kosek wrote:
> On Tue, 2011-09-20 at 11:47 +0300, Alexander Bokovoy wrote:
> > On Tue, 20 Sep 2011, Martin Kosek wrote:
> > > Remove an invalid instance name passed to dirsrv service so that
> > > it is correctly stopped.
> > >
> > > https://fedorahosted.org/freeipa/ticket/1800
> > ACK.
> >
>
> Pushed to master, ipa-2-1.
>
> Martin

Alexander just noticed that dirsrv stop in ipactl start fallback code was not right either. One-liner patch attached.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-126-dirsrv-is-not-stopped-correctly-in-the-fallback.patch
Type: text/x-patch
Size: 1017 bytes
Desc: not available
URL:

From abokovoy at redhat.com Tue Sep 20 09:30:51 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 20 Sep 2011 12:30:51 +0300
Subject: [Freeipa-devel] [PATCH] 124 ipactl does not stop dirsrv
In-Reply-To: <1316510363.18528.16.camel@dhcp-25-52.brq.redhat.com>
References: <1316506685.18528.10.camel@dhcp-25-52.brq.redhat.com> <20110920084753.GA561@redhat.com> <1316508724.18528.14.camel@dhcp-25-52.brq.redhat.com> <1316510363.18528.16.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <20110920093051.GB561@redhat.com>

On Tue, 20 Sep 2011, Martin Kosek wrote:
> > Pushed to master, ipa-2-1.
> >
> Alexander just noticed, that dirsrv stop in ipactl start fallback code
> was not right either. One-liner patch attached.

ACK as well.

--
/ Alexander Bokovoy

From sbose at redhat.com Tue Sep 20 10:36:29 2011
From: sbose at redhat.com (Sumit Bose) Date: Tue, 20 Sep 2011 12:36:29 +0200 Subject: [Freeipa-devel] [PATCH] #1728 New schema for IPAv3 required attributes In-Reply-To: <1316450076.2684.488.camel@willson.li.ssimo.org> References: <1316450076.2684.488.camel@willson.li.ssimo.org> Message-ID: <20110920103629.GA2400@localhost.localdomain> On Mon, Sep 19, 2011 at 12:34:36PM -0400, Simo Sorce wrote: > Attached find a patch for new attributes and objectclasses for the IPA > v3 goal of configuring trust relationships between freeipa and windows > domains. I think everything is ok, I just started to wonder if it is maybe safer to always have a fallback primary group by making ipaNTFallbackPrimaryGroup a MUST attrbute? bye, Sumit > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > >From 4e1f05a524a1a73dacbd85f996a8c666cf5897e1 Mon Sep 17 00:00:00 2001 > From: Simo Sorce > Date: Thu, 8 Sep 2011 15:40:47 -0400 > Subject: [PATCH] schema: Add new attributes and objectclasses for AD Trusts > > --- > install/share/60basev3.ldif | 15 +++++++++++++-- > 1 files changed, 13 insertions(+), 2 deletions(-) > > diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif > index bdeee4b66f853e230f1edca039a556dc5537796e..64f42d480d68724ee2cdb548ead10d13361b0d40 100644 > --- a/install/share/60basev3.ldif > +++ b/install/share/60basev3.ldif 
> @@ -1,8 +1,19 @@ > ## IPA Base OID: 2.16.840.1.113730.3.8 > ## > -## Attributes: 2.16.840.1.113730.3.8.11 - V2 base attributres > -## ObjectClasses: 2.16.840.1.113730.3.8.12 - V2 base objectclasses > +## Attributes: 2.16.840.1.113730.3.8.11 - V3 base attributres > +## ObjectClasses: 2.16.840.1.113730.3.8.12 - V3 base objectclasses > ## > dn: cn=schema > attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME 'ipaExternalMember' DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' ) > +attributeTypes: (2.16.840.1.113730.3.8.11.2 NAME 'ipaNTSecurityIdentfier' DESC 'NT Security ID' EQUALITY caseIgnoreIA5Match OREDRING caseIgnoreIA5OrderingMatch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v3' ) > +attributeTypes: (2.16.840.1.113730.3.8.11.3 NAME 'ipaNTFlatName' DESC 'Flat/Netbios Name' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) > +attributeTypes: (2.16.840.1.113730.3.8.11.4 NAME 'ipaNTFallbackPrimaryGroup' DESC 'Fallback Group to set the Primary group Security Identifier for users with UPGs' SUP distinguishedName X-ORIGIN 'IPA v3' ) > +attributeTypes: (2.16.840.1.113730.3.8.11.5 NAME 'ipaNTHash' DESC 'NT Hash of user password' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v3' ) > +attributeTypes: (2.16.840.1.113730.3.8.11.6 NAME 'ipaNTLogonScript' DESC 'User Logon Script Name' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) > +attributeTypes: (2.16.840.1.113730.3.8.11.7 NAME 'ipaNTProfilePath' DESC 'User Profile Path' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR 
caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) > +attributeTypes: (2.16.840.1.113730.3.8.11.8 NAME 'ipaNTHomeDirectory' DESC 'User Home Directory Path' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) > +attributeTypes: (2.16.840.1.113730.3.8.11.9 NAME 'ipaNTHomeDirectoryDrive' DESC 'User Home Drive Letter' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) > objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) > +objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectotryDrive ) X-ORIGIN 'IPA v3' ) > +objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) > +objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $ ipaNTFlatName ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 'IPA v3' ) > -- > 1.7.6.2 > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From mkosek at redhat.com Tue Sep 20 10:42:45 2011 
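Review bot: the ordering keyword is misspelled OREDRING in the new attributeTypes lines 2.16.840.1.113730.3.8.11.2, .3, .5, .6, .7, .8 and .9; RFC 4512 spells it ORDERING, so as written none of these definitions declares the ordering rule it intends. The names do not line up either: 11.2 defines 'ipaNTSecurityIdentfier', but all three objectClasses (12.2, 12.3, 12.4) put ipaNTSecurityIdentifier in MUST, and ipaNTUserAttrs lists ipaNTHomeDirectotryDrive in MAY where 11.9 defines ipaNTHomeDirectoryDrive; fix the spelling in 11.2 and in the MAY list so every MUST/MAY name resolves to a defined attribute. ipaNTHash (11.5) pairs the Octet String syntax 1.3.6.1.4.1.1466.115.121.1.40 with the Directory String rules caseIgnoreMatch, caseIgnoreOrderingMatch and caseIgnoreSubstringsMatch; octetStringMatch with no ORDERING or SUBSTR is the matching rule that fits that syntax. Its DESC says it holds the NT hash of the user password, which is password-equivalent, so the read ACIs should treat it the way userPassword is treated. Nit: 'attributres' in the header comment.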
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 20 Sep 2011 12:42:45 +0200 Subject: [Freeipa-devel] [PATCH] 124 ipactl does not stop dirsrv In-Reply-To: <20110920093051.GB561@redhat.com> References: <1316506685.18528.10.camel@dhcp-25-52.brq.redhat.com> <20110920084753.GA561@redhat.com> <1316508724.18528.14.camel@dhcp-25-52.brq.redhat.com> <1316510363.18528.16.camel@dhcp-25-52.brq.redhat.com> <20110920093051.GB561@redhat.com> Message-ID: <1316515367.18528.17.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-09-20 at 12:30 +0300, Alexander Bokovoy wrote: > On Tue, 20 Sep 2011, Martin Kosek wrote: > > > Pushed to master, ipa-2-1. > > > > > Alexander just noticed, that dirsrv stop in ipactl start fallback code > > was not right either. One-liner patch attached. > ACK as well. > Pushed to master, ipa-2-1. Martin From mkosek at redhat.com Tue Sep 20 11:13:22 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 20 Sep 2011 13:13:22 +0200 Subject: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry In-Reply-To: References: <28D50949-6CAB-4B58-BA3D-7F2C31EFEC35@citrixonline.com> <4DB085BB.6080104@redhat.com> <1303426875.26325.4.camel@willson.li.ssimo.org> <1303738997.23464.13.camel@willson.li.ssimo.org> <1303747204.23464.19.camel@willson.li.ssimo.org> <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com> <128FDDA2-BC61-4D75-B08F-EA89C0C62CB3@citrixonline.com> <1316076472.2479.10.camel@dhcp-25-52.brq.redhat.com> <967AED78-B524-4EE8-8A0D-D13E26E7AE6E@citrixonline.com> <1316164295.24447.43.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1316517204.18528.20.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-09-16 at 16:37 +0000, JR Aquino wrote: > On Sep 16, 2011, at 2:11 AM, Martin Kosek wrote: > > > On Thu, 2011-09-15 at 17:25 +0000, JR Aquino wrote: > >> On Sep 15, 2011, at 1:47 AM, Martin Kosek wrote: > >> > >>> On Thu, 2011-09-15 at 00:47 +0000, JR Aquino wrote: > >>>> On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote: > >>> > >>>>> 5) I was thinking if there is a better solution to enabling/disabling of > >>>>> the plugin. Likes setting something like "managedEntryEnabled" attribute > >>>>> to on/off as we do with compat plugin. Current concept with disabling > >>>>> the definition by damaging the originFilter and then restoring it from > >>>>> an LDIF seems a bit awkward to me. > >>>> > >>>> This has been completely changed: > >>>> Instead of looking to ldif files, an ldap look up is now performed to dynamically list the available managed entries. > >>> > >>> Now we are talking :-) I like the new approach. > >> > >> > >> > >>> > >>> I have reviewed your patch, basic functionality looks good. 
But I still > >>> have few (nitpicking) comments: > >>> > >>> 1) There are parts from the previous file that are no longer needed > >>> since you switched to different approach: > >>> > >>> +import os > >>> > >>> + from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax > >>> > >>> + import StringIO > >>> > >>> + import ldif > >>> > >>> +except BadSyntax, e: > >>> + print "There is a syntax error in this update file:" > >>> + print " %s" % e > >>> + sys.exit(1) > >> > >> Removed > >> > >>> > >>> 2) I saw few whitespace errors on following lines of the patch: 419, 433 > >>> and 453 > >> > >> Fixed whitespace errors > >> > >>> > >>> 3) Output of the --list method is confusing: > >>> > >>> # ipa-managed-entries --list > >>> Directory Manager password: > >>> > >>> Available Managed Entry Plugins: > >>> cn=upg definition,cn=definitions,cn=managed > >>> entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > >>> cn=ngp definition,cn=definitions,cn=managed > >>> entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > >>> > >>> You must specify a managed entry definition <<< > >>> # echo $? > >>> 1 <<< > >>> > >>> a) I shouldn't be asked to specify a managed entry definition for --list > >> > >> Fixed > >> > >>> b) The listing was successful, so we shouldn't return error code > >> > >> Corrected error code > >> > >>> > >>> 4) Return code for disabling an already disabled entry should be 2 > >>> (according to man pages): > >>> > >>> # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable > >>> Directory Manager password: > >>> > >>> Plugin already disabled > >>> # echo $? 
> >>> 0 > >> > >> Fixed error code > >> > >>> > >>> 5) Strange is, that enabling a disabled plugin gives me return code 2: > >>> # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable > >>> Directory Manager password: > >>> > >>> Enabling Plugin > >>> # echo $? > >>> 2 > >>> > >>> Return codes for these actions should fit the man pages. > >> > >> Fixed error code > >> > >>> > >>> 6) I would improve working with LDAP filters, current solution is error > >>> prone. Try disabling&enabling NGP Defition, we end up with this > >>> originFilter: > >>> > >>> originfilter: (&(objectclass=ipahostgroup)) > >>> > >>> I think the cleanest solution would be to use ldap.make_filter and > >>> ldap.combine_filters functions to play with these filter. You can > >>> inspire yourself in this example I wrote for DNS plugin: > >>> > >>> rev_zone_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE, exact=False, > >>> trailing_wildcard=False) > >>> filter = ldap.combine_filters((rev_zone_filter, filter), rules=ldap.MATCH_ALL) > >> > >> Rob and you addressed this in the mailing list. > >> For the record, I do agree that we are lacking a method for reading and modifying existing ldap filters. > >> We will continue with the simple string method here for this iteration. > >> > >>> > >>> 7) Entering Directory Manager every time may be a bit tedious. Could we > >>> use current Kerberos credentials and fall-back to asking Directory > >>> Manager password if it doesn't work? Its already done this way in > >>> ipa-replica-manage for example. > >>> > >>> We could fix this, however, as an enhancement in another patch. > >> > >> Fixed. We now will use gssapi if available, and prompt for password if there is no ticket. > >> > >>> > >>> 8) Man page - please use the new united FreeIPA man page header. 
Instead > >>> of > >>> > >>> +.TH "ipa-managed-entries" "1" "Sept 15 2011" "freeipa" "" > >>> > >>> use: > >>> > >>> +.TH "ipa-managed-entries" "1" "Sept 15 2011" "FreeIPA" "FreeIPA Manual > >>> Pages" > >> > >> Fixed > >> > >>> > >>> > >>> 9) Man page - comma is missing for --list option: > >>> > >>> +\fB\-l\-\-list\fR > >>> > >> > >> Fixed > >> > >>> > >>> 10) install/po/Makefile.in should be updated to: there is still > >>> reference to ipa-host-net-manage and ipa-managed-entries reference is > >>> missing > >> > >> Fixed > >> > > > > Great, most bugs are fixed. I only saw these 2 minor bugs. If those are > > fixed, I think we can ack&push. > > > > 1) Man pages: --list option is still not right, formating is wrong > > +\fB\-l\fR, -\-list\fR > > This typo is now corrected > > > > > 2) Enable action is missing a notice for the user, like the disable > > action has: > > > > # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable > > Disabling Plugin > > The output is now corrected. > > > # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable > > I have now also corrected the --list / -e / --entry to support/display shorthand for the managed entries instead of the full DN. > > # ipa-managed-entries --list > Available Managed Entry Definitions: > UPG Definition > NGP Definition > # > > # ipa-managed-entries --entry="UPG Definition" status > Plugin Enabled > # > Looks good. 
I found just one more bug:

# ipa-managed-entries -e foo status
Traceback (most recent call last):
  File "/usr/sbin/ipa-managed-entries", line 236, in
    sys.exit(main())
  File "/usr/sbin/ipa-managed-entries", line 152, in main
    ['originfilter'],
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 502, in search_s
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 496, in search_ext_s
    return self.result(msgid,all=1,timeout=timeout)[1]
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 181, in inner
    objtype, data = f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 422, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 426, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 432, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.NO_SUCH_OBJECT: {'matched': 'cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com', 'desc': 'No such object'}

I think we should handle this situation better and report a nice error message.
Martin From mkosek at redhat.com Tue Sep 20 11:15:36 2011 
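The leftover originFilter "(&(objectclass=ipahostgroup))" from comment 6 of the review above is what flat string editing of an LDAP filter produces. The following is an added example, not the ipa-managed-entries code: it assumes a constructed scheme in which disabling a managed-entry definition ANDs its originFilter with a sentinel assertion "(objectclass=disabled)" that no entry matches, and enabling removes exactly that sentinel again by parsing the filter rather than editing its text. Return codes follow the man-page convention discussed in the thread (0 changed, 2 already in the requested state); parse_filter, disable_filter, enable_filter and naive_enable are constructed names, and naive_enable is there only to show the string-replace failure mode for contrast.

```python
# Added example (not FreeIPA's ipa-managed-entries).  Assumed scheme: a
# definition is disabled by AND-ing its originFilter with a sentinel that
# never matches, and enabled by removing that sentinel again.
SENTINEL = "objectclass=disabled"   # leaf form (no parentheses); assumes no entry has this class

RC_CHANGED, RC_NOOP = 0, 2         # the thread's man page: 0 = changed, 1 = error, 2 = already so


def _parse(filt, pos):
    """Recursive-descent parse of an RFC 4515 filter.  AND/OR/NOT nodes become
    (op, [children]); a simple assertion stays as the text between its parens."""
    if pos >= len(filt) or filt[pos] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (pos, filt))
    pos += 1
    if pos < len(filt) and filt[pos] in "&|!":
        op, pos, children = filt[pos], pos + 1, []
        while pos < len(filt) and filt[pos] == "(":
            child, pos = _parse(filt, pos)
            children.append(child)
        if pos >= len(filt) or filt[pos] != ")":
            raise ValueError("unbalanced filter %r" % filt)
        return (op, children), pos + 1
    end = filt.find(")", pos)           # a literal ')' inside a value is escaped as \29
    if end < 0:
        raise ValueError("unterminated assertion in %r" % filt)
    return filt[pos:end], end + 1


def parse_filter(filt):
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing data after filter: %r" % filt[end:])
    return node


def unparse(node):
    if isinstance(node, str):
        return "(%s)" % node
    op, children = node
    return "(%s%s)" % (op, "".join(unparse(c) for c in children))


def _is_disabled(node):
    return isinstance(node, tuple) and node[0] == "&" and SENTINEL in node[1]


def disable_filter(filt):
    """Return (new_filter, rc); rc is RC_NOOP when the definition is already disabled.
    An existing top-level AND gets the sentinel prepended instead of being nested."""
    node = parse_filter(filt)
    if _is_disabled(node):
        return filt, RC_NOOP
    if isinstance(node, tuple) and node[0] == "&":
        return unparse(("&", [SENTINEL] + node[1])), RC_CHANGED
    return unparse(("&", [SENTINEL, node])), RC_CHANGED


def enable_filter(filt):
    """Inverse of disable_filter: drop the sentinel and collapse a now-unary AND,
    so the original filter text comes back instead of '(&(...))' debris."""
    node = parse_filter(filt)
    if not _is_disabled(node):
        return filt, RC_NOOP
    rest = [c for c in node[1] if c != SENTINEL]
    if len(rest) == 1:
        return unparse(rest[0]), RC_CHANGED
    return unparse(("&", rest)), RC_CHANGED


def naive_enable(filt):
    """The flat-string approach, for contrast: the sentinel goes away but the
    wrapping '(&' ... ')' stays, which is exactly the debris seen in the thread."""
    return filt.replace("(%s)" % SENTINEL, "")


def roundtrip(filt):
    """Disable then enable; the result should equal the input byte for byte."""
    disabled, _ = disable_filter(filt)
    enabled, _ = enable_filter(disabled)
    return enabled
```

Because disable and enable both go through the parsed tree, running either one twice is harmless: the second call reports RC_NOOP and leaves the filter untouched, which is what the man page's return-code table promises.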
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 20 Sep 2011 13:15:36 +0200
Subject: [Freeipa-devel] Structured DNS record API proposal
In-Reply-To: <1316158954.24447.31.camel@dhcp-25-52.brq.redhat.com>
References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com> <4E7251FB.4040406@redhat.com> <1316158954.24447.31.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1316517338.18528.22.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-09-16 at 09:42 +0200, Martin Kosek wrote:
> On Thu, 2011-09-15 at 15:28 -0400, Adam Young wrote:
> > On 09/14/2011 12:18 PM, Martin Kosek wrote:
> > > Attached in the txt file. If you have any comments or suggestions to
> > > this proposal, please let me know.
> > >
> > > https://fedorahosted.org/freeipa/ticket/1766
> > >
> > > _______________________________________________
> > > Freeipa-devel mailing list
> > > Freeipa-devel at redhat.com
> > > https://www.redhat.com/mailman/listinfo/freeipa-devel
> >
> > ACK. Proposal looks like it will work fairly easily with the UI.
> > We'll have to make some changes due to the Add doing something
> > different based on the type, but that is the case anyway.
>
> Yes, I was thinking how we can integrate this new API into the WebUI. AFAIK
> you use dnsrecord-add $ZONE $REC --a-rec=... --mx-rec=... for adding a
> new DNS record and dnsrecord-mod $ZONE $REC --mx-rec=... when for
> example the mx record is being modified. All MX values (even the
> unmodified ones) are passed to dnsrecord-mod.
>
> 1) I was wondering how the new dnsrecord--add commands can be
> used. I suppose WebUI will know a list of DNS record types with these
> new structured commands and offer the user a new window to add a record
> for these types instead of typing them directly into the text box as it is
> now.
>
> 2) But my main concern here is how the modification of current DNS
> records should work. Say we have 2 MX records for example.com. How can
> we modify one of them in a new structured interface?
>
> We would have to implement a dnsrecord-mx-show method so that you can fill
> all the text areas (preference, mailserver). The question is how to refer to
> the value we want to show since DNS records are multivalued. We could
> pass --dnsrecord="..." with the DNS record value, e.g. "0 mx.example.com.",
> and then use the same value for dnsrecord-mx-mod. The whole command
> sequence would look this way:
>
> dnsrecord-find example.com -- get all DNS records for example.com
> dnsrecord-show example.com @ -- show DNS records directly in the zone
> NS: "ns.example.com"
> MX: "0 mx1.example.com."
> MX: "1 mx2.example.com." << user wants to modify this one -> new window
>
> dnsrecord-mx-show example.com --dnsrecord="1 mx1.example.com."
> PREFERENCE: 1 << user modifies this to 0
> MAILSERVER: mx2.example.com.
>
> dnsrecord-mx-mod example.com --dnsrecord="1 mx1.example.com." --preference=0
>
> What do you think about this API for record modification?
>
> Martin

Adam, Endi or Petr - can you please comment on this API proposal for record
modification? It is important to design the API correctly.

Thanks,
Martin

From mkosek at redhat.com Tue Sep 20 11:50:02 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 20 Sep 2011 13:50:02 +0200
Subject: [Freeipa-devel] [PATCH] 876 normalize user principal
In-Reply-To: <4E735A40.9000102@redhat.com>
References: <4E7351DB.8060007@redhat.com> <4E735A40.9000102@redhat.com>
Message-ID: <1316519405.18528.25.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-09-16 at 10:16 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Normalize and validate user principals in user and passwd plugins. The
> > uid in the principal should be lower-case.
> >
> > rob
>
> With updated API.txt
>
> rob

This works fine. I would just suggest improving the way we handle realm
case mismatch:

# ipa user-add --first=Foo --last=Bar --principal=fbar3 at idm.lab.bos.redhat.com FBar3
ipa: ERROR: The realm for the principal does not match the realm for this IPA server
[root at vm-120 ~]# ipa user-add --first=Foo --last=Bar --principal=fbar3 at IDM.LAB.BOS.REDHAT.COM FBar3
------------------
Added user "fbar3"
------------------
  User login: fbar3
  First name: Foo
  Last name: Bar
  Full name: Foo Bar
  Display name: Foo Bar
  Initials: FB
  Home directory: /home/fbar3
  GECOS field: Foo Bar
  Login shell: /bin/sh
  Kerberos principal: fbar3 at IDM.LAB.BOS.REDHAT.COM
  UID: 63600005
  GID: 63600001
  Keytab: False
  Password: False

I think we should force it to uppercase in split_principal() as we do in
service.py.

Martin

From pvoborni at redhat.com Tue Sep 20 11:57:53 2011
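An added example, not the code from Rob's patch or from split_principal(): it applies the two rules discussed in this thread, lower-casing the uid and upper-casing the realm, and only then compares the realm with the server's, so the first command above would be accepted instead of failing on letter case alone while a genuinely different realm is still rejected. normalize_user_principal and RealmMismatch are constructed names; the realm strings are the ones from the output above.

```python
class RealmMismatch(ValueError):
    """The principal names a realm other than this server's."""


def normalize_user_principal(principal, server_realm):
    """Return 'uid@REALM' with the uid lower-cased and the realm upper-cased.

    A principal without a realm part gets the server's realm.  A realm that
    differs only in case is normalised, as suggested in the thread; any other
    realm raises RealmMismatch.  Service principals (host/..., HTTP/...) are
    refused because this is user-principal validation only.
    """
    server_realm = server_realm.strip().upper()
    if "@" in principal:
        uid, realm = principal.rsplit("@", 1)   # the realm is whatever follows the last '@'
    else:
        uid, realm = principal, server_realm
    uid = uid.strip().lower()
    realm = realm.strip().upper()
    if not uid or "/" in uid:
        raise ValueError("not a user principal: %r" % principal)
    if realm != server_realm:
        raise RealmMismatch(
            "The realm for the principal does not match the realm for this IPA server")
    return "%s@%s" % (uid, realm)


def principal_for_user(uid, principal, server_realm):
    """What a user-add would store: the given principal if any, else uid@REALM."""
    return normalize_user_principal(principal if principal else uid, server_realm)
```

Kerberos realm names are case-sensitive on the wire, so a principal stored with a lower-case realm would never match tickets issued by the KDC; normalising before the comparison keeps the check strict where it matters (a different realm) and lenient where it does not (operator typing).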
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 20 Sep 2011 13:57:53 +0200 Subject: [Freeipa-devel] [PATCH] 270 Fixed posix group checkbox. In-Reply-To: <4E73563A.4080506@redhat.com> References: <4E714199.9030501@redhat.com> <4E7229A0.7070002@redhat.com> <4E73563A.4080506@redhat.com> Message-ID: <4E787FC1.8010604@redhat.com> On 09/16/2011 03:59 PM, Endi Sukma Dewata wrote: > Attached is the updated patch. I fixed the test case and did some > cleanup. This is actually the problem I mentioned in the meeting (so > patch 271 is actually fine). > > It looks like currently the checkbox widget is only used with boolean > attributes. And it will only work with boolean attributes anyway because > right now the save() will always return a boolean value. But for now I'm > trying to use the original loaded/default value unless it's 'TRUE' or > 'FALSE' which will be converted into boolean. > > In the future we might want to use this with non-boolean attributes. So > we need to be able to map a pair of non-boolean values into checked and > unchecked state during load()/reset() and vice versa during save(). > > -- > Endi S. Dewata ACK -- Petr Vobornik From pvoborni at redhat.com Tue Sep 20 12:15:57 2011 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 20 Sep 2011 14:15:57 +0200 Subject: [Freeipa-devel] [PATCH] 272 Fixed columns in HBAC/sudo rules list pages. In-Reply-To: <4E737832.9090207@redhat.com> References: <4E737832.9090207@redhat.com> Message-ID: <4E7883FD.6010101@redhat.com> On 09/16/2011 06:24 PM, Endi Sukma Dewata wrote: > The following list pages were modified to show these columns only: > * HBAC rules: name, type, enabled, description > * Sudo rules: name, enabled, description > > Ticket #1796 > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -- Petr Vobornik From simo at redhat.com Tue Sep 20 12:47:58 2011 
From: simo at redhat.com (Simo Sorce) Date: Tue, 20 Sep 2011 08:47:58 -0400 Subject: [Freeipa-devel] [PATCH] #1728 New schema for IPAv3 required attributes In-Reply-To: <20110920103629.GA2400@localhost.localdomain> References: <1316450076.2684.488.camel@willson.li.ssimo.org> <20110920103629.GA2400@localhost.localdomain> Message-ID: <1316522878.2684.518.camel@willson.li.ssimo.org> On Tue, 2011-09-20 at 12:36 +0200, Sumit Bose wrote: > On Mon, Sep 19, 2011 at 12:34:36PM -0400, Simo Sorce wrote: > > Attached find a patch for new attributes and objectclasses for the IPA > > v3 goal of configuring trust relationships between freeipa and windows > > domains. > > I think everything is ok, I just started to wonder if it is maybe safer > to always have a fallback primary group by making > ipaNTFallbackPrimaryGroup a MUST attrbute? I thought about that and although we are probably always going to try to set it I did not want to force it. Some people may decide to remove the ipausers group or rename it or something and I do not want to find ourselves in a situation where ipa-adtrust-install can't proceed because it doesn't find a suitable group. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Tue Sep 20 12:57:45 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 20 Sep 2011 08:57:45 -0400 Subject: [Freeipa-devel] [PATCH] 879 ensure ssl socket is shut down In-Reply-To: <4E783291.6090308@redhat.com> References: <4E77B506.8030909@redhat.com> <4E783291.6090308@redhat.com> Message-ID: <4E788DC9.8000600@redhat.com> Jan Cholasta wrote: > On 19.9.2011 23:32, Rob Crittenden wrote: >> httplib makes a copy of the nss file descriptor but doesn't close it >> when the response code != 200 so we need to close it ourselves. >> >> rob >> > > Can we be sure that httplib's behavior is consistent and won't change? I > would rather try to close the fd without regard to the status and ignore > any exceptions that it might raise, just to be on the safe side. > > Honza > We don't really have a lot of choice, the file pointer can be used at any point in a successful request. rob From sbose at redhat.com Tue Sep 20 12:59:10 2011 
From: sbose at redhat.com (Sumit Bose) Date: Tue, 20 Sep 2011 14:59:10 +0200 Subject: [Freeipa-devel] [PATCH] #1728 New schema for IPAv3 required attributes In-Reply-To: <1316522878.2684.518.camel@willson.li.ssimo.org> References: <1316450076.2684.488.camel@willson.li.ssimo.org> <20110920103629.GA2400@localhost.localdomain> <1316522878.2684.518.camel@willson.li.ssimo.org> Message-ID: <20110920125910.GC2400@localhost.localdomain> On Tue, Sep 20, 2011 at 08:47:58AM -0400, Simo Sorce wrote: > On Tue, 2011-09-20 at 12:36 +0200, Sumit Bose wrote: > > On Mon, Sep 19, 2011 at 12:34:36PM -0400, Simo Sorce wrote: > > > Attached find a patch for new attributes and objectclasses for the IPA > > > v3 goal of configuring trust relationships between freeipa and windows > > > domains. > > > > I think everything is ok, I just started to wonder if it is maybe safer > > to always have a fallback primary group by making > > ipaNTFallbackPrimaryGroup a MUST attrbute? > > I thought about that and although we are probably always going to try to > set it I did not want to force it. > Some people may decide to remove the ipausers group or rename it or > something and I do not want to find ourselves in a situation where > ipa-adtrust-install can't proceed because it doesn't find a suitable > group. good point. ACK bye, Sumit > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > From pvoborni at redhat.com Tue Sep 20 13:02:14 2011 
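Two things in this thread can be checked mechanically: whether every name an objectClass lists under MUST or MAY is actually defined by an attributeTypes line (the patch earlier in the thread defines 'ipaNTSecurityIdentfier' and 'ipaNTHomeDirectoryDrive' but its objectClasses use ipaNTSecurityIdentifier and ipaNTHomeDirectotryDrive), and what Simo's choice of MAY rather than MUST for ipaNTFallbackPrimaryGroup means for a domain entry that lacks it. The following is an added example, not FreeIPA code and not the 389-ds schema parser: the schema lines are copied from the patch, the entries are constructed, and parse_schema, undefined_references and check_entry are constructed names. It also flags keywords that are not in the RFC 4512 definition grammar, which catches the misspelled ORDERING.

```python
import re

# Schema lines copied from the patch in this thread.  The objectClasses
# reference 'ipaNTSecurityIdentifier' and 'ipaNTHomeDirectotryDrive', while
# the attributeTypes define 'ipaNTSecurityIdentfier' and 'ipaNTHomeDirectoryDrive'.
SCHEMA_LDIF = """\
attributeTypes: (2.16.840.1.113730.3.8.11.2 NAME 'ipaNTSecurityIdentfier' DESC 'NT Security ID' EQUALITY caseIgnoreIA5Match OREDRING caseIgnoreIA5OrderingMatch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.3 NAME 'ipaNTFlatName' DESC 'Flat/Netbios Name' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.4 NAME 'ipaNTFallbackPrimaryGroup' DESC 'Fallback Group to set the Primary group Security Identifier for users with UPGs' SUP distinguishedName X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.5 NAME 'ipaNTHash' DESC 'NT Hash of user password' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.6 NAME 'ipaNTLogonScript' DESC 'User Logon Script Name' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.7 NAME 'ipaNTProfilePath' DESC 'User Profile Path' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.8 NAME 'ipaNTHomeDirectory' DESC 'User Home Directory Path' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.9 NAME 'ipaNTHomeDirectoryDrive' DESC 'User Home Drive Letter' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectotryDrive ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $ ipaNTFlatName ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 'IPA v3' )
"""

# Keywords of the RFC 4512 definition grammar; X- extensions are allowed too.
ATTR_KEYWORDS = {"NAME", "DESC", "OBSOLETE", "SUP", "EQUALITY", "ORDERING", "SUBSTR",
                 "SYNTAX", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION", "USAGE"}
OC_KEYWORDS = {"NAME", "DESC", "OBSOLETE", "SUP", "ABSTRACT", "STRUCTURAL",
               "AUXILIARY", "MUST", "MAY"}


def _name(body):
    m = re.search(r"NAME\s+'([^']+)'", body)
    return m.group(1) if m else None


def _oid_list(body, keyword):
    """Names after `KEYWORD ( a $ b )` or `KEYWORD a`; [] when the keyword is absent."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|([\w-]+))" % keyword, body)
    if not m:
        return []
    inner = m.group(1) if m.group(1) is not None else m.group(2)
    return [n.strip() for n in inner.split("$") if n.strip()]


def parse_schema(ldif_text):
    """Return (attribute names, {objectClass: (MUST, MAY)}, [(definition, bad keyword)])."""
    attrs, classes, bad_keywords = [], {}, []
    for line in ldif_text.splitlines():
        if not line.strip():
            continue
        kind, body = line.split(":", 1)
        body, name = body.strip(), _name(body)
        if kind == "attributeTypes":
            attrs.append(name)
            allowed = ATTR_KEYWORDS
        else:
            classes[name] = (_oid_list(body, "MUST"), _oid_list(body, "MAY"))
            allowed = OC_KEYWORDS
        # Blank out quoted strings first so words inside DESC are not taken for keywords.
        tokens = re.sub(r"'[^']*'", "''", body).replace("(", " ").replace(")", " ").split()
        for tok in tokens:
            if re.fullmatch(r"[A-Z][A-Z-]+", tok) and tok not in allowed and not tok.startswith("X-"):
                bad_keywords.append((name, tok))
    return attrs, classes, bad_keywords


def undefined_references(attrs, classes):
    """MUST/MAY names no attributeTypes line defines (LDAP names are case-insensitive)."""
    defined = {a.lower() for a in attrs}
    return sorted({n for must, may in classes.values() for n in must + may
                   if n.lower() not in defined})


def check_entry(entry, classes):
    """Required attributes the entry lacks, per the MUST lists of its objectClasses.
    MAY attributes never show up here, which is why a domain entry without
    ipaNTFallbackPrimaryGroup still passes."""
    by_name = {k.lower(): v for k, v in classes.items()}
    present = {k.lower() for k, v in entry.items() if v}
    missing = []
    for oc in entry.get("objectclass", []):
        must, _may = by_name.get(oc.lower(), ([], []))
        missing.extend(a for a in must if a.lower() not in present)
    return missing


# Constructed trust-domain entries: one complete, one without the flat name.
DOMAIN_OK = {"objectclass": ["ipaNTDomainAttrs"],
             "ipantsecurityidentifier": ["S-1-5-21-1-2-3"],   # constructed SID
             "ipantflatname": ["EXAMPLE"]}
DOMAIN_BAD = {"objectclass": ["ipaNTDomainAttrs"],
              "ipantsecurityidentifier": ["S-1-5-21-1-2-3"]}
```

Running parse_schema over the pasted lines reports OREDRING seven times and two names that resolve to nothing, the kind of thing a schema file only reveals once the server refuses an entry; check_entry shows the practical effect of Simo's MAY decision, since DOMAIN_OK validates without a fallback group while DOMAIN_BAD fails on the MUST attribute ipaNTFlatName.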
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 20 Sep 2011 15:02:14 +0200 Subject: [Freeipa-devel] [PATCH] 273 Removed HBAC rule type. In-Reply-To: <4E737841.7080106@redhat.com> References: <4E737841.7080106@redhat.com> Message-ID: <4E788ED6.4050600@redhat.com> On 09/16/2011 06:24 PM, Endi Sukma Dewata wrote: > HBAC rule type has been removed from the list page and details page > because it is no longer supported in IPA 3.0. > > Ticket #1795 > > This should be pushed to master branch only. > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -- Petr Vobornik From ayoung at redhat.com Tue Sep 20 14:02:42 2011 
From: ayoung at redhat.com (Adam Young)
Date: Tue, 20 Sep 2011 10:02:42 -0400
Subject: [Freeipa-devel] Structured DNS record API proposal
In-Reply-To: <1316517338.18528.22.camel@dhcp-25-52.brq.redhat.com>
References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com> <4E7251FB.4040406@redhat.com> <1316158954.24447.31.camel@dhcp-25-52.brq.redhat.com> <1316517338.18528.22.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E789D02.90204@redhat.com>

This discussion got me thinking, always a dangerous proposal:

We are currently exposing record add with the lie that when you add a
record, it has a type. The reality is that a record is just this big
collection of multi-value attributes, and each of those is the "type"
of the record.

If all of the 'records' have the same idnsname, then they really fall
under the same Record object in LDAP.

What if we focus on the attributes themselves, and add the type info
there?

Pie in the sky proposal. Treat it as a starting point:

From the webui perspective
dnsrecord-add allows the case where it just has the idnsname with
no "records"

dnsrecordattr-mod takes record type specific values.

To add a location entry:

ipa dnsrecordattr-mod --append location --lat-deg=INT --lat-min=INT --lat-sec=FLOAT --lat-dir=ENUM --lon-deg=INT --lon-min=INT --lon-sec=FLOAT --lon-dir=ENUM --alt=FLOAT --h-precision=FLOAT --v-precision=FLOAT

And to remove it

ipa dnsrecordattr-mod --remove location --lat-deg=INT --lat-min=INT --lat-sec=FLOAT --lat-dir=ENUM --lon-deg=INT --lon-min=INT --lon-sec=FLOAT --lon-dir=ENUM --alt=FLOAT --h-precision=FLOAT --v-precision=FLOAT

mod2 is expected to work on a single attribute at a time.

From simo at redhat.com Tue Sep 20 14:41:46 2011
From: simo at redhat.com (Simo Sorce) Date: Tue, 20 Sep 2011 10:41:46 -0400 Subject: [Freeipa-devel] [PATCH] #1728 New schema for IPAv3 required attributes In-Reply-To: <20110920125910.GC2400@localhost.localdomain> References: <1316450076.2684.488.camel@willson.li.ssimo.org> <20110920103629.GA2400@localhost.localdomain> <1316522878.2684.518.camel@willson.li.ssimo.org> <20110920125910.GC2400@localhost.localdomain> Message-ID: <1316529706.2684.520.camel@willson.li.ssimo.org> On Tue, 2011-09-20 at 14:59 +0200, Sumit Bose wrote: > On Tue, Sep 20, 2011 at 08:47:58AM -0400, Simo Sorce wrote: > > On Tue, 2011-09-20 at 12:36 +0200, Sumit Bose wrote: > > > On Mon, Sep 19, 2011 at 12:34:36PM -0400, Simo Sorce wrote: > > > > Attached find a patch for new attributes and objectclasses for the IPA > > > > v3 goal of configuring trust relationships between freeipa and windows > > > > domains. > > > > > > I think everything is ok, I just started to wonder if it is maybe safer > > > to always have a fallback primary group by making > > > ipaNTFallbackPrimaryGroup a MUST attrbute? > > > > I thought about that and although we are probably always going to try to > > set it I did not want to force it. > > Some people may decide to remove the ipausers group or rename it or > > something and I do not want to find ourselves in a situation where > > ipa-adtrust-install can't proceed because it doesn't find a suitable > > group. > > good point. > > ACK Thanks, pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From mkosek at redhat.com Tue Sep 20 15:11:30 2011 
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 20 Sep 2011 17:11:30 +0200
Subject: [Freeipa-devel] Structured DNS record API proposal
In-Reply-To: <4E789D02.90204@redhat.com>
References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com> <4E7251FB.4040406@redhat.com> <1316158954.24447.31.camel@dhcp-25-52.brq.redhat.com> <1316517338.18528.22.camel@dhcp-25-52.brq.redhat.com> <4E789D02.90204@redhat.com>
Message-ID: <1316531492.12296.14.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-09-20 at 10:02 -0400, Adam Young wrote:
> This discussion got me thinking, always a dangerous proposal:
>
> We are currently exposing record add with the lie that when you add a
> record, it has a type. The reality is that a record is just this big
> collection of multi-value attributes, and each of those is the "type"
> of the record.

The way I see it is that we have different types of Resource Records with
a (domain) name that can be shared.

> If all of the 'records' have the same idnsname, then they really fall
> under the same Record object in LDAP.

Yes.

> What if we focus on the attributes themselves, and add the type info
> there?

I thought we do this already.

> Pie in the sky proposal. Treat it as a starting point:
>
> From the webui perspective
> dnsrecord-add allows the case where it just has the idnsname with
> no "records"
>
> dnsrecordattr-mod takes record type specific values.
>
> To add a location entry:
>
> ipa dnsrecordattr-mod --append location --lat-deg=INT --lat-min=INT --lat-sec=FLOAT --lat-dir=ENUM --lon-deg=INT --lon-min=INT --lon-sec=FLOAT --lon-dir=ENUM --alt=FLOAT --h-precision=FLOAT --v-precision=FLOAT
>
> And to remove it
>
> ipa dnsrecordattr-mod --remove location --lat-deg=INT --lat-min=INT --lat-sec=FLOAT --lat-dir=ENUM --lon-deg=INT --lon-min=INT --lon-sec=FLOAT --lon-dir=ENUM --alt=FLOAT --h-precision=FLOAT --v-precision=FLOAT

So if a user wanted to remove a LOC record, he would have to pass all these
attributes to specify which attribute value to remove?

> mod2 is expected to work on a single attribute at a time.

I don't think this is good. dnsrecordattr would then have to accept all
possible DNS parts from all supported structured DNS records, i.e. if you
ran "ipa dnsrecordattr-mod --help" you would get a list of DNS parts from
LOC (you wrote the options above), KX, NAPTR, etc., which would all be
handled by dnsrecordattr.

Each RR type should have its own command, as I proposed. Then if a user
wants to add a LOC record, he can just execute:

# ipa dnsrecord-loc-add --help

The CLI then offers a list of options for all parts of the structured DNS
record. I designed it this way so that it keeps the current DNS API and is
consistent with the rest of the record. I think the proposed interface for
adding is OK; Adam Tkac acked it too. I just wasn't sure how to help the
webui show a structured DNS record (fill the fields/parts from the "raw"
structured DNS record) and how to modify it. The proposed API is in the
mail you replied to.

Martin

From JR.Aquino at citrix.com Tue Sep 20 16:16:59 2011
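To make the dnsrecord-mx-show / dnsrecord-mx-mod sequence from Martin's earlier mail in this thread concrete, here is an added example, not FreeIPA code: the LDAP entry is stood in for by an in-memory dict with a multi-valued mxrecord attribute, and parse_mx, format_mx, mx_show, mx_mod and sample_entry are constructed names. The raw value works as the --dnsrecord selector because an LDAP attribute's values form a set, so two identical MX values cannot coexist on one name; the example normalises whitespace and range-checks the preference before comparing, and it refuses a modification that would collide with another existing value, which is the error the directory itself would otherwise raise.

```python
import re
from collections import namedtuple

MXRecord = namedtuple("MXRecord", "preference exchange")


def parse_mx(raw):
    """Split raw MX rdata ('1 mx2.example.com.') into its structured parts."""
    m = re.fullmatch(r"\s*(\d{1,5})\s+([A-Za-z0-9.-]+)\s*", raw)
    if not m:
        raise ValueError("malformed MX record: %r" % raw)
    preference, exchange = int(m.group(1)), m.group(2)
    if preference > 65535:          # the MX preference is a 16-bit field (RFC 1035)
        raise ValueError("MX preference out of range: %d" % preference)
    return MXRecord(preference, exchange)


def format_mx(rec):
    """Canonical raw form, i.e. the string stored in the mxrecord attribute."""
    return "%d %s" % (rec.preference, rec.exchange)


def _find(entry, dnsrecord):
    """Index of the value selected by --dnsrecord, comparing canonical forms so
    that '1  mx2.example.com.' still selects '1 mx2.example.com.'."""
    wanted = format_mx(parse_mx(dnsrecord))
    for idx, value in enumerate(entry.get("mxrecord", [])):
        if format_mx(parse_mx(value)) == wanted:
            return idx
    raise LookupError("no MX record %r on this name" % dnsrecord)


def mx_show(entry, dnsrecord):
    """dnsrecord-mx-show: the parts a UI would fill into its preference/mailserver fields."""
    return parse_mx(entry["mxrecord"][_find(entry, dnsrecord)])


def mx_mod(entry, dnsrecord, preference=None, exchange=None):
    """dnsrecord-mx-mod: rewrite the selected value in place; other MX values stay as they are."""
    idx = _find(entry, dnsrecord)
    old = parse_mx(entry["mxrecord"][idx])
    new = MXRecord(old.preference if preference is None else preference,
                   old.exchange if exchange is None else exchange)
    new_raw = format_mx(new)
    try:
        other = _find(entry, new_raw)
    except LookupError:
        other = None
    if other is not None and other != idx:
        # LDAP attribute values are a set: the server would reject this as a duplicate.
        raise ValueError("MX value %r already exists on this name" % new_raw)
    entry["mxrecord"][idx] = new_raw
    return new


def sample_entry():
    """Constructed zone-apex entry matching the dnsrecord-show listing in the thread."""
    return {"idnsname": ["@"],
            "nsrecord": ["ns.example.com."],
            "mxrecord": ["0 mx1.example.com.", "1 mx2.example.com."]}


if __name__ == "__main__":
    entry = sample_entry()
    print(mx_show(entry, "1 mx2.example.com."))           # MXRecord(preference=1, exchange='mx2.example.com.')
    print(mx_mod(entry, "1 mx2.example.com.", preference=0))
    print(entry["mxrecord"])                               # ['0 mx1.example.com.', '0 mx2.example.com.']
```

A record-type-specific command pair like this is what makes the per-type CLI argued for above workable for a UI: the show call turns one raw value into named fields, and the mod call takes the same raw value back as the key, so the UI never has to re-send the untouched MX values.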
From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 20 Sep 2011 16:16:59 +0000 Subject: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry In-Reply-To: <1316517204.18528.20.camel@dhcp-25-52.brq.redhat.com> References: <28D50949-6CAB-4B58-BA3D-7F2C31EFEC35@citrixonline.com> <4DB085BB.6080104@redhat.com> <1303426875.26325.4.camel@willson.li.ssimo.org> <1303738997.23464.13.camel@willson.li.ssimo.org> <1303747204.23464.19.camel@willson.li.ssimo.org> <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com> <128FDDA2-BC61-4D75-B08F-EA89C0C62CB3@citrixonline.com> <1316076472.2479.10.camel@dhcp-25-52.brq.redhat.com> <967AED78-B524-4EE8-8A0D-D13E26E7AE6E@citrixonline.com> <1316164295.24447.43.camel@dhcp-25-52.brq.redhat.com> <1316517204.18528.20.camel@dhcp-25-52.brq.redhat.com> Message-ID: On Sep 20, 2011, at 4:13 AM, Martin Kosek wrote: > On Fri, 2011-09-16 at 16:37 +0000, JR Aquino wrote: >> On Sep 16, 2011, at 2:11 AM, Martin Kosek wrote: >> >>> On Thu, 2011-09-15 at 17:25 +0000, JR Aquino wrote: >>>> On Sep 15, 2011, at 1:47 AM, Martin Kosek wrote: >>>> >>>>> On Thu, 2011-09-15 at 00:47 +0000, JR Aquino wrote: >>>>>> On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote: >>>>> >>>>>>> 5) I was thinking if there is a better solution to enabling/disabling of >>>>>>> the plugin. Like setting something like "managedEntryEnabled" attribute >>>>>>> to on/off as we do with compat plugin. Current concept with disabling >>>>>>> the definition by damaging the originFilter and then restoring it from >>>>>>> an LDIF seems a bit awkward to me. >>>>>> >>>>>> This has been completely changed: >>>>>> Instead of looking at ldif files, an ldap lookup is now performed to dynamically list the available managed entries. >>>>> >>>>> Now we are talking :-) I like the new approach. >>>> >>>> >>>> >>>>> >>>>> I have reviewed your patch, basic functionality looks good. 
But I still >>>>> have a few (nitpicking) comments: >>>>> >>>>> 1) There are parts from the previous file that are no longer needed >>>>> since you switched to different approach: >>>>> >>>>> +import os >>>>> >>>>> + from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax >>>>> >>>>> + import StringIO >>>>> >>>>> + import ldif >>>>> >>>>> +except BadSyntax, e: >>>>> + print "There is a syntax error in this update file:" >>>>> + print " %s" % e >>>>> + sys.exit(1) >>>> >>>> Removed >>>> >>>>> >>>>> 2) I saw a few whitespace errors on following lines of the patch: 419, 433 >>>>> and 453 >>>> >>>> Fixed whitespace errors >>>> >>>>> >>>>> 3) Output of the --list method is confusing: >>>>> >>>>> # ipa-managed-entries --list >>>>> Directory Manager password: >>>>> >>>>> Available Managed Entry Plugins: >>>>> cn=upg definition,cn=definitions,cn=managed >>>>> entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com >>>>> cn=ngp definition,cn=definitions,cn=managed >>>>> entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com >>>>> >>>>> You must specify a managed entry definition <<< >>>>> # echo $? >>>>> 1 <<< >>>>> >>>>> a) I shouldn't be asked to specify a managed entry definition for --list >>>> >>>> Fixed >>>> >>>>> b) The listing was successful, so we shouldn't return an error code >>>> >>>> Corrected error code >>>> >>>>> >>>>> 4) Return code for disabling an already disabled entry should be 2 >>>>> (according to man pages): >>>>> >>>>> # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable >>>>> Directory Manager password: >>>>> >>>>> Plugin already disabled >>>>> # echo $? 
>>>>> 0 >>>> >>>> Fixed error code >>>> >>>>> >>>>> 5) Strangely, enabling a disabled plugin gives me return code 2: >>>>> # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable >>>>> Directory Manager password: >>>>> >>>>> Enabling Plugin >>>>> # echo $? >>>>> 2 >>>>> >>>>> Return codes for these actions should fit the man pages. >>>> >>>> Fixed error code >>>> >>>>> >>>>> 6) I would improve working with LDAP filters, current solution is error >>>>> prone. Try disabling & enabling NGP Definition, we end up with this >>>>> originFilter: >>>>> >>>>> originfilter: (&(objectclass=ipahostgroup)) >>>>> >>>>> I think the cleanest solution would be to use ldap.make_filter and >>>>> ldap.combine_filters functions to play with these filters. You can >>>>> inspire yourself in this example I wrote for DNS plugin: >>>>> >>>>> rev_zone_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE, exact=False, >>>>> trailing_wildcard=False) >>>>> filter = ldap.combine_filters((rev_zone_filter, filter), rules=ldap.MATCH_ALL) >>>> >>>> Rob and you addressed this in the mailing list. >>>> For the record, I do agree that we are lacking a method for reading and modifying existing ldap filters. >>>> We will continue with the simple string method here for this iteration. >>>> >>>>> >>>>> 7) Entering the Directory Manager password every time may be a bit tedious. Could we >>>>> use current Kerberos credentials and fall back to asking for the Directory >>>>> Manager password if it doesn't work? It's already done this way in >>>>> ipa-replica-manage for example. >>>>> >>>>> We could fix this, however, as an enhancement in another patch. >>>> >>>> Fixed. We now will use gssapi if available, and prompt for password if there is no ticket. >>>> >>>>> >>>>> 8) Man page - please use the new united FreeIPA man page header. 
Instead >>>>> of >>>>> >>>>> +.TH "ipa-managed-entries" "1" "Sept 15 2011" "freeipa" "" >>>>> >>>>> use: >>>>> >>>>> +.TH "ipa-managed-entries" "1" "Sept 15 2011" "FreeIPA" "FreeIPA Manual >>>>> Pages" >>>> >>>> Fixed >>>> >>>>> >>>>> >>>>> 9) Man page - comma is missing for --list option: >>>>> >>>>> +\fB\-l\-\-list\fR >>>>> >>>> >>>> Fixed >>>> >>>>> >>>>> 10) install/po/Makefile.in should be updated to: there is still >>>>> reference to ipa-host-net-manage and ipa-managed-entries reference is >>>>> missing >>>> >>>> Fixed >>>> >>> >>> Great, most bugs are fixed. I only saw these 2 minor bugs. If those are >>> fixed, I think we can ack&push. >>> >>> 1) Man pages: --list option is still not right, formatting is wrong >>> +\fB\-l\fR, -\-list\fR >> >> This typo is now corrected >> >>> >>> 2) Enable action is missing a notice for the user, like the disable >>> action has: >>> >>> # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable >>> Disabling Plugin >> >> The output is now corrected. >> >>> # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable >> >> I have now also corrected the --list / -e / --entry to support/display shorthand for the managed entries instead of the full DN. >> >> # ipa-managed-entries --list >> Available Managed Entry Definitions: >> UPG Definition >> NGP Definition >> # >> >> # ipa-managed-entries --entry="UPG Definition" status >> Plugin Enabled >> # >> > > Looks good. 
I found just one more bug: > > # ipa-managed-entries -e foo status > Traceback (most recent call last): > File "/usr/sbin/ipa-managed-entries", line 236, in > sys.exit(main()) > File "/usr/sbin/ipa-managed-entries", line 152, in main > ['originfilter'], > File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner > return f(*args, **kargs) > File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 502, in search_s > return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout) > File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner > return f(*args, **kargs) > File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 496, in search_ext_s > return self.result(msgid,all=1,timeout=timeout)[1] > File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 181, in inner > objtype, data = f(*args, **kargs) > File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 422, in result > res_type,res_data,res_msgid = self.result2(msgid,all,timeout) > File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner > return f(*args, **kargs) > File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 426, in result2 > res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout) > File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner > return f(*args, **kargs) > File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 432, in result3 > ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout) > File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner > return f(*args, **kargs) > File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call > result = func(*args,**kwargs) > ldap.NO_SUCH_OBJECT: {'matched': 'cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com', 'desc': 'No such object'} Thanks, It has now been 
corrected. > I think we should handle this situation better and report a nice error > message. > > Martin > -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch Type: application/octet-stream Size: 24982 bytes Desc: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch URL: From edewata at redhat.com Tue Sep 20 16:22:32 2011 
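The originFilter residue Martin points out in item 6 above, `(&(objectclass=ipahostgroup))`, is what plain string replacement leaves behind once the disabling component is stripped out again. Because the originFilter of a managed entry definition decides which entries the plugin acts on, it should round-trip exactly. The following is an added illustration and not code from the ipa-managed-entries patch: it wraps and unwraps the filter by parsing the top-level components instead of editing the string, so disable/enable is idempotent and a filter that is already a compound `(&...)` survives unchanged. `DISABLE_MARKER` is an assumed never-matching component standing in for whatever marker the tool really uses, and `naive_enable` is the string approach the review warns against.

```python
"""Wrapping and unwrapping an LDAP filter without leaving residue.

Added illustration for review item 6 above; not FreeIPA code.
DISABLE_MARKER is an assumption: a component that never matches, used to
switch a managed entry definition off without losing its real filter.
"""

DISABLE_MARKER = "(objectclass=disabled)"  # assumed marker, not the tool's real value


def split_top_level(filter_str):
    """Return (operator, components) for a parenthesised RFC 4515 filter.

    '(&(a=1)(b=2))' -> ('&', ['(a=1)', '(b=2)'])
    '(a=1)'         -> (None, ['(a=1)'])
    Literal parentheses inside values are escaped as \\28 / \\29 in RFC 4515,
    so counting raw parentheses is enough to find the component boundaries.
    """
    s = filter_str.strip()
    if not (s.startswith("(") and s.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % filter_str)
    body = s[1:-1]
    if body[:1] not in ("&", "|", "!"):
        return None, [s]  # a simple item such as (objectclass=ipahostgroup)
    op, body = body[0], body[1:]
    parts, depth, start = [], 0, None
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter: %r" % filter_str)
            if depth == 0:
                parts.append(body[start:i + 1])
        elif depth == 0 and not ch.isspace():
            raise ValueError("unexpected text at top level: %r" % filter_str)
    if depth != 0 or not parts:
        raise ValueError("unbalanced or empty filter: %r" % filter_str)
    return op, parts


def disable(origin_filter):
    """AND the marker with the original filter; a no-op if already disabled."""
    op, parts = split_top_level(origin_filter)
    if op == "&" and DISABLE_MARKER in parts:
        return origin_filter
    return "(&%s%s)" % (DISABLE_MARKER, origin_filter)


def enable(origin_filter):
    """Remove the marker and drop the wrapper that disable() added.

    With one remaining component the (&...) wrapper is redundant and is
    removed; a compound original filter comes back exactly as it was.
    """
    op, parts = split_top_level(origin_filter)
    if op != "&" or DISABLE_MARKER not in parts:
        return origin_filter  # already enabled (or never disabled by us)
    rest = [p for p in parts if p != DISABLE_MARKER]
    if len(rest) == 1:
        return rest[0]
    return "(&%s)" % "".join(rest)


def is_disabled(origin_filter):
    op, parts = split_top_level(origin_filter)
    return op == "&" and DISABLE_MARKER in parts


def naive_enable(origin_filter):
    """The string approach the review warns about: leaves '(&(...))' behind."""
    return origin_filter.replace(DISABLE_MARKER, "")


if __name__ == "__main__":
    f = "(objectclass=ipahostgroup)"
    print(disable(f))               # (&(objectclass=disabled)(objectclass=ipahostgroup))
    print(enable(disable(f)))       # (objectclass=ipahostgroup)
    print(naive_enable(disable(f))) # (&(objectclass=ipahostgroup))  <- the residue from item 6
```

`split_top_level` is the only piece that touches the string; everything else works on the component list, which is what makes the round trip exact.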
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 20 Sep 2011 11:22:32 -0500 Subject: [Freeipa-devel] Structured DNS record API proposal In-Reply-To: <1316517338.18528.22.camel@dhcp-25-52.brq.redhat.com> References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com> <4E7251FB.4040406@redhat.com> <1316158954.24447.31.camel@dhcp-25-52.brq.redhat.com> <1316517338.18528.22.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E78BDC8.7010306@redhat.com> On 9/20/2011 6:15 AM, Martin Kosek wrote: >>> ACK. Proposal looks like it will work fairly easily with the UI. >>> We'll have to make some changes due to the Add doing something >>> different based on the type, but that is the case anyway. >> >> Yes, I was thinking how we can integrate this new API to WebUI. AFAIK >> you use dnsrecord-add $ZONE $REC --a-rec=... --mx-rec=... for adding a >> new DNS record and dnsrecord-mod $ZONE $REC --mx-rec=... when for >> example the mx record is being modified. All MX values (even the >> unmodified ones) are passed to dnsrecord-mod. >> >> 1) I was wondering how the new dnsrecord--add commands can be >> used. I suppose WebUI will know a list of DNS record types with these >> new structured commands and offer the user a new window to add a record >> for these types instead of typing them directly to the text box as it is >> now. When adding a DNS record the user will specify the name and the type, then the UI will show a set of fields based on the selected record type. 
So instead of a generic 'data' field like below (click Add): http://edewata.fedorapeople.org/freeipa/install/ui/index.html#dns=dnszone&identity=dns&navigation=identity&dnszone-facet=default&dnszone-pkey=ayoung.boston.devel.redhat.com it will be similar to Permissions (click Add): http://edewata.fedorapeople.org/freeipa/install/ui/index.html#rolebased=permission&ipaserver=rolebased&navigation=ipaserver The UI will use the type to pick the correct dnsrecord--add command and each parameter in that command will have a corresponding field to enter the value. >> 2) But my main concern here is how the modification of current DNS >> records should work. Say, we have 2 MX records for example.com. How can >> we modify one of them in a new structured interface? >> >> We would have to implement dnsrecord-mx-show method so that you can fill >> all the text areas (preference, mailserver). The question is how to refer to >> the value we want to show since DNS records are multivalued. We could >> pass --dnsrecord="..." with DNS record value, e.g. "0 mx.example.com." >> and then use the same value for dnsrecord-mx-mod. The whole command >> sequence would look this way: >> >> dnsrecord-find example.com -- get all DNS records for example.com >> dnsrecord-show example.com @ -- show DNS records directly in the zone >> NS: "ns.example.com" >> MX: "0 mx1.example.com." >> MX: "1 mx2.example.com."<< user wants to modify this one -> new window I think for each record value the primary keys are the zone name, record name, and the value itself. To simplify operations, we should use the value as a single string. For CLI, users can copy & paste the value more easily. For UI it depends whether (1) we're going to keep the current edit page where all records with the same name are considered a single entry, or whether (2) we're going to edit each record value in a separate page. See ticket #1478. If we stay with (1), the link to the edit page consists of zone name and record name only. 
But if we pick (2) the link consists of zone name, record name, value, and type (which can be obtained from -find output). >> dnsrecord-mx-show example.com --dnsrecord="1 mx1.example.com." >> PREFERENCE: 1 << user modifies this to 0 >> MAILSERVER: mx2.example.com. For consistency, the record value should be specified as an argument instead of an option (like in automount). So it will be like this: dnsrecord-mx-show "example.com" "@" "1 mx1.example.com." PREFERENCE: 1 MAILSERVER: mx2.example.com If we stay with (1) the UI will have to call the dnsrecord--show for each value to get the value of each field. The UI will need to implement a new widget (or section) that can handle multiple fields which will be duplicated for each value. The edit page for (2) is much simpler since it only needs to handle a single type at a time. The output of the -show command will be used to populate each field. >> dnsrecord-mx-mod example.com --dnsrecord="1 mx1.example.com." --preference=0 When updating the value, option (1) is a bit more complicated because the UI will have to find the dirty record and then find the dirty field. Option (2) is simpler because it will only need to find the dirty field, but both will execute the following command: dnsrecord-mx-mod "example.com" "@" "1 mx1.example.com." --preference=0 I think option (2) is more clear to users because we only have to introduce 2 concepts: zone and record (which is the individual value). With option (1) we will have to explain the underlying LDAP entry that will be deleted automatically when the last record value is deleted. -- Endi S. Dewata From JR.Aquino at citrix.com Tue Sep 20 16:58:01 2011 
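Both Martin's per-type commands (the LOC parts from Adam's option list, earlier in this thread) and Endi's "use the full value as the key" proposal above come down to the same two operations: split a raw record value into named parts, and rebuild the value after one part changes, selecting the value to change by its complete string. The following is an added illustration and not FreeIPA code: the function names, the `SAMPLE_RECORDS` entry and the LOC sample value are constructed here. It covers MX, whose value has two parts, and LOC, whose parts are the ones Adam listed in RFC 1876 presentation order, and `modify_value` is the shape a `dnsrecord-<type>-mod` would take over a multivalued attribute. Strict parsing matters here because these values end up in a zone that every client trusts.

```python
"""Structured DNS record values: raw string <-> named parts.

Added illustration for the thread above; not FreeIPA code. Names below
(parse_mx, format_loc, modify_value, SAMPLE_RECORDS) are constructed.
"""
import re

# Constructed sample: one LDAP object for "@" in example.com holding several
# multivalued record attributes, as the thread describes.
SAMPLE_RECORDS = {
    "nsrecord": ["ns.example.com."],
    "mxrecord": ["0 mx1.example.com.", "1 mx2.example.com."],
}


def parse_mx(value):
    """'1 mx2.example.com.' -> {'preference': 1, 'mailserver': 'mx2.example.com.'}"""
    parts = value.split()
    if len(parts) != 2 or not parts[0].isdigit():
        raise ValueError("malformed MX value: %r" % value)
    return {"preference": int(parts[0]), "mailserver": parts[1]}


def format_mx(preference, mailserver):
    if not 0 <= preference <= 65535:
        raise ValueError("MX preference must fit in 16 bits")
    if not mailserver or any(c.isspace() for c in mailserver):
        raise ValueError("invalid MX mail server name: %r" % mailserver)
    return "%d %s" % (preference, mailserver)


# RFC 1876 presentation format: lat (deg min sec N|S), lon (deg min sec E|W),
# altitude, then optional size / horizontal precision / vertical precision.
_LOC_RE = re.compile(
    r"^(?P<lat_deg>\d{1,2}) (?P<lat_min>\d{1,2}) (?P<lat_sec>\d{1,2}(?:\.\d+)?) (?P<lat_dir>[NS]) "
    r"(?P<lon_deg>\d{1,3}) (?P<lon_min>\d{1,2}) (?P<lon_sec>\d{1,2}(?:\.\d+)?) (?P<lon_dir>[EW]) "
    r"(?P<alt>-?\d+(?:\.\d+)?)m?"
    r"(?: (?P<size>\d+(?:\.\d+)?)m?)?"
    r"(?: (?P<h_precision>\d+(?:\.\d+)?)m?)?"
    r"(?: (?P<v_precision>\d+(?:\.\d+)?)m?)?$"
)
_LOC_INTS = ("lat_deg", "lat_min", "lon_deg", "lon_min")
_LOC_DIRS = ("lat_dir", "lon_dir")


def parse_loc(value):
    """Split a LOC value into typed parts; absent optional parts are None."""
    m = _LOC_RE.match(" ".join(value.split()))  # normalise runs of whitespace
    if not m:
        raise ValueError("malformed LOC value: %r" % value)
    parts = {}
    for name, text in m.groupdict().items():
        if text is None or name in _LOC_DIRS:
            parts[name] = text
        elif name in _LOC_INTS:
            parts[name] = int(text)
        else:
            parts[name] = float(text)
    if (parts["lat_deg"] > 90 or parts["lon_deg"] > 180
            or max(parts["lat_min"], parts["lon_min"]) > 59
            or max(parts["lat_sec"], parts["lon_sec"]) >= 60):
        raise ValueError("LOC coordinates out of range: %r" % value)
    return parts


def format_loc(lat_deg, lat_min, lat_sec, lat_dir, lon_deg, lon_min, lon_sec, lon_dir,
               alt, size=None, h_precision=None, v_precision=None):
    """Rebuild the presentation value; the trailing fields are positional."""
    if lat_dir not in ("N", "S") or lon_dir not in ("E", "W"):
        raise ValueError("direction must be N/S for latitude and E/W for longitude")
    tail = [size, h_precision, v_precision]
    while tail and tail[-1] is None:
        tail.pop()
    if any(t is None for t in tail):
        raise ValueError("size must precede h-precision, which must precede v-precision")
    head = "%d %d %g %s %d %d %g %s %gm" % (lat_deg, lat_min, lat_sec, lat_dir,
                                            lon_deg, lon_min, lon_sec, lon_dir, alt)
    return head + "".join(" %gm" % t for t in tail)


def modify_value(records, attr, old_value, parser, formatter, **changes):
    """Emulate dnsrecord-<type>-mod: pick one value of a multivalued attribute
    by its full string, change only the named parts, return the new value list
    (the input mapping is left untouched)."""
    values = list(records.get(attr, []))
    if old_value not in values:
        raise KeyError("%s has no value %r" % (attr, old_value))
    parts = parser(old_value)
    unknown = set(changes) - set(parts)
    if unknown:
        raise ValueError("unknown parts for %s: %s" % (attr, sorted(unknown)))
    parts.update(changes)
    values[values.index(old_value)] = formatter(**parts)
    return values


if __name__ == "__main__":
    print(parse_mx("1 mx2.example.com."))
    print(modify_value(SAMPLE_RECORDS, "mxrecord", "1 mx2.example.com.",
                       parse_mx, format_mx, preference=0))
    print(parse_loc("42 21 54 N 71 06 18 W -24m 30m 10m"))
```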
From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 20 Sep 2011 16:58:01 +0000 Subject: [Freeipa-devel] Still failing on 5.7 with the same error........ In-Reply-To: <3BD75A55-6C9C-4B34-A7C4-5B3E6BD0740D@citrix.com> References: <3BD75A55-6C9C-4B34-A7C4-5B3E6BD0740D@citrix.com> Message-ID: <6824897F-8457-49A1-9B4A-2B429DEA0471@citrixonline.com> On Sep 19, 2011, at 10:16 PM, JR Aquino wrote: > We're having significant reproducible problems with rhel 5.7 + FreeIPA master... > I'm not sure if it is localized to us or even which side is responsible for the error... > > Has anyone had success with rhel 5.7's repo included FreeIPA client joining a fedora based FreeIPA server? > > We are essentially dead in the water at this point. > > Sent from my iPad > > Begin forwarded message: > > From: Brett Campbell <Brett.Campbell at citrix.com> > Date: September 19, 2011 6:48:55 PM PDT > To: JR Aquino <JR.Aquino at citrix.com> > Cc: Jason Vagalatos <Jason.Vagalatos at citrix.com> > Subject: RE: Still failing on 5.7 with the same error........ > > Apparently this error is printed from FreeIPA code and not an underlying library. > Here's the relevant bit from ipa-getkeytab.c: > > /* Format of response > * > * KeytabGetRequest ::= SEQUENCE { > * new_kvno Int32 > * SEQUENCE OF KeyTypes > * } > * > * * List of accepted enctypes * > * KeyTypes ::= SEQUENCE { > * enctype Int32 > * } > */ > > rtag = ber_scanf(sctrl, "{i{", &kvno); > if (rtag == LBER_ERROR) { > fprintf(stderr, "ber_scanf() failed, Invalid control ?!\n"); > goto error_out; > } > > > However, the call that's failing (ber_scanf()) is one from the openldap library: > > [root at util1 Server]# strings /usr/lib/liblber-2.3.so.0 |grep ber_scanf > ber_scanf > ber_scanf fmt (%s) ber: > ber_scanf: unknown fmt %c > ber_scanf 
> > > > From: /O=EXPERTCITY.COM/OU=BETA.EXPERTCITY/CN=RECIPIENTS/CN=BRETT.CAMPBELL On Behalf Of Brett Campbell > Sent: Monday, September 19, 2011 6:29 PM > To: JR.Aquino at citrix.com > Subject: Still failing on 5.7 with the same error........ > > Are you sure it's not the server? Can you check the logs? > > > [root at util1 Server]# cat /etc/issue > Red Hat Enterprise Linux Server release 5.7 (Tikanga) > Kernel \r on an \m > [root at util1 Server]# > [root at util1 Server]# > [root at util1 Server]# > [root at util1 Server]# rpm --aid -ivh /tmp/ipa-client-2.0-14.el5_7.1.x86_64.rpm certmonger-0.42-1.el5.x86_64.rpm cyrus-sasl-gssapi-2.1.22-5.el5_4.3.x86_64.rpm sssd-client-1.5.1-37.el5.x86_64.rpm sssd-1.5.1-37.el5.x86_64.rpm xmlrpc-c-1.16.24-1206.1840.el5.x86_64.rpm libcollection-0.6.0-10.el5.x86_64.rpm libdhash-0.4.2-10.el5.x86_64.rpm libldb-0.9.10-33.el5.x86_64.rpm libtdb-1.2.1-6.el5.x86_64.rpm openssl-devel-0.9.8e-20.el5.x86_64.rpm libref_array-0.1.1-10.el5.x86_64.rpm libpath_utils-0.2.1-10.el5.x86_64.rpm libini_config-0.6.1-10.el5.x86_64.rpm libref_array-0.1.1-10.el5.x86_64.rpm openldap24-libs-2.4.23-5.el5.x86_64.rpm xmlrpc-c-client-1.16.24-1206.1840.el5.x86_64.rpm libtalloc-2.0.1-11.el5.x86_64.rpm c-ares-1.6.0-5.el5.x86_64.rpm krb5-devel-1.6.1-62.el5.x86_64.rpm zlib-devel-1.2.3-4.el5.x86_64.rpm libtevent-0.9.8-10.el5.x86_64.rpm e2fsprogs-devel-1.39-33.el5.x86_64.rpm keyutils-libs-devel-1.2-1.el5.x86_64.rpm libselinux-devel-1.33.4-5.7.el5.x86_64.rpm libsepol-devel-1.15.2-3.el5.x86_64.rpm > warning: /tmp/ipa-client-2.0-14.el5_7.1.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186 > Preparing... 
########################################### [100%] > 1:libtalloc ########################################### [ 4%] > 2:libtevent ########################################### [ 8%] > 3:xmlrpc-c ########################################### [ 12%] > 4:xmlrpc-c-client ########################################### [ 15%] > 5:libref_array ########################################### [ 19%] > 6:libtdb ########################################### [ 23%] > 7:libcollection ########################################### [ 27%] > 8:cyrus-sasl-gssapi ########################################### [ 31%] > 9:libldb ########################################### [ 35%] > 10:certmonger ########################################### [ 38%] > 11:c-ares ########################################### [ 42%] > 12:openldap24-libs ########################################### [ 46%] > 13:libpath_utils ########################################### [ 50%] > 14:libini_config ########################################### [ 54%] > 15:libdhash ########################################### [ 58%] > 16:sssd-client ########################################### [ 62%] > 17:sssd ########################################### [ 65%] > 18:libsepol-devel ########################################### [ 69%] > 19:libselinux-devel ########################################### [ 73%] > 20:keyutils-libs-devel ########################################### [ 77%] > 21:e2fsprogs-devel ########################################### [ 81%] > 22:krb5-devel ########################################### [ 85%] > 23:zlib-devel ########################################### [ 88%] > 24:ipa-client ########################################### [ 92%] > 25:openssl-devel ########################################### [ 96%] > 26:libref_array ########################################### [100%] > [root at util1 Server]# > [root at util1 Server]# > [root at util1 Server]# > [root at util1 Server]# > [root at util1 Server]# ipa-client-install --unattended --password='n7 
I,6TN+!TF' --domain=expertcity.com --server=authstage1.ops.expertcity.com --hostname=$(hostname) --no-ntp > Realm: EXPERTCITY.COM > DNS Domain: expertcity.com > IPA Server: authstage1.ops.expertcity.com > BaseDN: dc=expertcity,dc=com > > > Joining realm failed: ber_scanf() failed, Invalid control ?! > child exited with 9 > Certificate subject base is: O=EXPERTCITY.COM > [root at util1 Server]# > [root at util1 Server]# > [root at util1 Server]# > [root at util1 Server]# ipa-client-install --unattended --password='n7 I,6TN+!TF' --domain=expertcity.com --server=authstage1.ops.expertcity.com --hostname=$(hostname) --no-ntp > Realm: EXPERTCITY.COM > DNS Domain: expertcity.com > IPA Server: authstage1.ops.expertcity.com > BaseDN: dc=expertcity,dc=com > > > Joining realm failed: Host is already joined. > Certificate subject base is: O=EXPERTCITY.COM > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Simo recently fixed a bug in master that was preventing users keytabs from being recognized as non expired... Following a hunch, I updated the Stage Server with the newest master and now I get a completely new error from the RHEL 5.7 Client: Joining realm failed because of failing XML-RPC request. This error may be caused by incompatible server/client major versions. From edewata at redhat.com Tue Sep 20 18:35:49 2011 
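The comment Brett quotes from ipa-getkeytab.c describes the control the client expects back from the server: `SEQUENCE { new_kvno Int32, SEQUENCE OF KeyTypes }` with each `KeyTypes ::= SEQUENCE { enctype Int32 }`, and `ber_scanf(sctrl, "{i{", &kvno)` returns `LBER_ERROR` when the bytes do not start that way, which is what the client then prints as "Invalid control". The following is an added illustration and not FreeIPA or OpenLDAP code: a small BER reader for exactly that structure, returning `(kvno, [enctypes])` on well-formed input and raising where liblber would return `LBER_ERROR`. The encoder exists only to build a constructed sample; the enctype numbers 18, 17 and 23 are the standard aes256-cts, aes128-cts and rc4-hmac identifiers.

```python
"""Decode the ipa-getkeytab response control from the C comment above.

Added illustration, not FreeIPA or OpenLDAP code. The structure is the one
the comment gives: SEQUENCE { new_kvno INTEGER, SEQUENCE OF SEQUENCE { enctype INTEGER } }.
"""
SEQUENCE, INTEGER = 0x30, 0x02  # universal BER tags


def _read_tlv(data, pos):
    """Return (tag, value_bytes, next_pos) for the TLV starting at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated: no tag/length at offset %d" % pos)
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated value")
    return tag, data[pos:pos + length], pos + length


def _read_int(data, pos):
    tag, value, pos = _read_tlv(data, pos)
    if tag != INTEGER or not value:
        raise ValueError("expected INTEGER at offset %d" % pos)
    return int.from_bytes(value, "big", signed=True), pos


def decode_keytab_response(ctrl_value):
    """Python counterpart of ber_scanf(sctrl, "{i{", &kvno) plus reading each {i}."""
    tag, outer, end = _read_tlv(ctrl_value, 0)
    if tag != SEQUENCE or end != len(ctrl_value):
        raise ValueError("Invalid control: outer SEQUENCE expected")
    kvno, pos = _read_int(outer, 0)
    tag, keytypes, pos = _read_tlv(outer, pos)
    if tag != SEQUENCE or pos != len(outer):
        raise ValueError("Invalid control: SEQUENCE OF KeyTypes expected")
    enctypes, pos = [], 0
    while pos < len(keytypes):
        tag, kt, pos = _read_tlv(keytypes, pos)
        if tag != SEQUENCE:
            raise ValueError("KeyTypes SEQUENCE expected")
        enctype, inner_end = _read_int(kt, 0)
        if inner_end != len(kt):
            raise ValueError("trailing data inside KeyTypes")
        enctypes.append(enctype)
    return kvno, enctypes


def is_valid_control(ctrl_value):
    try:
        decode_keytab_response(ctrl_value)
        return True
    except ValueError:
        return False


# --- constructed encoder, used only to build sample input -------------------
def _encode_tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_int(n):
    nbytes = max(1, (n.bit_length() + 8) // 8)  # leave room for the sign bit
    return _encode_tlv(INTEGER, n.to_bytes(nbytes, "big", signed=True))


def encode_keytab_response(kvno, enctypes):
    kts = b"".join(_encode_tlv(SEQUENCE, _encode_int(e)) for e in enctypes)
    return _encode_tlv(SEQUENCE, _encode_int(kvno) + _encode_tlv(SEQUENCE, kts))


# Constructed sample: kvno 2, enctypes aes256-cts (18), aes128-cts (17), rc4-hmac (23).
SAMPLE_CONTROL = encode_keytab_response(2, [18, 17, 23])

if __name__ == "__main__":
    print(SAMPLE_CONTROL.hex())
    print(decode_keytab_response(SAMPLE_CONTROL))   # (2, [18, 17, 23])
    print(is_valid_control(b"\x04\x00"))            # False: OCTET STRING, not SEQUENCE
```

Note that a control whose value is empty, has the wrong outer tag, or is cut short all fail at the very first read, which is consistent with the client printing the generic "Invalid control" message rather than anything about the enctypes.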
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 20 Sep 2011 13:35:49 -0500 Subject: [Freeipa-devel] [PATCH] 280 Fixed problem displaying special characters. Message-ID: <4E78DD05.70900@redhat.com> Some jQuery objects in various locations have been modified to use text() to show values obtained from the server (except messages). The text() will automatically encode special characters. Ticket #1798 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0280-Fixed-problem-displaying-special-characters.patch Type: text/x-patch Size: 10685 bytes Desc: not available URL: From edewata at redhat.com Tue Sep 20 19:09:34 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 20 Sep 2011 14:09:34 -0500 Subject: [Freeipa-devel] [PATCH] 270 Fixed posix group checkbox. In-Reply-To: <4E787FC1.8010604@redhat.com> References: <4E714199.9030501@redhat.com> <4E7229A0.7070002@redhat.com> <4E73563A.4080506@redhat.com> <4E787FC1.8010604@redhat.com> Message-ID: <4E78E4EE.5060504@redhat.com> On 9/20/2011 6:57 AM, Petr Vobornik wrote: >> Attached is the updated patch. I fixed the test case and did some >> cleanup. This is actually the problem I mentioned in the meeting (so >> patch 271 is actually fine). >> >> It looks like currently the checkbox widget is only used with boolean >> attributes. And it will only work with boolean attributes anyway because >> right now the save() will always return a boolean value. But for now I'm >> trying to use the original loaded/default value unless it's 'TRUE' or >> 'FALSE' which will be converted into boolean. >> >> In the future we might want to use this with non-boolean attributes. So >> we need to be able to map a pair of non-boolean values into checked and >> unchecked state during load()/reset() and vice versa during save(). > > ACK Pushed to master and ipa-2-1. -- Endi S. Dewata From rcritten at redhat.com Tue Sep 20 19:19:33 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 20 Sep 2011 15:19:33 -0400 Subject: [Freeipa-devel] Still failing on 5.7 with the same error........ In-Reply-To: <6824897F-8457-49A1-9B4A-2B429DEA0471@citrixonline.com> References: <3BD75A55-6C9C-4B34-A7C4-5B3E6BD0740D@citrix.com> <6824897F-8457-49A1-9B4A-2B429DEA0471@citrixonline.com> Message-ID: <4E78E745.90303@redhat.com> JR Aquino wrote: > > On Sep 19, 2011, at 10:16 PM, JR Aquino wrote: > >> We're having significant reproducible problems with rhel 5.7 + FreeIPA master... >> I'm not sure if it is localized to us or even which side is responsible for the error... >> >> Has anyone had success with rhel 5.7's repo included FreeIPA client joining a fedora based FreeIPA server? >> >> We are essentially dead in the water at this point. >> >> Sent from my iPad >> >> Begin forwarded message: >> >> From: Brett Campbell<Brett.Campbell at citrix.com> >> Date: September 19, 2011 6:48:55 PM PDT >> To: JR Aquino<JR.Aquino at citrix.com> >> Cc: Jason Vagalatos<Jason.Vagalatos at citrix.com> >> Subject: RE: Still failing on 5.7 with the same error........ >> >> Apparently this error is printed from FreeIPA code and not an underlying library. >> Here's the relevant bit from ipa-getkeytab.c: >> >> /* Format of response >> * >> * KeytabGetRequest ::= SEQUENCE { >> * new_kvno Int32 >> * SEQUENCE OF KeyTypes >> * } >> * >> * * List of accepted enctypes * >> * KeyTypes ::= SEQUENCE { >> * enctype Int32 >> * } >> */ >> >> rtag = ber_scanf(sctrl, "{i{",&kvno); >> if (rtag == LBER_ERROR) { >> fprintf(stderr, "ber_scanf() failed, Invalid control ?!\n"); >> goto error_out; >> } >> >> >> However, the call that's failing (ber_scanf()) is one from the openldap library: >> >> [root at util1 Server]# strings /usr/lib/liblber-2.3.so.0 |grep ber_scanf >> ber_scanf >> ber_scanf fmt (%s) ber: >> ber_scanf: unknown fmt %c >> ber_scanf 
>> >> >> >> From: /O=EXPERTCITY.COM/OU=BETA.EXPERTCITY/CN=RECIPIENTS/CN=BRETT.CAMPBELL On Behalf Of Brett Campbell >> Sent: Monday, September 19, 2011 6:29 PM >> To: JR.Aquino at citrix.com >> Subject: Still failing on 5.7 with the same error........ >> >> Are you sure it's not the server? Can you check the logs? >> >> >> [root at util1 Server]# cat /etc/issue >> Red Hat Enterprise Linux Server release 5.7 (Tikanga) >> Kernel \r on an \m >> [root at util1 Server]# >> [root at util1 Server]# >> [root at util1 Server]# >> [root at util1 Server]# rpm --aid -ivh /tmp/ipa-client-2.0-14.el5_7.1.x86_64.rpm certmonger-0.42-1.el5.x86_64.rpm cyrus-sasl-gssapi-2.1.22-5.el5_4.3.x86_64.rpm sssd-client-1.5.1-37.el5.x86_64.rpm sssd-1.5.1-37.el5.x86_64.rpm xmlrpc-c-1.16.24-1206.1840.el5.x86_64.rpm libcollection-0.6.0-10.el5.x86_64.rpm libdhash-0.4.2-10.el5.x86_64.rpm libldb-0.9.10-33.el5.x86_64.rpm libtdb-1.2.1-6.el5.x86_64.rpm openssl-devel-0.9.8e-20.el5.x86_64.rpm libref_array-0.1.1-10.el5.x86_64.rpm libpath_utils-0.2.1-10.el5.x86_64.rpm libini_config-0.6.1-10.el5.x86_64.rpm libref_array-0.1.1-10.el5.x86_64.rpm openldap24-libs-2.4.23-5.el5.x86_64.rpm xmlrpc-c-client-1.16.24-1206.1840.el5.x86_64.rpm libtalloc-2.0.1-11.el5.x86_64.rpm c-ares-1.6.0-5.el5.x86_64.rpm krb5-devel-1.6.1-62.el5.x86_64.rpm zlib-devel-1.2.3-4.el5.x86_64.rpm libtevent-0.9.8-10.el5.x86_64.rpm e2fsprogs-devel-1.39-33.el5.x86_64.rpm keyutils-libs-devel-1.2-1.el5.x86_64.rpm libselinux-devel-1.33.4-5.7.el5.x86_64.rpm libsepol-devel-1.15.2-3.el5.x86_64.rpm >> warning: /tmp/ipa-client-2.0-14.el5_7.1.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186 >> Preparing... 
########################################### [100%] >> 1:libtalloc ########################################### [ 4%] >> 2:libtevent ########################################### [ 8%] >> 3:xmlrpc-c ########################################### [ 12%] >> 4:xmlrpc-c-client ########################################### [ 15%] >> 5:libref_array ########################################### [ 19%] >> 6:libtdb ########################################### [ 23%] >> 7:libcollection ########################################### [ 27%] >> 8:cyrus-sasl-gssapi ########################################### [ 31%] >> 9:libldb ########################################### [ 35%] >> 10:certmonger ########################################### [ 38%] >> 11:c-ares ########################################### [ 42%] >> 12:openldap24-libs ########################################### [ 46%] >> 13:libpath_utils ########################################### [ 50%] >> 14:libini_config ########################################### [ 54%] >> 15:libdhash ########################################### [ 58%] >> 16:sssd-client ########################################### [ 62%] >> 17:sssd ########################################### [ 65%] >> 18:libsepol-devel ########################################### [ 69%] >> 19:libselinux-devel ########################################### [ 73%] >> 20:keyutils-libs-devel ########################################### [ 77%] >> 21:e2fsprogs-devel ########################################### [ 81%] >> 22:krb5-devel ########################################### [ 85%] >> 23:zlib-devel ########################################### [ 88%] >> 24:ipa-client ########################################### [ 92%] >> 25:openssl-devel ########################################### [ 96%] >> 26:libref_array ########################################### [100%] >> [root at util1 Server]# >> [root at util1 Server]# >> [root at util1 Server]# >> [root at util1 Server]# >> [root at util1 Server]# ipa-client-install 
--unattended --password='n7 I,6TN+!TF' --domain=expertcity.com --server=authstage1.ops.expertcity.com --hostname=$(hostname) --no-ntp >> Realm: EXPERTCITY.COM >> DNS Domain: expertcity.com >> IPA Server: authstage1.ops.expertcity.com >> BaseDN: dc=expertcity,dc=com >> >> >> Joining realm failed: ber_scanf() failed, Invalid control ?! >> child exited with 9 >> Certificate subject base is: O=EXPERTCITY.COM >> [root at util1 Server]# >> [root at util1 Server]# >> [root at util1 Server]# >> [root at util1 Server]# ipa-client-install --unattended --password='n7 I,6TN+!TF' --domain=expertcity.com --server=authstage1.ops.expertcity.com --hostname=$(hostname) --no-ntp >> Realm: EXPERTCITY.COM >> DNS Domain: expertcity.com >> IPA Server: authstage1.ops.expertcity.com >> BaseDN: dc=expertcity,dc=com >> >> >> Joining realm failed: Host is already joined. >> Certificate subject base is: O=EXPERTCITY.COM >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > Simo recently fixed a bug in master that was preventing users keytabs from being recognized as non expired... Following a hunch, I updated the Stage Server with the newest master and now I get a completely new error from the RHEL 5.7 Client: > > Joining realm failed because of failing XML-RPC request. > This error may be caused by incompatible server/client major versions. What version of ipa-client are you using? Check ipaclient-install.log for potentially more details, and the Apache log on the IPA server as well. If the Apache side is logging an error about context.principal you need to update your ipa-client software which should pull in updated xmlrpc-c and curl libraries. rob From edewata at redhat.com Tue Sep 20 21:18:14 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 20 Sep 2011 16:18:14 -0500 Subject: [Freeipa-devel] [PATCH] 281 Fixed problem on combobox with search limit. Message-ID: <4E790316.5090302@redhat.com> The IPA.combobox_widget has been modified such that if the drop-down list doesn't contain the stored value (due to search limit) it will not select anything from the list. The widget has also been modified not to select the value that matches the filter automatically because that might not be the user's intention. Ticket #1819 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0281-Fixed-problem-on-combobox-with-search-limit.patch Type: text/x-patch Size: 2503 bytes Desc: not available URL: From simo at redhat.com Tue Sep 20 21:28:29 2011 From: simo at redhat.com (Simo Sorce) Date: Tue, 20 Sep 2011 17:28:29 -0400 Subject: [Freeipa-devel] [PATCH] 3 Fix ACIs in ipa-adtrust-install In-Reply-To: <20110919135320.GD11912@localhost.localdomain> References: <20110919135320.GD11912@localhost.localdomain> Message-ID: <1316554109.2684.544.camel@willson.li.ssimo.org> On Mon, 2011-09-19 at 15:53 +0200, Sumit Bose wrote: > Hi, > > while testing the creation of trust objects I found a typo in the ACI > allowing to read the NT hash and realized that an ACI was missing to > allow the samba user to add and modify the trust objects. The attached > patch should fix it. Tested (manually applying them after copy and paste on an already installed system) and works. Pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Tue Sep 20 21:28:53 2011 
From: simo at redhat.com (Simo Sorce)
Date: Tue, 20 Sep 2011 17:28:53 -0400
Subject: [Freeipa-devel] [PATCH] 4 Update samba LDAP schema
In-Reply-To: <20110919141006.GE11912@localhost.localdomain>
References: <20110919141006.GE11912@localhost.localdomain>
Message-ID: <1316554133.2684.545.camel@willson.li.ssimo.org>

On Mon, 2011-09-19 at 16:10 +0200, Sumit Bose wrote:
> Hi,
>
> this patch updates the samba LDAP schema to the latest version
> available. I think the next change to this file will be removing it
> because Simo is working on new objectclasses for IPA which will replace
> the ones from the samba schema. But for the time being the samba's IPA
> passdb backend expects the old objectclasses for users, groups and trust
> objects.

Tested and works.

Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From mkosek at redhat.com Wed Sep 21 07:26:43 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 21 Sep 2011 09:26:43 +0200
Subject: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry
In-Reply-To:
References: <28D50949-6CAB-4B58-BA3D-7F2C31EFEC35@citrixonline.com> <4DB085BB.6080104@redhat.com> <1303426875.26325.4.camel@willson.li.ssimo.org> <1303738997.23464.13.camel@willson.li.ssimo.org> <1303747204.23464.19.camel@willson.li.ssimo.org> <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com> <128FDDA2-BC61-4D75-B08F-EA89C0C62CB3@citrixonline.com> <1316076472.2479.10.camel@dhcp-25-52.brq.redhat.com> <967AED78-B524-4EE8-8A0D-D13E26E7AE6E@citrixonline.com> <1316164295.24447.43.camel@dhcp-25-52.brq.redhat.com> <1316517204.18528.20.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1316590006.23658.0.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-09-20 at 16:16 +0000, JR Aquino wrote:
> On Sep 20, 2011, at 4:13 AM, Martin Kosek wrote:
>
> > On Fri, 2011-09-16 at 16:37 +0000, JR Aquino wrote:
> >> On Sep 16, 2011, at 2:11 AM, Martin Kosek wrote:
> >>
> >>> On Thu, 2011-09-15 at 17:25 +0000, JR Aquino wrote:
> >>>> On Sep 15, 2011, at 1:47 AM, Martin Kosek wrote:
> >>>>
> >>>>> On Thu, 2011-09-15 at 00:47 +0000, JR Aquino wrote:
> >>>>>> On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote:
> >>>>>
> >>>>>>> 5) I was thinking if there is a better solution to enabling/disabling of
> >>>>>>> the plugin. Like setting something like "managedEntryEnabled" attribute
> >>>>>>> to on/off as we do with compat plugin. Current concept with disabling
> >>>>>>> the definition by damaging the originFilter and then restoring it from
> >>>>>>> an LDIF seems a bit awkward to me.
> >>>>>>
> >>>>>> This has been completely changed:
> >>>>>> Instead of looking to ldif files, an ldap look up is now performed to dynamically list the available managed entries.
> >>>>>
> >>>>> Now we are talking :-) I like the new approach.
> >>>>
> >>>>
> >>>>
> >>>>>
> >>>>> I have reviewed your patch, basic functionality looks good. But I still
> >>>>> have a few (nitpicking) comments:
> >>>>>
> >>>>> 1) There are parts from the previous file that are no longer needed
> >>>>> since you switched to different approach:
> >>>>>
> >>>>> +import os
> >>>>>
> >>>>> + from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax
> >>>>>
> >>>>> + import StringIO
> >>>>>
> >>>>> + import ldif
> >>>>>
> >>>>> +except BadSyntax, e:
> >>>>> + print "There is a syntax error in this update file:"
> >>>>> + print " %s" % e
> >>>>> + sys.exit(1)
> >>>>
> >>>> Removed
> >>>>
> >>>>>
> >>>>> 2) I saw a few whitespace errors on following lines of the patch: 419, 433
> >>>>> and 453
> >>>>
> >>>> Fixed whitespace errors
> >>>>
> >>>>>
> >>>>> 3) Output of the --list method is confusing:
> >>>>>
> >>>>> # ipa-managed-entries --list
> >>>>> Directory Manager password:
> >>>>>
> >>>>> Available Managed Entry Plugins:
> >>>>> cn=upg definition,cn=definitions,cn=managed
> >>>>> entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >>>>> cn=ngp definition,cn=definitions,cn=managed
> >>>>> entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >>>>>
> >>>>> You must specify a managed entry definition <<<
> >>>>> # echo $?
> >>>>> 1 <<<
> >>>>>
> >>>>> a) I shouldn't be asked to specify a managed entry definition for --list
> >>>>
> >>>> Fixed
> >>>>
> >>>>> b) The listing was successful, so we shouldn't return error code
> >>>>
> >>>> Corrected error code
> >>>>
> >>>>>
> >>>>> 4) Return code for disabling an already disabled entry should be 2
> >>>>> (according to man pages):
> >>>>>
> >>>>> # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable
> >>>>> Directory Manager password:
> >>>>>
> >>>>> Plugin already disabled
> >>>>> # echo $?
> >>>>> 0
> >>>>
> >>>> Fixed error code
> >>>>
> >>>>>
> >>>>> 5) Strange is that enabling a disabled plugin gives me return code 2:
> >>>>> # ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable
> >>>>> Directory Manager password:
> >>>>>
> >>>>> Enabling Plugin
> >>>>> # echo $?
> >>>>> 2
> >>>>>
> >>>>> Return codes for these actions should fit the man pages.
> >>>>
> >>>> Fixed error code
> >>>>
> >>>>>
> >>>>> 6) I would improve working with LDAP filters, current solution is error
> >>>>> prone. Try disabling&enabling NGP Definition, we end up with this
> >>>>> originFilter:
> >>>>>
> >>>>> originfilter: (&(objectclass=ipahostgroup))
> >>>>>
> >>>>> I think the cleanest solution would be to use ldap.make_filter and
> >>>>> ldap.combine_filters functions to play with these filters. You can
> >>>>> inspire yourself in this example I wrote for DNS plugin:
> >>>>>
> >>>>> rev_zone_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE, exact=False,
> >>>>> trailing_wildcard=False)
> >>>>> filter = ldap.combine_filters((rev_zone_filter, filter), rules=ldap.MATCH_ALL)
> >>>>
> >>>> Rob and you addressed this in the mailing list.
> >>>> For the record, I do agree that we are lacking a method for reading and modifying existing ldap filters.
> >>>> We will continue with the simple string method here for this iteration.
> >>>>
> >>>>>
> >>>>> 7) Entering Directory Manager every time may be a bit tedious. Could we
> >>>>> use current Kerberos credentials and fall-back to asking Directory
> >>>>> Manager password if it doesn't work? It's already done this way in
> >>>>> ipa-replica-manage for example.
> >>>>>
> >>>>> We could fix this, however, as an enhancement in another patch.
> >>>>
> >>>> Fixed. We now will use gssapi if available, and prompt for password if there is no ticket.
> >>>>
> >>>>>
> >>>>> 8) Man page - please use the new united FreeIPA man page header.
> >>>>> Instead
> >>>>> of
> >>>>>
> >>>>> +.TH "ipa-managed-entries" "1" "Sept 15 2011" "freeipa" ""
> >>>>>
> >>>>> use:
> >>>>>
> >>>>> +.TH "ipa-managed-entries" "1" "Sept 15 2011" "FreeIPA" "FreeIPA Manual
> >>>>> Pages"
> >>>>
> >>>> Fixed
> >>>>
> >>>>>
> >>>>>
> >>>>> 9) Man page - comma is missing for --list option:
> >>>>>
> >>>>> +\fB\-l\-\-list\fR
> >>>>>
> >>>>
> >>>> Fixed
> >>>>
> >>>>>
> >>>>> 10) install/po/Makefile.in should be updated to: there is still
> >>>>> reference to ipa-host-net-manage and ipa-managed-entries reference is
> >>>>> missing
> >>>>
> >>>> Fixed
> >>>>
> >>>
> >>> Great, most bugs are fixed. I only saw these 2 minor bugs. If those are
> >>> fixed, I think we can ack&push.
> >>>
> >>> 1) Man pages: --list option is still not right, formatting is wrong
> >>> +\fB\-l\fR, -\-list\fR
> >>
> >> This typo is now corrected
> >>
> >>>
> >>> 2) Enable action is missing a notice for the user, like the disable
> >>> action has:
> >>>
> >>> # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable
> >>> Disabling Plugin
> >>
> >> The output is now corrected.
> >>
> >>> # ipa-managed-entries -e 'cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable
> >>
> >> I have now also corrected the --list / -e / --entry to support/display shorthand for the managed entries instead of the full DN.
> >>
> >> # ipa-managed-entries --list
> >> Available Managed Entry Definitions:
> >> UPG Definition
> >> NGP Definition
> >> #
> >>
> >> # ipa-managed-entries --entry="UPG Definition" status
> >> Plugin Enabled
> >> #
> >>
> >
> > Looks good.
> > I found just one more bug:
> >
> > # ipa-managed-entries -e foo status
> > Traceback (most recent call last):
> > File "/usr/sbin/ipa-managed-entries", line 236, in
> > sys.exit(main())
> > File "/usr/sbin/ipa-managed-entries", line 152, in main
> > ['originfilter'],
> > File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
> > return f(*args, **kargs)
> > File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 502, in search_s
> > return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
> > File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
> > return f(*args, **kargs)
> > File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 496, in search_ext_s
> > return self.result(msgid,all=1,timeout=timeout)[1]
> > File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 181, in inner
> > objtype, data = f(*args, **kargs)
> > File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 422, in result
> > res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
> > File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
> > return f(*args, **kargs)
> > File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 426, in result2
> > res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
> > File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
> > return f(*args, **kargs)
> > File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 432, in result3
> > ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
> > File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
> > return f(*args, **kargs)
> > File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
> > result = func(*args,**kwargs)
> > ldap.NO_SUCH_OBJECT: {'matched': 'cn=definitions,cn=managed
> > entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com', 'desc': 'No such object'}
>
> Thanks, it has now been corrected.
>
> > I think we should handle this situation better and report a nice error
> > message.
> >
> > Martin
> >
>

ACK. Pushed to master. Merged to ipa-2-1 branch and pushed as well.

Martin

From atkac at redhat.com Wed Sep 21 08:58:40 2011
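The originFilter problem in item 6 of the review above, the leftover `(&(objectclass=ipahostgroup))` after a disable/enable round trip done with string replacement, is a parsing problem rather than a string problem. The block below is an added example, not the ipa-managed-entries code nor the ldap.make_filter/combine_filters helpers Martin points to: it parses the filter into a small tree, adds or removes a disabling clause at the tree level, and unwraps a single-term AND on enable. The marker clause `(objectclass=disabled)` and the sample filters are assumptions chosen for illustration, and the parser covers AND, OR, NOT and simple `attr=value` items only, not the full RFC 4515 grammar.

```python
"""Enable/disable a managed entry definition by editing its originFilter as a
parsed filter tree instead of a string.

Added example, not code from the FreeIPA tool under review. Assumptions: the
disabling clause "(objectclass=disabled)" is a hypothetical marker chosen for
illustration, and the parser covers the filter subset used here (AND/OR/NOT
and simple "attr=value" items), not every construct of RFC 4515.
"""

DISABLE_MARKER = "objectclass=disabled"  # hypothetical marker item


def parse_filter(text):
    """Parse an LDAP search filter into a tree.

    Nodes are ('and'|'or'|'not', [children]) or ('item', 'attr=value').
    """
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d in %r" % (ch, pos, text))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos < len(text) and text[pos] in "&|!":
            kind = {"&": "and", "|": "or", "!": "not"}[text[pos]]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if not children:
                raise ValueError("empty filter list at offset %d" % pos)
            expect(")")
            return (kind, children)
        # Simple item: everything up to the closing parenthesis. RFC 4515
        # requires a literal ')' inside a value to be escaped as \29, so the
        # first unescaped ')' terminates the item.
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item in %r" % text)
        item = text[pos:end]
        if "=" not in item:
            raise ValueError("filter item without '=': %r" % item)
        pos = end + 1
        return ("item", item)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter: %r" % text[pos:])
    return tree


def to_string(tree):
    """Serialise a tree produced by parse_filter back to filter syntax."""
    kind, payload = tree
    if kind == "item":
        return "(%s)" % payload
    symbol = {"and": "&", "or": "|", "not": "!"}[kind]
    return "(%s%s)" % (symbol, "".join(to_string(child) for child in payload))


def is_disabled(tree):
    """Disabled means: an AND node whose first term is the marker item."""
    return tree[0] == "and" and tree[1][0] == ("item", DISABLE_MARKER)


def disable(filter_text):
    """Wrap the filter as (&(marker)(original)); idempotent if already disabled."""
    tree = parse_filter(filter_text)
    if is_disabled(tree):
        return to_string(tree)
    return to_string(("and", [("item", DISABLE_MARKER), tree]))


def enable(filter_text):
    """Remove the marker and unwrap the AND node when only one term is left.

    The unwrap step is what plain string removal misses: it leaves the
    leftover "(&(objectclass=ipahostgroup))" quoted in the review.
    """
    tree = parse_filter(filter_text)
    if not is_disabled(tree):
        return to_string(tree)
    rest = tree[1][1:]
    if len(rest) == 1:
        return to_string(rest[0])
    return to_string(("and", rest))


def naive_enable(filter_text):
    """The string-surgery approach, kept only to show the leftover wrapper."""
    return filter_text.replace("(%s)" % DISABLE_MARKER, "")
```

Because the filter is re-serialised from the tree, `enable(disable(f))` returns `f` for any filter the parser accepts, and a malformed value stored in the entry raises ValueError instead of being silently rewritten, which is the sort of error the `-e foo status` traceback above shows the tool needs to report cleanly.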
From: atkac at redhat.com (Adam Tkac)
Date: Wed, 21 Sep 2011 10:58:40 +0200
Subject: [Freeipa-devel] Structured DNS record API proposal
In-Reply-To: <1316175916.24447.58.camel@dhcp-25-52.brq.redhat.com>
References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com> <4E7251FB.4040406@redhat.com> <1316158954.24447.31.camel@dhcp-25-52.brq.redhat.com> <1316174284.2684.428.camel@willson.li.ssimo.org> <1316174674.24447.48.camel@dhcp-25-52.brq.redhat.com> <1316175139.2684.435.camel@willson.li.ssimo.org> <1316175916.24447.58.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E79A740.1000506@redhat.com>

On 09/16/2011 02:25 PM, Martin Kosek wrote:
> On Fri, 2011-09-16 at 08:12 -0400, Simo Sorce wrote:
>> Whatever you do, do not split this operation into a DEL+ADD, we want an
>> atomic modify operation in any case, as you do not want to have a race
>> where named may query the MX records and find them empty. That'd be much
>> worse than returning one of them outdated.
>>
>> This means whatever the API we need to support a way to add all values
>> at the same time. We can also have the more verbose API to make things
>> more understandable, but we need this "bulk" API for the WebUI IMHO.
> I agree, the change shouldn't be split to del+add. My proposed API:
>
> dnsrecord-mx-mod example.com --dnsrecord="1 mx1.example.com." --preference=0
>
> would do just one write to LDAP. Unfortunately, this is not so pretty
> for CLI, one would have to copy&paste raw DNS value to be able to edit
> its components, but it should be simple for WebUI. Right now, I don't
> see some better way.
>

I thought about this CLI proposal and it is definitely a good start. In the future we can consider to improve the CLI this way, for example:

$ dnsrecord-mx-mod example.com --preference=0
Which record would you like to change?
[1] 1 mx1.example.com.
[2] 10 mx2.example.com.
$
>
> This way will be more convenient for people who use CLI, especially
> when we start to support DNSSEC and resource record types which store
> certificates (CERT/SSHFP) get widely used. I doubt that someone likes
> copying&pasting SHA* hashes and RSA signatures every time when some
> record is modified.
>
> Regards, Adam

Good idea! I already added some interactive prompt helpers to DNS plugin, you can check for example dnsrecord_del command, specifically its interactive_prompt_callback(). This can be also used for -mod/-show command which will make the command user-friendly for both CLI and WebUI users.

Martin

From mkosek at redhat.com Wed Sep 21 09:22:17 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 21 Sep 2011 11:22:17 +0200
Subject: [Freeipa-devel] Structured DNS record API proposal
In-Reply-To: <4E78BDC8.7010306@redhat.com>
References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com> <4E7251FB.4040406@redhat.com> <1316158954.24447.31.camel@dhcp-25-52.brq.redhat.com> <1316517338.18528.22.camel@dhcp-25-52.brq.redhat.com> <4E78BDC8.7010306@redhat.com>
Message-ID: <1316596940.23658.14.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-09-20 at 11:22 -0500, Endi Sukma Dewata wrote:
> On 9/20/2011 6:15 AM, Martin Kosek wrote:
> >>> ACK. Proposal looks like it will work fairly easily with the UI.
> >>> We'll have to make some changes due to the Add doing something
> >>> different based on the type, but that is the case anyway.
> >>
> >> Yes, I was thinking how can we integrate this new API to WebUI. AFAIK
> >> you use dnsrecord-add $ZONE $REC --a-rec=... --mx-rec=... for adding a
> >> new DNS record and dnsrecord-mod $ZONE $REC --mx-rec=... when for
> >> example the mx record is being modified. All MX values (even the
> >> unmodified ones) are passed to dnsrecord-mod.
> >>
> >> 1) I was wondering how the new dnsrecord--add commands can be
> >> used. I suppose WebUI will know a list of DNS record types with these
> >> new structured commands and offer the user new window to add a record
> >> for these types instead of typing them directly to the text box as it is
> >> now.
>
> When adding a DNS record the user will specify the name and the type,
> then the UI will show a set of fields based on the selected record type.
>
> So instead of a generic 'data' field like below (click Add):
>
> http://edewata.fedorapeople.org/freeipa/install/ui/index.html#dns=dnszone&identity=dns&navigation=identity&dnszone-facet=default&dnszone-pkey=ayoung.boston.devel.redhat.com
>
> it will be similar to Permissions (click Add):
>
> http://edewata.fedorapeople.org/freeipa/install/ui/index.html#rolebased=permission&ipaserver=rolebased&navigation=ipaserver
>
> The UI will use the type to pick the correct dnsrecord--add
> command and each parameter in that command will have a corresponding
> field to enter the value.

Yes, I think this will work fine. Would it make sense to create dnsrecord--add commands also for non-structured DNS records? I mean for example for A, AAAA, PTR, CNAME, ... records, which have just one simple value, or let plain old dnsrecord-add --a-rec=... handle it?

>
> >> 2) But my main concern here is how the modification of current DNS
> >> records should work. Say, we have 2 MX records for example.com. How can
> >> we modify one of them in a new structured interface?
> >>
> >> We would have to implement dnsrecord-mx-show method so that you can fill
> >> all the text areas (preference, mailserver). Question is how to refer to
> >> the value we want to show since DNS records are multivalued. We could
> >> pass --dnsrecord="..." with DNS record value, e.g. "0 mx.example.com."
> >> and then use the same value for dnsrecord-mx-mod. The whole command
> >> sequence would look this way:
> >>
> >> dnsrecord-find example.com -- get all DNS records for example.com
> >> dnsrecord-show example.com @ -- show DNS records directly in the zone
> >> NS: "ns.example.com"
> >> MX: "0 mx1.example.com."
> >> MX: "1 mx2.example.com."<< user wants to modify this one -> new window
>
> I think for each record value the primary keys are the zone name, record
> name, and the value itself. To simplify operations, we should use the
> value as a single string. For CLI, users can copy & paste the value more
> easily.
Agreed. As Adam Tkac suggested, we can simplify this with an interactive prompt so that the user doesn't have to copy&paste, but just choose a record to -show/-mod.

>
> For UI it depends whether (1) we're going to keep the current edit page
> where all records with the same name are considered a single entry, or
> whether (2) we're going to edit each record value in a separate page.
> See ticket #1478.
>
> If we stay with (1), the link to the edit page consists of zone name and
> record name only. But if we pick (2) the link consists of zone name,
> record name, value, and type (which can be obtained from -find output).

This is more of a UXD decision, server API will remain intact. I just see 2 issues here:

1) If you let the user edit multiple structured DNS records, you would have to call dnsrecord--show multiple times so that you can populate all the fields. This can slow things down.

2) Some DNS records may be pretty large. MX record data is small, but for example CERT records have an entire certificate stored in them. Wouldn't there be a problem if we place the large DNS record in the URL?

>
> >> dnsrecord-mx-show example.com --dnsrecord="1 mx1.example.com."
> >> PREFERENCE: 1 << user modifies this to 0
> >> MAILSERVER: mx2.example.com.
>
> For consistency, the record value should be specified as an argument
> instead of an option (like in automount). So it will be like this:
>
> dnsrecord-mx-show "example.com" "@" "1 mx1.example.com."
> PREFERENCE: 1
> MAILSERVER: mx2.example.com

This can be done.

>
> If we stay with (1) the UI will have to call the dnsrecord--show
> for each value to get the value of each field. The UI will need to
> implement a new widget (or section) that can handle multiple fields
> which will be duplicated for each value.

Ah, yes - as I wrote above. This would also take more time to process.

>
> The edit page for (2) is much simpler since it only needs to handle a
> single type at a time.
> The output of the -show command will be used to
> populate each field.
>
> >> dnsrecord-mx-mod example.com --dnsrecord="1 mx1.example.com." --preference=0
>
> When updating the value, option (1) is a bit more complicated because
> the UI will have to find the dirty record and then find the dirty field.
> Option (2) is simpler because it will only need to find the dirty field,
> but both will execute the following command:
>
> dnsrecord-mx-mod "example.com" "@" "1 mx1.example.com." --preference=0
>
> I think option (2) is more clear to users because we only have to
> introduce 2 concepts: zone and record (which is the individual value).
> With option (1) we will have to explain the underlying LDAP entry that
> will be deleted automatically when the last record value is deleted.
>

When I look at it, option (2) looks better for our case.

Martin

From sbose at redhat.com Wed Sep 21 11:18:00 2011
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 21 Sep 2011 13:18:00 +0200
Subject: [Freeipa-devel] [PATCH] 5 Fix typo in v3 base schema
Message-ID: <20110921111800.GA16242@localhost.localdomain>

Hi,

there are three issues in 60basev3.ldif which prevent the LDAP server from starting. Two are minor typos and one is a wrong matching rule for the octet string syntax.

bye,
Sumit
-------------- next part --------------
From e7551b3bbc0f970f9fb5998a66864849b81691bb Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Wed, 21 Sep 2011 12:59:33 +0200
Subject: [PATCH] Fix typo in v3 base schema

---
 install/share/60basev3.ldif | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 64f42d480d68724ee2cdb548ead10d13361b0d40..d118de2f04a81c0b858d20b5aeb997e6e313fd9a 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -5,15 +5,15 @@ ## dn: cn=schema attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME 'ipaExternalMember' DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' ) -attributeTypes: (2.16.840.1.113730.3.8.11.2 NAME 'ipaNTSecurityIdentfier' DESC 'NT Security ID' EQUALITY caseIgnoreIA5Match OREDRING caseIgnoreIA5OrderingMatch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.2 NAME 'ipaNTSecurityIdentifier' DESC 'NT Security ID' EQUALITY caseIgnoreIA5Match OREDRING caseIgnoreIA5OrderingMatch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v3' ) attributeTypes: (2.16.840.1.113730.3.8.11.3 NAME 'ipaNTFlatName' DESC 'Flat/Netbios Name' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) attributeTypes: (2.16.840.1.113730.3.8.11.4 NAME 'ipaNTFallbackPrimaryGroup' DESC 'Fallback Group to set the Primary group Security Identifier for users with UPGs' SUP distinguishedName X-ORIGIN 'IPA v3' ) -attributeTypes: (2.16.840.1.113730.3.8.11.5 NAME 'ipaNTHash' DESC 'NT Hash of user password' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.5 NAME 'ipaNTHash' DESC 'NT Hash of user password' EQUALITY octetStringMatch OREDRING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v3' ) attributeTypes: (2.16.840.1.113730.3.8.11.6 NAME 'ipaNTLogonScript' DESC 'User Logon Script Name' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) 
attributeTypes: (2.16.840.1.113730.3.8.11.7 NAME 'ipaNTProfilePath' DESC 'User Profile Path' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) attributeTypes: (2.16.840.1.113730.3.8.11.8 NAME 'ipaNTHomeDirectory' DESC 'User Home Directory Path' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) attributeTypes: (2.16.840.1.113730.3.8.11.9 NAME 'ipaNTHomeDirectoryDrive' DESC 'User Home Drive Letter' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) -objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectotryDrive ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $ ipaNTFlatName ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 'IPA v3' ) -- 1.7.6 From pvoborni at redhat.com Wed Sep 21 11:50:38 2011 
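Review bot: on both `+` lines of this hunk (ipaNTSecurityIdentifier and ipaNTHash) the keyword is spelled `OREDRING`, while the first, unchanged attributeType in the same hunk (ipaExternalMember) spells it `ORDERING`; since the patch already rewrites these two definitions, correct the spelling there as well, e.g. `EQUALITY octetStringMatch ORDERING octetStringOrderingMatch` for ipaNTHash, and consider a follow-up for the unchanged context lines that carry the same misspelling. The commit subject "Fix typo in v3 base schema" also undersells the ipaNTHash change, which swaps the matching rules from caseIgnoreMatch to octetStringMatch and drops the SUBSTR rule; the cover letter says the case-ignore rules are wrong for the octet string syntax, and that one sentence belongs in the commit message too so the history explains why the rules changed.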
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 21 Sep 2011 13:50:38 +0200
Subject: [Freeipa-devel] [PATCH] 271 Modified dialog to use sections.
In-Reply-To: <4E714274.7080507@redhat.com>
References: <4E714274.7080507@redhat.com>
Message-ID: <4E79CF8E.5040908@redhat.com>

On 09/15/2011 02:10 AM, Endi Sukma Dewata wrote:
> The IPA.dialog has been modified to store sections instead of fields.
> If there are no sections specified, it will create a default section.
>
> The adder dialog for automount map has been modified such that the
> fields related to indirect map are stored in a section which will
> only be visible when the map type is set to indirect.
>
> The adder dialog for host has been modified such that it uses a
> custom section for hostname and DNS zone and standard section for
> the other fields.
>
> Ticket #1394
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

1) dialog.js:128 is_valid method should use section.is_valid method - no need to reimplement the same thing. On top of that, section.is_valid method checks required fields.

2) dialog.js:44 init() - uses the same code as details section. Wouldn't it be better to split init method in details section into two parts?:
1: add_fields(spec) - which would accept array of field spec objects.
2: private init function which would call the add_fields method
Then we could make a get_section method in dialog which would return last section (same code as in add_field). At last we would call section.add_fields(fields).

3) add.js_:44 add() method. I know, there is a TODO comment, but I think, we could make validation almost consistent right now. Plain loop through sections like the one in details.js:618 and additional if(valid) check before command argument construction would do the trick. I'm thinking if we should extract code for creating command (arguments and options) into separate object.
Something like IPA.command_builder.add_arguments_sections(command, sections).

4) host.js:208,217: we should avoid using purely visual inline css styles. They should be replaced by class (if cannot be achieved by other selector) and styled in css file. This doesn't concern functional styles (animations, resizing, hiding, showing).

5) In host adder dialog. Is the margin between fqdn and other section OK? I don't mind it, just wondering.

6) group.js:100 param_info contains invalid string "Create as a non-POSIX group" for nonposix checkbox usage.

--
Petr Vobornik

From myllynen at redhat.com Wed Sep 21 12:12:13 2011
From: myllynen at redhat.com (Marko Myllynen)
Date: Wed, 21 Sep 2011 15:12:13 +0300
Subject: [Freeipa-devel] [PATCH] include for uintptr_t
Message-ID: <4E79D49D.5060103@redhat.com>

Hi,

stdint.h must be included for uintptr_t at least on Ubuntu Oneiric, without it ipa-client compilation fails.

Cheers,

--
Marko Myllynen
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-include-stdint.h-for-uintptr_t.patch
URL:

From simo at redhat.com Wed Sep 21 12:28:18 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 21 Sep 2011 08:28:18 -0400
Subject: [Freeipa-devel] [PATCH] 5 Fix typo in v3 base schema
In-Reply-To: <20110921111800.GA16242@localhost.localdomain>
References: <20110921111800.GA16242@localhost.localdomain>
Message-ID: <1316608098.2684.552.camel@willson.li.ssimo.org>

On Wed, 2011-09-21 at 13:18 +0200, Sumit Bose wrote:
> Hi,
>
> there are three issues in 60basev3.ldif which prevent the LDAP server
> from starting. Two are minor typos and one is a wrong matching rule for the
> octet string syntax.

Sorry about that, I was sure I had tested it.
But this means that the ACK also came w/o testing, that is bad :(

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Wed Sep 21 12:31:54 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 21 Sep 2011 08:31:54 -0400
Subject: [Freeipa-devel] [PATCH] 5 Fix typo in v3 base schema
In-Reply-To: <20110921111800.GA16242@localhost.localdomain>
References: <20110921111800.GA16242@localhost.localdomain>
Message-ID: <1316608314.2684.553.camel@willson.li.ssimo.org>

On Wed, 2011-09-21 at 13:18 +0200, Sumit Bose wrote:
> Hi,
>
> there are three issues in 60basev3.ldif which prevent the LDAP server
> from starting. Two are minor typos and one is a wrong matching rule for the
> octet string syntax.

Re-tested and pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Sep 21 13:08:56 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 21 Sep 2011 09:08:56 -0400
Subject: [Freeipa-devel] [PATCH] include for uintptr_t
In-Reply-To: <4E79D49D.5060103@redhat.com>
References: <4E79D49D.5060103@redhat.com>
Message-ID: <4E79E1E8.3030507@redhat.com>

Marko Myllynen wrote:
> Hi,
>
> stdint.h must be included for uintptr_t at least on Ubuntu Oneiric,
> without it ipa-client compilation fails.
>

There is an ipa-client make target that should make things somewhat easier as it doesn't need to build the entire tree.

rob

From myllynen at redhat.com Wed Sep 21 13:13:46 2011
From: myllynen at redhat.com (Marko Myllynen)
Date: Wed, 21 Sep 2011 16:13:46 +0300
Subject: [Freeipa-devel] [PATCH] include for uintptr_t
In-Reply-To: <4E79E1E8.3030507@redhat.com>
References: <4E79D49D.5060103@redhat.com> <4E79E1E8.3030507@redhat.com>
Message-ID: <4E79E30A.2000401@redhat.com>

Hi,

>> stdint.h must be included for uintptr_t at least on Ubuntu Oneiric,
>> without it ipa-client compilation fails.
>
> There is an ipa-client make target that should make things somewhat
> easier as it doesn't need to build the entire tree.

Sure, but gcc bails out with an error when compiling ipa-join.c without this patch. And while at it I added the fix also to daemons/ipa-slapi-plugins/common/util.h, not just for ipa-client/ipa-client-common.h.

Cheers,

--
Marko Myllynen

From ayoung at redhat.com Wed Sep 21 14:27:31 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 21 Sep 2011 10:27:31 -0400
Subject: [Freeipa-devel] Structured DNS record API proposal
In-Reply-To: <1316531492.12296.14.camel@dhcp-25-52.brq.redhat.com>
References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com> <4E7251FB.4040406@redhat.com> <1316158954.24447.31.camel@dhcp-25-52.brq.redhat.com> <1316517338.18528.22.camel@dhcp-25-52.brq.redhat.com> <4E789D02.90204@redhat.com> <1316531492.12296.14.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E79F453.4010600@redhat.com>

On 09/20/2011 11:11 AM, Martin Kosek wrote:
> On Tue, 2011-09-20 at 10:02 -0400, Adam Young wrote:
>> This discussion got me thinking, always a dangerous proposal:
>>
>> We are currently exposing record add with the lie that when you add a
>> record, it has a type. The reality is that a record is just this big
>> collection of multi value attributes, and each of those is the "type"
>> of the record.
> The way I see it is that we have different types of Resource Records
> with a (domain) name that can be shared.
>
>>
>> If all of the 'records' have the same idnsname, then they really fall
>> under the same Record object in LDAP.
> Yes.
>
>> What if we focused on the attributes themselves, and add the type info
>> there.
> I thought we do this already.
>
>>
>> Pie in the sky proposal. Treat it as a starting point:
>>
>> From the webui perspective
>> dnsrecord-add allows the case where it just has the idnsname with
>> no "records"
>>
>> dnsrecordattr-mod takes record type specific values.
>>
>> To add a location entry:
>>
>> ipa dnsrecordattr-mod --append location --lat-deg=INT --lat-min=INT --lat-sec=FLOAT --lat-dir=ENUM --lon-deg=INT --lon-min=INT --lon-sec=FLOAT --lon-dir=ENUM --alt=FLOAT --h-precision=FLOAT --v-precision=FLOAT
>>
>>
>> And to remove it
>>
>> ipa dnsrecordattr-mod --remove location --lat-deg=INT --lat-min=INT --lat-sec=FLOAT --lat-dir=ENUM --lon-deg=INT --lon-min=INT --lon-sec=FLOAT --lon-dir=ENUM --alt=FLOAT --h-precision=FLOAT --v-precision=FLOAT
> So if user would want to remove a LOC record, he would have to pass all
> these attributes to refer which attribute value to remove?

I think that is the case anyway. Since a DNS record is really just a multivalue attribute, you would now have to do a dns-record-mod with the list of all LOC records that you don't want to delete.

I used this as an example because it is the most complex case.

Just thinking it through... I'm not certain I like the "one command per record type" as it changes a lot of other assumptions. DNS is a weird beast already. I've spent a lot of time on the DNS ui, and it is pretty tricky to get right. I'm trying to balance the PI against efficient usage.

What we really need for the fields is a way to specify the format for a given field, much like the format strings used for group names. For example, the LOC record is really

LOC d1 [m1 [s1]] {"N"|"S"} d2 [m2 [s2]] {"E"|"W"} alt["m"] [siz["m"] [hp["m"] [vp["m"]]]]

And all the WebUI needs is a way to specify that format to validate.

We need a better approach than setattr/add attr, but it should not be specific to the DNS use case. Let me frame the problem this way:

Extend the IPA plugin API to allow for multivalue attributes, composed of multiple fields, where the fields can have format strings. Solve this design issue, and the DNS design becomes an application of it.

From rcritten at redhat.com Wed Sep 21 14:28:24 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 21 Sep 2011 10:28:24 -0400 Subject: [Freeipa-devel] [PATCH] include for uintptr_t In-Reply-To: <4E79E30A.2000401@redhat.com> References: <4E79D49D.5060103@redhat.com> <4E79E1E8.3030507@redhat.com> <4E79E30A.2000401@redhat.com> Message-ID: <4E79F488.4010408@redhat.com> Marko Myllynen wrote: > Hi, > >>> stdint.h must be included for uintptr_t at least on Ubuntu Oneiric, >>> without it ipa-client compilation fails. >> >> There is an ipa-client make target that should make things somewhat >> easier as it doesn't need to build the entire tree. > > sure, but gcc bails out with an error when compiling ipa-join.c without > this patch. And while at it I added the fix also to > daemons/ipa-slapi-plugins/common/util.h not just for > ipa-client/ipa-client-common.h. > > Cheers, > Ok, opened https://fedorahosted.org/freeipa/ticket/1831 rob From rcritten at redhat.com Wed Sep 21 14:29:13 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 21 Sep 2011 10:29:13 -0400 Subject: [Freeipa-devel] [PATCH] 125 Remove checks for ds-replication plugin In-Reply-To: <1316508349.18528.13.camel@dhcp-25-52.brq.redhat.com> References: <1316508349.18528.13.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E79F4B9.2090704@redhat.com> Martin Kosek wrote: > The replication plugin is no longer shipped as a separate package. > Remove the code checking its existence. > > https://fedorahosted.org/freeipa/ticket/1815 ACK From rcritten at redhat.com Wed Sep 21 14:37:40 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 21 Sep 2011 10:37:40 -0400 Subject: [Freeipa-devel] [PATCH] Double check kinit return In-Reply-To: <1314822380.20296.347.camel@willson.li.ssimo.org> References: <1314822380.20296.347.camel@willson.li.ssimo.org> Message-ID: <4E79F6B4.3050703@redhat.com> Simo Sorce wrote: > At least once I had kinit fail to get a proper ticket and yet not return > an error. I honestly was not able to reproduce, but add a double check > to make sure we actually got a usable ticket so that ssh does not prompt > again for the admin user password. > > Fixes: https://fedorahosted.org/freeipa/ticket/1746 > ACK. I didn't see the original failure but belt and suspenders never hurts. rob From rcritten at redhat.com Wed Sep 21 14:47:40 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 21 Sep 2011 10:47:40 -0400 Subject: [Freeipa-devel] [PATCH] 876 normalize user principal In-Reply-To: <1316519405.18528.25.camel@dhcp-25-52.brq.redhat.com> References: <4E7351DB.8060007@redhat.com> <4E735A40.9000102@redhat.com> <1316519405.18528.25.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E79F90C.6040606@redhat.com> Martin Kosek wrote: > On Fri, 2011-09-16 at 10:16 -0400, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Normalize and validate user principals in user and passwd plugins. The >>> uid in the principal should be lower-case. >>> >>> rob >> >> With updated API.txt >> >> rob > > This works fine. I would just suggest improving the way we handle > realm case mismatch: > > # ipa user-add --first=Foo --last=Bar --principal=fbar3 at idm.lab.bos.redhat.com FBar3 > ipa: ERROR: The realm for the principal does not match the realm for this IPA server > [root at vm-120 ~]# ipa user-add --first=Foo --last=Bar --principal=fbar3 at IDM.LAB.BOS.REDHAT.COM FBar3 > ------------------ > Added user "fbar3" > ------------------ > User login: fbar3 > First name: Foo > Last name: Bar > Full name: Foo Bar > Display name: Foo Bar > Initials: FB > Home directory: /home/fbar3 > GECOS field: Foo Bar > Login shell: /bin/sh > Kerberos principal: fbar3 at IDM.LAB.BOS.REDHAT.COM > UID: 63600005 > GID: 63600001 > Keytab: False > Password: False > > I think we should force it to uppercase in split_principal() as we do in > service.py. > > Martin > Done since we require upper-case realms in the installer. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-876-3-principal.patch Type: text/x-patch Size: 12700 bytes Desc: not available URL: From simo at redhat.com Wed Sep 21 14:49:13 2011 
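The normalisation rules settled on in this thread, as an added example rather than Rob's patch: the uid part of a user principal is forced to lower case, the realm is forced to upper case inside the split step (as Martin suggests for split_principal()), and only then is it compared with the server's realm, so the first command in Martin's transcript would be accepted instead of failing. The error string is the one in his transcript; rejecting multi-component names (a '/' as in service principals) and whitespace is an assumption made here for a user-principal check.

```python
"""Normalise and validate a user principal: lower-case uid, upper-case realm.

Example code written for this page; not the FreeIPA user/passwd plugin code.
"""
import re

# One non-empty uid component, optional @REALM. No '/' (service principals) and no
# whitespace are allowed in a *user* principal; that restriction is an assumption here.
_USER_PRINCIPAL_RE = re.compile(r"^[^@/\s]+(?:@[^@/\s]+)?$")

REALM_MISMATCH = "The realm for the principal does not match the realm for this IPA server"


def split_principal(principal: str):
    """Return (uid, REALM); REALM is '' when the principal carries no realm.

    The realm is upper-cased here, before any comparison, so that a lower-case
    realm typed by the user is not reported as a mismatch.
    """
    if not _USER_PRINCIPAL_RE.match(principal):
        raise ValueError(f"malformed user principal: {principal!r}")
    uid, _, realm = principal.partition("@")
    return uid, realm.upper()


def normalize_user_principal(principal: str, server_realm: str) -> str:
    """Return the canonical 'uid@REALM' form, or raise ValueError.

    - a bare uid gets the server's realm appended;
    - the uid is lower-cased (the thread's rule for user principals);
    - a realm that differs from the server's after upper-casing is rejected.
    """
    uid, realm = split_principal(principal)
    server_realm = server_realm.upper()   # installer requires upper-case realms anyway
    if not realm:
        realm = server_realm
    if realm != server_realm:
        raise ValueError(REALM_MISMATCH)
    return f"{uid.lower()}@{realm}"


def is_valid_user_principal(principal: str, server_realm: str) -> bool:
    """Yes/no wrapper for use as a parameter validator."""
    try:
        normalize_user_principal(principal, server_realm)
    except ValueError:
        return False
    return True
```

Note the order of operations: upper-casing happens in `split_principal()`, not in the comparison, so every caller (user-add, passwd, the UI) sees the same canonical realm and the stored `krbPrincipalName` never ends up with a mixed-case realm that a later exact-match search would miss.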
From: simo at redhat.com (Simo Sorce) Date: Wed, 21 Sep 2011 10:49:13 -0400 Subject: [Freeipa-devel] [PATCH] Double check kinit return In-Reply-To: <4E79F6B4.3050703@redhat.com> References: <1314822380.20296.347.camel@willson.li.ssimo.org> <4E79F6B4.3050703@redhat.com> Message-ID: <1316616553.2684.560.camel@willson.li.ssimo.org> On Wed, 2011-09-21 at 10:37 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > At least once I had kinit fail to get a proper ticket and yet not return > > an error. I honestly was not able to reproduce, but add a double check > > to make sure we actually got a usable ticket so that ssh does not prompt > > again for the admin user password. > > > > Fixes: https://fedorahosted.org/freeipa/ticket/1746 > > > > ACK. I didn't see the original failure but belt and suspenders never hurts. Yeah same reasoning here. Pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From yzhang at redhat.com Wed Sep 21 15:06:07 2011 
From: yzhang at redhat.com (yi zhang) Date: Wed, 21 Sep 2011 08:06:07 -0700 Subject: [Freeipa-devel] Structured DNS record API proposal In-Reply-To: <4E79A740.1000506@redhat.com> References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com> <4E7251FB.4040406@redhat.com> <1316158954.24447.31.camel@dhcp-25-52.brq.redhat.com> <1316174284.2684.428.camel@willson.li.ssimo.org> <1316174674.24447.48.camel@dhcp-25-52.brq.redhat.com> <1316175139.2684.435.camel@willson.li.ssimo.org> <1316175916.24447.58.camel@dhcp-25-52.brq.redhat.com> <4E79A740.1000506@redhat.com> Message-ID: <4E79FD5F.5000707@redhat.com> On 09/21/2011 01:58 AM, Adam Tkac wrote: > On 09/16/2011 02:25 PM, Martin Kosek wrote: >> On Fri, 2011-09-16 at 08:12 -0400, Simo Sorce wrote: >>> Whatever you do do not split this operation into a DEL+ADD, we want an >>> atomic modify operation in any case. as you do not want to have a race >>> where named may query the MX records and find them empty. That'd be much >>> worse than returning one of them outdated. >>> >>> This means whatever the API we need to support a way to add all values >>> at the same time. We can also have the more verbose API to make things >>> more understandable, but we need this "bulk" API for the WebUI IMHO. >> I agree, the change shouldn't be split to del+add. My proposed API: >> >> dnsrecord-mx-mod example.com --dnsrecord="1 mx1.example.com." --preference=0 >> >> would do just one write to LDAP. Unfortunately, this is not so pretty >> for CLI, one would have to copy&paste raw DNS value to be able to edit >> its components, but it should be simple for WebUI. Right now, I don't >> see some better way. >> > I thought about this CLI proposal and it is definitely a good start. In > the future we can consider to improve the CLI this way, for example: > > $ dnsrecord-mx-mod example.com --preference=0 > Which record would you like to change? > [1] 1 mx1.example.com. > [2] 10 mx2.example.com. 
> $ > > > > This way will be more convenient for people who use the CLI, especially > > when we start to support DNSSEC and resource record types which store > > certificates (CERT/SSHFP) get widely used. I doubt that someone likes > > copying&pasting SHA* hashes and RSA signatures every time when some > > record is modified. > > > > Regards, Adam > Interactive mode is useful in some cases. But can people still script > with this CLI? I hope this CLI can still offer non-interactive mode so > it would be more script-friendly. > BTW, I am a QA. > > Yi That's a good question. But yes - it will still be scriptable. The prompt is just a user-helper, not an essential instrument to do the DNS changes. Martin From yzhang at redhat.com Wed Sep 21 15:45:43 2011 
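The atomic-modify point Simo raises in this thread, as an added example that is not IPA's code: given the MX values currently in LDAP, the one to edit (the raw value Martin's `--dnsrecord` takes) and the components to change, it builds one replace of the whole attribute, so named can never read an empty MX set in between. The del+add shape is shown beside it for contrast. The `MOD_*` constants stand in for python-ldap's so the block runs offline, and the attribute name `mxrecord` and the `preference exchanger.` value format are taken from the thread's examples.

```python
"""Edit one MX value with a single LDAP replace instead of a delete followed by an add.

Example code written for this page; not FreeIPA's dns plugin.
"""

# Stand-ins for python-ldap's ldap.MOD_ADD / MOD_DELETE / MOD_REPLACE (assumed values,
# defined here so the example runs without the ldap module).
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2
MX_ATTR = "mxrecord"   # attribute holding 'preference exchanger.' values (name assumed)


def parse_mx(value: str):
    """Split '10 mx2.example.com.' into (10, 'mx2.example.com.'), validating both parts."""
    parts = value.split()
    if len(parts) != 2:
        raise ValueError(f"malformed MX value: {value!r}")
    pref, exch = parts
    if not pref.isdigit() or not 0 <= int(pref) <= 65535:   # RFC 1035: 16-bit preference
        raise ValueError(f"MX preference out of range: {pref!r}")
    if not exch.endswith("."):
        raise ValueError(f"MX exchanger must be fully qualified: {exch!r}")
    return int(pref), exch


def edited_value(target: str, preference=None, exchanger=None) -> str:
    """Apply the requested component changes to one raw value and re-validate it."""
    old_pref, old_exch = parse_mx(target)
    new_pref = old_pref if preference is None else int(preference)
    new_value = f"{new_pref} {exchanger or old_exch}"
    parse_mx(new_value)
    return new_value


def mx_modify(current, target, preference=None, exchanger=None):
    """Return a one-element modlist: REPLACE the whole attribute with `target` edited.

    `current` is the value list as read from the entry; it is not modified.
    The server applies the replace as one write, so the MX set is never empty
    and a concurrent reader sees either the old list or the new one.
    """
    if target not in current:
        raise ValueError(f"{target!r} is not among the current MX records")
    new_value = edited_value(target, preference, exchanger)
    new_values = [new_value if v == target else v for v in current]
    if len(set(new_values)) != len(new_values):
        raise ValueError("edit would create a duplicate MX record")
    return [(MOD_REPLACE, MX_ATTR, new_values)]


def mx_modify_del_add(current, target, preference=None, exchanger=None):
    """The del+add shape the thread warns against, for contrast.

    Issued as two separate modify requests the attribute may be empty (or, for a
    single-value set, absent) between them, which is the race Simo describes.
    """
    if target not in current:
        raise ValueError(f"{target!r} is not among the current MX records")
    new_value = edited_value(target, preference, exchanger)
    return [(MOD_DELETE, MX_ATTR, [target]), (MOD_ADD, MX_ATTR, [new_value])]
```

One caveat worth keeping in mind when reading the two shapes: LDAP itself (RFC 4511, section 4.6) requires every modification inside a single ModifyRequest to be applied atomically, so a delete and an add packed into the same request are as safe as the replace. The hazard is the CLI-level del+add, two separate commands and therefore two separate requests, and a bulk API that takes all values at once is what guarantees callers never end up there.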
From: yzhang at redhat.com (yi zhang) Date: Wed, 21 Sep 2011 08:45:43 -0700 Subject: [Freeipa-devel] Structured DNS record API proposal In-Reply-To: <1316619849.16141.0.camel@dhcp-25-52.brq.redhat.com> References: <1316017122.2647.40.camel@dhcp-25-52.brq.redhat.com> <4E7251FB.4040406@redhat.com> <1316158954.24447.31.camel@dhcp-25-52.brq.redhat.com> <1316174284.2684.428.camel@willson.li.ssimo.org> <1316174674.24447.48.camel@dhcp-25-52.brq.redhat.com> <1316175139.2684.435.camel@willson.li.ssimo.org> <1316175916.24447.58.camel@dhcp-25-52.brq.redhat.com> <4E79A740.1000506@redhat.com> <4E79FD5F.5000707@redhat.com> <1316619849.16141.0.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E7A06A7.2010106@redhat.com> On 09/21/2011 08:44 AM, Martin Kosek wrote: > On Wed, 2011-09-21 at 08:06 -0700, yi zhang wrote: >> On 09/21/2011 01:58 AM, Adam Tkac wrote: >>> On 09/16/2011 02:25 PM, Martin Kosek wrote: >>>> On Fri, 2011-09-16 at 08:12 -0400, Simo Sorce wrote: >>>>> Whatever you do do not split this operation into a DEL+ADD, we want an >>>>> atomic modify operation in any case. as you do not want to have a race >>>>> where named may query the MX records and find them empty. That'd be much >>>>> worse than returning one of them outdated. >>>>> >>>>> This means whatever the API we need to support a way to add all values >>>>> at the same time. We can also have the more verbose API to make things >>>>> more understandable, but we need this "bulk" API for the WebUI IMHO. >>>> I agree, the change shouldn't be split to del+add. My proposed API: >>>> >>>> dnsrecord-mx-mod example.com --dnsrecord="1 mx1.example.com." --preference=0 >>>> >>>> would do just one write to LDAP. Unfortunately, this is not so pretty >>>> for CLI, one would have to copy&paste raw DNS value to be able to edit >>>> its components, but it should be simple for WebUI. Right now, I don't >>>> see some better way. >>>> >>> I thought about this CLI proposal and it is definitely a good start. 
In >>> the future we can consider to improve the CLI this way, for example: >>> >>> $ dnsrecord-mx-mod example.com --preference=0 >>> Which record would you like to change? >>> [1] 1 mx1.example.com. >>> [2] 10 mx2.example.com. >>> $