From sbose at redhat.com Mon Dec 3 10:53:45 2012
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 3 Dec 2012 11:53:45 +0100
Subject: [Freeipa-devel] [PATCH] 91 Restart sssd after authconfig update
Message-ID: <20121203105345.GC2116@localhost.localdomain>

Hi,

this patch unconditionally restarts sssd after authconfig is run to fix
https://fedorahosted.org/freeipa/ticket/3267 .

bye,
Sumit
-------------- next part --------------
From 769e5858898eccc9084ce59b8a6eebee065b452d Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 3 Dec 2012 11:45:49 +0100
Subject: [PATCH] Restart sssd after authconfig update

Recent versions of authconfig do not restart sssd if only the --enablesssd
and --enablesssdauth options are used. To make sure sssd is running after
ipa-server-install is run this patch adds an unconditional restart of sssd
after authconfig is run during the installation.

Since there already is some logic trying to determine if sssd needs to be
restarted or stopped if freeipa is uninstalled no changes are needed here.

Fixes https://fedorahosted.org/freeipa/ticket/3267
---
 ipa-client/ipa-install/ipa-client-install | 6 ++++++
 1 Datei geändert, 6 Zeilen hinzugefügt(+)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 190efb183d8c96e2c9665cf51d5346dc1111ae24..612bdc658870fa680f8d7c5b30d8111a6a316c66 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1822,6 +1822,12 @@ def install(options, env, fstore, statestore): auth_config.add_option("update") auth_config.execute() root_logger.info("%s", message) + if options.sssd: + sssd = ipaservices.service('sssd') + try: + sssd.restart() + except CalledProcessError: + root_logger.warning("SSSD service restart was unsuccessful.") if not options.sssd: #Modify pam to add pam_krb5 only when sssd is not in use -- 1.7.11.4

From sbose at redhat.com Mon Dec 3 11:26:59 2012
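Review bot: the new block in the hunk catches CalledProcessError, but the hunk shows no import of that name, so confirm ipa-client-install already has it in scope before this is pushed; otherwise a failed restart surfaces as a NameError instead of the intended warning. Also, the whole point of the change is to guarantee sssd is running after authconfig was told to use it for authentication (--enablesssdauth in the commit message), so a failed restart deserves more than `root_logger.warning("SSSD service restart was unsuccessful.")`: at least tell the user to start sssd by hand, since the client was just configured to depend on it. Finally, the added `if options.sssd:` sits directly above the existing `if not options.sssd:`; making the second an `else:` of the first would show that the two branches are alternatives.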
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 3 Dec 2012 12:26:59 +0100
Subject: [Freeipa-devel] [PATCH] 92 Do not recommend how to configure DNS in error message
Message-ID: <20121203112659.GD2116@localhost.localdomain>

Hi,

this patch removes some specific recommendations from an error message to fix
https://fedorahosted.org/freeipa/ticket/3261

bye,
Sumit
-------------- next part --------------
From c90cd0c997daa789fb3e4f798c43988daf0eb66f Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 3 Dec 2012 12:16:56 +0100
Subject: [PATCH] Do not recommend how to configure DNS in error message

The best way to configure DNS depends on the environment and no general
recommendations should be given by the CLI or Web UI. Especially forwarders
should not be recommended but only be an option of last resort.

Fixes https://fedorahosted.org/freeipa/ticket/3261
---
 ipalib/plugins/trust.py | 22 +++++++++-------------
 1 Datei geändert, 9 Zeilen hinzugefügt(+), 13 Zeilen entfernt(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index b4a3d7697c620c38144ebaf459a6b3b97506f8ce..2019d910b18ea507b9d05f5b6165e7b6d9a43e4e 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -354,19 +354,15 @@ sides. instructions.append(_("Forward policy is defined for it in IPA DNS, " "perhaps forwarder points to incorrect host?")) except (errors.NotFound, KeyError) as e: - instructions.append(_("IPA manages DNS, please configure forwarder to " - "'%(domain)s' domain using following CLI command. " - "Make sure to replace DNS_SERVER and IP_ADDRESS by " - "actual values corresponding to the trusted domain's " - "DNS server:") % dict(domain=keys[-1])) - # tab character at the beginning of a multiline error message will be replaced - # in the web UI by a colorful hint. Does not affect CLI. - instructions.append(_("\tipa dnszone-add %(domain)s --name-server=[DNS_SERVER] " - "--admin-email='hostmaster@%(domain)s' " - "--force --forwarder=[IP_ADDRESS] " - "--forward-policy=only") % dict(domain=keys[-1])) - instructions.append(_("When using Web UI, please create DNS zone for domain '%(domain)s' " - "first and then set forwarder and forward policy.") % dict(domain=keys[-1])) + instructions.append(_("IPA manages DNS, please verify " + "your DNS configuration and " + "make sure that service records " + "of the '%(domain)s' domain can " + "be resolved. Examples how to " + "configure DNS with CLI commands " + "or the Web UI can be found in " + "the documentation. " ) % + dict(domain=keys[-1])) else: instructions.append(_("Since IPA does not manage DNS records, ensure DNS " "is configured to resolve '%(domain)s' domain from " -- 1.7.11.4

From pviktori at redhat.com Mon Dec 3 12:35:05 2012
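Review bot: the replacement string in the hunk ends with a trailing space inside the literal, `"the documentation. " )`, plus a stray space before the closing parenthesis; since this is a gettext-wrapped (`_()`) user-facing message, drop both so translators get a clean msgid and the CLI does not print a dangling blank. Wording point for the same string: "Examples how to configure DNS" should read "Examples of how to configure DNS". Also note that the `except (errors.NotFound, KeyError) as e:` context line binds `e` but nothing in the new body uses it, which the old body did not either; a `_ = e`-free `except (errors.NotFound, KeyError):` would avoid the unused name.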
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 03 Dec 2012 13:35:05 +0100
Subject: [Freeipa-devel] [RFE] Warnings and client capabilities
In-Reply-To: <5086BE75.6080408@redhat.com>
References: <4FD7240A.5040400@redhat.com> <1339504707.8230.577.camel@willson.li.ssimo.org> <4FD73869.6020503@redhat.com> <4FE19398.2040401@redhat.com> <1340189270.3072.29.camel@balmora.brq.redhat.com> <1340200668.32038.150.camel@willson.li.ssimo.org> <5086BE75.6080408@redhat.com>
Message-ID: <50BC9C79.7050009@redhat.com>

I've submitted the updated design document to
http://freeipa.org/page/V3/Messages

On 10/23/2012 05:57 PM, Petr Viktorin wrote:
> Here is a draft design document for ticket 2732.
> Please comment on both the feature itself, and on how to write design
> documents.
> Petr?, please add how the UI should handle this.
>

-- 
Petr³

From lroot at redhat.com Mon Dec 3 13:20:32 2012
From: lroot at redhat.com (Lynn Root)
Date: Mon, 03 Dec 2012 14:20:32 +0100
Subject: [Freeipa-devel] [PATCH 0005] Clarified error message with ipa-client-automount
In-Reply-To: <50B926A9.5030107@redhat.com>
References: <1129149924.5633962.1353923519895.JavaMail.root@redhat.com> <50B926A9.5030107@redhat.com>
Message-ID: <50BCA720.50305@redhat.com>

On 11/30/2012 10:35 PM, Rob Crittenden wrote:
> Lynn Root wrote:
>> Returns a clearer hint when user is running ipa-client-automount with
>> possible firewall up and blocking needed ports.
>>
>> Not sure if this patch is worded correctly in order to address the
>> potential firewall block when running ipa-client-automount. Perhaps a
>> different error should be thrown, rather than NOT_IPA_SERVER.
>>
>> Ticket: https://fedorahosted.org/freeipa/ticket/3080
>
> Tomas made a similar change recently in ipa-client-install which
> includes more information on the ports we need. You may want to take a
> look at that. It was for ticket
> https://fedorahosted.org/freeipa/ticket/2816
>
> rob

Thank you Rob - I adapted the same approach in this updated patch. Let me
know if it addresses the blocked port issue better.

Thanks!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-lroot-0005-2-Clarified-error-message-with-ipa-client-automount.patch
Type: text/x-patch
Size: 1928 bytes
Desc: not available
URL: 

From pviktori at redhat.com Mon Dec 3 13:46:45 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 03 Dec 2012 14:46:45 +0100
Subject: [Freeipa-devel] [RFE] Logging and output in install & management commands
Message-ID: <50BCAD45.8080906@redhat.com>

Hello,
Please take a while to comment on this proposal before I post it on the
wiki.
This is about user-visible changes I plan to make for #2652 (Framework
for admin/install tool) -- consistent behavior will (in addition to not
confusing users) enable the framework to do common work without too much
special-casing.


= Overview =

The output, logging, and command-line options of our install/management
tools are inconsistent. This RFE aims to clean up some of the
inconsistency.

Specifically it addresses:
- Inconsistencies between console output and log files
- Tools using either --verbose or --debug for the same purpose
And some collateral issues:
- The --version option missing in some tools
- The problem of e.g. an accidental ipa-server-install overwriting
  ipaserver-install.log by the useless message, "The server is already
  installed"

This is part of [https://fedorahosted.org/freeipa/ticket/2652|#2652
Framework for admin/install tools]


= Design =

Each command will have these command-line options (added automatically
by the framework):

  --version         show program's version number and exit
  -h, --help        show the help message and exit

  output and logging options:
    -q, --quiet     Output only errors
    -v, --verbose   Print debugging information
    --log-file      (alternate) log file name

The precise meanings of the output options are:
  (nothing): print INFO-level messages and above to stderr
  -q:        only print ERROR-level messages and above to stderr
  -v:        print all messages to stderr, prefixed with severity level
In all cases, if there is a log file, all messages go to it.

In commands that currently have it, the `-d, --debug` option will become
a deprecated alias for --verbose.

Note that this RFE only adds new options, so backwards compatibility is
maintained.
The tools will use the following log message severities:
- CRITICAL for fatal errors
- ERROR for critical things that the admin must see even in --quiet mode
- WARNING for things that need to stand out in the log
- INFO to display normal messages
- DEBUG to spam about everything the program does
- a plain print statement for things that should not be logged, for
  interactive prompting should use the console and follow up with a DEBUG
  mentioning the final value

The commands check their arguments and most do some validation and
possible interactive prompting before doing any modification of the
system. Since the system is not changed, the user can always re-run with
--verbose if there are problems in this phase. Logging information from
this phase to a file is useless.
The file logging will start after the validation/prompting. The first
logged message(s) will mention the command and options used.


= Use Cases =

User runs some /usr/sbin/ipa-* commands with the --help option to see
that the logging-related options are the same in all of those programs.

User runs an ipa-* command with the -q option to only see errors.

User runs an ipa-* command (possibly with --log-file, if the command
doesn't log by default), and later reviews the log file to find all
relevant information.


= Implementation =

The RFE will be implemented gradually as new commands are ported to the
framework.

-- 
Petr³

From rcritten at redhat.com Mon Dec 3 16:03:06 2012
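The option and severity scheme the RFE above describes, worked through as an added Python example (this is not the framework's code; `console_level`, `build_parser`, `attach_console`, `attach_log_file`, `run_tool` and `capture_run` are this example's own names, and the logger name `ipa-example` is assumed). It also shows the two-phase behaviour: file logging starts only after validation, so an early exit such as "The server is already installed" never truncates an existing log.

```python
import argparse
import io
import logging
import os
import sys
import tempfile

LOGGER_NAME = "ipa-example"   # assumed name; the real tools use root_logger


def console_level(quiet, verbose):
    """(nothing): INFO and above; -q: ERROR and above; -v: everything.
    -v wins over -q when both are given (an assumption, not in the RFE)."""
    if verbose:
        return logging.DEBUG
    if quiet:
        return logging.ERROR
    return logging.INFO


def build_parser(prog="ipa-example-tool", version="0.1"):
    """The common options the RFE says the framework adds to every tool."""
    parser = argparse.ArgumentParser(prog=prog)
    parser.add_argument("--version", action="version",
                        version="%(prog)s " + version)
    group = parser.add_argument_group("output and logging options")
    group.add_argument("-q", "--quiet", action="store_true",
                       help="Output only errors")
    group.add_argument("-v", "--verbose", action="store_true",
                       help="Print debugging information")
    # -d/--debug stays accepted as a deprecated alias, hidden from --help
    group.add_argument("-d", "--debug", dest="verbose", action="store_true",
                       help=argparse.SUPPRESS)
    group.add_argument("--log-file", default=None,
                       help="(alternate) log file name")
    return parser


def attach_console(logger, options, stream):
    """Console handler: threshold from -q/-v, severity prefix only with -v."""
    handler = logging.StreamHandler(stream)
    handler.setLevel(console_level(options.quiet, options.verbose))
    fmt = "%(levelname)s: %(message)s" if options.verbose else "%(message)s"
    handler.setFormatter(logging.Formatter(fmt))
    logger.addHandler(handler)
    return handler


def attach_log_file(logger, path, argv):
    """Called only after validation/prompting: the file gets every message
    and its first record names the command and options that were used."""
    handler = logging.FileHandler(path)
    handler.setLevel(logging.DEBUG)
    handler.setFormatter(
        logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.info("Command: %s", " ".join(argv))
    return handler


def run_tool(argv, validate, work, stream=None):
    """Two-phase run: validate(options) returns an error string or None and
    must not touch the system; work(logger) does the job. Returns exit status."""
    options = build_parser().parse_args(argv[1:])
    logger = logging.getLogger(LOGGER_NAME)
    logger.setLevel(logging.DEBUG)      # the handlers do the filtering
    logger.propagate = False
    handlers = [attach_console(logger, options,
                               stream if stream is not None else sys.stderr)]
    try:
        logger.debug("Parsed options: %s", vars(options))
        problem = validate(options)
        if problem is not None:
            # No log file has been opened yet, so an earlier log is not
            # overwritten by this message; the user can re-run with -v.
            logger.error("%s", problem)
            return 1
        if options.log_file:
            handlers.append(attach_log_file(logger, options.log_file, argv))
        try:
            work(logger)
        except Exception:
            logger.critical("Unexpected error", exc_info=True)
            return 1
        return 0
    finally:
        for handler in handlers:
            logger.removeHandler(handler)
            handler.close()


def capture_run(args, validate, work, use_log=True):
    """Example helper: run with the console captured and a fresh temporary
    log file; returns status, console text and log text (None if no file)."""
    path = os.path.join(tempfile.mkdtemp(), "ipa-example.log")
    argv = ["ipa-example-tool"] + args + (["--log-file", path] if use_log else [])
    console = io.StringIO()
    status = run_tool(argv, validate, work, stream=console)
    log = open(path).read() if os.path.exists(path) else None
    return {"status": status, "console": console.getvalue(), "log": log}


if __name__ == "__main__":
    # Constructed scenario: quiet run that stops in the validation phase.
    print(capture_run(["-q"], lambda opts: "The server is already installed",
                      lambda log: log.info("installing")))
```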
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 03 Dec 2012 11:03:06 -0500
Subject: [Freeipa-devel] [RFE] Logging and output in install & management commands
In-Reply-To: <50BCAD45.8080906@redhat.com>
References: <50BCAD45.8080906@redhat.com>
Message-ID: <50BCCD3A.1020905@redhat.com>

Petr Viktorin wrote:
> Hello,
> Please take a while to comment on this proposal before I post it on the
> wiki.
> This is about user-visible changes I plan to make for #2652 (Framework
> for admin/install tool) -- consistent behavior will (in addition to not
> confusing users) enable the framework to do common work without too much
> special-casing.
>
>
> = Overview =
>
> The output, logging, and command-line options of our install/management
> tools are inconsistent. This RFE aims to clean up some of the
> inconsistency.
>
> Specifically it addresses:
> - Inconsistencies between console output and log files
> - Tools using either --verbose or --debug used for the same purpose
> And some collateral issues:
> - The --version option missing in some tools
> - The problem of e.g. an accidental ipa-server-install overwriting
> ipaserver-install.log by the useless message, "The server is already
> installed"
>
> This is part of [https://fedorahosted.org/freeipa/ticket/2652|#2652
> Framework for admin/install tools]
>
>
> = Design=
>
> Each command will have these command-line options (added automatically
> by the framework):
>
> --version show program's version number and exit
> -h, --help show the help message and exit
>
> output and logging options:
> -q, --quiet Output only errors
> -v, --verbose Print debugging information
> --log-file (alternate) log file name
>
> The precise meanings of the output options are:
> (nothing): print INFO-level messages and above to stderr
> -q: only print ERROR-level messages and above to stderr
> -v: print all messages to stderr, prefixed with severity level
> In all cases, if there is a log file, all messages go to it
>
> In commands that currently have it, the `-d, --debug` option will become
> a deprecated alias for --verbose.
>
> Note that this RFE only adds new options, so backwards compatibility is
> maintained.
>
>
> The tools will use the following log message severities:
> - CRITICAL for fatal errors
> - ERROR for critical things that the admin must see even in --quiet mode
> - WARNING for things that need to stand out in the log
> - INFO to display normal messages
> - DEBUG to spam about everything the program does
> - a plain print statement for things that should not be log, for
> interactive prompting should use the console and follow up with a DEBUG
> mentioning the final value
>
>
> The commands check their arguments and most do some validation and
> possible interactive prompting before doing any modification of the
> system. Since the system is not changed, the user can always re-run with
> --verbose if there are problems in this phase. Logging information from
> this phase to a file is useless.
> The file logging will start after the validation/prompting. The first
> logged message(s) will mention the command and options used.
>
>
> = Use Cases =
>
> User runs some /usr/sbin/ipa-* commands with the --help option to see
> that the logging-related options are the same in all of those programs.
>
> User runs an ipa-* command with the -q option to only see errors.
>
> User runs an ipa-* command (possibly with --log-file, if the command
> doesn't log by default), and later reviews the log file to find all
> relevant information.
>
>
> = Implementation =
>
> The RFE will be implemented gradually as new commands are ported to the
> framework.
>

Can you list exactly which commands you're targeting?

At least some (ipa-replica-manage, ipa-replica-prepare) don't have
logging but may still benefit from this structure. Did you have those
in mind as well?

It may be time to rewrite ipa-upgradeconfig too. It started as a
one-off and has grown considerably over the past year. It would
benefit from this as well (though other enhancements would be beyond
this scope).

rob

From dpal at redhat.com Mon Dec 3 16:17:39 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 03 Dec 2012 11:17:39 -0500
Subject: [Freeipa-devel] [RFE] Logging and output in install & management commands
In-Reply-To: <50BCCD3A.1020905@redhat.com>
References: <50BCAD45.8080906@redhat.com> <50BCCD3A.1020905@redhat.com>
Message-ID: <50BCD0A3.6060500@redhat.com>

On 12/03/2012 11:03 AM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> Hello,
>> Please take a while to comment on this proposal before I post it on the
>> wiki.
>> This is about user-visible changes I plan to make for #2652 (Framework
>> for admin/install tool) -- consistent behavior will (in addition to not
>> confusing users) enable the framework to do common work without too much
>> special-casing.
>>
>>
>> = Overview =
>>
>> The output, logging, and command-line options of our install/management
>> tools are inconsistent. This RFE aims to clean up some of the
>> inconsistency.
>>
>> Specifically it addresses:
>> - Inconsistencies between console output and log files
>> - Tools using either --verbose or --debug used for the same purpose
>> And some collateral issues:
>> - The --version option missing in some tools
>> - The problem of e.g. an accidental ipa-server-install overwriting
>> ipaserver-install.log by the useless message, "The server is already
>> installed"
>>
>> This is part of [https://fedorahosted.org/freeipa/ticket/2652|#2652
>> Framework for admin/install tools]
>>
>>
>> = Design=
>>
>> Each command will have these command-line options (added automatically
>> by the framework):
>>
>> --version show program's version number and exit
>> -h, --help show the help message and exit
>>
>> output and logging options:
>> -q, --quiet Output only errors
>> -v, --verbose Print debugging information
>> --log-file (alternate) log file name
>>
>> The precise meanings of the output options are:
>> (nothing): print INFO-level messages and above to stderr
>> -q: only print ERROR-level messages and above to stderr
>> -v: print all messages to stderr, prefixed with severity level
>> In all cases, if there is a log file, all messages go to it
>>
>> In commands that currently have it, the `-d, --debug` option will become
>> a deprecated alias for --verbose.
>>
>> Note that this RFE only adds new options, so backwards compatibility is
>> maintained.
>>
>>
>> The tools will use the following log message severities:
>> - CRITICAL for fatal errors
>> - ERROR for critical things that the admin must see even in --quiet mode
>> - WARNING for things that need to stand out in the log
>> - INFO to display normal messages
>> - DEBUG to spam about everything the program does
>> - a plain print statement for things that should not be log, for
>> interactive prompting should use the console and follow up with a DEBUG
>> mentioning the final value
>>
>>
>> The commands check their arguments and most do some validation and
>> possible interactive prompting before doing any modification of the
>> system. Since the system is not changed, the user can always re-run with
>> --verbose if there are problems in this phase. Logging information from
>> this phase to a file is useless.
>> The file logging will start after the validation/prompting. The first
>> logged message(s) will mention the command and options used.
>>
>>
>> = Use Cases =
>>
>> User runs some /usr/sbin/ipa-* commands with the --help option to see
>> that the logging-related options are the same in all of those programs.
>>
>> User runs an ipa-* command with the -q option to only see errors.
>>
>> User runs an ipa-* command (possibly with --log-file, if the command
>> doesn't log by default), and later reviews the log file to find all
>> relevant information.
>>
>>
>> = Implementation =
>>
>> The RFE will be implemented gradually as new commands are ported to the
>> framework.
>>
>>
>
> Can you list exactly which commands you're targetting?
>
> At least some (ipa-replica-manage, ipa-replica-prepare) don't have
> logging but may still benefit from this structure. Did you have those
> in mind as well?
>
> It may be time to rewrite ipa-upgradeconfig too. It started as a
> one-off and has grown considerably over the past year. It would
> benefit from this as well (though other enhancements would be beyond
> this scope).

Would it affect ipa-server-install and ipa-client-install too?
I agree with Rob explicitly listing the commands would be helpful.
IMO creating a table of existing commands would be very beneficial.

I see it with the following columns:

Command   Version     Help        Quiet       Verbose     Log File   Release
xyz       added       was there   added       was there   added      Pilsner
abc       was there   was there   was there   was there   added      Pilsner
klm       added       was there   added       was there   added      Other beer
...

This (or similar) would allow QE to easily see what changed and when and
how to adjust test cases.
For doc it will also provide information needed.

>
> rob
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Dec 3 16:28:23 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 03 Dec 2012 11:28:23 -0500
Subject: [Freeipa-devel] [RFE] Warnings and client capabilities
In-Reply-To: <50BC9C79.7050009@redhat.com>
References: <4FD7240A.5040400@redhat.com> <1339504707.8230.577.camel@willson.li.ssimo.org> <4FD73869.6020503@redhat.com> <4FE19398.2040401@redhat.com> <1340189270.3072.29.camel@balmora.brq.redhat.com> <1340200668.32038.150.camel@willson.li.ssimo.org> <5086BE75.6080408@redhat.com> <50BC9C79.7050009@redhat.com>
Message-ID: <50BCD327.2080609@redhat.com>

On 12/03/2012 07:35 AM, Petr Viktorin wrote:
> I've submitted the updated design document to
> http://freeipa.org/page/V3/Messages

The use cases section looks strange to me.
I do not think that the contents belong there.
The purpose of the Use cases section is to describe usage scenarios in
more formal 1-2-3 form.
For example:

- User opens UI
- User navigates to page X
- User enters Z
- User clicks Y
Current behavior:
- One error/warning message is displayed
New behavior:
- A message box with several warnings and errors appears at the top of
  the screen giving user a full overview of what is wrong with the input.

Similar use cases should be created for CLI

What you have there is valuable info, it just belongs to some other section.

>
>
> On 10/23/2012 05:57 PM, Petr Viktorin wrote:
>> Here is a draft design document for ticket 2732.
>> Please comment on both the feature itself, and on how to write design
>> documents.
>> Petr?, please add how the UI should handle this.
>>
>
>
> --
> Petr³
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

From dpal at redhat.com Mon Dec 3 16:30:58 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 03 Dec 2012 11:30:58 -0500
Subject: [Freeipa-devel] [RFE] Logging and output in install & management commands
In-Reply-To: <50BCD0A3.6060500@redhat.com>
References: <50BCAD45.8080906@redhat.com> <50BCCD3A.1020905@redhat.com> <50BCD0A3.6060500@redhat.com>
Message-ID: <50BCD3C2.6030301@redhat.com>

On 12/03/2012 11:17 AM, Dmitri Pal wrote:
> On 12/03/2012 11:03 AM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> Hello,
>>> Please take a while to comment on this proposal before I post it on the
>>> wiki.
>>> This is about user-visible changes I plan to make for #2652 (Framework
>>> for admin/install tool) -- consistent behavior will (in addition to not
>>> confusing users) enable the framework to do common work without too much
>>> special-casing.
>>>
>>>
>>> = Overview =
>>>
>>> The output, logging, and command-line options of our install/management
>>> tools are inconsistent. This RFE aims to clean up some of the
>>> inconsistency.
>>>
>>> Specifically it addresses:
>>> - Inconsistencies between console output and log files
>>> - Tools using either --verbose or --debug used for the same purpose
>>> And some collateral issues:
>>> - The --version option missing in some tools
>>> - The problem of e.g. an accidental ipa-server-install overwriting
>>> ipaserver-install.log by the useless message, "The server is already
>>> installed"
>>>
>>> This is part of [https://fedorahosted.org/freeipa/ticket/2652|#2652
>>> Framework for admin/install tools]
>>>
>>>
>>> = Design=
>>>
>>> Each command will have these command-line options (added automatically
>>> by the framework):
>>>
>>> --version show program's version number and exit
>>> -h, --help show the help message and exit
>>>
>>> output and logging options:
>>> -q, --quiet Output only errors
>>> -v, --verbose Print debugging information
>>> --log-file (alternate) log file name
>>>
>>> The precise meanings of the output options are:
>>> (nothing): print INFO-level messages and above to stderr
>>> -q: only print ERROR-level messages and above to stderr
>>> -v: print all messages to stderr, prefixed with severity level
>>> In all cases, if there is a log file, all messages go to it
>>>
>>> In commands that currently have it, the `-d, --debug` option will become
>>> a deprecated alias for --verbose.
>>>
>>> Note that this RFE only adds new options, so backwards compatibility is
>>> maintained.
>>>
>>>
>>> The tools will use the following log message severities:
>>> - CRITICAL for fatal errors
>>> - ERROR for critical things that the admin must see even in --quiet mode
>>> - WARNING for things that need to stand out in the log
>>> - INFO to display normal messages
>>> - DEBUG to spam about everything the program does
>>> - a plain print statement for things that should not be log, for
>>> interactive prompting should use the console and follow up with a DEBUG
>>> mentioning the final value
>>>
>>>
>>> The commands check their arguments and most do some validation and
>>> possible interactive prompting before doing any modification of the
>>> system. Since the system is not changed, the user can always re-run with
>>> --verbose if there are problems in this phase. Logging information from
>>> this phase to a file is useless.
>>> The file logging will start after the validation/prompting. The first
>>> logged message(s) will mention the command and options used.
>>>
>>>
>>> = Use Cases =
>>>
>>> User runs some /usr/sbin/ipa-* commands with the --help option to see
>>> that the logging-related options are the same in all of those programs.
>>>
>>> User runs an ipa-* command with the -q option to only see errors.
>>>
>>> User runs an ipa-* command (possibly with --log-file, if the command
>>> doesn't log by default), and later reviews the log file to find all
>>> relevant information.
>>>
>>>
>>> = Implementation =
>>>
>>> The RFE will be implemented gradually as new commands are ported to the
>>> framework.
>>>
>>>
>> Can you list exactly which commands you're targetting?
>>
>> At least some (ipa-replica-manage, ipa-replica-prepare) don't have
>> logging but may still benefit from this structure. Did you have those
>> in mind as well?
>>
>> It may be time to rewrite ipa-upgradeconfig too. It started as a
>> one-off and has grown considerably over the past year. It would
>> benefit from this as well (though other enhancements would be beyond
>> this scope).
> Would it affect ipa-server-install and ipa-client-install too?
> I agree with Rob explicitly listing the commands would be helpful.
> IMO creating a table of existing commands would be very beneficial.
>
> I see it with the following columns:
>
> Command   Version     Help        Quiet       Verbose     Log File   Release
> xyz       added       was there   added       was there   added      Pilsner
> abc       was there   was there   was there   was there   added      Pilsner
> klm       added       was there   added       was there   added      Other beer
> ...
>
> This (or similar) would allow QE to easily see what changed and when and
> how to adjust test cases.
> For doc it will also provide information needed.

It wrapped so let me try again:

Cmd   Version   Help   Quiet   Verbose   Log File   Release
xyz   added     -      added   -         added      Pilsner
abc   -         -      -       -         added      Pilsner
klm   added     -      added   -         added      Other beer

>> rob
>>
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

From pviktori at redhat.com Mon Dec 3 17:29:58 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 03 Dec 2012 18:29:58 +0100
Subject: [Freeipa-devel] [RFE] Logging and output in install & management commands
In-Reply-To: <50BCD0A3.6060500@redhat.com>
References: <50BCAD45.8080906@redhat.com> <50BCCD3A.1020905@redhat.com> <50BCD0A3.6060500@redhat.com>
Message-ID: <50BCE196.5000404@redhat.com>

On 12/03/2012 05:17 PM, Dmitri Pal wrote:
> On 12/03/2012 11:03 AM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> Hello,
>>> Please take a while to comment on this proposal before I post it on the
>>> wiki.
>>> This is about user-visible changes I plan to make for #2652 (Framework
>>> for admin/install tool) -- consistent behavior will (in addition to not
>>> confusing users) enable the framework to do common work without too much
>>> special-casing.
>>>
>>> [...]
>>
>> Can you list exactly which commands you're targetting?

All of them, `ls /usr/sbin/ipa*`.
The ones written in C should just get the common options, framework
stuff doesn't apply to them.

>> At least some (ipa-replica-manage, ipa-replica-prepare) don't have
>> logging but may still benefit from this structure. Did you have those
>> in mind as well?

Yes. They do output, they have --quiet and --verbose options. They
should use the logger even if the log doesn't happen to go to a file.
And once they do, I won't special-case them to lose --log-file.

>> It may be time to rewrite ipa-upgradeconfig too. It started as a
>> one-off and has grown considerably over the past year. It would
>> benefit from this as well (though other enhancements would be beyond
>> this scope).

The scope is https://fedorahosted.org/freeipa/ticket/2652: if I see
copy-pasted code, or code that reimplements something we already have
better tools for, I put it in a shared module.
This RFE just describes the outward-facing changes.

> Would it affect ipa-server-install and ipa-client-install too?
> I agree with Rob explicitly listing the commands would be helpful.
> IMO creating a table of existing commands would be very beneficial.
> I see it with the following columns:
>
> Command   Version     Help        Quiet       Verbose     Log File   Release
> xyz       added       was there   added       was there   added      Pilsner
> abc       was there   was there   was there   was there   added      Pilsner
> klm       added       was there   added       was there   added      Other beer
> ...
>
> This (or similar) would allow QE to easily see what changed and when and
> how to adjust test cases.
> For doc it will also provide information needed.
>

Yes, I can provide such a table for each release.
It's long-term, low-priority effort, so it will take some time to get
all of them done.


The current state:

All commands (except ipa-getcert) have --help. None have --log-file.

                         --version  -q  -v  -d
ipa-adtrust-install      Y          -   -   Y
ipa-ca-install           Y          -   -   Y
ipa-client-automount     -          -   -   *
ipa-client-install       Y          -   -   Y
ipa-compat-manage        -          -   -   Y
ipa-compliance           -          -   -   *
ipa-csreplica-manage     Y          -   Y   -
ipa-dns-install          Y          -   -   Y
ipa-getkeytab            -          Y   -   -
ipa-join                 -          Y   -   Y
ipa-ldap-updater         Y          -   -   Y
ipa-managed-entries      -          -   -   Y
ipa-nis-manage           -          -   -   Y
ipa-replica-conncheck    Y          Y   -   Y
ipa-replica-install      Y          -   -   Y
ipa-replica-manage       Y          -   Y   -
ipa-replica-prepare      Y          -   -   *
ipa-rmkeytab             -          -   -   Y
ipa-server-certinstall   -          -   -   **
ipa-server-install       Y          -   -   Y
ipa-upgradeconfig        Y          Y   -   Y
ipactl                   -          -   -   Y

* long variant (--debug) only
** -d means something else


Note that currently --debug is used much more than --verbose. There are
two reasons for favoring --verbose: it complements --quiet, and some
commands already use -d for something else.

-- 
Petr³

From pviktori at redhat.com Mon Dec 3 17:30:10 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 03 Dec 2012 18:30:10 +0100
Subject: [Freeipa-devel] [RFE] Warnings and client capabilities
In-Reply-To: <50BCD327.2080609@redhat.com>
References: <4FD7240A.5040400@redhat.com> <1339504707.8230.577.camel@willson.li.ssimo.org> <4FD73869.6020503@redhat.com> <4FE19398.2040401@redhat.com> <1340189270.3072.29.camel@balmora.brq.redhat.com> <1340200668.32038.150.camel@willson.li.ssimo.org> <5086BE75.6080408@redhat.com> <50BC9C79.7050009@redhat.com> <50BCD327.2080609@redhat.com>
Message-ID: <50BCE1A2.20302@redhat.com>

On 12/03/2012 05:28 PM, Dmitri Pal wrote:
> On 12/03/2012 07:35 AM, Petr Viktorin wrote:
>> I've submitted the updated design document to
>> http://freeipa.org/page/V3/Messages
>
> The use cases section looks strange to me.
> I do not think that the contents belongs there.
> The purpose of the Use cases section is to describe usage scenarios in
> more formal 1-2-3 form.
> For example:
>
> - User open UI
> - User navigates to page X
> - User enters Z
> - User clicks Y
> Current behavior:
> - One error/warning message is displayed
> New behavior:
> - A message box with several warnings and errors appears at the top of
> the screen giving user a full overview of what is wrong with the input.
>
> Similar use cases should be created for CLI
>
> What you have there is valuable info, it just belongs to some other section.
>
>

Okay. Since there are no user-visible changes, I left the section empty.
The behavior is explained in Design so no info is lost.

-- 
Petr³

From dpal at redhat.com Mon Dec 3 17:42:04 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 03 Dec 2012 12:42:04 -0500
Subject: [Freeipa-devel] [RFE] Logging and output in install & management commands
In-Reply-To: <50BCE196.5000404@redhat.com>
References: <50BCAD45.8080906@redhat.com> <50BCCD3A.1020905@redhat.com> <50BCD0A3.6060500@redhat.com> <50BCE196.5000404@redhat.com>
Message-ID: <50BCE46C.5090402@redhat.com>

On 12/03/2012 12:29 PM, Petr Viktorin wrote:
> On 12/03/2012 05:17 PM, Dmitri Pal wrote:
>> On 12/03/2012 11:03 AM, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> Hello,
>>>> Please take a while to comment on this proposal before I post it on
>>>> the wiki.
>>>> This is about user-visible changes I plan to make for #2652 (Framework
>>>> for admin/install tool) -- consistent behavior will (in addition to
>>>> not confusing users) enable the framework to do common work without
>>>> too much special-casing.
>>>>
> [...]
>>>
>>> Can you list exactly which commands you're targeting?
>
> All of them, `ls /usr/sbin/ipa*`.
> The ones written in C should just get the common options, framework
> stuff doesn't apply to them.
>
>>> At least some (ipa-replica-manage, ipa-replica-prepare) don't have
>>> logging but may still benefit from this structure. Did you have those
>>> in mind as well?
>
> Yes. They do output, they have --quiet and --verbose options. They
> should use the logger even if the log doesn't happen to go to a file.
> And once they do, I won't special-case them to lose --log-file.
>
>>> It may be time to rewrite ipa-upgradeconfig too. It started as a
>>> one-off and has grown considerably over the past year. It would
>>> benefit from this as well (though other enhancements would be beyond
>>> this scope).
>
> The scope is https://fedorahosted.org/freeipa/ticket/2652: if I see
> copy-pasted code, or code that reimplements something we already have
> better tools for, I put it in a shared module.
> This RFE just describes the outward-facing changes.
>
>> Would it affect ipa-server-install and ipa-client-install too?
>> I agree with Rob explicitly listing the commands would be helpful.
>> IMO creating a table of existing commands would be very beneficial.
>
>> I see it with the following columns:
>>
>> Command   Version     Help        Quiet       Verbose     Log File   Release
>> xyz       added       was there   added       was there   added      Pilsner
>> abc       was there   was there   was there   was there   added      Pilsner
>> klm       added       was there   added       was there   added      Other beer
>> ...
>>
>> This (or similar) would allow QE to easily see what changed and when and
>> how to adjust test cases.
>> For doc it will also provide information needed.
>>
>
> Yes, I can provide such a table for each release.
> It's a long-term, low-priority effort, so it will take some time to get
> all of them done.
>
>
> The current state:
>
> All commands (except ipa-getcert) have --help. None have --log-file.
>
>                          --version  -q  -v  -d
> ipa-adtrust-install      Y          -   -   Y
> ipa-ca-install           Y          -   -   Y
> ipa-client-automount     -          -   -   *
> ipa-client-install       Y          -   -   Y
> ipa-compat-manage        -          -   -   Y
> ipa-compliance           -          -   -   *
> ipa-csreplica-manage     Y          -   Y   -
> ipa-dns-install          Y          -   -   Y
> ipa-getkeytab            -          Y   -   -
> ipa-join                 -          Y   -   Y
> ipa-ldap-updater         Y          -   -   Y
> ipa-managed-entries      -          -   -   Y
> ipa-nis-manage           -          -   -   Y
> ipa-replica-conncheck    Y          Y   -   Y
> ipa-replica-install      Y          -   -   Y
> ipa-replica-manage       Y          -   Y   -
> ipa-replica-prepare      Y          -   -   *
> ipa-rmkeytab             -          -   -   Y
> ipa-server-certinstall   -          -   -   **
> ipa-server-install       Y          -   -   Y
> ipa-upgradeconfig        Y          Y   -   Y
> ipactl                   -          -   -   Y
>
> * long variant (--debug) only
> ** -d means something else
>
>
> Note that currently --debug is used much more than --verbose. There
> are two reasons for favoring --verbose: it complements --quiet, and
> some commands already use -d for something else.
>

Can you please turn it into a page?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simo at redhat.com Mon Dec 3 20:24:14 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 03 Dec 2012 15:24:14 -0500
Subject: [Freeipa-devel] [PATCH] 92 Do not recommend how to configure DNS in error message
In-Reply-To: <20121203112659.GD2116@localhost.localdomain>
References: <20121203112659.GD2116@localhost.localdomain>
Message-ID: <1354566254.19871.189.camel@willson.li.ssimo.org>

On Mon, 2012-12-03 at 12:26 +0100, Sumit Bose wrote:
> Hi,
>
> this patch removes some specific recommendations from an error message
> to fix https://fedorahosted.org/freeipa/ticket/3261

ACK

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Mon Dec 3 20:36:08 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 03 Dec 2012 15:36:08 -0500
Subject: [Freeipa-devel] [PATCH] 91 Restart sssd after authconfig update
In-Reply-To: <20121203105345.GC2116@localhost.localdomain>
References: <20121203105345.GC2116@localhost.localdomain>
Message-ID: <50BD0D38.4080700@redhat.com>

Sumit Bose wrote:
> Hi,
>
> this patch unconditionally restarts sssd after authconfig is run to fix
> https://fedorahosted.org/freeipa/ticket/3267 .

ACK, pushed to master and ipa-3-0

rob

From rcritten at redhat.com Mon Dec 3 20:39:43 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 03 Dec 2012 15:39:43 -0500
Subject: [Freeipa-devel] [PATCH] 92 Do not recommend how to configure DNS in error message
In-Reply-To: <1354566254.19871.189.camel@willson.li.ssimo.org>
References: <20121203112659.GD2116@localhost.localdomain> <1354566254.19871.189.camel@willson.li.ssimo.org>
Message-ID: <50BD0E0F.5040705@redhat.com>

Simo Sorce wrote:
> On Mon, 2012-12-03 at 12:26 +0100, Sumit Bose wrote:
>> Hi,
>>
>> this patch removes some specific recommendations from an error message
>> to fix https://fedorahosted.org/freeipa/ticket/3261
>
> ACK
>
> Simo.
>

pushed to master and ipa-3-0

From simo at redhat.com Mon Dec 3 20:23:41 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 03 Dec 2012 15:23:41 -0500
Subject: [Freeipa-devel] [PATCH] 91 Restart sssd after authconfig update
In-Reply-To: <20121203105345.GC2116@localhost.localdomain>
References: <20121203105345.GC2116@localhost.localdomain>
Message-ID: <1354566221.19871.188.camel@willson.li.ssimo.org>

On Mon, 2012-12-03 at 11:53 +0100, Sumit Bose wrote:
> Hi,
>
> this patch unconditionally restarts sssd after authconfig is run to fix
> https://fedorahosted.org/freeipa/ticket/3267 .

ACK.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From pviktori at redhat.com Tue Dec 4 09:04:19 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Tue, 04 Dec 2012 10:04:19 +0100
Subject: [Freeipa-devel] [RFE] Logging and output in install & management commands
In-Reply-To: <50BCE46C.5090402@redhat.com>
References: <50BCAD45.8080906@redhat.com> <50BCCD3A.1020905@redhat.com> <50BCD0A3.6060500@redhat.com> <50BCE196.5000404@redhat.com> <50BCE46C.5090402@redhat.com>
Message-ID: <50BDBC93.5080608@redhat.com>

On 12/03/2012 06:42 PM, Dmitri Pal wrote:
> On 12/03/2012 12:29 PM, Petr Viktorin wrote:
>> On 12/03/2012 05:17 PM, Dmitri Pal wrote:
>>> On 12/03/2012 11:03 AM, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>> Hello,
>>>>> Please take a while to comment on this proposal before I post it on
>>>>> the wiki.
>>>>> This is about user-visible changes I plan to make for #2652 (Framework
>>>>> for admin/install tool) -- consistent behavior will (in addition to
>>>>> not confusing users) enable the framework to do common work without
>>>>> too much special-casing.
>>>>>
>> [...]
>>>>
>>>> Can you list exactly which commands you're targeting?
>>
>> All of them, `ls /usr/sbin/ipa*`.
>> The ones written in C should just get the common options, framework
>> stuff doesn't apply to them.
>>
>>>> At least some (ipa-replica-manage, ipa-replica-prepare) don't have
>>>> logging but may still benefit from this structure. Did you have those
>>>> in mind as well?
>>
>> Yes. They do output, they have --quiet and --verbose options. They
>> should use the logger even if the log doesn't happen to go to a file.
>> And once they do, I won't special-case them to lose --log-file.
>>
>>>> It may be time to rewrite ipa-upgradeconfig too. It started as a
>>>> one-off and has grown considerably over the past year. It would
>>>> benefit from this as well (though other enhancements would be beyond
>>>> this scope).
>>
>> The scope is https://fedorahosted.org/freeipa/ticket/2652: if I see
>> copy-pasted code, or code that reimplements something we already have
>> better tools for, I put it in a shared module.
>> This RFE just describes the outward-facing changes.
>>
>>> Would it affect ipa-server-install and ipa-client-install too?
>>> I agree with Rob explicitly listing the commands would be helpful.
>>> IMO creating a table of existing commands would be very beneficial.
>>
>>> I see it with the following columns:
>>>
>>> Command   Version     Help        Quiet       Verbose     Log File   Release
>>> xyz       added       was there   added       was there   added      Pilsner
>>> abc       was there   was there   was there   was there   added      Pilsner
>>> klm       added       was there   added       was there   added      Other beer
>>> ...
>>>
>>> This (or similar) would allow QE to easily see what changed and when and
>>> how to adjust test cases.
>>> For doc it will also provide information needed.
>>>
>>
>> Yes, I can provide such a table for each release.
>> It's a long-term, low-priority effort, so it will take some time to get
>> all of them done.
>>
>>
>> The current state:
>>
>> All commands (except ipa-getcert) have --help. None have --log-file.
>>
>>                          --version  -q  -v  -d
>> ipa-adtrust-install      Y          -   -   Y
>> ipa-ca-install           Y          -   -   Y
>> ipa-client-automount     -          -   -   *
>> ipa-client-install       Y          -   -   Y
>> ipa-compat-manage        -          -   -   Y
>> ipa-compliance           -          -   -   *
>> ipa-csreplica-manage     Y          -   Y   -
>> ipa-dns-install          Y          -   -   Y
>> ipa-getkeytab            -          Y   -   -
>> ipa-join                 -          Y   -   Y
>> ipa-ldap-updater         Y          -   -   Y
>> ipa-managed-entries      -          -   -   Y
>> ipa-nis-manage           -          -   -   Y
>> ipa-replica-conncheck    Y          Y   -   Y
>> ipa-replica-install      Y          -   -   Y
>> ipa-replica-manage       Y          -   Y   -
>> ipa-replica-prepare      Y          -   -   *
>> ipa-rmkeytab             -          -   -   Y
>> ipa-server-certinstall   -          -   -   **
>> ipa-server-install       Y          -   -   Y
>> ipa-upgradeconfig        Y          Y   -   Y
>> ipactl                   -          -   -   Y
>>
>> * long variant (--debug) only
>> ** -d means something else
>>
>>
>> Note that currently --debug is used much more than --verbose. There
>> are two reasons for favoring --verbose: it complements --quiet, and
>> some commands already use -d for something else.
>>
>>
> Can you please turn it into a page?
>

http://freeipa.org/page/V3/Logging_and_output

-- 
Petr³

From pspacek at redhat.com Tue Dec 4 12:24:39 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 04 Dec 2012 13:24:39 +0100
Subject: [Freeipa-devel] [PATCH 0098] Log failures detected in CHECK() macro
In-Reply-To: <20121122130541.GF2159@redhat.com>
References: <50AB8951.5000604@redhat.com> <20121122130541.GF2159@redhat.com>
Message-ID: <50BDEB87.6080108@redhat.com>

On 11/22/2012 02:05 PM, Adam Tkac wrote:
> On Tue, Nov 20, 2012 at 02:44:49PM +0100, Petr Spacek wrote:
>> Hello,
>>
>> Log failures detected in CHECK() macro.
>>
>> Function ldap_query() can return ISC_R_NOTFOUND legitimately.
>> For this and similar cases CHECK_CONDLOG macro was introduced.
>> It will not log if result != ISC_R_SUCCESS but == ignored_code.
>> Nested condition will be eliminated by optimizing compiler
>> in cases where ignored_code == ISC_R_SUCCESS.
>>
>> Function add_soa_record() is now called only for zones to prevent
>> false error messages.
>
> Nack.
>
> I don't like the second part of the patch much, it adds a huge amount of logging
> and now we will log every error twice because we already log errors explicitly.
>
> In my opinion better will be to add a new configuration option, for example
> "debug", and with this option we can emit log messages from CHECK macros (I
> haven't thought about implementation details, yet). Otherwise we should avoid
> logging because it's useless to log all errors, they are expected in production
> environment.
>
> I also don't like the CHECK_CONDLOG macro, it's not intuitive and with it we can end
> with so called spaghetti code... As I wrote above I would log every CHECK
> failure with debugging on.
>
> However the first part of the patch is fine (the add_soa_record part).

Ok, reworked patch is attached.

Logging is enabled only if configuration option 'verbose_checks yes' is present.

I decommissioned CHECK_CONDLOG(), so each request for non-existing record will log failure: not found (when verbose mode is enabled).
-- 
Petr^2 Spacek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0098-2-Add-option-to-log-all-failures-detected-in-CHECK-mac.patch
Type: text/x-patch
Size: 3422 bytes
Desc: not available
URL:

From atkac at redhat.com Tue Dec 4 13:36:26 2012
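The reworked behaviour described above (every CHECK() failure is logged, but only when the 'verbose_checks' option is on, so that legitimate ISC_R_NOTFOUND answers stay quiet in production), as an added example that is not code from bind-dyndb-ldap or from the attached patch. The ISC_R_* codes, the lookup() stand-in for ldap_query(), and the verbose_checks/logged_failures globals are constructed for this example; the macro follows the plugin's convention of assigning to a local `result` and jumping to a `cleanup` label.

```c
/* Added example, not bind-dyndb-ldap code: an opt-in logging CHECK() macro.
 * Constructed stand-ins: ISC_R_* codes, lookup() for ldap_query(), and the
 * verbose_checks / logged_failures globals. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef int isc_result_t;
#define ISC_R_SUCCESS  0
#define ISC_R_NOTFOUND 1
#define ISC_R_NOMEMORY 2

static bool verbose_checks = false;  /* the 'verbose_checks yes' option */
static int  logged_failures = 0;     /* CHECK() failures written to the log */

static const char *
result_totext(isc_result_t r)
{
	switch (r) {
	case ISC_R_SUCCESS:  return "success";
	case ISC_R_NOTFOUND: return "not found";
	case ISC_R_NOMEMORY: return "out of memory";
	default:             return "unknown error";
	}
}

/* Evaluate op; on any non-success result log "file:line: expr -> text" when
 * verbose_checks is on, then jump to the enclosing function's cleanup label.
 * Every failure is logged, ISC_R_NOTFOUND included, hence the opt-in. */
#define CHECK(op)							\
	do {								\
		result = (op);						\
		if (result != ISC_R_SUCCESS) {				\
			if (verbose_checks) {				\
				logged_failures++;			\
				fprintf(stderr, "%s:%d: %s -> %s\n",	\
					__FILE__, __LINE__, #op,	\
					result_totext(result));		\
			}						\
			goto cleanup;					\
		}							\
	} while (0)

/* Constructed lookup: only two names exist; a miss is a legitimate answer. */
static isc_result_t
lookup(const char *name, int *value)
{
	if (strcmp(name, "a.example.") == 0) { *value = 10; return ISC_R_SUCCESS; }
	if (strcmp(name, "b.example.") == 0) { *value = 32; return ISC_R_SUCCESS; }
	return ISC_R_NOTFOUND;
}

/* Look up both names and add their values; any failure unwinds via cleanup. */
isc_result_t
sum_records(const char *n1, const char *n2, int *out)
{
	isc_result_t result;
	int a = 0, b = 0;

	CHECK(lookup(n1, &a));
	CHECK(lookup(n2, &b));
	*out = a + b;
	result = ISC_R_SUCCESS;

cleanup:
	return result;
}

/* Wrappers that expose the behaviour as plain return values. */
int
sum_value(const char *n1, const char *n2)
{
	int v = 0;
	return sum_records(n1, n2, &v) == ISC_R_SUCCESS ? v : -1;
}

int
failures_logged_for(bool verbose, const char *n1, const char *n2)
{
	int v = 0;
	verbose_checks = verbose;
	logged_failures = 0;
	(void)sum_records(n1, n2, &v);
	return logged_failures;
}

int
main(void)
{
	printf("a+b = %d\n", sum_value("a.example.", "b.example."));
	printf("quiet: %d failure(s) logged\n",
	       failures_logged_for(false, "a.example.", "x.example."));
	printf("verbose: %d failure(s) logged\n",
	       failures_logged_for(true, "a.example.", "x.example."));
	return 0;
}
```

With the option off the lookup miss is silent and only the caller's own error handling speaks, which is Adam's objection to unconditional logging; with it on, the log line names the failing expression and its result code, which is what the reworked patch aims for during debugging.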
From: atkac at redhat.com (Adam Tkac)
Date: Tue, 4 Dec 2012 14:36:26 +0100
Subject: [Freeipa-devel] [PATCH 92 WIP] Flush whole zone from cache during zone renaming/removal.
In-Reply-To: <50A52F2D.3070402@redhat.com>
References: <50A52F2D.3070402@redhat.com>
Message-ID: <20121204133625.GA13739@redhat.com>

On Thu, Nov 15, 2012 at 07:06:37PM +0100, Petr Spacek wrote:
> Hello,
>
> attached patch is preliminary implementation of selective zone flush.
>
>
> Implementation is not so straight-forward as I want to see. Before
> discussing the patch itself - can we consider per-zone caches? In
> that case, we can simply deallocate whole per-zone RBT and we are
> done.
>
> Pros:
> * Potentially better concurrency, simpler code, much less corner cases.
>
> Cons:
> * We have to look into Zone register before searching the cache.
> * It can limit concurrency ... with many extra small zones? I'm not sure.

Hi Peter,

In my opinion per-zone caches are better. Look into zone register isn't costly operation.

Regards, Adam

> ------------
>
> Now we can dive into all the gory details of single-tree-cache implementation:
>
> Function discard_zone_from_cache() contains a long comment about
> potential problems, please send me your opinions.
>
> Functions dbg_* can be simply deleted after end of testing.
>
>
> I encountered some questions about locking:
> How I should lock these two locks properly?
> RWLOCK(&zr->rwlock, isc_rwlocktype_read);
> LOCK(&cache->mutex);
>
> AFAIK without some more intelligent algorithm or locking protocol it
> can simply deadlock if two threads attempt to get both locks in
> different order.
>
> For now I chosen isc_task_beginexclusive() way. Hopefully, zone
> flush should be rare operation so it can be enough.
>
> It raises another question:
> Is it possible for a thread to hold some lock during isc_task_beginexclusive()?
>
> I mean this situation:
> thread 1: lock(&cache->mutex)
> thread 1: store a pointer to the middle of the cache
> thread 2: isc_task_beginexclusive()
> thread 2: do something with cache
> thread 2: isc_task_endexclusive()
> thread 1: dereference stored pointer -> CRASH - thread 2 changed the
> data and pointer is invalid ... but thread 1 held the lock!
>
> I'm not really sure about this part of BIND. My guess:
> During "exclusive mode" all threads except single one (= thread
> which called isc_task_beginexclusive()) are blocked somewhere near
> dispatch() ... so they do nothing and thus they should not hold any
> lock.
>
> Is my guess correct? I looked into task.c and related code but I
> can't say "I understood!" :-(
>
>
> Now the funny part - RBT tree before and after per-zone flush.
>
> Expected behaviour when removing zone 'test.'
> =============================================
> // cache tree before "test." zone removal
> . (empty node)
>           4.34.10.in-addr.arpa
>             89.4.34.10.in-addr.arpa
>       brq.redhat.com
>         pspacek.brq.redhat.com
>         test.brq.redhat.com
>   test
>     e.test
>       _kerberos.e.test
>       _tcp.e.test (empty node)
>         _kerberos._tcp.e.test
>         _kerberos-master._tcp.e.test
>         _kpasswd._tcp.e.test
>         _ldap._tcp.e.test
>       _udp.e.test (empty node)
>         _kerberos._udp.e.test
>         _kerberos-master._udp.e.test
>         _kpasswd._udp.e.test
>         _ntp._udp.e.test
>       c182.e.test
>       pspacek.e.test
>       test.e.test
>     rec.test
>     sec.test
>     sub.test
>       ns.sub.test
>       rec.sub.test
>
>
> // cache tree after 'test.' zone removal
> // zones 'e.test.', 'sub.test.' and 'sec.test.' are still present
> // record 'rec.test.' disappeared
> .
(empty node) > 4.34.10.in-addr.arpa > 89.4.34.10.in-addr.arpa > brq.redhat.com > pspacek.brq.redhat.com > test.brq.redhat.com > test (empty node) > e.test > _kerberos.e.test > _tcp.e.test (empty node) > _kerberos._tcp.e.test > _kerberos-master._tcp.e.test > _kpasswd._tcp.e.test > _ldap._tcp.e.test > _udp.e.test (empty node) > _kerberos._udp.e.test > _kerberos-master._udp.e.test > _kpasswd._udp.e.test > _ntp._udp.e.test > c182.e.test > pspacek.e.test > test.e.test > sec.test > sub.test > ns.sub.test > rec.sub.test > > -- > Petr^2 Spacek > From 91df0bb70398f985d6b13c282672c9a87cf98f41 Mon Sep 17 00:00:00 2001 > From: Petr Spacek > Date: Thu, 15 Nov 2012 18:32:00 +0100 > Subject: [PATCH] [WIP] Flush whole zone from cache during zone > renaming/removal. > > Signed-off-by: Petr Spacek > --- > src/cache.c | 241 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ > src/cache.h | 5 ++ > src/ldap_helper.c | 4 +- > 3 files changed, 249 insertions(+), 1 deletion(-) > > diff --git a/src/cache.c b/src/cache.c > index 898d48b291a83da7f77dbcf79e2bd3e7ff8281aa..5f969f33d911bd4f111059beeb3e0dd920fba226 100644 > --- a/src/cache.c > +++ b/src/cache.c > @@ -23,19 +23,23 @@ > #include > #include > #include > +#include > +#include > > #include > #include > #include > +#include > > #include > > #include "cache.h" > #include "ldap_helper.h" > #include "log.h" > #include "rdlist.h" > #include "settings.h" > #include "util.h" > +#include "zone_register.h" > > struct ldap_cache { > isc_mutex_t mutex; /* TODO: RWLOCK? */ 
> @@ -51,6 +55,70 @@ typedef struct { > isc_time_t valid_until; > } cache_node_t; > > +/************** Use following functions only for debug purposes **************/ > +void > +dbg_print_name_indent(dns_name_t *name) { > + int label_count; > + > + label_count = dns_name_countlabels(name); > + label_count -= 1; /* root is not indented */ > + label_count *= 4; /* indentation for single domain level */ > + > + printf("%2$*1$s", label_count, ""); > +} > + > +void > +dbg_print_name(dns_name_t *name) { > + char printbuff[DNS_NAME_FORMATSIZE]; > + > + dns_name_format(name, printbuff, DNS_NAME_FORMATSIZE); > + printf("%s", printbuff); > +} > + > +void > +dbg_print_rbt_names(isc_mem_t *mctx, dns_rbt_t *rbt) { > + isc_result_t result = ISC_R_SUCCESS; > + dns_rbtnodechain_t chain; > + > + dns_rbtnodechain_init(&chain, mctx); > + result = dns_rbtnodechain_first(&chain, rbt, NULL, NULL); > + while (result != ISC_R_NOMORE && result != ISC_R_NOTFOUND) { > + dns_fixedname_t name; > + dns_fixedname_t origin; > + dns_fixedname_t concat; > + dns_fixedname_init(&name); > + dns_fixedname_init(&origin); > + dns_fixedname_init(&concat); > + dns_rbtnode_t *node = NULL; > + char *node_desc = ""; > + > + result = dns_rbtnodechain_current(&chain, dns_fixedname_name(&name), > + dns_fixedname_name(&origin), &node); > + if (!(result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN)) > + break; > + > + CHECK(dns_name_concatenate(dns_fixedname_name(&name), > + dns_fixedname_name(&origin), > + dns_fixedname_name(&concat), > + NULL)); > + dbg_print_name_indent(dns_fixedname_name(&concat)); > + dbg_print_name(dns_fixedname_name(&concat)); > + if (node->data == NULL) { > + node_desc = " (empty node)"; > + } > + printf("%s\n", node_desc); > + > + result = dns_rbtnodechain_next(&chain, NULL, NULL); > + if (!(result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN)) > + break; > + } > + dns_rbtnodechain_invalidate(&chain); > + > +cleanup: > + return; > +} > +/************************ End of debug only 
functions ************************/ > + > static void > cache_node_deleter(void *data, void *deleter_arg) > { > @@ -179,6 +247,7 @@ ldap_cache_getrdatalist(isc_mem_t *mctx, ldap_cache_t *cache, > return ISC_R_NOTFOUND; > > LOCK(&cache->mutex); > + //dbg_print_rbt_names(cache->mctx, cache->rbt); > result = dns_rbt_findname(cache->rbt, name, 0, NULL, (void *)&node); > switch (result) { > case ISC_R_SUCCESS: 
> @@ -304,6 +373,178 @@ discard_from_cache(ldap_cache_t *cache, dns_name_t *name) > return result; > } > > +/** > + * Delete all records associated with single DNS zone from the cache. > + * > + * Each individual record in the cache is tested and deleted only if: > + * 1) Cache record belongs to deleted zone (specified by del_zone parameter). > + * and at same time > + * 2) Cache record doesn't belong to some *sub*-zone of deleted zone > + * (according to zone register). > + * > + * Task will be switched to and from exclusive mode automatically. > + * > + * @param[in] del_zone Absolute DNS name of deleted zone > + * @param[in] task Task which will be locked prior the cache RBT iteration > + * > + * @retval ISC_R_SUCCESS All records beloging to del_zone were deleted. > + * @retval other Any error including ISC_R_NOMEMORY. > + * > + * @attention > + * There is a case when some records wouldn't be deleted. > + * Let's have two master zones 'test' and 'sub.test' with following records: > + * > + * @attention > + * zone 'test.': > + * - @ SOA > + * - sub NS ns.sub > + * - ns.sub A 1.2.3.4 > + * - eg.sub TXT "blah blah" > + * > + * @attention > + * zone 'sub.test.': > + * - @ SOA > + * - @ NS ns > + * - ns A 1.2.3.4 > + * > + * @attention > + * In that case deletion of zone 'test.' woudn't delete records 'sub.test.', > + * 'ns.sub.test.' and 'eg.sub.test.' from cache because zone 'sub.test.' > + * is present in ZR. > + * > + * @attention > + * Records in zone 'test.' with names ending with 'sub.test.' are not > + * authoritative and have to be exactly same as in zone 'sub.test' > + * (see http://tools.ietf.org/html/rfc1034#section-4.2.1) > + * > + * @warning > + * For reasons stated above record 'eg.sub.test.' in zone 'test.' > + * should not exist at all and should never appear in cache. 
> + */ > +isc_result_t > +discard_zone_from_cache(ldap_cache_t *cache, zone_register_t *zr, > + dns_name_t *del_zone, isc_task_t *task) > +{ > + isc_result_t result; > + dns_rbtnodechain_t chain; > + dns_fixedname_t name; > + dns_fixedname_t origin; > + dns_fixedname_t concat; > + void *nodedata = NULL; > + dns_rbt_t *zr_rbt = NULL; > + dns_fixedname_t zr_foundname; > + dns_namelist_t del_names_list; > + dns_name_t *del_name = NULL; > + isc_result_t lock_status = ISC_R_IGNORE; > + > + REQUIRE(cache != NULL); > + REQUIRE(dns_name_isabsolute(del_zone)); > + > + dns_fixedname_init(&name); > + dns_fixedname_init(&origin); > + dns_fixedname_init(&concat); > + dns_rbtnodechain_init(&chain, cache->mctx); > + ISC_LIST_INIT(del_names_list); > + > + if (cache->rbt == NULL) > + CLEANUP_WITH(ISC_R_NOMORE); > + > + lock_status = isc_task_beginexclusive(task); > + RUNTIME_CHECK(lock_status == ISC_R_SUCCESS || > + lock_status == ISC_R_LOCKBUSY); > + > + /* ???? can somebody hold some locks during isc_task_beginexclusive()? > + RWLOCK(&zr->rwlock, isc_rwlocktype_read); > + LOCK(&cache->mutex); > + */ > + > + /* Iterate over cache RBT and remember names for deletion. */ > + zr_rbt = zr_get_rbt(zr); > + result = dns_rbtnodechain_first(&chain, > + cache->rbt, > + dns_fixedname_name(&name), > + dns_fixedname_name(&origin)); > + while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) { > + nodedata = NULL; > + > + CHECK(dns_name_concatenate(dns_fixedname_name(&name), > + dns_fixedname_name(&origin), > + dns_fixedname_name(&concat), > + NULL)); > + > + if (dns_name_issubdomain(dns_fixedname_name(&concat), del_zone)) { > + dns_fixedname_init(&zr_foundname); > + result = dns_rbt_findname(zr_rbt, > + dns_fixedname_name(&concat), > + DNS_RBTFIND_NOOPTIONS, > + dns_fixedname_name(&zr_foundname), > + &nodedata); > + > + /* Delete record if no sub-domain of del_zone was found > + * in zone register. 
*/ > + if (result == ISC_R_NOTFOUND || > + ((result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) && > + (dns_name_equal(dns_fixedname_name(&zr_foundname), del_zone) || > + !dns_name_issubdomain(dns_fixedname_name(&zr_foundname), del_zone))) ) { > + del_name = isc_mem_get(cache->mctx, sizeof(dns_name_t)); > + if (del_name == NULL) > + CLEANUP_WITH(ISC_R_NOMEMORY); > + dns_name_init(del_name, NULL); > + ISC_LIST_APPEND(del_names_list, del_name, link); > + CHECK(dns_name_dup(dns_fixedname_name(&concat), > + cache->mctx, del_name)); > + } else if (result != ISC_R_SUCCESS && > + result != DNS_R_PARTIALMATCH) > + goto cleanup; > + } > + > + result = dns_rbtnodechain_next(&chain, dns_fixedname_name(&name), > + dns_fixedname_name(&origin)); > + } > + > +cleanup: > + if (result != ISC_R_NOMORE && result != ISC_R_NOTFOUND) { > + log_error_r("cache flush failed during 'sieve' phase"); > + goto cleanup; > + } else { > + result = ISC_R_SUCCESS; > + } > + > + dbg_print_rbt_names(cache->mctx, cache->rbt); > + > + /* free all memory - even in case of error */ > + while (!ISC_LIST_EMPTY(del_names_list)) { > + del_name = ISC_LIST_HEAD(del_names_list); > + ISC_LIST_UNLINK(del_names_list, del_name, link); > + if (result == ISC_R_SUCCESS) { > + result = dns_rbt_deletename(cache->rbt, del_name, > + ISC_FALSE); > + if (result == ISC_R_NOTFOUND) > + result = ISC_R_SUCCESS; > + else if (result != ISC_R_SUCCESS) > + log_error_r("unable to delete name from cache"); > + } > + if (dns_name_dynamic(del_name)) > + dns_name_free(del_name, cache->mctx); > + isc_mem_put(cache->mctx, del_name, sizeof(dns_name_t)); > + } > + > + dbg_print_rbt_names(cache->mctx, cache->rbt); > + > + if (lock_status == ISC_R_SUCCESS) > + isc_task_endexclusive(task); > + > + > + /* ???? can somebody hold some locks during isc_task_beginexclusive()? 
> + if (cache->rbt != NULL) { > + UNLOCK(&cache->mutex); > + RWUNLOCK(&zr->rwlock, isc_rwlocktype_read); > + } > + */ > + > + return result; > +} > + > isc_result_t > flush_ldap_cache(ldap_cache_t *cache) > { > diff --git a/src/cache.h b/src/cache.h > index a7aa5b7e889d9e195484a11dcf4f9a10d811f623..63f0d5ea727121af898d7f8651067d2433385ffc 100644 > --- a/src/cache.h > +++ b/src/cache.h > @@ -23,6 +23,7 @@ > #define _LD_CACHE_H_ > > #include "types.h" > +#include "zone_register.h" > > typedef struct ldap_cache ldap_cache_t; > > @@ -77,6 +78,10 @@ ldap_cache_enabled(ldap_cache_t *cache); > isc_result_t > discard_from_cache(ldap_cache_t *cache, dns_name_t *name); > > +isc_result_t > +discard_zone_from_cache(ldap_cache_t *cache, zone_register_t *zr, > + dns_name_t *del_zone, isc_task_t *task); > + > /** > * Discard all names from the cache and re-initialize internal RB-tree. > * @return ISC_R_SUCCESS even if cache is disabled. > diff --git a/src/ldap_helper.c b/src/ldap_helper.c > index 8a6f603d1393d322561a8cbb8fe4abf188c71dd0..abe19f1534c0794b69400589175fbd41937e0a59 100644 > --- a/src/ldap_helper.c > +++ b/src/ldap_helper.c > @@ -870,7 +870,9 @@ ldap_delete_zone2(ldap_instance_t *inst, dns_name_t *name, isc_boolean_t lock, > } > > /* TODO: flush cache records belonging to deleted zone */ > - CHECK(discard_from_cache(inst->cache, name)); > + //CHECK(discard_from_cache(inst->cache, name)); > + CHECK(discard_zone_from_cache(inst->cache, inst->zone_register, name, > + inst->task)); > > result = zr_get_zone_ptr(inst->zone_register, name, &zone); > if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) { > -- > 1.7.11.7 > -- Adam Tkac, Red Hat, Inc. From pviktori at redhat.com Tue Dec 4 14:51:05 2012 
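Review bot: in the `dbg_print_rbt_names` hunk (`@@ -51,6 +55,70 @@`), the `CHECK(dns_name_concatenate(...))` inside the loop jumps to `cleanup:`, which is placed after `dns_rbtnodechain_invalidate(&chain)`, so on that path the chain is never invalidated; put the label before the invalidate call. The same hunk declares `dns_rbtnode_t *node = NULL;` after statements, while the other hunks keep declarations at block start. Also, `discard_zone_from_cache` calls `dbg_print_rbt_names` unconditionally twice, so every zone removal prints the whole cache tree with `printf` to the process's stdout, and once with `cache->rbt == NULL` (the `CLEANUP_WITH(ISC_R_NOMORE)` early exit still reaches the print calls); since the cover letter says the `dbg_*` functions can be deleted after testing, drop those calls, or make the functions `static`, guard them with a debug option and route them through the plugin's log functions, before this leaves WIP.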
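Review bot: the error path of `discard_zone_from_cache` (`@@ -304,6 +373,178 @@`) never terminates: under `cleanup:` the branch `if (result != ISC_R_NOMORE && result != ISC_R_NOTFOUND) { log_error_r("cache flush failed during 'sieve' phase"); goto cleanup; }` jumps back to the same test with `result` unchanged, so a failing `CHECK(dns_name_concatenate(...))`, a failing `CHECK(dns_name_dup(...))` or `CLEANUP_WITH(ISC_R_NOMEMORY)` makes the task spin while logging the same line forever. Drop the `goto cleanup` and let the error fall through: the `if (result == ISC_R_SUCCESS)` guard in the free loop already skips `dns_rbt_deletename` on error while still releasing `del_names_list`. Two more points in the same hunk: `dns_rbtnodechain_init(&chain, cache->mctx)` has no matching `dns_rbtnodechain_invalidate`, and `RUNTIME_CHECK(lock_status == ISC_R_SUCCESS || lock_status == ISC_R_LOCKBUSY)` lets the function walk and modify `cache->rbt` after `ISC_R_LOCKBUSY` with neither exclusive mode obtained here nor the commented-out `LOCK(&cache->mutex)` / `RWLOCK(&zr->rwlock, ...)` held; if `ISC_R_LOCKBUSY` is only expected when the caller is already in exclusive mode, say so in a comment next to the check, otherwise treat it as an error. Doc comment typos: 'beloging', 'woudn't', 'prior the' (prior to).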
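Review bot: in the `ldap_delete_zone2` hunk (`@@ -870,7 +870,9 @@`), the `/* TODO: flush cache records belonging to deleted zone */` comment is now implemented by the `discard_zone_from_cache` call below it, so remove the TODO together with the commented-out `//CHECK(discard_from_cache(inst->cache, name));` rather than keeping dead code (the `//` form also differs from the `/* */` comments used elsewhere in the hunk). Separately, wrapping the call in `CHECK(...)` turns any flush error into a failure of the whole zone deletion; decide whether a cache-flush failure should abort removing the zone or be logged and the deletion continued, and state the choice in the function's comment.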
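The per-record decision that the zone flush above makes (delete a cached name only when it lies under the removed zone and its closest registered zone is not a proper sub-zone), including the 'sub.test.' caveat from the patch's comment, as an added example on plain C strings. This is not code from the patch or from bind-dyndb-ldap: the zone_register struct, is_subdomain(), closest_zone(), should_discard() and flush_zone() are constructed stand-ins for the zone register RBT, dns_name_issubdomain(), dns_rbt_findname() and the cache RBT walk, and the register and cache listing are a constructed subset of the tree shown in the thread.

```c
/* Added example, not bind-dyndb-ldap code: the zone-flush sieve on strings.
 * Constructed stand-ins: zone_register for the ZR RBT, is_subdomain() for
 * dns_name_issubdomain(), closest_zone() for dns_rbt_findname() on the ZR. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ZONES 16

/* Constructed zone register: absolute, lower-case names ending in '.'. */
typedef struct { const char *zones[MAX_ZONES]; size_t count; } zone_register;

/* True if name equals zone or lies below it; the root "." encloses all. */
static bool
is_subdomain(const char *name, const char *zone)
{
	size_t nl = strlen(name), zl = strlen(zone);

	if (strcmp(zone, ".") == 0)
		return true;
	if (nl < zl || strcmp(name + (nl - zl), zone) != 0)
		return false;
	return nl == zl || name[nl - zl - 1] == '.';
}

/* Closest enclosing registered zone (the exact or partial match that a
 * lookup in the zone register yields), or NULL when nothing encloses name. */
const char *
closest_zone(const zone_register *zr, const char *name)
{
	const char *best = NULL;
	size_t bestlen = 0, i;

	for (i = 0; i < zr->count; i++) {
		size_t len = strlen(zr->zones[i]);
		if (is_subdomain(name, zr->zones[i]) && len > bestlen) {
			best = zr->zones[i];
			bestlen = len;
		}
	}
	return best;
}

/* Deleting del_zone drops a cached name only if it lies under del_zone and
 * its closest registered zone is not a proper sub-zone of del_zone, so the
 * records of a registered 'sub.test.' survive a flush of 'test.'. */
bool
should_discard(const zone_register *zr, const char *name, const char *del_zone)
{
	const char *enclosing;

	if (!is_subdomain(name, del_zone))
		return false;                 /* unrelated name, keep */
	enclosing = closest_zone(zr, name);
	if (enclosing == NULL || strcmp(enclosing, del_zone) == 0)
		return true;                  /* not found, or del_zone itself */
	/* a registered parent of del_zone still means delete; a sub-zone, keep */
	return !is_subdomain(enclosing, del_zone);
}

/* 'Sieve' phase over a cache listing: survivors go to kept, count returned. */
size_t
flush_zone(const zone_register *zr, const char **cache, size_t n,
	   const char *del_zone, const char **kept)
{
	size_t i, k = 0;

	for (i = 0; i < n; i++)
		if (!should_discard(zr, cache[i], del_zone))
			kept[k++] = cache[i];
	return k;
}

/* Constructed register and cache listing, a subset of the thread's tree. */
const zone_register *
example_register(void)
{
	static const zone_register zr = {
		{ ".", "test.", "e.test.", "sub.test.", "sec.test.",
		  "brq.redhat.com.", "4.34.10.in-addr.arpa." }, 7 };
	return &zr;
}

size_t
example_flush_kept(void)
{
	static const char *cache[] = {
		".", "brq.redhat.com.", "test.brq.redhat.com.", "test.", "rec.test.",
		"e.test.", "_ldap._tcp.e.test.", "sec.test.", "sub.test.",
		"ns.sub.test.", "rec.sub.test.", "eg.sub.test." };
	const char *kept[sizeof(cache) / sizeof(cache[0])];
	size_t i, k = flush_zone(example_register(), cache,
				 sizeof(cache) / sizeof(cache[0]), "test.", kept);

	for (i = 0; i < k; i++)
		printf("kept: %s\n", kept[i]);
	return k;
}

int
main(void)
{
	printf("%zu of 12 names survive flushing 'test.'\n", example_flush_kept());
	return 0;
}
```

Flushing 'test.' removes only 'test.' and 'rec.test.'; every name under the registered 'e.test.', 'sub.test.' and 'sec.test.' stays, as does 'test.brq.redhat.com.', whose leading label merely happens to be "test". The 'eg.sub.test.' entry stays too, which is the case the patch's comment flags as a record that should never have been cached in the first place.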
From: pviktori at redhat.com (Petr Viktorin)
Date: Tue, 04 Dec 2012 15:51:05 +0100
Subject: [Freeipa-devel] [PATCH] lkundrak-0001 Drop unused readline import
Message-ID: <50BE0DD9.2070308@redhat.com>

This patch was posted to Trac as https://fedorahosted.org/freeipa/ticket/3276

It fixes https://fedorahosted.org/freeipa/ticket/2691; I've added the link to the commit message.

Works fine, ACK. Thank you, Ľubomír!

-- 
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-lkundrak-0001-Drop-unused-readline-import.patch
Type: text/x-patch
Size: 1262 bytes
Desc: not available
URL:

From pviktori at redhat.com Tue Dec 4 15:13:07 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Tue, 04 Dec 2012 16:13:07 +0100
Subject: [Freeipa-devel] [PATCH] lkundrak-0001 Drop unused readline import
In-Reply-To: <50BE0DD9.2070308@redhat.com>
References: <50BE0DD9.2070308@redhat.com>
Message-ID: <50BE1303.8050607@redhat.com>

On 12/04/2012 03:51 PM, Petr Viktorin wrote:
> This patch was posted to Trac as
> https://fedorahosted.org/freeipa/ticket/3276
>
> It fixes https://fedorahosted.org/freeipa/ticket/2691; I've added the
> link to the commit message.
>
> Works fine, ACK. Thank you, Ľubomír!
>
>

And here's a patch to add Lubomir to Contributors.txt.

-- 
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0102-Add-Lubomir-Rintel-to-Contributors.txt.patch
Type: text/x-patch
Size: 654 bytes
Desc: not available
URL:

From mkosek at redhat.com Tue Dec 4 15:31:27 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 04 Dec 2012 16:31:27 +0100
Subject: [Freeipa-devel] [PATCH] lkundrak-0001 Drop unused readline import
In-Reply-To: <50BE1303.8050607@redhat.com>
References: <50BE0DD9.2070308@redhat.com> <50BE1303.8050607@redhat.com>
Message-ID: <50BE174F.1070500@redhat.com>

On 12/04/2012 04:13 PM, Petr Viktorin wrote:
> On 12/04/2012 03:51 PM, Petr Viktorin wrote:
>> This patch was posted to Trac as
>> https://fedorahosted.org/freeipa/ticket/3276
>>
>> It fixes https://fedorahosted.org/freeipa/ticket/2691; I've added the
>> link to the commit message.
>>
>> Works fine, ACK. Thank you, Ľubomír!
>>
>>
>>
>
> And here's a patch to add Lubomir to Contributors.txt.
>

Pushed both to master and ipa-3-0. Thanks to both Petr and Lubomir!

Martin

From mkosek at redhat.com Tue Dec 4 15:58:49 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 04 Dec 2012 16:58:49 +0100
Subject: [Freeipa-devel] [PATCH] 338 Improve ipa-replica-prepare error message
Message-ID: <50BE1DB9.4010206@redhat.com>

When DNS zone/record manipulation commands fail, for example due to a
ValidationError, ipa-replica-prepare reports a whole traceback which is
difficult to read. Make sure our error is more readable.

https://fedorahosted.org/freeipa/ticket/3283

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-338-improve-ipa-replica-prepare-error-message.patch
Type: text/x-patch
Size: 2087 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Dec 4 16:51:57 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Dec 2012 11:51:57 -0500
Subject: [Freeipa-devel] [PATCH] 1073 honor disabling lockout in ipa_lockout
Message-ID: <50BE2A2D.5030106@redhat.com>

Two options were added to the kdb backend to disable writes. The ipa_lockout plugin needs to honor these as well.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1073-lockout.patch
Type: text/x-patch
Size: 5535 bytes
Desc: not available
URL:

From dpal at redhat.com Tue Dec 4 17:17:48 2012
From: dpal at redhat.com (Dmitri Pal) Date: Tue, 04 Dec 2012 12:17:48 -0500 Subject: [Freeipa-devel] [RFE] Logging and output in install & management commands In-Reply-To: <50BDBC93.5080608@redhat.com> References: <50BCAD45.8080906@redhat.com> <50BCCD3A.1020905@redhat.com> <50BCD0A3.6060500@redhat.com> <50BCE196.5000404@redhat.com> <50BCE46C.5090402@redhat.com> <50BDBC93.5080608@redhat.com> Message-ID: <50BE303C.8000306@redhat.com> On 12/04/2012 04:04 AM, Petr Viktorin wrote: > On 12/03/2012 06:42 PM, Dmitri Pal wrote: >> On 12/03/2012 12:29 PM, Petr Viktorin wrote: >>> On 12/03/2012 05:17 PM, Dmitri Pal wrote: >>>> On 12/03/2012 11:03 AM, Rob Crittenden wrote: >>>>> Petr Viktorin wrote: >>>>>> Hello, >>>>>> Please take a while to comment on this proposal before I post it on >>>>>> the >>>>>> wiki. >>>>>> This is about user-visible changes I plan to make for #2652 >>>>>> (Framework >>>>>> for admin/install tool) -- consistent behavior will (in addition to >>>>>> not >>>>>> confusing users) enable the framework to do common work without too >>>>>> much >>>>>> special-casing. >>>>>> >>>>>> >>> [...] >>>>> >>>>> Can you list exactly which commands you're targetting? >>> >>> All of them, `ls /usr/sbin/ipa*`. >>> The ones written in C should just get the common options, framework >>> stuff doesn't apply to them. >>> >>>>> At least some (ipa-replica-manage, ipa-replica-prepare) don't have >>>>> logging but may still benefit from this structure. Did you have those >>>>> in mind as well? >>> >>> Yes. They do output, they have --quiet and --verbose options. They >>> should use the logger even if the log doesn't happen to go to a file. >>> And once they do, I won't special-case them to lose --log-file. >>> >>>>> It may be time to rewrite ipa-upgradeconfig too. It started as a >>>>> one-off and has grown considerably over the past year. It would >>>>> benefit from this as well (though other enhancements would be beyond >>>>> this scope). 
>>>
>>> The scope is https://fedorahosted.org/freeipa/ticket/2652: if I see
>>> copy-pasted code, or code that reimplements something we already have
>>> better tools for, I put it in a shared module.
>>> This RFE just describes the outward-facing changes.
>>>
>>>> Would it affect ipa-server-install and ipa-client-install too?
>>>> I agree with Rob, explicitly listing the commands would be helpful.
>>>> IMO creating a table of existing commands would be very beneficial.
>>>
>>>> I see it with the following columns:
>>>>
>>>> Command  Version    Help       Quiet      Verbose    Log File  Release
>>>> xyz      added      was there  added      was there  added     Pilsner
>>>> abc      was there  was there  was there  was there  added     Pilsner
>>>> klm      added      was there  added      was there  added     Other beer
>>>> ...
>>>>
>>>> This (or similar) would allow QE to easily see what changed and
>>>> when and how to adjust test cases.
>>>> For doc it will also provide information needed.
>>>>
>>>
>>> Yes, I can provide such a table for each release.
>>> It's long-term, low-priority effort, so it will take some time to get
>>> all of them done.
>>>
>>>
>>> The current state:
>>>
>>> All commands (except ipa-getcert) have --help. None have --log-file.
>>>
>>>                         --version  -q  -v  -d
>>> ipa-adtrust-install         Y       -   -   Y
>>> ipa-ca-install              Y       -   -   Y
>>> ipa-client-automount        -       -   -   *
>>> ipa-client-install          Y       -   -   Y
>>> ipa-compat-manage           -       -   -   Y
>>> ipa-compliance              -       -   -   *
>>> ipa-csreplica-manage        Y       -   Y   -
>>> ipa-dns-install             Y       -   -   Y
>>> ipa-getkeytab               -       Y   -   -
>>> ipa-join                    -       Y   -   Y
>>> ipa-ldap-updater            Y       -   -   Y
>>> ipa-managed-entries         -       -   -   Y
>>> ipa-nis-manage              -       -   -   Y
>>> ipa-replica-conncheck       Y       Y   -   Y
>>> ipa-replica-install         Y       -   -   Y
>>> ipa-replica-manage          Y       -   Y   -
>>> ipa-replica-prepare         Y       -   -   *
>>> ipa-rmkeytab                -       -   -   Y
>>> ipa-server-certinstall      -       -   -   **
>>> ipa-server-install          Y       -   -   Y
>>> ipa-upgradeconfig           Y       Y   -   Y
>>> ipactl                      -       -   -   Y
>>>
>>> * long variant (--debug) only
>>> ** -d means something else
>>>
>>>
>>> Note that currently --debug is used much more than --verbose. There
>>> are two reasons for favoring --verbose: it complements --quiet, and
>>> some commands already use -d for something else.
>>>
>>>
>> Can you please turn it into a page?
>>
>
> http://freeipa.org/page/V3/Logging_and_output
>

Nice! Thanks.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simo at redhat.com Tue Dec 4 17:18:08 2012
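The option set and logger behaviour Petr describes above (every tool emits through the logger even when no log file is in use, -q and -v complement each other around the default level, --log-file records everything, and -d is left alone because some tools already use it for something else), as an added Python example that is not FreeIPA's own code: the helper names add_common_options, setup_logging, parse_args and handler_levels, the tool name and the TOOL_VERSION string are assumptions made for illustration.

```python
"""Added example (not FreeIPA code): one shared option set and one logger
for admin tools, in the spirit of the --quiet/--verbose/--log-file RFE.
The helper names and TOOL_VERSION are assumptions for illustration."""
import argparse
import logging
import sys

TOOL_VERSION = "0.0.0"  # assumed; a real tool takes this from its package


def add_common_options(parser):
    """Attach the common options. -d is deliberately not claimed here so
    tools that already use -d for something else are not broken."""
    parser.add_argument("--version", action="version", version=TOOL_VERSION)
    parser.add_argument("-q", "--quiet", action="store_true",
                        help="print only errors on the console")
    parser.add_argument("-v", "--verbose", action="store_true",
                        help="print debug output on the console")
    parser.add_argument("--log-file", metavar="FILE",
                        help="append a full debug log to FILE")
    return parser


def console_level(quiet, verbose):
    """Console threshold: -q and -v move in opposite directions from INFO."""
    if quiet and verbose:
        raise ValueError("--quiet and --verbose are mutually exclusive")
    if quiet:
        return logging.ERROR   # 40
    if verbose:
        return logging.DEBUG   # 10
    return logging.INFO        # 20


def setup_logging(name, options, stream=sys.stderr):
    """All output goes through one logger: the console handler honours
    -q/-v, the optional file handler always records everything."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)   # the handlers do the filtering
    logger.handlers[:] = []          # idempotent if called twice
    logger.propagate = False
    console = logging.StreamHandler(stream)
    console.setLevel(console_level(options.quiet, options.verbose))
    console.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(console)
    if options.log_file:
        filelog = logging.FileHandler(options.log_file)
        filelog.setLevel(logging.DEBUG)
        filelog.setFormatter(logging.Formatter(
            "%(asctime)s %(levelname)s %(name)s: %(message)s"))
        logger.addHandler(filelog)
    return logger


def parse_args(argv, prog="ipa-example-tool"):
    """Parse argv with the common options; -q together with -v is a usage
    error (argparse exits with status 2), not a silent precedence rule."""
    parser = add_common_options(argparse.ArgumentParser(prog=prog))
    options = parser.parse_args(argv)
    if options.quiet and options.verbose:
        parser.error("--quiet and --verbose are mutually exclusive")
    return options


def handler_levels(logger):
    """Thresholds of the attached handlers, console first."""
    return [h.level for h in logger.handlers]


if __name__ == "__main__":
    opts = parse_args(sys.argv[1:])
    log = setup_logging("ipa-example-tool", opts)
    log.debug("debug line, shown on the console only with -v")
    log.info("starting")
    log.error("an error, shown even with -q")
```

Run with -q and the console shows only the error line, with -v it also shows the debug line, and --log-file gets all three regardless, so a support case can ask for the file without re-running the tool.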
From: simo at redhat.com (Simo Sorce) Date: Tue, 04 Dec 2012 12:18:08 -0500 Subject: [Freeipa-devel] [PATCH] 1073 honor disabling lockout in ipa_lockout In-Reply-To: <50BE2A2D.5030106@redhat.com> References: <50BE2A2D.5030106@redhat.com> Message-ID: <1354641488.19871.262.camel@willson.li.ssimo.org> On Tue, 2012-12-04 at 11:51 -0500, Rob Crittenden wrote: > Two options were added to the kdb backend to disable writes. The > ipa_lockout plugin needs to honor these as well. Oh I saw it assigned to me and was going to propose a similar patch. Thanks for getting there first :-) But one q. I wonder if we shouldn't share the code to audit stuff between the kdb plugin and the ldap plugin, this split sounds like it is going to bite us again if we need to change behavior. What do you think ? Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Tue Dec 4 19:03:42 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 04 Dec 2012 14:03:42 -0500 Subject: [Freeipa-devel] [PATCH] 1074 limit service list Message-ID: <50BE490E.3050602@redhat.com> Only touch the service list in the server installer and ipactl. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-1074-service-list.patch Type: text/x-patch Size: 4196 bytes Desc: not available URL: From simo at redhat.com Tue Dec 4 19:30:08 2012 From: simo at redhat.com (Simo Sorce) Date: Tue, 04 Dec 2012 14:30:08 -0500 Subject: [Freeipa-devel] [PATCH] 1074 limit service list In-Reply-To: <50BE490E.3050602@redhat.com> References: <50BE490E.3050602@redhat.com> Message-ID: <1354649408.19871.275.camel@willson.li.ssimo.org> On Tue, 2012-12-04 at 14:03 -0500, Rob Crittenden wrote: > Only touch the service list in the server installer and ipactl. Nack, comments inline. > diff --git a/install/tools/ipactl b/install/tools/ipactl > index > f931a27257aaca987db46c7295cbb4708a6801f7..2a60b9eaf4e1ffb536fd389d17ff747c99492a35 100755 > --- a/install/tools/ipactl
> +++ b/install/tools/ipactl > @@ -175,6 +175,9 @@ def get_config_from_file(): > > svc_list = [] > > + if not os.path.exists(ipaservices.get_svc_list_file()): > + return svc_list > + This breaks the fallback we have in ipa_stop() We expect an exception or a non-empty list there. > try: > f = open(ipaservices.get_svc_list_file(), 'r') > svc_list = json.load(f) > @@ -469,7 +472,7 @@ def main(): > else: > raise e > > - api.bootstrap(context='cli', debug=options.debug) > + api.bootstrap(context='ipactl', debug=options.debug) > api.finalize() > > if '.' not in api.env.host: > diff --git a/ipapython/platform/base.py b/ipapython/platform/base.py > index > 8385e1038c0609ae06a7a4a25d844de48360f19e..d1d42b3259d735d88df4e9c1698d5f8781dd1124 100644 > --- a/ipapython/platform/base.py > +++ b/ipapython/platform/base.py > @@ -136,12 +136,15 @@ class PlatformService(object): > def __init__(self, service_name): > self.service_name = service_name > > - def start(self, instance_name="", capture_output=True, > wait=True): > + def start(self, instance_name="", capture_output=True, wait=True, > + update_list=True): Can we call this something like 'store_action' or 'remember_action' ? 'update_list' is quite opaque as name. Or maybe at least qualify: 'update_stop_list' > """ > When a service is started record the fact in a special file. > This allows ipactl stop to always stop all services that have > been started via ipa tools > """ > + if not update_list: > + return > svc_list = [] > try: > f = open(SVC_LIST_FILE, 'r') > @@ -159,10 +162,12 @@ class PlatformService(object): > f.close() > return > > - def stop(self, instance_name="", capture_output=True): > + def stop(self, instance_name="", capture_output=True, > update_list=True): > """ > When a service is stopped remove it from the service list > file. > """ > + if not update_list: > + return > svc_list = [] > try: > f = open(SVC_LIST_FILE, 'r')
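Review bot: the `os.path.exists()` short-circuit added at the top of get_config_from_file() makes a missing list file look like an empty one to every caller, including ipa_stop(), and it duplicates the `open()` in the try block just below, which already fails for a missing file. Since the case that needs to survive a missing file is `ipactl status`, keep get_config_from_file() raising and catch the error in that caller, keyed on errno.ENOENT so that a permission problem or a corrupt JSON file still surfaces, rather than pre-checking existence for everyone.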
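Review bot: changing api.bootstrap() from context='cli' to context='ipactl' is what the systemd.py part of the patch keys on, but the context name also selects which per-context configuration file bootstrap reads next to default.conf, so ipactl quietly stops honouring whatever it used to pick up as 'cli'. Say in the commit message that this is intended, and check for other code that compares api.env.context against 'cli' to be sure ipactl is not special-cased there.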
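Review bot: the docstring of PlatformService.start() still reads as if the start is always recorded, while the new `if not update_list: return` makes that conditional; document the parameter (what True means and which callers are expected to pass False) and consider the more descriptive name suggested above, since `update_list=True` on its own does not say which list. The same applies to stop() below it: with update_list=False a previously recorded service stays in the file and a later `ipactl stop` will issue a redundant stop for it, which is harmless for systemctl but worth a one-line comment.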
> diff --git a/ipapython/platform/systemd.py > b/ipapython/platform/systemd.py > index > bb6c009299adc9ca8488308afffdd767975fc2ae..359b593594f2db2b1a1810abbd71deebbf33677e 100644 > --- a/ipapython/platform/systemd.py > +++ b/ipapython/platform/systemd.py > @@ -91,13 +91,21 @@ class SystemdService(base.PlatformService): > > def stop(self, instance_name="", capture_output=True): > ipautil.run(["/bin/systemctl", "stop", > self.service_instance(instance_name)], capture_output=capture_output) > - super(SystemdService, self).stop(instance_name) > + if 'context' in api.env and api.env.context in ['ipactl', > 'installer']: Will this trigger also when ipa-client-install is run ? We have a patch on the list to restart sssd via ipa-client-install. sssd *should* not end in the stop-list though. > + update_list = True > + else: > + update_list = False > + super(SystemdService, > self).stop(instance_name,update_list=update_list) > > def start(self, instance_name="", capture_output=True, > wait=True): > ipautil.run(["/bin/systemctl", "start", > self.service_instance(instance_name)], capture_output=capture_output) > + if 'context' in api.env and api.env.context in ['ipactl', > 'installer']: > + update_list = True > + else: > + update_list = False > if wait and self.is_running(instance_name): > > self.__wait_for_open_ports(self.service_instance(instance_name)) > - super(SystemdService, self).start(instance_name) > + super(SystemdService, self).start(instance_name, > update_list=update_list) > > def restart(self, instance_name="", capture_output=True, > wait=True): > # Restart command is broken before systemd-36-3.fc16 > In general looks good, otherwise. Simo. > -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Tue Dec 4 20:03:55 2012 
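Review bot: the test `'context' in api.env and api.env.context in ['ipactl', 'installer']` is copied verbatim into stop() and start(), and this hunk does not show `api` being imported into systemd.py; if it is not already imported there, both methods fail with NameError the first time they run. Compute the flag once in a small helper, or keep the recording contexts in one module-level tuple, and use it from stop(), start() and any other PlatformService implementation, so the rule cannot drift between the two methods or between platforms.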
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 04 Dec 2012 15:03:55 -0500 Subject: [Freeipa-devel] [PATCH] 1073 honor disabling lockout in ipa_lockout In-Reply-To: <1354641488.19871.262.camel@willson.li.ssimo.org> References: <50BE2A2D.5030106@redhat.com> <1354641488.19871.262.camel@willson.li.ssimo.org> Message-ID: <50BE572B.6090601@redhat.com> Simo Sorce wrote: > On Tue, 2012-12-04 at 11:51 -0500, Rob Crittenden wrote: >> Two options were added to the kdb backend to disable writes. The >> ipa_lockout plugin needs to honor these as well. > > Oh I saw it assigned to me and was going to propose a similar patch. > Thanks for getting there first :-) > > But one q. I wonder if we shouldn't share the code to audit stuff > between the kdb plugin and the ldap plugin, this split sounds like it is > going to bite us again if we need to change behavior. > > What do you think ? > > Simo. > I figured that since I wrote the lockout plugin I should fix this :-) I think that sharing the logic of the lockout is a great idea. I'm not entirely sure if all the LDAP-ey code can be made totally generic (one runs as an internal plugin of 389-ds, the other inside the KDC) but at least the evaluation logic can be consolidated. Are you proposing that as part of this fix or as a future enhancement? rob From simo at redhat.com Tue Dec 4 20:12:12 2012
From: simo at redhat.com (Simo Sorce) Date: Tue, 04 Dec 2012 15:12:12 -0500 Subject: [Freeipa-devel] [PATCH] 1073 honor disabling lockout in ipa_lockout In-Reply-To: <50BE572B.6090601@redhat.com> References: <50BE2A2D.5030106@redhat.com> <1354641488.19871.262.camel@willson.li.ssimo.org> <50BE572B.6090601@redhat.com> Message-ID: <1354651932.19871.288.camel@willson.li.ssimo.org> On Tue, 2012-12-04 at 15:03 -0500, Rob Crittenden wrote: > Simo Sorce wrote: > > On Tue, 2012-12-04 at 11:51 -0500, Rob Crittenden wrote: > >> Two options were added to the kdb backend to disable writes. The > >> ipa_lockout plugin needs to honor these as well. > > > > Oh I saw it assigned to me and was going to propose a similar patch. > > Thanks for getting there first :-) > > > > But one q. I wonder if we shouldn't share the code to audit stuff > > between the kdb plugin and the ldap plugin, this split sounds like it is > > going to bite us again if we need to change behavior. > > > > What do you think ? > > > > Simo. > > > > I figured that since I wrote the lockout plugin I should fix this :-) > > I think that sharing the logic of the lockout is a great idea. I'm not > entirely sure if all the LDAP-ey code can be made totally generic (one > runs as an internal plugin of 389-ds, the other inside the KDC) > but at least the evaluation logic can be consolidated. We already share code between the password plugin and the kdb driver for password related stuff, we just need to be smart :-) > Are you proposing that as part of this fix or as a future enhancement? Nah, let's open a ticket for 3.2, I do not want to delay this fix, which *is* sufficient to address the bug. So ACK. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Tue Dec 4 20:14:28 2012
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 04 Dec 2012 15:14:28 -0500 Subject: [Freeipa-devel] [PATCH] 1074 limit service list In-Reply-To: <1354649408.19871.275.camel@willson.li.ssimo.org> References: <50BE490E.3050602@redhat.com> <1354649408.19871.275.camel@willson.li.ssimo.org> Message-ID: <50BE59A4.5010709@redhat.com> Simo Sorce wrote: > On Tue, 2012-12-04 at 14:03 -0500, Rob Crittenden wrote: >> Only touch the service list in the server installer and ipactl. > > Nack, comments inline. > > >> diff --git a/install/tools/ipactl b/install/tools/ipactl >> index >> f931a27257aaca987db46c7295cbb4708a6801f7..2a60b9eaf4e1ffb536fd389d17ff747c99492a35 100755 >> --- a/install/tools/ipactl >> +++ b/install/tools/ipactl >> @@ -175,6 +175,9 @@ def get_config_from_file(): >> >> svc_list = [] >> >> + if not os.path.exists(ipaservices.get_svc_list_file()): >> + return svc_list >> + > > This breaks the fallback we have in ipa_stop() > We expect an exception or a non-empty list there. Ok, I can move the handling so ipactl ignores the exception. >> try: >> f = open(ipaservices.get_svc_list_file(), 'r') >> svc_list = json.load(f) >> @@ -469,7 +472,7 @@ def main(): >> else: >> raise e >> >> - api.bootstrap(context='cli', debug=options.debug) >> + api.bootstrap(context='ipactl', debug=options.debug) >> api.finalize() >> >> if '.' not in api.env.host: >> diff --git a/ipapython/platform/base.py b/ipapython/platform/base.py >> index >> 8385e1038c0609ae06a7a4a25d844de48360f19e..d1d42b3259d735d88df4e9c1698d5f8781dd1124 100644 >> --- a/ipapython/platform/base.py >> +++ b/ipapython/platform/base.py
>> @@ -136,12 +136,15 @@ class PlatformService(object): >> def __init__(self, service_name): >> self.service_name = service_name >> >> - def start(self, instance_name="", capture_output=True, >> wait=True): >> + def start(self, instance_name="", capture_output=True, wait=True, >> + update_list=True): > > Can we call this something like 'store_action' or 'remember_action' ? > 'update_list' is quite opaque as name. > Or maybe at least qualify: 'update_stop_list' Yes, I'm not completely happy with the variable name either. How about update_service_list? >> """ >> When a service is started record the fact in a special file. >> This allows ipactl stop to always stop all services that have >> been started via ipa tools >> """ >> + if not update_list: >> + return >> svc_list = [] >> try: >> f = open(SVC_LIST_FILE, 'r') >> @@ -159,10 +162,12 @@ class PlatformService(object): >> f.close() >> return >> >> - def stop(self, instance_name="", capture_output=True): >> + def stop(self, instance_name="", capture_output=True, >> update_list=True): >> """ >> When a service is stopped remove it from the service list >> file. >> """ >> + if not update_list: >> + return >> svc_list = [] >> try: >> f = open(SVC_LIST_FILE, 'r') >> diff --git a/ipapython/platform/systemd.py >> b/ipapython/platform/systemd.py >> index >> bb6c009299adc9ca8488308afffdd767975fc2ae..359b593594f2db2b1a1810abbd71deebbf33677e 100644 >> --- a/ipapython/platform/systemd.py >> +++ b/ipapython/platform/systemd.py 
>> @@ -91,13 +91,21 @@ class SystemdService(base.PlatformService): >> >> def stop(self, instance_name="", capture_output=True): >> ipautil.run(["/bin/systemctl", "stop", >> self.service_instance(instance_name)], capture_output=capture_output) >> - super(SystemdService, self).stop(instance_name) >> + if 'context' in api.env and api.env.context in ['ipactl', >> 'installer']: > > Will this trigger also when ipa-client-install is run ? > We have a patch on the list to restart sssd via ipa-client-install. > sssd *should* not end in the stop-list though. No, the only services we care about for ipactl are those started by the server itself. I don't think a user would expect that certmonger, messagebus, sssd, etc would stop if they executed ipactl stop. >> + update_list = True >> + else: >> + update_list = False >> + super(SystemdService, >> self).stop(instance_name,update_list=update_list) >> >> def start(self, instance_name="", capture_output=True, >> wait=True): >> ipautil.run(["/bin/systemctl", "start", >> self.service_instance(instance_name)], capture_output=capture_output) >> + if 'context' in api.env and api.env.context in ['ipactl', >> 'installer']: >> + update_list = True >> + else: >> + update_list = False >> if wait and self.is_running(instance_name): >> >> self.__wait_for_open_ports(self.service_instance(instance_name)) >> - super(SystemdService, self).start(instance_name) >> + super(SystemdService, self).start(instance_name, >> update_list=update_list) >> >> def restart(self, instance_name="", capture_output=True, >> wait=True): >> # Restart command is broken before systemd-36-3.fc16 >> > In general looks good, otherwise. I'll work up a new patch soon. rob From simo at redhat.com Tue Dec 4 20:20:31 2012 
From: simo at redhat.com (Simo Sorce) Date: Tue, 04 Dec 2012 15:20:31 -0500 Subject: [Freeipa-devel] [PATCH] 1074 limit service list In-Reply-To: <50BE59A4.5010709@redhat.com> References: <50BE490E.3050602@redhat.com> <1354649408.19871.275.camel@willson.li.ssimo.org> <50BE59A4.5010709@redhat.com> Message-ID: <1354652431.19871.291.camel@willson.li.ssimo.org> On Tue, 2012-12-04 at 15:14 -0500, Rob Crittenden wrote: > Simo Sorce wrote: > > On Tue, 2012-12-04 at 14:03 -0500, Rob Crittenden wrote: > >> Only touch the service list in the server installer and ipactl. > > > > Nack, comments inline. > > [..] > > This breaks the fallback we have in ipa_stop() > > We expect an exception or a non-empty list there. > > Ok, I can move the handling so ipactl ignores the exception. Is the problem that we are printing an error to stdout/stderr ? Or do you actually want to change behavior somehow ? [..] > > Can we call this something like 'store_action' or 'remember_action' ? > > 'update_list' is quite opaque as name. > > Or maybe at least qualify: 'update_stop_list' > > Yes, I'm not completely happy with the variable name either. How about > update_service_list? Sounds ok. [..] > > Will this trigger also when ipa-client-install is run ? > > We have a patch on the list to restart sssd via ipa-client-install. > > sssd *should* not end in the stop-list though. > > No, the only services we care about for ipactl are those started by the > server itself. I don't think a user would expect that certmonger, > messagebus, sssd, etc would stop if they executed ipactl stop. Yes this is what I am saying, so ipa-client-install is identified as 'cli' and not as 'installer' I guess ? [..] > I'll work up a new patch soon. Thanks, Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Tue Dec 4 20:56:57 2012
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 04 Dec 2012 15:56:57 -0500 Subject: [Freeipa-devel] [PATCH] 1074 limit service list In-Reply-To: <1354652431.19871.291.camel@willson.li.ssimo.org> References: <50BE490E.3050602@redhat.com> <1354649408.19871.275.camel@willson.li.ssimo.org> <50BE59A4.5010709@redhat.com> <1354652431.19871.291.camel@willson.li.ssimo.org> Message-ID: <50BE6399.5090703@redhat.com> Simo Sorce wrote: > On Tue, 2012-12-04 at 15:14 -0500, Rob Crittenden wrote: >> Simo Sorce wrote: >>> On Tue, 2012-12-04 at 14:03 -0500, Rob Crittenden wrote: >>>> Only touch the service list in the server installer and ipactl. >>> >>> Nack, comments inline. >>> > [..] >>> This breaks the fallback we have in ipa_stop() >>> We expect an exception or a non-empty list there. >> >> Ok, I can move the handling so ipactl ignores the exception. > > Is the problem that we are printing an error to stdout/stderr ? > Or do you actually want to change behavior somehow ? We need to change the behavior. If you run: ipactl stop then: ipactl status you get a backtrace because the service list doesn't exist. > > [..] > >>> Can we call this something like 'store_action' or 'remember_action' ? >>> 'update_list' is quite opaque as name. >>> Or maybe at least qualify: 'update_stop_list' >> >> Yes, I'm not completely happy with the variable name either. How about >> update_service_list? > > Sounds ok. > > [..] > >>> Will this trigger also when ipa-client-install is run ? >>> We have a patch on the list to restart sssd via ipa-client-install. >>> sssd *should* not end in the stop-list though. >> >> No, the only services we care about for ipactl are those started by the >> server itself. I don't think a user would expect that certmonger, >> messagebus, sssd, etc would stop if they executed ipactl stop. > > Yes this is what I am saying, so ipa-client-install is identified as > 'cli' and not as 'installer' I guess ? > > [..] > Exactly.
When the IPA api is bootstrapped you supply a context name. This is generally unique in the IPA universe and different names make things do different things. >> I'll work up a new patch soon. > > Thanks, > Simo. > From edewata at redhat.com Tue Dec 4 21:16:37 2012 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 04 Dec 2012 15:16:37 -0600 Subject: [Freeipa-devel] [PATCH] 350 Configuring CA with ConfigParser. Message-ID: <50BE6835.4070106@redhat.com> The configuration code has been modified to use the ConfigParser to set the parameters in the CA section in the deployment configuration. This allows IPA to define additional PKI subsystems in the same configuration file. PKI Ticket #399 (https://fedorahosted.org/pki/ticket/399) -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0350-2-Configuring-CA-with-ConfigParser.patch Type: text/x-patch Size: 10359 bytes Desc: not available URL: From simo at redhat.com Tue Dec 4 21:45:35 2012 
From: simo at redhat.com (Simo Sorce) Date: Tue, 04 Dec 2012 16:45:35 -0500 Subject: [Freeipa-devel] [PATCH] 1074 limit service list In-Reply-To: <50BE6399.5090703@redhat.com> References: <50BE490E.3050602@redhat.com> <1354649408.19871.275.camel@willson.li.ssimo.org> <50BE59A4.5010709@redhat.com> <1354652431.19871.291.camel@willson.li.ssimo.org> <50BE6399.5090703@redhat.com> Message-ID: <1354657535.19871.301.camel@willson.li.ssimo.org> On Tue, 2012-12-04 at 15:56 -0500, Rob Crittenden wrote: > Simo Sorce wrote: > > On Tue, 2012-12-04 at 15:14 -0500, Rob Crittenden wrote: > >> Simo Sorce wrote: > >>> On Tue, 2012-12-04 at 14:03 -0500, Rob Crittenden wrote: > >>>> Only touch the service list in the server installer and ipactl. > >>> > >>> Nack, comments inline. > >>> > > [..] > >>> This breaks the fallback we have in ipa_stop() > >>> We expect an exception or a non-empty list there. > >> > >> Ok, I can move the handling so ipactl ignores the exception. > > > > Is the problem that we are printing an error to stdout/stderr ? > > Or do you actually want to change behavior somehow ? > > We need to change the behavior. > > If you run: ipactl stop > > then: ipactl status > > you get a backtrace because the service list doesn't exist. Ok, what about defining our own exception and then simply pass on it except for the stop() case that treats it differently ? Simo. -- Simo Sorce * Red Hat, Inc * New York From edewata at redhat.com Tue Dec 4 21:51:56 2012
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 04 Dec 2012 15:51:56 -0600 Subject: [Freeipa-devel] [PATCH] 350 Configuring CA with ConfigParser. In-Reply-To: <50BE6835.4070106@redhat.com> References: <50BE6835.4070106@redhat.com> Message-ID: <50BE707C.6090101@redhat.com> On 12/4/2012 3:16 PM, Endi Sukma Dewata wrote: > The configuration code has been modified to use the ConfigParser to > set the parameters in the CA section in the deployment configuration. > This allows IPA to define additional PKI subsystems in the same > configuration file. > > PKI Ticket #399 (https://fedorahosted.org/pki/ticket/399) New patch attached. Bumped the minimum pki-ca version. Note that the path to the ca_admin_cert.p12 is hardcoded due to this bug: https://fedorahosted.org/pki/ticket/437 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0350-3-Configuring-CA-with-ConfigParser.patch Type: text/x-patch Size: 11252 bytes Desc: not available URL: From rcritten at redhat.com Wed Dec 5 02:32:06 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 04 Dec 2012 21:32:06 -0500 Subject: [Freeipa-devel] [PATCH] 1074 limit service list In-Reply-To: <1354657535.19871.301.camel@willson.li.ssimo.org> References: <50BE490E.3050602@redhat.com> <1354649408.19871.275.camel@willson.li.ssimo.org> <50BE59A4.5010709@redhat.com> <1354652431.19871.291.camel@willson.li.ssimo.org> <50BE6399.5090703@redhat.com> <1354657535.19871.301.camel@willson.li.ssimo.org> Message-ID: <50BEB226.8010308@redhat.com> Simo Sorce wrote: > On Tue, 2012-12-04 at 15:56 -0500, Rob Crittenden wrote: >> Simo Sorce wrote: >>> On Tue, 2012-12-04 at 15:14 -0500, Rob Crittenden wrote: >>>> Simo Sorce wrote: >>>>> On Tue, 2012-12-04 at 14:03 -0500, Rob Crittenden wrote: >>>>>> Only touch the service list in the server installer and ipactl. >>>>> >>>>> Nack, comments inline. >>>>> >>> [..] >>>>> This breaks the fallback we have in ipa_stop() >>>>> We expect an exception or a non-empty list there. >>>> >>>> Ok, I can move the handling so ipactl ignores the exception. >>> >>> Is the problem that we are printing an error to stdout/stderr ? >>> Or do you actually want to change behavior somehow ? >> >> We need to change the behavior. >> >> If you run: ipactl stop >> >> then: ipactl status >> >> you get a backtrace because the service list doesn't exist. > > Ok, what about defining our own exception and then simply pass on it > except for the stop() case that treats it differently ? I think checking for file existence is probably going to hit the majority of the cases. Using a separate exception is probably overkill. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-1074-2-service-list.patch Type: text/x-patch Size: 4832 bytes Desc: not available URL: From simo at redhat.com Wed Dec 5 05:25:26 2012
From: simo at redhat.com (Simo Sorce) Date: Wed, 05 Dec 2012 00:25:26 -0500 Subject: [Freeipa-devel] [PATCH] 1074 limit service list In-Reply-To: <50BEB226.8010308@redhat.com> References: <50BE490E.3050602@redhat.com> <1354649408.19871.275.camel@willson.li.ssimo.org> <50BE59A4.5010709@redhat.com> <1354652431.19871.291.camel@willson.li.ssimo.org> <50BE6399.5090703@redhat.com> <1354657535.19871.301.camel@willson.li.ssimo.org> <50BEB226.8010308@redhat.com> Message-ID: <1354685126.19871.401.camel@willson.li.ssimo.org> On Tue, 2012-12-04 at 21:32 -0500, Rob Crittenden wrote: > Simo Sorce wrote: > > On Tue, 2012-12-04 at 15:56 -0500, Rob Crittenden wrote: > >> Simo Sorce wrote: > >>> On Tue, 2012-12-04 at 15:14 -0500, Rob Crittenden wrote: > >>>> Simo Sorce wrote: > >>>>> On Tue, 2012-12-04 at 14:03 -0500, Rob Crittenden wrote: > >>>>>> Only touch the service list in the server installer and ipactl. > >>>>> > >>>>> Nack, comments inline. > >>>>> > >>> [..] > >>>>> This breaks the fallback we have in ipa_stop() > >>>>> We expect an exception or a non-empty list there. > >>>> > >>>> Ok, I can move the handling so ipactl ignores the exception. > >>> > >>> Is the problem that we are printing an error to stdout/stderr ? > >>> Or do you actually want to change behavior somehow ? > >> > >> We need to change the behavior. > >> > >> If you run: ipactl stop > >> > >> then: ipactl status > >> > >> you get a backtrace because the service list doesn't exist. > > > > Ok, what about defining our own exception and then simply pass on it > > except for the stop() case that treats it differently ? > > I think checking for file existence is probably going to hit the > majority of the cases. Using a separate exception is probably overkill. ACK Simo. -- Simo Sorce * Red Hat, Inc * New York From mkosek at redhat.com Wed Dec 5 10:01:17 2012
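The bookkeeping the 1074 patch and this thread are about, as an added Python example that is not the project's code: services started under a recording context are written to a list file, stops remove them, a non-recording context such as the client installer's 'cli' leaves the file alone, and reading the list after the last recorded service has been stopped (the `ipactl stop` then `ipactl status` case above) yields an empty list instead of a backtrace. The file path, the context names and all function names are assumptions; the writes are atomic and the missing-file case is keyed on errno.ENOENT so that a permission error or a corrupt file still fails loudly.

```python
"""Added example (not FreeIPA code): persisting the list of services an
installer or ipactl started so a later 'ipactl stop' stops exactly those.
The path, the context names and the function names are assumptions."""
import errno
import json
import os
import tempfile

SVC_LIST_FILE = "/var/run/ipa/services.list"   # assumed location
RECORDING_CONTEXTS = ("ipactl", "installer")    # only these record starts


def load_service_list(path=SVC_LIST_FILE):
    """Return the recorded services. A missing file means 'nothing
    recorded' and yields []; any other error, including a corrupt file,
    is raised so it cannot be mistaken for an empty list."""
    try:
        with open(path) as f:
            data = json.load(f)
    except (IOError, OSError) as e:
        if e.errno == errno.ENOENT:
            return []
        raise
    if not isinstance(data, list) or not all(isinstance(s, str) for s in data):
        raise ValueError("%s is not a JSON list of service names" % path)
    return data


def save_service_list(services, path=SVC_LIST_FILE):
    """Write atomically (temp file + rename) so a crash mid-write never
    leaves a truncated list behind. An empty list removes the file."""
    if not services:
        try:
            os.unlink(path)
        except OSError as e:
            if e.errno != errno.ENOENT:
                raise
        return
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".svc.")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(services, f)
            f.flush()
            os.fsync(f.fileno())
        os.rename(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def record_start(service, context, path=SVC_LIST_FILE):
    """Remember a started service, but only for contexts whose starts a
    later 'ipactl stop' should undo. Returns whether it was recorded."""
    if context not in RECORDING_CONTEXTS:
        return False
    services = load_service_list(path)
    if service not in services:
        services.append(service)
        save_service_list(services, path)
    return True


def record_stop(service, context, path=SVC_LIST_FILE):
    """Forget a stopped service under the same rule."""
    if context not in RECORDING_CONTEXTS:
        return False
    services = load_service_list(path)
    if service in services:
        services.remove(service)
        save_service_list(services, path)
    return True


def demo():
    """Replay the thread's scenario in a temp dir (constructed names).
    The final read happens after the last recorded service was stopped,
    which must give [] rather than an exception."""
    path = os.path.join(tempfile.mkdtemp(prefix="ipa-svc-"), "services.list")
    steps = []
    steps.append(record_start("sssd", "cli", path))         # client install: not recorded
    steps.append(record_start("dirsrv@EXAMPLE-TEST", "installer", path))
    steps.append(record_start("krb5kdc", "ipactl", path))
    steps.append(load_service_list(path))
    steps.append(record_stop("krb5kdc", "ipactl", path))
    steps.append(record_stop("dirsrv@EXAMPLE-TEST", "ipactl", path))
    steps.append(os.path.exists(path))                      # list file gone
    steps.append(load_service_list(path))                   # 'ipactl status' after 'ipactl stop'
    os.rmdir(os.path.dirname(path))
    return steps


if __name__ == "__main__":
    print(demo())
```

Callers that want a missing list to be fatal (the ipa_stop() fallback discussed above) can test os.path.exists() themselves before calling load_service_list(); the loader itself only hides ENOENT.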
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 05 Dec 2012 11:01:17 +0100 Subject: [Freeipa-devel] [PATCH] 339 Change network configuration file Message-ID: <50BF1B6D.1020709@redhat.com> Fedora+systemd changed deprecated /etc/sysconfig/network which was used by IPA to store static hostname for the IPA machine. See https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details. Change Fedora platform files to store the hostname to /etc/hostname instead. https://fedorahosted.org/freeipa/ticket/3279 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-339-change-network-configuration-file.patch Type: text/x-patch Size: 8376 bytes Desc: not available URL: From abokovoy at redhat.com Wed Dec 5 10:17:47 2012 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 5 Dec 2012 12:17:47 +0200 Subject: [Freeipa-devel] [PATCH] 339 Change network configuration file In-Reply-To: <50BF1B6D.1020709@redhat.com> References: <50BF1B6D.1020709@redhat.com> Message-ID: <20121205101747.GB22265@redhat.com> On Wed, 05 Dec 2012, Martin Kosek wrote: >Fedora+systemd changed deprecated /etc/sysconfig/network which was >used by IPA to store static hostname for the IPA machine. See >https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details. > >Change Fedora platform files to store the hostname to /etc/hostname >instead. > >https://fedorahosted.org/freeipa/ticket/3279 NACK. My main objection is that it is Fedora 18 feature but you are incorporating it into fedora16 platform code. Perhaps we need to split out to fedora18 platform with this change and make sure we build with 'fedora18' platform on Fedora 18? 'fedora18' platform would inherit from fedora16 code and only override these two methods. -- / Alexander Bokovoy From mkosek at redhat.com Wed Dec 5 11:51:50 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 05 Dec 2012 12:51:50 +0100 Subject: [Freeipa-devel] [PATCH] 339 Change network configuration file In-Reply-To: <20121205101747.GB22265@redhat.com> References: <50BF1B6D.1020709@redhat.com> <20121205101747.GB22265@redhat.com> Message-ID: <50BF3556.2060208@redhat.com> On 12/05/2012 11:17 AM, Alexander Bokovoy wrote: > On Wed, 05 Dec 2012, Martin Kosek wrote: >> Fedora+systemd changed deprecated /etc/sysconfig/network which was >> used by IPA to store static hostname for the IPA machine. See >> https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details. >> >> Change Fedora platform files to store the hostname to /etc/hostname >> instead. >> >> https://fedorahosted.org/freeipa/ticket/3279 > NACK. > > My main objection is that it is Fedora 18 feature but you are > incorporating it into fedora16 platform code. > > Perhaps we need to split out to fedora18 platform with this change > and make sure we build with 'fedora18' platform on Fedora 18? > > 'fedora18' platform would inherit from fedora16 code and only override > these two methods. > That makes sense. I did that + moved restore_hostname function from platform files because it does not differ between platform versions. Updated patch attached. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-339-2-change-network-configuration-file.patch Type: text/x-patch Size: 13339 bytes Desc: not available URL: From abokovoy at redhat.com Wed Dec 5 12:14:15 2012 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 5 Dec 2012 14:14:15 +0200 Subject: [Freeipa-devel] [PATCH] 339 Change network configuration file In-Reply-To: <50BF3556.2060208@redhat.com> References: <50BF1B6D.1020709@redhat.com> <20121205101747.GB22265@redhat.com> <50BF3556.2060208@redhat.com> Message-ID: <20121205121415.GC22265@redhat.com> On Wed, 05 Dec 2012, Martin Kosek wrote: >On 12/05/2012 11:17 AM, Alexander Bokovoy wrote: >> On Wed, 05 Dec 2012, Martin Kosek wrote: >>> Fedora+systemd changed deprecated /etc/sysconfig/network which was >>> used by IPA to store static hostname for the IPA machine. See >>> https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details. >>> >>> Change Fedora platform files to store the hostname to /etc/hostname >>> instead. >>> >>> https://fedorahosted.org/freeipa/ticket/3279 >> NACK. >> >> My main objection is that it is Fedora 18 feature but you are >> incorporating it into fedora16 platform code. >> >> Perhaps we need to split out to fedora18 platform with this change >> and make sure we build with 'fedora18' platform on Fedora 18? >> >> 'fedora18' platform would inherit from fedora16 code and only override >> these two methods. >> > >That makes sense. I did that + moved restore_hostname function from platform >files because it does not differ between platform versions. > >Updated patch attached. Yes, looks much better now, thanks! ACK -- / Alexander Bokovoy From abokovoy at redhat.com Wed Dec 5 12:16:41 2012 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 5 Dec 2012 14:16:41 +0200 Subject: [Freeipa-devel] [PATCH] 0096 support Windows Server 2012 In-Reply-To: <1353611080.25995.42.camel@willson.li.ssimo.org> References: <20121122155942.GA9142@redhat.com> <1353611080.25995.42.camel@willson.li.ssimo.org> Message-ID: <20121205121641.GD22265@redhat.com> On Thu, 22 Nov 2012, Simo Sorce wrote: >On Thu, 2012-11-22 at 17:59 +0200, Alexander Bokovoy wrote: >> Hi, >> >> attached patch attempts to bring us up to MS-KILE version 25.0 support >> by >> verifying that if number of additional SIDs in KERB_VALIDATION_INFO >> structure is equal to one then this SID must be >> >> AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY, S-1-18-1 >> >> This SID means the client's identity is asserted by an authentication >> authority based on proof of possession of client credentials. >> >> During AD interop event at Microsoft earlier this year Simo found out >> that this is the case for Windows Server 2012 and we need to relax our >> check to allow this case. >> >> https://fedorahosted.org/freeipa/ticket/3231 >> >> I haven't tested it against Windows Server 2012 yet but sending the >> patch out for early check and verification. >> >> >NACK, >there are 2 SIDs Windows 2012 may put there, not just S-1-2-18-1 (also -2 >IIRC) and after I checked the docs I really think (As I suggested >before) that we shouldn't expect a specific SID here, or in a next >release a Windows server may break us again. > >The spec doesn't say they will never add other SIDs like these with new >meanings. >What we need to do is to check that NONE of these SIDs is from our own >domain, or is a builtin SID. > >I think the best option for now, is to filter out any SID in there that >we do not explicitly recognize, but not fail if there is any we do not >support, just skip. 
> >So if you find S-1-18-1/S-1-18-2 you may decide to leave them in the >PAC, they are useful indications to services and they can decide whether >to use them or not. We need to filter out any SID that is not a regular >domain SID (like well-known SIDs and Builtin Domain SIDs) and any SID >that belongs to our own domain. Beyond that we should retain other SIDs >(for example this structure might list a HistorySID for the incoming >user and we should give a chance to applications to make use of that >information).
Attached is a prototype to implement logic above. I haven't added filtering for anything but our own domain SIDs yet, want to get review for this part before going further.
-- / Alexander Bokovoy
-------------- next part --------------
From 636d0a1dc52cf4059e447c1666477f1633e07c9a Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Thu, 22 Nov 2012 17:45:40 +0200 Subject: [PATCH] ipa-kdb: Support Windows 2012 Server Windows 2012 Server changed the procedure for how KERB_VALIDATION_INFO ([MS-PAC] section 2.5) is populated. A detailed description is available in [MS-KILE] version 25.0 and above. Refactor KERB_VALIDATION_INFO verification and ensure we filter out extra SIDs in case they belong to our domain. https://fedorahosted.org/freeipa/ticket/3231 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 127 ++++++++++++++++++++++++++++++++++------ 1 file changed, 110 insertions(+), 17 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index ed2c7fb8c8c4975ce942335f4688d32f7c84f937..0609fe3b1ff02e44f715fe9a6645aad7e8cb14eb 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -30,11 +30,13 @@ struct ipadb_adtrusts { char *domain_name; char *flat_name; char *domain_sid; + struct dom_sid domsid; }; struct ipadb_mspac { char *flat_domain_name; char *flat_server_name; + struct dom_sid domsid; char *fallback_group; uint32_t fallback_rid; 
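Review bot: after this hunk both struct ipadb_adtrusts and struct ipadb_mspac carry the domain SID twice, as the string domain_sid and as the parsed struct dom_sid domsid, and nothing ties the two together; the later hunks parse the string into domsid only where the structs are filled (ipadb_mspac_get_trusted_domains and ipadb_reinit_mspac), so any future assignment to domain_sid alone leaves domsid stale. Either add a comment stating that domsid is derived from domain_sid and must be refreshed together with it, or drop the string member and produce it with dom_sid_string() only when a log message needs it.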
@@ -87,6 +89,7 @@ static char *memberof_pac_attrs[] = { #define SID_ID_AUTHS 6 #define SID_SUB_AUTHS 15 #define MAX(a,b) (((a)>(b))?(a):(b)) +#define SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY "S-1-18-1" static int string_to_sid(char *str, struct dom_sid *sid) { @@ -213,6 +216,51 @@ static struct dom_sid *dom_sid_dup(TALLOC_CTX *memctx, return new_sid; } +static int dom_sid_cmp(const struct dom_sid *sid1, const struct dom_sid *sid2, bool compare_rids) +{ + int c, num; + + if (sid1 == sid2) { + return 0; + } + + if (sid1 == NULL) { + return -1; + } + + if (sid2 == NULL) { + return 1; + } + + /* If SIDs have different revisions, they are different */ + if (sid1->sid_rev_num != sid2->sid_rev_num) + return sid1->sid_rev_num - sid2->sid_rev_num; + + /* When number of authorities is different, sids are different */ + if (sid1->num_auths != sid2->num_auths) + return sid1->num_auths - sid2->num_auths; + + /* Optionally skip RIDs if asked */ + num = sid1->num_auths - 1; + if (!compare_rids) { + num--; + if (num < 0) return sid1->sub_auths[0] - sid2->sub_auths[0]; + } + + /* for same size authorities compare them backwards + * since RIDs are likely different */ + for (c = num; c >= 0; --c) + if (sid1->sub_auths[c] != sid2->sub_auths[c]) + return sid1->sub_auths[c] - sid2->sub_auths[c]; + + /* Finally, compare Identifier authorities */ + for (c = 0; c < SID_ID_AUTHS; c++) + if (sid1->id_auth[c] != sid2->id_auth[c]) + return sid1->id_auth[c] - sid2->id_auth[c]; + + return 0; +} + static int sid_append_rid(struct dom_sid *sid, uint32_t rid) { if (sid->num_auths >= SID_SUB_AUTHS) { @@ -1070,8 +1118,9 @@ static krb5_error_code filter_logon_info(krb5_context context, * attempt at getting us to sign fake credentials with the help of a * compromised trusted realm */ + struct ipadb_context *ipactx; struct ipadb_adtrusts *domain; - char *domsid; + int i, j, result, count; domain = get_domain_from_realm_update(context, realm); if (!domain) { 
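Review bot: dom_sid_cmp() cannot serve its compare_rids=false caller, because `if (sid1->num_auths != sid2->num_auths) return sid1->num_auths - sid2->num_auths;` is evaluated before the RID is skipped; a domain SID has one sub-authority fewer than any account SID in that domain, so the prefix comparison in filter_logon_info() always reports a mismatch and no extra SID is ever removed. Split the two uses: keep dom_sid_cmp() as an exact match (a memcmp() over sid_rev_num, num_auths, id_auth and the first num_auths sub_auths is enough, and a bool result is clearer than a signed value that is not a valid ordering) and add a separate prefix test that requires sid2->num_auths == sid1->num_auths + 1 and compares the first sid1->num_auths sub-authorities. The `if (num < 0) return sid1->sub_auths[0] - sid2->sub_auths[0];` branch also reads sub_auths[0] of SIDs that have no sub-authorities at all. Separately, SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY is defined two hunks up but never referenced in this patch; use it in the filter or leave it out until it is needed.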
@@ -1089,27 +1138,48 @@ static krb5_error_code filter_logon_info(krb5_context context, return EINVAL; } - /* check sid */ - domsid = dom_sid_string(NULL, info->info->info3.base.domain_sid); - if (!domsid) { - return EINVAL; - } - - if (strcmp(domsid, domain->domain_sid) != 0) { + /* check exact sid */ + result = dom_sid_cmp(&domain->domsid, info->info->info3.base.domain_sid, true); + if (result != 0) { krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain = %s, " - "expected domain SID = %s, " - "found domain SID = %s", - domain->domain_name, domain->domain_sid, - domsid); - talloc_free(domsid); + "expected domain SID = %s, ", + domain->domain_name, domain->domain_sid); return EINVAL; } - talloc_free(domsid); - /* According to MS-KILE, info->info->info3.sids must be zero, so check - * that it is the case here */ + /* According to MS-KILE 25.0, info->info->info3.sids may be non zero, so check + * should include different possibilities into account + * */ if (info->info->info3.sidcount != 0) { - return EINVAL; + ipactx = ipadb_get_context(context); + if (!ipactx && !ipactx->mspac) { + return KRB5_KDB_DBNOTINITED; + } + count = info->info->info3.sidcount; + i = 0; + j = 0; + do { + /* Compare SIDs without taking RID into account */ + result = dom_sid_cmp(&ipactx->mspac->domsid, info->info->info3.sids[i].sid, false); + if (result == 0) { + krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain = %s, " + "extra sid should be not from the domain %s but received RID %d ", + domain->domain_name, ipactx->mspac->flat_domain_name, + info->info->info3.sids[i].sid->sub_auths[info->info->info3.sids[i].sid->num_auths-1]); + j++; + memmove(info->info->info3.sids+i, info->info->info3.sids+i+1, count-i-1); + } + i++; + } while (i < count); + + if (j != 0) { + info->info->info3.sids = talloc_realloc(memctx, info->info->info3.sids, struct netr_SidAttr, count-j); + info->info->info3.sidcount = count-j; + if (!info->info->info3.sids) { + info->info->info3.sidcount = 0; + return ENOMEM; + } 
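Review bot: three defects in the new filtering loop. `if (!ipactx && !ipactx->mspac)` dereferences ipactx exactly when it is NULL; the condition must be `||`. The removal `memmove(info->info->info3.sids+i, info->info->info3.sids+i+1, count-i-1);` passes an element count where memmove() takes bytes, so only the first count-i-1 bytes of the following entries are shifted and the rest of the array is left as it was; multiply by sizeof(struct netr_SidAttr), and after a removal do not increment i (the entry now at position i has not been examined) and decrement count, otherwise the loop skips one entry and re-reads the stale last slot. Finally, when every extra SID belongs to our domain, `talloc_realloc(memctx, info->info->info3.sids, struct netr_SidAttr, count-j)` with count-j == 0 frees the array and returns NULL, so the code reports ENOMEM for a PAC it has just successfully sanitized; handle the zero-remaining case explicitly (sids = NULL, sidcount = 0) instead of treating NULL as an allocation failure. The mismatch message also lost its `found domain SID = %s` argument and now ends with a dangling comma; keep the dom_sid_string() conversion inside the error branch so both SIDs are still logged.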
+ } } /* According to MS-KILE, ResourceGroups must be zero, so check @@ -1595,6 +1665,12 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) ret = EINVAL; goto done; } + + ret = string_to_sid(t[n].domain_sid, &t[n].domsid); + if (ret) { + ret = EINVAL; + goto done; + } } ret = 0; @@ -1611,6 +1687,7 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx) { char *dom_attrs[] = { "ipaNTFlatName", "ipaNTFallbackPrimaryGroup", + "ipaNTSecurityIdentifier", NULL }; char *grp_attrs[] = { "ipaNTSecurityIdentifier", NULL }; krb5_error_code kerr; @@ -1664,6 +1741,22 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx) goto done; } + ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, + "ipaNTSecurityIdentifier", + &resstr); + if (ret) { + kerr = ret; + goto done; + } + + ret = string_to_sid(resstr, &ipactx->mspac->domsid); + if (ret) { + kerr = ret; + free(resstr); + goto done; + } + free(resstr); + free(ipactx->mspac->flat_server_name); ipactx->mspac->flat_server_name = get_server_netbios_name(); if (!ipactx->mspac->flat_server_name) { -- 1.8.0 From pvoborni at redhat.com Wed Dec 5 12:24:32 2012 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 05 Dec 2012 13:24:32 +0100 Subject: [Freeipa-devel] [PATCH] 239 Better licensing information of 3rd party code Message-ID: <50BF3D00.5050407@redhat.com> README-LICENSE.txt file with licensing information of third party code used by Web UI in production or development was added. https://fedorahosted.org/freeipa/ticket/3281 Note: qunit tarball of version used in FreeIPA doesn't contain MIT, BSD 2 nor GPLv2 license text. Therefore I included also general MIT and BSD 2 template license text. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0239-Better-licensing-information-of-3rd-party-code.patch Type: text/x-patch Size: 23759 bytes Desc: not available URL: From mkosek at redhat.com Wed Dec 5 12:35:04 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 05 Dec 2012 13:35:04 +0100 Subject: [Freeipa-devel] [PATCH] 339 Change network configuration file In-Reply-To: <20121205121415.GC22265@redhat.com> References: <50BF1B6D.1020709@redhat.com> <20121205101747.GB22265@redhat.com> <50BF3556.2060208@redhat.com> <20121205121415.GC22265@redhat.com> Message-ID: <50BF3F78.3000607@redhat.com> On 12/05/2012 01:14 PM, Alexander Bokovoy wrote: > On Wed, 05 Dec 2012, Martin Kosek wrote: >> On 12/05/2012 11:17 AM, Alexander Bokovoy wrote: >>> On Wed, 05 Dec 2012, Martin Kosek wrote: >>>> Fedora+systemd changed deprecated /etc/sysconfig/network which was >>>> used by IPA to store static hostname for the IPA machine. See >>>> https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details. >>>> >>>> Change Fedora platform files to store the hostname to /etc/hostname >>>> instead. >>>> >>>> https://fedorahosted.org/freeipa/ticket/3279 >>> NACK. >>> >>> My main objection is that it is Fedora 18 feature but you are >>> incorporating it into fedora16 platform code. >>> >>> Perhaps we need to split out to fedora18 platform with this change >>> and make sure we build with 'fedora18' platform on Fedora 18? >>> >>> 'fedora18' platform would inherit from fedora16 code and only override >>> these two methods. >>> >> >> That makes sense. I did that + moved restore_hostname function from platform >> files because it does not differ between platform versions. >> >> Updated patch attached. > Yes, looks much better now, thanks! > > ACK Pushed to master, ipa-3-0. Martin From pviktori at redhat.com Wed Dec 5 12:54:01 2012 
From: pviktori at redhat.com (Petr Viktorin) Date: Wed, 05 Dec 2012 13:54:01 +0100 Subject: [Freeipa-devel] [PATCH] 350 Configuring CA with ConfigParser. In-Reply-To: <50BE707C.6090101@redhat.com> References: <50BE6835.4070106@redhat.com> <50BE707C.6090101@redhat.com> Message-ID: <50BF43E9.6010302@redhat.com> On 12/04/2012 10:51 PM, Endi Sukma Dewata wrote: > On 12/4/2012 3:16 PM, Endi Sukma Dewata wrote: >> The configuration code has been modified to use the ConfigParser to >> set the parameters in the CA section in the deployment configuration. >> This allows IPA to define additional PKI subsystems in the same >> configuration file. >> >> PKI Ticket #399 (https://fedorahosted.org/pki/ticket/399) > > New patch attached. Bumped the minimum pki-ca version. > > Note that the path to the ca_admin_cert.p12 is hardcoded due to this > bug: https://fedorahosted.org/pki/ticket/437 > ACK Attaching an additional patch that uses our DN objects, instead of strings, for the DN operations. I've overlooked that in the original Dogtag 10 patches (or the DN work overlapped with them, I forget). Until the new Dogtag hits official repos, you will need to use daily builds from http://nkinder.fedorapeople.org/dogtag-devel/fedora/ -- Petr³ -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0103-Use-DN-objects-for-Dogtag-configuration.patch Type: text/x-patch Size: 2655 bytes Desc: not available URL: From tjaalton at ubuntu.com Wed Dec 5 13:01:14 2012 
From: tjaalton at ubuntu.com (Timo Aaltonen) Date: Wed, 05 Dec 2012 15:01:14 +0200 Subject: [Freeipa-devel] [PATCH] convert the base platform modules into packages In-Reply-To: <507EB5F1.1040903@redhat.com> References: <505C804B.9010506@ubuntu.com> <507EB5F1.1040903@redhat.com> Message-ID: <50BF459A.8080306@ubuntu.com> On 17.10.2012 16:43, Petr Viktorin wrote: > On 09/21/2012 04:57 PM, Timo Aaltonen wrote: >> Ok, so this is the first step before we can start to rewrite bits from >> ipaserver/install to make them support other distros. There are no real >> functional changes yet. >> >> had some dependency issues installing the resulting rpm's, so didn't >> test the install scripts but they should work :) >> >> > > Hello, > > I recommend giving the -M flag to git format-patch, so it's easier to > see changes in the patch. > > > Your split of the fedora16 code into two modules is unfortunate: each > tries to import the other one, and one is the other's parent. This would > need special care to get working correctly. > > The best option here would probably be to put restore_context & > check_selinux_status into a separate submodule, so you don't need to > import fedora16 from services. > > Furthermore, in fedora16/__init__.py, you have: > from ipapython.platform.fedora16.service import * > This imports everything from that module, including e.g. "redhat" or "os". > Please avoid star imports. List all the imported names explicitly, or > import the module and then use qualified names. > > > Other than that, after a trivial rebase the patch seems to work fine on > Fedora. Thanks! And finally, here is version 2. fixed all the above, I think.. make-lint passes, make rpms too. -- t -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-convert-the-base-platform-modules-into-packages.patch Type: text/x-patch Size: 33759 bytes Desc: not available URL: From pspacek at redhat.com Wed Dec 5 12:25:56 2012 
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 05 Dec 2012 13:25:56 +0100 Subject: [Freeipa-devel] [PATCH 92] Flush whole zone from cache during zone renaming/removal. In-Reply-To: <20121204133625.GA13739@redhat.com> References: <50A52F2D.3070402@redhat.com> <20121204133625.GA13739@redhat.com> Message-ID: <50BF3D54.5050406@redhat.com> On 12/04/2012 02:36 PM, Adam Tkac wrote: > On Thu, Nov 15, 2012 at 07:06:37PM +0100, Petr Spacek wrote: >> >Hello, >> > >> >attached patch is a preliminary implementation of selective zone flush. >> > >> > >> >Implementation is not so straight-forward as I want to see. Before >> >discussing the patch itself - can we consider per-zone caches? In >> >that case, we can simply deallocate whole per-zone RBT and we are >> >done. >> > >> >Pros: >> >* Potentially better concurrency, simpler code, much less corner cases. >> > >> >Cons: >> >* We have to look into Zone register before searching the cache. >> >* It can limit concurrency ... with many extra small zones? I'm not sure. > Hi Peter, > > In my opinion per-zone caches are better. Looking into the zone register isn't > a costly operation. Second version of the patch with per-zone caches is attached. I cut all debugging code so this version could be considered as final. -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0092-2-Flush-whole-zone-from-cache-during-zone-renaming.patch Type: text/x-patch Size: 19136 bytes Desc: not available URL: From pvoborni at redhat.com Wed Dec 5 14:06:43 2012 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 05 Dec 2012 15:06:43 +0100 Subject: [Freeipa-devel] [PATCH] 239 Better licensing information of 3rd party code In-Reply-To: <50BF3D00.5050407@redhat.com> References: <50BF3D00.5050407@redhat.com> Message-ID: <50BF54F3.1020605@redhat.com> On 12/05/2012 01:24 PM, Petr Vobornik wrote: > README-LICENSE.txt file with licensing information of third party code > used by Web UI in production or development was added. > > https://fedorahosted.org/freeipa/ticket/3281 > > Note: qunit tarball of version used in FreeIPA doesn't contain MIT, BSD > 2 nor GPLv2 license text. Therefore I included also general MIT and BSD > 2 template license text. > > Forget about Overpass fonts. Updated patch attached. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0239-1-Better-licensing-information-of-3rd-party-code.patch Type: text/x-patch Size: 28264 bytes Desc: not available URL: From simo at redhat.com Wed Dec 5 14:36:40 2012 
From: simo at redhat.com (Simo Sorce) Date: Wed, 05 Dec 2012 09:36:40 -0500 Subject: [Freeipa-devel] [PATCH] 239 Better licensing information of 3rd party code In-Reply-To: <50BF54F3.1020605@redhat.com> References: <50BF3D00.5050407@redhat.com> <50BF54F3.1020605@redhat.com> Message-ID: <1354718200.19871.461.camel@willson.li.ssimo.org> On Wed, 2012-12-05 at 15:06 +0100, Petr Vobornik wrote: > On 12/05/2012 01:24 PM, Petr Vobornik wrote: > > README-LICENSE.txt file with licensing information of third party code > > used by Web UI in production or development was added. > > > > https://fedorahosted.org/freeipa/ticket/3281 > > > > Note: qunit tarball of version used in FreeIPA doesn't contain MIT, BSD > > 2 nor GPLv2 license text. Therefore I included also general MIT and BSD > > 2 template license text. > > > > > Forget about Overpass fonts. Updated patch attached. ACK. Simo. -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Wed Dec 5 14:59:30 2012 
From: simo at redhat.com (Simo Sorce) Date: Wed, 05 Dec 2012 09:59:30 -0500 Subject: [Freeipa-devel] [PATCH] 0096 support Windows Server 2012 In-Reply-To: <20121205121641.GD22265@redhat.com> References: <20121122155942.GA9142@redhat.com> <1353611080.25995.42.camel@willson.li.ssimo.org> <20121205121641.GD22265@redhat.com> Message-ID: <1354719570.19871.479.camel@willson.li.ssimo.org> On Wed, 2012-12-05 at 14:16 +0200, Alexander Bokovoy wrote: [..] > Attached is a prototype to implement logic above. I haven't added > filtering for anything but our own domain SIDs yet, want to get review > for this part before going further. Comments inline. > > +static int dom_sid_cmp(const struct dom_sid *sid1, const struct > dom_sid *sid2, bool compare_rids) > +{ > + int c, num; > + > + if (sid1 == sid2) { > + return 0; > + } > + > + if (sid1 == NULL) { > + return -1; > + } > + > + if (sid2 == NULL) { > + return 1; > + } > + > + /* If SIDs have different revisions, they are different */ > + if (sid1->sid_rev_num != sid2->sid_rev_num) > + return sid1->sid_rev_num - sid2->sid_rev_num; > + > + /* When number of authorities is different, sids are different */ > + if (sid1->num_auths != sid2->num_auths) > + return sid1->num_auths - sid2->num_auths; > + > + /* Optionally skip RIDs if asked */ > + num = sid1->num_auths - 1; > + if (!compare_rids) { > + num--; > + if (num < 0) return sid1->sub_auths[0] - sid2->sub_auths[0]; > + } I am not sure this works if you pass in a domain SID and an actual user SID, because they are of different lengths. A Domain SID is just like a USER SID but misses the last authority which represents the RID. Ie: Domain SID: S-1-5-21-12345-6789-101123 User SID: S-1-5-21-12345-6789-101123-501 I think the above function will make comparisons between domain SID and User SID (which is the only comparison we care about) never succeed. 
> + /* for same size authorities compare them backwards > + * since RIDs are likely different */ > + for (c = num; c >= 0; --c) > + if (sid1->sub_auths[c] != sid2->sub_auths[c]) > + return sid1->sub_auths[c] - sid2->sub_auths[c]; > + > + /* Finally, compare Identifier authorities */ > + for (c = 0; c < SID_ID_AUTHS; c++) > + if (sid1->id_auth[c] != sid2->id_auth[c]) > + return sid1->id_auth[c] - sid2->id_auth[c]; I am wondering, wouldn't it be more efficient if we did a simple memcmp() here ? After all these are arrays and should be fully packed. Also by testing backwards returning the classic -1, 0, +1 makes little sense because you do not know if a higher authority was 'bigger' or 'smaller' but you found a difference already in a following one. I would just return true or false from this function, either they match or they don't. By returning -1,0,1 you mislead the reader in believing this function might be used in a sorting algorithm, when it cannot as is. > + return 0; > +} > + > static int sid_append_rid(struct dom_sid *sid, uint32_t rid) > { > if (sid->num_auths >= SID_SUB_AUTHS) { > @@ -1070,8 +1118,9 @@ static krb5_error_code > filter_logon_info(krb5_context context, > * attempt at getting us to sign fake credentials with the help > of a > * compromised trusted realm */ > > + struct ipadb_context *ipactx; > struct ipadb_adtrusts *domain; > - char *domsid; > + int i, j, result, count; > > domain = get_domain_from_realm_update(context, realm); > if (!domain) { 
> @@ -1089,27 +1138,48 @@ static krb5_error_code > filter_logon_info(krb5_context context, > return EINVAL; > } > > - /* check sid */ > - domsid = dom_sid_string(NULL, info->info->info3.base.domain_sid); > - if (!domsid) { > - return EINVAL; > - } I think you can keep the above for reporting debugging purposes later so you do not have to change the log message. > - if (strcmp(domsid, domain->domain_sid) != 0) { > + /* check exact sid */ > + result = dom_sid_cmp(&domain->domsid, > info->info->info3.base.domain_sid, true); > + if (result != 0) { > krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain = %s, " > - "expected domain SID = %s, " > - "found domain SID = %s", > - domain->domain_name, > domain->domain_sid, > - domsid); > - talloc_free(domsid); > + "expected domain SID = %s, ", > + domain->domain_name, > domain->domain_sid); > return EINVAL; > } > - talloc_free(domsid); > > - /* According to MS-KILE, info->info->info3.sids must be zero, so > check > - * that it is the case here */ > + /* According to MS-KILE 25.0, info->info->info3.sids may be non > zero, so check > + * should include different possibilities into account > + * */ > if (info->info->info3.sidcount != 0) { > - return EINVAL; > + ipactx = ipadb_get_context(context); > + if (!ipactx && !ipactx->mspac) { > + return KRB5_KDB_DBNOTINITED; > + } > + count = info->info->info3.sidcount; > + i = 0; > + j = 0; > + do { > + /* Compare SIDs without taking RID into account */ > + result = dom_sid_cmp(&ipactx->mspac->domsid, > info->info->info3.sids[i].sid, false); > + if (result == 0) { > + krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain > = %s, " > + "extra sid should be not from the domain %s but > received RID %d ", > + domain->domain_name, > ipactx->mspac->flat_domain_name, > + > info->info->info3.sids[i].sid->sub_auths[info->info->info3.sids[i].sid->num_auths-1]); > + j++; > + memmove(info->info->info3.sids+i, > info->info->info3.sids+i+1, count-i-1); > + } Sorry but doesn't 0 means it's a match ? 
Looks to me using true/false is also less confusing. Also the log message would use a bit of rework, I suggest: "PAC Filtering issue: sid [%s] is not allowed from a trusted source and will be excluded." Before this you do a sid to string, this is ok even if slow as this is an important error condition and should not be common. > The rest and the approach looks otherwise good to me. Simo. -- Simo Sorce * Red Hat, Inc * New York From pvoborni at redhat.com Wed Dec 5 15:01:38 2012 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 05 Dec 2012 16:01:38 +0100 Subject: [Freeipa-devel] [PATCH] 239 Better licensing information of 3rd party code In-Reply-To: <1354718200.19871.461.camel@willson.li.ssimo.org> References: <50BF3D00.5050407@redhat.com> <50BF54F3.1020605@redhat.com> <1354718200.19871.461.camel@willson.li.ssimo.org> Message-ID: <50BF61D2.1060403@redhat.com> On 12/05/2012 03:36 PM, Simo Sorce wrote: > On Wed, 2012-12-05 at 15:06 +0100, Petr Vobornik wrote: >> On 12/05/2012 01:24 PM, Petr Vobornik wrote: >>> README-LICENSE.txt file with licensing information of third party code >>> used by Web UI in production or development was added. >>> >>> https://fedorahosted.org/freeipa/ticket/3281 >>> >>> Note: qunit tarball of version used in FreeIPA doesn't contain MIT, BSD >>> 2 nor GPLv2 license text. Therefore I included also general MIT and BSD >>> 2 template license text. >>> >>> >> Forgot about Overpass fonts. Updated patch attached. > > ACK. > > Simo. > Pushed to master, ipa-3-0. -- Petr Vobornik From tjaalton at ubuntu.com Wed Dec 5 15:06:19 2012 
From: tjaalton at ubuntu.com (Timo Aaltonen) Date: Wed, 05 Dec 2012 17:06:19 +0200 Subject: [Freeipa-devel] [PATCH] convert the base platform modules into packages In-Reply-To: <50BF459A.8080306@ubuntu.com> References: <505C804B.9010506@ubuntu.com> <507EB5F1.1040903@redhat.com> <50BF459A.8080306@ubuntu.com> Message-ID: <50BF62EB.5040006@ubuntu.com> On 05.12.2012 15:01, Timo Aaltonen wrote: > On 17.10.2012 16:43, Petr Viktorin wrote: >> On 09/21/2012 04:57 PM, Timo Aaltonen wrote: >>> Ok, so this is the first step before we can start to rewrite bits from >>> ipaserver/install to make them support other distros. There are no real >>> functional changes yet. >>> >>> had some dependency issues installing the resulting rpm's, so didn't >>> test the install scripts but they should work :) >>> >>> >> >> Hello, >> >> I recommend giving the -M flag to git format-patch, so it's easier to >> see changes in the patch. >> >> >> Your split of the fedora16 code into two modules is unfortunate: each >> tries to import the other one, and one is the other's parent. This would >> need special care to get working correctly. >> >> The best option here would probably be to put restore_context & >> check_selinux_status into a separate submodule, so you don't need to >> import fedora16 from services. >> >> Furthermore, in fedora16/__init__.py, you have: >> from ipapython.platform.fedora16.service import * >> This imports everything from that module, including e.g. "redhat" or >> "os". >> Please avoid star imports. List all the imported names explicitly, or >> import the module and then use qualified names. >> >> >> Other than that, after a trivial rebase the patch seems to work fine on >> Fedora. Thanks! > > And finally, here is version 2. > > fixed all the above, I think.. make-lint passes, make rpms too. Here's v3, thanks to your rebase to an even more current master :) -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0001-convert-the-base-platform-modules-into-packages.patch Type: text/x-patch Size: 35986 bytes Desc: not available URL: From abokovoy at redhat.com Wed Dec 5 15:18:56 2012 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 5 Dec 2012 17:18:56 +0200 Subject: [Freeipa-devel] [PATCH] 0096 support Windows Server 2012 In-Reply-To: <1354719570.19871.479.camel@willson.li.ssimo.org> References: <20121122155942.GA9142@redhat.com> <1353611080.25995.42.camel@willson.li.ssimo.org> <20121205121641.GD22265@redhat.com> <1354719570.19871.479.camel@willson.li.ssimo.org> Message-ID: <20121205151856.GE22265@redhat.com> On Wed, 05 Dec 2012, Simo Sorce wrote: >On Wed, 2012-12-05 at 14:16 +0200, Alexander Bokovoy wrote: >[..] >> Attached is a prototype to implement logic above. I haven't added >> filtering for anything but our own domain SIDs yet, want to get review >> for this part before going further. > >Comments inline. >> >> +static int dom_sid_cmp(const struct dom_sid *sid1, const struct >> dom_sid *sid2, bool compare_rids) >> +{ >> + int c, num; >> + >> + if (sid1 == sid2) { >> + return 0; >> + } >> + >> + if (sid1 == NULL) { >> + return -1; >> + } >> + >> + if (sid2 == NULL) { >> + return 1; >> + } >> + >> + /* If SIDs have different revisions, they are different */ >> + if (sid1->sid_rev_num != sid2->sid_rev_num) >> + return sid1->sid_rev_num - sid2->sid_rev_num; >> + >> + /* When number of authorities is different, sids are different */ >> + if (sid1->num_auths != sid2->num_auths) >> + return sid1->num_auths - sid2->num_auths; >> + >> + /* Optionally skip RIDs if asked */ >> + num = sid1->num_auths - 1; >> + if (!compare_rids) { >> + num--; >> + if (num < 0) return sid1->sub_auths[0] - sid2->sub_auths[0]; >> + } > >I am not sure this works if you pass in a domain SID and an actual user >SID, because they are of different lengths. A Domain SID is just like a >USER SID but misses the last authority which represents the RID. 
> >Ie: > >Domain SID: S-1-5-21-12345-6789-101123 >User SID: S-1-5-21-12345-6789-101123-501 > >I think the above function will make comparisons between domain SID and >User SID (which is the only comparison we care about) never succeed. This is why I have 'compare_rids' argument. The code in filter_logon_info actually uses it in places where we don't care about RIDs -- in case of domain SID comparison we have to compare all sub auths since the last one belongs to the domain. >> + /* for same size authorities compare them backwards >> + * since RIDs are likely different */ >> + for (c = num; c >= 0; --c) >> + if (sid1->sub_auths[c] != sid2->sub_auths[c]) >> + return sid1->sub_auths[c] - sid2->sub_auths[c]; >> + >> + /* Finally, compare Identifier authorities */ >> + for (c = 0; c < SID_ID_AUTHS; c++) >> + if (sid1->id_auth[c] != sid2->id_auth[c]) >> + return sid1->id_auth[c] - sid2->id_auth[c]; > >I am wondering, wouldn't it be more efficient if we did a simple >memcmp() here ? >After all these are arrays and should be fully packed. Probably harmless here. >Also by testing backwards returning the classic -1, 0, +1 makes little >sense because you do not know if a higher authority was 'bigger' or >'smaller' but you found a difference already in a following one. Be surprised, it is the way the SID sub auths comparison is done in Samba. >I would just return true or false from this function, either they match >or they don't. By returning -1,0,1 you mislead the reader in believing >this function might be used in a sorting algorithm, when it cannot as >is. Yes. We have two basic needs here: - test that SID starts with specific prefix (our domain), or - test that SID is well-known SIDs/exact domain SID I tried to pack two cases in the same comparison function but this is obviously not working well. So maybe I'll split them explicitly. >> + return 0; >> +} >> + >> static int sid_append_rid(struct dom_sid *sid, uint32_t rid) >> { >> if (sid->num_auths >= SID_SUB_AUTHS) { 
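Review bot: the compare_rids argument does not get past the length problem raised in the quoted review. With the example given, S-1-5-21-12345-6789-101123 has num_auths == 4 and S-1-5-21-12345-6789-101123-501 has num_auths == 5, so `if (sid1->num_auths != sid2->num_auths) return sid1->num_auths - sid2->num_auths;` fires before the `if (!compare_rids)` block is reached, and the call in filter_logon_info() returns non-zero for every SID from our own domain, the one case it exists to catch. The split proposed in the reply is the right fix; the prefix test must compare sid2->num_auths against sid1->num_auths + 1 rather than require equal lengths, and the exact-match test can then be a plain memcmp() over the populated fields returning bool.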
>> @@ -1070,8 +1118,9 @@ static krb5_error_code >> filter_logon_info(krb5_context context, >> * attempt at getting us to sign fake credentials with the help >> of a >> * compromised trusted realm */ >> >> + struct ipadb_context *ipactx; >> struct ipadb_adtrusts *domain; >> - char *domsid; >> + int i, j, result, count; >> >> domain = get_domain_from_realm_update(context, realm); >> if (!domain) { 
>> @@ -1089,27 +1138,48 @@ static krb5_error_code >> filter_logon_info(krb5_context context, >> return EINVAL; >> } >> >> - /* check sid */ >> - domsid = dom_sid_string(NULL, info->info->info3.base.domain_sid); >> - if (!domsid) { >> - return EINVAL; >> - } > >I think you can keep the above for reporting debugging purposes later so >you do not have to change the log message. I'll move it into the conditional so that we don't allocate memory unless there is an error to report. This is though a bit fragile -- if memory allocation in dom_sid_string() fails... BTW, I'm yet to see any of these krb5_klog_syslog() messages. They never appear in logs even if I call the function unconditionally. >> - if (strcmp(domsid, domain->domain_sid) != 0) { >> + /* check exact sid */ >> + result = dom_sid_cmp(&domain->domsid, >> info->info->info3.base.domain_sid, true); >> + if (result != 0) { >> krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain = %s, " >> - "expected domain SID = %s, " >> - "found domain SID = %s", >> - domain->domain_name, >> domain->domain_sid, >> - domsid); >> - talloc_free(domsid); >> + "expected domain SID = %s, ", >> + domain->domain_name, >> domain->domain_sid); >> return EINVAL; >> } >> - talloc_free(domsid); >> >> - /* According to MS-KILE, info->info->info3.sids must be zero, so >> check >> - * that it is the case here */ >> + /* According to MS-KILE 25.0, info->info->info3.sids may be non >> zero, so check >> + * should include different possibilities into account >> + * */ >> if (info->info->info3.sidcount != 0) { >> - return EINVAL; >> + ipactx = ipadb_get_context(context); >> + if (!ipactx && !ipactx->mspac) { >> + return KRB5_KDB_DBNOTINITED; >> + } >> + count = info->info->info3.sidcount; >> + i = 0; >> + j = 0; >> + do { >> + /* Compare SIDs without taking RID into account */ >> + result = dom_sid_cmp(&ipactx->mspac->domsid, >> info->info->info3.sids[i].sid, false); >> + if (result == 0) { >> + krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain 
>> = %s, " >> + "extra sid should be not from the domain %s but >> received RID %d ", >> + domain->domain_name, >> ipactx->mspac->flat_domain_name, >> + >> info->info->info3.sids[i].sid->sub_auths[info->info->info3.sids[i].sid->num_auths-1]); >> + j++; >> + memmove(info->info->info3.sids+i, >> info->info->info3.sids+i+1, count-i-1); >> + } > >Sorry but doesn't 0 mean it's a match ? Looks to me using true/false is >also less confusing. 0 means it's a match, true. And in this case we compare extra SID to our domain SID and have to remove extra SID then because we cannot allow our own SIDs stuffed into MS-KILE by foreign KDC. >Also the log message would use a bit of rework, I suggest: "PAC >Filtering issue: sid [%s] is not allowed from a trusted source and will >be excluded." Before this you do a sid to string, this is ok even if >slow as this is an important error condition and should not be common. OK. > >> >The rest and the approach looks otherwise good to me. > >Simo. > >-- >Simo Sorce * Red Hat, Inc * New York > -- / Alexander Bokovoy From rcritten at redhat.com Wed Dec 5 15:41:27 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Dec 2012 10:41:27 -0500
Subject: [Freeipa-devel] [PATCH] 1073 honor disabling lockout in ipa_lockout
In-Reply-To: <1354651932.19871.288.camel@willson.li.ssimo.org>
References: <50BE2A2D.5030106@redhat.com> <1354641488.19871.262.camel@willson.li.ssimo.org> <50BE572B.6090601@redhat.com> <1354651932.19871.288.camel@willson.li.ssimo.org>
Message-ID: <50BF6B27.1030200@redhat.com>

Simo Sorce wrote:
> On Tue, 2012-12-04 at 15:03 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Tue, 2012-12-04 at 11:51 -0500, Rob Crittenden wrote:
>>>> Two options were added to the kdb backend to disable writes. The
>>>> ipa_lockout plugin needs to honor these as well.
>>>
>>> Oh I saw it assigned to me and was going to propose a similar patch.
>>> Thanks for getting there first :-)
>>>
>>> But one q. I wonder if we shouldn't share the code to audit stuff
>>> between the kdb plugin and the ldap plugin, this split sounds like it is
>>> going to bite us again if we need to change behavior.
>>>
>>> What do you think ?
>>>
>>> Simo.
>>>
>>
>> I figured that since I wrote the lockout plugin I should fix this :-)
>>
>> I think that sharing the logic of the lockout is a great idea. I'm not
>> entirely sure if all the LDAP-ey code can be made totally generic (one
>> runs as an internal plugin of 389-ds, the other inside the KDC)
>> but at least the evaluation logic can be consolidated.
>
> We already share code between the password plugin and the kdb driver for
> password related stuff, we just need to be smart :-)
>
>> Are you proposing that as part of this fix or as a future enhancement?
>
> Nah, let's open a ticket for 3.2, I do not want to delay this fix, which
> *is* sufficient to address the bug.
>
> So ACK.
>
> Simo.
>

pushed to master and ipa-3-0

From rcritten at redhat.com Wed Dec 5 15:46:06 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Dec 2012 10:46:06 -0500
Subject: [Freeipa-devel] [PATCH] 1074 limit service list
In-Reply-To: <1354685126.19871.401.camel@willson.li.ssimo.org>
References: <50BE490E.3050602@redhat.com> <1354649408.19871.275.camel@willson.li.ssimo.org> <50BE59A4.5010709@redhat.com> <1354652431.19871.291.camel@willson.li.ssimo.org> <50BE6399.5090703@redhat.com> <1354657535.19871.301.camel@willson.li.ssimo.org> <50BEB226.8010308@redhat.com> <1354685126.19871.401.camel@willson.li.ssimo.org>
Message-ID: <50BF6C3E.2020806@redhat.com>

Simo Sorce wrote:
> On Tue, 2012-12-04 at 21:32 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Tue, 2012-12-04 at 15:56 -0500, Rob Crittenden wrote:
>>>> Simo Sorce wrote:
>>>>> On Tue, 2012-12-04 at 15:14 -0500, Rob Crittenden wrote:
>>>>>> Simo Sorce wrote:
>>>>>>> On Tue, 2012-12-04 at 14:03 -0500, Rob Crittenden wrote:
>>>>>>>> Only touch the service list in the server installer and ipactl.
>>>>>>>
>>>>>>> Nack, comments inline.
>>>>>>>
>>>>> [..]
>>>>>>> This breaks the fallback we have in ipa_stop()
>>>>>>> We expect an exception or a non empty list there.
>>>>>>
>>>>>> Ok, I can move the handling so ipactl ignores the exception.
>>>>>
>>>>> Is the problem that we are printing an error to stdout/stderr ?
>>>>> Or do you actually want to change behavior somehow ?
>>>>
>>>> We need to change the behavior.
>>>>
>>>> If you run: ipactl stop
>>>>
>>>> then: ipactl status
>>>>
>>>> you get a backtrace because the service list doesn't exist.
>>>
>>> Ok, what about defining our own exception and then simply pass on it
>>> except for the stop() case that treats it differently ?
>>
>> I think checking for file existence is probably going to hit the
>> majority of the cases. Using a separate exception is probably overkill.
>
>
> ACK
>
> Simo.
>
>

pushed to master and ipa-3-0

rob

From rcritten at redhat.com Wed Dec 5 20:37:48 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Dec 2012 15:37:48 -0500
Subject: [Freeipa-devel] [PATCH] 338 Improve ipa-replica-prepare error message
In-Reply-To: <50BE1DB9.4010206@redhat.com>
References: <50BE1DB9.4010206@redhat.com>
Message-ID: <50BFB09C.2080007@redhat.com>

Martin Kosek wrote:
> When DNS zone/record manipulation commands fail for example due to
> a ValidationError, ipa-replica-prepare reports a whole traceback
> which is difficult to read. Make sure our error is more
> readable.
>
> https://fedorahosted.org/freeipa/ticket/3283
>

ACK

rob

From abokovoy at redhat.com Wed Dec 5 21:01:20 2012
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 5 Dec 2012 23:01:20 +0200 Subject: [Freeipa-devel] [PATCH] 0096 support Windows Server 2012 In-Reply-To: <1354719570.19871.479.camel@willson.li.ssimo.org> References: <20121122155942.GA9142@redhat.com> <1353611080.25995.42.camel@willson.li.ssimo.org> <20121205121641.GD22265@redhat.com> <1354719570.19871.479.camel@willson.li.ssimo.org> Message-ID: <20121205210120.GF22265@redhat.com> On Wed, 05 Dec 2012, Simo Sorce wrote: >On Wed, 2012-12-05 at 14:16 +0200, Alexander Bokovoy wrote: >[..] >> Attached is a prototype to implement logic above. I haven't added >> filtering for anything but our own domain SIDs yet, want to get review >> for this part before going further. > >Comments inline. >> >> +static int dom_sid_cmp(const struct dom_sid *sid1, const struct >> dom_sid *sid2, bool compare_rids) >> +{ >> + int c, num; >> + >> + if (sid1 == sid2) { >> + return 0; >> + } >> + >> + if (sid1 == NULL) { >> + return -1; >> + } >> + >> + if (sid2 == NULL) { >> + return 1; >> + } >> + >> + /* If SIDs have different revisions, they are different */ >> + if (sid1->sid_rev_num != sid2->sid_rev_num) >> + return sid1->sid_rev_num - sid2->sid_rev_num; >> + >> + /* When number of authorities is different, sids are different */ >> + if (sid1->num_auths != sid2->num_auths) >> + return sid1->num_auths - sid2->num_auths; >> + >> + /* Optionally skip RIDs if asked */ >> + num = sid1->num_auths - 1; >> + if (!compare_rids) { >> + num--; >> + if (num < 0) return sid1->sub_auths[0] - sid2->sub_auths[0]; >> + } > >I am not sure this works if you pass in a domain SID and an actual user >SID, because they are of different lengths. A Domain SID is just like a >USER SID but misses the last authority which represents the RID.
> >Ie: > >Domain SID: S-1-5-21-12345-6789-101123 >User SID: S-1-5-21-12345-6789-101123-501 > >I think the above function will make comparisons between domain SID and >User SID (which is the only comparison we care about) never succeed. > >> + /* for same size authorities compare them backwards >> + * since RIDs are likely different */ >> + for (c = num; c >= 0; --c) >> + if (sid1->sub_auths[c] != sid2->sub_auths[c]) >> + return sid1->sub_auths[c] - sid2->sub_auths[c]; >> + >> + /* Finally, compare Identifier authorities */ >> + for (c = 0; c < SID_ID_AUTHS; c++) >> + if (sid1->id_auth[c] != sid2->id_auth[c]) >> + return sid1->id_auth[c] - sid2->id_auth[c]; > >I am wondering, wouldn't it be more efficient if we did a simple >memcmp() here ? >After all these are arrays and should be fully packed. > >Also by testing backwards returning the classic -1, 0, +1 makes little >sense because you do not know if a higher authority was 'bigger' or >'smaller' but you found a difference already in a following one. > >I would just return true or false from this function, either they match >or they don't. By returning -1,0,1 you mislead the reader in believing >this function might be used in a sorting algorithm, when it cannot as >is. > >> + return 0; >> +} >> + >> static int sid_append_rid(struct dom_sid *sid, uint32_t rid) >> { >> if (sid->num_auths >= SID_SUB_AUTHS) { >> @@ -1070,8 +1118,9 @@ static krb5_error_code >> filter_logon_info(krb5_context context, >> * attempt at getting us to sign fake credentials with the help >> of a >> * compromised trusted realm */ >> >> + struct ipadb_context *ipactx; >> struct ipadb_adtrusts *domain; >> - char *domsid; >> + int i, j, result, count; >> >> domain = get_domain_from_realm_update(context, realm); >> if (!domain) { 
>> @@ -1089,27 +1138,48 @@ static krb5_error_code >> filter_logon_info(krb5_context context, >> return EINVAL; >> } >> >> - /* check sid */ >> - domsid = dom_sid_string(NULL, info->info->info3.base.domain_sid); >> - if (!domsid) { >> - return EINVAL; >> - } > >I think you can keep the above for reporting debugging purposes later so >you do not have to change the log message. > >> - if (strcmp(domsid, domain->domain_sid) != 0) { >> + /* check exact sid */ >> + result = dom_sid_cmp(&domain->domsid, >> info->info->info3.base.domain_sid, true); >> + if (result != 0) { >> krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain = %s, " >> - "expected domain SID = %s, " >> - "found domain SID = %s", >> - domain->domain_name, >> domain->domain_sid, >> - domsid); >> - talloc_free(domsid); >> + "expected domain SID = %s, ", >> + domain->domain_name, >> domain->domain_sid); >> return EINVAL; >> } >> - talloc_free(domsid); >> >> - /* According to MS-KILE, info->info->info3.sids must be zero, so >> check >> - * that it is the case here */ >> + /* According to MS-KILE 25.0, info->info->info3.sids may be non >> zero, so check >> + * should include different possibilities into account >> + * */ >> if (info->info->info3.sidcount != 0) { >> - return EINVAL; >> + ipactx = ipadb_get_context(context); >> + if (!ipactx && !ipactx->mspac) { >> + return KRB5_KDB_DBNOTINITED; >> + } >> + count = info->info->info3.sidcount; >> + i = 0; >> + j = 0; >> + do { >> + /* Compare SIDs without taking RID into account */ >> + result = dom_sid_cmp(&ipactx->mspac->domsid, >> info->info->info3.sids[i].sid, false); >> + if (result == 0) { >> + krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain >> = %s, " >> + "extra sid should be not from the domain %s but >> received RID %d ", >> + domain->domain_name, >> ipactx->mspac->flat_domain_name, >> + >> info->info->info3.sids[i].sid->sub_auths[info->info->info3.sids[i].sid->num_auths-1]); >> + j++; >> + memmove(info->info->info3.sids+i, >> 
info->info->info3.sids+i+1, count-i-1); >> + } > >Sorry but doesn't 0 means it's a match ? Looks to me using true/false is >also less confusing. >Also the log message would use a bit of rework, I suggest: "PAC >Filtering issue: sid [%s] is not allowed from a trusted source and will >be excluded." Before this you do a sid to string, this is ok even if >slow as this is an important error condition and should not be common. > >> >The rest and the approach looks otherwise good to me. New patch attached. It filters out statically compiled in list of well-known SID prefixes and SIDs belonging to our own domain. I'll add fetching the white list from the LDAP in next version. -- / Alexander Bokovoy -------------- next part -------------- >From fd3b4f6747c59a0f540b3bba63b3aedaf6dca68b Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Thu, 22 Nov 2012 17:45:40 +0200 Subject: [PATCH] ipa-kdb: Support Windows 2012 Server Windows 2012 Server changed procedure how KERB_VALIDATION_INFO ([MS-PAC] section 2.5) is populated. Detailed description is available in [MS-KILE] version 25.0 and above. Refactor KERB_VALIDATION_INFO verification and ensure we filter out extra SIDs in case they belong to our domain. https://fedorahosted.org/freeipa/ticket/3231 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 268 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 253 insertions(+), 15 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index ed2c7fb8c8c4975ce942335f4688d32f7c84f937..ee1c6124f8d04cb10d091f11883834620c5c35ea 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -30,11 +30,15 @@ struct ipadb_adtrusts { char *domain_name; char *flat_name; char *domain_sid; + struct dom_sid domsid; }; struct ipadb_mspac { char *flat_domain_name; char *flat_server_name; + struct dom_sid domsid; + struct dom_sid *well_known_sids; + char *fallback_group; uint32_t fallback_rid; 
@@ -84,6 +88,36 @@ static char *memberof_pac_attrs[] = { NULL }; +static char *mspac_well_known_sids[] = { + "S-1-0", + "S-1-1", + "S-1-2", + "S-1-3", + "S-1-5-1", + "S-1-5-2", + "S-1-5-3", + "S-1-5-4", + "S-1-5-5", + "S-1-5-6", + "S-1-5-7", + "S-1-5-8", + "S-1-5-9", + "S-1-5-10", + "S-1-5-11", + "S-1-5-12", + "S-1-5-13", + "S-1-5-14", + "S-1-5-15", + "S-1-5-16", + "S-1-5-17", + "S-1-5-18", + "S-1-5-19", + "S-1-5-20", +}; + +#define LEN_WELL_KNOWN_SIDS (sizeof(mspac_well_known_sids)/sizeof(char*)) + + #define SID_ID_AUTHS 6 #define SID_SUB_AUTHS 15 #define MAX(a,b) (((a)>(b))?(a):(b)) 
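Review bot: the mspac_well_known_sids table in the @@ -84,6 +88,36 @@ hunk has no comment saying where the entries come from or that they are later matched as prefixes, so a reader cannot tell whether "S-1-5-18" is meant to cover only Local System or everything under it, nor verify the list against a source. A one-line comment naming the origin of the list and the prefix semantics would make the table reviewable. The LEN_WELL_KNOWN_SIDS macro defined here is defined a second time, identically, just before ipadb_mspac_fill_well_known_sids() further down in this patch; keep one copy.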
@@ -213,6 +247,104 @@ static struct dom_sid *dom_sid_dup(TALLOC_CTX *memctx, return new_sid; } +/* checks if sid1 is a domain of sid2 or compares them exactly if exact_check is true + * returns + * true -- if sid1 is a domain of sid2 (including full exact match) + * false -- otherwise + * + * dom_sid_check() is supposed to be used with sid1 representing domain SID + * and sid2 being either domain or resource SID in the domain + */ +static bool dom_sid_check(const struct dom_sid *sid1, const struct dom_sid *sid2, bool exact_check) +{ + int c, num; + + if (sid1 == sid2) { + return true; + } + + if (sid1 == NULL) { + return false; + } + + if (sid2 == NULL) { + return false; + } + + /* If SIDs have different revisions, they are different */ + if (sid1->sid_rev_num != sid2->sid_rev_num) + return false; + + /* When number of authorities is different, sids are different + * if we were asked to check prefix exactly */ + num = sid2->num_auths - sid1->num_auths; + if (num != 0) { + if (exact_check) { + return false; + } else { + /* otherwise we are dealing with prefix check + * and sid2 should have RID compared to the sid1 */ + if (num != 1) { + return false; + } + } + } + + /* now either sid1->num_auths == sid2->num_auths or sid1 has no RID */ + + /* for same size authorities compare them backwards + * since RIDs are likely different */ + for (c = sid1->num_auths; c >= 0; --c) + if (sid1->sub_auths[c] != sid2->sub_auths[c]) + return false; + + /* Finally, compare Identifier authorities */ + for (c = 0; c < SID_ID_AUTHS; c++) + if (sid1->id_auth[c] != sid2->id_auth[c]) + return false; + + return true; +} + +static bool dom_sid_is_prefix(const struct dom_sid *sid1, const struct dom_sid *sid2) +{ + int c; + + if (sid1 == sid2) { + return true; + } + + if (sid1 == NULL) { + return false; + } + + if (sid2 == NULL) { + return false; + } + + /* If SIDs have different revisions, they are different */ + if (sid1->sid_rev_num != sid2->sid_rev_num) + return false; + + if 
(sid1->num_auths > sid2->num_auths) + return false; + + /* now sid1->num_auths <= sid2->num_auths */ + + /* compare up to sid1->num_auth authorities since RIDs are + * likely different and we are searching for the prefix */ + for (c = 0; c < sid1->num_auths; c++) + if (sid1->sub_auths[c] != sid2->sub_auths[c]) + return false; + + /* Finally, compare Identifier authorities */ + for (c = 0; c < SID_ID_AUTHS; c++) + if (sid1->id_auth[c] != sid2->id_auth[c]) + return false; + + return true; +} + static int sid_append_rid(struct dom_sid *sid, uint32_t rid) { if (sid->num_auths >= SID_SUB_AUTHS) { @@ -1059,6 +1191,22 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context, return domain; } +static void filter_logon_info_log_message(struct dom_sid *sid) +{ + char *domstr = NULL; + + domstr = dom_sid_string(NULL, sid); + if (domstr) { + krb5_klog_syslog(LOG_ERR, "PAC filtering issue: SID [%s] is not allowed " + "from a trusted source and will be excluded.", domstr); + talloc_free(domstr); + } else { + krb5_klog_syslog(LOG_ERR, "PAC filtering issue: SID is not allowed " + "from a trusted source and will be excluded." + "Unable to allocate memory to display SID."); + } +} + static krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx, krb5_data realm, @@ -1070,8 +1218,11 @@ static krb5_error_code filter_logon_info(krb5_context context, * attempt at getting us to sign fake credentials with the help of a * compromised trusted realm */ + struct ipadb_context *ipactx; struct ipadb_adtrusts *domain; - char *domsid; + int i, j, k, count; + bool result; + char *domstr = NULL; domain = get_domain_from_realm_update(context, realm); if (!domain) { 
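Review bot: in the @@ -213,6 +247,104 @@ hunk, dom_sid_check() walks the sub-authorities with `for (c = sid1->num_auths; c >= 0; --c)`, but the valid indices are 0..num_auths-1, so the first iteration reads sid1->sub_auths[num_auths], an unused slot in sid1. In the prefix case (sid2 has one more authority than sid1) that slot is compared against sid2's RID, so the domain-versus-user check only passes when the RID happens to equal whatever sid1 holds there, which is the same comparison Simo noted as never succeeding in the previous version. Start the loop at `sid1->num_auths - 1`; dom_sid_is_prefix() in the same hunk already bounds its loop with `c < sid1->num_auths`.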
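Review bot: in the @@ -1059,6 +1191,22 @@ hunk, the fallback branch of filter_logon_info_log_message() joins two string literals with no separating space, so the log line reads "...will be excluded.Unable to allocate memory to display SID."; add a space at the end of the first literal.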
@@ -1089,27 +1240,61 @@ static krb5_error_code filter_logon_info(krb5_context context, return EINVAL; } - /* check sid */ - domsid = dom_sid_string(NULL, info->info->info3.base.domain_sid); - if (!domsid) { - return EINVAL; - } - - if (strcmp(domsid, domain->domain_sid) != 0) { + /* check exact sid */ + result = dom_sid_check(&domain->domsid, info->info->info3.base.domain_sid, true); + if (!result) { + domstr = dom_sid_string(NULL, info->info->info3.base.domain_sid); + if (!domstr) { + return EINVAL; + } krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain = %s, " "expected domain SID = %s, " "found domain SID = %s", - domain->domain_name, domain->domain_sid, - domsid); - talloc_free(domsid); + domain->domain_name, domain->domain_sid, domstr); + talloc_free(domstr); return EINVAL; } - talloc_free(domsid); - /* According to MS-KILE, info->info->info3.sids must be zero, so check - * that it is the case here */ + /* According to MS-KILE 25.0, info->info->info3.sids may be non zero, so check + * should include different possibilities into account + * */ if (info->info->info3.sidcount != 0) { - return EINVAL; + ipactx = ipadb_get_context(context); + if (!ipactx && !ipactx->mspac) { + return KRB5_KDB_DBNOTINITED; + } + count = info->info->info3.sidcount; + i = 0; + j = 0; + do { + /* Compare SID with our domain without taking RID into account */ + result = dom_sid_check(&ipactx->mspac->domsid, info->info->info3.sids[i].sid, false); + if (result) { + filter_logon_info_log_message(info->info->info3.sids[i].sid); + } else { + for(k = 0; k < LEN_WELL_KNOWN_SIDS; k++) { + result = dom_sid_is_prefix(&ipactx->mspac->well_known_sids[k], info->info->info3.sids[i].sid); + if (result) { + filter_logon_info_log_message(info->info->info3.sids[i].sid); + break; + } + } + } + if (result) { + j++; + memmove(info->info->info3.sids+i, info->info->info3.sids+i+1, count-i-1); + } + i++; + } while (i < count); + + if (j != 0) { + info->info->info3.sids = talloc_realloc(memctx, 
info->info->info3.sids, struct netr_SidAttr, count-j); + info->info->info3.sidcount = count-j; + if (!info->info->info3.sids) { + info->info->info3.sidcount = 0; + return ENOMEM; + } + } } /* According to MS-KILE, ResourceGroups must be zero, so check @@ -1531,9 +1716,33 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac) } } + if ((*mspac)->well_known_sids) { + free((*mspac)->well_known_sids); + } + *mspac = NULL; } +#define LEN_WELL_KNOWN_SIDS (sizeof(mspac_well_known_sids)/sizeof(char*)) +krb5_error_code ipadb_mspac_fill_well_known_sids(struct ipadb_mspac *mspac) +{ + int i; + + mspac->well_known_sids = calloc(LEN_WELL_KNOWN_SIDS, sizeof(struct dom_sid)); + + if (mspac->well_known_sids == NULL) { + return ENOMEM; + } + + for (i = 0; i < LEN_WELL_KNOWN_SIDS; i++) { + if (mspac_well_known_sids[i] != NULL) { + (void) string_to_sid(mspac_well_known_sids[i], &(mspac->well_known_sids[i])); + } + } + + return 0; +} + krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) { struct ipadb_adtrusts *t; @@ -1595,6 +1804,12 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) ret = EINVAL; goto done; } + + ret = string_to_sid(t[n].domain_sid, &t[n].domsid); + if (ret) { + ret = EINVAL; + goto done; + } } ret = 0; @@ -1611,6 +1826,7 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx) { char *dom_attrs[] = { "ipaNTFlatName", "ipaNTFallbackPrimaryGroup", + "ipaNTSecurityIdentifier", NULL }; char *grp_attrs[] = { "ipaNTSecurityIdentifier", NULL }; krb5_error_code kerr; 
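Review bot: the extra-SID loop in the @@ -1089,27 +1240,61 @@ hunk has three problems. `if (!ipactx && !ipactx->mspac)` dereferences ipactx when it is NULL and does not return when only mspac is missing; it should be `||`. `memmove(info->info->info3.sids+i, info->info->info3.sids+i+1, count-i-1)` passes an element count where memmove expects a byte count, so only part of the tail is shifted; multiply by sizeof(struct netr_SidAttr). And after a removal the loop still executes `i++` with `count` unchanged, so the entry just shifted into slot i is never examined while the last slot, now a stale duplicate, is examined instead. A read index and a write index that copy kept entries forward, followed by the existing talloc_realloc to the kept count, avoid both the byte arithmetic and the skipped entry.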
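Review bot: in the @@ -1531,9 +1716,33 @@ hunk, ipadb_mspac_fill_well_known_sids() casts the string_to_sid() result to void, so a malformed table entry silently leaves a zeroed dom_sid that never matches anything and the entry drops out of the filter without any log; return the error the way ipadb_mspac_get_trusted_domains() does in the hunk below. The `#define LEN_WELL_KNOWN_SIDS` placed directly above the function duplicates the one next to the table.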
@@ -1664,6 +1880,22 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx) goto done; } + ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, + "ipaNTSecurityIdentifier", + &resstr); + if (ret) { + kerr = ret; + goto done; + } + + ret = string_to_sid(resstr, &ipactx->mspac->domsid); + if (ret) { + kerr = ret; + free(resstr); + goto done; + } + free(resstr); + free(ipactx->mspac->flat_server_name); ipactx->mspac->flat_server_name = get_server_netbios_name(); if (!ipactx->mspac->flat_server_name) { @@ -1725,6 +1957,12 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx) kerr = ipadb_mspac_get_trusted_domains(ipactx); + if (kerr) { + goto done; + } + + kerr = ipadb_mspac_fill_well_known_sids(ipactx->mspac); + done: ldap_msgfree(result); return kerr; -- 1.8.0 From rcritten at redhat.com Thu Dec 6 04:33:18 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 05 Dec 2012 23:33:18 -0500 Subject: [Freeipa-devel] [PATCH] 1075 wrap password change in transaction Message-ID: <50C0200E.4090609@redhat.com> Wrap the password change extop in a 389-ds transaction and ensure that administratively set passwords are always considered expired. I also removed an extraneous init from the betxn conversion. This was causing an error to be raised in the 389-ds error logs. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-1075-password.patch Type: text/x-patch Size: 5629 bytes Desc: not available URL: From mkosek at redhat.com Thu Dec 6 07:01:20 2012 
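The domain-SID prefix comparison Simo describes in the ipa-kdb thread above (a user SID is the domain SID plus one trailing RID) and the extra-SID filtering in Alexander's patch, as an added example in C that is neither part of the patch nor of ipa-kdb. It assumes a Samba-style struct dom_sid layout, constructs its own domain SID, two well-known prefixes taken from the patch's table and four sample extra SIDs, and compacts the surviving entries with whole-element copies rather than a memmove byte count.

```c
/* Added example (not ipa-kdb code): SID parsing, domain-prefix checks and in-place compaction of a PAC extra-SID list over constructed data. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SID_ID_AUTHS 6
#define SID_SUB_AUTHS 15
#define IS_DIGIT(c) ((c) >= '0' && (c) <= '9')

struct dom_sid {                        /* assumed layout, after Samba's dom_sid */
    uint8_t  sid_rev_num;
    int8_t   num_auths;                 /* sub-authorities in use; the RID is the last */
    uint8_t  id_auth[SID_ID_AUTHS];     /* 48-bit identifier authority, big-endian */
    uint32_t sub_auths[SID_SUB_AUTHS];
};

/* Parse "S-1-5-21-..." into *sid; returns false on any syntax error. */
bool sid_parse(const char *str, struct dom_sid *sid)
{
    const char *p; char *end;
    unsigned long long v; int i;

    memset(sid, 0, sizeof(*sid));
    if (str[0] != 'S' || str[1] != '-' || !IS_DIGIT(str[2])) return false;
    v = strtoull(str + 2, &end, 10);                       /* revision */
    if (*end != '-' || v > 255 || !IS_DIGIT(end[1])) return false;
    sid->sid_rev_num = (uint8_t)v;
    v = strtoull(end + 1, &end, 10);                       /* identifier authority */
    if (v > 0xffffffffffffULL) return false;
    for (i = 0; i < SID_ID_AUTHS; i++)
        sid->id_auth[i] = (uint8_t)(v >> (8 * (SID_ID_AUTHS - 1 - i)));
    for (p = end; *p == '-'; p = end) {                    /* sub-authorities */
        if (sid->num_auths >= SID_SUB_AUTHS || !IS_DIGIT(p[1])) return false;
        v = strtoull(p + 1, &end, 10);
        if (v > 0xffffffffULL) return false;
        sid->sub_auths[sid->num_auths++] = (uint32_t)v;
    }
    return *p == '\0';
}

/* True when every authority of `prefix` matches the start of `sid`; a domain SID is a prefix of every SID issued in that domain. */
bool sid_has_prefix(const struct dom_sid *prefix, const struct dom_sid *sid)
{
    int c;
    if (prefix->sid_rev_num != sid->sid_rev_num || prefix->num_auths > sid->num_auths ||
        memcmp(prefix->id_auth, sid->id_auth, SID_ID_AUTHS) != 0)
        return false;
    for (c = 0; c < prefix->num_auths; c++)                /* valid slots: 0..num_auths-1 */
        if (prefix->sub_auths[c] != sid->sub_auths[c]) return false;
    return true;
}

/* Drop every SID under our own domain or under a well-known prefix; survivors are compacted with a read and a write index (whole-element copies). Returns the kept count. */
size_t filter_extra_sids(struct dom_sid *sids, size_t count, const struct dom_sid *own,
                         const struct dom_sid *well_known, size_t n_well_known)
{
    size_t r, w = 0, k;

    for (r = 0; r < count; r++) {
        bool drop = sid_has_prefix(own, &sids[r]);
        for (k = 0; !drop && k < n_well_known; k++)
            drop = sid_has_prefix(&well_known[k], &sids[r]);
        if (drop) continue;                                /* a foreign KDC may not assert these */
        if (w != r) sids[w] = sids[r];
        w++;
    }
    return w;
}

/* Text-level helper for the demo and for tests. */
bool demo_prefix_check(const char *prefix_str, const char *sid_str)
{
    struct dom_sid prefix, sid;
    return sid_parse(prefix_str, &prefix) && sid_parse(sid_str, &sid) &&
           sid_has_prefix(&prefix, &sid);
}

/* Constructed sample: our domain, two prefixes from the patch's well-known table and four extra SIDs as a trusted KDC might send them; returns how many survive. */
int demo_count_kept(void)
{
    static const char *const wk_str[] = { "S-1-1", "S-1-5-18" };
    static const char *const extra_str[] = {
        "S-1-5-21-111-222-333-1104",  /* our own domain plus a RID: dropped */
        "S-1-5-21-444-555-666-1105",  /* foreign domain: kept */
        "S-1-1-0",                    /* Everyone, under prefix S-1-1: dropped */
        "S-1-5-18",                   /* Local System, well-known: dropped */
    };
    struct dom_sid own, wk[2], extra[4];
    size_t i;

    if (!sid_parse("S-1-5-21-111-222-333", &own)) return -1;
    for (i = 0; i < 2; i++)
        if (!sid_parse(wk_str[i], &wk[i])) return -1;
    for (i = 0; i < 4; i++)
        if (!sid_parse(extra_str[i], &extra[i])) return -1;
    return (int)filter_extra_sids(extra, 4, &own, wk, 2);   /* 1: only the foreign SID */
}
```

The compaction loop is the point of contrast with the patch: because kept entries are copied forward one element at a time under a separate write index, there is no byte-count argument to get wrong and no entry is skipped after a removal; the caller would shrink the array to the returned count afterwards, as the patch does with talloc_realloc.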
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 06 Dec 2012 08:01:20 +0100
Subject: [Freeipa-devel] [PATCH] 338 Improve ipa-replica-prepare error message
In-Reply-To: <50BFB09C.2080007@redhat.com>
References: <50BE1DB9.4010206@redhat.com> <50BFB09C.2080007@redhat.com>
Message-ID: <50C042C0.7050104@redhat.com>

On 12/05/2012 09:37 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> When DNS zone/record manipulation commands fail for example due to
>> a ValidationError, ipa-replica-prepare reports a whole traceback
>> which is difficult to read. Make sure our error is more
>> readable.
>>
>> https://fedorahosted.org/freeipa/ticket/3283
>>
>
> ACK
>
> rob

Pushed to master, ipa-3-0.

Martin

From pviktori at redhat.com Thu Dec 6 13:49:41 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 06 Dec 2012 14:49:41 +0100
Subject: [Freeipa-devel] [PATCH] convert the base platform modules into packages
In-Reply-To: <50BF62EB.5040006@ubuntu.com>
References: <505C804B.9010506@ubuntu.com> <507EB5F1.1040903@redhat.com> <50BF459A.8080306@ubuntu.com> <50BF62EB.5040006@ubuntu.com>
Message-ID: <50C0A275.9090508@redhat.com>

On 12/05/2012 04:06 PM, Timo Aaltonen wrote:
> On 05.12.2012 15:01, Timo Aaltonen wrote:
>> On 17.10.2012 16:43, Petr Viktorin wrote:
>>> On 09/21/2012 04:57 PM, Timo Aaltonen wrote:
>>>> Ok, so this is the first step before we can start to rewrite bits from
>>>> ipaserver/install to make them support other distros. There are no real
>>>> functional changes yet.
>>>>
>>>> had some dependency issues installing the resulting rpm's, so didn't
>>>> test the install scripts but they should work :)
>>>>
>>>>
>>>
>>> Hello,
>>>
>>> I recommend giving the -M flag to git format-patch, so it's easier to
>>> see changes in the patch.
>>>
>>>
>>> Your split of the fedora16 code into two modules is unfortunate: each
>>> tries to import the other one, and one is the other's parent. This would
>>> need special care to get working correctly.
>>>
>>> The best option here would probably be to put restore_context &
>>> check_selinux_status into a separate submodule, so you don't need to
>>> import fedora16 from services.
>>>
>>> Furthermore, in fedora16/__init__.py, you have:
>>> from ipapython.platform.fedora16.service import *
>>> This imports everything from that module, including e.g. "redhat" or
>>> "os".
>>> Please avoid star imports. List all the imported names explicitly, or
>>> import the module and then use qualified names.
>>>
>>>
>>> Other than that, after a trivial rebase the patch seems to work fine on
>>> Fedora. Thanks!
>>
>> And finally, here is version 2.
>>
>> fixed all the above, I think.. make-lint passes, make rpms too.
>
> Here's v3, thanks to your rebase to an even more current master :)
>

Thank you! This works fine on f17 and f18. ACK.

We're stabilizing for a 3.1 release right now, so we might hold pushing this to master until work on 3.2 starts.

---

P.S. Git is surprisingly bad at splitting files. Well, it's much better than any other SCM I know: SVN, bzr, hg can't AFAIK track file splits at all. Today I learned how to use `git show` with file (not commit) hashes, and `git blame --reverse`.

-- 
Petr³

From simo at redhat.com Thu Dec 6 15:07:12 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 06 Dec 2012 10:07:12 -0500
Subject: [Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms
In-Reply-To: <50A54768.8020307@redhat.com>
References: <50A4C9D9.8020107@redhat.com> <50A4D4F4.8020806@redhat.com> <1352988643.10327.748.camel@willson.li.ssimo.org> <50A50169.9010908@redhat.com> <1352992483.10327.756.camel@willson.li.ssimo.org> <50A54768.8020307@redhat.com>
Message-ID: <1354806432.14475.0.camel@willson.li.ssimo.org>

On Thu, 2012-11-15 at 20:50 +0100, Tomas Babej wrote:
> On 11/15/2012 04:14 PM, Simo Sorce wrote:
> > On Thu, 2012-11-15 at 15:51 +0100, Tomas Babej wrote:
> >> On 11/15/2012 03:10 PM, Simo Sorce wrote:
> >>> On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote:
> >>>> On 11/15/2012 11:54 AM, Tomas Babej wrote:
> >>>>> Hi,
> >>>>>
> >>>>> This is server part of #3252.
> >>>>>
> >>>>> When user from other realm than FreeIPA's tries to use Web UI
> >>>>> (login via forms-based auth or with valid trusted realm ticket),
> >>>>> the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
> >>>>> is returned.
> >>>>>
> >>>>> Also, the support for usernames of the form user at SERVER.REALM
> >>>>> or user at server.realm was added.
> >>>>>
> >>>>> https://fedorahosted.org/freeipa/ticket/3252
> >>>>>
> >>>>> Tomas
> >>>>>
> >>>>> + # allows login in the form user at SERVER_REALM or FIXME:user at server_realm
> >>>> The comment may not be clear for other people. I would be more verbose
> >>>> about the FIXME.
> >>>>
> >>>>> + parts = user.split("@")
> >>>>> + if len(parts) > 1:
> >>>>> + if parts[1].upper()==self.api.env.realm:
> >>>> I don't think we wanted to do this hard-check of realm. Personally I am
> >>>> not against it because it's better to fail at login than at subsequent
> >>>> command (which will happen). Anyway it should be commented.
> >>>>
> >>>>> + user=parts[0]
> >>>>> + else:
> >>>>> + return self.unauthorized(environ, start_response, '', 'denied')
> >>> I think you should really fail only if you get failure connecting to
> >>> LDAP. Because we can easily allow logins by providing a mapping object
> >>> as part of SASL rules, we simply do not do it yet.
> >>>
> >>> Simo.
> >>>
> >> Turns out if user from trusted realm logs in using WebUI form,
> >> he successfully obtains ticket, however, a ccache is created with
> >> negative expiration time, because KRB5_CCache classes
> >> use server's realm in their methods.
> > Uh odd.
> > Well if the problem is deep there, then please open a ticket to fix that
> > problem and let's move on with your current solution.
> >
> > But we need either a ticket or a note somewhere (or maybe even just
> > FIXMEs in your code comments) to make sure we improve this code later to
> > check via LDAP so we do not hit a wall if/when we decide to allow
> > trusted users to log into the ui.
> >
> > Simo.
> The updated patch is attached. Please check if there are any other issues.
>
> I will open the tickets after further investigation.

Sorry for the delay,
I thought I had ACKed this one already.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From mkosek at redhat.com Thu Dec 6 15:45:31 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 06 Dec 2012 16:45:31 +0100
Subject: [Freeipa-devel] [PATCH] 340 Add OCSL and CRL URIs to certificates
Message-ID: <50C0BD9B.6010008@redhat.com>

Modify the default IPA CA certificate profile to include CRL and
OCSP extensions which will add URIs to IPA CRL&OCSP to published
certificates.

Both CRL and OCSP extensions have 2 URIs, one pointing directly to
the IPA CA which published the certificate and one to a new CNAME
ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
to all IPA replicas which have CA configured.

The new CNAME is added either during new IPA server/replica/CA
installation or during upgrade.

https://fedorahosted.org/freeipa/ticket/3074
https://fedorahosted.org/freeipa/ticket/1431

----

This patch originates in Rob's WIP OCSP patch, which I had to rewrite to make
things working as we want to :-)

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-340-add-ocsl-and-crl-uris-to-certificates.patch
Type: text/x-patch
Size: 30477 bytes
Desc: not available
URL:

From mkosek at redhat.com Thu Dec 6 15:48:15 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 06 Dec 2012 16:48:15 +0100
Subject: [Freeipa-devel] [PATCH] 340 Add OCSP and CRL URIs to certificates
In-Reply-To: <50C0BD9B.6010008@redhat.com>
References: <50C0BD9B.6010008@redhat.com>
Message-ID: <50C0BE3F.6070108@redhat.com>

On 12/06/2012 04:45 PM, Martin Kosek wrote:
> Modify the default IPA CA certificate profile to include CRL and
> OCSP extensions which will add URIs to IPA CRL&OCSP to published
> certificates.
>
> Both CRL and OCSP extensions have 2 URIs, one pointing directly to
> the IPA CA which published the certificate and one to a new CNAME
> ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
> to all IPA replicas which have CA configured.
>
> The new CNAME is added either during new IPA server/replica/CA
> installation or during upgrade.
>
> https://fedorahosted.org/freeipa/ticket/3074
> https://fedorahosted.org/freeipa/ticket/1431
>
> ----
>
> This patch originates in Rob's WIP OCSP patch, which I had to rewrite to make
> things working as we want to :-)
>
> Martin
>

I knew the subject is wrong the moment I clicked the Send button... Sending a
fixed patch.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-340-add-ocsp-and-crl-uris-to-certificates.patch
Type: text/x-patch
Size: 30477 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Dec 6 15:48:54 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Dec 2012 10:48:54 -0500
Subject: [Freeipa-devel] [PATCH 0023] Add detection for users from trusted/invalid realms
In-Reply-To: <1354806432.14475.0.camel@willson.li.ssimo.org>
References: <50A4C9D9.8020107@redhat.com> <50A4D4F4.8020806@redhat.com> <1352988643.10327.748.camel@willson.li.ssimo.org> <50A50169.9010908@redhat.com> <1352992483.10327.756.camel@willson.li.ssimo.org> <50A54768.8020307@redhat.com> <1354806432.14475.0.camel@willson.li.ssimo.org>
Message-ID: <50C0BE66.4040008@redhat.com>

Simo Sorce wrote:
> On Thu, 2012-11-15 at 20:50 +0100, Tomas Babej wrote:
>> On 11/15/2012 04:14 PM, Simo Sorce wrote:
>>> On Thu, 2012-11-15 at 15:51 +0100, Tomas Babej wrote:
>>>> On 11/15/2012 03:10 PM, Simo Sorce wrote:
>>>>> On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote:
>>>>>> On 11/15/2012 11:54 AM, Tomas Babej wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> This is server part of #3252.
>>>>>>>
>>>>>>> When user from other realm than FreeIPA's tries to use Web UI
>>>>>>> (login via forms-based auth or with valid trusted realm ticket),
>>>>>>> the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
>>>>>>> is returned.
>>>>>>>
>>>>>>> Also, the support for usernames of the form user at SERVER.REALM
>>>>>>> or user at server.realm was added.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/3252
>>>>>>>
>>>>>>> Tomas
>>>>>>>
>>>>>>> + # allows login in the form user at SERVER_REALM or FIXME:user at server_realm
>>>>>> The comment may not be clear for other people. I would be more verbose
>>>>>> about the FIXME.
>>>>>>
>>>>>>> + parts = user.split("@")
>>>>>>> + if len(parts) > 1:
>>>>>>> + if parts[1].upper()==self.api.env.realm:
>>>>>> I don't think we wanted to do this hard-check of realm. Personally I am
>>>>>> not against it because it's better to fail at login than at subsequent
>>>>>> command (which will happen). Anyway it should be commented.
>>>>>>
>>>>>>> + user=parts[0]
>>>>>>> + else:
>>>>>>> + return self.unauthorized(environ, start_response, '', 'denied')
>>>>> I think you should really fail only if you get failure connecting to
>>>>> LDAP. Because we can easily allow logins by providing a mapping object
>>>>> as part of SASL rules, we simply do not do it yet.
>>>>>
>>>>> Simo.
>>>>>
>>>> Turns out if a user from a trusted realm logs in using the WebUI form,
>>>> he successfully obtains a ticket, however, a ccache is created with a
>>>> negative expiration time, because the KRB5_CCache classes
>>>> use the server's realm in their methods.
>>> Uh odd.
>>> Well if the problem is deep there, then please open a ticket to fix that
>>> problem and let's move on with your current solution.
>>>
>>> But we need either a ticket or a note somewhere (or maybe even just
>>> FIXMEs in your code comments) to make sure we improve this code later to
>>> check via LDAP so we do not hit a wall if/when we decide to allow
>>> trusted users to log into the ui.
>>>
>>> Simo.
>> The updated patch is attached. Please check if there are any other issues.
>>
>> I will open the tickets after further investigation.
>
> Sorry for the delay,
> I thought I had ACKed this one already.
>
> Simo.
>

pushed to master and ipa-3-0

From rcritten at redhat.com Thu Dec 6 16:01:00 2012
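An added example, not FreeIPA's code and not the patch under review in this thread, of the login-name check Tomas describes: the realm part of a `user@REALM` login is compared case-insensitively against the server realm and any other realm is rejected, which is the condition that makes the Web UI answer 401 with X-Ipa-Rejection-Reason=denied. `SERVER_REALM` is an assumed constant standing in for `api.env.realm`; the helper splits on the last `@` so that an `@` inside the user part cannot shift which token is taken as the realm.

```python
"""Split a Web UI login name of the form user@REALM and decide whether it
belongs to this server's realm.

Added example (not FreeIPA code).  SERVER_REALM is an assumption standing
in for api.env.realm.
"""

SERVER_REALM = "EXAMPLE.TEST"   # assumption; FreeIPA reads api.env.realm


class UnknownRealm(Exception):
    """The login name names a realm other than the server's."""


def split_login(user, server_realm=SERVER_REALM):
    """Return (username, realm) for a login string.

    'alice'                   -> ('alice', 'EXAMPLE.TEST')   realm defaulted
    'alice@example.test'      -> ('alice', 'EXAMPLE.TEST')   case folded
    'alice@host@EXAMPLE.TEST' -> ('alice@host', 'EXAMPLE.TEST')  last '@' wins
    'alice@OTHER.TEST'        -> raises UnknownRealm
    '@EXAMPLE.TEST'           -> raises ValueError (empty user part)
    """
    if "@" not in user:
        # No realm given: the user is taken to belong to our realm.
        return user, server_realm
    name, _, realm = user.rpartition("@")
    if not name:
        raise ValueError("empty user name in %r" % user)
    if realm.upper() != server_realm.upper():
        # Trusted-realm users are not supported by the Web UI here; the
        # thread leaves an LDAP-based check as future work.
        raise UnknownRealm("login for realm %r denied" % realm)
    return name, server_realm


def login_allowed(user, server_realm=SERVER_REALM):
    """True if the Web UI may proceed with this login, False if it should
    answer 401 Unauthorized with X-Ipa-Rejection-Reason: denied."""
    try:
        split_login(user, server_realm)
    except (UnknownRealm, ValueError):
        return False
    return True
```

The realm comparison folds case on both sides because Kerberos realms are conventionally upper case while users tend to type the DNS domain; the user part is left untouched, since principal names are case-sensitive.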
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 06 Dec 2012 11:01:00 -0500 Subject: [Freeipa-devel] [PATCH] client: include the directory with domain-realm mappings in krb5.conf In-Reply-To: <20121113100644.GB8495@hendrix.brq.redhat.com> References: <20121008161726.GF685@hendrix.brq.redhat.com> <50731B03.2080604@redhat.com> <50856309.2050105@redhat.com> <1350929640.30610.167.camel@willson.li.ssimo.org> <20121031100010.GA13995@hendrix.brq.redhat.com> <5091181C.5060807@redhat.com> <20121106235321.GC2813@hendrix.redhat.com> <509A8A4E.2050807@redhat.com> <20121109165843.GV31678@hendrix.brq.redhat.com> <50A126ED.9090000@redhat.com> <20121113100644.GB8495@hendrix.brq.redhat.com> Message-ID: <50C0C13C.5090908@redhat.com>
Jakub Hrozek wrote:
> On Mon, Nov 12, 2012 at 05:42:21PM +0100, Jan Cholasta wrote:
>> On 9.11.2012 17:58, Jakub Hrozek wrote:
>>> On Wed, Nov 07, 2012 at 05:20:30PM +0100, Martin Kosek wrote:
>>>> On 11/07/2012 12:53 AM, Jakub Hrozek wrote:
>>>>> On Wed, Oct 31, 2012 at 01:22:52PM +0100, Martin Kosek wrote:
>>>>>> On 10/31/2012 11:00 AM, Jakub Hrozek wrote:
>>>>>>> On Mon, Oct 22, 2012 at 02:14:00PM -0400, Simo Sorce wrote:
>>>>>>>> On Mon, 2012-10-22 at 17:15 +0200, Martin Kosek wrote:
>>>>>>>>> On 10/08/2012 08:27 PM, Rob Crittenden wrote:
>>>>>>>>>> Jakub Hrozek wrote:
>>>>>>>>>>> On Fri, Aug 17, 2012 at 12:20:27PM -0400, Simo Sorce wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> the attached patches add the directory the SSSD writes domain-realm
>>>>>>>>>>>>> mappings as includedir to krb5.conf when installing the client.
>>>>>>>>>>>>>
>>>>>>>>>>>>> [PATCH 1/3] ipachangeconf: allow specifying non-default delimiter for
>>>>>>>>>>>>> options
>>>>>>>>>>>>> ipachangeconf only allows one delimiter between keys and values. This
>>>>>>>>>>>>> patch adds the possibility of also specifying "delim" in the option
>>>>>>>>>>>>> dictionary to override the default delimiter.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On a slightly-unrelated note, we really should think about adopting
>>>>>>>>>>>>> Augeas. Changing configuration with home-grown scripts is getting
>>>>>>>>>>>>> tricky.
>>>>>>>>>>>>>
>>>>>>>>>>>>> [PATCH 2/3] Specify includedir in krb5.conf on new installs
>>>>>>>>>>>>> This patch utilizes the new functionality from the previous patch to
>>>>>>>>>>>>> add
>>>>>>>>>>>>> the includedir on top of the krb5.conf file
>>>>>>>>>>>>>
>>>>>>>>>>>>> [PATCH 3/3] Add the includedir to krb5.conf on upgrades
>>>>>>>>>>>>> This patch is completely untested and I'm only posting it to get
>>>>>>>>>>>>> opinions. At first I was going to use an upgrade script in %post but
>>>>>>>>>>>>> then I thought it would be overengineering when all we want to do is
>>>>>>>>>>>>> prepend one line.. Would a simple munging like this be acceptable or
>>>>>>>>>>>>> shall I write a full script?
>>>>>>>>>>>>
>>>>>>>>>>>> NACK, using a scriptlet is fine, but not the way you did, as it has a huge
>>>>>>>>>>>> race condition where krb5.conf exists and has only one line in it (the
>>>>>>>>>>>> include line).
>>>>>>>>>>>>
>>>>>>>>>>>> You should first create the new file: echo "include ..." > /etc/krb.conf.ipanew
>>>>>>>>>>>> Then cat the contents of the existing file in it: cat /etc/krb.conf >>
>>>>>>>>>>>> /etc/krb.conf.ipanew
>>>>>>>>>>>> And finally atomically rename it: mv /etc/krb.conf.ipanew /etc/krb.conf
>>>>>>>>>>>>
>>>>>>>>>>>> This method is also safe wrt something killing the yum process ...
>>>>>>>>>>>>
>>>>>>>>>>>> Simo.
>>>>>>>>>>>
>>>>>>>>>>> I'm attaching a new revision of the patches not even two months after
>>>>>>>>>>> the original nack.
>>>>>>>>>>>
>>>>>>>>>>> I also think it might be nice to have a more general way of upgrading
>>>>>>>>>>> the client config so I filed
>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/3149
>>>>>>>>>>
>>>>>>>>>> I don't think grepping for a string is an effective way to determine if the
>>>>>>>>>> client has been configured. Someone could have removed that line.
>>>>>>>>>>
>>>>>>>>>> I'd prefer using /var/lib/ipa-client/sysrestore/sysrestore.index. If it exists
>>>>>>>>>> and has more than 2 lines in it ([files] + one other file) then it is safe to
>>>>>>>>>> say the client is configured, or at least partially configured.
>>>>>>>>>>
>>>>>>>>>> rob
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I just found one more issue. What if ipa-client-install is run with --no-sssd
>>>>>>>>> option? In that case I assume we should not include the SSSD's krb5.include.d,
>>>>>>>>> right? The same would also apply for upgrades, we would need to check if client
>>>>>>>>> was actually configured with SSSD before mangling their krb5.conf.
>>>>>>>>
>>>>>>>> Yeah that's right, we should have all sssd related changes under a
>>>>>>>> conditional that is true only when sssd is enabled.
>>>>>>>>
>>>>>>>> Simo.
>>>>>>>
>>>>>>> OK, new patches are attached. In new installs, the includedir is only
>>>>>>> added when options.sssd is true. During upgrades, I checked for
>>>>>>> sssd.conf's existence, I'm not sure if there's any other way to check if
>>>>>>> the client was configured with sssd?
>>>>>>
>>>>>> Hello Jakub, thanks for these patches. I think that checking if /etc/sssd.conf
>>>>>> exists is actually not so bad a way to test if it was configured.
>>>>>> Anyway, I did a
>>>>>> few tests on server and client but I still see a few issues:
>>>>>>
>>>>>> 1) SELinux context of krb5.conf is not as expected (but I am not sure what real
>>>>>> issue that could cause):
>>>>>>
>>>>>> # restorecon -FvvR /etc/krb5.conf
>>>>>> restorecon reset /etc/krb5.conf context
>>>>>> unconfined_u:object_r:etc_t:s0->system_u:object_r:krb5_conf_t:s0
>>>>>>
>>>>>
>>>>> Fixed. Thanks, I should have noticed that doing mv would just replace
>>>>> the original context.
>>>>>
>>>>>> 2) I can no longer kinit on IPA server after applying your patch
>>>>>> # rpm -q sssd
>>>>>> sssd-1.9.90-0.20121030T1436Zgitf46bf56.fc17.x86_64
>>>>>> # rpm -Uvh --force freeipa-*.rpm
>>>>>> # head -n 5 /etc/krb5.conf
>>>>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>>>> [logging]
>>>>>> default = FILE:/var/log/krb5libs.log
>>>>>> kdc = FILE:/var/log/krb5kdc.log
>>>>>> admin_server = FILE:/var/log/kadmind.log
>>>>>> # KRB5_TRACE=/dev/stdout kinit admin
>>>>>> [21059] 1351684052.658548: Getting initial credentials for
>>>>>> admin@IDM.LAB.BOS.REDHAT.COM
>>>>>> [21059] 1351684052.665269: Sending request (200 bytes) to IDM.LAB.BOS.REDHAT.COM
>>>>>> [21059] 1351684052.665989: Resolving hostname vm-044.idm.lab.bos.redhat.com
>>>>>> [21059] 1351684052.667511: Sending initial UDP request to dgram 10.16.78.44:88
>>>>>> [21059] 1351684052.672514: Received answer from dgram 10.16.78.44:88
>>>>>> [21059] 1351684052.672653: Response was from master KDC
>>>>>> [21059] 1351684052.672751: Received error from KDC: -1765328370/KDC has no
>>>>>> support for encryption type
>>>>>> kinit: KDC has no support for encryption type while getting initial credentials
>>>>>>
>>>>>>
>>>>>> Now when I comment includedir:
>>>>>> # head -n 5 /etc/krb5.conf
>>>>>> # kinit admin
>>>>>> Password for admin@IDM.LAB.BOS.REDHAT.COM:
>>>>>> # echo $?
>>>>>> 0
>>>>>>
>>>>>> When I upgraded client machine (without krb5kdc), kinit worked fine.
Does that >>>>>> mean that krb5.conf can only be changed on client machines? >>>>>> >>>>> >>>>> I'm still looking into this. I'm not sure why kinit does that and why it >>>>> does that on the IPA server only. Unfortunately the default krb5 package >>>>> is so optimized that I need to rebuild one without optimizations. >>>>> >>>>>> 3) We should also add Requires on sssd >= 1.9.0 in FreeIPA spec file to pick up >>>>>> the new feature. Otherwise I just get an error on client: >>>>>> >>>>>> # kinit admin >>>>>> kinit: Included profile directory could not be read while initializing Kerberos >>>>>> 5 library >>>>>> >>>>> >>>>> Done >>>>> >>>>>> 4) (Optional) I think we can make the process of checking if IPA is configured >>>>>> easier and follow a similar way that Sumit did: >>>>>> https://fedorahosted.org/freeipa/changeset/fe66fbe637132ac5eb22eea388e2261f33497bf5/ >>>>>> >>>>>> This section: >>>>>> >>>>>> +restore=0 >>>>>> +test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l >>>>>> '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') >>>>>> + >>>>>> +if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then >>>>>> + if ! egrep -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf >>>>>> 2>/dev/null ; then >>>>>> >>>>>> could then be replaced by something like this: >>>>>> >>>>>> python -c "import sys; from ipapython import ipautil; sys.exit(0 if >>>>>> ipapython.is_ipaclient_configured() else 1);" > /dev/null 2>&1 >>>>>> if [ $? -eq 0 ]; then >>>>>> >>>>>> I am not saying you need to do this step, this can be done later by us. >>>>> >>>>> That code currently only exists for IPA server, right? At least judging >>>>> by: >>>> >from ipaserver.install import installutils; >>>>> >>>>> Then I would prefer to do it separately. It's a good idea, though, the >>>>> postscript as it is now is ugly. 
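Review bot: the configured-client test in the quoted scriptlet, `[ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]`, is followed by `egrep -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf`, and that is a plain substring match: it is also satisfied by a commented-out or otherwise inactive line mentioning the directory, in which case the upgrade silently never adds the directive, and the unescaped dots in the pattern match any character. Match the directive itself, for instance `grep -Eq '^[[:space:]]*includedir[[:space:]]+/var/lib/sss/pubconf/krb5.include.d/?[[:space:]]*$' /etc/krb5.conf`, and keep in mind that `wc -l` counts newline characters, so the `-ge 2` test on sysrestore.index is one short if the last entry lacks a trailing newline. Moving this decision into Python, as Martin suggests, would avoid both problems.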
>>>>> >>>> >>>> Thanks for updated patch, now when I updated to the most recent sssd, kinit >>>> worked for me even though IPA master krb5.conf was updated. Few more issues I >>>> found follows: >>>> >>> >>> That must have been krb5 updated, sssd does not have much to do with >>> bare kinit. >>> >>>> rpmbuild --define "_topdir /root/freeipa-master/rpmbuild" -ba freeipa.spec >>>> error: line 179: Bad Requireflags: qualifiers: Requires(postttrans): >>>> policycoreutils >>>> make: *** [rpms] Error 1 >>>> >>>> This is the reason: >>>> +Requires(postttrans): policycoreutils >>>> should be: >>>> +Requires(posttrans): policycoreutils >>>> >>> >>> Thanks, the requires were misplaced, they were present in the server >>> section and should have been in the client section..and because I only >>> tested with make client-rpms (see below), I didn't notice the typo. >>> >>>> 2) IPA server krb5.conf is not updated for clean server/replica installation. >>>> The includedir can get there only with next package update. >>>> >>>> install/share/krb5.conf.template would also need to be updated. >>>> >>> >>> Done. I didn't realize the codepaths were different. >>> >>>> >>>> Besides these 2 issues (and the SELinux ones), the patch should be good to go. >>>> >>>> Martin >>> >>> New patches are attached. >>> >> >> We have discussed the patch with Jakub off-list and decided that the >> upgrade should be done in %post (with an appropriate $1 check) >> instead of %posttrans. >> > > With a little bit more context about why I chose %posttrans initially at > all..I wasn't sure if yum/rpm guarantees it would install the > dependencies (in this case sssd) before installing ipa-client-install, > so I initially did the upgrade in %posttrans to make sure all packages > were in place. > >> Besides that, ACK. > > Thank you, new patches are attached. I was waiting for selinux-policy to be updated so the included files would work in enforcing mode. That new package is on its way to updates-testing now. 
I pushed these three patches plus one which sets a new minimum for selinux-policy. pushed to master and ipa-3-0 rob From pvoborni at redhat.com Thu Dec 6 16:05:30 2012 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 06 Dec 2012 17:05:30 +0100 Subject: [Freeipa-devel] [PATCH] 226 Better error message for login of users from other realms In-Reply-To: <50AB1F26.9090702@redhat.com> References: <50A3DD31.60007@redhat.com> <1352916957.10327.670.camel@willson.li.ssimo.org> <50A4D1D7.7040101@redhat.com> <50AB1F26.9090702@redhat.com> Message-ID: <50C0C24A.8040900@redhat.com> On 11/20/2012 07:11 AM, Endi Sukma Dewata wrote: > On 11/15/2012 5:28 AM, Petr Vobornik wrote: >> Changed. Updated patch attached. > > ACK. Pushed to master, ipa-3-0. > > Just a minor thing, the errors object probably can be created outside of > show_login_error_message() since it contains only fixed messages. > -- Petr Vobornik From mkosek at redhat.com Thu Dec 6 16:19:04 2012 
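As an added example, not FreeIPA's %post scriptlet nor any code from the krb5.conf thread above, the following Python does the upgrade step that thread converged on: the file-replacement method Simo lays out (build the new file beside the old one, then rename it over the original, so krb5.conf never momentarily holds only the includedir line and a killed yum leaves the old file intact), the configured-client test Rob proposes (a sysrestore.index with `[files]` plus at least one entry), and a real check for the directive rather than a substring grep. It is stdlib only; the paths default to the ones named in the thread and are parameters so it can be exercised on a scratch directory.

```python
"""Prepend 'includedir <dir>' to krb5.conf atomically and idempotently.

Added example, not FreeIPA code.  Default paths are the ones discussed in
the thread; everything is parameterised so it can run against a temp dir.
"""
import os
import stat
import tempfile

SSSD_INCLUDEDIR = "/var/lib/sss/pubconf/krb5.include.d/"
SYSRESTORE_INDEX = "/var/lib/ipa-client/sysrestore/sysrestore.index"


def client_configured(index_path=SYSRESTORE_INDEX):
    """Rob's heuristic: the client is (at least partially) configured when
    the sysrestore index exists and holds a '[files]' section plus at least
    one backed-up file, i.e. two or more lines."""
    try:
        with open(index_path) as f:
            return sum(1 for _ in f) >= 2
    except IOError:
        return False


def has_includedir(path, includedir=SSSD_INCLUDEDIR):
    """True if krb5.conf already carries an active includedir directive for
    this directory.  Compared as a parsed directive, not as a substring, so
    a commented-out line or an unrelated mention of the path does not count."""
    try:
        with open(path) as f:
            for line in f:
                parts = line.split()
                if (len(parts) == 2 and parts[0] == "includedir"
                        and parts[1].rstrip("/") == includedir.rstrip("/")):
                    return True
    except IOError:
        pass
    return False


def prepend_includedir(path, includedir=SSSD_INCLUDEDIR):
    """Put 'includedir <dir>' on the first line of `path`.

    Returns True if the file was changed, False if the directive was already
    there.  The new content goes to a temporary file in the same directory,
    is flushed to disk, gets the original's mode and ownership, and is then
    renamed over the original: readers see the old or the new file, never a
    half-written one.  rename() carries the temp file's SELinux label along,
    which is the etc_t context Martin saw; on an enforcing host run
    'restorecon /etc/krb5.conf' afterwards (not done here).
    """
    if has_includedir(path, includedir):
        return False
    with open(path) as f:
        original = f.read()
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(prefix=".krb5.conf.",
                               dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as out:
            out.write("includedir %s\n" % includedir)
            out.write(original)
            out.flush()
            os.fsync(out.fileno())
        os.chmod(tmp, stat.S_IMODE(st.st_mode))
        try:
            os.chown(tmp, st.st_uid, st.st_gid)
        except OSError:
            pass  # not root (e.g. a test run): ownership stays the caller's
        os.rename(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return True
```

In an upgrade hook the call would be guarded the way the thread agreed: only when `client_configured()` holds and `/etc/sssd/sssd.conf` exists, since a `--no-sssd` client must not gain the SSSD include directory.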
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 06 Dec 2012 17:19:04 +0100 Subject: [Freeipa-devel] [PATCH] 340 Add OCSP and CRL URIs to certificates In-Reply-To: <50C0BE3F.6070108@redhat.com> References: <50C0BD9B.6010008@redhat.com> <50C0BE3F.6070108@redhat.com> Message-ID: <50C0C578.3050303@redhat.com> On 12/06/2012 04:48 PM, Martin Kosek wrote: > On 12/06/2012 04:45 PM, Martin Kosek wrote: >> Modify the default IPA CA certificate profile to include CRL and >> OCSP extensions which will add URIs to IPA CRL&OCSP to published >> certificates. >> >> Both CRL and OCSP extensions have 2 URIs, one pointing directly to >> the IPA CA which published the certificate and one to a new CNAME >> ipa-ca.$DOMAIN which was introduced as a general CNAME pointing >> to all IPA replicas which have CA configured. >> >> The new CNAME is added either during new IPA server/replica/CA >> installation or during upgrade. >> >> https://fedorahosted.org/freeipa/ticket/3074 >> https://fedorahosted.org/freeipa/ticket/1431 >> >> ---- >> >> This patch originates in Rob's WIP OCSP patch, which I had to rewrite to make >> things working as we want to :-) >> >> Martin >> > > I knew the subject is wrong the moment I clicked the Send button... Sending a > fixed patch. > > Martin Found a crash in ipa-replica-install, sending a fixed patch. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-340-2-add-ocsp-and-crl-uris-to-certificates.patch Type: text/x-patch Size: 30634 bytes Desc: not available URL: From rcritten at redhat.com Thu Dec 6 19:35:25 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 06 Dec 2012 14:35:25 -0500 Subject: [Freeipa-devel] [PATCH] 340 Add OCSP and CRL URIs to certificates In-Reply-To: <50C0C578.3050303@redhat.com> References: <50C0BD9B.6010008@redhat.com> <50C0BE3F.6070108@redhat.com> <50C0C578.3050303@redhat.com> Message-ID: <50C0F37D.1070202@redhat.com> Martin Kosek wrote: > On 12/06/2012 04:48 PM, Martin Kosek wrote: >> On 12/06/2012 04:45 PM, Martin Kosek wrote: >>> Modify the default IPA CA certificate profile to include CRL and >>> OCSP extensions which will add URIs to IPA CRL&OCSP to published >>> certificates. >>> >>> Both CRL and OCSP extensions have 2 URIs, one pointing directly to >>> the IPA CA which published the certificate and one to a new CNAME >>> ipa-ca.$DOMAIN which was introduced as a general CNAME pointing >>> to all IPA replicas which have CA configured. >>> >>> The new CNAME is added either during new IPA server/replica/CA >>> installation or during upgrade. >>> >>> https://fedorahosted.org/freeipa/ticket/3074 >>> https://fedorahosted.org/freeipa/ticket/1431 >>> >>> ---- >>> >>> This patch originates in Rob's WIP OCSP patch, which I had to rewrite to make >>> things working as we want to :-) >>> >>> Martin >>> >> >> I knew the subject is wrong the moment I clicked the Send button... Sending a >> fixed patch. >> >> Martin > > Found a crash in ipa-replica-install, sending a fixed patch. > > Martin It looks good. I tested with and without DNS, with and without CAs, adding CAs, upgrades, no problems. The only question I have is this effectively makes the CRL optional. If it isn't found configured in the profile it won't add it in. Was that intentional? rob From rcritten at redhat.com Thu Dec 6 21:30:56 2012 
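As an added example, not FreeIPA, dogtag or Martin's patch code, of what the new profile extensions are supposed to put into issued certificates, the following Python mints a throw-away self-signed certificate with the same shape of Authority Information Access (OCSP) and CRL Distribution Point extensions, two URIs each, the issuing CA host plus the ipa-ca.$DOMAIN CNAME, and then audits a certificate for them. That audit is the quick way to answer Rob's question above: a profile in which the CRL set was left out shows up as a missing CRL pointer on the next issued certificate. It needs the `cryptography` package; the domain, host name and URL paths are made-up assumptions, not values taken from the patch.

```python
"""Audit a certificate for the OCSP and CRL pointers the IPA CA profile
change is meant to add.

Added example, not FreeIPA or dogtag code.  DOMAIN, CA_HOST, OCSP_PATH and
CRL_PATH are assumptions made up for the example.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

DOMAIN = "example.test"                 # assumed
CA_HOST = "ipa1.example.test"           # assumed: the replica that issued the cert
CNAME = "ipa-ca.%s" % DOMAIN            # the CNAME described in the patch
OCSP_PATH = "/ca/ocsp"                  # assumed path
CRL_PATH = "/ipa/crl/MasterCRL.bin"     # assumed path


def expected_uris(path, hosts=(CA_HOST, CNAME)):
    """Both URIs a pointer should carry: the issuing CA and the CNAME."""
    return ["http://%s%s" % (h, path) for h in hosts]


def issue_cert(ocsp_uris, crl_uris):
    """Self-signed certificate carrying AIA/OCSP and CRLDP with the given
    URIs; an empty list leaves that extension out, mimicking a profile
    whose extension set was not enabled."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "host.%s" % DOMAIN)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=1)))
    if ocsp_uris:
        builder = builder.add_extension(x509.AuthorityInformationAccess([
            x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                   x509.UniformResourceIdentifier(u))
            for u in ocsp_uris]), critical=False)
    if crl_uris:
        builder = builder.add_extension(x509.CRLDistributionPoints([
            x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(u)],
                                   relative_name=None, reasons=None, crl_issuer=None)
            for u in crl_uris]), critical=False)
    return builder.sign(key, hashes.SHA256())


def revocation_uris(cert):
    """Return (ocsp_uris, crl_uris) found in the certificate; a missing
    extension yields an empty list rather than an exception."""
    ocsp, crl = [], []
    try:
        aia = cert.extensions.get_extension_for_class(
            x509.AuthorityInformationAccess).value
        ocsp = [d.access_location.value for d in aia
                if d.access_method == AuthorityInformationAccessOID.OCSP]
    except x509.ExtensionNotFound:
        pass
    try:
        cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
        for dp in cdp:
            crl.extend(n.value for n in (dp.full_name or [])
                       if isinstance(n, x509.UniformResourceIdentifier))
    except x509.ExtensionNotFound:
        pass
    return ocsp, crl


def audit(cert):
    """List of problems; empty when both pointers are present with both
    URIs (issuing CA and the ipa-ca CNAME)."""
    ocsp, crl = revocation_uris(cert)
    problems = []
    for label, found, path in (("OCSP", ocsp, OCSP_PATH), ("CRL", crl, CRL_PATH)):
        if not found:
            problems.append("%s pointer missing" % label)
            continue
        for uri in expected_uris(path):
            if uri not in found:
                problems.append("%s pointer lacks %s" % (label, uri))
    return problems
```

Run `audit()` over a certificate freshly requested from each replica after the upgrade; the CNAME entry is what lets a client keep checking revocation when the replica that issued the certificate is gone.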
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 06 Dec 2012 16:30:56 -0500 Subject: [Freeipa-devel] [PATCH] 1077 fix ipa-join --unenroll crash Message-ID: <50C10E90.3060408@redhat.com> There were a number of code paths where we would try to call xmlrpc_env_clean() without having first called xmlrpc_env_init() Re-order the code so we always initialize the XML-RPC client first. I also noticed a place where the return value of strdup() was not being checked for NULL. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-1077-join.patch Type: text/x-patch Size: 2100 bytes Desc: not available URL: From mkosek at redhat.com Fri Dec 7 07:39:54 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 07 Dec 2012 08:39:54 +0100 Subject: [Freeipa-devel] [PATCH] 340 Add OCSP and CRL URIs to certificates In-Reply-To: <50C0F37D.1070202@redhat.com> References: <50C0BD9B.6010008@redhat.com> <50C0BE3F.6070108@redhat.com> <50C0C578.3050303@redhat.com> <50C0F37D.1070202@redhat.com> Message-ID: <50C19D4A.1060000@redhat.com> On 12/06/2012 08:35 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> On 12/06/2012 04:48 PM, Martin Kosek wrote: >>> On 12/06/2012 04:45 PM, Martin Kosek wrote: >>>> Modify the default IPA CA certificate profile to include CRL and >>>> OCSP extensions which will add URIs to IPA CRL&OCSP to published >>>> certificates. >>>> >>>> Both CRL and OCSP extensions have 2 URIs, one pointing directly to >>>> the IPA CA which published the certificate and one to a new CNAME >>>> ipa-ca.$DOMAIN which was introduced as a general CNAME pointing >>>> to all IPA replicas which have CA configured. >>>> >>>> The new CNAME is added either during new IPA server/replica/CA >>>> installation or during upgrade. >>>> >>>> https://fedorahosted.org/freeipa/ticket/3074 >>>> https://fedorahosted.org/freeipa/ticket/1431 >>>> >>>> ---- >>>> >>>> This patch originates in Rob's WIP OCSP patch, which I had to rewrite to make >>>> things working as we want to :-) >>>> >>>> Martin >>>> >>> >>> I knew the subject is wrong the moment I clicked the Send button... Sending a >>> fixed patch. >>> >>> Martin >> >> Found a crash in ipa-replica-install, sending a fixed patch. >> >> Martin > > It looks good. I tested with and without DNS, with and without CAs, adding CAs, > upgrades, no problems. > > The only question I have is this effectively makes the CRL optional. If it > isn't found configured in the profile it won't add it in. Was that intentional? > > rob > It certainly wasn't intentional. Did it happen for you? 
It did not reproduce it in my tests as I always tried to request a cert and then checked for CRL record in it, but I found a glitch in my patch, pasting an interdiff: diff -u b/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py --- b/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1350,7 +1350,7 @@ new_set_list = None if setlist == '1,2,3,4,5,6,7,8': - new_set_list = '1,2,3,4,5,6,7,8,10' + new_set_list = '1,2,3,4,5,6,7,8,9' elif setlist == '1,2,3,4,5,6,7,8,10': new_set_list = '1,2,3,4,5,6,7,8,9,10' This may have caused an issue in your case. I checked a profile we use either with dogtag9 and dogtag10, and both have one empty CRL extension template, so if crl_profile_count == '1': should pass and CRL should be filled. Following sections should then enable it: + if setlist == '1,2,3,4,5,6,7,8': + new_set_list = '1,2,3,4,5,6,7,8,10' + elif setlist == '1,2,3,4,5,6,7,8,10': + new_set_list = '1,2,3,4,5,6,7,8,9,10' + + if new_set_list: + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.list', + new_set_list, quotes=False, separator='=') Updated patch (with the interdiff) attached). Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-340-3-add-ocsp-and-crl-uris-to-certificates.patch Type: text/x-patch Size: 30633 bytes Desc: not available URL: From mkosek at redhat.com Fri Dec 7 09:01:25 2012 
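Review bot: the interdiff still picks the new `policyset.serverCertSet.list` by comparing the whole string against two literals, so a profile whose list is in any other state gets no change at all and the CRL set stays out in practice, which is the behaviour Rob observed; and the first transition is now `'1,2,3,4,5,6,7,8'` → `'1,2,3,4,5,6,7,8,9'` in the interdiff while the block quoted under "Following sections should then enable it" still shows `'1,2,3,4,5,6,7,8,10'` for the same case, so one of the two is stale. Suggest splitting the list instead of matching it, e.g. `sets = setlist.split(',')` followed by `new_set_list = ','.join(sets + [s for s in ('9', '10') if s not in sets])`, and calling `installutils.set_directive(...)` only when the value actually changed; that is idempotent across repeated upgrades and covers both the dogtag 9 and dogtag 10 profiles.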
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 07 Dec 2012 10:01:25 +0100 Subject: [Freeipa-devel] [PATCH] 1077 fix ipa-join --unenroll crash In-Reply-To: <50C10E90.3060408@redhat.com> References: <50C10E90.3060408@redhat.com> Message-ID: <50C1B065.70607@redhat.com>
On 12/06/2012 10:30 PM, Rob Crittenden wrote:
> There were a number of code paths where we would try to call xmlrpc_env_clean()
> without having first called xmlrpc_env_init(). Re-order the code so we always
> initialize the XML-RPC client first.
>
> I also noticed a place where the return value of strdup() was not being checked
> for NULL.
>
> rob
>

The crash is fixed indeed:

# /usr/sbin/ipa-join --unenroll -h foo
The hostname must be fully-qualified: foo
Segmentation fault
# rpm -Uvh --force freeipa-*
...
# /usr/sbin/ipa-join --unenroll -h foo
The hostname must be fully-qualified: foo

I just discovered quite a few memory leaks in the code you touched, for starters the host, paramArrayP or argArrayP. Fortunately, ipa-join is not a long-running program, so the memory leak is not so harmful. Thus, if you do not want to fix the memory leaks in this patch, then ACK, we can open a ticket for it.

Martin

From pviktori at redhat.com Fri Dec 7 09:05:02 2012
From: pviktori at redhat.com (Petr Viktorin) Date: Fri, 07 Dec 2012 10:05:02 +0100 Subject: [Freeipa-devel] [PATCH] 350 Configuring CA with ConfigParser. In-Reply-To: <50BF43E9.6010302@redhat.com> References: <50BE6835.4070106@redhat.com> <50BE707C.6090101@redhat.com> <50BF43E9.6010302@redhat.com> Message-ID: <50C1B13E.4080307@redhat.com>
On 12/05/2012 01:54 PM, Petr Viktorin wrote:
> On 12/04/2012 10:51 PM, Endi Sukma Dewata wrote:
>> On 12/4/2012 3:16 PM, Endi Sukma Dewata wrote:
>>> The configuration code has been modified to use the ConfigParser to
>>> set the parameters in the CA section in the deployment configuration.
>>> This allows IPA to define additional PKI subsystems in the same
>>> configuration file.
>>>
>>> PKI Ticket #399 (https://fedorahosted.org/pki/ticket/399)
>>
>> New patch attached. Bumped the minimum pki-ca version.
>>
>> Note that the path to the ca_admin_cert.p12 is hardcoded due to this
>> bug: https://fedorahosted.org/pki/ticket/437
>>
>
> ACK
>
>
> Attaching an additional patch that uses our DN objects, instead of
> strings, for the DN operations. I've overlooked that in the original
> Dogtag 10 patches (or the DN work overlapped with them, I forget).
>
> Until the new Dogtag hits official repos, you will need to use daily
> builds from http://nkinder.fedorapeople.org/dogtag-devel/fedora/
>

Here is a rebased version of Endi's patch.

-- 
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0350-4-Configuring-CA-with-ConfigParser.patch
Type: text/x-patch
Size: 11311 bytes
Desc: not available
URL:

From mkosek at redhat.com Fri Dec 7 09:35:12 2012
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 07 Dec 2012 10:35:12 +0100 Subject: [Freeipa-devel] [PATCH] 1075 wrap password change in transaction In-Reply-To: <50C0200E.4090609@redhat.com> References: <50C0200E.4090609@redhat.com> Message-ID: <50C1B850.6030502@redhat.com> On 12/06/2012 05:33 AM, Rob Crittenden wrote: > Wrap the password change extop in a 389-ds transaction and ensure that > administratively set passwords are always considered expired. > > I also removed an extraneous init from the betxn conversion. This was causing > an error to be raised in the 389-ds error logs. > > rob > This was acked off-list by Rich, so giving a second ACK from me. Worked fine. Fixed a typo in commit topic and pushed to master. Martin From mkosek at redhat.com Fri Dec 7 11:26:28 2012 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 07 Dec 2012 12:26:28 +0100 Subject: [Freeipa-devel] [PATCH] 341 Bump 389-ds-base minimum in our spec file Message-ID: <50C1D264.6010702@redhat.com> Our code needs both Requires and BuildRequires set to 389-ds-base which supports transactions. -- This patch is for master branch only. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-341-bump-389-ds-base-minimum-in-our-spec-file.patch Type: text/x-patch Size: 1777 bytes Desc: not available URL: From mkosek at redhat.com Fri Dec 7 12:00:16 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 07 Dec 2012 13:00:16 +0100 Subject: [Freeipa-devel] [PATCH] 341 Bump 389-ds-base minimum in our spec file In-Reply-To: <50C1D264.6010702@redhat.com> References: <50C1D264.6010702@redhat.com> Message-ID: <50C1DA50.7020005@redhat.com> On 12/07/2012 12:26 PM, Martin Kosek wrote: > Our code needs both Requires and BuildRequires set to 389-ds-base > which supports transactions. > > -- > > This patch is for master branch only. > > Martin > Attaching a patch with configure.ac change that Sumit suggested off-list. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-341-2-bump-389-ds-base-minimum-in-our-spec-file.patch Type: text/x-patch Size: 2377 bytes Desc: not available URL: From mkosek at redhat.com Fri Dec 7 12:14:37 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 07 Dec 2012 13:14:37 +0100 Subject: [Freeipa-devel] [PATCH] 335 Stop and disable conflicting time&date services In-Reply-To: <1353016145.10327.766.camel@willson.li.ssimo.org> References: <50A4D35D.6070304@redhat.com> <1352989343.10327.752.camel@willson.li.ssimo.org> <50A5194E.80908@redhat.com> <1353016145.10327.766.camel@willson.li.ssimo.org> Message-ID: <50C1DDAD.409@redhat.com> On 11/15/2012 10:49 PM, Simo Sorce wrote: > On Thu, 2012-11-15 at 17:33 +0100, Martin Kosek wrote: >> On 11/15/2012 03:22 PM, Simo Sorce wrote: >>> On Thu, 2012-11-15 at 12:34 +0100, Martin Kosek wrote: >>>> Fedora 16 introduced chrony as default client time&date synchronization >>>> service: >>>> http://fedoraproject.org/wiki/Features/ChronyDefaultNTP >>>> Thus, there may be people already using chrony as their time and date >>>> synchronization service before installing IPA. >>>> >>>> However, installing IPA server or client on such machine may lead to >>>> unexpected behavior, as the IPA installer would configure ntpd and leave >>>> the machine with both ntpd and chronyd enabled. However, since the OS >>>> does not allow both chronyd and ntpd to be running concurrently and chronyd >>>> has the precedence, ntpd would not be run on that system at all. >>>> >>>> Make sure, that user is warned when trying to install IPA on such >>>> system and is given a possibility to either not to let IPA configure >>>> ntpd at all or to let the installer stop and disable chronyd. >>>> >>>> https://fedorahosted.org/freeipa/ticket/2974 >>> >>> This looks a bit backwards to me. >>> >>> The IPA server can only configure ntpd because it configures it to serve >>> time to the clients. So on a server force_ntpd should be the default and >>> the install should automatically shutdown crony. 
>>
>> I considered that option too, but it simply just did not seem very "polite" to
>> silently stop and disable chrony with some custom user time&date
>> synchronization configuration that the user may rely on.
>>
>> Telling the user what's the problem and providing him with options what to do
>> seemed more user friendly to me...
>
> not on the server, no you don't get to choose there, unless you call
> install script with --no-ntp

Well, IMO this is exactly what my patch does on the server side. It allows the user to either run the server install with --no-ntp or let it install with --force-ntpd which disables other time&date services. Those are the only 2 choices, I just did the ntpd configuration in a polite way.

>
>>>
>>> On clients we may give a choice, but then we should not stop, we should
>>> instead configure the one tool the admin wants to use and point it to
>>> the server, because time synchronization is critical. Not syncing time
>>> is basically not an option so our default behavior must be to make sure
>>> one of the time tools is properly configured and require a force flag if
>>> the admin wants to 'not' configure a time sync tool.
>>>
>>> Simo.
>>>
>>
>> The force flag to not configure a time sync tool is already there as --no-ntp. I
>> already discussed this with Rob before, I was advised to rather stick with
>> ntpd only for the time being. Adding Rob to CC to comment on this one.
>
> Not sure I grok what this entails, support only ntpd ?

At this moment, yes.

> In this case we can error out if chrony is there on the client, but not
> on the server. On the server we just roll over chrony, as chrony is not an
> ntp server at all so it should go
> if the admin *really* insists on using chrony then they'll have to
> explicitly install the server with --no-ntp
> note that we are not going to change chrony's configuration just turn it
> off and start ntpd instead.
>
> Simo.
>

Do I understand this right, that you also want to add support for chrony? I.e.
that ipa-client-install should be able to configure either ntpd or chronyd for synchronization based on user's choice? If yes, I am OK with that and I can implement it - I just wanted to make sure that this is what we want. In current state, ipa-client-install errors out when chrony is configured and allows user to either run with --no-ntp (and thus keep the chrony running) or with --force-ntpd which would disable chronyd and configure&enable ntpd. Martin From sbose at redhat.com Fri Dec 7 12:49:48 2012 From: sbose at redhat.com (Sumit Bose) Date: Fri, 7 Dec 2012 13:49:48 +0100 Subject: [Freeipa-devel] [PATCH] 341 Bump 389-ds-base minimum in our spec file In-Reply-To: <50C1DA50.7020005@redhat.com> References: <50C1D264.6010702@redhat.com> <50C1DA50.7020005@redhat.com> Message-ID: <20121207124948.GG1971@localhost.localdomain> On Fri, Dec 07, 2012 at 01:00:16PM +0100, Martin Kosek wrote: > On 12/07/2012 12:26 PM, Martin Kosek wrote: > > Our code needs both Requires and BuildRequires set to 389-ds-base > > which supports transactions. > > > > -- > > > > This patch is for master branch only. > > > > Martin > > > > Attaching a patch with configure.ac change that Sumit suggested off-list. > > Martin > ACK bye, Sumit From mkosek at redhat.com Fri Dec 7 13:00:26 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 07 Dec 2012 14:00:26 +0100 Subject: [Freeipa-devel] [PATCH] 341 Bump 389-ds-base minimum in our spec file In-Reply-To: <20121207124948.GG1971@localhost.localdomain> References: <50C1D264.6010702@redhat.com> <50C1DA50.7020005@redhat.com> <20121207124948.GG1971@localhost.localdomain> Message-ID: <50C1E86A.30208@redhat.com> On 12/07/2012 01:49 PM, Sumit Bose wrote: > On Fri, Dec 07, 2012 at 01:00:16PM +0100, Martin Kosek wrote: >> On 12/07/2012 12:26 PM, Martin Kosek wrote: >>> Our code needs both Requires and BuildRequires set to 389-ds-base >>> which supports transactions. >>> >>> -- >>> >>> This patch is for master branch only. >>> >>> Martin >>> >> >> Attaching a patch with configure.ac change that Sumit suggested off-list. >> >> Martin >> > > ACK > > bye, > Sumit > Pushed to master. Martin From simo at redhat.com Fri Dec 7 13:51:42 2012 
From: simo at redhat.com (Simo Sorce) Date: Fri, 07 Dec 2012 08:51:42 -0500 Subject: [Freeipa-devel] [PATCH] 335 Stop and disable conflicting time&date services In-Reply-To: <50C1DDAD.409@redhat.com> References: <50A4D35D.6070304@redhat.com> <1352989343.10327.752.camel@willson.li.ssimo.org> <50A5194E.80908@redhat.com> <1353016145.10327.766.camel@willson.li.ssimo.org> <50C1DDAD.409@redhat.com> Message-ID: <1354888302.14475.39.camel@willson.li.ssimo.org> On Fri, 2012-12-07 at 13:14 +0100, Martin Kosek wrote: > On 11/15/2012 10:49 PM, Simo Sorce wrote: > > On Thu, 2012-11-15 at 17:33 +0100, Martin Kosek wrote: > >> On 11/15/2012 03:22 PM, Simo Sorce wrote: > >>> On Thu, 2012-11-15 at 12:34 +0100, Martin Kosek wrote: > >>>> Fedora 16 introduced chrony as default client time&date synchronization > >>>> service: > >>>> http://fedoraproject.org/wiki/Features/ChronyDefaultNTP > >>>> Thus, there may be people already using chrony as their time and date > >>>> synchronization service before installing IPA. > >>>> > >>>> However, installing IPA server or client on such machine may lead to > >>>> unexpected behavior, as the IPA installer would configure ntpd and leave > >>>> the machine with both ntpd and chronyd enabled. However, since the OS > >>>> does not allow both chronyd and ntpd to be running concurrently and chronyd > >>>> has the precedence, ntpd would not be run on that system at all. > >>>> > >>>> Make sure, that user is warned when trying to install IPA on such > >>>> system and is given a possibility to either not to let IPA configure > >>>> ntpd at all or to let the installer stop and disable chronyd. > >>>> > >>>> https://fedorahosted.org/freeipa/ticket/2974 > >>> > >>> This looks a bit backwards to me. > >>> > >>> The IPA server can only configure ntpd because it configures it to serve > >>> time to the clients. So on a server force_ntpd should be the default and > >>> the install should automatically shutdown crony. 
> >>
> >> I considered that option too, but it simply just did not seem very "polite" to
> >> silently stop and disable chrony with some custom user time&date
> >> synchronization configuration that user may rely on.
> >>
> >> Telling user what's the problem and providing him with options what to do
> >> seemed more user friendly to me...
> >
> > not on the server, no you don't get to choose there, unless you call
> > install script with --no-ntp
>
> Well, IMO this is exactly what my patch does on the server side. Allows user to
> either run the server install with --no-ntp or let it install with --force-ntpd
> which disables other time&date services. That are the only 2 choices, I just
> did the ntpd configuration in a polite way.
>
> >
> >>>
> >>> On clients we may give a choice, but then we should not stop, we should
> >>> instead configure the one tool the admin wants to use and point it to
> >>> the server, because time synchronization is critical. Not syncing time
> >>> is basically not an option so our default behavior must be to make sure
> >>> one of the time tool is properly configured and require a force flag if
> >>> the admin wants to 'not' configure a time sync tool.
> >>>
> >>> Simo.
> >>>
> >>
> >> The force flag to not configure time sync tool is already there as --no-ntp. I
> >> already discussed this with Rob before, I was advised to rather stick with the
> >> ntpd only for the time being. Adding Rob to CC to comment on this one.
> >
> > Not sure I grok what this entails, support only ntpd ?
>
> At this moment, yes.
>
> > In this case we can error out if crony is there on the client, but not
> > on the server. On the server we just roll over crony, as crony is not an
> > ntp server at all so it should go
> > if the admin *really* insists in using crony then they'll have to
> > explicitly install the server with --no-ntp
> > note that we are not going to change crony's configuration just turn it
> > off and start ntpd instead.
> >
> > Simo.
> >
>
> Do I understand this right, that you also want to add a support for chrony?
> I.e. that ipa-client-install should be able to configure either ntpd or chronyd
> for synchronization based on user's choice? If yes, I am OK with that and I can
> implement it - I just wanted to make sure that this is what we want.
>
> In current state, ipa-client-install errors out when chrony is configured and
> allows user to either run with --no-ntp (and thus keep the chrony running) or
> with --force-ntpd which would disable chronyd and configure&enable ntpd.

No, that is not what I am saying.

I think these should be the actions taken:

1. Server install (no flags).
   a. nothing is found: install ntpd as usual (unless --no-ntp is passed)
   b. ntpd is found: reconfigure it
   c.1. crony is found: disable it and reconfigure ntpd, no questions asked
   c.2. if --no-ntp is passed in then do not disable crony

2. client install
   a. nothing is found: install ntpd as usual (unless --no-ntp is passed)
   b. ntpd is found: whatever is done now
   c.1. crony is found: warn that crony is in use, but proceed with install
   c.2. if --force-ntpd is passed then disable crony and configure ntpd

Basically in the server we imply a default of --force-ntpd, unless you
pass --no-ntp

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri Dec 7 14:43:44 2012
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 07 Dec 2012 09:43:44 -0500 Subject: [Freeipa-devel] [PATCH] 1077 fix ipa-join --unenroll crash In-Reply-To: <50C1B065.70607@redhat.com> References: <50C10E90.3060408@redhat.com> <50C1B065.70607@redhat.com> Message-ID: <50C200A0.8030406@redhat.com> Martin Kosek wrote: > On 12/06/2012 10:30 PM, Rob Crittenden wrote: >> There were a number of code paths where we would try to call xmlrpc_env_clean() >> without having first called xmlrpc_env_init() Re-order the code so we always >> initialize the XML-RPC client first. >> >> I also noticed a place where the return value of strdup() was not being checked >> for NULL. >> >> rob >> > > The crash is fixed indeed: > > # /usr/sbin/ipa-join --unenroll -h foo > The hostname must be fully-qualified: foo > Segmentation fault > # rpm -Uvh --force freeipa-* > ... > # /usr/sbin/ipa-join --unenroll -h foo > The hostname must be fully-qualified: foo > > I just discovered quite a few memory leaks in the code you touched, for > starters the host, paramArrayP or argArrayP. Fortunately, ipa-join is not a > long time running program, so the memory leak is not so harmful. > > Thus, if you do not want to fix the memory leaks in this patch, then ACK, we > can open a ticket for it. > > Martin > I opened a new ticket for the memory leaks, https://fedorahosted.org/freeipa/ticket/3287 pushed to master and ipa-3-0 rob From mkosek at redhat.com Fri Dec 7 15:50:20 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 07 Dec 2012 16:50:20 +0100 Subject: [Freeipa-devel] [PATCH] 335 Stop and disable conflicting time&date services In-Reply-To: <1354888302.14475.39.camel@willson.li.ssimo.org> References: <50A4D35D.6070304@redhat.com> <1352989343.10327.752.camel@willson.li.ssimo.org> <50A5194E.80908@redhat.com> <1353016145.10327.766.camel@willson.li.ssimo.org> <50C1DDAD.409@redhat.com> <1354888302.14475.39.camel@willson.li.ssimo.org> Message-ID: <50C2103C.5090400@redhat.com> On 12/07/2012 02:51 PM, Simo Sorce wrote: > On Fri, 2012-12-07 at 13:14 +0100, Martin Kosek wrote: >> On 11/15/2012 10:49 PM, Simo Sorce wrote: >>> On Thu, 2012-11-15 at 17:33 +0100, Martin Kosek wrote: >>>> On 11/15/2012 03:22 PM, Simo Sorce wrote: >>>>> On Thu, 2012-11-15 at 12:34 +0100, Martin Kosek wrote: >>>>>> Fedora 16 introduced chrony as default client time&date synchronization >>>>>> service: >>>>>> http://fedoraproject.org/wiki/Features/ChronyDefaultNTP >>>>>> Thus, there may be people already using chrony as their time and date >>>>>> synchronization service before installing IPA. >>>>>> >>>>>> However, installing IPA server or client on such machine may lead to >>>>>> unexpected behavior, as the IPA installer would configure ntpd and leave >>>>>> the machine with both ntpd and chronyd enabled. However, since the OS >>>>>> does not allow both chronyd and ntpd to be running concurrently and chronyd >>>>>> has the precedence, ntpd would not be run on that system at all. >>>>>> >>>>>> Make sure, that user is warned when trying to install IPA on such >>>>>> system and is given a possibility to either not to let IPA configure >>>>>> ntpd at all or to let the installer stop and disable chronyd. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/2974 >>>>> >>>>> This looks a bit backwards to me. >>>>> >>>>> The IPA server can only configure ntpd because it configures it to serve >>>>> time to the clients. 
>>>>> So on a server force_ntpd should be the default and
>>>>> the install should automatically shutdown crony.
>>>>
>>>> I considered that option too, but it simply just did not seem very "polite" to
>>>> silently stop and disable chrony with some custom user time&date
>>>> synchronization configuration that user may rely on.
>>>>
>>>> Telling user what's the problem and providing him with options what to do
>>>> seemed more user friendly to me...
>>>
>>> not on the server, no you don't get to choose there, unless you call
>>> install script with --no-ntp
>>
>> Well, IMO this is exactly what my patch does on the server side. Allows user to
>> either run the server install with --no-ntp or let it install with --force-ntpd
>> which disables other time&date services. That are the only 2 choices, I just
>> did the ntpd configuration in a polite way.
>>
>>>
>>>>>
>>>>> On clients we may give a choice, but then we should not stop, we should
>>>>> instead configure the one tool the admin wants to use and point it to
>>>>> the server, because time synchronization is critical. Not syncing time
>>>>> is basically not an option so our default behavior must be to make sure
>>>>> one of the time tool is properly configured and require a force flag if
>>>>> the admin wants to 'not' configure a time sync tool.
>>>>>
>>>>> Simo.
>>>>>
>>>>
>>>> The force flag to not configure time sync tool is already there as --no-ntp. I
>>>> already discussed this with Rob before, I was advised to rather stick with the
>>>> ntpd only for the time being. Adding Rob to CC to comment on this one.
>>>
>>> Not sure I grok what this entails, support only ntpd ?
>>
>> At this moment, yes.
>>
>>> In this case we can error out if crony is there on the client, but not
>>> on the server. On the server we just roll over crony, as crony is not an
>>> ntp server at all so it should go
>>> if the admin *really* insists in using crony then they'll have to
>>> explicitly install the server with --no-ntp
>>> note that we are not going to change crony's configuration just turn it
>>> off and start ntpd instead.
>>>
>>> Simo.
>>>
>>
>> Do I understand this right, that you also want to add a support for chrony?
>> I.e. that ipa-client-install should be able to configure either ntpd or chronyd
>> for synchronization based on user's choice? If yes, I am OK with that and I can
>> implement it - I just wanted to make sure that this is what we want.
>>
>> In current state, ipa-client-install errors out when chrony is configured and
>> allows user to either run with --no-ntp (and thus keep the chrony running) or
>> with --force-ntpd which would disable chronyd and configure&enable ntpd.
>
> No, that is not what I am saying.
>
> I think these should be the actions taken:
>
> 1. Server install (no flags).
>    a. nothing is found: install ntpd as usual (unless --no-ntp is passed)
>    b. ntpd is found: reconfigure it
>    c.1. crony is found: disable it and reconfigure ntpd, no questions asked
>    c.2. if --no-ntp is passed in then do not disable crony
>
> 2. client install
>    a. nothing is found: install ntpd as usual (unless --no-ntp is passed)
>    b. ntpd is found: whatever is done now
>    c.1. crony is found: warn that crony is in use, but proceed with install
>    c.2. if --force-ntpd is passed then disable crony and configure ntpd
>
> Basically in the server we imply a default of --force-ntpd, unless you
> pass --no-ntp
>
> Simo.
>

Ok, I see your point now. Sending an updated version.

During server installation, user is warned when running conflicting time
service. Installation then enforces ntpd configuration.

During client installation, user is also warned, but continuing in
installation omits ntpd configuration instead. But user can use --force-ntpd to
force ntpd configuration.
Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-335-2-stop-and-disable-conflicting-time-date-services.patch Type: text/x-patch Size: 15268 bytes Desc: not available URL: From rcritten at redhat.com Fri Dec 7 16:01:35 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 07 Dec 2012 11:01:35 -0500 Subject: [Freeipa-devel] [PATCH] 340 Add OCSP and CRL URIs to certificates In-Reply-To: <50C19D4A.1060000@redhat.com> References: <50C0BD9B.6010008@redhat.com> <50C0BE3F.6070108@redhat.com> <50C0C578.3050303@redhat.com> <50C0F37D.1070202@redhat.com> <50C19D4A.1060000@redhat.com> Message-ID: <50C212DF.9050207@redhat.com> Martin Kosek wrote: > On 12/06/2012 08:35 PM, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On 12/06/2012 04:48 PM, Martin Kosek wrote: >>>> On 12/06/2012 04:45 PM, Martin Kosek wrote: >>>>> Modify the default IPA CA certificate profile to include CRL and >>>>> OCSP extensions which will add URIs to IPA CRL&OCSP to published >>>>> certificates. >>>>> >>>>> Both CRL and OCSP extensions have 2 URIs, one pointing directly to >>>>> the IPA CA which published the certificate and one to a new CNAME >>>>> ipa-ca.$DOMAIN which was introduced as a general CNAME pointing >>>>> to all IPA replicas which have CA configured. >>>>> >>>>> The new CNAME is added either during new IPA server/replica/CA >>>>> installation or during upgrade. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/3074 >>>>> https://fedorahosted.org/freeipa/ticket/1431 >>>>> >>>>> ---- >>>>> >>>>> This patch originates in Rob's WIP OCSP patch, which I had to rewrite to make >>>>> things working as we want to :-) >>>>> >>>>> Martin >>>>> >>>> >>>> I knew the subject is wrong the moment I clicked the Send button... Sending a >>>> fixed patch. >>>> >>>> Martin >>> >>> Found a crash in ipa-replica-install, sending a fixed patch. >>> >>> Martin >> >> It looks good. I tested with and without DNS, with and without CAs, adding CAs, >> upgrades, no problems. >> >> The only question I have is this effectively makes the CRL optional. If it >> isn't found configured in the profile it won't add it in. Was that intentional? >> >> rob >> > > It certainly wasn't intentional. Did it happen for you? 
It did not reproduce it > in my tests as I always tried to request a cert and then checked for CRL record > in it, but I found a glitch in my patch, pasting an interdiff: > > diff -u b/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py > --- b/ipaserver/install/cainstance.py > +++ b/ipaserver/install/cainstance.py > @@ -1350,7 +1350,7 @@ > new_set_list = None > > if setlist == '1,2,3,4,5,6,7,8': > - new_set_list = '1,2,3,4,5,6,7,8,10' > + new_set_list = '1,2,3,4,5,6,7,8,9' > elif setlist == '1,2,3,4,5,6,7,8,10': > new_set_list = '1,2,3,4,5,6,7,8,9,10' > > This may have caused an issue in your case. I checked a profile we use either > with dogtag9 and dogtag10, and both have one empty CRL extension template, so > > if crl_profile_count == '1': > > should pass and CRL should be filled. Following sections should then enable it: > > + if setlist == '1,2,3,4,5,6,7,8': > + new_set_list = '1,2,3,4,5,6,7,8,10' > + elif setlist == '1,2,3,4,5,6,7,8,10': > + new_set_list = '1,2,3,4,5,6,7,8,9,10' > + > + if new_set_list: > + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, > + 'policyset.serverCertSet.list', > + new_set_list, quotes=False, separator='=') > > > Updated patch (with the interdiff) attached). > > Martin > Ok, makes sense. ACK, pushed to master rob From simo at redhat.com Fri Dec 7 16:11:21 2012 
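Review bot: the corrected interdiff still keys the policy-set update on exact string equality of `setlist`, so a profile whose `policyset.serverCertSet.list` is in any other state (already containing 9, a different order, an extra id) leaves `new_set_list = None` and the CRL and OCSP extensions are silently never enabled, which is exactly the "CRL becomes optional" behaviour reported above. Parse the value into a list of ints, append 9 and 10 only when they are missing, and write the directive back whenever the list changed; also log when `crl_profile_count` is not '1', so a skipped profile shows up in the install log instead of failing silently.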
From: simo at redhat.com (Simo Sorce) Date: Fri, 07 Dec 2012 11:11:21 -0500 Subject: [Freeipa-devel] [PATCH] 335 Stop and disable conflicting time&date services In-Reply-To: <50C2103C.5090400@redhat.com> References: <50A4D35D.6070304@redhat.com> <1352989343.10327.752.camel@willson.li.ssimo.org> <50A5194E.80908@redhat.com> <1353016145.10327.766.camel@willson.li.ssimo.org> <50C1DDAD.409@redhat.com> <1354888302.14475.39.camel@willson.li.ssimo.org> <50C2103C.5090400@redhat.com> Message-ID: <1354896681.23302.0.camel@willson.li.ssimo.org> On Fri, 2012-12-07 at 16:50 +0100, Martin Kosek wrote: > > Ok, I see your point now. Sending an updated version. > > During server installation, user is warned when running conflicting > time > service. Installation then enforces ntpd configuration. > > During client installation, user is also warned, but continuing in > installation > omits ntpd configuration instead. But user can use --force-ntpd to > force ntpd > configuration. > Looks good to me. Haven't tested myself but ack to the approach. Simo. -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Fri Dec 7 16:33:46 2012 
From: simo at redhat.com (Simo Sorce) Date: Fri, 07 Dec 2012 11:33:46 -0500 Subject: [Freeipa-devel] [PATCH] 0096 support Windows Server 2012 In-Reply-To: <20121205210120.GF22265@redhat.com> References: <20121122155942.GA9142@redhat.com> <1353611080.25995.42.camel@willson.li.ssimo.org> <20121205121641.GD22265@redhat.com> <1354719570.19871.479.camel@willson.li.ssimo.org> <20121205210120.GF22265@redhat.com> Message-ID: <1354898026.23302.1.camel@willson.li.ssimo.org> On Wed, 2012-12-05 at 23:01 +0200, Alexander Bokovoy wrote: > New patch attached. > > It filters out statically compiled in list of well-known SID prefixes > and SIDs belonging to our own domain. Tested and work as expected against Windows 2012 Trusted domain. ACK. > I'll add fetching the white list from the LDAP in next version. Please open a ticket and build this as a separate patch. Simo. > -- Simo Sorce * Red Hat, Inc * New York From jdennis at redhat.com Fri Dec 7 17:36:48 2012 
From: jdennis at redhat.com (John Dennis) Date: Fri, 07 Dec 2012 12:36:48 -0500 Subject: [Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior In-Reply-To: <50A13464.6040908@redhat.com> References: <50A02438.50601@redhat.com> <50A13464.6040908@redhat.com> Message-ID: <50C22930.3090202@redhat.com> On 11/12/2012 12:39 PM, Petr Viktorin wrote: > On 11/11/2012 11:18 PM, John Dennis wrote: In the future please do not quote the entire patch in the email. It makes it much too difficult to respond. It took me a long time to remove all the unnecessary text for this reply. New patch following in a moment, as well as the response to your second email. >> Cookie library issues: >> I decided to solve the cookie library problems by writing a minimal >> cookie library that does what we need and no more than that. It is a >> new module in ipapython shared by both client and server and comes >> with a new unit test. The module has plenty of documentation, no need >> to repeat it here. > > This sucks. Designing, implementing and maintaining our own version of > general code is never good. I'd like to discuss with the other > developers so everyone knows what's happening in this patch. > > Also, API design is a hard thing to do. I'd prefer if we made a subset > of an existing API (especially if there's any hope of the standard > library being fixed) rather than invented a new one. Yes it does suck, no one was more dismayed about this than myself. Here are the bug references and expanded justification. The inability of Cookie.py to parse an Expires attribute was opened 6/10/2008, approximately 4.5 years ago. http://bugs.python.org/issue3073 To this day it remains open and unfixed. I discovered the bug report when I also ran afoul of the failed behavior. It was shortly thereafter I also discovered Cookie.py could not parse the HttpOnly and Secure boolean flags. There are only 7 defined items in a cookie and Cookie.py fails to parse 3 of them, close to a 50% failure rate.
The bug has stayed open 4.5 years without a fix making it into the upstream distribution. If we were dependent on getting Cookie.py fixed we would have to make sure the core Python packages in RHEL 5, RHEL 6, RHEL 7, Fedora 16, Fedora 17, and Fedora 18 were patched. Tracking and making sure the fix gets into all those distributions is a significant effort, but at least we own those distributions and have some control over them. But wait! We also expect the IPA clients to install and successfully run on other systems as well, Debian, Ubuntu, Solaris, etc. Who is going to make sure Cookie.py has been patched on all the releases of all those systems? Frankly I have no confidence the various bugs in Cookie.py will be taken seriously by upstream after it's languished 4.5 years without a fix making it into an upstream release. Nor is it just these 3 parse bugs. I can demonstrate many other ways Cookie.py fails in both cookie generation and cookie parsing. The amount of work needed to assure patched versions of Cookie.py were available in all the systems we hope to deploy the IPA client on would be huge. Compare that to spending less than a day writing a new module and unit test that works and installs with our client. To my thinking it's a no-brainer which is the better choice for the team. But there is another issue with Cookie.py. Its API is horrible, it's difficult to use and important features for working with cookies are completely absent. That's just at the API level; its actual implementation is frighteningly bad. You ask, why don't we at least make the new module API compatible so we can swap it out later when upstream finally gets around to fixing the problems? Emulating a terrible API and then having to extend it into something usable doesn't make sense to me, nor does it seem a good use of team resources nor beneficial to the IPA product.
The bug I opened about the other issues in Cookie.py is: http://bugs.python.org/issue16611 > Please add the following paragraph to the cookie.py docstring, so people > know our implementation is incomplete: > >> It doesn't have every bell and whistle nor can it >> handle all the cookie scenarios found in the wild with random servers >> and browsers, it does what we need in an RFC manner (but not all RFC >> features). The implementation is complete because it follows the RFC. I was perhaps being too cautious. A lot of the extra code in the other libraries exists to accommodate behavior prior to standardization. Those days are hopefully long behind us. Plus our use of cookies is very constrained, we're only going to connect to a server we control. I'm not really worried at this juncture about historical misbehavior. I'm pretty sure the implementation will catch non-RFC compliant behavior and reject it which is probably the right thing to do. The only thing I think might be missing is automatically escaping and unescaping reserved characters. But the RFC is actually mum on this topic. It defines a legal character set which the parsing code observes. The library does not currently validate all values being assigned to a cookie do not contain invalid characters. It's currently up to the caller to supply valid URL components for the domain and path components which might be subject to escaping with HTML entities. Yes, that would be a good thing to add in the future. Is it essential for getting this in? No I don't think so. We won't be assigning anything invalid into the cookie because we've pre-validated everything prior to invoking this code. I've added a comment to this effect in the docstring. >> >> Request URL issues: >> >> We also had problems in rpc.py whereby information from the request >> which is needed when we process the response is not available. Most >> important was the requesting URL.
It turns out that the way the class >> and object relationships are structured it's impossible to get this >> information. Someone else must have run into the same issue because >> there was a routine called reconstruct_url() which attempted to >> recreate the request URL from other available >> information. Unfortunately reconstruct_url() was not callable from >> inside the response handler. So I decided to store the information in >> the thread context and when the request is received extract it from >> the thread context. It's perhaps not an ideal solution but we do >> similar things elsewhere so at least it's consistent. I removed the >> reconstruct_url() function because the exact information is now in the >> context and trying to apply heuristics to recreate the url is probably >> not robust. > > I'm no fan of global state, but I guess there's no other way :( Neither am I. But this is a classic example of how the core Python libraries are messed up. >> +from ipapython.ipa_log_manager import * > > I understand star imports are current practice for ipa_log_manager, but > I believe it is time to start changing it. Especially since you're just > using one of the 8 names you're importing. > But if you don't agree, keep it and let's save the argument for another day. Fixed. > Here and in other places, Git complains about whitespace at end of line. Fixed. >> + def apply_session_cookie(self, url): > This method does too much. Can you split it into one that updates the > global state (and possibly stores the URL there), and another that > modifies the URL? Refactored by splitting out some of the generic logic into xmlclient.get_session_cookie_from_persistent_storage() and Cookie.http_return_ok(). This makes the routine smaller and isolates some common logic. The logic to decide if the cookie should be returned properly belongs in the Cookie class so moving it there made a lot of sense and it should have been done that way originally.
The unit test was also updated to test the new functionality. Plus the logic was expanded to closely follow the RFC requirements. Refactoring the way you suggest does not work because of the logic in create_connection(). I realize it's a bit awkward but I don't want to refactor too much of the existing code in search of a more elegant organization. create_connection() is critical code and the risk of breaking something in search of a more elegant organization is not justified just prior to a release. >> + # O.K. session_cookie is valid to be returned, stash it away where it will will >> + # get included in a HTTP Cookie headed sent to the server. >> + self.log.debug("setting session_cookie into context '%s'", session_cookie) >> + setattr(context, 'session_cookie', session_cookie.http_cookie()) > > I don't understand why setattr is needed here. Why would a simple > context.session_cookie = session_cookie.http_cookie() > not work? > More of the same below. This is current practice across the entire code base. I don't know why it's done that way. I see little value in deviating from existing practice, that only creates more confusion without benefit. Open a code clean-up ticket on this issue if you wish, that will assure the idiom is consistent everywhere. >> - if session_data and e.errcode == 401: >> + if context.has_key('session_cookie') and e.errcode == 401: > > What is has_key? Did you mean to use hasattr? Good catch! Yes I meant hasattr. > >> # Unauthorized. Remove the session and try again. >> - delattr(context, 'session_data') >> + delattr(context, 'session_cookie') > > Since you're touching the code, can you switch to `del > context.session_cookie`? (again, ignore this comment if there's some > deeper magic you're working around) > More of the same below. Again, because this is the current idiom, see above comment about consistency and opening a code clean-up ticket.
>> + # Debug flag for class >> + debug = False > > We have a fancy logging module that allows us to easily tune loggers for > individual classes. Please use it instead of inventing a mechanism based > on class-wide flags and print statements. Oops, sorry, that was left over from when I developed the code stand-alone and forgot to delete it. Bye-Bye! > >> + >> + @classmethod >> + def datetime_to_time(cls, dt): > > As far as I can see, this method isn't used anywhere. Why add it? Because it would not be unreasonable to need to convert a naive datetime object in UTC to a UNIX time value (in fact I needed that in the unit test). I discovered it's not obvious how to do this correctly. I scratched my head poring over the Python doc for the datetime and time modules and couldn't figure it out. A Google search revealed I was not alone in having trouble figuring this out. So rather than having others get it wrong or waste more time figuring it out I thought it reasonable to provide the utility. >> + @classmethod >> + def datetime_to_string(cls, dt=None): > > > Why is this a class method and not a normal function? It doesn't use cls > at all, and there's no value in overriding it in subclasses. > Same for the other classmethods. Good question, I think my reasoning for doing it this way is valid though. Handling datetime objects with timezones is awkward, it looks like timezone support was added after datetime objects were in use. Instead of having two datetime classes (one local and one with zone support) datetime objects have an internal state which makes them naive or timezone aware. By default you get naive objects. Adding zone support adds a bit of complexity that's not natively part of the module. This is further complicated by the fact you can't mix naive and aware objects (comparisons will raise exceptions, etc.). The best approach is to use the default naive object and follow a convention over the zone they're in (e.g. UTC).
Aside from the time zone conventions there are strict requirements to meet RFC requirements on the string representation of these values when used in the context of a cookie. We need some way to assure the datetime values adhere to the requirements of the class. That makes it reasonable to "attach" methods observing the usage requirement in the class to the class. Making them stand alone functions does nothing to indicate nor enforce there is a specific context in which these need to be applied, class methods provide that context. The other uses of class methods are several of the parsing methods. They are class methods because they act as a class factory returning one or more class instances. >> + s = datetime.datetime.strftime(dt, '%a, %d %b %Y %H:%M:%S') >> + return s + ' GMT' > > AFAIK `return datetime.datetime.strftime(dt, '%a, %d %b %Y %H:%M:%S > GMT')` would work just as well. Sure, no problem, changed. >> + @property >> + def expires(self): >> + ''' >> + The expiration timestamp (in UTC) as a datetime object for the >> + cookie, or None if not set. >> + >> + You may assign a value of None, a datetime object, a numeric >> + UNIX timestamp (seconds since the epoch UTC) or formatted time >> + string (the latter two will be converted to a datetime object. >> + ''' >> + return self._expires >> + >> + @expires.setter >> + def expires(self, value): >> + if value is None: >> + self._expires = None >> + elif isinstance(value, datetime.datetime): >> + self._expires = value >> + elif isinstance(value, (int, long, float)): >> + self._expires = datetime.datetime.utcfromtimestamp(value) >> + elif isinstance(value, basestring): >> + self._expires = Cookie.parse_datetime(value) >> + else: >> + raise TypeError('value must be datetime, int, long, float, basestring or None, not %s' % \ >> + value.__class__.__name__) > > Are the automatic conversions necessary? 
I'd rather call an explicit > set_expires_from_timestamp than have the attribute silently changed, > with semantics depending on the type. > > This is the wrong kind of ?easy to use?. It should be ?easy to read and > understand?, not ?less characters to type? (with magic to determine what > you meant). Automatic conversions are valuable and useful. The value stored in the object *must* be of the type the object expects. However it's not uncommon to have the value be in some other format. The goal is * Make the API easy to use. * Assure the API is used correctly. * Not to obscure the callers logic with conversion logic every place the API is used. It is vastly more important to keep the calling clean and easy to read because it's used far more often than the single place the class is implemented. It is correct to put this logic in exactly one location, namely the class implementation. If the class implementation has a bit of complexity that's appropriate, far better the complexity is in the class and not widely distributed across all uses of the class where it will make reading the logic harder and be prone to incorrect usage. Automatic type conversion is common practice in other object orientated language for good reason. >> + def set_attr(self, name, value): >> + ''' >> + Sets one of the predefined cookie attributes. >> + ''' >> + attr_name = Cookie.attrs.get(name.lower(), None) >> + if attr_name is None: >> + raise ValueError("unknown cookie attribute '%s'" % name) >> + setattr(self, attr_name, value) > > Please don't include this in the public interface, there's no need for > users to call it. > It would be much better to inline the function in the only place that > calls it. Good point but I'd rather see it separated in a subroutine rather than cluttering up the other logic. I made it a class private method. 
> >> + >> + def __str__(self): >> + result = "%s=%s;" % (self.key, self.value) >> + >> + if self.domain is not None: >> + result += " Domain=%s;" % self.domain >> + >> + if self.path is not None: >> + result += " Path=%s;" % self.path >> + >> + if self.max_age is not None: >> + result += " Max-Age=%s;" % self.max_age >> + >> + if self.expires is not None: >> + result += " Expires=%s;" % Cookie.datetime_to_string(self.expires) >> + >> + if self.secure: >> + result += " Secure;" >> + >> + if self.httponly: >> + result += " HttpOnly;" >> + >> + return result[:-1] # strip trainling semi-colon > > Concatenating strings is slow; please consider building a list and then > `return '; '.join(result)`. O.K., fixed. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From jdennis at redhat.com Fri Dec 7 17:37:08 2012 From: jdennis at redhat.com (John Dennis) Date: Fri, 07 Dec 2012 12:37:08 -0500 Subject: [Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior In-Reply-To: <50A23F64.7020903@redhat.com> References: <50A02438.50601@redhat.com> <50A23F64.7020903@redhat.com> Message-ID: <50C22944.5050608@redhat.com> On 11/13/2012 07:39 AM, Petr Viktorin wrote: > Continuing from yesterday. I tried building the RPMs, installing a > server, running the tests, and checking the Web UI. Each of these steps > failed. > > > On 11/11/2012 11:18 PM, John Dennis wrote: >> Note: This has been tested with both the command line api and the >> browser on both Fedora and RHEL-6. It has also been tested to make sure >> any cookies stored before an upgrade will work correctly. >> >> -- >> John Dennis >> >> Looking to carve out IT costs? >> www.redhat.com/carveoutcosts/ >> >> freeipa-jdennis-0082-Compliant-client-side-session-cookie-behavior.patch >> >> >> >From 089d69a1e06636bbd2836fcb9072b5a2ffef7ae2 Mon Sep 17 00:00:00 2001 
>> From: John Dennis
>> Date: Sun, 11 Nov 2012 17:05:32 -0500
>> Subject: [PATCH 82] Compliant client side session cookie behavior
>> Content-Type: text/plain; charset="utf-8"
>> Content-Transfer-Encoding: 8bit
>>
> [...]
>>
>> Ticket https://fedorahosted.org/freeipa/ticket/3022
>> ---
>> ipalib/rpc.py | 224 +++++++++++++----
>> ipalib/session.py | 39 +--
>> ipapython/cookie.py | 486 ++++++++++++++++++++++++++++++++++++
>> ipaserver/rpcserver.py | 6 +-
>> tests/test_ipapython/test_cookie.py | 332 ++++++++++++++++++++++++
>> 5 files changed, 1017 insertions(+), 70 deletions(-)
>> create mode 100644 ipapython/cookie.py
>> create mode 100644 tests/test_ipapython/test_cookie.py
>>
>> diff --git a/ipalib/rpc.py b/ipalib/rpc.py
>> index c555105..b2021c1 100644
>> --- a/ipalib/rpc.py
>> +++ b/ipalib/rpc.py
>> @@ -61,7 +64,8 @@ from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT
>> KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, KRB5_REALM_CANT_RESOLVE
>> from ipapython.dn import DN
>>
>> -COOKIE_NAME = 'ipa_session_cookie:%s'
>> +COOKIE_NAME = 'ipa_session'
>
> COOKIE_NAME is used in ipa-client-install, which promptly fails when it
> does `kernel_keyring.del_key(COOKIE_NAME % host_principal)`.
> (There should probably be a helper function to encapsulate this call.)

Fixed. The whole keyring storage mechanism should never have been exposed in the first place. Instead it should have been encapsulated in some other functions that hide the implementation and instead export a logical abstraction. rpc.py now exports these functions:

update_persistent_client_session_data(principal, data)
read_persistent_client_session_data(principal)
delete_persistent_client_session_data(principal)

>
>> +KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME
>>
>> def xml_wrap(value):
>> """
>
>> diff --git a/ipalib/session.py b/ipalib/session.py
>> index 36beece..900259a 100644
>> --- a/ipalib/session.py
>> +++ b/ipalib/session.py
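Review bot: In the ipalib/rpc.py hunk, turning COOKIE_NAME from the format string 'ipa_session_cookie:%s' into the plain name 'ipa_session' changes the constant's contract, so any caller that still applies `%` to it (the ipa-client-install call `kernel_keyring.del_key(COOKIE_NAME % host_principal)` quoted above) now fails at runtime with a TypeError instead of a missing-key error. Either keep the old constant for keyring keys and give the HTTP cookie name a new identifier, or move the keyring key construction behind a helper that callers use instead of formatting the name themselves; the added `KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME` preserves the old key format, so a helper around it keeps cookies stored before the upgrade readable.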
>> @@ -955,13 +955,18 @@ class MemcacheSessionManager(SessionManager):
>> Session id as string or None if not found.
>> '''
>> session_id = None
>> - if cookie_header is not None:
>> - cookie = Cookie.SimpleCookie()
>> - cookie.load(cookie_header)
>> - session_cookie = cookie.get(self.session_cookie_name)
>> - if session_cookie is not None:
>> - session_id = session_cookie.value
>> - self.debug('found session cookie_id = %s', session_id)
>> + try:
>> + session_cookie = Cookie.get_named_cookie_from_string(cookie_header, self.session_cookie_name)
>> + except Exception, e:
>> + session_cookie = None
>> + else:
>> + session_id = session_cookie.value
>
> When the user first accesses the Web UI, session_cookie will be None,
> resulting in an Internal Server Error.

Hmm... I didn't see this in testing. I think you mean the cookie_header will be None, not the session_cookie being None. That case should have been caught by the try/except block surrounding get_named_cookie_from_string(). But in any event I added a check for the cookie_header being None at the top of the function. Or am I misunderstanding the problem you saw?

>
>> diff --git a/ipapython/cookie.py b/ipapython/cookie.py
>> new file mode 100644
>> index 0000000..0033aed
>> --- /dev/null
>> +++ b/ipapython/cookie.py
> [...]
>> +
>> + @property
>> + def timestamp(self):
>
> Pylint complains here and in similar places below:
> ipapython/cookie.py:313: [E0202, Cookie.timestamp] An attribute affected
> in ipapython.cookie line 310 hide this method

This is a documented bug in pylint. The errors have been disabled along with a comment listing the two bug reports and a FIXME saying to remove the error exclusion when pylint has fixed the bug.

>
>> diff --git a/tests/test_ipapython/test_cookie.py b/tests/test_ipapython/test_cookie.py
>> new file mode 100644
>> index 0000000..4b3c317
>> --- /dev/null
>> +++ b/tests/test_ipapython/test_cookie.py
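Review bot: In the ipalib/session.py hunk, the `try`/`except`/`else` only protects against get_named_cookie_from_string() raising; when it returns None because no cookie of that name is present (the normal case on a first visit to the Web UI) the `else:` branch dereferences `session_cookie.value` and the request fails with an AttributeError. Keep the None check the removed code had, for example `else: if session_cookie is not None: session_id = session_cookie.value`, and do not swallow the parse error with a bare `except Exception, e:` whose `e` is never used; log it at least at debug level so a malformed Cookie header can be diagnosed. The hunk also drops the 'found session cookie_id' debug message, which is useful when tracing session problems.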
>> @@ -0,0 +1,332 @@
>> +# Authors:
>> +# John Dennis
>> +#
>> +# Copyright (C) 2012 Red Hat
>> +# see file 'COPYING' for use and warranty information
>> +#
>> +# This program is free software; you can redistribute it and/or modify
>> +# it under the terms of the GNU General Public License as published by
>> +# the Free Software Foundation, either version 3 of the License, or
>> +# (at your option) any later version.
>> +#
>> +# This program is distributed in the hope that it will be useful,
>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>> +# GNU General Public License for more details.
>> +#
>> +# You should have received a copy of the GNU General Public License
>> +# along with this program. If not, see.
>> +
>> +import unittest
>> +import time
>> +import datetime
>> +import calendar
>> +from cookie import Cookie
>
> Here I get ImportError: No module named cookie.

Fixed, silly typo from stand-alone testing that omitted the module. I was remiss in not catching this in the patch, sorry.

>

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jdennis at redhat.com Fri Dec 7 17:38:34 2012
From: jdennis at redhat.com (John Dennis)
Date: Fri, 07 Dec 2012 12:38:34 -0500
Subject: [Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior
In-Reply-To: <50A02438.50601@redhat.com>
References: <50A02438.50601@redhat.com>
Message-ID: <50C2299A.2060004@redhat.com>

Revised patch attached.

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jdennis-0082-1-Compliant-client-side-session-cookie-behavior.patch
Type: text/x-patch
Size: 68507 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Dec 7 18:07:51 2012
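Review bot: In the tests/test_ipapython/test_cookie.py hunk, `from cookie import Cookie` imports a top-level module that does not exist in the tree; the module this patch adds is ipapython/cookie.py, so the line should read `from ipapython.cookie import Cookie`. As written the test module fails at import time and none of its tests run, which is also why a test run on a clean checkout should be part of the review.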
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Dec 2012 13:07:51 -0500
Subject: [Freeipa-devel] [PATCH] 335 Stop and disable conflicting time&date services
In-Reply-To: <50C2103C.5090400@redhat.com>
References: <50A4D35D.6070304@redhat.com> <1352989343.10327.752.camel@willson.li.ssimo.org> <50A5194E.80908@redhat.com> <1353016145.10327.766.camel@willson.li.ssimo.org> <50C1DDAD.409@redhat.com> <1354888302.14475.39.camel@willson.li.ssimo.org> <50C2103C.5090400@redhat.com>
Message-ID: <50C23077.8040100@redhat.com>

Martin Kosek wrote:
> On 12/07/2012 02:51 PM, Simo Sorce wrote:
>> On Fri, 2012-12-07 at 13:14 +0100, Martin Kosek wrote:
>>> On 11/15/2012 10:49 PM, Simo Sorce wrote:
>>>> On Thu, 2012-11-15 at 17:33 +0100, Martin Kosek wrote:
>>>>> On 11/15/2012 03:22 PM, Simo Sorce wrote:
>>>>>> On Thu, 2012-11-15 at 12:34 +0100, Martin Kosek wrote:
>>>>>>> Fedora 16 introduced chrony as default client time&date synchronization
>>>>>>> service:
>>>>>>> http://fedoraproject.org/wiki/Features/ChronyDefaultNTP
>>>>>>> Thus, there may be people already using chrony as their time and date
>>>>>>> synchronization service before installing IPA.
>>>>>>>
>>>>>>> However, installing IPA server or client on such machine may lead to
>>>>>>> unexpected behavior, as the IPA installer would configure ntpd and leave
>>>>>>> the machine with both ntpd and chronyd enabled. However, since the OS
>>>>>>> does not allow both chronyd and ntpd to be running concurrently and chronyd
>>>>>>> has the precedence, ntpd would not be run on that system at all.
>>>>>>>
>>>>>>> Make sure, that user is warned when trying to install IPA on such
>>>>>>> system and is given a possibility to either not to let IPA configure
>>>>>>> ntpd at all or to let the installer stop and disable chronyd.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/2974
>>>>>>
>>>>>> This looks a bit backwards to me.
>>>>>>
>>>>>> The IPA server can only configure ntpd because it configures it to serve
>>>>>> time to the clients. So on a server force_ntpd should be the default and
>>>>>> the install should automatically shutdown crony.
>>>>>
>>>>> I considered that option too, but it simply just did not seem very "polite" to
>>>>> silently stop and disable chrony with some custom user time&date
>>>>> synchronization configuration that user may rely on.
>>>>>
>>>>> Telling user what's the problem and providing him with options what to do
>>>>> seemed more user friendly to me...
>>>>
>>>> not on the server, no you don't get to choose there, unless you call
>>>> install script with --no-ntp
>>>
>>> Well, IMO this is exactly what my patch does on the server side. Allows user to
>>> either run the server install with --no-ntp or let it install with --force-ntpd
>>> which disables other time&date services. That are the only 2 choices, I just
>>> did the ntpd configuration in a polite way.
>>>
>>>>
>>>>>>
>>>>>> On clients we may give a choice, but then we should not stop, we should
>>>>>> instead configure the one tool the admin wants to use and point it to
>>>>>> the server, because time synchronization is critical. Not syncing time
>>>>>> is basically not an option so our default behavior must be to make sure
>>>>>> one of the time tool is properly configured and require a force flag if
>>>>>> the admin wants to 'not' configure a time sync tool.
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>>
>>>>> The force flag to not configure time sync tool is already there as --no-ntp. I
>>>>> already discussed this with Rob before, I was advised to rather stick with the
>>>>> ntpd only for the time being. Adding Rob to CC to comment on this one.
>>>>
>>>> Not sure I grok what this entails, support only ntpd ?
>>>
>>> At this moment, yes.
>>>
>>>> In this case we can error out if crony is there on the client, but not
>>>> on the server.
>>>> On the server we just roll over crony, as crony is not an
>>>> ntp server at all so it should go
>>>> if the admin *really* insist in using crony then they'll have to
>>>> explicitly install the server with --no-ntp
>>>> note that we are not going to change crony's configuration just turn it
>>>> off and start ntpd instead.
>>>>
>>>> Simo.
>>>>
>>>
>>> Do I understand this right, that you also want to add a support for chrony?
>>> I.e. that ipa-client-install should be able to configure either ntpd or chronyd
>>> for synchronization based on user's choice? If yes, I am OK with that and I can
>>> implement it - I just wanted to make sure that this is what we want.
>>>
>>> In current state, ipa-client-install errors out when chrony is configured and
>>> allows user to either run with --no-ntp (and thus keep the chrony running) or
>>> with --force-ntpd which would disable chronyd and configure&enable ntpd.
>>
>> No, that is not what I am saying.
>>
>> I think these should be the actions taken:
>>
>> 1. Server install (no flags).
>> a. nothing is found: install ntpd as usual (unless --no-ntp is passed)
>> b. ntpd is found: reconfigure it
>> c.1. crony is found: disable it and reconfigure ntpd, no questions asked
>> c.2. if --no-ntp is passed in then do not disable crony
>>
>> 2. client install
>> a. nothing is found: install ntpd as usual (unless --no-ntp is passed)
>> b. ntpd is found: whatever is done now
>> c.1. crony is found: warn that crony is in use, but proceed with install
>> c.2. if --force-ntpd is passed then disable crony and configure ntpd
>>
>> Basically in the server we imply a default of --force-ntpd, unless you
>> pass --no-ntp
>>
>> Simo.
>>
>
> Ok, I see your point now. Sending an updated version.
>
> During server installation, user is warned when running conflicting time
> service. Installation then enforces ntpd configuration.
>
> During client installation, user is also warned, but continuing in installation
> omits ntpd configuration instead.
> But user can use --force-ntpd to force ntpd
> configuration.
>
> Martin
>

ACK

I tweaked this error to wrap differently before pushing:

It went from this:

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

To this:

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

pushed to master

From rcritten at redhat.com Fri Dec 7 18:22:41 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Dec 2012 13:22:41 -0500
Subject: [Freeipa-devel] [PATCH] 0096 support Windows Server 2012
In-Reply-To: <1354898026.23302.1.camel@willson.li.ssimo.org>
References: <20121122155942.GA9142@redhat.com> <1353611080.25995.42.camel@willson.li.ssimo.org> <20121205121641.GD22265@redhat.com> <1354719570.19871.479.camel@willson.li.ssimo.org> <20121205210120.GF22265@redhat.com> <1354898026.23302.1.camel@willson.li.ssimo.org>
Message-ID: <50C233F1.9050501@redhat.com>

Simo Sorce wrote:
> On Wed, 2012-12-05 at 23:01 +0200, Alexander Bokovoy wrote:
>> New patch attached.
>>
>> It filters out statically compiled in list of well-known SID prefixes
>> and SIDs belonging to our own domain.
>
> Tested and work as expected against Windows 2012 Trusted domain.
>
> ACK.
>
>> I'll add fetching the white list from the LDAP in next version.
>
> Please open a ticket and build this as a separate patch.
>
> Simo.
>>

I reformatted the commit message for line wraps

Pushed to master

rob

From rcritten at redhat.com Fri Dec 7 20:44:41 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Dec 2012 15:44:41 -0500
Subject: [Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior
In-Reply-To: <50C2299A.2060004@redhat.com>
References: <50A02438.50601@redhat.com> <50C2299A.2060004@redhat.com>
Message-ID: <50C25539.1050104@redhat.com>

John Dennis wrote:
> Revised patch attached.
>

Why catch exceptions from client_session_keyring_keyname() when it doesn't raise any?

In store_session_cookie() shouldn't we log an error if a cookie can't be parsed, not a debug?

In apply_session_cookie() I think we should log Cookie.URLMismatch and Exception at the error level instead of debug.

My knowledge of cookies is rusty, but I don't understand this bit in path_valid()

+ if not url_path or not url_path.startswith('/'):
+ request_path = '/'
+ elif url_path.count('/') <= 1:
+ request_path = '/'
+ elif url_path.endswith('/'):
+ request_path = url_path[:-1]
+ else:
+ request_path = url_path

If my url_path is /ipa isn't this going to treat it as "/"? That seems wrong.

Functionally the patch appears to be fine.

rob

From jdennis at redhat.com Fri Dec 7 21:21:18 2012
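Review bot: In the path_valid() snippet, the last two branches (`elif url_path.endswith('/'): request_path = url_path[:-1]` and `else: request_path = url_path`) do not implement step 4 of the RFC 6265 default-path algorithm (section 5.1.4), which keeps the characters up to but not including the right-most '/' whether or not the path ends in '/'. As written /ipa/ui/foo yields /ipa/ui/foo where the RFC yields /ipa/ui, while /ipa/ui/foo/ yields /ipa/ui/foo in both; replacing the two branches with `request_path = url_path[:url_path.rfind('/')]` gives the RFC result for both. The /ipa case questioned in the same mail is handled as the RFC specifies: a path containing no more than one '/' has the default-path '/'.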
From: jdennis at redhat.com (John Dennis)
Date: Fri, 07 Dec 2012 16:21:18 -0500
Subject: [Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior
In-Reply-To: <50C25539.1050104@redhat.com>
References: <50A02438.50601@redhat.com> <50C2299A.2060004@redhat.com> <50C25539.1050104@redhat.com>
Message-ID: <50C25DCE.8070600@redhat.com>

On 12/07/2012 03:44 PM, Rob Crittenden wrote:
> John Dennis wrote:
>> Revised patch attached.
>>
>
> Why catch exceptions from client_session_keyring_keyname() when it
> doesn't raise any?

It may not explicitly raise an exception but one can still be raised if either KEYRING_COOKIE_NAME or principal is invalid. It's not likely that KEYRING_COOKIE_NAME would be invalid but the principal might be due to logic failures earlier.

> In store_session_cookie() shouldn't we log an error if a cookie can't be
> parsed, not a debug?

Good point. Actually there is another problem there, if None is returned we need to stop processing and return. I've fixed both.

>
> In apply_session_cookie() I think we should log Cookie.URLMismatch and
> Exception at the error level instead of debug.

Good point, changed that to an error message as well as the catch-all handler immediately below it.

> My knowledge of cookies is rusty, but I don't understand this bit in
> path_valid()
>
> + if not url_path or not url_path.startswith('/'):
> + request_path = '/'
> + elif url_path.count('/') <= 1:
> + request_path = '/'
> + elif url_path.endswith('/'):
> + request_path = url_path[:-1]
> + else:
> + request_path = url_path
>
> If my url_path is /ipa isn't this going to treat it as "/"? That seems
> wrong.

I agree, that's confusing, it confused me too, but that's exactly what's in the RFC (http://tools.ietf.org/html/rfc6265#page-16). I stared at that a long time myself with exactly the same concerns.

I'd appreciate it if you or someone else would look at the RFC because I wonder if I'm not reading it correctly. I tend to agree that check is wrong.
I'll send a revised patch with the above mentioned fixes once someone else puts their eyeballs on the RFC, or maybe we should just remove the check for the time being.

> Functionally the patch appears to be fine.
>
> rob
>

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simo at redhat.com Fri Dec 7 23:19:47 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 07 Dec 2012 18:19:47 -0500
Subject: [Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior
In-Reply-To: <50C25DCE.8070600@redhat.com>
References: <50A02438.50601@redhat.com> <50C2299A.2060004@redhat.com> <50C25539.1050104@redhat.com> <50C25DCE.8070600@redhat.com>
Message-ID: <1354922387.23302.24.camel@willson.li.ssimo.org>

On Fri, 2012-12-07 at 16:21 -0500, John Dennis wrote:
> On 12/07/2012 03:44 PM, Rob Crittenden wrote:
> > John Dennis wrote:
> >> Revised patch attached.
> >>
> >
> > Why catch exceptions from client_session_keyring_keyname() when it
> > doesn't raise any?
>
> It may not explicitly raise an exception but one can still be raised if
> either KEYRING_COOKIE_NAME or principal is invalid. It's not likely that
> KEYRING_COOKIE_NAME would be invalid but the principal might be due to
> logic failures earlier.
>
>
> > In store_session_cookie() shouldn't we log an error if a cookie can't be
> > parsed, not a debug?
>
> Good point. Actually there is another problem there, if None is returned
> we need to stop processing and return. I've fixed both.
>
> >
> > In apply_session_cookie() I think we should log Cookie.URLMismatch and
> > Exception at the error level instead of debug.
>
> Good point, changed that to an error message as well as the catch-all
> handler immediately below it.
>
>
> > My knowledge of cookies is rusty, but I don't understand this bit in
> > path_valid()
> >
> > + if not url_path or not url_path.startswith('/'):
> > + request_path = '/'
> > + elif url_path.count('/') <= 1:
> > + request_path = '/'
> > + elif url_path.endswith('/'):
> > + request_path = url_path[:-1]
> > + else:
> > + request_path = url_path
> >
> > If my url_path is /ipa isn't this going to treat it as "/"? That seems
> > wrong.
>
> I agree, that's confusing, it confused me too, but that's exactly what's
> in the RFC (http://tools.ietf.org/html/rfc6265#page-16).
> I stared at
> that a long time myself with exactly the same concerns.
>
> I'd appreciate it if you or someone else would look at the RFC because I
> wonder if I'm not reading it correctly. I tend to agree that check is wrong.
>
> I'll send a revised patch with the above mentioned fixes once someone
> else puts their eyeballs on the RFC, or maybe we should just remove the
> check for the time being.

I think that the algorithm fails to follow the RFC when you do:

elif url_path.endswith('/'):
request_path = url_path[:-1]

Point 4 of the RFC doesn't say the path needs to end with a / it says you need to take everything before the last / wherever it is.

Ie if the path is /ipa/ui/foo then the path for the cookie is /ipa/ui
Conversely if the path is /ipa/ui/foo/ the path is /ipa/ui/foo

Basically these rules treat the last 'leaf' component as not part of the path and are meant to remove it.

If I read it right instead your code fails the first example ie, both /ipa/ui/foo and /ipa/ui/foo/ give out a path of /ipa/ui/foo

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From jdennis at redhat.com Sat Dec 8 16:16:23 2012
From: jdennis at redhat.com (John Dennis)
Date: Sat, 08 Dec 2012 11:16:23 -0500
Subject: [Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior
In-Reply-To: <1354922387.23302.24.camel@willson.li.ssimo.org>
References: <50A02438.50601@redhat.com> <50C2299A.2060004@redhat.com> <50C25539.1050104@redhat.com> <50C25DCE.8070600@redhat.com> <1354922387.23302.24.camel@willson.li.ssimo.org>
Message-ID: <50C367D7.50903@redhat.com>

On 12/07/2012 06:19 PM, Simo Sorce wrote:
> On Fri, 2012-12-07 at 16:21 -0500, John Dennis wrote:
>> I'll send a revised patch with the above mentioned fixes once someone
>> else puts their eyeballs on the RFC, or maybe we should just remove the
>> check for the time being.
>
> I think that the algorithm fails to follow the RFC when you do:
> elif url_path.endswith('/'):
> request_path = url_path[:-1]
>
> Point 4 of the RFC doesn't say the path needs to end with a / it says
> you need to take everything before the last / wherever it is.
>
> Ie if the path is /ipa/ui/foo then the path for the cookie is /ipa/ui
> Conversely if the path is /ipa/ui/foo/ the path is /ipa/ui/foo
>
> Basically these rules treat the last 'leaf' component as not part of
> the path and are meant to remove it.

Thank you, yes you're correct.

The fundamental misconception is one I've stumbled on in the past as well as many others: "what is the significance of a trailing slash in a URL path component". The trailing slash is quite significant but many of us get lulled into believing it's not because of the common HTTP server behavior of performing a redirect on a path without a trailing slash to a directory of the same name. The URLs "http://example.com/foo" and "http://example.com/foo/" are *not* the same URL. The path in a URL is considered a directory if and only if it ends with a trailing slash. RFC 6265 in Section 4.1.2.4. "The Path Attribute" clearly states the matching is performed on *directory* components.
Without a trailing slash the leaf component is not a directory and hence must be stripped.

Rob, the above is the answer to your question (and mine). "/ipa" and "/ipa/" are *not* the same and "/ipa" will not match "/ipa" as a cookie path component because "/ipa" is not a directory, the directory is "/". FWIW the cookie's path attribute is defined to be a directory path and does not require the trailing slash (or so I believe).

I'll send an updated patch shortly with the above fix. I also noticed that http_return_ok() omitted the validation for the HttpOnly and Secure flags; I'll add that too.

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jdennis at redhat.com Sun Dec 9 15:04:17 2012
From: jdennis at redhat.com (John Dennis)
Date: Sun, 09 Dec 2012 10:04:17 -0500
Subject: [Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior
In-Reply-To: <50C367D7.50903@redhat.com>
References: <50A02438.50601@redhat.com> <50C2299A.2060004@redhat.com> <50C25539.1050104@redhat.com> <50C25DCE.8070600@redhat.com> <1354922387.23302.24.camel@willson.li.ssimo.org> <50C367D7.50903@redhat.com>
Message-ID: <50C4A871.1000005@redhat.com>

On 12/08/2012 11:16 AM, John Dennis wrote:
> I'll send an updated patch shortly with the above fix. I also noticed
> that http_return_ok() omitted the validation for the HttpOnly and Secure
> flags I'll add that too.

Revised patch attached.

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jdennis-0082-2-Compliant-client-side-session-cookie-behavior.patch
Type: text/x-patch
Size: 74594 bytes
Desc: not available
URL:

From jdennis at redhat.com Sun Dec 9 15:22:20 2012
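The default-path and path-match rules from RFC 6265 that Simo and John are working through above, as an added Python example that is not code from the patch under review (only request_path_as_patched() reproduces the quoted branch logic, for comparison); the URLs and paths it uses are constructed. It also covers the section 5.2.4 fallback to default-path when a Set-Cookie carries no usable Path attribute, and the check a client makes before sending a stored cookie.

```python
"""RFC 6265 cookie path handling: default-path, path-match, Path fallback."""
from urllib.parse import urlsplit


def default_path(uri_path):
    """Default-path of a request URI (RFC 6265 section 5.1.4).

    1. uri-path is the path component of the request URI.
    2. If it is empty or does not start with '/', the default-path is '/'.
    3. If it contains no more than one '/', the default-path is '/'.
    4. Otherwise keep everything up to, but not including, the right-most '/'.
    """
    if not uri_path or not uri_path.startswith('/'):
        return '/'
    if uri_path.count('/') <= 1:
        return '/'
    return uri_path[:uri_path.rfind('/')]


def request_path_as_patched(url_path):
    """Branch logic quoted from the patch under review, kept for comparison.

    It differs from default_path() in the last two branches: a path that does
    not end in '/' is returned unchanged, so its leaf component is never
    dropped, which is the /ipa/ui/foo discrepancy pointed out in the thread.
    """
    if not url_path or not url_path.startswith('/'):
        return '/'
    elif url_path.count('/') <= 1:
        return '/'
    elif url_path.endswith('/'):
        return url_path[:-1]
    else:
        return url_path


def path_matches(request_path, cookie_path):
    """Path-match (RFC 6265 section 5.1.4).

    A request-path matches a cookie-path if they are identical, or the
    cookie-path is a prefix of the request-path and either the cookie-path
    ends in '/' or the first request-path character past the prefix is '/'.
    The last rule is what stops cookie-path /ipa from matching /ipaui.
    """
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith('/'):
        return True
    return request_path[len(cookie_path)] == '/'


def effective_cookie_path(request_url, path_attribute=None):
    """Cookie-path for a Set-Cookie received in the response to request_url.

    Per section 5.2.4 a Path attribute that is missing, empty or does not
    start with '/' is ignored and the default-path of the request URI is used.
    """
    if not path_attribute or not path_attribute.startswith('/'):
        return default_path(urlsplit(request_url).path)
    return path_attribute


def should_send(cookie_path, request_url):
    """Whether a stored cookie with cookie_path belongs in a request to request_url."""
    return path_matches(urlsplit(request_url).path, cookie_path)


def compare_rules(paths):
    """Map each path to (RFC default-path, result of the patched logic)."""
    return {p: (default_path(p), request_path_as_patched(p)) for p in paths}


if __name__ == '__main__':
    # Constructed sample paths, including the two cases discussed in the thread.
    sample = ['/ipa', '/ipa/', '/ipa/ui/foo', '/ipa/ui/foo/']
    for path, (rfc, patched) in compare_rules(sample).items():
        flag = '' if rfc == patched else '   <-- differs'
        print('%-14s rfc=%-12s patched=%-12s%s' % (path, rfc, patched, flag))
```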
From: jdennis at redhat.com (John Dennis)
Date: Sun, 09 Dec 2012 10:22:20 -0500
Subject: [Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior
In-Reply-To: <50C4A871.1000005@redhat.com>
References: <50A02438.50601@redhat.com> <50C2299A.2060004@redhat.com> <50C25539.1050104@redhat.com> <50C25DCE.8070600@redhat.com> <1354922387.23302.24.camel@willson.li.ssimo.org> <50C367D7.50903@redhat.com> <50C4A871.1000005@redhat.com>
Message-ID: <50C4ACAC.60705@redhat.com>

On 12/09/2012 10:04 AM, John Dennis wrote:
> On 12/08/2012 11:16 AM, John Dennis wrote:
>> I'll send an updated patch shortly with the above fix. I also noticed
>> that http_return_ok() omitted the validation for the HttpOnly and Secure
>> flags I'll add that too.
>
> Revised patch attached.

Same patch contents but with typo fixed.

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jdennis-0082-3-Compliant-client-side-session-cookie-behavior.patch
Type: text/x-patch
Size: 74579 bytes
Desc: not available
URL:

From mkosek at redhat.com Mon Dec 10 09:19:03 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 10 Dec 2012 10:19:03 +0100
Subject: [Freeipa-devel] [PATCH] 342 Fix sshd feature check
Message-ID: <50C5A907.3060206@redhat.com>

OpenSSH server included in Fedora 18 raises a validation error when the tested AuthorizedKeysCommand/PubKeyAgent option is tested with an empty value. It requires a command with an absolute path to be passed. Due to this issue, sshd support is never configured on Fedora 18.

Pass the real agent we will use later to the testing command to avoid this error.

--

This patch should make it to the upcoming 3.1 release.

Note: this is not reproducible in RHEL-6 systems, so we are covered on this front.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-342-fix-sshd-feature-check.patch
Type: text/x-patch
Size: 2447 bytes
Desc: not available
URL:

From pviktori at redhat.com Mon Dec 10 12:30:45 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 10 Dec 2012 13:30:45 +0100
Subject: [Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior
In-Reply-To: <50C4ACAC.60705@redhat.com>
References: <50A02438.50601@redhat.com> <50C2299A.2060004@redhat.com> <50C25539.1050104@redhat.com> <50C25DCE.8070600@redhat.com> <1354922387.23302.24.camel@willson.li.ssimo.org> <50C367D7.50903@redhat.com> <50C4A871.1000005@redhat.com> <50C4ACAC.60705@redhat.com>
Message-ID: <50C5D5F5.7090805@redhat.com>

On 12/09/2012 04:22 PM, John Dennis wrote:
> On 12/09/2012 10:04 AM, John Dennis wrote:
>> On 12/08/2012 11:16 AM, John Dennis wrote:
>>> I'll send an updated patch shortly with the above fix. I also noticed
>>> that http_return_ok() omitted the validation for the HttpOnly and Secure
>>> flags I'll add that too.
>>
>> Revised patch attached.
>
> Same patch contents but with typo fixed.
>

There's some more typos, but let's try to push this through and fix typos later.

Thanks for filing the Python bug & explaining your approaches. I still think this could be improved; I'll stop bikeshedding now.

Just two issues:

When testing with lite-server listening on localhost, every request outputs "ipa: ERROR: not sending session cookie, URL mismatch". Is the message necessary?

Replying to a previous mail:

>>> diff --git a/ipalib/session.py b/ipalib/session.py
>>> index 36beece..900259a 100644
>>> --- a/ipalib/session.py
>>> +++ b/ipalib/session.py
>>> @@ -955,13 +955,18 @@ class MemcacheSessionManager(SessionManager):
[...]
>>> + try:
>>> + session_cookie =
>>> Cookie.get_named_cookie_from_string(cookie_header,
>>> self.session_cookie_name)
>>> + except Exception, e:
>>> + session_cookie = None
>>> + else:
>>> + session_id = session_cookie.value
>>
>> When the user first accesses the Web UI, session_cookie will be None,
>> resulting in an Internal Server Error.
>
> Hmm... I didn't see this in testing. I think you mean the cookie_header
> will be None, not the session_cookie being None. That case should have
> been caught by the try/except block surrounding
> get_named_cookie_from_string(). But in any event I added a check for the
> cookie_header being None at the top of the function. Or am I
> misunderstanding the problem you saw?
>

Yes, different problem.
No cookie exists, so Cookie.get_named_cookie_from_string returns None, session_cookie is set to None, no exception is raised, the else: block accesses `session_cookie.value`.
Tested with a clean install on f18.
The attached fix solves the problem.

-- 
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix.patch
Type: text/x-patch
Size: 503 bytes
Desc: not available
URL:

From jcholast at redhat.com Mon Dec 10 12:38:19 2012
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 10 Dec 2012 13:38:19 +0100
Subject: [Freeipa-devel] [PATCH] 342 Fix sshd feature check
In-Reply-To: <50C5A907.3060206@redhat.com>
References: <50C5A907.3060206@redhat.com>
Message-ID: <50C5D7BB.503@redhat.com>

On 10.12.2012 10:19, Martin Kosek wrote:
> OpenSSH server included in Fedora 18 raises a validation error when
> the tested AuthorizedKeysCommand/PubKeyAgent option is tested with
> an empty value. It requires a command with an absolute path to be
> passed. Due to this issue, sshd support is never configured on
> Fedora 18.
>
> Pass the real agent we will use later to the testing command to
> avoid this error.
>
> --
>
> This patch should make it to the upcoming 3.1 release.
>
> Note: this is not reproducible in RHEL-6 systems, so we are covered on this front.
>

ACK.

Honza

-- 
Jan Cholasta

From mkosek at redhat.com Mon Dec 10 12:56:09 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 10 Dec 2012 13:56:09 +0100
Subject: [Freeipa-devel] [PATCH] 342 Fix sshd feature check
In-Reply-To: <50C5D7BB.503@redhat.com>
References: <50C5A907.3060206@redhat.com> <50C5D7BB.503@redhat.com>
Message-ID: <50C5DBE9.1030703@redhat.com>

On 12/10/2012 01:38 PM, Jan Cholasta wrote:
> On 10.12.2012 10:19, Martin Kosek wrote:
>> OpenSSH server included in Fedora 18 raises a validation error when
>> the tested AuthorizedKeysCommand/PubKeyAgent option is tested with
>> an empty value. It requires a command with an absolute path to be
>> passed. Due to this issue, sshd support is never configured on
>> Fedora 18.
>>
>> Pass the real agent we will use later to the testing command to
>> avoid this error.
>>
>> --
>>
>> This patch should make it to the upcoming 3.1 release.
>>
>> Note: this is not reproducible in RHEL-6 systems, so we are covered on this
>> front.
>>
>
> ACK.
>
> Honza
>

Pushed to master, ipa-3-0.

Martin

From mkosek at redhat.com Mon Dec 10 13:41:18 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 10 Dec 2012 14:41:18 +0100
Subject: [Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior
In-Reply-To: <50C5D5F5.7090805@redhat.com>
References: <50A02438.50601@redhat.com> <50C2299A.2060004@redhat.com> <50C25539.1050104@redhat.com> <50C25DCE.8070600@redhat.com> <1354922387.23302.24.camel@willson.li.ssimo.org> <50C367D7.50903@redhat.com> <50C4A871.1000005@redhat.com> <50C4ACAC.60705@redhat.com> <50C5D5F5.7090805@redhat.com>
Message-ID: <50C5E67E.7050104@redhat.com>

On 12/10/2012 01:30 PM, Petr Viktorin wrote:
> On 12/09/2012 04:22 PM, John Dennis wrote:
>> On 12/09/2012 10:04 AM, John Dennis wrote:
>>> On 12/08/2012 11:16 AM, John Dennis wrote:
>>>> I'll send an updated patch shortly with the above fix. I also noticed
>>>> that http_return_ok() omitted the validation for the HttpOnly and Secure
>>>> flags I'll add that too.
>>>
>>> Revised patch attached.
>>
>> Same patch contents but with typo fixed.
>>
>
> There's some more typos, but let's try to push this through and fix typos later.
>
> Thanks for filing the Python bug & explaining your approaches. I still think
> this could be improved; I'll stop bikeshedding now.
>
> Just two issues:
>
> When testing with lite-server listening on localhost, every request outputs
> "ipa: ERROR: not sending session cookie, URL mismatch". Is the message necessary?
>
> Replying to a previous mail:
>
>>>> diff --git a/ipalib/session.py b/ipalib/session.py
>>>> index 36beece..900259a 100644
>>>> --- a/ipalib/session.py
>>>> +++ b/ipalib/session.py
>>>> @@ -955,13 +955,18 @@ class MemcacheSessionManager(SessionManager):
> [...]
>>>> + try:
>>>> + session_cookie =
>>>> Cookie.get_named_cookie_from_string(cookie_header,
>>>> self.session_cookie_name)
>>>> + except Exception, e:
>>>> + session_cookie = None
>>>> + else:
>>>> + session_id = session_cookie.value
>>>
>>> When the user first accesses the Web UI, session_cookie will be None,
>>> resulting in an Internal Server Error.
>>
>> Hmm... I didn't see this in testing. I think you mean the cookie_header
>> will be None, not the session_cookie being None. That case should have
>> been caught by the try/except block surrounding
>> get_named_cookie_from_string(). But in any event I added a check for the
>> cookie_header being None at the top of the function. Or am I
>> misunderstanding the problem you saw?
>>
>
> Yes, different problem.
> No cookie exists, so Cookie.get_named_cookie_from_string returns None,
> session_cookie is set to None, no exception is raised, the else: block accesses
> `session_cookie.value`.
> Tested with a clean install on f18.
> The attached fix solves the problem.
>

Funny thing is that I was able to reproduce this issue only with Chrome browser. My Firefox did not reproduce it.

I also hit a weird issue when I logged in to Web UI, then cleaned server session cache (`service ipa_memcached restart`) and then tried to log in again: I was being rejected for about a minute even though I had valid credentials. But I checked that this issue is also present in IPA 2.2.1, so it's not a show-stopper for this release.

Besides that, the patch worked fine in my tests, I also tried joining this server with older Fedora and some RHEL-6 machines and it worked fine. So I think that John's patch (with Petr's fix squashed) can be included for 3.1.

Martin

From jdennis at redhat.com Mon Dec 10 14:00:34 2012
From: jdennis at redhat.com (John Dennis) Date: Mon, 10 Dec 2012 09:00:34 -0500 Subject: [Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior In-Reply-To: <50C5D5F5.7090805@redhat.com> References: <50A02438.50601@redhat.com> <50C2299A.2060004@redhat.com> <50C25539.1050104@redhat.com> <50C25DCE.8070600@redhat.com> <1354922387.23302.24.camel@willson.li.ssimo.org> <50C367D7.50903@redhat.com> <50C4A871.1000005@redhat.com> <50C4ACAC.60705@redhat.com> <50C5D5F5.7090805@redhat.com> Message-ID: <50C5EB02.9020905@redhat.com> On 12/10/2012 07:30 AM, Petr Viktorin wrote: > Just two issues: > > When testing with lite-server listening on localhost, every request > outputs "ipa: ERROR: not sending session cookie, URL mismatch". Is the > message necessary? Rob asked for this to be changed from a debug message to an error which made sense, in theory we should never get into the situation, if we do something is terribly wrong. However neither of us thought about the lite-server case. There are two possible ways to address this. 1) test for the lite server context and don't emit the message. We test for lite server elsewhere and treat things differently. But I'm not a big fan of this approach, it's a way for mistakes to creep in because we're not exercising the same code paths during testing as we do during production. 2) Make the domain in the cookie match the domain of the lite-server. Currently we read the domain from api.env.host (technically it's the URL host). Perhaps there should be a utility to return the URL host component for those places that need it which detects which mode the server is running in. I'll take a quick look and see if that makes sense. > > Replying to a previous mail: > > >>> diff --git a/ipalib/session.py b/ipalib/session.py > >>> index 36beece..900259a 100644 > >>> --- a/ipalib/session.py > >>> +++ b/ipalib/session.py 
> >>> @@ -955,13 +955,18 @@ class MemcacheSessionManager(SessionManager): > [...] > >>> + try: > >>> + session_cookie = > >>> Cookie.get_named_cookie_from_string(cookie_header, > >>> self.session_cookie_name) > >>> + except Exception, e: > >>> + session_cookie = None > >>> + else: > >>> + session_id = session_cookie.value > >> > >> When the user first accesses the Web UI, session_cookie will be None, > >> resulting in an Internal Server Error. Ah yes I see the mistake now, I was thinking it raised an exception instead of returning None. Good catch, thanks! -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From lroot at redhat.com Mon Dec 10 14:53:17 2012 From: lroot at redhat.com (Lynn Root) Date: Mon, 10 Dec 2012 15:53:17 +0100 Subject: [Freeipa-devel] [PATCH] 0006 Raise ACI error when CSR has no subject hostname Message-ID: <50C5F75D.20705@redhat.com> Raise ACI error when CSR does not have a subject hostname. Ticket: https://fedorahosted.org/freeipa/ticket/3123 -- Lynn Root @roguelynn Associate Software Engineer Red Hat, Inc -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-lroot-0006-01-Raise-ACI-error-when-CSR-does-not-have-a-subject-hos.patch Type: text/x-patch Size: 1106 bytes Desc: not available URL: From jdennis at redhat.com Mon Dec 10 14:53:58 2012 
From: jdennis at redhat.com (John Dennis) Date: Mon, 10 Dec 2012 09:53:58 -0500 Subject: [Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior In-Reply-To: <50C5EB02.9020905@redhat.com> References: <50A02438.50601@redhat.com> <50C2299A.2060004@redhat.com> <50C25539.1050104@redhat.com> <50C25DCE.8070600@redhat.com> <1354922387.23302.24.camel@willson.li.ssimo.org> <50C367D7.50903@redhat.com> <50C4A871.1000005@redhat.com> <50C4ACAC.60705@redhat.com> <50C5D5F5.7090805@redhat.com> <50C5EB02.9020905@redhat.com> Message-ID: <50C5F786.9080209@redhat.com> On 12/10/2012 09:00 AM, John Dennis wrote: > On 12/10/2012 07:30 AM, Petr Viktorin wrote: >> Just two issues: >> >> When testing with lite-server listening on localhost, every request >> outputs "ipa: ERROR: not sending session cookie, URL mismatch". Is the >> message necessary? > > Rob asked for this to be changed from a debug message to an error which > made sense, in theory we should never get into the situation, if we do > something is terribly wrong. However neither of us thought about the > lite-server case. There are two possible ways to address this. > > 1) test for the lite server context and don't emit the message. We test > for lite server elsewhere and treat things differently. But I'm not a > big fan of this approach, it's a way for mistakes to creep in because > we're not exercising the same code paths during testing as we do during > production. > > 2) Make the domain in the cookie match the domain of the lite-server. > Currently we read the domain from api.env.host (technically it's the URL > host). Perhaps there should be a utility to return the URL host > component for those places that need it which detects which mode the > server is running in. I'll take a quick look and see if that makes sense. Much simpler solution, using api.env.host was the wrong source of the server domain, it should have been the host value in api.env.xmlrpc_uri instead. 
Changing it to reference xmlrpc_uri fixes the problem without any other changes and is the value we should have been using. Patch will follow shortly after some more testing. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From pviktori at redhat.com Mon Dec 10 14:55:51 2012 
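The two session-cookie pitfalls discussed in this thread (dereferencing a cookie lookup that returned None, and deriving the cookie Domain from api.env.host instead of the host in api.env.xmlrpc_uri) as one added, stand-alone Python 3 example. This is not FreeIPA code (the project itself is Python 2); the function names, sample URIs and cookie values are hypothetical or constructed. cookie_allowed_for_url() generalises the client-side "URL mismatch" decision to the RFC 6265 domain, path and Secure rules.

```python
# Added example, not FreeIPA code. Function names (session_cookie_domain,
# named_cookie_from_header, session_set_cookie_header, cookie_allowed_for_url)
# and all sample URIs/cookie values are hypothetical or constructed.
from http.cookies import CookieError, SimpleCookie
from urllib.parse import urlparse


def session_cookie_domain(xmlrpc_uri):
    """Domain attribute for the session cookie, taken from the host part of the
    server's XML-RPC URI (the source the thread settled on), not the local
    hostname. `hostname` rather than `netloc` is used so an explicit port in
    the URI cannot end up in Domain=, where 'host:port' would never match."""
    host = urlparse(xmlrpc_uri).hostname
    if not host:
        raise ValueError("no host component in %r" % (xmlrpc_uri,))
    return host.lower()


def named_cookie_from_header(cookie_header, name):
    """Value of cookie `name` from a Cookie: request header, or None.

    A missing header, a header without that cookie and an unparsable header all
    yield None: callers must test the result instead of dereferencing it, which
    is the Internal Server Error reported earlier in the thread."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    morsel = jar.get(name)
    return None if morsel is None else morsel.value


def session_set_cookie_header(name, session_id, xmlrpc_uri, path="/ipa"):
    """Set-Cookie header for the session: scoped to the server host and the IPA
    path, HttpOnly (no script access) and Secure (sent over https only)."""
    jar = SimpleCookie()
    jar[name] = session_id
    jar[name]["domain"] = session_cookie_domain(xmlrpc_uri)
    jar[name]["path"] = path
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    return jar.output(header="Set-Cookie:")


def cookie_allowed_for_url(cookie_domain, cookie_path, secure, url):
    """Client-side decision whether a stored cookie may be attached to `url`.

    Implements RFC 6265 domain-matching (5.1.3), path-matching (5.1.4) and the
    Secure rule (5.4). A False result is the 'URL mismatch' case the thread
    downgraded to a debug message: the client is talking to a different server,
    so the cookie is simply withheld rather than leaked."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    domain = cookie_domain.lower().lstrip(".")
    if not host or not domain:
        return False
    if host != domain and not host.endswith("." + domain):
        return False
    path = parts.path or "/"
    if path != cookie_path:
        if not path.startswith(cookie_path):
            return False
        if not cookie_path.endswith("/") and path[len(cookie_path)] != "/":
            return False
    if secure and parts.scheme != "https":
        return False
    return True
```

Passing a Domain of the form host:port (what netloc yields for a URI with an explicit port) to cookie_allowed_for_url() fails the domain match for every request, which is the silent "cookie never sent" failure the hostname-based derivation avoids.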
From: pviktori at redhat.com (Petr Viktorin) Date: Mon, 10 Dec 2012 15:55:51 +0100 Subject: [Freeipa-devel] [PATCH] 350 Configuring CA with ConfigParser. In-Reply-To: <50C1B13E.4080307@redhat.com> References: <50BE6835.4070106@redhat.com> <50BE707C.6090101@redhat.com> <50BF43E9.6010302@redhat.com> <50C1B13E.4080307@redhat.com> Message-ID: <50C5F7F7.4050104@redhat.com> On 12/07/2012 10:05 AM, Petr Viktorin wrote: > On 12/05/2012 01:54 PM, Petr Viktorin wrote: >> On 12/04/2012 10:51 PM, Endi Sukma Dewata wrote: >>> On 12/4/2012 3:16 PM, Endi Sukma Dewata wrote: >>>> The configuration code has been modified to use the ConfigParser to >>>> set the parameters in the CA section in the deployment configuration. >>>> This allows IPA to define additional PKI subsystems in the same >>>> configuration file. >>>> >>>> PKI Ticket #399 (https://fedorahosted.org/pki/ticket/399) >>> >>> New patch attached. Bumped the minimum pki-ca version. >>> >>> Note that the path to the ca_admin_cert.p12 is hardcoded due to this >>> bug: https://fedorahosted.org/pki/ticket/437 >>> >> >> ACK >> >> >> Attaching an additional patch that uses our DN objects, instead of >> strings, for the DN operations. I've overlooked that in the original >> Dogtag 10 patches (or the DN work overlapped with them, I forget). >> >> Until the new Dogtag hits official repos, you will need to use daily >> builds from http://nkinder.fedorapeople.org/dogtag-devel/fedora/ >> >> > > Here is a rebased version of Endi's patch. > And another rebase -- Petr³ -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0350-5-Configuring-CA-with-ConfigParser.patch Type: text/x-patch Size: 11288 bytes Desc: not available URL: From mkosek at redhat.com Mon Dec 10 16:01:30 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 10 Dec 2012 17:01:30 +0100 Subject: [Freeipa-devel] [PATCH] 0006 Raise ACI error when CSR has no subject hostname In-Reply-To: <50C5F75D.20705@redhat.com> References: <50C5F75D.20705@redhat.com> Message-ID: <50C6075A.9010900@redhat.com> On 12/10/2012 03:53 PM, Lynn Root wrote: > Raise ACI error when CSR does not have a subject hostname. > > Ticket: https://fedorahosted.org/freeipa/ticket/3123 > Why an ACIError? I know there are a lot of ACIErrors thrown in cert-request command processing, but they are all related to authorization of the request. In this case, this is rather a missing required field of the CSR, so ValidationError may be a better choice. Martin From rcritten at redhat.com Mon Dec 10 16:15:01 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 10 Dec 2012 11:15:01 -0500 Subject: [Freeipa-devel] [PATCH] 350 Configuring CA with ConfigParser. In-Reply-To: <50C5F7F7.4050104@redhat.com> References: <50BE6835.4070106@redhat.com> <50BE707C.6090101@redhat.com> <50BF43E9.6010302@redhat.com> <50C1B13E.4080307@redhat.com> <50C5F7F7.4050104@redhat.com> Message-ID: <50C60A85.4070606@redhat.com> Petr Viktorin wrote: > On 12/07/2012 10:05 AM, Petr Viktorin wrote: >> On 12/05/2012 01:54 PM, Petr Viktorin wrote: >>> On 12/04/2012 10:51 PM, Endi Sukma Dewata wrote: >>>> On 12/4/2012 3:16 PM, Endi Sukma Dewata wrote: >>>>> The configuration code has been modified to use the ConfigParser to >>>>> set the parameters in the CA section in the deployment configuration. >>>>> This allows IPA to define additional PKI subsystems in the same >>>>> configuration file. >>>>> >>>>> PKI Ticket #399 (https://fedorahosted.org/pki/ticket/399) >>>> >>>> New patch attached. Bumped the minimum pki-ca version. >>>> >>>> Note that the path to the ca_admin_cert.p12 is hardcoded due to this >>>> bug: https://fedorahosted.org/pki/ticket/437 >>>> >>> >>> ACK >>> >>> >>> Attaching an additional patch that uses our DN objects, instead of >>> strings, for the DN operations. I've overlooked that in the original >>> Dogtag 10 patches (or the DN work overlapped with them, I forget). >>> >>> Until the new Dogtag hits official repos, you will need to use daily >>> builds from http://nkinder.fedorapeople.org/dogtag-devel/fedora/ >>> >>> >> >> Here is a rebased version of Endi's patch. >> > > And another rebase Pushed to master From rcritten at redhat.com Mon Dec 10 16:15:20 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 10 Dec 2012 11:15:20 -0500 Subject: [Freeipa-devel] [PATCH] 350 Configuring CA with ConfigParser. In-Reply-To: <50BF43E9.6010302@redhat.com> References: <50BE6835.4070106@redhat.com> <50BE707C.6090101@redhat.com> <50BF43E9.6010302@redhat.com> Message-ID: <50C60A98.8080608@redhat.com> Petr Viktorin wrote: > On 12/04/2012 10:51 PM, Endi Sukma Dewata wrote: >> On 12/4/2012 3:16 PM, Endi Sukma Dewata wrote: >>> The configuration code has been modified to use the ConfigParser to >>> set the parameters in the CA section in the deployment configuration. >>> This allows IPA to define additional PKI subsystems in the same >>> configuration file. >>> >>> PKI Ticket #399 (https://fedorahosted.org/pki/ticket/399) >> >> New patch attached. Bumped the minimum pki-ca version. >> >> Note that the path to the ca_admin_cert.p12 is hardcoded due to this >> bug: https://fedorahosted.org/pki/ticket/437 >> > > ACK > > > Attaching an additional patch that uses our DN objects, instead of > strings, for the DN operations. I've overlooked that in the original > Dogtag 10 patches (or the DN work overlapped with them, I forget). > > Until the new Dogtag hits official repos, you will need to use daily > builds from http://nkinder.fedorapeople.org/dogtag-devel/fedora/ ACK on your patch, pushed to master From lroot at redhat.com Mon Dec 10 16:32:53 2012 
From: lroot at redhat.com (Lynn Root) Date: Mon, 10 Dec 2012 17:32:53 +0100 Subject: [Freeipa-devel] [PATCH] 0006 Raise ACI error when CSR has no subject hostname In-Reply-To: <50C6075A.9010900@redhat.com> References: <50C5F75D.20705@redhat.com> <50C6075A.9010900@redhat.com> Message-ID: <50C60EB5.70508@redhat.com> On 12/10/2012 05:01 PM, Martin Kosek wrote: > On 12/10/2012 03:53 PM, Lynn Root wrote: >> Raise ACI error when CSR does not have a subject hostname. >> >> Ticket:https://fedorahosted.org/freeipa/ticket/3123 >> > Why an ACIError? I know there are a lot of ACIErrors thrown in cert-request > command processing, but they are all related to authorization of the request. > In this case, this is rather a missing required field of the CSR, so > ValidationError may be a better choice. > > Martin > I elected ACIError simply because the immediately following ACIError raises the issue that hostname of principal doesn't match the subject hostname of the CSR - seemed a similar case of "doesn't match" with "doesn't exist." But right - it's not related to Auth. Would ValidationError be appropriate, or would RequirementError or NotFound be more so? -- Lynn Root @roguelynn Associate Software Engineer Red Hat, Inc From mkosek at redhat.com Mon Dec 10 16:39:14 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 10 Dec 2012 17:39:14 +0100 Subject: [Freeipa-devel] [PATCH] 0006 Raise ACI error when CSR has no subject hostname In-Reply-To: <50C60EB5.70508@redhat.com> References: <50C5F75D.20705@redhat.com> <50C6075A.9010900@redhat.com> <50C60EB5.70508@redhat.com> Message-ID: <50C61032.5070404@redhat.com> On 12/10/2012 05:32 PM, Lynn Root wrote: > On 12/10/2012 05:01 PM, Martin Kosek wrote: >> On 12/10/2012 03:53 PM, Lynn Root wrote: >>> Raise ACI error when CSR does not have a subject hostname. >>> >>> Ticket:https://fedorahosted.org/freeipa/ticket/3123 >>> >> Why an ACIError? I know there are are a lot of ACIErrors thrown in cert-request >> command processing, but they are all related to authorization of the request. >> In this case, this is rather a missing required field of the CSR, so >> ValidationError may be a better choice. >> >> Martin >> > I elected ACIError simply because the immediately following ACIError raises the > issue that hostname of principal doesn't match the subject hostname of the CSR > - seemed a similar case of "doesn't match" with "doesn't exists." But right - > it's not related to Auth. > > Would ValidationError be appropriate, or would RequirementError or NotFound be > more so? > The following raises ACIError because of failed authorization check, I think its ok. RequirementError is only thrown when a command option that is required is not passed by the user. I am not fond of expanding its use to the validation of user content, like CSR file. NotFound error is used when an _entry_ is not found - so not an ideal candidate either for this case. IMHO, ValidationError is fine for this situation - but maybe somebody else may have other opinion... Martin From jdennis at redhat.com Mon Dec 10 17:11:18 2012 
From: jdennis at redhat.com (John Dennis) Date: Mon, 10 Dec 2012 12:11:18 -0500 Subject: [Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior In-Reply-To: <50C5F786.9080209@redhat.com> References: <50A02438.50601@redhat.com> <50C2299A.2060004@redhat.com> <50C25539.1050104@redhat.com> <50C25DCE.8070600@redhat.com> <1354922387.23302.24.camel@willson.li.ssimo.org> <50C367D7.50903@redhat.com> <50C4A871.1000005@redhat.com> <50C4ACAC.60705@redhat.com> <50C5D5F5.7090805@redhat.com> <50C5EB02.9020905@redhat.com> <50C5F786.9080209@redhat.com> Message-ID: <50C617B6.9000408@redhat.com> In IRC Rob and I agreed the message about a URLMismatch should be at the debug level and not the error level because it can occur on a client anytime the client elects to connect to a different server, which is not an error. Attached is the revised patch and a diff against the previous patch and this one just so it makes it easier to see what actually changed. Basically it's 4 things: * use xmlrpc_url as the cookies domain * revert message back to debug level * fix bug Petr3 found with uninitialized variable * update make-lint not to complain about using the fields in a urlparse result -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- diff --git a/ipalib/rpc.py b/ipalib/rpc.py index b2ff362..a5c5de5 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -578,7 +578,7 @@ class xmlclient(Connectible): pass return original_url except Cookie.URLMismatch, e: - self.error("not sending session cookie, URL mismatch: %s", e) + self.debug("not sending session cookie, URL mismatch: %s", e) return original_url except Exception, e: self.error("not sending session cookie, unknown error: %s", e) diff --git a/ipalib/session.py b/ipalib/session.py index b955b49..68b9b26 100644 --- a/ipalib/session.py +++ b/ipalib/session.py 
@@ -22,6 +22,7 @@ import errors import os import re import time +from urllib2 import urlparse from text import _ from ipapython.ipa_log_manager import * from ipalib import api, errors @@ -964,7 +965,7 @@ class MemcacheSessionManager(SessionManager): session_cookie = Cookie.get_named_cookie_from_string(cookie_header, self.session_cookie_name) except Exception, e: session_cookie = None - else: + if session_cookie: session_id = session_cookie.value if session_id is None: @@ -1083,8 +1084,8 @@ class MemcacheSessionManager(SessionManager): expiration = None; cookie = Cookie(self.session_cookie_name, session_id, - domain=api.env.host, path=url_path, - httponly=True, secure=True, + domain=urlparse.urlparse(api.env.xmlrpc_uri).netloc, + path=url_path, httponly=True, secure=True, expires=expiration) if add_header: result = 'Set-Cookie: %s' % cookie diff --git a/make-lint b/make-lint index 4cd7ce6..ae09e2a 100755 --- a/make-lint +++ b/make-lint 
@@ -64,7 +64,8 @@ class IPATypeChecker(TypeChecker): 'pattern', 'pattern_errmsg'], 'ipalib.parameters.Enum': ['values'], 'ipalib.parameters.File': ['stdin_if_missing'], - 'urlparse.SplitResult': ['netloc'], + 'urlparse.SplitResult': ['scheme', 'netloc', 'path', 'query', 'fragment', 'username', 'password', 'hostname', 'port'], + 'urlparse.ParseResult': ['scheme', 'netloc', 'path', 'params', 'query', 'fragment', 'username', 'password', 'hostname', 'port'], 'ipaserver.install.ldapupdate.LDAPUpdate' : ['log', 'debug', 'info', 'warning', 'error', 'critical', 'exception'], 'ipaserver.plugins.ldap2.SchemaCache' : ['log', 'debug', 'info', 'warning', 'error', 'critical', 'exception'], 'ipaserver.plugins.ldap2.IPASimpleLDAPObject' : ['log', 'debug', 'info', 'warning', 'error', 'critical', 'exception'], -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jdennis-0082-4-Compliant-client-side-session-cookie-behavior.patch Type: text/x-patch Size: 75567 bytes Desc: not available URL: From pviktori at redhat.com Mon Dec 10 18:01:08 2012 
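Review bot: in the ipalib/rpc.py hunk the switch from self.error to self.debug in the `except Cookie.URLMismatch, e:` branch fits the reasoning given in the mail (a client may legitimately connect to a different server), but the message should name the URL the cookie was withheld from so the debug trace is actionable, since the branch still returns original_url and the request simply proceeds without the cookie; the adjacent `except Exception, e:` branch stays at error level, which is the right split because an unexpected failure there is a real defect rather than a server switch.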
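Review bot: in the first ipalib/session.py hunk, `from urllib2 import urlparse` reaches the urlparse module through an attribute urllib2 happens to expose rather than importing it; `import urlparse` is the supported spelling and is also how the make-lint entries in this patch are keyed (`urlparse.SplitResult`, `urlparse.ParseResult`). The context lines of the same hunk show both `import errors` and `from ipalib import api, errors`, so one of the two imports is redundant and could go while this block is being touched.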
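Review bot: in the second ipalib/session.py hunk, replacing `else:` with `if session_cookie:` closes the None case Petr reported (get_named_cookie_from_string returning None instead of raising), but the `except Exception, e:` directly above it swallows every parsing failure without logging and leaves `e` unused; a malformed Cookie header should be visible at least at debug level. The `if session_id is None:` check that follows relies on session_id being initialised before the try block, which lies outside this hunk and is worth confirming.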
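Review bot: in the third ipalib/session.py hunk, `urlparse.urlparse(api.env.xmlrpc_uri).netloc` keeps any explicit port (host:port) from the URI, and a Domain attribute in that form will not match the request host, so the session cookie would again be withheld in exactly the mismatch case this patch is fixing; `.hostname` returns only the host and is among the fields this patch whitelists in make-lint. The stray semicolon in the context line `expiration = None;` could be dropped at the same time.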
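Review bot: in the make-lint hunk the two new whitelist entries repeat a nine-field list that differs only by `params`; defining the SplitResult list once and extending it for ParseResult keeps the two from drifting apart, and wrapping the long lines would match the style of the surrounding entries.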
From: pviktori at redhat.com (Petr Viktorin) Date: Mon, 10 Dec 2012 19:01:08 +0100 Subject: [Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior In-Reply-To: <50C617B6.9000408@redhat.com> References: <50A02438.50601@redhat.com> <50C2299A.2060004@redhat.com> <50C25539.1050104@redhat.com> <50C25DCE.8070600@redhat.com> <1354922387.23302.24.camel@willson.li.ssimo.org> <50C367D7.50903@redhat.com> <50C4A871.1000005@redhat.com> <50C4ACAC.60705@redhat.com> <50C5D5F5.7090805@redhat.com> <50C5EB02.9020905@redhat.com> <50C5F786.9080209@redhat.com> <50C617B6.9000408@redhat.com> Message-ID: <50C62364.6040607@redhat.com> On 12/10/2012 06:11 PM, John Dennis wrote: > In IRC Rob and I agreed the message about a URLMismatch should be at the > debug level and not the error level because it can occur on a client > anytime the client elects to connect to a different server, which is not > an error. > > Attached is the revised patch and a diff against the previous patch and > this one just so it makes it easier to see what actually changed. > Basically it's 4 things: > > * use xmlrpc_url as the cookies domain > * revert message back to debug level > * fix bug Petr3 found with uninitialized variable > * update make-lint not to complain about using the fields in a urlparse > result > ACK -- Petr³ From rcritten at redhat.com Mon Dec 10 18:16:29 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 10 Dec 2012 13:16:29 -0500 Subject: [Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior In-Reply-To: <50C62364.6040607@redhat.com> References: <50A02438.50601@redhat.com> <50C2299A.2060004@redhat.com> <50C25539.1050104@redhat.com> <50C25DCE.8070600@redhat.com> <1354922387.23302.24.camel@willson.li.ssimo.org> <50C367D7.50903@redhat.com> <50C4A871.1000005@redhat.com> <50C4ACAC.60705@redhat.com> <50C5D5F5.7090805@redhat.com> <50C5EB02.9020905@redhat.com> <50C5F786.9080209@redhat.com> <50C617B6.9000408@redhat.com> <50C62364.6040607@redhat.com> Message-ID: <50C626FD.5050608@redhat.com> Petr Viktorin wrote: > On 12/10/2012 06:11 PM, John Dennis wrote: >> In IRC Rob and I agreed the message about a URLMismatch should be at the >> debug level and not the error level because it can occur on a client >> anytime the client elects to connect to a different server, which is not >> an error. >> >> Attached is the revised patch and a diff against the previous patch and >> this one just so it makes it easier to see what actually changed. >> Basically it's 4 things: >> >> * use xmlrpc_url as the cookies domain >> * revert message back to debug level >> * fix bug Petr3 found with uninitialized variable >> * update make-lint not to complain about using the fields in a urlparse >> result >> > > ACK > ACK here too. Pushed to master and ipa-3-0 rob From rcritten at redhat.com Mon Dec 10 18:58:18 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 10 Dec 2012 13:58:18 -0500 Subject: [Freeipa-devel] Announcing FreeIPA v3.1.0 Release Message-ID: <50C630CA.7000700@redhat.com> The FreeIPA team is proud to announce version FreeIPA v3.1.0. It can be downloaded from http://www.freeipa.org/page/Downloads. A build will be submitted to updates-testing for Fedora 18 soon. == Highlights in 3.1.0 == * A single 389-ds instance is used both for IPA identity data and for the dogtag CA server on new installs. * Support for Windows 2012 Server Trusts. * Verify that the IPA certificates are not tracked by certmonger after server uninstallation. * Enable 389-ds transactions. * If chronyd is running on a server disable it and replace it with ntpd by default. * Add new OCSP and CRL URIs to the IPA certificate profile for a new CNAME entry, ipa-ca.example.com. * Fix potential security error in cookie handling in ipa client tool, CVE-2012-5631. == Upgrading == An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance. Please note, that the referential integrity extension requires an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of hosts, SUDO or HBAC entries may require several minutes to finish. If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded. Downgrading a server once upgraded is not supported. Upgrading from 2.2.0 is supported. Upgrading from previous versions is not supported and has not been tested. Upgrading from a previous version will not consolidate the 389-ds instances. Only new installations get a unified 389-ds backend. 
Upgraded servers will retain both instances. An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys. == Feedback == Please provide comments, bugs and other feedback via the freeipa-devel mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel == Detailed Changelog since 3.0.1 == Ade Lee (1): * Changes to use a single database for dogtag and IPA Alexander Bokovoy (8): * ipa-kdb: Support Windows 2012 Server * Remove bogus check for smbpasswd * Warn about DNA plugin configuration when working with local ID ranges * Resolve external members from trusted domain via Global Catalog * Clarify trust-add help regarding multiple runs against the same domain * ipasam: better Kerberos error handling in ipasam * trusts: replace use of python-crypto by m2crypto * Propagate kinit errors with trust account Endi Sukma Dewata (1): * Configuring CA with ConfigParser. Jakub Hrozek (5): * ipa-client-automount: Add the autofs service if it doesn't exist yet * Make enabling the autofs service more robust * ipachangeconf: allow specifying non-default delimeter for options * Specify includedir in krb5.conf on new installs * Add the includedir to krb5.conf on upgrades Jan Cholasta (1): * Reword description of the --passsync option of ipa-replica-manage. 
John Dennis (2): * log dogtag errors * Compliant client side session cookie behavior Lubomir Rintel (1): * Drop unused readline import Martin Kosek (18): * Update SELinux policy for dogtag10 * Bump 389-ds-base minimum in our spec file * Add OCSP and CRL URIs to certificates * Stop and disable conflicting time&date services * Create reverse zone in unattended mode * Add fallback for httpd restarts on sysV platforms * Report ipa-upgradeconfig errors during RPM upgrade * Avoid uninstalling dependencies during package lifetime * Remove servertrls and clientctrls options from rename_s * Use common encoding in modlist generation * Process relative nameserver DNS record correctly * Do not require resolvable nameserver in DNS install * Disable global forwarding per-zone * Prepare spec file for Fedora 18 * Filter suffix in replication management tools * Change network configuration file * Improve ipa-replica-prepare error message * Fix sshd feature check Nikolai Kondrashov (1): * Add uninstall command hints to ipa-*-instal Petr Viktorin (12): * Fix schema replication from old masters * Use correct Dogtag configuration in get_pin and get_ca_certchain * Update certmap.conf on IPA upgrades * Properly stop tracking certificates on uninstall * Provide 'protocol' argument to IPAdmin * Make ipa-csreplica-manage work with both merged and non-merged DBs * Use DN objects for Dogtag configuration * ipautil.run: Log the command line before running the command * ipa-replica-install: Use configured IPA DNS servers in forward/reverse resolution check * Make sure the CA is running when starting services * Provide explicit user name for Dogtag installation scripts * Add Lubomir Rintel to Contributors.txt Petr Vobornik (7): * Simpler instructions to generate certificate * Fixed incorrect link to browser config after session expiration * Web UI: disable global forwarding per zone * WebUI: Change of default value of type of new group back to POSIX * Editable sshkey, mac address field after 
upgrade * Better licensing information of 3rd party code * Better error message for login of users from other realms Rob Crittenden (16): * Enable transactions by default, make password and modrdn TXN-aware * Become IPA 3.1.0 * Password change in a transaction, ensure passwords are truly expired * Don't configure a reverse zone if not desired in interactive installer. * Fix requesting certificates that contain subject altnames. * Improve error messages in ipa-replica-manage. * Close connection after each request, avoid NSS shutdown problem. * The SECURE_NFS value needs to be lower-case yes on SysV systems. * After unininstall see if certmonger is still tracking any of our certs. * Wait for the directory server to come up when updating the agent certificate. * Set MLS/MCS for user_u context to what will be on remote systems. * Handle the case where there are no replicas with list-ruv * Honor the kdb options disabling KDC writes in ipa_lockout plugin * Only update the list of running services in the installer or ipactl. * Set min for selinux-policy to 3.11.1-60 * Reorder XML-RPC initialization in ipa-join to avoid segfault. 
Simo Sorce (7): * Add support for using AES for cross-realm TGTs * Preserve original service_name in services * Save service name on service startup * Get list of service from LDAP only at startup * Revert "Save service name on service startup" * Save service name on service startup/shutdown * MS-PAC: Special case NFS services Sumit Bose (7): * Fix various issues found by Coverity * extdom: handle INP_POSIX_UID and INP_POSIX_GID requests * Restart httpd if ipa-server-trust-ad is installed or updated * ipa-adtrust-install: allow to reset te NetBIOS domain name * Lookup the user SID in external group as well * Restart sssd after authconfig update * Do not recommend how to configure DNS in error message Tomas Babej (5): * Forbid overlapping primary and secondary rid ranges * Refactoring of default.conf man page * Make service naming in ipa-server-install consistent * IPA Server check in ipa-replica-manage * Add detection for users from trusted/invalid realms From simo at redhat.com Mon Dec 10 19:38:18 2012 From: simo at redhat.com (Simo Sorce) Date: Mon, 10 Dec 2012 14:38:18 -0500 Subject: [Freeipa-devel] ipa-3-1 is now a new branch Message-ID: <1355168298.5073.58.camel@willson.li.ssimo.org> Hello list, with the release of 3.1 we now have a brand new ipa-3-1 branch. So from now on remember to mention if a patch is also meant to be pushed on older branches like ipa-3-0 (unlikely) or ipa-3-1 (quite possible) as well as master. Regards, Simo. -- Simo Sorce * Red Hat, Inc * New York From lroot at redhat.com Tue Dec 11 08:24:58 2012 
From: lroot at redhat.com (Lynn Root) Date: Tue, 11 Dec 2012 09:24:58 +0100 Subject: [Freeipa-devel] [PATCH] 0006 Raise ACI error when CSR has no subject hostname In-Reply-To: <50C61032.5070404@redhat.com> References: <50C5F75D.20705@redhat.com> <50C6075A.9010900@redhat.com> <50C60EB5.70508@redhat.com> <50C61032.5070404@redhat.com> Message-ID: <50C6EDDA.7050803@redhat.com> > The following raises ACIError because of failed authorization check, I think > its ok. > > RequirementError is only thrown when a command option that is required is not > passed by the user. I am not fond of expanding its use to the validation of > user content, like CSR file. > > NotFound error is used when an _entry_ is not found - so not an ideal candidate > either for this case. > > IMHO, ValidationError is fine for this situation - but maybe somebody else may > have other opinion... > > Martin I assume no one is up in arms about electing to go for ValidationError :) New patch attached. Thanks for your help, Martin! -- Lynn Root @roguelynn Associate Software Engineer Red Hat, Inc -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-lroot-0006-02-Raise-ValidationError-when-CSR-does-not-have-a-subje.patch Type: text/x-patch Size: 1126 bytes Desc: not available URL: From pviktori at redhat.com Tue Dec 11 09:01:32 2012 
From: pviktori at redhat.com (Petr Viktorin) Date: Tue, 11 Dec 2012 10:01:32 +0100 Subject: [Freeipa-devel] [PATCH] 0094 Sort Options and Outputs in API.txt In-Reply-To: <5086722D.4010004@redhat.com> References: <5086722D.4010004@redhat.com> Message-ID: <50C6F66C.2070304@redhat.com> On 10/23/2012 12:32 PM, Petr Viktorin wrote: > Here is a cosmetic change, even though the patch looks big. See commit > message. Here's a newer version of the patch. Please consider it for 3.2. -- Petr³ -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0094-02-Sort-Options-and-Outputs-in-API.txt.patch Type: text/x-patch Size: 397969 bytes Desc: not available URL: From mkosek at redhat.com Tue Dec 11 08:27:48 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 11 Dec 2012 09:27:48 +0100 Subject: [Freeipa-devel] [PATCH] 0006 Raise ACI error when CSR has no subject hostname In-Reply-To: <50C6EDDA.7050803@redhat.com> References: <50C5F75D.20705@redhat.com> <50C6075A.9010900@redhat.com> <50C60EB5.70508@redhat.com> <50C61032.5070404@redhat.com> <50C6EDDA.7050803@redhat.com> Message-ID: <50C6EE84.7000001@redhat.com> On 12/11/2012 09:24 AM, Lynn Root wrote: > >> The following raises ACIError because of failed authorization check, I think >> it's ok. >> >> RequirementError is only thrown when a command option that is required is not >> passed by the user. I am not fond of expanding its use to the validation of >> user content, like CSR file. >> >> NotFound error is used when an _entry_ is not found - so not an ideal candidate >> either for this case. >> >> IMHO, ValidationError is fine for this situation - but maybe somebody else may >> have other opinion... >> >> Martin > I assume no one is up in arms about electing to go for ValidationError :) > > New patch attached. Thanks for your help, Martin! > This is better. Though this raise statement would raise a different exception than one would expect... >>> from ipalib import errors, _ >>> raise errors.ValidationError(info=_("No hostname was found in subject of request")) Traceback (most recent call last): File "", line 1, in File "ipalib/errors.py", line 268, in __init__ self.msg = self.format % kw KeyError: 'name' Martin From lroot at redhat.com Tue Dec 11 09:22:51 2012 
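Why the raise statement in Martin's traceback fails with KeyError: 'name', and how a raise site can be checked before it is hit in an error path, as an added Python 3 example. This is not ipalib code: it imitates only the `self.msg = self.format % kw` pattern visible in the traceback, and the class names TemplatedError, ValidationError and ACIError here, their format strings, and the helpers template_fields(), describe_raise() and check_raise_sites() are hypothetical.

```python
# Added example, not FreeIPA code. Class names, format strings and helper
# names are hypothetical; only the `format % kw` pattern mirrors the traceback.
import re


def template_fields(template):
    """Names a %-style template needs, found statically: "%(name)s" -> {'name'}."""
    return set(re.findall(r"%\((\w+)\)", template))


class TemplatedError(Exception):
    """Base class: subclasses define `format`; the message is built from kwargs.

    A missing field is reported as a TypeError naming the class and the fields,
    instead of letting the formatter's bare KeyError replace the real error
    (an exception raised while raising an exception hides the original cause)."""
    format = "%(message)s"

    def __init__(self, **kw):
        missing = template_fields(self.format) - set(kw)
        if missing:
            raise TypeError("%s needs keyword argument(s): %s"
                            % (type(self).__name__, ", ".join(sorted(missing))))
        self.kw = kw
        self.msg = self.format % kw
        super().__init__(self.msg)


class ValidationError(TemplatedError):
    """Invalid user-supplied content, e.g. a CSR without a subject hostname."""
    format = "invalid '%(name)s': %(error)s"


class ACIError(TemplatedError):
    """Failed authorization check; kept distinct from validation failures so
    callers can map it to a different status code or audit record."""
    format = "Insufficient access: %(info)s"


def describe_raise(cls, **kw):
    """Construct cls(**kw) and report ('ok', message) or ('error', reason),
    showing how a given raise site will behave at runtime."""
    try:
        return ("ok", str(cls(**kw)))
    except TypeError as exc:
        return ("error", str(exc))


def check_raise_sites(sites):
    """Audit (cls, kwargs) raise sites statically; returns the ones that would
    fail at runtime as (class name, sorted missing fields) tuples."""
    bad = []
    for cls, kw in sites:
        missing = template_fields(cls.format) - set(kw)
        if missing:
            bad.append((cls.__name__, sorted(missing)))
    return bad
```

check_raise_sites() is the part worth keeping around: run over the raise sites in a module it finds a ValidationError(info=...) call at review time rather than when a user first submits a CSR that takes the error path.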
From: lroot at redhat.com (Lynn Root) Date: Tue, 11 Dec 2012 10:22:51 +0100 Subject: [Freeipa-devel] [PATCH] 0006 Raise ACI error when CSR has no subject hostname In-Reply-To: <50C6EE84.7000001@redhat.com> References: <50C5F75D.20705@redhat.com> <50C6075A.9010900@redhat.com> <50C60EB5.70508@redhat.com> <50C61032.5070404@redhat.com> <50C6EDDA.7050803@redhat.com> <50C6EE84.7000001@redhat.com> Message-ID: <50C6FB6B.3050905@redhat.com> On 12/11/2012 09:27 AM, Martin Kosek wrote: > On 12/11/2012 09:24 AM, Lynn Root wrote: >>> The following raises ACIError because of failed authorization check, I think >>> its ok. >>> >>> RequirementError is only thrown when a command option that is required is not >>> passed by the user. I am not fond of expanding its use to the validation of >>> user content, like CSR file. >>> >>> NotFound error is used when an _entry_ is not found - so not an ideal candidate >>> either for this case. >>> >>> IMHO, ValidationError is fine for this situation - but maybe somebody else may >>> have other opinion... >>> >>> Martin >> I assume no one is up in arms about electing to go for ValidationError :) >> >> New patch attached. Thanks for your help, Martin! >> > This is better. Though this raise statement would raise a different exception > that one would expect... > >>>> from ipalib import errors, _ >>>> raise errors.ValidationError(info=_("No hostname was found in subject of > request")) > Traceback (most recent call last): > File "", line 1, in > File "ipalib/errors.py", line 268, in __init__ > self.msg = self.format % kw > KeyError: 'name' > > Martin Try #3: added 'name' and 'error' parameters to ValidationError. Thanks again, Martin! -- Lynn Root @roguelynn Associate Software Engineer Red Hat, Inc -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-lroot-0006-03-Raise-ValidationError-when-CSR-does-not-have-a-subje.patch Type: text/x-patch Size: 1139 bytes Desc: not available URL: From mkosek at redhat.com Tue Dec 11 09:37:26 2012 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 11 Dec 2012 10:37:26 +0100 Subject: [Freeipa-devel] [PATCH] Add Beta versioning In-Reply-To: <943042161.7794393.1352465011767.JavaMail.root@redhat.com> References: <943042161.7794393.1352465011767.JavaMail.root@redhat.com> Message-ID: <50C6FED6.3040204@redhat.com> On 11/09/2012 01:43 PM, Lynn Root wrote: > The VERSION file and Makefile now handles 'beta' release parameters when making s/rpms. > > Ticket: https://fedorahosted.org/freeipa/ticket/2893 > > Lynn Root > Associate Software Engineer > Red Hat The patch works fine. I have just one nitpick - comment in VERSION file is not right, mentions a wrong variable: +# e.g. IPA_VERSION_BETA=1 # <<<<<< +# -> "1.0.0beta1" # +######################################################## +IPA_VERSION_BETA_RELEASE= + Martin From lroot at redhat.com Tue Dec 11 09:47:55 2012 
From: lroot at redhat.com (Lynn Root) Date: Tue, 11 Dec 2012 10:47:55 +0100 Subject: [Freeipa-devel] [PATCH] Add Beta versioning In-Reply-To: <50C6FED6.3040204@redhat.com> References: <943042161.7794393.1352465011767.JavaMail.root@redhat.com> <50C6FED6.3040204@redhat.com> Message-ID: <50C7014B.7020606@redhat.com> On 12/11/2012 10:37 AM, Martin Kosek wrote: > On 11/09/2012 01:43 PM, Lynn Root wrote: >> The VERSION file and Makefile now handles 'beta' release parameters when making s/rpms. >> >> Ticket: https://fedorahosted.org/freeipa/ticket/2893 >> >> Lynn Root >> Associate Software Engineer >> Red Hat > The patch works fine. I have just one nitpick - comment in VERSION file is not > right, mentions a wrong variable: > > +# e.g. IPA_VERSION_BETA=1 # <<<<<< > +# -> "1.0.0beta1" # > +######################################################## > +IPA_VERSION_BETA_RELEASE= > + > > Martin Updated patch attached, thank you for the catch! -- Lynn Root @roguelynn Associate Software Engineer Red Hat, Inc -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-lroot-0002-02-Added-the-ability-to-do-Beta-versioning.patch Type: text/x-patch Size: 2657 bytes Desc: not available URL: From mkosek at redhat.com Tue Dec 11 09:57:35 2012 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 11 Dec 2012 10:57:35 +0100 Subject: [Freeipa-devel] [PATCH] Switch %r specifiers to %s in Public errors In-Reply-To: <50A101E7.9010003@redhat.com> References: <1476980763.8834780.1352726064763.JavaMail.root@redhat.com> <50A101E7.9010003@redhat.com> Message-ID: <50C7038F.7030201@redhat.com> On 11/12/2012 03:04 PM, Jan Cholasta wrote: > On 12.11.2012 14:14, Lynn Root wrote: >> >> ----- Original Message ----- >>> On 12.11.2012 12:50, Lynn Root wrote: >>>> >>>> >>>> Lynn Root >>>> Associate Software Engineer >>>> Red Hat >>>> >>>> ----- Original Message ----- 
>>>>> From: "Jan Cholasta" >>>>> To: "Lynn Root" >>>>> Cc: freeipa-devel at redhat.com >>>>> Sent: Friday, November 9, 2012 3:25:20 PM >>>>> Subject: Re: [Freeipa-devel] [PATCH] Switch %r specifiers to %s in >>>>> Public errors >>>>> >>>>> On 8.11.2012 17:22, Lynn Root wrote: >>>>>> Hmm I hope I understand well enough this time around. >>>>>> >>>>>> However, when I run the tests, there's this one error message I >>>>>> come across from `test_user[97]: user_add: Create u'tuser2'` - it >>>>>> throws `DatabaseError: Type or value exists`. I'm a bit lost on >>>>>> how to track this down. >>>>>> >>>>>> Once again - thanks for your help! >>>>>> >>>>>> Lynn Root >>>>>> Associate Software Engineer >>>>>> Red Hat >>>>>> >>>>>> ----- Original Message ----- >>>>>> From: "Martin Kosek" >>>>>> To: "Jan Cholasta" >>>>>> Cc: "Lynn Root" , freeipa-devel at redhat.com >>>>>> Sent: Thursday, November 8, 2012 8:46:42 AM >>>>>> Subject: Re: [Freeipa-devel] [PATCH] Switch %r specifiers to %s >>>>>> in >>>>>> Public errors >>>>>> >>>>>> On 11/07/2012 06:46 PM, Jan Cholasta wrote: >>>>>>> On 7.11.2012 16:08, Lynn Root wrote: >>>>>>>> Third time is a charm? >>>>>>>> >>>>>>>> Lynn Root >>>>>>>> Associate Software Engineer >>>>>>>> Red Hat >>>>>>>> >>>>>>>> ----- Original Message ----- 
>>>>>>>> From: "Jan Cholasta" >>>>>>>> To: "Lynn Root" >>>>>>>> Cc: freeipa-devel at redhat.com >>>>>>>> Sent: Monday, November 5, 2012 10:25:32 AM >>>>>>>> Subject: Re: [Freeipa-devel] [PATCH] Switch %r specifiers to %s >>>>>>>> in Public errors >>>>>>>> >>>>>>>> On 5.11.2012 09:43, Lynn Root wrote: >>>>>>>>> Here's try #2! Adjusted patch attached. Let me know if >>>>>>>>> there's >>>>>>>>> anything >>>>>>>>> else I've missed. >>>>>>>>> >>>>>>>>> Switched %r specifiers to '%s' in Public errors, and adjusted >>>>>>>>> tests to >>>>>>>>> expect no preceding 'u'. >>>>>>>>> >>>>>>>>> Tickets: https://fedorahosted.org/freeipa/ticket/3121 & >>>>>>>>> https://fedorahosted.org/freeipa/ticket/2588 >>>>>>>>> >>>>>>>>> Lynn Root >>>>>>>>> Associate Software Engineer >>>>>>>>> Red Hat >>>>>>>>> >>>>>>>>> ----- Original Message ----- 
>>>>>>>>> From: "Martin Kosek" >>>>>>>>> To: "Jan Cholasta" >>>>>>>>> Cc: "Lynn Root" , freeipa-devel at redhat.com >>>>>>>>> Sent: Tuesday, October 30, 2012 9:08:33 AM >>>>>>>>> Subject: Re: [Freeipa-devel] [PATCH] Switch %r specifiers to >>>>>>>>> %s >>>>>>>>> in Public >>>>>>>>> errors >>>>>>>>> >>>>>>>>> On 10/30/2012 09:04 AM, Jan Cholasta wrote: >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> On 29.10.2012 19:54, Lynn Root wrote: >>>>>>>>>>> Hi all! >>>>>>>>>>> >>>>>>>>>>> This switch drops the preceding 'u' from strings in public >>>>>>>>>>> error messages. >>>>>>>>>>> >>>>>>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/3121 >>>>>>>>>>> >>>>>>>>>>> This patch also addresses the unfriendly 'u' from re-raising >>>>>>>>>>> errors from the >>>>>>>>>>> external call to netaddr.IPAddress by passing a bytestring >>>>>>>>>>> to >>>>>>>>>>> the function. >>>>>>>>>>> >>>>>>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/2588 >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> My first patch (and freeipa dev list email) ever! Let me >>>>>>>>>>> know >>>>>>>>>>> where there's >>>>>>>>>>> room to improve. >>>>>>>>>>> >>>>>>>>>>> Lynn Root >>>>>>>>>>> Associate Software Engineer >>>>>>>>>>> Red Hat >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> I think it would be nice if you kept the quotes around the >>>>>>>>>> values, as that is >>>>>>>>>> probably the reason "%r" was used in the first place - i.e. >>>>>>>>>> use >>>>>>>>>> "'%s'" instead >>>>>>>>>> of plain "%s". >>>>>>>>> >>>>>>>>> +1 >>>>>>>>> >>>>>>>>> With current patch, I assume that a lot of unit tests will >>>>>>>>> fail >>>>>>>>> as they check >>>>>>>>> exact error message wording. I'd recommend running the whole >>>>>>>>> test suite with >>>>>>>>> your second patch revision. 
There is a short walkthrough how >>>>>>>>> to >>>>>>>>> set it up: >>>>>>>>> >>>>>>>>> http://freeipa.org/page/Testing >>>>>>>>> >>>>>>>>> Martin >>>>>>>>> >>>>>>>> >>>>>>>> You missed a few: >>>>>>>> >>>>>>>> $ git grep -En '%(\(.*?\))?r' >>>>>>>> >>>>>>>> Honza >>>>>>>> >>>>>>> >>>>>>> I think you have gone too far this time :-) It is not necessary >>>>>>> (or wise) to >>>>>>> get rid of %r *everywhere* in the code. >>>>>> >>>>>> Thanks Honza for pointing that out. It seems I missed that in >>>>>> yesterday's >>>>>> review. Now, when I look at it, it indeed is not right. >>>>>> >>>>>>> >>>>>>> A few rules to keep in mind: >>>>>>> >>>>>>> * If it is not an error message, do not touch it (log >>>>>>> messages >>>>>>> are not error >>>>>>> messages BTW). >>>>>>> >>>>>>> * If it is an error message for an exception that does not >>>>>>> inherit from >>>>>>> errors.PublicError, do not touch it (there might be a few >>>>>>> exceptions, though). >>>>>> >>>>>> Right. But for example, your netaddr str conversions should be >>>>>> fine >>>>>> since the >>>>>> netaddr error is propagated up to the ValidationError. >>>>>> >>>>>> Martin >>>>>> >>>>>>> >>>>>>> * Use '%s' (%s with ticks) only for arguments whose value >>>>>>> can >>>>>>> be only str or >>>>>>> unicode. >>>>>>> >>>>>>> Honza >>>>>>> >>>>>> >>>>> >>>>> This is better, thanks. >>>>> >>>>> In OverlapError.format, remove the ticks around %s, as we expect a >>>>> list >>>>> here (I think we could make it look prettier, similar to what >>>>> Martin >>>>> did >>>>> in >>>>> , >>>>> >>>>> but I'm not sure if we want to do it in this ticket/patch). >>>>> >>>> >>>> Fixed, ty. >>>> >>>>> I'm not sure what to do about the ValidationError at >>>>> ipalib/parameters.py:882 and ipalib/parameters.py:1171. I think it >>>>> should be "TypeError(TYPE_ERROR % (self.name, self.type, value, >>>>> type(value)))" instead, as by the time parameters are validated >>>>> they >>>>> are >>>>> the right type. 
>>>> >>>> Done - with adjusted tests. >>> >>> Thanks, but please refer to me as jcholast at redhat.com in the commit >>> message, so that people don't have to look me up. >>> >> >> Fixed. >> >>>> >>>>> >>>>> Also there is one %r you missed in ipalib/parameters.py:1554. >>>> >>>> The tests seem to be expecting a unicode character - are you sure >>>> this is right? >>> >>> Currently the message the error produces has two ticks on each side >>> of >>> the value, which is ugly. So, replace the "\'%(char)r\'" with either >>> "\'%(char)s\'" or "%(char)r". >> >> Ah now I see - fixed. >> >>> >>>> >>>> If not - attached is the new patch (correctly formatted). >>>> >>>> Thanks again! >>>> >>>>> >>>>> Honza >>>>> >>>>> -- >>>>> Jan Cholasta >>>>> >>> >>> Honza >>> >>> -- >>> Jan Cholasta >>> >> >> >> Lynn Root >> Associate Software Engineer >> Red Hat >> > > Thanks, ACK. > > Honza > I verified the patch is still OK and pushed it to master. I also added Lynn to the Contributors.txt file, she has earned the right to be listed there :-) Martin From mkosek at redhat.com Tue Dec 11 09:58:44 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 11 Dec 2012 10:58:44 +0100 Subject: [Freeipa-devel] [PATCH 0013] Remove user-unfriendly "u" character from error messages In-Reply-To: <5048CB9B.9040200@redhat.com> References: <50475150.4090905@redhat.com> <504756AF.1050803@redhat.com> <50476317.20604@redhat.com> <5048CB9B.9040200@redhat.com> Message-ID: <50C703D4.2020603@redhat.com> On 09/06/2012 06:13 PM, Petr Viktorin wrote: > On 09/05/2012 04:35 PM, Tomas Babej wrote: >> On 09/05/2012 03:42 PM, Petr Viktorin wrote: >>> On 09/05/2012 03:19 PM, Tomas Babej wrote: >>>> Hi, >>>> >>>> User-unfriendly errors were caused by re-raising errors >>>> from external python module netaddr. >>>> >>>> https://fedorahosted.org/freeipa/ticket/2588 >>>> >>>> Tomas >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>> >>> >>> I don't agree with this approach. Raising another module's errors in >>> our code is ugly, and will break if netaddr changes. The arguments to >>> pass to the exceptions are undocumented (see >>> http://packages.python.org/netaddr/api.html#custom-exceptions). The >>> wording of error messages in libraries can usually change at any time, >>> and is intended for developers, not end users. >>> >>> This should be either fixed upstream (unlikely, using the repr() of >>> the argument is a sane thing to do at their side), or we should pass >>> bytestrings to netaddr (a possible quick fix, not sure it it'll work), >>> or, ideally, we should raise IPA's own errors. >>> >> Well, this particular fix wouldn't have broken anything, since it was >> raising the same error that the except clause in which the raising >> occured caught. However, I changed this to StandardError, since the >> error message is extracted and packed into ValidationError during >> further validation and therefore simple format message is suitable. 
>
> I know this is a minor issue and unlikely to cause problems, but it still
> should be fixed properly.
>
> The patch assumes AddrFormatError takes only one argument, the message. In
> another case something like this might be a reasonable assumption, but having a
> prettier error message doesn't justify it.
> Taking free-form text from a library and fixing it up like this is also not
> maintainable. Again, it assumes too much about the library.
>
> I won't ack this approach. Please consult someone else if you think it really
> is the best way.
>
> Adding `addr = str(addr)` would work around the issue without introducing
> assumptions about an external library.
>
>
>
> Some technical issues with your patch, in case my "ideology" is incompatible
> with the project:
>
> ValueError would be more appropriate than StandardError. We already raise it in
> similar situations in this method.
>
> There is a case where your fix doesn't work: CheckedIPAddress(u'percent%sign').
>
> Please adjust the test in test_dns_plugin that checks the error message.
>

Just to make things clear - this patch and this thread were superseded by Lynn's patch 0001.

Martin

From mkosek at redhat.com Tue Dec 11 10:02:52 2012
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 11 Dec 2012 11:02:52 +0100 Subject: [Freeipa-devel] [PATCH] Add Beta versioning In-Reply-To: <50C7014B.7020606@redhat.com> References: <943042161.7794393.1352465011767.JavaMail.root@redhat.com> <50C6FED6.3040204@redhat.com> <50C7014B.7020606@redhat.com> Message-ID: <50C704CC.7030009@redhat.com> On 12/11/2012 10:47 AM, Lynn Root wrote: > On 12/11/2012 10:37 AM, Martin Kosek wrote: >> On 11/09/2012 01:43 PM, Lynn Root wrote: >>> The VERSION file and Makefile now handles 'beta' release parameters when >>> making s/rpms. >>> >>> Ticket: https://fedorahosted.org/freeipa/ticket/2893 >>> >>> Lynn Root >>> Associate Software Engineer >>> Red Hat >> The patch works fine. I have just one nitpick - comment in VERSION file is not >> right, mentions a wrong variable: >> >> +# e.g. IPA_VERSION_BETA=1 # <<<<<< >> +# -> "1.0.0beta1" # >> +######################################################## >> +IPA_VERSION_BETA_RELEASE= >> + >> >> Martin > Updated patch attached, thank you for the catch! > ACK. Pushed to master. Martin From mkosek at redhat.com Tue Dec 11 10:08:12 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 11 Dec 2012 11:08:12 +0100 Subject: [Freeipa-devel] [PATCH] Fixed the catch of the hostname option during ipa-server-install In-Reply-To: <50A37EE1.4040605@redhat.com> References: <985567129.139743.1352828239094.JavaMail.root@redhat.com> <50A37EE1.4040605@redhat.com> Message-ID: <50C7060C.7010901@redhat.com> On 11/14/2012 12:22 PM, Martin Kosek wrote: > On 11/13/2012 06:37 PM, Lynn Root wrote: >> Er, correctly formatted patch :D (I hope) >> >> Lynn Root >> Associate Software Engineer >> Red Hat >> >> ------------------------------------------------------------------------------- >> >> Hi all - >> >> Originally ipa-server-install would still prompt for the hostname even if >> it's supplied in the initial installation command. >> >> Ticket: https://fedorahosted.org/freeipa/ticket/2692 >> >> >> Lynn Root >> Associate Software Engineer >> Red Hat >> > > Yup, formatting is ok :-) > > ACK for the patch, works fine. Though we may wait with pushing it until we > start 3.2. > > Martin > Pushed to master, ipa-3-1. Martin From mkosek at redhat.com Tue Dec 11 11:30:49 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 11 Dec 2012 12:30:49 +0100 Subject: [Freeipa-devel] [PATCH] 0006 Raise ACI error when CSR has no subject hostname In-Reply-To: <50C6FB6B.3050905@redhat.com> References: <50C5F75D.20705@redhat.com> <50C6075A.9010900@redhat.com> <50C60EB5.70508@redhat.com> <50C61032.5070404@redhat.com> <50C6EDDA.7050803@redhat.com> <50C6EE84.7000001@redhat.com> <50C6FB6B.3050905@redhat.com> Message-ID: <50C71969.2010108@redhat.com> On 12/11/2012 10:22 AM, Lynn Root wrote: > On 12/11/2012 09:27 AM, Martin Kosek wrote: >> On 12/11/2012 09:24 AM, Lynn Root wrote: >>>> The following raises ACIError because of failed authorization check, I think >>>> its ok. >>>> >>>> RequirementError is only thrown when a command option that is required is not >>>> passed by the user. I am not fond of expanding its use to the validation of >>>> user content, like CSR file. >>>> >>>> NotFound error is used when an _entry_ is not found - so not an ideal >>>> candidate >>>> either for this case. >>>> >>>> IMHO, ValidationError is fine for this situation - but maybe somebody else may >>>> have other opinion... >>>> >>>> Martin >>> I assume no one is up in arms about electing to go for ValidationError :) >>> >>> New patch attached. Thanks for your help, Martin! >>> >> This is better. Though this raise statement would raise a different exception >> that one would expect... >> >>>>> from ipalib import errors, _ >>>>> raise errors.ValidationError(info=_("No hostname was found in subject of >> request")) >> Traceback (most recent call last): >> File "", line 1, in >> File "ipalib/errors.py", line 268, in __init__ >> self.msg = self.format % kw >> KeyError: 'name' >> >> Martin > Try #3: added 'name' and 'error' parameters to ValidationError. Thanks again, > Martin! > ACK. Pushed to master, ipa-3-1. Martin From tbabej at redhat.com Tue Dec 11 11:34:45 2012 
From: tbabej at redhat.com (Tomas Babej)
Date: Tue, 11 Dec 2012 12:34:45 +0100
Subject: [Freeipa-devel] [PATCH 0024] Make options checks in idrange-add/mod consistent
Message-ID: <50C71A55.4040107@redhat.com>

Hi,

**NOTE**: This is to be applied on top of my PATCH 0021

Option checks in idrange-add/mod have been made consistent. Both now enforce the following checks:

- dom_sid and secondary_rid_base cannot be used together
- rid_base must be used together if dom_rid is set
- secondary_rid_base and rid_base must be used together if dom_rid is not set

Unit test for third check has been added.

http://fedorahosted.org/freeipa/ticket/3170

Tomas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0024-Make-options-checks-in-idrange-add-mod-consistent.patch
Type: text/x-patch
Size: 7280 bytes
Desc: not available
URL: 

From mkosek at redhat.com Tue Dec 11 11:35:48 2012
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 11 Dec 2012 12:35:48 +0100 Subject: [Freeipa-devel] [PATCH 0022] Relax restriction for leading/trailing whitespaces in *-find commands In-Reply-To: <5091168F.10007@redhat.com> References: <508FDF4D.60800@redhat.com> <5090EC81.7090604@redhat.com> <50910847.5060203@redhat.com> <5091168F.10007@redhat.com> Message-ID: <50C71A94.1070504@redhat.com> On 10/31/2012 01:16 PM, Tomas Babej wrote: > On 10/31/2012 12:15 PM, Martin Kosek wrote: >> On 10/31/2012 10:16 AM, Martin Kosek wrote: >>> On 10/30/2012 03:08 PM, Tomas Babej wrote: >>>> Hi, >>>> >>>> All *-find commands now enable leading/trailing whitespaces in the >>>> search phrase. Behaviour has been implemented directly into >>>> crud.Search class. >>>> >>>> https://fedorahosted.org/freeipa/ticket/2981 >>>> >>>> Tomas >>>> >>> ACK, works fine. >>> >>> Martin >>> >> I take the ACK back, just found out you forgot to re-generate API.txt which >> makes the build fail: >> >> >> # make rpms >> ... >> Argument 'criteria?' in command 'aci_find' in API file not found >> Argument count in aci_find of 0 doesn't match expected: 1 >> Argument criteria? of command aci_find in ipalib, not in API file: >> Str('criteria?', noextrawhitespace=False) >> Argument 'criteria?' in command 'delegation_find' in API file not found >> Argument count in delegation_find of 0 doesn't match expected: 1 >> Argument criteria? of command delegation_find in ipalib, not in API file: >> Str('criteria?', noextrawhitespace=False) >> Argument 'criteria?' in command 'selfservice_find' in API file not found >> Argument count in selfservice_find of 0 doesn't match expected: 1 >> Argument criteria? of command selfservice_find in ipalib, not in API file: >> Str('criteria?', noextrawhitespace=False) >> >> There are one or more changes to the API. >> Either undo the API changes or update API.txt and increment the major version >> in VERSION. 
>> make: *** [version-update] Error 1
>>
>> Martin
> Update patch version attached. I regenerated API.txt and incremented
> IPA_API_VERSION_MINOR to 45.
>
> Tomas

ACK. I rebased the patch (VERSION file conflict) and pushed to master, ipa-3-1.

Martin

From tbabej at redhat.com Tue Dec 11 11:38:58 2012
From: tbabej at redhat.com (Tomas Babej)
Date: Tue, 11 Dec 2012 12:38:58 +0100
Subject: [Freeipa-devel] [PATCH 0025] Add trusted domain range objectclass to idrange-mod
Message-ID: <50C71B52.9080601@redhat.com>

Hi,

**NOTE**: This is to be applied on top of my PATCH 0024.

I found this glitch while working on 0024, however, it does not fit into the scope of the ticket, so I am creating a separate patch for it.

When modifying the idrange, one was able to add ipa NT trusted AD domain sid without objectclass ipatrustedaddomainrange being added. This patch fixes the issue.

Tomas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0025-Add-trusted-domain-range-objectclass-to-idrange-mod.patch
Type: text/x-patch
Size: 1307 bytes
Desc: not available
URL: 

From rcritten at redhat.com Tue Dec 11 13:12:52 2012
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 11 Dec 2012 08:12:52 -0500 Subject: [Freeipa-devel] [PATCH] 0006 Raise ACI error when CSR has no subject hostname In-Reply-To: <50C61032.5070404@redhat.com> References: <50C5F75D.20705@redhat.com> <50C6075A.9010900@redhat.com> <50C60EB5.70508@redhat.com> <50C61032.5070404@redhat.com> Message-ID: <50C73154.10204@redhat.com> Martin Kosek wrote: > On 12/10/2012 05:32 PM, Lynn Root wrote: >> On 12/10/2012 05:01 PM, Martin Kosek wrote: >>> On 12/10/2012 03:53 PM, Lynn Root wrote: >>>> Raise ACI error when CSR does not have a subject hostname. >>>> >>>> Ticket:https://fedorahosted.org/freeipa/ticket/3123 >>>> >>> Why an ACIError? I know there are are a lot of ACIErrors thrown in cert-request >>> command processing, but they are all related to authorization of the request. >>> In this case, this is rather a missing required field of the CSR, so >>> ValidationError may be a better choice. >>> >>> Martin >>> >> I elected ACIError simply because the immediately following ACIError raises the >> issue that hostname of principal doesn't match the subject hostname of the CSR >> - seemed a similar case of "doesn't match" with "doesn't exists." But right - >> it's not related to Auth. >> >> Would ValidationError be appropriate, or would RequirementError or NotFound be >> more so? >> > > The following raises ACIError because of failed authorization check, I think > its ok. > > RequirementError is only thrown when a command option that is required is not > passed by the user. I am not fond of expanding its use to the validation of > user content, like CSR file. > > NotFound error is used when an _entry_ is not found - so not an ideal candidate > either for this case. > > IMHO, ValidationError is fine for this situation - but maybe somebody else may > have other opinion... 
I think I raised an ACIError when the hostname doesn't match the principal because that could be more than an oops and more of an attempt to get a cert for a hostname you shouldn't. I agree that ValidationError is the way to go.

rob

From pspacek at redhat.com Tue Dec 11 13:25:42 2012
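Two points from this thread are worth seeing in code together: Martin's KeyError (a ValidationError built with only `info=`, when the message template needs other keys), and Rob's distinction between a CSR with no subject hostname (malformed input, ValidationError) and a CSR whose hostname does not match the requesting principal (a possible attempt to get a certificate for another host, ACIError). The following is an added, constructed Python illustration, not FreeIPA's code. The two error classes only mimic the shape of ipalib's PublicError (a class-level `format` template filled from keyword arguments); the templates, the `csr`/`principal` names, the simplified DN parser and all sample DNs and principals are assumptions made for the example. Unlike the bare KeyError in the thread, the constructor here turns a missing template key into an explicit TypeError naming the key, so the mistake is caught at the raise site.

```python
import re


class PublicError(Exception):
    """Error whose message comes from a class-level template plus keyword args.

    Constructed stand-in for the shape of ipalib.errors.PublicError; the real
    class does more. The thread's KeyError came from ``self.format % kw`` when
    a required template key was not passed, so fail loudly and name the key.
    """
    format = None

    def __init__(self, **kw):
        self.kw = kw
        try:
            self.msg = self.format % kw
        except KeyError as e:
            raise TypeError("%s requires keyword argument %s"
                            % (type(self).__name__, e)) from None
        super().__init__(self.msg)


class ValidationError(PublicError):
    """Caller-supplied content is malformed; not an authorization problem."""
    # Template assumed for this example: it needs 'name' and 'error'.
    format = "invalid '%(name)s': %(error)s"


class ACIError(PublicError):
    """Caller is not allowed to do what was requested."""
    # Template assumed for this example: it needs 'info'.
    format = "Insufficient access: %(info)s"


def subject_hostname(subject_dn):
    """Return the CN value of an RFC 4514 style subject DN, or None.

    Minimal parser for the constructed inputs used here: split on commas that
    are not escaped, take the first non-empty CN attribute.
    """
    for rdn in re.split(r'(?<!\\),', subject_dn):
        attr, sep, value = rdn.strip().partition('=')
        if sep and attr.strip().upper() == 'CN' and value.strip():
            return value.strip()
    return None


def check_cert_request(subject_dn, principal):
    """Apply the two checks from the thread and return the accepted hostname.

    1. No hostname in the CSR subject: malformed input -> ValidationError.
    2. Hostname present but different from the requesting service principal's
       host: could be an attempt to get a certificate for another host, so it
       is an authorization failure -> ACIError.
    """
    hostname = subject_hostname(subject_dn)
    if hostname is None:
        raise ValidationError(name='csr',
                              error='No hostname was found in subject of request')

    # Service principals look like service/fqdn@REALM (e.g. host/fqdn@REALM).
    service, sep, rest = principal.partition('/')
    if not sep or not service:
        raise ValidationError(name='principal',
                              error='not a service principal')
    principal_host = rest.split('@', 1)[0]

    # Hostnames are compared case-insensitively, as DNS names are.
    if hostname.lower() != principal_host.lower():
        raise ACIError(info="hostname in subject of request '%s' does not "
                            "match principal hostname '%s'"
                            % (hostname, principal_host))
    return hostname


def request_outcome(subject_dn, principal):
    """Run check_cert_request and report ('ok', hostname) or (error class, message)."""
    try:
        return ('ok', check_cert_request(subject_dn, principal))
    except PublicError as e:
        return (type(e).__name__, e.msg)


if __name__ == '__main__':
    # Constructed sample requests.
    for dn, princ in [
        ('CN=host.example.com,O=EXAMPLE.COM', 'host/host.example.com@EXAMPLE.COM'),
        ('O=EXAMPLE.COM', 'host/host.example.com@EXAMPLE.COM'),
        ('CN=other.example.com,O=EXAMPLE.COM', 'host/host.example.com@EXAMPLE.COM'),
    ]:
        print(dn, '->', request_outcome(dn, princ))
    # The constructor mistake from the thread now fails with a clear message.
    try:
        ValidationError(info='No hostname was found in subject of request')
    except TypeError as e:
        print('constructor error:', e)
```

The ordering matters for the same reason Rob gives: a request with no hostname at all is rejected as bad input before any authorization decision is made, while a mismatch between a well-formed subject and the caller's principal is reported as an access failure, which is the event an operator would want logged and alerted on rather than treated as a typo.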
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 11 Dec 2012 14:25:42 +0100 Subject: [Freeipa-devel] [DHCP] tree layout options In-Reply-To: <1351784603.18469.113.camel@willson.li.ssimo.org> References: <5008027E.4070401@firstyear.id.au> <1351784603.18469.113.camel@willson.li.ssimo.org> Message-ID: <50C73456.3090108@redhat.com> On 11/01/2012 04:43 PM, Simo Sorce wrote: > On Thu, 2012-07-19 at 22:20 +0930, William Brown wrote: >> Find attached two different ldifs showing how the tree for DHCP services >> could be layed out. I personally prefer 2 due to the way that >> sharedNetwork segments can be named uniquely in a location without >> clashing with another location. The way that ISC-DHCP generates the >> config is through essentially a depth-first subtree search of the >> objects below the dhcpService object (In this case, cn=pultney). Due to >> this, I think the best way to split ipv4 and ipv6 due to the conflicting >> DHCP options, would be to make cn=locations,cn=v4,cn=isc,cn=dhcp and >> cn=locations,cn=v6,isc,cn=dhcp OR >> cn=locations4,cn=isc,cn=dhcp and cn=locations6,cn=isc,cn=dhcp >> >> Additionally, the option1 config does not at this time work with the >> ISC-DHCP server. It seems there is a bug in that it can parse the >> dhcpSharedNetworkDN attributes, and push them to a stack to follow them, >> but never parses the contents of them. Option 2 works, and generates a >> configuration for the networks and subnets correctly, but does not add >> any dhcpHost objects not the dhcpFailOverPeer information. I am >> investigating both. Hello list, I do not really follow the discussion, but I accidentally found some old IETF documents related to DHCP<->LDAP integration. http://tools.ietf.org/html/draft-ietf-dhc-schema-02 (Microsoft, 2000) http://tools.ietf.org/html/draft-ietf-dhc-ldap-schema-00 (Novell, 2001) I have met various texts about DHCP-LDAP integration in Novell's "Open Enterprise Server 11"/eDirectory documentation. 
Is somebody familiar with this aspect of eDirectory? Should we think about some interoperability? I don't know if there are some stand-alone tools for DHCP LDAP administration. Some docs: http://www.novell.com/documentation/oes11/pdfdoc/ntwk_dnsdhcp_lx/ntwk_dnsdhcp_lx.pdf -- Petr^2 Spacek From alee at redhat.com Tue Dec 11 19:12:10 2012 From: alee at redhat.com (Ade Lee) Date: Tue, 11 Dec 2012 14:12:10 -0500 Subject: [Freeipa-devel] [Fwd: Announcing Dogtag 10.0 Release Candidate 1] Message-ID: <1355253131.2513.60.camel@aleeredhat.laptop> -------------- next part -------------- An embedded message was scrubbed... From: Ade Lee Subject: Announcing Dogtag 10.0 Release Candidate 1 Date: Tue, 11 Dec 2012 14:11:24 -0500 Size: 7282 URL: From rcritten at redhat.com Tue Dec 11 21:44:26 2012 
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Dec 2012 16:44:26 -0500
Subject: [Freeipa-devel] Announcing FreeIPA v3.0.2 Release
Message-ID: <50C7A93A.3020501@redhat.com>

The FreeIPA team is proud to announce version FreeIPA v3.0.2.

It can be downloaded from http://www.freeipa.org/page/Downloads.

== Highlights in 3.0.2 ==

* WebUI: Change of default value of type of new group back to POSIX.
* Lookup the user SID in external group as well.
* Include sssd-managed domain/realm mapping file managed in krb5.conf.
* Fix potential security error in cookie handling in ipa client tool, CVE-2012-5631.

== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

Please note that the referential integrity extension requires an extended set of indexes to be configured. RPM update for an IPA server with an excessive number of hosts, SUDO or HBAC entries may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-devel mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel

== Detailed Changelog since 3.0.1 ==

Alexander Bokovoy (3):
* ipasam: better Kerberos error handling in ipasam
* trusts: replace use of python-crypto by m2crypto
* Propagate kinit errors with trust account

Jakub Hrozek (4):
* Make enabling the autofs service more robust
* ipachangeconf: allow specifying non-default delimeter for options
* Specify includedir in krb5.conf on new installs
* Add the includedir to krb5.conf on upgrades

John Dennis (1):
* Compliant client side session cookie behavior

Lubomir Rintel (1):
* Drop unused readline import

Martin Kosek (5):
* Prepare spec file for Fedora 18
* Filter suffix in replication management tools
* Change network configuration file
* Improve ipa-replica-prepare error message
* Fix sshd feature check

Petr Viktorin (2):
* Provide explicit user name for Dogtag installation scripts
* Add Lubomir Rintel to Contributors.txt

Petr Vobornik (4):
* WebUI: Change of default value of type of new group back to POSIX
* Editable sshkey, mac address field after upgrade
* Better licensing information of 3rd party code
* Better error message for login of users from other realms

Rob Crittenden (5):
* Honor the kdb options disabling KDC writes in ipa_lockout plugin
* Only update the list of running services in the installer or ipactl.
* Set min for selinux-policy to 3.11.1-60
* Reorder XML-RPC initialization in ipa-join to avoid segfault.
* Become IPA 3.0.2

Simo Sorce (1):
* MS-PAC: Special case NFS services

Sumit Bose (3):
* Lookup the user SID in external group as well
* Restart sssd after authconfig update
* Do not recommend how to configure DNS in error message

Tomas Babej (1):
* Add detection for users from trusted/invalid realms

From pviktori at redhat.com Wed Dec 12 12:35:07 2012
From: pviktori at redhat.com (Petr Viktorin) Date: Wed, 12 Dec 2012 13:35:07 +0100 Subject: [Freeipa-devel] [PATCH] convert the base platform modules into packages In-Reply-To: <50C0A275.9090508@redhat.com> References: <505C804B.9010506@ubuntu.com> <507EB5F1.1040903@redhat.com> <50BF459A.8080306@ubuntu.com> <50BF62EB.5040006@ubuntu.com> <50C0A275.9090508@redhat.com> Message-ID: <50C879FB.4040302@redhat.com> On 12/06/2012 02:49 PM, Petr Viktorin wrote: > On 12/05/2012 04:06 PM, Timo Aaltonen wrote: >> On 05.12.2012 15:01, Timo Aaltonen wrote: >>> On 17.10.2012 16:43, Petr Viktorin wrote: >>>> On 09/21/2012 04:57 PM, Timo Aaltonen wrote: >>>>> Ok, so this is the first step before we can start to rewrite bits from >>>>> ipaserver/install to make them support other distros. There are no >>>>> real >>>>> functional changes yet. >>>>> >>>>> had some dependency issues installing the resulting rpm's, so didn't >>>>> test the install scripts but they should work :) >>>>> >>>>> >>>> >>>> Hello, >>>> >>>> I recommend giving the -M flag to git format-patch, so it's easier to >>>> see changes in the patch. >>>> >>>> >>>> Your split of the fedora16 code into two modules is unfortunate: each >>>> tries to import the other one, and one is the other's parent. This >>>> would >>>> need special care to get working correctly. >>>> >>>> The best option here would probably be to put restore_context & >>>> check_selinux_status into a separate submodule, so you don't need to >>>> import fedora16 from services. >>>> >>>> Furthermore, in fedora16/__init__.py, you have: >>>> from ipapython.platform.fedora16.service import * >>>> This imports everything from that module, including e.g. "redhat" or >>>> "os". >>>> Please avoid star imports. List all the imported names explicitly, or >>>> import the module and then use qualified names. >>>> >>>> >>>> Other than that, after a trivial rebase the patch seems to work fine on >>>> Fedora. Thanks! >>> >>> And finally, here is version 2. 
>>> >>> fixed all the above, I think.. make-lint passes, make rpms too. >> >> Here's v3, thanks to your rebase to an even more current master :) >> > > Thank you! This works fine on f17 and f18. ACK. > > We're stabilizing for a 3.1 release right now, so we might hold pushing > this to master until work on 3.2 starts. > Another rebase is needed for the time services (chrony) change. Attached. -- Petr³ -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tjaalton-0001-04-convert-the-base-platform-modules-into-packages.patch Type: text/x-patch Size: 36524 bytes Desc: not available URL: From pviktori at redhat.com Wed Dec 12 13:08:14 2012 From: pviktori at redhat.com (Petr Viktorin) Date: Wed, 12 Dec 2012 14:08:14 +0100 Subject: [Freeipa-devel] [PATCH] 0094 Sort Options and Outputs in API.txt In-Reply-To: <50C6F66C.2070304@redhat.com> References: <5086722D.4010004@redhat.com> <50C6F66C.2070304@redhat.com> Message-ID: <50C881BE.6090608@redhat.com> On 12/11/2012 10:01 AM, Petr Viktorin wrote: > On 10/23/2012 12:32 PM, Petr Viktorin wrote: >> Here is a cosmetic change, even though the patch looks big. See commit >> message. > > Here's a newer version of the patch. Please consider it for 3.2. And here's another rebase. -- Petr³ -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0094-03-Sort-Options-and-Outputs-in-API.txt.patch Type: text/x-patch Size: 397214 bytes Desc: not available URL: From mkosek at redhat.com Wed Dec 12 13:11:59 2012
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 12 Dec 2012 14:11:59 +0100 Subject: [Freeipa-devel] [PATCH] 0094 Sort Options and Outputs in API.txt In-Reply-To: <50C881BE.6090608@redhat.com> References: <5086722D.4010004@redhat.com> <50C6F66C.2070304@redhat.com> <50C881BE.6090608@redhat.com> Message-ID: <50C8829F.9020600@redhat.com> On 12/12/2012 02:08 PM, Petr Viktorin wrote: > On 12/11/2012 10:01 AM, Petr Viktorin wrote: >> On 10/23/2012 12:32 PM, Petr Viktorin wrote: >>> Here is a cosmetic change, even though the patch looks big. See commit >>> message. >> >> Here's a newer version of the patch. Please consider it for 3.2. > > And here's another rebase. > ACK. Pushed to master. Martin From rcritten at redhat.com Wed Dec 12 14:50:48 2012
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 12 Dec 2012 09:50:48 -0500 Subject: [Freeipa-devel] [Freeipa-users] Announcing FreeIPA v3.0.2 Release In-Reply-To: References: <50C7A93A.3020501@redhat.com> Message-ID: <50C899C8.8020405@redhat.com> Bret Wortman wrote: > Is this (like 3.1.0) also intended for f18? The sss_idmap package > doesn't seem to be available for f17. No, F-18 will have 3.1. 3.0 GA won't be backported to F-17. We did a couple of pre-releases of 3.0 in F-17 because F-18 wasn't easily usable for quite a long time (in our humble opinion). rob > On Tue, Dec 11, 2012 at 4:44 PM, Rob Crittenden > wrote: > > The FreeIPA team is proud to announce version FreeIPA v3.0.2. > > It can be downloaded from http://www.freeipa.org/page/__Downloads > . > > == Highlights in 3.0.2 == > > * WebUI: Change of default value of type of new group back to POSIX. > * Lookup the user SID in external group as well. > * Include sssd-managed domain/realm mapping file managed in krb5.conf. > * Fix potential security error in cookie handling in ipa client > tool, CVE-2012-5631. > > == Upgrading == > > An IPA server can be upgraded simply by installing updated rpms. The > server does not need to be shut down in advance. > > Please note, that the referential integrity extension requires an > extended set of indexes to be configured. RPM update for an IPA > server with a excessive number of hosts, SUDO or HBAC entries may > require several minutes to finish. > > If you have multiple servers you may upgrade them one at a time. It > is expected that all servers will be upgraded in a relatively short > period (days or weeks not months). They should be able to co-exist > peacefully but new features will not be available on old servers and > enrolling a new client against an old server will result in the SSH > keys not being uploaded. > > Downgrading a server once upgraded is not supported. > > Upgrading from 2.2.0 is supported. 
Upgrading from previous versions > is not supported and has not been tested. > > An enrolled client does not need the new packages installed unless > you want to re-enroll it. SSH keys for already installed clients are > not uploaded, you will have to re-enroll the client or manually > upload the keys. > > == Feedback == > > Please provide comments, bugs and other feedback via the > freeipa-devel mailing list: > http://www.redhat.com/mailman/__listinfo/freeipa-devel > > > == Detailed Changelog since 3.0.1 == > > Alexander Bokovoy (3): > * ipasam: better Kerberos error handling in ipasam > * trusts: replace use of python-crypto by m2crypto > * Propagate kinit errors with trust account > > Jakub Hrozek (4): > * Make enabling the autofs service more robust > * ipachangeconf: allow specifying non-default delimeter for options > * Specify includedir in krb5.conf on new installs > * Add the includedir to krb5.conf on upgrades > > John Dennis (1): > * Compliant client side session cookie behavior > > Lubomir Rintel (1): > * Drop unused readline import > > Martin Kosek (5): > * Prepare spec file for Fedora 18 > * Filter suffix in replication management tools > * Change network configuration file > * Improve ipa-replica-prepare error message > * Fix sshd feature check > > Petr Viktorin (2): > * Provide explicit user name for Dogtag installation scripts > * Add Lubomir Rintel to Contributors.txt > > Petr Vobornik (4): > * WebUI: Change of default value of type of new group back to POSIX > * Editable sshkey, mac address field after upgrade > * Better licensing information of 3rd party code > * Better error message for login of users from other realms > > Rob Crittenden (5): > * Honor the kdb options disabling KDC writes in ipa_lockout plugin > * Only update the list of running services in the installer or ipactl. > * Set min for selinux-policy to 3.11.1-60 > * Reorder XML-RPC initialization in ipa-join to avoid segfault. 
> * Become IPA 3.0.2 > > Simo Sorce (1): > * MS-PAC: Special case NFS services > > Sumit Bose (3): > * Lookup the user SID in external group as well > * Restart sssd after authconfig update > * Do not recommend how to configure DNS in error message > > Tomas Babej (1): > * Add detection for users from trusted/invalid realms > > _________________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/__mailman/listinfo/freeipa-users > > > > > > -- > Bret Wortman > The Damascus Group > Fairfax, VA > http://bretwortman.com/ > http://twitter.com/BretWortman > From bret.wortman at damascusgrp.com Wed Dec 12 14:46:17 2012 
From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Wed, 12 Dec 2012 09:46:17 -0500 Subject: [Freeipa-devel] [Freeipa-users] Announcing FreeIPA v3.0.2 Release In-Reply-To: <50C7A93A.3020501@redhat.com> References: <50C7A93A.3020501@redhat.com> Message-ID: Is this (like 3.1.0) also intended for f18? The sss_idmap package doesn't seem to be available for f17. On Tue, Dec 11, 2012 at 4:44 PM, Rob Crittenden wrote: > The FreeIPA team is proud to announce version FreeIPA v3.0.2. > > It can be downloaded from http://www.freeipa.org/page/**Downloads > . > > == Highlights in 3.0.2 == > > * WebUI: Change of default value of type of new group back to POSIX. > * Lookup the user SID in external group as well. > * Include sssd-managed domain/realm mapping file managed in krb5.conf. > * Fix potential security error in cookie handling in ipa client tool, > CVE-2012-5631. > > == Upgrading == > > An IPA server can be upgraded simply by installing updated rpms. The > server does not need to be shut down in advance. > > Please note, that the referential integrity extension requires an extended > set of indexes to be configured. RPM update for an IPA server with a > excessive number of hosts, SUDO or HBAC entries may require several minutes > to finish. > > If you have multiple servers you may upgrade them one at a time. It is > expected that all servers will be upgraded in a relatively short period > (days or weeks not months). They should be able to co-exist peacefully but > new features will not be available on old servers and enrolling a new > client against an old server will result in the SSH keys not being uploaded. > > Downgrading a server once upgraded is not supported. > > Upgrading from 2.2.0 is supported. Upgrading from previous versions is not > supported and has not been tested. > > An enrolled client does not need the new packages installed unless you > want to re-enroll it. 
SSH keys for already installed clients are not > uploaded, you will have to re-enroll the client or manually upload the keys. > > == Feedback == > > Please provide comments, bugs and other feedback via the freeipa-devel > mailing list: http://www.redhat.com/mailman/**listinfo/freeipa-devel > > == Detailed Changelog since 3.0.1 == > > Alexander Bokovoy (3): > * ipasam: better Kerberos error handling in ipasam > * trusts: replace use of python-crypto by m2crypto > * Propagate kinit errors with trust account > > Jakub Hrozek (4): > * Make enabling the autofs service more robust > * ipachangeconf: allow specifying non-default delimeter for options > * Specify includedir in krb5.conf on new installs > * Add the includedir to krb5.conf on upgrades > > John Dennis (1): > * Compliant client side session cookie behavior > > Lubomir Rintel (1): > * Drop unused readline import > > Martin Kosek (5): > * Prepare spec file for Fedora 18 > * Filter suffix in replication management tools > * Change network configuration file > * Improve ipa-replica-prepare error message > * Fix sshd feature check > > Petr Viktorin (2): > * Provide explicit user name for Dogtag installation scripts > * Add Lubomir Rintel to Contributors.txt > > Petr Vobornik (4): > * WebUI: Change of default value of type of new group back to POSIX > * Editable sshkey, mac address field after upgrade > * Better licensing information of 3rd party code > * Better error message for login of users from other realms > > Rob Crittenden (5): > * Honor the kdb options disabling KDC writes in ipa_lockout plugin > * Only update the list of running services in the installer or ipactl. > * Set min for selinux-policy to 3.11.1-60 > * Reorder XML-RPC initialization in ipa-join to avoid segfault. 
> * Become IPA 3.0.2 > > Simo Sorce (1): > * MS-PAC: Special case NFS services > > Sumit Bose (3): > * Lookup the user SID in external group as well > * Restart sssd after authconfig update > * Do not recommend how to configure DNS in error message > > Tomas Babej (1): > * Add detection for users from trusted/invalid realms > > ______________________________**_________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/**mailman/listinfo/freeipa-users > -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Wed Dec 12 15:32:27 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 12 Dec 2012 16:32:27 +0100 Subject: [Freeipa-devel] [PATCH 0021] Forbid overlapping rid ranges for the same id range In-Reply-To: <508A9378.60208@redhat.com> References: <508A9378.60208@redhat.com> Message-ID: <50C8A38B.8040401@redhat.com> On 10/26/2012 03:43 PM, Tomas Babej wrote: > Hi, > > creating an id range with overlapping primary and secondary > rid range using idrange-add or idrange-mod command now > raises ValidationError. Unit tests have been added to > test_range_plugin.py. > > https://fedorahosted.org/freeipa/ticket/3171 > > Tomas > 1) Add command can cause crash: # ipa idrange-add range9 --base-id=1000 --rid-base=1000 --secondary-rid-base= --range-size 1000 ipa: ERROR: an internal error has occurred 2) I don't like this construct very much: updated_values = dict(zip(rid_range_attributes,[None]*3)) This would look better, IMO: updated_values = dict((attr, None) for attr in rid_range_attributes) Why do you need this dict pre-created anyway? You overwrite all keys here: + for attr in rid_range_attributes: + if attr in entry_attrs: + updated_values[attr] = entry_attrs[attr] + else: + updated_values[attr] = int(old_attrs[attr][0]) 3) [nitpick] We don't end ValidationError with '.': + raise errors.ValidationError(name='ID Range setup', + error=_("Primary rid range and secondary rid range"\ + " cannot overlap.")) There is also a duplication of the same error message... 4) The -mod operation will also crash: # ipa idrange-add range9 --base-id=1000 --rid-base=1000 --secondary-rid-base=2000 --range-size 1000 # ipa idrange-mod range9 --secondary-rid-base= ipa: ERROR: an internal error has occurred Martin From rcritten at redhat.com Thu Dec 13 05:01:36 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 13 Dec 2012 00:01:36 -0500 Subject: [Freeipa-devel] [PATCH] 1078 own ca_serialno Message-ID: <50C96130.5050300@redhat.com> We don't currently include the ca_serialno file in our spec file. This can generate an SELinux warning upon fresh install because we try to set context on a non-existent file. This creates an empty file on rpm install so the file can be owned by the spec. I also updated the selfsign serial number code to deal with an existing but empty file. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-1078-serialno.patch Type: text/x-patch Size: 2455 bytes Desc: not available URL: From pviktori at redhat.com Thu Dec 13 08:48:41 2012 From: pviktori at redhat.com (Petr Viktorin) Date: Thu, 13 Dec 2012 09:48:41 +0100 Subject: [Freeipa-devel] [PATCH 0021] Forbid overlapping rid ranges for the same id range In-Reply-To: <50C8A38B.8040401@redhat.com> References: <508A9378.60208@redhat.com> <50C8A38B.8040401@redhat.com> Message-ID: <50C99669.6070000@redhat.com> On 12/12/2012 04:32 PM, Martin Kosek wrote: [...] > 2) I don't like this construct very much: > > updated_values = dict(zip(rid_range_attributes,[None]*3)) > > This would look better, IMO: > updated_values = dict((attr, None) for attr in rid_range_attributes) Or just `dict.fromkeys(rid_range_attributes)` (but see below) > Why do you need this dict pre-created anyway? You overwrite all keys here: > > + for attr in rid_range_attributes: > + if attr in entry_attrs: > + updated_values[attr] = entry_attrs[attr] > + else: > + updated_values[attr] = int(old_attrs[attr][0]) > > -- Petr³ From pviktori at redhat.com Thu Dec 13 09:59:37 2012
From: pviktori at redhat.com (Petr Viktorin) Date: Thu, 13 Dec 2012 10:59:37 +0100 Subject: [Freeipa-devel] [PATCHES] 0104-0106 Provide means of displaying warning and informational messages on clients Message-ID: <50C9A709.8070806@redhat.com> It's time to give this to another set of eyes :) Design document: http://freeipa.org/page/V3/Messages Ticket: https://fedorahosted.org/freeipa/ticket/2732 More info is in commit messages. Because of https://fedorahosted.org/freeipa/ticket/3294, I needed to change the design document: when the client doesn't send the API version, it is assumed it's at a version before capabilities were introduced (i.e. 2.47). The client still gets a warning if the version is missing. Except for those commands where IPA didn't send a version -- ping, cert-show, etc. -- the warning wouldn't pass validation on old clients. (I'm assuming that our client is so far the only one that validates so strictly.) -- Petr³ -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0104-Add-the-version-option-to-all-Commands.patch Type: text/x-patch Size: 68089 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0105-Add-ipalib.messages.patch Type: text/x-patch Size: 17098 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0106-Add-client-capabilities-enable-messages.patch Type: text/x-patch Size: 20533 bytes Desc: not available URL: From tbabej at redhat.com Thu Dec 13 10:52:00 2012
From: tbabej at redhat.com (Tomas Babej) Date: Thu, 13 Dec 2012 11:52:00 +0100 Subject: [Freeipa-devel] [PATCH 0021] Forbid overlapping rid ranges for the same id range In-Reply-To: <50C8A38B.8040401@redhat.com> References: <508A9378.60208@redhat.com> <50C8A38B.8040401@redhat.com> Message-ID: <50C9B350.7010207@redhat.com> On 12/12/2012 04:32 PM, Martin Kosek wrote: > On 10/26/2012 03:43 PM, Tomas Babej wrote: >> Hi, >> >> creating an id range with overlapping primary and secondary >> rid range using idrange-add or idrange-mod command now >> raises ValidationError. Unit tests have been added to >> test_range_plugin.py. >> >> https://fedorahosted.org/freeipa/ticket/3171 >> >> Tomas >> > 1) Add command can cause crash: > > # ipa idrange-add range9 --base-id=1000 --rid-base=1000 --secondary-rid-base= > --range-size 1000 > ipa: ERROR: an internal error has occurred > > 2) I don't like this construct very much: > > updated_values = dict(zip(rid_range_attributes,[None]*3)) > > This would look better, IMO: > updated_values = dict((attr, None) for attr in rid_range_attributes) > > Why do you need this dict pre-created anyway? You overwrite all keys here: > > + for attr in rid_range_attributes: > + if attr in entry_attrs: > + updated_values[attr] = entry_attrs[attr] > + else: > + updated_values[attr] = int(old_attrs[attr][0]) > > > 3) [nitpick] We don't end ValidationError with '.': > > + raise errors.ValidationError(name='ID Range setup', > + error=_("Primary rid range and secondary rid range"\ > + " cannot overlap.")) > > There is also a duplication of the same error message... > > 4) The -mod operation will also crash: > > # ipa idrange-add range9 --base-id=1000 --rid-base=1000 > --secondary-rid-base=2000 --range-size 1000 > # ipa idrange-mod range9 --secondary-rid-base= > ipa: ERROR: an internal error has occurred > > Martin New patch version as well as diff between patch versions (for your convenience) attached. 
Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0021-2-Forbid-overlapping-rid-ranges-for-the-same-id-range.patch Type: text/x-patch Size: 11163 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0021-1to2.diff Type: text/x-patch Size: 6273 bytes Desc: not available URL: From pviktori at redhat.com Thu Dec 13 12:12:21 2012 From: pviktori at redhat.com (Petr Viktorin) Date: Thu, 13 Dec 2012 13:12:21 +0100 Subject: [Freeipa-devel] [PATCH] 1078 own ca_serialno In-Reply-To: <50C96130.5050300@redhat.com> References: <50C96130.5050300@redhat.com> Message-ID: <50C9C625.1090907@redhat.com> On 12/13/2012 06:01 AM, Rob Crittenden wrote: > We don't currently include the ca_serialno file in our spec file. This > can generate an SELinux warning upon fresh install because we try to set > context on a non-existent file. > > This creates an empty file on rpm install so the file can be owned by > the spec. > > I also updated the selfsign serial number code to deal with an existing > but empty file. > > rob > I couldn't reproduce the error, but I noticed you've left out the percent sign in %attr: > --- a/freeipa.spec.in > +++ b/freeipa.spec.in [...] > @@ -660,6 +662,7 @@ fi > %attr(755,root,root) %{plugin_dir}/libipa_cldap.so > %attr(755,root,root) %{plugin_dir}/libipa_range_check.so > %dir %{_localstatedir}/lib/ipa > +attr(600,root,root) %config(noreplace) %{_localstatedir}/lib/ipa/ca_serialno RPM build errors: File must begin with "/": attr(600,root,root) -- Petr³ From rcritten at redhat.com Thu Dec 13 13:47:03 2012
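Review bot: in the freeipa.spec.in hunk the added line lacks the leading percent sign on `attr(600,root,root)`, which is exactly why rpmbuild reports "File must begin with "/"" as quoted; it needs to read `%attr(600,root,root) %config(noreplace) %{_localstatedir}/lib/ipa/ca_serialno`. Beyond the typo, shipping an empty ca_serialno as `%config(noreplace)` means every upgrade finds the on-disk copy modified (it holds the live serial number) and leaves an empty ca_serialno.rpmnew beside it; `%ghost` is the usual way to let the package own, label and restore context on a file that is only ever written at runtime, without shipping content or producing .rpmnew files.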
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 13 Dec 2012 08:47:03 -0500 Subject: [Freeipa-devel] [PATCH] 1078 own ca_serialno In-Reply-To: <50C9C625.1090907@redhat.com> References: <50C96130.5050300@redhat.com> <50C9C625.1090907@redhat.com> Message-ID: <50C9DC57.2090504@redhat.com> Petr Viktorin wrote: > On 12/13/2012 06:01 AM, Rob Crittenden wrote: >> We don't currently include the ca_serialno file in our spec file. This >> can generate an SELinux warning upon fresh install because we try to set >> context on a non-existent file. >> >> This creates an empty file on rpm install so the file can be owned by >> the spec. >> >> I also updated the selfsign serial number code to deal with an existing >> but empty file. >> >> rob >> > > I couldn't reproduce the error, but I noticed you've left out the > percent sign in %attr: It was reported against RHEL systems, so perhaps the SELinux (or rpm) in Fedora suppresses this message. >> --- a/freeipa.spec.in >> +++ b/freeipa.spec.in > [...] >> @@ -660,6 +662,7 @@ fi >> %attr(755,root,root) %{plugin_dir}/libipa_cldap.so >> %attr(755,root,root) %{plugin_dir}/libipa_range_check.so >> %dir %{_localstatedir}/lib/ipa >> +attr(600,root,root) %config(noreplace) >> %{_localstatedir}/lib/ipa/ca_serialno > > RPM build errors: > File must begin with "/": attr(600,root,root) > > D'oh. I had tested this in RHEL and cut-n-pasted the fix upstream. Fixed. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-1078-2-serialno.patch Type: text/x-patch Size: 2456 bytes Desc: not available URL: From mkosek at redhat.com Thu Dec 13 13:48:33 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 13 Dec 2012 14:48:33 +0100 Subject: [Freeipa-devel] [PATCH 0021] Forbid overlapping rid ranges for the same id range In-Reply-To: <50C9B350.7010207@redhat.com> References: <508A9378.60208@redhat.com> <50C8A38B.8040401@redhat.com> <50C9B350.7010207@redhat.com> Message-ID: <50C9DCB1.8060808@redhat.com> On 12/13/2012 11:52 AM, Tomas Babej wrote: > On 12/12/2012 04:32 PM, Martin Kosek wrote: >> On 10/26/2012 03:43 PM, Tomas Babej wrote: >>> Hi, >>> >>> creating an id range with overlapping primary and secondary >>> rid range using idrange-add or idrange-mod command now >>> raises ValidationError. Unit tests have been added to >>> test_range_plugin.py. >>> >>> https://fedorahosted.org/freeipa/ticket/3171 >>> >>> Tomas >>> >> 1) Add command can cause crash: >> >> # ipa idrange-add range9 --base-id=1000 --rid-base=1000 --secondary-rid-base= >> --range-size 1000 >> ipa: ERROR: an internal error has occurred >> >> 2) I don't like this construct very much: >> >> updated_values = dict(zip(rid_range_attributes,[None]*3)) >> >> This would look better, IMO: >> updated_values = dict((attr, None) for attr in rid_range_attributes) >> >> Why do you need this dict pre-created anyway? You overwrite all keys here: >> >> + for attr in rid_range_attributes: >> + if attr in entry_attrs: >> + updated_values[attr] = entry_attrs[attr] >> + else: >> + updated_values[attr] = int(old_attrs[attr][0]) >> >> >> 3) [nitpick] We don't end ValidationError with '.': >> >> + raise errors.ValidationError(name='ID Range setup', >> + error=_("Primary rid range and secondary rid range"\ >> + " cannot overlap.")) >> >> There is also a duplication of the same error message... 
>> >> 4) The -mod operation will also crash: >> >> # ipa idrange-add range9 --base-id=1000 --rid-base=1000 >> --secondary-rid-base=2000 --range-size 1000 >> # ipa idrange-mod range9 --secondary-rid-base= >> ipa: ERROR: an internal error has occurred >> >> Martin > > New patch version as well as diff between > patch versions (for your convenience) attached. > > Tomas 1) You introduced mixed spaces and tabs - Python gods do not like that! 2) This is a nitpick, but there are too many redundant parens and brackets in this statement: + if(any([attr is None for attr in [rid_base,secondary_rid_base, size]])): + return False This would look nicer and would not create an unnecessary list: + if any(attr is None for attr in (rid_base, secondary_rid_base, size)): + return False 3) Another construct I did not like very much: + is_set = lambda x : (x in entry_attrs) and not (x is None) a) "x is not None" reads better than "not (x is None)" b) I would rather replace all is_set lambdas with use of "if entry_attrs.get('attribute')" which is also used in other places in ipalib 4) I see a suspicious check + if (is_set('ipasecondarybaserid') != is_set('ipabaserid')): I thought that ipasecondarybaserid is optional. With your change it is not: # ipa idrange-add range9 --base-id=1000 --rid-base=1000 --range-size 1000 ipa: ERROR: invalid 'ID Range setup': Options secondary_rid_base and rid_base must be used together It is also quite an ugly condition, I would do something like: if entry_attrs.get('ipasecondarybaserid') and not entry_attrs.get('ipabaserid'): ...
raise error 5) I would not create a list when it is not necessary, a tuple is more efficient I think: + rid_range_attributes = ['ipabaserid','ipasecondarybaserid','ipaidrangesize'] 6) If we want to check that a user does not create a secondary RID range without a primary RID range, we should also do it in the -mod operation: # ipa idrange-mod range9 --rid-base= -------------------------- Modified ID range "range9" -------------------------- Range name: range9 First Posix ID of the range: 1000 Number of IDs in the range: 1000 First RID of the secondary RID range: 2000 Range type: local domain range 7) I am sorry I did not come up with this in my previous review, but I have one more nitpick for the error message: + error=_("Primary rid range and secondary rid range"\ + " cannot overlap")) I would do s/rid/RID/ as we also refer to it as RID in our help... Martin From atkac at redhat.com Thu Dec 13 14:07:40 2012
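An added example, not FreeIPA's idrange plugin, of the validation the two reviews above ask for: the overlap test between the primary and secondary RID ranges, the None handling for an empty --secondary-rid-base= (the crash in items 1 and 4), the merge of command options with the stored entry for -mod, and the rule that a secondary range requires a primary one (item 6). The LDAP attribute names are the ones quoted in the thread; the function names, the ValidationError stand-in and the second error text are assumptions.

```python
# Added example (not FreeIPA code): consistency checks for an ID range's
# primary and secondary RID ranges, modelled on the idrange-add/-mod review
# above. Attribute names follow the thread; helper names are assumptions.

RID_RANGE_ATTRIBUTES = ('ipabaserid', 'ipasecondarybaserid', 'ipaidrangesize')


class ValidationError(ValueError):
    """Stand-in for ipalib's errors.ValidationError(name=..., error=...)."""

    def __init__(self, name, error):
        super().__init__("invalid '%s': %s" % (name, error))
        self.name = name
        self.error = error


def rid_ranges_overlap(rid_base, secondary_rid_base, size):
    """True if [rid_base, rid_base+size) meets [secondary, secondary+size).

    Any unset value (None, e.g. from an empty --secondary-rid-base=) means
    there is nothing to compare, so the check returns False instead of
    crashing on arithmetic with None.
    """
    if any(attr is None for attr in (rid_base, secondary_rid_base, size)):
        return False
    if size <= 0:
        return False
    # Two half-open intervals of equal length intersect iff each starts
    # before the other one ends.
    return (rid_base < secondary_rid_base + size
            and secondary_rid_base < rid_base + size)


def _merged_rid_values(entry_attrs, old_attrs=None):
    """Combine the values given on the command line with the stored entry.

    entry_attrs: attributes passed to idrange-add/-mod; an option given
                 with an empty value arrives as None and unsets the attribute.
    old_attrs:   the LDAP entry as stored (values are lists of strings),
                 or None for idrange-add where nothing is stored yet.
    """
    values = {}
    for attr in RID_RANGE_ATTRIBUTES:
        if attr in entry_attrs:
            values[attr] = entry_attrs[attr]
        elif old_attrs and old_attrs.get(attr):
            values[attr] = int(old_attrs[attr][0])
        else:
            values[attr] = None
    return values


def validate_rid_ranges(entry_attrs, old_attrs=None):
    """Raise ValidationError on an inconsistent RID setup; return merged values."""
    values = _merged_rid_values(entry_attrs, old_attrs)
    rid_base = values['ipabaserid']
    secondary = values['ipasecondarybaserid']
    size = values['ipaidrangesize']

    # A secondary RID range without a primary one is rejected, for -add and
    # -mod alike; a primary range alone stays allowed (secondary is optional).
    if secondary is not None and rid_base is None:
        raise ValidationError(
            name='ID Range setup',
            error="Option secondary_rid_base requires rid_base")

    if rid_ranges_overlap(rid_base, secondary, size):
        raise ValidationError(
            name='ID Range setup',
            error="Primary RID range and secondary RID range cannot overlap")
    return values
```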
From: atkac at redhat.com (Adam Tkac) Date: Thu, 13 Dec 2012 15:07:40 +0100 Subject: [Freeipa-devel] [PATCH 0098] Log failures detected in CHECK() macro In-Reply-To: <50BDEB87.6080108@redhat.com> References: <50AB8951.5000604@redhat.com> <20121122130541.GF2159@redhat.com> <50BDEB87.6080108@redhat.com> Message-ID: <20121213140739.GA26267@redhat.com> On Tue, Dec 04, 2012 at 01:24:39PM +0100, Petr Spacek wrote: > On 11/22/2012 02:05 PM, Adam Tkac wrote: > >On Tue, Nov 20, 2012 at 02:44:49PM +0100, Petr Spacek wrote: > >>Hello, > >> > >> Log failures detected in CHECK() macro. > >> > >> Function ldap_query() can return ISC_R_NOTFOUND legitimately. > >> For this and similar cases CHECK_CONDLOG macro was introduced. > >> It will not log if result != ISC_R_SUCCESS but == ignored_code. > >> Nested condition will be eliminated by optimizing compiler > >> in cases where ignored_code == ISC_R_SUCCESS. > >> > >> Function add_soa_record() is now called only for zones to prevent > >> false error messages. > > > >Nack. > > > >I don't like the second part of the patch much, it adds a huge amount of logging > >and now we will log every error twice because we already log errors explicitly. > > > >In my opinion better will be to add new configuration option, for example > >"debug", and with this option we can emit log messages from CHECK macros (I > >haven't thought about implementation details, yet). Otherwise we should avoid > >logging because it's useless to log all errors, they are expected in a production > >environment. > > > >I also don't like CHECK_CONDLOG macro, it's not intuitive and with it we can end > >with so called spaghetti code... As I wrote above I would log every CHECK > >failure with debugging on. > > > >However the first part of the patch is fine (the add_soa_record part). > Ok, reworked patch is attached. Logging is enabled only if > configuration option 'verbose_checks yes' is present.
I > decommissioned CHECK_CONDLOG(), so each request for non-existing > record will log failure: not found (when verbose mode is enabled). This looks fine for me. In future we might consider to add some rate-limiting patch for log_error_position() calls because in production environment debug log can be too huge but this is not blocker for the patch. Ack Regards, Adam > From 0efaa684d8c536805762d9a835897889cac87d25 Mon Sep 17 00:00:00 2001 > From: Petr Spacek > Date: Tue, 4 Dec 2012 13:12:53 +0100 > Subject: [PATCH] Add option to log all failures detected in CHECK() macro. > > Logging will be enabled if 'verbose_checks' option is set to 'yes'. > > Function add_soa_record() is now called only for zones to prevent > false error messages. > > Signed-off-by: Petr Spacek > --- > src/ldap_helper.c | 7 +++---- > src/settings.c | 1 + > src/util.h | 15 +++++++-------- > src/zone_manager.c | 2 ++ > 4 files changed, 13 insertions(+), 12 deletions(-) > > diff --git a/src/ldap_helper.c b/src/ldap_helper.c > index 7d1febb68a4773d4e1127e8135d30fd855ded6a6..436985247803240f9ec4f2c3e5118adf8466beec 100644 > --- a/src/ldap_helper.c > +++ b/src/ldap_helper.c > @@ -1694,10 +1694,9 @@ ldap_parse_rrentry(isc_mem_t *mctx, ldap_entry_t *entry, > const char *dn = ""; > const char *data = ""; > > - result = add_soa_record(mctx, qresult, origin, entry, > - rdatalist, fake_mname); > - if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) > - goto cleanup; > + if ((ldap_entry_getclass(entry) & LDAP_ENTRYCLASS_ZONE) != 0) > + CHECK(add_soa_record(mctx, qresult, origin, entry, > + rdatalist, fake_mname)); > > rdclass = ldap_entry_getrdclass(entry); > ttl = ldap_entry_getttl(entry); > diff --git a/src/settings.c b/src/settings.c > index 25578ce2687bf12e3a2d387caf0b26ed1a3083b6..08164766172f5f915584ae51b43e3d64798eed71 100644 > --- a/src/settings.c > +++ b/src/settings.c 
> @@ -32,6 +32,7 @@ > #include "util.h" > #include "types.h" > > +isc_boolean_t verbose_checks = ISC_FALSE; /* log each failure in CHECK() macro */ > > /* > * Forward declarations. > diff --git a/src/util.h b/src/util.h > index c61f4e7a4930717cfd7729caa2c2f36854d1903f..d6d3c73e6d25657805eee904e6047c542e52a656 100644 > --- a/src/util.h > +++ b/src/util.h > @@ -21,6 +21,8 @@ > #ifndef _LD_UTIL_H_ > #define _LD_UTIL_H_ > > +extern isc_boolean_t verbose_checks; /* from settings.c */ > + > #include "log.h" > > #define CLEANUP_WITH(result_code) \ > @@ -32,15 +34,12 @@ > #define CHECK(op) \ > do { \ > result = (op); \ > - if (result != ISC_R_SUCCESS) \ > + if (result != ISC_R_SUCCESS) { \ > + if (verbose_checks == ISC_TRUE) \ > + log_error_position("check failed: %s", \ > + dns_result_totext(result)); \ > goto cleanup; \ > - } while (0) > - > -#define CHECK_NEXT(op) \ > - do { \ > - result = (op); \ > - if (result != ISC_R_SUCCESS) \ > - goto next; \ > + } \ > } while (0) > > #define CHECKED_MEM_ALLOCATE(m, target_ptr, s) \ > diff --git a/src/zone_manager.c b/src/zone_manager.c > index 08ef91907a35564520b8ccb8d9993b49fc88a391..c19c3b6c91ff8114fcb15eacba0f74ec46047986 100644 > --- a/src/zone_manager.c > +++ b/src/zone_manager.c > @@ -121,6 +121,7 @@ manager_create_db_instance(isc_mem_t *mctx, const char *name, > setting_t manager_settings[] = { > { "zone_refresh", default_uint(0) }, > { "psearch", default_boolean(0) }, > + { "verbose_checks", default_boolean(0) }, > end_of_settings > }; > > @@ -139,6 +140,7 @@ manager_create_db_instance(isc_mem_t *mctx, const char *name, > /* Parse settings. */ > manager_settings[0].target = &zone_refresh; > manager_settings[1].target = &psearch; > + manager_settings[2].target = &verbose_checks; /* global variable */ > CHECK(set_settings(manager_settings, argv)); > > CHECKED_MEM_GET_PTR(mctx, db_inst); > -- > 1.7.11.7 > -- Adam Tkac, Red Hat, Inc. From atkac at redhat.com Thu Dec 13 14:17:53 2012 
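Review bot: the src/ldap_helper.c hunk silently drops the ISC_R_NOTFOUND tolerance. The removed lines continued when add_soa_record() returned ISC_R_NOTFOUND; the replacement `CHECK(add_soa_record(...))` jumps to cleanup on any non-success result, so an LDAP_ENTRYCLASS_ZONE entry without an SOA now fails the whole ldap_parse_rrentry() call instead of being parsed without it. The commit message only says the call is restricted to zones to prevent false error messages; if a zone entry can still legitimately lack an SOA, keep the explicit NOTFOUND test inside the new `if`, otherwise state in the commit message that a zone entry is guaranteed to yield one. Braces around the `if` body would also help: it works only because CHECK() expands to a single do/while statement.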
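Review bot: in the first src/util.h hunk the new `extern isc_boolean_t verbose_checks;` is placed above `#include "log.h"`, so it relies on isc_boolean_t having been declared by some include that precedes util.h in each translation unit, which the hunk does not show. Move the declaration below the includes, or include the ISC header that defines isc_boolean_t immediately before it, so util.h compiles on its own regardless of include order in its users.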
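Review bot: the second src/util.h hunk removes the CHECK_NEXT() macro in addition to extending CHECK(), but the commit message mentions only the logging; any remaining CHECK_NEXT() caller becomes a compile error, so either state the removal in the message or split it into its own commit. On the logging itself, `log_error_position("check failed: %s", dns_result_totext(result))` now fires on every failed CHECK() while verbose_checks is set, including ISC_R_NOTFOUND results that the earlier round of this thread called legitimate for ldap_query(); that is the log-volume concern already raised above, and logging these at a debug level rather than as errors would keep a production log readable if the option is left on.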
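Review bot: in the src/zone_manager.c hunk a per-instance setting writes a process-wide global: manager_settings is parsed in manager_create_db_instance() for each database instance, yet `manager_settings[2].target = &verbose_checks` points every instance at the same variable, so with two instances the one parsed last decides logging for both (the `/* global variable */` comment acknowledges this but nothing documents it for users). Either document that `verbose_checks` applies to all instances or keep it per instance. Addressing the table by position (`[2]`) is also fragile; it silently breaks if the settings table is reordered, so a lookup by name would be safer.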
From: atkac at redhat.com (Adam Tkac) Date: Thu, 13 Dec 2012 15:17:53 +0100 Subject: [Freeipa-devel] [PATCH 101] Fix error handling in ldap_entry_create() In-Reply-To: <50ADE8AC.2090006@redhat.com> References: <50ACED69.7030702@redhat.com> <50ACFB70.7070009@redhat.com> <50ADE8AC.2090006@redhat.com> Message-ID: <20121213141752.GA26455@redhat.com> On Thu, Nov 22, 2012 at 09:56:12AM +0100, Petr Spacek wrote: > Hello, > > apparently I was very tired yesterday ... Cleaned version of the > patch is attached. > > Petr^2 Spacek > > On 11/21/2012 05:04 PM, Petr Spacek wrote: > >Hello, > > > >fixed fix is attached. Clang found bug in the fix but I didn't notice that > >because of other warnings ... > > > >On 11/21/2012 04:04 PM, Petr Spacek wrote: > >>Hello, > >> > >>I noticed this problem during investigation of dead code found by Clang. > >> > >> Fix error handling in ldap_entry_create(). > >> > >> Jump to cleanup section after first memory allocation created memory leak > >> which crashed BIND on reload. > >> > >> Missing return value check after ldap_get_dn() call can lead to crash. Ack > From eddb9db446610e79e4852b15cb2be420090364b7 Mon Sep 17 00:00:00 2001 > From: Petr Spacek > Date: Wed, 21 Nov 2012 15:53:28 +0100 > Subject: [PATCH] Fix error handling in ldap_entry_create(). > > Jump to cleanup section after first memory allocation created memory leak > which crashed BIND on reload. > > Missing return value check after ldap_get_dn() call can lead to crash. > > Signed-off-by: Petr Spacek > --- > src/ldap_entry.c | 26 ++++++++++++++++---------- > 1 file changed, 16 insertions(+), 10 deletions(-) > > diff --git a/src/ldap_entry.c b/src/ldap_entry.c > index 9436b895913b2eb1a711d9343e43e695ea7e6ae4..7d8b29bd0f1206df6b4fcdcdb08c4c9e82630527 100644 > --- a/src/ldap_entry.c > +++ b/src/ldap_entry.c 
> @@ -183,9 +183,9 @@ ldap_entry_create(isc_mem_t *mctx, LDAP *ld, LDAPMessage *ldap_entry, > ldap_entry_t **entryp) > { > isc_result_t result; > - ldap_attribute_t *attr; > + ldap_attribute_t *attr = NULL; > char *attribute; > - BerElement *ber; > + BerElement *ber = NULL; > ldap_entry_t *entry = NULL; > > REQUIRE(ld != NULL); > @@ -213,19 +213,25 @@ ldap_entry_create(isc_mem_t *mctx, LDAP *ld, LDAPMessage *ldap_entry, > > APPEND(entry->attrs, attr, link); > } > + attr = NULL; > > entry->dn = ldap_get_dn(ld, ldap_entry); > + if (entry->dn == NULL) { > + log_ldap_error(ld); > + CLEANUP_WITH(ISC_R_FAILURE); > + } > > + *entryp = entry; > + > +cleanup: > if (ber != NULL) > ber_free(ber, 0); > - > - *entryp = entry; > - > - return ISC_R_SUCCESS; > - > -cleanup: > - if (entry != NULL) > - ldap_attributelist_destroy(mctx, &entry->attrs); > + if (result != ISC_R_SUCCESS) { > + if (entry != NULL) > + ldap_attributelist_destroy(mctx, &entry->attrs); > + SAFE_MEM_PUT_PTR(mctx, entry); > + SAFE_MEM_PUT_PTR(mctx, attr); > + } > > return result; > } > -- > 1.7.11.7 > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Adam Tkac, Red Hat, Inc. From atkac at redhat.com Thu Dec 13 14:21:22 2012 From: atkac at redhat.com (Adam Tkac) Date: Thu, 13 Dec 2012 15:21:22 +0100 Subject: [Freeipa-devel] [PATCH 0106] Fix error handling for initial zone refresh in persistent search In-Reply-To: <50AE2EE7.8030206@redhat.com> References: <50AE2EE7.8030206@redhat.com> Message-ID: <20121213142122.GA26714@redhat.com> On Thu, Nov 22, 2012 at 02:55:51PM +0100, Petr Spacek wrote: > Hello, > > Fix error handling for initial zone refresh in persistent search. > > Old code terminates watcher thread in case of error. Now initial lookup > is restarted after reconnect_interval seconds. Ack > From 99a820736eab9ad597b193fe504ca965263b6655 Mon Sep 17 00:00:00 2001 
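Review bot: in the second ldap_entry.c hunk, the success path now falls through to `cleanup:` and returns `result`, yet nothing in the visible lines sets `result = ISC_R_SUCCESS` on that path; `result` is declared uninitialized at the top of the function and only holds ISC_R_SUCCESS if the last CHECK() in the attribute loop actually ran. Add an explicit `result = ISC_R_SUCCESS;` before `*entryp = entry;` so the function can neither return garbage nor take the failure branch and free a valid entry when the loop body does not execute.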
> From: Petr Spacek > Date: Thu, 22 Nov 2012 14:52:08 +0100 > Subject: [PATCH] Fix error handling for initial zone refresh in persistent > search. > > Old code terminates watcher thread in case of error. Now initial lookup > is restarted after reconnect_interval seconds. > > Signed-off-by: Petr Spacek > --- > src/ldap_helper.c | 22 +++++++++++++++++++--- > 1 file changed, 19 insertions(+), 3 deletions(-) > > diff --git a/src/ldap_helper.c b/src/ldap_helper.c > index 57235de7da158b7a05de9e35fff2cdaaff74276c..28b2eb45c116572d76fefcfb9f5c1fba5411dc12 100644 > --- a/src/ldap_helper.c > +++ b/src/ldap_helper.c > @@ -3757,6 +3757,7 @@ ldap_psearch_watcher(isc_threadarg_t arg) > > restart: > /* Perform initial lookup */ > + ldap_query_free(ISC_TRUE, &ldap_qresult); > flush_required = ISC_TRUE; > if (inst->psearch) { > log_debug(1, "Sending initial psearch lookup"); 
> @@ -3794,15 +3795,30 @@ restart: > if (!sane_sleep(inst, inst->reconnect_interval)) > goto cleanup; > } > - ldap_query_free(ISC_TRUE, &ldap_qresult); > goto restart; > } else if (flush_required == ISC_TRUE) { > + isc_boolean_t restart_needed = ISC_FALSE; > /* First LDAP result after (re)start was received successfully: > * Unload old zones and flush record cache. > * We want to save cache in case of search timeout during restart. > */ > - CHECK(refresh_zones_from_ldap(inst, ISC_TRUE)); > - CHECK(flush_ldap_cache(inst->cache)); > + if ((result = refresh_zones_from_ldap(inst, ISC_TRUE)) > + != ISC_R_SUCCESS) { > + log_error_r("zone refresh after initial psearch lookup failed"); > + restart_needed = ISC_TRUE; > + } else if ((result = flush_ldap_cache(inst->cache)) > + != ISC_R_SUCCESS) { > + log_error_r("cache flush after initial psearch lookup failed"); > + restart_needed = ISC_TRUE; > + } > + > + if (restart_needed) { > + if (!sane_sleep(inst, inst->reconnect_interval)) > + goto cleanup; > + > + goto restart; > + } > + > flush_required = ISC_FALSE; > } > > -- > 1.7.11.7 > -- Adam Tkac, Red Hat, Inc. From pviktori at redhat.com Thu Dec 13 14:34:40 2012 
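Review bot: in the first ldap_helper.c hunk, `ldap_query_free(ISC_TRUE, &ldap_qresult);` now runs at the `restart:` label, i.e. also on the very first pass before any query has been issued; that is only safe if `ldap_qresult` is initialized to NULL at its declaration, which the diff does not show. Please confirm the initialization (or guard the call) so the first pass cannot free an indeterminate pointer.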
From: pviktori at redhat.com (Petr Viktorin) Date: Thu, 13 Dec 2012 15:34:40 +0100 Subject: [Freeipa-devel] [PATCH] 1078 own ca_serialno In-Reply-To: <50C9DC57.2090504@redhat.com> References: <50C96130.5050300@redhat.com> <50C9C625.1090907@redhat.com> <50C9DC57.2090504@redhat.com> Message-ID: <50C9E780.9020908@redhat.com> On 12/13/2012 02:47 PM, Rob Crittenden wrote: > Petr Viktorin wrote: >> On 12/13/2012 06:01 AM, Rob Crittenden wrote: >>> We don't currently include the ca_serialno file in our spec file. This >>> can generate an SELinux warning upon fresh install because we try to set >>> context on a non-existent file. >>> >>> This creates an empty file on rpm install so the file can be owned by >>> the spec. >>> >>> I also updated the selfsign serial number code to deal with an existing >>> but empty file. >>> >>> rob >>> >> >> I couldn't reproduce the error, but I noticed you've left out the >> percent sign in %attr: > > It was reported against RHEL systems, so perhaps the SELinux (or rpm) in > Fedora suppresses this message. > >>> --- a/freeipa.spec.in >>> +++ b/freeipa.spec.in >> [...] >>> @@ -660,6 +662,7 @@ fi >>> %attr(755,root,root) %{plugin_dir}/libipa_cldap.so >>> %attr(755,root,root) %{plugin_dir}/libipa_range_check.so >>> %dir %{_localstatedir}/lib/ipa >>> +attr(600,root,root) %config(noreplace) >>> %{_localstatedir}/lib/ipa/ca_serialno >> >> RPM build errors: >> File must begin with "/": attr(600,root,root) >> >> > > D'oh. I had tested this in RHEL and cut-n-pasted the fix upstream. Fixed. > > rob On Fedora this doesn't hurt, ACK. -- Petr³ From mkosek at redhat.com Thu Dec 13 14:38:37 2012
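Review bot: in the freeipa.spec.in hunk, `+attr(600,root,root) %config(noreplace)` is missing the leading `%`, which rpmbuild rejects with the "File must begin with "/"" error quoted in the thread. Once that is fixed, note that `%config(noreplace)` only preserves an on-disk `ca_serialno` across package upgrades; it does nothing for the uninstall case raised later in the thread, where the file is removed and the labeling warning returns, so the uninstall path needs its own handling (truncate rather than delete).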
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 13 Dec 2012 15:38:37 +0100 Subject: [Freeipa-devel] [PATCH] 1078 own ca_serialno In-Reply-To: <50C9E780.9020908@redhat.com> References: <50C96130.5050300@redhat.com> <50C9C625.1090907@redhat.com> <50C9DC57.2090504@redhat.com> <50C9E780.9020908@redhat.com> Message-ID: <50C9E86D.7020102@redhat.com> On 12/13/2012 03:34 PM, Petr Viktorin wrote: > On 12/13/2012 02:47 PM, Rob Crittenden wrote: >> Petr Viktorin wrote: >>> On 12/13/2012 06:01 AM, Rob Crittenden wrote: >>>> We don't currently include the ca_serialno file in our spec file. This >>>> can generate an SELinux warning upon fresh install because we try to set >>>> context on a non-existent file. >>>> >>>> This creates an empty file on rpm install so the file can be owned by >>>> the spec. >>>> >>>> I also updated the selfsign serial number code to deal with an existing >>>> but empty file. >>>> >>>> rob >>>> >>> >>> I couldn't reproduce the error, but I noticed you've left out the >>> percent sign in %attr: >> >> It was reported against RHEL systems, so perhaps the SELinux (or rpm) in >> Fedora suppresses this message. >> >>>> --- a/freeipa.spec.in >>>> +++ b/freeipa.spec.in >>> [...] >>>> @@ -660,6 +662,7 @@ fi >>>> %attr(755,root,root) %{plugin_dir}/libipa_cldap.so >>>> %attr(755,root,root) %{plugin_dir}/libipa_range_check.so >>>> %dir %{_localstatedir}/lib/ipa >>>> +attr(600,root,root) %config(noreplace) >>>> %{_localstatedir}/lib/ipa/ca_serialno >>> >>> RPM build errors: >>> File must begin with "/": attr(600,root,root) >>> >>> >> >> D'oh. I had tested this in RHEL and cut-n-pasted the fix upstream. Fixed. >> >> rob > > On Fedora this doesn't hurt, ACK. > NACK. When FreeIPA gets uninstalled, we end up without this file again. Which would again lead to this warning on upgrades. I think we should rather truncate the file on server uninstall instead of removing it. Martin From pspacek at redhat.com Thu Dec 13 15:11:44 2012 
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 13 Dec 2012 16:11:44 +0100 Subject: [Freeipa-devel] [PATCH 0106] Fix error handling for initial zone refresh in persistent search In-Reply-To: <20121213142122.GA26714@redhat.com> References: <50AE2EE7.8030206@redhat.com> <20121213142122.GA26714@redhat.com> Message-ID: <50C9F030.7020107@redhat.com> On 12/13/2012 03:21 PM, Adam Tkac wrote: > On Thu, Nov 22, 2012 at 02:55:51PM +0100, Petr Spacek wrote: >> >Hello, >> > >> > Fix error handling for initial zone refresh in persistent search. >> > >> > Old code terminates watcher thread in case of error. Now initial lookup >> > is restarted after reconnect_interval seconds. > Ack > Pushed to master and v2: e63d78d977402289ab405c37aa39f8ca6f17bd13 -- Petr^2 Spacek From pspacek at redhat.com Thu Dec 13 15:12:01 2012 
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 13 Dec 2012 16:12:01 +0100 Subject: [Freeipa-devel] [PATCH 101] Fix error handling in ldap_entry_create() In-Reply-To: <20121213141752.GA26455@redhat.com> References: <50ACED69.7030702@redhat.com> <50ACFB70.7070009@redhat.com> <50ADE8AC.2090006@redhat.com> <20121213141752.GA26455@redhat.com> Message-ID: <50C9F041.8080806@redhat.com> On 12/13/2012 03:17 PM, Adam Tkac wrote: > On Thu, Nov 22, 2012 at 09:56:12AM +0100, Petr Spacek wrote: >> >Hello, >> > >> >apparently I was very tired yesterday ... Cleaned version of the >> >patch is attached. >> > >> >Petr^2 Spacek >> > >> >On 11/21/2012 05:04 PM, Petr Spacek wrote: >>> > >Hello, >>> > > >>> > >fixed fix is attached. Clang found bug in the fix but I didn't notice that >>> > >because of other warnings ... >>> > > >>> > >On 11/21/2012 04:04 PM, Petr Spacek wrote: >>>> > >>Hello, >>>> > >> >>>> > >>I noticed this problem during investigation of dead code found by Clang. >>>> > >> >>>> > >> Fix error handling in ldap_entry_create(). >>>> > >> >>>> > >> Jump to cleanup section after first memory allocation created memory leak >>>> > >> which crashed BIND on reload. >>>> > >> >>>> > >> Missing return value check after ldap_get_dn() call can lead to crash. > Ack > Pushed to master and v2: 2727a4b575869c8769c886bf8e2a780bc9f56c6d -- Petr^2 Spacek From simo at redhat.com Thu Dec 13 15:13:52 2012 
From: simo at redhat.com (Simo Sorce) Date: Thu, 13 Dec 2012 10:13:52 -0500 Subject: [Freeipa-devel] [PATCH] 1078 own ca_serialno In-Reply-To: <50C9E86D.7020102@redhat.com> References: <50C96130.5050300@redhat.com> <50C9C625.1090907@redhat.com> <50C9DC57.2090504@redhat.com> <50C9E780.9020908@redhat.com> <50C9E86D.7020102@redhat.com> Message-ID: <1355411632.5073.154.camel@willson.li.ssimo.org> On Thu, 2012-12-13 at 15:38 +0100, Martin Kosek wrote: > On 12/13/2012 03:34 PM, Petr Viktorin wrote: > > On 12/13/2012 02:47 PM, Rob Crittenden wrote: > >> Petr Viktorin wrote: > >>> On 12/13/2012 06:01 AM, Rob Crittenden wrote: > >>>> We don't currently include the ca_serialno file in our spec file. This > >>>> can generate an SELinux warning upon fresh install because we try to set > >>>> context on a non-existent file. > >>>> > >>>> This creates an empty file on rpm install so the file can be owned by > >>>> the spec. > >>>> > >>>> I also updated the selfsign serial number code to deal with an existing > >>>> but empty file. > >>>> > >>>> rob > >>>> > >>> > >>> I couldn't reproduce the error, but I noticed you've left out the > >>> percent sign in %attr: > >> > >> It was reported against RHEL systems, so perhaps the SELinux (or rpm) in > >> Fedora suppresses this message. > >> > >>>> --- a/freeipa.spec.in > >>>> +++ b/freeipa.spec.in > >>> [...] 
> >>>> @@ -660,6 +662,7 @@ fi > >>>> %attr(755,root,root) %{plugin_dir}/libipa_cldap.so > >>>> %attr(755,root,root) %{plugin_dir}/libipa_range_check.so > >>>> %dir %{_localstatedir}/lib/ipa > >>>> +attr(600,root,root) %config(noreplace) > >>>> %{_localstatedir}/lib/ipa/ca_serialno > >>> > >>> RPM build errors: > >>> File must begin with "/": attr(600,root,root) > >>> > >>> > >> > >> D'oh. I had tested this in RHEL and cut-n-pasted the fix upstream. Fixed. > >> > >> rob > > > > On Fedora this doesn't hurt, ACK. > > > > NACK. > > When FreeIPA gets uninstalled, we end up without this file again. Which would > again lead to this warning on upgrades. > > I think we should rather truncate the file on server uninstall instead of > removing it. > Why don't we simply declare it as %ghost and conditionally label it ? I do not really like to have empty files just as an artifact, sounds like the wrong solution, sorry. Simo. -- Simo Sorce * Red Hat, Inc * New York From pspacek at redhat.com Thu Dec 13 15:14:01 2012 
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 13 Dec 2012 16:14:01 +0100 Subject: [Freeipa-devel] [PATCH 0098] Log failures detected in CHECK() macro In-Reply-To: <20121213140739.GA26267@redhat.com> References: <50AB8951.5000604@redhat.com> <20121122130541.GF2159@redhat.com> <50BDEB87.6080108@redhat.com> <20121213140739.GA26267@redhat.com> Message-ID: <50C9F0B9.7090004@redhat.com> On 12/13/2012 03:07 PM, Adam Tkac wrote: > On Tue, Dec 04, 2012 at 01:24:39PM +0100, Petr Spacek wrote: >> >On 11/22/2012 02:05 PM, Adam Tkac wrote: >>> > >On Tue, Nov 20, 2012 at 02:44:49PM +0100, Petr Spacek wrote: >>>> > >>Hello, >>>> > >> >>>> > >> Log failures detected in CHECK() macro. >>>> > >> >>>> > >> Function ldap_query() can return ISC_R_NOTFOUND legitimately. >>>> > >> For this and similar cases CHECK_CONDLOG macro was introduced. >>>> > >> It will not log if result != ISC_R_SUCCESS but == ignored_code. >>>> > >> Nested condition will be eliminated by optimizing compiler >>>> > >> in cases where ignored_code == ISC_R_SUCCESS. >>>> > >> >>>> > >> Function add_soa_record() is now called only for zones to prevent >>>> > >> false error messages. >>> > > >>> > >Nack. >>> > > >>> > >I don't like second part of the patch much, it adds huge amount of logging >>> > >and now we will log every error twice because we already log errors explicitly. >>> > > >>> > >In my opinion better will be to add new configuration option, for example >>> > >"debug", and with this option we can emit log messages from CHECK macros (I >>> > >haven't though about implementation details, yet). Otherwise we should avoid >>> > >logging because it's useless to log all errors, they are expected in production >>> > >environment. >>> > > >>> > >I also don't like CHECK_CONDLOG macro, it's not intuitive and with it we can end >>> > >with so called spaghetti code... As I wrote above I would log every CHECK >>> > >failure with debugging on. 
>>> > > >>> > >However the first part of the patch is fine (the add_soa_record part). >> >Ok, reworked patch is attached. Logging is enabled only if >> >configuration option 'verbose_checks yes' is present. I >> >decommissioned CHECK_CONDLOG(), so each request for non-existing >> >record will log failure: not found (when verbose mode is enabled). > This looks fine to me. In future we might consider adding some rate-limiting > patch for log_error_position() calls because in a production environment debug log > can be too huge but this is not a blocker for the patch. > > Ack I would wait before we hit some really huge log, otherwise it is not worth spending time on it... Pushed to master and v2: 12850de76b6111c97ed7c40d85ddab6ee9fabe57 -- Petr^2 Spacek From pviktori at redhat.com Thu Dec 13 15:21:34 2012
From: pviktori at redhat.com (Petr Viktorin) Date: Thu, 13 Dec 2012 16:21:34 +0100 Subject: [Freeipa-devel] [PATCHES] 0107-0114 Fix Confusing ipa tool online help organization Message-ID: <50C9F27E.50808@redhat.com>

https://fedorahosted.org/freeipa/ticket/3060

Here is a collection of smallish fixes to `ipa help` and `ipa --help`. This should address most of Nikolai's proposal. Additionally, it's now possible to run `ipa --help` without a Kerberos ticket. And there are some new tests.

I've not included the "Often used commands" in `ipa help`; I think that is material for a manual/tutorial, not a help command. Selecting a topic from `ipa topics` and then choosing a command from `ipa help ` is a better way to use the help than the verbose `ipa help commands` or proposed incomplete "Often used commands".

-- Petr³

Attachments (non-text, scrubbed by the list archive; all text/x-patch):
freeipa-pviktori-0107-Improve-ipa-help-output.patch (3365 bytes)
freeipa-pviktori-0108-Print-help-to-stderr-on-error.patch (6952 bytes)
freeipa-pviktori-0109-Store-the-OptionParser-in-the-API-use-it-to-print-un.patch (2930 bytes)
freeipa-pviktori-0110-Simplify-ipa-help-topics-output.patch (1388 bytes)
freeipa-pviktori-0111-Add-command-summary-to-ipa-COMMAND-help-output.patch (1340 bytes)
freeipa-pviktori-0112-Mention-ipa-COMMAND-help-as-the-preferred-way-to-get.patch (1838 bytes)
freeipa-pviktori-0113-Parse-command-arguments-before-creating-a-context.patch (1056 bytes)
freeipa-pviktori-0114-Add-tests-for-the-help-command-help-options.patch (6726 bytes)

From rcritten at redhat.com Thu Dec 13 15:28:28 2012
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 13 Dec 2012 10:28:28 -0500 Subject: [Freeipa-devel] [PATCH] 1078 own ca_serialno In-Reply-To: <1355411632.5073.154.camel@willson.li.ssimo.org> References: <50C96130.5050300@redhat.com> <50C9C625.1090907@redhat.com> <50C9DC57.2090504@redhat.com> <50C9E780.9020908@redhat.com> <50C9E86D.7020102@redhat.com> <1355411632.5073.154.camel@willson.li.ssimo.org> Message-ID: <50C9F41C.2010200@redhat.com> Simo Sorce wrote: > On Thu, 2012-12-13 at 15:38 +0100, Martin Kosek wrote: >> On 12/13/2012 03:34 PM, Petr Viktorin wrote: >>> On 12/13/2012 02:47 PM, Rob Crittenden wrote: >>>> Petr Viktorin wrote: >>>>> On 12/13/2012 06:01 AM, Rob Crittenden wrote: >>>>>> We don't currently include the ca_serialno file in our spec file. This >>>>>> can generate an SELinux warning upon fresh install because we try to set >>>>>> context on a non-existent file. >>>>>> >>>>>> This creates an empty file on rpm install so the file can be owned by >>>>>> the spec. >>>>>> >>>>>> I also updated the selfsign serial number code to deal with an existing >>>>>> but empty file. >>>>>> >>>>>> rob >>>>>> >>>>> >>>>> I couldn't reproduce the error, but I noticed you've left out the >>>>> percent sign in %attr: >>>> >>>> It was reported against RHEL systems, so perhaps the SELinux (or rpm) in >>>> Fedora suppresses this message. >>>> >>>>>> --- a/freeipa.spec.in >>>>>> +++ b/freeipa.spec.in >>>>> [...] 
>>>>>> @@ -660,6 +662,7 @@ fi >>>>>> %attr(755,root,root) %{plugin_dir}/libipa_cldap.so >>>>>> %attr(755,root,root) %{plugin_dir}/libipa_range_check.so >>>>>> %dir %{_localstatedir}/lib/ipa >>>>>> +attr(600,root,root) %config(noreplace) >>>>>> %{_localstatedir}/lib/ipa/ca_serialno >>>>> >>>>> RPM build errors: >>>>> File must begin with "/": attr(600,root,root) >>>>> >>>>> >>>> >>>> D'oh. I had tested this in RHEL and cut-n-pasted the fix upstream. Fixed. >>>> >>>> rob >>> >>> On Fedora this doesn't hurt, ACK. >>> >> >> NACK. >> >> When FreeIPA gets uninstalled, we end up without this file again. Which would >> again lead to this warning on upgrades. >> >> I think we should rather truncate the file on server uninstall instead of >> removing it. >> > > Why don't we simply declare it as %ghost and conditionally label it ? > > I do not really like to have empty files just as an artifact, sounds > like the wrong solution, sorry. > > Simo. > The file has to exist for SELinux to label it. If we ghost it them the package will own it if it exists but the SELinux context will still fail to apply. rob From simo at redhat.com Thu Dec 13 15:41:36 2012 
From: simo at redhat.com (Simo Sorce) Date: Thu, 13 Dec 2012 10:41:36 -0500 Subject: [Freeipa-devel] [PATCH] 1078 own ca_serialno In-Reply-To: <50C9F41C.2010200@redhat.com> References: <50C96130.5050300@redhat.com> <50C9C625.1090907@redhat.com> <50C9DC57.2090504@redhat.com> <50C9E780.9020908@redhat.com> <50C9E86D.7020102@redhat.com> <1355411632.5073.154.camel@willson.li.ssimo.org> <50C9F41C.2010200@redhat.com> Message-ID: <1355413296.5073.156.camel@willson.li.ssimo.org> On Thu, 2012-12-13 at 10:28 -0500, Rob Crittenden wrote: > Simo Sorce wrote: > > On Thu, 2012-12-13 at 15:38 +0100, Martin Kosek wrote: > >> On 12/13/2012 03:34 PM, Petr Viktorin wrote: > >>> On 12/13/2012 02:47 PM, Rob Crittenden wrote: > >>>> Petr Viktorin wrote: > >>>>> On 12/13/2012 06:01 AM, Rob Crittenden wrote: > >>>>>> We don't currently include the ca_serialno file in our spec file. This > >>>>>> can generate an SELinux warning upon fresh install because we try to set > >>>>>> context on a non-existent file. > >>>>>> > >>>>>> This creates an empty file on rpm install so the file can be owned by > >>>>>> the spec. > >>>>>> > >>>>>> I also updated the selfsign serial number code to deal with an existing > >>>>>> but empty file. > >>>>>> > >>>>>> rob > >>>>>> > >>>>> > >>>>> I couldn't reproduce the error, but I noticed you've left out the > >>>>> percent sign in %attr: > >>>> > >>>> It was reported against RHEL systems, so perhaps the SELinux (or rpm) in > >>>> Fedora suppresses this message. > >>>> > >>>>>> --- a/freeipa.spec.in > >>>>>> +++ b/freeipa.spec.in > >>>>> [...] 
> >>>>>> @@ -660,6 +662,7 @@ fi > >>>>>> %attr(755,root,root) %{plugin_dir}/libipa_cldap.so > >>>>>> %attr(755,root,root) %{plugin_dir}/libipa_range_check.so > >>>>>> %dir %{_localstatedir}/lib/ipa > >>>>>> +attr(600,root,root) %config(noreplace) > >>>>>> %{_localstatedir}/lib/ipa/ca_serialno > >>>>> > >>>>> RPM build errors: > >>>>> File must begin with "/": attr(600,root,root) > >>>>> > >>>>> > >>>> > >>>> D'oh. I had tested this in RHEL and cut-n-pasted the fix upstream. Fixed. > >>>> > >>>> rob > >>> > >>> On Fedora this doesn't hurt, ACK. > >>> > >> > >> NACK. > >> > >> When FreeIPA gets uninstalled, we end up without this file again. Which would > >> again lead to this warning on upgrades. > >> > >> I think we should rather truncate the file on server uninstall instead of > >> removing it. > >> > > > > Why don't we simply declare it as %ghost and conditionally label it ? > > > > I do not really like to have empty files just as an artifact, sounds > > like the wrong solution, sorry. > > > > Simo. > > > > The file has to exist for SELinux to label it. If we ghost it them the > package will own it if it exists but the SELinux context will still fail > to apply. We can apply selinux context in ipa-server-install and not in the spec. That's when we need it anyway. Simo. -- Simo Sorce * Red Hat, Inc * New York From mkosek at redhat.com Thu Dec 13 15:43:32 2012 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 13 Dec 2012 16:43:32 +0100 Subject: [Freeipa-devel] [PATCHES] 0104-0106 Provide means of displaying warning and informational messages on clients In-Reply-To: <50C9A709.8070806@redhat.com> References: <50C9A709.8070806@redhat.com> Message-ID: <50C9F7A4.80909@redhat.com>

On 12/13/2012 10:59 AM, Petr Viktorin wrote:
> It's time to give this to another set of eyes :)
>
> Design document: http://freeipa.org/page/V3/Messages
> Ticket: https://fedorahosted.org/freeipa/ticket/2732
>
> More info is in commit messages.
>
>
> Because of https://fedorahosted.org/freeipa/ticket/3294, I needed to change the
> design document: when the client doesn't send the API version, it is assumed
> it's at a version before capabilities were introduced (i.e. 2.47).
> The client still gets a warning if the version is missing. Except for those
> commands where IPA didn't send a version -- ping, cert-show, etc. -- the
> warning wouldn't pass validation on old clients. (I'm assuming that our client
> is so far the only one that validates so strictly.)

I did a basic test of this patch and also quickly read through the patches and besides nitpicks (like unused inspect module in tests/test_ipalib/test_messages.py in patch 0105) I did not find any obvious errors in the Python code.

However, this patch breaks WebUI badly, I did not even get to a login screen. Cooperation with Petr Vobornik will be needed.

In my case, I got a blank screen and a JavaScript error:

TypeError: IPA.messages.dialogs is undefined
https://vm-037.idm.lab.bos.redhat.com/ipa/ui/ipa.js
Line 1460

I assume this is related to the Internal Error that was returned in the JSON call

{
    "error": null,
    "id": null,
    "principal": "admin at IDM.LAB.BOS.REDHAT.COM",
    "result": {
        "count": 5,
        "results": [
            {
                "error": "an internal error has occurred",
                "error_code": 903,
                "error_name": "InternalError"
            },
            { ...

This can be reproduced with:

# curl -v -H "Content-Type:application/json" -H "referer:https://`hostname`/ipa" -H "Accept:applicaton/json" --negotiate -u : --cacert /etc/ipa/ca.crt -d '{"method":"i18n_messages","params":[[],{}],"id":0}' -X POST https://`hostname`/ipa/json

I am also not sure I like the requirement of a specific version option to be always passed. I would prefer that a missing version option would mean "I use the most recent version of API" instead - it would make the custom JSONRPC/XMLRPC calls easier to use. But since the version option was not being sent for some commands, we may not have a choice anyway if we do not want to break old clients in case we add some capabilities to these commands.

Martin

From rcritten at redhat.com Thu Dec 13 15:44:55 2012
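The version-fallback rule discussed in this exchange, as an added example that is not FreeIPA's code: a JSON-RPC call whose option dict carries no "version" is treated as coming from a client at the pre-capabilities API version 2.47 and gets a warning, while the "messages" key is attached to the response only for clients new enough to accept it. The capability table, the message names and the `serve()` helper are assumptions made for this illustration; the request shape (`params` = [positional args, option dict]) follows the curl call quoted above.

```python
"""Added example (not FreeIPA code): server-side handling of a missing API
version in a JSON-RPC request, with capability-gated warning messages."""
import json

# Version assumed when the client sends no "version" option (from the thread).
DEFAULT_API_VERSION = "2.47"

# Constructed placeholder: the API version at which each capability appeared.
# FreeIPA keeps its own table; this number is for illustration only.
CAPABILITIES = {
    "messages": "2.52",
}


def parse_version(version):
    """Split '2.47' into (2, 47) so that versions compare numerically."""
    major, minor = version.split(".")
    return int(major), int(minor)


def client_has_capability(client_version, capability):
    """True if a client at client_version understands the named capability."""
    return parse_version(client_version) >= parse_version(CAPABILITIES[capability])


def handle_request(raw_json):
    """Decode a JSON-RPC request of the form params = [args, options].

    Returns (method, args, options, messages).  After this call options
    always carries a "version"; messages holds any warnings raised here.
    """
    request = json.loads(raw_json)
    args, options = request["params"]
    options = dict(options)
    messages = []
    if "version" not in options:
        # Old client: assume the last version before capabilities existed.
        options["version"] = DEFAULT_API_VERSION
        messages.append({
            "type": "warning",
            "name": "VersionMissing",  # placeholder name, not FreeIPA's
            "message": "API version was not sent; assuming %s"
                       % DEFAULT_API_VERSION,
        })
    return request["method"], args, options, messages


def build_response(request_id, result, client_version, messages):
    """Assemble the JSON-RPC reply, attaching messages only when safe.

    A client that validates responses strictly (as the thread says the IPA
    client does) would reject an unexpected "messages" key, so the key is
    added only for clients whose version advertises the capability.
    """
    response = {"id": request_id, "error": None, "result": result}
    if messages and client_has_capability(client_version, "messages"):
        response["messages"] = messages
    return response


def serve(raw_json, result, command_messages=()):
    """Run one request through both steps.  'result' stands in for the
    command's real output; command_messages are extra notes the command
    itself wants delivered (constructed for the demonstration)."""
    method, args, options, messages = handle_request(raw_json)
    messages = messages + list(command_messages)
    request_id = json.loads(raw_json).get("id")
    return build_response(request_id, result, options["version"], messages)


if __name__ == "__main__":
    # The call quoted in the thread: no version option at all.
    legacy = '{"method":"i18n_messages","params":[[],{}],"id":0}'
    print(json.dumps(serve(legacy, {"count": 0}), indent=2))
    # Constructed call from a client that already knows about messages.
    modern = '{"method":"ping","params":[[],{"version":"2.52"}],"id":1}'
    note = [{"type": "info", "name": "Note", "message": "constructed note"}]
    print(json.dumps(serve(modern, {}, note), indent=2))
```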
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 13 Dec 2012 10:44:55 -0500 Subject: [Freeipa-devel] [PATCH] 1078 own ca_serialno In-Reply-To: <1355413296.5073.156.camel@willson.li.ssimo.org> References: <50C96130.5050300@redhat.com> <50C9C625.1090907@redhat.com> <50C9DC57.2090504@redhat.com> <50C9E780.9020908@redhat.com> <50C9E86D.7020102@redhat.com> <1355411632.5073.154.camel@willson.li.ssimo.org> <50C9F41C.2010200@redhat.com> <1355413296.5073.156.camel@willson.li.ssimo.org> Message-ID: <50C9F7F7.2040901@redhat.com> Simo Sorce wrote: > On Thu, 2012-12-13 at 10:28 -0500, Rob Crittenden wrote: >> Simo Sorce wrote: >>> On Thu, 2012-12-13 at 15:38 +0100, Martin Kosek wrote: >>>> On 12/13/2012 03:34 PM, Petr Viktorin wrote: >>>>> On 12/13/2012 02:47 PM, Rob Crittenden wrote: >>>>>> Petr Viktorin wrote: >>>>>>> On 12/13/2012 06:01 AM, Rob Crittenden wrote: >>>>>>>> We don't currently include the ca_serialno file in our spec file. This >>>>>>>> can generate an SELinux warning upon fresh install because we try to set >>>>>>>> context on a non-existent file. >>>>>>>> >>>>>>>> This creates an empty file on rpm install so the file can be owned by >>>>>>>> the spec. >>>>>>>> >>>>>>>> I also updated the selfsign serial number code to deal with an existing >>>>>>>> but empty file. >>>>>>>> >>>>>>>> rob >>>>>>>> >>>>>>> >>>>>>> I couldn't reproduce the error, but I noticed you've left out the >>>>>>> percent sign in %attr: >>>>>> >>>>>> It was reported against RHEL systems, so perhaps the SELinux (or rpm) in >>>>>> Fedora suppresses this message. >>>>>> >>>>>>>> --- a/freeipa.spec.in >>>>>>>> +++ b/freeipa.spec.in >>>>>>> [...] 
>>>>>>>> @@ -660,6 +662,7 @@ fi >>>>>>>> %attr(755,root,root) %{plugin_dir}/libipa_cldap.so >>>>>>>> %attr(755,root,root) %{plugin_dir}/libipa_range_check.so >>>>>>>> %dir %{_localstatedir}/lib/ipa >>>>>>>> +attr(600,root,root) %config(noreplace) >>>>>>>> %{_localstatedir}/lib/ipa/ca_serialno >>>>>>> >>>>>>> RPM build errors: >>>>>>> File must begin with "/": attr(600,root,root) >>>>>>> >>>>>>> >>>>>> >>>>>> D'oh. I had tested this in RHEL and cut-n-pasted the fix upstream. Fixed. >>>>>> >>>>>> rob >>>>> >>>>> On Fedora this doesn't hurt, ACK. >>>>> >>>> >>>> NACK. >>>> >>>> When FreeIPA gets uninstalled, we end up without this file again. Which would >>>> again lead to this warning on upgrades. >>>> >>>> I think we should rather truncate the file on server uninstall instead of >>>> removing it. >>>> >>> >>> Why don't we simply declare it as %ghost and conditionally label it ? >>> >>> I do not really like to have empty files just as an artifact, sounds >>> like the wrong solution, sorry. >>> >>> Simo. >>> >> >> The file has to exist for SELinux to label it. If we ghost it them the >> package will own it if it exists but the SELinux context will still fail >> to apply. > > We can apply selinux context in ipa-server-install and not in the spec. > That's when we need it anyway. > > Simo. > I don't think we should. It would hose up fixfiles. If things ever got out-of-sync there would be no easy way to reset the contexts to what they should be. And yeah, this is a rather ugly case. I'm not super keen on carrying a 0-length file for no reason either. I tried the ghost method first which is why I know it doesn't work. rob From simo at redhat.com Thu Dec 13 16:06:30 2012 
From: simo at redhat.com (Simo Sorce) Date: Thu, 13 Dec 2012 11:06:30 -0500 Subject: [Freeipa-devel] [PATCH] 1078 own ca_serialno In-Reply-To: <50C9F7F7.2040901@redhat.com> References: <50C96130.5050300@redhat.com> <50C9C625.1090907@redhat.com> <50C9DC57.2090504@redhat.com> <50C9E780.9020908@redhat.com> <50C9E86D.7020102@redhat.com> <1355411632.5073.154.camel@willson.li.ssimo.org> <50C9F41C.2010200@redhat.com> <1355413296.5073.156.camel@willson.li.ssimo.org> <50C9F7F7.2040901@redhat.com> Message-ID: <1355414790.5073.157.camel@willson.li.ssimo.org> On Thu, 2012-12-13 at 10:44 -0500, Rob Crittenden wrote: > Simo Sorce wrote: > > On Thu, 2012-12-13 at 10:28 -0500, Rob Crittenden wrote: > >> Simo Sorce wrote: > >>> On Thu, 2012-12-13 at 15:38 +0100, Martin Kosek wrote: > >>>> On 12/13/2012 03:34 PM, Petr Viktorin wrote: > >>>>> On 12/13/2012 02:47 PM, Rob Crittenden wrote: > >>>>>> Petr Viktorin wrote: > >>>>>>> On 12/13/2012 06:01 AM, Rob Crittenden wrote: > >>>>>>>> We don't currently include the ca_serialno file in our spec file. This > >>>>>>>> can generate an SELinux warning upon fresh install because we try to set > >>>>>>>> context on a non-existent file. > >>>>>>>> > >>>>>>>> This creates an empty file on rpm install so the file can be owned by > >>>>>>>> the spec. > >>>>>>>> > >>>>>>>> I also updated the selfsign serial number code to deal with an existing > >>>>>>>> but empty file. > >>>>>>>> > >>>>>>>> rob > >>>>>>>> > >>>>>>> > >>>>>>> I couldn't reproduce the error, but I noticed you've left out the > >>>>>>> percent sign in %attr: > >>>>>> > >>>>>> It was reported against RHEL systems, so perhaps the SELinux (or rpm) in > >>>>>> Fedora suppresses this message. > >>>>>> > >>>>>>>> --- a/freeipa.spec.in > >>>>>>>> +++ b/freeipa.spec.in > >>>>>>> [...] 
> >>>>>>>> @@ -660,6 +662,7 @@ fi > >>>>>>>> %attr(755,root,root) %{plugin_dir}/libipa_cldap.so > >>>>>>>> %attr(755,root,root) %{plugin_dir}/libipa_range_check.so > >>>>>>>> %dir %{_localstatedir}/lib/ipa > >>>>>>>> +attr(600,root,root) %config(noreplace) > >>>>>>>> %{_localstatedir}/lib/ipa/ca_serialno > >>>>>>> > >>>>>>> RPM build errors: > >>>>>>> File must begin with "/": attr(600,root,root) > >>>>>>> > >>>>>>> > >>>>>> > >>>>>> D'oh. I had tested this in RHEL and cut-n-pasted the fix upstream. Fixed. > >>>>>> > >>>>>> rob > >>>>> > >>>>> On Fedora this doesn't hurt, ACK. > >>>>> > >>>> > >>>> NACK. > >>>> > >>>> When FreeIPA gets uninstalled, we end up without this file again. Which would > >>>> again lead to this warning on upgrades. > >>>> > >>>> I think we should rather truncate the file on server uninstall instead of > >>>> removing it. > >>>> > >>> > >>> Why don't we simply declare it as %ghost and conditionally label it ? > >>> > >>> I do not really like to have empty files just as an artifact, sounds > >>> like the wrong solution, sorry. > >>> > >>> Simo. > >>> > >> > >> The file has to exist for SELinux to label it. If we ghost it them the > >> package will own it if it exists but the SELinux context will still fail > >> to apply. > > > > We can apply selinux context in ipa-server-install and not in the spec. > > That's when we need it anyway. > > > > Simo. > > > > I don't think we should. It would hose up fixfiles. If things ever got > out-of-sync there would be no easy way to reset the contexts to what > they should be. > > And yeah, this is a rather ugly case. I'm not super keen on carrying a > 0-length file for no reason either. I tried the ghost method first which > is why I know it doesn't work. Why would it hose fixfiles ? fixfiles knows not to bother with missing files afaik. There is something I guess I am missing here :/ Simo. -- Simo Sorce * Red Hat, Inc * New York From atkac at redhat.com Thu Dec 13 16:07:21 2012 
From: atkac at redhat.com (Adam Tkac) Date: Thu, 13 Dec 2012 17:07:21 +0100 Subject: [Freeipa-devel] [PATCH 92] Flush whole zone from cache during zone renaming/removal. In-Reply-To: <50BF3D54.5050406@redhat.com> References: <50A52F2D.3070402@redhat.com> <20121204133625.GA13739@redhat.com> <50BF3D54.5050406@redhat.com> Message-ID: <20121213160720.GA27603@redhat.com> On Wed, Dec 05, 2012 at 01:25:56PM +0100, Petr Spacek wrote: > On 12/04/2012 02:36 PM, Adam Tkac wrote: > >On Thu, Nov 15, 2012 at 07:06:37PM +0100, Petr Spacek wrote: > >>>Hello, > >>> > >>>the attached patch is a preliminary implementation of selective zone flush. > >>> > >>> > >>>The implementation is not as straightforward as I would like to see. Before > >>>discussing the patch itself - can we consider per-zone caches? In > >>>that case, we can simply deallocate the whole per-zone RBT and we are > >>>done. > >>> > >>>Pros: > >>>* Potentially better concurrency, simpler code, far fewer corner cases. > >>> > >>>Cons: > >>>* We have to look into the zone register before searching the cache. > >>>* It can limit concurrency ... with many extra small zones? I'm not sure. > >Hi Peter, > > > >In my opinion per-zone caches are better. Looking into the zone register isn't > >a costly operation. > The second version of the patch with per-zone caches is attached. I cut > all debugging code so this version could be considered final. Ack > From 9b1fe8c26049d0aeff8cc48c36b4faa4aca12b30 Mon Sep 17 00:00:00 2001 > From: Petr Spacek > Date: Wed, 5 Dec 2012 12:52:41 +0100 > Subject: [PATCH] Create separate record cache for each zone. > > This separation should solve all problems with stale records > after zone deletion and renaming. > > https://fedorahosted.org/bind-dyndb-ldap/ticket/91 
> > Signed-off-by: Petr Spacek > --- > src/cache.c | 45 +++++++++++++++++---------------- > src/cache.h | 3 ++- > src/ldap_helper.c | 72 +++++++++++++++++++++++++++++------------------------ > src/ldap_helper.h | 3 --- > src/zone_register.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++---- > src/zone_register.h | 11 +++++++- > 6 files changed, 139 insertions(+), 64 deletions(-) > > diff --git a/src/cache.c b/src/cache.c > index 898d48b291a83da7f77dbcf79e2bd3e7ff8281aa..fd57fd92eb35dcbbd5c1e1911a93730624e30002 100644 > --- a/src/cache.c > +++ b/src/cache.c > @@ -38,11 +38,11 @@ > #include "util.h" > > struct ldap_cache { > - isc_mutex_t mutex; /* TODO: RWLOCK? */ > - isc_mem_t *mctx; > - dns_rbt_t *rbt; > - isc_interval_t cache_ttl; > - isc_boolean_t psearch; > + isc_mutex_t mutex; /* TODO: RWLOCK? */ > + isc_mem_t *mctx; > + dns_rbt_t *rbt; > + const isc_interval_t *cache_ttl; /* pointer to LDAP instance */ > + const isc_boolean_t *psearch; /* pointer to LDAP instance */ > }; > > typedef struct { > @@ -78,8 +78,9 @@ cache_node_create(ldap_cache_t *cache, cache_node_t **nodep) > isc_mem_attach(cache->mctx, &node->mctx); > ZERO_PTR(&node->rdatalist); > /* Do not set the ttl when psearch is enabled. */ > - if (!cache->psearch) > - CHECK(isc_time_nowplusinterval(&node->valid_until, &cache->cache_ttl)); > + if (*cache->psearch == ISC_FALSE) > + CHECK(isc_time_nowplusinterval(&node->valid_until, > + cache->cache_ttl)); > > *nodep = node; > return ISC_R_SUCCESS; 
> @@ -90,29 +91,27 @@ cleanup: > return result; > } > > +/** > + * @param[in] cache_ttl ISC interval in LDAP instance shared by all caches > + * @param[in] psearch boolean in LDAP instance shared by all caches > + */ > isc_result_t > -new_ldap_cache(isc_mem_t *mctx, const char *const *argv, ldap_cache_t **cachep, isc_boolean_t psearch) > +new_ldap_cache(isc_mem_t *mctx, const isc_interval_t *cache_ttl, > + const isc_boolean_t *psearch, ldap_cache_t **cachep) > { > isc_result_t result; > ldap_cache_t *cache = NULL; > - unsigned int cache_ttl; > - setting_t cache_settings[] = { > - { "cache_ttl", default_uint(120) }, > - end_of_settings > - }; > > + REQUIRE(cache_ttl != NULL); > + REQUIRE(psearch != NULL); > REQUIRE(cachep != NULL && *cachep == NULL); > > - cache_settings[0].target = &cache_ttl; > - CHECK(set_settings(cache_settings, argv)); > - > CHECKED_MEM_GET_PTR(mctx, cache); > ZERO_PTR(cache); > isc_mem_attach(mctx, &cache->mctx); > > - isc_interval_set(&cache->cache_ttl, cache_ttl, 0); > - > - if (cache_ttl) { > + cache->cache_ttl = cache_ttl; > + if (!isc_interval_iszero(cache_ttl)) { > CHECK(dns_rbt_create(mctx, cache_node_deleter, NULL, > &cache->rbt)); > CHECK(isc_mutex_init(&cache->mutex)); > @@ -123,21 +122,23 @@ new_ldap_cache(isc_mem_t *mctx, const char *const *argv, ldap_cache_t **cachep, > return ISC_R_SUCCESS; > > cleanup: > - if (cache != NULL) > - destroy_ldap_cache(&cache); > + destroy_ldap_cache(&cache); > > return result; > } > > void > destroy_ldap_cache(ldap_cache_t **cachep) > { > ldap_cache_t *cache; > > - REQUIRE(cachep != NULL && *cachep != NULL); > + REQUIRE(cachep != NULL); > > cache = *cachep; > > + if (cache == NULL) > + return; > + > if (cache->rbt) { > LOCK(&cache->mutex); > dns_rbt_destroy(&cache->rbt); > diff --git a/src/cache.h b/src/cache.h > index a7aa5b7e889d9e195484a11dcf4f9a10d811f623..7c7e69b305d3021f154ebb17d5b879ba8f34590e 100644 > --- a/src/cache.h > +++ b/src/cache.h 
> @@ -30,7 +30,8 @@ typedef struct ldap_cache ldap_cache_t; > * Create a new cache. > */ > isc_result_t > -new_ldap_cache(isc_mem_t *mctx, const char * const *argv, ldap_cache_t **cachep, isc_boolean_t psearch); > +new_ldap_cache(isc_mem_t *mctx, const isc_interval_t *cache_ttl, > + const isc_boolean_t *psearch, ldap_cache_t **cachep); > > /* > * Free all resources used up by the cache. > diff --git a/src/ldap_helper.c b/src/ldap_helper.c > index 436985247803240f9ec4f2c3e5118adf8466beec..5c0d914d3af89dac9739b75a4d92be09ddf27532 100644 > --- a/src/ldap_helper.c > +++ b/src/ldap_helper.c > @@ -67,6 +67,7 @@ > > #include "acl.h" > #include "krb5_helper.h" > +#include "cache.h" > #include "ldap_convert.h" > #include "ldap_entry.h" > #include "ldap_helper.h" > @@ -150,9 +151,6 @@ struct ldap_instance { > /* Pool of LDAP connections */ > ldap_pool_t *pool; > > - /* RRs cache */ > - ldap_cache_t *cache; > - > /* Our own list of zones. */ > zone_register_t *zone_register; > > @@ -177,6 +175,7 @@ struct ldap_instance { > ld_string_t *krb5_keytab; > ld_string_t *fake_mname; > isc_boolean_t psearch; > + isc_interval_t cache_ttl; > ld_string_t *ldap_hostname; > isc_task_t *task; > isc_thread_t watcher; > @@ -344,6 +343,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, > dns_view_t *view = NULL; > ld_string_t *auth_method_str = NULL; > dns_forwarders_t *orig_global_forwarders = NULL; > + isc_uint32_t cache_ttl_seconds; > setting_t ldap_settings[] = { > { "uri", no_default_string }, > { "connections", default_uint(2) }, > @@ -362,6 +362,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, > { "krb5_keytab", default_string("") }, > { "fake_mname", default_string("") }, > { "psearch", default_boolean(ISC_FALSE) }, > + { "cache_ttl", default_uint(120) }, > { "ldap_hostname", default_string("") }, > { "sync_ptr", default_boolean(ISC_FALSE) }, > { "dyn_update", default_boolean(ISC_FALSE) }, 
> @@ -417,12 +418,14 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, > ldap_settings[i++].target = ldap_inst->sasl_password; > ldap_settings[i++].target = ldap_inst->krb5_keytab; > ldap_settings[i++].target = ldap_inst->fake_mname; > - ldap_settings[i++].target = &ldap_inst->psearch; > + ldap_settings[i++].target = &ldap_inst->psearch; > + ldap_settings[i++].target = &cache_ttl_seconds; > ldap_settings[i++].target = ldap_inst->ldap_hostname; > ldap_settings[i++].target = &ldap_inst->sync_ptr; > ldap_settings[i++].target = &ldap_inst->dyn_update; > ldap_settings[i++].target = &ldap_inst->serial_autoincrement; > CHECK(set_settings(ldap_settings, argv)); > + isc_interval_set(&ldap_inst->cache_ttl, cache_ttl_seconds, 0); > > /* Set timer for deadlock detection inside semaphore_wait_timed . */ > if (semaphore_wait_timeout.seconds < ldap_inst->timeout*SEM_WAIT_TIMEOUT_MUL) > @@ -493,7 +496,6 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, > goto cleanup; > } > > - CHECK(new_ldap_cache(mctx, argv, &ldap_inst->cache, ldap_inst->psearch)); > CHECK(ldap_pool_create(mctx, ldap_inst->connections, &ldap_inst->pool)); > CHECK(ldap_pool_connect(ldap_inst->pool, ldap_inst)); > > @@ -661,9 +663,6 @@ destroy_ldap_instance(ldap_instance_t **ldap_instp) > > DESTROYLOCK(&ldap_inst->kinit_lock); > > - if (ldap_inst->cache != NULL) > - destroy_ldap_cache(&ldap_inst->cache); > - > zr_destroy(&ldap_inst->zone_register); > > while (!ISC_LIST_EMPTY(ldap_inst->orig_global_forwarders.addrs)) { > @@ -860,9 +859,6 @@ ldap_delete_zone2(ldap_instance_t *inst, dns_name_t *name, isc_boolean_t lock, > zone_name_char); > } > > - /* TODO: flush cache records belonging to deleted zone */ > - CHECK(discard_from_cache(inst->cache, name)); > - > result = zr_get_zone_ptr(inst->zone_register, name, &zone); > if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) { > log_debug(1, "zone '%s' not found in zone register", zone_name_char); 
> @@ -1235,6 +1231,7 @@ ldap_parse_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst) > unsigned char *zr_digest = NULL; > ldapdb_rdatalist_t rdatalist; > isc_boolean_t zone_dynamic = ISC_FALSE; > + ldap_cache_t *cache = NULL; > > REQUIRE(entry != NULL); > REQUIRE(inst != NULL); > @@ -1251,7 +1248,12 @@ ldap_parse_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst) > if (result == ISC_R_SUCCESS) > unlock = ISC_TRUE; > > - CHECK(discard_from_cache(inst->cache, &name)); > + /* cache will not exist before zone load */ > + result = zr_get_zone_cache(inst->zone_register, &name, &cache); > + if (result == ISC_R_SUCCESS) > + CHECK(discard_from_cache(cache, &name)); > + else if (result != ISC_R_NOTFOUND) > + goto cleanup; > > /* > * Forwarding has top priority hence when the forwarders are properly > @@ -1276,7 +1278,8 @@ ldap_parse_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst) > result = zr_get_zone_ptr(inst->zone_register, &name, &zone); > if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) { > CHECK(create_zone(inst, &name, &zone)); > - CHECK(zr_add_zone(inst->zone_register, zone, dn)); > + CHECK(zr_add_zone(inst->zone_register, zone, dn, > + &inst->cache_ttl, &inst->psearch)); > publish = ISC_TRUE; > log_debug(2, "created zone %p: %s", zone, dn); > } else if (result != ISC_R_SUCCESS) > @@ -1801,14 +1804,14 @@ ldapdb_rdatalist_get(isc_mem_t *mctx, ldap_instance_t *ldap_inst, dns_name_t *na > ldap_qresult_t *ldap_qresult = NULL; > ldap_entry_t *entry; > ld_string_t *string = NULL; > - ldap_cache_t *cache; > + ldap_cache_t *cache = NULL; > > REQUIRE(ldap_inst != NULL); > REQUIRE(name != NULL); > REQUIRE(rdatalist != NULL); > > /* Check if RRs are in the cache */ > - cache = ldap_instance_getcache(ldap_inst); > + CHECK(zr_get_zone_cache(ldap_inst->zone_register, name, &cache)); > result = ldap_cache_getrdatalist(mctx, cache, name, rdatalist); > if (result == ISC_R_SUCCESS) > return ISC_R_SUCCESS; 
> @@ -2700,7 +2703,7 @@ modify_ldap_common(dns_name_t *owner, ldap_instance_t *ldap_inst, > ld_string_t *owner_dn = NULL; > LDAPMod *change[3] = { NULL }; > LDAPMod *change_ptr = NULL; > - ldap_cache_t *cache; > + ldap_cache_t *cache = NULL; > ldap_entry_t *entry; > ldap_valuelist_t values; > isc_boolean_t zone_dyn_update = ldap_inst->dyn_update; > @@ -2757,7 +2760,7 @@ modify_ldap_common(dns_name_t *owner, ldap_instance_t *ldap_inst, > goto cleanup; > } > /* Flush modified record from the cache */ > - cache = ldap_instance_getcache(ldap_inst); > + CHECK(zr_get_zone_cache(ldap_inst->zone_register, owner, &cache)); > CHECK(discard_from_cache(cache, owner)); > > if (rdlist->type == dns_rdatatype_soa) { > @@ -2949,10 +2952,12 @@ modify_ldap_common(dns_name_t *owner, ldap_instance_t *ldap_inst, > > /* Modify PTR record. */ > CHECK(ldap_modify_do(ldap_inst, ldap_conn, str_buf(owner_dn_ptr), change, delete_node)); > - (void) discard_from_cache(ldap_instance_getcache(ldap_inst), > - dns_fixedname_name(&name)); > + cache = NULL; > + CHECK(zr_get_zone_cache(ldap_inst->zone_register, > + dns_fixedname_name(&name), &cache)); > + CHECK(discard_from_cache(cache, dns_fixedname_name(&name))); > } > - > + > cleanup: > ldap_query_free(ISC_FALSE, &ldap_qresult); > ldap_pool_putconnection(ldap_inst->pool, &ldap_conn); > @@ -2982,12 +2987,6 @@ remove_from_ldap(dns_name_t *owner, ldap_instance_t *ldap_inst, > delete_node); > } > > -ldap_cache_t * > -ldap_instance_getcache(ldap_instance_t *ldap_inst) > -{ > - return ldap_inst->cache; > -} > - > static isc_result_t > ldap_pool_create(isc_mem_t *mctx, unsigned int connections, ldap_pool_t **poolp) > { > @@ -3203,6 +3202,7 @@ soa_serial_increment(isc_mem_t *mctx, ldap_instance_t *inst, > isc_uint32_t old_serial; > isc_uint32_t new_serial; > isc_time_t curr_time; > + ldap_cache_t *cache = NULL; > > REQUIRE(inst != NULL); > REQUIRE(zone_name != NULL); 
> @@ -3236,7 +3236,8 @@ soa_serial_increment(isc_mem_t *mctx, ldap_instance_t *inst, > > /* write the new serial back to DB */ > CHECK(modify_soa_record(inst, NULL, str_buf(zone_dn), soa_rdata)); > - CHECK(discard_from_cache(ldap_instance_getcache(inst), zone_name)); > + CHECK(zr_get_zone_cache(inst->zone_register, zone_name, &cache)); > + CHECK(discard_from_cache(cache, zone_name)); > > /* put the new SOA to inst->cache and compare old and new serials */ > CHECK(ldap_get_zone_serial(inst, zone_name, &new_serial)); > @@ -3410,7 +3411,7 @@ update_record(isc_task_t *task, isc_event_t *event) > ldap_psearchevent_t *pevent = (ldap_psearchevent_t *)event; > isc_result_t result; > ldap_instance_t *inst = NULL; > - ldap_cache_t *cache; > + ldap_cache_t *cache = NULL; > isc_mem_t *mctx; > mctx = pevent->mctx; > > @@ -3437,16 +3438,23 @@ update_record(isc_task_t *task, isc_event_t *event) > } > > /* Get cache instance & clean old record */ > - cache = ldap_instance_getcache(inst); > + CHECK(zr_get_zone_cache(inst->zone_register, &name, &cache)); > CHECK(discard_from_cache(cache, &name)); > > + /* TODO: double check correctness before replacing ldap_query() with > + * data from *event */ > if (PSEARCH_MODDN(pevent->chgtype)) { > /* remove previous name only if it was inside DNS subtree */ > - if(dn_to_dnsname(mctx, pevent->prevdn, &prevname, &prevorigin) > + if (dn_to_dnsname(mctx, pevent->prevdn, &prevname, &prevorigin) > == ISC_R_SUCCESS) { > log_debug(5, "psearch_update: removing name from cache, dn: '%s'", > pevent->prevdn); > - CHECK(discard_from_cache(cache, &prevname)); > + cache = NULL; > + result = zr_get_zone_cache(inst->zone_register, &prevname, &cache); > + if (result == ISC_R_SUCCESS) > + CHECK(discard_from_cache(cache, &prevname)); > + else if (result != ISC_R_NOTFOUND) > + goto cleanup; > } else { > log_debug(5, "psearch_update: old name wasn't managed " > "by plugin, dn '%s'", pevent->prevdn); 
> @@ -3807,7 +3815,7 @@ restart: > * We want to save cache in case of search timeout during restart. > */ > CHECK(refresh_zones_from_ldap(inst, ISC_TRUE)); > - CHECK(flush_ldap_cache(inst->cache)); > + CHECK(zr_flush_all_caches(inst->zone_register)); > flush_required = ISC_FALSE; > } > > diff --git a/src/ldap_helper.h b/src/ldap_helper.h > index f6cbdc593d91485f767ae5ea6017e114f95733d1..a1e52f044d5e81ace7fb2d3c2ab082ad838944d1 100644 > --- a/src/ldap_helper.h > +++ b/src/ldap_helper.h > @@ -90,7 +90,4 @@ isc_result_t write_to_ldap(dns_name_t *owner, ldap_instance_t *ldap_inst, > isc_result_t remove_from_ldap(dns_name_t *owner, ldap_instance_t *ldap_inst, > dns_rdatalist_t *rdlist, isc_boolean_t delete_node); > > -/* Get cache associated with ldap_inst */ > -ldap_cache_t *ldap_instance_getcache(ldap_instance_t *ldap_inst); > - > #endif /* !_LD_LDAP_HELPER_H_ */ > diff --git a/src/zone_register.c b/src/zone_register.c > index 18438bf937a6482ddf058adbecdc21e7cf2e7f26..03eb1d0765de371420e4da6beb1a7b2e2e52db94 100644 > --- a/src/zone_register.c > +++ b/src/zone_register.c > @@ -53,7 +53,8 @@ typedef struct { > dns_zone_t *zone; > char *dn; > isc_uint32_t serial; /* last value processed by plugin (!= value in DB) */ > - unsigned char digest[RDLIST_DIGESTLENGTH]; /* MD5 digest from all RRs in zone record */ > + unsigned char digest[RDLIST_DIGESTLENGTH]; /* MD5 digest from all RRs in zone record */ > + ldap_cache_t *cache; > } zone_info_t; > > /* Callback for dns_rbt_create(). */ > @@ -129,6 +130,7 @@ zr_destroy(zone_register_t **zrp) > */ > static isc_result_t > create_zone_info(isc_mem_t *mctx, dns_zone_t *zone, const char *dn, > + const isc_interval_t *cache_ttl, const isc_boolean_t *psearch, > zone_info_t **zinfop) > { > isc_result_t result; 
> @@ -139,9 +141,9 @@ create_zone_info(isc_mem_t *mctx, dns_zone_t *zone, const char *dn, > REQUIRE(zinfop != NULL && *zinfop == NULL); > > CHECKED_MEM_GET_PTR(mctx, zinfo); > + ZERO_PTR(zinfo); > CHECKED_MEM_STRDUP(mctx, dn, zinfo->dn); > - zinfo->serial = 0; > - zinfo->zone = NULL; > + CHECK(new_ldap_cache(mctx, cache_ttl, psearch, &zinfo->cache)); > dns_zone_attach(zone, &zinfo->zone); > > *zinfop = zinfo; > @@ -165,6 +167,7 @@ delete_zone_info(void *arg1, void *arg2) > if (zinfo == NULL) > return; > > + destroy_ldap_cache(&zinfo->cache); > isc_mem_free(mctx, zinfo->dn); > dns_zone_detach(&zinfo->zone); > SAFE_MEM_PUT_PTR(mctx, zinfo); > @@ -175,7 +178,8 @@ delete_zone_info(void *arg1, void *arg2) > * must be absolute and the zone cannot already be in the zone register. > */ > isc_result_t > -zr_add_zone(zone_register_t *zr, dns_zone_t *zone, const char *dn) > +zr_add_zone(zone_register_t *zr, dns_zone_t *zone, const char *dn, > + const isc_interval_t *cache_ttl, const isc_boolean_t *psearch) > { > isc_result_t result; > dns_name_t *name; > @@ -206,7 +210,8 @@ zr_add_zone(zone_register_t *zr, dns_zone_t *zone, const char *dn) > goto cleanup; > } > > - CHECK(create_zone_info(zr->mctx, zone, dn, &new_zinfo)); > + CHECK(create_zone_info(zr->mctx, zone, dn, cache_ttl, psearch, > + &new_zinfo)); > CHECK(dns_rbt_addname(zr->rbt, name, new_zinfo)); > > cleanup: 
> @@ -248,6 +253,60 @@ cleanup: > return result; > } > > +isc_result_t > +zr_flush_all_caches(zone_register_t *zr) { > + dns_rbtnodechain_t chain; > + isc_result_t result; > + > + dns_rbtnodechain_init(&chain, zr->mctx); > + RWLOCK(&zr->rwlock, isc_rwlocktype_write); > + > + result = dns_rbtnodechain_first(&chain, zr->rbt, NULL, NULL); > + while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) { > + dns_rbtnode_t *node = NULL; > + ldap_cache_t *cache; > + > + CHECK(dns_rbtnodechain_current(&chain, NULL, NULL, &node)); > + cache = ((zone_info_t *)(node->data))->cache; > + CHECK(flush_ldap_cache(cache)); > + result = dns_rbtnodechain_next(&chain, NULL, NULL); > + } > + > +cleanup: > + RWUNLOCK(&zr->rwlock, isc_rwlocktype_write); > + if (result == ISC_R_NOMORE || result == ISC_R_NOTFOUND) > + result = ISC_R_SUCCESS; > + > + return result; > +} > + > +isc_result_t > +zr_get_zone_cache(zone_register_t *zr, dns_name_t *name, ldap_cache_t **cachep) { > + isc_result_t result; > + void *zinfo = NULL; > + > + REQUIRE(zr != NULL); > + REQUIRE(name != NULL); > + REQUIRE(cachep != NULL && *cachep == NULL); > + > + if (!dns_name_isabsolute(name)) { > + log_bug("trying to find zone with a relative name"); > + return ISC_R_FAILURE; > + } > + > + RWLOCK(&zr->rwlock, isc_rwlocktype_read); > + > + result = dns_rbt_findname(zr->rbt, name, 0, NULL, &zinfo); > + if (result == DNS_R_PARTIALMATCH) > + result = ISC_R_SUCCESS; > + if (result == ISC_R_SUCCESS) > + *cachep = ((zone_info_t *)zinfo)->cache; > + > + RWUNLOCK(&zr->rwlock, isc_rwlocktype_read); > + > + return result; > +} > + > /* > * Find the closest match to zone with origin 'name' in the zone register 'zr'. > * The 'matched_name' will be set to the name that was matched while finding > diff --git a/src/zone_register.h b/src/zone_register.h > index dea2c9dce054daf1764ba31154627419acada27d..cec7400ff893842d499d15f6897d448710ac5407 100644 > --- a/src/zone_register.h > +++ b/src/zone_register.h 
> @@ -21,21 +21,30 @@ > #ifndef _LD_ZONE_REGISTER_H_ > #define _LD_ZONE_REGISTER_H_ > > +#include "cache.h" > + > typedef struct zone_register zone_register_t; > > isc_result_t > zr_create(isc_mem_t *mctx, zone_register_t **zrp); > > void > zr_destroy(zone_register_t **zrp); > > isc_result_t > -zr_add_zone(zone_register_t *zr, dns_zone_t *zone, const char *dn); > +zr_add_zone(zone_register_t *zr, dns_zone_t *zone, const char *dn, > + const isc_interval_t *cache_ttl, const isc_boolean_t *psearch); > > isc_result_t > zr_del_zone(zone_register_t *zr, dns_name_t *origin); > > isc_result_t > +zr_flush_all_caches(zone_register_t *zr); > + > +isc_result_t > +zr_get_zone_cache(zone_register_t *zr, dns_name_t *name, ldap_cache_t **cachep); > + > +isc_result_t > zr_get_zone_dn(zone_register_t *zr, dns_name_t *name, const char **dn, > dns_name_t *matched_name); > > -- > 1.7.11.7 > -- Adam Tkac, Red Hat, Inc. From rcritten at redhat.com Thu Dec 13 16:08:40 2012 
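Review bot: in the zone_register.c hunk `@@ -248,6 +253,60 @@`, zr_flush_all_caches dereferences `node->data` for every node the chain visits, but the RBT also holds nodes without data: dns_rbt_addname creates an interior node for a shared suffix (for example when a.example.com. and b.example.com. are registered but example.com. itself is not), so `cache = ((zone_info_t *)(node->data))->cache;` can dereference NULL. Skip nodes with `node->data == NULL`, and call dns_rbtnodechain_invalidate(&chain) before returning. In the same hunk, zr_get_zone_cache hands back the raw cache pointer after RWUNLOCK, while delete_zone_info frees that cache with `destroy_ldap_cache(&zinfo->cache)` when the zone is removed from the register; a caller such as ldapdb_rdatalist_get that is still reading the cache when the zone is deleted has a use-after-free window. Either the callers must hold the register lock for as long as they use the cache, or the cache needs its own reference count.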
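Review bot: the PTR branch of modify_ldap_common in hunk `@@ -2949,10 +2952,12 @@` changes error handling after the LDAP modification has already been committed. The old code deliberately ignored a failed flush with `(void) discard_from_cache(ldap_instance_getcache(ldap_inst), dns_fixedname_name(&name));`; the new `CHECK(zr_get_zone_cache(ldap_inst->zone_register, dns_fixedname_name(&name), &cache));` fails the whole call with ISC_R_NOTFOUND when the reverse zone is not in the zone register, even though both the forward and the PTR change were already written to LDAP, so the client is told an update failed that actually happened. Treat ISC_R_NOTFOUND as "nothing cached" here, the way the ldap_parse_zoneentry hunk does with `else if (result != ISC_R_NOTFOUND) goto cleanup;`.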
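Review bot: the comment right after the change in hunk `@@ -3236,7 +3236,8 @@` of soa_serial_increment, `/* put the new SOA to inst->cache and compare old and new serials */`, is stale once this patch removes the `cache` member from struct ldap_instance; the SOA now lands in the per-zone cache returned by zr_get_zone_cache. Reword it to name the zone's cache so the next reader does not go looking for inst->cache.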
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 13 Dec 2012 11:08:40 -0500 Subject: [Freeipa-devel] [PATCH] 1078 own ca_serialno In-Reply-To: <1355414790.5073.157.camel@willson.li.ssimo.org> References: <50C96130.5050300@redhat.com> <50C9C625.1090907@redhat.com> <50C9DC57.2090504@redhat.com> <50C9E780.9020908@redhat.com> <50C9E86D.7020102@redhat.com> <1355411632.5073.154.camel@willson.li.ssimo.org> <50C9F41C.2010200@redhat.com> <1355413296.5073.156.camel@willson.li.ssimo.org> <50C9F7F7.2040901@redhat.com> <1355414790.5073.157.camel@willson.li.ssimo.org> Message-ID: <50C9FD88.8010600@redhat.com> Simo Sorce wrote: > On Thu, 2012-12-13 at 10:44 -0500, Rob Crittenden wrote: >> Simo Sorce wrote: >>> On Thu, 2012-12-13 at 10:28 -0500, Rob Crittenden wrote: >>>> Simo Sorce wrote: >>>>> On Thu, 2012-12-13 at 15:38 +0100, Martin Kosek wrote: >>>>>> On 12/13/2012 03:34 PM, Petr Viktorin wrote: >>>>>>> On 12/13/2012 02:47 PM, Rob Crittenden wrote: >>>>>>>> Petr Viktorin wrote: >>>>>>>>> On 12/13/2012 06:01 AM, Rob Crittenden wrote: >>>>>>>>>> We don't currently include the ca_serialno file in our spec file. This >>>>>>>>>> can generate an SELinux warning upon fresh install because we try to set >>>>>>>>>> context on a non-existent file. >>>>>>>>>> >>>>>>>>>> This creates an empty file on rpm install so the file can be owned by >>>>>>>>>> the spec. >>>>>>>>>> >>>>>>>>>> I also updated the selfsign serial number code to deal with an existing >>>>>>>>>> but empty file. >>>>>>>>>> >>>>>>>>>> rob >>>>>>>>>> >>>>>>>>> >>>>>>>>> I couldn't reproduce the error, but I noticed you've left out the >>>>>>>>> percent sign in %attr: >>>>>>>> >>>>>>>> It was reported against RHEL systems, so perhaps the SELinux (or rpm) in >>>>>>>> Fedora suppresses this message. >>>>>>>> >>>>>>>>>> --- a/freeipa.spec.in >>>>>>>>>> +++ b/freeipa.spec.in >>>>>>>>> [...] 
>>>>>>>>>> @@ -660,6 +662,7 @@ fi >>>>>>>>>> %attr(755,root,root) %{plugin_dir}/libipa_cldap.so >>>>>>>>>> %attr(755,root,root) %{plugin_dir}/libipa_range_check.so >>>>>>>>>> %dir %{_localstatedir}/lib/ipa >>>>>>>>>> +attr(600,root,root) %config(noreplace) >>>>>>>>>> %{_localstatedir}/lib/ipa/ca_serialno >>>>>>>>> >>>>>>>>> RPM build errors: >>>>>>>>> File must begin with "/": attr(600,root,root) >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> D'oh. I had tested this in RHEL and cut-n-pasted the fix upstream. Fixed. >>>>>>>> >>>>>>>> rob >>>>>>> >>>>>>> On Fedora this doesn't hurt, ACK. >>>>>>> >>>>>> >>>>>> NACK. >>>>>> >>>>>> When FreeIPA gets uninstalled, we end up without this file again. Which would >>>>>> again lead to this warning on upgrades. >>>>>> >>>>>> I think we should rather truncate the file on server uninstall instead of >>>>>> removing it. >>>>>> >>>>> >>>>> Why don't we simply declare it as %ghost and conditionally label it? >>>>> >>>>> I do not really like to have empty files just as an artifact, sounds >>>>> like the wrong solution, sorry. >>>>> >>>>> Simo. >>>>> >>>> >>>> The file has to exist for SELinux to label it. If we ghost it then the >>>> package will own it if it exists but the SELinux context will still fail >>>> to apply. >>> >>> We can apply selinux context in ipa-server-install and not in the spec. >>> That's when we need it anyway. >>> >>> Simo. >>> >> >> I don't think we should. It would hose up fixfiles. If things ever got >> out-of-sync there would be no easy way to reset the contexts to what >> they should be. >> >> And yeah, this is a rather ugly case. I'm not super keen on carrying a >> 0-length file for no reason either. I tried the ghost method first which >> is why I know it doesn't work. > > Why would it hose fixfiles? > fixfiles knows not to bother with missing files afaik. > > There is something I guess I am missing here :/ > > Simo. > Ok, I think I misunderstood your proposal to remove policy from the rpm then. 
What is it you're suggesting? rob From rcritten at redhat.com Thu Dec 13 16:32:51 2012 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 13 Dec 2012 11:32:51 -0500 Subject: [Freeipa-devel] [PATCH] 1078 own ca_serialno In-Reply-To: <50C9FD88.8010600@redhat.com> References: <50C96130.5050300@redhat.com> <50C9C625.1090907@redhat.com> <50C9DC57.2090504@redhat.com> <50C9E780.9020908@redhat.com> <50C9E86D.7020102@redhat.com> <1355411632.5073.154.camel@willson.li.ssimo.org> <50C9F41C.2010200@redhat.com> <1355413296.5073.156.camel@willson.li.ssimo.org> <50C9F7F7.2040901@redhat.com> <1355414790.5073.157.camel@willson.li.ssimo.org> <50C9FD88.8010600@redhat.com> Message-ID: <50CA0333.1050607@redhat.com> Rob Crittenden wrote: > Simo Sorce wrote: >> On Thu, 2012-12-13 at 10:44 -0500, Rob Crittenden wrote: >>> Simo Sorce wrote: >>>> On Thu, 2012-12-13 at 10:28 -0500, Rob Crittenden wrote: >>>>> Simo Sorce wrote: >>>>>> On Thu, 2012-12-13 at 15:38 +0100, Martin Kosek wrote: >>>>>>> On 12/13/2012 03:34 PM, Petr Viktorin wrote: >>>>>>>> On 12/13/2012 02:47 PM, Rob Crittenden wrote: >>>>>>>>> Petr Viktorin wrote: >>>>>>>>>> On 12/13/2012 06:01 AM, Rob Crittenden wrote: >>>>>>>>>>> We don't currently include the ca_serialno file in our spec >>>>>>>>>>> file. This >>>>>>>>>>> can generate an SELinux warning upon fresh install because we >>>>>>>>>>> try to set >>>>>>>>>>> context on a non-existent file. >>>>>>>>>>> >>>>>>>>>>> This creates an empty file on rpm install so the file can be >>>>>>>>>>> owned by >>>>>>>>>>> the spec. >>>>>>>>>>> >>>>>>>>>>> I also updated the selfsign serial number code to deal with >>>>>>>>>>> an existing >>>>>>>>>>> but empty file. >>>>>>>>>>> >>>>>>>>>>> rob >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> I couldn't reproduce the error, but I noticed you've left out the >>>>>>>>>> percent sign in %attr: >>>>>>>>> >>>>>>>>> It was reported against RHEL systems, so perhaps the SELinux >>>>>>>>> (or rpm) in >>>>>>>>> Fedora suppresses this message. >>>>>>>>> >>>>>>>>>>> --- a/freeipa.spec.in >>>>>>>>>>> 
+++ b/freeipa.spec.in >>>>>>>>>> [...] >>>>>>>>>>> 
@@ -660,6 +662,7 @@ fi >>>>>>>>>>> %attr(755,root,root) %{plugin_dir}/libipa_cldap.so >>>>>>>>>>> %attr(755,root,root) %{plugin_dir}/libipa_range_check.so >>>>>>>>>>> %dir %{_localstatedir}/lib/ipa >>>>>>>>>>> +attr(600,root,root) %config(noreplace) >>>>>>>>>>> %{_localstatedir}/lib/ipa/ca_serialno >>>>>>>>>> >>>>>>>>>> RPM build errors: >>>>>>>>>> File must begin with "/": attr(600,root,root) >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> D'oh. I had tested this in RHEL and cut-n-pasted the fix >>>>>>>>> upstream. Fixed. >>>>>>>>> >>>>>>>>> rob >>>>>>>> >>>>>>>> On Fedora this doesn't hurt, ACK. >>>>>>>> >>>>>>> >>>>>>> NACK. >>>>>>> >>>>>>> When FreeIPA gets uninstalled, we end up without this file again. >>>>>>> Which would >>>>>>> again lead to this warning on upgrades. >>>>>>> >>>>>>> I think we should rather truncate the file on server uninstall >>>>>>> instead of >>>>>>> removing it. >>>>>>> >>>>>> >>>>>> Why don't we simply declare it as %ghost and conditionally label it? >>>>>> >>>>>> I do not really like to have empty files just as an artifact, sounds >>>>>> like the wrong solution, sorry. >>>>>> >>>>>> Simo. >>>>>> >>>>> >>>>> The file has to exist for SELinux to label it. If we ghost it then the >>>>> package will own it if it exists but the SELinux context will still >>>>> fail >>>>> to apply. >>>> >>>> We can apply selinux context in ipa-server-install and not in the spec. >>>> That's when we need it anyway. >>>> >>>> Simo. >>>> >>> >>> I don't think we should. It would hose up fixfiles. If things ever got >>> out-of-sync there would be no easy way to reset the contexts to what >>> they should be. >>> >>> And yeah, this is a rather ugly case. I'm not super keen on carrying a >>> 0-length file for no reason either. I tried the ghost method first which >>> is why I know it doesn't work. >> >> Why would it hose fixfiles? >> fixfiles knows not to bother with missing files afaik. >> >> There is something I guess I am missing here :/ >> >> Simo. 
>> > > Ok, I think I misunderstood your proposal to remove policy from the rpm > then. What is it you're suggesting? > > rob I talked to the guys in #selinux. This is a difference in fixfiles between Fedora and RHEL. In Fedora fixfiles suppresses missing paths. I've reassigned the bugzilla to policycoreutils to get this fixed properly. Withdrawing my patch. rob From pviktori at redhat.com Thu Dec 13 17:09:47 2012 
From: pviktori at redhat.com (Petr Viktorin) Date: Thu, 13 Dec 2012 18:09:47 +0100 Subject: [Freeipa-devel] [PATCHES] 0104-0106 Provide means of displaying warning and informational messages on clients In-Reply-To: <50C9F7A4.80909@redhat.com> References: <50C9A709.8070806@redhat.com> <50C9F7A4.80909@redhat.com> Message-ID: <50CA0BDB.4000807@redhat.com> On 12/13/2012 04:43 PM, Martin Kosek wrote: > On 12/13/2012 10:59 AM, Petr Viktorin wrote: >> It's time to give this to another set of eyes :) >> >> Design document: http://freeipa.org/page/V3/Messages >> Ticket: https://fedorahosted.org/freeipa/ticket/2732 >> >> More info is in commit messages. >> >> >> Because of https://fedorahosted.org/freeipa/ticket/3294, I needed to change the >> design document: when the client doesn't send the API version, it is assumed >> it's at a version before capabilities were introduced (i.e. 2.47). >> The client still gets a warning if the version is missing. Except for those >> commands where IPA didn't send a version -- ping, cert-show, etc. -- the >> warning wouldn't pass validation on old clients. (I'm assuming that our client >> is so far the only one that validates so strictly.) > > I did a basic test of this patch and also quickly read through the patches and > besides nitpicks (like unused inspect module in > tests/test_ipalib/test_messages.py in patch 0105) I did not find any obvious > errors in the Python code. Noted, will fix in future versions of the patch. > > However, this patch breaks WebUI badly, I did not even get to a log in screen. > Cooperation with Petr Vobornik will be needed. 
In my case, I got blank screen > and Javascript error: > > TypeError: IPA.messages.dialogs is undefined > https://vm-037.idm.lab.bos.redhat.com/ipa/ui/ipa.js > Line 1460 > > I assume this is related to the Internal Error that was returned in the JSON call > > { > "error": null, > "id": null, > "principal": "admin at IDM.LAB.BOS.REDHAT.COM", > "result": { > "count": 5, > "results": [ > { > "error": "an internal error has occurred", > "error_code": 903, > "error_name": "InternalError" > }, > { > ... > > This can be reproduced with: > > # curl -v -H "Content-Type:application/json" -H > "referer:https://`hostname`/ipa" -H "Accept:applicaton/json" --negotiate -u : > --cacert /etc/ipa/ca.crt -d > '{"method":"i18n_messages","params":[[],{}],"id":0}' -X POST > https://`hostname`/ipa/json Good catch! The i18n_messages plugin already defines a "messages" output. When I renamed this from "warnings" to "messages" I forgot to check for clashes. Since i18n_messages is an internal command only used by the Web UI, we can rename its output to "texts" without breaking compatibility. I'm attaching a preliminary fix (for both backend and UI), but hopefully it won't be necessary, see below. > I am also not sure I like the requirement of a specific version option to be > always passed. I would prefer that missing version option would mean "I use the > most recent version of API" instead - it would make the custom JSONRPC/XMLRPC > calls easier to use. > > But since the version option was not being sent for some commands, we may not > have a choice anyway if we do not want to break old clients in case we add some > capabilities to these commands. > I see three other options, all worse: - Do not use capabilities for the affected commands, meaning no new functionality can be added to them (and by extension, no new functionality common to all commands can be added). - Treat a missing version as the current version - Break backwards compatibility And one possibly better (thanks to Petr? 
and Martin for opening my eyes off-list!): - Deprecate XML-RPC. All XML-RPC requests would be pinned to current version (2.47). Capabilities/messages would only apply to JSON-RPC. This would also allow us to solve the above name-clashing problem elegantly. Here is a reminder of what a JSON response looks like: { "error": null, "id": 0, "principal": "admin at IDM.LAB.BOS.REDHAT.COM", "result": { "summary": "IPA server version 3.1.0GIT2e4bd02. API version 2.47" }, "version": "3.1.0GIT2e4bd02" } An XML-RPC response only contains the "result" part of that. So with JSON, we can put the messages in the top level, which is much better design. XML-RPC sucks in other ways too. We already have a workaround for its inability to attach extra info to errors (commit 88262a75ffe7a25640333dcc4da2100830cae821, Add instructions support to PublicError). I've opened a RFC here: https://fedorahosted.org/freeipa/ticket/3299. -- Petr³ -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0115-Rename-the-messages-Output-of-the-i18n_messages-comm.patch Type: text/x-patch Size: 3438 bytes Desc: not available URL: From dpal at redhat.com Fri Dec 14 00:46:14 2012
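The design points argued in the message above (a missing API version is treated as the last pre-capability version rather than "latest", capability-gated output only goes to clients that declare a new enough version, and JSON-RPC can carry messages at the top level next to "result" while XML-RPC transports only "result") are shown below as an added, stand-alone Python example. It is not FreeIPA's dispatcher; the version numbers, the capability table, the "detailed_ping" capability and the toy ping command are assumptions for illustration.

```python
"""Added example (not FreeIPA code): a toy RPC dispatcher that treats a missing
client API version as the last version before capabilities existed, gates new
result fields on capabilities, and places messages at the top level of a
JSON-RPC response only. Versions and capabilities below are assumed values."""

PRE_CAPABILITY_VERSION = "2.47"   # assumed: last API version without capabilities
SERVER_API_VERSION = "2.48"       # assumed: the server's current API version

# Assumed capability table: capability name -> first API version that has it.
CAPABILITIES = {"detailed_ping": "2.48"}


def parse_version(text):
    """'2.47' -> (2, 47) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def effective_version(client_version):
    """A client that sends no version is assumed to predate capabilities."""
    return client_version if client_version is not None else PRE_CAPABILITY_VERSION


def client_has_capability(client_version, name):
    """True if a client at client_version understands capability `name`."""
    return parse_version(effective_version(client_version)) >= parse_version(CAPABILITIES[name])


def run_ping(client_version):
    """Toy command: base output for every client, an extra field only for
    clients that declared a version new enough to expect it."""
    result = {"summary": "API version %s" % SERVER_API_VERSION}
    if client_has_capability(client_version, "detailed_ping"):
        result["api_version"] = SERVER_API_VERSION
    return result


COMMANDS = {"ping": run_ping}


def dispatch(request, transport):
    """Build the response for a JSON-RPC ('json') or XML-RPC ('xml') request.

    `request` has the {"method": ..., "params": [args, options], "id": ...}
    shape used in the curl reproduction above; the API version is sent by the
    client in the options dict (assumption: key "version")."""
    _args, options = request.get("params", [[], {}])
    client_version = options.get("version")

    messages = []
    if client_version is None:
        messages.append({"type": "warning", "name": "VersionMissing",
                         "message": "API version not sent; assuming %s"
                                    % PRE_CAPABILITY_VERSION})

    result = COMMANDS[request["method"]](client_version)

    if transport == "xml":
        # XML-RPC transports only the result value: there is no envelope in
        # which messages could travel, so this transport never gets them.
        return {"result": result}

    response = {"error": None, "id": request.get("id"),
                "result": result, "version": SERVER_API_VERSION}
    if messages:
        # Top level, outside "result": old clients that validate only the
        # result structure are not affected by the new key (assumption).
        response["messages"] = messages
    return response


if __name__ == "__main__":
    print(dispatch({"method": "ping", "params": [[], {}], "id": 0}, "json"))
    print(dispatch({"method": "ping", "params": [[], {"version": "2.48"}], "id": 1}, "json"))
    print(dispatch({"method": "ping", "params": [[], {}], "id": 0}, "xml"))
```

Note that `parse_version` compares tuples rather than strings; a string comparison would rank "2.100" below "2.47", which is exactly the kind of bug that silently disables a capability check.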
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 13 Dec 2012 19:46:14 -0500 Subject: [Freeipa-devel] [PATCHES] 0107-0114 Fix Confusing ipa tool online help organization In-Reply-To: <50C9F27E.50808@redhat.com> References: <50C9F27E.50808@redhat.com> Message-ID: <50CA76D6.8090404@redhat.com> On 12/13/2012 10:21 AM, Petr Viktorin wrote: > https://fedorahosted.org/freeipa/ticket/3060 > > Here is a collection of smallish fixes to `ipa help` and `ipa > --help`. > This should address most of Nikolai's proposal. > Additionally, it's now possible to run `ipa --help` without > a Kerberos ticket. And there are some new tests. > > I've not included the "Often used commands" in `ipa help`; I think > that is material for a manual/tutorial, not a help command. Selecting > a topic from `ipa topics` and then choosing a command from `ipa help > ` is a better way to use the help than the verbose `ipa help > commands` or proposed incomplete "Often used commands". Since the ticket has a bit of discussion and you indicate that you did not to address everything can you please extract what have been addressed and put it into a design page. I know it is not RFE but it would help to validate the changes by testers. Please put the wiki link into the ticket. > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From jcholast at redhat.com Fri Dec 14 08:04:04 2012 
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 14 Dec 2012 09:04:04 +0100 Subject: [Freeipa-devel] [PATCHES] 0104-0106 Provide means of displaying warning and informational messages on clients In-Reply-To: <50CA0BDB.4000807@redhat.com> References: <50C9A709.8070806@redhat.com> <50C9F7A4.80909@redhat.com> <50CA0BDB.4000807@redhat.com> Message-ID: <50CADD74.1090802@redhat.com> On 13.12.2012 18:09, Petr Viktorin wrote: > On 12/13/2012 04:43 PM, Martin Kosek wrote: >> On 12/13/2012 10:59 AM, Petr Viktorin wrote: >>> It's time to give this to another set of eyes :) >>> >>> Design document: http://freeipa.org/page/V3/Messages >>> Ticket: https://fedorahosted.org/freeipa/ticket/2732 >>> >>> More info is in commit messages. >>> >>> >>> Because of https://fedorahosted.org/freeipa/ticket/3294, I needed to >>> change the >>> design document: when the client doesn't send the API version, it is >>> assumed >>> it's at a version before capabilities were introduced (i.e. 2.47). >>> The client still gets a warning if the version is missing. Except for >>> those >>> commands where IPA didn't send a version -- ping, cert-show, etc. -- the >>> warning wouldn't pass validation on old clients. (I'm assuming that >>> our client >>> is so far the only one that validates so strictly.) >> >> I did a basic test of this patch and also quickly read through the >> patches and >> besides nitpicks (like unused inspect module in >> tests/test_ipalib/test_messages.py in patch 0105) I did not find any >> obvious >> errors in the Python code. > > Noted, will fix in future versions of the patch. > >> >> However, this patch breaks WebUI badly, I did not even get to a log in >> screen. >> Cooperation with Petr Vobornik will be needed. 
In my case, I got blank >> screen >> and Javascript error: >> >> TypeError: IPA.messages.dialogs is undefined >> https://vm-037.idm.lab.bos.redhat.com/ipa/ui/ipa.js >> Line 1460 >> >> I assume this is related to the Internal Error that was returned in >> the JSON call >> >> { >> "error": null, >> "id": null, >> "principal": "admin at IDM.LAB.BOS.REDHAT.COM", >> "result": { >> "count": 5, >> "results": [ >> { >> "error": "an internal error has occurred", >> "error_code": 903, >> "error_name": "InternalError" >> }, >> { >> ... >> >> This can be reproduced with: >> >> # curl -v -H "Content-Type:application/json" -H >> "referer:https://`hostname`/ipa" -H "Accept:applicaton/json" >> --negotiate -u : >> --cacert /etc/ipa/ca.crt -d >> '{"method":"i18n_messages","params":[[],{}],"id":0}' -X POST >> https://`hostname`/ipa/json > > Good catch! The i18n_messages plugin already defines a "messages" > output. When I renamed this from "warnings" to "messages" I forgot to > check for clashes. > Since i18n_messages is an internal command only used by the Web UI, we > can rename its output to "texts" without breaking compatibility. > > I'm attaching a preliminary fix (for both backend and UI), but hopefully > it won't be necessary, see below. > >> I am also not sure I like the requirement of a specific version option >> to be >> always passed. I would prefer that missing version option would mean >> "I use the >> most recent version of API" instead - it would make the custom >> JSONRPC/XMLRPC >> calls easier to use. >> >> But since the version option was not being sent for some commands, we >> may not >> have a choice anyway if we do not want to break old clients in case we >> add some >> capabilities to these commands. >> > > I see three other options, all worse: > - Do not use capabilities for the affected commands, meaning no new > functionality can be added to them (and by extension, no new > functionality common to all commands can be added). 
> - Treat a missing version as the current version > - Break backwards compatibility > > And one possibly better (thanks to Petr? and Martin for opening my eyes > off-list!): > - Deprecate XML-RPC. All XML-RPC requests would be pinned to current > version (2.47). Capabilities/messages would only apply to JSON-RPC. > > This would also allow us to solve the above name-clashing problem > elegantly. Here is a reminder of what a JSON response looks like: > > { > "error": null, > "id": 0, > "principal": "admin at IDM.LAB.BOS.REDHAT.COM", > "result": { > "summary": "IPA server version 3.1.0GIT2e4bd02. API version 2.47" > }, > "version": "3.1.0GIT2e4bd02" > } > > A XML-RPC response only contains the "result" part of that. > So with JSON, we can put the messages in the top level, which is much > better design. > > XML-RPC sucks in other ways too. We already have a workaround for its > inability to attach extra info to errors (commit > 88262a75ffe7a25640333dcc4da2100830cae821, Add instructions support to > PublicError). > > I've opened a RFC here: https://fedorahosted.org/freeipa/ticket/3299. > +1, XML-RPC sucks. This should have been done a long time ago. Honza -- Jan Cholasta From pviktori at redhat.com Fri Dec 14 11:30:23 2012 
From: pviktori at redhat.com (Petr Viktorin) Date: Fri, 14 Dec 2012 12:30:23 +0100 Subject: [Freeipa-devel] [PATCHES] 0107-0114 Fix Confusing ipa tool online help organization In-Reply-To: <50CA76D6.8090404@redhat.com> References: <50C9F27E.50808@redhat.com> <50CA76D6.8090404@redhat.com> Message-ID: <50CB0DCF.7050102@redhat.com> On 12/14/2012 01:46 AM, Dmitri Pal wrote: > On 12/13/2012 10:21 AM, Petr Viktorin wrote: >> https://fedorahosted.org/freeipa/ticket/3060 >> >> Here is a collection of smallish fixes to `ipa help` and `ipa >> --help`. >> This should address most of Nikolai's proposal. >> Additionally, it's now possible to run `ipa --help` without >> a Kerberos ticket. And there are some new tests. >> >> I've not included the "Often used commands" in `ipa help`; I think >> that is material for a manual/tutorial, not a help command. Selecting >> a topic from `ipa topics` and then choosing a command from `ipa help >> ` is a better way to use the help than the verbose `ipa help >> commands` or proposed incomplete "Often used commands". > > Since the ticket has a bit of discussion and you indicate that you did > not to address everything can you please extract what have been > addressed and put it into a design page. > I know it is not RFE but it would help to validate the changes by testers. > Please put the wiki link into the ticket. > http://freeipa.org/page/V3/Help -- Petr³ From tbabej at redhat.com Fri Dec 14 12:52:49 2012
From: tbabej at redhat.com (Tomas Babej) Date: Fri, 14 Dec 2012 13:52:49 +0100 Subject: [Freeipa-devel] [PATCH 0021] Forbid overlapping rid ranges for the same id range In-Reply-To: <50C9DCB1.8060808@redhat.com> References: <508A9378.60208@redhat.com> <50C8A38B.8040401@redhat.com> <50C9B350.7010207@redhat.com> <50C9DCB1.8060808@redhat.com> Message-ID: <50CB2121.9070209@redhat.com> On 12/13/2012 02:48 PM, Martin Kosek wrote: > On 12/13/2012 11:52 AM, Tomas Babej wrote: >> On 12/12/2012 04:32 PM, Martin Kosek wrote: >>> On 10/26/2012 03:43 PM, Tomas Babej wrote: >>>> Hi, >>>> >>>> creating an id range with overlapping primary and secondary >>>> rid range using idrange-add or idrange-mod command now >>>> raises ValidationError. Unit tests have been added to >>>> test_range_plugin.py. >>>> >>>> https://fedorahosted.org/freeipa/ticket/3171 >>>> >>>> Tomas >>>> >>> 1) Add command can cause crash: >>> >>> # ipa idrange-add range9 --base-id=1000 --rid-base=1000 --secondary-rid-base= >>> --range-size 1000 >>> ipa: ERROR: an internal error has occurred >>> >>> 2) I don't like this construct very much: >>> >>> updated_values = dict(zip(rid_range_attributes,[None]*3)) >>> >>> This would look better, IMO: >>> updated_values = dict((attr, None) for attr in rid_range_attributes) >>> >>> Why do you need this dict pre-created anyway? You overwrite all keys here: >>> >>> + for attr in rid_range_attributes: >>> + if attr in entry_attrs: >>> + updated_values[attr] = entry_attrs[attr] >>> + else: >>> + updated_values[attr] = int(old_attrs[attr][0]) >>> >>> >>> 3) [nitpick] We don't end ValidationError with '.': >>> >>> + raise errors.ValidationError(name='ID Range setup', >>> + error=_("Primary rid range and secondary rid range"\ >>> + " cannot overlap.")) >>> >>> There is also a duplication of the same error message... 
>>> >>> 4) The -mod operation will also crash: >>> >>> # ipa idrange-add range9 --base-id=1000 --rid-base=1000 >>> --secondary-rid-base=2000 --range-size 1000 >>> # ipa idrange-mod range9 --secondary-rid-base= >>> ipa: ERROR: an internal error has occurred >>> >>> Martin >> New patch version as well as diff between >> patch versions (for your convenience) attached. >> >> Tomas > 1) You introduced mixed spaces and tabs - Python gods do not like that! Oops, I'd rather send a fixed patch sooner than they bring down their wrath on me. :) > 2) This is a nitpick, but there are too many redundant parens and brackets in > this statement: > > + if(any([attr is None for attr in [rid_base,secondary_rid_base, size]])): > + return False > > This would look nicer and would not create unnecessary list: > > + if any(attr is None for attr in (rid_base, secondary_rid_base, size)): > + return False Brackets reduced. > 3) Another construct I did not like very much: > > + is_set = lambda x : (x in entry_attrs) and not (x is None) > > a) "x is not None" reads better than "not (x is None)" > b) I would rather replace all is_set lambdas with use of "if > entry_attrs.get('attribute')" which is also used in other places in ipalib I don't think this approach would be beneficial. If any of rid_base, secondary_rid_base, base_id, e.g. would be set to 0, the expression like /entry_attrs.get('base_id') /would be evaluated as False both in case that there is no key 'base_id' in the dictionary and in the case that the value associated with the key is 0. To avoid these problems, we would have to complicate conditions used in if-s, and therefore make the readability worse. / / > 4) I see a suspicions check > > + if (is_set('ipasecondarybaserid') != is_set('ipabaserid')): > > I though that ipasecondarybaserid is optional. 
With your change it is not: > > # ipa idrange-add range9 --base-id=1000 --rid-base=1000 --range-size 1000 > ipa: ERROR: invalid 'ID Range setup': Options secondary_rid_base and rid_base > must be used together > > It is also quite ugly condition, I would do something like: > > if entry_attrs.get('ipasecondarybaserid') and not entry_attrs.get('ipabaserid'): > ... raise error It's not a bug. It's a feature :) Secondary base RID indeed is mandatory when primary RID base has been defined. Its purpose is to prevent collisions when user and group share the same POSIX ID number. From the documentation of idrange.py: /To create an ID range for the local domain it is not necessary to specify a// //domain SID. But since it is possible that a user and a group can have the same// //value as Posix ID a second RID interval is needed to handle conflicts. / > 5) I would not create a list when it is not necessary, a tuple is more > efficient I think: > > + rid_range_attributes = > ['ipabaserid','ipasecondarybaserid','ipaidrangesize'] Fixed. > 6) If we want to check user does not create secondary RID range without a > primary RID range, we should also do it in -mod operation: > > # ipa idrange-mod range9 --rid-base= > -------------------------- > Modified ID range "range9" > -------------------------- > Range name: range9 > First Posix ID of the range: 1000 > Number of IDs in the range: 1000 > First RID of the secondary RID range: 2000 > Range type: local domain range This is fixed as part of my patch 0024 as it falls under the scope of http://fedorahosted.org/freeipa/ticket/3170 I will send a rebased version later today. > 7) I am sorry I did not come with this in my previous review, but I have one > more nitpick for the error message: > + error=_("Primary rid range and secondary rid range"\ > + " cannot overlap")) > > I would do s/rid/RID/ as we also refer it as RID in our help... > > Martin Fixed. However, lower-case rid is used in ipa_range_check.c 389 plugin. 
We might want to consider filing a naming convention ticket then. Tomas -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0021-3-Forbid-overlapping-rid-ranges-for-the-same-id-range.patch Type: text/x-patch Size: 11761 bytes Desc: not available URL: From abokovoy at redhat.com Fri Dec 14 12:59:42 2012 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 14 Dec 2012 14:59:42 +0200 Subject: [Freeipa-devel] [PATCH 0021] Forbid overlapping rid ranges for the same id range In-Reply-To: <50CB2121.9070209@redhat.com> References: <508A9378.60208@redhat.com> <50C8A38B.8040401@redhat.com> <50C9B350.7010207@redhat.com> <50C9DCB1.8060808@redhat.com> <50CB2121.9070209@redhat.com> Message-ID: <20121214125942.GJ10152@redhat.com> On Fri, 14 Dec 2012, Tomas Babej wrote: >On 12/13/2012 02:48 PM, Martin Kosek wrote: >>On 12/13/2012 11:52 AM, Tomas Babej wrote: >>>On 12/12/2012 04:32 PM, Martin Kosek wrote: >>>>On 10/26/2012 03:43 PM, Tomas Babej wrote: >>>>>Hi, >>>>> >>>>>creating an id range with overlapping primary and secondary >>>>>rid range using idrange-add or idrange-mod command now >>>>>raises ValidationError. Unit tests have been added to >>>>>test_range_plugin.py. >>>>> >>>>>https://fedorahosted.org/freeipa/ticket/3171 >>>>> >>>>>Tomas >>>>> >>>>1) Add command can cause crash: >>>> >>>># ipa idrange-add range9 --base-id=1000 --rid-base=1000 --secondary-rid-base= >>>>--range-size 1000 >>>>ipa: ERROR: an internal error has occurred >>>> >>>>2) I don't like this construct very much: >>>> >>>>updated_values = dict(zip(rid_range_attributes,[None]*3)) >>>> >>>>This would look better, IMO: >>>>updated_values = dict((attr, None) for attr in rid_range_attributes) >>>> >>>>Why do you need this dict pre-created anyway? You overwrite all keys here: >>>> >>>>+ for attr in rid_range_attributes: >>>>+ if attr in entry_attrs: >>>>+ updated_values[attr] = entry_attrs[attr] >>>>+ else: >>>>+ updated_values[attr] = int(old_attrs[attr][0]) >>>> >>>> >>>>3) [nitpick] We don't end ValidationError with '.': >>>> >>>>+ raise errors.ValidationError(name='ID Range setup', >>>>+ error=_("Primary rid range and secondary rid range"\ >>>>+ " cannot overlap.")) >>>> >>>>There is also a duplication of the same error message... 
>>>> >>>>4) The -mod operation will also crash: >>>> >>>># ipa idrange-add range9 --base-id=1000 --rid-base=1000 >>>>--secondary-rid-base=2000 --range-size 1000 >>>># ipa idrange-mod range9 --secondary-rid-base= >>>>ipa: ERROR: an internal error has occurred >>>> >>>>Martin >>>New patch version as well as diff between >>>patch versions (for your convenience) attached. >>> >>>Tomas >>1) You introduced mixed spaces and tabs - Python gods do not like that! >Oops, I'd rather send a fixed patch sooner than they bring down their >wrath on me. :) >>2) This is a nitpick, but there are too many redundant parens and brackets in >>this statement: >> >>+ if(any([attr is None for attr in [rid_base,secondary_rid_base, size]])): >>+ return False >> >>This would look nicer and would not create unnecessary list: >> >>+ if any(attr is None for attr in (rid_base, secondary_rid_base, size)): >>+ return False >Brackets reduced. >>3) Another construct I did not like very much: >> >>+ is_set = lambda x : (x in entry_attrs) and not (x is None) >> >>a) "x is not None" reads better than "not (x is None)" >>b) I would rather replace all is_set lambdas with use of "if >>entry_attrs.get('attribute')" which is also used in other places in ipalib >I don't think this approach would be beneficial. If any of rid_base, >secondary_rid_base, base_id, e.g. would be set to 0, the expression like > >/entry_attrs.get('base_id') > >/would be evaluated as False both in case that there is no key 'base_id' >in the dictionary and in the case that the value associated with the key >is 0. To avoid these problems, we would have to complicate conditions >used in if-s, and therefore make the readability worse. >/ >/ >>4) I see a suspicions check >> >>+ if (is_set('ipasecondarybaserid') != is_set('ipabaserid')): >> >>I though that ipasecondarybaserid is optional. 
With your change it is not: >> >># ipa idrange-add range9 --base-id=1000 --rid-base=1000 --range-size 1000 >>ipa: ERROR: invalid 'ID Range setup': Options secondary_rid_base and rid_base >>must be used together >> >>It is also quite ugly condition, I would do something like: >> >>if entry_attrs.get('ipasecondarybaserid') and not entry_attrs.get('ipabaserid'): >>... raise error >It's not a bug. It's a feature :) > >Secondary base RID indeed is mandatory when primary RID base has been >defined. >Its purpose is to prevent collisions when user and group share the >same POSIX ID number. > >From the documentation of idrange.py: > >/To create an ID range for the local domain it is not necessary to >specify a// >//domain SID. But since it is possible that a user and a group can >have the same// >//value as Posix ID a second RID interval is needed to handle conflicts. > >/ >>5) I would not create a list when it is not necessary, a tuple is more >>efficient I think: >> >>+ rid_range_attributes = >>['ipabaserid','ipasecondarybaserid','ipaidrangesize'] >Fixed. >>6) If we want to check user does not create secondary RID range without a >>primary RID range, we should also do it in -mod operation: >> >># ipa idrange-mod range9 --rid-base= >>-------------------------- >>Modified ID range "range9" >>-------------------------- >> Range name: range9 >> First Posix ID of the range: 1000 >> Number of IDs in the range: 1000 >> First RID of the secondary RID range: 2000 >> Range type: local domain range >This is fixed as part of my patch 0024 as it falls under the scope of >http://fedorahosted.org/freeipa/ticket/3170 > >I will send a rebased version later today. >>7) I am sorry I did not come with this in my previous review, but I have one >>more nitpick for the error message: >>+ error=_("Primary rid range and secondary rid range"\ >>+ " cannot overlap")) >> >>I would do s/rid/RID/ as we also refer it as RID in our help... >> >>Martin >Fixed. 
However, lower-case rid is used in ipa_range_check.c 389 plugin. >We might want to consider filing a naming convention ticket then. RID is RID as it is abbreviation of Relative ID. See http://msdn.microsoft.com/en-us/library/cc246018.aspx for details of SID (and RID as it is part of SID). -- / Alexander Bokovoy From tbabej at redhat.com Fri Dec 14 13:49:52 2012 
From: tbabej at redhat.com (Tomas Babej) Date: Fri, 14 Dec 2012 14:49:52 +0100 Subject: [Freeipa-devel] [PATCH 0021] Forbid overlapping rid ranges for the same id range In-Reply-To: <20121214125942.GJ10152@redhat.com> References: <508A9378.60208@redhat.com> <50C8A38B.8040401@redhat.com> <50C9B350.7010207@redhat.com> <50C9DCB1.8060808@redhat.com> <50CB2121.9070209@redhat.com> <20121214125942.GJ10152@redhat.com> Message-ID: <50CB2E80.2010706@redhat.com> On 12/14/2012 01:59 PM, Alexander Bokovoy wrote: > On Fri, 14 Dec 2012, Tomas Babej wrote: >> On 12/13/2012 02:48 PM, Martin Kosek wrote: >>> On 12/13/2012 11:52 AM, Tomas Babej wrote: >>>> On 12/12/2012 04:32 PM, Martin Kosek wrote: >>>>> On 10/26/2012 03:43 PM, Tomas Babej wrote: >>>>>> Hi, >>>>>> >>>>>> creating an id range with overlapping primary and secondary >>>>>> rid range using idrange-add or idrange-mod command now >>>>>> raises ValidationError. Unit tests have been added to >>>>>> test_range_plugin.py. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/3171 >>>>>> >>>>>> Tomas >>>>>> >>>>> 1) Add command can cause crash: >>>>> >>>>> # ipa idrange-add range9 --base-id=1000 --rid-base=1000 >>>>> --secondary-rid-base= >>>>> --range-size 1000 >>>>> ipa: ERROR: an internal error has occurred >>>>> >>>>> 2) I don't like this construct very much: >>>>> >>>>> updated_values = dict(zip(rid_range_attributes,[None]*3)) >>>>> >>>>> This would look better, IMO: >>>>> updated_values = dict((attr, None) for attr in rid_range_attributes) >>>>> >>>>> Why do you need this dict pre-created anyway? 
You overwrite all >>>>> keys here: >>>>> >>>>> + for attr in rid_range_attributes: >>>>> + if attr in entry_attrs: >>>>> + updated_values[attr] = entry_attrs[attr] >>>>> + else: >>>>> + updated_values[attr] = int(old_attrs[attr][0]) >>>>> >>>>> >>>>> 3) [nitpick] We don't end ValidationError with '.': >>>>> >>>>> + raise errors.ValidationError(name='ID Range >>>>> setup', >>>>> + error=_("Primary rid range and secondary >>>>> rid range"\ >>>>> + " cannot overlap.")) >>>>> >>>>> There is also a duplication of the same error message... >>>>> >>>>> 4) The -mod operation will also crash: >>>>> >>>>> # ipa idrange-add range9 --base-id=1000 --rid-base=1000 >>>>> --secondary-rid-base=2000 --range-size 1000 >>>>> # ipa idrange-mod range9 --secondary-rid-base= >>>>> ipa: ERROR: an internal error has occurred >>>>> >>>>> Martin >>>> New patch version as well as diff between >>>> patch versions (for your convenience) attached. >>>> >>>> Tomas >>> 1) You introduced mixed spaces and tabs - Python gods do not like that! >> Oops, I'd rather send a fixed patch sooner than they bring down their >> wrath on me. :) >>> 2) This is a nitpick, but there are too many redundant parens and >>> brackets in >>> this statement: >>> >>> + if(any([attr is None for attr in [rid_base,secondary_rid_base, >>> size]])): >>> + return False >>> >>> This would look nicer and would not create unnecessary list: >>> >>> + if any(attr is None for attr in (rid_base, secondary_rid_base, >>> size)): >>> + return False >> Brackets reduced. >>> 3) Another construct I did not like very much: >>> >>> + is_set = lambda x : (x in entry_attrs) and not (x is None) >>> >>> a) "x is not None" reads better than "not (x is None)" >>> b) I would rather replace all is_set lambdas with use of "if >>> entry_attrs.get('attribute')" which is also used in other places in >>> ipalib >> I don't think this approach would be beneficial. If any of rid_base, >> secondary_rid_base, base_id, e.g. 
would be set to 0, the expression like >> >> /entry_attrs.get('base_id') >> >> /would be evaluated as False both in case that there is no key 'base_id' >> in the dictionary and in the case that the value associated with the key >> is 0. To avoid these problems, we would have to complicate conditions >> used in if-s, and therefore make the readability worse. >> / >> / >>> 4) I see a suspicions check >>> >>> + if (is_set('ipasecondarybaserid') != >>> is_set('ipabaserid')): >>> >>> I though that ipasecondarybaserid is optional. With your change it >>> is not: >>> >>> # ipa idrange-add range9 --base-id=1000 --rid-base=1000 --range-size >>> 1000 >>> ipa: ERROR: invalid 'ID Range setup': Options secondary_rid_base and >>> rid_base >>> must be used together >>> >>> It is also quite ugly condition, I would do something like: >>> I see I forgot to react to this one. This construct is not introduced by this patch, and anyway, I personally like it, because it is an easy way of expressing that the condition is satisfied if and only if ipabaserid and ipasecondarybaserid are equivalent. >>> if entry_attrs.get('ipasecondarybaserid') and not >>> entry_attrs.get('ipabaserid'): >>> ... raise error >> It's not a bug. It's a feature :) >> >> Secondary base RID indeed is mandatory when primary RID base has been >> defined. >> Its purpose is to prevent collisions when user and group share the >> same POSIX ID number. >> >> From the documentation of idrange.py: >> >> /To create an ID range for the local domain it is not necessary to >> specify a// >> //domain SID. But since it is possible that a user and a group can >> have the same// >> //value as Posix ID a second RID interval is needed to handle conflicts. >> >> / >>> 5) I would not create a list when it is not necessary, a tuple is more >>> efficient I think: >>> >>> + rid_range_attributes = >>> ['ipabaserid','ipasecondarybaserid','ipaidrangesize'] >> Fixed. 
>>> 6) If we want to check user does not create secondary RID range >>> without a >>> primary RID range, we should also do it in -mod operation: >>> >>> # ipa idrange-mod range9 --rid-base= >>> -------------------------- >>> Modified ID range "range9" >>> -------------------------- >>> Range name: range9 >>> First Posix ID of the range: 1000 >>> Number of IDs in the range: 1000 >>> First RID of the secondary RID range: 2000 >>> Range type: local domain range >> This is fixed as part of my patch 0024 as it falls under the scope of >> http://fedorahosted.org/freeipa/ticket/3170 >> >> I will send a rebased version later today. >>> 7) I am sorry I did not come with this in my previous review, but I >>> have one >>> more nitpick for the error message: >>> + error=_("Primary rid range and secondary rid >>> range"\ >>> + " cannot overlap")) >>> >>> I would do s/rid/RID/ as we also refer it as RID in our help... >>> >>> Martin >> Fixed. However, lower-case rid is used in ipa_range_check.c 389 plugin. >> We might want to consider filing a naming convention ticket then. > RID is RID as it is abbreviation of Relative ID. > See http://msdn.microsoft.com/en-us/library/cc246018.aspx for details of > SID (and RID as it is part of SID). > Ok, I replaced rid range for RID range on all occasions. Updated patch attached :) Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0021-4-Forbid-overlapping-rid-ranges-for-the-same-id-range.patch Type: text/x-patch Size: 11761 bytes Desc: not available URL: From dpal at redhat.com Fri Dec 14 14:37:14 2012 
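The validation debated in the thread above (Tomas's point that `entry_attrs.get(attr)` cannot tell a value of 0 from a missing option, the rule that the primary and secondary RID bases must be given together, the empty-option crash in items 1 and 4 of the first review, and Martin's item 6 about applying the same rule on -mod) is shown below as an added, stand-alone Python example. It is not the patch from the thread; it goes one step beyond it by running the "used together" check on the merged add-or-mod values, which the thread says a later patch covers. Attribute names follow the thread; the stored-entry format (lists of strings, as LDAP returns them) and the error class are assumptions.

```python
"""Added example, not FreeIPA's idrange plugin: validate the RID-range options
of an ID range for both add and mod. Distinguishes "option not given" (None)
from a real value of 0, requires primary and secondary RID bases together, and
rejects overlapping RID ranges. old_attrs format (lists of strings) is assumed."""

RID_RANGE_ATTRIBUTES = ("ipabaserid", "ipasecondarybaserid", "ipaidrangesize")


class ValidationError(ValueError):
    """Stand-in for the plugin's validation error (assumption)."""


def is_set(attrs, attr):
    """True only when the option was given with a real value.
    `attrs.get(attr)` would wrongly treat a legitimate 0 like a missing key."""
    return attr in attrs and attrs[attr] is not None


def ranges_overlap(rid_base, secondary_rid_base, size):
    """Overlap test on the half-open intervals [base, base + size).
    If any part is unknown there is nothing to compare, so no overlap."""
    if any(value is None for value in (rid_base, secondary_rid_base, size)):
        return False
    return rid_base < secondary_rid_base + size and secondary_rid_base < rid_base + size


def merge_values(entry_attrs, old_attrs=None):
    """Effective values after the operation: new options win, then the stored
    entry (mod only), then None. An option given with an empty value
    (e.g. --secondary-rid-base=) arrives as None and clears the attribute."""
    values = {}
    for attr in RID_RANGE_ATTRIBUTES:
        if attr in entry_attrs:
            values[attr] = entry_attrs[attr]
        elif old_attrs is not None and attr in old_attrs:
            values[attr] = int(old_attrs[attr][0])   # LDAP value: list of strings
        else:
            values[attr] = None
    return values


def check_rid_ranges(entry_attrs, old_attrs=None):
    """Validate an idrange add (old_attrs None) or mod (old_attrs = stored
    entry). Raises ValidationError; returns the effective values otherwise."""
    values = merge_values(entry_attrs, old_attrs)

    # Both bases or neither: the secondary range exists to resolve user/group
    # POSIX ID collisions, so a primary RID base without it is incomplete.
    if is_set(values, "ipasecondarybaserid") != is_set(values, "ipabaserid"):
        raise ValidationError("Options secondary_rid_base and rid_base must be used together")

    if ranges_overlap(values["ipabaserid"], values["ipasecondarybaserid"],
                      values["ipaidrangesize"]):
        raise ValidationError("Primary RID range and secondary RID range cannot overlap")
    return values


def validation_error(entry_attrs, old_attrs=None):
    """Convenience wrapper: the error message, or None when the input is valid."""
    try:
        check_rid_ranges(entry_attrs, old_attrs)
    except ValidationError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # Constructed inputs mirroring the commands in the review.
    print(validation_error({"ipabaserid": 1000, "ipasecondarybaserid": 1000,
                            "ipaidrangesize": 1000}))
    print(validation_error({"ipabaserid": 1000, "ipasecondarybaserid": None,
                            "ipaidrangesize": 1000}))
    stored = {"ipabaserid": ["1000"], "ipasecondarybaserid": ["2000"],
              "ipaidrangesize": ["1000"]}
    print(validation_error({"ipasecondarybaserid": 1500}, stored))
```

The two bugs from the first review round are handled by the same mechanism: an option passed with an empty value becomes None, `merge_values` keeps it as None instead of crashing on it, and `ranges_overlap` refuses to compare anything that is None.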
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 14 Dec 2012 09:37:14 -0500 Subject: [Freeipa-devel] [PATCHES] 0107-0114 Fix Confusing ipa tool online help organization In-Reply-To: <50CB0DCF.7050102@redhat.com> References: <50C9F27E.50808@redhat.com> <50CA76D6.8090404@redhat.com> <50CB0DCF.7050102@redhat.com> Message-ID: <50CB399A.8020600@redhat.com> On 12/14/2012 06:30 AM, Petr Viktorin wrote: > On 12/14/2012 01:46 AM, Dmitri Pal wrote: >> On 12/13/2012 10:21 AM, Petr Viktorin wrote: >>> https://fedorahosted.org/freeipa/ticket/3060 >>> >>> Here is a collection of smallish fixes to `ipa help` and `ipa >>> --help`. >>> This should address most of Nikolai's proposal. >>> Additionally, it's now possible to run `ipa --help` without >>> a Kerberos ticket. And there are some new tests. >>> >>> I've not included the "Often used commands" in `ipa help`; I think >>> that is material for a manual/tutorial, not a help command. Selecting >>> a topic from `ipa topics` and then choosing a command from `ipa help >>> ` is a better way to use the help than the verbose `ipa help >>> commands` or proposed incomplete "Often used commands". >> >> Since the ticket has a bit of discussion and you indicate that you did >> not to address everything can you please extract what have been >> addressed and put it into a design page. >> I know it is not RFE but it would help to validate the changes by >> testers. >> Please put the wiki link into the ticket. >> > > http://freeipa.org/page/V3/Help > > Thanks! -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From pspacek at redhat.com Mon Dec 17 09:52:15 2012 
From: pspacek at redhat.com (Petr Spacek) Date: Mon, 17 Dec 2012 10:52:15 +0100 Subject: [Freeipa-devel] [PATCH 92] Flush whole zone from cache during zone renaming/removal. In-Reply-To: <20121213160720.GA27603@redhat.com> References: <50A52F2D.3070402@redhat.com> <20121204133625.GA13739@redhat.com> <50BF3D54.5050406@redhat.com> <20121213160720.GA27603@redhat.com> Message-ID: <50CEEB4F.6090602@redhat.com> On 12/13/2012 05:07 PM, Adam Tkac wrote: > On Wed, Dec 05, 2012 at 01:25:56PM +0100, Petr Spacek wrote: >> >On 12/04/2012 02:36 PM, Adam Tkac wrote: >>> > >On Thu, Nov 15, 2012 at 07:06:37PM +0100, Petr Spacek wrote: >>>>> > >>>Hello, >>>>> > >>> >>>>> > >>>attached patch is preliminary implementation of selective zone flush. >>>>> > >>> >>>>> > >>> >>>>> > >>>Implementation is not so straight-forward as I want to see. Before >>>>> > >>>discussing the patch itself - can we consider per-zone caches? In >>>>> > >>>that case, we can simply deallocate whole per-zone RBT and we are >>>>> > >>>done. >>>>> > >>> >>>>> > >>>Pros: >>>>> > >>>* Potentially better concurrency, simpler code, much less corner cases. >>>>> > >>> >>>>> > >>>Cons: >>>>> > >>>* We have to look into Zone register before searching the cache. >>>>> > >>>* It can limit concurrency ... with many extra small zones? I'm not sure. >>> > >Hi Peter, >>> > > >>> > >In my opinion per-zone caches are better. Look into zone register isn't >>> > >costly operation. >> >Second version of the patch with per-zone caches is attached. I cut >> >all debugging code so this version could be considered as final. > Ack Re-based on top of patch 106 and pushed to master and v2: b367091b867bc8541bb842b06a41fe70f1f3a001 -- Petr^2 Spacek From mkosek at redhat.com Mon Dec 17 14:57:57 2012 
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 17 Dec 2012 15:57:57 +0100
Subject: [Freeipa-devel] [PATCH 0021] Forbid overlapping rid ranges for the same id range
In-Reply-To: <50CB2E80.2010706@redhat.com>
References: <508A9378.60208@redhat.com> <50C8A38B.8040401@redhat.com> <50C9B350.7010207@redhat.com> <50C9DCB1.8060808@redhat.com> <50CB2121.9070209@redhat.com> <20121214125942.GJ10152@redhat.com> <50CB2E80.2010706@redhat.com>
Message-ID: <50CF32F5.4000409@redhat.com>

On 12/14/2012 02:49 PM, Tomas Babej wrote:
> On 12/14/2012 01:59 PM, Alexander Bokovoy wrote:
>> On Fri, 14 Dec 2012, Tomas Babej wrote:
>>> On 12/13/2012 02:48 PM, Martin Kosek wrote:
>>>> On 12/13/2012 11:52 AM, Tomas Babej wrote:
>>>>> On 12/12/2012 04:32 PM, Martin Kosek wrote:
>>>>>> On 10/26/2012 03:43 PM, Tomas Babej wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> creating an id range with overlapping primary and secondary rid range using idrange-add or idrange-mod command now raises ValidationError. Unit tests have been added to test_range_plugin.py.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/3171
>>>>>>>
>>>>>>> Tomas
>>>>>>>
>>>>>> 1) Add command can cause crash:
>>>>>>
>>>>>> # ipa idrange-add range9 --base-id=1000 --rid-base=1000 --secondary-rid-base= --range-size 1000
>>>>>> ipa: ERROR: an internal error has occurred
>>>>>>
>>>>>> 2) I don't like this construct very much:
>>>>>>
>>>>>> updated_values = dict(zip(rid_range_attributes,[None]*3))
>>>>>>
>>>>>> This would look better, IMO:
>>>>>> updated_values = dict((attr, None) for attr in rid_range_attributes)
>>>>>>
>>>>>> Why do you need this dict pre-created anyway? You overwrite all keys here:
>>>>>>
>>>>>> +        for attr in rid_range_attributes:
>>>>>> +            if attr in entry_attrs:
>>>>>> +                updated_values[attr] = entry_attrs[attr]
>>>>>> +            else:
>>>>>> +                updated_values[attr] = int(old_attrs[attr][0])
>>>>>>
>>>>>>
>>>>>> 3) [nitpick] We don't end ValidationError with '.':
>>>>>>
>>>>>> +            raise errors.ValidationError(name='ID Range setup',
>>>>>> +                error=_("Primary rid range and secondary rid range"\
>>>>>> +                        " cannot overlap."))
>>>>>>
>>>>>> There is also a duplication of the same error message...
>>>>>>
>>>>>> 4) The -mod operation will also crash:
>>>>>>
>>>>>> # ipa idrange-add range9 --base-id=1000 --rid-base=1000 --secondary-rid-base=2000 --range-size 1000
>>>>>> # ipa idrange-mod range9 --secondary-rid-base=
>>>>>> ipa: ERROR: an internal error has occurred
>>>>>>
>>>>>> Martin
>>>>> New patch version as well as diff between patch versions (for your convenience) attached.
>>>>>
>>>>> Tomas
>>>> 1) You introduced mixed spaces and tabs - Python gods do not like that!
>>> Oops, I'd rather send a fixed patch sooner than they bring down their wrath on me. :)
>>>> 2) This is a nitpick, but there are too many redundant parens and brackets in this statement:
>>>>
>>>> +        if(any([attr is None for attr in [rid_base,secondary_rid_base, size]])):
>>>> +            return False
>>>>
>>>> This would look nicer and would not create an unnecessary list:
>>>>
>>>> +        if any(attr is None for attr in (rid_base, secondary_rid_base, size)):
>>>> +            return False
>>> Brackets reduced.
>>>> 3) Another construct I did not like very much:
>>>>
>>>> +        is_set = lambda x : (x in entry_attrs) and not (x is None)
>>>>
>>>> a) "x is not None" reads better than "not (x is None)"
>>>> b) I would rather replace all is_set lambdas with use of "if entry_attrs.get('attribute')" which is also used in other places in ipalib
>>> I don't think this approach would be beneficial. If any of rid_base, secondary_rid_base, base_id, e.g. would be set to 0, the expression like
>>>
>>> entry_attrs.get('base_id')
>>>
>>> would be evaluated as False both in the case that there is no key 'base_id' in the dictionary and in the case that the value associated with the key is 0. To avoid these problems, we would have to complicate conditions used in if-s, and therefore make the readability worse.
>>>
>>>> 4) I see a suspicious check
>>>>
>>>> +        if (is_set('ipasecondarybaserid') != is_set('ipabaserid')):
>>>>
>>>> I thought that ipasecondarybaserid is optional. With your change it is not:
>>>>
>>>> # ipa idrange-add range9 --base-id=1000 --rid-base=1000 --range-size 1000
>>>> ipa: ERROR: invalid 'ID Range setup': Options secondary_rid_base and rid_base must be used together
>>>>
>>>> It is also quite an ugly condition, I would do something like:
>>>>
> I see I forgot to react to this one. This construct is not introduced by this patch, and anyway, I personally like it, because it is an easy way of expressing that the condition is satisfied if and only if ipabaserid and ipasecondarybaserid are equivalent.
>
>>>> if entry_attrs.get('ipasecondarybaserid') and not entry_attrs.get('ipabaserid'):
>>>>     ... raise error
>>> It's not a bug. It's a feature :)
>>>
>>> Secondary base RID indeed is mandatory when primary RID base has been defined. Its purpose is to prevent collisions when user and group share the same POSIX ID number.
>>>
>>> From the documentation of idrange.py:
>>>
>>> To create an ID range for the local domain it is not necessary to specify a domain SID. But since it is possible that a user and a group can have the same value as Posix ID a second RID interval is needed to handle conflicts.
>>>
>>>> 5) I would not create a list when it is not necessary, a tuple is more efficient I think:
>>>>
>>>> +        rid_range_attributes = ['ipabaserid','ipasecondarybaserid','ipaidrangesize']
>>> Fixed.
>>>> 6) If we want to check user does not create secondary RID range without a primary RID range, we should also do it in -mod operation:
>>>>
>>>> # ipa idrange-mod range9 --rid-base=
>>>> --------------------------
>>>> Modified ID range "range9"
>>>> --------------------------
>>>> Range name: range9
>>>> First Posix ID of the range: 1000
>>>> Number of IDs in the range: 1000
>>>> First RID of the secondary RID range: 2000
>>>> Range type: local domain range
>>> This is fixed as part of my patch 0024 as it falls under the scope of http://fedorahosted.org/freeipa/ticket/3170
>>>
>>> I will send a rebased version later today.
>>>> 7) I am sorry I did not come with this in my previous review, but I have one more nitpick for the error message:
>>>>
>>>> +                error=_("Primary rid range and secondary rid range"\
>>>> +                        " cannot overlap"))
>>>>
>>>> I would do s/rid/RID/ as we also refer to it as RID in our help...
>>>>
>>>> Martin
>>> Fixed. However, lower-case rid is used in ipa_range_check.c 389 plugin.
>>> We might want to consider filing a naming convention ticket then.
>> RID is RID as it is an abbreviation of Relative ID.
>> See http://msdn.microsoft.com/en-us/library/cc246018.aspx for details of SID (and RID as it is part of SID).
>>
> Ok, I replaced rid range with RID range on all occasions.
>
> Updated patch attached :)
>
> Tomas

Ok, this looks good. I just removed extraneous parens in "if (...):" as we agreed to.

ACK. Pushed to master, ipa-3-1.

Martin

From pviktori at redhat.com Mon Dec 17 15:08:51 2012
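The RID range checks argued over in the review above (an `is_set` test that must treat 0 as a real value, the overlap check, and the -mod case that merges stored LDAP values with the ones being written), as an added stand-alone example rather than the FreeIPA patch itself. Function names such as `validate_rid_ranges()` and `rid_range_error()` and the local `ValidationError` stand-in are assumptions; the attribute names are the ones quoted in the review, and the sample values are constructed.

```python
"""RID range validation, written as an added example (not FreeIPA's code).

Names such as validate_rid_ranges(), rid_range_error() and the local
ValidationError class are assumptions; the attribute names come from the review.
"""

RID_RANGE_ATTRIBUTES = ('ipabaserid', 'ipasecondarybaserid', 'ipaidrangesize')


class ValidationError(ValueError):
    """Stand-in for ipalib's errors.ValidationError (assumed shape)."""

    def __init__(self, name, error):
        super().__init__("invalid '%s': %s" % (name, error))
        self.name = name
        self.error = error


def is_set(attrs, name):
    """True when the attribute is present with a real value.

    0 is a valid RID base, so a plain `attrs.get(name)` truth test would
    report it as unset; comparing against None avoids that.
    """
    return name in attrs and attrs[name] is not None


def rid_ranges_overlap(rid_base, secondary_rid_base, size):
    """True if [rid_base, rid_base+size) meets [secondary, secondary+size).

    With any value missing there is nothing to compare, so the answer is
    False (a local range may legitimately have no RID bases at all).
    """
    if any(attr is None for attr in (rid_base, secondary_rid_base, size)):
        return False
    return (rid_base < secondary_rid_base + size
            and secondary_rid_base < rid_base + size)


def merge_rid_attributes(entry_attrs, old_attrs=None):
    """Values being written, completed with the stored ones on -mod.

    old_attrs mimics an LDAP entry: every value is a list of strings. An
    option given empty on the command line (--secondary-rid-base=) arrives
    as None and is kept as None, so it clears the attribute instead of
    crashing the checks below.
    """
    old_attrs = old_attrs or {}
    merged = {}
    for attr in RID_RANGE_ATTRIBUTES:
        if attr in entry_attrs:
            merged[attr] = entry_attrs[attr]
        elif attr in old_attrs:
            merged[attr] = int(old_attrs[attr][0])
        else:
            merged[attr] = None
    return merged


def validate_rid_ranges(entry_attrs, old_attrs=None):
    """Apply both checks from the review and return the merged values."""
    values = merge_rid_attributes(entry_attrs, old_attrs)
    # Primary and secondary RID base are only meaningful together.
    if is_set(values, 'ipasecondarybaserid') != is_set(values, 'ipabaserid'):
        raise ValidationError(
            name='ID Range setup',
            error='Options secondary_rid_base and rid_base must be used together')
    if rid_ranges_overlap(values['ipabaserid'], values['ipasecondarybaserid'],
                          values['ipaidrangesize']):
        raise ValidationError(
            name='ID Range setup',
            error='Primary RID range and secondary RID range cannot overlap')
    return values


def rid_range_error(entry_attrs, old_attrs=None):
    """The validation message, or None when the ranges are acceptable."""
    try:
        validate_rid_ranges(entry_attrs, old_attrs)
    except ValidationError as exc:
        return exc.error
    return None


if __name__ == '__main__':
    # Constructed sample: the two crashes reported in the review, now rejected
    # cleanly, plus a 0 base that a truthiness test would have treated as unset.
    stored = {'ipabaserid': ['1000'], 'ipasecondarybaserid': ['2000'],
              'ipaidrangesize': ['1000']}
    print(rid_range_error({'ipabaserid': 1000, 'ipasecondarybaserid': None,
                           'ipaidrangesize': 1000}))
    print(rid_range_error({'ipasecondarybaserid': None}, stored))
    print(rid_range_error({'ipabaserid': 0, 'ipasecondarybaserid': 1000,
                           'ipaidrangesize': 1000}))
```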
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 17 Dec 2012 16:08:51 +0100
Subject: [Freeipa-devel] [PATCHES] 0022, 0115-0116 Make Sudo commands case-sensitive
In-Reply-To: <4F58D6E8.7040202@redhat.com>
References: <4F58D6E8.7040202@redhat.com>
Message-ID: <50CF3583.3060700@redhat.com>

https://fedorahosted.org/freeipa/ticket/2482

The first two patches are rebased from what I sent back in March; the third fixes ACIs using targetfilter.

-- 
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0022-03-Use-ipauniqueid-for-the-RDN-of-sudo-commands.patch
Type: text/x-patch
Size: 14259 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0115-Prevent-a-sudo-command-from-being-deleted-if-it-is-a.patch
Type: text/x-patch
Size: 5893 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0116-Update-sudocmd-ACIs-to-use-targetfilter.patch
Type: text/x-patch
Size: 4535 bytes

From mkosek at redhat.com Tue Dec 18 12:41:38 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 18 Dec 2012 13:41:38 +0100
Subject: [Freeipa-devel] [PATCH] 343 Enable SSSD on client install
Message-ID: <50D06482.5000605@redhat.com>

authconfig component changed its behavior. It no longer starts and enables SSSD daemon when --enablesssd and --enablesssdauth options are used. It only enables the PAM module and adds SSSD to nsswitch.

Enable SSSD on new client/server installs manually. Also make sure that we stop&disable SSSD when we delete the configuration.

https://fedorahosted.org/freeipa/ticket/3307

-- 
Martin Kosek
Senior Software Engineer - Identity Management Team
Red Hat Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-343-enable-sssd-on-client-install.patch
Type: text/x-patch
Size: 2273 bytes

From jcholast at redhat.com Tue Dec 18 15:56:07 2012
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 18 Dec 2012 16:56:07 +0100
Subject: [Freeipa-devel] [PATCH] 343 Enable SSSD on client install
In-Reply-To: <50D06482.5000605@redhat.com>
References: <50D06482.5000605@redhat.com>
Message-ID: <50D09217.9050103@redhat.com>

Hi,

On 18.12.2012 13:41, Martin Kosek wrote:
> authconfig component changed its behavior. It no longer starts and enables SSSD daemon when --enablesssd and --enablesssdauth options are used. It only enables the PAM module and adds SSSD to nsswitch.
>
> Enable SSSD on new client/server installs manually. Also make sure that we stop&disable SSSD when we delete the configuration.
>
> https://fedorahosted.org/freeipa/ticket/3307
>

ACK.

Honza

-- 
Jan Cholasta

From mkosek at redhat.com Tue Dec 18 16:51:32 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 18 Dec 2012 17:51:32 +0100
Subject: [Freeipa-devel] [PATCH] 343 Enable SSSD on client install
In-Reply-To: <50D09217.9050103@redhat.com>
References: <50D06482.5000605@redhat.com> <50D09217.9050103@redhat.com>
Message-ID: <50D09F14.8000800@redhat.com>

On 12/18/2012 04:56 PM, Jan Cholasta wrote:
> Hi,
>
> On 18.12.2012 13:41, Martin Kosek wrote:
>> authconfig component changed its behavior. It no longer starts and enables SSSD daemon when --enablesssd and --enablesssdauth options are used. It only enables the PAM module and adds SSSD to nsswitch.
>>
>> Enable SSSD on new client/server installs manually. Also make sure that we stop&disable SSSD when we delete the configuration.
>>
>> https://fedorahosted.org/freeipa/ticket/3307
>>
>
> ACK.
>
> Honza
>

Pushed to master, ipa-3-1, ipa-3-0.

Martin

From simo at redhat.com Wed Dec 19 01:28:57 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 18 Dec 2012 20:28:57 -0500
Subject: [Freeipa-devel] [PATCH] Spit out info on http connect failure.
Message-ID: <1355880537.2894.19.camel@willson.li.ssimo.org>

In a code base far far away ... or maybe not.
... deep in the bowels of our HTTP connection backend routines ... it so happens that we are throwing away an exception.

So here is an almost one-liner that cheered me up as it unveiled the mystery of a client failing to join a replica.

Cheers,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-503-1-Log-info-on-failure-to-connect.patch
Type: text/x-patch
Size: 940 bytes

From mkosek at redhat.com Wed Dec 19 08:53:15 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 19 Dec 2012 09:53:15 +0100
Subject: [Freeipa-devel] [PATCH] Spit out info on http connect failure.
In-Reply-To: <1355880537.2894.19.camel@willson.li.ssimo.org>
References: <1355880537.2894.19.camel@willson.li.ssimo.org>
Message-ID: <50D1807B.4090103@redhat.com>

On 12/19/2012 02:28 AM, Simo Sorce wrote:
> In a code base far far away ... or maybe not.
> ... deep in the bowels of our HTTP connection backend routines ... it so happens that we are throwing away an exception.
>
> So here is an almost one-liner that cheered me up as it unveiled the mystery of a client failing to join a replica.
>
> Cheers,
> Simo.
>

This is a very useful patch. I know it because I yesterday investigated the same issue as you and hit the same lack of logging.

I just changed the line to:

self.log.info('Connection to %s failed with %s', url, e)

to match our logging style and avoid formatting the logged string unless it's actually used.

ACK. Pushed to master, ipa-3-1.

Martin

From mkosek at redhat.com Wed Dec 19 14:44:23 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 19 Dec 2012 15:44:23 +0100
Subject: [Freeipa-devel] [PATCH] 344 Fix delegation-find command --group handling
Message-ID: <50D1D2C7.7010903@redhat.com>

A wrong way of handling --group DN object caused Internal Error for this command. Fix that and also provide unit tests to avoid another regression.

https://fedorahosted.org/freeipa/ticket/3311

-- 
Martin Kosek
Senior Software Engineer - Identity Management Team
Red Hat Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-344-fix-delegation-find-command-group-handling.patch
Type: text/x-patch
Size: 3145 bytes

From pviktori at redhat.com Wed Dec 19 15:06:26 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Wed, 19 Dec 2012 16:06:26 +0100
Subject: [Freeipa-devel] [PATCH] 344 Fix delegation-find command --group handling
In-Reply-To: <50D1D2C7.7010903@redhat.com>
References: <50D1D2C7.7010903@redhat.com>
Message-ID: <50D1D7F2.1010701@redhat.com>

On 12/19/2012 03:44 PM, Martin Kosek wrote:
> A wrong way of handling --group DN object caused Internal Error for this command. Fix that and also provide unit tests to avoid another regression.
>
> https://fedorahosted.org/freeipa/ticket/3311
>
>

ACK

-- 
Petr³

From mkosek at redhat.com Wed Dec 19 15:33:57 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 19 Dec 2012 16:33:57 +0100
Subject: [Freeipa-devel] [PATCH] 344 Fix delegation-find command --group handling
In-Reply-To: <50D1D7F2.1010701@redhat.com>
References: <50D1D2C7.7010903@redhat.com> <50D1D7F2.1010701@redhat.com>
Message-ID: <50D1DE65.5060702@redhat.com>

On 12/19/2012 04:06 PM, Petr Viktorin wrote:
> On 12/19/2012 03:44 PM, Martin Kosek wrote:
>> A wrong way of handling --group DN object caused Internal Error for this command. Fix that and also provide unit tests to avoid another regression.
>>
>> https://fedorahosted.org/freeipa/ticket/3311
>>
>>
>
> ACK
>

Pushed to master, ipa-3-1, ipa-3-0.

Martin

From jdennis at redhat.com Wed Dec 19 18:36:40 2012
From: jdennis at redhat.com (John Dennis)
Date: Wed, 19 Dec 2012 13:36:40 -0500
Subject: [Freeipa-devel] [PATCH 83] Cookie Expires date should be locale insensitive
Message-ID: <50D20938.5020101@redhat.com>

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jdennis-0083-Cookie-Expires-date-should-be-locale-insensitive.patch
Type: text/x-patch
Size: 7071 bytes

From JR.Aquino at citrix.com Wed Dec 19 20:52:46 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 19 Dec 2012 20:52:46 +0000
Subject: [Freeipa-devel] [PATCH] 0043 Allow-PKI-CA-Replica-Installs-when-CRL-exceeds-default
Message-ID: <1148EF9A-1016-4852-BD78-7B4389EEC7A3@citrixonline.com>

Due to a limitation with 389 DS, the nsslapd-maxbersize cannot be set dynamically.
This causes an issue during IPA PKI-CA Replica installs, when the master has a CRL that exceeds the default limit.
The cainstance.py code attempts to set this value prior to performing the initial PKI-CA replication, however, since the value cannot be set dynamically, the installation fails.

This patch works around the issue by adding the ldif to the original initialization values bootstrapped by the call to setup-ds.pl

FreeIPA Ticket: https://fedorahosted.org/freeipa/ticket/3314
Upstream 389 Ticket: https://fedorahosted.org/389/ticket/542

"Keeping your head in the cloud"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JR Aquino
Senior Information Security Specialist, Technical Operations
T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
GIAC Certified Exploit Researcher and Advanced Penetration Tester | GIAC WebApplication Penetration Tester | GIAC Certified Incident Handler
JR.Aquino at citrix.com
Powering mobile workstyles and cloud services

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0043-Allow-PKI-CA-Replica-Installs-when-CRL-exceeds-default.patch
Type: application/octet-stream
Size: 839 bytes

From simo at redhat.com Wed Dec 19 22:32:33 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 19 Dec 2012 17:32:33 -0500
Subject: [Freeipa-devel] [PATCH] 0043 Allow-PKI-CA-Replica-Installs-when-CRL-exceeds-default
In-Reply-To: <1148EF9A-1016-4852-BD78-7B4389EEC7A3@citrixonline.com>
References: <1148EF9A-1016-4852-BD78-7B4389EEC7A3@citrixonline.com>
Message-ID: <1355956353.2894.38.camel@willson.li.ssimo.org>

On Wed, 2012-12-19 at 20:52 +0000, JR Aquino wrote:
> Due to a limitation with 389 DS, the nsslapd-maxbersize cannot be set dynamically.
> This causes an issue during IPA PKI-CA Replica installs, when the master has a CRL that exceeds the default limit.
> The cainstance.py code attempts to set this value prior to performing the initial PKI-CA replication, however, since the value cannot be set dynamically, the installation fails.
>
> This patch works around the issue by adding the ldif to the original initialization values bootstrapped by the call to setup-ds.pl

Why are we not simply restarting the instance after setting the value ?

What's in database.ldif ? What produces it ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From JR.Aquino at citrix.com Wed Dec 19 22:41:24 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 19 Dec 2012 22:41:24 +0000
Subject: [Freeipa-devel] [PATCH] 0043 Allow-PKI-CA-Replica-Installs-when-CRL-exceeds-default
In-Reply-To: <1355956353.2894.38.camel@willson.li.ssimo.org>
References: <1148EF9A-1016-4852-BD78-7B4389EEC7A3@citrixonline.com> <1355956353.2894.38.camel@willson.li.ssimo.org>
Message-ID: <09B4CD8E-23A9-46F5-B5F5-7245B3B937B5@citrixonline.com>

On Dec 19, 2012, at 2:32 PM, Simo Sorce wrote:

> On Wed, 2012-12-19 at 20:52 +0000, JR Aquino wrote:
>> Due to a limitation with 389 DS, the nsslapd-maxbersize cannot be set dynamically.
>> This causes an issue during IPA PKI-CA Replica installs, when the master has a CRL that exceeds the default limit.
>> The cainstance.py code attempts to set this value prior to performing the initial PKI-CA replication, however, since the value cannot be set dynamically, the installation fails.
>>
>> This patch works around the issue by adding the ldif to the original initialization values bootstrapped by the call to setup-ds.pl
>
> Why are we not simply restarting the instance after setting the value ?
>
> What's in database.ldif ? What produces it ?

/usr/share/pki/ca/conf/database.ldif is part of the dogtag installation and it contains the following entry:

dn: cn=config
changetype: modify
replace: nsslapd-maxbersize
nsslapd-maxbersize: 209715200

Its purpose is to increase the limit for maxbersize from 2097152 to 209715200.

The ldif is inserted via the jars that are wrapped by pkisilent... So this leaves 3 options:

#1 Add code to perform the ldap insert followed by a dirsrv restart into the cainstance.py code
#2 Add recode the jar files from DogTag to require a dirsrv restart after the insert, but prior to the replication
#3 Just initialize the dirsrv database with the correct value to begin with. <1 line fix>
#4 Ask 389 to allow maxbersize to be a dynamically initialized variable

#3 Seemed the path of least resistance.
I did take the time to code #1 and verify that it worked as well.
I have a ticket open for #4
Alee hinted that the jar modifications for #2 might not be trivial...

> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

From simo at redhat.com Thu Dec 20 02:35:35 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 19 Dec 2012 21:35:35 -0500
Subject: [Freeipa-devel] [PATCH] 0043 Allow-PKI-CA-Replica-Installs-when-CRL-exceeds-default
In-Reply-To: <09B4CD8E-23A9-46F5-B5F5-7245B3B937B5@citrixonline.com>
References: <1148EF9A-1016-4852-BD78-7B4389EEC7A3@citrixonline.com> <1355956353.2894.38.camel@willson.li.ssimo.org> <09B4CD8E-23A9-46F5-B5F5-7245B3B937B5@citrixonline.com>
Message-ID: <1355970935.2894.40.camel@willson.li.ssimo.org>

On Wed, 2012-12-19 at 22:41 +0000, JR Aquino wrote:
> On Dec 19, 2012, at 2:32 PM, Simo Sorce wrote:
>
>> On Wed, 2012-12-19 at 20:52 +0000, JR Aquino wrote:
>>> Due to a limitation with 389 DS, the nsslapd-maxbersize cannot be set dynamically.
>>> This causes an issue during IPA PKI-CA Replica installs, when the master has a CRL that exceeds the default limit.
>>> The cainstance.py code attempts to set this value prior to performing the initial PKI-CA replication, however, since the value cannot be set dynamically, the installation fails.
>>>
>>> This patch works around the issue by adding the ldif to the original initialization values bootstrapped by the call to setup-ds.pl
>>
>> Why are we not simply restarting the instance after setting the value ?
>>
>> What's in database.ldif ? What produces it ?
>
> /usr/share/pki/ca/conf/database.ldif is part of the dogtag installation and it contains the following entry:
> dn: cn=config
> changetype: modify
> replace: nsslapd-maxbersize
> nsslapd-maxbersize: 209715200
>
> Its purpose is to increase the limit for maxbersize from 2097152 to 209715200.
>
> The ldif is inserted via the jars that are wrapped by pkisilent... So this leaves 3 options:
>
> #1 Add code to perform the ldap insert followed by a dirsrv restart into the cainstance.py code
> #2 Add recode the jar files from DogTag to require a dirsrv restart after the insert, but prior to the replication
> #3 Just initialize the dirsrv database with the correct value to begin with. <1 line fix>
> #4 Ask 389 to allow maxbersize to be a dynamically initialized variable
>
> #3 Seemed the path of least resistance.
> I did take the time to code #1 and verify that it worked as well.
> I have a ticket open for #4
> Alee hinted that the jar modifications for #2 might not be trivial...

Method #3 is ok, but for master, where we have unified ds instances, you should look at doing it as we do change other similar attributes in install/updates/10-config.update so that older installations are updated as well.
If you do it only at install and the CRL grows later you'd get older servers start choking because they have not been updated.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From sbose at redhat.com Thu Dec 20 11:13:11 2012
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 20 Dec 2012 12:13:11 +0100
Subject: [Freeipa-devel] [PATCH 83] Cookie Expires date should be locale insensitive
In-Reply-To: <50D20938.5020101@redhat.com>
References: <50D20938.5020101@redhat.com>
Message-ID: <20121220111311.GY22856@localhost.localdomain>

On Wed, Dec 19, 2012 at 01:36:40PM -0500, John Dennis wrote:
>
> --
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

Patch is working as expected and the code looks good to me. I just have a minor comment. I think 'import time' can be removed from both files. Although it looks like it wasn't used even before your patch I wonder if you can add the removal here?

bye,
Sumit

From mkosek at redhat.com Thu Dec 20 11:24:13 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 20 Dec 2012 12:24:13 +0100
Subject: [Freeipa-devel] [PATCH 83] Cookie Expires date should be locale insensitive
In-Reply-To: <50D20938.5020101@redhat.com>
References: <50D20938.5020101@redhat.com>
Message-ID: <50D2F55D.6080303@redhat.com>

On 12/19/2012 07:36 PM, John Dennis wrote:
>

I tested the patch on RHEL platform and it works fine and removes the annoying error. My comments on the patch:

1) I do not think it's necessary to write target branches to commit message. Also there is a typo: ipapython/cooke.py

2) As for the tests - could we for example try setting non-US locale in the test to verify that cookie lib is locale independent? Python has means to do that, (import locale; locale.setlocale(locale.LC_ALL, 'cs_CZ')). But this is not a blocker for this patch.

I am sure that Petr^3 will have more comments on the code as he is reviewing it too :-)

Martin

From pviktori at redhat.com Thu Dec 20 11:35:45 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 20 Dec 2012 12:35:45 +0100
Subject: [Freeipa-devel] [PATCH 83] Cookie Expires date should be locale insensitive
In-Reply-To: <50D20938.5020101@redhat.com>
References: <50D20938.5020101@redhat.com>
Message-ID: <50D2F811.2010205@redhat.com>

On 12/19/2012 07:36 PM, John Dennis wrote:
>
> The Expires attribute in a cookie is supposed to follow the RFC 822 (superseded by RFC 1123) date format. That format includes a weekday abbreviation (e.g. Tue) which must be in English according to the RFC's.
>
> ipapython/cooke.py has methods to parse and format the Expires attribute but they were based on strptime() and strftime() which respects the locale. If a non-English locale is in effect the wrong date string will be produced and/or it won't be able to parse the date string.
>
> The fix is to use the date parsing and formatting functions from email.utils which specifically follow the RFC's and are not locale sensitive.
>
> This patch also updates the unit test to use email.utils as well.
>
> The patch should be applied to the following branches:
>
> master, 3.0, 3.1
>
> Ticket: https://fedorahosted.org/freeipa/ticket/3313

This solves the issue for me. It's better than what's there now, so it's OK as a hotfix. However, I did find something to discuss.

Your comment references RFC 1123, which doesn't seem relevant at all. The cookie Expires header is defined in RFC 6265 (section 5.1.1), but email.utils.parsedate uses syntax defined in RFC 2822. Apparently the two are equivalent for common usage, but RFC 6265 specifies a more complicated algorithm. Shouldn't we follow it?

To nitpick, I'm not a fan of including target branches in the commit message (they should be in the accompanying e-mail), or of documenting past bugs as comments in the code (git log/blame works better for checking history).

-- 
Petr³

From alee at redhat.com Thu Dec 20 14:39:36 2012
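The locale problem from the commit message quoted above and Petr's RFC 6265 versus RFC 2822 question, as an added example that is not the FreeIPA patch: `strftime()` under a non-English locale, the `email.utils` fix, and a parser that follows the RFC 6265 section 5.1.1 algorithm (which also accepts token orders the RFC 2822 parser rejects). The function names are assumptions and the sample date is constructed.

```python
import calendar
import locale
import re
from datetime import datetime, timezone
from email.utils import formatdate, mktime_tz, parsedate_tz

COOKIE_DATE = 'Wed, 19 Dec 2012 18:36:40 GMT'  # constructed sample value

# RFC 6265 section 5.1.1: a cookie-date is split into date-tokens at these
# delimiter octets; each token is then tried as time, day, month and year.
DELIMITERS = re.compile(r'[\x09\x20-\x2f\x3b-\x40\x5b-\x60\x7b-\x7e]+')
TIME_RE = re.compile(r'^(\d{1,2}):(\d{1,2}):(\d{1,2})(?:\D|$)')
DAY_RE = re.compile(r'^(\d{1,2})(?:\D|$)')
YEAR_RE = re.compile(r'^(\d{2,4})(?:\D|$)')
MONTHS = ('jan', 'feb', 'mar', 'apr', 'may', 'jun',
          'jul', 'aug', 'sep', 'oct', 'nov', 'dec')


def strftime_under_locale(dt, locale_name):
    """The bug: strftime() spells weekday and month names per LC_TIME.

    Returns None when the requested locale is not installed locally.
    """
    saved = locale.setlocale(locale.LC_TIME)
    try:
        locale.setlocale(locale.LC_TIME, locale_name)
    except locale.Error:
        return None
    try:
        return dt.strftime('%a, %d %b %Y %H:%M:%S GMT')
    finally:
        locale.setlocale(locale.LC_TIME, saved)


def format_cookie_date(dt):
    """The fix: email.utils always emits English names and 'GMT'."""
    return formatdate(calendar.timegm(dt.utctimetuple()), usegmt=True)


def parse_rfc2822_date(text):
    """email.utils' RFC 2822 parser as an aware UTC datetime (None on failure)."""
    parsed = parsedate_tz(text)
    if parsed is None:
        return None
    # No zone given: read it as UTC rather than local time, as cookies do.
    stamp = mktime_tz(parsed) if parsed[9] is not None else calendar.timegm(parsed[:9])
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def parse_cookie_date(text):
    """RFC 6265 section 5.1.1 cookie-date parsing (None when it fails).

    Tokens may appear in any order; the first match of each kind wins.
    """
    hour = minute = second = day = month = year = None
    for token in DELIMITERS.split(text):
        if not token:
            continue
        match = TIME_RE.match(token) if hour is None else None
        if match:
            hour, minute, second = (int(g) for g in match.groups())
            continue
        match = DAY_RE.match(token) if day is None else None
        if match:
            day = int(match.group(1))
            continue
        if month is None and token[:3].lower() in MONTHS:
            month = MONTHS.index(token[:3].lower()) + 1
            continue
        match = YEAR_RE.match(token) if year is None else None
        if match:
            year = int(match.group(1))
    if None in (hour, day, month, year):
        return None
    if 70 <= year <= 99:      # two-digit years, per step 3 of the algorithm
        year += 1900
    elif year <= 69:
        year += 2000
    if not 1 <= day <= 31 or year < 1601 or hour > 23 or minute > 59 or second > 59:
        return None
    try:
        return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    except ValueError:        # e.g. 31 Feb: the date does not exist
        return None


if __name__ == '__main__':
    when = parse_cookie_date(COOKIE_DATE)
    print(strftime_under_locale(when, 'cs_CZ.UTF-8'))   # non-English names if installed
    print(format_cookie_date(when))                     # English regardless of locale
    print(parse_rfc2822_date('18:36:40 19 Dec 2012'))   # None: RFC 2822 order only
    print(parse_cookie_date('18:36:40 19 Dec 2012'))    # accepted by RFC 6265
```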
From: alee at redhat.com (Ade Lee)
Date: Thu, 20 Dec 2012 09:39:36 -0500
Subject: [Freeipa-devel] [PATCH] 0043 Allow-PKI-CA-Replica-Installs-when-CRL-exceeds-default
In-Reply-To: <1355970935.2894.40.camel@willson.li.ssimo.org>
References: <1148EF9A-1016-4852-BD78-7B4389EEC7A3@citrixonline.com> <1355956353.2894.38.camel@willson.li.ssimo.org> <09B4CD8E-23A9-46F5-B5F5-7245B3B937B5@citrixonline.com> <1355970935.2894.40.camel@willson.li.ssimo.org>
Message-ID: <1356014377.15924.50.camel@aleeredhat.laptop>

On Wed, 2012-12-19 at 21:35 -0500, Simo Sorce wrote:
> On Wed, 2012-12-19 at 22:41 +0000, JR Aquino wrote:
>> On Dec 19, 2012, at 2:32 PM, Simo Sorce wrote:
>>
>>> On Wed, 2012-12-19 at 20:52 +0000, JR Aquino wrote:
>>>> Due to a limitation with 389 DS, the nsslapd-maxbersize cannot be set dynamically.
>>>> This causes an issue during IPA PKI-CA Replica installs, when the master has a CRL that exceeds the default limit.
>>>> The cainstance.py code attempts to set this value prior to performing the initial PKI-CA replication, however, since the value cannot be set dynamically, the installation fails.
>>>>
>>>> This patch works around the issue by adding the ldif to the original initialization values bootstrapped by the call to setup-ds.pl
>>>
>>> Why are we not simply restarting the instance after setting the value ?
>>>
>>> What's in database.ldif ? What produces it ?
>>
>> /usr/share/pki/ca/conf/database.ldif is part of the dogtag installation and it contains the following entry:
>> dn: cn=config
>> changetype: modify
>> replace: nsslapd-maxbersize
>> nsslapd-maxbersize: 209715200
>>
>> Its purpose is to increase the limit for maxbersize from 2097152 to 209715200.
>>
>> The ldif is inserted via the jars that are wrapped by pkisilent... So this leaves 3 options:
>>
>> #1 Add code to perform the ldap insert followed by a dirsrv restart into the cainstance.py code
>> #2 Add recode the jar files from DogTag to require a dirsrv restart after the insert, but prior to the replication
>> #3 Just initialize the dirsrv database with the correct value to begin with. <1 line fix>
>> #4 Ask 389 to allow maxbersize to be a dynamically initialized variable
>>
>> #3 Seemed the path of least resistance.
>> I did take the time to code #1 and verify that it worked as well.
>> I have a ticket open for #4
>> Alee hinted that the jar modifications for #2 might not be trivial...
>
> Method #3 is ok, but for master, where we have unified ds instances, you should look at doing it as we do change other similar attributes in install/updates/10-config.update so that older installations are updated as well.
> If you do it only at install and the CRL grows later you'd get older servers start choking because they have not been updated.
>

Are you referring to masters which have been converted from non-unified DS to a single DS using an as-yet-to-be-written script?

The ldif change mentioned above is already performed as part of the dogtag install. For a freshly installed master, there is no large CRL to break the installation.

In the replica scenario, this change is needed before we attempt replication because the large CRL breaks replication. In fact, if that value had not been set on the master, there would be no large CRL to cause replication problems.

> Simo.
>

From simo at redhat.com Thu Dec 20 14:49:15 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 20 Dec 2012 09:49:15 -0500
Subject: [Freeipa-devel] [PATCH] 0043 Allow-PKI-CA-Replica-Installs-when-CRL-exceeds-default
In-Reply-To: <1356014377.15924.50.camel@aleeredhat.laptop>
References: <1148EF9A-1016-4852-BD78-7B4389EEC7A3@citrixonline.com> <1355956353.2894.38.camel@willson.li.ssimo.org> <09B4CD8E-23A9-46F5-B5F5-7245B3B937B5@citrixonline.com> <1355970935.2894.40.camel@willson.li.ssimo.org> <1356014377.15924.50.camel@aleeredhat.laptop>
Message-ID: <1356014955.2894.65.camel@willson.li.ssimo.org>

On Thu, 2012-12-20 at 09:39 -0500, Ade Lee wrote:
> On Wed, 2012-12-19 at 21:35 -0500, Simo Sorce wrote:
> > On Wed, 2012-12-19 at 22:41 +0000, JR Aquino wrote:
> > > On Dec 19, 2012, at 2:32 PM, Simo Sorce wrote:
> > >
> > > > On Wed, 2012-12-19 at 20:52 +0000, JR Aquino wrote:
> > > >> Due to a limitation with 389 DS, the nsslapd-maxbersize cannot be set dynamically.
> > > >> This causes an issue during IPA PKI-CA Replica installs, when the master has a CRL that exceeds the default limit.
> > > >> The cainstance.py code attempts to set this value prior to performing the initial PKI-CA replication, however, since the value cannot be set dynamically, the installation fails.
> > > >>
> > > >> This patch works around the issue by adding the ldif to the original initialization values bootstrapped by the call to setup-ds.pl
> > > >
> > > > Why are we not simply restarting the instance after setting the value ?
> > > >
> > > > What's in database.ldif ? What produces it ?
> > > /usr/share/pki/ca/conf/database.ldif is part of the dogtag installation and it contains the following entry:
> > > dn: cn=config
> > > changetype: modify
> > > replace: nsslapd-maxbersize
> > > nsslapd-maxbersize: 209715200
> > >
> > > Its purpose is to increase the limit for maxbersize from 2097152 to 209715200.
> > >
> > > The ldif is inserted via the jars that are wrapped by pkisilent... So this leaves 3 options:
> > >
> > > #1 Add code to perform the ldap insert followed by a dirsrv restart into the cainstance.py code
> > > #2 Add recode the jar files from DogTag to require a dirsrv restart after the insert, but prior to the replication
> > > #3 Just initialize the dirsrv database with the correct value to begin with. <1 line fix>
> > > #4 Ask 389 to allow maxbersize to be a dynamically initialized variable
> > >
> > > #3 Seemed the path of least resistance.
> > > I did take the time to code #1 and verify that it worked as well.
> > > I have a ticket open for #4
> > > Alee hinted that the jar modifications for #2 might not be trivial...
> >
> > Method #3 is ok, but for master, where we have unified ds instances, you
> > should look at doing it as we do change other similar attributes in
> > install/updates/10-config.update so that older installations are updated
> > as well.
> > If you do it only at install and the CRL grows later you'd get older
> > server start choking because they have not been updated.
> >
> Are you referring to masters which have been converted from non-unified
> DS to a single DS using an as-yet-to-be-written script?

I was thinking of a current 3.1 setup with multiple replicas installed
before this patch lands in Fedora.

Old master (3.0) with split instances, new replicas (3.1) with unified
instances.

After a while CRL in master grows past limit.
All replicas break because no update fixed them.

> The ldif change mentioned above is already performed as part of the
> dogtag install. For a freshly installed master, there is no large CRL
> to break the installation.
>
> In the replica scenario, this change is needed before we attempt
> replication because the large CRL breaks replication. In fact, if that
> value had not been set on the master, there would be no large CRL to
> cause replication problems.

Understood, I am not asking for a huge change, just that the change is
done in an update file and not just on a fresh install.
Simo.

--
Simo Sorce * Red Hat, Inc * New York

From mkosek at redhat.com Thu Dec 20 15:42:08 2012
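The exchange above explains why the nsslapd-maxbersize change must be in place before the initial CA replication (389 DS reads the attribute only at startup, and a CRL larger than the limit breaks the replica install), and Andrew Wnuk's reply further down in the thread gives the CRL capacity that 209715200 buys. As an added example, not code from FreeIPA, Dogtag or anyone in this thread, the Python below parses the database.ldif change record JR quoted, flags that it touches an attribute that needs a dirsrv restart, checks whether a given CRL fits under a limit, and estimates how many CRL v1 entries fit under it. The DER size arithmetic, the 3-byte serial number assumption and the RESTART_REQUIRED set are assumptions made for this example; the 2097152 default and the 209715200 value come from the thread.

```python
"""Sizing nsslapd-maxbersize against the CA's CRL (added example).

Not code from FreeIPA or Dogtag: a stdlib-only sketch of the checks an
installer could run before the first PKI-CA replication.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed copy of the /usr/share/pki/ca/conf/database.ldif entry quoted
# in the thread.
DATABASE_LDIF = """\
dn: cn=config
changetype: modify
replace: nsslapd-maxbersize
nsslapd-maxbersize: 209715200
"""

# 389 DS default for nsslapd-maxbersize (2 MiB), as stated in the thread.
DEFAULT_MAXBERSIZE = 2097152

# Attributes the thread says cannot be set dynamically (assumption: limited
# to what the discussion establishes).
RESTART_REQUIRED = {"nsslapd-maxbersize"}


@dataclass
class ModifyRecord:
    dn: str = ""
    changetype: str = ""
    # (operation, attribute, values) triples in file order
    changes: List[Tuple[str, str, List[str]]] = field(default_factory=list)


def parse_ldif_modify(text: str) -> ModifyRecord:
    """Minimal parser for a 'changetype: modify' LDIF record.

    Handles folded continuation lines and '-' separated operations. Base64
    ('::') and URL (':<') values are not needed here and are rejected.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    record = ModifyRecord()
    op: Optional[Tuple[str, str, List[str]]] = None
    for line in lines:
        if line == "-" or not line:  # end of one modify operation
            if op is not None:
                record.changes.append(op)
                op = None
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith((":", "<")):
            raise ValueError(f"unsupported LDIF line: {line!r}")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            record.dn = value
        elif attr == "changetype":
            record.changetype = value
        elif attr in ("add", "replace", "delete"):
            if op is not None:
                record.changes.append(op)
            op = (attr, value.lower(), [])
        elif op is not None and attr == op[1]:
            op[2].append(value)
        else:
            raise ValueError(f"unexpected LDIF line: {line!r}")
    if op is not None:
        record.changes.append(op)
    return record


def effective_maxbersize(record: ModifyRecord, current: int = DEFAULT_MAXBERSIZE) -> int:
    """Limit in force once the record is applied and dirsrv has restarted."""
    for op, attr, values in record.changes:
        if attr == "nsslapd-maxbersize" and op in ("add", "replace") and values:
            current = int(values[0])
    return current


def restart_needed(record: ModifyRecord) -> bool:
    """True if the record changes an attribute the server reads only at startup."""
    return any(attr in RESTART_REQUIRED for _, attr, _ in record.changes)


def der_tlv_size(content_len: int) -> int:
    """Bytes occupied by a DER tag-length-value with this content length."""
    length_octets = 1 if content_len < 128 else 1 + (content_len.bit_length() + 7) // 8
    return 1 + length_octets + content_len


def crl_entry_size(serial_len: int) -> int:
    """DER size of one CRL v1 revokedCertificates entry (assumed shape):
    SEQUENCE { INTEGER serialNumber, UTCTime revocationDate }, no extensions."""
    return der_tlv_size(der_tlv_size(serial_len) + der_tlv_size(13))


def max_crl_entries(maxbersize: int, serial_len: int = 3) -> int:
    """Upper bound on revoked entries before the CRL alone exceeds maxbersize.

    Ignores the CRL header, signature and the rest of the LDAP entry carrying
    the CRL, so the real limit is somewhat lower.
    """
    return maxbersize // crl_entry_size(serial_len)


def crl_fits(crl_der_len: int, maxbersize: int) -> bool:
    """Can a BER element carrying this CRL pass the configured size limit?"""
    return crl_der_len < maxbersize


if __name__ == "__main__":
    rec = parse_ldif_modify(DATABASE_LDIF)
    limit = effective_maxbersize(rec)
    print(f"{rec.dn}: nsslapd-maxbersize -> {limit} (restart needed: {restart_needed(rec)})")
    print(f"CRL v1 entries that fit under the limit: about {max_crl_entries(limit):,}")
```

With 3-byte serial numbers an entry costs 22 DER bytes, so 209715200 holds roughly 9.5 million entries before header and signature overhead, in line with the 9.4 million figure quoted later in the thread; at the 2097152 default the same arithmetic gives under 100,000 entries, which is why a master with a grown CRL breaks a replica whose limit was never raised.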
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 20 Dec 2012 16:42:08 +0100
Subject: [Freeipa-devel] [PATCH 83] Cookie Expires date should be locale insensitive
In-Reply-To: <50D2F811.2010205@redhat.com>
References: <50D20938.5020101@redhat.com> <50D2F811.2010205@redhat.com>
Message-ID: <50D331D0.20409@redhat.com>

On 12/20/2012 12:35 PM, Petr Viktorin wrote:
> On 12/19/2012 07:36 PM, John Dennis wrote:
>>
>> The Expires attribute in a cookie is supposed to follow the RFC 822
>> (superseded by RFC 1123) date format. That format includes a weekday
>> abbreviation (e.g. Tue) which must be in English according to the
>> RFCs.
>>
>> ipapython/cookie.py has methods to parse and format the Expires
>> attribute but they were based on strptime() and strftime() which
>> respect the locale. If a non-English locale is in effect the wrong
>> date string will be produced and/or it won't be able to parse the date
>> string.
>>
>> The fix is to use the date parsing and formatting functions from
>> email.utils which specifically follow the RFCs and are not locale
>> sensitive.
>>
>> This patch also updates the unit test to use email.utils as well.
>>
>> The patch should be applied to the following branches:
>>
>> master, 3.0, 3.1
>>
>> Ticket: https://fedorahosted.org/freeipa/ticket/3313
>
> This solves the issue for me. It's better than what's there now, so it's OK as
> a hotfix. However, I did find something to discuss.
>
>
> Your comment references RFC 1123, which doesn't seem relevant at all.
> The cookie Expires header is defined in RFC 6265 (section 5.1.1), but
> email.utils.parsedate uses syntax defined in RFC 2822. Apparently the two are
> equivalent for common usage, but RFC 6265 specifies a more complicated
> algorithm. Shouldn't we follow it?
>
>
>
> To nitpick, I'm not a fan of including target branches in the commit message
> (they should be in the accompanying e-mail), or of documenting past bugs as
> comments in the code (git log/blame works better for checking history).
>

Pushed to master, ipa-3-1, ipa-3-0 (since we need this hotfix now). I just fixed the commit message as written above. You can open another upstream ticket to fix these comment discrepancies.

Martin

From awnuk at redhat.com Thu Dec 20 16:49:21 2012
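As an added example (not ipapython/cookie.py or any code from the patch under discussion), the Python below shows both halves of the thread above: it formats the Expires attribute with email.utils, which emits English weekday and month names whatever locale the process runs under, and it parses incoming values with the cookie-date algorithm of RFC 6265 section 5.1.1 that Petr asks about, next to the email.utils parser the patch uses, so the two can be compared on the same input. Function names such as format_expires, parse_cookie_date and parse_expires_rfc2822 are this example's own.

```python
"""Locale-independent Expires handling for cookies (added example, not
FreeIPA's ipapython/cookie.py).

format_expires: RFC 1123 style cookie-date via email.utils (locale-proof).
parse_cookie_date: the RFC 6265 section 5.1.1 algorithm, which tolerates the
    loose forms browsers accept (two-digit years, '-' separators, any token
    order) and returns None when the attribute must be ignored.
parse_expires_rfc2822: the email.utils-based parser the patch switched to.
"""
import calendar
import email.utils
import re
from datetime import datetime, timezone
from typing import Optional

# RFC 6265 5.1.1: delimiters are %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E.
_DELIMITERS = re.compile(r"[\x09\x20-\x2f\x3b-\x40\x5b-\x60\x7b-\x7e]+")
# Productions match at the start of a token; what follows (if anything) must
# be a non-digit, hence the (?!\d) lookahead.
_TIME = re.compile(r"^(\d{1,2}):(\d{1,2}):(\d{1,2})(?!\d)")
_DAY = re.compile(r"^(\d{1,2})(?!\d)")
_YEAR = re.compile(r"^(\d{2,4})(?!\d)")
_MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
           "jul", "aug", "sep", "oct", "nov", "dec"]


def format_expires(when: datetime) -> str:
    """Render an aware datetime as 'Wdy, DD Mon YYYY HH:MM:SS GMT'.

    email.utils.formatdate does not consult the locale, unlike
    time.strftime('%a %b'), so the names are always English.
    """
    return email.utils.formatdate(calendar.timegm(when.utctimetuple()), usegmt=True)


def parse_cookie_date(value: str) -> Optional[datetime]:
    """Parse a cookie-date per RFC 6265 section 5.1.1; None means 'ignore'."""
    hour = minute = second = day = month = year = None
    for token in _DELIMITERS.split(value):
        if not token:
            continue
        # Steps 2.1-2.4: first match wins, each production at most once.
        if hour is None and (m := _TIME.match(token)):
            hour, minute, second = (int(g) for g in m.groups())
        elif day is None and (m := _DAY.match(token)):
            day = int(m.group(1))
        elif month is None and token[:3].lower() in _MONTHS:
            month = _MONTHS.index(token[:3].lower()) + 1
        elif year is None and (m := _YEAR.match(token)):
            year = int(m.group(1))
    if None in (hour, day, month, year):
        return None
    # Step 3: two-digit years, 70-99 -> 19xx, 0-69 -> 20xx.
    if 70 <= year <= 99:
        year += 1900
    elif 0 <= year <= 69:
        year += 2000
    # Step 4: range checks; RFC 6265 refuses years before 1601.
    if not 1 <= day <= 31 or year < 1601 or hour > 23 or minute > 59 or second > 59:
        return None
    try:  # Step 5: the calendar date must exist (31 Feb does not)
        return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    except ValueError:
        return None


def parse_expires_rfc2822(value: str) -> Optional[datetime]:
    """The patch's approach: email.utils, RFC 2822 syntax, locale-independent."""
    try:
        parsed = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):  # older/newer Pythons differ on the error type
        return None
    if parsed.tzinfo is None:  # a '-0000' zone yields a naive value; treat as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


if __name__ == "__main__":
    expires = format_expires(datetime(2012, 12, 19, 18, 36, tzinfo=timezone.utc))
    print(expires)
    for sample in (expires, "Wed, 19-Dec-12 18:36:00 GMT", "Sun, 31 Feb 2013 00:00:00 GMT"):
        print(f"{sample!r}: rfc6265={parse_cookie_date(sample)} rfc2822={parse_expires_rfc2822(sample)}")
```

A None from parse_cookie_date is the RFC's instruction to ignore the Expires attribute (the cookie then behaves as a session cookie), which is the safe failure mode; raising or guessing a date would not be.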
From: awnuk at redhat.com (Andrew Wnuk)
Date: Thu, 20 Dec 2012 08:49:21 -0800
Subject: [Freeipa-devel] [PATCH] 0043 Allow-PKI-CA-Replica-Installs-when-CRL-exceeds-default
In-Reply-To: <1356014955.2894.65.camel@willson.li.ssimo.org>
References: <1148EF9A-1016-4852-BD78-7B4389EEC7A3@citrixonline.com> <1355956353.2894.38.camel@willson.li.ssimo.org> <09B4CD8E-23A9-46F5-B5F5-7245B3B937B5@citrixonline.com> <1355970935.2894.40.camel@willson.li.ssimo.org> <1356014377.15924.50.camel@aleeredhat.laptop> <1356014955.2894.65.camel@willson.li.ssimo.org>
Message-ID: <50D34191.3010209@redhat.com>

On 12/20/2012 06:49 AM, Simo Sorce wrote:
> On Thu, 2012-12-20 at 09:39 -0500, Ade Lee wrote:
>> On Wed, 2012-12-19 at 21:35 -0500, Simo Sorce wrote:
>>> On Wed, 2012-12-19 at 22:41 +0000, JR Aquino wrote:
>>>> On Dec 19, 2012, at 2:32 PM, Simo Sorce wrote:
>>>>
>>>>> On Wed, 2012-12-19 at 20:52 +0000, JR Aquino wrote:
>>>>>> Due to a limitation with 389 DS, the nsslapd-maxbersize cannot be set dynamically.
>>>>>> This causes an issue during IPA PKI-CA Replica installs, when the master has a CRL that exceeds the default limit.
>>>>>> The cainstance.py code attempts to set this value prior to performing the initial PKI-CA replication, however, since the value cannot be set dynamically, the installation fails.
>>>>>>
>>>>>> This patch works around the issue by adding the ldif to the original initialization values bootstrapped by the call to setup-ds.pl
>>>>> Why are we not simply restarting the instance after setting the value ?
>>>>>
>>>>> What's in database.ldif ? What produces it ?
>>>> /usr/share/pki/ca/conf/database.ldif is part of the dogtag installation and it contains the following entry:
>>>> dn: cn=config
>>>> changetype: modify
>>>> replace: nsslapd-maxbersize
>>>> nsslapd-maxbersize: 209715200
>>>>
>>>> Its purpose is to increase the limit for maxbersize from 2097152 to 209715200.

If your CA is relatively recent, 209715200 should give you enough room to generate CRLs v1 with up to 9.4 million entries. If you plan on having bigger CRLs, consider a further increase of nsslapd-maxbersize.

>>>>
>>>> The ldif is inserted via the jars that are wrapped by pkisilent... So this leaves 3 options:
>>>>
>>>> #1 Add code to perform the ldap insert followed by a dirsrv restart into the cainstance.py code
>>>> #2 Add recode the jar files from DogTag to require a dirsrv restart after the insert, but prior to the replication
>>>> #3 Just initialize the dirsrv database with the correct value to begin with. <1 line fix>
>>>> #4 Ask 389 to allow maxbersize to be a dynamically initialized variable
>>>>
>>>> #3 Seemed the path of least resistance.
>>>> I did take the time to code #1 and verify that it worked as well.
>>>> I have a ticket open for #4
>>>> Alee hinted that the jar modifications for #2 might not be trivial...
>>> Method #3 is ok, but for master, where we have unified ds instances, you
>>> should look at doing it as we do change other similar attributes in
>>> install/updates/10-config.update so that older installations are updated
>>> as well.
>>> If you do it only at install and the CRL grows later you'd get older
>>> server start choking because they have not been updated.
>>>
>> Are you referring to masters which have been converted from non-unified
>> DS to a single DS using an as-yet-to-be-written script?
> I was thinking of a current 3.1 setup with multiple replicas installed
> before this patch lands in Fedora.
>
> Old master (3.0) with split instances, new replicas (3.1) with unified
> instances.
>
> After a while CRL in master grows past limit.
> All replicas break because no update fixed them.
>
>> The ldif change mentioned above is already performed as part of the
>> dogtag install. For a freshly installed master, there is no large CRL
>> to break the installation.
>>
>> In the replica scenario, this change is needed before we attempt
>> replication because the large CRL breaks replication. In fact, if that
>> value had not been set on the master, there would be no large CRL to
>> cause replication problems.
> Understood, I am not asking for a huge change, just that the change is
> done in an update file and not just on a fresh install.
>
> Simo.
>

From tbabej at redhat.com Fri Dec 21 11:15:45 2012
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 21 Dec 2012 12:15:45 +0100
Subject: [Freeipa-devel] [PATCHES 0024-0025] Improvements to idrange.py
Message-ID: <50D444E1.9050502@redhat.com>

Hi,

Sending updated and rebased versions of patches 0024 and 0025.

Tomas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0024-3-Make-options-checks-in-idrange-add-mod-consistent.patch
Type: text/x-patch
Size: 8005 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0025-3-Add-trusted-domain-range-objectclass-when-using-idra.patch
Type: text/x-patch
Size: 1397 bytes
Desc: not available
URL: